Book - 1 Flashcards
(141 cards)
1
Q
Understand viruses.
A
Viruses are programs that are designed to spread from one system to another through self-replication and to perform any of a wide range of malicious activities.
Chapter 1.1
2
Q
Understand crypto-malware.
A
Crypto-malware is any form of malware that uses cryptography as a weapon or a defense.
Chapter 1.1
3
Q
Understand ransomware.
A
Ransomware is a form of malware that aims to take over a computer system in order to block its use while demanding payment.
Chapter 1.1
4
Q
Understand worms.
A
Worms are designed to exploit a single flaw in a system (operating system, protocol, service, or application) and then use that flaw to replicate themselves to other systems with the same flaw.
Chapter 1.1
5
Q
Understand Trojan horses.
A
A Trojan horse is a form of malicious software that is disguised as something useful or legitimate.
Chapter 1.1
6
Q
Understand rootkits.
A
A rootkit is a type of malicious code that fools the OS into thinking that active processes and files don’t exist. Rootkits render a compromised system completely untrustworthy.
Chapter 1.1
7
Q
Understand keyloggers.
A
A keylogger is a form of malware that records the keystrokes typed into a system’s keyboard.
Chapter 1.1
8
Q
Understand spyware and adware.
A
Spyware gathers information about users and may employ that information to customize advertisements or steal identities. Adware gathers information about users and uses it to direct advertisements to the user. Both spyware and adware are usually unwanted software that gathers information without authorization.
Chapter 1.1
9
Q
Understand botnets.
A
A botnet is a network of robots or malicious software agents controlled by a hacker in order to launch massive attacks against targets.
Chapter 1.1
10
Q
Understand a RAT.
A
A remote-access Trojan (RAT) is a form of malicious code that grants an attacker some level of remote-control access to a compromised system.
Chapter 1.1
11
Q
Understand logic bombs.
A
A logic bomb is a form of malicious code that remains dormant until a triggering event occurs. The triggering event can be a specific time and date, the launching of a specific program, or the accessing of a specific URL.
Chapter 1.1
12
Q
Understand backdoor attacks.
A
There are two types of backdoor attacks: a developer-installed access method that bypasses any and all security restrictions, or a hacker-installed remote-access client.
Chapter 1.1
13
Q
Understand malicious code countermeasures.
A
The best countermeasure to viruses and other malicious code is an antivirus scanner that is updated regularly and that monitors all local storage devices, memory, and communication pathways for malicious activity. Other countermeasures include avoiding downloading software from the Internet, not opening email attachments, and avoiding the use of removable media from other environments.
Chapter 1.1
14
Q
Understand social engineering.
A
Social engineeringis a form of attack that exploits human nature and human behavior. Social engineering attacks take two primary forms: convincing someone to perform an unauthorized operation or convincing them to reveal confidential information.
Chapter 1.2
15
Q
Understand phishing.
A
Phishing is the process of attempting to obtain sensitive information such as usernames, passwords, credit card details, or other personally identifiable information (PII) by masquerading as a trustworthy entity (a bank, a service provider, or a merchant, for example) in electronic communication (usually email).
Chapter 1.2
16
Q
Understand spear phishing.
A
Spear phishingis a more targeted form of phishing where the message is crafted and directed specifically to an individual or group of individuals. The hope of the attack is that someone who already has an online/digital relationship with an organization is more likely to fall for the false communication.
Chapter 1.2
17
Q
Understand whaling.
A
Whalingis a form of phishing that targets specific high-value individuals.
Chapter 1.2
18
Q
Understand vishing.
A
Vishing is phishing done over VoIP services.
Chapter 1.2
19
Q
Understand tailgating and piggybacking.
A
Tailgatingoccurs when an unauthorized entity gains access to a facility under the authorization of a valid worker but without their knowledge.Piggybackingoccurs when an unauthorized entity gains access to a facility under the authorization of a valid worker but with their knowledge and consent.
Chapter 1.2
20
Q
Understand impersonation.
A
Impersonationis the act of taking on the identity of someone else. The purpose of impersonation is to trick someone into believing you’re the claimed identity so you can use the power or authority of that identity. Impersonation is also known as masquerading or spoofing.
