Ethical Hacking COSS 273 PDF

Ethical hacking COSS 273 Module 1 Information security fundamentals Information security: state of well-being of info in which the possibility of theft, tampering, and disruption of info and services is low or tolerable - Protection or safeguarding of info and info systems Elements of information security Confidentiality: info is accessible only to authorized users - Breaches occur due to improper data handling or hacking attempts - Controls include data classification, data encryption, and proper disposal of equipments (DVDs, USBs) Integrity: trustworthiness of data or resources, assurance that info is accurate for its purpose - Measures to maintain data integrity include checksum (number produced by a math function to verify that a given block of data is not changed - Access control which ensures that only authorized users can update, add, or delete data Availability: assurance that the systems responsible for delivering, storing, and processing info are accessible when needed - Measures include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial of service (DDoS) prevention systems Authenticity: characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted - Measures such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, etc. Non-repudiation: way to guarantees that the sender of the message cannot later deny having sent the message and that the recipient cannot deny having received the message - Digital signatures are used to ensure non-repudiation Security, functionality, and usability triangle Functionality: set of features provided by the system Usability: GUI components used to design the system for ease of use Security: restrictions imposed on accessing the components of the system - Increase or decrease of any of the components affects the two other components Security challenges Compliance to government laws Lack of qualified and skilled cybersecurity professionals Use of a serverless architecture and applications that rely on third party cloud providers Increase in cybersecurity risks such as data loss and unpatched vulnerabilities and errors due to the usage of shadow IT Shortage of research visibility and training for IT employees Motives, goals, and objectives of information security attacks Attackers generally have motives (goals) and objective behind their info security attacks Motive originates out of the notion that a target system stores or processes something valuable, which leads to the threat of an attack on the system Attacks = Motive + method + vulnerability Motives behind info security attacks: - Disrupt business continuity - Perform info theft - Manipulate data - Create fear and chaos - Bring financial loss to the target - Damage reputation of the target - Take revenge - Demand ransom Classification of attacks Passive attacks: do not tamper with the data and involve intercepting and monitoring network traffic and data flow on the target network. Attacks are difficult to detect because there is no interaction with the target system or network. Allows data or files being transferred to be captured without user consent. Can obtain data like unencrypted data in transit, or other sensitive info that is useful - Footprinting, sniffing and eavesdropping, network traffic analysis Active attacks: tamper with data being transferred or disrupt the communication or services between the systems to bypass or break into a secured system. Attackers penetrate or infect the target’s internal network and gain access to a remote system to compromise the network. These attacks can be detected because they send traffic actively - DDoS attacks, bypassing protection mechanisms, malware attacks (viruses, worms), modification of info, session hijacking, firewall and IDS attack, man in the middle attack, backdoor access, Close in attacks: attacker is physically close with the target system or network in order to gather, modify, or disrupt access to info. Attackers gain close proximity through secret entry, open access, or both - Social engineering (eavesdropping, shoulder surfing, dumpster diving) Insider attacks: use of privileged access to violate rules or intentionally cause a threat to the organization’s info or info system. Performed by trusted persons who have access to the target. Misuse the organization’s assets to directly affect the confidentiality, integrity, and availability of info systems - Eavesdropping and wiretapping, theft of physical devices, planting keyloggers, backdoors, or malware Distribution attacks: tampering with hardware or software prior to installation. Tamper with hardware at its source or in transit. Backdoors can be created by software or hardware vendors at the time of manufacture. Attackers leverage these backdoors to gain unauthorized access to the target info, system, or network - Modification of software or hardware during production/distribution Information security attack vectors Cloud computing threats: refers to the on demand delivery of IT capabilities in which IT infrastructure and applications are provided to subscribers as a metered service over a network (the cloud). Clients can store sensitive info on the cloud. A flaw in one client’s application can allow attackers to access another client’s data Advanced persistent threats (APT): refers to an attack that steals info from a victim machine without its user being aware. Targeted at large companies and government networks. They are slow attacks so the effect on computer performance and internet connections is barely noticeable. Exploits vulnerabilities in the applications running on computers, and OS. Viruses and worms: most prevalent networking threats and capable of infecting a network within seconds. - Virus is a self replicating program that makes a copy of itself by attaching to another computer program, or document (make their way into computer when sharing a malicious file containing it with the victim through the internet or removable media) - Worm is a malicious program that replicates, executes, and spreads across network connections (enter network when victim downloads a malicious file, opens a spam mail, or browses a malicious website Ransomware: restrict access to computer files and folders and demand a ransom inorder to regain access Mobile threats: users may download malware infested applications (APKs) onto their smartphones which can damage other applications and data or reveal sensitive info. Attackers can remotely access a smartphone’s camera and recording app to view user activities and track voice communications Botnet: huge network of compromised systems used by attackers to perform DDoS attacks. Bots perform tasks such as uploading viruses, and stealing data. Phishing: sending illegitimate email falsely claiming to be from a legitimate site in an attempt to acquire a user’s personal or account info. Distributed by malicious links. Web application threats: attackers target web applications to steal credentials, set up phishing sites or acquire private info IoT (internet of things) threats: these devices (smart watches, smart phones, printers, fridges, cameras, etc) have little to no security, which makes it easier to hack into them and steal info Module 2 Ethical Hacking Fundamentals Cyber kill chain methodology: - Reconnaissance: gather data on the target and look for weak spots - Weaponization: create a deliverable malicious payload using an exploit and a backdoor - Delivery: deliver weaponized bundle to victim via email, USB, malicious link on website, etc. - Exploitation: exploit a vulnerability by executing code on victim’s system - Installation: install malware on target system to maintain access to the target network for an extended period - Command and control (C&C): create C&C channel to communicate and pass data back and forth - Actions on objectives: perform actions to achieve intended goals/objectives Tactics, Techniques, and Procedures (TTPS) - Tactics: guidelines that describe the way an attacker performs the attack from beginning to end (helps us predict and detect evolving threats in the early stages) - Techniques: technical methods used by an attacker to achieve intermediate results during the attack (helps us identify vulnerabilities and implement defensive measures in advance) - Procedures: organizational approaches that threat actors follow to launch an attack (helps us identify what the attacker is looking for within the target org) Adversary behavioral identification - Involves the identification of the common methods or techniques used by adversaries to launch attack on or to penetrate an oranganization’s network - Gives the security professionals insight into upcoming threats and exploits Indicators of compromise (IoCs) - Clues, artifacts, and pieces of forensic data found on the network or OS of an organization that indicate a potential intrusion or malicious activity in the organization’s infrastructure - Security professionals must monitor IoCs to effectively and efficiently detect and respond to evolving