1.0 - Threats, Attacks, & Vulnerabilities Flashcards
Define
Typosquatting
A type of URL hijacking, using a misspelled version of a legitimate website URL
Define
Pharming
- Like phishing, but harvesting large groups of people
- Often utilizes a poisoned DNS server or client vulnerabilities
- Relatively rare, but they do occur
Define
Vishing
- Voice phishing, done over phone or voicemail
- Caller ID spoofing is common
Define
Smishing
- SMS phishing, performed via text message
- Caller ID spoofing is common
Define
Spear phishing
- Targeted phishing attacks, going after a very specific person or group.
- Utilize inside information, or public information gathered through reconnaissance, to make the attack more believable
Define
Whaling
- A spear phishing attack with a large target such as a CEO or CFO
- Typically for the purpose of getting funds from someone with access to a large bank account
Define
Dumpster Diving
- Gather personal details by going through trash, to use for phishing attacks and impersonation
How to Protect against Dumpster Diving?
- Shred or burn your documents
- Secure your garbage
Define
Shoulder Surfing
- Looking over someone’s shoulder to view private information, passwords, etc.
- Can be done from a distance using binoculars, telescopes, webcam monitoring
How to protect against Shoulder Surfing?
- Be aware of surroundings
- Use privacy filter (screen that blocks view from angles)
- Keep monitor facing away from windows, hallways
- Don’t do sensitive work in public area
Define
Watering Hole Attack
- When you can’t attack an organization directly, you can attack a third-party that is associated with them.
- The third party is termed the “watering hole.”
- Ex., hijack a website that the victim uses.
- The attack is looking for specific victims, but often all visitors of the watering hole are infected / attacked.
How to protect against a Watering Hole Attack?
- Make sure your own defenses are very good
- Use a multi-layered defense
Define
SPIM
Spam over Instant Messaging
Define
Spam
- Unsolicited messages, typically over email or on forums, etc.
- Can be malicious, but not necessarily so.
- Includes commercial advertising, non-commercial proselytizing, as well as malicious attacks like phishing
What are the problems caused by spam?
- Security concerns
- Resource utilization
- Storage costs
- Management of spam
How to protect against spam?
- It is necessary to combine multiple approaches.
- Mail gateways / filters
- Utilize Allow lists
- SMTP standards checking (blocking anything not following RFC standards)
- rDNS check
- Tarpitting
- Recipient filtering
Define
Recipient Filtering
Blocking all email not addressed to a valid recipient
Define
rDNS
- Reverse DNS
- Confirms if a sender’s domain matches their IP address
Define
Tarpitting
- Intentionally slowing down server performance to slow down / mitigate an attack
- Ex. slow delivery of e-mail to prevent mass mailed spam, so the spammers move on from you
Define
Tailgating
- Use an authorized person to gain unauthorized access to a building
- May involve social engineering such as walking with your hands full, posing as a 3rd party vendor, etc.
How to protect against tailgating?
- A no-tailgating policy
- Policy that all visitors must wear badges
- Mechanically prevent more than one person from entering at a time, such as a rotary, vestibule, airlock
What are some principles of social engineering?
- Authority
- Intimidation
- Scarcity
- Urgency
- Consensus / social proof
- Familiarity / Liking
- Trust
Define
Virus
- Malware that can reproduce itself
- Requires human interaction to execute
Define
Worm
A virus that can replicate and jump from machine to machine without requiring any human interaction
Describe some virus types
- Program virus: part of an application
- Boot sector virus: runs when booting system
- Script virus: can be operating-system or browser-based
- Macro virus: common in Microsoft Office
How to protect against ransomware?
- Always have a backup, ideally offline and disconnected
- Keep OS and applications up-to-date
- Keep anti-virus/malware signatures up-to-date
- Keep everything up-to-date
Difference between ransomware and crypto-malware?
- Ransomware does not necessarily encrypt your files; it can be any malware that requires payment to remove it
- Crypto-malware that encrypts your files is the most common form of ransomware today
- Therefore, the term ransomware is now commonly used to refer specifically to crypto-malware
Define
Trojan horse
- Software that pretends to be something else
- Doesn’t really care much about replicating
Define
Fileless Virus
- Runs only in memory, saves nothing to system
- That makes it difficult to be detected
- Might modify the registry so it can run again after reboot
Examples of a PUP?