Chapter 1.2
21
Q
Understand dumpster diving.
A
Dumpster diving is the act of digging through trash in order to obtain information about a target organization or individual. It can provide an attacker with information that could make social engineering attacks easier or more effective.
Chapter 1.2
22
Q
Understand shoulder surfing.
A
Shoulder surfing occurs when someone is able to watch your keyboard or view your display. This may allow them to learn your password or see information that is confidential, private, or simply not for their eyes.
Chapter 1.2
23
Q
Understand hoaxes.
A
A hoax is a form of social engineering designed to convince targets to perform an action that will cause problems or reduce their IT security. A hoax is often an email that proclaims some imminent threat is spreading across the Internet and that you must perform certain tasks in order to protect yourself.
Chapter 1.2
24
Q
Understand watering hole attacks.
A
A watering hole attack is a form of targeted attack against a region, a group, or an organization. It’s waged by poisoning a commonly accessed resource.
Chapter 1.2
25
Understand principles of social engineering.
Many techniques are involved in social engineering attacks. These often involve one or more common principles such as authority, intimidation, consensus/social proof, scarcity, familiarity/liking, trust, and urgency.
Chapter 1.2
26
Understand arbitrary code execution.
Arbitrary code execution is the ability to run any software on a target system.
Chapter 1.2
27
Understand DoS.
Denial of service (DoS) is a form of attack that has the primary goal of preventing the victimized system from performing legitimate activity or responding to legitimate traffic. One form exploits a weakness, an error, or a standard feature of software to cause a system to hang, freeze, consume all system resources, and so on. The end result is that the victimized computer is unable to process any legitimate tasks. Another form floods the victim’s communication pipeline with garbage network traffic. The end result is that the victimized computer is unable to send or receive legitimate network communications.
Chapter 1.2
28
Understand a Smurf attack.
This form of DRDoS uses ICMP echo reply packets (ping packets).
Added: Usually initiated through a botnet which sends pings from a forged source address (the victim's address) to a third party. The third party sends echo replies, overwhelming the victim.
Chapter 1.2
29
Understand Xmas attacks.
The Xmas attack is actually an Xmas scan. It’s a form of port scanning that can be performed by a wide number of common port scanners, including Nmap, Xprobe, and hping2. The Xmas scan sends a TCP packet to a target port with the flags URG, PSH, and FIN all turned on.
Chapter 1.2
30
Understand DDoS.
Distributed denial-of-service (DDoS) employs an amplification or bounce network that is an unwilling or unknowing participant that is unfortunately able to receive broadcast messages and create message responses, echoes, or bounces. In effect, the attacker sends spoofed message packets to the amplification network’s broadcast address.
Chapter 1.2
31
Understand man-in-the-middle attacks.
A man-in-the-middle attack is a form of communications eavesdropping attack. Attackers position themselves in the communication stream between a client and server (or any two communicating entities). The client and server believe they’re communicating directly with each other.
Chapter 1.2
32
Understand buffer overflows.
Buffer overflows occur due to a lack of secure defensive programming. The exploitation of a buffer overflow can result in a system crash or arbitrary code execution. A buffer overflow occurs when a program receives input that is larger than it was designed to accept or process. The extra data received by the program is shunted over to the CPU without any security restrictions; it’s then allowed to execute. Results of buffer overflows can include crashing a program, freezing or crashing the system, opening a port, disabling a service, creating a user account, elevating the privileges of an existing user account, accessing a website, or executing a utility.
Chapter 1.2
33
Understand injection attacks.
An injection attack is any exploitation that allows an attacker to submit code to a target system in order to modify its operations and/or poison and corrupt its data set. Examples include SQL injection, LDAP injection, XML injection, command injection, HTML injection, code injection, and file injection.
Chapter 1.2
34
Understand SQL injection.
SQL injection attacks allow a malicious individual to perform SQL transactions directly against the underlying database through a website front end.
Chapter 1.2
35
Understand directory traversal.
A directory traversal is an attack that enables an attacker to jump out of the web root directory structure and into any other part of the filesystem hosted by the web server’s host OS.