cyber threats - Email indicators: used to send malicious data to target org or individual (ex: sender’s email, email subject, and links or attachments) - Network indicators: useful for C&C, malware delivery, identifying the OS, and other tasks (ex: URLs, domain names, and IP addresses) - Host-based indicators: found by performing analysis of infected system within the organizational network (ex: filenames, file hashes, registry keys) - Behavioral indicators: identify behaviors related to malicious activities (ex: document executing PowerShell script, and remote command execution) Hacking: refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system’s resources - Involves modifying system or application features to achieve a goal outside of the creator’s og purpose - Can be used to steal and redistribute intellectual property, leading to business loss - Hacking on a computer network is generally done using scripts or other network programming. Include creating viruses, worms, and performing DDoS attacks, backdoors, Trojans, packet sniffing, phishing, and password cracking. A hacker is someone with excellent computer skills who can create and explore computer software and hardware. Usually done to destroy, steal sensitive data, or perform malicious attacks. Hacker classes/threat actors - Black hats: resort to malicious or destructive activities and are also known as crackers - White hats: use professed skills for defensive purposes and are also known as security analysts - Gray hats: work both with black and white hats - Suicide hats: aim to bring down the critical infrastructure for a cause and are not worries about facing jail time or any kind of punishment - Script kiddies: unskilled hacker that compromises a system by running scripts, tools, and software that real hackers developed - Cyber terrorists: motivated by religious or political beliefs to create fear through large scale disruption of computer networks - State sponsored hackers: employed by the government to penetrate and gain top secret information and damage information systems of other governments - Hacktivist: promote political agendas by hacking, deface or disable website - Hacker teams: consortium (group of two or more orgs) of skilled hackers having their own resources and funding. Research the state of the art technology - Industrial spies: perform corporate espionage by illegally spying on competitor organizations and focus on stealing information such as blueprints and formulas - Insider: employee who has access to critical assets of an org. Use privileged access to violate rules or intentionally cause harm - Criminal syndicate: groups of individuals involved in organized, planned, and prolonged criminal activities. Illegally embezzle money by performing sophisticated cyberattacks - Organized hackers: miscreants (person who misbehaves, criminal) who use rented devices or botnets to perform various cyberattacks to pilfer money from victims Hacking phases - Reconnaissance: gather information about a target before attack Passive: no direct interaction with target, searching public records Active: direct interaction with target, telephone call to target’s help desk or technical department - Scanning: before the attack, attacker scans the network for specific information based on info gather during reconnaissance (port scanners, ping tools, vulnerability scanners). The logical extension of active reconnaissance. - Gaining access: attacker obtains access to the OS or applications on target computer or network. Attacker can gain access at he OS, application, or network layers. Can escalate privileges to obtain complete control of the system. Examples: password cracking, denial of service, and session hijacking - Maintaining access: attacker tries to retain their ownership of the system. May prevent system from being owned by other attackers by securing their exclusive access with backdoors, rootkits, or Trojans. Can manipulate data, applications, and configurations on the owned system. Use compromised system to launch further attacks. Rootkits gain access at the OS level, Trojans gain access at application level. - Clearing tracks: activities carried out to hide malicious acts. Attacker’s intentions include obtaining continuing access to the victim’s system, remaining unnoticed and uncaught, and deleting evidence that might lead to their prosecution. Overwrites the server, system, and application logs to avoid suspicion Module 3 Information security threats and vulnerability assessment Define threat and threat sources Security threat: incidents that negatively impact the organization’s IT infrastructure - Potential occurrence of an undesirable event that can damage or disrup the operational and functional activities of an org Vulnerabilities: security gaps or flaws in the system or network that make threats possible, temps hackers to exploit them Attackers use cyber threats to infiltrate and steal data like personal info, financial info, or login credentials Criticality of a threat depends on how much damage it can cause, how controllable it is, level of complexity in identifying the latest discovered threat in advance Threat sources: - Natural: fires, floods, power outages - Unintentional: unskilled admin, accidents, lazy or untrained employees - Intentional: internal and external Internal: fired employee, disgruntled employee, service providers, contractors External: hackers, criminals, terrorists, foreign intelligence agents, corporate raiders Structured external: done by technically skilled attackers, using tools to gain access to network. Motivation are usually criminal bribes, racism, politics, terrorism. Unstructured external: done by unskilled attackers, script kiddies to access network. Primarily done out of curiosity. Define malware and its types Malware: malicious software that damages or disables computer systems and gives limited or full control of the systems to hacker for the purpose of theft or fraud - Programmers/hackers use malware to attack browsers and track websites visited - Slow down systems - Cause hardware failure, making computers inoperable - Steal personal information, like contacts - Change system settings Malware can enter a system in many ways: - Instant messenger app, portable hardware media, browser and email software bugs, untrusted sites, downloading files from the internet, email attachments, installation by other malware, bluetooth and wireless networks Techniques attackers use to distribute malware on the web: - Black hat search engine optimization (SEO): ranking malware pages highly in search results - Social engineered click jacking: tricking users into clicking innocent looking webpages - Spear phishing sites: mimicking legitimate institutions in an attempt to steal login credentials - Malvertising: embedding malware in ad networks that display across hundred of legitimate, high traffic sites - Compressed legitimate websites: hosting embedded malware that spreads to unsuspecting victims - Drive by downloads: exploiting flaws in browser software to install malware just by visiting a web page - Spam emails: attachiung malware to emails and tricking victims to click the attachment Components of malware: - Crypter: software that protects malware from undergoing reverse engineering or analysis (cannot be detected by antivirus detection) - Downloader: type of trojan that downloads other malware from the internet on to the PC (installed when first gain access to a system) - Dropper: type of trojan that covertly installs other malware files on to the system (need to install malware code/program on the system before executing dropper) - Exploit: malicious code that breaches the system security via software vulnerabilities to access info or install malware (categorized into local exploits and remote exploits based on type of vulnerabilities abused) - Injector: program that injects its code into other vulnerable running processes and changes how they execute to hide or prevent its removal - Obfuscator: program that conceals its code and intended purpose via various techniques, and thus, makes it hard for security mechanisms to detect or remove it - Packer: program that allows all files to bundle together into a single executable file via compression to bypass security software detection - Payload: piece of software that allows control over a computer system after it has been exploited - Malicious code: command that defines malware’s basic functionalities such as stealing data and creating backdoors Types of malware: - Trojans: program that contains malicious or harmful code inside an apparently harmless program or data, which can later gain control and cause damage Gets activated when user performs certain predefined actions They create a covert/hidden communication channel between the victim computer and the attacker for transferring sensitive data - Viruses - Ransomware - Computer worms - Rootkits - PUAs or grayware - Spyware - Keylogger - Botnets - Fileless malware Indications of trojan attacks - Computer screen blinks, flips upside down, or is inverted so that everything is displayed backwards - Default background or wallpaper settings change automatically - Web pages suddenly open without input from the user - Color settings of the OS change automatically - Antivirus programs are automatically disabled - Pop ups with bizarre messages suddenly appear How hackers use trojans: - Delete or replace critical OS files - Record screenshots, audio and video of victim’s PC - Use vicitim’s PC for spamming and blasting email messages - Download spyware, adware, and malicious files - Disable firewalls and antivirus - Create backdoors to gain remote access - Steal personal information such as passwords, security codes, and credit card information - Encrypt the data and lock out the victim from accessing the machine Vulnerability: existence of weakness in an asset that can be exploited by threat agents Common reasons for the existence of vulnerabilities: - Hardware or software misconfig - Insecure or poor design of the network and application - Inherent technology weaknesses - Careless approach of end users Vulnerability classification Misconfiguration: most common and mainly caused by human error, examples of misconfig: - App running with debug enabled, running outdated software, incorrect folder permissions, default account or passwords (attackers can easily detect these misconfigs with scanning tools) Default installations: usually user friendly, especially when using the device for the first time. Failing to change the default settings while deploying the software or hardware allows the attacker to guess the settings to break into system Buffer overflows: due to coding errors, attackers try to take control of the system by writing content beyond the allocated size of the buffer Unpatched servers: unupdated or misconfigured servers, updating software regularly and maintaining systems properly by patching and fixing bugs can help in mitigating the vulnerabilities caused by unpatched servers Design flaws: universal to all OS devices and systems, incorrect encryption, poor validation of data refers to logical flaws in the functionality of the system OS flaws: timely patching of the OS, installing minimal software applications, and using applications with firewall capabilities are essential steps that an admin must take to protect the OS Application flaws: vulnerabilities in apps that attackers exploit Open services: admin must continuously check for unnecessary or insecure ports and services to reduce the risk to the network Default passwords: manufacturers provide users with default passwords to access the device during its initial set up, must change for future use. If not changed, they become vulnerable to attacks like brute force and dictionary attacks Zero day vulnerabilities: unknown vulnerabilities in software/hardware that are exposed but not yet patched. Exploited by attackers before being acknowledged and patched by the software developers or security analysts Legacy platform vulnerabilities: exposed from old or familiar code. Vulnerability assessment Vulnerability research: process of analyzing protocols, services, and configurations to discover vulnerabilites and design flaws that will expose an OS and its applications to exploit, attack, or misuse Vulnerability assessment: in depth examination of the ability of a system or app, to withstand exploitations (identify weaknesses that could be exploited, predict the effectiveness of additional security measures in protecting information resources from attacks Vulnerability management life cycle: helps identify and remediate security weaknesses before they can be exploited - Identify assets and create a baseline: identifies critical assets and prioritizes them to define the risk based on the criticality and value of each system - Vulnerability scan: security analyst performs scan to identify known vulnerabilities in the organization’s infrastructure - Risk assessment: all serious uncertainties that are associated with the system are assessed and prioritized and remediation is planned to permanently eliminate system flaws - Remediation: process of applying fixes on vulnerable systems in order to reduce the impact and severity of vulnerabilities - Verification: security team performs a rescan of systems to assess if the required remediation is complete and whether the individual fixes have been applied to the impacted assets. - Monitor: organizations need to perform regular monitoring to maintain system security. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved Module 4 Password cracking techniques and countermeasures Password cracking Techniques uses to recover passwords from computer systems Attackers use password cracking techniques to gain unauthorized access to vulnerable systems Most of the password cracking techniques are successful because of weak or easily guessable passwords Password complexity Passwords contain letters, special characters and numbers Passwords that contain only numbers Passwords that contain only special characters Passwords that contain letters and numbers Passwords that contain only letters Passwords that contain only letters and special characters Passwords that contain only special characters and numbers Want passwords to have high entropy (longer passwords) Microsoft authentication Security accounts manager (SAM) database: windows stores user passwords in SAM or in the AD database in domains - Passwords are never stored in clear text and are hashed, and the results are stored in SAM NTLM authentication: store user’s passwords in the SAM database uding different hashing methods Kerberos authentication: Windows Microsoft upgraded to default authentication protocol to kerberos which provides a stronger authentication for client/server applications than NTLM - Uses secretkey cryptography for validating identities Types of password attacks Nonelectronic attacks: attacker does not need technical knowledge to crack password - Shoulder surfing - Social engineering - Dumpster diving Active online attacks: attacker performs cracking by directly communicating with the victim’s machine - Dictionary (loaded into the cracking application that runs against user accounts), brute force (tries every combo of characters until password is broken), and rule bases attack (used when the attacker gets some info about the password) - Hash injection attack: attacker injectrs a compromized has into the local session and use the hash to validate network resources, extracts a logged on domain admin account hash, extracts hash to log onto DC - LLMNR/NBT-NS poisoning: two main elements of windows OS that are used to perform name resolution for hosts present on the same link, attacker cracks NTLMv2 hash, extracted credentials are used to log on to the host system in the network - Trojan/spyware/keyloggers - Password guessing: attacker creates a list of all possible passwords from info coillected through social engineering and manually inputs them on the victim’s machine to crack the passowords Quantum computer examines all items at the same time allowing them to do brute force more quickly Passive online attacks: attacker performs password cracking without communicating with the authorizing party - Wire sniffing: attackers run packet sniffer tools on LAN to access and record the raw network traffic (sensitve info may include passwords and emails) - Man in the middle attack: attacker acquires access to the communication channels between the victim and the server to extract the info needed - Replay attack: packets and authentication tokens are captured using a sniffer, after info is extracted, the tokens are placed back on the network to gain access Offline attack: attacker copies the target’s password file and then tries to crack passwords on his own system at a different location - Rainbow table attack (pre-computed hashes): contains tons of password, hashes, compare password hashes to precomputed hash table to see if match - Distributed network attacks Default passwords: password supplied by the manufacturer with new equipment - Attackers use default passwords present in the list of words or dictionary to perform password guessing attack L0phtCrack: tool designed to audit passwords and recover applications Ophcrack: windows password cracker based on rainbow tables, comes with GUI and runs multiple platforms Rainbowcrack: cracks hashes with rainbow tables, uses time memory tradeoff algorithm to crack hashes Password cracking countermeasures: - Disallow the use of the same password during password change - Disallow the use of passwords that can be found in a dictionary - Set the password change policy to 30 days - Disallow password sharing - Do not use cleartext protocols and protocols with weak encryption - Do not use any system default passwords - Make passwords hard to guess by consisting of a combo of uppercase, lowercase, letters, numbers, etc. - Ensure that applications neither store passwords in memory nor write them