Cybersecurity Essentials - Module 1 Cheat Sheet

# Module 1: Cybersecurity Threats, Vulnerabilities, and Attacks :::success Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards. ::: ### 1.1 Common Threats --- #### 1.1.1 Threat Domains - **Definition**: A threat domain is an area within an organization’s control or protection that attackers may exploit to gain unauthorized access. - **Examples of Threats in Domains**: - Direct physical access to sensitive devices or network resources. - Wireless networks extending outside organizational boundaries, increasing exposure to unauthorized access. - Bluetooth/NFC devices that attackers can target with proximity-based exploits. - Malicious email attachments spreading malware. - Compromised supply chain elements, where third-party hardware or software may introduce vulnerabilities. - Social media accounts, which are susceptible to phishing and social engineering attacks. - Removable media (e.g., USB drives) that may carry malware. - Cloud applications used within the organization that may lack sufficient security controls. --- #### 1.1.2 Types of Cyber Threats - **Software Attacks**: Attacks that exploit software vulnerabilities. - **Examples**: Denial-of-service (DoS) attacks, which overwhelm a server with traffic, and viruses, which replicate and spread to other systems. - **Software Errors**: Unintentional software issues that lead to vulnerabilities. - **Examples**: Cross-site scripting (XSS), where malicious code is injected into websites, or a software bug causing an application to crash. - **Sabotage**: Intentional harm to systems, often from insiders. - **Examples**: An insider accessing and compromising a database or defacing the organization’s website. - **Human Error**: Unintentional actions by users that create security risks. - **Examples**: Misconfigured firewalls that expose systems to unauthorized access or accidental data entry errors. - **Theft**: Physical theft of sensitive devices or equipment. - **Example**: A laptop with confidential information stolen from an unlocked room. - **Hardware Failures**: Malfunctions of physical devices leading to data loss or downtime. - **Example**: Hard drive crashes causing data loss without backup. - **Utility Interruptions**: Disruptions in essential services that impact operations. - **Examples**: Power outages leading to system downtime or water damage from sprinkler failures. - **Natural Disasters**: Environmental events, such as hurricanes or earthquakes, that can damage infrastructure and data. --- #### 1.1.4 Internal vs External Threats - **Internal Threats**: Threats originating from within the organization, typically by employees, ex-employees, contract staff, or trusted partners who may accidentally or intentionally compromise systems. - **Example**: An employee connects an infected USB drive to the network, introducing malware. - **External Threats**: Threats from outside the organization, often carried out by cybercriminals using social engineering or technical exploits to gain unauthorized access. - **Example**: A hacker group launches a phishing campaign to steal employee credentials. **Note**: Internal threats can be particularly damaging due to the access and insider knowledge employees have of the organization’s systems and security measures. --- #### 1.1.8 User Threats and Vulnerabilities - **Lack of Security Awareness**: Users unaware of security policies may mishandle data or ignore security controls, risking confidentiality, integrity, and availability of information. - **Poorly Enforced Policies**: Weak or inconsistently enforced policies reduce overall security. - **Data Theft**: Users stealing or leaking sensitive information can result in financial and legal issues. - **Unauthorized Downloads**: Installing unapproved software (e.g., games, apps) can introduce malware. - **Unauthorized VPNs**: Unauthorized VPN connections can hide data transfers and evade network monitoring. - **Access to Unapproved Websites**: Visiting risky websites that may contain malware, compromising user and network security. - **Destruction of Data**: Intentional or accidental actions causing data loss or system unavailability. --- #### 1.1.9 Device Threats - **Unattended Devices**: Leaving devices powered on and unattended may allow unauthorized access to network resources. - **Untrusted Downloads**: Downloading files from unverified sources increases malware risk. - **Software Vulnerabilities**: Exploitable flaws in device software that may not have