Module 2: Cybersecurity Threats, Vulnerabilities, and Attacks
A threat domain is considered to be an area of control, authority, or protection that attackers can exploit to gain access to a system.
Cyber threats can be classified into different categories.
- Software attacks: DoS, computer virus
- Software errors: bug, an application going offline, cross-site script or illegal file server share
- Sabotage: authorized user successfully penetrating and compromising and org's primary db, defacement of an org's web
- Human error: inadvertent data entry errors, firewall misconfiguration
- Theft: laptops or equipment being stolen from and unlocked room
- Hardware failures: hard drive crashes
- Utility interruption: electrical power outages, water damage resulting from sprinkler failure
- Natural disasters: severe storms (hurricanes, torandos), earthquakes, floods, fires
Internal threats: usually carried out by current or former employees and other contract partners who accidentally or intentionally mishandle confidential data or threaten the operations of servers or network infrastructure devices by connecting infected media or by accessing malicious emails or websites.
External threats: typically stems from amateur or skilled attackers who can exploit vulnerabilities in networked devices or can use social engineering techniques, such as trickery, to gain access to an organization's internal resources
A user domain includes anyone with access to an organization's information system, including employees, customers, and contract partners. Users are often considered the weakest link in information security systems, posing a significant threat to the confidentiality, integrity, and availability of an organization's data.
Always keep in mind that there are no technical solutions, controls, or countermeasures that will make information systems any more secure than the behaviors and processes of the people who use these systems.
Because users can access an organization's systems, applications, and data from the LAN domain, it is critical that it has strong security and stringent access controls. Examples of threats to the LAN include:
The private cloud domain includes any private servers, resources, and IT infrastructure available to members of a single organization via the internet. While many organizations feel that their data is safer in a private cloud, the domain still poses significant security threats, including:
Where a private cloud domain hosts computing resources for a single organization, the public cloud domain is the entirety of computing services hosted by a cloud service or internet provider that are available to the public or shared across organizations.
The application domain includes all of the critical systems, applications, and data used by an organization to support operations. Increasingly, organizations are moving applications such as email, security monitoring, and database management to the public cloud. Common threats to applications include:
- Someone gaining unauthorized access to data centers, computer rooms, wiring closets or systems.
- Server downtime during maintenance periods.
- Network operating system software vulnerabilities.
- Data loss.
- Client-server or web application development vulnerabilities.
An advanced persistent threat (APT) is a continuos attack that uses elaborate espionage tactics involving multiple actors and/or sophisticated malware to gain access to the target's network. Attackers remain undetected for a long period of time, with potentially devastating consequences. APTs typically target governments and high-level organizations and are usually well-orchestrated and well-funded.
As the name suggests, algorithm attacks take advantage or algorithms in a piece of legitimate software to generate unintended behaviors. For example, algorithms used to track and report how much energy a computer consumes can be used to select targets or trigger false alerts. They can also disable a computer by forcing it to use up all its RAM or by overworking its CPU.
Backdoor programs are used by cybercriminals to gain unauthorized access to systems by bypassing the normal authentication procedures. Cybercriminals typically have authorized users unknowingly run a remote administrative tool program (RAT) on their computer that installs a backdoor. The backdoor gives the criminal administrative control over a target computer. Backdoors grant cybercriminals continued access to a system, even if the organization has fixed the original vulnerability used to attack the system.
Rootkit malware is designed to modify the OS to create a backdoor that attackers can then use to access the computer remotely. Most rootkits take advantage of software vulnerabilities to gain access to resources that normally shouldn't be accessible (privilege escalation) and modify system files. Rootkits can also modify system forensics and monitoring tools, making them very hard to detect. In most cases, a computer infected by a rootkit has to be wiped and any required software reinstalled.
The US Computer Emergency Readiness Team (US-CERT) and the US Department of Homeland Security sponsor a database of common vulnerabilities and exposures (CVE). These CVEs have been widely adopted as a way to describe and reference known vulnerabilities. Each CVE contains a standard identifier number, a brief description of the security vulnerability, and any important references to related vulnerability reports. The CVE list is maintained by a non-for-profit, the MITRE Corporation, on its public website.
Indicator of Compromise (IOC): IOCs such as malware signatures or malicious domain names provide evidence of security breaches and details about them.
Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of cybersecurity threat indicators using a standardized and structured language. Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) are standards used in AIS.
---
- Pretexting: This type of attack occurs when an individual lies to gain access to privileged data.
- Something for something (quid pro quo): Involves a request for personal information in exchange for something, like a gift.
- Identity fraud: This is the use of a person's stolen identity to obtain goods or services by deception.
Other attacks: shoulder surfing, dumpster diving, impersonation, hoax, piggybacking/tailgating, invoice scam, watering hole attack (describes an exploit in which an attacker observes or guesses what websites an organization uses most often and infects one or more of them with malware), typo squatting (cuando por error pones facebool.com en lugar de facebook.com y te lleva a una pagina igual donde metes tus datos de login...), prepending (attackers can remove the ‘external’ email tag used by organizations to warn the recipient that an email has originated from an external source), influence campaigns.