to disks in clear text - Use a random string (salt) as a prefix or suffix to the password - Disallow the use of passwords such as date of birth, spouse, child’s - Lockout an account subjected to too many incorrect password guesses - Use two factor or multifactor authentication Module 5 Social engineering techniques and countermeasures What is social engineering? The art of convincing people to reveal confidential info Depend on the fact that people are unaware of the valuable info to which they have access and are careless about protecting it Common targets of social engineering Resceptionists and help desk personnel Technical support executives System admin Users and clients Vendors of the target org Senior executives Impact of social engineering attack on an organization Economic losses Damage of goodwill Loss of privacy Dangers of terrorism Law suits and arbitration Temporary or permanent closure Factors that make companies vulnerable to social engineering Insufficient security training Unregulated access to information Several organizational units Lack of security policies Why is social engineering effective? Does not deal with network security issue; instead it deals with the psychological manipulation of a human being to extract desired information Human behavior is the most susceptible factor Difficult to detect social engineering attempts No method that can be applied to ensure complete security No specific software or hardware to defend against it Phases of social engineering attack Research the target company: dumpster diving, websites, employees, tour of the company Select the target: Identify frustrated employees of the target company Develop a relationship: develop relationship with selected employees Exploit the relationship: collect sensitive account and financial information Types of social engineering Human based: info gathered by interaction - Impersonation - Vishing - Eavesdropping - Shoulder surfing - Dumpster diving - Reverse social engineering (make yourself look like an expert so victim can confide in you) - Piggybacking (giving someone permission access) - Tailgating (not giving permission, someone following you through a door) Computer based: info gathered with help of computers - Phishing - Pop up window attacks - Spam mail - Instant chat messenger - Scareware Mobile based: info gathered with help of mobile apps - Publishing malicious apps - Using fake security apps - Repackaging legitimate apps - Smishing (SMS phishing) Insider threats/insider attacks An employee who has access to critical assets of an org Involves privileged access to intentionally violate rules or cause threat to the orgs information Generally performed by a privileged user, disgruntled employee, terminated employee, accident prone, employee, etc. Reasons for insider attacks Financial gain Steal confidential data Revenge Become future competitor Perform competitors bidding Public announcement Types of insider threats Malicious:disgruntled or terminated employee who steals data or destroiys the company’s network intentionally by introducing malware to the network Negligent:uneducated or potential security threats or who simply bypass general security to meet workplace efficiency Professional: harmless insiders who use their technical knowledge to identify vulnerabilities in the company’s network and sell confidential info to competitors Compromised: insider with access to critical assets of an org who is compromised by an outside threat actor Why are insider attacks effective? Easy to launch Difficult to prevent Differentiating harmful actions from employees’s regular work is very difficult Employee may refuse to accept responsibility and claim it was a mistake Employees can easily cover tracks Can go undetected for years and remediation is expensive Identity theft Imposter steals your personally identifiable information (PII) like name, social security, credit card, driver’s license number Attackers can use identity theft to impersonate employees of a target org and physically access facilities Can open new accounts Obtain utility service Open bank accounts Electronic withdrawals from debit card Types of identity theft Child identity theft Criminal identity theft Financial identity theft Driver’s license identity Insurance identity Medical identity Tax identity Identity cloning and concealment Synthetic identity Social security theft Module 5 Network Level attacks and countermeasures Sniffing Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software app or hardware device - Allows attacker to observe and access the entire network traffic from a given point in order to gather sensitive information like Telnet passwords - Opening up frames on the NIC (network interface card) and being able to read contents - Sets NIC of the system to the promiscuous mode (read every frame) so that it listens to all the data transmitted on its segment Passive sniffing: sniffing through the hub, where traffic is sent to all ports - Involves monitoring packets sent by others without sending any additional data packets in the network traffic (more stealth than active sniffing) Active sniffing: interacting with the system, sniff a switch-based network - Involves injecting address resolution packets (ARP) into the network to flood the switch’s content addressable memory (CAM) table (table of mac addresses), keeps track of host port connections How an attacker hacks the network using sniffing - Attacker connects his laptop to a switch port (usually on a wall) - They identify the victim to target their attacks - Traffic destined for the victim’s machine is redirect to the attacker - Attacker runs discovery tools to learn about network topology - They poison the victim’s machine by using ARP spoofing techniques - Hacker extracts password and sensitive data from redirected traffic Sniffing techniques Mac flooding: flooding the CAM table with fake mac address and IP pairs until it is full - Switch then acts as a hub by broadcasting packets to all machines on the network, attacker can sniff traffic easily - Macof is a linux/unix tool that floods the switch’s CAM tools by sending fake MACs DHCP starvation: DHCP assigns valid IP addresses to host systems out of a pre-assigned DHCP protocol - Process of inundating (flood) DHCP servers with fake DHCP request and using all the available IP addresses - Results in DOS attack, where the DHCP server cannot issue new IP addresses ARP spoofing: ARP is used to map an IP address to a physical machine address (MAC address) - Sending a large number of forged entries to the target machine’s ARP cache ARP poisnoing tools: arpspoof: redirect packets from a target host on the LAN intended for another host on the LAN by forging ARP replies MAC spoofing/duplicating: launched by sniffing a network for MAC addresses of clients who are actively associated with a switch port and reusing one of those addresses - Hacker can intercept and use a legitimate user’s MAC address to receive all the traffic destined for the user - Allows attacker to gain access to the network and take over someone’s identity DNS poisoning: unauthorized manipulation of IP addresses in the DNS cache - Corrupted DNS redirects a user request to a malicious website to perform illegal activities Denial of service DOS: Attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users - Attackers flood the victim system with non-legitimate service requests or traffic to overload its resources DDOS: coordinated attack that invloves a multiude of compromised systems (botnet) attacking a single target, thereby denying service to users of the targeted system UDP flood: sends spoofed UDP packets at a high packet rate to a remote host on random ports of a target server using a large source of IP range - Flooding of UDP packets causes server to check for non-existent apps at the ports - Legit apps are inaccessible by the system and give an error reply with an ICMP “destination unreachable” packet - Attack consumes network resources and available bandwidth, exhausting network until goes offline ICMP flood: attackers send large volumes of ICMP echo request packets to a victim system directly or through reflection networks - Packets signal the victim’s system to reply, and result comboo of traffic saturates the bandwidth of the victim’s network connection, causing it to be overwhelmed and subsequently stop responding to legit TCP/IP request Ping of death: attacker tries to crash, destabilize, or freeze targeted system or service by sending malformed or oversized packets - Sending a packet with a size larger than the limit Smurf attack: spoofs the source IP address with the victim’s IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network - Causes all hosts on the broadcast network to respond to the received ICMP echo requests - These responses will be sent to the victim machine, causing it to crash SYN flood: attacker sends a large number of SYN requests with fake source IP addresses to the target server (victim) - Target machine sends