been patched. - **Unauthorized Media**: Inserting external devices, like USB drives, which may contain malware. - **Outdated Hardware/Software**: Using older technology without current security updates increases vulnerability to attacks. --- #### 1.1.10 LAN (Local Area Network) Threats - **Local Area Network (LAN)**: A network of connected devices within the same geographic area, either wired or wireless, allowing users to share data and resources. - **Common LAN Threats**: - **Physical Access**: Unauthorized access to network infrastructure, such as wiring closets. - **Unauthorized System Access**: Accessing systems or data without approval. - **Software Vulnerabilities**: Unpatched network OS vulnerabilities. - **Wireless Network Exploits**: Unauthorized access to Wi-Fi networks. - **Data in Transit**: Sensitive data sent over the network can be intercepted. - **Firewall Misconfigurations**: Incorrect settings that expose network sections. --- #### 1.1.11 Private Cloud Threats - **Private Cloud**: A cloud environment dedicated to a single organization, hosted privately and offering secure, organization-only access over the internet. - **Common Private Cloud Threats**: - **Unauthorized Network Probing**: Scanning for vulnerabilities within the private cloud. - **Unauthorized Access**: Gaining access to private resources without permission. - **Device Vulnerabilities**: Routers, firewalls, or other network devices with software flaws. - **Configuration Errors**: Misconfigurations that expose private resources. - **Remote Access Risks**: Remote users accessing the private cloud without adequate security. --- #### 1.1.12 Public Cloud Threats - **Public Cloud**: A cloud environment that offers computing resources (e.g., storage, processing) shared across multiple organizations, accessible to the public and hosted by cloud providers. - **Service Models**: - **Software as a Service (SaaS)**: Subscription-based, centrally hosted software accessed via browsers or apps. - **Platform as a Service (PaaS)**: A cloud platform for developing, testing, and deploying applications. - **Infrastructure as a Service (IaaS)**: On-demand access to computing resources, such as storage and network infrastructure. - **Common Public Cloud Threats**: - **Data Breaches**: Sensitive data in shared environments at risk of unauthorized access. - **Loss or Theft of Intellectual Property**: Risk of proprietary information being compromised. - **Compromised Credentials/Account Hijacking**: Weak or stolen credentials allowing unauthorized access. - **Social Engineering Attacks**: Manipulating cloud users to reveal confidential information. - **Compliance Violations**: Failing to meet data privacy or security regulations, leading to potential legal and financial penalties. --- #### 1.1.15 Application Threats - **Application Domain**: Encompasses all critical applications and systems that support an organization’s operations, including email, databases, and security monitoring tools, often increasingly hosted in the public cloud. - **Common Application Threats**: - **Unauthorized Access**: Intrusions into critical areas such as data centers or computer rooms. - **Server Downtime**: Application downtime due to maintenance, affecting productivity. - **Software Vulnerabilities**: Flaws in web or client-server applications exploitable by attackers. - **Data Loss**: Accidental or malicious deletion, leading to a risk of data integrity loss. --- #### 1.1.17 Threat Complexity - **Advanced Persistent Threats (APTs)**: Long-term, highly coordinated attacks often targeting high-profile entities like governments or corporations. These attacks aim to remain undetected, using advanced tools and tactics, often sponsored by states or well-funded organizations. - **Algorithm Attacks**: Attacks that exploit flaws in software algorithms to disrupt normal operations, such as consuming system resources to the point of exhaustion or triggering unnecessary system actions. --- #### 1.1.19 Malware Types: Backdoors and Rootkits - **Backdoors**: Programs or methods allowing attackers to bypass normal authentication, providing continued unauthorized access. Backdoors are often installed through Remote Access Trojans (RATs), giving attackers administrative control over a system. - **Examples**: Netbus and Back Orifice. - **Rootkits**: Malware designed to hide itself by modifying the operating system, granting attackers ongoing access. Rootkits often require a complete system wipe to remove, as they manipulate system