Chapter 1.2
36
Understand cross-site scripting.
Cross-site scripting (XSS) is a form of malicious code injection attack in which an attacker is able to compromise a web server and inject their own malicious code into the content sent to other visitors.
Chapter 1.2
37
Understand cross-site scripting (XSS) prevention.
The most effective ways to prevent XSS on a resource host are implemented by the programmer by validating input, coding defensively, escaping metacharacters, and rejecting all script-like input.
Chapter 1.2
38
Understand cross-site request forgery (XSRF).
Cross-site request forgery (XSRF) is an attack focused on the visiting user’s web browser more than on the website being visited. The main purpose of XSRF is to trick the user or the user’s browser into performing actions they had not intended or would not have authorized.
Chapter 1.2
39
Understand cross-site request forgery (XSRF) prevention.
XSRF prevention measures include adding a randomization string (called a nonce) to each URL request and session establishment and checking the client HTTP request header referrer for spoofing.
Chapter 1.2
40
Understand privilege escalation.
Privilege escalation occurs when a user account is able to obtain unauthorized access to higher levels of privileges, such as a normal user account that can perform administrative functions. Privilege escalation can occur through the use of a hacker tool or when an environment is incorrectly configured.
Chapter 1.2
41
Understand ARP poisoning.
ARP poisoning is the act of falsifying the IP-to-MAC address resolution system employed by TCP/IP.
Chapter 1.2
42
Understand amplification.
An amplification attack is one where the amount of work or traffic generated by an attacker is multiplied in order to cause a significant volume of traffic to be delivered to the primary victim. An amplification attack can also be known as a reflective or bound attack.
Added: The attacker selects requests that have large responses. The attacker can then send small requests over his network that generate large replies resulting in DDoS attack. Smurf attack is an example of an amplification attack.
Chapter 1.2
43
Understand DNS poisoning.
DNS poisoning is the act of falsifying the DNS information used by a client to reach a desired system. This can be accomplished by deploying a rogue DNS server (also known as DNS spoofing and DNS pharming), using DNS poisoning, altering the HOSTS file, corrupting IP configuration, and using proxy falsification.
Chapter 1.2
44
Understand pharming.
Pharming is the malicious redirection of a valid website’s URL or IP address to a fake website that hosts a false version of the original valid site.
Chapter 1.2
45
Understand domain hijacking.
Domain hijacking or domain theft is the malicious action of changing the registration of a domain name without the authorization of the valid owner. This may be accomplished by stealing the owner’s logon credentials, using XSRF, hijacking sessions, using MitM, or exploiting a flaw in the domain registrar’s systems.
Chapter 1.2
46
Understand man-in-the-browser.
The man-in-the-browser (MitB, MiTB, MiB, MIB) attack is effectively a MitM attack. The only real distinction is that the middle-man malware is operating on the victim’s system, where it is able to intercept and manipulate communications immediately after they leave the browser and before they exit the network interface.
Chapter 1.2
47
Understand zero day.
Zero-day attacks are newly discovered attacks for which there is no specific defense. A zero-day exploit aims at exploiting flaws or vulnerabilities in targeted systems that are unknown or undisclosed to the world in general. Zero day also implies that a direct or specific defense to the attack does not yet exist; thus most systems with the targeted vulnerable asset are at risk.
Chapter 1.2
48
Understand a replay attack.
In a replay attack, an attacker captures network traffic and then replays the captured traffic in an attempt to gain unauthorized access to a system.
Chapter 1.2
49
Understand pass the hash.
Pass the hash is an authentication attack that potentially can be used to gain access as an authorized user without actually knowing or possessing the plain text of the victim’s credentials. This attack is mostly aimed at Windows systems.
Chapter 1.2
50
Understand hijacking attacks.
Hijacking attacks are those where an attacker takes over control of a session from a valid user. Some forms of hijacking disconnect the client, whereas others grant the attacker a parallel connection into the system or service.
Chapter 1.2
51
Understand clickjacking.
