1.1 Given a scenario, analyze indicators of compromise and determine the type of malware
- Virus: an old-fashioned term going back to the mid-1980s. A piece of software that may intrude into your system, often by attaching to other existing files. Viruses will propagate or spread to other devices. They would also activate - or perform some function such as erasing the boot sector on your hard drive. There are many more specific terms to describe malware in this day and age.
- Ransomware: also known as crypto-malware. It is software that will encrypt your data and will demand payment from the user to get the decryption key. Can be mitigated with a good data backup strategy.
- Worm: a piece of malicious code that is capable of scanning your network, finding other systems, and spreading to the other systems by replicating itself. The first computer worm was antivirus software, spreading itself to remove a commonly found virus. The second computer worm caused a ton of damage and led to the first criminal conviction under the computer fraud and abuse act.
- Trojan Horse: a piece of software that disguises itself as something else. Typically related to an application that makes the user want to run the software.
- Rootkit / Backdoor: a piece of software that escalates its privileges which will typically allow root access to a system for the threat actor. This is sometimes referred to as a backdoor. A backdoor just means a way for an unauthorized person to access your system, this is a property of a rootkit.
- Keylogger: Malware that records keystrokes and will often automatically transmit keystrokes to the threat actor for review. Can be used for catching login credentials as they are typed.
- Adware: programs that attempt to display ads on your system to generate revenue.
- Spyware: a form of malware that hides itself and doesn’t typically display ads or make itself known, to allow for continuous exfiltration of data from the infected system.
- Bots: programs that run on your computer and accept command and control messages from a central location. Often many computers accept commands from the same source, this forms what is known as a botnet. This gives the controller a lot of power by having full control over many machines, denial of service attacks can be performed by commanding the botnet to send messages to a target system.
- RAT: stands for remote access trojan/tool. It’s a piece of software that allows a threat actor to view the screen and control the infected computer.
- Logic Bomb: typically some malware which is triggered by some event taking place. A common threat is to have a logic bomb go off if your employer disables your account.
- Polymorphic Malware: Malware that changes itself to try and bypass signatures that are used by antimalware software. By changing itself, it may be able to sneak by malware scanners since it will appear to be different than what the signatures are in the antimalware software.
- Armored Virus: malware which contains a lot of superfluous code to try and throw off threat researches and antimalware software from being able to determine what the malware is trying to do.
1.2 Compare and contrast types of attacks
These are attacks that rely on the human factor. We as humans have
feelings vulnerabilities too. Social engineering attacks are effective because they often rely on the following principles:
- Authority: The threat actor will often act as if they have the authority to make the requests/demands that they are making. People respect authority and may be compelled to fulfill the threat actor’s requests.
- Intimidation: The threat actor may intimidate or threaten you. Examples include bullying or even be subtle such as saying things like “look if you don’t do this for me right now, it’s not gonna be my ass on the line, it will be yours and everyone will know it.”
- Consensus: This is an attack that is meant to sway opinions by providing false reviews or testimonials. Very common on eCommerce sites such as Amazon or eBay. Another example is downloading a malicious file, if comments on something all say it worked for them and they liked it, the person viewing the web page is more likely to download the file.
- Scarcity: Presenting exclusive access to some club or commodity can make the person more enticed to act and perform some action
- Familiarity: When a threat actor attempts to build rapport, to get the target to become familiar with them before launching an attack.
- Trust: In the same vein as familiarity, earning and leveraging the trust of a target before launching an attack.
- Urgency: Act now or you will lose your chance! Buy now, they’re going quick! I’m going into a sales meeting in 4 minutes and I need this done NOW. Does not give the target the appropriate time to assess the situation before acting.
Examples of social engineering attacks include the following:
- Phishing: Phishing is similar to spam, but it’s an email that tries to get information from the recipient.
- Spear Phishing: Targeted phishing to try to phish a specific person. Often uses the person’s name or personal information in the communication or poses as services the target uses.
- Whaling: Whaling is considered to be going for an attack with a massive impact, such as going after the CEO, CFO.
