CompTIA Security+ Flashcards 2
Pass the Hash Attack
provides a captured authentication hash to try to act like an authorized user.
Internal vs. External
We most often think about the threat actors who exist outside our organizations: competitors, criminals, and the curious. However, some of the most dangerous threats come from within our own environments.
Level of Sophistication/Capability
range from the unsophisticated/unskilled attacker simply running code borrowed from others to the advanced persistent threat (APT) actor exploiting vulnerabilities discovered in their own research labs and unknown to the security community.
Resources/Funding
Just as threat actors vary in their sophistication, they also vary in the resources available to them. Highly organized attackers sponsored by organized crime or national governments often have virtually limitless resources, whereas less organized attackers may simply be hobbyists working in their spare time.
Intent/Motivation
Attackers also vary in their motivation and intent. The unskilled attacker may be simply out for the thrill of the attack whereas competitors may be engaged in highly targeted corporate espionage.
Nation-states
seek to achieve political objectives; organized crime often focuses on direct financial gain.
OR
attackers hacking into either foreign governments or corporations.
Unskilled Attackers
The term script kiddie is a derogatory term for unskilled attackers who use hacking techniques but have limited skills.
Hacktivists
Hacktivists use hacking techniques to accomplish some activist goal.
Organized crime
appears in any case where there is money to be made, and cybercrime is no exception.
Advanced persistent threats (APTs)
is a term security researchers coined to describe a series of attacks that they first traced to sources connected to the Chinese military.
Zero-day attacks
Attacks that exploit previously unknown vulnerabilities. Zero-day attacks are particularly dangerous because the vulnerabilities are unknown to product vendors, and therefore no patches are available to correct them.
Insider attacks
occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization.
Shadow IT
individuals and groups seek out their own technology solutions
Attacker Motivations:
-Data exfiltration
-Espionage
-Service disruption
-Blackmail
-Financial gain
-Philosophical/political belief
-Ethical attacks
-Revenge attacks
-disruption/chaos
-War
Data exfiltration
attacks are motivated by the desire to obtain sensitive or proprietary information, such as customer data or intellectual property.
Espionage
attacks are motivated by organizations seeking to steal secret information from other organizations. This may come in the form of nation-states attacking each other or corporate espionage.
Service disruption
attacks seek to take down or interrupt critical systems or networks, such as banking systems or health-care networks.
Blackmail
attacks seek to extort money or other concessions from victims by threatening to release sensitive information or launch further attacks.
Financial gain
attacks are motivated by the desire to make money through theft or fraud. Organized crime is generally motivated by financial gain, as are other types of attackers.
Philosophical/political belief
attacks are motivated by ideological or political reasons such as promoting a particular cause or ideology. Hacktivists are generally motivated by philosophical or political beliefs.
Ethical attacks
or white-hat hacking are motivated by a desire to expose vulnerabilities and improve security. These attacks are often carried out by security researchers or ethical hackers with the permission of the organization being tested.
Revenge attacks
are motivated by a desire to get even with an individual or organization by embarrassing them or exacting some other form of retribution against them.
Disruption/chaos
attacks are motivated by a desire to cause chaos and disrupt normal operations.
War
may also be a motivation for cyberattacks. Military units and civilian groups may use hacking in an attempt to disrupt military operations and change the outcome of an armed conflict.
Threat actors
targeting an organization need some means to gain access to that organization’s information or systems.
Attack Surfaces
A system, application, or service that contains a vulnerability that threat actors might exploit.
Threat vectors
are the means that threat actors use to obtain access.
Message-based
attacks may also be carried out through other communications mechanisms such as by sending text messages through Short Message Service (SMS) or instant messaging (IM) applications. Voice calls may also be used to conduct vishing (voice phishing) attacks.
Message-Based Threat Vectors Examples
Email is one of the most commonly exploited threat vectors. Phishing messages, spam messages, and other email-borne attacks are simple ways to gain access to an organization’s network. Social media may be used as a threat vector in similar ways
Wireless Networks
offer an even easier path onto an organization’s network.
