Ethical Hacking Essentials PDF

Summary

This document is a guide to ethical hacking essentials. Topics covered include information security fundamentals, threats, and countermeasures. It provides a comprehensive overview of various aspects of ethical hacking, including network attacks, web application attacks, and social engineering.

Full Transcript

Ethical Hacking Essentials (EHE) Table of Contents Module 01: Information Security Fundamentals - Information Security Fundamentals - Information Security Laws and Regulations Module 02: Ethical Hacking Fundamentals - Cyber Kill Chain Methodology - Hacking Concepts and Hacker Classes...

Ethical Hacking Essentials (EHE) Table of Contents Module 01: Information Security Fundamentals - Information Security Fundamentals - Information Security Laws and Regulations Module 02: Ethical Hacking Fundamentals - Cyber Kill Chain Methodology - Hacking Concepts and Hacker Classes - Different Phases of Hacking Cycle - Ethical Hacking Concepts, Scope, and Limitations - Ethical Hacking Tools Module 03: Information Security Threats and Vulnerability Assessment - Threat and Threat Sources - Malware and its Types - Vulnerabilities - Vulnerability Assessment Module 04: Password Cracking Techniques and Countermeasures - Password Cracking Techniques - Password Cracking Tools - Password Cracking Countermeasures Module 05: Social Engineering Techniques and Countermeasures - Social Engineering Concepts and its Phases - Social Engineering Techniques - Insider Threats and Identity Theft - Social Engineering Countermeasures Module 06: Network Level Attacks and Countermeasures - Sniffing - Packet Sniffing Concepts - Sniffing Techniques - Sniffing Countermeasures - Denial-of-Service - DoS and DDoS Attacks - DoS and DDoS Attack Countermeasures - Session Hijacking - Session Hijacking Attacks - Session Hijacking Attack Countermeasures Module 07: Web Application Attacks and Countermeasures - Web Server Attacks - Web Server Attacks - Web Server Attack Countermeasures - Web Application Attacks - Web Application Architecture and Vulnerability Stack - Web Application Threats and Attacks - Web Application Attack Countermeasures - SQL Injection Attacks - SQL Injection Attacks - SQL Injection Attack Countermeasures Module 08: Wireless Attacks and Countermeasures - Wireless Terminology - Wireless Encryption - Wireless Network-Specific Attack Techniques - Bluetooth Attacks - Wireless Attack Countermeasures Module 09: Mobile Attacks and Countermeasures - Mobile Attack Anatomy - Mobile Platform Attack Vectors and Vulnerabilities - Mobile Device Management (MDM) Concept - Mobile Attack Countermeasures Module 10: IoT and OT Attacks and Countermeasures - IoT Attacks - IoT Concepts - IoT Threats and Attacks - IoT Attack Countermeasures - OT Attacks - OT Concepts - OT Threats and Attacks - OT Attack Countermeasures Module 11: Cloud Computing Threats and Countermeasures - Cloud Computing Concepts - Container Technology - Cloud Computing Threats - Cloud Attack Countermeasures Module 12: Penetration Testing Fundamentals - Fundamentals of Penetration Testing and its Benefits - Strategies and Phases of Penetration Testing - Guidelines and Recommendations for Penetration Testing **Module 01: Information Security Fundamentals** - Information Security Fundamentals - Information security is a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is low or tolerable - Need for Security - Evolution of technology, focused on ease of use - Rely on the use of computers for accessing, providing, or just storing information - Increased network environment and network-based applications - Direct impact of security breach on the corporate asset base and goodwill - Increasing complexity of computer infrastructure administration and management - Elements of Information Security - Confidentiality - Integrity - Availability - Authenticity - Non-repudiation - The Security, Functionality, and Usability Triangle - Security: Restrictions - Functionality: Features - Usability: GUI - Security Challenges - Compliance to government laws and regulations - Lack of qualified and skilled cybersecurity professionals - Difficulty in centralizing security in a distributed computing environment - Difficulty in overseeing end-to-end processes due to complex IT infrastructure - Fragmented and complex privacy and data protection regulations - Use of a serverless architecture and applications that rely on third-party cloud providers - Compliance issues and issues with data removal and retrieval due to the implementation of Bring Your Own Device (BYOD) policies in companies - Relocation of sensitive data from legacy data centers to the cloud without proper configuration - Weak links in supply-chain management - Increase in cybersecurity risks such as data loss and unpatched vulnerabilities and errors due to the usage of shadow IT - Shortage of research visibility and training for IT employees - Motives, Goals, and Objectives of Information Security Attacks - Attacks = Motive (Goal) + Method + Vulnerability - A motive originates out of the notion that the target system stores or processes something valuable, and this leads to the threat of an attack on the system - Attackers try various tools and attack techniques to exploit vulnerabilities in a computer system or its security policy and controls in order to fulfil their motives - Motives behind information security attacks - Disrupting business continuity - Stealing information and manipulating data - Creating fear and chaos by disrupting critical infrastructures - Causing financial loss to the target - Damaging the reputation of the target - Classification of Attacks - Passive Attacks - Do not tamper with the data and involve intercepting and monitoring network traffic and data flow on the target network - Examples include sniffing and eavesdropping, Footprinting, Network traffic analysis and Decryption of weakly encrypted traffic - Active Attacks - Tamper with the data in transit or disrupt the communication or services between the systems to bypass or break into secured systems - Examples include DoS, Man-in-the-Middle, session hijacking, and SQL injection - Close-in Attacks - Are performed when the attacker is in close physical proximity with the target system or network in order to gather, modify, or disrupt access to information - Examples include social engineering such as eavesdropping, shoulder surfing, and dumpster diving - Insider Attacks - Involve using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems - Examples include theft of physical devices and planting keyloggers, backdoors, and malware - Distribution Attacks - Occur when attackers tamper with hardware or software prior to installation - Attackers tamper with the hardware or software at its source or in transit - Information Security Attack Vectors - Cloud Computing Threats: - Cloud computing is an on-demand delivery of IT capabilities where sensitive data of organizations, and their clients is stored. Flaw in one client's application cloud allow attackers to access other client's data - Advanced Persistent Threats (APT): - An attack that is focused on stealing information from the victim machine without the user being aware of it - Viruses and Worms: - The most prevalent networking threat that are capable of infecting a network within seconds - Ransomware: - Restricts access to the computer system's files and folders and demands an online ransom payment to the malware creator(s) in order to remove the restrictions - Mobile Threats: - Focus of attackers has shifted to mobile devices due to increased adoption of mobile devices for business and personal purposes and comparatively lesser security controls - Botnet - A huge network of the compromised systems used by an intruder to perform various network attacks - Insider Attack - An attack performed on a corporate network or on a single computer by an entrusted person (insider) who has authorized access to the network - Phishing - The practice of sending an illegitimate email falsely claiming to be from a legitimate site in an attempt to acquire a user's personal or account information - Web Application Threats - Attackers target web applications to steal credentials, set up phishing site, or acquire private information to threaten the performance of the website and hamper its security - IoT Threats - IoT devices include many software applications that are used to access the device remotely - Flaws in the IoT devices allows attackers access into the device remotely and perform various attacks - Information Security Laws and Regulations - Payment Card Industry Data Security Standard (PCI DSS) [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org/) - A proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards - PCI DSS applies to all entities involved in payment card processing --- including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data - PCI Data Security Standard, High Level Overview: - Build and Maintain a Secure Network - Install