- Vishing: Voice phishing - using voice, scam phone calls trying to get personal information.
- Spam: Unsolicited email - not a major in some incidents, however usually just a minor irritant.
- Tailgating: Following closely behind someone who walks into a locked door, bypassing the physical authorization mechanisms of the area or building.
- Impersonation: Pretending to be someone else, for example, impersonating the CEO and emailing an employee asking them to do something.
- Dumpster Diving: Digging through trash to find information from sources such as thrown out documents that weren’t shredded or computer systems that were thrown out without being securely wiped.
- Shoulder Surfing: Looking over someone’s shoulders at their computer screen or work area to retrieve information while the person is working. Could include them entering their password or reading confidential information on a document. A new but similar attack with work from home is screen sharing.
- Hoax: False information that is spread which does not correlate to what events transpired. A lie that is attempted to spread to throw off the entity being attacked.
- Watering Hole Attack: When a threat actor infects a system or website that the target organization often uses. Solarwinds hack is an example.
- Spim: Instant message spam (Skype, Teams, WhatsApp). I have never heard of this term in my 10 years of being in the IT industry and 22 years as a computer user. We typically just call it spam, but you know… trivial exam knowledge.
Application and Service Attacks
- DoS: denial of service attack is a type of attack which disrupts a service, preventing it from functioning for its users.
- DDoS: distributed denial of service attack is a type of attack which uses many computers (often botnets) to send messages to a target system which overloads it, preventing it from servicing its users.
- MitM: man in the middle attack is when a threat actor has control over a device in the middle of a communication channel. This allows the threat actor to both eavesdrop and fabricate messages.
- Buffer overflow: is a boundary problem, where data is written to buffer, but overruns the buffer’s boundary which could impact adjacent memory.
- Injection: is an attack that leverages sections of a program that accept input, and taking advantage of how that input is parsed by the application. A common example is using a web form to inject SQL commands.
- Cross-Site Scripting: a type of web attack that allows a threat actor to execute arbitrary clientside scripting that appears to come from a trusted domain. Often used to steal cookies, session data. Exploits the trust the user has for the site.
- Cross-Site Request Forgery: AKA CSRF similar to CSS, however, this exploits the trust the site has for the user. A threat actor tricks a target into submitting a web request they did not intend, which may perform actions on the website on behalf of the target user.
- Privilege Escalation/Elevation: the goal of a threat actor once in a system is to ensure they have the privilege and capabilities to have full control over the system. Privilege elevation/escalation is when the threat actor exploits some vulnerability in the system to gain further unauthorized access to the system.
- ARP Poisoning: exploits address resolution protocol often using gratuitous ARP messages to update clients on the same network segment with fake ARP entries, which can be used to form a man in the middle attack.
- Amplification: Often used in conjunction with spoofing as a DoS attack - where a small message is sent to a server as a request, and the server returns a large response to the target. The idea is a large impact in a response for a little put in as a request.
- DNS Poisoning: Similar to ARP poisoning except instead of exploiting ARP, we are exploiting DNS to provide faulty responses to DNS queries. Can be used in conjunction with phishing attacks or others to steal sensitive information.
- Domain Hijacking: when you let a domain registration lapse / not renewed and a threat actor grabs the domain from you. They can steal incoming emails, put up a malicious website, or hold the domain ransom, demanding a large sum of money for it to be returned.
- Man in the Browser: related to Man in the Middle attacks, except typically constrained to the web application layer instead of the network layer. An example is a compromised web proxy server or browser extension.
- Zero Day: is any vulnerability that exists in the wild, but is not yet widely known. Until it’s known, threat actors can continue to exploit the vulnerability without anyone being aware.
- Replay: is an attack often used once a man in the middle attack has been carried out to attempt to replay messages which have been observed in an attempt to exfiltrate data or cause some action to occur. One example used to be garage door openers, threat actors could listen for the radio signal to be broadcast to open the door, capture it and then replay it at a later time.
