2.4 Flashcards
An overview of malware, viruses and worms, spyware and bloatware, other malware types, physical attacks, denial of service, DNS attacks, wireless attacks, on-path attacks, replay attacks, malicious code, application attacks, cryptographic attacks, password attacks, indicators of compromise
Software doing bad things to your system
Malware
A download that happens automatically without the user clicking on or opening anything
Drive-by download
A type of malware that encrypts or exfiltrates your computer’s data, and then asks for a sum of money to return or not expose the data
Ransomware
If you log into your computer and find that your files are encrypted, what type of malware is your computer infected with? Besides the encryption, your computer works normally.
Ransomware
True/False
Keep your backups online so that you can quickly restore them.
False
Keep your backups offline (or otherwise unreachable from the network) so that attackers and the ransomware itself can’t encrypt or delete them
4 ways to protect against ransomware
Have an offline backup
Keep your OS updated
Keep your applications patched
Keep your antimalware signatures up-to-date
A type of malware that replicates itself via user intervention (ex. clicking a link, running an executable)
Virus
A type of virus that runs as part of an application
Program virus
A type of virus that automatically runs as the system boots
Boot sector virus
A type of virus that runs as part of a script on a browser
Script virus
A type of virus commonly found in Microsoft Office files as part of a small application embedded within the file
Macro virus
A type of virus that never writes an executable to your storage drives. It operates in memory, typically launched by a script (ex. PowerShell) from a registry autorun entry or scheduled task, so there is no installed file for signature-based antivirus to scan.
Fileless virus (fileless malware)
A type of malware that self-replicates without human intervention. This malware can attack at any time and move freely within your network once it gets in.
Worm
What are the 2 main technologies that stop worm infections?
Firewalls and IPS/IDS
A type of malware that monitors your browsing, takes screen captures, and may log your keystrokes. This data is sometimes used for advertising, identity theft, or affiliate fraud.
Spyware
4 ways to protect against spyware
Maintain your antimalware signatures
Research what you’re installing
Keep a backup!
Run antimalware scans
A type of malware that might be benign other than the fact it takes up storage and memory, and reduces performance. It’s something that you don’t need and don’t expect, often forcibly bundled with other apps.
This malware can open your system to exploits, even if it doesn’t damage your device on its own.
Bloatware
3 ways to remove bloatware
Manually remove it
Use the built-in uninstaller
Third-party uninstallers and cleaners (always have a backup!)
A type of spyware that logs your keystrokes and sends them to the attacker
Often includes clipboard logging, screen logging, instant messaging, and search engine queries
Keylogger
A type of malware that performs an action after a predefined event has happened (ex. date and time or user event)
This malware is usually left by someone with a grudge (ex. a departing employee). Because each one is written for a specific target, there is no generic malware signature to match against. There are NO KNOWN SIGNATURES.
Logic bomb
3 ways to prevent a logic bomb
Processes and procedures to protect configurations from being changed (formal change control)
Electronic monitoring (alert on changes, HIDS)
Constant auditing
A type of malware that modifies core system files or the kernel itself in a way that is invisible to the OS. Essentially, it becomes a part of the kernel/OS of the machine. Because it runs with kernel-level privilege and can hide its own files and processes, antivirus running on top of that OS may not see it.
It has full run of your computer.
Rootkit
3 ways to find and remove rootkits
Look for unusual symptoms (identify with antimalware software)
Use a remover specific to the type of rootkit
Secure boot with UEFI (stops boot-level rootkits, a.k.a. bootkits)
How can Secure Boot help identify and remove a rootkit?
UEFI Secure Boot checks the digital signature of the bootloader and kernel against keys stored in firmware before they execute. A rootkit that tampers with these boot components breaks the signature, so the firmware refuses to load the modified code and the rootkit never runs, even if it was installed. Caveat: this protects the boot chain only; a rootkit loaded later through a signed-but-vulnerable driver still needs the other two methods above.
A type of physical attack where the attacker gains physical access to the device that they want to break into. They do this by forcing doors open or breaking windows.
Brute force
A type of physical attack where attackers make copies of access badges or key fobs of authorized personnel. They can read one card/fob and then immediately copy it to another in a matter of seconds, without the authorized individual knowing.
RFID cloning
How is RFID cloning mitigated?
MFA
The attacker might have the badge, but they likely don’t have other information
A type of physical attack where the attacker attacks everything supporting the technology. Cutting off power, interfering with HVAC (Heating, Ventilation, AC) or humidity controls, taking down fire suppression, etc.
Environmental attack
A type of attack where the attacker causes a service or device to fail, preventing authorized users from accessing it
DoS
A DoS attack where the cause is unintentional, often performed by legitimate individuals. This can happen through a programming error, accidentally downloading something too large/complex for a device to handle, or by a piece of equipment breaking (ex. a water line breaking in the IT dept)
“Friendly” DoS
A type of attack where the attacker causes a service or device to fail by enlisting a large number of computers to take up the resources of that device.
DDoS
A type of threat where the attacker has comparatively fewer resources than the victim
Asymmetric threat
What kind of attack is often called an asymmetric threat?
DDoS
The attacker by themself often has fewer resources than the network they attempt to bring down. But with the help of a botnet, they can be successful.
A method of carrying out a DDoS attack in which the attacker sends a query to a server, and spoofs their IP address so the response of that query will be sent to the victim.
Both the query and response are relatively the same size and are of the same protocol.
DDoS reflection
A method of carrying out a DDoS attack in which the attacker sends a query to a server, and spoofs their IP address so the response of that query will be sent to the victim.
The response is much larger than the original query, meaning that the attacker doesn’t have to expend many resources in exchange for a large attack.
DDoS amplification
Which 3 protocols can be abused to perform DDoS amplification?
NTP, DNS, ICMP
3 methods to perform DNS poisoning
Modify the DNS server
Modify the device’s hosts file (local entries take precedence over DNS queries)
Via MITM, intercept the legitimate DNS server response, and instead send one of your own (real-time redirection)
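An added example (not part of the original flashcards) for the second method above: a small audit of a hosts file that flags public domains pinned to a local or attacker-controlled address. The hosts content, the domain names and the IP addresses are constructed for the demo; the public-domain list is an assumed allowlist an organization would maintain.

```python
"""Added example: audit a hosts file for DNS-poisoning style entries.

Two classic tricks show up: redirecting a public site (ex. a bank login)
to an attacker IP, and sinkholing a security vendor's update domain to
0.0.0.0/127.0.0.1 so signatures never update. Everything below is constructed.
"""

# Constructed hosts file content (not from any real system).
HOSTS = """\
# constructed hosts file
127.0.0.1      localhost
::1            localhost
10.0.0.20      intranet.example
198.51.100.77  login.bank.example              # pins a public site to an attacker IP
0.0.0.0        update.antivirus-vendor.example # blocks signature updates
"""

# Assumed allowlist: domains that should always resolve through public DNS.
PUBLIC_DOMAINS = {"login.bank.example", "update.antivirus-vendor.example"}

LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines.

    One line may list several names for one IP, as the real file allows.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text, public_domains=PUBLIC_DOMAINS):
    """Return (domain, ip, kind) for every public domain overridden locally.

    kind is "sinkholed" for loopback/0.0.0.0 (blocks the service) and
    "redirected" for any other address (sends the user elsewhere).
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in public_domains:
            kind = "sinkholed" if ip in LOCAL_SINKS else "redirected"
            findings.append((name, ip, kind))
    return findings


if __name__ == "__main__":
    for domain, ip, kind in audit_hosts(HOSTS):
        print(f"{kind:10} {domain} -> {ip}")
```

Because hosts entries win over any DNS answer, this check belongs in endpoint baselining: diff the file against a known-good copy and alert on any new entry for a domain that is not internal.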
A type of attack where the attacker causes the victim to resolve a legitimate domain name to an attacker-controlled IP address (often by poisoning a resolver’s cache so every client behind it is redirected)
DNS poisoning
A type of attack where the attacker gets access to the domain registration of a legitimate website
That way, the attacker has control over where the traffic flows
Domain hijacking
3 ways an attacker can get into the account used for the domain registration for a website
Brute force
Social engineer the password
Gain access to the email address that manages the account
A type of attack where the victim is redirected to an advertising site, a competitor site, a phishing site, or a site that performs drive-by downloads when attempting to access a legitimate website.
URL hijacking
AKA typosquatting
AKA brandjacking
2 other names for URL hijacking
Typosquatting
Brandjacking
A type of wireless attack where the attacker disconnects the victim from their network connection. A type of DoS attack.
Wireless deauthentication attack
What type of frames does the wireless deauthentication attack take advantage of?
802.11 management frames
Frames used for the management of network connections. They are exchanged between stations and the AP to find and connect to the network, manage the connection, and disconnect from it; they also carry association to and disassociation from an AP. In the original standard they were sent unprotected, so anyone in range could forge a deauthentication frame.
802.11 management frames
RF stands for
Radio frequency
A type of wireless attack where the attacker transmits interfering wireless signals (noise) until the victim cannot discern the legitimate traffic from the noise. It prevents any nearby victims from being able to receive signals from the AP.
RF jamming
AKA wireless jamming
Which IEEE amendment addressed the problem enabling wireless deauthentication attacks by protecting management frames?
802.11w (Protected Management Frames). It authenticates deauthentication and disassociation frames so forged ones are ignored, and it is mandatory in WPA3. Not 802.11ac, which is the gigabit Wi-Fi PHY amendment.
What equipment can inadvertently cause RF jamming?
Microwave
Fluorescent lights
RF jamming is AKA
Wireless jamming
3 different ways to carry out wireless/RF jamming
Constant, random bits/frames
Random intervals of noise
Reactive jamming - only happens when someone else tries to communicate
True/False
Wireless/RF jamming can be carried out across the globe
False
Wireless/RF jamming needs to be performed close-by
The method of finding the source of RF jamming
Fox hunting
What 2 types of tools are useful during fox hunting?
Directional antenna - locates the direction of the signal
Attenuator - lowers the signal strength to make it easier to tell where it’s coming from (it gets louder as you get closer)
A type of attack where the attacker sits between two devices and watches all the traffic occurring between them
On-path attack
AKA MITM attack
MITM stands for
Man-in-the-middle
A type of on-path attack where the attacker gets on the same subnet as the victim devices.
The attacker sends forged ARP replies claiming that a trusted IP address (typically the default gateway) belongs to the attacker’s MAC address. The legitimate devices update their ARP caches with the bogus IP/MAC pair and send their traffic to the attacker, who forwards it on to the real destination so nothing appears broken.
ARP poisoning
What enables ARP poisoning?
No security in ARP: replies are not authenticated, and hosts accept unsolicited replies and overwrite existing cache entries (mitigations: static ARP entries for critical hosts, Dynamic ARP Inspection on switches)
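An added example (not from the original flashcards) of how ARP poisoning shows up on the wire: an arpwatch-style monitor that keeps history for each IP-to-MAC mapping instead of silently overwriting it, the way a host’s ARP cache does. The ARP replies, addresses and timestamps below are constructed.

```python
"""Added example: detect ARP poisoning from a stream of observed ARP replies.

A victim cache simply takes the newest reply. A monitor that remembers what
each IP claimed before can see the moment the gateway IP "moves" to a new MAC.
All packets below are constructed, not captured.
"""
from collections import defaultdict

# Constructed ARP replies: (timestamp, sender IP, sender MAC).
# 10.0.0.1 is the gateway; aa:...:01 is its real NIC, bb:...:bb is the attacker.
ARP_REPLIES = [
    (100, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (101, "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    (102, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (103, "10.0.0.1", "bb:bb:bb:bb:bb:bb"),  # forged reply: gateway IP now claims attacker MAC
    (104, "10.0.0.1", "bb:bb:bb:bb:bb:bb"),  # attacker keeps re-sending so the cache stays poisoned
]


def detect_arp_poisoning(replies):
    """Return one alert dict per (ip, old_mac, new_mac) change.

    Builds the same IP -> MAC table a host would, but compares before
    overwriting, so a flip is reported instead of trusted.
    """
    table = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": known, "new_mac": mac})
        table[ip] = mac
    return alerts


def macs_claiming(replies, ip):
    """Set of MACs that have claimed `ip`; more than one is suspicious."""
    claims = defaultdict(set)
    for _, i, mac in replies:
        claims[i].add(mac.lower())
    return claims.get(ip, set())


if __name__ == "__main__":
    for a in detect_arp_poisoning(ARP_REPLIES):
        print(f"t={a['time']} ALERT {a['ip']} moved {a['old_mac']} -> {a['new_mac']}")
```

Repeated re-advertisement (lines 103 and 104) is typical, because the real gateway keeps answering too and the attacker must win the race; a monitor that only alerts once per change avoids flooding on that noise.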
A type of on-path attack in which the attacker resides between the device and the network, acting as a proxy. In fact, the attacker resides in the same system as the victim.
Even if the network traffic is encrypted, because the attacker is on the same system, they would be able to see the data
Once the victim logs into their bank account, the attacker can get those credentials for later use. They can then start other sessions behind the scenes that the victim will not see. Online shopping, money transfers, etc.
On-path browser attack
AKA man-in-the-browser attack
A type of attack where the attacker reuses legitimate information in order to authenticate to a service
Replay attack
Why do attackers want your cookies?
Cookies contain session IDs; the attacker could gain access to a server without any authentication credentials by using the session ID
2 ways to avoid replay attacks
Encrypt the session so the authentication credentials can’t be captured in the first place
Use a per-session nonce or timestamp (a one-time “salt” or challenge) in the authentication exchange, so a captured response is only valid once
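An added example (not from the original flashcards) of the second mitigation: a challenge-response login where the server issues a fresh single-use nonce, so the response an attacker sniffs is worthless a moment later. The shared key, usernames and protocol shape are constructed for the demo; a real system would derive the key from the password and bind the nonce to a TLS session.

```python
"""Added example: nonce-based challenge-response that defeats replay.

The client proves knowledge of a shared key by returning
HMAC(key, nonce || username). Because the server only accepts each nonce
once, replaying a captured (nonce, response) pair fails, and so does
presenting an old response against a new nonce.
Key and names are constructed, not from any real system.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"  # in practice derived from the user's password


def respond(username: str, nonce: str) -> str:
    """Client side: bind the proof to this nonce so it can't be reused."""
    msg = nonce.encode() + username.encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.issued = set()  # nonces handed out and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)  # 128 bits of randomness, unguessable
        self.issued.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, response: str) -> bool:
        if nonce not in self.issued:
            return False  # never issued, or already used: a replay
        # Consume the nonce before checking, so even a correct replayed
        # response cannot be accepted twice.
        self.issued.discard(nonce)
        return hmac.compare_digest(respond(username, nonce), response)


def demo():
    """Returns (legitimate login, replayed pair, old response vs new nonce)."""
    srv = Server()
    n1 = srv.challenge()
    r1 = respond("alice", n1)
    first = srv.verify("alice", n1, r1)   # genuine login
    replay = srv.verify("alice", n1, r1)  # attacker replays sniffed pair
    n2 = srv.challenge()
    cross = srv.verify("alice", n2, r1)   # old proof against a new challenge
    return first, replay, cross


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

Contrast this with sending a static hash of the password: that value is the same on every login, so a sniffed copy works forever, which is exactly the replay the flashcard describes.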
A type of attack where the attacker gains access to a session ID, and then uses it in order to authenticate to the server
Session hijacking
AKA sidejacking
2 ways to prevent session hijacking
End-to-end encryption (HTTPS)
End-to-somewhere encryption (VPN concentrator; if you can’t encrypt the whole journey, you can at least encrypt part of it. It’s best to avoid cleartext over a local network)
Session hijacking is AKA
Sidejacking
An attack where the attacker inserts their own code or commands into a data stream that the application then executes or interprets (ex. SQL injection)
Code injection
What enables code injection?
Bad programming: untrusted input is concatenated into a query or command without validation or parameterization
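An added example (not from the original flashcards) of code injection in its most common form, SQL injection: the query built by string concatenation beside the parameterized version. It uses an in-memory SQLite database with constructed rows, so it runs offline.

```python
"""Added example: SQL injection, vulnerable vs. parameterised.

The payload  ' OR '1'='1  turns the WHERE clause into
    name = 'x' AND password = '' OR '1'='1'
which is true for every row. With placeholders the same text is just a
(wrong) password. Database rows are constructed.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return db


def login_vulnerable(db, name, password):
    """Attacker-controlled input becomes part of the query text."""
    q = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in db.execute(q)]


def login_safe(db, name, password):
    """Placeholders keep the input as data; the query structure cannot change."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(q, (name, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(login_vulnerable(db, "x", payload))  # ['alice', 'bob']: bypassed
    print(login_safe(db, "x", payload))        # []: rejected
```

The same pattern applies to OS command injection: pass arguments as a list to `subprocess.run` rather than building a shell string.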
A really useful buffer overflow is ____
Repeatable
Buffer overflows are often unpredictable: the overwritten memory may just crash the program. If the attacker can find a way to consistently get their desired outcome (ex. reliably overwrite a return address), it is a very useful exploit.
In order to perform a replay attack, the attacker needs what kind of data?
Raw network data (through a network tap, ARP poisoning)
True/False
A replay attack is an on-path attack
False
While the attacker may gather the data to perform the replay attack through an on-path attack, the actual replay attack is not on-path
An application attack where an attacker gains elevated permissions on a system
Privilege escalation
4 ways to mitigate privilege escalation
Keep applications patched
Update anti-malware signatures
Data Execution Prevention (DEP marks data regions of memory as non-executable, so injected shellcode can’t run)
Use address space layout randomization (ASLR changes the location in memory that an application and its libraries load each time it’s launched, so an overflow exploit can’t rely on fixed addresses. DEP and ASLR don’t stop the overflow itself; they make it much harder to turn into code execution)
What is it called when a legitimate website uses the user’s browser to make legitimate requests for other web pages to display content on the original website?
For example, when you go on one page, a video from YouTube and pictures from Instagram are also present.
Cross-site requests
CSRF takes advantage of what?
CSRF takes advantage of the trust that a web application has for the user
The web site trusts your browser
Requests are made without your consent or your knowledge
Attacker posts a Facebook status on your account
An attack that takes advantage of the trust that a web application has for the user
CSRF / XSRF
What anti-forgery solution has been implemented to prevent CSRF?
Cryptographic token (anti-CSRF / synchronizer token)
The server issues an unpredictable token tied to the user’s session and embeds it in its own forms; every state-changing request must echo it back. A forged request from another site carries the victim’s cookie but not the token, so it is rejected.
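An added example (not from the original flashcards) of the synchronizer-token check. Requests are plain dictionaries rather than a real web framework, the session store is in memory, and the endpoint, field names and amounts are constructed for the demo.

```python
"""Added example: synchronizer-token CSRF defence.

The browser attaches the session cookie to any request aimed at the site,
including one an attacker's page triggers. The token lives only in the
site's own HTML, which the attacker's origin cannot read, so a forged
request arrives with the cookie but without the token.
Session store and request shapes are constructed.
"""
import hmac
import secrets

SESSIONS = {}  # session_id -> {"user": ..., "csrf": ...}


def login(user: str) -> str:
    """Create a session and a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> dict:
    """What the legitimate site embeds in its transfer form."""
    return {"csrf_token": SESSIONS[sid]["csrf"]}


def handle_transfer(request: dict):
    """State-changing endpoint: cookie alone must not be enough."""
    sess = SESSIONS.get(request.get("cookie_sid"))
    if sess is None:
        return 401, "not logged in"
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "CSRF token missing or wrong"
    return 200, f"transferred {request['form']['amount']} for {sess['user']}"


def demo():
    """Returns (status of legitimate request, status of forged request)."""
    sid = login("alice")
    # Legitimate: the site rendered the form, so the token is present.
    good = {"cookie_sid": sid, "form": {**render_form(sid), "amount": 10}}
    # Forged: the attacker's page makes the victim's browser submit this;
    # the cookie rides along automatically, but the token is unknown.
    forged = {"cookie_sid": sid, "form": {"amount": 999}}
    return handle_transfer(good)[0], handle_transfer(forged)[0]


if __name__ == "__main__":
    print(demo())  # expected (200, 403)
```

Modern browsers add a second layer with the `SameSite` cookie attribute, but the token check is what makes a state-changing request provably originate from the site’s own page.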
An attack that allows an attacker to read files on a web server that are outside of the website’s document root (ex. requesting ../../etc/passwd)
Directory traversal
What enables directory traversal attacks?
Web server misconfiguration
OR
Web application software vulnerability (a user-supplied path is used without normalization and validation)
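An added example (not from the original flashcards) of the application-side fix: a file handler that resolves the requested path and refuses anything that lands outside the document root. The web root, file names and contents are constructed in a temporary directory so the demo runs anywhere.

```python
"""Added example: directory-traversal check for a file-serving handler.

Normalises the candidate path with realpath (which also follows symlinks)
and requires it to remain under the document root. Directory layout and
file contents are constructed for the demo.
"""
import os
import tempfile


def safe_join(web_root: str, requested: str):
    """Absolute path if it stays inside web_root, else None."""
    root = os.path.realpath(web_root)
    # Drop a leading slash so an absolute request can't override the join.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # ../ sequences (or a symlink) escaped the root
    return candidate


def serve(web_root: str, requested: str):
    """Return (status, body) like a minimal static handler would."""
    path = safe_join(web_root, requested)
    if path is None or not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()


def demo():
    """Returns status codes for a normal request and three traversal attempts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "img"))
        with open(os.path.join(root, "img", "logo.txt"), "wb") as f:
            f.write(b"logo")
        with open(os.path.join(tmp, "secret.txt"), "wb") as f:
            f.write(b"outside the web root")
        return (
            serve(root, "img/logo.txt")[0],          # 200
            serve(root, "../secret.txt")[0],         # 404: traversal blocked
            serve(root, "img/../../secret.txt")[0],  # 404: nested traversal blocked
            serve(root, "/etc/passwd")[0],           # 404: absolute path neutralised
        )


if __name__ == "__main__":
    print(demo())  # expected (200, 404, 404, 404)
```

Checking for the literal string `../` is not enough: URL-encoded (`%2e%2e/`) and backslash variants decode to the same thing, which is why the check is done on the resolved path rather than on the request text.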
A cryptographic attack that takes advantage of the probability of a hash collision: with an n-bit hash, a collision between any two inputs is expected after roughly 2^(n/2) attempts rather than 2^n, just as 23 people are enough for a better-than-even chance that two share a birthday. The collision is found by brute force.
This method is much more efficient than trying to match one specific hash, though it is still a type of brute force.
As applied to stolen password hashes:
1) The attacker obtains a list of password hashes
2) Using the same hash algorithm, they generate hashes of candidate passwords until one matches a stored value. This process happens offline.
3) They then attempt to log in with the matching credentials
Birthday attack
What mitigates a birthday attack?
Large hash output sizes
The larger the hash, the more difficult it will be for the attacker to duplicate it
Which cryptographic algorithm has a problem with hash collisions?
MD5 (practical collisions have been demonstrated; SHA-1 likewise, so neither should be used where collision resistance matters)
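An added example (not from the original flashcards) that makes the birthday bound visible: a collision search on a deliberately truncated hash, the first 24 bits of SHA-256, counting how many inputs it takes. The truncation and the counter-style inputs are constructed for the demo; the point generalizes to any hash width.

```python
"""Added example: birthday search on a truncated hash.

With 24 output bits there are 2**24 (about 16.7 million) possible digests,
yet a repeat among arbitrary inputs appears after roughly 2**12 (about 5000)
attempts. Matching one fixed digest would still need about 2**24.
Inputs are constructed counter strings.
"""
import hashlib

BITS = 24  # constructed: real hashes are 256+ bits, giving ~2**128 work


def short_hash(msg: bytes, bits: int = BITS) -> int:
    """First `bits` bits of SHA-256, as an integer."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def find_collision(bits: int = BITS, limit: int = 1 << 20):
    """Store every digest seen; stop at the first repeat.

    Returns (message_a, message_b, attempts) or None if `limit` is hit.
    Each new input is compared against all previous ones at once via the
    dict, which is what makes the search quadratic in coverage.
    """
    seen = {}
    for i in range(limit):
        m = f"msg-{i}".encode()
        h = short_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


if __name__ == "__main__":
    a, b, tries = find_collision()
    print(f"{a!r} and {b!r} share the top {BITS} bits after {tries} hashes")
```

Doubling the hash width squares the work: 48 bits would need about 2^24 attempts, and a full 256-bit digest about 2^128, which is why “large hash output sizes” is the mitigation on the card above.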
A cryptographic attack where the attacker forces a system to revert its security to an older (less secure) model
Usually affects the encryption algorithm
Downgrade attack
SSL stripping is a form of what 2 kinds of attack?
On-path attack and downgrade attack
The attacker sits in the middle of the conversation and strips the S from HTTPS by rewriting URLs in the pages and redirects the victim sees, keeping the victim on plaintext HTTP while the attacker talks HTTPS to the real site. HSTS, which tells browsers to use only HTTPS for a domain, is the defense.
A password attack in which the attacker tries a few of the most common passwords (ex. Password123, Summer2024!) against every account they can enumerate, one or two guesses per account.
NOTE
They stop short of raising any alarms or account lockouts, since each account sees only a couple of failures; the indicator is one source failing against many different accounts.
Spraying attack
A password attack in which the attacker tries every password combination until the hash is matched.
Brute force attack
True/False
A strong hashing algorithm can slow down a brute force attack
True: a deliberately slow, salted algorithm (bcrypt, PBKDF2, Argon2) multiplies the cost of every guess, while a fast general-purpose hash like MD5 or plain SHA-256 does not
Online brute force attacks involve
Passwords
Offline brute force attacks involve
Hashes
They take the stored hash offline and attempt all passwords until it matches the hash
This sidesteps account lockout procedures
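An added example (not from the original flashcards) of the offline case: the attacker holds stolen hashes and guesses as fast as the hardware allows, with no lockout in the way. It contrasts an unsalted fast hash, where one pass over the wordlist covers every user, with a salted iterated hash (PBKDF2), where every guess must be re-derived per user. The users, passwords and wordlist are constructed.

```python
"""Added example: offline brute force against stolen password hashes.

Weak passwords fall either way; what the salted, iterated hash removes is
amortisation (one wordlist pass for all users, or a precomputed table)
and it makes each guess expensive. Credentials and wordlist are constructed.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2024!"]
ITERATIONS = 50_000  # low for the demo; production values are higher


def fast_hash(pw: str) -> str:
    """Unsalted SHA-256: the same password always gives the same hash."""
    return hashlib.sha256(pw.encode()).hexdigest()


def slow_hash(pw: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def crack_unsalted(stolen: dict) -> dict:
    """stolen: user -> sha256 hex. One hash per wordlist entry cracks every
    user at once (a rainbow table amortises this across breaches too)."""
    table = {fast_hash(w): w for w in WORDLIST}
    return {u: table[h] for u, h in stolen.items() if h in table}


def crack_salted(stolen: dict) -> dict:
    """stolen: user -> (salt, pbkdf2 bytes). Each guess is re-derived per
    user, per salt, so nothing is shared and nothing can be precomputed."""
    found = {}
    for user, (salt, target) in stolen.items():
        for w in WORDLIST:
            if hmac.compare_digest(slow_hash(w, salt), target):
                found[user] = w
                break
    return found


def demo():
    """Returns what each attack recovers from a two-user breach."""
    strong = "Tr0ub4dor&3-but-long-and-not-in-any-list"
    stolen_fast = {"alice": fast_hash("password"), "bob": fast_hash(strong)}
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    stolen_slow = {
        "alice": (salt_a, slow_hash("password", salt_a)),
        "bob": (salt_b, slow_hash(strong, salt_b)),
    }
    return crack_unsalted(stolen_fast), crack_salted(stolen_slow)


if __name__ == "__main__":
    print(demo())  # expected ({'alice': 'password'}, {'alice': 'password'})
```

The lesson of the flashcard holds in both cases: lockout policies never fire, because no login attempt is ever made until the hash has been matched offline.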
IOC stands for
Indicators of Compromise
An event that happens at an unusual time, documented by a log, is called:
Out-of-cycle logging
True/False
Out-of-cycle logging typically reflects a configuration error
False
Out-of-cycle logging can be an IOC
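An added example (not from the original flashcards) that pulls two of this section’s indicators of compromise out of one authentication log: password spraying (one source failing against many accounts while staying under any lockout threshold, from the spraying card above) and out-of-cycle activity (a successful login outside an account’s normal hours). The log lines, addresses, account names and the per-account baseline hours are all constructed; the syslog-like format is an assumption, not a specific product’s.

```python
"""Added example: two IOCs from one constructed authentication log.

(1) Password spraying: a single source with failures against many distinct
    accounts but few attempts per account.
(2) Out-of-cycle logging: a success at an hour outside the account's baseline.
Log format, hosts, users and baseline hours are constructed.
"""
import re
from collections import defaultdict

# Constructed log. 198.51.100.9 sprays nine accounts once each, then logs in
# as svc_backup (a service account that normally only runs at 02:00).
LOG = """\
2024-03-04T02:00:03 auth src=10.0.0.40 user=svc_backup result=OK
2024-03-04T09:02:10 auth src=10.0.0.15 user=alice result=FAIL
2024-03-04T09:02:19 auth src=10.0.0.15 user=alice result=OK
2024-03-04T11:15:01 auth src=198.51.100.9 user=admin result=FAIL
2024-03-04T11:15:02 auth src=198.51.100.9 user=alice result=FAIL
2024-03-04T11:15:03 auth src=198.51.100.9 user=bob result=FAIL
2024-03-04T11:15:04 auth src=198.51.100.9 user=carol result=FAIL
2024-03-04T11:15:05 auth src=198.51.100.9 user=dave result=FAIL
2024-03-04T11:15:06 auth src=198.51.100.9 user=erin result=FAIL
2024-03-04T11:15:07 auth src=198.51.100.9 user=frank result=FAIL
2024-03-04T11:15:08 auth src=198.51.100.9 user=grace result=FAIL
2024-03-04T11:15:09 auth src=198.51.100.9 user=heidi result=FAIL
2024-03-04T14:37:52 auth src=198.51.100.9 user=svc_backup result=OK
"""

LINE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)

# Assumed baseline: hours (UTC) during which each account is normally active.
BASELINE_HOURS = {"svc_backup": range(1, 4), "alice": range(8, 19)}


def parse(log: str) -> list:
    """Turn matching lines into dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["hour"] = int(e["ts"][11:13])
            events.append(e)
    return events


def detect_spray(events, min_accounts: int = 8, max_per_account: int = 3):
    """(source, distinct accounts) for sources that failed against many
    accounts while keeping per-account attempts under the lockout threshold."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["res"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    return [
        (src, len(users))
        for src, users in per_src.items()
        if len(users) >= min_accounts and max(users.values()) <= max_per_account
    ]


def detect_out_of_cycle(events, baseline=BASELINE_HOURS):
    """(user, timestamp, source) for successes outside the account's hours."""
    return [
        (e["user"], e["ts"], e["src"])
        for e in events
        if e["res"] == "OK" and e["user"] in baseline and e["hour"] not in baseline[e["user"]]
    ]


if __name__ == "__main__":
    ev = parse(LOG)
    print("spray:", detect_spray(ev))
    print("out of cycle:", detect_out_of_cycle(ev))
```

Alice’s single failure from 10.0.0.15 is ordinary user error and is not flagged; a per-account lockout threshold of five would never have fired on the spray at all, which is why the detection has to pivot on the source address rather than on the account.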
True/False
Since logs record everything, you don’t have to worry that attackers can hide from them
False
Attackers can delete or alter logs on the system they compromised, which is why logs should be forwarded to a separate collector (syslog server or SIEM) as they are written