Domain 2:

Understanding Vulnerabilities:

1: Vulnerabilities Impact:

Vulnerabilities in our infrastructure, systems and applications expose our

organizations to the risk of a security breach.

Before we explore vulnerabilities in detail, let's spend some time reviewing the goals
of cybersecurity and the types of risk that can occur in an organization.

When we think of the goals of information security, we often use a model known as
the CIA triad shown here. The CIA triad highlights the three most important
functions that information security performs in an enterprise.

- Confidentiality,
- Integrity,
- Availability.

Confidentiality ensures that only authorized individuals have access to information

and resources. This is what most people think of when they think about
cybersecurity. Keeping secrets away from prying eyes and confidentiality is in
fact how security professionals spend most of their time.

- Malicious individuals seeking to undermine confidentiality are said to engage

in disclosure, making sensitive information available to individuals or the
public without the owner's consent. When this type of data loss occurs, we
refer to the situation as a data breach.

We also use the term "data exfiltration" to describe the act of removing sensitive
data from an organization's systems and networks.

Security professionals are also responsible for protecting the integrity of an

organization's information. This means that there aren't any unauthorized changes to
that information. These unauthorized changes may come in the form of a hacker
seeking to intentionally alter information or a service disruption accidentally affecting
data stored in a system. In either case, it's the information security
professional's responsibility to prevent these lapses in integrity.

Availability, ensuring that authorized individuals can gain access to information when
they need it. If users can't access important business records or systems, that lack of
availability may have a profound impact on the business.

- Malicious individuals seeking to undermine availability, engage in attacks

known as denial-of-service attacks. These attacks try to either overwhelm a
 system or cause it to crash, therefore, denying legitimate users the access that
they need. The impacts of a security incident may be wide ranging depending
upon the nature of the incident and the type of organization affected.

We can categorize the potential impact of a security incident using the same
categories that businesses generally use to describe any type of risk.

Financial risk is, as the name implies, the risk of monetary damage to the
organization. This might include the cost of restoring damaged equipment and data,
conducting an incident response investigation, or notifying individuals that their data
was stolen and that they are now vulnerable to identity theft.

Reputational risk occurs when the negative publicity surrounding a security

breach causes the loss of goodwill among customers, employees, suppliers, and other
stakeholders.

- It's often difficult to quantify reputational damage as these stakeholders may

not come out and directly say that they will reduce or eliminate their volume of
business with the organization as the result of a security breach. But the reality
is that the breach may still have an impact on their future decisions about doing
business with your organization.

Strategic risk is the risk that an organization will become less effective in meeting its
major goals and objectives as the result of a breach. Suppose that you experience a
security incident where one employee loses a laptop that contained new product
development plans.

This incident may pose strategic risk to the organization in two different ways:

- First, if the organization doesn't have another copy of those plans, they may be
unable to bring the new product to market or may suffer significant product
development delays.

- Second, if competitors gain hold of those plans, they may be able to bring
competing products to market more quickly or even beat the organization to
market gaining first mover advantage.

Operational risk is the risk to the organization's ability to carry out its day-to-day
functions. Operational risks may slow down business processes, delay delivery of
customer orders, or require the implementation of time-consuming manual
workarounds to normally automated practices.

Compliance risk occurs when a security breach causes an organization to run afoul of
legal or regulatory requirements. For example, the Health Insurance Portability and
Accountability Act, HIPAA requires that healthcare providers and other covered
entities protect the confidentiality, integrity, and availability of protected health
information. If a hospital loses patient medical records, they run afoul of HIPAA
requirements and are subject to sanctions and fines from the US Department of Health
and Human Services.

- That's an example of a compliance risk. As you conduct vulnerability analysis,

you should keep all of these different types of risk in mind and use them to
assess the potential impact that an attacker exploiting a vulnerability
might have on your organization.

2: Supply Chain Vulnerabilities:

Every IT organization depends upon hardware, software, and services provided by

outside vendors. Whether that comes in the form of server operating systems, database
platforms, applications, managed services, or other technologies.

Administrators need to understand how security issues arising in the supply chain can
impact their organizations.

One of the most important vendor-related issues that security professionals need to
monitor is the end-of-life announcements made by vendors about products used within
the organization.

Every security professional knows that patch management is an incredibly important

security issue, and that staying current on patches protect systems against the many
new vulnerabilities that are discovered each year. When a vendor announces the end
of life of a product, they're announcing that they will eventually no longer provide
patches for that product, even when new vulnerabilities are discovered. That makes it
very difficult, if not impossible, to run that product in a secure manner. Now, there's a
lot of different terminology out there about the end of life of a product, and the exact
definitions of terms vary from vendor to vendor.

Let's talk about three common phrases used to describe how vendors end support for
products, but you should recognize that these terms may be used differently by
different vendors.

