ias2 (2) reviewer.pdf

Full Transcript

Hardware Security Fundamentals

Three Common Computer Components:

1. Hardware: Physical parts of a computer like a keyboard or mouse.

2. Software: Programs or applications that run on the computer.

3. Firmware: Special software embedded in hardware that controls its
operation.

Four Basic Computer Functions:

1. Input: Data entered into the computer (e.g., through a keyboard).

2. Processing: The computer processes the data and performs tasks.

3. Storage: Saving data for later use.

4. Output: The computer delivers processed data (e.g., displaying on
a screen).

Dangers of IOT Devices

1. Easily-Hacked Operating System: Many IoT devices run on
operating systems that are vulnerable to hacking due to weak
security measures.
2. Outdated and Insecure Hardware: IoT devices often use hardware
that lacks modern security features, making them susceptible to
attacks.

3. Insecure Default Settings: Devices frequently come with default
settings that are not secure, such as weak passwords or open ports,
which can be easily exploited.

Security Threats

1. Physical Access:

This threat involves unauthorized individuals physically accessing a
device. This can lead to direct tampering, theft of sensitive data, or
installation of malicious software. Ex: An attacker gaining access to a
server room and connecting a rogue device to the network.
2. USB:

USB devices can be used to introduce malware or steal data.
Attackers often use infected USB drives to exploit the auto-run feature
or trick users into opening malicious files. Ex: A seemingly harmless
USB drive left in a public place, which when plugged into a computer,
installs malware that steals sensitive information.
3. Bluetooth:

Bluetooth connections can be exploited to gain unauthorized access
to devices, intercept data, or spread malware. Vulnerabilities in
Bluetooth protocols can be targeted by attackers. Ex: An attacker
using a Bluetooth sniffer to intercept data being transmitted between
a smartphone and a wireless headset.

Man-in-the-middle:
This attack occurs when an attacker secretly intercepts and
possibly alters the communication between two Bluetooth
devices without their knowledge. Ex: An attacker intercepting
data being transferred between a Bluetooth-enabled
smartphone and a wireless headset, potentially altering the
information or injecting malicious data. - An attacker intercepts
 and potentially alters the communication between two Bluetooth
devices.

Bluebugging:
This involves gaining unauthorized access to a Bluetooth-
enabled device to control its functions and access its data.
Attackers can exploit vulnerabilities to eavesdrop on
conversations, send messages, or make calls. Ex: An attacker
remotely accessing a victim's phone via Bluetooth to listen to
their conversations or send unauthorized messages. -

Bluetooth, often used to eavesdrop or send messages.

Bluejacking:
This is the practice of sending unsolicited messages to
Bluetooth-enabled devices. While often considered more of a
prank, it can be used to spread spam or phishing messages. Ex:
An attacker sending an unsolicited message to nearby Bluetooth
devices, tricking users into clicking on a malicious link. - Sending
unsolicited messages to Bluetooth-enabled devices.
 Bluesnarfing:
This threat involves unauthorized access to information on a
Bluetooth-enabled device. Attackers can steal data such as
contacts, messages, and other sensitive information. Ex: An
attacker using specialized software to connect to a victim's
phone via Bluetooth and download their contact list and text
messages without their knowledge. - Unauthorized access and
theft of information from a Bluetooth-enabled device.

Avoid these attacks thru:
1. Turn it off: Disable Bluetooth when not in use to prevent
unauthorized access.
2.
2. Pair carefully: Only pair with trusted devices to avoid
connecting to malicious ones.

3. Strong PIN: Use a strong PIN for Bluetooth connections to
enhance security.

4. Updates: Regularly update your device's software to patch
security vulnerabilities.

5. Least functionality: Enable only necessary Bluetooth features
to minimize potential attack vectors.
4. RFID:

RFID (Radio-Frequency Identification) technology is used for wireless
data transfer. Attackers can use RFID skimmers to read and clone RFID
tags, leading to unauthorized access or data theft. Ex: An attacker
using an RFID reader to clone an access card, allowing them to enter
a secure facility without authorization.