and maintain a firewall configuration to protect cardholder data - Do not use vendor-supplied defaults for system passwords and other security parameters - Protect Cardholder Data - Protect stored cardholder data - Encrypt transmission of cardholder data across open, public networks - Maintain a Vulnerability Management Program - Use and regularly update anti-virus software or programs - Develop and maintain secure systems and applications - Implement Strong Access Control Measures - Restrict access to cardholder data by business need to know - Assign a unique ID to each person with computer access - Restrict physical access to cardholder data - Regularly Monitor and Test Networks - Track and monitor all access to network resources and cardholder data - Regularly test security systems and processes - Maintain an Information Security Policy - Maintain a policy that addresses information security for all personnel - ISO/IEC 27001:2013 [https://www.iso.org](https://www.iso.org/) - Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization - It is intended to be suitable for several different types of use, including: - Use within organizations to formulate security requirements and objectives - Use within organizations as a way to ensure that security risks are cost-effectively managed - Use within organizations to ensure compliance with laws and regulations - Defining new information security management processes - Identifying and clarifying existing information security management processes - Use by the management of organizations to determine the status of information security management activities - Implementing business-enabling information security - Use by organizations to provide relevant information about information security to customers - Health Insurance Portability and Accountability Act (HIPAA) [https://www.hhs.gov](https://www.hhs.gov/) - Electronic Transaction and Code Set Standards - Requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers - Privacy Rule - Provides federal protections for the personal health information held by covered entities and gives patients an array of rights with respect to that information - Security Rule - Specifies a series of administrative, physical, and technical safeguards for covered entities to use to ensure the confidentiality, integrity, and availability of electronically protected health information - National Identifier Requirements - Requires that health care providers, health plans, and employers have standard national numbers that identify them attached to standard transactions - Enforcement Rule - Provides the standards for enforcing all the Administration Simplification Rules - Sarbanes Oxley Act (SOX) [https://www.sec.gov](https://www.sec.gov/) - Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures - The key requirements and provisions of SOX are organized into 11 titles: - Title I: - Public Company Accounting Oversight Board (PCAOB) provides independent oversight of public accounting firms providing audit services ("auditors") - Title II - Auditor Independence establishes the standards for external auditor independence, intended to limit conflicts of interest and address new auditor approval requirements, audit partner rotation, and auditor reporting requirements - Title III - Corporate Responsibility mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports - Title IV - Enhanced Financial Disclosures describe enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures, and the stock transactions of corporate officers - Title V - Analyst Conflicts of Interest consist of measures designed to help restore investor confidence in the reporting of securities analysts - Title VI - Commission Resources and Authority defines practices to restore investor confidence in securities analysts - Title VII - Studies and Reports includes the effects of the consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing, or others to manipulate earnings and obfuscate true financial conditions - Title VIII - Corporate and Criminal Fraud Accountability describes specific criminal penalties for fraud by the manipulation, destruction, or alteration of financial records, or other interference with investigations while providing certain protections for whistle-blowers - Title X - White Collar Crime Penalty Enhancement increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds the failure to certify corporate financial reports as a criminal offense - Title IX - Corporate Tax Returns states that the Chief Executive Officer should sign the company tax return - Title XI - Corporate Fraud Accountability identifies corporate fraud and record tampering as criminal offenses and assigns them specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to temporarily freeze large or unusual payments - The Digital Millennium Copyright Act (DMCA) [https://www.copyright.gov](https://www.copyright.gov/) - The DMCA is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO) - It defines the legal prohibitions against the circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information - The Federal Information Security Management Act (FISMA) [https://csrc.nist.gov](https://csrc.nist.gov/) - The FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. It includes: - Standards for categorizing information and information systems by mission impact - Standards for minimum security requirements for information and information systems - Guidance for selecting appropriate security controls for information systems - Guidance for assessing security controls in information systems and determining security control effectiveness - Guidance for security authorization of information systems - General Data Protection Regulation (GDPR) [https://gdpr.eu](https://gdpr.eu/) - GDPR regulation was put into effect on May 25, 2018 and one of the most stringent privacy and security laws globally - The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching tens of millions of euros - GDPR Data Protection Principles: - Lawfulness, fairness, and transparency - Purpose limitation - Data minimization - Accuracy - Storage limitation - Integrity and confidentiality - Accountability - Data Protection Act 2018 (DPA) [https://www.legislation.gov.uk](https://www.legislation.gov.uk/) - The DPA is an act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner's functions under specific regulations relating to information; to make provision for a direct marketing code of practice, and connected purposes - The DPA protects individuals concerning the processing of personal data, in particular by: - Requiring personal data to be processed lawfully and fairly, based on the data subject's consent or another specified basis, - Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and - Conferring functions on the Commissioner, giving the holder of that office responsibility to monitor and enforce their provisions - Cyber Law in Different Countries - United States - Section 107 of the Copyright Law mentions the doctrine of "fair use" [https://www.copyright.gov](https://www.copyright.gov/) - Online Copyright Infringement Liability Limitation Act [https://www.uspto.gov](https://www.uspto.gov/) - The Lanham (Trademark) Act (15 USC §§ 1051 - 1127) [https://www.uspto.gov](https://www.uspto.gov/) - The Electronic Communications Privacy Act [https://fas.org](https://fas.org/) - Foreign Intelligence Surveillance Act [https://fas.org](https://fas.org/) - Protect America Act of 2007 [https://www.justice.gov](https://www.justice.gov/) - Privacy Act of 1974 [https://www.justice.gov](https://www.justice.gov/) - National Information Infrastructure Protection Act of 1996 [https://www.nrotc.navy.mil](https://www.nrotc.navy.mil/) - Computer Security Act of 1987 [https://csrc.nist.gov](https://csrc.nist.gov/) - Freedom of Information Act (FOIA) [https://www.foia.gov](https://www.foia.gov/) - Computer Fraud and Abuse Act [https://energy.gov](https://energy.gov/) - Federal Identity Theft and Assumption Deterrence Act [https://www.ftc.gov](https://www.ftc.gov/) - Australia [https://www.legislation.gov.au](https://www.legislation.gov.au/) - The Trade Marks Act 1995 - The Patents Act 1990 - The Copyright Act 1968 - Cybercrime Act 2001 - United Kingdom [https://www.legislation.gov.uk](https://www.legislation.gov.uk/) - The Copyright, Etc. and Trademarks (Offenses And Enforcement) Act 2002 - Trademarks Act 1994 (TMA) - Computer Misuse Act 1990 - The Network and Information Systems Regulations 2018 - Communications Act 2003 - The Privacy and Electronic Communications (EC Directive) Regulations 2003 - Investigatory Powers Act 2016 - Regulation of Investigatory Powers Act 2000 - China - Copyright Law of the People's Republic of China (Amendments on October 27, 2001) [http://www.npc.gov.cn](http://www.npc.gov.cn/) - Trademark Law of the People\'s Republic of China (Amendments on October 27, 2001) [http://www.npc.gov.cn](http://www.npc.gov.cn/) - India - The Patents (Amendment) Act, 1999, Trade Marks Act, 1999, The