Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

MODULE 17 - Attacking What We Do CERTIFICATION CYBER OPS ASSOCIATE > MODULE 17 - CERTIFICATION CYBER OPS ASSOCIATE > Flashcards

MODULE 17 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards

1
Q

IP Services ARP Vulnerabilities

A

Hosts broadcast an ARP Request to other hosts on the network segment to determine the MAC address of a host with a particular IP address.

All hosts on the subnet receive and process the ARP Request.

The host with the matching IP address in the ARP Request sends an ARP Reply.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Hosts broadcast an ARP Request to other hosts on the network segment to determine the MAC address of a host with a particular IP address.

All hosts on the subnet receive and process the ARP Request.

The host with the matching IP address in the ARP Request sends an ARP Reply.

A

Any client can send an unsolicited ARP Reply called a “gratuitous ARP.”

This is often done when a device first boots up to inform all other devices on the local network of the new device’s MAC address.

When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Any client can send an unsolicited ARP Reply called a “gratuitous ARP.”

This is often done when a device first boots up to inform all other devices on the local network of the new device’s MAC address.

When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables.

A

However, this feature of ARP also means that any host can claim to be the owner of any IP/MAC they choose.

A threat actor can poison the ARP cache of devices on the local network, creating an MiTM attack to redirect traffic.

The goal is to associate the threat actor’s MAC address with the IP address of the default gateway in the ARP caches of hosts on the LAN segment.

This positions the threat actor in between the victim and all other systems outside of the local subnet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

ARP Cache Poisoning ARP cache poisoning can be used to launch various man-in-the-middle attacks.

A

ARP cache poisoning can be used to launch various man-in-the-middle attacks. :

– ARP REQUEST

– ARP REPLY

– SPOOFED GRATUITIONS

– ARP REPLIES

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

ARP cache poisoning can be used to launch various man-in-the-middle attacks. :

– ARP REQUEST

– ARP REPLY

– SPOOFED GRATUITIONS

– ARP REPLIES

A

ARP REQUEST :

The figure shows how ARP cache poisoning works.

PC-A requires the MAC address of its default gateway (R1); therefore, it sends an ARP Request for the MAC address of 192.168.10.1.

https://snipboard.io/7rgnUf.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

ARP cache poisoning can be used to launch various man-in-the-middle attacks. :

– ARP REQUEST

– ARP REPLY

– SPOOFED GRATUITIONS

– ARP REPLIES

A

ARP REPLY :

In this figure, R1 updates its ARP cache with the IP and MAC addresses of PC-A.

R1 sends an ARP Reply to PC-A, which then updates its ARP cache with the IP and MAC addresses of R1.

https://snipboard.io/u9G7MN.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

ARP cache poisoning can be used to launch various man-in-the-middle attacks. :

– ARP REQUEST

– ARP REPLY

– SPOOFED GRATUITIONS

– ARP REPLIES

A

SPOOFED GRATUITIONS :

In the figure, the threat actor sends two spoofed gratuitous ARP Replies using its own MAC address for the indicated destination IP addresses.

PC-A updates its ARP cache with its default gateway which is now pointing to the threat actor’s host MAC address.

R1 also updates its ARP cache with the IP address of PC-A pointing to the threat actor’s MAC address.

The threat actor’s host is executing an ARP poisoning attack.

The ARP poisoning attack can be passive or active. Passive ARP poisoning is where threat actors steal confidential information.

Active ARP poisoning is where threat actors modify data in transit, or inject malicious data.

https://snipboard.io/4LysW9.jpg

Note: There are many tools available on the internet to create ARP MiTM attacks including dsniff, Cain & Abel, ettercap, Yersinia, and others.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

DNS Attacks The Domain Name System (DNS) protocol defines an automated service that matches resource names, such as www.cisco.com, with the required numeric network address, such as the IPv4 or IPv6 address.

It includes the format for queries, responses, and data and uses resource records (RR) to identify the type of DNS response.

Securing DNS is often overlooked.

However, it is crucial to the operation of a network and should be secured accordingly.

A

DNS attacks include the following:

DNS open resolver attacks DNS stealth attacks DNS domain shadowing attacks DNS tunneling attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

DNS Open Resolver Attacks Many organizations use the services of publicly open DNS servers such as GoogleDNS (8.8.8.8) to provide responses to queries.