1. Data theft:

This threat involves unauthorized individuals intercepting and stealing
data transmitted between RFID tags and readers. Attackers can use
specialized equipment to capture the radio signals and extract
sensitive information. Ex: An attacker using an RFID skimmer to read
credit card information from RFID-enabled cards without the owner's
knowledge. - Unauthorized individuals can intercept and steal data
transmitted between RFID tags and readers.
2. Unauthorized tracking:

Attackers can track the location and movement of RFID-tagged items
or individuals without permission. This can lead to privacy violations
and unauthorized surveillance. Ex: An attacker tracking the
movements of a person by reading the RFID tags in their belongings,
such as an RFID-enabled passport or access card. - Attackers can
track the location and movement of RFID-tagged items or individuals
without permission.

3. Unauthorized access:

Hackers can gain access to secure areas or systems by cloning RFID
tags. This allows them to bypass security measures and gain entry to
restricted zones or access sensitive information. Ex: An attacker
cloning an employee's RFID access card to enter a secure facility and
steal confidential data or equipment. - Hackers can gain access to
secure areas or systems by cloning RFID tags.

---------------------------------------------------------------
 Software Security Fundamentals

WHY IS IT IMPORTANT TO UPDATE YOUR DEVICE?

Updating your device ensures it has the latest security patches, fixes
bugs, and improves performance.

Security Enhancements:
- Protection Against Vulnerabilities: Updates often include
patches for security vulnerabilities that have been
discovered since the last update. These vulnerabilities can
be exploited by hackers to gain unauthorized access to your
device and data.
- Defense Against Malware: New types of malware and
viruses are constantly being developed. Updates help
protect your device by including the latest security
measures to combat these threats.

Bug Fixes:
- Improved Stability: Updates fix bugs that can cause your
device to crash or behave unpredictably. This leads to a
more stable and reliable user experience.
 - Enhanced Performance: Bug fixes can also improve the
overall performance of your device, making it run smoother
and faster.

New Features and Improvements:
- Access to New Features: Updates often bring new features
and functionalities that enhance the usability and
capabilities of your device.
- User Experience Enhancements: Updates can include
improvements to the user interface and user experience,
making your device easier and more enjoyable to use.

Compatibility:
- Support for New Applications: Updates ensure that your
device remains compatible with the latest applications and
software. This is particularly important as developers often
optimize their apps for the latest operating systems.
- Hardware Compatibility: Updates can also include drivers
and other software that ensure your device works well with
new hardware peripherals.
 Compliance and Standards:
- Regulatory Compliance: Updates can help ensure that your
device complies with the latest regulatory standards and
industry best practices.
- Interoperability: Keeping your device updated ensures it can
effectively communicate and work with other devices and
systems that are also up-to-date.

Mobile Applications: Trusted Sources:

- Apple Store: The official app store for iOS devices, known for its
strict security standards and quality control.

- Play Store: The official app store for Android devices, offering a
wide range of apps that are regularly checked for security and
quality.
SQL Injection

An SQL Injection attack, where a hacker sends malicious SQL queries
through website input fields to manipulate the database, potentially
gaining unauthorized access to data or administrative functions. This
highlights the importance of securing web applications against such
vulnerabilities.
1. Broken Authentication: This occurs when authentication
mechanisms are flawed, allowing attackers to compromise
passwords, keys, or session tokens to assume other users'
identities. Attackers can gain unauthorized access to personal
accounts and sensitive information.

2. Broken Access Control: This happens when restrictions on what
authenticated users are allowed to do are not properly enforced,
leading to unauthorized actions. Unauthorized users can access,
modify, or delete data they shouldn't have access to.
3. Insecure Deserialization: This vulnerability arises when untrusted
data is used to abuse the logic of an application, leading to
remote code execution or other attacks. Attackers can execute
arbitrary code, potentially taking control of the system.