Copyright Act, 1957 [http://www.ipindia.nic.in](http://www.ipindia.nic.in/) - Information Technology Act [https://www.meity.gov.in](https://www.meity.gov.in/) - Germany - Section 202a. Data Espionage, Section 303a. Alteration of Data, Section 303b. Computer Sabotage [https://www.cybercrimelaw.net](https://www.cybercrimelaw.net/) - Italy - Penal Code Article 615 ter [https://www.cybercrimelaw.net](https://www.cybercrimelaw.net/) - Japan - The Trademark Law (Law No. 127 of 1957), Copyright Management Business Law (4.2.2.3 of 2000) [https://www.iip.or.jp](https://www.iip.or.jp/) - Canada - Copyright Act (R.S.C., 1985, c. C-42), Trademark Law, Canadian Criminal Code Section 342.1 [https://laws-lois.justice.gc.ca](https://laws-lois.justice.gc.ca/) - Singapore - Computer Misuse Act [https://sso.agc.gov.sg](https://sso.agc.gov.sg/) - South Africa - Trademarks Act 194 of 1993 [http://www.cipc.co.za](http://www.cipc.co.za/) - Copyright Act of 1978 [https://www.nlsa.ac.za](https://www.nlsa.ac.za/) - South Korea - Copyright Law Act No. 3916 [https://www.copyright.or.kr](https://www.copyright.or.kr/) - Industrial Design Protection Act [https://www.kipo.go.kr](https://www.kipo.go.kr/) - Belgium - Copyright Law, 30/06/1994 [https://www.wipo.int](https://www.wipo.int/) - Computer Hacking [https://www.cybercrimelaw.net](https://www.cybercrimelaw.net/) - Brazil - Unauthorized modification or alteration of the information system [https://www.domstol.no](https://www.domstol.no/) - Hong Kong - Article 139 of the Basic Law [https://www.basiclaw.gov.hk](https://www.basiclaw.gov.hk/) **Module 02: Ethical Hacking Fundamentals** - Cyber Kill Chain Methodology - The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities - It helps security professionals to understand the adversary's tactics, techniques, and procedures beforehand - Reconnaissance - Gather data on the target to probe for weak points - Activities of the adversary include the following: - Gathering information about the target organization by searching the Internet or through social engineering - Performing analysis of various online activities and publicly available information - Gathering information from social networking sites and web services - Obtaining information about websites visited - Monitoring and analyzing the target organization's website - Performing Whois, DNS, and network footprinting - Performing scanning to identify open ports and services - Weaponization - Create a deliverable malicious payload using an exploit and a backdoor - The following are the activities of the adversary: - Identifying appropriate malware payload based on the analysis - Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability - Creating a phishing email campaign - Leveraging exploit kits and botnets - Delivery - Send weaponized bundle to the victim using email, USB, etc. - The following are the activities of the adversary: - Sending phishing emails to employees of the target organization - Distributing USB drives containing malicious payload to employees of the target organization - Performing attacks such as watering hole on the compromised website - Implementing various hacking tools against the operating systems, applications, and servers of the target organization - Exploitation - Exploit a vulnerability by executing code on the victim's system - Exploiting software or hardware vulnerabilities to gain remote access to the target system - Installation - Install malware on the target system - The following are the activities of the adversary: - Downloading and installing malicious software such as backdoors - Gaining remote access to the target system - Leveraging various methods to keep backdoor hidden and running - Maintaining access to the target system - Command and Control - Create a command and control channel to communicate and pass data back and forth - The following are the activities of the adversary: - Establishing a two-way communication channel between the victim's system and the adversary-controlled server - Leveraging channels such as web traffic, email communication, and DNS messages - Applying privilege escalation techniques - Hiding any evidence of compromise using techniques such as encryption - Actions on Objectives - Perform actions to achieve intended objectives/goals - Tactics, Techniques, and Procedures (TTPs) - The term Tactics, Techniques, and Procedures (TTPs) refers to the patterns of activities and methods associated with specific threat actors or groups of threat actors - Tactics are the guidelines that describe the way an attacker performs the attack from beginning to the end - Techniques are the technical methods used by an attacker to achieve intermediate results during the attack - Procedures are organizational approaches that threat actors follow to launch an attack - Adversary Behavioral Identification - Adversary behavioral identification involves the identification of the common methods or techniques followed by an adversary to launch attacks on or to penetrate an organization's network - It gives the security professionals insight into upcoming threats and exploits - Adversary Behaviors - Internal Reconnaissance - Use of PowerShell - Unspecified Proxy Activities - Use of Command-Line Interface - HTTP User Agent - Command and Control Server - Use of DNS Tunneling - Use of Web Shell - Data Staging - Indicators of Compromise (IoCs) - Indicators of Compromise (IoCs) are the clues, artifacts, and pieces of forensic data found on the network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure - IoCs act as a good source of information regarding the threats that serve as data points in the intelligence process - Security professionals need to perform continuous monitoring of IoCs to effectively and efficiently detect and respond to evolving cyber threats - Categories of Indicators of Compromise - Understanding IoCs helps security professionals to quickly detect the threats against the organization and protect the organization from evolving threats - For this purpose, IoCs are divided into four categories: - Email Indicators - Used to send malicious data to the target organization or individual - Examples include the sender's email address, email subject, and attachments or links - Network Indicators - Useful for command and control, malware delivery, identifying the operating system, and other tasks - Examples include URLs, domain names, and IP addresses - Host-Based Indicators - Found by performing an analysis of the infected system within the organizational network - Examples include filenames, file hashes, registry keys, DLLs, and mutex - Behavioral Indicators - Used to identify specific behavior related to malicious activities - Examples include document executing PowerShell script, and remote command execution - Listed below are some of the key Indicators of Compromise (IoCs): - Unusual outbound network traffic - Unusual activity through a privileged user account - Illegitimate files and software - Geographical anomalies - Multiple login failures - Increased database read volume - Large HTML response size - Multiple requests for the same file - Mismatched port-application traffic - Unusual usage of ports and protocols - Suspicious registry or system file changes - Unusual DNS requests - Malicious emails - Unexpected patching of systems - Signs of Distributed Denial-of-Service (DDoS) activity - Service interruption and the defacement - Bundles of data in the wrong places - Web traffic with superhuman behavior - A drastic increase in bandwidth usage - Malicious hardware - Hacking Concepts and Hacker Classes - What is Hacking? - Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system's resources - It involves modifying system or application features to achieve a goal outside of the creator's original purpose - Hacking can be used to steal and redistribute intellectual property, leading to business loss - Who is a Hacker? - An intelligent individual with excellent computer skills who can create and explore computer software and hardware - For some hackers, hacking is a hobby to see how many computers or networks they can compromise - Some hackers' intentions can either be to gain knowledge or to probe and do illegal things - Some hack with malicious intent such as to steal business data, credit card information, social security numbers, email passwords, and other sensitive data - Hacker Classes/Threat Actors - Black Hats - Individuals with extraordinary computing skills; they resort to malicious or destructive activities and are also known as crackers - White Hats - Individuals who use their professed hacking skills for defensive purposes and are also known as security analysts - Gray Hats - Individuals who work both offensively and defensively at various times - Suicide Hackers - Individuals who aim to bring down the critical infrastructure for a \"cause\" and are not worried about facing jail terms or any other kind of punishment - Script Kiddies - An unskilled hacker who compromises a system