1. The first step in ending a product's lifecycle is often an announcement of the

product's end of sale. This simply means that the vendor will no longer offer the
product for sale but will continue to support existing customers.

2. Next, the end of support announcement provides a date that the vendor will
discontinue some level of support. This announcement may be the actual end of all
support for the product, or it may be the date that the vendor will stop correcting
non-security issues or providing minor enhancements.

- When you hear about an end of support announcement for a product

that you use, read it carefully to understand its impact on your
 organization. Operating legacy products runs the risk of introducing
uncatchable vulnerabilities into your environment.
3. Eventually, every product reaches the end-of-life stage where the vendor no
longer supports it at all and will not release any updates, even for critical security
issues. They also will no longer answer support questions other than helping
customers upgrade to a more current version of the product.

Organizations are left in a position where they're running unsupported systems and
applications and exposing themselves to significant risk. You should stay current on
the support status of all products used in your organization by monitoring vendor
announcements.

In addition to well-planned end of support processes, vendors sometimes simply fail

to provide adequate support for their products because they're understaffed or
not committed to a product. This informal lack of vendor support can be just as
dangerous as running an unsupported product, but more difficult to detect.

This risk is compounded if the vendor's system is integrated with other components of
your operating environment. Vendors may use embedded systems as components of
their products that are not visible to you as the end customer.
For example, a digital sign system may run on a version of the Linux operating
system that is completely hidden from end users. If a vulnerability arises in that Linux
version, the digital sign system may be open to attack. In these cases, customers of the
end product typically do not have access to upgrade the embedded systems but must
rely on vendors to provide the needed security updates.

Cloud Scenario: If you depend upon vendors to supply your organization with cloud
services, the risk profile changes. The vendor becomes responsible for managing
many risks on your behalf, and you must have confidence that the vendor is living up
to that responsibility. You also need to ensure that you're confident the vendor will
remain an ongoing viable business concern. If you use vendors for data
storage, consider the risks associated with the vendor being unable to provide you
with access to your data at some point in the future.

Solution: You may wish to mitigate this risk by keeping backups in a secondary
operating environment that's independent of your primary vendor. The use of vendors
is unavoidable in modern IT environments. Cybersecurity professionals must
monitor these vendor relationships to ensure that the relationships don't jeopardize the
security of their own environments.

As you analyze your supply chain for vulnerabilities, be sure that you look at the
many different types of suppliers and vendors in your environment.

- These include hardware providers, software providers, including suppliers of

both client-based and agentless software, and managed service providers.
3: Configuration Vulnerabilities:

Configuration vulnerabilities can also have serious impacts on enterprise security. A

few simple errors in a system configuration can result in very significant security
vulnerabilities that an attacker can exploit to gain access to sensitive information or
systems.

One common mistake that IT staff make is taking a system directly from a
manufacturer and installing it on their network without modifying the default
configuration. This is especially dangerous in the case of devices that contain
embedded computers but are not commonly managed as part of the enterprise IT
infrastructure. These include copiers, building controllers, research equipment, and
other devices that come directly from vendors. The default configurations on these
devices may contain misconfigured firewalls with open ports and services, open
permissions, guest accounts, default passwords, unsecured route accounts, or other
serious security issues. IT staff should always verify the security of devices before
connecting them to the network. System application and device configurations vary
widely and can often be very complicated. Systems that are misconfigured or
configured with weak security settings can be serious problems. Small errors can lead
to significant security flaws that may allow an attacker to gain complete control of the
device.

- IT professionals should always depend upon documented security standards

and configuration baselines to help them install systems in a secure manner.

Cryptographic protocols are another common source of misconfigurations. If an

administrator inadvertently configures weak cipher suites or weak protocol
implementations on a device, all the communications to and from that device may be
subject to eavesdropping and tampering. That error may be as simple as clicking the
wrong checkbox.

Administrators must also carefully manage encryption keys to ensure that they
don't fall into the wrong hands. If a private key becomes known to a third party, that
person can impersonate the keys legitimate owner, eavesdropping on
communications, engaging in false communications, and creating false digital
signatures.

Along those same lines, organizations must protect the issuance and use of digital
certificates, ensuring that they have strong certificate management processes in
place to prevent the issuance of false certificates and protect the secret keys
associated with digital certificates.

Patch management ensures that systems and applications receive all of the security
updates provided by manufacturers to correct known vulnerabilities.
 - Remember that you need to patch many different components of your operating
environment. Operating system patches often get the most attention, but don't
forget to patch applications and the firmware of devices used throughout your
environment. A single unpatched device can provide the open gateway that an
attacker needs to establish a foothold on your network.

