2.0 Threats, Vulnerabilities, and Mitigation Flashcards

1
Q

The entity responsible for an event that has an impact on the safety of another entity
– Also called a malicious actor
– Describes characteristics of the attacker
* Useful to categorize the motivation
– Why is this attack happening?
– Is this directed or random?

A

2.0 Threat Actors

2
Q

External entity
– Government and national security
* Many possible motivations
– Data exfiltration, philosophical, revenge, disruption, war
* Constant attacks, massive resources
– Commonly an Advanced Persistent Threat (APT)
* Highest sophistication
– Military control, utilities, financial control
– United States and Israel destroyed 1,000 nuclear centrifuges with the Stuxnet worm

A

Nation states

3
Q

Runs pre-made scripts without any knowledge of what’s really happening
– Anyone can do this
* Motivated by the hunt
– Disruption, data exfiltration, sometimes philosophical
* Can be internal or external
– But usually external
* Not very sophisticated
– Limited resources, if any
* No formal funding
– Looking for low hanging fruit

A

Unskilled attackers/Script Kiddie

4
Q

A hacker with a purpose
– Motivated by philosophy, revenge, disruption, etc.
* Often an external entity
– Could potentially infiltrate to also be an insider threat
* Can be remarkably sophisticated
– Very specific hacks
– DoS, web site defacing, private document release
* Funding may be limited
– Some organizations have fundraising options

A

Hacktivist

5
Q

More than just passwords on sticky notes
– Motivated by revenge, financial gain
* Extensive resources
– Using the organization’s resources against themselves
* An internal entity
– Eating away from the inside
* Medium level of sophistication
– The insider has institutional knowledge
– Attacks can be directed at vulnerable systems
– The insider knows what to hit

A

Insider threat

6
Q

Going rogue
– Working around the internal IT organization
– Builds their own infrastructure
* Information Technology can put up roadblocks
– Use the cloud
– Might also be able to innovate
* Limited resources
– Company budget
* Medium sophistication
– May not have IT training or knowledge

A

Shadow IT

7
Q

Professional criminals
– Motivated by money
– Almost always an external entity
* Very sophisticated
– Best hacking money can buy
* Crime that’s organized
– One person hacks, one person manages the exploits, another person sells the data, another handles customer support
* Lots of capital to fund hacking efforts

A

Organized crime

8
Q

Client-based
– Infected executable
– Known (or unknown) vulnerabilities
– May require constant update
Agentless
– No installed executable
– Compromised software on the server would affect all users
– Client runs a new instance each time

A

Vulnerable software vectors

9
Q

Patching is an important prevention tool
– Ongoing security fixes
* Unsupported systems aren’t patched
– There may not even be an option
* Outdated operating systems
– Eventually, even the manufacturer won’t help
* A single system could be an entry
– Keep your inventory and records current

A

Unsupported systems vectors

10
Q

The network connects everything
– Ease of access for the attackers
– View all (non-encrypted) data
* Wireless
– Outdated security protocols (WEP, WPA, WPA2)
– Open or rogue wireless networks
* Wired
– Unsecure interfaces - No 802.1X
* Bluetooth
– Reconnaissance, implementation vulnerabilities

A

Unsecure network vectors

11
Q

Most network-based services connect over a TCP or UDP port
– An “open” port
* Every open port is an opportunity for the attacker
– Application vulnerability or misconfiguration
* Every application has its own open port
– More services expand the attack surface
* Firewall rules
– Must allow traffic to an open port

A

Open service ports

12
Q

Most devices have default usernames and passwords
– Change yours!
* The right credentials provide full control
– Administrator access
* Very easy to find the defaults for your access point or router
– https://www.routerpasswords.com

A

Default credentials

13
Q

Tamper with the underlying infrastructure
– Or manufacturing process
* Managed service providers (MSPs)
– Access many different customer networks from one location
* Gain access to a network using a vendor
– 2013 Target credit card breach
* Suppliers
– Counterfeit networking equipment
– Install backdoors, substandard performance and availability
– 2020 - Fake Cisco Catalyst switches

A

Supply chain vectors

14
Q

Social engineering with a touch of spoofing
– Often delivered by email, text, etc.
– Very remarkable when well done
* Don’t be fooled
– Check the URL
* Usually there’s something not quite right
– Spelling, fonts, graphics

A

Phishing

15
Q

We trust email sources
– The attackers take advantage of this trust
* Spoofed email addresses
– Not really a legitimate email address
– professor@professormessor.com
* Financial fraud
– Sends emails with updated bank information
– Modify wire transfer details
* The recipient clicks the links
– The attachments have malware

