140 Cards in this Set
Malicious code |
Refers to a broad category of threats to your network and systems, including viruses, Trojan horses, bombs, and worms |
|
Virus |
-Software designed to infect a computer system -Most viruses are really worms (misnamed by media) Goals: o Renders your system inoperable o Spreads to other systems |
|
Virus - Symptoms |
o Programs on your system start to load more slowly o Unusual files appear or disappear o Program sizes change from the installed versions |
|
A virus |
A program that can replicate itself on a system but cannot spread by itself from system to system or network to network without assistance. It requires an installation vector, such as an executable file attached to an e-mail message or a floppy disk |
|
Armored Virus |
-Makes itself difficult to detect or analyze -Contains protective code that stops debuggers or disassemblers from examining the code |
|
Retrovirus |
Designed to avoid discovery by actively attacking the anti-virus programs attempting to detect it |
|
Stealth Virus |
-Hides itself by intercepting disk access requests -When an anti-virus program tries to read files or boot sectors to find the virus, the stealth virus feeds the anti-virus program a clean image of the file or boot sector |
|
Boot Sector Virus |
-Spreads by infecting boot sectors |
|
File Infector Virus (Parasitic Virus) |
-Copies itself into other programs -When an infected file is executed, the virus is loaded into memory and tries to infect other executables |
|
Macro Viruses |
-Malware that is encoded as a macro embedded in a document -Programs such as Word and Excel allow programmers to expand the capability of the application. -Macro viruses are application-specific rather than OS-specific and propagate very rapidly via e-mail. Many are Visual BASIC scripts that exploit commonly used MS apps (such as Word, Excel, & Outlook) |
|
Multipartite (multi-part) virus |
-Propagates by using both the boot sector and file infector methods (i.e. DOS executables) -Every part needs to be removed to prevent re-infection (When the virus attaches to the boot sector, it will in turn infect the system’s files, and when the virus attaches to the files, it will in turn infect the boot sector) |
|
Companion Virus |
-Attaches itself to legitimate programs -Creates a program with a different file extension -File may reside in your system’s temporary directory -When a user types the name of the legitimate program, the companion virus executes instead of the real program. |
|
Polymorphic Virus |
-Mutates by padding its own code to avoid detection -Makes pattern recognition hard |
|
Metamorphic Virus |
-Recompiles itself into a new form, so the code is constantly changing -Functionality (a.k.a. payload) changes -Can disassemble itself, change its code, then reassemble itself into an executable form |
|
Worms |
-Computer program that propagates on its own -Does not need a host application to be transported -Self-contained |
|
Trojan horse |
-A program that is disguised as another program -May be included as an attachment or as part of an installation program |
|
Logic Bomb |
-Malware inserted into a system which sets off an action when specific conditions are met -Logic Bomb Examples: Michelangelo and Chernobyl |
|
Rootkits |
-Malware that has the ability to hide from spyware blockers, anti-virus programs, and system utilities -Runs at the root level or with admin access |
|
Backdoors |
-Allows access to a computer (i.e. server, workstation, network device) -Full access to every aspect of the device -Can be spread via malware -Examples: Back Orifice or NetBus |
|
Backdoors Mitigation |
-Keep Anti-Virus up-to-date -IDS/IPS |
|
Backdoor Entry methods |
Backdoor and remote access programs such as Loki, NetCaZ, Masters Paradise, Back Orifice, BO2K and NetBus find their way to a computer via Trojan horses or as a worm or virus payload |
|
Spyware |
-Malware that works on collecting information about the system and what it is used for. -Spreads to machines by users who inadvertently ask for it -It could capture surfing habits, keystrokes, passwords, system information, or install a backdoor |
|
Spyware Countermeasures |
-Good AV program -Filter messages out to prevent them from entering the network |
|
Ransomware |
-Software that takes “control” of system and demands payment to a third party. -Often delivered through a Trojan |
|
Denial of Service (DoS) |
-Prevents access to resources for authorized users -Common DoS attacks: o Ping-of-Death o Land Attack o Teardrop o SYN Flood |
|
Two TCP attack methods (TCP SYN Flood or TCP ACK Attack) |