- Pass the Hash: is an attack where the threat actor steals the hash of the target’s password, then simply uses this hash to authenticate to services on the network. The plaintext password does not necessarily need to be known. Ofen used to attack NTLM / Microsoft Windows networked systems.
- Clickjacking: when you’re on a website and you try to click a button, but the site makes you click something else or perform some other action.
- Session Hijacking: exploiting a valid session key or cookie to gain unauthorized access to a system. Similar to pass the hash type attack in Windows in that the plaintext credentials need not be known. Sometimes called “Pass the Cookie”.
- Typo Squatting/URL Hijacking: register a domain very similar to common domains so if people accidentally mistype a domain they are directed to your website.
- Driver Manipulation - Shimming: Inserting code into a driver to execute some malicious action.
- Driver Manipulation - Refactoring: Code that changes itself to make it look different each time, often involves executing code that accomplishes nothing (called NOPs or No Operations).
- MAC Spoofing: A data link layer attack where a threat actor configures his network device to use the MAC address of a target. This can be used to get around authentication mechanisms such as MAC whitelists or bypass captive portals.
- IP Spoofing: Similar to MAC spoofing but at the network layer instead of the data link layer. The threat actor configures their machine to use the IP address of another machine, or send messages to make them appear as though they came from the target’s machine.
Denial of Service Attack - Additional Details
The idea behind a denial of service attack is to make a normally functioning system unable to provide service. A simple approach is to send so much traffic to a server such that it gets overloaded and is unable to keep up with all the incoming requests.
- Volume Attack: overloading the network links which provide access to the server.
- Protocol Attack: attack of the services or lower protocols which may cause the server to be unable to keep up with incoming requests.
- Application attack: attack of the application itself which may use up resources such as computer, memory or disk which will prevent the service from being able to respond to all incoming requests in a timely fashion.
A ping flood or UDP flood are two examples of volume attacks. A SYN flood of TCP SYN attack is an example of a protocol attack. A slow loris attack is an example of an application attack.
- Ping Flood: A threat actor sends many ICMP echo requests to a target in rapid succession to attempt to overload it.
- UDP Flood: A threat actor sends many UDP packets to random ports on a remote host in an attempt to overload it.
- SYN Flood / TCP SYN Attack: A threat actor rapidly initiates TCP connections to a server by sending a SYN packet but never finishing the handshake. The server has to then spend resources keeping half-open connections open until they time out.
- Slow Loris Attack: A common attack on an Apache server, which is used to keep connections open and eventually filling their maximum concurrent connection pool. This will deny additional connection attempts from legitimate clients.
Some more advanced attacks do something called amplification. An amplification attack is an attack that costs very little traffic from the threat actor but may generate tremendous amounts of traffic on the target. This is done by finding a weakness where you can make a request with a teeny tiny packet, and have the response be very large. A smurf attack is an example of an amplification attack.
- Smurf Attack: the threat actor will spoof the IP address of the target and then send an ICMP packet to a network broadcast address. This will cause all hosts in the broadcast domain to respond to the target, not the threat actor. A smurf attack is an example of a DDos Attack.
- Distributed Denial of Service (DDoS) Attack: a type of attack where not just a single source of traffic is attacking a system. Typically DDoS’s are run from a botnet, where a threat actor has infected many different computers from across the world and commands them all to attack a specific host.
Man in the Middle Attacks (MITM) - Additional Details
A third party that is listening in on a conversation between two network hosts. The third party is intercepting the traffic, sitting in the middle of the conversation. The method used to get in the middle of the conversation depends on the technologies and protocols used to form the conversation.
One common attack is on wireless networks since all radio waves are sent out in the open and can be received by any nearby antenna. 802.11 isn’t the only wireless protocol susceptible to MITM attacks. Bluetooth is also susceptible, as well as NFC (Near Field Communication eg: tap to pay).
Wired MITM attacks are typically much trickier since you can’t always capture all information being transmitted around you. Switches typically deliver frames based on destination MAC addresses, which it finds in its CAM table. Spoofing is an ARP attack that leverages gratuitous ARPs to try and fool switches into delivering frames to the threat actor instead of the intended recipient.
