Security+ SYO-601 → Threats, Attacks, & Vulnerabilities Notes
Here is what you need to know before you take the Security+ SYO-601 exam
Malware
- Types - Propagation and Payload
- Viruses - Spread by human interaction (a user opens or runs the infected file) - User education
- Worms - Spread under their own power by exploiting vulnerabilities - Patching
- Trojan Horses - Disguise themselves as legitimate programs while carrying a hidden malicious payload - Application control (allowlisting)
- Malware Payloads -
- Adware - Popups that serve the interest of the malware author
- Spyware - Gathers information for the malware author
- Potentially Unwanted Programs (PUPs) = Adware + Spyware, typically bundled with software the user chose to install
- Ransomware - Encrypts the victim's files and then demands a ransom payment for the decryption key
- Cryptoware (cryptomalware) - Mines cryptocurrency on the victim's hardware for the attacker's benefit (cryptojacking)
- Understanding Backdoors and Logic Bombs - Both are usually embedded in otherwise legitimate programs
- Backdoors - Provide a way around normal authentication and access controls
- Logic Bombs - Malicious code that stays dormant until a triggering condition is met (a date, an event, or a user account disappearing)
- Looking at advanced Malware -
- Rootkits - Run with root or system privileges and hide their presence (and that of other malware) from the operating system and security tools
- Fileless Viruses - Operate entirely in memory, often through legitimate tools such as PowerShell, leaving little on disk for signature-based antivirus to find
- Understanding botnets - Networks of compromised systems whose computing resources are stolen by the operator; the lifecycle is:
- Infect Systems
- Convert to bots
- Infect other systems
- Check into the botnet operator's command and control network
- Get Instructions from the command and control network
- Deliver the payload
- Malicious Script Execution -
- Shell scripts - run on command line
- Application - run within a software application
- Programming Languages - Allow the creation of general purpose code.
Understanding Attackers
- Cybersecurity adversaries -
- Internal
- External
- Script kiddies
- Hacktivist
- Criminal Syndicates
- Preventing insider threats - The notes cite insiders as involved in 51% of attacks - Background checks, least privilege, separation of duties, and monitoring
- Privilege Escalation - An insider (or an attacker with a foothold) gains rights beyond those assigned to the account
- Shadow IT - Technology adopted by employees without the knowledge or oversight of the IT department
- Attack Vectors - The paths an attacker uses to reach a target:
- Email - Phishing messages and malicious attachments or links
- Social Media - Impersonation, malicious links, and information gathering for targeted attacks
- Removable media - USB drives carrying malware, including drives dropped for curious employees to plug in
- Card Skimmers - Devices attached to payment terminals or ATMs to capture card data
- Cloud Services - Misconfigured or weakly authenticated cloud accounts and storage
- Unsecured network ports - Unused physical ports or open services that allow unauthorized connections
- Tampering with IT supply chain - Hardware or software compromised before it reaches the organization
- Wireless networks - Rogue access points, evil twins, and weak wireless encryption
- Zero Days and the Advanced Persistent Threat - A zero day is a vulnerability unknown to the vendor, so no patch exists yet; such exploits are most often used by Advanced Persistent Threats (APTs), well-funded and highly skilled groups that maintain long-term access to targets - Apply security updates as soon as they become available, and rely on defense in depth for the window before a patch exists
Threat Intelligence
- What is threat intelligence? - Information that allows teams to stay up to date on current risks and adversary activity
- Open Source Intelligence -
- Security websites
- Vulnerability databases
- News media
- Social media
- Information sharing centers
- File repositories
- Code repositories
- Security researchers
- Dark web
- Email Harvesting - Searching public sources for valid email addresses, which attackers then use for phishing and credential attacks
- Managing Threat Indicators - Properties that describe a threat (IP addresses, domains, file hashes, URLs) in a shareable format
- Cyber Observable eXpression (CybOX) - Not covered on SYO-601
- STIX - Structured Threat Information eXpression; a standard (now maintained by OASIS) for describing threat indicators, used by CISA's Automated Indicator Sharing program
- TAXII - Trusted Automated eXchange of Intelligence Information; the transport protocol for exchanging STIX data, also used by CISA
- OpenIOC - Mandiant's XML-based format for describing indicators of compromise
- Information Sharing and Analysis Centers (ISACs) - Go to https://nationalisacs.org/member-isacs for more information.
- Threat Research - Uses threat intelligence to determine what the adversaries are up to
- Reputational Threat Research - Identifies IP addresses and domain names with a history of malicious activity
- Behavioral Threat Research - Looks for behavioral patterns (for example, beaconing to a command and control server) regardless of the source's reputation
- Identifying Threats - Identifies and prioritizes threats
- Use a structured approach
- Asset Focus - asset inventory
- Threat Focus - how threats affects information
- Service Focus - identify impact of threats on services
- Automated approach - Tooling with built-in triggers that flags threats without waiting for an analyst
- Automating threat intelligence - Blacklisting of IP addresses and domains from threat feeds
- Start in alert-only mode to assess accuracy (a bad feed in blocking mode is a self-inflicted denial of service)
- Incident response is a very manual process
- Data Enrichment - Reconnaissance, related log records, and triggering a vulnerability scan
- Security Orchestration, Automation, and Response (SOAR) - Platforms that tie these automated steps together into playbooks
- Machine Learning - Learns patterns from large volumes of data to spot anomalies and prioritize alerts
- Threat Hunting - An organized, systematic approach to seeking out indicators of compromise on our networks using expertise and analytic techniques
- Establish a hypothesis
- Identify Indicators of Compromise
- After discovering an incident, move into incident handling mode
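The indicator formats, alert-only automation, and IOC matching described above, as an added example that is not part of the original notes: it loads indicators from a constructed STIX 2.1-style bundle (the bundle, its identifiers, and the log lines are all made up, using documentation addresses), then runs them against sample log lines first in alert-only mode and then in blocking mode, with an allowlist for known false positives.

```python
"""Added example (not from the original notes): load threat indicators
from a constructed STIX 2.1-style bundle, then check sample log lines
against them in alert-only mode before switching to blocking mode.
"""
import json
import re

# Constructed STIX 2.1 bundle. Identifiers and addresses are documentation
# values (RFC 5737 / RFC 2606), not real indicators.
THREAT_FEED = json.dumps({
    "type": "bundle",
    "id": "bundle--1b2c3d4e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'bad.example']",
         "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z"},
        {"type": "identity",
         "id": "identity--1b2c3d4e-0000-4000-8000-000000000004",
         "name": "Example feed"},
    ],
})

# A single STIX comparison expression for an IP or domain observable.
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")


def load_indicators(bundle_json):
    """Return {observable value: indicator id} for the simple patterns."""
    indicators = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue  # identities, relationships, etc. carry no IOC
        match = PATTERN_RE.fullmatch(obj["pattern"])
        if match:
            indicators[match.group(2)] = obj["id"]
    return indicators


# Constructed firewall/proxy log lines: timestamp, source, destination.
LOG_LINES = [
    "2023-02-01T10:00:01Z src=10.0.0.7 dst=203.0.113.5 dport=443",
    "2023-02-01T10:00:02Z src=10.0.0.7 dst=198.51.100.9 dport=443",
    "2023-02-01T10:00:03Z src=10.0.0.12 host=bad.example dport=80",
    "2023-02-01T10:00:04Z src=10.0.0.12 host=good.example dport=80",
]

# Destination field of a log line (IP for firewall lines, name for proxy lines).
TOKEN_RE = re.compile(r"(?:dst|host)=(\S+)")


def evaluate(log_lines, indicators, allowlist=frozenset(), block=False):
    """Match each line's destination against the indicator set.

    With block=False (alert-only mode) matches are only reported, which is
    how to measure a feed's false-positive rate before letting it block
    traffic. Returns a list of (line, indicator id, action) tuples.
    """
    results = []
    for line in log_lines:
        match = TOKEN_RE.search(line)
        if not match:
            continue
        value = match.group(1)
        if value in allowlist:
            continue  # known-good destination, never alert or block
        if value in indicators:
            action = "block" if block else "alert"
            results.append((line, indicators[value], action))
    return results


if __name__ == "__main__":
    feed = load_indicators(THREAT_FEED)
    for line, indicator_id, action in evaluate(LOG_LINES, feed):
        print(f"{action.upper():5} {indicator_id} <- {line}")
```

Run it in alert-only mode first; once the alerts have been reviewed and anything noisy has been moved to the allowlist, flip `block=True`. A real deployment would pull the bundle over TAXII instead of embedding it, and would also handle the other STIX observable types (file hashes, URLs) the regex above ignores.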
Social Engineering Attacks - Education is key to prevention
- What is social engineering? - Manipulating people into divulging information or performing an action that undermines security
- Authority - People deferring to authority
- Intimidation - Scaring people
- Consensus - Herd mentality (everyone else has already done it)
- Scarcity - Getting the last one
- Urgency - Time is running out
- Familiarity - We like to say yes to people we like
- Impersonation attacks -
- Spam - Unsolicited commercial email
- Phishing - Tricking users into giving out credentials or other sensitive information, usually by email
- Spear Phishing - Targeted phishing
- Whaling - Targeted phishing aimed at senior leaders
- Pharming - Redirecting users to fake websites by tampering with DNS or the hosts file, so the victim ends up on the attacker's site even after typing the right address
- Vishing - Voice phishing
- Smishing/SPIM - Phishing over SMS (smishing) and spam over instant messaging (SPIM)
- Spoofing - Faking the source identity (email sender, caller ID, IP address)
- Identity fraud and pretexting - Stealing people's identities and then using them to get something the attacker is not entitled to - See https://public.tableau.com/profile/federal.trade.commission#!/vizhome/IdentityTheftReports/TheftTypesOverTime for more information.
- Pretexting - Inventing a plausible scenario (the pretext) to persuade the target to hand over information, for example posing as the customer whose identity was stolen or as the help desk
- Identity Fraud - Using stolen personal information to obtain credit, benefits, or access in the victim's name
- Watering hole attacks - Compromise a trusted website the targets already visit, then lie in wait for them - Steps include:
- Identify and compromise a website the targeted group frequents
- Choose a client-side exploit and bundle it with the malware (for example, a botnet agent)
- Place the malware on the compromised website
- Sit back and wait for infected systems to phone home
- Physical social engineering - Using physical means to get unauthorized information
- Shoulder surfing - Be aware of your settings and use screen filters.
- Dumpster Diving - Shred sensitive documents
- Tailgating - Slipping in behind someone into a secure area - Be aware of who might be following you. Don't allow them to follow you into a secure area.
Common Attacks
- Password Attacks - Passwords should be stored as salted hashes, never in plaintext; on Linux, hashes belong in the root-only /etc/shadow rather than the world-readable /etc/passwd
- Brute Force - Tries every possible combination of characters until the hash matches; guaranteed to work eventually, but slow for long passwords
- Cracking - Recovering passwords offline from stolen hashes with a tool such as John the Ripper or hashcat
- Dictionary - Tries words from a wordlist (dictionary words, leaked passwords)
- Hybrid - Dictionary words with common mutations applied (capitalization, appended digits, character substitutions)
- Rainbow Table - Uses precomputed hash values; defeated by salting, since the salt changes every hash the table would have to contain
- Password spraying - Tries a few commonly used passwords against many accounts, staying under each account's lockout threshold
- Credential stuffing - Replays username/password pairs leaked from one breach against other sites, exploiting password reuse
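The cracking techniques listed above, as an added example that is not part of the original notes: dictionary, hybrid, brute-force, and precomputed-table attacks against unsalted SHA-256 hashes, plus a check showing why a per-user salt defeats the precomputed table. The wordlist is constructed, and SHA-256 is used only so the example runs quickly; real password storage should use a slow, salted hash such as bcrypt, scrypt, or Argon2.

```python
"""Added example (not from the original notes): how dictionary, hybrid,
brute-force and precomputed-table attacks recover passwords from stolen
hashes, and why a per-user salt defeats the precomputed table.
"""
import hashlib
import itertools
import os

# Constructed wordlist standing in for a real dictionary/leak file.
WORDLIST = ["password", "letmein", "summer", "dragon", "welcome"]


def unsalted_hash(password):
    """The weak storage format the attacks below target."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Per-user random salt prepended before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist):
    """Try each wordlist entry as-is."""
    for word in wordlist:
        if unsalted_hash(word) == target_hash:
            return word
    return None


def hybrid_candidates(wordlist):
    """Dictionary words plus common mutations: capitalization and up to
    two trailing digits (the rules real crackers apply are far larger)."""
    for word in wordlist:
        for variant in (word, word.capitalize()):
            yield variant
            for n in range(100):
                yield f"{variant}{n}"


def hybrid_attack(target_hash, wordlist):
    for candidate in hybrid_candidates(wordlist):
        if unsalted_hash(candidate) == target_hash:
            return candidate
    return None


def brute_force(target_hash, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=4):
    """Exhaustive search over short lowercase strings; cost grows as
    len(alphabet) ** length, which is why length beats complexity rules."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if unsalted_hash(candidate) == target_hash:
                return candidate
    return None


def build_table(wordlist):
    """Precomputed hash -> plaintext lookup. A rainbow table stores this
    far more compactly using hash chains, but the lookup idea is the same:
    all the hashing is done once, up front, then each stolen hash costs
    one lookup."""
    return {unsalted_hash(c): c for c in hybrid_candidates(wordlist)}


def table_lookup(table, target_hash):
    return table.get(target_hash)


def salt_defeats_table(table, password):
    """True when the precomputed table cannot find a salted hash of a
    password it does contain: the salt changes the hash, so the attacker
    would need a separate table per salt value."""
    salt = os.urandom(16)
    return table_lookup(table, salted_hash(password, salt)) is None


if __name__ == "__main__":
    stolen = unsalted_hash("Dragon42")
    print("dictionary:", dictionary_attack(stolen, WORDLIST))
    print("hybrid:    ", hybrid_attack(stolen, WORDLIST))
    table = build_table(WORDLIST)
    print("table:     ", table_lookup(table, stolen))
    print("salted hash found in table:", not salt_defeats_table(table, "Dragon42"))
```

The plain dictionary attack misses "Dragon42" while the hybrid attack and the precomputed table both recover it in well under a second, which is the practical argument for banning known-bad passwords rather than just enforcing "one capital, one digit". Salting only blocks the precomputed table; a slow hash (bcrypt, scrypt, Argon2) is what raises the cost of the online dictionary and hybrid attacks.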
- Adversarial artificial intelligence - Attacks that target the machine learning models increasingly used in security tooling; background terms:
- Descriptive Analytics - Summarizes what has already happened in the data
- Predictive Analytics - Uses historical data to predict the outcome of future inputs
- Prescriptive Analytics - Recommends actions; most commonly associated with optimization
- Adversarial AI - Feeds the model crafted inputs (or poisons its training data) so it misclassifies; mitigate by building robust algorithms and keeping a human in the loop (e.g., a manual override on self-driving cars)
Vulnerability Types - Confidentiality, Integrity, and Availability (CIA) describe a security professional's goals; a vulnerability is a weakness that lets an attacker undermine one of them
- Vulnerability impact - Considers the following risks:
- Financial - cost of a breach or incident
- Reputational - how the customers will trust the company
- Strategic - ability to meet major goals and objectives
- Operational - day-to-day operations
- Compliance - ability to comply with laws, regulations, and policies (e.g., HIPAA)
- Supply chain vulnerabilities - Risk introduced by the vendors and products the organization depends on:
- End of Sale - Vendor no longer sells the product but continues to support it
- End of Support - Vendor reduces or stops providing patches and updates, so new vulnerabilities go unfixed
- End of Life - Vendor no longer supports the product at all
- Vendor failure to announce end of support - Track product lifecycles yourself, keep backups, and plan migrations rather than relying on the vendor's notice
- Configuration vulnerabilities - Mitigate with hardening baselines and good patch management (OS, applications, and firmware):
- Default passwords
- open ports
- System misconfigurations
- Cryptographic
- Weak cipher suites
- Weak cryptographic protocol implementations
- Poor key management
- Poor certificate management
- other security issues
- Architectural vulnerabilities - Improperly designed systems
- Security - Incorporate it early in the design rather than bolting it on afterward
- System Sprawl - Devices added to the network that are never inventoried or managed, so they miss patches and monitoring
Vulnerability Scanning