2.0 Threats, Vulnerabilities, and Mitigation Flashcards
(42 cards)
The entity responsible for an event that has an impact on the safety of another entity
– Also called a malicious actor
– Describes characteristics of the attacker
* Useful to categorize the motivation – Why is this attack happening?
– Is this directed or random?
2.0 Threat Actors
External entity
– Government and national security
* Many possible motivations
– Data exfiltration, philosophical, revenge, disruption, war
* Constant attacks, massive resources
– Commonly an Advanced Persistent Threat (APT)
* Highest sophistication
– Military control, utilities, financial control
– United States and Israel destroyed 1,000 nuclear centrifuges with the Stuxnet worm
Nation states
Runs pre-made scripts without any knowledge of what’s really happening
– Anyone can do this
* Motivated by the hunt
– Disruption, data exfiltration, sometimes philosophical
Can be internal or external – But usually external
* Not very sophisticated
– Limited resources, if any
* No formal funding
– Looking for low hanging fruit
Unskilled attackers/Script Kiddie
A hacker with a purpose
– Motivated by philosophy, revenge, disruption, etc.
* Often an external entity
– Could potentially infiltrate to also be an insider threat
* Can be remarkably sophisticated
– Very specific hacks
– DoS, web site defacing, private document release
* Funding may be limited
– Some organizations have fundraising options
Hacktivist
More than just passwords on sticky notes – Motivated by revenge, financial gain
* Extensive resources
– Using the organization’s resources against themselves
* An internal entity
– Eating away from the inside
* Medium level of sophistication
– The insider has institutional knowledge
– Attacks can be directed at vulnerable systems – The insider knows what to hit
Insider threat
Going rogue
– Working around the internal IT organization – Builds their own infrastructure
* Information Technology can put up roadblocks
– Use the cloud
– Might also be able to innovate
* Limited resources – Company budget
* Medium sophistication
– May not have IT training or knowledge
Shadow IT
Professional criminals
– Motivated by money
– Almost always an external entity
* Very sophisticated
– Best hacking money can buy
* Crime that’s organized
– One person hacks, one person manages the exploits, another person sells the data, another handles customer support
* Lots of capital to fund hacking efforts
Organized crime
Client-based
– Infected executable
– Known (or unknown) vulnerabilities – May require constant updates
Agentless
– No installed executable
– Compromised software on the server would affect all users
– Client runs a new instance each time
Vulnerable software vectors
Patching is an important prevention tool – Ongoing security fixes
* Unsupported systems aren’t patched – There may not even be an option
* Outdated operating systems
– Eventually, even the manufacturer won’t help
* A single system could be an entry
– Keep your inventory and records current
Unsupported systems vectors
The network connects everything – Ease of access for the attackers – View all (non-encrypted) data
* Wireless
– Outdated security protocols (WEP, WPA, WPA2) – Open or rogue wireless networks
* Wired
– Unsecure interfaces - No 802.1X
* Bluetooth
– Reconnaissance, implementation vulnerabilities
Unsecure network vectors
Most network-based services connect over a TCP or UDP port
– An “open” port
* Every open port is an opportunity for the attacker – Application vulnerability or misconfiguration
* Every application has its own open port – More services expand the attack surface
* Firewall rules
– Must allow traffic to an open port
Open service ports
Most devices have default usernames and passwords – Change yours!
* The right credentials provide full control – Administrator access
* Very easy to find the defaults for your access point or router – https://www.routerpasswords.com
Default credentials
Tamper with the underlying infrastructure – Or manufacturing process
* Managed service providers (MSPs)
– Access many different customer networks from one location
* Gain access to a network using a vendor – 2013 Target credit card breach
* Suppliers
– Counterfeit networking equipment
– Install backdoors, substandard performance and availability – 2020 - Fake Cisco Catalyst switches
Supply chain vectors
Social engineering with a touch of spoofing – Often delivered by email, text, etc.
– Very remarkable when well done
* Don’t be fooled – Check the URL
* Usually there’s something not quite right – Spelling, fonts, graphics
Phishing
We trust email sources
– The attackers take advantage of this trust
* Spoofed email addresses
– Not really a legitimate email address – professor@professormessor.com
* Financial fraud
– Sends emails with updated bank information – Modify wire transfer details
* The recipient clicks the links
– The attachments have malware
Business email compromise
How are they so successful?
– Digital sleight of hand - It fools the best of us
* Typosquatting
– A type of URL hijacking - https://professormessor.com
* Pretexting - Lying to get information
– Attacker is a character in a situation they create
– Hi, we’re calling from Visa regarding an automated payment to your utility service…
Tricks and misdirection
Vishing (Voice phishing) is done over the phone or voicemail – Caller ID spoofing is common
– Fake security checks or bank updates
* Smishing (SMS phishing) is done by text message – Spoofing is a problem here as well
– Forwards links or asks for personal information
* Variations on a theme
– The fake check scam, phone verification code scam
– Boss/CEO scam, advance-fee scam
– Some great summaries on https://reddit.com/r/Scams
© 2023 Messer Studios, LLC
Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 20
Phishing with different bait
Before the attack, the trap is set - There’s an actor and a story
* “Hello sir, my name is Wendy and I’m from Microsoft Windows. This is an urgent check up call for your computer as we have found several problems with it.”
* Voice mail: “This is an enforcement action executed by the US Treasury intending your serious attention.”
* “Congratulations on your excellent payment history! You now qualify for 0% interest rates on all of your credit card accounts.”
The pretext
Attackers pretend to be someone they aren’t – Halloween for the fraudsters
* Use some of those details from reconnaissance – You can trust me, I’m with your help desk
* Attack the victim as someone higher in rank – Office of the Vice President for Scamming
* Throw tons of technical details around
– Catastrophic feedback due to the depolarization of the differential magnetometer
* Be a buddy - How about those Cubs?
Impersonation
Extracting information from the victim
– The victim doesn’t even realize this is happening – Hacking the human
* Often seen with vishing (Voice Phishing)
– Can be easier to get this information over the phone
* These are well-documented psychological techniques – They can’t just ask, “So, what’s your password?”
Eliciting information
Your identity can be used by others
– Keep your personal information safe!
* Credit card fraud
– Open an account in your name, or use your credit card information
* Bank fraud
– Attacker gains access to your account or opens a new account
* Loan fraud
– Your information is used for a loan or lease
* Government benefits fraud
– Attacker obtains benefits on your behalf
Identity fraud
Never volunteer information – My password is 12345
* Don’t disclose personal details – The bad guys are tricky
* Always verify before revealing info
– Call back, verify through 3rd parties
* Verification should be encouraged
– Especially if your organization owns valuable information
Protect against impersonation
Determine which website the victim group uses – Educated guess - Local coffee or sandwich shop – Industry-related sites
* Infect one of these third-party sites – Site vulnerability
– Email attachments
* Infect all visitors
– But you’re just looking for specific victims – Now you’re in!
Watering Hole Attack
Disseminate factually incorrect information – Create confusion and division
* Influence campaigns
– Sway public opinion on political and social issues
* Nation-state actors
– Divide, distract, and persuade
* Advertising is an option
– Buy a voice for your opinion
* Enabled through social media
– Creating, sharing, liking, amplifying
Misinformation/disinformation