Finally, account management is an incredibly important task for security

professionals. If an account is improperly configured with excess permissions, the
user owning that account may use those extra privileges to cause damage. This may be
intentional in the case of a malicious insider, or it may be accidental when a
user simply doesn't know what they're doing. Remember the principle of least
privilege. A user should only have the minimum necessary set of permissions required
to perform their job function. Security professionals must pay close attention to the
proper configuration of systems, devices, applications, and accounts, and follow the
principle of least privilege to protect their organizations against attack.

4: Architecture Vulnerabilities:

Architectural vulnerabilities arise when a complex system is improperly

designed. These may create fundamental flaws in a system that are very difficult to
remediate.

IT architecture is a set of well-defined practices and processes used to build complex

technical systems. IT architects’ function in a role like that of a traditional
architect. Instead of putting together complex buildings, IT architects are putting
together different technologies in a way that meets business requirements. Security is
one of the most important of those requirements.

The key to avoiding security weaknesses in architecture and systems designs is to

incorporate security requirements early, making them design criteria rather than after
the fact concerns.

- One recipe for disaster is designing the system first and then trying to bolt on
security after the fact.

When you're considering the security of a system, don't just look at the technical
architecture and design.

- You also need to think about the business processes and people surrounding the
design as well.

- For example, if a system carefully encrypts sensitive information, but a

business process has users printing it out and leaving it in an unsecured copy
room, that data is vulnerable to theft.
Untrained users and insecure business processes can have a significant impact on
security. In today's world, almost every organization has thousands of systems and
devices connected to their networks and the number grows every day. This results in a
phenomenon known as system sprawl, where devices are often connected to the
network regularly, but they are not managed using a full system lifecycle.

- This means that they get turned on when they're new and necessary, but they
often don't get disconnected from the network when they're no longer
useful. This can result in serious system security issues, especially when those
assets are undocumented because nobody is patching and maintaining
them from a security perspective, leaving them as open holes in the
organization's network security.

Finally, make sure that you are very careful about the use of legacy hardware and
firmware in your organization. Using unsupported systems in your environment can
expose you to uncorrectable security vulnerabilities.
Malware:
Definition: Malicious software that infects systems and performs harmful actions like
stealing information or disrupting normal usage.
Components:
Propagation Mechanism: Method of spreading between systems.
Payload: Malicious action performed, which can include data theft, encryption for ransom,
or monitoring keystrokes.
Types of Malwares:
Viruses: Spreads through user actions (e.g., opening email attachments, clicking malicious
links, or inserting infected USB drives).
- Does not spread unless facilitated by a user.
- Protection includes user education.
Worms: Spread autonomously, without user intervention.
- Exploit vulnerabilities to infect systems, then use them as a base to continue spreading
across networks.
- Defense includes keeping systems up to date with security patches.
Trojan Horses: Appear to be legitimate software but hide a malicious payload.
- Once installed, perform expected actions while causing harm in the background.
Remote Access Trojans (RATs): Special type providing hackers remote control over
infected systems.
- Application control limits system software to pre-approved titles/versions.

Malware Payloads:
Definition: Malware has a propagation mechanism (how it spreads) and a payload (malicious
content delivered to infected systems).
Types of Malware Payloads:
Spyware:
Function: Gathers information without user consent and sends it to the malware author.
- Purpose: Identity theft, financial account access, or espionage.
Techniques:
- Keystroke Loggers: Record keystrokes and may monitor specific websites for sensitive
credentials.
 - Web Browsing Monitoring: Observes browsing activity for targeted ads or user behavior
analysis.
- System File Searches: Searches hard drives/cloud storage for sensitive data like Social
Security numbers.
- Delivery Method: Often bundled with other software via click-through installers that trick
users or don't obtain explicit permission (bloatware).
Ransomware:
Function: Blocks legitimate use of computer/data until a ransom is paid, typically by
encrypting files. Examples:
WannaCry (2017): Exploited Windows vulnerability EternalBlue; encrypted valuable files
and demanded ransom for decryption keys.
- LockBit: An ongoing ransomware strain.
- CryptoLocker: Early ransomware that earned over $27 million via Bitcoin ransoms.
- Challenge: Deciding whether to pay the ransom, as a survey showed over 40% of
infected users pay.
- Impact: Users lose access to critical files (e.g., documents, CAD drawings) unless the
ransom is paid.
Crypto Malware:
Function: Takes over computing resources to mine cryptocurrencies, generating revenue for
the malware author.
Difference from Ransomware:
- Ransomware uses encryption to demand ransom.
- Crypto malware exploits computing resources for cryptocurrency mining.
Prevention Measures:
1. Anti-Malware Software: Install and keep updated.
2. Security Patches: Apply promptly.
3. End-User Education: Teach the risks and methods of malware infection.