Once a threat actor has established themselves within the data stream, there are several further actions they can take:
- Capture Data: using tools like Wireshark, all the data can be captured and recorded to a file on the threat actor’s machine. This would allow them to analyze the data carefully after the fact, as well as attempt to break any encryptions within the data stream.
- Replay Attack: Once you are in the middle, capturing information, you may be able to replay the incoming packets to try and attempt to gain access to the system they are communicating.
- Downgrade Attack: Attempt to negotiate security protocols to weaker, but still accepted standards (often accepted for compatibility). This can further allow the threat actor to exploit the system.
- Session Hijacking: Capturing the session data from clients communicating and then impersonating them by stealing their authentication tokens.
- IV: initialization vector attacks leverage known starting vectors in cipher chaining algorithms to obtain information about the starting state of the cipher chain. Knowing the initialization vector of a stream can go a long way in cracking the whole message.
- Evil Twin: a fraudulent wireless access point that looks like it’s legitimate. May trick clients into connecting to it instead of the legitimate one.
- Rogue AP: an access point that is not authorized that has been installed on a network. An example is an employee bringing home a router and connecting it to the network at his desk to get their own wifi SSID.
- Jamming: radio jamming is the deliberate broadcast of interfering traffic to disrupt the communication channel between other devices in the vicinity. It decreases the signal to noise ratio, making communications more difficult (imagine a lunatic screaming in the room while you’re trying to have a conversation with someone else).
- WPS: Wi-Fi Protected Setup is not an attack in and of itself, but it makes an attack trivial, like leaving your cash-stuffed wallet in your car, then leaving your keys in your car door downtown in a busy city. WPS should always be disabled. There are physical security concerns (you just need to push a button to connect) as well as brute force attack vulnerabilities.
- Bluejacking: older versions of Bluetooth were susceptible to bluejacking. It’s when a threat actor would be able to connect to a device without being authorized.
- Bluesnarfing: an attack that can exfiltrate data over Bluetooth. Also, something that older versions of Bluetooth used to be susceptible to.
- RFID: RFID cards are often used to transmit data over very short distances (think fobs) and used for things such as building access.
- NFC: Uses RFID protocols, but extends them further. Many similar properties to RFID attacks.
- Disassociation: When a threat actor crafts a special control message and broadcasts it out requesting the client disassociate from the wireless network. Often causes disruption, denial of service, or causes the client to disconnect and reconnect (can be used in conjunction with evil twin attack to get clients to disconnect from legitimate AP and connect to yours).
Don’t store passwords, store hashes. You can’t reverse a hash. Hashing attacks are comparative attacks.
- Birthday: Related to collision attacks described below, birthday attacks leverage the probability of collisions occurring. Think about it as a reconnaissance attack, as if you know what hashing algorithm the target uses, you can determine the length of the hash as well as the number of possible outputs of that hash function. This means you can calculate an approximation of the amount of time it will take to calculate a hash collision by a brute force attack. This gives the threat actor more tools in their arsenal.
- Known Plain Text/Cipher Text: If the plain text and ciphertext are both known, a threat actor can reverse engineer the encryption used to decrypt additional messages.
- Rainbow Tables: Precomputed list of hashes. Not just a hashtable, because it’s indexed using a reduction function. Usually, rainbow tables are in the 10’s of gigabytes or even terabytes range of size. Each hash function requires its rainbow table (MD5 table cannot be used for SHA2 hashes).
- Dictionary: iterates through a word list. Much faster than brute force attack for common words, since humans tend to use words as their passwords. May not be able to find a match for all passwords, however. More complete dictionaries are larger and take longer to get through.
- Brute Force: tries passwords at random or in predetermined order until all combinations have been attempted. There are online attacks that involve interacting with the service you are attacking directly to continue guessing. These can result in logs and alarms being set off. Offline attacks are possible if you have a dump of the data, this way you not interacting with the live system, and attempts are not logged.