This type of DNS server is called an open resolver.

A DNS open resolver answers queries from clients outside of its administrative domain.

DNS open resolvers are vulnerable to multiple malicious activities described in the table.

A

DNS Resolver Vulnerabilities :

– DNS cache poisoning attacks

– DNS amplification and reflection attacks

– DNS resource utilization attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

DNS Resolver Vulnerabilities :

– DNS cache poisoning attacks

– DNS amplification and reflection attacks

– DNS resource utilization attacks

A

DNS cache poisoning attacks :

Threat actors send spoofed, falsified record resource (RR) information to a DNS resolver to redirect users from legitimate sites to malicious sites.

DNS cache poisoning attacks can all be used to inform the DNS resolver to use a malicious name server that is providing RR information for malicious activities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

DNS Resolver Vulnerabilities :

– DNS cache poisoning attacks

– DNS amplification and reflection attacks

– DNS resource utilization attacks

A

DNS amplification and reflection attacks :

Threat actors use DoS or DDoS attacks on DNS open resolvers to increase the volume of attacks and to hide the true source of an attack.

Threat actors send DNS messages to the open resolvers using the IP address of a target host.

These attacks are possible because the open resolver will respond to queries from anyone asking a question.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

DNS Resolver Vulnerabilities :

– DNS cache poisoning attacks

– DNS amplification and reflection attacks

– DNS resource utilization attacks

A

DNS resource utilization attacks :

A DoS attack that consumes the resources of the DNS open resolvers.

This DoS attack consumes all the available resources to negatively affect the operations of the DNS open resolver.

The impact of this DoS attack may require the DNS open resolver to be rebooted or services to be stopped and restarted.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

DNS Stealth Attacks

To hide their identity, threat actors also use the DNS stealth techniques described in the table to carry out their attacks.

A

DNS Stealth Attacks To hide their identity, threat actors also use the DNS stealth techniques described in the table to carry out their attacks.

DNS Stealth Techniques :

– Fast Flux

– Double IP Flux

– Domain Generation Algorithms

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

DNS Stealth Attacks To hide their identity, threat actors also use the DNS stealth techniques described in the table to carry out their attacks.

DNS Stealth Techniques :

– Fast Flux

– Double IP Flux

– Domain Generation Algorithms

A

Fast Flux :

Threat actors use this technique to hide their phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts.

The DNS IP addresses are continuously changed within minutes.

Botnets often employ Fast Flux techniques to effectively hide malicious servers from being detected.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

DNS Stealth Attacks To hide their identity, threat actors also use the DNS stealth techniques described in the table to carry out their attacks.

DNS Stealth Techniques :

– Fast Flux

– Double IP Flux

– Domain Generation Algorithms

A

Double IP Flux :

Threat actors use this technique to rapidly change the hostname to IP address mappings and to also change the authoritative name server.

This increases the difficulty of identifying the source of the attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

DNS Stealth Attacks To hide their identity, threat actors also use the DNS stealth techniques described in the table to carry out their attacks.

DNS Stealth Techniques :

– Fast Flux

– Double IP Flux

– Domain Generation Algorithms

A

Domain Generation Algorithms :

Threat actors use this technique in malware to randomly generate domain names that can then be used as rendezvous points to their command and control (C&C) servers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

DNS Domain Shadowing

Attacks Domain shadowing involves the threat actor gathering domain account credentials in order to silently create multiple sub-domains to be used during the attacks.

These subdomains typically point to malicious servers without alerting the actual owner of the parent domain.

A

DNS Domain Shadowing

Attacks Domain shadowing involves the threat actor gathering domain account credentials in order to silently create multiple sub-domains to be used during the attacks.

These subdomains typically point to malicious servers without alerting the actual owner of the parent domain.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

DNS Tunneling Botnets have become a popular attack method of threat actors.

Most often, botnets are used to spread malware or launch DDoS and phishing attacks.

A

DNS in the enterprise is sometimes overlooked as a protocol which can be used by botnets.

Because of this, when DNS traffic is determined to be part of an incident, the attack is often already over.

It is necessary for the cybersecurity analyst to be able to detect when an attacker is using DNS tunneling to steal data, and prevent and contain the attack.

