Chapter 7, 8 - Class 1

The document outlines various types of vulnerabilities, including application, operating system, web-based, hardware, cryptographic, and misconfiguration vulnerabilities, detailing their characteristics and defenses. It also discusses malware and network attacks, such as DDoS and DNS attacks, as well as indicators of malicious activity that can signal potential threats. The information serves as a comprehensive guide for understanding and mitigating security risks in digital environments.

Uploaded by yixico9546
Chapter 7: Explain various types of vulnerabilities

A vulnerability is a weakness in a system's hardware, software, or organizational processes that an attacker can exploit to gain unauthorized access or cause harm.

1. Application Vulnerabilities
- Memory injection: These attacks covertly insert malicious code into a program's memory space, allowing attackers to gain unauthorized access.
- Defenses against these attacks use techniques such as code signing, input validation, and memory protection mechanisms.
- One well-known example of a memory injection attack is the Code Red worm, which affected Microsoft IIS web servers in 2001.
- Buffer overflow: Attackers flood a program's buffer with more data than it can hold; the excess overwrites adjacent memory, which can disrupt program execution and give the attacker unauthorized access.
- Defending against buffer overflow attacks requires a multi-pronged approach, including input validation and proper memory management.
- One real-world example of a buffer overflow attack is the Slammer worm, also known as SQL Slammer. In January 2003, this malicious software exploited a buffer overflow vulnerability in Microsoft SQL Server.
- Race conditions: A race condition occurs when two instructions from separate threads attempt to access the same data simultaneously.
- Consider a scenario in which one person is viewing a file while another person accesses the same file at the same moment. The gap between checking a value and acting on it is referred to as time-of-check (TOC) versus time-of-use (TOU). In this situation, the second person might modify the file's data, overwriting the information the first person is viewing.
- An example of a race condition could involve an airline reservation system. Alice and Bob try to book the last available seat on a flight simultaneously. Between Alice's availability check and her booking confirmation, Bob confirms his booking.
- Malicious update: A malicious software update carries hidden code inside the update. Once the update is installed, the embedded code might grant unauthorized access.
- To defend against this threat, users and organizations must practice vigilant update verification, check digital signatures, and require multi-factor authentication for update installation.
- An example of this was CCleaner, a popular utility used to clean and optimize computers.
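The Alice and Bob seat-booking race above, as an added example that is not part of the original notes; the `SeatInventory` class and the passenger names are constructed for it. The first function replays the check-then-book interleaving from the notes; the second makes the check and the booking one atomic step under a lock so the stale check can no longer be acted on.

```python
import threading


class SeatInventory:
    """Last seat on a flight; constructed for this example."""

    def __init__(self, seats_left=1):
        self.seats_left = seats_left
        self.bookings = []
        self._lock = threading.Lock()

    # Vulnerable pattern: the availability check (time-of-check) and the
    # booking (time-of-use) are two separate calls, so another passenger
    # can book in the gap between them.
    def seat_available(self):
        return self.seats_left > 0

    def book_unchecked(self, passenger):
        self.seats_left -= 1
        self.bookings.append(passenger)

    # Hardened pattern: check and update run as one atomic step under a
    # lock, so the state cannot change between the check and the use.
    def book_atomic(self, passenger):
        with self._lock:
            if self.seats_left <= 0:
                return False
            self.seats_left -= 1
            self.bookings.append(passenger)
            return True


def toctou_interleaving():
    """Replays the Alice/Bob interleaving from the notes step by step."""
    inv = SeatInventory(seats_left=1)
    alice_sees_seat = inv.seat_available()  # Alice checks: True
    bob_sees_seat = inv.seat_available()    # Bob checks before Alice books: also True
    if alice_sees_seat:
        inv.book_unchecked("Alice")         # Alice acts on her check
    if bob_sees_seat:
        inv.book_unchecked("Bob")           # Bob acts on a now-stale check: seat sold twice
    return inv.bookings, inv.seats_left     # (["Alice", "Bob"], -1)


def atomic_booking():
    """Alice and Bob race on real threads; only one booking can succeed."""
    inv = SeatInventory(seats_left=1)
    outcomes = []
    workers = [threading.Thread(target=lambda n: outcomes.append(inv.book_atomic(n)),
                                args=(name,)) for name in ("Alice", "Bob")]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return inv.bookings, inv.seats_left, sorted(outcomes)  # one True, one False, 0 left
```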
2. Operating System (OS)-Based Vulnerabilities
- An OS-based vulnerability attack occurs when hackers exploit weaknesses in the core software that manages a device's hardware and software resources.
- A prime example is the BlueKeep vulnerability, which affected Microsoft Windows systems.
3. Web-Based Vulnerabilities
In the interconnected world of the internet, web-based vulnerabilities serve as gateways for digital intruders.
- Structured Query Language Injection (SQLI): The attacker exploits vulnerabilities in a website's or application's input fields to manipulate the SQL queries executed on the backend database.
- SQLI works in four stages: input fields, malicious input, query manipulation, and data exposure.
- SQLI attacks can be overcome with stored procedures and input validation.
- Cross-Site Scripting (XSS): Malicious code is injected into a page and executed in the context of a victim's browser.
- Example: A web application allows users to post comments on a forum, and the comments are displayed to other users on the website. When other users visit the page and view the comments, the malicious script is executed in their browsers.
- This can be prevented by using input validation.
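As an added illustration of the SQLI and XSS items above (example code written for these notes, not from the original document), each vulnerable form is shown next to its hardened form: string-built SQL versus a parameterised query, and raw comment output versus output encoding, which complements the input validation the notes recommend. The in-memory user table, the sample rows, `SQLI_INPUT` and `XSS_COMMENT` are all constructed for the example.

```python
import html
import sqlite3


def make_forum_db():
    """In-memory forum user table with constructed sample rows.
    Plaintext passwords are used only to keep the demo short; a real
    system stores password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


# Vulnerable: input field contents are concatenated into the SQL text, so a
# quote in the input changes the query the database executes (query manipulation).
def login_concatenated(db, name, password):
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]


# Hardened: parameterised query; the driver passes the input as data, not SQL.
def login_parameterised(db, name, password):
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]


# Constructed malicious input for the password field: the tautology makes the
# concatenated WHERE clause true for every row (data exposure).
SQLI_INPUT = "' OR '1'='1"


# Vulnerable: the stored comment is echoed into the page unchanged, so a
# script tag in it runs in every visitor's browser (stored XSS).
def render_comment_unsafe(comment):
    return f"<li>{comment}</li>"


# Hardened: output encoding turns <, >, & and quotes into HTML entities, so
# the browser displays the comment as text instead of executing it.
def render_comment_safe(comment):
    return f"<li>{html.escape(comment)}</li>"


XSS_COMMENT = "<script>alert('stolen')</script>"  # constructed hostile comment
```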
4. Hardware Vulnerabilities
- Vulnerabilities in firmware: Attack vectors may include outdated firmware, inadequate security measures during development, or insufficient encryption protocols.
- To mitigate such risks, regular firmware updates and adherence to security best practices are essential.
- End-of-life systems: End-of-life (EOL) marks the end of a product's life cycle, when the system is no longer manufactured and spare parts and warranties are no longer supported.
- Legacy system vulnerabilities: Legacy systems are outdated technologies that lack modern security features.
- Attackers can exploit vulnerabilities in legacy systems to gain unauthorized access.
5. Cryptographic Vulnerabilities
Cryptographic vulnerabilities are weaknesses within certificates and encryption.
Certificate authority (CA) compromise: If a CA is compromised, attackers can generate fraudulent certificates, leading to the interception of encrypted communications.
Key compromise: A key can be compromised through theft, weak generation, or poor key management, leading to unauthorized data access, manipulation, or decryption.
Flawed implementation: Poorly coded encryption routines and weak key management create openings that adversaries can exploit.
Outdated algorithms: Outdated algorithms expose data to potential breaches.
Side-channel attacks: Cryptographic operations can leak information through side channels such as power consumption, timing, or electromagnetic radiation.
Backdoor exploitation: Deliberate backdoors within cryptographic systems can provide attackers with unauthorized access.
Random number generation: Secure encryption relies on truly random numbers to generate cryptographic keys. Predictable random number generation leads to weak keys and compromised security.
Certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP):
- CRLs verify the current validity of digital certificates. OCSP enables real-time certificate validation.
- When a certificate is compromised, it is listed on the CRL so that it is no longer accepted; a compromised certificate that has not been revoked can still be used for unauthorized access.
Secure key management: Weak key management is a common attack vector. Keys can be protected by storing them in a Hardware Security Module (HSM).
SSL (Secure Socket Layer)/TLS (Transport Layer Security) downgrade:
- This attack targets the older versions of SSL/TLS that are still used by outdated browsers.
- An example is the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, a man-in-the-middle attack.
6. Misconfiguration Vulnerabilities
These are vulnerabilities stemming from misconfigured IT systems, network devices, and firewalls.
Network devices: When we purchase a new device, we should change its default configuration. Misconfigurations in these devices can create significant weaknesses in overall security.
Firewalls: Firewalls act as a frontline defense against unauthorized access by filtering incoming and outgoing network traffic. A misconfigured firewall can allow unauthorized access, malware, and attacks.
Default credentials/configurations: Failing to change the default usernames, passwords, and configurations of network devices and firewalls is a common oversight that makes it easy for attackers to gain access.
Unpatched software: Neglecting to update the firmware and software on network devices and firewalls provides an open door for attackers.
Excessive privileges: Granting excessive privileges to user accounts can lead to unauthorized access.
Chapter 8: Given a scenario, analyze indicators of malicious activity

Malware Attacks
- Malware (short for "malicious software") refers to any software program or code specifically designed to disrupt, damage, or gain unauthorized access to computer systems, networks, or devices. Malware is created with malicious intent and can take various forms, including viruses, worms, trojans, spyware, adware, ransomware, and more.
- Potentially Unwanted Programs (PUPs) are programs that are downloaded bundled inside other programs. They over-consume computer resources and slow the computer down.
- Programs such as Malwarebytes will alert you that these kinds of downloads are PUPs and give you the option to delete them.
Network Attacks
A network attack is an unauthorized and malicious attempt to disrupt, compromise, or gain access to computer systems, data, or communication within a network.
- Distributed Denial-of-Service (DDoS): A Denial-of-Service (DoS) attack is one in which a single host prevents a victim's services from working; in the distributed form, many hosts attack at once.
- In this attack type, an attacker places malware on computers/devices so that they can control these computers, which are now bots (a group of these bots is called a botnet).
- Defending against DDoS attacks includes strategies such as network enhancements, traffic filtering, and adaptive response mechanisms.
Domain Name System (DNS) attacks
- DNS is the backbone of the internet, responsible for translating hostnames or domain names, such as www.packtpub.com, into the numerical IP addresses that computers understand.
- DNS resolution: When a user types a website URL into their web browser, the browser uses DNS resolution to find the IP address of the website, but this process can be susceptible to attacks.
- DNS sinkhole: A DNS sinkhole identifies requests for known malicious domains and returns false address information for them instead of the real address, preventing the attack from proceeding.
- DNS cache poisoning: DNS cache poisoning (DNS spoofing) occurs when an attacker manipulates DNS records to redirect users to malicious websites or to a fake website that looks like the legitimate website being sought.
Wireless Attacks
The following methods can be used to launch a wireless attack:
- Rogue access points: A rogue access point pretends to be a legitimate Wireless Access Point (WAP) to trick users into connecting and sharing sensitive information.
- Evil twin: An evil twin intercepts communications between users and the legitimate network.
- To create an evil twin, attackers set up a duplicate network with a name similar to a well-known network. Users are tricked into connecting, thinking they are accessing a trusted network.
- Deauthentication and jamming attacks: Wireless attacks can use deauthentication and jamming techniques to disrupt legitimate network services.
- Symptoms of these attacks are sudden disconnections, slow network speeds, and an increased number of reconnection attempts.
- MAC spoofing and device impersonation: Malicious actors often spoof MAC addresses to impersonate authorized devices on the network.
- Wi-Fi analyzer: A Wi-Fi analyzer listens to the network's signals, interprets their nuances, and presents a comprehensive view of the Wi-Fi landscape by scanning for nearby networks, analyzing signal strength, and identifying potential interference sources.
On-path attacks
- On-path attacks, also referred to as "man-in-the-middle" or interception attacks, involve an adversary positioning themselves to intercept the communication between two parties.
- They can intercept, modify, or eavesdrop on the data being exchanged.
Credential Replay
Among the most prevalent and damaging cyberattacks are credential replay attacks. Two main types of credential attacks are as follows:
- Credential replay attacks: In a credential replay attack, the attacker captures valid credentials (using packet-capturing tools such as Wireshark or tcpdump) during a legitimate login attempt and then reuses the same credentials to gain unauthorized access.
- Credential stuffing: A credential stuffing attack targets users who submit the same credentials to every system and online application they log in to, whether personal or business.

Malicious Code
- Malicious code is designed with the intention of infiltrating systems, exfiltrating data, and causing digital mayhem.
Examples of malicious code attacks include the following:
- Bash shell attacks: Attackers may use Bash scripts to execute unauthorized commands, compromise systems, or manipulate files.
- Python: Malicious Python scripts can perform a wide range of actions, from keylogging to data exfiltration, and attackers can distribute Python-based malware through phishing emails, malicious attachments, or compromised websites.
- JavaScript: Malicious JavaScript code can be injected into web pages to perform actions such as stealing user data, redirecting traffic, or executing unauthorized transactions.

Indicators of Attack
Indicators of Attack (IoAs) provide early warnings of potential threats by identifying suspicious activities or behaviors within a network, helping organizations defend proactively against cyberattacks. The following are some common indicators:
Account lockout: Frequent or unexpected lockouts, especially of privileged accounts, could indicate malicious attempts to gain unauthorized access. A brute-force attack, for instance, will lock accounts out, as most companies allow only three attempts.
Concurrent session usage: Sudden spikes, or a significantly higher number of concurrent sessions than usual, might indicate unauthorized access or a breach in progress.
Impossible travel: Impossible travel refers to multiple logins from two geographically distant locations within an unrealistically short timeframe.
Resource consumption: Unusual spikes in resource consumption, such as excessive CPU or memory usage, might suggest a malware infection.
Resource inaccessibility: When critical resources suddenly become inaccessible, it could be a sign of a cyberattack.
Out-of-cycle logging: Logs generated at unusual or unexpected times can indicate suspicious activity.
Published/documented: Published or documented vulnerabilities and configuration settings can attract malicious actors.
Missing logs: The absence of expected logs (especially during critical events or incidents) can be a clear sign of tampering or an attempt to hide malicious activity.
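As an added example (not from the original notes) of turning the impossible-travel indicator above into detection logic: consecutive logins by the same user are compared, and a pair whose implied speed exceeds what a traveller could achieve is flagged. The login events, their coordinates and the 900 km/h threshold are constructed assumptions for the example.

```python
import math
from datetime import datetime

# Constructed login log: (user, UTC time, source location, latitude, longitude).
LOGIN_EVENTS = [
    ("alice", "2024-03-01T09:00:00", "London",   51.5074,  -0.1278),
    ("alice", "2024-03-01T09:45:00", "New York", 40.7128, -74.0060),
    ("bob",   "2024-03-01T08:00:00", "Berlin",   52.5200,  13.4050),
    ("bob",   "2024-03-01T13:30:00", "Paris",    48.8566,   2.3522),
]

# Assumed threshold: anything faster than an airliner counts as impossible.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flags consecutive logins by one user whose implied speed is implausible.
    Returns one (user, from, to, km, hours) tuple per alert."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[0], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur[1]) -
                     datetime.fromisoformat(prev[1])).total_seconds() / 3600
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            # A different place at the same instant is infinite speed: also impossible.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, prev[2], cur[2], round(km), round(hours, 2)))
    return alerts
```

Bob's Berlin-to-Paris hop (about 880 km in 5.5 hours) stays under the threshold, while Alice's London-to-New York pair (about 5,570 km in 45 minutes) is flagged.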