back syn/ack in response to request and waits for the ack to complete session startup - Target machine does not get response because the source address is fake - Syn flooding takes advantage of a flaw in the implementation of the TCP three-way handshake in most hosts Fragmentation: stop victim from being able to reassemble fragmented packets by flooding the target system with TCP or UDP fragments, resulting in reduced performance - Sends a large number of fragmented packets to a target web server with small packet rate - Reassmbling and inspecting these large fragmented packets consumes excessive resources Multi vector: combo of volumetric, protocol, and application layer attacks to disable the target system or service - Attackers rapidly and repeatedly change the form of their DDOS attack Peer to peer: instruct clients of peer to peer file sharing hubs to disconnect from their peer to peer network and to connect to the victim’s fake website - Attackers exploit flaws in the network using DC++ (direct connect) protocol, used for sharing all types of files between instant messaging clients - Launch massive DDOS attacks and compromise websites Permanent DOS: phlashing, attacks that cause irreversible damage to the system hardware - Sabotages the system hardware, requiring victim to replace or reinstall the hardware - Use bricking a system to carry out attack - Send fraudulent hardware updates to the victims Distributed reflection DOS (DRDoS): spoofed attack, involves using mutiple intermediaray and secondary machines - Launch this attack by sending request to the intermediary hosts, which then redirects the request to the secondary machines, which reflects the attack traffic to the target Session hijacking Attacker gains control of a valid TCP communication session between two computers - Most authentications only occur at the start of a TCP session, allows hacker to gian access to a machine - Attackers can sniff all traffic from TCP session and perform identity theft, information theft, fraud - Attacker steals valid session ID and uses it to authenticate himself with the server Session hijacking process Sniff: place yourself between victim and target Monitor: monitor flow of packets and predict the sequence number Session desynchronization: break connection to the victim’s machine Session id prediction: take over session Command injection: start injecting packets to target server Types of session hijacking Passive session hijacking: attacker hijacks a session but sits back, watches, and records all traffic in that session Active session hijacking: attacker finds an active session and seizes control of it Session hijacking in OSI model Network level hijacking: interception of packets during transmission between a client and the server in a TCP or UDP session Application level: gaining control over the HTPP’s user session by obtaining session IDs Module 6 web application attacks and countermeasures Web server attacks Web server: a computer system that stores, processes, and delivers web pages to clients via HTTP Web server components: - Document root: stores critical HTML files related to the web pages of a domain name - Virtual hosting: technique of hosting multiple domains or websites on the same server - Server root: stores server’s configuration, error, executable, and log files - Virtual document tree: provides storage on a different machine or disk after original disk is filled up - Web proxy: proxy server that sits between the web client and web server to prevent IP blocking and maintain anonymity Security issues: - Attackers target software vulnerabilities and configuration errors to compromise web servers - Network and OS level attacks can be defended using proper network security measures such as firewalls, IDS, etc. - Web servers can be accessed from anywhere via the internet, which renders them highly vulnerable to attacks Impact of web server attacks: - Compromise of user accounts - Website defacement - Secondary attacks from the website - Root access to other applications or servers - Data tampering and data theft - Reputational damage of the company Web server attacks: DNS server hijacking: attacker compromises the DNS server and changes the DNS settings so that all the requests coming towards the target web server are redirected to the hacker’s malicious server (sent to fake websites) DNS amplification attack: takes advantage of DNS recursive method of DNS redirection to perform DNS amplification attacks - Uses compromised PCs with spoofed IP address to amplify the DDoS attacks on victim’s DNS server by exploiting the DNS recursive method Directory traversal attacks: attackers use the../(dot-dot-slash) sequence to access restricted directories outside the web server root directory - Can use trial and error method to navigate outside the root directory and access sensitive info Website defacement: intruder maliciously alters the visual appearance of web page (inserts provocative or offending data) - Expose visitors to some propaganda or misleading info Web server misconfiguration: configuration weakness in web infrastructure that can be exploited to launch various attack on web servers such as directory traversal, server intrusions, and data theft Http response splitting attack: involves adding header response datra into the input field - Attacker can control first response to redirect the user to a malicious website Web cache poisoning: attacks the reliability of an intermediate web cache source - Attackers swap cached content for a random URL with infected content - Users can unknowingly use the poisoned content instead of true and secured content SSH brute force (try every possible combination) attack: used to create an encrypted SSH tunnel between two hosts to transfer unencrypted data over an insecure network - Attackers brute force SSH login to gain unauthorized access to an SSH tunnel - SSH tunnels can be used to transmit malwares and other exploits to victims without being detected Web server password cracking: attacker tries to exploit weaknesses to hack well chosen passwords - Most common passwords found are password, root, admin, demo, test, guest, qwerty, pet names - Attackers use different methods like social engineering, spoofing, phishing, trojan or virus, wiretapping, keystroke logging - Mainly target: SMTP, web servers, SSH tunnels, FTP servers Server side request forgery (SSRF): attackers exploit SSRF vulnerabilities in a public web server to send crafted requests to the internal or back end servers - Once attack is successful, then attackers can performa various activities such as port scanning, network scanning, IP address directory, reading web server files, etc. - Metasploit: exploitment development platform that supports fully automated exploitation of web servers, by abusing known vulnerabilities and leveraging weak passwords via telnet Web server attack countermeasures Apply restricted ACLs and block remote registry admin Security related settings are configured appropriately Remove unnecessary ISAPI filters from web server Remove all unnecessary file shares Relocate sites and virtual directories to non-system partitions Fortify webinspect: automated dynamic testing solution Web application threats and attacks Web apps: provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser Though they enforce certain security policies, they are vulnerable to attacks like: - Sql injection, cross site scripting, and session hijacking Web service: application or software that is deployed over the internet and uses standard messaging protocols such as SOAP, UDDI, WSDL, and REST to enable communication - SOAP: based on XML format and used to transfer data between a service provider and requestor - Restful web services: based on set of constraints using underlying HTTP concepts to improve performance Injection flaws: web app vulnerabilities that allow untrusted data to be interpreted and executed as a part of a command or query - Attackers construct malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access - SQL injection: involves the injection of malicious SQL queries into user input forms Broken authentication: attackers can exploit vulnerabilities in authentication or session management functions like exposed accounts, session IDs, logout, password management, to impersonate users - Session ID in URLs: attackers sniff the network traffic to get session IDs and reuse those sessions for malicious purposes - Password exploitation: can gain access to a web app’s password database - Timeout exploitation: when user does not logout from a site before closing browser from a public computer and hackers later exploit that user’s privileges Sensitive data exposure: occurs due to flaws like insecure cryptographic storage and info leakage - App uses poorly written encryption code to securely encrypt and store sensitive data in database - Attacker can exploit this flaw and steal or modify weakly protected sensitive data like credit card numbers, SSNs, etc. XML external entity (XXE): server side request forgery (SSRF) attack that can occur when a misconfigured XML parser allows app to parse XML input from unreliable source - Attackers can refer victim’s web app to an external entity by including the reference in the malicious XML input - When malicious input is processed, enables attacker to access protected files and services Broken access control: attacker identifies a flaw related to access control and bypasses the authentication, which allows them to compromise network - Allows an attacker to act as users or admin with privileged functions and create, access, update or delete every record Security misconfiguration: misconfigured security settings - Unvalidated inputs: vulnerability where input from client is no validated before being processed by web app and backend servers - Parameter/form tampering: manipulation of parameters exchanfed between client and server to modify app data - Improper error handling: insight into source code such as logic flaws, and default accounts (attacker can identify vulnerabilities to launch various web app attacks) - Insufficient transport layer protection: supports weak algorithms and uses expired or invalid certificates (exposes user data to untrusted third parties and can lead to account theft) Cross-site scripting (CSS/XSS): attacks exploit vulnerabilities in dynamically generated web pages, which lets attackers inject client-side scripts into web pages viewed by other users - Occurs when unvalidated input data is included in dynamic content that is sent to a user’s web browser for rendering Insecure deserialization: effective process of linearizing and delinearizing data objects for transmission to other networks or systems - Attackers inject malicious code into serialized data and forward it to the victim - Insecure deserialization, deserializaes the malicious serialized content along with the injected malicious code, compromising the system or network Using components with known vulnerabilities: most web apps that use components as libraries and frameworks always execute them with full privileges Insufficient logging and monitoring: web apps maintain logs to track usage patterns, like user login credentials and admin login credentials - Attackers usually inject, delete, or tamper the web app logs to engage in malicious activities or hide their identities Web application tools Burp suite: supports everything in the app hacking, app testing process and exploits security vulnerabilities Metasploit Nikto Sn1per Web application attack countermeasures Sql injection attacks: - Limit length of user input - Use custom error messages - Monitor DB traffic using IDS Command injection flaws - Perform input validation - Escape dangerous characters LDAP injection attacks: - Perform type, pattern, and domain value validation on all input data - Make LDAP filter as specific as possible SQL (structured query language)injection attacks Sql injection: technique used to take advantage of unsanitized input vulnerabilities to pass SQL commands through a web app for execution of backend database - Base attack used to either gain unauthorized access to a database or retrieve info directly from the database - SQL commands used to perform operations on the database include insert, select, update, and delete. These commands are used to manipulate data in the database server - Apps usually use SQL statements to authenticate users to the app, validate roles and access levels, store and obtain info for the app and user, and link to other data sources - Sql injection attacks work because the application does not properly validate an input before passing it to an sql statement Attackers can use SQL to: - Bypass authentication - Bypass authorization - Disclose information - Compromise data integrity - Compromise availability of data - Remote code execution Types of SQL injection In band SQL injection: using the same communication channel to perform the attack and retrieve the results - Piggybacked sql: attacker injects an additional malicious query into the original query\ Module 7 Wireless Attacks and Countermeasures Wireless terminology GSM: universal system for mobile transportation for wireless networks worldwide Bandwidth: describes the amount of info that may be broadcast over a connection Access point: used to connect wireless devices to a wireless/wired network BSSID: MAC address of an AP that has set up a basic service set (BSS) ISM band: set of frequencies for the international industrial, scientific, and medical communities Hotspot: place where a wireless network is available for public use Wireless networks Wi-fi refers to WLANS based on IEEE 802.11 standard, which allows the device to access the network from anywhere within an AP range - Devices like game consoles, PCs, and smartphones use Wi-Fi to connect to a network resource, such as the internet, by a wireless network AP Types of Wireless encryption 802.11i: an IEEE amendment that specifies security mechanisms for 802.11 wireless networks WEP (Wired equivalency privacy): encryption algorithm for IEEE 802.11 wireless networks, 1st, turned out to be hackable, keys never changed giving hackers all the time they needed to hack it - Designed to provide a wireless LAN a level of security and privacy comparable to a wired LAN - Has significant vulnerabilities and design flaws and can be easily cracked EAP (extensible authentication protocol): supports multiple authentication methods, such as token cards, Kerberos, and certificates, after WEP LEAP: proprietary version of EAP developed by Cisco WPA: advanced wireless encryption protocol using TKIP and MIC to provide stronger encryption and authentication, keys disappeared - Didnt use AES so wasnt available for government and military networks TKIP (temporal key integrity protocol): security protocol used in WPA as a replacement for WEP WPA2: an upgrade to WPA using AES and CCMP for wireless data encryption - Uses set up password to protect unauthorized network access - Personal and enterprise WPA2 enterprise: integrates EAP standards or RADIUS with WPA2 encryption, centralized client authentication using multiple authentication methods AES: symmetric key encryption used in WPA2 as a replacement for TKIP CCMP (cipher block chaining message authentication)(: encryption protocol used in WPA2 for stronger encryption and authentication RADIUS: centralized authentication and authorization management system PEAP: protocol that encapsulates the EAP within an encrypted and authenticated transport layer security (TLS) tunnel WPA3: third-generation Wi-Fi security protocol that uses GCMP-256 for encryption and HMAC-SHA-384 for authentication - Personal uses password based authentication using SAE protocol (dragonfly key exchange) - Resistant to offline dictionary attacks and key recovery attacks - Enterprise: protects sensitive data using many cryptographic algorithms - And uses ECDSA-384 for exchanging keys Wireless network-specific attack techniques Rogue AP attack: placed into an 802.11 network that can be used to hijack the connections of legitimate network users - User turns on computer, the rouge AP will offer to connect with the network user’s NIC - All the traffic the user enters will pass through the rogue AP, enabling a form of wireless packet sniffing - Connecting to a fake Mcdonalds Wi-Fi or Starbucks Wi-Fi Client Mis-association: attacker sets up a rogue AP outside the corporate perimeter and lures the employees of the organization to connect with it - Once associated, attackers may bypass the enterprise security policies Misconfigured AP attack: APs are configured to broadcast SSIDs to authorized users - To verify authorized users, network admin incorrectly use the SSIDs as passwords (weak password or no password) - SSID broadcasting is a configuration error that enables intruders to steal an SSID and cause the AP to assume they are allowed to connect (config error) Unauthorized association: soft APs are client cards or embedded WLAN radios in some PDAs and laptops that can be launched inadvertently or through a virus program - Attackers infect a victim’s machine and activate soft APs, allowing them unauthorized connection to the enterprise network - Attackers connect to enterprise networks through soft APs instead of actual APs Ad-hoc connection attack: Wi-Fi clients communicate directly via an ad hoc mode that does not require an AP to relay attacks - An ad hoc mode is inherently insecure and does not provide strong authentication and encryption - Attackers can easily connect to and compromise the enterprise client operating in ad hoc mode Honeypot AP attack: attacker traps vicitms using fake hotspots AP MAC spoofing: hacker spoofs the MAC address of WLAN client equipment to mask as an authorized client - Attacker connects to an AP as an authorized client and eavesdrops on sensitive info Key reinstallation attack (KRACK): all secure Wi-Fi networks use the 4 way handshake process to join the network and generate a fresh encryption key that