CompTIA Security+ (SY0-501) Cert Prep:1

Threats, Attacks, and Vulnerabilities

Certified Security Professional

Module 1

Malicious Software: Infect Computer systems, damaging data and disrupting normal operations of
system

Malware: Propogation technique & Payload technique

Propogation Mechanism: The way how malware spreads

Payload Mechanism: A malware payload compromising user name and password

Propogation Mechanism: 3 Ways:

1) Virus: between systems after a user action. User education can protect virus
2) Worms: system to system without interaction, infecting system without user ding anything and
infects LAN. Best way to defend is to keep system updated with application patches.
 1988: The RTM Worm, brought attention to internet security
 Stuxnet: 2010 – Infiltrated Iranian nuclear facility
3) Trojan Horses: They pretend to be legitimate pieces of Software, and carries malicious hidden
payload.

Application control solutions limit the software and act as good defense, specially approved by
administrators.

RAT : Remote access Trojan is a type of Trojan horse

Payload Mechanism:

1) Adware: Malware that has specific purpose of displaying ads, but instead of generating revenue
for the content owner, adware generates revenue for the malware author.

Adware Mechanism: Changing the default search engine, Display popup ads, replace legitimate ads with
other ads.

2) Spyware: It’s a malware that gathers information without the user’s knowledge or consent. It
then reports the information back to the malware author to use it for any type of purpose, like
identity theft, espionage, access to financial accounts etc.

Spyware Techniques: Logging keystrokes; Monitoring web browsing; Searching hard drives and cloud
storage.

3) Ransomware: Blocks a user’s legitimate use of a computer or data until a ransom is paid. The
most Common way is encrypting files with a secret key and then selling that key for ransom. Eg:
Cryptolocker Ransomware
 CryptoLocker:

 Arrive via email attachments

 Encrypts local files
 Demands ransom on short notice

Preventing Malware:

 Anti-Malwre software update

 Security Patches
 User education

Backdoors & Logic Bombs: Significant risk to application security.

Some malware doesn’t fit this pattern, instead of being independent programs, they are pieces of code
inserted into other applications with malicious intent.

The 2 types that fit in this category are Backdoors & Logic Bombs.

Backdoors: Occurs when a programmer provides a means to grant themselves or others future access to
a system. They usually do this with benevolent purposes.

 Hardcoded accounts
 Default passwords
 Unknown access channels

Eg: Movie war games in 1983, when someone gained access to military computer system by learning the
name of the system creator son, to gain full access to system, also in Galaxy samsung devices and credit
card readers.

Logic Bomb: Works by modifying the existing code. It is a malware that’s set to execute a payload when
certain conditions are met.Eg: Payroll, in 2013 a logic bomb struck govt system in S.Korea.

Logic Bomb conditions:

1) Date/ Time reached

2) File contents
3) API Call results

Advanced Malware: 3 Types

 Rootkits
 Polymorphism
 Armored viruses
Root account: A special superuser account that provides unrestricted access to system resources. Its
normally limited for system admins , but is an ultimate goal for many hackers.

Rootkits: Type of malware that originally were designed for privilege escalation. A hacker will gain
access to a normal user account on a system and then use the rootkit to gain root, or escalate the
normal user access to unrestricted superuser cases. It is now used to describe software techniques
designed to hide other software on a system.

Root kit deliver a variety of payloads. They include backdoors, botnet agents and Adware/Spyware.

Ring Protection Model: Used by Computer systems to describe the type of access that different
programs may have to system resources. Most programs run in a less privileged user mode, while the
operating system itself uses a very highly privileged kernel mode.

Root kits can run either in user mode or kernel mode.

User Mode vs. Kernel Mode:

User Mode root kits:

 Run with normal user privileges

 Are easy to write and difficult to detect

Kernel Mode:

 Run with system privileges

 Are difficult to write and difficult to detect

Polymorphic Viruses:

Most anti-malware software uses a technique known as signature detection. It recognizes viruses by
maintaining a database of known virus patterns, and then comparing suspect files to that database. Anti-
malware vendors must frequently update the database, and viruses are detected only when they match
an existing signature.

Polymorphic viruses fights signature detection by changing themselves constantly. Because of this the
virus files doesn’t look the same from one system to another. The signatures don’t match, so signature
detection doesn’t work.

Polymorphic viruses often work by using encryption. They encrypt themselves using a different key on
each system they infect, making the files look completely different. The virus loader then has the
decryption key necessary to retrieve the original virus code.

Armored Viruses:
When viruses uses Polymorphism, antivirus researchers have to pick them apart to retrofit anti-malware
software to detect them properly. The key way they do this by using a technique known as reverse
engineering. In reverse engineering the programmer reaches down deep into the virus to analyze the
machine language, or assembly code that makes up the viruses DNA.

Armored viruses implement techniques designed to defeat reverse engineering. These include writing
the viruses in obfuscated assembly language that hides the true intent of the code, blocking the use of
system debuggers, and preventing a technique known as sandboxing that can isolate the virus.

3 Advanced techniques that malware author use to defeat detection and prevention mechanism:

1) Rootkits hide other software installed on the system for malicious reason.
2) Polymorphic viruses change themselves often to avoid detection by antivirus software.
3) Armored viruses use sophisticated techniques to hide themselves from virus detection
mechanisms.

Security plus professionals should be familiar with these above techniques, but rest assured modern
antivirus software protects from each of them.

Botnets:

Botnets are collections of zombie computers used for malicious purposes. They are a network of
infected systems. A hacker creating a botnet begins by infecting a system with malware delivered
through any of the techniques. Once the hacker gains control of the system, he joins it to the botnet.
The system then lies dormant, awaiting further instructions from the hacker.

First the hacker doesn’t use the botnet usually, by themselves. They typically rents or sells the botnet to
others, who use them to deliver spam, engage in distributed denial of service attacks, mine bitcoins or
perform brute force attacks against passwords. Basically any situation where computing power, storage
or network con activity is a key resource.

Hackers have to command and control their Botnets somehow. Orders have to get from the hacker too
all of the systems that make up the botnet. They do this through command and control networks.
Hackers use indirect command and control mechanisms. Common command and control mechanisms
include internet relay chat, or IRC channels, Twitter accounts and peer to peer communication within
the botnet itself. These mechanism have to be highly redundant because security analysts will shut them
down one by one.

Zero Days & Advances Persistent Threat (APT):

Many attacks take place because an organization fails to apply security patches leaving them vulnerable
to an attacker who knows how to exploit a vulnerability.

Fix to this is simple: Organizations should apply security updates as soon as they are available from
operating system and application vendors to fortify their systems against attack.

Undiscovered security vulnerabilities lurk in existing code and can expose an organization to risk.
Ethical disclosure: When a security personnel discovers a new vulnerability, they typically handle it in an
ethical and responsible fashion. This normally means notifying the vendor responsible for the
vulnerability and giving them the opportunity to fix it before publicly disclosing the vulnerability. That’s
the normal process that covers thousands of newly discovered vulnerability each year.