To accomplish this, the security analyst must implement a solution that can block the outbound communications from the infected hosts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic.

This method often circumvents security solutions.

For the threat actor to use DNS tunneling, the different types of DNS records such as TXT, MX, SRV, NULL, A, or CNAME are altered.

For example, a TXT record can store the commands that are sent to the infected host bots as DNS replies.

A DNS tunneling attack using TXT works like this:

A

1) The data is split into multiple encoded chunks.
2) Each chunk is placed into a lower level domain name label of the DNS query.
3) Because there is no response from the local or networked DNS for the query, the request is sent to the ISP’s recursive DNS servers.
4) The recursive DNS service will forward the query to the attacker’s authoritative name server.
5) The process is repeated until all of the queries containing the chunks are sent.
6) When the attacker’s authoritative name server receives the DNS queries from the infected devices, it sends responses for each DNS query, which contains the encapsulated, encoded commands.
7) The malware on the compromised host recombines the chunks and executes the commands hidden within.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

DNS Tunneling To be able to stop DNS tunneling, a filter that inspects DNS traffic must be used.

Pay particular attention to DNS queries that are longer than average, or those that have a suspicious domain name.

Also, DNS security solutions, such as Cisco Umbrella (formerly Cisco OpenDNS), block much of the DNS tunneling traffic by identifying suspicious domains.

Domains associated with Dynamic DNS services should be considered highly suspect.

https://snipboard.io/rJdIMv.jpg

A

DNS Tunneling To be able to stop DNS tunneling, a filter that inspects DNS traffic must be used.

Pay particular attention to DNS queries that are longer than average, or those that have a suspicious domain name.

Also, DNS security solutions, such as Cisco Umbrella (formerly Cisco OpenDNS), block much of the DNS tunneling traffic by identifying suspicious domains.

Domains associated with Dynamic DNS services should be considered highly suspect.

https://snipboard.io/rJdIMv.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

DHCP DHCP servers dynamically provide IP configuration information to clients.

The figure shows the typical sequence of a DHCP message exchange between client and server.

A

DHCP DHCP servers dynamically provide IP configuration information to clients.

The figure shows the typical sequence of a DHCP message exchange between client and server.

Normal DHCP Operation

https://snipboard.io/5sMeWV.jpg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

DHCP Attacks DHCP Spoofing Attack A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.

A rogue server can provide a variety of misleading information:

A

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.

A rogue server can provide a variety of misleading information: :

– Wrong default gateway

– Wrong DNS server

– Wrong IP address

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.

A rogue server can provide a variety of misleading information: :

– Wrong default gateway

– Wrong DNS server

– Wrong IP address

A

Wrong default gateway :

Threat actor provides an invalid gateway, or the IP address of its host to create a MiTM attack.

This may go entirely undetected as the intruder intercepts the data flow through the network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.

A rogue server can provide a variety of misleading information: :

– Wrong default gateway

– Wrong DNS server

– Wrong IP address

A

Wrong DNS server :

Threat actor provides an incorrect DNS server address pointing the user to a malicious website.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.

A rogue server can provide a variety of misleading information: :

– Wrong default gateway

– Wrong DNS server

– Wrong IP address

A

Wrong IP address :

Threat actor provides an invalid IP address, invalid default gateway IP address, or both.

The threat actor then creates a DoS attack on the DHCP client.

26
Q

Assume a threat actor has successfully connected a rogue DHCP server to a switch port on the same subnet as the target clients.

The goal of the rogue server is to provide clients with false IP configuration information.

A

Assume a threat actor has successfully connected a rogue DHCP server to a switch port on the same subnet as the target clients.

The goal of the rogue server is to provide clients with false IP configuration information.

27
Q

Click each button for an illustration and explanation of the steps in a DHCP spoofing attack.

– Client Broadcasts DHCP Discovery Messages

– DCHP Servers Respond with Offers

– Client Accepts Rogue DHCP Request

– Rogue DHCP Acknowledges the Request

A

Client Broadcasts DHCP Discovery Messages :

In the figure, a legitimate client connects to the network and requires IP configuration parameters.

The client broadcasts a DHCP Discover request looking for a response from a DHCP server.