files and monitoring tools to avoid detection. --- #### 1.1.20 Threat Intelligence and Research Sources - **CVE (Common Vulnerabilities and Exposures)**: A publicly available dictionary of known vulnerabilities maintained by MITRE, providing identifiers, descriptions, and references for each vulnerability. - **Dark Web Monitoring**: Monitoring encrypted, unindexed content on the dark web, which often requires special access, to identify emerging threats and vulnerabilities. - **Open Source Intelligence (OSINT)**: Publicly available information collected from various sources, aiding in identifying potential threats. OSINT collaboration across sectors helps organizations improve security by sharing threat intelligence data. >[!Warning]Recap >A threat domain is an area of control, authority, or protection that attackers can exploit to gain access to a system. Cyber threat categories include software attacks and errors, sabotage, human error, theft, hardware failures, utility interruptions, and natural disasters. Internal threats are typically carried out by current or former employees and other contract partners, while external threats usually stem from amateur or skilled attackers who exploit vulnerabilities in networked devices or use social engineering techniques. A user domain includes anyone with access to an organization’s information system, with common user threats like poorly enforced security policies, data theft, unauthorized downloads and media, unauthorized VPNs, unauthorized websites, and the destruction of systems, applications, or data. Individual devices, LANs, and private and public clouds are also susceptible to attacks. Complex threats, such as Advanced Persistent Threats (APTs) and algorithm attacks, exploit sophisticated techniques. Cybercriminals use backdoor programs to bypass normal authentication and gain unauthorized access to systems, allowing continued access even if the initial vulnerability is patched. Most rootkits exploit software vulnerabilities to access resources and modify system files, making them hard to detect by altering forensic and monitoring tools. > >The dark web is encrypted content not indexed by conventional search engines, requiring specific software, authorization, or configurations for access. Indicators of Compromise (IOCs), like malware signatures or domain names, provide evidence of security breaches. Automated Indicator Sharing (AIS) enables real-time exchange of cybersecurity threat indicators using standardized languages such as STIX and TAXII. >[!Note]Flashcards >You can find Quizlet flashcards associated with this topic by clicking [here](https://quizlet.com/746581628/module-1a-cybersecurity-threats-vulnerabilities-and-attacks-flash-cards/?funnelUUID=d14bb4ab-7ef0-4bcf-996f-01ecb1459653). ### 1.2 Deception --- #### 1.2.1 Social Engineering - **Definition**: Social engineering is a non-technical method of cyberattack that manipulates individuals to perform certain actions or divulge confidential information. - **How It Works**: Instead of exploiting software or hardware, social engineering relies on human psychology, targeting traits like helpfulness, greed, or fear. - **Common Types of Social Engineering**: - **Pretexting**: An attacker fabricates a scenario (pretext) to obtain information, such as pretending to need financial data to confirm someone’s identity. - **Quid Pro Quo (Something for Something)**: Attackers request personal information in exchange for a reward, like a gift. Example: A malicious email asks for sensitive details in exchange for a free vacation. - **Identity Fraud**: Using someone’s stolen identity to obtain goods or services. Example: A cybercriminal acquires your data and tries to issue a credit card in your name. --- #### 1.2.2 Social Engineering Tactics Cybercriminals frequently use the following tactics to manipulate victims: - **Authority**: Attackers pose as authority figures to increase compliance. - **Example**: An employee opens an email attachment they think is a legal document, but it’s malware. - **Intimidation**: Attackers use threats to coerce action. - **Example**: A caller pressures a secretary to send files immediately, claiming the boss’s presentation depends on it. - **Consensus (Social Proof)**: Attackers imply others have done something, encouraging the victim to do the same. - **Example**: A social media post promotes a “business opportunity” with positive comments to lure more victims. - **Scarcity**: Attackers create urgency by claiming limited