- Collision: two different pre hash inputs may result in the same output when run through a hashing function. This means you can enter a different password than what the user has and still be able to authenticate if the resulting hash is the same.
- Weak Implementations: Leveraging vulnerabilities or weaknesses found in older or nonstandard cryptography. Example DES can be exploited as the algorithm is not secure and the keyspace is small in comparison to AES.
It’s best to store passwords not only as a hash but hashed with a salt.
- Salt: takes the plaintext and appends some fixed pre-specified text to the plaintext, then the hash function is performed. This makes attacks much more difficult.
- Key Stretching: converting a password to a longer and more random key for cryptographic purposes such as encryption.
In wireless networks, WPA uses PBKDF2, but another key stretching algorithm is bcrypt.
1.3 Explain threat actor types and attributes
- Threat Actor: a malicious actor (organization or person) responsible for an event of an incident that images or have the potential to impact the safety or security of another entity.
- OSINT: Open Source Intelligence (OSINT) refers to any widely available information. Example sources include news stations, social media, public government records, blogs, or other publications. This is overt information as opposed to covert sources.
Types of Threat Actors
- Script kiddies: Typically trivial amount of attack knowledge, often uses pre-made tools without fully understanding underlying protocols. These threat actors often do not have sophisticated methods or motives, but may still be damaging and carry a high impact.
- Hacktivist: Some form of activism they are trying to pursue. Intent and motivation for the attack are often interesting as it’s not typically for financial gain.
- Organized Crime: Often very smart or small groups of people where the motivation is to make money.
- Nation States/APT: Large amount of resources, motivation is often intelligence/data exfiltration. Often carries out very sophisticated attacks. Often goes for advanced persistent threats which dwell within a system undetected for possibly many years, if ever.
- Insiders: Employees, but not always. Other examples include cleaning staff, contractors. Anyone who may have access to an asset.
- Competitors: Not often an issue due to laws, however, the risk is still technically present.
Attributes of Threat Actors:
- Internal or external of the environment: Examples of internal include: an employee, a janitor, an office visitor. Examples of external include: individuals attacking from other countries or outside of the network.
- Level of sophistication: Some threat actors use known, freely available tools, while others have very sophisticated tools and means of attacking a system.
- Resources and funding: Some threat actors have lots of resources, time, people, and money to put into launching an attack.
- Intent / Motivation: Some threat actors are doing this for money, others for espionage, while some do it for revenge or even world peace.
1.4 Explain penetration testing concepts
Penetration tests are authorized attempts to attack a system to determine whether vulnerabilities can be actively leveraged and to determine how the system reacts to these vulnerabilities. It’s important to note that penetration testing differs from vulnerability scanning. Vulnerability scanning using fingerprinting techniques to attempt to determine if a vulnerability exists. Penetration testing is to actively attempt to leverage a vulnerability on a system.
- Active reconnaissance: Gathering information about a system by interacting with it directly. This may alert the system owner that the system is under attack. Some examples include port scanning or probing the system in other ways such as grabbing banners.
- Passive reconnaissance: Gathering information about a system without interacting with it. For example, collecting information from public databases, talking to employees casually. It’s considered a safer method of gathering intelligence.
- Pivot: Once a host has been compromised, pivoting refers to the process of leveraging that compromised system as an entry point to attack other connected systems on the network. This can be referred to as island hopping, lateral moves, or as a multi-layered attack
- Initial exploitation: Refers to the stage where a threat actor has already performed reconnaissance and is ready to make the first move. Initial exploitation is the phase where the threat actor first breaks into the system. The vulnerability used to break in is referred to as the initial exploitation vector.
- Persistence: Refers to the stage in an attack where the attacker is trying to ensure that if the initial exploit vector is patched, they can retain access to the system. This typically involves installing additional remote access trojans (RATs) or similar types of software.
- Escalation of Privilege: Refers to a process a threat actor may use to elevate their access. Eg: A user account is compromised, and the threat actor has his initial exploitation vector into a network. The threat actor logs in as this user and then finds and uses additional vulnerabilities on the network to escalate their privilege to that of a domain administrator.