1. A malicious client can skip sending this last ACK message 2. By spoofing the source IP address in the SYN, it makes the server send the SYN-ACK to the falsified IP address, and thus never receive the ACK |
|
TCP SYN Flood or TCP ACK Attack |
-Attacker sends a succession of SYN requests to a target -Can be mitigated on most modern networks |
|
TCP Handshake |
(3-way handshake): 1. The client requests a connection by sending a SYN (synchronize) message to the server. 2. The server acknowledges this request by sending SYN-ACK back to the client. 3. The client responds with an ACK, and the connection is established |
|
Distributed Denial of Service (DDoS) |
-Amplifies a DoS by using multiple computers to conduct an attack against a single entity (Smurf Attack) -Uses Zombies/Botnets to multiply the number of attackers |
|
Zombie |
A computer compromised by a hacker that is used to perform malicious tasks under remote direction |
|
Botnet |
A network of compromised systems containing malware which acts as a robot |
|
Bot |
Bots are programs that run automated tasks o Compromised systems obey a master or author of the code |
|
Spammer botnet |
1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application, the bot. 2. The bot on the infected PC logs into a particular C&C server (often an IRC server, but in some cases a web server). 3. A spammer purchases the services of the botnet from the operator. 4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages |
|
Smurf Attack (Broadcast Attack) |
An attacker sends a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. |
|
Fraggle attack |
Attacker sends spoofed UDP packets to broadcast addresses and the UDP packets are directed to port 7 (Echo) or port 19 (Chargen). When connected to port 19, a character generator attack can be run |
|
Man-in-the-Middle Attacks |
Occurs when someone or something intercepts data and retransmits it to another entity |
|
MITM Attack Countermeasures |
Random sequence numbers, encryption, mutual authentication |
|
Session Hijacking |
-a.k.a. TCP/IP Hijacking -Takes control of an active TCP session by using sequence number guessing -Starts as a MITM attack |
|
Replay Attack |
Information (credentials) captured over a network and replayed later |
|
Spoofing |
Spoofing is a situation in which one person or program successfully masquerades as another by falsifying data |
|
IP address spoofing |
The creation of TCP/IP packets using someone else's IP address. |
|
MAC spoofing |
Technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device |
|
ARP poisoning |
-Attacker (on the same switched network) forges ARP replies to a victim system and a device like the default gateway. The attacker is placed in the client's ARP table as the default gateway, and the attacker is placed in the default gateway's ARP table as the client -All data from the client goes to the attacker (who can do a variety of things with it during the MITM attack), who then forwards it to the default gateway. Neither the default gateway nor the legitimate client system is aware of the attacker |
|
Web spoofing |
Attacker creates a convincing but false copy of the entire Website. The false site looks just like the real one: it has all the same pages and links. However, the attacker controls the spoofed site. The attacker has created this page to dupe the victim into providing information such as usernames, passwords, credit card numbers, etc. These pages can be part of a Man in the Middle attack |
|
DNS spoofing |
You are redirected because the DNS server resolving the URL name to an IP address has been poisoned |
|
Typosquatting/URL hijacking |
Registering domains that are similar to those for a known entity but based on a misspelling or typographical error. o Ex. “Yahooo.com” or “Gooogle.com” o Best defense against typosquatting is to register those domains with all deviations of the designated site |
|
Watering Hole Attack |
-Attacker uses a strategy to identify a site that is visited by those they are targeting, poisoning that site, and then waiting for the results. -Best defense is to make certain all parties involved are secured. o Identify weak links, bring them up to the same level of security |
|
Drive-by-Download |
Malware automatically downloaded to your computer without your consent or even your knowledge. Can be initiated: -by visiting a Web site -by viewing an HTML e-mail message -along with a user-requested application |
|
Xmas Attack |