Both servers receive the message.

https://snipboard.io/9qPisy.jpg

28
Q

Click each button for an illustration and explanation of the steps in a DHCP spoofing attack.

– Client Broadcasts DHCP Discovery Messages

– DCHP Servers Respond with Offers

– Client Accepts Rogue DHCP Request

– Rogue DHCP Acknowledges the Request

A

DCHP Servers Respond with Offers :

The figure shows how the legitimate and rogue DHCP servers each respond with valid IP configuration parameters.

The client replies to the first offer received.

https://snipboard.io/qh1SuM.jpg

29
Q

Click each button for an illustration and explanation of the steps in a DHCP spoofing attack.

– Client Broadcasts DHCP Discovery Messages

– DCHP Servers Respond with Offers

– Client Accepts Rogue DHCP Request

– Rogue DHCP Acknowledges the Request

A

Client Accepts Rogue DHCP Request :

In this scenario, the client received the rogue offer first.

It broadcasts a DHCP request accepting the parameters from the rogue server, as shown in the figure.

The legitimate and rogue server each receive the request.

https://snipboard.io/CFPn26.jpg

30
Q

Click each button for an illustration and explanation of the steps in a DHCP spoofing attack.

– Client Broadcasts DHCP Discovery Messages

– DCHP Servers Respond with Offers

– Client Accepts Rogue DHCP Request

– Rogue DHCP Acknowledges the Request

A

Rogue DHCP Acknowledges the Request :

However, only the rogue server unicasts a reply to the client to acknowledge its request, as shown in the figure.

The legitimate server stops communicating with the client because the request has already been acknowledged.

https://snipboard.io/z23tZB.jpg

31
Q

Enterprise Services HTTP and HTTPS Internet browsers are used by almost everyone.

Blocking web browsing completely is not an option because businesses need access to the web, without undermining web security.

To investigate web-based attacks, security analysts must have a good understanding of how a standard web-based attack works.

These are the common stages of a typical web attack:

A

1) The victim unknowingly visits a web page that has been compromised by malware.
2) The compromised web page redirects the user, often through many compromised servers, to a site containing malicious code.
3) The user visits this site with malicious code and their computer becomes infected. This is known as a drive by download. When the user visits the site, an exploit kit scans the software running on the victim’s computer including the OS, Java, or Flash player looking for an exploit in the software. The exploit kit is often a PHP script and provides the attacker with a management console to manage the attack.
4) After identifying a vulnerable software package running on the victim’s computer, the exploit kit contacts the exploit kit server to download code that can use the vulnerability to run malicious code on the victim’s computer.
5) After the victim’s computer has been compromised, it connects to the malware server and downloads a payload. This could be malware, or a file download service that downloads other malware.
6) The final malware package is run on the victim’s computer.

32
Q

Independent of the type of attack being used, the main goal of the threat actor is to ensure the victim’s web browser ends up on the threat actor’s web page, which then serves out the malicious exploit to the victim.

A

Some malicious sites take advantage of vulnerable plugins or browser vulnerabilities to compromise the client’s system.

Larger networks rely on IDSs to scan downloaded files for malware.

If detected, the IDS issues alerts and records the event to log files for later analysis.

33
Q

Server connection logs can often reveal information about the type of scan or attack.

The different types of connection status codes are listed here:

– Informational 1xx

– Successful 2xx

– Redirection 3xx

– Client Error 4xx

– Server Error 5xx

A

Informational 1xx :

This is a provisional response, consisting only of the Status-Line and optional headers.

It is terminated by an empty line.

There are no required headers for this class of status code.

Servers MUST NOT send a 1xx response to an HTTP/1.0 client except under experimental conditions.

34
Q

Server connection logs can often reveal information about the type of scan or attack.

The different types of connection status codes are listed here:

– Informational 1xx

– Successful 2xx

– Redirection 3xx

– Client Error 4xx

– Server Error 5xx

A

Successful 2xx :

The client’s request was successfully received, understood, and accepted.

35
Q

Server connection logs can often reveal information about the type of scan or attack.

The different types of connection status codes are listed here:

– Informational 1xx

– Successful 2xx

– Redirection 3xx

– Client Error 4xx

– Server Error 5xx

A

Redirection 3xx :

Further action must be taken by the user agent to fulfill the request.

