Cybrary Security+ Domain 1-2

Post on 04-Dec-2021


Page 1: Cybrary Security+ Domain 1-2

CompTIA Security+ 501
Cybrary - Ron Woerner 1

CompTIA Security+ SY0-501
Instructor: Ron Woerner, CISSP, CISM

CompTIA Security+ Domain 1 – Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks
Part 1: Social Engineering Attacks

Page 2: Cybrary Security+ Domain 1-2

1.2 Attack Types

● Social engineering: Phishing; Spear phishing; Whaling; Vishing; Tailgating; Impersonation; Dumpster diving; Shoulder surfing
● Application/service attacks: Buffer overflow; Injection; Cross-site scripting; Cross-site request forgery; Privilege escalation; Impersonation/Masquerading; Replay; Driver manipulation (Shimming; Refactoring)
● Cryptographic attacks: Birthday; Known plain text/cipher text; Rainbow tables; Dictionary; Brute force; Pass the hash
● Hijacking and related attacks: Clickjacking; Session hijacking; URL hijacking; Typo squatting; MAC spoofing; IP spoofing
● Network / Wireless Attacks: DoS; DDoS; Man-in-the-middle; Amplification; DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV); Evil twin; Rogue AP; Jamming; Bluejacking; Bluesnarfing

Social Engineering

Definition:
● The process by which intruders gain access to facilities, networks, systems, data and even employees by exploiting the generally trusting nature of people.
● The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
● Reference: Chris Hadnagy, The Art of Human Hacking (Wiley, 2010)

Page 3: Cybrary Security+ Domain 1-2

Social Engineering Attack Types

● Online
  ○ Phishing; Vishing; Whaling; Spear Phishing
  ○ Spoofing
● Offline / Physical
  ○ Tailgating
  ○ Impersonation
  ○ Dumpster diving
  ○ Shoulder surfing
● Either

Communications Spoofing / Fraud

● Phishing: sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
● Spear Phishing: sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

Page 4: Cybrary Security+ Domain 1-2

Phishing Example

Communications Spoofing / Fraud

● Whaling: a phishing attack that is specifically aimed at wealthy, powerful, or prominent individuals.
● Vishing: making phone calls or leaving voice messages purporting to be from reputable companies.
● Pharming: redirecting traffic to a spoofed web site.
● Variants: SMiShing

Page 5: Cybrary Security+ Domain 1-2

Communications Spoofing

● Vishing: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
● Variants: SMiShing

Communications Spoofing

● Hoax: malicious actors issuing false warnings to alarm users.
● Swatting: fraudulent calls to the police.
● Watering Hole Attack: a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.

Page 6: Cybrary Security+ Domain 1-2

Social Engineering Attacks – Physical

● Tailgating: gaining entry to electronically locked systems by following someone through the door they just unlocked.

Social Engineering Attacks – Physical

● Dumpster Diving: the practice of foraging in garbage that has been put out on the street in dumpsters, garbage cans, etc., for discarded items that may still be valuable, useful, or used to commit fraud.

Page 7: Cybrary Security+ Domain 1-2

Social Engineering Attacks – Physical

● Shoulder Surfing: watching someone “over their shoulder” when they enter sensitive data such as a password or credit card information.

Social Engineering – Principles

Reasons for effectiveness:
● Authority
● Intimidation
● Consensus / Social Proof
● Scarcity
● Familiarity / Liking
● Trust
● Urgency
● Reciprocity

Reference: Cialdini, Influence: Science and Practice, 5th ed., 2009

Page 8: Cybrary Security+ Domain 1-2

Social Engineering – Prevention

● User education
● “Trust, but verify”
● “If you see something, say something”

Sample question

A user contacts you suspecting that his computer is infected. Yesterday he opened an email that looked like it was from a colleague. When he later talked to that person, she said she never sent an email. What type of attack is the most likely cause of the infection?

A. Phishing
B. Trojan
C. Spear phishing
D. Whaling

Page 9: Cybrary Security+ Domain 1-2

Sample question

You observe a delivery person entering your building by following an employee through a locked door into a secure facility. Which term best describes this type of attack?

A. Shoulder surfing
B. Reciprocity
C. Tailgating
D. Whaling

Security+ Lab Guide

Social Engineering Reconnaissance

● Often a compromise in a company begins with attackers searching through social media for information on employees or the organization.
● Attackers are looking to gain access to internal systems by impersonating or exploiting internal employees.

Page 10: Cybrary Security+ Domain 1-2

CompTIA Security+ Domain 1 – Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks
Part 2: Application/service Attacks

Attack Types

● Social engineering: Phishing; Spear phishing; Whaling; Vishing; Tailgating; Impersonation; Dumpster diving; Shoulder surfing
● Application/service attacks: Buffer overflow; Injection; Cross-site scripting; Cross-site request forgery; Privilege escalation; Impersonation/Masquerading; Replay; Driver manipulation (Shimming; Refactoring); Zero-Day (0-Day) Exploits
● Cryptographic attacks: Birthday; Known plain text/cipher text; Rainbow tables; Dictionary; Brute force; Pass the hash
● Hijacking and related attacks: Clickjacking; Session hijacking; URL hijacking; Typo squatting; MAC spoofing; IP spoofing
● Network / Wireless Attacks: DoS; DDoS; Man-in-the-middle; Amplification; DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV); Evil twin; Rogue AP; Jamming; Bluejacking

Page 11: Cybrary Security+ Domain 1-2

Application Attacks

● Buffer overflow
● Injection
● Cross-site scripting (XSS)
● Cross-site request forgery (CSRF or XSRF)
● Privilege escalation

OWASP Top 10 Application Security Risks - 2017
https://www.owasp.org/index.php/Top_10-2017_Top_10

Page 12: Cybrary Security+ Domain 1-2

Application Attacks – Buffer overflow

● When more data are written to a buffer than it can hold.
● An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.

Application Attacks – Injection

● Occurs when untrusted data is sent to an interpreter as part of a command or query.
● The most common fall into the following categories:
  ○ Escape characters not filtered correctly
  ○ Type handling not properly done
  ○ Conditional errors
  ○ Time delays
● The way to defend against this attack is always to filter input.
● Examples: SQL Injection, OS, LDAP, XML

Page 13: Cybrary Security+ Domain 1-2

Application Attacks – Cross-site scripting & Cross-site request forgery

● Cross-site scripting (XSS): occurs whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.
  ○ Example: Ron<SCRIPT>alert(‘hello’)</SCRIPT>Woerner
● Cross-site request forgery (CSRF/XSRF): an attack that forces an end user to execute unwanted actions on a web application. Also known as a session riding or one-click attack.
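The slide's XSS example rendered two ways, as an added example that is not part of the original deck: the page template, with one HTML text-node slot and one URL-parameter slot, is constructed; the untrusted value is the slide's own `Ron<SCRIPT>alert('hello')</SCRIPT>Woerner`. The escaping must match the output context, which is why the two slots are encoded differently.

```python
import html
import re
from urllib.parse import quote

# The slide's own example of untrusted input.
UNTRUSTED_NAME = "Ron<SCRIPT>alert('hello')</SCRIPT>Woerner"

# Constructed template with two output contexts: an HTML text node and
# a URL query parameter inside an href attribute.
TEMPLATE = ('<p>Welcome, {text}!</p>'
            '<a href="/profile?name={param}">profile</a>')


def render_unsafe(name: str) -> str:
    """Inserts the value verbatim into both slots: the XSS bug the slide
    describes, because any markup in the value becomes part of the page."""
    return TEMPLATE.format(text=name, param=name)


def render_safe(name: str) -> str:
    """Encodes each insertion for its own context: entity escaping for the
    text node, percent-encoding for the URL parameter."""
    return TEMPLATE.format(text=html.escape(name, quote=True),
                           param=quote(name, safe=""))


def foreign_tags(rendered: str, expected=("p", "a")) -> set:
    """Tag names in the output that the template itself did not emit.
    An empty set means the untrusted value created no element of its own."""
    found = {m.lower() for m in re.findall(r"<\s*/?\s*([A-Za-z]+)", rendered)}
    return found - set(expected)
```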

Application Attacks – Privilege Escalation

The act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

Page 14: Cybrary Security+ Domain 1-2

Application Attacks – Prevention & Response

● Good coding practices – see OWASP
● Filter and validate any user input
● Use a Web Application Firewall (WAF)
● Build security into the Software Development Life Cycle (SDLC)
● Have an incident response plan in place

Zero-Day (0-Day) Exploits

● An attack that exploits a previously unknown security vulnerability.
● It may take advantage of a security vulnerability on the same day that the vulnerability becomes generally known.
● Example: Stuxnet
● Prevention:
  ○ Defense in depth
  ○ Patch
  ○ Keep AV up-to-date

Page 15: Cybrary Security+ Domain 1-2

Impersonation / Masquerading / Replay Attacks

● The act of pretending to be someone or something to gain unauthorized access to a system.
● Capturing network traffic via eavesdropping, then reestablishing a communications session by replaying captured traffic using spoofed authentication credentials.
● Prevention: Token authentication (Kerberos), MFA/TFA, Encryption, Sequenced session identification
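The "sequenced session identification" defence above, as an added example that is not from the slides: each message carries a sequence number and an HMAC over that number and the payload, and the receiver rejects anything whose tag fails or whose sequence number is not higher than the last one accepted. The session key, message format and exchange are constructed for the demo.

```python
import hashlib
import hmac

# Constructed session key shared by both ends (real systems derive one per session).
SESSION_KEY = b"constructed-demo-session-key"


def build_message(seq: int, payload: str) -> dict:
    """Sender side: bind a monotonically increasing sequence number and the
    payload to the session key with an HMAC, so neither can be altered."""
    data = f"{seq}:{payload}".encode()
    tag = hmac.new(SESSION_KEY, data, hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class Receiver:
    """Receiver side: accept a message only if its tag verifies and its
    sequence number is higher than anything already seen in this session."""

    def __init__(self):
        self.last_seq = 0
        self.accepted = []

    def accept(self, msg: dict) -> bool:
        data = f"{msg['seq']}:{msg['payload']}".encode()
        expected = hmac.new(SESSION_KEY, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # forged or tampered message
        if msg["seq"] <= self.last_seq:
            return False  # captured earlier and replayed (or stale)
        self.last_seq = msg["seq"]
        self.accepted.append(msg["payload"])
        return True


def demo() -> list:
    """A legitimate two-message session, then a replay of the first message
    and a copy of the second with its payload altered but the old tag kept."""
    rx = Receiver()
    m1 = build_message(1, "transfer 10")
    m2 = build_message(2, "logout")
    results = [rx.accept(m1), rx.accept(m2), rx.accept(m1)]
    tampered = dict(m2, payload="transfer 1000")
    results.append(rx.accept(tampered))
    return results
```

Sequence numbers alone stop replay within a session; the HMAC is what stops an eavesdropper from simply re-numbering a captured message.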

Driver manipulation

● Driver: a program that controls a device (printers, media, keyboards, etc.)
● Shimming: creating a library, or modifying an existing one, to bypass a driver and perform a function other than the one for which the API was created.
● Refactoring: a set of techniques used to identify the flow and then modify the internal structure of code without changing the code’s visible behavior.

Page 16: Cybrary Security+ Domain 1-2

Cryptographic attacks

See section on Cryptography

● Birthday: an attack on a cryptographic hash that looks for hash collisions – exploiting the 1-to-1 nature of hashing functions.
● Known plain text/cipher text: the attacker attempts to derive a cryptographic key by using pairs of known plain text along with the corresponding cipher text.
● Frequency analysis: looking at the blocks of an encrypted message to determine if any common patterns exist.

Cryptographic attacks

Password attacks:
● Dictionary: systematically entering each word in a dictionary as a password.
● Brute force: systematically attempting all possible combinations of letters, numbers, and symbols. Usually automated.
● Rainbow tables: all of the possible password hashes are computed in advance and those hash values are compared with the password database.
● Pass the hash: an attacker attempts to authenticate to a remote server or service by intercepting password hashes on a network.
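The dictionary, brute-force and rainbow-table attacks above compared against two storage schemes, as an added example that is not part of the slides: a precomputed hash-to-password table finds an unsalted SHA-256 hash instantly, finds nothing against a salted, stretched (PBKDF2) hash, and the attacker is pushed back to hashing every candidate per target. The wordlist, passwords and round count are constructed for the demo.

```python
import hashlib
import os

# Constructed word list standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "s3cret"]
ROUNDS = 2_000  # kept low so the demo runs quickly; production uses far more


def unsalted_hash(password: str) -> str:
    """Legacy scheme: the same password always yields the same hash, so a
    table computed once works against every user and every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_table(words) -> dict:
    """Hash -> password lookup built ahead of time (the rainbow-table idea,
    without the chain compression real tables use to save space)."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """Per-user random salt plus key stretching (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def dictionary_attack(stored_hash: str, words, hash_fn) -> tuple:
    """Dictionary attack: hash each candidate with hash_fn until one matches.
    Returns (password or None, number of hashes computed)."""
    for attempts, word in enumerate(words, 1):
        if hash_fn(word) == stored_hash:
            return word, attempts
    return None, len(words)


def compare_schemes(password: str = "hunter2") -> dict:
    """Same password and same attacker wordlist against both storage schemes."""
    table = precompute_table(WORDLIST)
    salt = os.urandom(16)
    stored_plain = unsalted_hash(password)
    stored_salted = salted_hash(password, salt)
    return {
        # zero hashes at attack time: the work was done when the table was built
        "table_hit_unsalted": table.get(stored_plain),
        # the salt changes every hash, so the precomputed table finds nothing
        "table_hit_salted": table.get(stored_salted),
        # attacker must redo the stretched hashing per target, per candidate
        "dictionary_on_salted": dictionary_attack(
            stored_salted, WORDLIST, lambda w: salted_hash(w, salt)),
    }


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a brute-force attack must try for one password length
    (e.g. 62 alphanumeric characters, length 8)."""
    return alphabet_size ** length
```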

Page 17: Cybrary Security+ Domain 1-2

Sample question

During a breach investigation, you notice that the attacker entered the database through a web front end application by manipulating the database code to exploit a vulnerability. What is the most likely name for this type of attack?

A. SQL parsing
B. Database injection
C. SQL injection
D. Session hijacking

Sample question

Which of the following types of attack is the result of software vulnerabilities and is caused by supplying more data than is expected in an input field?

A. Buffer overflow attack
B. Cross site scripting
C. Denial-of-Service (DoS) attack
D. App overloading

Page 18: Cybrary Security+ Domain 1-2

Sample question

Which form of attack uses special programs that attempt all possible character combinations to determine passwords?

A. brute-force attack
B. dictionary attack
C. password guessing
D. birthday attack


Page 19: Cybrary Security+ Domain 1-2

CompTIA Security+ Domain 1 – Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks
Part 3: Network & Wireless Attacks

Attack Types

● Social engineering: Phishing; Spear phishing; Whaling; Vishing; Tailgating; Impersonation; Dumpster diving; Shoulder surfing
● Application/service attacks: Buffer overflow; Injection; Cross-site scripting; Cross-site request forgery; Privilege escalation; Impersonation/Masquerading; Replay; Driver manipulation (Shimming; Refactoring)
● Cryptographic attacks: Birthday; Known plain text/cipher text; Rainbow tables; Dictionary; Brute force; Pass the hash
● Hijacking and related attacks: Clickjacking; Session hijacking; URL hijacking; Typo squatting; MAC spoofing; IP spoofing
● Network / Wireless Attacks: DoS; DDoS; Man-in-the-middle; Amplification; DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV); Evil twin; Rogue AP; Jamming; Bluejacking

Page 20: Cybrary Security+ Domain 1-2

Hijacking and related attacks

● Clickjacking: tricking a web user into clicking a spoofed button or graphic.
● Session hijacking (Cookie hijacking): exploiting a valid computer session, or session key, to gain unauthorized access to information or services.
● URL hijacking / Typo squatting: the act of registering domains that are similar to those of a known entity but based on a misspelling or typographical error (examples: g00gle.com, gooogle.com).

Network Hijacking Attacks

MAC spoofing: The Media Access Control (MAC) address is a number hard-coded on a network interface controller (NIC). Many drivers allow the MAC address to be changed. MAC spoofing is a technique for changing the factory-assigned MAC address of a network interface on a networked device.

Page 21: Cybrary Security+ Domain 1-2

Network Hijacking Attacks

IP spoofing: a technique used to gain unauthorized access to machines, whereby an attacker illicitly impersonates another machine by manipulating IP packets. IP spoofing involves modifying the packet header with a forged (spoofed) source IP address, a checksum, and the order value.

Network Hijacking Attacks

ARP spoofing: when an attacker sends fake ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of the attacker's MAC address with the IP address of a legitimate computer or server on the network.

Page 22: Cybrary Security+ Domain 1-2

Man-in-the-Middle Attacks

● An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
● The attacker may either observe (confidentiality attack) or alter (integrity attack).

Denial of Service Attacks (DoS)

● Preventing access to resources by users authorized to use those resources; an attack on a system's availability.
● May accomplish:
  ○ Deny access to information, applications, systems, or communications.
  ○ Bring down a website while the communications and systems continue to operate.
  ○ Crash the operating system (a simple reboot may restore the server to normal operation).
  ○ Fill the communications channel of a network and prevent access by authorized users.

Page 23: Cybrary Security+ Domain 1-2

Distributed Denial of Service Attacks (DDoS)

● A DoS attack utilizing multiple compromised computer systems as sources of attack traffic.
● Amplifies the concept of a DoS attack by using multiple computer systems (often through botnets) to conduct the attack against a single organization.

DoS & DDoS – Prevention

● Work with your ISP / network provider
● Border protection / Intrusion Detection & Protection System
● Update network appliances, operating systems and applications
● Keep end users’ systems up-to-date and deploy anti-virus – bot prevention

Page 24: Cybrary Security+ Domain 1-2

Amplification Attacks

● The goal of the attacker is to get a response to their request in a greater than 1:1 ratio, so that the additional bandwidth works to congest and slow down the responding server.
● The ratio achieved is known as the amplification factor, and high numbers are possible with UDP-based protocols such as NTP, CharGen, and DNS.
● Usually employed as part of a DDoS attack.
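The amplification factor above turned into a detection, as an added example that is not from the slides: flow records from a server's UDP services (the NTP, CharGen and DNS ports the slide names) are grouped by client address, and a client receiving repeated responses many times larger than its requests is flagged as the likely spoofed victim of an amplification attack bounced off our server. The flow-record format and the addresses (documentation ranges) are constructed.

```python
from collections import defaultdict

# UDP services the slide names as high-factor amplifiers, keyed by server port.
REFLECTIVE_UDP_PORTS = {19: "CharGen", 53: "DNS", 123: "NTP"}

# Constructed flow records as a collector might export them:
# (server_port, client_ip, request_bytes, response_bytes)
FLOWS = [
    (53, "198.51.100.7", 64, 3200),   # repeated large answers to one address
    (53, "198.51.100.7", 64, 3200),
    (53, "198.51.100.7", 64, 3200),
    (123, "198.51.100.7", 48, 2400),  # single NTP flow, below the count threshold
    (53, "203.0.113.5", 70, 180),     # ordinary lookups from another client
    (443, "203.0.113.9", 900, 700),   # TCP web traffic, not a UDP amplifier
]


def reflector_report(flows, min_factor: float = 10.0, min_count: int = 2) -> dict:
    """Group flows by (service, client) and return {(service, client): factor}
    for pairs whose aggregate response/request byte ratio is at least
    min_factor over at least min_count flows. The ratio is the amplification
    factor the slide describes; the client is the address being flooded."""
    agg = defaultdict(lambda: [0, 0, 0])  # request bytes, response bytes, count
    for port, client, req, resp in flows:
        service = REFLECTIVE_UDP_PORTS.get(port)
        if service is None:
            continue
        entry = agg[(service, client)]
        entry[0] += req
        entry[1] += resp
        entry[2] += 1
    report = {}
    for key, (req, resp, count) in agg.items():
        factor = resp / req if req else float("inf")
        if factor >= min_factor and count >= min_count:
            report[key] = round(factor, 1)
    return report
```

Responding defensively means rate-limiting or disabling the amplifying service for unauthenticated clients (for DNS, refusing open recursion), since the flagged address is a victim rather than the attacker.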

Domain Hijacking / DNS Poisoning / DNS Spoofing

● AKA Resolution Attacks
● Poisoning: when an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or perform a DoS attack.
● Spoofing: when an attacker sends false replies to a requesting system in place of a valid DNS response.
● Protect any internal DNS servers
● Use authoritative DNS sources

Page 25: Cybrary Security+ Domain 1-2

Wireless Attacks

● Evil twin: a rogue wireless access point poses as a legitimate wireless service provider to intercept information that users transmit.
● Rogue AP: any wireless access point added to your network that has not been authorized.
● Initialization Vector (IV): an arbitrary number that can be used along with a secret key for data encryption. This number, also called a nonce, is employed only one time in any session. If the IV is weak, as in WEP, it may be reused.
● Jamming: causing interference with a wireless signal.

PAN Wireless Attacks

● Bluejacking: the sending of unsolicited messages (think spam) over a Bluetooth connection.
● Bluesnarfing:
  ○ The gaining of unauthorized access through a Bluetooth connection
  ○ Intercepting data through a Bluetooth connection

Page 26: Cybrary Security+ Domain 1-2

Sample question

Of the terms below, which one best describes the type of attack that captures portions of a session to play back later to convince a host that it continues to communicate with the original system?

A. IP hijacking
B. Jamming
C. Trojan
D. Replay

Sample question

You have a user call you from a hotel saying there’s an issue with your organization’s web site and that it looks like it’s been compromised. You check it from your work and it appears fine. What is a likely cause associated with the user at the hotel?

A. Logic bomb
B. DNS Poisoning
C. Trojan horse
D. Evil twin

Page 27: Cybrary Security+ Domain 1-2

CompTIA Security+ Domain 1 – Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks
Part 3: Network & Wireless Attacks