availability. - **Example**: An email offers a luxury item at a discount, claiming only a few are left to prompt quick action. - **Urgency**: Attackers press victims to act fast by implying limited time. - **Example**: A fake time-limited offer encourages a victim to click a malicious link. - **Familiarity**: Attackers build rapport to gain trust. - **Example**: An attacker clones a friend’s social media profile to communicate with the victim. - **Trust**: Attackers establish a relationship over time to build trust. - **Example**: A “security expert” offers help, finds a “serious error,” and convinces the victim to grant access to resolve it. **Note**: Attackers often combine multiple tactics to increase their success. --- #### 1.2.6 Shoulder Surfing and Dumpster Diving - **Shoulder Surfing**: A technique where attackers observe sensitive information over a victim’s shoulder, like PINs or access codes. This can also be done remotely using binoculars or cameras. - **Dumpster Diving**: Attackers search through discarded items to find valuable information. Organizations should shred sensitive documents or store them in burn bags for secure disposal. --- #### 1.2.7 Impersonation and Hoaxes - **Impersonation**: Pretending to be someone else to deceive victims into performing actions they wouldn’t normally do. - **Example**: A cybercriminal poses as a tax official demanding immediate payment, threatening arrest if the victim doesn’t comply. - **Hoaxes**: Deceptive messages that cause unnecessary fear or reaction. - **Example**: A message warns of a fake virus, urging recipients to share the warning and causing widespread panic. --- #### 1.2.8 Piggybacking and Tailgating - **Definition**: Piggybacking (or tailgating) is when an attacker follows an authorized individual to gain physical entry into secure areas. - **Methods**: - Pretending to be escorted by an authorized person. - Blending with a large group entering the facility. - Targeting individuals who disregard security protocols. - **Prevention**: Use two sets of doors (mantraps) where the outer door must close before the inner door opens, preventing unauthorized entry. --- #### 1.2.9 Other Methods of Deception Attackers have additional techniques to deceive victims: - **Invoice Scam**: Sending fake invoices to trick victims into entering credentials on a phishing page, often with threatening language. - **Watering Hole Attack**: Infecting a frequently visited website with malware, targeting specific users within an organization. - **Typosquatting**: Using fake websites with common URL typos. Victims who mistype URLs land on the attacker’s site, designed to capture personal data. - **Prepending**: Removing the “external” email tag in a phishing email, making it appear as though it originated from within the organization. - **Influence Campaigns**: Coordinated efforts (e.g., fake news, disinformation) aimed at manipulating public opinion, commonly used in cyberwarfare. --- #### 1.2.11 Defending Against Deception Organizations should increase awareness of social engineering tactics and educate employees on preventive measures. Key practices include: - Never disclose confidential information or credentials through unverified channels (email, chat, or phone). - Avoid clicking on suspicious emails or links. - Be cautious of automatic downloads and unfamiliar attachments. - Establish and strictly enforce security policies. - Encourage employees to report and take ownership of security issues. - Resist pressure from unknown individuals demanding immediate action. >[!Warning]Recap >Social engineering is a non-technical strategy to manipulate individuals into actions or divulging confidential information. Tactics include pretexting (creating a fabricated scenario to gain access), quid pro quo attacks (requesting personal information in exchange for something), and identity fraud (using a person’s stolen identity to obtain goods or services). Techniques include impersonating authority figures, intimidation, building consensus, exploiting perceived scarcity or urgency, and creating familiarity with employees. Shoulder surfing involves observing a target’s screen or PIN entry, sometimes from a distance with binoculars or security cameras. Dumpster diving is searching discarded items for sensitive information. Tailgating, or piggybacking, occurs when a criminal follows an authorized person to enter a secure area. Additional deception methods include invoice scams, watering hole attacks, typosquatting, prepending, and