1.0 Threats, Attacks and Vulnerabilities

1.1 Given a scenario, analyze indicators of compromise and determine the type of malware.

(Mike Meyers)

  • Viruses (Jason Dion)
    • Virus types (on JD study notes)
      • Boot sector
      • Macro
      • Program
      • Multipartite
      • Encrypted
      • Polymorphic
      • Metamorphic
      • Stealth
      • Armored
      • Hoax
    • "A virus is a piece of malicious code that replicates by attaching itself to another piece of executable code." (Conklin)
    • Armored
      • "An armored virus includes protective code that prevents examination of critical elements, such as scans by anti-virus software." (uCertiffy)
      • "Some malware, such as the Zeus Trojan, employs encryption in ways to prevent criminals from stealing the intellectual property of the very malware that they use." (Conklin)
  • Crypto-malware (Jason Dion)
    • "Crypto-malware is an early name given to malware that encrypts files on a system and then leaves them unusable either permanently, acting as a denial of service, or temporarily until a ransom is paid, making it ransomware." (Conklin)
  • Ransomware (Jason Dion)
    • "Ransomware is a form of malware that performs some action and extracts ransom from a user." (Conklin)
  • Worm (Jason Dion)
    • Worms self-replicate and spread without a user's consent or action
    • “Worms are designed to exploit a single flaw in a system (operating system, protocol, service, or application) and then use that flaw to replicate themselves to other systems with the same flaw.” (Stewart)
    • "Worms are pieces of code that attempt to penetrate networks and computer systems." (Conklin)
  • Trojan (Jason Dion)
    • "A Trojan horse, or simply Trojan, is a piece of software that appears to do one thing (and may, in fact, actually do that thing) but hides some other functionality." (Conklin)
  • Rootkit (Jason Dion, James Messer, Linus)
    • "Rootkits are a form of malware that is specifically designed to modify the operation of the operating system in some fashion to facilitate nonstandard functionality." (Conklin)
    • “A rootkit is a type of malicious code that fools the OS into thinking that active processes and files don’t exist. Rootkits render a compromised system completely untrustworthy.” (Stewart)
  • Keylogger (James Messer)
    • "A piece of software that logs all of the keystrokes that a user enters." (Conklin)
  • Adware (James Messer)
    • "Software that is supported by advertising is called adware." (Conklin)
    • Use a pop-up blocker
  • Spyware (Jason Dion)
    • "Spyware is software that “spies” on users, recording and reporting on their activities." (Conklin)
  • Spam
    • Activity that abuses electronic messaging systems, most commonly through email
  • Bots (James Messer)
    • "A bot is a functioning piece of software that performs some task, under the control of another program." (Conklin)
  • RAT (James Messer)
    • "A remote-access Trojan (RAT) is a toolkit designed to provide the capability of covert surveillance and/or the capability to gain unauthorized access to a target system." (Conklin)
  • Logic bomb (James Messer)
    • "A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload." (Conklin)
  • Backdoor (Jason Dion)
    • "Used to refer to programs that attackers install after gaining unauthorized access to a system to ensure that they can continue to have unrestricted access to the system, even if their initial access method is discovered and blocked." (Conklin)
  • Malware Summary (Jason Dion)

1.2 Compare and contrast types of attacks.

(Mike Meyers)

1.2.1 Social engineering

(Jason Dion, Mike Meyers 1, Mike Meyers 2)

  • Principles (reasons for effectiveness) (James Messer)
    • Authority
      • "I'm calling from the help desk."
    • Intimidation
      • "There will be bad things if you don't help."
    • Consensus
      • "Your co-worker Jill did this for me last week."
    • Scarcity
      • "This situation will not be this way for long."
    • Familiarity
      • "We have common friends."
    • Trust
      • "I'm from IT. I am here to help."
    • Urgency
      • "Act quickly, don't think!"
  • Watering hole attack (James Messer, Jason Dion)
    • A watering hole attack is a form of targeted attack against a region, a group, or an organization. It’s waged by poisoning a commonly accessed resource. (Stewart)
    • Going where people in a company visit, and infecting those locations.
    • e.g. sandwich shops, coffee shops
  • Phishing (James Messer, Jason Dion)
    • Spam that tries to get information out of you.
    • Claims to be someone else
    • e.g. collects login info.
    • Replicated login pages
    • Vishing
      • Over the phone
    • Spear phishing
      • Targeted phishing; focus on narrow group
    • Whaling
      • Targeting toward CEO, highest levels, etc.
  • Tailgating (James Messer)
    • Using someone else to gain entry into a building
    • Blend in with clothing
    • Policy for visitors (e.g. badges)
    • Scan one person at a time
    • Man traps, air locks
    • Train staff to ask: Who are you? Why are you here?
  • Impersonation (James Messer)
    • Pretending to be someone you aren't
    • Never volunteer information
    • Call back, verify through 3rd parties
  • Dumpster diving (James Messer, Jason Dion)
    • Valuable information left in trash
    • Technically legal in all 50 states, but not on private property
    • Secure garbage
    • Shred or even burn
  • Shoulder surfing (James Messer, Jason Dion)
    • Looking over someone's shoulder at sensitive information
    • Binoculars / telescopes
    • Web cam
    • Privacy filter
    • Keep monitor out of sight
  • Hoax (James Messer, Jason Dion)
    • Consider the source
    • Cross reference

1.2.2 Application/service attacks

(Mike Meyers 1, Mike Meyers 2)

  • DoS: Denial of Service (James Messer, Mike Meyers)

    • Overload the service
    • Sometimes not malicious; service overwhelmed
    • Sometimes accidental: network loop
    • DDoS
      • Distributed; many computers
      • Botnets
      • Asymmetric threat
      • Amplification: (Smurf attack?)
        • Turn your small attack/request (64 bytes) into a big attack/reply (512 bytes), reflected off another device or service.
        • Increasingly common DDoS technique
        • Uses protocols with little or no authentication or checks (NTP, DNS, ICMP)
  • Man-in-the-middle (On-Path Attack) (James Messer, Mike Meyers)

    • Between two devices
    • Directs traffic, forwards
    • ARP poisoning / spoofing
      • Spoofs IP/MAC; responds with a false identification of a device
    • Man-in-the-browser
      • Malware/Trojan sets a proxy on the browser to redirect requests
      • Man-in-the-browser malware intercepts and manipulates communications immediately after they leave the browser and before they exit the network interface. (Stewart)
  • Buffer overflow (James Messer)

    • Overwrite buffer of memory
    • Spills over into other memory areas
    • Developers need to perform bounds checking
    • "Buffer overflows can be initiated by sending random data to other services on a computer." (uCertify)
    • "If you’re concerned about buffer overflows then checking boundaries is the best defense... Checking user input helps but doesn’t prevent buffer overflow attacks." (Dion)
  • Injection (James Messer)

    • SQL injection: input not sanitized or validated
    • XML injection: modifies XML requests
    • LDAP injection: modifies LDAP requests to manipulate application results
  • XSS: Cross-site scripting (James Messer, Jason Dion)

    • Takes advantage of the trust a user has for a site
    • Non-persistent (reflected) XSS attack
      • Web site allows a script embedded in user input to run
      • Attempts to have a non-persistent effect activated by a victim clicking a link on the site
    • Persistent (stored) XSS attack
      • Attempts to get data provided by the attacker to be saved on the web server by the victim
      • e.g. post a message to social network with malicious payload
      • Everyone gets the payload
    • DOM based (client side XSS attack)
      • Attempts to exploit the victim's web browser
    • Don't blindly click in email inbox
    • Validate input
    • Increase the security of cookie storage
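The two input-handling flaws above (SQL injection under Injection, reflected XSS here) shown next to their fixes. This is an added example, not code from Messer, Dion, Conklin or any other cited source; the users table, the password values and the greeting page are constructed for the demo, and the passwords are stored in plaintext only to keep the query simple.

```python
import html
import sqlite3

# Constructed in-memory user table standing in for a real application database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_vulnerable(db, name, password):
    # Untrusted input is pasted straight into the SQL text, so the query's
    # structure is under the user's control (input neither sanitized nor validated).
    query = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return db.execute(query).fetchone()[0] > 0

def login_parameterized(db, name, password):
    # Placeholders keep data and code apart: the driver binds the values,
    # so input can never change what the statement does.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone()[0] > 0

def greeting_vulnerable(name):
    # Reflected XSS sink: user-supplied text is echoed into HTML unchanged.
    return f"<p>Welcome, {name}!</p>"

def greeting_escaped(name):
    # Output encoding turns markup characters into entities, so the browser
    # renders the text instead of interpreting it.
    return f"<p>Welcome, {html.escape(name)}!</p>"

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable login, injected password:", login_vulnerable(db, "alice", tautology))
    print("parameterized login, same input:   ", login_parameterized(db, "alice", tautology))
    print(greeting_escaped("<script>alert('xss')</script>"))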
  • XSRF, CSRF: Cross-site request forgery (James Messer, Jason Dion)

    • XSRF, CSRF (Sea surf)
    • XSRF: Cross-site request forgery (XSRF) occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated (e.g. a bank account)
    • AKA One-click attack; Session riding
    • Takes advantage of session trust (user already logged in to a bank account, attacker sending a link to do something malicious like fund transfer)
    • Apps need anti-forgery techniques
    • XSRF prevention measures include adding a randomization string (called a nonce) to each URL request and session establishment and checking the client HTTP request header referrer for spoofing. (Stewart)
    • Usually a cryptographic token to prevent a forgery
    • XML file scanning and cookie verification
    • Ensure requests originated from user's device
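A server-side anti-forgery check of the kind the bullets above describe: a per-session random token (the "nonce") that every state-changing request must carry, plus a check of the Origin/Referer header. Added example, not code from the cited sources; the session store, the origin `https://bank.example` and the `/transfer` form fields are assumptions made up for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://bank.example"   # assumed origin of the protected site

class SessionStore:
    """Maps session id -> anti-forgery token (constructed in-memory store)."""
    def __init__(self):
        self._tokens = {}

    def new_session(self):
        session_id = secrets.token_urlsafe(16)
        # Unpredictable per-session nonce. An attacker's page cannot read it,
        # so it cannot build a request that carries it.
        self._tokens[session_id] = secrets.token_urlsafe(32)
        return session_id

    def csrf_token(self, session_id):
        return self._tokens[session_id]

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)   # constant-time compare

def origin_allowed(headers):
    """Second check: browsers set Origin (or Referer) on cross-site POSTs and
    scripts cannot override them, so a foreign origin means a forged request."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN

def handle_transfer(store, session_id, form, headers):
    """Server side of POST /transfer. Returns (status, message)."""
    if not origin_allowed(headers):
        return 403, "cross-site request rejected"
    if not store.verify(session_id, form.get("csrf_token")):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"transferred {form['amount']} to {form['to']}"
```

The token check is the primary control; the origin check is defence in depth, since older browsers may omit the Referer and some proxies strip it, so it should reject unknown origins rather than require the header.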
  • Privilege escalation (James Messer)

    • Bugs or design flaws that allow one to gain higher-level access
    • Higher-level access means more capabilities
    • Some escalations are horizontal
    • Do high priority vulnerability patches
    • Update the antivirus
    • Data execution prevention
    • Address space layout randomization (James Messer)
  • DNS poisoning (James Messer)

    • Sends people to IP address they didn't intend
    • Modify the DNS server / Modify the client host file
    • Send fake response to a valid DNS request
    • This can be accomplished by deploying a rogue DNS server (also known as DNS spoofing and DNS pharming), using DNS poisoning, altering the HOSTS file, corrupting IP configuration, and using proxy falsification. (Stewart)
    • "The practice of dispensing IP addresses and host names with the goal of traffic diversion." (uCertify)
  • Domain hijacking (James Messer)

    • Changes which DNS server is used for a domain
    • Get access to the domain registration
  • Zero day (James Messer)

    • Exploits a vulnerability no one else knows exists
    • Bad guys keep yet-to-be-discovered holes to themselves
    • CVE: cve.mitre.org
  • Replay (James Messer)

    • If one has access to network packets, they might replay the packets, making themselves look like the original user.
    • Packet capturing is usually done by a network tap, ARP poisoning or malware
    • Actual replay attacks don't require being in the middle (MitM)
    • Avoid with unique salts and encryption
  • Pass the hash

    • "The attacker captures the hash used to authenticate a process. They can then use this hash by injecting it into a process in place of the password. This is a highly technical attack, targeting the Windows authentication process, injecting a copy of the password hash directly into the system. The attacker does not need to know the password, but instead can use a captured hash and inject it directly, which will verify correctly, granting access." (Conklin)
  • Hijacking and related attacks (James Messer)

    • URL hijacking
      • Typo squatting (Takes advantage of misspellings, typos)
      • Used as phishing site
      • Brandjacking (register a domain similar to your brand name)
      • Different top-level domain (.org instead of .com)
    • Clickjacking
      • You're clicking on a button, but you're actually clicking on an invisible layer
      • Common on phones
      • Cloak and dagger (android app)
    • Session hijacking aka Sidejacking
      • Cookies
        • Session ID often saved in cookies
      • Sidejacking - someone else gets access to the service without actually authenticating with it
        • Session ID captured by attacker
          • Wireshark, Kismet used to capture session info
      • Header, cookie manipulation
      • Encrypt everything end-to-end to prevent Session hijacking
        • Additional load on server
        • Or use VPN
      • Session ID monitors
        • Blacksheep, application-specific monitors
  • Driver manipulation (James Messer)

    • Drivers mediate interaction between hardware and operating system
      • Often trusted
      • Hardware interactions contain sensitive information
    • Shimming (filling in the space between two objects , middleman)
      • i.e. for backwards compatibility with previous Windows versions
      • Windows: Compatibility Mode
      • Malware writes its own shims to get around security (taking advantage of the lack of UAC, User Account Control, in older versions)
    • Refactoring
      • Metamorphic malware: looks different each time it's downloaded, so it's difficult to identify with anti-malware signatures
      • Adds NOPs (no-operation instructions), loops and pointless code strings so it looks different
      • Makes it difficult for signature-based detection
      • Use a layered approach to defend against this (anti-malware with URL blocking, make backups)
  • Spoofing

    • Spoofing is the act of falsifying data. Usually the falsification involves changing the source addresses of network packets. (Stewart)
    • "Spoofing is an attack where an attacker masquerades as another person by falsifying information." (uCertify)
    • One device pretends to be something it is not
    • Email, caller ID, ARP spoofing (MitM)
    • MAC spoofing (James Messer)
      • Spoofs "burned-in" hardware address
      • Circumvents MAC based ACL or filter
      • Difficult to detect
    • IP spoofing (James Messer)
      • Pretending to be an address that isn't on your network
      • Used for ARP poisoning and DNS amplification / DDoS
      • Easier to identify than MAC address spoofing

1.2.3 Wireless attacks

  • War driving
    • War driving is the act of using a detection tool to look for wireless networking signals. Often, war driving is the process of someone looking for a wireless network they aren’t authorized to access. (Stewart)
  • Replay (James Messer)
    • WEP could not stop this
      • Requires thousands of initialization vector (IV) packets to be captured and analyzed throughout the day
    • e.g. ARP request replay attack
    • Don't use WEP
  • IV (James Messer, Jason Dion)
    • Data encrypted with the same key is relatively easy to crack; the IV is an extra bit of data thrown in to change things around.
    • Ideally this should prevent attacks, but with 802.11 WEP the IV is passed along with the encrypted data
    • Basically the IV is in the clear, so it's easy to crack
    • "Involves the interception of authentication traffic on a wireless network." (uCertify)
  • Rogue AP (James Messer)
    • Someone plugs in unauthorized access point
      • Or enables wireless sharing in the OS
    • Schedule a periodic survey
      • Walk around office
      • Use third-party tools / WiFi Pineapple
    • Configure 802.1X (network access control, require you to authenticate regardless of connection type)
  • Evil twin (James Messer)
    • Duplicates SSID, security settings; disguises as another
    • Users connect to evil twin instead of legitimate access point
    • Mitigation: Encrypt your communication using HTTPS or VPN
  • RF Jamming (James Messer)
    • DOS - prevent wireless communication
    • Goal is to decrease the signal-to-noise ratio at the receiving device; overwhelms the good signal
    • Receiver can't hear good signal
    • Sometimes unintentional (microwave oven)
    • Types:
      • Constant, random bits / constant legitimate frames
      • Random timing - random data and legitimate frames
      • Reactive - only when someone or something trying to connect
    • Fox hunting
      • Looking for source of jamming signal
      • Requires directional antenna, attenuator
  • WPS: Wi-Fi Protected Setup (James Messer)
    • Designed for easy setup without long passphrase
    • e.g. pin, button, NFC
    • Easy to crack; took up to 4 hours
      • After slowdown measures, takes one day to one week
    • Some WPS PINs are printed on the back of the router
    • Pixie Dust (new attack)
      • WPS pin may be poorly encrypted
      • Offline WPS brute force
      • Takes 30 minutes or less
    • Avoid using WPS
  • Bluejacking (James Messer)
    • Sending of unsolicited messages to another device via Bluetooth
      • May include address book object
    • Typical functional distance is about 10 meters
    • Third-party software may be used
      • Blooover, Bluesniff
    • The Bluetooth standard was updated to prevent this
  • Bluesnarfing (James Messer)
    • "Bluesnarfing is the unauthorized access of information from a Bluetooth device." (uCertify)
    • Access a Bluetooth-enabled device and transfer data
      • Contact list, calendar, email, pictures, video, etc.
  • RFID (James Messer)
    • Access badges
    • Radar technology
      • Radio energy transmitted to the tag
      • ID is transmitted back
      • Some tag formats can be active/powered
    • Data capture
      • View communication
      • Replay attack
    • Spoof the reader
    • DoS - signal jamming
    • Decryption keys often publicly available
  • NFC (James Messer)
    • Two-way communication
      • Payment systems
    • Helps with Bluetooth pairing, bootstrapping
    • Access token, identity "card"
      • Short range with encryption support
    • Remote capture
      • 10 meters for active devices
    • Frequency jamming
    • Replay / relay attack
    • Losing a device
  • Disassociation (James Messer)
    • A form of DoS
      • Removed from the wireless network
      • You may not be able to stop it
    • Management frames (802.11 wireless)
      • Original wireless standards did not add protection for them
        • Sent in the clear
        • No authentication or validation
      • Uses a management frame called the deauthentication frame to perform the disassociation attack
    • Tools
      • aireplay-ng
    • Disassociation attack goals
      • Gather authentication info for cryptographic attack
      • Conduct a DOS attack

1.2.4 Cryptographic attacks

(James Messer)

  • Known plain text/cipher text
    • Focused on encryption systems that use the same key repeatedly or that select keys in a sequential or otherwise predictable manner. (Stewart)
    • They know part of the plain text
      • It's known as the "crib"
      • e.g. WWII Enigma cipher
  • Rainbow tables
    • "Precomputed tables or hash values associated with passwords. Using rainbow tables can change the search for a password from a computational problem to a lookup problem." (Conklin)
    • Won't work with salted hashes
  • Dictionary
    • "Uses a list of dictionary words to try to guess the password." (Conklin)
    • People often use common words.
  • Brute force
    • "Password-cracking program attempts all possible password combinations." (Conklin)
    • Online brute force is hard and slow; it's easier to do offline with a list of hashes
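The three password attacks above against the two storage schemes that decide whether they work: a fast unsalted hash falls to a precomputed lookup (the idea behind a rainbow table), while a salted, iterated hash forces each guess to be recomputed per user. Added example, not code from the cited sources; the word list is a constructed stand-in for a real dictionary and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a dictionary / leaked-password list.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey", "football"]
ITERATIONS = 100_000   # PBKDF2 work factor (assumed; tune to your hardware)

def unsalted_hash(word):
    # The weak scheme: a fast hash of the bare password, identical for
    # every user who picks that word.
    return hashlib.sha256(word.encode()).hexdigest()

def build_lookup_table(words):
    # A rainbow table is a space-optimised version of this map: computed
    # once, reusable against any unsalted password database.
    return {unsalted_hash(w): w for w in words}

def crack_unsalted(stored_hash, table):
    # Cracking becomes a lookup instead of a computation.
    return table.get(stored_hash)

def hash_password(password, salt=None, iterations=ITERATIONS):
    # Per-user random salt plus a slow KDF; stored as (salt, digest).
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password, salt, digest, iterations=ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def crack_salted(salt, digest, words, iterations=ITERATIONS):
    """Dictionary attack against a salted hash: no table helps, every guess
    is recomputed with this user's salt at full cost.
    Returns (word, guesses) or (None, guesses)."""
    for guesses, word in enumerate(words, start=1):
        if verify_password(word, salt, digest, iterations):
            return word, guesses
    return None, len(words)
```

Salting does not stop a dictionary attack on a weak password; it removes the precomputation shortcut, and the iteration count makes each remaining guess expensive.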
  • Birthday
    • The birthday attack exploits a mathematical property that if the same mathematical function is performed on two values and the result is the same, then the original values are the same. (Stewart)
    • Hash collision - same hash value for 2 different plain texts
    • "The birthday attack is a special type of brute force attack that gets its name from something known as the birthday paradox, which states that in a group of at least 23 people, the chance that two individuals will have the same birthday is greater than 50 percent." (Conklin)
  • Collision
    • "A hash collision is the same hash value for two different plaintexts." (James Messer)
    • Digests are supposed to be unique.
    • MD5 has publicly known collisions
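The birthday bound behind the Birthday and Collision bullets, worked through: the exact birthday probability (23 people, 365 days), the square-root estimate for an n-bit digest, and a small birthday search that finds a collision on a truncated SHA-256 in roughly 2^(bits/2) tries. Added example, not code from the cited sources; truncating SHA-256 to a few bits is a demo device, not a weakness of SHA-256 itself.

```python
import hashlib
import math

def prob_collision(n, space):
    """Exact probability that n values drawn uniformly from `space`
    possibilities contain at least one repeat (space=365: the birthday problem)."""
    p_unique = 1.0
    for k in range(n):
        p_unique *= (space - k) / space
    return 1.0 - p_unique

def smallest_n_for(space, target=0.5):
    """Smallest n with prob_collision(n, space) >= target (fine for small spaces)."""
    n = 1
    while prob_collision(n, space) < target:
        n += 1
    return n

def approx_n_for(space, target=0.5):
    """Closed-form estimate n ~ sqrt(2 * space * ln(1 / (1 - target))).
    For a b-bit digest that is on the order of 2^(b/2) messages, not 2^b."""
    return math.sqrt(2 * space * math.log(1 / (1 - target)))

def truncated_digest(data, bits):
    """First `bits` bits of SHA-256 as an int: a toy short hash for the demo."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits):
    """Birthday search: hash successive counters until two distinct inputs
    share a truncated digest. Returns (input_a, input_b, tries)."""
    seen = {}
    tries = 0
    while True:
        msg = str(tries).encode()
        tries += 1
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, tries
        seen[d] = msg
```

For a 128-bit digest the estimate is about 2^64 hash computations for a 50% collision chance, which is why collision resistance is rated at half the digest length.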
  • Downgrade
    • "Attacker takes advantage of a commonly employed principle to support backward compatibility, to downgrade the security to a lower or nonexistent state." (Conklin)
    • Forced to use an older, weaker algorithm.
  • Weak implementations
    • One weak link breaks the entire chain.
    • 802.11 WEP
      • Easy to decrypt
    • DES
      • Only 56 bits
  • Replay
    • Susceptible:
      • Hash with no salt
      • No session ID tracking
      • No encryption
    • Countermeasure
      • Kerberos time stamps
      • TTL: Time To Live
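The countermeasures listed here (time stamps with a time-to-live, a per-message nonce, and an integrity check so neither can be edited) as one receiver-side check; it covers the Replay bullets in 1.2.2 as well, where the attacker resends captured packets without being in the middle. Added example, not code from the cited sources; the shared key, the 30-second window and the message format are constructed for the demo, and a MAC is used instead of encryption because freshness, not confidentiality, is the point.

```python
import hashlib
import hmac
import json
import time

SHARED_KEY = b"demo-shared-key-not-for-production"   # constructed for the demo
TTL_SECONDS = 30                                     # assumed freshness window

def sign(body, nonce, timestamp, key=SHARED_KEY):
    # MAC over every field, so a replayer cannot change the body, bump the
    # timestamp or swap the nonce without invalidating the tag.
    payload = json.dumps({"body": body, "nonce": nonce, "ts": timestamp}, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def make_message(body, nonce, timestamp=None):
    """Sender side: attach nonce, timestamp and MAC."""
    timestamp = time.time() if timestamp is None else timestamp
    return {"body": body, "nonce": nonce, "ts": timestamp,
            "mac": sign(body, nonce, timestamp)}

class ReplayGuard:
    """Receiver side: accept each (nonce, window) once."""
    def __init__(self, ttl=TTL_SECONDS, key=SHARED_KEY):
        self.ttl = ttl
        self.key = key
        self.seen = {}   # nonce -> timestamp, only kept for one TTL

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        # 1. Integrity: reject anything whose fields were altered.
        expected = sign(msg["body"], msg["nonce"], msg["ts"], self.key)
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        # 2. Freshness: outside the TTL an old capture is worthless.
        if abs(now - msg["ts"]) > self.ttl:
            return False, "stale timestamp"
        # 3. Uniqueness inside the window: the same nonce twice is a replay.
        self._expire(now)
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"

    def _expire(self, now):
        # The TTL bounds the nonce cache: entries older than one window can
        # no longer be replayed, so they can be dropped.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.ttl}
```

The TTL and the nonce cache work together: without the time stamp the cache would grow forever, and without the nonce an attacker could resend within the window.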

1.3 Explain threat actor types and attributes.

(James Messer, Jason Dion)

1.3.1 Types of actors

  • Script kiddies
    • Runs pre-made scripts
    • Might not know what they're doing
    • Not sophisticated
  • Hacktivist
    • Hacker with a purpose
    • Social change or political agenda
    • Can be sophisticated
    • Deface web site
    • Funding is limited
  • Organized crime
    • Outside of network
    • Usually motivated by money
  • Nation states/APT
    • Governments
    • External entity
    • Highest sophistication
    • APT: Advanced persistent threat
  • Insiders
    • Has institutional knowledge
    • Knows what to hit
  • Competitors
    • DoS, espionage, harm reputation
    • High sophistication

1.3.2 Attributes of actors

  • Internal/external
    • "Internal actors have access to the system... External actors have an additional step, the establishment of access to the system under attack." (Conklin)
  • Level of sophistication
    • "The greater the skill level the more an individual will be expected to lead and design the attacks." (Conklin)
  • Resources/funding
    • "Criminal organizations and nation states have larger budgets, bigger teams, and the ability to pursue campaigns for longer periods of time." (Conklin)
  • Intent/motivation
  • Use of open-source intelligence
    • "Open source intelligence, sometimes called open source threat intelligence, refers to intelligence data collected from public sources." (Conklin)

1.4 Explain penetration testing concepts.

(James Messer, Jason Dion, Mike Meyers)

  • Penetration testing
    • Unlike vulnerability scanning, a pentest actually simulates an attack
    • It verifies that threats exist and exploits known vulnerabilities
  • Passive reconnaissance
    • Gather information
    • Learn from open sources
      • Social media
      • Corporate web site
      • Reddit, forums
      • Social engineering
    • Doesn't require touching the equipment
    • Passive reconnaissance is the activity of gathering information about a target without interacting with the target. Instead, information is collected from sources not owned and controlled by the target (other websites and services) as well as by eavesdropping on communications from the target. (Stewart)
  • Active reconnaissance
    • Often done with vulnerability scan
    • Ping scans
    • Port scans
    • DNS queries
    • OS scans, OS fingerprinting
    • Service scans, version scans
    • Active reconnaissance is the idea of collecting information about a target through interactive means. By interacting with a target, accurate and detailed information can be collected quickly but at the expense of potentially being identified as an attacker rather than just an innocent, benign, random visitor. (Stewart)
  • Exploiting vulnerabilities
    • Break into system
    • Gain privilege escalation
    • Be careful; can cause DoS or loss of data
    • Password brute-force
    • Database injection
    • Buffer overflow
  • Initial exploitation
    • Get into the network
    • A challenging hurdle (most of the time)
    • Secure way back in; backdoor
    • Build user accounts
  • Pivot
    • Foothold point
    • Inside of network relatively open
    • Jump from here to rest of network
  • Levels of information
    • Black box
      • Pentester knows nothing
      • Minimal information
      • Blind test
    • White box
      • Full disclosure
      • Being "an employee of the company... is often a requirement for white-box testing." (uCertify)
    • Grey/gray box
      • Mix of black and white
      • Focus on certain applications
  • Popular tool: Metasploit
  • Escalation of privilege
    • "The movement from a lower-level account to an account that enables root-level activity." (Conklin)
  • Persistence
    • "APT actors tend to be very patient and use techniques that make it very difficult to remove them once they have gained a foothold. Persistence can be achieved via a wide range of mechanisms, from agents that beacon back out, to malicious accounts, to vulnerabilities introduced to enable reinfection." (Conklin)
  • Penetration testing vs. vulnerability scanning
    • Vulnerability scanning
      • See if vulnerability exists
    • Pentest
      • Simulates an attack
      • Tries to exploit
    • With DoS attack: "Penetration testing will give you a detailed account of whether a network has the capability to detect and respond to a denial-of-service attack." (uCertify)
    • "Penetration tests are usually designed to simulate a particular attack, allowing the administrator to determine the potential impact of that threat to the network. Penetration tests are not designed to identify all vulnerabilities and weaknesses; to do that, you would use a vulnerability scanner, among other things." (uCertify)
    • Penetration testing: active
    • Vulnerability scanning: passive

1.5 Explain vulnerability scanning concepts.

(James Messer, Mike Meyers)

  • Vulnerability scanning is used to discover weaknesses in deployed security systems in order to improve or repair them before a breach occurs. By using a wide variety of assessment tools, security administrators can learn about deficiencies quickly. (Stewart)

  • Passively test security controls

    • A passive test of security controls is being performed when an automated vulnerability scanner is being used that seeks to identify weaknesses without fully exploiting discovered vulnerabilities. (Stewart)
  • Vulnerability identification

    • A scanner that is able to identify a vulnerability does so through a testing probing process defined in its database of evaluations. The goal of a vulnerability scanner is to inform you of any potential weaknesses or attack points on your network, within a system, or against an individual application. (Stewart)
    • Signatures are the key
  • Identify lack of security controls

    • An important task for a vulnerability scanner is to identify any necessary or best-practice security controls that are not present in the evaluated target. Such a report may indicate that updates and patches are not applied or that a specific security mechanism is not present. (Stewart)
  • Identify common misconfigurations

    • Many vulnerability scanners can determine whether or not you have improper, poor, or misconfigured systems and protections. If a vulnerability scanner is able to detect this issue, so can an attacker. (Stewart)
  • Intrusive vs. non-intrusive scan

    • Non-intrusive (passive evaluation)
      • Don't exploit
      • Packet-capture & analysis
    • Intrusive (active evaluation)
      • Try out the vulnerability; don't take advantage of it
  • Credentialed vs. non-credentialed

    • Non-credentialed
      • No access, user/pass
    • Credentialed
      • A credentialed scan is one where the logon credentials of a user, typically a system administrator or the root, must be provided to the scanner in order for it to perform its work. (Stewart)
      • Emulates insider attack
  • False positive

    • Vulnerability identified that doesn't really exist
  • False negatives

    • Vulnerability existed, but wasn't discovered

See also:

  • nikto
    • scans servers
    • identifies vulnerabilities

1.6 Explain the impact associated with types of vulnerabilities.

(James Messer, Mike Meyers)

  • Race conditions
    • Programming conundrum
    • Async, sequencing needs validation
    • e.g. a bank account where two users are able to transact at the same time
    • Time-of-check-to-time-of-use (TOCTTOU) attacks are often called race conditions because the attacker is racing with the legitimate process to replace the object before it is used. Another form of race condition attack occurs when two processes are running concurrently and one process is designed to finish first, but the attack alters the processing to change the order of completion. (Stewart)
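The bank-account race from the bullets above, reproduced deterministically: two withdrawals both pass the balance check before either debits, and the account goes negative; the fix makes check and use one atomic step under a lock. Added example, not code from the cited sources; the account class and balances are constructed, and the barrier exists only to force the interleaving every run (in production the window is just smaller, not absent).

```python
import threading

class Account:
    """Constructed demo account with a racy and a safe withdrawal path."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, gate=None):
        # Time of check: the balance looks sufficient ...
        if self.balance >= amount:
            if gate is not None:
                gate.wait()   # widens the check-to-use window so the race always happens
            # ... time of use: another thread may have debited in between.
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount):
        # Check and debit are a single atomic step under the lock, so no
        # other thread can observe the balance between them.
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False

def _run_threads(target, args_list):
    threads = [threading.Thread(target=target, args=args) for args in args_list]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

def demo_racy(balance, amount, n_threads=2):
    """Final balance after n concurrent withdrawals via the racy method."""
    acct = Account(balance)
    gate = threading.Barrier(n_threads)   # every thread passes the check before any debit
    _run_threads(acct.withdraw_racy, [(amount, gate)] * n_threads)
    return acct.balance

def demo_safe(balance, amount, n_threads=2):
    """Final balance after n concurrent withdrawals via the locked method."""
    acct = Account(balance)
    _run_threads(acct.withdraw_safe, [(amount,)] * n_threads)
    return acct.balance
```

The same pattern applies to file TOCTTOU bugs: checking a path and then opening it are two steps, and the defence is likewise to make the check part of the use (open first, then validate the handle) rather than to narrow the gap.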
  • Vulnerabilities due to:
    • End-of-life systems
      • No longer under support
      • No more security patches
    • Embedded systems
      • Often have outdated OS software
      • Upgrade... if you can
      • Malware takes advantages of vulnerabilities
    • Lack of vendor support
      • Vendors need to patch vulnerabilities
      • In a timely manner
  • Improper input handling
    • All input should be considered malicious
    • SQL injections, buffer overflows
    • Validate, sanitize data
    • There are three main forms of input filtering that should be adopted by every programmer and included in every code they author: check for length, filter for known malware patterns, and escape metacharacters. (Stewart)
  • Improper error handling
    • Don't show too much error details to user
    • Hide stack traces, DB dumps, memory dumps to public
    • Right amount of detail
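What "the right amount of detail" looks like in a request handler: the full stack trace goes to the server log under a reference id, and the client sees only that id. Added example, not code from the cited sources; the failing view and its connection-string error text are constructed to show the kind of detail that must not reach users.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

def handle_request_unsafe(view):
    """Returns (status, body). Sends the stack trace to the client:
    file paths, hostnames and credentials in the message all leak."""
    try:
        return 200, view()
    except Exception:
        return 500, traceback.format_exc()

def handle_request_safe(view):
    """Returns (status, body). Full detail to the server log, keyed by a
    reference id; the client gets only the id so support can find the entry."""
    try:
        return 200, view()
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.exception("request failed, incident=%s", incident)
        return 500, f"Internal error. Reference: {incident}"

def failing_view():
    # Constructed failure carrying exactly the detail that must stay server-side.
    raise RuntimeError("connect to db01.internal:5432 failed for user 'app' "
                       "with password 'hunter2'")

def healthy_view():
    return "ok"
```

The same rule covers web server and framework debug pages: they are a convenience in development and an information disclosure in production.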
  • Misconfiguration/weak configuration
    • Turn off debuggers, defaults
  • Default configuration
    • "Default configuration is the configuration that a system enters upon start, upon recovering from an error, and at times when operating." (Conklin)
  • Resource exhaustion
    • Resource exhaustion occurs when applications are allowed to operate in an unrestricted and unmonitored manner so that all available system resources are consumed in the attempt to serve the requests of valid users or in response to a DoS attack. (Stewart)
    • "Resource exhaustion is the state where a system does not have all of the resources it needs to continue to function." (Conklin)
  • Untrained users
    • Training is critical
    • Quiz and role play
    • Become familiar with common situations
  • Improperly configured accounts
    • Frequent audits needed
    • Abandoned and unnecessary accounts
    • Accounts with administrative access / violation of least privilege
  • Vulnerable business processes
    • Stolen SWIFT credentials in banks
  • Weak cipher suites and implementations
    • Protocol (AES/3DES)
    • Length of encryption key (40 bits/128 bits)
    • Hash used for integrity check (SHA,MD5)
    • Some cipher suites are easier to break than others; stay up to date
    • Poor key and certificate management
  • Memory/buffer vulnerability
    • Memory leak
      • Memory allocated, never properly released
      • Slowly grows in size, eventually use up all mem
      • System crashes
    • Integer overflow
      • When a mathematical operation attempts to create a numeric value that is too large to be contained or represented by the allocated storage space or memory structure. (Stewart)
      • Large number into a smaller sized space
      • Hackers will take advantage of this issue
    • Buffer overflow
      • Overwriting a buffer of memory
      • Spills over into other memory areas
    • NULL Pointer dereference
      • Dereferencing address that points to nothing
      • App crashes
    • DLL injection
      • DLL injection is an advanced software exploitation technique that manipulates a process’s memory in order to trick it into loading additional code and thus perform operations the original author did not intend. (Stewart)
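How an integer overflow turns into a buffer overflow, which is the link between the two bullets above: a size computed as count * elem_size wraps in a 32-bit unsigned type, the buffer allocated from the wrapped value is tiny, and a copy loop driven by the original count then writes past it. Added example, not code from the cited sources; the 32-bit wraparound is simulated in Python with a mask to mirror what C's unsigned arithmetic does silently.

```python
U32_MAX = 0xFFFFFFFF

def wrap_u32(value):
    """Keep only the low 32 bits, as unsigned arithmetic does in C."""
    return value & U32_MAX

def unchecked_alloc_size(count, elem_size):
    # Mirrors `size_t total = count * elem_size;` on a 32-bit size_t with no
    # overflow check: a huge count produces a small (wrapped) size.
    return wrap_u32(count * elem_size)

def checked_alloc_size(count, elem_size):
    # Divide instead of multiply: the product fits only if
    # count <= U32_MAX / elem_size. Returns None when it cannot fit, so the
    # caller refuses the request instead of allocating a too-small buffer.
    if elem_size == 0 or count > U32_MAX // elem_size:
        return None
    return count * elem_size

def plan_copy(count, elem_size):
    """Return (buffer_size, bytes_the_copy_loop_writes).

    The buffer is sized from the wrapped product, but a loop that copies
    `count` elements still writes count * elem_size bytes; when the second
    number exceeds the first, the integer overflow has become a heap
    buffer overflow."""
    buffer_size = unchecked_alloc_size(count, elem_size)
    bytes_written = count * elem_size
    return buffer_size, bytes_written

def overflows(count, elem_size):
    """True when the unchecked computation would produce an undersized buffer."""
    buffer_size, bytes_written = plan_copy(count, elem_size)
    return bytes_written > buffer_size
```

The check-before-multiply idiom is the portable defence; compilers and libraries also offer builtins for overflow-checked arithmetic, and languages with arbitrary-precision integers (like this Python) avoid the wrap but not the logic error if the result is later truncated to a fixed width.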
  • System sprawl/undocumented assets
    • Keeping track of resources is a challenge (e.g. too many unnecessary VMs running)
    • Forgotten or misplaced devices
  • Architecture/design weaknesses
    • Proper locks on systems
    • Examine every part of network
  • New threats/zero day
    • There isn't always time to properly test
    • Balance severity with stability
    • WannaCry
  • Improper certificate and key management
    • Management needs to be well planned
    • What will be the organization's CA?
    • How will the CA's content be protected?
    • How will intermediate CAs be created and managed?