- Browser toolbar
- Backup utility that displays ads
- Browser search engine hijacker
Define
RAT
- Remote Access Trojan
- aka Remote Administration Tool
- A tool that gives administrative access to a remote user
How to protect against RATs?
- Don’t run unknown software
- Don’t follow unknown links
- Keep anti-virus/OS/applications up-to-date
- Always have a backup
Define
Rootkit
- Modifies core system files, becomes part of the kernel
- Can therefore be invisible to the OS; won’t be seen in task manager
- Thus invisible to traditional anti-virus utilities
- Very difficult to remove even if discovered, because it is now part of the operating system
How to protect against Rootkits?
- Use a remover that is specific to the rootkit; these are usually developed after a rootkit is discovered
- Use Secure Boot on UEFI
Define
Secure Boot
- A feature of UEFI
- Looks at the kernel, and will not boot a system that has been modified (or a system that does not support the Secure Boot feature)
Define
Bot
- Malware that infects a machine for purposes of automation.
- Receives instructions from a Command and Control server.
- May make your machine participate in attacks, etc.
Define
C&C
- Command and Control
- The server that controls bots / botnets
Define
Botnet
- A system of Bots working together
What are botnets often used for?
- DDoS attacks
- Relay spam
- Proxy network traffic
- Various distributed computing tasks
- That computing power may be rented out (DDoS as a Service)
How to protect against bots?
- Prevent initial infection by keeping up-to-date, don’t download unknown things, etc.
- Network monitoring
- Use firewall to block C&C communications
Define
Logic Bomb
- Something left on a system that waits for a predefined event
- Can be triggered by a date/time, or by a user action, or system event, etc.
- Often destroys itself, making it difficult to gather evidence after attack
How to protect against Logic Bombs?
- Each is unique, so there are no predefined signatures; difficult to detect
- Processes and procedures are a good strategy
- Formal change control; all modifications must be documented; undocumented changes trigger an investigation
- Monitoring that alerts on changes
- Host-based intrusion detection
- Applications like Tripwire
- Constant auditing
Define
Spraying Attack
- Trying a small number of very common passwords to log in to a multitude of accounts
- Avoids locking any accounts by only trying a few of the most common passwords before moving on
- No lockouts, no alarms, no alerts
Define
Brute Force Attack
- Try every possible password combination until the right one is matched
- Can take a very long time if a strong hashing algorithm is used
- Requires a large amount of processing power.
- When performed online, it usually results in account lockouts.
Define
Offline Brute Force Attack
- When an attacker has obtained a hashed password, they can create hashes of guessed passwords and see if the hashes match. If they match, the attacker has guessed the password.
- Does not result in an account lockout or any alerts because the attack is not performed against the login system.
Define
Dictionary Attack
- Similar to brute force, but uses common words rather than every possible combination of characters
- Password crackers may utilize common letter substitutions, e.g., as in p@$$w0rd
- Still takes a very long time
Define
Rainbow Table
- An optimized, pre-built set of hashes
- Contains pre-calculated hash chains
- Allows you to compare password hashes without needing to do hash calculations of guessed passwords.
Define
Salt
- Random data added to a password when hashing
- Every user gets their own unique salt, so hashes are unique even if passwords are the same
- A type of cryptographic nonce
Where is a password’s Salt information stored?
- It is commonly stored with the password
What does the use of Salt protect against?
- It prevents the use of rainbow tables
- Does not stop a brute force attack, but slows it down.
- If an attacker acquires a hashed password, they would also need to know the salt in order to perform an Offline Brute Force attack.
Define
Malicious USB Cable
- Looks like a normal USB cable / charger, but has additional electronics inside
- When a victim inserts it into a computer, it runs malicious software
Define
Malicious USB flash drive
- Looks like a normal USB thumb drive / flash drive, but has additional electronics inside
- When a victim inserts it into a computer, it runs malicious software
- Attackers may leave flash drives on tables or on the ground, knowing curious people will plug them in to see what’s on them.
How do malicious USB cables / drives initiate malicious software?
- Auto-Run: Older operating systems would automatically run files on USB devices, but in modern systems, this is now disabled or removed by default.
- HID: The device can still act as an HID (Human Interface Device) and behave as a keyboard and/or mouse, allowing it to type pre-programmed input on your system, such as launching a command prompt and running commands.