Backdoors and Logic Bombs

Context: Unlike traditional malware (viruses, worms, Trojan horses, adware, spyware,
ransomware) that operate as independent programs, backdoors and logic bombs are malicious
code pieces embedded within other applications.
Backdoors:
Definition: A backdoor provides a means for a programmer or another party to gain future
access to a system, often included for benign purposes like simplifying development or
providing customer support.
Risks:
- May be used without the system owner's consent.
- Can be exploited if discovered by unauthorized parties.
Mechanisms:
- Hard-coded Accounts: Specific usernames and passwords always grant access.
- Default Passwords: Factory-set passwords that users might not change.
- Unknown Access Channels: Methods to access systems bypassing normal
authentication.

Logic Bombs:
Definition: Malware that executes a malicious action when certain conditions are met (e.g., a
specific date/time, file modifications, or API call results).
Examples:
Hypothetical: A programmer embeds a logic bomb in a payroll system to check if they are
still employed; if not, it triggers malicious actions.
Real-world:
- 2003: A logic bomb affected multiple government systems in South Korea.
- 1989: The "Friday the 13th" logic bomb activated on systems when the date matched
the criteria.
Risk Mitigation: Requires vigilance beyond standard anti-malware measures, including
changing default passwords, disabling unused accounts, and monitoring for security
vulnerabilities.
Security Practices:
Regular Updates: Ensuring systems and applications are up-to-date to avoid known
vulnerabilities.
Password Management: Routine changes and avoidance of default settings.
Monitoring: Keeping abreast of security news related to potential backdoors and logic bombs
in commonly used software.

Advanced Malware: Rootkits and Fileless Viruses

Advanced Malware Concepts:
Introduction: Malware authors are sophisticated developers who adapt to evade traditional
anti-malware measures.
Rootkits:
Definition: Originally designed for privilege escalation, rootkits are now also used to conceal
other software on a system.
- Access Goal: Targeting the root account, which provides unrestricted system access.
- Evolution: Expanded from simple privilege escalation tools to complex systems hiding
malicious software.
- Payloads: Can include backdoors, botnet agents, adware, or spyware.
- Design Intent: Not solely malicious; some are used as anti-theft for copyrighted content.
Operating Levels:
- User Mode Rootkits: Run with normal user privileges, easy to create but hard to
detect.
- Kernel Mode Rootkits: Operate with high system privileges, hard to create but easier
to detect.
- System Model: Reflects in the ring protection model where most programs operate
under user mode, and the operating system under kernel mode.

Fileless Viruses:
Definition: Avoid detection by not writing data to disk; they operate entirely within the
system's memory.
Infection Methods:
- Early Example: Microsoft Office macro viruses operating within Office scripting.
- Modern Techniques: Execute as JavaScript downloaded from websites, or utilize
persistent mechanisms like modifying the Windows registry to reload on system
reboot.
- Persistence: Achieved without traditional file creation, often through registry
modifications that trigger memory reloading after system restarts.

Understanding Botnets and Malicious Script Execution

Botnets: Collections of infected computers ("zombie computers") used for malicious

activities. They form a network of systems controlled by hackers.
Infection and Control:
- Hackers infect individual systems using various malware techniques.
- Once infected, systems are added to the botnet and remain dormant until activated.
Utilization:
- Botnets are commonly rented or sold for various purposes:
- Sending spam.
- Conducting distributed denial-of-service (DDoS) attacks.
- Mining cryptocurrency.
- Performing brute-force attacks.

Command and Control (C&C) Mechanisms:

- Communication Methods: Internet Relay Chat (IRC), Twitter accounts, and peer-to-
peer networks within the botnet.
- Challenges: C&C mechanisms must be redundant and hidden to avoid detection and
shutdown by security professionals.

Lifecycle:
1. Infection of multiple systems globally.
2. Systems become bots and may spread the infection further.
3. Bots connect to a C&C network to receive instructions.
4. Execution of commands such as spam distribution or DDoS attacks.

Security Measures: Security professionals need to understand botnet mechanics, monitor for
signs on their networks, and counteract potential threats.

Malicious Script Execution:

Scripts: Sequences of instructions for automating tasks. They can be beneficial but also used
maliciously.
Script Types:
- Shell Scripts: Run at command lines, often integrated with operating systems.
- Application Scripts: Integrated within software applications for programmatic
interaction.
- General Purpose Programming Languages: Allow execution of diverse tasks.

Script Usage in Security:

- Bash: Shell scripting for Linux and Mac systems.
- PowerShell: Automates routine tasks on Windows systems.
- Macros and VBA: Automate tasks within applications, especially within Microsoft
Office.
- Python: A versatile scripting language used widely in software development.

Security Concerns:
- Scripts can be exploited to create backdoors, modify file permissions, or execute
other malicious actions.
- Importance of controlling script execution on devices to prevent unauthorized
activities.

Preparation for Security Exams: Familiarity with scripting languages and their common
uses, understanding the potential for misuse, and recognizing secure scripting practices.