by running scripts, tools, and software that were developed by real hackers - Cyber Terrorists - Individuals with a wide range of skills who are motivated by religious or political beliefs to create the fear through the large-scale disruption of computer networks - State-Sponsored Hackers - Individuals employed by the government to penetrate and gain top-secret information from, and damage the information systems of other governments - Hacktivist - Individuals who promote a political agenda by hacking, especially by using hacking to deface or disable website - Hacker Teams - A consortium of skilled hackers having their own resources and funding. They work together in synergy for researching the state-ofthe- art technologies - Industrial Spies - Individuals who perform corporate espionage by illegally spying on competitor organizations and focus on stealing information such as blueprints and formulas - Insider - Any employee (trusted person) who has access to critical assets of an organization. They use privileged access to violate rules or intentionally cause harm to the organization's information system - Criminal Syndicates - Groups of individuals that are involved in organized, planned, and prolonged criminal activities. They illegally embezzle money by performing sophisticated cyberattacks - Organized Hackers - Miscreants or hardened criminals who use rented devices or botnets to perform various cyber-attacks to pilfer money from victims - Different Phases of Hacking Cycle - Hacking Phases - Reconnaissance - Scanning - Gaining Access - Maintaining Access - Clearing Tracks - Hacking Phase: Reconnaissance - Reconnaissance refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching an attack - Reconnaissance Types - Passive Reconnaissance - Involves acquiring information without directly interacting with the target - For example, searching public records or news releases - Active Reconnaissance - Involves directly interacting with the target by any means - For example, telephone calls to the target's help desk or technical department - Hacking Phase: Scanning - Scanning refers to the pre-attack phase when the attacker scans the network for specific information based on information gathered during reconnaissance - Scanning can include the use of dialers, port scanners, network mappers, ping tools, and vulnerability scanners - Attackers extract information such as live machines, port, port status, OS details, device type, and system uptime to launch attack - Hacking Phase: Gaining Access - Gaining access refers to the point where the attacker obtains access to the operating system or applications on the target computer or network - The attacker can gain access at the operating system, application, or network levels - The attacker can escalate privileges to obtain complete control of the system - Examples include password cracking, buffer overflows, denial of service, and session hijacking - Hacking Phase: Maintaining Access - Maintaining access refers to the phase when the attacker tries to retain their ownership of the system - Attackers may prevent the system from being owned by other attackers by securing their exclusive access with backdoors, rootkits, or Trojans - Attackers can upload, download, or manipulate data, applications, and configurations on the owned system - Attackers use the compromised system to launch further attacks - Hacking Phase: Clearing Tracks - Clearing tracks refers to the activities carried out by an attacker to hide malicious acts - The attacker's intentions include obtaining continuing access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to their prosecution - The attacker overwrites the server, system, and application logs to avoid suspicion - Ethical Hacking Concepts, Scope, and Limitations - What is Ethical Hacking? - Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities and ensure system security - It focuses on simulating the techniques used by attackers to verify the existence of exploitable vulnerabilities in a system's security - Ethical hackers perform security assessments for an organization with the permission of concerned authorities - Consider the following definitions: - The noun "hacker" refers to a person who enjoys learning the details of computer systems and stretching their capabilities. - The verb "to hack" describes the rapid development of new programs or the reverse engineering of existing software to make it better or more efficient in new and innovative ways. - The terms "cracker" and "attacker" refer to persons who employ their hacking skills for offensive purposes. - The term "ethical hacker" refers to security professionals who employ their hacking skills for defensive purposes. - Why Ethical Hacking is Necessary - To beat a hacker, you need to think like one! - Ethical hacking is necessary as it allows for counter attacks against malicious hackers through anticipating the methods used to break into the system - Reasons why organizations recruit ethical hackers - To prevent hackers from gaining access to the organization's information systems - To uncover vulnerabilities in systems and explore their potential as a security risk - To analyze and strengthen an organization's security posture - To provide adequate preventive measures in order to avoid security breaches - To help safeguard customer data - To enhance security awareness at all levels in a business - Ethical Hackers Try to Answer the Following Questions - What can an intruder see on the target system? (Reconnaissance and Scanning phases) - What can an intruder do with that information? (Gaining Access and Maintaining Access phases) - Does anyone at the target organization notice the intruders' attempts or successes? (Reconnaissance and Covering Tracks phases) - Are all components of the information system adequately protected, updated, and patched? - How much time, effort, and money are required to obtain adequate protection? - Are the information security measures in compliance with legal and industry standards? - Scope and Limitations of Ethical Hacking - Scope - Ethical hacking is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices - It is used to identify risks and highlight remedial actions. It also reduces ICT costs by resolving vulnerabilities - Limitations - Unless the businesses already know what they are looking for and why they are hiring an outside vendor to hack systems in the first place, chances are there would not be much to gain from the experience - An ethical hacker can only help the organization to better understand its security system; it is up to the organization to place the right safeguards on the network - Skills of an Ethical Hacker - Technical Skills - In-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh - In-depth knowledge of networking concepts, technologies, and related hardware and software - A computer expert adept at technical domains - The knowledge of security areas and related issues - High technical knowledge of how to launch sophisticated attacks - Non-Technical Skills - The ability to quickly learn and adapt new technologies - A strong work ethic and good problem solving and communication skills - Commitment to an organization's security policies - An awareness of local standards and laws - Ethical Hacking Tools - Reconnaissance Using Advanced Google Hacking Techniques - Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable targets - Popular Google advanced search operators [http://www.googleguide.com](http://www.googleguide.com/) - \[cache:\] Displays the web pages stored in the Google cache - \[link:\] Lists web pages that have links to the specified web page - \[related:\] Lists web pages that are similar to the specified web page - \[info:\] Presents some information that Google has about a particular web page - \[site:\] Restricts the results to those websites in the given domain - \[allintitle:\] Restricts the results to those websites containing all the search keywords in the title - \[intitle:\] Restricts the results to documents containing the search keyword in the title - \[allinurl:\] Restricts the results to those containing all the search keywords in the URL - \[inurl:\] Restricts the results to documents containing the search keyword in the URL - \[location:\] Finds information for a specific location - Reconnaissance Tools - Web Data Extractor [http://www.webextractor.com](http://www.webextractor.com/) - It extracts targeted contact data (email, phone, and fax) from the website, extracts the URL and meta tags (title, description, keyword) for website promotion, and so on - Whois Lookup - [https://whois.domaintools.com](https://whois.domaintools.com/) - [https://www.tamos.com](https://www.tamos.com/) - IMCP Traceroute - TCP Traceroute - UDP Traceroute - Scanning Tools - Nmap [https://nmap.org](https://nmap.org/) - Use Nmap to extract information such as live hosts on the network, open ports, services (application name and version), types of packet filters/ firewalls, as well as