- Files: The flash drive may simply contain malicious files and malware that, once interacted with by the user, will infect the system.
- Boot Device: If configured as a boot device, and a victim leaves it inserted when they reboot their computer, it may boot to the malicious USB which can then infect the computer.
- Wireless network adapter: Can connect the device to another network, redirect or modify internet traffic requests, act as a wireless gateway for other devices, etc.
Define
HID
- Human Interface Device
- Examples: Keyboard, Mouse
Define
Skimming
- Stealing credit card information, usually during a normal transaction
- Can either be skimmed from the card itself (the magnetic stripe) or from the computer that it interacts with
Define
ATM Skimming
- An additional step of a Skimming attack: a small camera is added to the environment to record your PIN entry
Define
Card Cloning
- Creating a duplicate of a credit card using information obtained from a skimmer.
- The cloned card can only be used for transactions using the magnetic stripe, as the chip can’t be cloned.
- Common for gift cards, which don’t utilize a chip.
Define
“Poisoning the training data”
- An attack on machine learning / AI
- Attackers send modified training data to confuse the AI / cause it to behave incorrectly
- AI is only as good as its training process
Define
Evasion Attack
- Finding limitations in an AI system in order to circumvent it
- Since AI is trained by specific criteria, it can be fooled if attackers change up their approach
How to protect against attacks on AI / machine learning?
- Check the training data to verify contents
- Constantly retrain with new data, more data, better data
- Train the AI to recognize potential poison data and evasion attacks
Define
Supply Chain
- All steps in the process from raw materials to end-user
- Includes raw materials, suppliers, manufacturers, distributors, customers, consumers
Define
Supply Chain Attack
- Attacking a target by going after another vendor in their supply chain
- Ex., if an HVAC vendor has VPN access to a target’s network, you attack the vendor to exploit that access
- Ex., you put malicious code or hardware into a device that is being sold down the supply chain
- One exploit can infect the entire chain
On-Premises vs. In-Cloud Security:
List PROS of ON PREM
- Full control of security
- Local on-site IT can manage more attentively
- System checks can occur at any time
- Don’t need to call outside team for support
On-Premises vs. In-Cloud Security:
List CONS of ON PREM
- A local team can be expensive and difficult to staff
- Security changes can take time. New equipment, configurations, and additional costs.
On-Premises vs. In-Cloud Security:
List PROS of IN-CLOUD
- Data is in a secure environment
- Strict physical access controls
- Automated security updates
- Fault-tolerance and redundancy lead to limited downtime, higher availability
- One-click deployments
On-Premises vs. In-Cloud Security:
List CONS of IN-CLOUD
- Third parties may have access to your data
- Users must still be trained to follow security best-practices
- May not be as customizable
Define
Birthday Attack
- A type of Cryptographic Attack
- The attacker generates multiple versions of plaintext to try to match the hash of the target encrypted text
- i.e., try to find a collision through brute force
- Once matched, they can fake signatures, certificates, etc.
Define
Collision
- In cryptography, a collision is when two different plaintexts have the same hash value
How to protect against a Birthday Attack?
Use a long hash output size
What is a Downgrade Attack?
- An attacker forces systems to downgrade their security to a form of encryption that is more vulnerable
- May be performed by influencing / intercepting the initial negotiation when encryption forms are determined
How to protect against Downgrade Attacks?
Do not allow a fallback to lower levels of encryption that are known to be vulnerable.
Define
Privilege Escalation
- Gaining higher level access to a system
- Achieved by exploiting a vulnerability, bug, or design flaw
- Typically used to access the root or admin account
Define
Horizontal Privilege Escalation
- Gaining access through one account to a different account
- Unlike normal privilege escalation, the access is not necessarily higher, just different
How to protect against Privilege Escalation?
- Ensure all systems are patched
- Keep AV software updated
- Utilize Data Execution Prevention
- Utilize Address space layout randomization
Define
Data Execution Prevention
- A safeguard on an operating system
- Only allows applications to run in certain areas of memory where that function is allowed.
- Allows only applications in executable areas to run
- If an attacker tries to run an application in the data section of memory, it is blocked
Define
Address Space Layout Randomization
- A safeguard on an operating system
- Randomizes where information is stored in memory
- If an attacker finds a way to take advantage of a memory address on one system, they will not be able to duplicate that on another system
- Prevents a buffer overrun at a known memory address
What are the legalities around Dumpster Diving?