influence campaigns. Organizations need to educate employees on recognizing and preventing these tactics. >[!Note]Flashcards >You can find Quizlet flashcards associated with this topic by clicking [here](https://quizlet.com/749976075/module-1b-cybersecurity-threats-vulnerabilities-and-attacks-flash-cards/?funnelUUID=9957ed7d-10d1-4d1c-865c-b512ab2d772a). ### 1.3 Cyber Attacks --- #### 1.3.1 Malware - **Malware**: Malicious software used to steal data, bypass controls, or harm a system. Common types include: - **Virus**: A self-replicating program that attaches to files, often requiring user action to activate. It spreads via removable media, downloads, and email attachments. Example: The Melissa virus (1999), which caused $1.2 billion in damage. - **Worm**: Self-replicating malware that exploits network vulnerabilities to spread without user action, often slowing networks. Example: The Code Red worm (2001), which infected over 300,000 servers in 19 hours. - **Trojan Horse**: Malware disguised as legitimate software, often embedded in files like images or audio. Trojans don’t replicate but can allow attackers control over the infected system. --- #### 1.3.2 Logic Bombs - **Definition**: Malicious code that remains inactive until triggered by a specific event (e.g., a date or database entry). - **Function**: Once activated, a logic bomb can erase files, sabotage databases, or damage hardware by overloading components until failure. --- #### 1.3.3 Ransomware - **Definition**: Malware that encrypts data or locks a system, demanding payment to restore access. - **Spread**: Often delivered via phishing emails or exploiting software vulnerabilities. - **Risks**: Even if victims pay, they may not regain access to their data. Ransomware can lock down a system or encrypt critical files, preventing access until a ransom is paid through untraceable means. --- #### 1.3.4 Denial of Service (DoS) Attacks - **Definition**: Attacks designed to disrupt services by overwhelming a network, system, or application. - **Types**: - **Overwhelming Traffic**: Excessive data floods the target, causing slowdowns or crashes. - **Maliciously Formatted Packets**: Sending malformed data packets that the receiver cannot process, causing crashes or reduced performance. --- #### 1.3.5 Distributed Denial of Service (DDoS) Attacks - **Definition**: A DoS attack originating from multiple sources, often using a botnet (network of infected devices). - **Process**: - Attackers create a botnet of "zombie" computers, controlled by handler systems. - The botnet scans for and infects additional hosts. - The attacker triggers the botnet to launch a coordinated attack, overwhelming the target with traffic. --- #### 1.3.6 Domain Name System (DNS) Attacks - **DNS**: Translates domain names (e.g., www.example.com) into IP addresses. - **Common DNS Attacks**: - **DNS Spoofing/Cache Poisoning**: Injects false data into a DNS cache, redirecting traffic to attacker-controlled sites. - **Domain Hijacking**: Gaining unauthorized control over a domain by changing DNS settings, often through social engineering. - **URL Redirection**: Redirecting users to malicious websites by tampering with URLs. --- #### 1.3.7 Layer 2 Attacks - **Layer 2**: Data link layer of the OSI model, responsible for moving data across a physical network using MAC addresses. - **Common Layer 2 Attacks**: - **MAC Address Spoofing**: Attackers disguise their device as a trusted one on the network, bypassing authentication. - **ARP Spoofing**: Attackers send false ARP messages to link their MAC address to an IP address of a trusted device, intercepting or altering data. ![60a6663bdbb715467fb11cfb](https://hackmd.io/_uploads/r10jyG9Wkx.png) - **MAC Flooding**: Flooding the network switch with fake MAC addresses, causing it to become less secure or to malfunction. ![60a66658a502341ce0b3cb11](https://hackmd.io/_uploads/rJw1lf5Z1l.png) --- #### 1.3.9 Man-in-the-Middle (MitM) and Man-in-the-Mobile (MitMo) Attacks - **Man-in-the-Middle (MitM)**: An attacker intercepts communications between two parties, modifying or relaying messages without detection. - **Man-in-the-Mobile (MitMo)**: A variation targeting mobile devices. Example: ZeuS malware captures two-step verification SMS codes to intercept user data. --- #### 1.3.10 Replay Attacks - **Definition**: Attackers capture legitimate communication between hosts and retransmit it to trick the recipient, bypassing authentication. --- #### 1.3.11 Zero-Day Attacks - **Definition**: Exploiting software