Systems
individual systems may also serve as threat vectors depending on how they are configured and the software installed on them
Files and Images
Individual files, including images, may also be threat vectors. An attacker may create a file that contains embedded malicious code and then trick a user into opening that file, activating the malware infection. These malicious files may be sent by email, stored on a file server, or placed in any other location where an unsuspecting user might be tempted to open it.
Removable Devices
Attackers also commonly use removable media, such as USB drives, to spread malware and launch their attacks. An attacker might distribute inexpensive USB sticks in parking lots, airports, or other public areas, hoping that someone will find the device and plug it into their computer, curious to see what it contains. As soon as that happens, the device triggers a malware infection that silently compromises the finder’s computer and places it under the control of the attacker.
Cloud
Cloud services can also be used as an attack vector. Attackers routinely scan popular cloud services for files with improper access controls, systems that have security flaws, or accidentally published API keys and passwords.
Supply Chain
Sophisticated attackers may attempt to interfere with an organization’s IT supply chain, including hardware providers, software providers, and service providers. Attacking an organization’s vendors and suppliers provides an indirect mechanism to attack the organization itself.
Indicators of compromise (IOCs)
These are the telltale signs that an attack has taken place and may include file signatures, log patterns, and other evidence left behind by attackers. IoCs may also be found in file and code repositories that offer threat intelligence information.
Malware
describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.
Ransomware
is malware that takes over a computer and then demands a ransom.
Indicators of compromise (IoCs) for ransomware include, but are not limited to:
-Command and control (C&C) traffic and/or contact to known malicious IP addresses
-Use of legitimate tools in abnormal ways to retain control of the compromised system
-Lateral movement processes that seek to attack or gain information about other systems or devices inside the same trust boundaries
-Encryption of files
-Notices to end users of the encryption process with demands for ransom
-Data exfiltration behaviors, including large file transfers
Trojan
or Trojan horses are a type of malware that is typically disguised as legitimate software.
Bots
connect to command and control (C&C) systems, allowing them to be updated, controlled, and managed remotely.
Bots, Botnets, and Command and Control
Many types of malware use command and control (C&C) techniques and systems to allow attackers to tell them what to do. These groups of systems that are under central command are called botnets, and individual systems are called bots.
Worms & Examples
are malware that spread themselves on networks via vulnerable services, email, or file shares.
Examples:
-Known malicious files
-Downloads of additional components from remote systems
-Command and control contact to remote systems
-Malicious behaviors using system commands for injection and other activities, including use of cmd.exe, msiexec.exe, and others
-Hands-on-keyboard attacker activity
Spyware & Examples
is malware that is designed to obtain information about an individual, organizations, or systems
Examples:
-Remote-access and remote-control-related indicators
-Known software file fingerprints
-Malicious processes, often disguised as system processes
-Injection attacks against browsers
Bloatware
describes unwanted applications installed on systems by manufacturers.
Viruses & Examples
are malicious programs that self-copy and self-replicate once they are activated.
Examples:
-Memory-resident viruses
-Non-memory-resident viruses
-Boot sector viruses
-Macro viruses
-Fileless viruses
Memory-resident viruses
which remain in memory while the system of the device is running
Non-memory-resident viruses
which execute, spread, and then shut down
Boot sector viruses
which reside inside the boot sector of a drive or storage media
Macro viruses
which use macros or code inside word processing software or other tools to spread
Email viruses
that spread via email either as email attachments or as part of the email itself using flaws inside email clients
Fileless virus
They spread via methods like spam email and malicious websites and exploit flaws in browser plug-ins and web browsers themselves. Once they successfully find a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system via the same process at reboot through a Registry entry or other technique. At no point do they require local file storage, as they remain memory resident throughout their entire active life.