will be used to encrypt the network traffic - Works by exploiting the 4 way handshake of the WPA2 protocol by forcing Nonce reuse - Works against all modern protected Wi-Fi networks and allows attackers to steal sensitive info, such as credit card numbers, passwords, messages, emails, etc A Nonce is a type of code that should only be used one time Jamming signal attack: all wireless networts are prone to jamming, overwell radio channel with extra noise - Causes a DoS because 802.11 is a CSMA/CA protocol whose collision avoidance algorithms require a period of silence before a radio is allowed to transmit - An attacker stakes out the area from a nearby location with a high-hain amplifier drowning out the legitimate AP - Attacker overloads traffic to prevent authorized user from accessing a wireless network and block communication in certain radius Understand Bluetooth attacks Bluetooth is a wireless technology that allows devices to share data over short distances - Replaces cables connecting portable or fixed devices while maintaining high levels of security Bluetooth stack: an implementation of the Bluetooth protocol stack - Allows inheritance app to work over bluetooth - General purpose and embedded system Bluetooth modes: discoverable and pairing mode - Discoverable: bluetooth devices are visible by other Bluetooth enabled devices, only necessary while connecting to a device for the first time (devices remember each other) - Limited discoverable: visible for only a limited period of time, for a specific event or during temporary conditions. No host controller interface (HCI) command to set device to this mode, user has to do this indirectly. Filters out non-matched IACs and reveals itself only to those that are matched - Non-discoverable: prevents device from appearing on the list during search process, but remains visible to users and devices it previously paired with (or known its MAC address) - Non-pairable mode: device rejects pairing requests sent by any device - Pairable mode: device can accept pairing requests and establish a connection with a device that requested pairing WiMax (802.16) is designed to provide multiple physical layer and MAC options KNOB (key negotiation of bluetooth) attack: is used by an attacker to breach the security mechanism of a paired bluetooth device for eavesdropping on the data being carried by short distance communication protocols Module 9 Mobile attacks and countermeasures Vulnerable areas in mobile business environment OWASP top 10 mobile risks - Improper platform usage: misuse of a platform feature - Insecure data storage: assumes that users and malware will not have access to mobile device’s file system and sensitive info - Insecure communication: poor handshaking, incorrect SSL version, cleartext communication of sensitive assets - Insecure authentication: failing to identify users when required - Insufficient cryptography: cryptography is not performed correctly - Insecure authorization: captures authorization issues - Client code quality: security decisions via untrusted inputs - Code tampering: local resource modification, dynamic memory modification - Reverse engineering: analysis of final core binary to determine its source code, libs, algorithms, and other assets - Extraneous functionality: hidden backdoor functionality or other internal development security controls Anatomy of mobile attack: The device: attackers targeting device can use various entry points - Browser based attacks: phishing, clickjacking (click something different from what they think they are clicking), man in the mobile, data caching - Phone/SMS-based attacks: smishing, baseband attacks (exploit vulnerabilities in GSM/3GPP which sends and receives radio signals to cell towers) - Application based attacks: no encryption/weak encryption, sensitive data storage, escalated privileges - System: no passcode/weak passcode, iOS jailbreaking (gets rid of security mechanisms set by Apple, provides root access to OS), Android rooting The network - Wi-Fi (weak encryptiong/no encryption - Rogue access points - Packet sniffing - Man in the middle - Session hijacking - DNS poisoning - SSLStrip - Fake SSL certificates The data center/CLOUD - Web-server attacks: server misconfig, XSS, brute force attacks - Database attacks: SQL injection, privilege escalation, data dumping Mobile attack vectors Malware: - Virus and rootkit - Application modification - OS modification Data exfiltratrion: - Extracted from streams and email - Print screen and screen scraping - Copy to USB key and loss of backup Data tampering: - Modification by another application - Undetected tamper attempts - Jailbroken device Data loss: - Application vulnerabilities - Unapproved physical access - Loss of device Module 10 IoT and OT attacks and countermeasures IoT Also known as internet of everything (IoE) refers to the network of devices having IP addresses and the capability to sense, collect, and send data using embedded sensors, communication hardware or processors - Thing refers to a device that is implanted on natural, human made, or machine made objects and is able to communicate over the network Some key features of the IoT are connectivity, sensors, AI, small devices, and active management - Some examples include smart watches, TVs, cameras, thermostats, healthcare devices, transportation (cars) Includes 4 primary systems: - IoT devices - Gateway systems - Data storage systems using cloud tech - Remote control using mobile apps Important components of IoT tech that play key role in the function of IoT devices: - Sensing tech: sensors embedded in the devices sense lots of info like temperature, location, gases, health data of a patient - IoT gateway: connect an IoT device (internal network) to the end user (external network), data collected by the sensors is sent to the connected user or cloud via gateway - Cloud server/data storage: the collected data arrives at the cloud, where it is stored and undergoes data analysis, processed data is then transmitted to the user, who can take certain actions based on info received - Remote control using mobile app: end user uses remote controls like phones, tablets, laptops installed with a mobile app to monitor, control, retrieve data, and take a specific action on IoT devices from a remote location IoT architecture Edge tech layer: contains all the hardware components (sensors, RFID, readers) - Plays an important part in data collection and in connecting devices within the network with the server Access gateway layer: bridges the gap between two endpoints, device and client - Carries out message routing, message identification, and subscribing - Problem: improper authentication Internet layer (mobile): serves as the main component in carrying out communication between two endpoints (device to device, device to cloud, device to gateway, back end share) - Problem: Insecure API, authentication, lack of storage security Middleware layer: responsible for functions like data management, device management, and issues like data analysis, data aggregation, data filtering, device information discovery, and access control - Operates in two way mode - Problem: firewall, improper communication encryption Application layer: responsible for delivery of services to the users from different sectors like building, industrial, manufacturing, automobile, security, healthcare - Problem: no auto security updates, default passwords OWASP (open web app security project) top 10 IoT threats Weak, guessable, or hardcoded passwords - Allows publicly available or unchangeable credentials to be determined via brute forcing Insecure network services - Prone to various attacks like buffer overflow (causes DoS) Insecure ecosystem interfaces - Web, backend API, mobile, and cloud interfaces are ecosystem interfaces - Common vulnerabilities include lack of authentication/authorization, lack of encryption or weak encryption Use of insecure or outdated components - Outdate or older versions of software components Insufficient privacy protection - User’s personal info stored on device can be compromised Insecure data transfer and storage - Lack of encryption and access control of data that is in transit can lead to sensitive info being compromised Lack of device management - Lack of security support through device management may open door to attacks - Deployed in production, update management, system monitoring, etc. Lack of physical hardening - Allows attacker to acquire sensitive info that helps them in performing remote attack or obtaining local control of device Various kinds of specific IoT threats DDoS: attacker converts devices into an army of botnets to target a specific system or server, makes it unavailable to provide services Attack on HVAC systems: can steak confidential info such as user credentials and perform further attacks on the target network Rolling code attack: attacker jams and sniffs signal to obtain code transferred to a vehicle’s receiver, used to unlock and steal car Blueborne