-Scans/attacks conducted with Xmas packets -Packet with every single option set for whatever protocol is in use -By observing how a host responds to the packet, assumptions can be made regarding the host's operating system -Christmas tree packets are always suspicious and indicate a high probability of network reconnaissance activities |
|
Transitive Access |
-A service that invokes another service to satisfy an initial request -Problem arises from a poor choice of access control mechanism, one that uses authentication to make access decisions |
|
Malicious Internal/Insider Threats |
An organization's employees can be one of its largest vulnerabilities/threats -Reasons o Disgruntled o Corporate Espionage/Fraud o Careless o Lack of training o They are already in your network/facility |
|
Internal/Insider Threat Mitigations |
• Least Privilege • Keep good logs • Keep good backups • Separation of duties -Account management: • Use individual credentials as you set up new accounts • Verify and review accounts • Suspend accounts • Conduct regular User Awareness Training |
|
SPIM |
SPAM over Instant Messaging |
|
SPIT |
SPAM over Internet Telephony |
|
Cost of Spam |
-Loss of productivity -ISP cost for increased storage space for clients -Bandwidth cost for increased traffic |
|
Phishing Attacks |
Uses social engineering (Emails) to steal personal identity data and financial account credentials |
|
Vishing |
Using phone calls to steal personal identity data and financial account credentials |
|
Pharming |
Attack in which a user can be fooled into entering sensitive data such as a password or credit card number into a malicious web site that impersonates a legitimate web site |
|
Spear Phishing |
Email/IM scam aimed at a particular target; some inside information about the organization or individual is needed |
|
Whaling |
Spear phishing directed towards senior executives or someone of great importance in an organization |
|
Social Engineering |
Exploits human nature by convincing someone to reveal information or perform an activity. Examples include: -Impersonating support staff or management -Asking for someone to hold open a door rather than using a key for entrance -Spoofed e-mails that ask for information or ask you to do things -Looking on or under desks for usernames and passwords |
|
Buffer Overflows |
-Most common attack against Web servers -More information is placed in a buffer (memory stack or heap) than it can hold, which then overflows into the next buffer -Attacker can create a DoS or run code with elevated privileges -Application can be terminated -Writes data beyond the allocated space -Safeguards: o Input validation o Patch/Upgrade |
|
Integer Overflow |
-Like a buffer overflow, involves putting too much information into too small of a space. -Ex. Using 8 bits, it is possible to express any number in binary from 0-255. If only 8 bits are set aside and the user enters a value of 256 to be converted to binary, it exceeds what can be stored and results in an integer overflow |
|
Arbitrary Code Execution |
Attacker’s ability to execute any commands on a target machine or in a target process. o Used in an arbitrary code execution vulnerability that gives an attacker a way to execute arbitrary code |
|
Remote Code Execution |
The ability to trigger arbitrary code execution from one machine on another |
|
Cross-Site Scripting (XSS) |
-Vulnerability where an attacker can add comments/code to web pages which allows code injection -Code could redirect valid data to the attacker |
|
XSS Safeguards |
o Input validation (phone number: a server-side routine could remove all characters other than digits). o Set web apps to tie session cookies to the IP address of the original user and only permit that IP to use the cookie |
|
SQL Injection |
-Code injected into a database via a web form -Allows an attacker to query data from the database -DoS is the most common SQL attack o User ID = ‘ ‘ or 1=1; |
|
LDAP Injection |
-Can occur anywhere that underlying code could use some type of input for LDAP searches, queries, or any other LDAP function -Implementation of simple precautions during development o Controlling the types and numbers of characters that are accepted by input boxes o Input validation |
|
XML Injection |
-Attack technique used to manipulate or compromise the logic of an XML application or service -Injection can cause the insertion of malicious content into the resulting message/document |
|
Cookies |
-Text file associated with your current web session and/or user information for a site -Saves your internet activity locally (not data) -Browsers offer settings to help control vulnerabilities from cookies -Transient vs. Persistent cookies |