- Varies in different countries
- In the US, it is LEGAL, not illegal, to go through someone else’s trash. Nobody owns trash.
- However, you cannot break the law in order to gain access to the trash (i.e. if it is on private property with No Trespassing signs)
Define
XSS
- Cross Site Scripting
- Name comes from its original association with browser security flaws.
- Info from one site could be shared with another.
- A common vulnerability with web-based applications.
- (Not to be confused with Cascading Styles Sheets / CSS)
Define
Non-Persistent XSS Attack
- If a website allows scripts to be run in user input (such as a search field), it is vulnerable to this type of attack.
- An attacker e-mails a link to the site, containing embedded input to run a script
- Once clicked, the script executes in the victim’s browser, as if it came from the server.
- The script’s output is usually sent to the attacker, and may contain session IDs, credentials, etc.
“Reflected XSS Attack” is also known as?
Another name for a Non-Persistent XSS Attack.
Define
Persistent XSS Attack
- An XSS attack where the embedded code is permanently stored on the server, such as in a social media post
- Everyone who views the page receives the payload and runs the script, without requiring a special link
“Stored XSS Attack” is also known as?
Another name for a Persistent XSS Attack
How to protect against XSS?
- Never click an untrusted link
- Consider disabling JavaScript, or control when it is enabled
- Keep browsers and applications updated
- Developers: validate input; don’t allow users to add scripts to input field
Define
Code Injection
- Adding your own information or commands to a data stream
- Should never be allowed to happen, but may be vulnerable due to bad programming
What are common data types used in Code Injection?
- HTML injection
- SQL injection
- XML injection
- LDAP injection
- DLL injection
Define
Buffer Overflow
- When one section of memory is able to overwrite a different section of memory
- Overwriting a buffer of memory so that it spills over into other memory areas
- This grants an attacker the ability to modify memory they do not have access to
- This should never happen, but an attacker can take advantage of poor programming
- Very rare to find a vulnerability, particularly one that is repeatable and useful.
How to avoid a Buffer Overflow
- Developers need to perform bounds checking, to ensure that this cannot happen
Define
Replay Attack
- An attacker gains a copy of information transmitted over the network
- May be done via a network tap, ARP poisoning, or malware on the victim’s computer.
- This information can be replayed by the attacker to pose as the victim.
Define
Pass the Hash
- A type of replay attack
- When a user logs into a server, the hashed password is sent
- The attacker receives that traffic to gain the hashed password
- They can then provide that same hash to the server to appear as though they know the password
How to protect against a Pass the Hash attack?
- Always use a secured connection to the server so that intercepted traffic is encrypted (SSL, TLS)
- Servers should salt the hash, such as by using a Session ID along with the password, to create a unique authentication hash each time
Define
Sidejacking
- A name for session hijacking
- If an attacker can know your Session ID, they can use it to hijack / pose as your session, even from a different location and system
- With the session ID, the attacker does not need to authenticate the username and password
Define
Cross-Site Request
- When one website requests information from another web server
- Common and usually perfectly legitimate
- Ex. embedding a YouTube video or Instagram Photos on another webpage
What does this stand for?
XSRF
Cross-Site Request Forgery
What does this stand for?
CSRF
Cross-Site Request Forgery
pronounced “Sea-Surf”
Define
One-Click Attack
Another term for a Cross-Site Request Forgery
Session Riding is also known as?
Another term for a Cross-Site Request Forgery
Define
Cross-Site Request Forgery
- An attacker sends requests to a web server through a victim’s own computer/browser. Since the web server trusts the victim’s browser, it accepts the attacker’s request.
- The attack requires access or control of the victim’s browser, but may be invisible to the victim.
How to protect against Cross-Site Request Forgery?
- Developers should have anti-forgery techniques added
- Usually a cryptographic token to prevent forgery
Define
SSRF
- Server-Side Request Forgery
- An attack on a vulnerable web application
- Attacker sends requests directly to a web server, and it performs the requests
- Allows the attacker to gain whatever access the web server itself has, such as access to an internal network
How to protect against SSRF?
- It is caused by bad programming. Ensure your application does not have these vulnerabilities.
- Server should always validate user input and responses.