---
Malware is any code that can be used to steal data, bypass access controls, or cause harm to or compromise a system. 3 of the most common types of malware: viruses, worms and trojan horses.
- Virus: When executed, replicates and attaches itself to other files, inserting its own code into the file. Viruses can be spread through removable media such as USB flash drives, internet downloads, and email attachments. Viruses mutate to avoid detection.
- Worms: Replicates by independently exploiting vulnerabilities in networks. Unlike a virus, worms can run by themselves.
- Trojan horse: Exploits the privileges of the user who runs them, do not self-replicate.
A logic bomb is a malicious program that waits for a trigger, such as a specified date or database entry, to set off malicious code. Until this trigger event happens, the logic bomb will remain active. Once activated, a logic bomb implements malicious code that causes harm to a computer in various ways. It can sabotage db records, erase files, and attack OS or applications. Cybersecurity specialist have recently discovered logic bombs that attack and destroy the hardware components in a device or server, including cooling fans, CPU, memory, HDD, and PSU. The logic bomb overdrives these components until they overheat or fail.
Ransomware, DoS
DNS attacks
- Domain reputation: An organization needs to monitor its domain reputation, including its IP address, to help protect against malicious external domains. Domain reputation is used to classify emails as spam or potential security threats.
- DNS spoofing/DNS cache poisoning: An attack in which false data is introduced into a DNS resolver cache.
- Domain hijacking: When an attacker wrongfully gains control of a target's DNS information, they can make unauthorized changes to it. This is known as domain hijacking. The most common way of hijacking a domain name is to change the administrator's contact email address through social engineering or by hacking into the administrator's email account.
- URL redirection
L2 attacks
Spoofing, or poisoning, is a type of impersonation attack that takes advantage of a trusted relationship between two systems:
- MAC address spoofing occurs when an attacker disguises their device as a valid one on the network and can therefore bypass the authentication process.
- ARP spoofing sends spoofed ARP messages across a LAN. This links an attacker's MAC address to the IP address of an authorized device on the network.
- IP spoofing sends IP packets from a spoofed source address in order to disguise the packet origin.
MAC flooding compromises the data transmitted to a device. An attacker floods the network with fake MAC addresses, compromising the security of the network switch.
Man-in-the-Middle (MITM) aka on-path attack, happens when a cybercriminal takes control of an intermediate device without the user's knowledge. With this level of access, an attacker can intercept, manipulate, and relay false information between the sender and the intended destination.
Man-in-the-Mobile (MITMO) is a variation of MITM used to take control over a user's mobile device. When infected, the mobile device is instructed to exfiltrate user-sensitive information and send it to the attackers.
---
WIRELESS AND MOBILE DEVICE ATTACKS
Grayware is any unwanted app that behaves in an annoying or undesirable manner. And while grayware may not carry any recognizable malware, it may still pose a risk to the user by, for example, tracking your location or delivering unwanted advertising. Authors of grayware typically maintain legitimacy by including these ‘gray’ capabilities in the small print of the software license agreement. This factor poses a growing threat to mobile security in particular, as many smartphone users install mobile apps without really considering this small print.
SMiShing is another tactic used by attackers to trick you. Fake text messages prompt you to visit a malicious website or call a fraudulent phone number, which may result in malware being downloaded onto your device or personal information being shared.
A rogue AP is a wireless AP installed on a secure network without explicit authorization. Although it could potentially be set up by a well-intentiones employee looking for a better wireless connection, it also presents an opportunity for attackers looking to gain access to an organization's network. An attacker will often use social engineering tactics to gain physical access to an organization’s network infrastructure and install the rogue access point. Also known as a criminal’s access point, the access point can be set up as a MitM device to capture your login information. This works by disconnecting the rogue access point, which triggers the network to send a deauthentication frame to disassociate the access point. This process is then exploited by spoofing your MAC address and sending a deauthentication data transmission to the wireless access point.
An evil twin attack describes a situation where the attacker’s access point is set up to look like a better connection option. Once you connect to the evil access point, the attacker can analyze your network traffic and execute MitM attacks.
Wireless signals are susceptible to electromagnetic interference (EMI), radio frequency interference (RFI), and even lightning strikes or noise from fluorescent lights. Attackers can take advantage of this fact by deliberately jamming the transmission of a radio or satellite station to prevent a wireless signal from reaching the receiving station. In order to successfully jam the signal, the frequency, modulation and power of the RF jammer needs to be equal to that of the device that the attacker is seeking to disrupt.
Due to the limited range of Bluetooth, an attacker must be within range of their target:
- Bluejacking uses Bluetooth technology to send unauthorized messages or shocking images to another Bluetooth device.
- Bluesnarfing occurs when an attacker copies information, such as emails and contact lists, from a target's device using a Bluetooth connection.
