Security+ Domain 1

Social Engineering

Social Engineering

an attempt by an attacker to convince someone to provide info like a password or perform an action they wouldn’t normally perform such as clicking on a malicious link

Phishing

commonly used to try to trick users into giving up personal information such as user accounts and passwords, click a malicious link, or open a malicious attachment

Spear Phishing

targets specific groups of users

Whaling

targets high level executives

Vishing

(Voice Phishing) phone based

Smishing

uses sms text messaging on mobile

Spam

Unsolicited email, generally considered an irritant

Spim

SPAM over instant messaging, also generally considered an irritant

Dumpster Diving

Gathering important details (intelligence) from things that people have thrown out in their trash

Tailgating

when an unauthorized individual might follow you in through that open door without badging in themeselves

Eliciting information

strategic use of casual conversation to extract information without the arousing suspicion of the target

Shoulder Surfing

a criminal practice where thieves steal you personal data by spying over your shoulder

Pharming

an online scam similar to phishing, where a website’s traffic is manipulated. and confidential information is stolen

Identity Fraud

use of another person’s personal information, without authorization, to commit a crime or to deceive or defraud that person or another third party

Prepending

is adding words or phrases like “SAFE” to a malicious file or suggesting topics via social engineering to uncover information of interest

Invoice Scams

fake invoices with a goal of receiving money or by prompting a victim to put their credentials into a fake login screen

Credential Harvesting

attackers trying to gain access to your usernames and passwords that might be stored on your local computer

Countermeasures: email defense, anti-malware, EDR/XDR solutions that will check URL’s and block the scripts often used to execute the attack

Reconnaissance

A common technique that comes in multiple forms

Passive discovery

techniques that do not send packets to the target like Google hacking, phone calls, DNS and WHOIS lookups

Semi-passive discovery

Touches the target with packets in a non-aggressive fashion to avoid raising alarms of the target

Active discovery

More aggressive techniques likely to be noticed by the target, including port scanning, and tools like nmap and Metasploit

Hoaxes

Intentional falsehoods coming in a variety of forms ranging from virus hoaxes to fake news. Social media plays a prominent role in hoaxes today

Impersonation

A form of fraud in which attackers pose as a known or trusted person to dupe the user into sharing sensitive info, transferring money, etc.

Watering hole attack

Attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware

Typosquatting

a form of cybersquatting (sitting on sites under someone else’s brand or copyright) targeting users who type an incorrect website address

This often employs a drive-by download that can infect a device even if the user does not click anything

Pretexting

an attacker tries to convince a victim to give up information of value, or access to a service or system

The distinguishing feature is that the attacker develops a story, or pretext in order to fool the victim. This often leans an establishing authority for the attacker as someone who should have access to information. This often includes a character played by the scam artist and a plausible situation where that character needs access to information

Influence Campaign

A social engineering attack intended to manipulate the thoughts and minds of large groups of people

Hybrid Warfare

Attack using a mixture of conventional and unconventional methods and resources to carry out the campaign

Social media

May use multiple social platforms everaging multiple / many individuals to amplify the message, influencing credibility. Many involve creating multiple fake accounts to post content and speed the spread.

Principles of Social Engineering

Authority - Citing position, responsibility, or affiliation that grants the attacker the authority to make the request.

Intimidation - Suggesting you may face negative outcomes if you do not facilitate access or initiate a process.

Consensus - Claiming that someone in a similar position or peer has carried out the same task in the past.

Scarcity - Limited opportunity, diminishing availability that requires we get this done in a certain amount of time, similar to urgency.

Familiarity - Attempting to establish a personal connection, often citing mutual acquaintances, social proof.

Trust - Citing knowledge and experience, assisting the target with an issue, to establish a relationship

Urgency - Time sensitivity that demands immediate action, similar to scarcity

Application Attacks

attacks attackers use to exploit poorly written software

Rootkit (escalation of privilege)

freely available on the internet and exploit known vulnerabilities in various operating systems enabling attackers to elevate privilege. Always keep security patches up to date and install anti malware software EDR / XDR

Back Door

undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions often used in development and debugging.