Define
Driver Manipulation
- Drivers control the interaction between the hardware and your OS, and are trusted by the OS
- If an attacker can exploit a vulnerability in a driver, they can perform trusted actions
- Hardware interactions often contain very sensitive information (webcam video, microphone audio, everything you type in)
Define
Application Compatibility Shim Cache
- Used by Windows for applications running in Compatibility Mode
- The Shim Cache caches the information that passes between the current operating system and the previous operating system being emulated for compatibility.
- (A “shim” is something that fills the space between two objects)
Define
Shimming
- Malicious code created to run in the Application Compatibility Shim Cache to get around security.
Define
Refactoring
- Malware that is made to appear as a different program every time it is downloaded
- Can be done by reordering functions, adding random code strings and pointless instructions
- This helps it avoid signature-based anti-virus / anti-malware detection
What is this also known as?
Metamorphic Malware
Another term for Refactoring
How to protect against Refactoring?
- Signature-based security will not be effective.
- Use a layered approach to security that looks at behavior.
What versions of SSL/TLS are deprecated, and what are current standards?
- SSL 3.0 and prior (i.e. all versions of SSL) are deprecated
- TLS 1.0 and 1.1 are deprecated
- TLS 1.2 and 1.3 are both current standards
Define
SSL Stripping
- An on-path attack and downgrade attack.
- The attacker sits between the victim and the server and modifies the data sent between them.
- If the server requires encryption, the attacker communicates with the server using encryption but relays it to and from the victim without encryption, so that they can see and modify all data.
Define
HTTP Downgrade
Another name for SSL Stripping
How can an on-path attack be achieved?
The attacker may utilize a proxy server, ARP spoofing, a rogue Wi-Fi hotspot, etc.
How to protect against SSL Stripping?
- Both clients and servers must be updated
- Require from the client side (such as in the browser) that all communication be in HTTPS, not allowing HTTP to even be requested.
- Require from the server side not to respond to HTTP and require HTTPS
Define
Race Condition
- A programming conundrum
- Can occur when more than one thing is happening at the same time, especially when unexpected, and the order in which they complete causes unintended results
Define
TOCTOU
- Time-of-Check to Time-of-Use
- An attack that takes advantage of a race condition
- The attack occurs between when a victim checks the result of something, and when they actually use those results, not being aware that the data has been altered since it was checked.
How to protect against Race Conditions?
Very thoughtful programming. Developers must account for every possible situation and circumstance in which their program may be used.
Define
Rogue Access Point
- An unauthorized wireless access point
- May or may not be malicious, but a security concern either way
Define
802.1X
- A form of Network Access Control
- Requires you to authenticate when accessing the network, regardless of type of connection (wireless, ethernet, etc.)
How to protect against Rogue Access Points?
- Schedule periodic site surveys
- Evaluate wireless spectrum
- Use network access controls so that even if an attacker did get access to the network, they would still need to authenticate
Define
Wireless Evil Twin
- An attacker configures a rogue wireless access point to use the same (or similar) SSID and security settings as the legitimate network
- If well-placed with strong signal, they can even overpower existing access points
How to protect against Wireless Evil Twins?
- Do not do sensitive work on open wireless networks
- Use HTTPS
- Use a VPN
Define
Bluejacking
- Sending unsolicited messages to another device via Bluetooth
- Not typically a serious threat, since it’s just a message, and requires close physical proximity
- Some devices and software may allow the message to include an image, contact card, or video
Define
Bluesnarfing
- Accessing data on a device using the Bluetooth communications channel without needing to authenticate
- May include Contacts list, calendar, e-mail, photos, and any files on the device.
- Patched in 2003, modern devices are not susceptible.
- If using an older Bluetooth device, it is a serious security concern.
Wireless Deauthentication is also known as?
- Another name for Wireless Disassociation Attack
Define
Wireless Disassociation Attack
- A DoS attack that causes wireless devices to be unable to communicate with the access point
- Performed by sending deauthentication or disassociation management frames to the AP
- A flaw of 802.11, which originally sent management frames unencrypted
- Patched in 2014, now some of the important management frames are encrypted
Define
Wireless Jamming
- A form of radio frequency interference
- A type of DoS attack to prevent wireless communication
- Interference may not be intentional, such as microwave ovens or fluorescent lights, but jamming is intentional.