- Black Box: This is a type of test where the pentester does not have knowledge of a system and is simply tasked with penetrating the system. This can be beneficial, because sometimes providing information may influence the actions an attacker would take, which could result in the simulated attack not being representative of a real-world situation. A consultant with knowledge of vulnerabilities may focus on those specifically, but not look at a vulnerability not reported to them.
- White Box: This is a type of test where the pentester has open access to documentation of systems and applications and has full knowledge of how the system operates. This can be beneficial because the black box test may not make it far enough to test deeper parts of a system. Additionally, it simulates a scenario where an attacker’s reconnaissance provides them a great deal of information about the system.
- Grey Box: This is a type of test where the pentester may have some knowledge of a system, but not the full picture. Again, can help with different types of scenarios, such as when an attacker has performed initial exploitation but has not yet escalated privilege or pivoted to other systems.
1.5 Explain vulnerability scanning concepts
- Passively test security controls: This refers to vulnerability scanning and not penetration testing. A vulnerability scan is not going to exploit vulnerabilities but will take a light-handed approach to not disrupt any systems which are being scanned.
- Identify vulnerability: Vulnerability scanning can help determine vulnerabilities in a system
- Identify lack of security controls: From the vulnerabilities returned in a scan, it can help determine missing security controls, for example, it will find systems that are not patched which means that the organization likely does not have a robust patch management process.
- Identify common misconfigurations: Vulnerability scanning will help find common misconfigurations. Some examples include open ports, default username and passwords, data leaks (such as open access databases on the internet), and other misconfigurations which lead to vulnerabilities
- Intrusive vs Non-intrusive: An intrusive scan is more aggressive and carries a higher risk of disrupting a system compared to a non-intrusive scan which is considered safe by most. Personal experience: was at a client and kicked off an intrusive scan, then all of a sudden all their printers starting printing random garbage on hundreds of pages. Waste of toner and paper. This is a minor example, it could’ve been much worse such as causing a core application to crash.
- Credentialed vs non-credentialed: Similar to white-box vs black box. This simply refers to whether the scan is using some form of credential on the network to authenticate. This may allow the scanner to gather more details about vulnerabilities, however, does not represent what an attacker may see that has not yet performed initial exploitation of a system.
- False positive: When a vulnerability scanner detects a vulnerability that does not exist in reality we consider it a false positive. When a vulnerability scanner does not detect a vulnerability that does exist in reality, we consider it a false negative. If the vulnerability scanner were perfect (not realistic by far), we would only have true positives and true negatives.
1.6 Explain the impact associated with types of vulnerabilities
- Race conditions: Happens when two or more subroutines run concurrently, but in parallel specifically. Depending on many conditions, each time you run the program one subroutine may finish before the other, which could result in non-deterministic output and unexpected results. Race conditions can be avoided by structuring the code to use locks, wait groups, and other programming constructs.
- EoL systems: End of life systems are considered vulnerabilities as no further security updates or patches will be provided for these systems. As new vulnerabilities are discovered, actions external to the system must be taken to continue to mitigate them - for example, air gapping. It’s typically best to replace end of life systems with newer systems if possible.
- Embedded systems: Embedded systems are all around us. From industrial control systems such as that use PLCs and SCADA to IoT devices and sensors. These systems sometimes go overlooked but the security of such systems is just as, if not more important. Sometimes the impact of such a system could be massive. Imagine if a threat actor gained control over our electrical grid, or opened a dam which causes downstream ecological disaster.
- Improper input handling: If an application does not handle user input correctly, it could result in invalid data or worse - injection attacks. Input from users should always be validated to ensure it’s structured in a way that is expected.
- Improper error handling: An application developer should think about every type of scenario that could happen to an application and program their application to handle these errors accordingly. For example, if the network drops, the application should be able to detect this and
- Misconfiguration/Weak Configuration: Accidents happen, and sometimes best practices aren’t followed. Sometimes systems aren’t reconfigured periodically to meet the changing landscape of best practices. These can both result in vulnerabilities. For example, a weak encryption algorithm.