4. Sensitive Data Exposure: This occurs when applications do not
adequately protect sensitive information such as financial data,
health records, or personal identifiers. Sensitive data can be
accessed by unauthorized parties, leading to privacy breaches
and identity theft.

5. Security Misconfiguration: This happens when security settings
are not defined, implemented, or maintained correctly, leaving
systems vulnerable to attacks. Systems can be easily exploited
due to weak security settings.

6. Using Known Insecure Components: This involves using software
components with known vulnerabilities, which can be exploited
by attackers. Attackers can exploit these vulnerabilities to
compromise the system.

7. XML External Entities (XXE): This vulnerability occurs when XML
input containing a reference to an external entity is processed by
a weakly configured XML parser, leading to data exposure or
 remote code execution. Attackers can access sensitive data or
execute malicious code.

8. Cross-Site Scripting (XSS): This happens when an application
includes untrusted data in a web page without proper validation
or escaping, allowing attackers to execute scripts in the user's
browser. Attackers can steal session tokens, deface websites, or
redirect users to malicious sites.

9. Insufficient Logging & Monitoring: This occurs when security
events are not logged or monitored adequately, making it
difficult to detect and respond to breaches. Security incidents
can go unnoticed, allowing attackers to cause more damage.

---------------------------------------------------------------

Malware Fundamentals

1. Cryptomining

Malware that secretly uses a computer's resources to mine
cryptocurrency. Cryptomining malware, also known as cryptojacking,
operates by hijacking a victim's computer or network to mine digital
currencies like Bitcoin without their consent. This can severely
degrade system performance and increase electricity costs, often
without the user even knowing it's happening.

Crypto mining malware accounts for ~20% of all malware attacks
worldwide.

2. Mobile Malware

Malware targeting smartphones and tablets. Mobile malware infects
mobile devices through apps, links, or malicious files. It can steal
sensitive data, track user activities, or even control the device
remotely. This type of malware is particularly dangerous due to the
widespread use of mobile devices for personal and business
communications.

Dropper: A type of mobile malware that "drops" or installs
additional malicious software onto a device, usually hiding its
true purpose during installation.
Adware: Malware that forces unwanted ads to appear on a
mobile device, often generating revenue for the attacker or
causing a poor user experience by displaying excessive pop-ups
or redirecting the user to malicious sites.
3. Botnet

A network of infected devices controlled remotely. Botnets consist of
large groups of computers, called "zombies," that have been infected
with malware, allowing an attacker to control them remotely. These
networks can be used to launch large-scale attacks like Distributed
Denial of Service (DDoS), sending spam, or spreading other malware,
all without the device owner's knowledge.

In the first half of 2022, almost a quarter of organizations
worldwide were infected by botnet malware.

4. Spyware

Malware that secretly tracks user activity. Spyware is designed to
covertly gather information from a user's computer or mobile device,
such as passwords, browsing habits, or financial data. It runs silently
in the background and sends the collected data to third parties, often
leading to privacy breaches or identity theft.

Symptoms of Sypware

Random Reboots
The device restarts unexpectedly without the user's action.
Spyware can cause a device to randomly reboot as it interferes
 with normal system processes, often due to the execution of
background activities that strain the system or conflict with
legitimate software.

Slow Performance
The device runs much slower than usual. Spyware consumes
system resources like memory and CPU power, leading to
noticeable slowdowns in overall performance, making apps and
processes take longer to load and operate.

Strange Text Messages
The device sends or receives unusual or suspicious messages.
Spyware may use the device to send texts or links to contacts,
spreading the malware or giving the attacker control, often
resulting in unsolicited messages with unknown content
appearing in your inbox.

Overheating
The device becomes unusually hot. Spyware running constantly
in the background causes the processor to overwork, generating
excessive heat, which can make the phone overheat even during
light usage or when idle.
 Unusually High Data Usage
The device uses more data than usual. Spyware often
communicates with external servers, sending stolen data or
receiving commands, which leads to higher-than-normal data
consumption, even when the device is not actively in use.