A

Business email compromise

16
Q

How are they so successful?
– Digital sleight of hand - It fools the best of us
* Typosquatting
– A type of URL hijacking - https://professormessor.com
* Pretexting - Lying to get information
– Attacker is a character in a situation they create
– Hi, we’re calling from Visa regarding an automated payment to your utility service…

A

Tricks and misdirection

17
Q

Vishing (Voice phishing) is done over the phone or voicemail
– Caller ID spoofing is common
– Fake security checks or bank updates
* Smishing (SMS phishing) is done by text message
– Spoofing is a problem here as well
– Forwards links or asks for personal information
* Variations on a theme
– The fake check scam, phone verification code scam,
– Boss/CEO scam, advance-fee scam
– Some great summaries on https://reddit.com/r/Scams
© 2023 Messer Studios, LLC
Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 20

A

Phishing with different bait

18
Q

Before the attack, the trap is set - There’s an actor and a story
* “Hello sir, my name is Wendy and I’m from Microsoft Windows. This is an urgent check up call for your computer as we have found several problems with it.”
* Voice mail: “This is an enforcement action executed by the US Treasury intending your serious attention.”
* “Congratulations on your excellent payment history! You now qualify for 0% interest rates on all of your credit card accounts.”

A

The pretext

19
Q

Attackers pretend to be someone they aren’t
– Halloween for the fraudsters
* Use some of those details from reconnaissance
– You can trust me, I’m with your help desk
* Attack the victim as someone higher in rank
– Office of the Vice President for Scamming
* Throw tons of technical details around
– Catastrophic feedback due to the depolarization of the differential magnetometer
* Be a buddy - How about those Cubs?

A

Impersonation

20
Q

Extracting information from the victim
– The victim doesn’t even realize this is happening
– Hacking the human
* Often seen with vishing (Voice Phishing)
– Can be easier to get this information over the phone
* These are well-documented psychological techniques
– They can’t just ask, “So, what’s your password?”

A

Eliciting information

21
Q

Your identity can be used by others
– Keep your personal information safe!
* Credit card fraud
– Open an account in your name, or use your credit card information
* Bank fraud
– Attacker gains access to your account or opens a new account
* Loan fraud
– Your information is used for a loan or lease
* Government benefits fraud
– Attacker obtains benefits on your behalf

A

Identity fraud

22
Q

Never volunteer information
– My password is 12345
* Don’t disclose personal details
– The bad guys are tricky
* Always verify before revealing info
– Call back, verify through 3rd parties
* Verification should be encouraged
– Especially if your organization owns valuable information

A

Protect against impersonation

23
Q

Determine which website the victim group uses
– Educated guess - Local coffee or sandwich shop
– Industry-related sites
* Infect one of these third-party sites
– Site vulnerability
– Email attachments
* Infect all visitors
– But you’re just looking for specific victims
– Now you’re in!

A

Watering Hole Attack

24
Q

Disseminate factually incorrect information
– Create confusion and division
* Influence campaigns
– Sway public opinion on political and social issues
* Nation-state actors
– Divide, distract, and persuade
* Advertising is an option
– Buy a voice for your opinion
* Enabled through social media
– Creating, sharing, liking, amplifying

A

Misinformation/disinformation

25
Q

Pretend to be a well-known brand
– Coca-Cola, McDonald’s, Apple, etc.
* Create tens of thousands of impersonated sites
– Get into the Google index, click an ad, get a WhatsApp message
* Visitors are presented with a pop-up
– You won! Special offer! Download the video!
* Malware infection is almost guaranteed
– Display ads, site tracking, data exfiltration

A

Brand impersonation

26
Q

Always update
– Monthly or on-demand updates
– It’s a race between you and the attackers
* May require testing before deployment
– A patch might break something else
* May require a reboot
– Save all data
* Have a fallback plan
– Where’s that backup?

A

Best practices for OS vulnerabilities

26
Q

Add code into the memory of an existing process
– Hide malware inside of the process
* Get access to the data in that process
– And the same rights and permissions
– Perform a privilege escalation

A

Memory injection

27
Q

Dynamic-Link Library
– A Windows library containing code and data
– Many applications can use this library
* Attackers inject a path to a malicious DLL
– Runs as part of the target process
* One of the most popular memory injection methods
– Relatively easy to implement

A

DLL injection

28
Q

Overwriting a buffer of memory
– Spills over into other memory areas
* Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
* Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
* A really useful buffer overflow is repeatable
– Which means that a system can be compromised

A

Buffer overflows

29
Q

A programming conundrum
– Sometimes, things happen at the same time
– This can be bad if you’ve not planned for it
* Time-of-check to time-of-use attack (TOCTOU)
– Check the system
– When do you use the results of your last check?
– Something might happen between the check and the use

A

Race condition

30
Q

Adding your own information into a data stream
* Enabled because of bad programming
– The application should properly handle input and output
* So many different data types
– HTML, SQL, XML, LDAP, etc.
* An example of website code:
– "SELECT * FROM users WHERE name = '" + userName + "'";
* How this looks to the SQL database:
– "SELECT * FROM users WHERE name = 'Professor'";
* Add more information to the query:
– "SELECT * FROM users WHERE name = 'Professor' OR '1' = '1'";
* This could be very bad
– View all database information, delete database information, add users, denial of service, etc.

A

Code injection

30
Q

The most common relational database management system language
* SQL injection (SQLi)
– Put your own SQL requests into an existing application
– Your application shouldn’t allow this
* Can often be executed in a web browser
– Inject in a form or field

A

SQL injection - SQL - Structured Query Language

31
Q

One of the most common web app (browser) vulnerabilities
– Takes advantage of the trust a user has for a site
– Complex and varied
* Commonly uses JavaScript
– Do you allow scripts? Me too.

A

Cross-site scripting (XSS)

32
Q

Web site allows scripts to run in user input
– Search box is a common source
* Attacker emails a link that takes advantage of this vulnerability
– Runs a script that sends credentials/session IDs/cookies to the attacker
* Script embedded in URL executes in the victim’s browser
– As if it came from the server
* Attacker uses credentials/session IDs/cookies to steal victim’s information without their knowledge
– Very sneaky

A

Non-persistent (reflected) XSS attack

33
Q

Attacker posts a message to a social network
– Includes the malicious payload
* It’s now “persistent”
– Everyone gets the payload
* No specific target
– All viewers to the page
* For social networking, this can spread quickly
– Everyone who views the message can have it posted to their page
– Where someone else can view it and propagate it further…

A

Persistent (stored) XSS attack

34
Q

Cloud adoption has been nearly universal
– It’s difficult to find a company NOT using the cloud
* We’ve put sensitive data in the cloud
– The attackers would like this data
* We’re not putting in the right protections
– 76% of organizations aren’t using MFA for management console users
* Simple best-practices aren’t being used
– 63% of code in production is unpatched
– Vulnerabilities rated high or critical (CVSS >= 7.0)

A

Security in the cloud

34
Q

The hypervisor manages the relationship between physical and virtual resources
– Available RAM, storage space, CPU availability, etc.
* These resources can be reused between VMs
– Hypervisor host with 4 GB of RAM
– Supports three VMs with 2 GB of RAM each
– RAM is allocated and shared between VMs
* Data can inadvertently be shared between VMs
– Time to update the memory management features
– Security patches can mitigate the risk

A

Resource reuse

34
Q

The virtual machine is self-contained
– There’s no way out
– Or is there?
* Virtual machine escape
– Break out of the VM and interact with the host operating system or hardware
* Once you escape the VM, you have great control
– Control the host and control other guest VMs
* This would be a huge exploit
– Full control of the virtual world

A

VM escape protection

35
Q

Quite different than non-virtual machines
– Can appear anywhere
* Quantity of resources varies between VMs
– CPU, memory, storage
* Many similarities to physical machines
– Complexity adds opportunity for the attackers
* Virtualization vulnerabilities
– Local privilege escalations
– Command injection
– Information disclosure

A

Virtualization security

36
Q

March 2017 - Pwn2Own competition
– Hacking contest
– You pwn it, you own it - along with some cash
* JavaScript engine bug in Microsoft Edge
– Code execution in the Edge sandbox
* Windows 10 kernel bug
– Compromise the guest operating system
* Hardware simulation bug in VMware
– Escape to the host
* Patches were released soon afterwards

A

Escaping the VM

37
Q

Denial of Service (DoS)
– A fundamental attack type
* Authentication bypass
– Take advantage of weak or faulty authentication
* Directory traversal
– Faulty configurations put data at risk
* Remote code execution
– Take advantage of unpatched systems
– Attack the application
* Web application attacks have increased
– Log4j and Spring Cloud Function
– Easy to exploit, rewards are extensive
* Cross-site scripting (XSS)
– Take advantage of poor input validation
* Out of bounds write
– Write to unauthorized memory areas
– Data corruption, crashing, or code execution
* SQL injection
– Get direct access to a database

A

Cloud Specific Vulnerabilities