Computer Virus

a type of malicious code or program written to alter the way a computer operates and is designed to spread from one computer to another.

Crypto malware

Ransomware that encrypts files stored on a computer or mobile device in order to extort money.

Hoaxes

Virus hoaxes are a nuisance that result in wasted resources. Used to spread through “email from a friend” but have changed with social media.

Logic Bombs

Logic Bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions, such as time, program launch, website logon, etc.

Trojan Horse

a software program that appears good and harmless but carries a malicious, hidden payload that has the potential to wreak havoc on a system or network. Only install software from trusted sources and do not let users install anything they want.

Worm

a type of malware that spreads copies of itself from computer to computer, replicating itself without human interaction.

Potentially unwanted programs (PUPs)

a program that may be an unwanted app often delivered alongside a program the user wants. PUPs include spyware, adware, and dialers.

Keylogger

Designed to log keystrokes, creating records of everything you type on a computer or mobile keyboard.

Spyware

Malware designed to obtain information about an individual, system, or organizaiton.

Fileless virus

a type of malicious software that does not rely on virus-laden files to infect a host. Instead, it exploits applications that are commonly used for legitimate and justified activity to execute malicious code in resident memory.

Command and control

a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.

Remote access trojan (RAT)

a malware program that gives an intruder administrative control over a target computer.

Ransomware

infects a target machine and then uses encryption technology to encrypt documents, spreadsheets, and other files stored on the system with a key known only to the malware creator. Some countermeasures are to backup your computer, store backups separately, and to do file auto-versioning. To prevent malware, update / patch your computer, use caution with web links, use caution with email attachments, verify email senders, and preventative software programs and user awareness training.

Dictionary attacks

Use programs with built in dictionaries. They attempt all dictionary words to try and find the correct password, in the hope that a user would have used a standard dictionary word. Countermeasures include MFA, biometric authentication, limit number of attempts, and to force reset after certain number of failed attempts.

Password spraying

Attacker tries a password against many different accounts to avoid lockouts that typically come when brute forcing a single account. This will succeed when the admin or an application sets a default password for new users. Countermeasures to this include MFA, CAPTCHA, and forcing password change on first login.

Offline

Attempt to discover passwords from a captured database or captured packet scan.

Online

Attempts to discover a password from an online system. For example, an attacker trying to log on to an account by trying to guess a user’s password. Most web and wi-fi attacks are online attacks.

Plaintext / unencrypted

Protocols and authentication methods that leave credentials unencrypted, like basic authentication and telnet.

Brute Force Attack

Attempts to randomly find the correct cryptographic key attempting all possible combinations (trial and error). Password complexity and attacker resources will determine effectiveness of this attack. Countermeasures include cryptographic salts, CAPCHA, and throttling the rate of repeated logins and IP blocklists.

Cryptographic Salts

help us neutralize the rainbow tables attackers may be using

Rainbow tables

These contain precomputed values of cryptographic hash functions to identify commonly used passwords

Salt

random data that is used as an additional input to a one-way function that hashes data, a passwords, or passphrase. Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks.

Multi-factor Authentication

• Something you know (pin or password)

• Something you have (trusted device)

• Something you are (biometric)

This prevents phishing attacks, spear phishing attacks, keyloggers, credential stuffing, brute force and reverse brute force attacks, and man-in-the-middle attacks.

Bots

represent significant threats due to the massive number of computers that can launch attacks.

Botnet

a collection of compromised computing devices (often called bots or zombies)

Bot Herder

criminal who uses a command-and-control-server to remotely control the zombies. They often use botnets to launch attacks on other systems or to send spam or phishing emails.

Malicious flash drive

Attack comes in two common forms:

• Drives dropped where they are likely to be picked up.

