SEC+ preparation #4

Let’s jump into the next day of preparing for Sec+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes the various topics. A real professional.

You can purchase Security+ SY0-701 boot camp here

Threat vectors and attack surfaces

  • Message based vectors

  • Wired

  • Wireless

  • Systems

    • Unpatched software is usually the hole into the system. Patching is one of the most important things in software security. If things break after patching, build a test environment and test patches there first.

    • It’s good to understand how SQL works in order to recognise and test for SQL injection.

  • Files and images

  • Removable devices

Email is the most common delivery vector, and phishing is the most popular technique sent over it.

A botnet is an army of compromised (“zombie”) devices. IoT devices are a good example: attackers compromise large numbers of poorly secured IoT devices and then use them to launch DDoS attacks.

  • Threat data and intelligence

    • It’s the activity security professionals carry out to obtain the latest information about new threats. Some companies provide threat intelligence for a fee.

    • It helps to identify risks to the organization.

  • Open source intelligence (OSINT)

    • It’s a very big field.

    • It means using information that is already publicly available (on the internet and elsewhere) for your own needs, for example to defend your organization.

    • There are organizations that collect OSINT and sell the result. It takes them days to gather; you get it in seconds.

  • Proprietary and closed-source intelligence

    • Used by governments and by organizations that pay for it; it is not publicly available.
  • Assessing threat intelligence

    • Is the information accurate? Also ask whether it is timely (still current), relevant to your environment, and what confidence level the source assigns to it.
  • Information sharing organizations

    • Usually an organization that gets hacked does not share information about the incident because it does not want to lose its reputation. That is really bad, because other organizations may have the same vulnerability and can be hacked the same way. Sharing organizations such as sector ISACs exist so this information can be exchanged in a trusted setting.
  • Conducting your own research

    • Depends on the time and skill available
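
As an added example (not from these notes or the course), here is how the assessment questions above look in code: a small Python script that matches constructed proxy log lines against a constructed threat feed and discards indicators that are stale or low-confidence before raising an alert. The feed and log formats, the hosts, the timestamps and the thresholds are all assumptions made for this example.

```python
"""Added example (not from the original notes): match constructed proxy
log lines against a constructed threat feed, discarding indicators that
fail the assessment questions (too old, too low confidence).

Assumptions: the feed format (type/value/confidence/last_seen) and the
log format ("timestamp src_ip dst_ip url") are invented for this example.
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed feed entries; the domains and IPs are reserved example ranges.
FEED = [
    {"type": "domain", "value": "update-check.example", "confidence": 90,
     "last_seen": "2024-05-10T00:00:00Z"},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 40,   # weak source
     "last_seen": "2024-05-12T00:00:00Z"},
    {"type": "ipv4", "value": "198.51.100.9", "confidence": 95,
     "last_seen": "2023-01-01T00:00:00Z"},                       # stale
]

# Constructed proxy log lines: "timestamp src_ip dst_ip url".
LOGS = [
    "2024-05-13T09:00:01Z 10.0.0.5 203.0.113.7 http://203.0.113.7/a.php",
    "2024-05-13T09:00:02Z 10.0.0.6 192.0.2.44 http://update-check.example/x",
    "2024-05-13T09:00:03Z 10.0.0.7 198.51.100.9 https://198.51.100.9/c",
]

# Fixed "now" so the example is reproducible.
NOW = datetime(2024, 5, 13, 9, 30, tzinfo=timezone.utc)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def indicator_usable(ind: dict, now: datetime,
                     max_age_days: int = 90, min_confidence: int = 50) -> bool:
    """Timeliness and confidence checks. IP indicators in particular go
    stale fast: addresses get reassigned, so an old 'malicious IP' is
    mostly a false-positive generator."""
    age = now - parse_ts(ind["last_seen"])
    return age <= timedelta(days=max_age_days) and ind["confidence"] >= min_confidence


def match_logs(logs, feed, now):
    """Return (src_ip, indicator, confidence) for each hit on a usable indicator."""
    usable = [ind for ind in feed if indicator_usable(ind, now)]
    hits = []
    for line in logs:
        _ts, src, dst, url = line.split()
        host = re.match(r"https?://([^/:]+)", url).group(1).lower()
        for ind in usable:
            if (ind["type"] == "ipv4" and ind["value"] == dst) or \
               (ind["type"] == "domain" and ind["value"] == host):
                hits.append((src, ind["value"], ind["confidence"]))
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOGS, FEED, NOW):
        print("ALERT src=%s matched %s (confidence %d)" % hit)
```

Only the domain hit survives: the low-confidence IP and the year-old IP are dropped before matching, which is the difference between a feed that helps and a feed that floods the SOC with noise.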

Malicious code: Malware

On the Sec+ exam many types of malware are introduced. We need to know the characteristics of each type.

Type:

  • Ransomware

  • Viruses

  • Worms

  • Spyware, trojans, rootkits, bloatware

  • Backdoors, keyloggers

  • Logic bombs

  • Botnets, Bots and Command and control

Ransomware

It is encryption of important files followed by a demand to pay a ransom, usually in Bitcoin, for the decryption key.

  • If you pay the ransom, you’re feeding the ransomware industry. If they get money, they make better ransomware.

  • Companies usually have cyber insurance, and together with the insurer they decide whether paying is worth it. Paying does not guarantee a working decryptor, so tested offline backups are the real defence.

Bloatware

It’s a term for unwanted applications pre-installed on a system by the manufacturer, for example on your phone. The more applications running, the broader the attack surface.

Virus (IMPORTANT)

It’s a program that replicates by copying itself, or triggering its own copying, into another program, a computer’s boot sector or a document.

  • Viruses cannot spread by themselves; they need a host file or carrier that gets executed.

  • Might be appended to an executable.

  • Usually removed by antivirus software.

  • Often acquired by installing software.

  • Most target Windows, simply because the majority of the world’s desktops run Windows.

Varieties of viruses:

  • Memory-resident viruses

    • They remain in memory while the system is running

  • Non-memory-resident viruses

    • These execute, spread and then shut down

  • Boot sector viruses

    • They reside in the boot sector

    • If the boot sector is corrupted, the system won’t boot

  • Macro viruses

    • They use macros (code inside word processing software or other Office tools) to spread

    • The BlackEnergy campaign against Ukraine (2014-2015) used this technique: a macro in a weaponized Office document dropped the BlackEnergy malware

  • Email viruses

    • They usually spread via email attachments
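
To make the macro-virus vector concrete, here is an added Python example (not from these notes) that checks whether a modern Office document carries a VBA project by looking inside its zip container rather than trusting the file extension. The documents it tests are constructed stand-ins built in the script itself, not real Office files; the content type string is the one OOXML uses for VBA parts.

```python
"""Added example (not from the original notes): detect VBA macros in an
OOXML document by inspecting the zip container, not the file extension.

Assumption: the "documents" below are constructed minimal zips with just
enough OOXML structure for the check; they are not real Office files.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}


def build_document(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word document (with or without a VBA part)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    parts = {"word/document.xml": b"<w:document/>"}
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        # Real files hold an OLE2 container here; this is a labelled stub.
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 constructed stub, not real VBA"
    content_types = ('<?xml version="1.0"?><Types xmlns='
                     '"http://schemas.openxmlformats.org/package/2006/content-types">'
                     f"{overrides}</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def macro_report(data: bytes, filename: str) -> dict:
    """Flag macro-bearing OOXML files and files whose extension hides that fact."""
    if not data.startswith(b"PK") or not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc/.xls are OLE2, not zip: this check does not cover them.
        return {"ooxml": False, "has_macros": False, "extension_mismatch": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        content_types = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                         if "[Content_Types].xml" in names else "")
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    declares_vba = VBA_CONTENT_TYPE in content_types
    has_macros = has_vba_part or declares_vba
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "ooxml": True,
        "has_macros": has_macros,
        # A VBA part inside a .docx/.xlsx is itself a red flag: the extension
        # promises a macro-free file.
        "extension_mismatch": has_macros and ext not in MACRO_EXTENSIONS,
    }


if __name__ == "__main__":
    print(macro_report(build_document(True), "invoice.docm"))
    print(macro_report(build_document(True), "invoice.docx"))
    print(macro_report(build_document(False), "memo.docx"))
```

This only answers “are macros present”; to see what the macro does (AutoOpen handlers, shell calls, downloads) use olevba from the oletools project on the real file.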

Worm

A worm is self-contained and spreads to other systems on its own, typically over the network. A virus needs a host file or medium to travel in; a worm does not.

Trojan

The name refers to The Trojan Horse.

  • The software appears to be safe, but there is a malicious part inside

  • They do not self-replicate

  • They need a legitimate-looking piece of software to carry them

  • Usually they are installed from an unknown website

  • Nothing is free. If the product is free, you are the product

  • A trojan can install a backdoor or keystroke recorder, or even steal files

  • Encrypt sensitive data at rest so that a trojan that steals files gets less

Avoiding trojans:

  • Do not download stuff from unknown websites.

  • Use multi layers of defense:

    • AntiVirus

    • AntiSpyware

    • AntiMalware

  • Antivirus alone is not enough anymore

Logic bomb

A set of instructions inside a program that “explodes” when a certain condition is met.

It detonates at a set time or on a specific trigger (a date, or an event such as an account being deleted). Only then is the harm to the system done, which is why it can sit unnoticed for a long time.

Rootkits

  • Can exist on any platform

  • Hard to detect: it hides its own files and processes from the operating system’s normal tools

  • May contain a backdoor or keystroke recorder

Spyware

A piece of software that is installed secretly and gathers information about the user.

  • Can hijack the browser and redirect it to other websites.

  • Does not replicate itself.

  • Pegasus - commercial spyware developed by the Israeli company NSO Group and sold to governments.

Backdoors

  • A way to bypass the normal access controls

  • Establishes permanent access

  • Can be installed by a Trojan horse

  • Often referred to as a RAT (remote access trojan) when it gives remote control

  • May only answer to a specific trigger sequence (for example a port-knocking sequence) so that it stays invisible to a normal port scan

Botnet

Army of zombie machines

  • The owner of the machine is usually not aware

  • Bot software is installed on a compromised remote machine, which then takes orders from a command-and-control (C2) server

  • Usually used for DDoS, but also for distributed password brute-forcing, where each bot makes only a few attempts
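
An added Python example (not from these notes) of the botnet brute-force pattern: a detector run over constructed sshd-style log lines that catches both a single noisy source and the distributed case where each bot stays under the per-IP threshold. Host names, users, addresses and thresholds are invented for the example.

```python
"""Added example (not from the original notes): spot password brute-forcing
in constructed sshd-style log lines, including the distributed pattern a
botnet produces, where each bot stays under the per-IP threshold.

Assumptions: the log format mirrors OpenSSH's "Failed password for USER
from IP" message; all hosts, users and addresses are invented.
"""
import re
from collections import Counter, defaultdict

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def _line(user: str, ip: str, n: int) -> str:
    return (f"May 13 09:00:{n:02d} bastion sshd[{1000 + n}]: "
            f"Failed password for {user} from {ip} port {50000 + n} ssh2")


# Constructed log: one noisy source hammering root, eight different bots
# each trying "admin" exactly once, plus an unrelated successful login.
LOG_LINES = (
    [_line("root", "203.0.113.5", i) for i in range(6)]
    + [_line("admin", f"198.51.100.{10 + i}", 10 + i) for i in range(8)]
    + ["May 13 09:00:30 bastion sshd[2000]: Accepted publickey for deploy "
       "from 10.0.0.4 port 50099 ssh2"]
)


def analyze(lines, per_ip_threshold=5, per_user_threshold=8, min_sources=3):
    """Return noisy source IPs and users under distributed (low-and-slow) attack."""
    fails_by_ip = Counter()
    fails_by_user = Counter()
    sources = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        user, ip = m.groups()
        fails_by_ip[ip] += 1
        fails_by_user[user] += 1
        sources[user].add(ip)

    # Classic rule (what fail2ban-style tools catch): one IP, many failures.
    noisy_ips = sorted(ip for ip, n in fails_by_ip.items() if n >= per_ip_threshold)

    # Botnet rule: many failures against one account spread over many
    # sources, none of which trips the per-IP rule on its own.
    distributed = sorted(
        user for user, n in fails_by_user.items()
        if n >= per_user_threshold
        and len(sources[user]) >= min_sources
        and max(fails_by_ip[ip] for ip in sources[user]) < per_ip_threshold
    )
    return {"noisy_ips": noisy_ips, "distributed_targets": distributed}


if __name__ == "__main__":
    print(analyze(LOG_LINES))
```

The response differs for the two cases: banning the noisy IP works, but banning bots one at a time does nothing against the distributed case; there the control is on the account (lockout, MFA, key-only login), not on the source address.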

Social engineering and Password Attacks

Social engineering is very important.

  • Relies on social skills rather than technical ones, though most attacks require both

  • There are multiple techniques:

    • Scarcity

    • Reciprocation

    • Friendship

      • Someone sets out to build a relationship with you. They invest weeks or months to gain your trust, then give you something for free, and after that they use your trust to get what they want.

  • Salespeople are the best social engineers

Types (Important, will be in exam):

  • Shoulder surfing - watching someone’s screen or keystrokes

    • Can be done remotely

    • For example with a high-power zoom lens or a compromised camera

  • Dumpster diving - searching the trash for confidential information

    • Trash is generally treated as abandoned property

      • In many jurisdictions (the US included) you can’t be arrested for taking garbage left out for collection, though trespassing to reach a dumpster can still be an offence

    • People will throw anything into a garbage can

    • Can be a great source of information

    • Sensitive information has to be shredded

      • Use a cross-cut shredder (small pieces), not a strip-cut one

      • Locked shredding bins emptied by a shredding service are the best method

  • Tailgating - you join a group of employees having lunch in the yard and chat with them; when they go back into the office someone holds the door open for you, and you walk in without a badge

    • Kevin Mitnick did it often

    • A mantrap (SY0-701 calls it an access control vestibule) prevents tailgating

      • A hallway with two doors

      • Only one door will open at a time

      • The user must authenticate (to a guard or a badge reader) before the second door opens

  • Impersonation - presenting yourself as someone or something you are not

    • Spoof a MAC address

    • Spoof an IP address

    • Spoof your identity

    • Pretend to be a person of authority

    • Countermeasures:

      • Strong authentication mechanisms (at least two factors)

        • Two-factor and multi-factor authentication are not the same thing: 2FA is MFA with exactly two factors, and two credentials from the same category (password plus PIN) are not multi-factor at all

      • Factors:

        • Something you know, something you have and something you are (SY0-701 adds somewhere you are)

      • A password and fingerprint combination is multi-factor

  • Hoaxes - a false warning or story (a fake virus alert, a chain message) that tricks the victim into acting

    • A form of social engineering

    • Might make you feel guilty or scared so that you act without thinking

  • Spear phishing - targeted phishing

    • Similar to whaling

    • But it does not specifically target executives

    • Appears to come from a trusted source as well

    • Attackers learn about you with OSINT and use that information to make the phishing message convincing

    • AI will make phishing a lot easier: fluent, personalized messages at scale

  • Whaling - going after a big target

    • Super personalized attack

    • The target is a high-level employee, typically an executive

    • Based on information gathered by OSINT

    • Sometimes takes a long time

    • Hard to detect

    • May be a fake message from a partner

    • Even if you know the sender, do not trust the message by itself; verify through another channel, such as a phone call to a number you already have

  • Vishing - phishing, but by voice

    • Phishing through phone calls or voicemail

    • Very effective

    • Can trick lots of users and customers

    • A newer form of social engineering

    • Example:

      • Someone calls you claiming to work for your town’s energy company. They say you did not pay your bill and must give your credit card number right now, or they will cut off your electricity

    • The cost is minimal and the success rate is high

    • You can’t trust caller ID; it is trivially spoofed
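
Because a message that “appears to come from a trusted source” can still be checked, here is an added Python example (not from these notes) that pulls the spoofing signals out of a constructed spear-phishing e-mail’s headers using only the standard library. The message, domains and keyword list are assumptions for the example; it also assumes the Authentication-Results header was added by your own inbound mail server, since a copy supplied by the sender is worthless.

```python
"""Added example (not from the original notes): pull the spoofing signals
out of a phishing e-mail's headers instead of trusting the display name.

Assumptions: the message below is constructed (domains are reserved
example names); the Authentication-Results header is assumed to have been
added by your own inbound MX, which is the only copy you can trust.
"""
from email import message_from_string
from email.utils import parseaddr

RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=corp.example
From: "Alice Example (CEO)" <alice@corp.example>
Reply-To: alice.ceo.office@webmail.example
To: bob@corp.example
Subject: URGENT: wire transfer before 5pm

Bob, I am in a meeting, please handle this quietly and confirm.
"""

URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card", "confidential")


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def phishing_signals(raw: str) -> list:
    """Return human-readable reasons this message deserves a second look."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    signals = []

    # Envelope sender vs. visible From: normal for mailing lists, but also
    # exactly what a spear-phish sent through a throwaway relay looks like.
    return_path = domain_of(msg.get("Return-Path"))
    if return_path and return_path != from_domain:
        signals.append(f"Return-Path domain {return_path} differs from From domain {from_domain}")

    # Replies silently go somewhere else: the attacker's mailbox.
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != from_domain:
        signals.append(f"Reply-To points to another domain ({reply_to})")

    # DMARC ties SPF/DKIM to the visible From domain; a fail means the
    # From header was not authorised by that domain's owner.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=fail" in auth:
        signals.append("DMARC failed for the From domain")
    elif "dmarc=pass" not in auth:
        signals.append("no DMARC result recorded")

    # The social engineering lever: scarcity and pressure.
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        signals.append("pressure language in subject")
    return signals


if __name__ == "__main__":
    for reason in phishing_signals(RAW_MESSAGE):
        print("-", reason)
```

None of these signals alone proves phishing (newsletters fail the Return-Path check every day), but a message carrying all four, from “the CEO”, asking for money, should never be acted on without an out-of-band call.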

Security assessment and testing

  1. Vulnerability scan

    • Tests whether there is a potential vulnerability in your system

    • Checks the system against a database of known vulnerabilities

    • Will give you lots of false positives

  2. Security scan

  3. Penetration testing

  4. Risk assessment

  5. Security auditing

Vulnerability management

Identify → Evaluate → Treat → Report

Identifying scan targets

  1. What is the data classification of the information stored in your system?

  2. Is the system exposed to the internet or other public or semi-public networks?

  3. What services are offered by the system?

  4. Is the system a production, test or development system?

These are the questions we need to answer when deciding what to scan and how urgently.
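
An added Python example (not from these notes) that turns the four scoping questions above into a scan-priority score and then ranks scanner findings by asset context rather than raw CVSS, marking version-banner detections for manual validation. The inventory, findings, weights and finding ids are constructed for the example; the ids are placeholders, not CVE numbers.

```python
"""Added example (not from the original notes): score scan targets with the
four scoping questions, then rank findings by asset context and mark
version-only detections for manual validation.

Assumptions: the asset inventory, findings and weights are constructed;
finding ids are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str     # public | internal | confidential | restricted
    internet_exposed: bool
    services: tuple
    environment: str        # dev | test | prod


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str
    cvss: float
    evidence: str           # "active_check" (scanner exercised the bug) or "version_banner"


CLASS_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ENV_WEIGHT = {"dev": 0, "test": 1, "prod": 2}

# Constructed inventory.
ASSETS = [
    Asset("web-prod", "confidential", True, ("https", "ssh"), "prod"),
    Asset("db-prod", "restricted", False, ("postgres",), "prod"),
    Asset("build-dev", "internal", False, ("ssh",), "dev"),
]

# Constructed scanner output. Note the dev box has the highest raw CVSS.
FINDINGS = [
    Finding("web-prod", "F-1", 7.5, "active_check"),
    Finding("db-prod", "F-2", 9.0, "version_banner"),
    Finding("build-dev", "F-3", 9.8, "version_banner"),
]


def scan_priority(asset: Asset) -> int:
    """Higher means scan first and more often: the four questions, scored."""
    return (CLASS_WEIGHT[asset.classification]        # 1. data classification
            + (3 if asset.internet_exposed else 0)    # 2. internet exposure
            + min(len(asset.services), 3)             # 3. services offered
            + ENV_WEIGHT[asset.environment])          # 4. prod / test / dev


def scan_order(assets) -> list:
    return [a.name for a in sorted(assets, key=scan_priority, reverse=True)]


def triage(findings, assets) -> list:
    """Rank findings by CVSS adjusted for asset context; returns
    (finding_id, asset, state) from most to least urgent."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        a = by_name[f.asset]
        score = f.cvss * (1.5 if a.internet_exposed else 1.0) * (1.0 + 0.25 * ENV_WEIGHT[a.environment])
        # Version-banner matches are the main false-positive source: distro
        # backports fix the bug but keep the old version string. Validate
        # before anyone spends remediation time on them.
        state = "treat" if f.evidence == "active_check" else "validate"
        ranked.append((score, f.finding_id, f.asset, state))
    ranked.sort(reverse=True)
    return [(fid, asset, state) for _score, fid, asset, state in ranked]


if __name__ == "__main__":
    print("scan order:", scan_order(ASSETS))
    for row in triage(FINDINGS, ASSETS):
        print(row)
```

Sorted by raw CVSS the dev box would come first; with exposure and environment applied, the internet-facing production host with a confirmed (actively checked) bug lands on top, and the two banner-only findings go to validation before anyone patches.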

Determining scan frequency

  • Organization’s risk appetite

  • Regulatory requirements

  • Technical constraints

  • Business constraints

  • Licensing limitations

Vulnerability scanners

  • Large database of known vulnerabilities

  • Must be constantly updated

  • Often reports things that aren’t really there (false positives)

  • Every result must be validated manually; that is what a penetration tester does

  • Some vulnerability scanners:


Written by

Jonas Satkauskas