2. Attacks Flashcards

1
Q

Into what broad categories can attacks be grouped?

A

Software and protocol/service.

2
Q

social engineering

A

An attack against a user, typically involves some form of social interaction.

3
Q

phishing

A

An attacker masquerades as a trusted entity to obtain sensitive information from users.

4
Q

spear phishing

A

A phishing attempt that targets a specific group.

5
Q

whaling

A

A phishing attempt at a high-value target.

6
Q

vishing

A

A phishing attempt using voice communication technology.

7
Q

tailgating

A

The tactic of following closely behind a person who has just used their own legitimate access to a building or room.

8
Q

impersonation

A

An attacker assumes a role that is recognized by the target, and uses the target’s bias against their better judgement.

9
Q

third-party authorization

A

Using previously obtained information (project, deadline, boss, etc.), an attacker arrives with:

  1. something the victim is quasi-expecting and would otherwise see as normal,
  2. the guise of an urgent issue in which the attacker would be helpful, or someone not to upset,
  3. and a name drop of “Mr. Big”.
10
Q

watering hole attack

A

The method of infecting a target website with malware. These are complex and often the work of nation states.

11
Q

list: 2 major social engineering principles

A
  1. Most people want to be helpful.
  2. Most people seek to avoid confrontation.

12
Q

list: at least 5 social engineering tools

A
Authority
Intimidation
Consensus
Scarcity
Familiarity
Trust
Urgency
13
Q

describe: trust (social engineering)

A

An understanding of how something will act under specific conditions.

The whole objective of social engineering is not to force people to do things they would not do, but rather to give them a pathway that leads them to feel they are doing the correct thing in that moment.

14
Q

DoS

A

Denial of Service. An attack to prevent access to a target system.

15
Q

DDoS

A

Distributed Denial of Service. An attack that employs multiple attacking systems, typically a botnet.

16
Q

man-in-the-middle

A

An attack that inserts itself between 2 legitimate communicators. All communication is routed through the attacker’s host.

17
Q

session hijacking

A

A MitB attack. Information is stolen and allows the attacker to impersonate a legitimate session.

An example is a cross-site scripting attack, which tricks the user into executing code, resulting in cookie theft.

18
Q

buffer overflow

A

The input buffer that is used to hold program input is overwritten with data that is larger than the buffer can hold.

Such attacks typically inherit the privilege level of the program being exploited.

19
Q

list: root causes of buffer overflow

A

Poor programming practice and programming language weakness.

C was designed for space and performance. Many functions, like gets(), are unsafe in that they permit operations such as unbounded string manipulation into fixed buffer locations.

20
Q

SQL injection

A

A tactic of modifying input so that it becomes part of the resulting SQL statement. XML and LDAP injections are done in the same fashion.

21
Q

XSS

A

Cross-site scripting. A common web attack method, wherein an attacker can include a script in their input, and have it rendered as part of the web process.

22
Q

list: 3 types of XSS attacks

A
  1. Non-persistent XSS. The injected script is not stored, but immediately executed and passed back via the web server.
  2. Persistent XSS. The script is permanently stored on the web server or in some back-end storage.
  3. DOM-based XSS. The script is executed in the browser via the Document Object Model (DOM) process, as opposed to the web server.
23
Q

list: 4 ways to limit XSS attacks

A
  1. Use of anti-XSS libraries to strip scripts from input sequences.
  2. Limiting types of uploads.
  3. Screening size of uploads.
  4. Whitelisting inputs.
24
Q

XSRF

A

Cross-site request forgery. An attack that utilizes unintended behaviors that are proper in defined use, but are performed under circumstances outside authorized use.

An example of the confused deputy problem.

Performed against sites that have authenticated a user. The attack exploits the site’s trust in a previous authentication event.

By tricking a user’s browser to send an HTTP request to the target site, the trust is exploited.

25
Q

list: 4 protections against XSRF

A
  1. Limit authentication times
  2. Cookie expiration
  3. Web page header checking
  4. Random XSRF tokens (strongest method)
26
Q

list: privilege escalation methods

A
  1. Using existing privilege to perform an act that steals better credentials (e.g. use of a sniffer, obtaining the SAM or /etc/passwd file).
  2. Through vulnerabilities in running processes that have elevated privilege (e.g. injecting malicious code).
27
Q

ARP poisoning

A

Wherein an attacker corrupts an ARP table, causing packets to be misrouted.

28
Q

amplification

A

Wherein an attacker uses a specific protocol to achieve what a single machine cannot do by itself (e.g. the ICMP ping command).

29
Q

DNS poisoning

A

The changing of where DNS is resolved.

Using a VPN can change a DNS source, and this may be desired, but unauthorized changes can be attacks.

30
Q

domain hijacking

A

The act of changing the registration of a domain name without the permission of its original registrant.

31
Q

DNS spoofing

A

Wherein an attacker changes a DNS record.

32
Q

DNSSEC

A

Domain Name System Security Extensions. A US government project that digitally signs DNS records with a key.

33
Q

Man-in-the-Browser

A

An MitB attack that changes browser behavior through helper objects or extensions. The financial malware Zeus targeted financial transactions on user machines, changing input after the users entered their credentials.

34
Q

zero-day attack

A

One that uses a vulnerability for which there is no previous knowledge outside of the attacker, or at least not the software vendor.

35
Q

replay attack

A

Wherein the attacker captures a portion of a communication between two parties and retransmits it at a later time.

36
Q

list: 3 protections from replay attacks

A
  1. Encryption
  2. Cryptographic authentication
  3. Time stamps
37
Q

pass the hash

A

A hacking technique where the attacker captures the hash used to authenticate a process.

38
Q

hijacking

A

An attacker that hijacks a user’s experience, typically after an exchange of credentials, or in the background in a manner where the user is unaware of the attack.

39
Q

clickjacking

A

Tricks a user into clicking something different from what the user perceives. May be a transparent overlay, or some other rogue disguise, but net result is that user unknowingly clicks an attacker’s hidden control, causing the browser to execute the attacker’s code.

40
Q

session hijacking / TCP/IP hijacking

A

A process of taking control of an already existing session between a client and server.

Advantage is that the attacker does not have to circumvent any authentication methods.

41
Q

URL hijacking

A

A generic name for a wide range of attacks that target the URL, the primary means by which a user receives web content.

42
Q

typo squatting

A

A URL attack that involves routing traffic to similarly-spelled, but illegitimate sites.

43
Q

driver manipulation

A

An attack on a system by changing drivers, thus changing the behavior of a system.

44
Q

shimming

A

To put a layer of code between the driver and the OS.

Can be used to improve portability between OS updates. Can also be used maliciously.

45
Q

refactoring

A

The process of restructuring existing software without changing its external behavior.

46
Q

spoofing

A

Simply making data appear as though it comes from a different source.

47
Q

smurf attack

A

Wherein the packet sent by the attacker to a broadcast address is an echo request with the From address forged.

48
Q

Describe spoofing a trusted relationship.

A

An attacker can take advantage of a trusted relationship (two systems are configured to accept the authentication of each other) by modifying a packet to have a trusted system’s From address instead of the attacker’s From address.

49
Q

IV attack

A

Initialization Vector attack.