Keyloggers
are programs that capture keystrokes from a keyboard, although keylogger applications may also capture other input such as mouse movement, touchscreen inputs, or credit card swipes from attached devices.
Logic Bombs
unlike the other types of malware described here, are not independent malicious programs.
Rootkits
are malware that is specifically designed to allow attackers to access a system through a backdoor.
Phishing
is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data.
Smishing
phishing via SMS (text) messages. Relies on text messages as part of the phishing scam
Vishing
phishing via telephone or phishing accomplished via voice or voicemail messages.
Impersonation
Pretending to be someone else. Impersonation is a key tool in a social engineer’s toolkit and can be used for malicious purposes.
Identity fraud
or identity theft is the use of someone else’s identity.
Business email compromise
often called BEC, relies on using apparently legitimate email addresses to conduct scams and other attacks.
Methods:
-Using compromised accounts
-Sending spoofed emails
-Using common fake but similar domain techniques
-Using malware or other tools
Pretexting
process of using a made-up scenario to justify why you are approaching an individual. _________ is often used as part of impersonation efforts to make the impersonator more believable.
Watering Hole Attack
use websites that targets frequent to attack them. These frequently visited sites act like a watering hole for animals and allow the attackers to stage an attack, knowing that the victims will visit the site. Once they know what site their targets will use, attackers can focus on compromising it, either by targeting the site directly or by deploying malware through other means such as an advertising network.
Brand Impersonation Attack (brand spoofing)
This common form of attack uses emails that are intended to appear to be from a legitimate brand relying on name recognition and even using email templates used by the brand itself.
Typosquatting
uses URLs that are misspelled or slightly off but similar to the legitimate site’s URL to conduct __________ attacks. ________ relies on the fact that people will mistype URLs and end up on the attacker’s site, thus driving ad traffic or even sometimes using the typo-based website to drive sales of similar but not legitimate products.
Password Related Attack
-Brute-force attacks, which iterate through passwords until they find one that works.
-Password spraying attacks are a form of brute-force attack that attempts to use a single password or small set of passwords against many accounts.
-Dictionary attacks are yet another form of brute-force attack that uses a list of words for their attempts.
SQL Injection Attack
malicious code is inserted into strings of code that are later passed to a SQL database server.
Legacy Platforms
Software vendors eventually discontinue support for every product they make.
Weak Configurations
Default settings that pose a security risk such as administrative setup pages that are meant to be disabled before moving a system to production.
-default credentials or unsecured accounts, including both normal user accounts and unsecured root accounts with administrative privileges. Accounts may be considered unsecured when they either lack strong authentication or use default passwords.
-Open service ports that are not necessary to support normal system operations.
-Open permissions that allow users access that violates the principle of least privilege.
Privilege escalation
uses hacking techniques to shift from the initial access gained by the attacker to more advanced privileges such as root access on the same system.
Code Injection Attacks
These attacks seek to insert attacker-written code into the legitimate code created by a web application developer.
Dynamically Linked Libraries (DLLs)
Attackers may inject DLLs containing malicious code into a running process in a DLL injection attack.
Session Hijacking Attack
takes a different approach by stealing an existing authenticated session. These attacks don’t require that the attacker gain access to the authentication mechanism; instead, they take over an already authenticated session with a website.
Cookies
Most websites that require authentication manage user sessions using ______ managed in the user’s browser and transmitted as part of the HTTP header information provided by a website.
Ways an attacker might obtain a cookie:
-Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the user and the website.
-Installing malware on the user’s browser that retrieves cookies and transmits them back to the attacker.
-Engaging in an on-path attack, where the attacker fools the user into thinking that the attacker is actually the target website and presenting a fake authentication form. They may then authenticate to the website on the user’s behalf and obtain the cookie.
Pass the Hash Attack
is another form of replay attack that takes place against the operating system rather than a web application.
Directory Traversal Attack
occurs when web servers allow the inclusion of operators that navigate directory paths and filesystem access controls don’t properly restrict access to files stored elsewhere on the server.