operating systems and versions used - MegaPing [http://www.magnetosoft.com](http://www.magnetosoft.com/) - Includes scanners such as Comprehensive Security Scanner, Port scanner (TCP and UDP ports), IP scanner, NetBIOS scanner, and Share Scanner - Unicornscan - In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result - Hping2/Hping3 [http://www.hping.org](http://www.hping.org/) - NetScanTools Pro [https://www.netscantools.com](https://www.netscantools.com/) - SolarWinds Port Scanner [https://www.solarwinds.com](https://www.solarwinds.com/) - PRTG Network Monitor [https://www.paessler.com](https://www.paessler.com/) - OmniPeek Network Protocol Analyzer [https://www.liveaction.com](https://www.liveaction.com/) - Enumeration Tools - Nbtstat Utility [https://docs.microsoft.com](https://docs.microsoft.com/) - The nbtstat utility in Windows displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache - nbtstat \[-a RemoteName\] \[-A IP Address\] \[-c\] \[-n\] \[-r\] \[-R\] \[-RR\] \[-s\] \[-S\] \[Interval\] - NetBIOS Enumerator [http://nbtenum.sourceforge.net](http://nbtenum.sourceforge.net/) - NetBIOS Enumerator helps to enumerate details, such as NetBIOS names, Usernames, Domain names, and MAC addresses, for a given range of IP addresses - Other NetBIOS Enumeration Tools: - Global Network Inventory [http://www.magnetosoft.com](http://www.magnetosoft.com/) - Advanced IP Scanner [https://www.advancedip-scanner.com](https://www.advancedip-scanner.com/) - Hyena [https://www.systemtools.com](https://www.systemtools.com/) - Nsauditor Network Security Auditor [https://www.nsauditor.com](https://www.nsauditor.com/) **Module 03: Information Security Threats and Vulnerability Assessment** - Threat and Threat Sources - What is a Threat? - A threat is the potential occurrence of an undesirable event that can eventually damage and disrupt the operational and functional activities of an organization - Attackers use cyber threats to infiltrate and steal data such as individual's personal information, financial information, and login credentials - Examples of Threats - An attacker stealing sensitive data of an organization - An attacker causing a server to shut down - An attacker tricking an employee into revealing sensitive information - An attacker infecting a system with malware - An attacker spoofing the identity of an authorized person to gain access - An attacker modifying or tampering with the data transferred over a network - An attacker remotely altering the data in a database server - An attacker performing URL redirection or URL forwarding - An attacker performing privilege escalation for unauthorized access - An attacker executing denial-of-service (DoS) attacks for making resources unavailable - An attacker eavesdropping on a communication channel without authorized access - Threat Sources - Natural - Fires - Floods - Power failures - Unintentional - Unskilled administrators - Accidents - Lazy or untrained employees - Intentional - Internal - Fired employee - Disgruntled employee - Service providers - Contractors - External - Hackers - Criminals - Terrorists - Foreign intelligence agents - Corporate raiders - Malware and its Types - Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud - Malware programmers develop and use malware to: - Attack browsers and track websites visited - Slow down systems and degrade system performance - Cause hardware failure, rendering computers inoperable - Steal personal information, including contacts - Erase valuable information, resulting in substantial data loss - Attack additional computer systems directly from a compromised system - Spam inboxes with advertising emails - Different Ways for Malware to Enter a System - Instant Messenger applications - Portable hardware media/removable devices - Browser and email software bugs - Untrusted sites and freeware web applications/ software - Downloading files from the Internet - Email attachments - Installation by other malware - Bluetooth and wireless networks - Common Techniques Attackers Use to Distribute Malware on the Web. Security Threat Report ([https://www.sophos.com](https://www.sophos.com/)) - Black hat Search Engine Optimization (SEO) - Ranking malware pages highly in search results - Social Engineered Click-jacking - Tricking users into clicking on innocent-looking webpages - Spear-phishing Sites - Mimicking legitimate institutions in an attempt to steal login credentials - Malvertising - Embedding malware in ad-networks that display across hundreds of legitimate, high-traffic sites - Compromised Legitimate Websites - Hosting embedded malware that spreads to unsuspecting visitors - Drive-by Downloads - Exploiting flaws in browser software to install malware just by visiting a web page - Spam Emails - Attaching the malware to emails and tricking victims to click the attachment - Components of Malware - The components of a malware software depend on the requirements of the malware author who designs it for a specific target to perform intended tasks - Crypter: Software that protects malware from undergoing reverse engineering or analysis - Downloader: A type of Trojan that downloads other malware from the Internet on to the PC - Dropper: A type of Trojan that covertly installs other malware files on to the system - Exploit: A malicious code that breaches the system security via software vulnerabilities to access information or install malware - Injector: A program that injects its code into other vulnerable running processes and changes how they execute to hide or prevent its removal - Obfuscator: A program that conceals its code and intended purpose via various techniques, and thus, makes it hard for security mechanisms to detect or remove it - Packer: A program that allows all files to bundle together into a single executable file via compression to bypass security software detection - Payload: A piece of software that allows control over a computer system after it has been exploited - Malicious Code: A command that defines malware's basic functionalities such as stealing data and creating backdoors - Types of Malware - Trojans - Viruses - Ransomware - Computer Worms - Rootkits - PUAs or Grayware - Spyware - Keylogger - Botnets - Fileless Malware - What is a Trojan? - It is a program in which the malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage - Trojans get activated when a user performs certain predefined actions - Trojans create a covert communication channel between the victim computer and the attacker for transferring sensitive data - Indications of Trojan Attack - The computer screen blinks, flips upside-down, or is inverted so that everything is displayed backward - The default background or wallpaper settings change automatically - Web pages suddenly open without input from the user - The color settings of the operating system (OS) change automatically - Antivirus programs are automatically disabled - Pop-ups with bizarre messages suddenly appear - How Hackers Use Trojans - Delete or replace critical operating system files - Record screenshots, audio, and video of victim's PC - Use victim's PC for spamming and blasting email messages - Download spyware, adware, and malicious files - Disable firewalls and antivirus - Create backdoors to gain remote access - Steal personal information such as passwords, security codes, and credit card information - Encrypt the data and lock out the victim from accessing the machine - Common Ports used by Trojans - Types of Trojans - Remote Access Trojans - Backdoor Trojans - Botnet Trojans - Rootkit Trojans - E-Banking Trojans - Point-of-Sale Trojans - Defacement Trojans - Service Protocol Trojans - Mobile Trojans - IoT Trojans - Security Software Disabler Trojans - Destructive Trojans - DDoS Attack Trojans - Command Shell Trojans - Creating a Trojan - Trojan Horse construction kits help attackers to construct Trojan horses of their choice - The tools in these kits can be dangerous and can backfire if not properly executed - Trojan Horse Construction Kits - DarkHorse Trojan Virus Maker - Trojan Horse Construction Kit - Senna Spy Trojan Generator - Batch Trojan Generator - Umbra Loader - Botnet Trojan Maker - Theef RAT Trojan - Theef is a Remote Access Trojan written in Delphi. It allows remote attackers access to the system via port 9871 - What is a Virus? - A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document - Viruses are generally transmitted through file downloads, infected disk/flash drives, and as email attachments - Characteristics of Viruses - Infect other programs - Transform themselves - Encrypt themselves - Alter data - Corrupt files and programs - Self-replicate - Purpose of Creating Viruses - Inflict damage on competitors - Realize financial benefits - Vandalize intellectual property - Play pranks - Conduct research - Engage in cyber-terrorism - Distribute political messages - Damage networks or computers - Gain remote access to a victim\'s computer - Indications of Virus Attack - Processes require more resources