Security+ Domain 1.0: Threats, Attacks and Vulnerabilities


Chapter 1: Malware and Indicators of Compromise

Malware

Polymorphic malware

Viruses

Armored virus (encryption)

Crypto-Malware

Ransomware

Worms

Trojans

Rootkit

Keylogger

Adware

Spyware

Bots

RATs

Logic Bombs

Backdoors

Indicators of Compromise

IOC Tools

From FireEye (Mandiant)

OpenIOC

From MITRE (STIX and TAXII are now maintained by OASIS; CybOX was folded into STIX 2.x)

STIX

TAXII

CybOX

Chapter 2: Attacks

Social Engineering

Social Engineering – tricking a person into granting access to a system or giving up information; this includes dumpster diving (retrieving discarded documents and media), phishing, pretexting and tailgating.

Password Guessing – this includes brute force (trying every candidate password, online against a login prompt or offline against a stolen hash) and dictionary attacks (hashing every word in a wordlist and comparing each hash to the user’s stored password hash, looking for matches). Software exploitation (like buffer overflows) is often listed alongside these, but it is a separate category: it abuses a bug in the program rather than guessing a credential. Per-user salts defeat precomputed hash tables, and lockout or rate limiting defeats online guessing.
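As an added example (not from the original notes), the following Python script shows why a dictionary attack is cheap against unsalted hashes and why per-user salts change the attacker’s cost. The wordlist, user names and passwords are constructed for the demonstration and are not real credentials.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration: a five-word "dictionary"
# and three users, two of whose passwords appear in it. Not real credentials.
WORDLIST = ["password", "letmein", "Winter2024", "dragon", "qwerty"]
USER_PASSWORDS = {"alice": "Winter2024", "bob": "dragon", "carol": "c0rrect-h0rse-battery"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsalted_store() -> dict:
    """The weak scheme: user -> hash(password); everyone who picked the
    same password gets the same hash."""
    return {u: sha256_hex(p.encode()) for u, p in USER_PASSWORDS.items()}


def salted_store() -> dict:
    """The better scheme: user -> (random salt, hash(salt || password))."""
    store = {}
    for u, p in USER_PASSWORDS.items():
        salt = os.urandom(16)
        store[u] = (salt, sha256_hex(salt + p.encode()))
    return store


def precompute_table(wordlist) -> dict:
    """Hash every word once. This lookup table works against any unsalted
    dump from any site; rainbow tables are a compressed form of the same idea."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def crack_unsalted(store: dict, table: dict):
    """One table lookup per user and zero hashing at attack time.
    Returns (user -> recovered password or None, hashes computed)."""
    return {u: table.get(h) for u, h in store.items()}, 0


def crack_salted(store: dict, wordlist):
    """Every user has a different salt, so the precomputed table is useless
    and each user costs a fresh pass over the wordlist."""
    found, hashes_done = {}, 0
    for u, (salt, h) in store.items():
        found[u] = None
        for w in wordlist:
            hashes_done += 1
            if hmac.compare_digest(sha256_hex(salt + w.encode()), h):
                found[u] = w
                break
    return found, hashes_done


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_store(), table))
    print("salted:  ", crack_salted(salted_store(), WORDLIST))
```

The salted run still recovers alice and bob because their passwords are in the wordlist: a salt buys per-user work, not immunity. That is why a deliberately slow hash (bcrypt, scrypt or Argon2) is the other half of the defense.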

Weak Keys – algorithms that allow the creation of keys with detectable patterns or structure produce weak keys; DES, for example, has a small number of known weak keys under which encrypting twice returns the plaintext.

Mathematical Attacks – cryptanalysis of the algorithm itself, usually statistical analysis of ciphertext or of the key schedule, attempting to recover a key with less work than exhaustive search.

Birthday Attacks – taking advantage of the birthday paradox: in a room of 23 people there is about a 50% chance that some two of them share a birthday, even though the chance that someone shares your particular birthday is far smaller. Applied to hashing, finding any two inputs with the same n-bit hash (a collision) takes roughly 2^(n/2) attempts, while matching one specific hash value (a preimage) takes about 2^n. This is why a hash function’s collision resistance is only half its output length, and why MD5 (128 bits) and SHA-1 (160 bits) are no longer acceptable for digital signatures.
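To make the square-root cost concrete, here is an added Python example (not part of the original notes) that truncates SHA-256 to a small number of bits, stands in for a toy hash, and compares a collision search with a preimage search. The message format (msg-0, msg-1, ...) and the bit lengths are assumptions chosen so the search finishes in well under a second.

```python
import hashlib
from math import sqrt


def truncated_hash(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256 as an integer: a toy n-bit hash function."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_preimage(target: int, bits: int, max_tries: int):
    """Hit one fixed hash value. Expected work is about 2^bits tries, so with
    a small budget this normally fails. Returns (message or None, tries)."""
    for i in range(max_tries):
        m = b"msg-%d" % i                    # constructed candidate messages
        if truncated_hash(m, bits) == target:
            return m, i + 1
    return None, max_tries


def find_collision(bits: int, max_tries: int):
    """Birthday search: remember every hash seen and stop at the first repeat.
    Expected work is about 2^(bits/2) tries. Returns (m1, m2, tries) or None."""
    seen = {}
    for i in range(max_tries):
        m = b"msg-%d" % i
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def birthday_bound(bits: int) -> float:
    """Number of random samples at which a collision is about 50% likely:
    sqrt(2 ln 2) * sqrt(2^bits)."""
    return 1.1774 * sqrt(2 ** bits)


if __name__ == "__main__":
    bits = 24
    print("50% collision bound for %d bits: ~%.0f samples" % (bits, birthday_bound(bits)))
    m1, m2, tries = find_collision(bits, 200_000)
    print("collision after %d tries: %r and %r" % (tries, m1, m2))
    target = truncated_hash(b"constructed-target", bits)
    print("preimage in 2000 tries:", find_preimage(target, bits, 2000))
```

Run with bits=32 the collision still appears after a few hundred thousand hashes, while a preimage of one 32-bit value needs billions; the gap widens to 2^64 versus 2^128 for a full 128-bit hash like MD5.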

WEP Cracking

Man-In-The-Middle Attacks (MITM, also written MIM) – The attacker sits between two parties: it looks like the server to the client and like the client to the server, so it can intercept, read and alter traffic in both directions. Mutual authentication and proper certificate validation are the defenses.

Replay Attacks – The attacker captures legitimate traffic (an authentication exchange or a session token, say) and re-sends it later, unchanged, so it is accepted as genuine. Unlike an MITM, nothing has to be altered in transit; timestamps, nonces and sequence numbers are the defenses because they make a captured message single-use.

TCP/IP Hijacking – taking over an established session, typically by inserting a device that appears valid to both ends (an MITM) and then injecting packets with the right sequence numbers. IP spoofing is the act of falsifying one’s source IP address to do this. Address Resolution Protocol (ARP) spoofing, also called ARP poisoning, does it at the MAC level: the attacker sends forged ARP replies so that victims’ ARP caches map the gateway’s IP address to the attacker’s MAC address, and traffic meant for the gateway flows through the attacker.

In Windows, use the shell command:

arp -a

to view your ARP cache (the IP-to-MAC table). Note that arp -s inet_addr eth_addr adds a static entry manually, arp -d inet_addr deletes one, arp -d * flushes the whole cache, and arp /? prints the full syntax:

arp -d *
arp /?

A static entry for the default gateway resists ARP spoofing on that one host, but static entries do not scale and break when hardware is replaced; on managed switches, Dynamic ARP Inspection (DAI) backed by DHCP snooping is the usual network-level fix. The signs to watch for in the cache are the gateway’s MAC address changing, or one MAC address claiming several IP addresses.
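As an added example (not from the original notes), this Python script parses Windows arp -a output and flags the two signatures described above: the gateway’s MAC changing against a saved baseline, and one MAC claiming several IPs. The two ARP tables, the addresses in them and the gateway address are constructed for the demonstration.

```python
import re

# Constructed `arp -a` output from a Windows host before and after an ARP
# poisoning attack. In the second table the host at .25 has claimed the
# gateway's IP address by advertising its own MAC for 192.168.1.1.
ARP_OUTPUT_CLEAN = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.25          aa-bb-cc-00-00-25     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ARP_OUTPUT_POISONED = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-25     dynamic
  192.168.1.25          aa-bb-cc-00-00-25     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text: str) -> dict:
    """Map IP -> (MAC, type) from `arp -a` output. Broadcast and IPv4
    multicast entries are skipped: they legitimately share MACs."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        table[ip] = (mac, kind)
    return table


def detect_spoofing(baseline: dict, current: dict, gateway_ip: str) -> list:
    """Return human-readable alerts for the classic poisoning signatures."""
    alerts = []
    gw_before = baseline.get(gateway_ip, (None, None))[0]
    gw_now = current.get(gateway_ip, (None, None))[0]
    if gw_before and gw_now and gw_before != gw_now:
        alerts.append(f"gateway {gateway_ip} MAC changed {gw_before} -> {gw_now}")
    by_mac = {}
    for ip, (mac, _) in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    clean = parse_arp_table(ARP_OUTPUT_CLEAN)
    poisoned = parse_arp_table(ARP_OUTPUT_POISONED)
    for alert in detect_spoofing(clean, poisoned, "192.168.1.1"):
        print("ALERT:", alert)
```

In practice you would feed the parser the live output of arp -a on a schedule and keep the baseline somewhere the attacker cannot rewrite; a single MAC owning several IPs is also normal for a router doing proxy ARP, so whitelist known cases before alerting on that rule alone.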

Rogue Access Point

SYN/ACK Attacks – Understand the basic nature of client/server connections in order to understand these attacks. A client sends a SYN segment to a server as its opening request, to initiate the three-way “handshake.” The server, if it receives this SYN, responds with a SYN-ACK. The client then responds with an ACK, and the connection is established. Think of it this way:

Client                    Server
  |------- SYN ---------->|
  |<------ SYN-ACK -------|
  |------- ACK ---------->|

This is a bit of an oversimplification, because after the very first segment from the client every segment carries the ACK flag, and the connection is closed by a FIN/ACK exchange in each direction (“we’re finished”).

Here lies the basis of the SYN flood attack. See this Cloudflare page for a longer explanation:
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/
and this Imperva page:
https://www.imperva.com/learn/application-security/syn-flood/
Basically, if I’m an attacker, I can send a server a SYN packet but never answer the SYN-ACK that comes back. The server holds a half-open connection for me in its listen backlog, waiting for an ACK that never arrives. Instead I send a new SYN from yet another spoofed IP address, opening but never completing another connection. Before long the backlog is full of these fake half-open connections, SYNs from real clients are dropped, and DoS results: this is a SYN flood. The standard defenses are SYN cookies (the server encodes the connection state in its initial sequence number instead of storing it), shorter half-open timeouts, and upstream filtering.

A Ping Flood is a bombardment with ping requests, and also the reason ICMP is tightly controlled on secure networks. See Imperva’s page:
https://www.imperva.com/learn/application-security/ping-icmp-flood/

The similar Smurf attack occurs when an attacker sends ICMP echo requests to a network’s broadcast address with a forged source IP: the victim’s (often a server’s). Every host on that network answers, and all the replies go to the victim, the machine that really holds that IP address, flooding it and the path to it: DoS with amplification. A Smurf is made possible by routers that forward directed broadcasts and hosts that answer echo requests sent to the broadcast address (the last address of the subnet, x.x.x.255 for a /24). Disabling directed-broadcast forwarding on routers (no ip directed-broadcast on Cisco IOS, which has been the default for years) removes the amplifier.

A Fraggle attack is the same technique over UDP rather than ICMP, typically aimed at the echo (port 7) and chargen (port 19) services.

The Ping of Death is a different, older attack (not a Smurf variant): it sends a fragmented ICMP echo request that reassembles to more than 65,535 bytes, the maximum IP packet size, which crashed older OSs whose reassembly code did not check the total. Modern stacks reject the oversized reassembly, so it no longer works.

A Land attack is also an older one: it sends a SYN packet with the same IP address and port as both source and destination, so the victim effectively tries to handshake with itself. This locked up some older systems; current stacks drop such packets.

Distributed Denial-of-Service (DDoS) Attacks – These attacks amplify the situation by using dozens, hundreds, or thousands of “zombie” computers. If you’re already in this situation, obviously, life is bad.

The Security+ test gets very picky about the differences between these categories. Know these intimately.

Viruses – These attach themselves to something, whether a document or a program. They are executable code. The most common vector is e-mail attachments. The victim has to do something to activate a virus; typically this is clicking on the attachment. Anti-virus software is the (putative) cure.

Worms – These travel by themselves. They do not have to attach themselves to something else. They do not require action by the victim to be launched into action. They do often use e-mail as a convenient vector of propagation. You’ll need both procedures (“Never even open e-mails from unknown sources!”) and products (hardware and software firewalls) to protect against worms.

Logic Bombs – A specific event triggers a logic bomb, which then does its damage. This can be a date or an event like a person’s account being deactivated (the classic case is a disgruntled insider’s code that fires once they are off the payroll). Policies like code reviews, practices like network surveillance and monitoring programs, and products like Tripwire (which keeps a baseline of cryptographic hashes of executables and configuration files and reports any change) are all necessary, but not sufficient, to protect against logic bombs: a bomb that was already present when the baseline was taken is invisible to integrity checking, which is where code review comes in.

Trojan Horses – Some programs disguise themselves as one thing, then reveal an ugly side when they’re opened. People addicted to internet freebie programs are very susceptible to this threat. These things are tough to fight, typically requiring anti-virus and other software to prevent, and often forcing disinfection after an infection occurs. These in particular force me to enforce a rule: “If you don’t HAVE to have a piece of software to do your job, you are FORBIDDEN to have it.” Needless to say this is very unpopular; but I’ve seen more than one business literally bankrupted by violating this practice.

Back Doors – Worms, trojans or viruses may install secret entrances to systems. Sometimes an innocent intent opens this vulnerability, like a programmer’s testing hook or hard-coded maintenance account that’s never removed. Sometimes a virus like MyDoom creates the opening by leaving a listening port behind. The practical protections are scanning for unexpected listening ports from outside the network, checking listeners on the host itself (netstat -ab on Windows shows each listening port with the program that owns it), and keeping test hooks out of production builds. Visit, for instance, Gibson Research and follow the ShieldsUp! link for a scan of your home PC.

For more malware types and examples, see this Certified Ethical Hacker page on our other site, https://schoolforhackers.com:

https://schoolforhackers.com/certified-ethical-hacker-v10-chapter-10-contd-denial-of-service/

Chapter 3: Threat Actors

Types

OSINT

Chapter 4: Vulnerability Scanning and Penetration Testing

Pen Test Concepts

Active vs Passive reconnaissance

Exploitation

Pivoting

Escalation

Types of Pen Testing

Black Box

White Box

Gray Box

Vulnerability Scanning

MBSA

Nessus / OpenVAS

Retina

Chapter 5: Vulnerabilities and Impacts

System vulns

Improper input handling

Improper error handling

Misconfiguration / Weak Configuration

Vulnerable users

Improperly configured user accounts

Vulnerable business processes

Weak encryption

Memory vulns

Undocumented assets

Architecture/Design weaknesses

New threats

Improper Certificate and Key Management