Privilege Escalation Attack
seeks to increase the level of access that an attacker has to a target system.
Cross-Site Scripting (XSS) Attacks
occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page.
Reflected XSS (Input)
XSS attacks commonly occur when an application allows reflected input.
Stored/Persistent XSS
stores cross-site scripting code on a remote web server in an approach known as stored XSS. These attacks are described as persistent because they remain on the server even when the attacker isn’t actively waging an attack.
Cross-Site Request Forgery (CSRF/XSRF) Attack
is similar to a cross-site scripting attack but exploits a different trust relationship. XSRF attacks exploit the trust that remote sites have in a user’s system to execute commands on the user’s behalf.
Buffer Overflow Attacks
occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program’s use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.
Memory Injection
technique of maliciously inserting information into memory.
Race Conditions
the security of a code segment depends upon the sequence of events occurring within the system
Time-of-Check-to-Time-of-Use (TOCTTOU or TOC/TOU)
is a type of race condition that occurs when a program checks access permissions too far ahead of a resource request.
Collisions
Cases where a hash function produces the same value for two different inputs.
Birthday attacks
An attack on cryptographic hashes based on the birthday theorem: the attacker finds collisions where two different inputs produce the same hash value output.
Downgrade Attack
is sometimes used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes.
Sensors
are another way to provide security monitoring.
Detecting Physical Attacks
-Brute-force attacks, which include breaking down doors, cutting off locks, or other examples of the simple application of force or determination to gain physical entry.
-Radio frequency identification (RFID) cloning attacks work by cloning an RFID tag or card.
-Environmental attacks include attacks like targeting an organization’s heating and cooling systems, maliciously activating a sprinkler system, and similar actions.
Virtual machines
are the basic building block of compute capacity in the cloud.
Virtual machine (VM) escape
vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels.
Resource reuse
occurs when cloud providers take hardware resources that were originally assigned to one customer and reassign them to another customer. If the data was not properly removed from that hardware, the new customer may inadvertently gain access to data belonging to another customer.
Firmware
is the embedded software that allows devices to function.
End-of-life or legacy
hardware drives concerns around lack of support. Once a device or system has reached end-of-life, it will typically also reach the end of its support from the manufacturer.
End of sales
The last date at which a specific model or device will be sold, although devices often remain in the supply chain through resellers for a period of time.
End of life
While the equipment or device is no longer sold it remains supported. End-of-life equipment should typically be on a path to retirement but it has some usable lifespan left.
End of support
the last date on which the vendor will provide support and/or updates.
Legacy
This term is less well defined but typically is used to describe hardware, software, or devices that are unsupported.
Allow Lists-
_____ list tools allow you to build a list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the list, they will be removed or disabled, or they will not be able to be installed. (sometimes referred to as whitelisting)
Endpoint Detection and Response (EDR)
systems provide monitoring, detection, and response capabilities for systems. EDR systems capture data from endpoints and send it to a central repository, where it can be analyzed for issues and indicators of compromise or used for incident response activities.
Deny Lists
Block lists, or _____ lists, are lists of software or applications that cannot be installed or run, rather than a list of what is allowed. (sometimes referred to as blacklists)
Host-based intrusion prevention system (HIPS)
analyzes traffic before services or applications on the host process it.
Hardening A System
or application involves changing settings on the system to increase its overall level of security and reduce its vulnerability to attack.
Open ports and services
One of the fastest ways to decrease the attack surface of a system is to reduce the number of _________ that it provides by disabling ports and protocols. After all, if attackers cannot connect to the system remotely, they’ll have a much harder time exploiting the system directly.
Removing Unnecessary Software
removing software that isn’t needed removes the potential for a disabled tool to be reenabled. It also reduces the amount of patching and monitoring that will be required for the system.
Default Passwords
Changing default passwords is a common hardening practice and should be a default practice for any organization.