vulnerabilities before they are publicly known or patched. High-risk as networks are vulnerable between the time of discovery and the vendor patch release. --- #### 1.3.12 Keylogging - **Definition**: Recording keystrokes to capture sensitive information, like usernames and passwords. - **Methods**: Through software or physical hardware attached to the computer. - **Detection**: Anti-spyware can detect and remove unauthorized keyloggers. --- #### 1.3.15 Defending Against Attacks - **Firewall Configuration**: Block packets from outside the network that appear to originate from inside. - **Regular Patching**: Ensure software is up to date to prevent exploitation of known vulnerabilities. - **Traffic Load Distribution**: Spread workload across server systems to mitigate DDoS impact. - **ICMP Blocking**: Configure firewalls to block ICMP packets to prevent certain DoS and DDoS attacks. >[!Warning]Recap >Malware is any code used to steal data, bypass access controls, or compromise a system. Variants include viruses, which replicate by inserting their code into other files; worms, which spread by exploiting network vulnerabilities; Trojan horses, which mask malicious operations; logic bombs, which activate based on specific conditions; and ransomware, which holds data or systems hostage until a payment is made. DoS attacks overload systems, often causing slowdowns or crashes, while DDoS attacks amplify this effect through multiple sources. DNS attacks can involve spoofing or hijacking, while Layer 2 attacks include ARP and IP spoofing, MAC flooding, and man-in-the-middle. Zero-Day attacks exploit unknown software vulnerabilities. Keylogging monitors keystrokes, potentially capturing sensitive information like usernames and passwords. > >To defend against these attacks, we should use firewalls, regularly update and patch systems, distribute workloads across servers, and block external ICMP packets. >[!Note]Flashcards >You can find Quizlet flashcards associated with this topic by clicking [here](https://quizlet.com/749979668/module-1c-cybersecurity-threats-vulnerabilities-and-attacks-flash-cards/?funnelUUID=ff962466-8ea0-4080-8d1d-571b1cc14b93). ### 1.4 Wireless and Mobile Device Attacks --- #### 1.4.2 Grayware and SMiShing - **Grayware**: Unwanted applications that, while not inherently malicious, act in undesirable ways. Grayware can track user activity or display ads and is often embedded in app license agreements that users overlook, especially on mobile devices. - **SMiShing** (SMS Phishing): Attackers send fake text messages prompting users to visit malicious websites or call fraudulent numbers, potentially leading to malware downloads or personal information disclosure. --- #### 1.4.3 Rogue Access Points - **Definition**: Unauthorized wireless access points on a secure network. Often, they are installed by employees for convenience or by attackers to gain network access. - **Threats**: - Attackers can set up a rogue access point as a **Man-in-the-Middle (MitM)** device to intercept login information. ![608af606684c9f4f169b36ea](https://hackmd.io/_uploads/HJ9AA-9b1x.png) - **Evil Twin Attack**: An attacker sets up an access point that mimics a legitimate one, enticing users to connect, enabling attackers to monitor their network activity. ![60a66676ce235f4fb0d991d5](https://hackmd.io/_uploads/r1mbkMqWkx.jpg) --- #### 1.4.4 Radio Frequency Jamming - **Definition**: Interfering with wireless signals by emitting signals at the same frequency, preventing legitimate signals from reaching their destination. - **Methods**: Attackers match the frequency, modulation, and power of the device they intend to disrupt. Common sources include electromagnetic interference (EMI) and radio frequency interference (RFI). --- #### 1.4.6 Bluejacking and Bluesnarfing - **Bluejacking**: Attackers use Bluetooth to send unsolicited messages or images to nearby devices. Typically harmless but intrusive and alarming to recipients. - **Bluesnarfing**: A Bluetooth-based attack where attackers gain access to data like emails and contacts from a target’s device, often without the target’s knowledge. --- #### 1.4.7 Attacks Against Wi-Fi Protocols - **Wi-Fi Security Protocols**: - **WEP (Wired Equivalent Privacy)**: Early Wi-Fi security protocol intended to provide encryption but is weak due to limited key management and a small, static initialization vector (IV), making it vulnerable to attackers. - **WPA (Wi-Fi Protected Access)**: Improved on WEP, introducing dynamic key management, but