Unfamiliar Apps on Your Device
Unknown apps appear on the device without your knowledge.
Spyware can install additional apps without permission, often to
perform malicious activities, and these unfamiliar apps are a
common sign of infection, as they operate without user initiation.

5. Trojan

Malware disguised as legitimate software. Trojans appear as
harmless or useful software but, once installed, they execute
malicious activities. These activities may include opening a backdoor
for remote access, stealing sensitive information, or installing
additional harmful software. Unlike viruses, Trojans do not replicate
themselves but rely on deception to get installed by the user.
Common Types of Spyware

1. Keylogger

Records everything you type on a keyboard. Keyloggers capture and
log keystrokes, allowing attackers to steal sensitive data like
passwords, credit card numbers, and private communications
without the user knowing.

2. Adware

Displays unwanted ads on your device. Adware is designed to
bombard users with intrusive ads, often redirecting them to malicious
websites or slowing down the device, sometimes collecting personal
data in the process.

3. Browser Hijackers

Redirects your browser to unwanted websites. Browser hijackers
change browser settings, redirecting users to specific websites, often
to increase ad revenue for the attacker or to deliver additional
malware.

4. Trojan Horse

Disguises itself as legitimate software to harm your device. Trojan
horses trick users into installing what seems to be harmless software,
but once installed, they perform malicious activities like stealing data,
creating backdoors, or spreading more malware.

5. Rootkit

Hides malware deep within your system. Rootkits allow attackers to
gain administrative access to a system while remaining hidden,
making it difficult to detect and remove malware or other
unauthorized access.

6. Cookie Trackers

Tracks your online activity using cookies. Cookie trackers collect
information about your browsing habits and personal preferences,
often used for targeted advertising or even selling your data to third
parties without your consent.

7. Password Theft

Steals your stored passwords. Password theft involves malware
designed to extract saved passwords from browsers or password
managers, giving attackers direct access to online accounts,
including email, banking, and social media.
8. Stalkerware

Tracks someone's activities without their consent. Stalkerware is
designed to monitor a person's private activities, including location,
messages, and apps usage, often used by someone close to the
victim, such as a partner or employer, for surveillance purposes.

9. Web Beacons

Invisible trackers embedded in websites or emails. Web beacons, or
pixel tags, are small invisible images or snippets of code used to track
user behavior on websites or in emails, such as when an email is
opened, often used by marketers or attackers to collect detailed
information without the user knowing.

Rootkit vs RAT (Remote Access Trojan)

What separates a rootkit from a regular Trojan is a rootkit occupies
Ring 0 (aka root or kernel level), the highest run privilege available,
which is where the OS itself runs. A rootkit type, known as a "bootkit",
can even start running before the OS does. Rootkits operate at a
deeper system level, aiming to conceal malicious activities and other
malware, making them much harder to detect and remove.
A RAT serves as "backdoor" into the system, allowing an attacker

to:

Install/launch software
Send keystrokes
Download/delete files
Activate microphone/camera
Watch the screen
Log computer activity

RAT focuses on providing remote control of a system to the attacker
at a user-level, allowing visible manipulations.

2 types of Keylogger

Hardware Keylogger
A physical device connected to a computer to record keystrokes.

Software Keylogger
A program installed on a computer to track and log every
keystroke typed.
Tips to prevent keylogging:

Keep checking for unwanted software and delete it
Don't download files from unwanted sources
When using banking sites, use a virtual keyboard
Use password managers
Use a powerful and next-gen anti-virus security suite

Antivirus and Malware Scanners

Antivirus is a software designed to detect, prevent, and remove
malicious programs (malware) from a computer.

- Computer-File Focused: Antivirus scans files because malware is
often embedded within files that run on the system, such as
programs or documents.

- Signature-Based: Antivirus relies on known malware signatures
(unique patterns) to identify and block malicious files, comparing the
code of scanned files to a database of known threats.