Clickjacking is a web page–based attack that causes a user to click on something other than what the user intended to click. This is often accomplished by using hidden or invisible layovers, frame sets, or image maps.
Chapter 1.2
52
Understand session hijacking.
TCP/IP hijacking, orsession hijacking, is a form of attack in which the attacker takes over an existing communication session. The attacker can assume the role of the client or the server, depending on the purpose of the attack.
Chapter 1.2
53
Understand typo squatting/URL hijacking.
Typo squatting, or URL hijacking, is a practice employed to capture traffic when a user mistypes the domain name or IP address of an intended resource.
Chapter 1.2
54
Understand cookies.
A cookie is a tracking mechanism developed for web servers to monitor and respond to a user’s serial viewing of multiple web pages. It may allow identity theft.
Chapter 1.2
55
Understand driver manipulation.
Driver manipulation occurs when a malicious programmer crafts a system or device driver so that it behaves differently based on certain conditions.
Chapter 1.2
56
Understand shimming.
Shimming is a means of injecting alternate or compensation code into a system in order to alter its operations without changing the original or existing code.
Chapter 1.2
57
Understand refactoring.
Refactoring is a restricting or reorganizing of software code without changing its externally perceived behavior or produced results. Refactoring focuses on improving software’s nonfunctional elements, such as quality attributes, non-behavioral requirements, service requirements, and constraints.
Chapter 1.2
58
Understand spoofing.
Spoofing is the act of falsifying data. Usually the falsification involves changing the source addresses of network packets. Because the source address is changed, victims are unable to locate the true attackers or initiators of a communication. Also, by spoofing the source address, attackers redirect responses, replies, and echoes of packets to some other system.
Chapter 1.2
59
Understand MAC spoofing.
MAC spoofing is used to impersonate another system, often a valid or authorized network device in order to bypass port security or MAC filtering limitations.
Chapter 1.2
60
Understand IP spoofing.
There are three main types of IP spoofing: crafting IP packets for an attack but setting the source IP address to that of an innocent, uninvolved third party; via DoS, disconnecting the owner/user of an IP address, then temporary taking on that IP address on the attack system; or using an IP address from the subnet that is not currently assigned to a valid authorized system.
Chapter 1.2
61
Understand war driving.
War driving is the act of using a detection tool to look for wireless networking signals. Often, war driving is the process of someone looking for a wireless network they aren’t authorized to access.
Chapter 1.2
62
Understand wireless replay attacks.
Wireless replay attacks may focus on initial authentication abuse. They may be used to simulate numerous new clients or cause a DoS.
Chapter 1.2
63
Understand initialization vector (IV).
IV is a mathematical and cryptographic term for a random number. Most modern crypto functions use IVs in order to increase their security by reducing predictability and repeatability.
Chapter 1.2
64
Understand evil twin attacks.
During an evil twin attack, a hacker configures their system as a twin of a valid wireless access point. Victims are tricked into connecting to the fake twin instead of the valid original wireless network.
Chapter 1.2
65
Understand rogue access points.
A rogue WAP may be planted by an employee for convenience or it may be operated externally by an attacker. Rogue wireless access points should be discovered and removed in order to eliminate an unregulated access path into your otherwise secured network.
Chapter 1.2
66
Understand jamming.
Jamming is the transmission of radio signals to prevent reliable communications by decreasing the effective signal-to-noise ratio.
Chapter 1.2
67
Understand WPS attacks.
WPS is a security standard for wireless networks that was found to be flawed. The standard called for a code that could be sent to the base station remotely in order to trigger WPS negotiation. This led to a brute force guessing attack that could enable a hacker to guess the WPS code in just hours.
Chapter 1.2
68
Understand bluejacking.
Bluejacking is the sending of messages to Bluetooth-capable devices without the permission of the owner/user. Just about any Bluetooth-enabled device, such as a smartphone or notebook computer, can receive a bluejacked message.
Chapter 1.2
69
Understand bluesnarfing.
Bluesnarfing is the unauthorized accessing of data via a Bluetooth connection. Successful bluesnarfing attacks against smartphones and notebooks have been able to extract calendars, contact lists, text messages, emails, pictures, videos, and more.