• Sometime effectively a trojnan, shipped with malware installed after leaving the factory.

Malicious USB cable

Less likely to be noticed than a flash drive. May be configured to show up as a human interface device (e.g. a keyboard)

Card cloning

Focusses on capturing info from cards used for access, like RFID and magnetic stripe cards.

Skimming

Involve fake card readers or social engineering and handheld readers to capture (skim) cards, then clone so attacker may use for their own purposes.

Adversarial Artificial Intelligence

A rapidly developing field targeting AI and ML.

Tainted training data for machine learning (ML)

Data poisoning that supplies AI and ML algorithms with adversarial data that serves the attackers purposes, or attacks against privacy.

Security of machine learning algorithms

• Validate quality and security of the data sources.

• Secure infrastructure and environment where AI and ML is hosted.

• Review. test. and document changes to AI and ML algorithms.

Artificial Intelligence (AI)

Focusses on accomplishing “smart” tasks combining machine learning and deep learning to emulate human intelligence

Machine Learning (ML)

A subset of AI, computer algorithms that improve automatically through experience and the use of data.

Deep Learning

a subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.

Supply Chain Attacks

a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.

• Often attempt to compromise devices, systems. or software before it reaches an organization.

• Sometimes focus on compromising a vulnerable vendor in the organization’s supply chain, and then attempting to breach the target organization.

• This attack is known as an “island hopping” attack.

Cloud_based attacks

• Data center is often more secure and less vulnerable to disruptive attacks such as DDoS.

• On the downside, you will not have facility-level or physical system-level audit access.

On-premise attacks

• You do not benefit from the cloud’s shared responsibility model.

• You have more control, but are responsible for security of the full stack.

Collision Attack

attack on a cryptographic hash to find two inputs that produce the same hash value

Downgrade Attack

when a protocol is downgraded from a higher mode or version to a low-quality mode or lower version.

Birthday Attack

an attempt to find collisions in hash functions.

Replay Attack

an attempt to rescue authentication requests.

Privilege Esculation

A security hole created when code is executed with higher privileges than those of the user running it.

Request Forgeries

a type of injection using malicious scripts

Cross-site scripting (XSS)

A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

This occurs when an attacker uses a web application to send malicious code to a different end user.

Cross-site request forgery (XSRF or CSRF)

exploits user trust to execute code

similar to cross-site scripting attacks, but exploit a different trust relationship.

exploits trust that a user has in a website to execute code on the user’s computer.

Dynamic-link library (DLL)

Is a situation in which the malware tries to inject code into the memory process space of a library using a vulnerable/compromised DLL.

Lightweight Directory Access Protocol (LDAP)

exploits weaknesses in LDAP implementations

This can occur when the user’s input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries.

Extensibe Markup Language (XML)

when users enter values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack.

XPATH works in a similar manner to SQL except that it does not have the same levels of access control, so exploits can return entire documents.

SQL injection attakcs

used to compromise web front-end and backend databases

Use unexpected input to a web application to gain unauthorized access to an underlying database. Some countermeasures include input validation, use prepared statements, and limit account privileges.

Pointer / Object Dereference

An attack that consists of finding null references in a target program and dereferencing them, causing an exception to be generated.

The vulnerability in memory that usually causes the applications to crash or a denial of service is a NULL Pointer dereference.

In this case, there is nothing at that memory address to dereference (it is empty, or NULL) and the application crashes.

Directory Traversal

Gaining access to restricted directories

If an attacker is able to gain access to restricted directories through HTTP, it is known as a directory traversal attack.

One of teh simplest ways to perform directory traversal is by using a command injection attack that carries out the action.

Most vulnerability scanners will check for weaknesses with directory traversal / command injection and inform you of their presence.

Buffer Overflows

attacks attackers use to exploit poorly written software.

exists when a developer does not validate user input to ensure that it is of an appropriate size (allows input that is too large can “overflow” memory buffer).