- May be constant or intermittent data sent over the network to overwhelm the signal
- Requires close physical proximity to be effective
Define
Reactive Jamming
- A type of wireless jamming
- The attacker only creates interference when someone else tries to communicate
- May be targeting a specific individual device
Define
Fox Hunting
- Using a directional antenna and headphones to try to locate the source of a signal
- Can be used in locating the source of wireless jamming or interference
Define
RFID
- Radio Frequency Identification
- Uses RADAR technology: Radio energy is transmitted to the tag, the RF powers the tag and an ID is transmitted back.
- Usually unidirectional, but can actually be bi-directional
- Some tag formats can be active/powered
- Used everywhere: in access badges, pet identification, inventory, anything that needs to be tracked
What are some RFID security concerns?
- Data capture: view communication if sent in the clear
- Decrypt communication: Many default keys of common devices are publicly available.
- Replay attack
- Spoof the reader
- DoS by signal jamming
Define
NFC
- Near-Field Communication
- A type of enhanced RFID
- Bidirectional communication
What are some common applications of NFC?
- In-store payment systems to pay via mobile phone
- Bluetooth can use NFC to bootstrap pairing process
- Authentication card / access token
What are some NFC security concerns?
- Remote capture of data (NFC is its own wireless network)
- Frequency jamming, DoS
- Relay / Replay attack, on-path attack
- Loss of device control (such as a lost/stolen phone)
Define
Nonce
- In cryptography, a nonce is an arbitrary number used only once
- From the term “for the nonce” meaning “for the time being”
- A random or pseudo-random number, though it may also be a counter
Define
IV
- Initialization Vector
- A type of cryptographic nonce, added to the front of a cryptographic key
- Often used in WEP, and some SSL implementations
What are examples of nonces?
- Initialization Vector
- Salt
Define
On-Path Attack
- Formerly known as man-in-the-middle
- An attacker (for example, perhaps, a “man”) might sit in-between (that is to say, in “the middle”) of two communicating devices. (But we won’t use those words, because that would be patriarchal)
- The attacker intercepts and redirects your traffic without your knowledge.
- They may merely read all the communication, or may modify it for malicious purposes.
Define
ARP Poisoning
- Address Resolution Protocol Poisoning
- A type of on-path attack
- An attacker sends false ARP response messages to devices that it wants to poison. This may allow it to impersonate various devices.
- The attacker must be on the LAN to perform this attack
Define
ARP
- Address Resolution Protocol
- Protocol used for devices to track and match IP addresses to MAC addresses in their ARP Cache.
- ARP as a protocol has no security built into it. Devices make and receive modifications to ARP tables without any authentication or encryption.
Define
On-Path Browser Attack
- A type of on-path attack where the “man in the middle” is on the victim’s own device
- Malware runs in the browser to perform the interception and redirection.
Define
MAC Flooding
- The attacker sends traffic with so many different source MAC addresses that it fills a switch’s MAC table and overwrites all legitimate MAC addresses on the network.
- Every switch has a limit to how many addresses it can store in its MAC table, and when it gets full, it will recognize that and start flooding traffic to all interfaces since it can no longer track destinations
- Effectively turning a switch into a hub - all traffic is transmitted to all interfaces
- This gives an attacker the opportunity to capture all network traffic
How to protect against MAC Flooding?
- Most switches have security features to detect MAC flooding.
- The switch can restrict how many MAC addresses can come in from a single interface
Define
MAC Cloning
- An attacker changes their MAC address to match that of an existing device
- May be used to circumvent MAC filters
- Or, may be used to create a DoS, as traffic for the legitimate MAC address will be disrupted
Another name for MAC Cloning?
MAC Spoofing
How to protect against MAC Cloning?
- Most modern switches have security features that look out for it and prevent it from disrupting the network.
Define
DNS Poisoning
- Modify DNS records so that traffic is redirected
Can be achieved by:
- modifying a device’s hosts file
- sending a fake response to a valid DNS request
- gaining access to the DNS server and modifying records
Define
Domain Hijacking
- Gaining access to domain registration, allowing you to control traffic flows for the domain
- May be achieved by brute force, social engineering, gaining access to e-mail address of account manager, etc.