still has some vulnerabilities. - **WPA2**: Further secures Wi-Fi by enhancing encryption and authentication; however, attackers may still analyze traffic with packet sniffers to capture encrypted packets. --- #### 1.4.9 Wi-Fi and Mobile Defense **Key Defense Measures**: - Enable **authentication and encryption** features on wireless networks by adjusting default configurations. - **Restrict Access Point Placement**: Position access points outside the firewall or in a demilitarized zone (DMZ) to protect the internal network. - Use **WLAN detection tools** (e.g., NetStumbler) to identify rogue access points or unauthorized devices. - Establish and enforce policies for **guest Wi-Fi access**. - Require employees to use **VPNs** for secure remote access to WLANs. >[!Warning]Recap >Grayware includes unwanted applications that behave annoyingly or undesirably. SMiShing involves fake text messages prompting recipients to visit malicious websites. Rogue access points are unauthorized wireless points on a network. Evil twin attacks set up an access point resembling a legitimate one to lure users. Radio frequency jamming disrupts wireless communications, while bluejacking sends unsolicited messages to nearby devices. Bluesnarfing allows attackers to extract data from Bluetooth-enabled devices. Wireless security protocols like WPA2 provide stronger protection than earlier standards like WEP, which is more vulnerable. > >To defend against wireless and mobile device attacks, change default configurations, restrict access point placement, use WLAN tools to detect rogue devices, establish Wi-Fi guest access policies, and require remote access VPNs for WLAN connections. ### 1.5 Application Attacks --- #### 1.5.2 Cross-Site Scripting (XSS) - **Definition**: A vulnerability in web applications allowing attackers to inject malicious scripts into web pages. - **Process**: - The attacker injects a malicious script into a web page. - When a victim visits the page, the script executes in their browser, granting the attacker access to cookies, session tokens, and other sensitive data. - The attacker can then impersonate the user and access restricted information. ![60a4cc1de10cd01cfa4a41ef](https://hackmd.io/_uploads/H1CE6z9Zye.png) --- #### 1.5.3 Code Injection Attacks - **Definition**: Attackers exploit vulnerabilities in applications that accept user input by injecting malicious code into a database or application. - **Types**: - **XML Injection**: Alters XML data processing to manipulate queries, granting attackers access to sensitive data or allowing them to corrupt data. - **SQL Injection**: Attackers insert malicious SQL statements into input fields, gaining unauthorized database access and the ability to manipulate data or escalate privileges. - **DLL Injection**: Trick applications into executing a malicious dynamic link library (DLL) file in Windows, enabling attackers to take over target processes. - **LDAP Injection**: Manipulates queries to an LDAP server to extract sensitive information, exploiting input validation vulnerabilities in directory services. --- #### 1.5.4 Buffer Overflow - **Definition**: Occurs when data exceeds the memory space allocated to a buffer, potentially affecting adjacent memory areas. - **Consequences**: - Buffer overflow can cause applications to crash, corrupt data, or allow privilege escalation. - Attackers may overwrite instructions to execute malicious code, gaining control over the device or network access. --- #### 1.5.6 Remote Code Execution (RCE) - **Definition**: Exploits application vulnerabilities to execute commands remotely with the user’s privileges. - **Example**: The Metasploit Framework, a cybersecurity tool, enables controlled penetration testing through payloads like Meterpreter, which allows remote system control and can evade antivirus detection by operating in memory. --- #### 1.5.7 Other Application Attacks - **Cross-Site Request Forgery (CSRF)**: Attackers trick users into submitting unauthorized commands from their browser to a trusted application, often through hidden forms or JavaScript. - **Race Condition Attack**: Also known as TOC/TOU, this occurs when attackers exploit timing issues to execute multiple operations simultaneously, potentially altering data or causing errors. - **Improper Input Handling**: Poor input validation can lead to buffer overflow or SQL injection, causing vulnerabilities. - **Error Handling Attack**: Attackers use error messages to gain insights into systems, such as directory