|
Transient cookies |
are active only during a browsing session |
|
Persistent cookies |
store user identification information over an extended period |
|
Cookies Safeguards |
-Delete some or all of your cookies -Have your browser warn you when it is about to send a cookie to a server, and give you the option of not sending it -Choose to save cookies only for the duration of this web browsing session -Disable all use of cookies by your browser |
|
Third party cookies |
-Automatically accept or reject cookies from certain sites of your own choosing -Disallow cookies that are to be sent to sites other than the main one you’re browsing (which protects against cross-site tracking) |
|
Active X |
Created by Microsoft to customize controls, icons, and other features to help increase the usability of web-enabled systems and how they run on client systems. Authenticode is the method used for security. Authenticode is a type of certificate technology that allows ActiveX components to be validated by a server |
|
ActiveX Vulnerabilities |
-Controls are saved to the hard drive -Controls are executed within the security context of the current user account -Once user accepts author, then it is always accepted (no re-verification) |
|
ActiveX Safeguards |
-Deploy patches to fix vulnerabilities -Browser should be configured NOT to allow ActiveX to run by default -Under Internet Explorer Options go to: Security tab and choose the level of security to control how ActiveX responds to enabling, disabling, or prompting |
|
Java Applets |
-Stand-alone mobile code downloaded from a server to a client, then runs from the browser -Platform independent (due to bytecode) -Sandbox o A virtual machine architecture o Limits the applet’s access to system resources o Digitally signed applets can run outside the sandbox |
|
Java Applet Vulnerabilities |
-Applets may perform malicious operations -Errors in the Java virtual machine may allow some unsigned applets to run outside the sandbox |
|
Java Applet Safeguards |
-Install the latest browser version -Deploy patches to fix vulnerabilities -Disable Java Applets -Limit browser plug-ins |
|
JavaScript |
-Scripting language used for web pages -Runs in a client's browser or web server and can be seamlessly embedded into HTML documents and email -Uses o Opens new windows (controls size and position) o Detects user’s actions such as keystrokes o Changes images on mouse-overs |
|
JavaScript Vulnerabilities |
-Runs within the web page security level of permission settings -Can allow remote execution of programs -Interfaces with an OS, so potentially can damage systems or be used to send information to unauthorized persons -XSS (Cross Site Scripting) attacks can be carried out using JavaScript |
|
JavaScript Safeguards |
-Apply JavaScript patches for browsers -Disable JavaScript |
|
Directory Traversal |
-Goal is to order an application to access a computer file that is not intended to be accessible -Attack exploits a lack of security as opposed to exploiting a bug in the code |
|
Zero Day Attacks |
-Threat that exploits vulnerabilities that are unknown to others or the software developer -Occur during the vulnerability window |
|
Vulnerability Window |
Time between when a vulnerability is first exploited and when software developers start to develop a counter to that threat. |
|
Vulnerability Window timeline |
1. Developer creates software containing an unknown vulnerability 2. Attacker finds the vulnerability before the developer does 3. Attacker writes and distributes an exploit while the vulnerability is not known to the developer 4. Developer finds the vulnerability and starts developing a fix |
|
Malicious Add-Ons |
-Software add-ons used to view certain web content/web pages -Some are created with malicious intent, such as exploiting a vulnerability in a browser -Have been created for every browser |
|
Fail Secure |
System that is able to resort to a secure state when an error or security violation is encountered |
|
Fail Safe |
A device that, in the event of failure, responds in a way that will cause no harm to other devices or danger to personnel |
|
Fail Soft |
A fail-soft system is a system designed to shut down any nonessential components in the event of a failure, but keep the system and programs running on the computer |
|
Fail Closed |
Device/system fails and denies everything. Examples: -A firewall fails and rejects all packets -A door fails and cannot be unlocked -An IPS fails and stops all traffic -Have to consider personnel safety for some physical security implementations (Locks) |