----
APPLICATION ATTACKS
Cross-Site Scripting
Attacks carried out through web apps are becoming increasingly common. Threat actors exploit vulnerabilities in the coding of a web-based app to gain access to a database or server. XSS is a common threat to many web apps. This is how it works:
- Cybercriminals exploit the XSS vulnerability in injecting scripts containing malicious code into a web page.
- The web page is accessed by the victim, and the malicious scripts unknowingly pass to their browser.
- The malicious script can access cookies, session tokens, or other sensitive information about the user, which is sent back to the cybercriminal.
- Armed with this information, the cybercriminal can impersonate the user.
Code Injection
Most modern websites use a database, such as SQL or an XML database, to store and manage data. Injection attacks seek to exploit weaknesses in these databases.
- XML injection attack: Can corrupt the data on the XML database and threaten the security of the website. It works by interfering with an application's processing of XML data or query entered by a user. Cybercriminals can manipulate this query by programming it to suit their needs. This will grant them access to all of the sensitive information stored on the database and allows them to make any number of changes to the website.
- SQL injection attack: Cybercriminals can carry out an SQL injection attack on websites or any SQL database by inserting a malicious SQL statement in an entry field. This attack takes advantage of a vulnerability in which the app does not correctly filter the data entered by a user for characters in an SQL statement. As a result, the cybercriminal can gain unauthorized access to information stored on the database, from which they can spoof an identity, modify existing data, destroy data or even become an administrator of the database server itself.
- DLL injection attack: A dynamic link library (DLL) file is a library that contains a set of code and data for carrying out a particular activity in Windows. Applications use this type of file to add functionality that is not built-in, when they need to carry out this activity. DLL injections allows a cybercriminal to trick an application into calling a malicious DLL file, which executes as part of the target process.
- LDAP injection attack: This exploits input validation vulnerabilities by injecting and executing queries to LDAP servers, giving cybercriminals an opportunity to extract sensitive information from an organization's LDAP directory.
Buffer overflow
Buffers are memory areas allocated to an application. A buffer overflow occurs when data is written beyond the limits of a buffer. By changing data beyond the boundaries of a buffer, the application can access memory allocated to other processes. This can lead to a system crash or data compromise, or provide escalation of privileges.
These memory flaws can also give attackers complete control over a target’s device. For example, an attacker can change the instructions of a vulnerable application while the program is loading in memory and, as a result, can install malware and access the internal network from the infected device.
---
Every piece of information that an attacker receives about a targeted system or application can be used as a valuable weapon for launching a dangerous attack.
Cross-site request forgery (CSRF)
CSRF describes the malicious exploit of a website where unauthorized commands are submitted from a user's browser to a trusted web application. A malicious website can transmit such commands through specially-crafted image tags, hidden forms or JS requests - all of which can work without the user's knowledge.
Race condition attack
Aka a time of check (TOC) or a time of use (TOU) attack, a race condition attack happens when a computing system that is designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously. For example, operating systems are made up of threads — the smallest sequence of program instructions required to carry out a process. When two or more threads access shared data and try to change it at the exact same time, a race condition attack occurs.
Improper input handling attack
Data inputted by a user that is not properly validated can affect the data flow of a program and cause critical vulnerabilities in systems and applications that result in buffer overflow or SQL injection attacks.
Error handling attack
Attackers can use error messages to extract specific information such as the hostnames of internal systems and directories or files that exist on a given web server — as well as database, table and field names that can be used to craft SQL injection attacks.
API attack
An API delivers a user response to a system and sends the system’s response back to the user. An API attack occurs when a cybercriminal abuses an API endpoint.
Replay attack
This describes a situation where a valid data transmission is maliciously or fraudulently repeated or delayed by an attacker, who intercepts, amends and resubmits the data to get the receiver to do whatever they want.
Directory traversal attack
Directory traversal occurs when an attacker is able to read files on the webserver outside of the directory of the website. An attacker can then use this information to download server configuration files containing sensitive information, potentially expose more server vulnerabilities or even take control of the server.
Resource exhaustion attacks
These attacks are computer security exploits that crash, hang or otherwise interfere with a targeted program or system. Rather than overwhelming network bandwidth like a DoS attack, resource exhaustion attacks overwhelm the hardware resources available on the target’s server instead.
---
Spear phishing is a highly targeted attack which sends customized emails to a specific person based on information the attacker knows about them, which could be their interests, preferences, activities, or work projects. For example, a cybercriminal discovers through their research that you are looking to buy a specific model of car. The cybercriminal joins a car discussion forum you are a member of, forges a car sale offering and sends you an email that contains a link to see pictures of the car. When you click on the link, you unknowingly install malware on your device.
Vishing (voice phishing) uses voice communication technology to encourage users to divulge information, such as their credit card details. Criminals can spoof phone calls using VoIP or leave recorded messages to five the impression that they are legitimate callers.
Pharming misdirects users to a fake version of an official website.
Whaling is a phishing attacks that targets high profile individuals, such as senior executives within an organization, politicians and celebrities.