attack: attacker connects to nearby devices and exploits the vulnerabilities of the BT protocol Sybil attack: attacker uses multiple forged identities to create a strong illusion of traffic congestion, affecting communication between neighboring nodes and networks Exploit kit: malicious script used to exploit poorly patched vulnerabilities MITM: attacker pretends to be a legit sender who intercepts all the communication between sender and receiver and hijacks communication Replay attack: attackers intercept legit messages from valid communication and continuously send intercepted message to target device to perform DoS SQL injection attack: attacks mobile or web app used to control IoT devices, to gain access to the devices and perform further attacks DNS rebinding attack: able to obtain access to the victim’s router using a malicious JavaScript code injected on a web page IoT attack countermeasures Disable the guest and demo user accounts if enabled Use lock out feature to lock accounts with too many invalid login attempts Implement strong authentication mechanisms Locate control system networks and devices behind firewalls and isolate them from the business network Implement end to end encryption and use the public key infrastructure (PKI) Patch vulnerabilities and update the device firmware regularly Implement IPS and IDS in the network Allow only trusted IP addresses to access the device from the internet Protect devices from physical tampering OT attacks Operational tech: software and hardware designed to detect or cause changes in industrial operations through direct monitoring and controlling of industrial physical devices - Consists of ICS (industrial control systems) to monitor and control the industrial operations - Most OT systems run on old versions of software and use obsolete hardware, making it vulnerable to phishing, spying, and ransomware The industrial physical devices include switches, pumps, lights, sensors, cameras, elevators, robots, etc. - Any system that analyzes and processes operational data can be a part of OT OT systems are used in manufacturing, mining, healthcare, transportation, etc. IT/OT convergence (IIOT) - industrial internet of things: integration of IT computing systems and OT operation monitoring systems - Bridging the gap can improve overall business, producing faster and efficient results Benefits: - Enhancing decision making - Enhancing automation - Expedite business output - Minimizing expenses - Mitigating risks Purdue model: describes the internal connections and dependencies of important components in ICS networks - Consists of three zones: manufacturing (OT), enterprise (IT), DMZ Challenges of OT Lack of visibility Plain text passwords Network complexity Legacy tech Lack of anti-virus protection Rapid pace of change Convergence with IT Unique production networks/proprietary software Vulnerable communication protocols OT threats Maintenance and admin threat: exploit zero day vulnerabilities, inject and spread malware to IT systems Data leakage: exploit IT systems connected to the OT network to gain access to IT/OT gateway, steal operationally significant data like config files Protocol abuse Potential destruction of ICS Resources: exploit vulnerability in OT systems to disrupt the functionality of the OT infrastructure leading to life and safety issues Reconnaissance attacks: OT allows remote communication with little to no encryption or authentication, attackers gather info for later stages of an attack DoS: exploit communication protocol like common industrial protocol (CIP) HMI based attacks: human machine interfaces Spear phishing: send fake emails containing malicious links or attachments, malware is injected to the system/software once clicked Malware attacks: reusing legacy malware packs that were previously used to exploit IT systems to exploit OT systems Buffer overflow: exploits various buffer overflow vulnerabilities that exist in ICS software to inject malicious data and commands to modify the normal behavior and operation of the systems - Leads to erratic program behavior, including memory access errors and incorrect results, and causes mobile devices to crash Side channel: retrieve critical info from OT system by observing its physical implementation Exploiting unpatched vulnerabilities: ICS vendors develop products that are reliable and provide high speed, real time performance with no built in security features OT attack countermeasures Use purpose built sensos to discover vulnerabilities in the network Update systems to latest tech and do regular patches Implement secure config and secure coding practices Maintain an asset register for tracking outdated systems Use strong passwords and change default passwords Implement VPNs to secure remote access Disable unused services to harden system Use only tested and familiar third party web servers Train employees with the latest security policies and raise awareness of the latest threats and risks Secure the network perimeter to filter and prevent unauthorized inbound traffic Module 11 Cloud computing threats and countermeasures Delivers computing services, such as online business apps, online data storage, and webmail over the internet Major cloud service providers are Google, Amazon, and Microsoft Separation of responsibilities of subscribers and service providers is essential - Prevents conflict of interest, illegal acts, fraud, abuse, and error and helps in identifying security control failures, including information theft, security breaches, and evasion of security controls Mainly three types of cloud services, IaaS (infrastructure), PaaS (platform), and SaaS (software) Public cloud: services are rendered over a network that is open for public use Private cloud: cloud infrastructure is operated for a single organization only Community cloud: shared infrastructure between several organizaitons from a specific community with common concerns Hybrid cloud: combo of two or more clouds Multi cloud: dynamic heterogeneous environment that combines workloads across multiple cloud vendors, managed via one proprietary interface to achieve long term business goals Cloud consumer: person or org that maintains a business relationship with the cloud service provider and uses the cloud services Cloud provider (CSP): person or org who acquires and manages the computing infrastructure intended for providing services Cloud carrier: acts as an intermediary that provides connectivity and transport services between CSPs and cloud consumers - Provides access to consumers via a network, telecommunication, and other access devices Cloud auditor: can evaluate the services provided by a CSP regarding security controls Cloud broker: cloud services becoming too complicated for cloud consumers to manage so a they request services from a broker - Broker manages cloud services regarding use, performance, and delivery and maintains the relationship between CSPs and consumers Cloud storage is a medium used to store digital data using a network - Physical storage is distributed to multiple servers - Orgs can buy storage capacity from the CSP for storing user, org, and app data - CSP responsible for managing the data and keeping the data available and accessible Three main layers are front-end, middleware, and back-end - Front-end: used by end user where it provides APIs for the management of data storage - Middleware: performs several functions like data de-duplication and replication of data - Back-end: where hardware is implemented Container: package of an app/software including all its dependencies such as library files, configuration files, binaries, and other resources that run independently of other processes in the cloud environment - Provided to the subscribers in the form of CaaS - CaaS includes the virtualization and management of containers through orchestrators - Subs can develop rich, scalable containerized apps through the cloud or onsite data centers Practice quizzes HIPAA (health insurance portability and accountability act): civilian act that enforces “electronic transactions and code set standards” Destructive trojan: attackers use it for the autodeletion of files, folders, and registry entries as well as local drives to cause the OS to fail Malicious reprogramming attack: involves sniffing radio commands and injecting arbitrary code into the firmware of the remote controllers to maintain persistence Functionasaservice (FaaS):provides data processing like IoT services for connected devices, mobile and web apps, and batchandstreamprocessing Kubelet: the node component of Kubernetes that ensures all pods and containers are healthy and running as expected Cloudborne attack: attacker exploits the vulnerability in a baremetal cloud server and uses it to implant a malicious backdoor in its firmware Security audit: implemented to check if an org is following a set of standard policies and procedures in protecting its network

Ethical Hacking COSS 273 PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue