2.2 Flashcards
Common threat vectors, phishing, impersonation, watering hole attacks, other social engineering attacks
A method used by the attacker to gain access to systems
Threat vector
AKA attack vector
How can message-based attack vectors be used? (3)
Phishing attacks - through email, text, IM
Malware - email attachment
Social engineering - invoice scams, cryptocurrency scams
How can image-based attack vectors be used? (1)
Image formats such as SVG (which is XML-based) can allow an attacker to edit the image description to include:
HTML injection
JavaScript attack code
This can be prevented via browser input validation that will avoid running malicious code
How can voice call attack vectors be used? (4)
Vishing - tries to obtain info over phone
Spam over IP - large-scale automated phone calls
War dialing
Call tampering - disrupting voice calls, DoS
How can file-based attack vectors be used? (3)
PDF format can contain other objects
ZIP/RAR/compressed files may contain different files
MS Office files can contain macros
How can removable device attack vectors be used? (4)
Get around the firewall via USB interface, can infect airgapped networks
Malicious software on USB
USB devices can act as keyboards
Data exfiltration - transfer large amounts of info, unplug it, and walk out the door
How can vulnerable software attack vectors be used? (2)
Client-based software
The attacker can infect the application/executable
This requires constant updates to mitigate
Agentless software
The attacker can compromise the central server, and would thereby affect all other users
This is very easy to distribute because this software is not installed on a machine; each person logging into that service is using a new (infected) instance of it
Difference between client-based and agentless software
Client-based software is installed on the system
Agentless software does not need to be installed; you connect to a separate system to access it, like a browser
How can unsupported system attack vectors be used? (3)
Unsupported systems are not patched, so there are no new security fixes
The manufacturer is under no obligation to help in crisis
A single system could be an entry point - keep your inventory and records current, make sure to identify every single unsupported system/application
How can unsecure network attack vectors be used? (4)
Attackers can view all non-encrypted data
Open or rogue wireless network can be accessed
Wired or wireless interfaces without 802.1X will not have proper authentication requirements
Bluetooth can be used for reconnaissance, or attackers can root out implementation vulnerabilities
Which wireless security protocols are outdated? (3)
WEP, WPA, WPA2
An authentication protocol used by wired AND wireless networks that prevents access to a network without providing proper credentials
802.1X
How can open service port attack vectors be used? (3)
Applications that listen to specific ports might be vulnerable or misconfigured
More services (more open ports) expand the attack surface
Misconfigured firewall rules can allow access to ports
How can default credentials attack vectors be used? (1)
Attackers can guess or search for default credentials online
How can supply chain attack vectors be used? (4)
A third party can have access to your infrastructure by riding inside trusted/existing equipment/software that has been tampered with. Attackers can tamper with the underlying infrastructure or manufacturing process
If an attacker gains access to your MSP, they have access to your network
Gain access to a network using a vendor
Suppliers can sell counterfeit networking equipment - install backdoors, or have substandard performance/availability
A type of social engineering that uses spoofing to attempt to gather information from the victim
Phishing
A type of URL hijacking where attackers misspell the domain name in a slight way to fool victims
Typosquatting
A method that attackers use to get a victim to engage in the fraud before being attacked. This method is NOT the attack itself.
This is often a story that the attacker makes up.
For example, the attacker may call posing as a Visa employee regarding an automated payment, and ask them to check their email.
A fraudulent email may have “RE:” attached to the beginning, making it seem as if it is an ongoing conversation.
An attacker may even impersonate someone and form a friendship/working relationship in order to set the victim up for a scam.
Pretexting
Phishing over phone or voicemail is called
Vishing
Phishing over text is called
Smishing
A type of pretexting where the attacker develops a character and a story, and plays that out with the victim as the audience
Impersonation
3 ways to protect against impersonation
Never volunteer sensitive information (passwords)
Don’t disclose personal details (address, phone number, etc.)
Always verify before revealing info - call back and verify through 3rd parties
True/False
Impersonation can go 2 ways:
An attacker can pretend to be another person to solicit details from you, or
They might pretend to be you to open bank accounts, take loans, obtain tax benefits, or open credit cards in your name
True
A type of attack where an attacker compromises a website that many victims access often
ex. Employees might order lunch every week from a certain sandwich shop, and use the online website to place the order. The attacker might compromise the sandwich shop website in order to get into the organization’s network.
Watering hole attack
3 ways to prevent watering hole attacks
Defense-in-depth
Firewalls and IPS together - the firewall might allow it, but the IPS will identify the suspicious traffic
Antivirus/antimalware signature updates
A type of social engineering in which people spread false information in order to create confusion or division, sway public opinion on social/political issues, or create visibility
This is sometimes used by foreign nation-state actors, advertisers, or social media influencers
Misinformation/disinformation
A type of social engineering where attackers create sites and social media accounts to impersonate popular brands in order to scam/infect victims
Brand impersonation