What if a vulnerability is kept secret?

The researcher simply holds on to it and preserves the vulnerability as a secret weapon used to gain
access to systems. This type of vulnerability is known as a Zero-day vulnerability. Until others discovers,
a zero-day is an incredibly powerful weapon. Applying security patches won’t protect you against this
vulnerability because there is no patch to apply.

Intrusion detection systems may not detect a zero-day vulnerability attack because there are no
signatures of the attack for it to match.

Window of vulnerability: The time between the discovery of a zero-day vulnerability and the release of
a security update or patch.

Exploiting a zero day vulnerability is difficult. You need have the tools and skills required to exploit the
zero-day.

Advanced Persistent Threat (APTs):

Are attackers who are well funded and highly skilled.

Are typically government sponsored or other highly organized groups carrying out those very focused
attacks

They have access to zero days and other sophisticated technical tricks.

They are persistent because they are methodically working to gain access to a highly selective set of
targets with military or economic value.

Defending against APTs is Difficult

Their use of zero day vulnerabilities give them the capability to compromise the security of any typical
enterprise.

After all it is hard for a small business, or even a large one to stand up technically to the resource of a
government agency. You can protect your organization to some extent by implementing string security
measures including: Use of strong encryption and rigorous monitoring in the hope that your sensitive
data will withstand an APT attack.

Quiz: Q & A

1) Cryptolocker is an example of what type of malicious software: Ransomware

2) What type of malware delivers its payload only after certain conditions are met, such as specific
date and time occurring: Logic bomb
3) What techniques does some malware use to modify itself each time it infects a new system to
avoid signature detection systems: Polymorphism
4) Which of the following is a common command and control mechanism for botnets: IRC
 Module 2

Cybersecurity Adversaries:

Security professionals must defend their organizations against many different kind of threats.

Differentiating Attackers:

 Attacks may come from either internal or external attackers

 Internal Attackers pose greater risk given their level of legitimate access to resources.
 Level of sophistication
 Access to resources
 Motivation
 Intent.

Attackers range from all the way from a fairly unskilled lone wolf attacker, who thrills breaking into the
systems all the way to secretive government agencies with access to almost unlimited human and
financial resources.

Script kiddies: Least sophisticated threat: - Unskilled attackers who simply reuse hacking tools
developed by others They can be easily defeated by regular security controls such as regular patching,
endpoint security software, firewalls and intrusion prevention systems.

Hacktivists: May fall anywhere on the sophistication range. They might be no more talented than a
script kiddie, or they might possess advanced technical skills. They are distinguished from other hackers
based upon their motivation. They seek to use hacking tools to advance political and social agendas.

Organized crime seeks to use hacking tools, such as ransomware, for financial gain.

Corporate espionage is also a motivation for attackers. Competitors may use hacking tools and
techniques for corporate espionage purposes to give them business advantage. This is not limited to
business world either.

Nation states sponsor highly sophisticated advanced persistent threat (APT) groups, consisting of 100’s
or 1000’s of highly skilled and well funded individuals. APT groups often are Military units or have
Military training. They employ extremely advanced tools and are very difficult to detect.

APT hackers not only attack other governments. While government target each other’s cyber security
defenses, they also go after civilian targets that may possess information or control resources that are
valuable to advancing that government’s interests.

Insider Threat:

51% of organizations experiencing a security breach experienced an insider attack

72% of insider attacks are handled internally

67% of insider breaches are more costly to remediate than external attacks.
Privilege Escalation Attacks: Administrators; Executives & Users.

It can take a normal user credentials and transform them into powerful super user accounts.

Most insider attackers:

1) Had personal predispositions : Mental illness or Series of rule violations

2) Were disgruntled due to unmet expectations: Low salary, Passed over for promotion
3) Triggered by stressful events

Used Access methods unknown to management:

1) 59% - Former employees

2) 75% - Created access paths alternative mechanism that bypassed the organization’s standard
security controls.

Control Insider Attacks:

 Using common HR practices

 Perform background checks to uncover past legal issues
 Give users only the permission that they need
 Require multiple users to carry out sensitive transaction
 Implementing mandatory vacation policy for critical staff

Behavioral indicators from FBI

 Taking work materials home

 Interest in issues outside responsibilities
 Unexplained duplication of materials
 Strange network Access patterns
 Using personal hardware/software
 Working odd hours
 Unexplained foreign contacts/ trips
 Unexplained affluence

Robust security programs include controls that limit access and monitor user activity to quickly detect
and remediate insider attacks.

Threat Intelligence:

A critical component of any organizations cybersecurity program. It allows organizations to stay current
on emerging cybersecurity threats. Broad intelligence consists of set of activities that an organization
undertakes to educate itself about changes in the cybersecurity threat landscape, and adapt security
controls based upon that information.
Open Source Intelligence: Is called Gathering information from freely available public sources.

Common sources of open source Intelligence include:

1) Security websites
2) General news media
3) Social media
4) Government sponsored cybersecurity ANALYSIS CENTERS
5) Security research organizations

Email Address Harvesting: They search web for valid email address for target domain and use to send
out spearfishing attacks.

Module 3

Denial of Service Attacks: It is a category of attacks that disrupts the normal use of computing
resources.

The CIA triad (Confidentiality/ Integrity/ Availability) describes the 3 goals of Information security
professionals.

Denial of Service (DoS) Attack:

1) Makes a resource unavailable for legitimate se

2) Sends a huge number of requests to a server
3) Is difficult to distinguish from legitimate requests

Limitations of a DoS Attack:

1) Requires massive amount of bandwidth

2) Is easy to block based on IP address

Distributed Denial of Service (DDoS): Uses botnet to overwhelm a target.

Eg: Ping command sends a packet echo request. In an attack known as Smurf attack, the attacker send
echo requests to the broadcast addresses of 3 rd party servers using a forged source address. That forged
source address is actually the real IP address of the victim. When the 3 rd party servers receive the
address, they e believe they came from the victim and send the victim an echo reply. The victims
network connection then becomes overwhelmed with replies received from all over the place. Smurf
Attack is also an example of Amplified Attack

In an Amplification attack, the attacker carefully chooses requests that have very large responses. The
attacker can then send small requests over their network connection that generate very large replies
over the 3rd party network connection.

Variations on the Smurf Attack send carefully crafted requests that have very large responses.
Amplification Factor: Is the degree of amplification that takes place in an attack. The degree to which it
increases in size:

If the response is twice the size of request, the amplification factor is 4/2 = 2

If an attacker designs an amplification attack that uses 64 byte queries to generate 512 byte responses,
the amplification factor is 512/64 = 8. The attack sends eight times as much traffic to the victim as the
attacker sent to the intermediaries.

