1.2 - Given a scenario, analyze potential indicators to determine the type of attack. Flashcards
Malware
- malicious software
- harms usrs comp/data
- targets info stored on local comps + other resources/comps
- takes advantage of weaknesses/system vulnerabilities -> makes it more dangerous + enables it to spread more effectively
- gathers info (keystrokes)
- viruses + worms
Ransomware + protection
- malware that takes over comp. + demands ransom
- perps want ur $, will take ur comp. in the meantime
- could be a false ransom
-> locks ur comp. “by the police” (fake law-enforcement notice) - ransom may be avoidable
- security professional might be able to remove these kinds of malware
Protection
- ALWAYS have a backup, ideally an offline backup
- Keep OS up to date
-> patch vulnerabilities
- Keep apps up to date
-> security patches
- Keep antivirus + antimalware signatures up to date
- Keep everything up to date
Trojans
- malware disguised as legit software
- rely on unsuspecting ppl running them -> provides perp with a path into the sys./device
- software designed to be something else (typically hidden)
- captures/conquers ur comp. -> free rein once inside
- can open gates 4 other programs
- can perform actions without usr's knowledge/consent
- can collect + send data, causing comp. to malfunction
- don’t replicate themselves like viruses do
- circumvent existing sec.
- often classified by payload/function
Most common
- backdoor
- downloader
- infostealer
- keylogger
PUPs (Potentially unwanted programs)
- typically installed without the user knowing
- identified by antivirus/anti-malware
- potentially undesirable software
- often installed along with other software
- overly aggressive toolbar
- backup utility that displays ads
- browser search engine hijacker
- includes spyware, browser toolbars, web browser tracking, adware, dialers
Symptoms
- can slow down system, etc.
Detection/Removal
- antivirus/antimalware tools
Mitigation
- limit usr rights to prevent software installs
- limit what software can be installed
- awareness
-> best practices
Command and control
- bots in a botnet contact a central control system -> it provides commands + updates + tracks how many sys. are in the botnet
- mechanism by which malicious software communicates with remote server/controller
- allows perps to send instructions to malware on infected comp.
- these servers are essential for managing/maintaining control over compromised systems
Bots + infection + prevention
- automated comp. program
- doesn’t need usr interaction
- outside sources can control
- ur machine becomes a bot once infected
- sits around -> checks in with command + control server -> waits for instructions
Infected via
- trojan horse
- OS/app vulnerability
- port left open
- unpatched vulnerability
Prevention
- OS/app patches
- antivirus/antimalware
- updated signatures
- identifying existing infection
-> on demand scans
-> network monitoring
- prevent command + control
-> block at firewall
-> identify at workstation with host-based firewall/host-based IPS
Cryptomalware
- newer gen. of ransomware
- data unavailable until u provide the $
- malware encrypts ur data files BUT ur OS remains available
-> want u running but not working - pay to obtain decryption key
-> untraceable payment system
-> unfortunate use of public key cryptography
Logic bombs + prevention
- virus/trojan horse
- executes malicious actions when certain event occurs OR after certain period of time
- time bomb (time or date)
- user event (logic bomb)
- difficult to identify
Prevention
- process + procedures
-> formal change control
- electronic monitoring
-> alert on changes
-> host based intrusion detection
- constant auditing
-> admin can circumvent existing systems
Spyware + detection + protection
- malware spies on you
- can change comp's config without consent
- software communicates info from the user's system to another party without the user knowing
- EX: advertising, identity theft, etc.
- EX: browser monitoring, surfing habits, keyloggers
Detection
- slow system
- Windows desktop slow coming up
- clicking link doesn’t do anything/takes you to unexpected website
- browser homepage changes (might not be able to reset it)
- webpages automatically added to your favorites list
Protection (adware + spyware)
- know what ur installing
- maintain antivirus/antimalware, always have latest signatures
- have a backup
- Malwarebytes (run scans)
Keylogger trojans
- monitors + sends keystrokes from infected comp.
- EX: passwords, CC #s, messages
RAT (remote access Trojan) + protection
- provide perp with remote access to sys.
- allows perp to take control of systems remotely
- installs without usr's knowledge
- remote admin tool -> ultimate backdoor
- malware installs server/service/host and perp connects with client software
- identifying whether it’s a legit remote support tool or not is difficult
-> may cause false positives
- EX of RAT capabilities: key logging, screen recording, screenshots, copying files, embedding more malware, etc.
Protection
- DON’T run/download unknown software
- ALWAYS consider the consequences
- Keep antivirus/anti-malware signatures up to date
- ALWAYS have a backup
- security awareness
- antimalware
Rootkit + detection + removal
- software that can be installed/hidden
- designed to allow perps to access a sys. thru a backdoor
- can be part of software packages, installed thru unpatched vulnerabilities, or downloaded/installed by usrs
- compromise system + gain elevated privileges
- can lead to compromising other devices on network
- programs that view traffic/keystrokes + alter existing files to escape detection/create system backdoor
- modifies core system files
- might be invisible to the OS + antivirus software b/c it runs in the background
- use encryption to protect outbound comms. + piggyback commonly used ports to communicate without interrupting apps
Detection
- look at memory processes
- monitor outbound comms.
