Module 9: Threats, Vulnerabilities, and Attacks
Lesson 1: Understanding Cyber Attacks
A cyber attack is the attempt to disrupt, destroy, or gain unauthorized access to an information system component
A threat is unwanted damage that could happen to a system asset or personnel
A threat actor is an individual or object that can carry out a threat
A vulnerability is a flaw that can cause damage to a system asset or personnel
A hacker is someone who uses a computing device to carry out a cyber attack
Script kiddies are hackers with little skill who require pre-configured tools to attack
Insiders are organization personnel who have internal access to the information system
State actors are attackers acting on behalf of a government
Cyber crimes occur when an attacker uses a computer and breaks a law
An exploit takes advantage of a vulnerability (flaw)
Modus operandi is the understanding of the reason and method of a crime
Types of Attacks:
o Active attacks attempt to cause damage or gain unauthorized access to the system
o Passive attacks attempt to gather information about the system without affecting operations
o Zero-day attacks target a vulnerability that has no patch or protection
A data breach occurs when sensitive and protected data is exposed to unauthorized parties
Types of Cyber Attacks:
o Business attacks are the stealing or destroying of critical business information
o Financial attacks are the stealing or destroying of money and/or financial account information
o Terrorist attacks focus on scaring people into changing their normal way of life using fear tactics
© Copyright 2018 Cyberactive Security, LLC. All Rights Reserved. CISSP is a registered trademark of (ISC)2, Inc.
o Grudge attacks focus on exacting revenge against a person or organization
o Thrill attacks are done by poorly skilled attackers to test their abilities, or just for the fun of it
o Military and intelligence attacks focus on stealing or destroying classified information
Lesson 2: Threat Modeling Concepts
Threat modeling is a form of risk assessment that models aspects of the attack and defense
o The focus of threat modeling is to understand: What are we building? What can go wrong? What are we going to do about that? Did we do a good enough job?
o The attack side of the model looks at vulnerabilities, exploits and attacks, attack vectors, and threats
o The defense side of the model looks at risks, security controls, and security objectives
NIST Data-Centric System Threat Modeling
STRIDE Threat Model
OWASP Application Threat Modeling
The NIST threat model steps are:
1. Identify and characterize the system and data of interest
2. Identify and select the attack vectors to be included in the model
3. Characterize the security controls for mitigating the attack vectors
4. Analyze the threat model
The Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege (STRIDE) threat model was created by Microsoft
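The STRIDE categories are applied per element of a data-flow model. The following is an added example, not part of the course notes: it enumerates the STRIDE threats to analyze for each element using Microsoft's STRIDE-per-element mapping (external entities get S and R, processes get all six, data stores get T, I, D plus R when they hold audit logs, data flows get T, I, D). The element names and the sample model are constructed.

```python
# Added example, not from the course notes: enumerate STRIDE threats for each element
# of a small data-flow model using the STRIDE-per-element mapping from Microsoft's
# SDL threat modeling practice. Element names and the sample model are constructed.
from dataclasses import dataclass

# STRIDE-per-element: which categories are considered for each element kind.
# Repudiation is added to a data store only when it holds audit logs.
STRIDE_PER_ELEMENT = {
    "external_entity": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "data_store": {"T", "I", "D"},
    "data_flow": {"T", "I", "D"},
}

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass
class Element:
    name: str
    kind: str                             # a key of STRIDE_PER_ELEMENT
    crosses_trust_boundary: bool = False  # meaningful for data flows
    holds_audit_log: bool = False         # meaningful for data stores


def enumerate_threats(elements):
    """Map each element name to the sorted list of STRIDE threats to analyze for it."""
    result = {}
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {el.kind!r}")
        codes = set(STRIDE_PER_ELEMENT[el.kind])
        if el.kind == "data_store" and el.holds_audit_log:
            codes.add("R")  # tampering with or losing logs enables repudiation
        result[el.name] = sorted(STRIDE_NAMES[c] for c in codes)
    return result


def boundary_crossing_flows(elements):
    """Flows that cross a trust boundary: analyze and mitigate these first."""
    return [el.name for el in elements
            if el.kind == "data_flow" and el.crosses_trust_boundary]


# Constructed sample model: a browser, a web application, its database and audit log.
SAMPLE_MODEL = [
    Element("Browser", "external_entity"),
    Element("Web App", "process"),
    Element("Orders DB", "data_store"),
    Element("Audit Log", "data_store", holds_audit_log=True),
    Element("Browser -> Web App (HTTPS)", "data_flow", crosses_trust_boundary=True),
    Element("Web App -> Orders DB (SQL)", "data_flow"),
]

if __name__ == "__main__":
    for name, threats in enumerate_threats(SAMPLE_MODEL).items():
        print(f"{name}: {', '.join(threats)}")
    print("Review first:", boundary_crossing_flows(SAMPLE_MODEL))
```

The output answers the "What can go wrong?" question of the model for each element; the "What are we going to do about that?" step then attaches a security control to every listed threat, starting with flows that cross a trust boundary.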
The OWASP Threat Model steps are:
1. Analyze trust boundaries to and within the solution that we build
2. Analyze the actors that interact within and outside of the trust boundaries
3. Analyze information flows within and to and from the trust boundaries
4. Analyze information persistence within and out of trust boundaries
Lesson 3: System Patch Management
A patch is a software fix
A security patch is focused on security vulnerabilities, features and capabilities
Patches add new features to software, applications, and firmware which can change the security posture
Patch management must follow a consistent security policy
o The process for identifying, acquiring, installing, and verifying patches for products and systems
Methods of Patching:
o Decentralized patch management (or unmanaged hosts) is where each host manages its own patch updates
o Centralized patch management involves having a single focal point to provide patches
Agent-based patching is where an agent on each host talks to the patch server
Agentless scanning is where the patch server scans systems to identify patching needs
Passive network monitoring is where local network traffic is scanned to identify patching needs
A patch management policy is required to ensure system patching is performed in a consistent manner
The patch management policy must outline the process and the steps necessary to patch the system
The process is identify, acquire, evaluate, authorize, install, verify:
o Identify is researching patches with trusted organizations and software vendors
o Acquiring is downloading the patch from the trusted organization and/or software vendor
o Evaluate is testing the patch to evaluate the effects against the target system
o Authorize is where the system stakeholders must authorize patch installation
o Installing is where the patches are installed to the production or operational hosts that require patching
o Verify is testing the patch to verify it has not affected production or operations
Reconfiguration, removal, or installing a compensating feature can be an alternative to patching
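The six-step process above can be enforced rather than just documented. The following is an added example, not from the course notes: a small patch record that refuses to skip a step (install cannot happen before stakeholder authorization), accepts a download in the acquire step only when its SHA-256 matches the hash the vendor published, and sends a failed verification back to the rollback or compensating-control decision. The vendor hash, stakeholder names and host names are constructed assumptions.

```python
# Added example, not from the course notes: a patch record that enforces the
# identify -> acquire -> evaluate -> authorize -> install -> verify order and
# checks the download against the vendor-published hash. Vendor hash,
# stakeholder names and host names are constructed.
import hashlib
from enum import Enum


class Stage(Enum):
    IDENTIFIED = 1
    ACQUIRED = 2
    EVALUATED = 3
    AUTHORIZED = 4
    INSTALLED = 5
    VERIFIED = 6


class PatchRecord:
    def __init__(self, patch_id, vendor_sha256, required_approvals=2):
        self.patch_id = patch_id
        self.vendor_sha256 = vendor_sha256         # from the trusted vendor advisory
        self.required_approvals = required_approvals
        self.stage = Stage.IDENTIFIED              # "identify" is done when the record exists
        self.approvals = set()
        self.installed_on = []
        self.payload = None

    def _require(self, stage):
        if self.stage != stage:
            raise RuntimeError(f"{self.patch_id}: expected {stage.name}, at {self.stage.name}")

    def acquire(self, payload):
        """Accept the download only if it matches the hash published by the vendor."""
        self._require(Stage.IDENTIFIED)
        if hashlib.sha256(payload).hexdigest() != self.vendor_sha256:
            raise ValueError(f"{self.patch_id}: checksum mismatch, discarding download")
        self.payload = payload
        self.stage = Stage.ACQUIRED

    def evaluate(self, test_environment_passed):
        """Evaluate: the patch ran against a copy of the target system first."""
        self._require(Stage.ACQUIRED)
        if not test_environment_passed:
            raise RuntimeError(f"{self.patch_id}: failed evaluation in test environment")
        self.stage = Stage.EVALUATED

    def authorize(self, stakeholder):
        """Advance only when enough distinct stakeholders have approved."""
        self._require(Stage.EVALUATED)
        self.approvals.add(stakeholder)
        if len(self.approvals) >= self.required_approvals:
            self.stage = Stage.AUTHORIZED
        return self.stage

    def install(self, hosts):
        self._require(Stage.AUTHORIZED)
        self.installed_on = list(hosts)
        self.stage = Stage.INSTALLED

    def verify(self, production_health_ok):
        """Verify production still works; otherwise roll back or compensate."""
        self._require(Stage.INSTALLED)
        if not production_health_ok:
            raise RuntimeError(f"{self.patch_id}: verification failed, roll back or compensate")
        self.stage = Stage.VERIFIED
        return self.stage


# Constructed patch bytes; the "vendor hash" is derived from them to stand in for
# the value an advisory would publish.
EXAMPLE_PAYLOAD = b"constructed patch bytes for KB-EXAMPLE"
EXAMPLE_SHA256 = hashlib.sha256(EXAMPLE_PAYLOAD).hexdigest()


def run_lifecycle(payload=EXAMPLE_PAYLOAD, vendor_sha256=EXAMPLE_SHA256):
    """Walk one patch through all six steps and return its final stage."""
    rec = PatchRecord("KB-EXAMPLE", vendor_sha256)
    rec.acquire(payload)
    rec.evaluate(test_environment_passed=True)
    rec.authorize("change-manager")
    rec.authorize("system-owner")
    rec.install(["web-01", "web-02"])
    return rec.verify(production_health_ok=True)


if __name__ == "__main__":
    print(run_lifecycle())  # Stage.VERIFIED
```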
Lesson 4: Protecting Against Malicious Software
Every computing device is vulnerable to malicious software
Malware is software that is purposely designed to harm a computing component
Malcode is any part of software or scripting code designed to cause harm to a computing component
A compression virus finds and attaches itself to an executable file, then compresses the file to avoid possible detection
A multipart virus uses multiple infection methods to infect different parts of the system
A stealth virus disguises itself by modifying system and boot records to avoid detection by anti-malware
Malware is typically a passive method of attacking a target system
A virus is a small malicious application (or code) hidden inside another program
o A macro virus uses a “macro” programming language to execute malicious code
o Boot sector viruses infect the boot sector of a storage device, such as a hard disk drive
o A polymorphic virus morphs as it spreads throughout the system
A worm is a malicious self-replicating, self-contained application that executes malicious code
A logic bomb is a time-released form of malicious code
A Trojan Horse is malicious software that is disguised as a trusted application
A rootkit is a collection of known vulnerabilities and exploits for a target system
Spyware is a small application that monitors and collects, stores, and sends data to an attacker
Adware targets users with advertisements of recently searched products
A bot is an automated program that executes programmed instructions
o Multiple bots together create a bot network (botnet)
Anti-Malware is a software agent or application that is designed to detect and remove malware
Signature-based anti-malware uses a signature database
Heuristic-based anti-malware uses multiple points of analysis
o Static Heuristic Analysis is the review of the potential malicious code without execution
o Dynamic Heuristic Analysis allows potential malicious code to run in a controlled VM or sandbox
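Signature matching and static heuristic analysis complement each other: a signature catches only what it already knows, while a heuristic such as byte entropy flags a compressed or encrypted body even when no signature matches. The following is an added example, not from the course notes: a toy scanner with a constructed signature database (file hashes and byte patterns) and two static heuristics. Detection names, signatures and sample files are all constructed placeholders.

```python
# Added example, not from the course notes: a toy scanner that combines a signature
# database with static heuristics. All signatures and sample files are constructed;
# the detection names are placeholders, not real malware families.
import hashlib
import math

SAMPLE_MALWARE = b"MZ" + b"constructed sample executable bytes" * 8 + b"EVIL-MARKER-1337"

# Signature database: full-file SHA-256 hashes and byte patterns.
SIGNATURES_SHA256 = {hashlib.sha256(SAMPLE_MALWARE).hexdigest(): "Test.Sample.A"}
SIGNATURE_PATTERNS = {b"EVIL-MARKER-1337": "Test.Marker.B"}


def shannon_entropy(data):
    """Bits per byte; close to 8.0 means compressed, packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def signature_scan(data):
    """Return detection names from exact hash and byte-pattern matches."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES_SHA256:
        hits.append(SIGNATURES_SHA256[digest])
    for pattern, name in SIGNATURE_PATTERNS.items():
        if pattern in data:
            hits.append(name)
    return hits


def static_heuristics(data, entropy_threshold=7.0):
    """Flags from reviewing the bytes without executing them (static analysis)."""
    flags = []
    if shannon_entropy(data) > entropy_threshold:
        flags.append("high-entropy body (packed, compressed or encrypted)")
    # An executable header buried inside a non-executable file is suspicious.
    if not data.startswith(b"MZ") and data.find(b"MZ", 1) != -1:
        flags.append("embedded executable header")
    return flags


def scan(data):
    sigs = signature_scan(data)
    flags = static_heuristics(data)
    verdict = "malicious" if sigs else ("suspicious" if flags else "clean")
    return {"verdict": verdict, "signatures": sigs, "heuristics": flags}


# Constructed inputs: a clean document, the known sample, a variant that only keeps
# the marker, and a stand-in for a compressed/packed payload built from
# deterministic pseudo-random bytes (hash chaining) that no signature matches.
CLEAN_DOC = b"Quarterly report: revenue grew modestly; headcount unchanged.\n" * 20
VARIANT = b"MZ" + b"different code bytes" * 8 + b"EVIL-MARKER-1337"
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_DOC), ("known", SAMPLE_MALWARE),
                        ("variant", VARIANT), ("packed", PACKED)]:
        print(label, scan(blob))
```

The packed sample shows the gap the lesson describes: its hash and bytes match nothing in the database, so only the heuristic reports it, and a real product would hand such a file to dynamic analysis in a sandbox.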
Lesson 5: Common Attacks Against Personnel
Personnel are the most vulnerable of targets within an organization
Personnel are prone to mistakes, intimidation, and manipulation
Social engineering is the manipulation of personnel to gain unauthorized access
o The goal of social engineering is to trick or fool someone into providing information
Types of Social engineering:
o Phishing attacks use digital communication messages to collect private or sensitive information
o Spear phishing is a phishing attack against a specific person or group
o Whaling is a phishing attack carried out against senior executives
o Vishing is the use of a telephone based system to carry out a phishing attack
o Pretexting attacks use fake but believable stories to trick someone into providing unauthorized information
o Watering hole attacks focus on infecting trusted websites
o Quid pro quo attacks create a situation where a victim feels required to help the attacker
o Shoulder surfing attacks are looking over a victim's shoulder to get unauthorized information
o Dumpster diving is gathering information by searching through waste bins
o Tailgating is following an authorized person into the area
Security awareness training, security policies and procedures, and strong access controls are the best way to prevent attacks against personnel
Lesson 6: Common Attacks Against Networks
The main goals of attacking a network are to gain unauthorized access or disrupt service
The main cause for network threats and vulnerabilities is misconfiguration
Other causes are firmware patching, network architecture design, and human authorization
Network scanning is used to discover vulnerabilities on the network
Eavesdropping Attacks:
o A ping sweep is used to discover live hosts on the network by pinging a series of IP addresses
o A port scan sends TCP/IP connection requests to find open and/or active TCP/IP ports
o Network sniffing is the interception, capture, and analysis of targeted network traffic
o War driving is an attempt to connect to any wireless network that will permit access
A DoS attack is focused on denying availability of information system resources
A DDoS attack uses multiple attacking hosts to increase the volume of DoS traffic
o Ping of Death is a DoS attack using oversized ICMP packets
o A smurf attack is a DDoS attack that uses spoofed ICMP packets
o A fraggle attack is exactly like a Smurf attack, but uses port 7/udp and port 19/udp
o A SYN flood attack uses the TCP/IP handshake to cause a DoS by creating multiple half-open connections
o A teardrop attack uses malformed fragmented IP packets that cause a system to become unstable once they are reassembled
A spoofing attack is when a person or a program masquerades as another person or program by falsifying information
o ARP poisoning attacks alter a victim’s ARP table with incorrect information
o DNS poisoning attacks alter a victim’s DNS table with incorrect information
o DNS hijacking forces a victim to use an attacker's DNS server instead of a legitimate one
o A Land attack is accomplished by sending spoofed TCP SYN packets with the victim's own IP address
o A replay (or playback) attack reuses legitimate communications in an attempt to gain unauthorized access
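Several of the DoS and spoofing attacks above have simple packet-level signatures that a network monitor can check. The following is an added example, not from the course notes: detection logic for a Land attack (SYN whose source equals its destination), Ping of Death (ICMP datagram longer than the IP maximum once reassembled), smurf (echo request to the broadcast address with a spoofed source) and a SYN flood (half-open connections above a threshold), run over a constructed packet summary log. The addresses, ports and thresholds are constructed assumptions.

```python
# Added example, not from the course notes: detection logic for several of the DoS
# and spoofing attacks in the lesson, run over a constructed packet summary log.
# Addresses (RFC 5737 documentation ranges), ports and thresholds are constructed.
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed monitored subnet

# Each record summarizes one packet or reassembled datagram:
# t (seconds), src, dst, proto, sport/dport and flags (TCP), icmp_type, len (bytes after reassembly)
PACKETS = [
    # Land attack: spoofed SYN with the victim's own address as source
    {"t": 0.0, "src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp",
     "sport": 80, "dport": 80, "flags": "S", "len": 40},
    # Ping of Death: ICMP datagram larger than the IP maximum once reassembled
    {"t": 0.1, "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "icmp",
     "icmp_type": 8, "len": 65600},
    # Smurf: echo request to the broadcast address with a spoofed (victim) source
    {"t": 0.2, "src": "192.0.2.10", "dst": "192.0.2.255", "proto": "icmp",
     "icmp_type": 8, "len": 84},
    # Normal handshake: SYN then ACK from the same client
    {"t": 0.3, "src": "198.51.100.20", "dst": "192.0.2.10", "proto": "tcp",
     "sport": 50000, "dport": 443, "flags": "S", "len": 60},
    {"t": 0.4, "src": "198.51.100.20", "dst": "192.0.2.10", "proto": "tcp",
     "sport": 50000, "dport": 443, "flags": "A", "len": 52},
]
# SYN flood: many SYNs to one port from many sources, none completed with an ACK
PACKETS += [
    {"t": 1.0 + i * 0.001, "src": f"203.0.113.{i % 250 + 1}", "dst": "192.0.2.10",
     "proto": "tcp", "sport": 40000 + i, "dport": 443, "flags": "S", "len": 60}
    for i in range(60)
]


def detect(packets, half_open_threshold=50, max_ip_len=65535):
    """Return a list of (attack name, detail) findings."""
    findings = []
    pending = defaultdict(set)   # dst -> set of (src, sport, dport) with no ACK yet
    for p in packets:
        if p["proto"] == "tcp":
            if p["flags"] == "S" and p["src"] == p["dst"]:
                findings.append(("land", f"SYN from {p['src']} to itself"))
            key = (p["src"], p["sport"], p["dport"])
            if p["flags"] == "S":
                pending[p["dst"]].add(key)        # half-open until the client's ACK
            elif "A" in p["flags"]:
                pending[p["dst"]].discard(key)    # handshake completed
        elif p["proto"] == "icmp":
            if p["len"] > max_ip_len:
                findings.append(("ping_of_death", f"{p['len']}-byte ICMP from {p['src']}"))
            dst = ipaddress.ip_address(p["dst"])
            if p.get("icmp_type") == 8 and dst == LOCAL_NET.broadcast_address:
                findings.append(("smurf", f"echo request to broadcast spoofing {p['src']}"))
    for dst, half_open in pending.items():
        if len(half_open) >= half_open_threshold:
            findings.append(("syn_flood", f"{len(half_open)} half-open connections to {dst}"))
    return findings


def attack_names(packets):
    """Distinct attack types seen in the log, sorted."""
    return sorted({name for name, _ in detect(packets)})


if __name__ == "__main__":
    for name, detail in detect(PACKETS):
        print(f"{name}: {detail}")
```

The half-open count is the same quantity a SYN flood exhausts on the victim, so thresholding it at the monitor mirrors the mitigation (SYN cookies, backlog limits) applied on the host; the ingress filter that drops packets whose source address belongs to the inside network stops the Land and smurf cases before they reach it.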
Bluejacking attacks focus on Bluetooth enabled devices to send unsolicited messages in an attempt to collect data
Bluesnarfing attacks focus on gaining unauthorized access to mobile device information via a Bluetooth connection
Lesson 7: Common Attacks Against Software
Software is designed for functionality, user experience, and performance…not security
Security is often times a secondary thought with software design
Software vulnerabilities must be researched, tracked, and mitigated to reduce software based attacks
OWASP focuses on many threats, vulnerabilities, and attacks that pertain to software applications
OWASP top 10 are the 10 most common software attacks and vulnerabilities
Common Software Attacks:
o A buffer overflow attack focuses on sending a computer more input data than it can process
o A Time of Check / Time of Use (TOC/TOU) attack tries to change an operating system condition after it's been checked, but before it's executed
o A redirect and forwarding attack can occur when a web application accepts unvalidated data that redirects a user to an untrusted web address
o Cross-site scripting (XSS) attacks take advantage of 3rd party scripting languages to send unvalidated data to a web application or browser
o A Cross-Site Request Forgery (CSRF) attack focuses on tricking a user into performing unwanted actions on a web application
o An injection attack sends untrusted data to a command interpreter in an attempt to manipulate data
o A drive-by download attack occurs when software is downloaded without the knowledge of the victim
o A backdoor attack bypasses authorized security controls, communication channels, and other authorized means to access system information
Maintenance hooks allow a developer or maintainer of a software application access that can bypass required security controls
Covert channels are communication paths not normally used for transmitting or sharing information that violate a security policy
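Three of the web application attacks in the list above (unvalidated redirects, XSS and injection) share one root cause: untrusted data reaching an interpreter or a browser without validation or encoding. The following is an added example, not from the course notes, showing each weakness next to its hardened form: an allow-listed redirect target, HTML output encoding, and a parameterized query beside the string-built query it replaces. The host allow-list and the table contents are constructed.

```python
# Added example, not from the course notes: the web application weaknesses from the
# lesson next to their hardened forms. Host names and table contents are constructed.
import html
import sqlite3
from urllib.parse import urlparse

ALLOWED_REDIRECT_HOSTS = {"app.example.com"}   # constructed allow-list


def safe_redirect_target(target, default="/"):
    """Accept only local paths or absolute URLs to allow-listed hosts; else fall back."""
    if "\\" in target:
        return default                  # browsers may treat a backslash as a slash
    parts = urlparse(target)
    if not parts.scheme and not parts.netloc:
        # local path; reject protocol-relative "//host" and anything not rooted at "/"
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return default


def render_greeting(name):
    """Output-encode untrusted data before placing it in HTML (XSS mitigation)."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def make_db():
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # Deliberately injectable: untrusted data is spliced into the SQL text.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Parameterized: the interpreter receives the value as data, never as SQL.
    return [row[0] for row in
            conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


if __name__ == "__main__":
    print(safe_redirect_target("https://evil.example/login"))     # "/"
    print(render_greeting("<script>alert(1)</script>"))            # escaped
    db = make_db()
    probe = "' OR '1'='1"
    print(find_user_vulnerable(db, probe), find_user_safe(db, probe))
```

Run with the same textbook probe, the string-built query returns every row while the parameterized one returns none, which is the whole difference between data and code at the interpreter boundary.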
Lesson 8: Common Attacks Against Cryptography
The main focus of cryptography attacks is the key, the algorithm, and the data (confidentiality)
Discovering the cryptographic key, exploiting a flaw in the algorithm, and gaining unauthorized access to the data are the goals
A known-plaintext attack is an attempt to find the crypto key by comparing the plaintext and the ciphertext for an encrypted message
A linear cryptanalysis attack is a known-plaintext style attack that compares the plaintext and ciphertext pairs created with the same key
A ciphertext-only attack analyzes only the ciphertext
A chosen-plaintext attack chooses what plaintext will be encrypted so that the corresponding ciphertext can be analyzed
A chosen-ciphertext attack chooses what ciphertext will be decrypted so that the corresponding plaintext can be analyzed
A differential cryptanalysis attack analyzes the differences between the plaintext and ciphertext pairs
An analytic attack focuses on structural weaknesses of a cryptography algorithm
A statistical attack focuses on the flaws in the statistical patterns of a cryptography algorithm
A side-channel attack is a passive attack focused on observing how the cryptographic algorithm works
A social engineering attack tries to convince personnel to provide the cryptographic key used for encryption
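The side-channel entry above is easiest to see in a comparison routine: if a MAC or tag check stops at the first mismatching byte, the amount of work (and so the time) it spends reveals how many leading bytes of the guess were right, even though the algorithm itself is sound. The following is an added example, not from the course notes, that counts the bytes examined by an early-exit comparison and by a constant-time one, and shows the standard-library fix (`hmac.compare_digest`). The tag and guesses are constructed.

```python
# Added example, not from the course notes: why a tag comparison that stops at the
# first mismatching byte is a side channel, and the constant-time comparison that
# removes it. The tag and guesses are constructed; hmac.compare_digest is the
# standard-library routine production code should use.
import hmac


def naive_compare(expected, candidate):
    """Returns (equal, bytes examined). Stops early, so work depends on the secret."""
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for x, y in zip(expected, candidate):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected, candidate):
    """Returns (equal, bytes examined). Always examines every byte."""
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    for x, y in zip(expected, candidate):
        diff |= x ^ y          # accumulate mismatches without branching on them
    return diff == 0, len(expected)


def work_profile(compare, expected, guesses):
    """Bytes examined per guess; with naive_compare this equals the matched prefix + 1."""
    return [compare(expected, g)[1] for g in guesses]


def verify_tag(expected, candidate):
    """What production code should call."""
    return hmac.compare_digest(expected, candidate)


SECRET_TAG = b"\x7a\x1f\xc3\x04"   # constructed 4-byte tag
GUESSES = [
    b"\x00\x00\x00\x00",           # no bytes right
    b"\x7a\x00\x00\x00",           # first byte right
    b"\x7a\x1f\x00\x00",           # first two right
    b"\x7a\x1f\xc3\x04",           # all right
]

if __name__ == "__main__":
    print("naive   :", work_profile(naive_compare, SECRET_TAG, GUESSES))          # [1, 2, 3, 4]
    print("constant:", work_profile(constant_time_compare, SECRET_TAG, GUESSES))  # [4, 4, 4, 4]
```

The naive profile climbs with each correct prefix byte, which is the observable the side-channel attack measures; the constant-time profile is flat, so the observation carries no information about the key or tag.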