Eavesdropping Attack : Gains physical or logical access to the network, and eaves drop on
communication between 2 systems. They allow attacker to decrypt the encrypted communications and
confidential information without sender’s knowledge or consent.

All eavesdropping attack requires some compromise of the communication path between the client and
a server.

 Network device tapping

 DNS Poisoning
 ARP Poisoning

Man in the Middle Attacks & Replay Attacks.

Any one of the devices in the middle between the user and the server, represents a possible point
where an eavesdropper might listen in on the communication. Encryption such as that used with HTTPS,
prevents any of those intermediate devices from viewing or altering communication. Since simple
eavesdropping is easily defeated by encryption, attackers can use Man in the Middle Attack to step up
the game a bit. In this attack, the attacker tricks the sending system during the initial communication.
This might be done by reconfiguring a network device, or using DNS or ARP Poisoning.

Instead of establishing communications with a legitimate server, the user then connects directly to the
attacker. The attacker in turn connects to the legitimate server. The user authenticates to the fake
server set up by the attacker, and the attacker acts as a relay, the Man In The Middle, and can view all
of the communications that take place between the client and the server. The attacker receives the
request from the user, passes them on to the server, and receives the real responses, reads them, and
then replays them to the original user, who has no idea that there is a man in the middle intercepting
those communications.

The Man in the browser Attack is a variation on the man in the middle attack, where the attacker
compromises the user’s web browser or browser plugin to gain access to web communications.

A Replay Attack uses previously captured data, such as an encrypted authentication token, to create a
separate connection to the server that is authenticated, but does not involve the real end user. If the
attacker can resend the authentication sequences, without the remote system noticing that it is being
replayed, the attacker can then use those credentials for his or her ow purposes.
Replay Attack Limitation & Preventing Eavesdropping Attacks: The attacker can’t see the encoded
credentials. They are easily defeated by using simple session token, or through use of time stamps.

Each Session established with remote system should use new token that is chosen randomly and has
limited lifespan suitable to the length of time the authenticated session should last. So when the
attacker tries to replay that token its already expired or not valid.

Time stamps work in similar way by setting time properly to ensure that the packets they were sending
were sent during a similar tie window. Replay attacks can succeed during that short time window, but
attacks at a later time will be rejected. Once an attacker gains access to the network underlying a
connection, it becomes very difficult to protect those communications. Encryption, secure network
configuration, and strong authentic mechanisms are all good ways to protect you applications and users
from falling victims to eavesdropping attacks.

Network Attacks

Advanced Networking Attacks: Christmas Tree Attack; DNS Poisoning, ARP Poisoning, and
Typosquatting (URL Hijacking).

Packets:

Are the basic unit of network communications. Each time you request a webpage, send an email, or
transfer other information over the network, its divided into into small packets of information that are
then reassembled at the receiving system.

Contain a data payload to be sent

Contain a header with additional information, like source and destination addresses.

Packet Header Flags

Headers include flags. These are single bot fields that contain either a one or zero. If a field flag is set to
one, it indicates a special purpose packet. For eg: The SYN flag is used to set up a new connection. The
FYN flag is used to tear down a connection. Other clags are used to acknowledge connections, prioritize
data, or conduct network diagnostics.

A typical packet can have only one or two flags set to a value of one.

Christmas Tree Packet: In the Christmas tree packet all flags are set to one. Its set to be lit up like a
Christmas tree.

 Some systems crash when they receive a Christmas Tree packet, and can’t handle all the flags
being set because they have poorly designed network stacks. It’s a denial of service attack
(DOS).
 The Christmas Tree packet can also be used to conduct operating system fingerprinting.
 Different operating systems respond to receiving a Christmas Tree packet in different ways.
 Responses can be used to identify the operating system. By analyzing the exact response
attackers can often identify the specific operating system in use on a target server. This is very
useful information when conducting pre-attack reconnaissance.
Domain Name Service (DNS)
A service that translates common domain names into IP addresses for the purpose of network
routing, such as Lynda.com, or nd.edu to the IP addresses that computer use, such as
8.39.42.106.

DNS uses a hierarchical lookup system, where the initial request goes to a server o the clients
network. If that server doesn’t already know the answer, it then asks a series of other servers
until it finds the one with the correct answer.
For eg: When looking up www.wikipedia.org, an organizations DNS server first asks the root
main server. The root name server might not know the answer, but can tell the requesting
server what name server is responsible for the dot org top level domain. The requester then
goes and asks the dot org server, who also might not know the answer, but can tell the
requester what name server is responsible for the Wikipedia.org domain. The client then finally
asks the server responsible for the Wikipedia.org domain, and receives the correct IP address for
the server located at www.wikipedia.org.

DNS Poisoning: DNS Poisoning Attacks disrupt the normal operation of DNS by providing false
results. The attacker inserts incorrect DNS records at any point along that hierarchy, and can
then redirect traffic to the attackers system. The attackers system contains a web server built to
closely resemble the system that the unsuspecting victim expects to visit. When the victim logs
on to the attackers fake system, the attacker captures log on information.
In a well done DNS poisoning attack, the attacker passes the credentials through to the real
system, and then captures all traffic between the client and server, preventing the victim from
noticing the attack. That’s a man-in0the-middle attack.

Address Resolution Protocol (ARP): Performs a function similar to DNS, but deeper down in the
network stack. Instead of translating common domain names to IP addresses, ARP translates
logical IP addresses to the hardware MAC addresses on local area networks. These hardware
addresses are known as machine address code, or MAC addresses.

ARP Poisoning: Much like DNS poisoning ARP poisoning is a spoofing technique that provides
false information in response to ARP requests. Unlike DNS poisoning, ARP poisoning only works
on a local network. Normally any system on the network sends all traffic bound for outside the
network to a gateway system.
When ARP Spoofing occurs successfully, the victim system believes that another system is the
gateway and sends traffic to it. That system actually belongs to a malicious user engaging in a
man-in-the-middle attack.

Typosquatting (URL Hijacking): It is an attack that depends upon people making simple typing
mistakes. It’s very cheap to register a domain name. Sometimes its five bucks or less. Attackers
engaging in typosquatting simply register hundreds of typo variations on official sites. When
people incorrectly guess or mistype domain names, they visit the attackers site instead of the
real one. Typosuatting attack occurred in 2012 Election hoping to redirect the legitimate traffic.
Domain Hijacking attacks steal a domain registration or alter DNS records. They go a step
further, when attackers attempt to steal a legitimate domain. They may do this by contacting
the domain registrar, and attempting to illegitimately transfer actual ownership of the domain
themselves, or they may conduct a DNS attack that changes the legitimate site’s DNS records.

Networking opens a world of communication possibilities for systems, but it also creates
significant risk. Thse various risks associated with networking are Christmas Tree Attack; DNS
Poisoning, ARP Poisoning, and Typosquatting (URL Hijacking).

Network Address Spoofing: Network addresses are easily altered by anyone with administrative
accesss to a system so they should not be relied upon for authentication purposes. Attackers can
modify both the IP address and the MAC address of a system.

MAC Spoofing Attack: Anyone with administrative access to a system can change its MAC
address using Simple Sudo command

IP Spoofing Attack: They are just as easy to conduct as MAC spoofing attacks. Anyone with
administrative access to a system can alter the system’s IP address. They are often more difficult
to use in reality because its difficult to reconfigure the network to receive return traffic at a
spoofed IP address. For this reason Spoofed IP addresses are used in Denial of Service attacks
where that return information isn’t necessary but they can commonly used in attacks that
require two-way communication.

Password Attacks:
1. /etc/passwd: Password File: When a user attempts to log into a system, the login process
checks the password file to determine whether the password is valid. The password file contains
a password hash, computed using a one way hash function.
When the user logs in, it takes the password, compute a hash and compares it with the one
stored in the file. If they match the user is logged in. This is vulnerable for a brute force attack.
Securing this Approach: Remove Password hashes from the publicly accessible/ etc/passwd file.

2. /etc/shadow:Shadow file: The hashes still exist and are stored in separate filed called
Shadow Password file. Unlike the password file, the shadow file can be locked down and highly
restricted, so only super user root may access it.

Hash Function
It is a mathematical function that takes a variable-length input and translates to a fixed-length
output, in a manner that is collision resistant.
 Hash Function Criteria:
 It must produce a completely different output for each input.
 It must be computationally difficult to retrieve the input from output
 It must be computationally difficult to find two different inputs that produce the same
hash output. When this occurs it’s a situation known as a collision. This is because of
mathematical phenomenon, known as Birthday problem

The Birthday Problem: States that collision may become very common with large samples.

What are the odds two people in a room will share a birthday?

 100% with 367 people

 50% with only 23 people
 99.9% with 70 people

Hashing algorithms must be carefully designed to avoid the Birthday problem.

Cracking Passwords: 4 Common types of password attacks

1. Brute Force Attacks – The attackers simply guesses all possible password combinations. This is
effective only against short non-complex passwords. This is the simplest form of attack against a
cryptographic system by repeatedly guessing the encryption keys to gain access to encrypted
information. Takes long time to complete successfully, if they ever succeed. Brute Force attacks
are also called as Known Ciphertext Attacks. Simple Shift Cipher is a cipher with a shift of one
change in the alphabet. There are only 25 possible shift keys. Key space – The set of all possible
encryption les usable with an algorithm. Modern Algorithms aren’t susceptible to Brute Force
Attacks. Size of Key spaces: 56-bit DES; 128-bit AES; 256-bit AES. Flawed Algorithms are
vulnerable to Brute Force Attacks
2. Dictionary Attacks – These are attacks assume that people use words as passwords and they
simply try all the words in the English language first.
3. Hybrid Attacks – These take common variations on those words into account as well. Such as
adding a year to the end of a word or replacing the letter O with a numerical zero and similar
twists.
4. Rainbow Table Attack – This attack goes a step further by pre-computing common password
hashes and saving a computational step during the attack.

Advanced Cryptographic Attacks: Knowledge based attacks go beyond the simplicity of Brute Force
Attacks, and combine other information available with attacker with cryptanalytic techniques, to break
the security of encrypted data.

The first knowledge based attack is the Frequency Analysis Attack. In this attack, the person trying to
break the code does statistical analysis of the ciphertext to try to detect patterns.

Known Plaintext Attack: Attacker has access to both encrypted and unencrypted version of single
message
Chosen-Plaintext Attack: The Attacker can create an encrypted message of their choice. They can study
the algorithm workings in greater details. And attempt to learn the key being used.

Downgrade Attacks: These attacks are possible when a system supports many different types of
encryption, some of which are insecure. The attacker use man-in-the-middle forcing two systems to use
weak cryptographic implementations. Eg: Poodle Attack in 2014. (From secure TLS protocol to Insecure
SSL protocol)

Watering Hole Attacks: Are a recent development in the cat and mouse game between information
security professionals and hackers. This uses sneaky techniques to lure unsuspecting users and infects
their systems with malware. They are also known as Client- Side attacks and uses malicious code and
other attacks that exploit vulnerabilities in the client accessing the server. Watering hole attacks oten
cause popup warnings, but users are conditionally clicked OK to security warnings to get them out of the
way and move on to the content they requested. Attackers can take advantage of this by installing
malware on a website and letting users come to them.Websites are a great way to spread malware
effectively:

 User trust the website they visit, to some extent.

 Browsers and add-ons often have vulnerabilities.

Attackers Limitations:

1. Attackers can’t just build their own sites.

2. Why would users visit the website
3. Content filtering can block known malware sites

How a Watering Hole Technique Works?

The attackers attacks and compromises a highly targeted website that their audience is likely to visit.
Next, the attacker chooses a client exploit that will breach the security of website visitor browsers, and
then bundles in a botnet payload that joins infected systems to the botnet. Then the attacker places the
malware on the compromised website, and then simply sits back and waits for infected systems to
phone home. Watering hole attacks are especially dangerous because they often come from otherwise
trusted websites. Attackers using this technique may gain access to highly targeted systems, and find
proverbial needle in a haystack, because the victim comes to them.
 Module 4

Wireless Attacks.

Wireless Networking:

Wireless networks are insecure by default until administrators add security controls. This is due to the
very nature of wireless networks. They use radio transmissions that may be intercepted by anyone with
an antenna. Security professionals use encryption to protect the confidentiality of information sent over
wireless networks.

 Wireless network use a standard technology called wireless fidelity (Wi-Fi)

 Governed by the IEE 802.11 Standard
 Uses plaintext Service Set Identifiers (SSIDs) like free Wi-Fi Guest
 Uses a technique known as beaconing to advertise to other devices they are available for
connection. Beaconing is optional and network doesn’t want to advertise can disable beaconing.

Security Concern on Wi-Fi:

Since it uses radio signals anyone can pluck out of the air with some very basic equipment and an
antenna. This makes encryption critical for protecting the security of wireless networks. Encryption
hides the true content of network traffic from those who don’t have the encryption key. It takes an
insecure communication technology, radio waves, and makes it secure.

Wi-Fi Encryption 4 Options: But First 2 below are bad options and the 3 rd & 4th are much better options.

1. You can opt to use no encryption whatsoever.

2. Wired Equivalent Privacy (WEP) use a static key and uses weak encryption that is easy to hack.
3. Wi-Fi Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to add security
that WEP doesn’t have. TKI changes encryption key for each packet, preventing an attacker from
discovering the key after monitoring the network for a long period of time.
4. WPA2 uses an encryption protocol that is based upon AES. This protocol is called Counter Mode
Cipher Block Chaining Message Authentication code protocol (CCMP).

How Attacker take advantage of WEP?

The Initialization Vector ( I V ) which is used to set the connection is sent out without encryption
because it is used to create the encrypted channel.

WPA & WPS Attacks

Wi-Fi Protected Access (WPA): Relies upon the RC4 encryption standard. The hackers waiting a long
period of time can gather enough clear-text information to determine the encryption key. WPA adds a
new twist to WEP with TKIP.
  Fixes the problems inherent in WEP
 Uses RC4 with 128-bit key, but adds Temporal Key Integrity Protocol (TKIP)
 Changes its key constantly, with a new key for each packet

Is WPA Secure?

 Known attacks allow injection of packets and some limited decryption

 These attacks work against the principles of TKIP.
 If you want to play it safe, use WPA2.
 WPA2 doesn’t use TKIP, so it isn’t vulnerable to this problem
 WPA2 throws out all vestiges of WEP

Wi-Fi Protected Setup (WPS):

 Allows quick setup of devices

 There are two methods for establishing connection:
1. Pressing button on devices
2. Use an 8 digit WPS PIN

WPS Attacks:

 Flaws in WPS make it trivial to guess the WPS PIN

 Though there are 10,000,000 possibilities, a flaw requires only 11,000 guesses.
 Once you have got the PIN, you get the WEP/WPA/WPA2 key
 PN can’t be changed

WPA2 Provides the strongest available encryption ad remains secure against all known attacks.

Propagation Attacks: Jamming & Interference attacks seek to deny users legitimate access to a wireless
network, by bringing a jammer into the vicinity of wireless network, and broadcast a very strong signal
that overpowers the legitimate wireless access points. Its equivalent of placing someone in a crowded
stadium and asking them to have a conversation with someone located a few feet away. The noise
overwhelms the conversation.

 Denial of service attacks are easy on wireless.

 The radio spectrum is open, but in a limited
 The loudest signal always wins, so it doesn’t to interfere with another signal.

War Driving Attacks: Hackers go mobile.

Attackers will cruise neighbor hoods and commercial areas, using special software tools that capture
information about Wi-Fi Networks, and even correlates it with GPS data to plot it on a map.
War Driving Tool - iStumbler: It’s a MAC tool showing detailed information about nearby wireless
networks.

Rogues and Evil Twins

Rogues Access point Attacks: It occurs when someone connects to an unauthorized wireless access
point to an enterprise network. The huge risk in this is that it can bypass other wireless authentication
mechanisms. If you use WPA2 security, a rogue access point configured to avoid encryption can quickly
bypass all of that. Anyone connecting to rogue AP can then gain unrestricted access to your network. A
second risk posed by Rogue access points is interference. There are limited number of Wi-Fi channel
available and rogue APs can quickly interfere with legitimate wireless use.

Rogue AP Detection:

Enterprise grade wireless networks has built-in intrusion detection capabilities.

Unknown radios on the network can be identified using triangulation, readings of signal strength and
direction from three or more legitimate Aps provide a good idea of Rogue’s general location.

Handheld tools can help to pinpoint them.

Evil Twin Attacks: They are cousins of phishing and pharming attacks. A hacker set up a fake access point
with the SSID of a legitimate network. They then lure unsuspecting users who will automatically connect
to that network when in the vicinity. Since hacker controls network, they can use DNS Poisoning and
similar tactics to redirect users to phishing websites.

Conducting Evil twin attack is easy if attackers use a very common SSIDs that millions of computers are
configured to automatically connect to. Attackers can automate the evil twin attack using software
called Karma Toolkit:

Karma toolkit searches for adjacent networks and then automatically creates an evil twin network and
builds fake websites that capture credentials from the users of the evil twin network.

Disassociation Attacks: Many attacks against wireless encryption require that attacker collect a large
number of authentication attempts from wireless clients. Disassociation Attacks speedup this time-
consuming process. They may also be used in Denial of service attacks against wireless network.

Deauthentication Frame

Immediately disconnects clients by sending Deauthentication Frame by Access point to the client.
Therefore it bears the source MAC address of the access point and the destination MAC address of the
client. Attackers can use this disassociation capability to force a network client to re-authenticate. They
do this by sending a spoofed data frame that uses MAC address of the access point as the source
address and the MAC address of the client as destination address. When the client receives this spoofed
frame, it believes that it came from the access point ad then disconnects from Wi-Fi network. The client
may then try to reconnect by re-authenticating to the network.
Disassociation Attack Goals :

1. Gather authentication information for cryptographic attacks against Wireless network

2. Conduct denial of service attacks on wireless networks.
3. Can expose a network to cryptographic authentication attacks

Near Field Communication Attacks: This provides attackers another pathway to exploit security
vulnerabilities.

 Is used for very short range links between devices (30-50 feet)
 Is most commonly seen in Bluetooth
 Commonly used for speakers, headsets, keyboards and similar devices

Bluejacking:

o This occur when an attacker sends Bluetooth spam to a user’s device

o The attacker tries to entice user to take some action.
o This is essentially Bluetooth spam/ phishing

Bluesnarfing:

 An attacker exploits firmware flaw in older Bluetooth devices

 The attacker forces pairing between devices
 The connection grants access to the device

NFC Security Improvements:

 Turn off discoverable mode when not in use

 Apply firmware updates
 Watch for suspicious activity

RFID Security: The RFID chips are embedded in many items and may be read by RFID scanners.

RFID Security Concerns:

1. Business want strong authentication and encryption to protect the integrity of RFID system
2. Consumers want privacy safeguards to protect their personal information.
 Module 5

Application Attacks

Application Security: The world runs on software. We are dependent on reliable and secure software.

 Purchased software: Acquired from software vendors for use in many different organizations.
 Developed Software: Customer- written to meet the specialized needs of a single organization.

Application Hardening: Is one of the core principles of software security. Cyber security expert must
carefully test software to ensure that it is locked down as much as possible and safe against attacks.
Some of the key principles of application hardening are:

 Ensuring that applications use proper authentication to validate the identity of users.
 Applications encrypt any sensitive data so attackers can’t read it by the underlying storage
directly.
 Ensure that application validate any user input that doesn’t contain dangerous code that
jeopardize the security of software or underlying computing infrastructure.
 Ensure Applications are not vulnerable to any known exploits, and when exploits are discovered,
that they are promptly corrected.
 Prompt Patching is critical as organizations apply security patches to correct software
vulnerability after they are released by software vendors.
 Attackers quickly exploit new vulnerabilities and attack organizations that are slow to correct
security problems.
 Application patch management is a critical security control.

Application Configuration:

 Type and scope of encryption.

 Users with access to the application, for eg: ERP
 Access granted to authorized users.
 Security of underlying infrastructure.
 Configurations baselines allow quick identification and remediation of security gaps.

SQL Injection Attacks: Uses web as a mechanism to illegitimately access database servers that support
web applications and retrieve sensitive information or make unauthorized modifications to the
database. It allows dangerous interaction between attackers and your databases. Input validation is
essential to prevent SQL Injection Attacks

Single quote (‘) character is essential in input for SQL injection attack.

Database Driven Web Applications: Many modern applications rely upon databases to help generate
dynamic content in the fly. For eg: Online shopping website

Developers write dynamic web applications to reach out to databases to obtain content as they built
pages that respond to user requests.

Preventing SQL Injection Attacks against Applications is by Validating all user input.
Other Injection Attacks: LDAP Injection, XML Injection, Command Injection (Arbitrary code execution)

Cross Site Scripting Attacks: The most dangerous web-based attacks on the internet today. They are
easily executed by attackers without the knowledge of victim.

Cross site scripting attacks commonly abbreviated as XSS attacks occurs when an attacker embeds
malicious scripts in a 3rd party website that are later run by innocent visitors to that site. Webpages are
made using HTML code. HTML is a markup language that allows web pages to have all sorts of advanced
functionality, other than just displaying plain text. HTML authors can add different fonts, include images,
link to other sites and even include small programs called scripts that run in the browsers of visitors to
the site.

HTML Tags

o Markup text with formatting instructions .

o HTML Uses the concept of tags to perform all actions.
o <b>tag formats for bold text; <i> tag formats for italic text & <a> tag formats for hyperlinks in
webpage

The <script> Tag allows web developers to embed code in a page that runs a program inside the user’s
browser.

In a Cross site scripting attacks, the attacker manages to trick a legitimate website into sending its users
copes of a malicious script. This often happens when the site allows users to enter input that is then
displayed to other users. For eg: Auction Listing.

Its easy to defend against cross site scripting attacks. As with SQL injection attacks, the key is using input
validation on any user input that includes HTML. Specifically the input validation should watch for any
attempts to use the script tag in user-supplied input and remove that script code from the input.

The Open Web Application Security (OWASP), produces a package called Webgoat that illustrates many
common web security vulnerabilities.

Cross Site Request Forgery Attacks: These are similar to Cross site scripting attacks but even more
nefarious. Cross site request forgery also goes by two acronyms, some people call it CSRF, while others
use the XSRF acronym.

Cross Site Request Forgery Attacks (CSRF or XSRF) leverage the fact that users are often logged into
multiple sites at the same time and use one site to trick the browser into sending malicious requests to
another site without the users knowledge. These attacks prey upon the persistent authentication
sessions in a manner of similar to a cross site scripting attack. Eg: Sample Funds transfer, Auction Listing.

Defending against CSRF is very difficult and often requires:

 Re-architecting web applications to use cryptographically strong token in each exchange

between authenticated users and a website.
 Prevent the use of HTTP GET requests
 Advise users to log out of sites
 Automatically logging users out after a short idle period.
Clickjacking Attack: Is a form of cross site request forgery. In this attack the attacker hides elements of
webpage behind other elements so that a user cannot see what the user is actually clicking.

Cursorjacking is a specialized form of clickjacking that tricks the user about the cursors location on the
screen to make user think they are pointing at one element of page when they are actually clicking
somewhere else.

Detecting Clickjacking Attacks: No Script extension of Firefox includes a technology called Clear Click
that analyzes webpages before a user clicks on them, and make sure the page displayed to the user
doesn’t contain any visually hidden elements. If the page contains suspicious content, No Script warns
the user that a clickjacking attack might be underway.

Directory Traversal Attack: This attack allows the attacker to manipulate the file system structure on a
web server. The attack is attempted using strange entries contain strings "../../"

2 Important Characteristics of Unix File Systems:

1. A single period references the current directory

2. Using 2 references the directory one level higher in the hierarchy

Directory Traversal Attack uses these navigation references to try move up and down the directory
structure searching for unsecured files. They work when an application allows a user to request files
stored elsewhere in the file system.

ZAP is a web proxy that intercepts web requests and lets us modify them.

Directory Traversal Attacks are dangerous because they allow attackers to bypass normal access
controls and view sensitive files stored on a web server.

There are 2 ways to defend your application against Directory Traversal Attacks.

1. First you can use input validation to prevent the inclusion of periods in user requests.
2. Second you can set strict file system access control to limit the web server user ability to read
sensitive files

Buffer Overflow Attacks: Also pose a danger to security of web applications. When software engineers
develop apps, they often set aside specific portion to contain variable content. When the buffer
overflows this attack start to occur by enabling the hacker to conduct a buffer overflow attack against a
web application.

Web Cookies: These are small piece of content that can track users between website visits and across
different websites.

1. Cookies are data stored by websites in user browsers

2. They are particularly useful to recognize users
3. They are used to remember information

Privacy Risks associated with Cookies:

1. Cookies can be used across different websites

2. Cookies can track user activity
 3. If you log into one site, everything is de-anonymized

Cookies are used in Applications too . For eg: Adobe flash has its own cookie system, these are called
locally shared objects , or LSOs.

Session Hijacking Attacks:

After a user logs into a system, the webserver provides a cookie, so that the user doesn’t need to
continuously log into the system every time they requests a new webpage.

Presenting the cookie with each request causes the webserver to reference the earlier successful
login.

One major flaw with some major applications is that they don’t use random cookies, instead they
use a guessable value.

Malicious - Browser Add-Ons:

 Are also known as extensions

 Add new functionality to browsers and other software
 Are written by 3rd party developers

Security Risks for Browser Add-ons:

1. You might not know who wrote the code

2. Trojans may perform malicious secondary
3. Permissions may be overly broad

Sandbox execution is not a significant risk associated with browser add-ons and extensions

Code Execution Attacks: Special class of attacks where the attacker exploits a vulnerability in a system
that allows the attacker to run commands on that system.

Key Terms:

1. Arbitrary Code Execution – Code execution attacks where the attacker runs commands of their
choice.
2. Remote Code Execution - Code execution attacks that take place over a network connection.
These attackers may perform any action they desire on the targeted system.

Code Execution Objectives

 Install malicious code

 Join system to a botnet
 Stealing sensitive information
 Creating accounts or another backdoor to use for later access to the system.

2 Simple steps to protect systems from Code Execution Attacks

1. Limit administrative access

2. Patch systems and applications
Driver Manipulation: Driver Refactoring & Driver Shimming

Device drivers play an important role in computing.

Device Driver Serves as software interfaces between hardware devices and operating system. An
example for this is that we can use printer from wide variety of manufacturers because of this with
windows or any other OS.

Device driver require low level access to the OS and therefore run with admin privileges.

Refactoring:

 Modifying a driver to carry out malicious activities

 Requires access to the driver source code

Shimming:

 Wraps a legitimate driver with a malicious shim.

 Does not require access to the legitimate driver’s source code.

Code signing protects against malicious drivers. Device manufacturers write drivers and then apply
digital signatures to them so that the OS can verify the driver’s authenticity. The privileged nature of
drivers gives them deep access to the OS.