and time, resulting in degraded performance - Computer beeps with no display - Drive label changes and OS does not load - Constant antivirus alerts - Computer freezes frequently or encounters an error such as BSOD - Files and folders are missing - Suspicious hard drive activity - Browser window "freezes" - Stages of Virus Lifecycle - Design: Development of virus code using programming languages or construction kits. - Replication: The virus replicates for a period within the target system and then spreads itself. - Launch: The virus is activated when the user performs specific actions such as running an infected program. - Detection: The virus is identified as a threat infecting target system. - Incorporation: Antivirus software developers assimilate defenses against the virus. - Execution of the damage routine: Users install antivirus updates and eliminate the virus threats. - How does a Computer Get Infected by Viruses? - When a user accepts files and downloads without properly checking the source - Opening infected e-mail attachments - Installing pirated software - Not updating and not installing new versions of plug-ins - Not running the latest antivirus application - Clicking malicious online ads - Using portable media - Connecting to untrusted networks - Types of Viruses - System or Boot Sector Virus - File and Multipartite Virus - Macro and Cluster Virus - Stealth/Tunneling Virus - Encryption Virus - Sparse Infector Virus - Polymorphic Virus - Metamorphic Virus - Overwriting File or Cavity Virus - Companion/Camouflage Virus - Shell and File Extension Virus - FAT and Logic Bomb Virus - Web Scripting Virus - Email and Armored Virus - Add-on and Intrusive Virus - Direct Action or Transient Virus - Terminate & Stay Resident Virus - Creating a Virus - A virus can be created in two different ways: - Writing a Virus Program - Using Virus Maker Tools - DELmE's Batch Virus Maker - Bhavesh Virus Maker SKW - Deadly Virus Maker - SonicBat Batch Virus Maker - TeraBIT Virus Maker - Andreinick05\'s Batch Virus Maker - Ransomware - A type of malware that restricts access to the computer system's files and folders - Demands an online ransom payment to the malware creator(s) to remove the restrictions - Dharma - Dharma is a dreadful ransomware that attacks victims through email campaigns; the ransom notes ask the victims to contact the threat actors via a provided email address and pay in bitcoins for the decryption service - eCh0raix - SamSam - WannaCry - Petya and NotPetya - GandCrab - MegaCortex - LockerGoga - NamPoHyu - Ryuk - Cryptgh0st - Ransomware Families - Cerber - CTB-Locker - Sodinokibi - BitPaymer - CryptXXX - Cryptorbit ransomware - Crypto Locker Ransomware - Crypto Defense Ransomware - Crypto Wall Ransomware - Computer Worms - Malicious programs that independently replicate, execute, and spread across the network connections - Consume available computing resources without human interaction - Attackers use worm payloads to install backdoors in infected computers - Monero - Bondat - Beapy - How is a Worm Different from a Virus? - A Worm Replicates on its own - A worm is a special type of malware that can replicate itself and use memory but cannot attach itself to other programs - A Worm Spreads through the Infected Network - A worm takes advantage of file or information transport features on computer systems and automatically spreads through the infected network, but a virus does not - Worm Makers - Internet Worm Maker Thing - Internet Worm Maker Thing is an open-source tool used to create worms that can infect victim\'s drives, files, show messages, and disable antivirus software - Some additional worm makers are as follows: - Batch Worm Generator - C++ Worm Generator - Rootkits - Rootkits are programs that hide their presence as well as attacker's malicious activities, granting them full access to the server or host at that time, and in the future - Rootkits replace certain operating system calls and utilities with their own modified versions of those routines that, in turn, undermine the security of the target system causing malicious functions to be executed - A typical rootkit comprises of backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc. - The attacker places a rootkit by: - Scanning for vulnerable computers and servers on the web - Wrapping it in a special package like a game - Installing it on public computers or corporate computers through social engineering - Launching a zero-day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.) - Objectives of a rootkit: - To root the host system and gain remote backdoor access - To mask attacker tracks and presence of malicious applications or processes - To gather sensitive data, network traffic, etc. from the system to which attackers might be restricted or possess no access - To store other malicious programs on the system and act as a server resource for bot updates - Potentially Unwanted Application or Applications (PUAs) - Also known as grayware or junkware, are potentially harmful applications that may pose severe risks to the security and privacy of data stored in the system where they are installed - Installed when downloading and installing freeware using a third-party installer or when accepting a misleading license agreement - Covertly monitor and alter the data or settings in the system, similarly to other malware - Types of PUAs - Adware - Torrent - Marketing - Cryptomining - Dialers - Adware - A software or a program that supports advertisements and generates unsolicited ads and pop-ups - Tracks the cookies and user browsing patterns for marketing purposes and collects user data - Consumes additional bandwidth, and exhausts CPU resources and memory - Indications of Adware - Frequent system lag - Inundated advertisements - Incessant system crash - Disparity in the default browser homepage - Presence of new toolbar or browser add-ons - Slow Internet - Spyware - A stealthy program that records the user\'s interaction with the computer and the Internet without the user\'s knowledge and sends the information to the remote attackers - Hides its process, files, and other objects in order to avoid detection and removal - Spyware Propagation - Drive-by download - Masquerading as anti-spyware - Web browser vulnerability exploits - Piggybacked software installation - Browser add-ons - Cookies - What Does the Spyware Do? - Steals users' personal information and sends it to a remote server or hijacker - Monitors users' online activity - Displays annoying pop-ups - Redirects a web browser to advertising sites - Changes the browser's default settings - Changes firewall settings - Keylogger - Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, logs onto a file, or transmits them to a remote location - It allows the attacker to gather confidential information about the victim such as email ID, passwords, banking details, chat room activity, IRC, and instant messages - What a Keylogger can Do? - Record every keystroke typed on the user's keyboard - Capture screenshots at regular intervals, showing user activity such as typed characters or clicked mouse buttons - Track the activities of users by logging Window titles, names of launched applications, and other information - Monitor the online activity of users by recording addresses of the websites visited and with keywords entered - Record all login names, bank and credit card numbers, and passwords, including hidden passwords or data displayed in asterisks or blank spaces - Record online chat conversations - Make unauthorized copies of both outgoing and incoming email messages - Botnets - A Botnet is a collection of compromised computers connected to the Internet to perform a distributed task - Attackers distribute malicious software that turns a user's computer into a bot - Bot refers to a program or an infected system that performs repetitive work or acts as an agent or as a user interface to control other programs - Why Attackers use Botnets? - Perform DDoS attacks, which consume the bandwidth of the victim's computers - Use sniffer to steal information from one botnet and use it against another botnet - Perform keylogging to harvest account login information for services - Use to spread new bots - Perpetrate a "click fraud" by automating clicks - Perform mass identity theft - Fileless Malware - Fileless malware, also known as non-malware, infects legitimate software, applications, and other protocols existing in the system to perform various malicious activities - Leverages any existing vulnerabilities to infect the system - Resides in the system's RAM - Injects malicious code into the running processes such as Microsoft Word, Flash, Adobe PDF Reader, Javascript, and PowerShell - Reasons for Using Fileless Malware in Cyber Attacks - Stealthy in nature - Exploits legitimate system tools - Living-off-the-land - Exploits default system tools - Trustworthy - Uses tools that are frequently used and trusted - Fileless Propagation Techniques - Phishing emails - Legitimate applications - Native applications - Infection through lateral movement - Malicious websites - Registry manipulation - Memory code injection - Script-based injection - Malware Countermeasures - Trojan Countermeasures - Avoid opening email attachments received from unknown senders - Block all unnecessary ports at the host and use a firewall - Avoid accepting programs transferred by instant messaging - Harden weak default configuration settings and disable unused functionality, including protocols and services - Monitor the internal network traffic for odd ports or encrypted traffic - Avoid downloading and executing applications from untrusted sources - Install patches and security updates for the OS and applications - Scan external USB drives and DVDs with antivirus software before using them - Restrict permissions within the desktop environment to prevent installation of malicious applications - Avoid typing commands blindly and implementing pre-fabricated programs or scripts - Manage local workstation file integrity through checksums, auditing, and port scanning - Run host-based antivirus, firewall, and intrusion detection software - Virus and Worm Countermeasures - Install antivirus software that detects and removes infections as they appear - Pay attention to the instructions while downloading files or programs from the Internet - Regularly update antivirus software - Avoid opening attachments received from unknown senders, as viruses spread via email attachments - Since virus infections can corrupt data, ensure that you perform regular data backups - Schedule regular scans for all drives after the installation of antivirus software - Do not accept disks or programs without checking them first using a current version of an antivirus program - Do not boot the machine with an infected bootable system disk - Stay informed about the latest virus threats - Check DVDs for virus infection - Ensure that pop-up blockers are turned on and use an Internet firewall - Perform disk clean-up and run a registry scanner once a week - Run anti-spyware or anti-adware once a week - Do not open files with more than one file-type extension - Be cautious with files sent through instant messenger applications - Rootkit Countermeasures - Reinstall OS/applications from a trusted source after backing up critical data - Maintain well-documented automated installation procedures - Perform kernel memory dump analysis to determine the presence of rootkits - Harden the workstation or server against the attack - Do not download any files/programs from untrusted sources - Install network and host-based firewalls and frequently check for updates - Ensure the availability of trusted restoration media - Update and patch OSs, applications, and firmware - Regularly verify the integrity of system files using cryptographically strong digital fingerprint technologies - Regularly update antivirus and anti-spyware software - Keep anti-malware signatures up to date - Avoid logging into an account with administrative privileges - Adhere to the least privilege principle - Ensure that the chosen antivirus software possesses rootkit protection - Do not install unnecessary applications, and disable the features and services not in use - Refrain from engaging in dangerous activities on the Internet - Close any unused ports - Periodically scan the local system using host-based security scanners - Increase the security of the system using two-step or multi-step authentication, so that an attacker will not gain root access to the system to install rootkits - Never read emails, browse websites, or open documents while handling an active session with a remote server - Spyware Countermeasures - Try to avoid using any computer system that you do not have a complete control over. - Never adjust your Internet security setting level too low because it provides many chances for spyware to be installed on your computer. Therefore, always set your Internet browser security settings to either high or medium to protect your computer from spyware. - Do not open suspicious emails and file attachments received from unknown senders. There is a high likelihood that you will allow a virus, freeware, or spyware onto the computer. Do not open unknown websites linked in spam mail messages, retrieved by search engines, or displayed in pop-up windows because they may mislead you into downloading spyware. - Enable a firewall to enhance the security level of your computer. - Regularly update the software and use a firewall with outbound protection. - Regularly check Task Manager and MS Configuration Manager reports. - Regularly update virus definition files and scan the system for spyware. - Install anti-spyware software. Anti-spyware is the first line of defense against spyware. This software prevents spyware from installing on your system. It periodically scans and protects your system from spyware. - Keep your OS up to date. - Windows users should periodically perform a Windows or Microsoft update. - For users of other OSs or software products, refer to the information given by the OS vendors, and take essential steps against any vulnerability identified. - Perform web surfing safely and download cautiously. - Before downloading any software, ensure that it is from a trusted website. Read the license agreement, security warning, and privacy statements associated with the software thoroughly to gain a clear understanding before downloading it. - Before downloading freeware or shareware from a website, ensure that the site is safe. Likewise, be cautious with software programs obtained through P2P fileswapping software. Before installing such programs, perform a scan using antispyware software. - Do not use administrative mode unless it is necessary, because it may execute malicious programs such as spyware in administrator mode. Consequently, attackers may take complete control of your system. - Do not download free music files, screensavers, or emoticons from the Internet because when you do, there is a possibility that are downloading spyware along with them. - Beware of pop-up windows or web pages. Never click anywhere on the windows that display messages such as "your computer may be infected," or claim that they can help your computer to run faster. If you click on such windows, your system may become infected with spyware. - Carefully read all disclosures, including the license agreement and privacy statement, before installing any application. - Do not store personal or financial information on any computer system that is not totally under your control, such as in an Internet café. - PUAs/Adware Countermeasures - Always use whitelisted, trusted, and authorized software vendors and websites for downloading software. - Always read the end-user license agreement (EULA) and any other terms and conditions before installing any program. - Always turn on the option to detect PUAs in the OS or antivirus software. - Regularly update the OS and antivirus software to detect and patch the latest PUAs. - Uncheck unnecessary options while performing software setup to prevent the automatic installation of PUAs. - Avoid installing programs through the "express method" or "recommended method" and instead choose custom installation. - Be vigilant towards social engineering techniques and phishing attacks to avert the download of PUAs. - Install trusted antivirus, anti-adware, or ad-blocker software to detect and block adware and other malicious programs. - Use paid software versions and avoid downloading freeware and other shareware programs provided by third-party vendors. - Employ a firewall to filter data transmission and to send only authorized and trusted content. - Carefully examine URLs and email addresses, and avoid clicking on suspicious links. - Take time to research and read online reviews before downloading any software or plug-in. - Attempt to search for the software in a search engine, instead of clicking on ads redirecting to software download. - Keylogger Countermeasures - Use pop-up blockers and avoid opening junk emails. - Install anti-spyware/antivirus programs and keep the signatures up to date. - Install professional firewall software and anti-keylogging software. - Recognize phishing emails and delete them. - Regularly update and patch system software. - Do not click on links in unsolicited or dubious emails that may direct you to malicious sites. - Use keystroke interference software that insert randomized characters into every keystroke. - Antivirus and anti-spyware software can detect any installed software, but it is better to detect these programs before installation. Scan the files thoroughly before installing them onto the computer and use a registry editor or process explorer to check for keystroke loggers. - Use the Windows on-screen keyboard accessibility utility to enter a password or any other confidential information. Use your mouse to enter any information such as passwords and credit card numbers into the