A client SHOULD detect infinite redirection loops, because these loops generate network traffic for each redirection.

36
Q

Server connection logs can often reveal information about the type of scan or attack.

The different types of connection status codes are listed here:

– Informational 1xx

– Successful 2xx

– Redirection 3xx

– Client Error 4xx

– Server Error 5xx

A

Client Error 4xx :

For cases in which the client seems to have erred.

Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the situation, and if it is temporary.

User agents SHOULD display any included entity to the user.

37
Q

Server connection logs can often reveal information about the type of scan or attack.

The different types of connection status codes are listed here:

– Informational 1xx

– Successful 2xx

– Redirection 3xx

– Client Error 4xx

– Server Error 5xx

A

Server Error 5xx :

For cases where the server is aware that it has erred, or it cannot perform the request.

Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and if it is temporary.

User agents SHOULD display any included entity to the user.

38
Q

To defend against web-based attacks, the following countermeasures should be used:

A

1) Always update the OS and browsers with current patches and updates.
2) Use a web proxy like Cisco Cloud Web Security or Cisco Web Security Appliance to block malicious sites.
3) Use the best security practices from the Open Web Application Security Project (OWASP) when developing web applications.
4) Educate end users by showing them how to avoid web-based attacks.

39
Q

The OWASP Top 10 Web Application

Security Risks is designed to help organizations create secure web applications.

It is a useful list of potential vulnerabilities that are commonly exploited by threat actors.

A

The OWASP Top 10 Web Application

Security Risks is designed to help organizations create secure web applications.

It is a useful list of potential vulnerabilities that are commonly exploited by threat actors.

40
Q

Common HTTP Exploits Malicious iFrames Threat actors often make use of malicious inline frames (iFrames).

An iFrame is an HTML element that allows the browser to load another web page from another source.

iFrame attacks have become very common, as they are often used to insert advertisements from other sources into the page.

A

Threat actors compromise a webserver and modify web pages by adding HTML for the malicious iFrame.

The HTML links to the threat actor’s webserver.

In some instances, the iFrame page that is loaded consists of only a few pixels.

This makes it very hard for the user to see.

Because the iFrame is run in the page, it can be used to deliver a malicious exploit, such as spam advertising, an exploit kit, and other malware.

41
Q

These are some of the ways to prevent or reduce malicious iFrames:

A

1) Use a web proxy to block malicious sites.
2) Because attackers often change the source HTML of the iFrame in a compromised web site, make sure web developers do not use iFrames. This will isolate any content from third-party web sites and make modified pages easier to find.
3) Use a service such as Cisco Umbrella to prevent users from navigating to web sites that are known to be malicious.
4) Make sure the end user understands what an iFrame is. Threat actors often use this method in web-based attacks.

42
Q

HTTP 302 Cushioning Another type of HTTP attack is the HTTP 302 cushioning attack. Threat actors use the 302 Found HTTP response status code to direct the user’s web browser to a new location.

Threat actors often use legitimate HTTP functions such as HTTP redirects to carry out their attacks. HTTP allows servers to redirect a client’s HTTP request to a different server.

HTTP redirection is used, for example, when web content has moved to a different URL or domain name.

This allows old URLs and bookmarks to continue to function.

Therefore, security analysts should understand how a function such as HTTP redirection works and how it can be used during attacks.

A

HTTP 302 Cushioning :

When the response from the server is a 302 Found status, it also provides the URL in the location field.

The browser believes that the new location is the URL provided in the header. The browser is invited to request this new URL.

This redirect function can be used multiple times until the browser finally lands on the page that contains the exploit. The redirects may be difficult to detect due to the fact that legitimate redirects frequently occur on the network.

43
Q

These are some ways to prevent or reduce HTTP 302 cushioning attacks:

A

Use a web proxy to block malicious sites.

Use a service such as Cisco Umbrella to prevent users from navigating to web sites that are known to be malicious.

Make sure the end user understands how the browser is redirected through a series of HTTP 302 redirections.

44
Q

Domain Shadowing When a threat actor wishes to create a domain shadowing attack, the threat actor must first compromise a domain.

Then, the threat actor must create multiple subdomains of that domain to be used for the attacks. Hijacked domain registration logins are then used to create the many subdomains needed.