Error & Exception Handling: Appropriately handling errors is a critical component of software security.

Normal State Diagram: 3 different states – Awaiting input, Calculating Tax state, Displays output.

Unpredictable States Jeopardize Application Security and can lead to serious security vulnerabilities,
such as buffer overflows and other compromises.

Error handling otherwise known as exceptional handling prevents this unpredictable state problem by
providing computer with explicit instructions in handling unpredictable states.

State Diagram: 4 different states - Awaiting input, Validate Input, Calculating Tax state, Displays output.
In case it validates as error it goes to error state. For eg: Java uses Try.. Catch model.
 Module 6

Social Engineering Attacks

Social Engineering Attacks uses Psychological tricks manipulating people into divulging information or
performing an action that undermines security. It is the online version of running a con.

Six Main Reasons that Social Engineering Attacks are Successful:

1. Authority and trust – People defer to authority

2. Intimidation – Scaring people
3. Consensus and social proof – The herd mentality
4. Scarcity – Getting the last one
5. Urgency – Time is running out
6. Familiarity & Liking – We say yes to people we like.

User education is the best solution to protect these kind of attacks.

Impersonation Attacks

1. Spam: Unsolicited Commercial Email (UCE)

2. Phishing: Stealing credentials. It is a sub category of spam.
3. Spear phishing: Targeted attacks to small audience. Have higher success rates
4. Whaling: It is sub of Spear phishing attack. Eg: To send fake docs to senior business leaders
5. Pharming: Using fake websites and send victims to fake site. Variation on pharming attack might
skip phishing messages and use DNS poisoning to redirect victims to the fake site.
6. Vishing or Voice Phishing Attacks: Hacker picks the telephone and calls unsuspecting people
using social engineering tactics to trick them into reveal sensitive information.
7. Spim: Use Instant messaging.
8. Spoofing : Faking an identity.

Physical Social Engineering

Three ways of Physical Social Engineering are Shoulder surfing, Dumpster diving and Tailgating.

Shoulder Surfing: Attacker looks over the shoulder of the victim when they do something sensitive on
their computer. The best solution to it is to be aware of who is around you and have special privacy
filters on laptop screens that prevents one from reading the screen at an angle.

Dumpster diving: Trash is gold, to a social engineer. They go through the trash looking for documents
containing sensitive information. By shredding documents its easy to get rid of this attack.

Tailgating: Social engineer follows someone to get access

 Module 7

Vulnerability Scanning and Penetration Testing

Vulnerability Assesment Tools: Comes in two forms.

1. Passive Tool: Observe Activity and provide security administrators with reports on system
configuration. They often monitor network traffic or observe system activity. The key is that they
don’t actually interact with systems. They just passively test security controls by watching
activity.
2. Active Tools: Do interact with systems they assess to identify both vulnerabilities and the
potential lack of security controls. This might be as innocuous as checking for open ports or it
might be more intrusive such as checking exploits against know Vulnerabilities.

Active tools are much riskier to use because they can disrupt normal system operation. If an active tool
can disrupt your server so can an attacker.

Vulnerability assessment tools may be used for configuration compliance scanning. In this mode the
assessment tools may reach out to systems, retrieve their configurations, and then compare those
configurations to a security standard noting any deviations from the standard and flagging them for
remediation.

Honey Pots

 Are type of passive tools simply sits on network and waits.

 Its designed to look very appealing to hackers.
 They might have obvious vulnerabilities to show up on a security scan, names like credit card
server or contain data such as files called employee social security data base.
 Honeypots are meant to serve as decoys to attract hacker attention and distract them from
other real servers
 Honey pots are also highly instrumented.

Honey Nets

 They are a variation on Honey Pots.

 They are decoy networks set up for attackers.
 They are sometimes also called dark nets, because they typically remain unused or dark
 Anyone connecting Honeynet is likely performing reconnaissance for an attack.
 Honeynets quickly identify other compromised systems on the land when those systems start
trying to connect to honeynet
 Some honeynets also exist in public internet and are used to create DNS blacklists of known
malicious P addresses.
Protocol Analyzers

 Peek into network traffic, and helps to peer into its contents.
 This is important when diagnosing a network problem or investigating a security incident
 Allows to see the actual packets exchanged on the network and dig deep into details of those
packets
 They raise privacy concerns because they provide deep insight into the activity of individual
users on the network
 The use of protocol analyzers should be carefully restricted
 Most common protocol analyzer is a free tool called Wireshark

TCP. Port 80 is the most common protocol used in web communication

Scanners : Testing systems for security issues is one of the most important tasks performed by security
professionals, but a little tedious.

Fortunately vulnerability assessment tools automate the process of vulnerability scanning. There are 3
major categories of his tool:

Port Scanner: Simply probe a system for open network ports. It is like rattling a buildings doorknobs
looking for unlocked doors. They check all of the possible 65,535 network ports on a server to see which
might be open. The most popular port scanning tool is a program called Nmap.

Vulnerability Scanners: Check those ports for known vulnerabilities. Instead of checking to see what
ports are open, the test open ports for active vulnerabilities and dig into the details of wat services are
using those ports. They also have a database of all known vulnerability exploits and test the server to
see if it contains vulnerabilities. The reports from vulnerability scanners provide important information
for system remediation. In the hands of an attacker, however that remediation information can be a
road map for exploitation. One popular vulnerability scanning tool is a web based tool called Nessus
takes long time to finish.

Tools like Nmap & Nessus hare used by system admins to scan to know the vulnerabilities on the servers

Application Scanner: That probe deep into web application to detect flaws.

Assessment Tools: 3 Different concepts – Threat, Vulnerability, Risk

A Threat is some external force that jeopardizes the security of your information and systems. They
might be naturally occurring such as hurricanes and wildfires or manmade such as hacking and
terrorism.

Vulnerability: They are weaknesses in your security controls that a threat might exploit to undermine
the confidentiality, integrity, or availability of your information or systems. These might include missing
patches, promiscuous firewall rules, or other security misconfiguations.

Risk : They occur when your environment contains both a vulnerability and a corresponding threat that
might exploit that vulnerability
The Likelihood of a risk is the probability that it will actually occur. For eg: Risk of earthquake.

The impact of a risk is the amount of damage that will occur if the risk materializes.

