2) Security Part 2 Flashcards
Malware: Ransomware
Locks all files and requests money in order to unlock.
In some cases, it doesn’t lock anything.
Can sometimes be removed with anti-malware
Crypto-Malware (Latest Ransomware)
Encrypts all files and requires payment in order to decrypt.
Very powerful encryption. The only way to decrypt is to send them money.
Keep an offline copy of your backup to avoid losing data.
Malware: Trojan Horse
Malware disguised as software. Doesn't care about replicating. Can circumvent existing security. Some trojans can disable anti-malware. Can install other types of malware.
Malware: Keylogger
Captures all keystrokes in order to acquire valuable personal information.
Logins, emails, URLs, passwords
Circumvents encryption because it records the keyboard directly.
Clipboard logging, screen logging, instant messaging, search engine queries
Malware: Rootkit
Originally a UNIX technique (named after the “root” user)
Modifies core system files (part of the kernel)
Has complete control over OS
Can be invisible to system & anti-malware/virus
Malware: Virus
Generic term for malware that spreads/reproduces
Requires you to execute a program
Reproduces through file systems or networks
Some are invisible, some are annoying
Very common, thousands created every week
Program Virus - part of application
Boot Sector Virus - hides in boot sector
Script Virus - OS & browser-based
Macro Virus - Common in Microsoft Office
Malware: Botnet
Robot networks
Once your machine is infected, it becomes a bot/zombie
Can be installed with worms/trojans/viruses
Waits for third-party instructions
Third party can send out emails, perform DDoS, etc
Malware: Worm
Malware that self-replicates quickly
Requires no human intervention
Uses network as transmission medium
Firewalls & IDS/IPS can mitigate/prevent many worm infestations
Malware: Spyware
Malware that spies on you.
Advertising, identity theft, affiliate fraud
May come from a trojan.
Watches browsing habits
Sometimes uses keyloggers
Anti-Virus/Anti-Malware
You need both of these.
Real-time options (not just on-demand)
Modern anti-malware recognizes malicious activity
Doesn’t require a specific set of signatures
Recovery Console
WinRE = Very Powerful/Dangerous - Last Resort
Gives complete control of OS
May need to repair boot sectors or file systems
Backup/Restore
Always have a backup
Image backup built into Windows 7/8/10
The only way to be 100% sure malware is removed
End User Education
One-on-one & personal training
Posters & signs to remind users
Message board posting
Login message (becomes invisible over time)
Intranet page
Software Firewalls
Monitor the local computer
Alert on unknown/unauthorized network communication
Prevent malware communication
Windows Defender Firewall
or Third Party
Should be running by default
DNS Configuration
Secure DNS Services
External/hosted DNS service
Real-time domain blocking
Sites with malware become unresolvable
Constantly updated with known bad sites
Runs on secure platform
Avoids DNS cache poisoning attacks
Social Engineering: Phishing
Social engineering with a touch of spoofing.
Often delivered by spam, IM, etc.
Check the URL
Usually something is not quite right
Vishing (Voice Phishing)
“I’m from IRS, need money, get gift cards”
Social Engineering: Spear Phishing
Phishing with inside information.
Makes attack more believable
Specific targets
Spear phishing CEO is “whaling”
Social Engineering: Impersonation
Pretending to be someone they aren’t
Use details from online resources or trash to seem legitimate
Calls from someone “higher up”
Throwing technical details around
Social Engineering: Shoulder Surfing
Someone looking over your shoulder to see information on screen (easy)
Social Engineering: Tailgating
Using someone else to gain access to a building.
Can simply follow someone into a building.
Social Engineering: Dumpster Diving
Using a dumpster/garbage to gather information.
Can be used to gather details for a different attack.
Names, phone numbers, etc
DDoS
Distributed Denial of Service
Launching an army of computers to bring down a service.
Botnets can be used for this
The attacking machines are “zombie” computers
ISP may have anti-DDoS systems
Can help “turn down” the DDoS volume
DoS
Denial of Service
Forcing a service to fail (commonly overloading)
Can take advantage of a vulnerability
Can send a single packet that causes the service to become unavailable
Can be a smokescreen for another exploit
Doesn’t have to be complicated
Even turning off the power to a building
Unintentional DoS
Network DoS (Layer 2 loop without STP)
Bandwidth DoS (downloading large files over a DSL line)
Zero-Day
The vulnerability has not yet been detected or published.
Many applications have vulnerabilities
They just haven’t been found yet
White Hat: Reports vulnerability to developer
Black Hat: Exploits or sells vulnerability
MITM
Man-In-The-Middle
Redirects network traffic and then passes it on to the destination.
You never know your traffic was redirected.
ARP Poisoning (Spoofing)
Attacker sits in the middle and pretends to be a certain IP address, sending its own MAC address to be stored in the victim’s ARP cache.
Mitigate: Use encrypted protocols (HTTPS, SSH)
Client-based VPN
Encrypted wireless networks
Brute Force
Passwords are hashed and stored
1-way cryptographic process, cannot reverse
Online:
Attempting every possible iteration of a password.
Keeps trying to log in with different password combinations.
Most accounts will lock out.
Offline:
Obtain the list of users/hashes
Calculate password hash & compare to stored hash
Large computational resource requirement
Dictionary
A type of brute force attack.
Goes through popular password terms (a dictionary)
Common wordlists available on the internet
Catches users who use simple passwords
Rainbow Table
An optimized, pre-built set of hashes
Doesn’t need to contain every hash
The calculations are already done
You search through the calculated hashes
A simple search through a database
Need different tables for different hashing methods
Ex: Windows is different from MySQL
Won’t work with salted hashes
Salted hashes add an additional random value (the salt) to the original password before hashing
Spoofing
Pretending to be something you aren’t.
Ex: Fake web server, DNS server, etc
Email address spoofing
Caller ID spoofing
MITM attacks
MAC Spoofing
Many network drivers allow you to change MAC addresses (has legitimate uses)
Circumvent MAC-based ACLs
Very difficult to detect
IP Spoofing
Can be legit: Load balancing/testing
May not: ARP poisoning, DNS amplification/DDoS
Easier to identify than MAC spoofing
Non-Compliant System
It can be a challenge to constantly manage a device and make sure it’s in compliance.
SOE (Standard Operating Environments)
A set of tested/approved hardware/software
Standard OS image (usually)
OS & App Updates
Must have patches to be in compliance
OS updates, anti-virus signatures
Protecting against non-compliant systems:
OS controls, monitor network application traffic
Perform periodic scans
Require correction before giving access