NGAV went one step further by monitoring a computer's memory and
using predictive analytics.
Endpoint Protection Platform (EPP)

EPPs are designed to detect and block malicious activities on
endpoints (like computers and mobile devices). They use techniques
such as:

- Sandboxing: Isolating suspicious files or programs in a controlled
environment to observe their behavior without risking the main
system.

- Filtering: Heavily filtering IP addresses, URLs, and applications to
prevent access to known malicious sources.

Example: Microsoft Defender Advanced Threat Protection

- Function: This is an example of an EPP that provides advanced
threat protection by detecting and responding to threats in real-time.

EPPs are fundamental in cybersecurity because they provide a first
line of defense against malware, ensuring that harmful activities are
detected and blocked before they can cause damage.
Endpoint Detection and Response (EDR)

EDR solutions aim to provide real-time visibility into endpoint activities
by continuously recording data and responding to threats.

- Components:

- Real-Time Visibility: EDR tools monitor and log activities on
endpoints (like computers and mobile devices) to detect suspicious
behavior.

- Threat Response: They can automatically respond to detected
threats, such as isolating infected devices or blocking malicious
activities.

Visual Representation

- Network Diagram: The image shows a network with three platforms:

- Left Platform: Represents an individual monitoring endpoints.

- Central Platform: Symbolizes data storage or processing.

- Right Platform: Indicates security measures with a lock and shield
icon.

EDR is crucial in cybersecurity as it helps organizations quickly detect
and respond to potential threats, minimizing the impact of
cyberattacks.
Security Incident Containment

Prevents the spread of security breaches. Security Incident
Containment refers to the capability of an EDR system to limit
the extent of a breach and prevent it from spreading to other
parts of the network, effectively isolating the threat to minimize
damage.
Threat Detection

Identifies potential security threats. Threat Detection is the
process through which an EDR system continuously monitors for
suspicious activities or anomalies that may indicate a security
threat, allowing for early identification and mitigation of
potential attacks.

Incident Response

Addresses and resolves security incident. Incident Response
involves the set of actions taken by an EDR solution to address a
detected security incident, which can include eradicating the
threat, recovering affected systems, and restoring normal
operations to ensure minimal disruption.

Incident Investigation

Analyzes the cause and impact of security incidents. Incident
Investigation is the capability that allows an EDR system to
perform in-depth analysis and forensics on security incidents to
understand their cause, scope, impact, and the methods used
by attackers, helping to improve future defenses.
Extended detection and Response (XDR)

XDR provides centralized visibility into advanced threats. XDR
integrates multiple security tools and data sources, including
EDR (Endpoint Detection and Response), SIEM (Security
Information and Event Management), and SOAR (Security
Orchestration, Automation, and Response), to offer a
comprehensive view of security threats across an organization,
enabling more effective detection and response.

If you are too small, you can outsource your whole system to a
Managed Detection & Response (MDR) vendor.
Beware! Outsourcing has its fair share of caveats.

Endpoint Detection and Response (EDR)

EDR monitors and responds to threats on endpoints. EDR
solutions focus on detecting, investigating, and responding to
suspicious activities on endpoints like computers and mobile
devices, providing real-time visibility and automated responses
to mitigate threats.

Security Information and Event Management (SIEM)

SIEM collects and analyzes security data. SIEM systems
aggregate and analyze log data from various sources within an
organization to identify patterns and anomalies that may
indicate security incidents, providing insights and alerts for
further investigation.

Security Orchestration, Automation, and Response (SOAR)

SOAR automates security operations. SOAR platforms
streamline and automate security operations, including threat
detection, incident response, and remediation processes, by
integrating various security tools and workflows, thereby
improving efficiency and reducing response times.
Application Control

Restricts computers to run only pre-approved programs.
Application Control is a security measure that transforms
computers into appliances that can only execute software that
has been explicitly approved by the organization. This prevents
unauthorized or potentially harmful applications from running,
thereby reducing the risk of malware infections and ensuring
compliance with security policies.