After these subdomains have been created, attackers can use them as they wish, even if they are found out to be malicious domains. They can simply make more from the parent domain. The following sequence is typically used by threat actors:

A

1) A website becomes compromised.
2) HTTP 302 cushioning is used to send the browser to malicious websites.
3) Domain shadowing is used to direct the browser to a compromised server.
4) An exploit kit landing page is accessed.
5) Malware downloads from the exploit kit landing page.

45
Q

These are some ways to prevent or reduce domain shadowing attacks:

A

1) Secure all domain owner accounts. Use strong passwords and use two-factor authentication to secure these powerful accounts.
2) Use a web proxy to block malicious sites.
3) Use a service such as Cisco Umbrella to prevent users from navigating to web sites that are known to be malicious.
4) Make sure that domain owners validate their registration accounts and look for any subdomains that they have not authorized.

46
Q

Email Over the past 25 years, email has evolved from a tool used primarily by technical and research professionals to become the backbone of corporate communications.

Each day, more than 100 billion corporate email messages are exchanged.

As the level of use rises, security becomes a greater priority.

A

The way that users access email today also increases the opportunity for the threat of malware to be introduced.

It used to be that corporate users accessed text-based email from a corporate server.

The corporate server was on a workstation that was protected by the company’s firewall.

Today, HTML messages are accessed from many different devices that are often not protected by the company’s firewall. HTML allows more attacks because of the amount of access that can sometimes bypass different security layers.

47
Q

The following are examples of email threats:

– Attachment-based attacks

– Email spoofing

– Spam email

– Open mail relay server

– Homoglyphs

A

Attachment-based attacks :

Threat actors embed malicious content in business files such as an email from the IT department.

Legitimate users open malicious content.

Malware is used in broad attacks often targeting a specific business vertical to seem legitimate, enticing users working in that vertical to open attachments, or click embedded links.

48
Q

The following are examples of email threats:

– Attachment-based attacks

– Email spoofing

– Spam email

– Open mail relay server

– Homoglyphs

A

Email spoofing :

Threat actors create email messages with a forged sender address that is meant to fool the recipient into providing money or sensitive information.

For example, a bank sends you an email asking you to update your credentials.

When this email displays the identical bank logo as mail you have previously opened that was legitimate, it has a higher chance of being opened, having attachments opened and links clicked.

The spoofed email may even ask you to verify your credentials so that the bank is assured that you are you, exposing your login information.

49
Q

The following are examples of email threats:

– Attachment-based attacks

– Email spoofing

– Spam email

– Open mail relay server

– Homoglyphs

A

Spam email :

Threat actors send unsolicited email containing advertisements or malicious files.

This type of email is sent most often to solicit a response, telling the threat actor that the email is valid and a user has opened the spam.

50
Q

The following are examples of email threats:

– Attachment-based attacks

– Email spoofing

– Spam email

– Open mail relay server

– Homoglyphs

A

Open mail relay server :

Threat actors take advantage of enterprise servers that are misconfigured as open mail relays to send large volumes of spam or malware to unsuspecting users.

The open mail relay is an SMTP server that allows anybody on the internet to send mail. Because anyone can use the server, they are vulnerable to spammers and worms.

Very large volumes of spam can be sent by using an open mail relay. It is important that corporate email servers are never set up as an open relay. This will considerably reduce the amount of unsolicited emails.

51
Q

The following are examples of email threats:

– Attachment-based attacks

– Email spoofing

– Spam email

– Open mail relay server

– Homoglyphs

A

Homoglyphs :

Threat actors can use text characters that are very similar or even identical to legitimate text characters.

For example, it can be difficult to distinguish between an O (upper case letter O) and a 0 (number zero) or a l (lower case “L”) and a 1 (number one).

These can be used in phishing emails to make them look very convincing. In DNS, these characters are very different from the real thing.

When the DNS record is searched, a completely different URL is found when the link with the homoglyph is used in the search.

52
Q

Just like any other service that is listening to a port for incoming connections, SMTP servers also may have vulnerabilities.

Always keep SMTP software up to date with security and software patches and updates.

To further prevent threat actors from completing their task of fooling the end user, implement countermeasures.