Define
URL Hijacking
- Registering domains that are slight variations or common misspellings of legitimate domain names
Could be used for purposes of:
- Showing Ads
- A phishing site, made to appear as the legitimate site
- Redirecting to a competitor’s site
- Selling the hijacked domain to the legitimate domain’s owner
- Infecting computers with a drive-by download
Define
Brandjacking
- Another term for typosquatting
- A type of URL hijack, taking advantage of a common misspelling
Define
Domain Reputation
- ISPs, search engines, and e-mail providers track reputations of domains
- If a domain receives too many reports of spam or malicious activity, it may get added to a blacklist
- The blacklist may result in all e-mail from that domain being marked as spam or rejected, or in a browser warning/preventing a user before they visit the site.
List examples of “Unintentional DoS”
- Accidentally creating a network loop (without STP enabled)
- Using more bandwidth than the network can handle
- A waterline breaking and damaging equipment
- Power outage
Define
OT
- Operational Technology
- The hardware and software used for industrial equipment
- Ex. electric grids, traffic control, manufacturing plants
What is unique about security for OT?
- It requires a much more critical security posture
- Must be extremely segmented and protected
- Failures can result in catastrophic events
Define
Amplified DDoS
- Uses reflection and spoofing techniques to turn a smaller attack into a larger one
- For example, the attacker may spoof the victim web server’s IP address, and send a small request out to a third-party server that results in a response much larger than the request. That response goes to the victim, since their IP was spoofed.
- Thus the attacker only sent small amounts of traffic but used a third party to send much larger traffic to the victim.
What is a malicious PowerShell script best-suited to attack?
- Windows systems
- Active Directory Administration
- File Share Access
What is a malicious Python script best-suited to attack?
- Cloud-based systems
- infrastructure such as routers, servers, switches
- When a single script needs to target a variety of OS types (works with Windows, macOS, and Linux)
What is a malicious Shell script best-suited to attack?
- Linux/Unix environments
* Web servers, databases, hypervisors
What is a malicious Macro script best-suited to attack?
- Users who can be fooled into opening the file that it contains and running the Macro
- Since the Macro may run in a familiar program, such as Word or Excel, it may be easier to fool a user
- Since Microsoft Office Macros use VBA, they have access to run commands on the Windows OS
Define
Semi-Authorized Hacker
- A hacker that is not formally authorized, but finds a vulnerability and does not use it.
- May be working for research purposes or to help expose the vulnerability so it can be patched.
Define
OSINT
- Open-Source Intelligence
* Publicly available sources such as discussion groups on the Internet, or Government hearings and reports
Define
CVE
- “Common Vulnerabilities and Exposures”
- a publicly available vulnerability database
- a community-managed list of vulnerabilities
- sponsored by DHS and CISA
Define
DHS
U.S. Department of Homeland Security
Define
CISA
Cybersecurity and Infrastructure Security Agency
Define
NVD
- “US National Vulnerability Database”
- A summary of CVEs
- Provides additional details over the CVE list, such as patch availability and severity scoring
- Sponsored by DHS and CISA
Define
AIS
- “Automated Indicator Sharing”
* An industry standard for automated sharing of important threat data freely and efficiently
Define
STIX
- “Structured Threat Information Expression”
- Part of the standards for AIS
- Standardized format for describing cyber threat information
- Includes motivations, abilities, capabilities, and response information
Define
TAXII
- “Trusted Automated Exchange of Indicator Information”
- Part of the standards for AIS
- Standard format for communication / transfer of STIX data
- Securely shares STIX data
Define
IOC
- Indicator(s) of Compromise
* An event that indicates an intrusion
List six examples of IOCs
- Unusual amount of network activity
- Change to file hash values
- Irregular international traffic
- Changes to DNS data
- Uncommon login patterns, such as time of day
- Spikes of read requests to certain files
What does this stand for:
NIST
• “National Institute of Standards and Technology”
Define
Vulnerability Feed
• Various sources that publish information on vulnerabilities
Includes:
- National Vulnerability Database
- CVE Data Feeds
- Third-party feeds
Define
RFC
- “Request for Comments”
- A type of online document, usually containing standards or methods for doing a particular task, but may technically contain any number of things
- A way to track and formalize standards that anyone on the Internet can use
- Published by the ISOC, and often written by the IETF
Define
ISOC
- “Internet Society”
* Publishes RFCs
Define
IETF
- “Internet Engineering Task Force”
* One of the most common authors of RFCs
Define:
TTP
- “Tactics, techniques, and procedures”
- The methods that attackers use to gain access, and what they do once they have access
- Having more information on a TTP will aid in preventing and recognizing the attack
Define
Zero-Day Attack
- An attack that leverages a vulnerability that has never previously been detected, published, or exploited
- Due to this, there is usually no patch or prevention immediately available for the attack.
