Skip to content

Latest commit

 

History

History
109 lines (90 loc) · 5.41 KB

D1.md

File metadata and controls

109 lines (90 loc) · 5.41 KB

Malware

  • Virus – replicates using port 1900
  • Polymorphic virus – mutates, as does its hash value
  • Ransomware – asks for money; could be subtle
  • Worm – spreads using port 5000
  • Trojan – could change .dll files
  • Rootkit – upon reinstalling the OS, it is still there; in Linux, look for the bash shell as a path
  • Keylogger – logs keystrokes
  • Adware – uses popups
  • Bots – infected machine used as an attack vector
  • RAT – sends back passwords to the hacker, who then logs in
  • Logic bomb – needs a trigger, such as time

Attacks – Social Engineering

  • Phishing– uses email; targets one person
  • Spear phishing – attacks a group
  • Whaling – attacks CEO or high‐level executives
  • Vishing – uses a telephone or leaves a voicemail
  • Tailgating – follows someone through; does not use credentials
  • Impersonating – pretends to be from the help desk or IT team
  • Dumpster diving – pulls information from the trash bin
  • Shoulder surfing – someone looks over an employee's shoulder or uses a smartphone to video your bank transaction
  • Watering hole – infects a trusted website
  • Authority – email from CEO or HR; asks you to fill in a form
  • Urgency – letting a fireman into the server room

Attacks – Application

  • DoS – one host taking out another
  • DDoS – multiple hosts taking out one host
  • Man‐in‐the middle – interception attack data in real time
  • Replay – interception attack data replayed at a later date
  • Kerberos – prevents replay and pass‐the‐hash attacks
  • Buffer overflow – too much data in a field
  • Integer overflow – too large a number in a data field
  • XSS – uses HTML tags/JavaScript; no authentication
  • XSRF/CSRF – asks you to click on an icon and provide authentication
  • Privilege escalation – tries to get admin rights
  • ARP poisoning – prevented by using static entries in the arp cache—for example, arp ‐s
  • ARP – local LAN attack
  • DNS poisoning – prevented by using DNSSEC that produces RRSIG records
  • Man‐in‐the‐browser – trojan already installed; after bank transactions; URL does not change
  • Zero‐day virus – cannot be detected other than baseline; takes more time to get antidote
  • Pass‐the‐hash – attacks NTLM authentication; prevented by disabling NTLM or using Kerberos
  • Session hijacking – steals your cookies

Wireless Attacks

  • Evil twin – looks like a legitimate WAP
  • Rogue AP – free; steals information; prevented by using 802.1x
  • Jamming – interference attack
  • WPS – push the button; brute-force attacks underlying password
  • Bluejacking – hijacks Bluetooth phone; sends text messages
  • Bluesnarfing – steals contacts from Bluetooth phone
  • RFID – prevents theft of small devices
  • NFC – wireless payment; short range
  • Disassociation attacks – prevents access to the WAP

Cryptographic Attacks

  • Birthday – hash-collision attack; digital signatures vulnerable
  • Rainbow tables – precomputed list of passwords and hashes; used for hash-collision attacks
  • Dictionary – password; prevented by using a random character in your password or misspelling your password
  • Brute force – every available combination; prevents account lockout low value or salt password
  • Collison – matches hashes
  • Downgrade – uses legacy SSL rather than TLS; POODLE is a classic example
  • Weak implementation – uses WEP; better to use WPA2‐CCMP as it is the strongest

Threat Actors

  • Script kiddie – purchases scripts and programs, probably from the dark web
  • Hacktivist – politically motivated agent
  • Organized crime – profit-driven agent who will blackmail you
  • Nation state/APT – foreign government agent
  • Insider – known as a malicious insider; hardest to detect
  • Competitors – steals your trade secrets; beats you to market with your product

Penetration Testing

  • Intrusive – can cause damage
  • Black box – knows nothing
  • White box – knows everything
  • Gray box – has at least one piece of information—for example, a password or diagram
  • Fuzzing – enters random characters into an application for spurious results; black-/white-box pen testers use it
  • Pivot – accesses a network through a vulnerable host, then attacks a secondary, more important host
  • Initial exploitation – where pen testing starts
  • Escalation of privileges – obtains admin rights
  • Intrusive scan – used in pen testing; can cause damage to your system

Vulnerability Scanning

  • Passive – no damage
  • Credentialed – admin rights; more information; audit files; account and certificate information
  • Non‐credentialed – low level; finds missing patches
  • Identify lack of security controls or misconfiguration

Vulnerability Impact

  • Race condition – two threads accessing data at the same time
  • End‐of‐life systems – lack of vendor support; no patches
  • Error handling – customer side makes error small; IT support error needs all information
  • Default configuration – changes username or passwords
  • Resource exhaustion – running CPU at 100% or running out of memory
  • Untrained users – not complying with policies
  • Key management – ensures keys signed in and out each day