Security Flashcards
How do you implement malware prevention?
Do the following:
• Install anti-malware on all systems to search for malware, viruses, worms, trojans, and rootkits.
• Enable automatic definition updates on your anti-malware software.
• Configure frequent quick malware scans along with less frequent full system scans.
• Implement anti-spam measures. This can be done using anti-spam software on each individual workstation. However, it’s usually advantageous to implement an anti-spam appliance that filters email messages for your entire organization.
How do you implement browser security?
Do the following:
• Block pop-ups in all web browsers. Pop-up windows are a common vehicle for drive-by downloads and for redirecting users to malicious websites. Allow pop-ups only for legitimate sites that require them.
• Override automatic cookie handling. Configure the browser to prompt before accepting cookies, or at least to block third-party cookies.
• Disable third-party browser extensions.
• Disable sounds in web pages.
Spam
Spam may or may not be malicious in nature. Even when it is not, it wastes time, network bandwidth, and storage space; the storage cost is amplified because many organizations (for example in regulated industries in the United States) are required to retain all email communications for a period of time.
The best way to combat spam is to implement an anti-spam appliance at the mail gateway, between your network and the internet. The appliance scans all email as it enters the organization and quarantines anything it deems to be spam.
Phishing Emails
Phishing is the process used by attackers to acquire sensitive information such as passwords, credit card numbers, and usernames by masquerading as a trustworthy entity. Phishing emails are drafted such that they appear to have come from a legitimate organization, such as banking, social media, or e-commerce websites. They convince the user to click a link that takes them to a malicious website (that looks exactly like the legitimate website) where they are tricked into revealing sensitive information.
To detect phishing email, train users to recognize their key characteristics:
• The source address of the message may not match the domain of the company it claims to be coming from.
• The message tries to create a sense of urgency. For example, it may warn that your bank account will be frozen, that your credit card has been stolen, or that you will be subject to arrest if you don’t follow the instructions in the message.
• The hyperlinks in the message go to websites that are not associated with the organization the message claims to be coming from. If you hover your mouse over a link (without clicking it) you can see where the link actually leads. If it isn't pointing to the organization's own domain, the message is very likely a phishing attempt.
Hijacked Emails
To hijack an email account, attackers abuse the password hints and account-recovery questions set up by the user to gain access to the account. Users should not base these on personal information such as their birthplace or mother's maiden name, because such information is relatively easy to obtain from social media. Once an account has been hijacked, the attacker can use it to send spam or malware to every contact in the user's address book, and the recipients are more likely to trust it because it comes from someone they know.
Pharming
Pharming redirects one website's traffic to another, bogus, website that is designed to look like the real one. Once there, the attacker tricks the user into supplying personal information, such as bank account and PIN numbers. Pharming works by making legitimate hostnames resolve to the IP address of an attacker-controlled server, so the URL in the address bar still looks correct. This is typically done using one of the following techniques:
• Changing the hosts file on a user’s computer
• Poisoning a DNS server
• Compromising the DHCP server, or running a rogue one, so that DHCP leases hand out the IP address of a malicious DNS server.
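The first and third techniques leave traces on the client itself. As an added example (not from the flashcards), the following Python checks hosts-file text for names pinned to public addresses and checks the resolver list a DHCP lease installed against an allowlist. The file contents, the examplebank.com name, the LOCAL_OK ranges and the TRUSTED_RESOLVERS set are all constructed assumptions for the example.

```python
"""Added example (not from the flashcards): spotting two of the pharming
techniques above on a client, by inspecting hosts-file text and the
nameserver list a DHCP lease installed. File contents are constructed."""
import ipaddress
import re

# Constructed sample hosts file; the examplebank line is what pharming adds.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# added by malware: pins the bank's name to an attacker-controlled address
203.0.113.45    www.examplebank.com examplebank.com
192.168.1.10    printer.lan
"""

# Constructed resolv.conf-style content, as a DHCP client might write it.
SAMPLE_RESOLV = """\
nameserver 203.0.113.53
nameserver 10.0.0.2
"""

# Assumed policy: ranges that a hosts file may legitimately map names into.
LOCAL_OK = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed corporate resolvers; anything else in a lease is worth a look.
TRUSTED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}


def parse_hosts(text):
    """Yield (address, [names]) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            yield fields[0], fields[1:]


def suspicious_hosts_entries(text):
    """Return entries that pin a name to an address outside LOCAL_OK."""
    flagged = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, names, "unparseable address"))
            continue
        if not any(addr in net for net in LOCAL_OK):
            flagged.append((ip, names, "public address pinned in hosts file"))
    return flagged


def untrusted_resolvers(text):
    """Return nameserver entries that are not on the trusted list."""
    found = re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)
    return [ns for ns in found if ns not in TRUSTED_RESOLVERS]


if __name__ == "__main__":
    for entry in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts:", entry)
    for ns in untrusted_resolvers(SAMPLE_RESOLV):
        print("resolver:", ns)
```

On a real machine you would feed it the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) and the resolver configuration; a DNS-server poisoning attack (the second technique) leaves nothing on the client, so it has to be caught by comparing answers from an independent resolver instead.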
Rogue Antivirus
Rogue antivirus scams usually employ a pop-up in a browser that tells the user the computer is infected with a virus and that the user must click a link to clean it. Sometimes the scam only tricks users into paying for worthless software they don't need. However, it is also frequently used to deploy malware on the victim's computer.
Cookies
Cookies are small data items that a web server sets on a client and that the browser sends back on later requests to that server. They are used to maintain state across HTTP requests (most importantly the session identifier issued after login) and to track the client across visits. By default, a cookie is returned only to the domain that set it. The cookies themselves are fairly benign; however, an attacker who steals a session cookie (by sniffing an unencrypted connection, or by reading it through an injected script) can present it to the server, impersonate the client, and hijack the session, exposing anything the session gives access to.
Browser History
The browser history and its cache contain information that an attacker can exploit. If an attacker can gain access to the cache or the browser history, they can learn things about the user such as:
• The email service they use
• The bank where they keep their accounts
• Where they shop
An attacker can exploit this information to conduct other attacks, such as stealing cookies or sending phishing emails.
What are the symptoms of a malware infection?
- Slow computer performance
- Internet connectivity issues
- Operating system lock ups
- Windows update failures
- Renamed system files
- Disappearing files
- Changed file permissions
- Access denied errors
What are the best practices you should follow before removing the malware?
- Identify the malware symptoms.
- Quarantine the infected system.
- Disable system restore to prevent the malware from being saved in a restore point (and to prevent an uninfected restore point from being potentially deleted to make room for a new restore point).
- Remediate the infected system.
- Update the anti-malware definitions.
- Scan for and remove the malware. Some malware can be removed while the system is running normally. However, some malware can be removed only while in Safe Mode or from the Windows Preinstallation Environment (WinPE), where the malware's own processes and drivers are not loaded.
- Schedule future scans and updates.
- Re-enable system restore and create a new restore point.
- Educate users to prevent the infection from happening again.
Man-in-the-Middle
A man-in-the-middle attack is used to intercept information passing between two communication partners. With a man-in-the-middle attack:
• The attacker inserts themselves into the communication flow between the client and server, so the client is fooled into authenticating to the attacker.
• Both endpoints believe they are communicating directly with each other, while the attacker intercepts and/or modifies the data in transit. The attacker can then authenticate to the server using the intercepted credentials.
Man-in-the-middle attacks are commonly used to steal credit card numbers and online banking credentials, as well as confidential personal and business information. Properly validated TLS certificates (and mutual authentication where available) are the standard defense, because the attacker cannot present a certificate for the real server's name that the client will trust.
TCP/IP (session) Hijacking
TCP/IP hijacking is an extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user.
• The attacker takes over the session and cuts off the original source device.
• The TCP/IP session state is manipulated so that the attacker is able to insert alternate packets into the communication stream.
HTTP (session) Hijacking
HTTP (session) hijacking is a real-time attack in which the attacker hijacks a legitimate user’s cookies and uses the cookies to take over the HTTP session.
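The cookie section and the HTTP session hijacking flashcard describe the same mechanism. As an added example (not from the flashcards), the following Python models a minimal session store, shows that replaying a captured session cookie is indistinguishable from the victim's own request, and shows the two server-side controls that bound the damage (a short lifetime and server-side logout). It also audits a Set-Cookie header for the Secure, HttpOnly and SameSite attributes that make the cookie harder to steal. The session store, the 15-minute timeout and the user names are constructed assumptions.

```python
"""Added example (not from the flashcards): what a stolen session cookie
gives an attacker, and a check for the Set-Cookie attributes that limit
exposure. The session store and cookie values are constructed."""
import secrets
import time

SESSIONS = {}         # session id -> {"user": ..., "expires": ...}
SESSION_TTL = 900     # assumed 15-minute idle timeout


def parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def login(user, now=None):
    """Create a session and return the id the server would set as a cookie."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)          # unguessable, so theft is the only way in
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def logout(sid):
    """Server-side revocation: a stolen cookie stops working once the victim logs out."""
    SESSIONS.pop(sid, None)


def whoami(cookie_header, now=None):
    """Resolve the user from a Cookie: header; None if there is no live session."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(parse_cookie_header(cookie_header).get("session"))
    if sess is None or now > sess["expires"]:
        return None
    return sess["user"]


def audit_set_cookie(set_cookie):
    """Return the hardening attributes missing from a Set-Cookie header value."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    wanted = ("Secure", "HttpOnly", "SameSite")   # no cleartext send, no script access, CSRF limit
    return [w for w in wanted if w.lower() not in attrs]


def hijack_demo():
    """Replay a captured cookie: the server cannot tell attacker from victim."""
    victim_sid = login("alice", now=1000)
    stolen = f"session={victim_sid}"          # sniffed over plain HTTP or read by injected script
    as_attacker = whoami(stolen, now=1010)    # "alice"
    expired = whoami(stolen, now=1000 + SESSION_TTL + 1)   # None: short TTL bounds the damage
    logout(victim_sid)
    revoked = whoami(stolen, now=1010)        # None: server-side logout kills the copy too
    return as_attacker, expired, revoked
```

The point of audit_set_cookie is that the server, not the user, decides whether the cookie can be sent over plain HTTP (Secure) or read by page script (HttpOnly); a session cookie missing either attribute is the easy target for the hijack shown in hijack_demo.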
Replay Attack
In a replay attack, the attacker uses a protocol analyzer or sniffer to capture authentication information going from the client to the server. The attacker then resends this information at a later time to pretend to be the client. Protocols defend against replay by binding each authentication to a server-chosen nonce or a timestamp, so that a captured response is useless after the exchange it belonged to.
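As an added example (not from the flashcards), the following Python contrasts the two cases: a static proof that the sniffer can replay indefinitely, and a challenge-response scheme in which the server issues a single-use nonce, so the same captured bytes are rejected the second time. The shared secret and user names are constructed; a real deployment would use a per-user key.

```python
"""Added example (not from the flashcards): why a captured authentication
message replays against a static scheme, and why it fails against a
challenge-response scheme whose server-chosen nonce is single use. The
secret and user names are constructed."""
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-shared-secret"   # assumed: real systems use a per-user key


def mac(data):
    return hmac.new(SHARED_SECRET, data.encode(), hashlib.sha256).hexdigest()


# --- weak scheme: the client sends the same proof every time it connects ---
def weak_auth_message(user):
    return f"{user}:{mac(user)}"


def weak_server_verify(message):
    user, proof = message.split(":", 1)
    return hmac.compare_digest(proof, mac(user))


# --- hardened scheme: server issues a fresh nonce; the proof covers it ---
class ChallengeServer:
    def __init__(self):
        self.outstanding = {}   # nonce -> user it was issued to
        self.used = set()       # nonces that have been consumed

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = user
        return nonce

    def verify(self, user, nonce, proof):
        if nonce in self.used or self.outstanding.get(nonce) != user:
            return False                       # replayed, foreign, or never issued
        ok = hmac.compare_digest(proof, mac(f"{user}:{nonce}"))
        self.used.add(nonce)                   # consumed whether or not it verified
        del self.outstanding[nonce]
        return ok


def client_proof(user, nonce):
    return mac(f"{user}:{nonce}")


def replay_demo():
    """Return (weak scheme replays?, first C-R attempt ok?, C-R replay ok?)."""
    captured = weak_auth_message("alice")            # what a sniffer sees once
    weak_replay = weak_server_verify(captured)       # accepted again and again
    srv = ChallengeServer()
    nonce = srv.challenge("alice")
    proof = client_proof("alice", nonce)             # the sniffer also sees this
    first = srv.verify("alice", nonce, proof)        # genuine login succeeds
    replay = srv.verify("alice", nonce, proof)       # same bytes later: rejected
    return weak_replay, first, replay
```

The used set is what makes the defense work: the server must remember consumed nonces (or bound them with a timestamp) for as long as a replay could arrive, otherwise an attacker simply waits.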
Phishing
A phishing scam employs an email pretending to be from a trusted organization, asking to verify personal information or send a credit card number. In a phishing attack:
• A fraudulent message (that appears to be legitimate) is sent to a victim.
• The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and websites look almost identical to legitimate websites they are trying to imitate.
• The fraudulent website requests that the victim provide sensitive information, such as an account username and password.
What are some common phishing scams?
- A Rock Phish kit uses a fake website that imitates a real website (such as banks, PayPal®, eBay®, or Amazon®). Phishing emails direct victims to the fake website where they enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection.
- A Nigerian scam, also known as a 419 scam, involves an email that requests a small amount of money to help transfer funds out of a foreign country. For their assistance, the victim is promised a much larger amount of money that will be sent at a later date.
- In spear phishing, attackers gather information about the victim, such as identifying which online banks they use. They then send phishing emails for the specific bank that the victim uses.
- Whaling is another form of phishing that is targeted to senior executives and high profile victims.
- Vishing is similar to phishing but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.
How can you protect against phishing?
- Check the actual link destination within emails to verify that they go to the correct URL and not a spoofed one.
- Do not click on links in emails. Instead, type the real bank URL into the browser.
- Verify that HTTPS is used when going to e-commerce and banking sites. HTTPS requires a certificate, issued by a CA the browser trusts, whose name matches the server name in the URL; if the certificate is invalid, the browser shows a certificate warning before loading the page. The lock icon only proves that the connection is encrypted to the host named in the URL, not that the host is the one you intended, so always check the domain name as well: phishing sites routinely obtain valid certificates for their own look-alike domains.
- Implement phishing protections within your browser.
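The indicators listed under "Phishing Emails" above (sender domain, urgency language, where the links really go) and the link check recommended here can be automated. As an added example (not from the flashcards), the following Python parses a constructed message and reports each indicator it finds; the domains, both sample messages, the urgency word list and the crude registrable_domain() helper are assumptions for the example and not a production classifier.

```python
"""Added example (not from the flashcards): the phishing indicators listed
above (sender domain, urgency language, link destination versus link text,
missing HTTPS) applied to a constructed message. Domains are constructed;
registrable_domain() is a deliberately crude approximation."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample: claims to be examplebank.com.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-verify.com>
To: alice@example.org
Subject: URGENT: your account will be frozen in 24 hours
Content-Type: text/html

<p>We detected suspicious activity. Your account will be suspended unless you act immediately.</p>
<p><a href="http://203.0.113.7/login">https://www.examplebank.com/secure</a></p>
"""

# Constructed legitimate sample for comparison.
CLEAN_EMAIL = """\
From: Example Bank <statements@examplebank.com>
To: alice@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>.</p>
"""

URGENCY = ("urgent", "immediately", "suspended", "frozen", "arrest")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two labels of a host name (assumption: good enough for .com-style names)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def phishing_indicators(raw, claimed_domain):
    """Return (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    claimed = registrable_domain(claimed_domain)

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if registrable_domain(sender_domain) != claimed:
        findings.append(("sender-domain-mismatch", sender_domain))

    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))

    for href, label in ANCHOR_RE.findall(body):
        target = urlparse(href)
        label = label.strip()
        if target.scheme != "https":
            findings.append(("non-https-link", href))
        if registrable_domain(target.hostname) != claimed:
            findings.append(("link-off-domain", href))
        # hovering shows the href; the visible text is what the victim reads
        label_host = urlparse(label).hostname if "://" in label else None
        if label_host and registrable_domain(label_host) != registrable_domain(target.hostname):
            findings.append(("link-text-mismatch", f"{label} -> {href}"))
    return findings
```

The link-text-mismatch case is the one users are taught to spot by hovering: the anchor text shows the bank's HTTPS address while the href points at a bare IP over plain HTTP. Note that the sender-domain check only covers the From header; a real gateway would also evaluate SPF, DKIM and DMARC results, which this example does not model.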
Zombie
A zombie is a computer infected with malware that lets an attacker, the zombie master, update and control it remotely through a command and control (C2) infrastructure. A zombie:
• Is also known as a bot (short for robot).
• Is frequently used to aid spammers.
• Can commit click fraud. The internet uses an advertising model called pay per click (PPC). With PPC, ads are embedded on a website by the developer. The advertiser then pays the website owner for each click the ad generates. Zombie computers can imitate a legitimate ad click, generating fraudulent revenue.
• Can be used to perform denial of service attacks.
Botnet
A botnet refers to a group of zombie computers that are commanded from a central control infrastructure. A botnet is:
• Under a command and control infrastructure where the zombie master (also known as the bot herder) can send remote commands to order all the bots they control to perform actions.
• Capable of performing distributed denial of service attacks.
• Detected through firewall logs, which show whether a computer is acting as a zombie and participating in external attacks (for example, large volumes of outbound connections to a single target, or connections to many mail servers from a host that should not send mail).
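As an added example (not from the flashcards) of the firewall-log detection just described, the following Python generates a constructed outbound-connection log and flags two bot-like patterns: a host contacting many distinct mail servers on port 25 within a minute (spam relay) and a host opening hundreds of connections to one external target within a minute (DDoS participant). The log format, the addresses and the thresholds are assumptions; real firewalls log the same fields in their own layouts.

```python
"""Added example (not from the flashcards): two outbound patterns in firewall
logs that suggest a host is acting as a zombie. The log format and every
line are constructed; real firewalls log differently but carry the same
fields."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\w+) (\d+)$")   # ts src dst proto dport


def build_sample_log():
    """Constructed log of outbound connections permitted by the firewall."""
    lines = []
    # 10.0.0.12 contacts 60 different mail servers within one minute: spam bot
    for i in range(60):
        lines.append(f"{1700000040 + i} 10.0.0.12 198.51.100.{i + 1} tcp 25")
    # 10.0.0.40 opens 400 connections to one web server in 40 seconds: DDoS participant
    for i in range(400):
        lines.append(f"{1700000100 + i // 10} 10.0.0.40 192.0.2.77 tcp 80")
    # 10.0.0.7 behaves normally: a few HTTPS connections spread over minutes
    for i in range(5):
        lines.append(f"{1700000200 + i * 60} 10.0.0.7 203.0.113.{i + 5} tcp 443")
    return "\n".join(lines)


def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, proto, dport = m.groups()
            yield int(ts), src, dst, proto, int(dport)


def find_zombies(log, window=60, smtp_fanout=20, single_target=200):
    """Return {src: [reasons]} for hosts whose outbound traffic looks bot-driven.

    Thresholds are assumptions to be tuned per network: a workstation has no
    business talking SMTP to 20 mail servers a minute, nor opening 200
    connections a minute to one external host."""
    smtp_dsts = defaultdict(set)     # (src, window) -> distinct port-25 destinations
    per_target = Counter()           # (src, dst, window) -> connection count
    for ts, src, dst, proto, dport in parse(log):
        bucket = ts // window
        if proto == "tcp" and dport == 25:
            smtp_dsts[(src, bucket)].add(dst)
        per_target[(src, dst, bucket)] += 1

    verdict = defaultdict(list)
    for (src, _), dsts in smtp_dsts.items():
        if len(dsts) >= smtp_fanout:
            verdict[src].append(f"smtp fan-out to {len(dsts)} hosts in one {window}s window")
    for (src, dst, _), n in per_target.items():
        if n >= single_target:
            verdict[src].append(f"{n} connections to {dst} in one {window}s window")
    return dict(verdict)
```

Both rules look only at who talks to whom and how often, which is exactly what a firewall records even when the payload is encrypted; that is why firewall logs are a practical place to catch zombies that endpoint anti-malware missed.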
Zero Day
A zero day attack (also known as a zero hour or day zero attack) is an attack that exploits a vulnerability in an application before the application's developer knows about it and has released a patch, so there is no fix for defenders to apply.
Spoofing
Spoofing is used to hide the true source of packets or to redirect traffic to another location. Spoofing attacks:
• Use modified source and/or destination addresses in packets
• Can include site spoofing that tricks users into revealing information
More generally, any network attack that falsifies source or destination addresses in network communications is called spoofing.
What are common methods of spoofing?
IP spoofing, MAC spoofing, and ARP spoofing.
IP Spoofing
IP spoofing changes the IP address information within a packet. It can be used to:
• Hide the origin of the attack by spoofing the source address.
• Amplify attacks by sending requests (such as ICMP echo requests) to a broadcast address with the victim's address as the spoofed source, so that every host on that network replies to the victim, who is overwhelmed with responses (a smurf attack).
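Both uses of IP spoofing can be cut off at a site border with address sanity checks: a packet arriving from the internet must not carry one of the site's own source addresses, a packet leaving the site must carry one, and outside hosts must not be able to reach the site's broadcast address. As an added example (not from the flashcards), the following Python applies those three rules to constructed packets; the site prefix, interface names and addresses are assumptions.

```python
"""Added example (not from the flashcards): ingress/egress address checks at
a site border that catch the two IP-spoofing uses above. The site prefix,
interface names and packets are constructed."""
import ipaddress

SITE = ipaddress.ip_network("198.51.100.0/24")     # assumed prefix owned by this site
SITE_BROADCAST = SITE.broadcast_address

# Constructed packets: (ingress interface, src, dst, proto)
SAMPLE_PACKETS = [
    ("wan", "203.0.113.9", "198.51.100.10", "tcp"),      # ordinary inbound
    ("wan", "198.51.100.10", "198.51.100.20", "tcp"),    # arrives from outside claiming to be us
    ("lan", "198.51.100.10", "203.0.113.9", "tcp"),      # ordinary outbound
    ("lan", "192.0.2.200", "203.0.113.9", "tcp"),        # leaves us with a foreign source address
    ("wan", "192.0.2.55", "198.51.100.255", "icmp"),     # echo to our broadcast: smurf reflection
]


def classify(iface, src, dst, proto):
    """Accept or drop one packet based only on where it arrived and its addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "wan" and d == SITE_BROADCAST:
        # outside hosts must not reach the directed broadcast; every host would reply
        return "drop: directed broadcast from outside (amplification)"
    if iface == "wan" and s in SITE:
        # our own addresses never legitimately arrive from the internet
        return "drop: internal source address arriving from outside (spoofed)"
    if iface == "lan" and s not in SITE:
        # egress filtering: stops this site being used as a spoofing source
        return "drop: outbound packet with non-local source (egress filter)"
    return "accept"


def filter_packets(packets):
    return [classify(*p) for p in packets]
```

The egress rule protects other people rather than the site itself, which is why it is often skipped; it is the control that stops a compromised host inside the site from being the source of the hidden-origin and amplification attacks described above.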