|
Logging Procedures |
-Any information possibly needed to reconstruct events should be logged -Do not over audit -Retention policy should be in place -Hash the logs for integrity checking |
|
Logging Types |
-Syslog -Windows Logs -Application/Software Logs -Network Device Logs: o Firewalls o Routers o WAP/RADIUS o DNS o Domain Controller |
|
Log Storage |
-Restrict access to all logs -Security Policy o Address the size of logs o How often they should be archived o Retention times o Storage Media |
|
Keys and Locks |
-Most common form of access control -Key locks -Combination locks -Keypad/Cipher locks -Smart locks -Key Log -Physical access logs/lists |
|
Key Log |
All key distribution should be logged and updated whenever keys are issued or recalled |
|
Physical access logs/lists |
When a card reader or cipher lock is used, it can create a log file of all access into and out of a building or room. Sign-in logs are used for logging visitors to a controlled environment |
|
Mantrap |
-Controls access and authentication -Requires visual identification to gain access -Prevents Piggybacking/Tailgating -Dual locked door facility |
|
Closed Circuit Television (CCTV) |
-Used as a deterrent and detective mechanism after an event -CCTV may introduce privacy concerns -Inform users they are being recorded |
|
Bollards |
Can be used either to control traffic intake size by limiting movements, or to control traffic speed by narrowing the available space |
|
Proximity Readers |
-Used for physical access -Contactless -User has a card; when placed in proximity to the reader, the card is powered and transmits the card's ID to the reader, granting access -Physical theft of the card is a concern |
|
MAC Filtering |
-Restricting access to a network via authorized MAC addresses -Can be used to strengthen security on a switch or AP -Can be circumvented, MACs can be spoofed |
|
Extensible Authentication Protocol (EAP) 802.1X |
-Pass-through port authentication -Authentication framework, not a specific authentication mechanism -Used over PPP and Wireless LANs -Provides over 40 authentication methods |
|
Vulnerability Assessments |
-Process of identifying, quantifying, and prioritizing vulnerabilities in a system -Audit should give detailed information on tools used, when the scan was conducted, and vulnerabilities found with risk levels -Senior management approval needed |
|
System scanning |
Uses tools to test the effectiveness of your security perimeter by actively looking for system vulnerabilities. Scanning helps assure the effectiveness of an organization's security policy, security mechanism implementations, and deployed countermeasures |
|
Footprinting |
The process of accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment. It is the combination of active and passive reconnaissance techniques for the purpose of establishing a strategy of attack |
|
Fingerprinting |
The process of discovering the underlying operating system on a device |
|
Risk Mitigation |
-Implement countermeasures to protect against potential risks. -Perform a Cost Benefit Analysis. -Sometimes, the cost of some countermeasures may outweigh the cost of their targeted risks |
|
Protocol Analyzers |
-Hardware or software that gathers packet-level traffic across the network -Placed in-line or between devices -Used for logging, sniffing, network monitoring, troubleshooting, etc |
|
Protocol Analyzer Tools |
-Wireshark -Snort -Kismet |
|
Packet Sniffing on the Network |
• When a wired NIC (Network Interface Card) is put in promiscuous mode, the NIC captures all traffic on the network segment it is installed on. • When a wireless interface card (WIC) is put in monitor mode, the WIC captures all traffic on the frequencies it monitors |
|
Penetration Testing (Pen Test) |
-An attempt to break into your own secured network -Third party is preferred -Typically performed from the internet -Get written approval prior to conducting tests |
|
Penetration Testing looks for vulnerabilities such as: |
-Poor or improper system configuration -Known or unknown hardware or software flaws -Application weaknesses -Can involve active exploitation of vulnerabilities |
|
Pen Test Report |
-Lists vulnerabilities discovered -An assessment of impact vs. probability -A proposal for mitigation or a technical solution |
|
Vulnerability Scanning |
-Running software which contains a database of known vulnerabilities against a system -Detects potential vulnerabilities |
|
Vulnerability Scanning - Tools |
o Protocol Analyzers o Vulnerability Scanners (OVAL) o Port Scanners o Network Mappers o Password Crackers |