structures or table names, to craft SQL injections. - **API Attack**: Abuses API endpoints to manipulate interactions between systems, often to extract or alter data. - **Replay Attack**: Attackers capture valid data transmissions, amend them, and resend them to deceive the recipient. - **Directory Traversal Attack**: Attackers access files outside the website’s directory by manipulating paths, potentially exposing configuration files. - **Resource Exhaustion Attack**: Similar to a DoS, but targeting hardware resources to crash or slow down a server. --- #### 1.5.11 Spam - **Definition**: Unsolicited or junk email, often containing ads or malicious links. Indicators include cryptic links, missing subject lines, or unusual attachment requests. - **Defense**: Most email providers filter spam, but users should remain vigilant, particularly with emails urging urgent action or requesting personal information. --- #### 1.5.12 Phishing - **Phishing**: Attackers pose as legitimate entities via email or messaging to steal personal information. - **Example**: Fake emails claim users have won prizes, prompting them to enter personal information on a fake website. - **Spear Phishing**: Targeted phishing using personal information about the victim. - **Example**: Attackers send an email related to the victim’s interests or professional activities, with a link containing malware. --- #### 1.5.13 Vishing, Pharming, and Whaling - **Vishing (Voice Phishing)**: Attackers use phone calls to collect sensitive information, often spoofing numbers to appear legitimate. - **Pharming**: Misdirects users to fake websites that mimic legitimate sites, capturing credentials. - **Whaling**: A type of phishing targeting high-profile individuals, such as executives or celebrities, often with customized content. --- #### 1.5.15 Defending Against Email and Browser Attacks **Best Practices**: - **Spam Filtering**: ISPs and antivirus programs filter spam, but organizations should educate users on identifying suspicious emails. - **Attachment Scanning**: Even attachments from trusted contacts should be scanned for security. - **Anti-Phishing Memberships**: Organizations can join groups like the Anti-Phishing Working Group (APWG) to stay informed on phishing threats. - **Regular Software Updates**: Applying security patches reduces vulnerabilities and protects against attacks. --- #### 1.5.17 Additional Common Attacks - **Physical Attacks**: Intentional damage or unauthorized access to physical hardware. - **Examples**: Malware-loaded USB devices, modified charging cables, or skimming devices on card readers. - **Adversarial AI Attacks**: Attackers exploit machine learning systems by introducing tainted data, leading to incorrect predictions or actions, such as autonomous vehicles misreading street signs. - **Supply Chain Attacks**: Attackers intercept third-party software or components, introducing vulnerabilities that may be exploited once integrated into an organization’s system. - **Cloud-Based Attacks**: Cybercriminals target data, applications, or infrastructure in the cloud, exploiting sensitive information or vulnerabilities in cloud environments (e.g., SaaS, PaaS, IaaS). >[!Warning]Recap >XSS is a vulnerability often found in web applications, alongside code injection attacks like XML, SQL, DLL, and LDAP injection. Buffer overflow occurs when data exceeds a buffer’s limits. Remote code execution exploits application vulnerabilities to execute commands with user privileges. Other application threats include CSRF, race conditions, improper input handling, error handling, API misuse, replay attacks, directory traversal, and resource exhaustion. Spam is bulk, unsolicited email, sometimes from infected computers, and phishing involves fraudulent emails posing as legitimate contacts. Spear phishing targets specific individuals, while other types include vishing, pharming, and whaling. Additional threats include physical equipment attacks, adversarial AI attacks, supply chain compromises, and cloud-based vulnerabilities. > >To defend against these, employ solid code practices, validate all inputs, keep software updated, use antivirus software, avoid assuming email attachments are safe, and join groups like the Anti-Phishing Working Group. >[!Note]Flashcards >You can find Quizlet flashcards associated with this topic by clicking [here](https://quizlet.com/751714444/module-1d-1e-cybersecurity-threats-vulnerabilities-and-attacks-flash-cards/?funnelUUID=2e4d1495-3874-42cc-b8aa-4b59b1006a61).