Chapter 1.2
70
Understand RFID.
RFID (radio frequency identification) is a tracking technology based on the ability to power a radio transmitter using current generated in an antenna when placed in a magnetic field. RFID can be triggered/powered and read from up to hundreds of meters away.
Chapter 1.2
71
Understand NFC.
Near field communication (NFC) is a standard to establish radio communications between devices in close proximity. It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other.
Chapter 1.2
72
Understand disassociation.
Disassociation is one of the many types of wireless management frames. A disassociation can be used in several forms of wireless attacks, including discovering hidden SSIDs, causing a DoS, hijacking sessions, and using MitM.
Chapter 1.2
73
Understand password attacks.
The strength of a password is generally measured in the amount of time and effort involved in breaking the password through various forms of cryptographic attacks. These attacks are collectively known as password cracking or password guessing. Forms of password attacks include brute force (also known as a birthday attack), dictionary, hybrid, and rainbow tables.
Chapter 1.2
74
Understand password guessing.
Password guessing is an attack aimed at discovering the passwords employed by user accounts. It’s often called password cracking. There are two primary categories of password-guessing tools based on the method used to select possible passwords for a direct logon prompt or birthday attack procedure: brute force and dictionary.
Chapter 1.2
75
Understand password crackers.
A password cracker is a tool used to reverse-engineer the secured storage of passwords in order to gain (or regain) access to an unknown or forgotten password. There are four well-known types of password-cracking techniques: dictionary, brute force, hybrid, and precomputed hash.
Chapter 1.2
76
Understand birthday attacks.
The birthday attack exploits a mathematical property that if the same mathematical function is performed on two values and the result is the same, then the original values are the same. This concept is often represented with the syntax f(M)=f(M') therefore M=M'.
Chapter 1.2
77
Understand known plain text and known cipher text attacks.
The cryptographic attacks of known plain text and known cipher text are focused on encryption systems that use the same key repeatedly or that select keys in a sequential or otherwise predictable manner. The goal is to discover the key or a key of the series, and then use that key to determine other keys and thus be able to decrypt most or all of the data protected by the flawed encryption system.
Chapter 1.2
78
Understand rainbow tables.
Rainbow tables take advantage of a concept known as a hash chain. It offers relatively fast password cracking, but at the expense of spending the time and effort beforehand to craft the rainbow table hash chain database.
Chapter 1.2
79
Understand dictionary attacks.
A dictionary attack performs password guessing by using a preexisting list of possible passwords.
Chapter 1.2
80
Understand brute-force attacks.
A brute force attack is designed to try every valid combination of characters to construct possible passwords, starting with single characters and adding characters as it churns through the process, in an attempt to discover the specific passwords used by user accounts.
Chapter 1.2
81
Understand online vs. offline password cracking.
An online password attack occurs against a live logon prompt. An offline attack is one where the attacker is not working against a live target system, but instead is working on their own independent computers to compromise a password hash.
Chapter 1.2
82
Understand collision.
A collision is when the output of two cryptography operations produces the same result. Collisions occur in relation to encryption operations as well as hashing operations.
Chapter 1.2
83
Understand a downgrade attack.
A downgrade attack attempts to prevent a client from successfully negotiating robust high-grade encryption with a server. This attack may be performed using a real-time traffic manipulation technique or through a man-in-the-middle attack (a false proxy) in order to forcibly downgrade the attempted negotiation to a lower quality level of algorithms and key exchange/generation.
Chapter 1.2
84
Understand replay attacks.
A replay attack is one in which an attacker captures network packets and then retransmits or replays them back onto the network.
Chapter 1.2
85
Understand weak implementations.
Most failures of modern cryptography systems are due to poor or weak implementations rather than a true failure of the algorithm itself.
Chapter 1.2
86
Define a threat actor.
A threat actor is the person or entity who is responsible for causing or controlling any security-violating incidents experienced by an organization or individual.
Chapter 1.3
87
Define script kiddies.
Script kiddies are threat actors who are less knowledgeable than a professional skilled attacker. A script kiddie is usually unable to program their own attack tools and may not understand exactly how the attack operates.