- Default configuration: Default configuration can be a vulnerability as the state of the system would be well documented by the vendor. Additionally, sometimes vendor default credentials are kept in production systems which allows anyone to log into that system.
- Resource exhaustion: Resource exhaustion is a vulnerability to DoS attacks. If resources are all consumed, for instance, CPU cycles, it leaves no resources for actual production applications.
- Untrained users: The human element is just as important to securing systems and the systems themselves. Untrained users are more likely to fall victim to social engineering attacks, described above for example phishing, email scams, improper disposal of documents, etc.
- Improperly configured accounts: Perhaps an account has more access than it requires to perform its function. Or maybe an account is enabled that doesn’t need to be enabled as the user had left the organization a long time ago. Audits are important processes to help detect improperly configured accounts
- Vulnerable business process: if a business process doesn’t have all the checks and balances, there is an opportunity to exploit or compromise a business process. Sometimes it requires multiple authorizations from different people to proceed through a process that can help mitigate some vulnerabilities. Another factor to consider is an unauthorized alteration of business processes such as someone not following the appropriate steps in the process.
- Weak cipher suites and implementations: A cipher suite is a collection of protocols and algorithms which define the negotiation protocol, key exchange methods, authentication, and encryption algorithms, and message HMAC. Weak cipher suites should be disabled in favor of those recommended by best practices. SSL, TLS 1.0, 1.1, 1.2 should all be disabled in favor of TLS 1.3. More will be covered in 6.0 - Cryptography
- Memory leak: Related to resource exhaustion vulnerabilities, a memory leak is when an application continues to allocate new memory over time, but never frees up old allocations of memory that are no longer required.
- Integer overflow: When an integer is incremented beyond its max value. eg) An 8-bit unsigned integer can only hold values up to 255, if you have a value of 255 and increment by 1, it wraps back around to 0. It’s important to use an appropriately sized type for the data the application is working with.
- Buffer overflow: When a program allocates a specific block of memory, but some operation causes it to impact an adjacent block of memory that was not a part of the originally allocated buffer.
- Pointer dereference: A pointer dereference is not in itself a vulnerability, I’m not sure what Security+ authors meant by this, but I’m going to assume they are instead referring to null point dereferences. Pointers are used in software to hold a small piece of data that points to a specific address in memory where the actual underlying data is held. A pointer is said to be dereferenced when it is read to obtain the address it’s pointing to. When there is no address saved in the pointer, it’s considered to be null. This can result in unexpected behavior, program crashes, etc. Typically this is the result of a bad implementation or when an assumption of the developer is violated.
- DLL injection: Dynamic Link Libraries are used in Windows Systems, but Linux has something similar called Shared Objects. The premise of this type of attack is when one program attempts to run code within the address space of another process by forcing it to load a DLL or SO. This can be used to influence the behavior of the original program by adding to or modifying its subroutines.
- System sprawl/undocumented assets: Often when new services come around, so do new servers and systems. Sometimes in the rush of reality, these systems can go undocumented due to negligence or mistake. If you don’t have an inventory of what systems you have, how can you possibly secure them?
- Architecture/design weaknesses: Design weaknesses are where much of the attention falls when thinking inside of the box. An example of a design weakness is not having appropriate controls in place such as not having a firewall at your network’s edge. Another example is not having a critical system operate with high availability/redundancy.
- New threats/zero-day: New threats also known as zero-day vulnerabilities are discovered all the time, every day. It’s important to keep up with patching and keeping systems in support to help mitigate known vulnerabilities, however with zero-day vulnerabilities the risk is often assumed or dealt with immediately after it’s uncovered. It’s important to remain
agile (i hate that word)nimble so systems can be quickly adapted to newly discovered vulnerabilities.
- Improper certificate and key management: Certificates are quite literally the keys to your secure communications and collaboration channels. If keys are not managed correctly, and they fall into the wrong hands it can allow a threat agent to eavesdrop on secure communications or authenticate as someone they are not.