- check for newly installed software
- antimalware scans
- detection tools look for behaviors + signatures typical of rootkits
- integrity checking
- data validation
Removing
- use a remover specific to the rootkit
- Secure Boot with UEFI (BIOS)
- have to remove the rootkit AND the malware the rootkit is using
Backdoor
- provide access that bypasses normal authentication/authorization procedures
- not malicious on its own - app code functions devs create intentionally/unintentionally
- shortcut entry point added to allow rapid code eval/testing during app development
- can allow perp unauthorized access if they’re not removed b4 app deployment
Detection
- check for unexpected open ports + services
Password attacks
- two categories
-> online attack
-> offline attack
Spraying attack + detection
password attacks
- trying many incorrect pswds against one acct -> eventually locked out
- so attack each acct with only the top 3+ most common pswds
-> move on to the next acct if they don’t work
-> no lockouts, alarms, or alerts
- slow approach
Detection
- a single failed login across multiple accts at the same time
Dictionary attacks + prevention
password attacks
- trying every word in dict. to gain access to system
- common word lists available on the net + can sometimes be customized by language/line of work
- pswd crackers can substitute letters (p&ssw0rd)
- takes time
- discover pswds for common words
-> won’t discover random-character pswds
- can use dif. custom dicts.
-> list could have 1234 and abcde
- most successful on simple pswds b/c the attack tries each word in the list
Prevention
- “password” is easily compromised
-> changing “o” to numeral “0” + changing “a” to “@” could thwart attack
Brute force attacks + online + offline
password attacks
- tries every possible pswd combo until it matches hash
- relies on cryptanalysis or hashing alg.
- could take time b/c a strong hashing alg. slows things down
- cracks short pswds faster than dict. attacks
Online
- keep trying login process
- slow
- most accts lockout after certain # of failed attempts
Offline
- obtain list of usrs + hashes
- calculate pswd hash + compare to stored hash
- large computational resources
- attempts to exhaust all possible combos
Offline attacks
password attacks
- convenient b/c can iterate thru dif. methods + countless attempts
- perp has access to material independent of the source system
- EX: encrypted password database might have been downloaded
- less risky for perp
-> perp has opportunity to circumvent control wthout detection
Online attacks + detection + prevention
password attacks
- occurs while connected to a system
- EX: automated/manual attack against ur web based email acct
-> attacker tries logging in with ur username/pswd
Detection
- usrs getting locked out of their accts
Prevention
- security best practices can help avoid
- EX: locking accts after several failed attempts
Rainbow table
password attacks
- optimized prebuilt set of hashes (doesn’t have to contain every hash)
- saves time + storage space
- contain precalculated hash chains
- speed increase, especially wth longer pswd lengths
- need dif. tables for dif. hashing methods
-> Windows is dif. than MySQL
- can occur offline - perp only has to search against the required pswd hashes
Plaintext/unencrypted
- pswds shouldn’t be unencrypted in plaintext b/c easy to compromise
- some apps store pswds unencrypted “in the clear”
-> u can read the stored pswd
- anyone with access to pswd file/database has every cred.
- get a better app if it saves pswd as plaintext
Physical attacks
- opportunities for attacks, often thru use of or on peripheral devices
Malicious USB cable + prevention
Physical attacks
- looks like normal one BUT has additional electronics inside
- OS identifies it as a HID (human interface device)
-> looks like you’ve connected a keyboard/mouse
-> a keyboard doesn’t need extra rights/permissions
- cable takes over once connected
-> downloads/installs malicious software
Prevention
- don’t plug in just any USB cable
- ALWAYS use trusted hardware
Malicious flash drive + prevention
Physical attacks
- could act as a HID (human interface device)/keyboard
-> starts a command prompt + types anything without ur intervention
- perp can load malware into docs
- can be configured as boot device, then infects comp. after reboot
- acts as ethernet adapter
-> redirects/modifies internet traffic requests
-> acts as wireless gateway for other devices
Prevention
- NEVER connect an untrusted USB device
Card cloning
Physical attacks
- creates duplicate of a card
-> looks/feels like OG
-> often includes the printed CVC (card validation code)
- card details come from a skimmer b/c a clone needs an original
- can only be used with magnetic stripe cards
-> b/c the chip can’t be cloned
- cloned gift cards r common
Skimming + prevention
Physical attacks
- stealing CC info, usually during normal transaction
-> copies data from the magnetic stripe (card #, expiration date, card holder's name)
- perp uses the CC info for other financial transactions
- fraud is the responsibility of the seller
- ATM skimming = includes a small camera to watch for ur PIN
Prevention
- ALWAYS check before using card readers