Chapter 1.3
88
Define a hacktivist.
A hacktivist is someone who uses their hacking skills for a cause or purpose. A hacktivist commits criminal activities to further their cause.
Chapter 1.3
89
Understand how organized crime is involved in cybercrime.
Organized crime is involved in cybercrime activities because it is yet another area of exploitation that may allow them to gain access, power, or money.
Chapter 1.3
90
Understand how nation-states are using cyberattacks.
Most nation-states are now using cyberattacks as yet another weapon in their arsenal against their real or perceived enemies, whether internal or outside their borders.
Chapter 1.3
91
Define APT.
APT (advanced persistent threat) is any form of cyberattack that is able to continually exploit a target over a considerable period of time. An APT often takes advantage of flaws not publicly known and tries to maintain stealth throughout the attack.
Chapter 1.3
92
Understand the risks presented by insiders.
One of the biggest risks at any organization is its own internal personnel. Hackers work hard to gain what insiders already have: physical presence within the facility or a working user account on the IT infrastructure.
Chapter 1.3
93
Understand the risks presented by competitors.
While it is widely known that such actions are illegal, many organizations still elect to perform corporate espionage and sabotage against their competition.
Chapter 1.3
94
Understand the risks presented by internal and external threat actors.
Threats can originate from inside your organization as well as outside. All too often, companies focus most of their analysis and security deployment efforts on external threats without providing sufficient attention to the threats originating from inside.
Chapter 1.3
95
Understand threat actors’ level of sophistication.
Threat actors can vary greatly as to their skill level and level of sophistication. Some attackers are highly trained professionals who are applying their education to malicious activities, whereas others are simply bad guys who learned how to perform cyberattacks just to expand their existing repertoire.
Chapter 1.3
96
Know how threat actors access resources and funding.
Some threat actors are well funded with broad resources; others are not. Some threat actors self-fund, whereas others find outside investors or paying customers. Self-funded threat actors might highjack or use advertisement platforms to obtain funds; others may use ransomware to extort money from their victims.
Chapter 1.3
97
Understand threat actors’ intent and motivation.
The intent or motivation of an attacker can be unique to the individual or may be similar to your own. Some attackers are motivated by the obvious benefits of money and notoriety. Others attack from boredom or just to prove to themselves that they can.
Chapter 1.3
98
Understand open-source intelligence.
Open-source intelligence is the gathering of information from any publicly available resource. This includes websites, social networks, discussion forums, file services, public databases, and other online sources. It also includes non-Internet sources, such as libraries and periodicals.
Chapter 1.3
99
Understand active reconnaissance.
Active reconnaissance is the idea of collecting information about a target through interactive means. By interacting with a target, accurate and detailed information can be collected quickly but at the expense of potentially being identified as an attacker rather than just an innocent, benign, random visitor.
Chapter 1.4
100
Know how to use port scanners.
A port scanner is a vulnerability assessment tool that sends probe or test packets to a target system’s ports in order to learn about the status of those ports.
Chapter 1.4
101
Understand passive reconnaissance.
Passive reconnaissance is the activity of gathering information about a target without interacting with the target. Instead, information is collected from sources not owned and controlled by the target (other websites and services) as well as by eavesdropping on communications from the target.
Chapter 1.4
102
Define pivoting.
In penetration testing (or hacking in general), a pivot is the action or ability to compromise a system, and then using the privileges or access gained through the attack to focus attention on another target that may not have been visible or exploitable initially.
Chapter 1.4
103
Understand initial exploitation.
The initial exploitation in a penetration test or a real-world malicious attack is the event that grants the attacker/tester access to the system. It is the first successful breach of the organization’s security infrastructure that grants the attacker/tester some level of command control or remote access to the target.
Chapter 1.4
104
Define persistence.
Persistence is the concept of an attack that maintains remote access to and control over a compromised target. A persistent attack grants the attacker ongoing prolonged access to and control over a victim system and/or network.
Chapter 1.4
105
Understand escalation of privilege.
Escalation of privilege is any attack or exploit that grants the attacker greater privileges, permissions, or access than what may have been achieved by the initial exploitation. Privilege escalation can be either horizontal or vertical.
Chapter 1.4
106
Understand black-box testing.
Black-box penetration testing proceeds without using any initial knowledge of how an organization is structured; what kinds of hardware and software it uses; or its security policies, processes, and procedures. It provides a realistic external criminal hacker perspective on the security stance of an organization.
Chapter 1.4
107
Understand white-box testing.
White-box testing makes use of knowledge about how an organization is structured, what kinds of hardware and software it uses, and its security policies, processes, and procedures. The result is that it gives a rogue administrator a lot of information about the organization’s security.
Chapter 1.4
108
Understand gray-box testing.
Gray-box testing combines the two other approaches to perform an evaluation based on partial knowledge of the target environment. The results are a security evaluation from the perspective of a disgruntled employee.
Chapter 1.4
109
Understand penetration testing.
A penetration test is a form of vulnerability scan that is performed by a special team of trained white-hat security specialists rather than by an internal security administrator using an automated tool. Penetration testing (also known as ethical hacking) uses the same tools, techniques, and skills of real-world criminal hackers as a methodology to test the deployed security infrastructure of an organization.
Chapter 1.4
110
Understand vulnerability scanning.
Vulnerability scanning is used to discover weaknesses in deployed security systems in order to improve or repair them before a breach occurs. By using a wide variety of assessment tools, security administrators can learn about deficiencies quickly.
Chapter 1.5
111
Understand passive testing of security controls.
A passive test of security controls is being performed when an automated vulnerability scanner is being used that seeks to identify weaknesses without fully exploiting discovered vulnerabilities.
Chapter 1.5
112
Understand vulnerability identification.
A scanner that is able to identify a vulnerability does so through a testing probing process defined in its database of evaluations. The goal of a vulnerability scanner is to inform you of any potential weaknesses or attack points on your network, within a system, or against an individual application.
Chapter 1.5
113
Understand the identification of a lack of security controls.
An important task for a vulnerability scanner is to identify any necessary or best-practice security controls that are not present in the evaluated target. Such a report may indicate that updates and patches are not applied or that a specific security mechanism is not present.
Chapter 1.5
114
Be able to identify common misconfigurations.
Many vulnerability scanners can determine whether or not you have improper, poor, or misconfigured systems and protections. If a vulnerability scanner is able to detect this issue, so can an attacker.
Chapter 1.5
115
Understand intrusive vs. nonintrusive.
An intrusive vulnerability scan attempts to exploit any flaws or vulnerabilities detected (also known as active evaluation). A nonintrusivevulnerability scan only discovers the symptoms of flaws and vulnerabilities and doesn’t attempt to exploit them (also known as passive evaluation).
Chapter 1.5
116
Understand credentialed vs. noncredentialed.
A credentialed scan is one where the logon credentials of a user, typically a system administrator or the root, must be provided to the scanner in order for it to perform its work. A noncredentialed scan is one where no user accounts are provided to the scanning tool, so only those vulnerabilities that don’t require credentials are discovered.
Chapter 1.5
117
Know what a false positive is.
A false positive occurs when an alarm or alert is triggered by benign or normal events.
Chapter 1.5
118
Know what a false negative is.
A false negative occurs when an alarm or alert is not triggered by malicious or abnormal events.
Chapter 1.5
119
Understand race conditions.
Time-of-check-to-time-of-use (TOCTTOU) attacks are often called race conditions because the attacker is racing with the legitimate process to replace the object before it is used. Another form of race condition attack occurs when two processes are running concurrently and one process is designed to finish first, but the attack alters the processing to change the order of completion.
Chapter 1.6
120
Comprehend end-of-life systems.
End-of-life systems are those that are no longer receiving updates and support from their vendors. If an organization continues to use an end-of-life system, then the risk of compromise is high because no future exploitation will ever be patched or fixed.
Chapter 1.6
121
Understand embedded systems.
An embedded system is any form of computing component added to an existing mechanical or electrical system for the purpose of providing automation and/or monitoring.
Chapter 1.6
122
Realize that there may be a lack of vendor support.
Any system, whether hardware or software, will become more insecure over time once it lacks vendor support. The lack of vendor support can be due to end-of-life dropping of support, but it can also be a “feature” of the product all along, where the vendor does not provide any improvement, support, or patching/upgrading of the product after the initial sale.
Chapter 1.6
123
Understand improper input handling.
Many forms of exploitation are caused by the lack of input sanitization or validation. Only with proper input handling can software exploitation be reduced or eliminated.
Chapter 1.6
124
Know proper input handling.
There are three main forms of input filtering that should be adopted by every programmer and included in every code they author: check for length, filter for known malware patterns, and escape metacharacters.
Chapter 1.6
125
Understand improper error handling.
Improper error handling may allow for the leaking of essential information to attackers or enable attackers to force a system into an insecure state. If error messages are not handled properly, they may disclose details about a flaw or weakness that will enable an attacker to fine-tune their exploit.
Chapter 1.6
126
Understand misconfiguration/weak configuration.
When misconfigurations or weak configurations are allowed to remain while a system is in active productive use, the risk of data loss, data leakage, and overall system compromise is higher.
Chapter 1.6
127
Know the risks of default configuration.
Default configurations should never be allowed to remain on a device or within an application. The tyranny of the default is the fact that defaults are usually insecure and thus leave a system open to simple compromise.
Chapter 1.6
128
Understand resource exhaustion.
Resource exhaustion occurs when applications are allowed to operate in an unrestricted and unmonitored manner so that all available system resources are consumed in the attempt to serve the requests of valid users or in response to a DoS attack.
Chapter 1.6
129
Understand untrained users.
Untrained users are more likely to make mistakes or abuse a system’s resources and capabilities.
Chapter 1.6
130
Understand improperly configured accounts.
The concept of improperly configured accounts is a violation of the principle of least privilege.
Chapter 1.6
131
Understand vulnerable business processes.
All business tasks, processes, procedures, and functions should be assessed as to their importance to the organization and their relative vulnerabilities.
Chapter 1.6
132
Understand weak cipher suites and implementations.
Many older algorithms or implementations of algorithms have known flaws, weaknesses, or means of compromise. These weaker ciphers should be avoided and disabled and replaced with stronger cipher suites with few or no issues.
Chapter 1.6
133
Understand memory leaks.
A memory leak occurs when a program fails to release memory or continues to consume more memory.
Chapter 1.6
134
Understand integer overflow.
An integer overflow is the state that occurs when a mathematical operation attempts to create a numeric value that is too large to be contained or represented by the allocated storage space or memory structure.
Chapter 1.6
135
Understand buffer overflow.
A buffer overflow is a memory exploitation that takes advantage of a software’s lack of input length validation. In some cases a buffer overflow can allow for the injection of shellcode (precompiled malicious code) into memory, where it may become executed with system-level privileges.
Chapter 1.6
136
Understand pointer dereference.
Pointer dereferencing is the programmatic activity of retrieving the value stored in a memory location by triggering the pulling of the memory based on its address or location as stored in a pointer.
Chapter 1.6
137
Understand DLL injection.
DLL injection is an advanced software exploitation technique that manipulates a process’s memory in order to trick it into loading additional code and thus perform operations the original author did not intend.
Chapter 1.6
138
Comprehend system sprawl/undocumented assets.
System sprawl or server sprawl is the situation where numerous underutilized servers are operating in your organization’s server room. The existence of undocumented assets is a form of wasted resources and lost opportunity.
Chapter 1.6
139
Understand architecture/design weaknesses.
Architecture or design flaws are mistakes in the overall concept, theory, implementation, or structure of an application. Design flaws may exist because of a misunderstanding of the problem that was intended to be solved, not understanding the requirements of the solution, violating common or good practice design principles, or failing to account for security measures during initial conception.
Chapter 1.6
140
Understand new threats.
New threats are being developed by hackers on a nearly daily basis. It is an essential part of security management to be aware of new threats.
Chapter 1.6
141
Understand improper certificate and key management.
Most of the failures of a cryptosystem are based on improper key management rather than on the algorithms.
Chapter 1.6