- Becoming increasingly common
Define
Open Permissions
- Technical name for a vulnerability caused by not applying proper access controls on data or systems
- Increasingly common with cloud storage
Define
Intelligence Fusion
• Process of gathering large volumes of data of different types from different sources and teams, and combining it into a massive database so that big-data analytics can be applied to it
Define
Non-Intrusive Scan
- A type of vulnerability scan
* The scan gathers information but does not try to exploit any vulnerability
Define
Intrusive Scan
- A type of vulnerability scan
- Attempts to exploit vulnerabilities to see whether they actually work
- Penetration Testing
Define
Non-credentialed Scan
- A type of vulnerability scan
* Scanner does not have login info, simulating an external attacker without credentials
Define
Credentialed Scan
- A type of vulnerability scan
* The scanner emulates an insider attack, using credentials of a user
Define
CVSS
- “Common Vulnerability Scoring System”
- Scoring of a vulnerability from 0 to 10
- Scoring standards change over time; there are different versions
- Scores assigned by NVD
Define
SIEM
- “Security Information and Event Management”
- Aggregates logs and alerts from multiple systems
- Stores them long-term, which can require an extremely high amount of storage space
- Usually includes advanced reporting features and data correlation
Define
Syslog
- A standard format for message logging
- Allows for a variety of systems to have consolidated logs
- Used with SIEMs
Define
UEBA
- “User and Entity Behavior Analytics”
* Analyzes actual behavior to look for problematic patterns
Define
Sentiment Analysis
- Analyzes public opinion and discourse to determine potential threats
- A well-known and much disliked organization is more likely to get attacked
Define
SOAR
- Security Orchestration, Automation, and Response
- Automates routine security tasks, eliminating tedious work and human error and speeding up response time
- “Orchestrated” by connecting everything together, then automation takes it from there
Define
Lateral Movement
- Once an attacker has gained access through one vulnerable point in a network, lateral movement is when they move from one internal system to another.
- Most networks have strong security on the perimeter, but not as much security inside, making lateral movement much easier than the initial penetration.
Define
Persistence
- Something left behind by an attacker who has penetrated a system so they can easily regain / continue access
- Ex. leaving a backdoor, creating a user account, changing the password of an existing user
- Even if the initial vulnerability / exploit has been closed, “persistence” allows the attacker to continue accessing the system.
Define
Pivot
- The “pivot” is the point or device which is used to gain access to systems that are normally not accessible
- Serves as a jumping-off point to other systems. Could act as a relay or a proxy.
List the Steps of a Pentest
- Define “Rules of Engagement” in official document
- Determine working knowledge (how much will the testers know about the environment)
- Perform reconnaissance
- Exploit vulnerabilities / try to break into the system
- Attain initial exploitation, attain lateral movement, establish persistence, and pivot
- Cleanup - leave the network in its original state
Define and Provide Five Examples of
Passive Footprinting
• Reconnaissance using open sources, without detection
Sources could include:
- Social media
- Corporate website
- Online forums
- Social engineering
- Dumpster diving
Define
Warflying
• Same as wardriving, but performed with a drone flying over buildings/areas
Define
Wardriving
- Scan Wi-Fi across an area to collect SSIDs, type of encryption used, etc.
- Can be combined with GPS info to generate a map
Define and Provide Examples of:
Active Footprinting
- Reconnaissance by actively sending information into the network or devices.
- Can gain a lot of information, but activity would be detectable on the network and in logs.
Could include:
- Ping scans
- Port scans
- DNS queries
- OS scans, OS fingerprinting
- Service scans
- etc.
What teams exist in exercises?
- Red team
- Blue team
- Purple team
- White team
Define
Red team
- Offensive security team
* hired to attack for exercise purposes
Define
Blue team
- Defensive security team in an exercise
- Operational security
- incident response
- threat hunting
- digital forensics
Define
Purple team
• Red team and blue team combined together for an exercise, to work cooperatively rather than competitively
Define
White team
- Manages the interactions between red teams and blue teams
- Enforces rules of security exercise, resolves any issues
- Manages post-event assessments and results.