|
Retina and Gold Disk |
Vulnerability scanning tools used by the Department of Defense |
|
Open Vulnerability and Assessment Language (OVAL) |
-Sponsored by the US Department of Homeland Security -Standardizes vulnerability testing o How described and reported o An XML schema and repository of vulnerabilities |
|
Vulnerability Assessment Process (3 steps) |
-Representing configuration information of systems for testing -Analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.) -Reporting the results of this assessment |
|
Network Mappers |
-Used to create network maps -Tools: o Nmap o SolarWinds o Whats Up Gold |
|
Mapping Techniques |
-Active Probing -Route Analytics -SNMP |
|
Active Probing approach (Mapping Techniques) |
Relies on a series of traceroute-like probe packets in order to build the network map |
|
Route Analytics approach (Mapping Techniques) |
Relies on information from the routing protocols to build the network map |
|
SNMP (Mapping Techniques) |
Retrieves data from router and switch MIBs in order to build the network map |
|
Password Crackers |
-Software utility that allows direct testing of a user’s logon password strength -Deciphers passwords using: o Brute force decryption o Dictionary look-up |
|
Password Crackers (Examples) |
-Cain and Abel -L0phtCrack -John the Ripper |
|
Vulnerability Scanners |
Computer program designed to assess computers, computer systems, networks or applications for weaknesses -Port scanner -Ping scanner -Network enumerator -Network vulnerability scanner -Web application security scanner -Database security scanner |
|
Nessus |
A vulnerability scanner. It scans one or more computers remotely via the network: -It does a port scan and tries various exploits on the open ports -It searches for misconfiguration (e.g. open mail relay, database) -It checks for missing security patches -It searches for trojans and backdoors that are listening on a port -It tries to provoke buffer overflows -It searches for default passwords and blank passwords -It tries DoS attacks by sending mangled packets -It can remotely detect the version of installed antivirus software -It can check for improper network segmentation -The scanner can be scheduled to scan the company network every night |
|
Port Scanners |
-Probes for all enabled TCP/UDP ports -Used by system administrators or attackers -Port scanners tools: o SuperScan o NMAP o Nessus |
|
PING Scanner |
Uses ping (ICMP) messages to identify systems that are on the network |
|
Honey Pots |
-A bogus system that appears to be a production server -Configured with pseudo flaws -Can be used to learn the hacking techniques and methods that hackers employ -Padded Cell -Honeynet -Enticement vs. Entrapment |
|
Enticement |
The process of luring someone into your plan or trap. You might accomplish this by advertising that you have free software, or you might brag that no one can break into your machine |
|
Entrapment |
The process in which you encourage or induce a person to commit a crime when the potential criminal expresses a desire not to go ahead. Entrapment is a valid legal defense in a criminal prosecution |
|
Configuration Baselines (CB) |
-Establishes the mandatory settings that systems must have in place to be accepted for use in the network -May also mark an approved security configuration item, e.g. security templates, that have been signed off for execution |
|
Configuration Baselines (CB) - Information Assurance |
The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system. |
|
Three testing methods can be utilized for testing software |
Black Box -Examines a program from a user perspective -Testers do not have access to internal code. White Box -Examines the internal logical structures of a program, line by line, for errors. Gray Box -Combines both (White and Black) -Testers approach the software as a user, and have access to the source code (Source code is used to develop tests to be run as a user) |
|
Code Review |
-Systematic examination of computer source code -Intended to find and fix mistakes overlooked in the initial development phase -Can often find and remove common vulnerabilities -Program managers schedule meetings throughout the process -Development personnel walk through the code looking for design/security flaws |
|
Design Reviews |
-Part of the development process for a secure system -Determine how various parts of the system will interoperate -Coding milestones are laid out by the design management team -Review meeting is conducted to ensure that everyone is in agreement and the process is still on track |