fields, by using your mouse instead of typing the passwords with the keyboard. This will ensure that your information is confidential. - Use an automatic form-filling password manager or a virtual keyboard to enter usernames and passwords, as this will avoid exposure through keyloggers. This automatic form-filling password manager will remove the need to type your personal, financial, or confidential details such as credit card numbers and passwords via the keyboard. - Keep your hardware systems secure in a locked environment and frequently check the keyboard cables for attached connectors, USB port, and computer games such as the PS2 that may have been used to install keylogger software. - Use software that frequently scan and monitor changes in your system or network. - Install a host-based IDS, which can monitor your system and disable the installation of keyloggers. - Use one-time password (OTP) or other authentication mechanisms such as two-step or multi-step verification to authenticate users. - Enable application whitelisting to block downloading or installing of unwanted software such as keyloggers. - Use VPN to enable an additional layer of protection through encryption. - Use process-monitoring tools to detect suspicious processes and system activities. - Regularly patch and update software and the OS. - Fileless Malware Countermeasures - Remove all the administrative tools and restrict access through Windows Group Policy or Windows AppLocker - Disable PowerShell and WMI when not in use - Disable macros and use only digitally signed trusted macros - Install whitelisting solutions such as McAfee Application Control to block unauthorized applications and code running on your systems - Never enable macros in MS Office documents - Disable PDF readers to run JavaScript automatically - Disable Flash in the browser settings - Implement two-factor authentication to access critical systems or resources connected to the network - Implement multi-layer security to detect and defend against memory-resident malware - Use User Behavior Analytics (UBA) solutions to detect threats hidden within your data - Ensure the ability to detect system tools such as PowerShell and WMIC, and whitelisted application scripts against malicious attacks - Run periodic antivirus scans to detect infections and keep the antivirus program updated - Install browser protection tools and disable automatic plugin downloads - Schedule regular security checks for applications and regularly patch the applications - Regularly update the OS with the latest security patches - Examine all the running programs for any malicious or new signatures and heuristics - Enable endpoint security with active monitoring to protect networks when accessed remotely - Examine the indicators of compromise on the system and the network - Regularly check the security logs especially when excessive amounts of data leave the network - Restrict admin rights and provide the least privileges to the user level to prevent privilege escalation attacks - Use application control to prevent Internet browsers from spawning script interpreters such as PowerShell and WMIC. - Carefully examine the changes in the system's usual behavior patterns compared with the baselines - Use next-generation antivirus (NGAV) software that employs advanced technology such as ML (machine learning) and AI (artificial intelligence) to avoid new polymorphic malware - Use baseline and search for known tactics, techniques, and procedures (TTPs) used by many adversarial groups - Ensure that you use Managed Detection and Response (MDR) services that can perform threat hunting - Ensure that you use tools such as Blackberry Cylance and Microsoft Enhanced Mitigation Experience Toolkit to combat fileless attacks - Disable unused or unnecessary applications and service features - Uninstall applications that are not important - Block all the incoming network traffic or files with the.exe format - Vulnerabilities - Refers to the existence of weakness in an asset that can be exploited by threat agents - Common Reasons behind the Existence of Vulnerability - Hardware or software misconfiguration - Insecure or poor design of the network and application - Inherent technology weaknesses - Careless approach of end users - Vulnerability Classification - Misconfiguration - An application running with debug enabled - Unnecessary administrative ports that are open for an application - Running outdated software on the system - Running unnecessary services on a machine - Outbound connections to various Internet services - Using misconfigured SSL certificates or default certificates - Improperly authenticated external systems - Incorrect folder permissions - Default accounts or passwords - Set up or configuration pages enabled - Disabling security settings and features - Default Installations - Buffer Overflows - Unpatched Servers - Design Flaws - Operating System Flaws - Application Flaws - Open Services - Default Passwords - Zero-day/Legacy Platform vulnerabilities - Examples of Network Security Vulnerabilities - TCP/IP protocol vulnerabilities - HTTP, FTP, ICMP, SNMP, SMTP are inherently insecure - Operating System vulnerabilities - An OS can be vulnerable because: - It is inherently insecure - It is not patched with the latest updates - Network Device Vulnerabilities - Various network devices such as routers, firewall, and switches can be vulnerable due to: - Lack of password protection - Lack of authentication - Insecure routing protocols - Firewall vulnerabilities - User account vulnerabilities - Originating from the insecure transmission of user account details such as usernames and passwords, over the network - System account vulnerabilities - Originating from setting of weak passwords for system accounts - Internet service misconfiguration - Misconfiguring internet services can pose serious security risks. For example, enabling JavaScript and misconfiguring IIS, Apache, FTP, and Terminal services, can create security vulnerabilities in the network - Default password and settings - Leaving the network devices/products with their default passwords and settings - Network device misconfiguration - Misconfiguring the network device - Unwritten Policy - Unwritten security policies are difficult to implement and enforce - Lack of Continuity - Lack of continuity in implementing and enforcing the security policy - Politics - Politics may cause challenges for implementation of a consistent security policy - Lack of awareness - Lack of awareness of the security policy - Impact of Vulnerabilities - Information disclosure: A website or application may expose system-specific information. - Denial of service: Vulnerabilities may prevent users from accessing website services or other resources. - Privilege escalation: Attackers may gain elevated access to a protected system or resources. - Unauthorized access: Attackers may gain unauthorized access to a system, a network, data, or an application. - Identity theft: Attackers may be able to steal the personal or financial information of users to commit fraud with their identity. - Data exfiltration: Vulnerabilities may lead to the unauthorized retrieval and transmission of sensitive data. - Reputational damage: Vulnerabilities may cause reputational damage to a company's products and security. Reputational damage has a direct impact on customers, sales, and profit. - Financial loss: Reputational damage may lead to business loss. Further, vulnerability exploitation may lead to expenses for recovering damaged IT infrastructure. - Legal consequences: If customers' personal data are compromised, the organization may need to face legal consequences in the form of fines and regulatory sanctions. - Hold footprints: Vulnerabilities may allow attackers to stay undetected even after executing an attack. - Remote code execution: Vulnerabilities may allow the execution of arbitrary code from remote servers. - Malware installation: Vulnerabilities can make it easy to infect with and spread viruses in a network. - Data modification: Vulnerabilities may allow attackers to intercept and alter data in transit. - Vulnerability Research - The process of analyzing protocols, services, and configurations to discover vulnerabilities and design flaws that will expose an operating system and its applications to exploit, attack, or misuse - Vulnerabilities are classified based on severity level (low, medium, or high) and exploit range (local or remote) - An administrator needs vulnerability research: - To gather information about security trends, newly discovered threats, attack surfaces, attack vectors and techniques - To find weaknesses in the OS and applications and alert the network administrator before a network attack - To understand information that helps prevent security problems - To know how to recover from a network attack - Resources for Vulnerability Research - Microsoft Vulnerability Research (MSVR) ([https://www.microsoft

Use Quizgecko on...
Browser
Browser