Race Conditions

A condition where the system’s behavior is dependent on the sequence or timing of other uncontrollable events.

Time-of-Check-to-Time-of-Use (TICTOU)

a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.

Error handling

Related to input validation is error handling

Every function that has any meaningful functionality should have appropriate error handling.

Properly done, the user will simply see an error message box.

Error handling is an element of good coding practices.

Session Replay

an attacker steals a valid session ID of a user and reuses it to impersonate an authorized user and perform fraudulent transactions or activities.

Integer Overflow

Putting too much information into too small of a space that has been set outside for numbers.

A type of arithmetic overflow error when the result of an integer operation does not fit within the allocated memory space.

Instead of an error handled in the program, it usually causes the result to be unexpected.

Other lead to buffer overflows and generally ranked as one of the most dangerous software errors.

Countermeasures; Good coding practices, appropriate typing of variables using large variable types, like long (Java) or long int (C).

API Attacks

Attempts to manipulate the application programming interface (API)

Include DDoS, Man in the Middle, and injection attacks focused on an API

Goals are to gain additional resource or data access, or interrupt service

Countermeasures: Transport Layer Security (TLS), OAuth, request timestamps, key/password hash

Resource Exhaustion

When an application continuously allocates additional resources exhausting machine resources, leading the system to hang or crash.

When exploited, vulnerabilities in apps, software, or system security that hang, crash, or interfere with external programs perform designated tasks properly.

Memory leaks can lead to resource exhaustion (see “memory leaks” in this session).

However, these attacks can be executed by exhausting other resource subsystems, such as CPU, disk, or network.

Countermeasures: Good software development practices (e.g. preventing memory leaks), limiting what files and apps can be executed on endpoints.

Memory Leak

The most common issue in memory management

Which languages are susceptible?

Many modern programming languages (such as C# and Java) don’t allow the programmer to directly allocate or deallocate memory. Therefore, those programming languages are not prone to memory leaks. However, certain older languages most notably C and C++, give the programmer a great deal of control over memory management.

Cause

Memory leaks are usually caused by failure to deallocate memory that has been allocated.

Secure Sockets Layer (SSL) Stripping

A technique by which a website is downgraded from https to http

This attack downgrades you connection from HTTPS to HTTP and exposes you to eavesdropping and data manipulation.

How it works

To execute an SSL strip attack, there must be three entities which are the victim’s system, secure web server, and attacker’s system.

In order to “strip” the TLS/SSL, an attacker intervenes in the redirection from HTTP to HTTPS and intercepts a request from the user to the server.

Countermeasures: Enable HTTPS on All pages of your website, implement a HTTP Strict Transport Security (HSTS) policy, so the browser requires HTTPS

Shimming

A shim is a small library that is created to intercept API calls transparently and do one of three things: handle the operation itself, change the arguments passed, or redirect the request elsewhere.

Involves creating a library (or modifying an existing) to bypass a driver and perform a function other than the one for which the API was created.

Refactoring

The name given to a set of techniques used to identify the flow and then modify the internal structure of code without changing the code’s visible behavior.

In legitimate scenarios, this is done in order to improve the design, to remove unnecessary steps, and to create better code.

In malware, this is often done to look for opportunities to take advantage of weak code and look for holes that can be exploited.

Pass the Hash

a technique whereby. an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access.

Pass the hash vs Pass the Ticket

One primary difference between them is ticket expiration.

Countermeasures: Enforce least privilege access, analyze applications to determine which require admin privileges, use flexible policies that allow only trusted applications to run and in specific context.

On-Path (Man-in-the-Middle) Attack

Attacker who sits in the middle between to endpoints and is able to intercept traffic, capturing (and potentially changing) information.

Fools both parties into communicating with the attacker (in between the two) instead of directly with each other.

Different versions of the attack exist, some affecting websites, email communications, DNS lookups, or Wi-Fi networks

Countermeasures: only use secured Wi-Fi, VPN, HTTPS, and use multi-factor authentication.