Both the likelihood and impact of a risk help security professionals to prioritize the risks

Assessment Techniques: 4 Common Assessment techniques are:

1. Baseline reporting : (MBSA used by Microsoft)

 A great way to get started.
 Provides an initial review of a systems security status.
 Compares the current configuration to the expected baseline configuration
 It can be automated with tools
2. An Attack surface review
 Works to identify the attack surface of a system.
 Enumerates the attack surface all possible paths of attack
 Makes heavy use of port, vulnerability and application scanners
 Adopts the mindset of hacker
3. Code reviews
 Critical when an organization is involved in the creation of custom application code
 Performs both automated and manual assessment of software security
 Includes peer code review for an extra set of eyes to detect security issues
 Should be a mandatory part of promotion and release process for new code
4. Architecture reviews
IT systems are complex combinations of application servers, databases, networks, storage and
other resources
Dissects how everything fits together
Analyze s the interaction of various systems from high level approach, confidentiality, integrity
and availability issues

Penetration Testing: Vulnerability testing merely probes systems for vulnerabilities. Those tests
can be active reaching out and interacting with systems, but they are rarely dangerous because
they don’t typically complete an attack. Actually executing an attack is however the best way to
understand a systems vulnerabilities.
 Testers actually attacks systems and networks
 They verify the threats exist and exploit known vulnerabilities
 They also test security control by attempting to bypass/ defeat them
The National Institute for Standards and Technology (NIST) suggest penetration test loop back
and for the between a discovery phase and an attack phase.
 During discovery phase attackers conduct reconnaissance against systems and think of
possible avenues of exploit.
 When they find a path of potential vulnerability they move into attack phase where they
seek to gain access to the target system, escalate that access to advanced privileges and
 then browse through the network looking for new system they can access from that
vantage point.
 They may also install additional penetration testing tools on compromised systems in an
effort to gain even deeper access to the network.

3 Types of Penetration Tests:

White Box Test: Attackers have full knowledge of the network environment. Its equivalent of simulating
an insider attack.

Black Box Test: The attacker has no prior knowledge of the enterprise IT environment and seeks to gain
that knowledge as they move through the attack and discovery phases. Its equivalent of simulating an
external attack.

Gray Box Attack: They fall in the middle and the attacker has some knowledge of the system. This
approach is commonly used because it combines some of the external perspective benefits of a black
box test with the time saving nature of a white box test.

2 Concepts of Penetration Testing:

Pivot: Is an important concept used by penetration testers to simulate the activities of real attackers.
After exploiting a vulnerability in a system, attackers use that system as base from which to target other
systems on the same local network.

Persistence: Once an attacker gains access to a system they install a blackdoor on that system that
allows the attacker to regain access to the system in the future. These backdoors are independent of
vulnerabilities that the attacker used to gain initial access to the system and may allow the attacker to
discretely retain access to the system even after the administrator corrects the vulnerability that
allowed the attack in the first place.

Advanced Vulnerability Scanning:

Non-Intrusive Scanning: A safe mode that won’t disrupt the system operation

Intrusive Scanning: A dangerous mode that might disrupt the system operation

There are 2 Types of errors common in vulnerability scan reports :

False Positive error occurs when a scanner report a vulnerability that doesn’t actually exist, requiring
verification by security administrators. The danger they pose is that people will become desensitized if
too may are false alarms.

False Negative are far more dangerous. They occur when a scan fails to report a vulnerability that does
actually exist, making it more dangerous. This may be due to misconfiguration of scanner or it might be
simply a vulnerability that the scanner doesn’t know about yet.
Credentialed Scanning:

 Use read only scans

 Vulnerability scanners can see only what the outside world see
 This requires some amount of guessing
 Providing the scanner a server account allows it to assess the actual configuration which can
reduce the false positive rate
 Module 8

Impact of Vulnerabilities

Vendor Vulnerabilities: Every IT organizations depends upon products and services provided by outside
vendors.

Product End of Life : Introduces security concerns

3 Common Phrases vendors uses for Product End of Life:

1. End of sale : Product will no longer offer for purchase, but vendor will support existing
customers
2. End of support: The vendor will reduce or eliminate support for existing users of the product
3. End of Life: The vendor will no longer provide any support or updates for the product or
answer any questions.

Vendors may fail to provide adequate support for existing products because they are understaffed and
not interested.

Embedded system:

 Vendor may use this system that are not visible to you as end customer. For eg: A digital sign
system.
 These systems Adds additional security risk

Memory Vulnerabilities

Memory Overflow:

 Allows arbitrary code execution

 Resource exhaustion may slow down or disable a system

Memory Leak is a type of resource exhaustion: If an application requests memory from the OS, it will
eventually no longer need that memory and should then return the memory to the OS for other uses.

1. In the case of Memory leak, the application fails to return some memory that it no longer
needs, perhaps simply losing the track of an object that it as written to a reserved area of
memory.
2. If the application continues to do this for long period of time, it can slowly consume all of
the memory available on the system causing the system or application to crash.
3. Rebooting the system often resets the problem returning the memory to other uses, but if
the memory leak isn’t corrected the cycle simply begins again.

Memory Pointers: Can also cause security issues.

 Pointers are commonly used concept in application development

 There is simply an area of memory that stores an address of another location in memory. For eg:
photo (Pointer dereferencing used by applications)
  One security issue that arises might be if the pointer is empty containing what programmers call
a null value .
 If the application tries to dereference this null pointer, it causes a condition called pointer
exception

DLL Injection: Is another attack technique used by malware to undermine the security of a system.
Windows depends upon dynamically linked libraries, or DLLs, to provide common code hat applications
may share. Applications that wish to use a DLL ma load it and then make use of its contents.

 Tricks an application into loading malicious code

Race conditions:

 Occurs when the proper functioning of a security control depends upon the timing of actions
performed by the user or computer.
 Uncontrolled race conditions can be significant security vulnerabilities

Eg: Is a Time of check to Time of use, TOCTOU vulnerability. Time elapses between authorization and
the action. ATM Machine that dispenses cash.

Locks prevent simultaneous transactions from causing race conditions.

Configuration Vulnerabilities: The default configurations on the vendor devices may contain open
firewalls, guest accounts, default passwords or other serous security issues.

Cryptographic Vulnerabilities:

 Are common source of misconfigurations because they are complex to administer.

 If a system admin inadvertently configure weak cipher suites
 Weak cryptographic protocol implementations on a device, all to and from communication from
that device will be subject to eavesdropping and tampering.
 The error may be as simple as clicking the wrong checkbox
 Poor key management. Admins must carefully manage encryption keys to ensure that they don’t
fall into the wrong hands
 Poor certificate management, ensure strong certificate management is in place with real digital
certificates

Least Privilege to protect against attack

 Limits user permissions

Architectural Vulnerabilities:

 Occur when a complex system is improperly designed.

 They may create fundamental flaws in a system that are very difficult to remediate

IT Architecture:

 It is a set of well-defined practices and processes used to build complex, technical systems.
 IT Architects function in roles similar to that of traditional architects
 Processes and practices used to design systems
 Incorporate security early.
 Avoid bolt-on security requirements
 Look into complex interweaving of business processes and people involved in that design as
well.

System Sprawl: New devices are connected to a network, but old devices are not promptly
disconnected, leading to security vulnerabilities. This is even more risky when assets are undocumented
because nobody knows about them leaving them open flaws.