workstation
a special computer designed for scientific or highly technical applications
malware
word that describes software designed to interfere with a computer’s normal functions and can be used to commit an unwanted and harmful action
ransomware
malicious software designed to extort money from victims in exchange for their endpoint device to be restored to its normal working state
blocking ransomware
blocks the user from using their computer in a normal fashion
locking ransomware
encrypts some or all of the files on the device so that they cannot be opened
keylogger
silently captures and stores each keystroke that a user types on the computer’s keyboard
spyware
tracking software that is deployed without the consent or control of the user
trojan
executable program that masquerades as performing a benign activity but also does something malicious
remote access Trojan (RAT)
has the basic functionality of a Trojan but also gives the threat agent unauthorized remote access to the victim’s computer by using specially configured communication protocols
file-based virus
malicious code that is attached to a file that reproduces itself on the same computer without any human intervention
fileless virus
does not attach itself to a file but instead takes advantage of native services and processes that are part of the OS to avoid detection and carry out its attacks
worm
malicious program that uses a computer network to replicate (sometimes called a network virus)
bloatware
software that is installed on a device without the user requesting it
bot
Infected robot computer (zombie)
logic bomb
computer code that is typically added to a legitimate program but lies dormant and evades detection until a specific logical event triggers it
rootkit
malware that can hide its presence and the presence of other malware on the device
backdoor
gives access to a computer, program, or service that circumvents any normal security protections
privilege escalation
allows the attacker to gain illicit access to elevated rights or privileges beyond what a user is entitled to
buffer overflow attack
occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
improper input handling
a feature does not filter or validate user input to prevent a malicious action
race condition
in software, occurs when two concurrent threads of execution access a shared resource simultaneously
web-based attacks
a common type of application attack directed at programs running on Internet web servers
directory traversal
type of web-based attack that takes advantage of a vulnerability so that a user can move from the root directory to other restricted directories
cross-site scripting (XSS)
a website that accepts user input without validating it and uses that input in a response can be exploited
SQL injection
one of the most common injection attacks.
inserts statements to manipulate a database server
structured query language (SQL)
an attack that inserts statements to manipulate a database server
cross-site request forgery (CSRF)
takes advantage of an authentication “token” that a website sends to a user’s web browser
server-side request forgery (SSRF)
takes advantage of a trusting relationship between web servers
replay attacks
commonly used against digital identities
- Threat actor retransmits selected and edited portions of the copied communications later to impersonate the legitimate user
cross-site scripting (XSS)
attack that is based on a website accepting user input without sanitizing or validating it
antivirus (AV)
software that can examine a computer for file-based virus infections, monitor computer activity, and scan new documents that might contain a virus
static analysis
older AV products use signature-based monitoring
dynamic analysis
newer approach to AV is heuristic monitoring
secure cookies
sent to a web server with an encrypted request over the secure HTTPS protocol
HTTP Response Headers
headers that tell the browser how to behave while communicating with the website
Host Intrusion Detection Systems (HIDS)
software-based application that runs on an endpoint computer and can detect that an attack has occurred
Host Intrusion Prevention Systems (HIPS)
monitor endpoint activity to immediately block a malicious attack by following specific rules
Endpoint Detection and Response (EDR)
tools considered more robust than HIDS and HIPS
automated patch management tools
patch distribution and deployment systems that automatically update software across endpoints to mitigate vulnerabilities.
application allow list
a list of approved applications to run on the OS so that any item not approved will not function
sandbox
a “container” in which an application can be run so that it does not impact the underlying OS