Internet
A network of computers and similar devices throughout the world
Uses of the internet
Email, streaming music and video, and cloud storage
Web (or World Wide Web)
A collection of pages, which are digital documents of content. Each page is stored on a website that can transmit content on request
Server
A computer (or a program running on it) that stores content and delivers it to client programs on request; websites are hosted on servers
Browsers
People access websites using programs that fetch and display webpages and sometimes pass user data back to the site
Search engine
A program that locates webpages matching a query from a user
Man-in-the-Browser
A Trojan horse inserted into the browser that intercepts data passing through it. The injected code can read, copy, and redistribute anything the user enters in the browser, such as credentials and form data
Keystroke Logger (or key logger)
Either hardware or software that records keystrokes entered by the user
Page-in-the-Middle
A type of browser attack in which the user is redirected to another page, typically one the attacker controls, instead of the page requested
Program Download Substitution
The attacker presents a page with a desirable and seemingly innocuous program for the user to download; what is actually downloaded is, or carries, the attacker's code
User-in-the-Middle
Puts a human between two automated processes so that the human unwittingly helps spammers register automatically for free email accounts
CAPTCHA (Completely Automated Public Turing to tell Computers and Humans Apart)
A puzzle that supposedly only a human can solve, so a server application can distinguish between a human who makes a request and an automated program generating the same request repeatedly
Shared Secret
Something only the two entities wanting to authenticate should know. Must be something no malicious middle agent can know
One-Time Password
Good for only one use, so a captured password cannot be replayed. The two end parties need to have a shared secret list of passwords (or a way to generate passwords as needed)
Out-of-Band Communication
Transferring one fact along a communication path separate from that of another fact (a phone call, text message, or smartphone authenticator app used to confirm a login)
Successful Identification and Authentication
Shared secret, One-time password, Out-of-band communication, Continuous authentication
Browser Attack Types
Man-in-the-Browser, Keystroke Logger, Page-in-the-Middle, Program Download Substitution, User-in-the-Middle
Defaced Website
Occurs when an attacker replaces or modifies the content of a legitimate website
Fake Website
Successful attackers can take the time and care to prepare convincing forgeries; the attacker can simply download all the images and styling a real site uses
Attacks Targeting Users
False or misleading content:
Defaced website, fake website, fake code
Integrity Checksums
A mathematical function (a cryptographic hash such as SHA-256) that reduces a block of data (including an executable program) to a small number of bits. Can detect altered content on a website, but only if the published checksum itself is obtained from a source the attacker cannot also modify
Signed Code or Data
A digital signature is an electronic seal that can vouch for the authenticity of a file or other data object. The recipient can inspect the seal to verify that it came from the person or organization believed to have signed the object and that the object was not modified after it was signed
Protecting Websites Against Malicious Modification
Integrity checksums, Signed code or data
Cookie
A data file the website stores in the user's browser, containing any data the page owner wants, in any format, including being encrypted; the browser sends it back on later requests to that site
Web bug
A hidden element embedded in a page that can report page traversal patterns to central collecting points, compromising privacy. Used by a third party for marketing (or for spying on you)
Clickjacking
Tricking a user into clicking something other than what they think they are clicking, by disguising what the clicked element actually does. Typically an invisible or disguised element (such as a prompt to approve something dangerous) is layered over or under visible content so that the user's click lands on it
Framing (or using an iframe)
A structure that can contain all or part of a page, can be placed and moved anywhere on another page, and can be layered on top or underneath other frames
Drive-by download
An attack in which code is downloaded, installed, and executed on a computer without the user’s permission and usually without the user’s knowledge
Malicious Web Content
Substitute content on a real website, web bug, clickjacking, drive-by download
Scripting or injection attacks
An unauthorized request that is delivered as a script or injected into the dialog with the server
Code Within Data
Executable code contained within what might seem to be ordinary data
Cross-Site Scripting (or XSS)
Executable code is included in the interaction between client and server and executed by the client or server
Persistent cross-site scripting attack
An attack in which the server stores the script (for example in a comment or profile field) and returns it to other clients, who then execute it. Such an attack can also harm the server side if the server itself interprets and executes the script
SQL Injection
Operates by inserting code into an exchange between a client and database server
Database management systems (DBMS)
Use a language called SQL (structured query language) to represent queries to the DBMS
Dot-Dot-Slash
A malicious user cannot name a file outside the web server's directory directly, but by including ../ (dot-dot-slash) components in a path the attacker can climb backward through the directory structure to the desired file and read, modify, or delete it
Server-Side Include
This weakness takes advantage of the fact that a webpage can contain directives the server interprets automatically when it serves the page, some of which execute commands on the server
Ransomware attack
The criminal seizes a valuable resource from the victim, offering to return it on payment of a ransom
Apps
Single-purpose applications intended to run on a particular platform
Mobile Devices
Computers that you can hold in a hand — smartphones, smartwatches, and tablets
Open Web Application Security Project (OWASP)
An international foundation whose mission is to improve the security of web apps
Injection attack
The use of input data to affect an app’s behavior maliciously
Spyware
Spies on your activity, transferring data without your permission or even your knowledge
Jailbreak
Execute code that removes the operating system’s limit on the source of apps
Sideloading
Installing an app from a source other than the vendor’s app store
DevOps
A set of practices that unites development (Dev) and operations (Ops), attempting to bring code into use rapidly but with control
Agile methods
Development methods that seek to produce code that can adapt rapidly to changing user needs
Static application security testing (SAST)
Sometimes called white-box or clear-box testing tools because they inspect inside the application
Dynamic application security testing (DAST)
Sometimes called black-box testing tools because they do not examine the internals of an application but look only at its activity
Interactive application security testing (IAST)
Combine static and dynamic tools. Can analyze code as it is being written and then as it is compiled and run
Runtime application self-protection (RASP)
Continuously monitors application inputs to detect and prevent both known and unknown threats at the point of the vulnerability
Spam
Unsolicited, fictitious, or misleading email. Spammers often use realistic topics for false messages to lure recipients into following a malicious link
Phishing
The email message tries to trick the recipient into disclosing private data or taking another unsafe action
Smishing
A phishing attack transmitted by SMS (text) message
Vishing
A phishing attack that uses a voice phone call
Spear phishing
Tempts recipients by seeming to come from sources the receiver knows and trusts