@morisono
Forked from IPvPho/Sec+ Notes.md
Created March 5, 2025 11:43
Sec+ Notes

Security+ 601 Notes

Domains

1.0 Attacks, Threats, and Vulnerabilities (24%)

2.0 Architecture and Design (21%)

3.0 Implementation (25%)

4.0 Operations and Incident Response (16%)

5.0 Governance, Risk, and Compliance (14%)

Attacks, Threats, and Vulnerabilities

Section 1.1

Compare and contrast different types of social engineering techniques.

Phishing

- A type of social engineering in which an attacker attempts to obtain sensitive information from users by masquerading as a trusted entity in an e-mail or instant message sent to a large group, often of random users.

Smishing

- An attack using SMS (Short Message Service) on victims' cell phones. A version of Phishing carried out via SMS.

Vishing

- A variation of Phishing that utilizes voice communication technology to obtain the information the attacker is seeking.

SPAM

- Bulk, unsolicited e-mail. Although not typically considered a security issue or social engineering, it can still be a security concern.

SPIM (Spam Over Instant Messaging)

- SPAM received via instant messaging, with the purpose of getting an unsuspecting user to click malicious content or links, thus initiating the attack.

Spear Phishing

- Refers to a Phishing attack that targets a specific person or group of people with something in common. A targeted attack seems more plausible than a message sent to users randomly.

Dumpster Diving

- The process of going through a target's trash in hopes of finding valuable information that might be used in a penetration attempt.

Shoulder Surfing

- The attacker directly observes the individual entering sensitive information on a form, key-pad, or keyboard. The observation can be made in person, or with a camera or binoculars.

Pharming

- Consists of misdirecting users to fake websites made to look official. Attackers target individuals, one by one, by sending out e-mails. To become a victim, the recipient must take action.

Tailgating

- Simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building.

Eliciting Information

- A skilled social engineer can use a wide range of psychological techniques to convince people, whose main job is to help others, to perform tasks resulting in security compromises.

Whaling

- An attack in which the target is a high-value person, often a CEO or CFO. A custom-built attack targeted at an individual to increase the odds of success.

Prepending

- The act of adding something else to the beginning of an item. In social engineering, prepending is the act of supplying information that another will act upon, frequently before they ask for it, in an attempt to legitimize the actual request, which comes later.

Identity Fraud

- The use of fake credentials to achieve an end.

Invoice Scams

- Sending a fake invoice for collections in an attempt to get a company to pay for things it has not ordered.

Credential Harvesting

- The collection of credential information, such as user IDs, passwords, and so on, giving an attacker a series of access passes to the system.

Reconnaissance

- An adversary will examine the systems they intend to attack, using a wide range of methods. 

Hoax

- A humorous or malicious deception. Not always seen as a security threat, but can become one as it can convince users to take some sort of action that weakens security.

Impersonation

- A common social engineering technique that can be employed in many ways. It can occur in person, over the phone, or online. The attacker assumes a role that is recognized by the person being attacked, and in assuming that role, the attacker uses the potential victim's biases against their better judgement to follow procedures.

Watering Hole Attack

- Typically directed at a target. Involves infecting a target website with malware. Usually backed by nation-states or high-resource attackers, as these attacks are complex. The typical attack vector is a zero-day attack, to further avoid detection.

Typosquatting

- An attack form that capitalizes upon common typographical errors. If a user mistypes a URL, the result should be a '404 Error' or 'Resource Not Found' page. If an attacker has registered the mistyped URL, the user instead lands on the attacker's page.

Pretexting

- A form of social engineering in which the attacker uses a narrative (the pretext) to influence the victim into giving up some item of information. 

- Example would be a former student calling up a college or a former admin calling an executive.

Influence Campaigns

- The use of collected information and selective publication of material to key individuals in an attempt to alter perceptions and change people's minds on a topic. 

- Example: 'Hybrid Warfare' on Social Media using propaganda to influence large groups to form a specific opinion on a topic. 

Principles (Reasons for Effectiveness)

Authority

- If an attacker can convince a target that they have authority in a particular situation, they can entice the target to act in a particular manner or else face adverse consequences. 

Intimidation

- Can be subtle, through perceived power, or more direct, through the use of communications that build an expectation of superiority.

Consensus

- A group-wide decision. Typically comes from rounds of group negotiation, which can be manipulated to achieve desired outcomes.

Scarcity

- If something is in short supply and is valued, then arriving with what is needed can bring reward and acceptance. Implied scarcity, or an implied future change in availability, can create a perception of scarcity.

Familiarity

- Building this sense of appeal can lead to misplaced trust.

Trust

- An understanding of how something will act under specific conditions. Social engineers can shape the perceptions of a target to where they will apply judgements to the trust equation and come to a false conclusion. 

Urgency

- Time can be manipulated to drive a sense of urgency and prompt shortcuts that can lead to opportunities for injections into processes. 

Section 1.2

Types of Attack Indicators.

Malware

- Refers to software that has been designed for some nefarious purpose.

- Examples would be: Viruses, Trojan Horses, Logic Bombs, Spyware, and Worms.

Ransomware

- A form of malware that performs some action and extracts a ransom from the user. 

- Typically encrypts files on a system and then leaves them unusable, either permanently, acting as a DoS, or temporarily until a ransom is paid.

Trojans

- A piece of software that appears to do one thing (and may actually do that thing) but hides some other functionality.

Worms

- Pieces of code that attempt to penetrate networks and computer systems. 

- Once penetration occurs, the worm will create a new copy of itself on the penetrated system. 

- Reproduction of a worm thus does not rely on the attachment of the virus to another piece of code or to a file, which would be the definition of a virus.

Potentially Unwanted Programs (PUP)

- A designation by security companies and anti-virus vendors to identify programs that may have adverse effects on a computer's security or privacy. 

Fileless Viruses

- A piece of malware operating in memory only. A 'memory-based attack'.

Command and Control

- Used by hackers to control malware that has been launched against targets. These malware elements work to exfiltrate data.

Bots

- A functioning piece of software that performs some task, under the control of another program.

- A series of bots controlled across a network in a group is called a 'Botnet'.

Crypto-Malware

- Malware that uses a system's resources to mine cryptocurrency.

Logic Bombs

- Malicious software that is deliberately installed, generally by an authorized user. 

- A piece of code that sits dormant for a period of time until some event or date invokes its malicious payload.

Spyware

- Software that 'spies' on users, recording and reporting on their activities. 

- Typically installed without the user's knowledge, spyware can perform a wide range of activities.

Keyloggers

- A piece of software that logs all of the keystrokes that a user enters. 

Remote-Access Trojans (RATs)

- A toolkit designed to provide the capability of covert surveillance and/or the capability to gain unauthorized access to a target system. 

- Typically mimic the behavior of keyloggers and packet sniffers, using the automated collection of keystrokes, usernames, passwords, screenshots, browser history, e-mails, chat logs, and more, but they also do so with a design of intelligence.

Rootkit

- A form of malware that is specifically designed to modify the operation of the OS in some fashion to facilitate nonstandard functionality. 

Backdoors

- Originally nothing more than methods used by developers to ensure they can gain access to an application, even if something were to happen in the future to prevent normal access methods. 

Password Attacks

Spraying

- An attack that uses a limited number of commonly used passwords and applies them to a large number of accounts. 

- Useful when you don't care which account you get access to, and is fairly successful when you use a large set of accounts.

Dictionary

- A password-cracking program that uses a list of dictionary words to try to guess the password, hence the name dictionary attack.

Brute Force

- A password-cracking program that attempts all possible password combinations.

Offline

- Can be employed to perform hash comparisons against a stolen password file.

Online

- Occur in real time against a live system; frequently used to attack a single account with many candidate passwords.

- Tend to be very noisy and easy to see by network security monitoring.
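The spraying and online-attack bullets above describe two failure patterns that look different in logs: one source touching many accounts a few times each (spraying) versus many failures against one account (classic online brute force). The following is an added example, not part of the original notes; it runs over constructed sshd-style lines (not real logs) and uses illustrative thresholds.

```python
import re
from collections import defaultdict

# Added example, not from the original notes. Constructed sshd-style sample
# lines (not real logs): one source touches five accounts once each (spray
# pattern), another hammers a single account (classic online brute force).
SAMPLE_LOG = """\
Mar 05 11:40:01 host sshd[101]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Mar 05 11:40:02 host sshd[102]: Failed password for bob from 198.51.100.7 port 5002 ssh2
Mar 05 11:40:03 host sshd[103]: Failed password for carol from 198.51.100.7 port 5003 ssh2
Mar 05 11:40:04 host sshd[104]: Failed password for dave from 198.51.100.7 port 5004 ssh2
Mar 05 11:40:05 host sshd[105]: Failed password for erin from 198.51.100.7 port 5005 ssh2
Mar 05 11:41:00 host sshd[106]: Failed password for alice from 203.0.113.9 port 6001 ssh2
Mar 05 11:41:01 host sshd[107]: Failed password for alice from 203.0.113.9 port 6002 ssh2
Mar 05 11:41:02 host sshd[108]: Failed password for alice from 203.0.113.9 port 6003 ssh2
Mar 05 11:41:03 host sshd[109]: Failed password for alice from 203.0.113.9 port 6004 ssh2
Mar 05 11:42:00 host sshd[110]: Accepted password for frank from 192.0.2.4 port 7001 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def classify_sources(log_text, spray_accounts=4, bruteforce_attempts=4):
    """Label each source IP with failed logins as 'spraying' (failures spread
    over >= spray_accounts distinct accounts), 'brute-force' (>= bruteforce_attempts
    failures against one account) or 'normal'. Thresholds are illustrative."""
    failures = defaultdict(list)  # source ip -> account names that failed
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src].append(user)
    labels = {}
    for src, users in failures.items():
        distinct_accounts = len(set(users))
        most_hit_account = max(users.count(u) for u in set(users))
        if distinct_accounts >= spray_accounts:
            labels[src] = "spraying"
        elif most_hit_account >= bruteforce_attempts:
            labels[src] = "brute-force"
        else:
            labels[src] = "normal"
    return labels

if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {label}")
```

Sources with only successful logins never appear in the result, so the source 192.0.2.4 is simply absent.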

Rainbow Tables

- Precomputed tables of hash values associated with passwords.

- Changes the search for a password from a computational problem to a lookup problem.

Plaintext/Unencrypted

- Any time a system can send you a copy of your password. 

Physical Attacks

Malicious USB Cable

- 'Poisoned' cables have been found with electronics that can deliver malware to machines.

Card Cloning

- Smart card chips themselves cannot be cloned, but in the case of a credit card having a damaged chip, many systems fall back to the magnetic stripe information, making the cloning attack still a potential threat.

Skimming

- Physical devices built to intercept credit card information.

- These devices can be placed directly on to a credit card reader to skim the data.

Adversarial AI

- Attackers can use AI to enable their attacks, such as phishing, to avoid machine detection.

Tainted Training Data for Machine Learning

- ML works by using a training data set to calibrate the detection model, enabling detection on new sample data.

- As conditions change over time, the ML algorithm needs retraining or updating to make it effective against different inputs. 

- If an adversary can get at that training data first, they can manipulate the data sets.

Security of Machine Learning Algorithms

- Should an attacker be able to reproduce the exact same set of parameters, they would be able to create attack data sets that could slip past the ML algorithm.

Supply-Chain Attacks

Cloud-Based vs. On-Premise Attacks

- Security must be defined and implemented no matter if it is in the cloud or on-premise. 

Cryptographic Attacks

- Attacks against the cryptographic system.

- Takes advantage of the concept that cryptography is 'magic' or incomprehensible, leading people to trust it without validation.

- Although understood by computer scientists, algorithm weaknesses that can be exploited are frequently overlooked by developers.

Birthday

- A special type of brute force attack that gets its name from something known as the birthday paradox, which states that in a group of at least 23 people, the chance that two individuals will have the same birthday is greater than 50 percent. 

- Equation: n ≈ 1.25 * k^(1/2), that is, 1.25 times the square root of k.
    - k = 365 for days in a year in the birthday example, which gives about 23.9 people.

- The same phenomenon applies to passwords, with 'k' being quite a bit larger than 50, but still a manageable number for computers and today's storage capacities. 

Collision

- An attack where two different inputs yield the same output of a hash function.

- Through the manipulation of data, subtle changes are made that are not visible to the user yet create different versions of a digital file. 
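The Birthday and Collision bullets above are one idea: the bound 1.25 * k^(1/2) says how many samples are needed before two of them coincide, whether k is 365 days or the 2^b possible outputs of a b-bit hash. The following added example (not part of the original notes) computes the exact collision probability alongside the approximation, and extends it to hash output sizes, which is why a hash is said to give only half its bit length in collision resistance.

```python
import math

# Added example, not from the original notes: the birthday bound applied to
# calendar days and then to hash outputs of b bits (k = 2**b values).

def collision_probability(n, k):
    """Exact probability that at least two of n values drawn uniformly at random
    from k possibilities coincide: 1 - prod_{i<n} (k - i) / k."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct

def birthday_bound(k):
    """Sample count at which a collision becomes likely, using the notes'
    approximation 1.25 * k^(1/2)."""
    return 1.25 * math.sqrt(k)

def hash_collision_work(bits):
    """Same bound for a hash with a `bits`-bit output: about 1.25 * 2**(bits/2)
    hashes, so collision resistance is only half the output length."""
    return birthday_bound(2 ** bits)

if __name__ == "__main__":
    print(f"k=365: bound ~ {birthday_bound(365):.1f}, "
          f"P(collision among 23) = {collision_probability(23, 365):.3f}")
    for bits in (32, 64, 128, 256):
        print(f"{bits}-bit hash: ~2^{math.log2(hash_collision_work(bits)):.1f} hashes")
    n32 = round(hash_collision_work(32))
    print(f"32-bit hash, {n32} samples: P(collision) = "
          f"{collision_probability(n32, 2 ** 32):.3f}")
```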

Downgrade

- The attacker takes advantage of a commonly employed principle to support backward compatibility to downgrade the security to a lower or nonexistent state.

Section 1.3

Application Attack Indicators.

Privilege Escalation

- Attacker exploits vulnerabilities that enable them to achieve root or admin-level access.

- Sniffers can be used to grab better credentials, or existing privileges can be used to elevate one's own privileges.

Cross-Site Scripting (XSS)

- The cause of the vulnerability is weak user input validation. If input is not validated properly, an attacker can include a script in their input and have it rendered as part of the web process.

Types of XSS attacks:

    - Non-persistent XSS: The injected script is not persisted or stored but rather is immediately executed and passed back via the web server.

    - Persistent XSS: The script is permanently stored on the web server or some back-end storage. This allows the script to be used against others who log in to the system.

    - DOM-based XSS: Script is executed in the browser via the Document Object Model (DOM) process as opposed to the web server.

Scripting attack examples:

    - Theft of authentication information from a web app

    - Session hijacking

    - Deploying hostile content

    - Changing user settings, including future users

    - Impersonating a user

    - Phishing or stealing sensitive information

Injection Attacks

Structured Query Language

- A SQL injection attack is a form of code injection aimed at any SQL-based database, regardless of vendor.

- EX: The function takes the user-provided inputs for username and password and substitutes them into a 'where' clause of a SQL statement, with the express purpose of changing the 'where' clause into one that gives a false answer to the query.
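The 'where' clause example above, shown as an added example that is not part of the original notes: a login check built by string concatenation next to the same check with bound parameters, run against a constructed in-memory SQLite table. The table stores a plaintext password only to keep the demo short; real systems store hashes.

```python
import sqlite3

# Added example, not from the original notes. Constructed in-memory user table;
# the credentials are sample data (plaintext only for brevity, never do this).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by concatenation, so input is parsed as SQL
    syntax rather than treated as data (the defect the notes describe)."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Same check with placeholders: the driver binds the values separately
    from the statement text, so quotes in the input cannot alter the clause."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    conn = make_db()
    # Constructed test input: a quote closes the string literal and appends an
    # always-true condition, turning the WHERE clause into one that matches.
    crafted = "' OR '1'='1"
    print("vulnerable, wrong password:", login_vulnerable(conn, "alice", crafted))
    print("parameterized, wrong password:", login_parameterized(conn, "alice", crafted))
    print("parameterized, right password:",
          login_parameterized(conn, "alice", "correct horse battery staple"))
```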

Dynamic-Link Library (DLL)

- A piece of code that can add functionality to a program through the inclusion of library routines linked at runtime.

- DLL injection is the process of adding to a program, at runtime, a DLL that has a specific function vulnerability that can be capitalized upon by the attacker.  

- EX: Microsoft Office is a suite of programs that use DLLs loaded at runtime; placing an 'evil' DLL in the correct directory, or pointing to it via a registry key, can result in the attacker's additional functionality being loaded.

Lightweight Directory Access Protocol (LDAP)

- When an app constructs an LDAP request based on user input, a failure to validate the input can lead to a bad LDAP request. 

- Just as SQL injection can be used to execute arbitrary commands in a database, LDAP injection can do the same in a directory system. 

- Something as simple as a wildcard character (*) in a search box can return results that would normally be beyond the scope of a query.

Extensible Markup Language (XML)

- 