Configuration Enforcement
a process that not only monitors for changes but makes changes to system configurations as needed to ensure that the configuration remains in its desired state.
Patching
Ensuring that systems and software are up to date helps ensure endpoint security by removing known vulnerabilities.
Full-disk encryption (FDE)
encrypts the disk and requires that the bootloader or a hardware device provide a decryption key and software or hardware to decrypt the drive for use.
Decommissioning
When systems and devices are at the end of their useful life cycle
Defense in Depth
Built in layers or they are built around multiple controls designed to ensure that a failure in a single control— or even multiple controls—is unlikely to cause a security breach
Access control lists (ACLs)
are rules that either permit or deny actions.
On-path Attack (or Man-in-the-middle (MitM))
attack occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls.
SSL Stripping
an attack that in modern implementations removes TLS encryption to read the contents of traffic that is intended to be sent to a trusted endpoint.
Browser-Based On-Path attack (or man-in-the-browser MitB or MiB)
This attack relies on a Trojan that is inserted into a user’s browser.
Domain hijacking
changes the registration of a domain, either through technical means like a vulnerability with a domain registrar or control of a system belonging to an authorized user, or through nontechnical means such as social engineering.
DNS poisoning
Ways:
-One form is another form of the on-path attack where an attacker provides a DNS response while pretending to be an authoritative DNS server. Vulnerabilities in DNS protocols or implementations can also permit DNS poisoning, but they are rarer.
-DNS poisoning can also involve poisoning the DNS cache on systems.
URL redirection
When domain hijacking isn’t possible and DNS cannot be poisoned, another option for attackers is ________. ________ can take many forms, depending on the vulnerability that attackers leverage, but one of the most common is to insert alternate IP addresses into a system’s hosts file.
Distributed Denial of Service (DDoS)
is conducted from multiple locations, networks, or systems, making it difficult to stop and hard to detect. It consumes resources or targets services to cause them to fail.
Sideloading
is the process of transferring files to a mobile device, typically via a USB connection, a MicroSD card, or via Bluetooth in order to install applications outside of the official application store.
Jailbreaking
takes advantage of vulnerabilities or other weaknesses in a mobile device’s operating system to conduct a privilege escalation attack and root the system, providing the user with more access than is typically allowed.
Account lockout
which is often due to brute-force login attempts or incorrect passwords used by attackers.
Concurrent session usage
when users aren’t likely to use concurrent sessions. If a user is connected from more than one system or device, particularly when the second device is in an unexpected or uncommon location or the application is one that isn’t typically used on multiple devices at once, this can be a strong indicator that something is not right.
Blocked content
is content that the organization has blocked, often via a DNS filter or other tool that prohibits domains, IP addresses, or types of content from being viewed or accessed. If this occurs, it may be because a malicious actor or malware is attempting to access the resource.
Impossible travel
which involves a user connecting from two locations that are far enough apart that the time between the connections makes the travel impossible to have occurred, typically indicates that someone else has access to the user’s credentials or devices.
Resource consumption
like filling up a disk or using more bandwidth than usual for uploads or downloads, can be an indicator of compromise. Unlike some of the other IoCs here, this one often requires other actions to become concerning unless it is much higher than usual.
Resource inaccessibility
can indicate that something unexpected is happening. If a resource like a system, file, or service isn’t available, identifying the underlying cause and ensuring that the cause isn’t malicious can be important.
Missing logs
may indicate that an attacker has wiped the logs to attempt to hide their actions. This is one reason that many organizations centralize their log collection so that a protected system will retain logs even if they are wiped on a server or workstation.
Published/Documented
describes indicators that have been discovered and published or documented.
Least Privilege
individuals should be granted only the minimum set of permissions necessary to carry out their job functions.
Out-of-cycle logging
occurs when an event that normally happens at a fixed time or on a set cycle occurs at an unusual time. This might be a worker logging in at 2 a.m. who normally works 9-5, or a cleanup process that gets activated out of turn when it normally runs once a week.