A

Use a security appliance specific to email such as the Cisco Email Security Appliance.

This will help to detect and block many known types of threats such as phishing, spam, and malware. Also, educate the end user.

When attacks make it by the security measures in place, and they will sometimes, the end user is the last line of defense.

Teach them how to recognize spam, phishing attempts, suspicious links and URLs, homoglyphs, and to never open suspicious attachments.

53
Q

Web-Exposed Databases

Web applications commonly connect to a relational database to access data.

Because relational databases often contain sensitive data, databases are a frequent target for attacks.

– Code Injection

– SQL Injection

A

Code Injection :

Attackers are able to execute commands on a web server’s OS through a web application that is vulnerable.

This might occur if the web application provides input fields to the attacker for entering malicious data.

The attacker’s commands are executed through the web application and have the same permissions as the web application.

This type of attack is used because often there is insufficient validation of input.

An example is when a threat actor injects PHP code into an insecure input field on server page.

54
Q

Web-Exposed Databases Web applications commonly connect to a relational database to access data.

Because relational databases often contain sensitive data, databases are a frequent target for attacks.

– Code Injection

– SQL Injection

A

SQL Injection :

SQL is the language used to query a relational database.

Threat actors use SQL injections to breach the relational database, create malicious SQL queries, and obtain sensitive data from the relational database.

55
Q

Web-Exposed Databases Web applications commonly connect to a relational database to access data.

Because relational databases often contain sensitive data, databases are a frequent target for attacks.

– Code Injection

– SQL Injection

A

SQL Injection :

One of the most common database attacks is the SQL injection attack.

The SQL injection attack consists of inserting a SQL query via the input data from the client to the application.

A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database, and sometimes, issue commands to the operating system.

56
Q

Web-Exposed Databases Web applications commonly connect to a relational database to access data.

Because relational databases often contain sensitive data, databases are a frequent target for attacks.

– Code Injection

– SQL Injection

A

SQL Injection :

Unless an application uses strict input data validation, it will be vulnerable to the SQL injection attack.

If an application accepts and processes user-supplied data without any input data validation, a threat actor could submit a maliciously crafted input string to trigger the SQL injection attack.

57
Q

Web-Exposed Databases Web applications commonly connect to a relational database to access data.

Because relational databases often contain sensitive data, databases are a frequent target for attacks.

– Code Injection

– SQL Injection

A

SQL Injection ::

Security analysts should be able to recognize suspicious SQL queries in order to detect if the relational database has been subjected to SQL injection attacks.

They need to be able to determine which user ID was used by the threat actor to log in, then identify any information or further access the threat actor could have leveraged after a successful login.

58
Q

Client-side Scripting : Not all attacks are initiated from the server side.

Cross-Site Scripting (XSS) is where web pages that are executed on the client-side, within their own web browser, are injected with malicious scripts.

These scripts can be used by Visual Basic, JavaScript, and others to access a computer, collect sensitive information, or deploy more attacks and spread malware.

As with SQL injection, this is often due to the attacker posting content to a trusted website with a lack of input validation.

Future visitors to the trusted web site will be exposed to the content provided by the attacker.

A

These are the two main types of XSS:

– Stored (persistent)

– Reflected (non-persistent)

59
Q

These are the two main types of XSS:

– Stored (persistent)

– Reflected (non-persistent)

A

Stored (persistent) :

This is permanently stored on the infected server and is received by all visitors to the infected page.

60
Q

These are the two main types of XSS:

– Stored (persistent)

– Reflected (non-persistent)

A

Reflected (non-persistent) :

This only requires that the malicious script is located in a link and visitors must click the infected link to become infected.

61
Q

These are some ways to prevent or reduce XSS attacks:

A

1) Be sure that web application developers are aware of XSS vulnerabilities and how to avoid them.
2) Use an IPS implementation to detect and prevent malicious scripts.
3) Use a web proxy to block malicious sites.
4) Use a service such as Cisco Umbrella to prevent users from navigating to web sites that are known to be malicious.
5) As with all other security measures, be sure to educate end users. Teach them to identify phishing attacks and notify infosec personnel when they are suspicious of anything security-related.

MODULE 17 - Attacking What We Do CERTIFICATION CYBER OPS ASSOCIATE (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions