Professor Messer’s CompTIA SY0-601 Security+ Training Course

How to Pass Your SY0-601 CompTIA Security+ Exam

Are you planning to take your SY0-601 CompTIA Security+ exam? In this video, you’ll learn how to
prepare and which resources will give you the best chance for success.

Phishing – SY0-601 CompTIA Security+ : 1.1

One of the most prominent forms of social engineering is the phishing attack. In this video, you’ll learn
about the methods used for phishing, pharming, and whaling attacks and how to protect yourself
against phishing.

If I look into my spam folder right now, I bet I could find a number of emails that are pretending to be
from my internet service provider, my cable company, my bank, and many places that are not who they
say they are. This is called phishing. They’re trying to get me to click a link so they can gather some type
of personal information from me. This is generally a bit of social engineering combined with spoofing. So
the email is going to pretend to be from my email provider or my internet service provider, but when I
click the link, it’s going to bring up a page that looks almost exactly like the one that I would receive if I
was at my actual internet service provider’s website.

The one thing that the attacker can’t do though is make the address bar show the actual URL of your
internet service provider. It’s very often looking into your browser; you can see that this really did not
come from the Rackspace website because the URL will not show Rackspace.com at the top. And usually
there’s something that is not quite right with the screen that’s being presented.

In this example, it’s trying to get me to log in to my Rackspace email service, and you could see, it does
look like a legitimate login page. Although you’ll notice, they didn’t quite get the graphics right on the
page. There’s usually something about the page that isn’t quite right or doesn’t ring true. But you do
have to make sure and validate any link that you see in an email. That’s why we often say, never click a
link in an email. You should instead type in the website directly in the bar of the browser.

Here’s a comparison of the actual Rackspace Webmail login page and the one that I received on the left
side when I was phished to the Webmail login page. If you weren’t paying attention, you might think
that this is absolutely a legitimate page and you could type in your email address and your password,
and when you click that Login button, you’ve now sent your credentials directly to the phishing attacker.
The attackers try to use many different tricks to get us to click these links and input our personal
information into these pages and making the pages look very common and similar to what we would
expect is only one of the things that they do.

They also try to present to us a domain name in the address bar that looks very similar to what we are
expecting. For example, you might find a bad guy using typosquatting, which is a type of URL hijacking.
For example, professormessor.com almost looks like it’s legitimate, except my last name is spelled M-E-
S-S-E-R. This one is spelled M-E-S-S-O-R. But if the bad guy wanted to use that particular domain name
and then have a website that looked exactly like mine, they might be able to fool a few people into
typing in their email address and their password.
Another example of something they might do is to prepend to the address, which means they add onto
the beginning, and you could see pprofessormesser.com. It’s all spelled correctly except for the
additional text at the beginning. And if you aren’t looking closely, you might not even realize that text is
there.

Very commonly, these messages have some type of pretexting, which is a fancy way of saying that
they’re going to lie to you. They put some type of situation in place, and they try to see if they can get
you to act on it. For example, they may have a message that they’re calling with or an email that says, hi,
we’re calling from Visa regarding an automated payment to your utility service. And then they might
have click on something or offer to provide that particular payment over the phone.

Well, I definitely have an automated payment. I do pay my utility service automatically, and this might
get me relaxed enough to think that the person who’s calling me really is from Visa, and they really are
trying to take care of a financial problem. But of course, this is an attacker who’s trying to gather my
credit card information, and I would simply be handing over all of the details of that account to whoever
happened to be calling.

Of course, we often see these emails being sent to individuals, and the attackers are trying to gather this
information one person at a time until they have all of the information they need. But there are times
when the attacker might want to attack an entire group of people simultaneously. This is called
pharming, and it’s usually created when the attacker is able to take over an entire domain name system
server or be able to take over an entire website so that everybody who visited the DNS server or visited
the website will be automatically directed to the attacker’s website. This means that you could be typing
in the correct address in your browser, but because the DNS has been poisoned, now you’re at the
attacker’s website, and you would simply put in your user credentials, because to you, it looks like the
normal website.

So now there are two different kinds of attacks in place. The pharming is redirecting everybody who
visits that DNS server to the attacker’s website, and then the phishing takes place once they arrive there,
as they’re putting in their email address, username, password, and other personal information. In this
particular scenario, it’s very difficult for the end user to even realize they’re being phished. They’ve gone
to what they thought was a legitimate DNS, and they were able to go to a website that looks like the
legitimate website. So of course, they’re going to provide their normal credentials. And because
everything looks normal, it’s even difficult for third party products, like anti-malware or antivirus, to
even recognize that there’s any type of problem happening at all. These types of pharming situations are
thankfully relatively rare, but they do occur, and it’s something that you need to know how to mitigate if
you happen to find this situation on your network.

The attackers have moved to the telephone as a way to gather your personal information. Performing
this attack over a voice line is called vishing, for voice phishing. Very often, the attacker is spoofing the
phone number that’s appearing on the incoming call so it looks like it’s a local phone number. But in
reality, they could be calling from anywhere. The point of the phone call or the voicemail that they leave
ultimately leads to you giving up some type of personal information that they can use to gain access to
your accounts.

Of course, they may not even need to talk to you. They can do everything over SMS– that’s the Short
Message Service, or what we commonly refer to as text messages. This is also referred to as smishing or
 SMS phishing, where this phishing is all done over a text message communication. Often these text
messages have a link, and the attacker tries to entice you into clicking that link and providing them with
more information.

There are many, many different ways that attackers try to entice you to give up your information or your
money. Many of these scams can be found in a large list on Reddit. You can find it at
reddit.com/r/Scams.

With some of these attacks, the attacker isn’t after an email password. They’re instead trying to get
large sums of money transferred into their personal account. To be able to do that, they need to gather
as much information as possible on the victim. So they’ll perform a number of different steps of
reconnaissance prior to performing the actual phishing attack.

It’s remarkable how much open source information is available on the internet, and you can gather
information about individuals, groups of individuals, or large organizations by simply visiting third party
websites, Facebook, LinkedIn, and other locations. Based on the information they gather; they can
create a very believable pretext. They might be able to determine where you live, where you work, who
you work with, be able to use people’s names, be able to understand places that you shop, and put all of
that information into a very believable phishing attack.

These types of very directed phishing attacks are called spear phishing attacks. They’re going after a very
specific person or very specific group of people to be able to gather the information that they need. A
spear phishing attack that goes after a person who has control of a lot of money or a lot of information is
called whaling. It’s very common to go after the CEO or the head of the accounting department because
they have access to the entire corporate bank account.

All you need is one very well-crafted phishing attack to be able to convince somebody to log into a fake
user account that would then provide the attacker with all of the banking information for the
organization. These types of whaling attacks happen all too often. And if you’re in an organization that
has people who are in charge of these particular accounts, then you need to make sure that they are
very familiar with the type of phishing attacks that they might run into.

Impersonation – SY0-601 CompTIA Security+ : 1.1

A key technique for the social engineering attacker is their ability to pretend to be someone they aren’t.
In this video, you’ll learn how attackers use impersonation to gain access to information and commit
identity fraud.

All of the good attackers are very good at impersonation. This usually starts with a pretext which is
simply a lie that sets up the entire scenario for the particular attack. There is usually an actor.

This is usually the attacker who is trying to gain access or get information from you. And there is very
often a story. I went out to YouTube and transcribed a list of actual attacks that were used and the
pretext that were used during the attack itself.

Here is the first one. Hello, sir. My name is Wendy. And I’m from Microsoft Windows. This is an urgent
check-up call for your computer, as we have found several problems with it.
Obviously, they’re not calling from Microsoft Windows. And Wendy is not a representative of Microsoft.
This is someone who is trying to either gain access to your computer to convince you there is something
wrong with it and to pay them to fix it or to gain access to your computer so that it can then participate
in a botnet.

Here is another one. It’s a voicemail message that says, this is an enforcement action executed by the US
Treasury intending your serious attention. Not quite the best grammar, but it’s someone who is
pretending to be from the US Treasury, and ultimately, is trying to get even more money from you.

And lastly, congratulations on your excellent payment history. You now qualify for 0% interest rates on
all of your credit card accounts. Obviously, they want us to then fill out a financial application, which, of
course, will have our personal details that I’m handing right over to the attackers.

In each of these situations, the attacker was trying to pretend to be someone they were not. This was
not Wendy from Microsoft. This was not someone from the US Treasury. They were pretending to be
from those organizations.

This is called impersonation. And if you are someone who is an attacker, you need to be very good at
impersonating someone else. Very often, the attacker picks the person to impersonate based on some
reconnaissance that they’ve done of you or your organization.

They commonly know your name. They know the organization you work for. They know there is a help
desk. They might even know the city and state that the help desk happens to be in.

Very often, they impersonate as someone who is higher end rank than you happen to be. So they’re
calling from the executive offices. Or they’re the vice president in charge of a particular department, and
therefore, trying to get you to act quickly based on their particular role in the organization.

It wouldn’t be a good help desk impersonation if you didn’t throw around a lot of technical terms. And
it’s a way that the attacker can try to confuse the person who’s on the other end of the phone. And
lastly, maybe they just act very friendly, that of course they’re from this organization. And they might
even mention things that are occurring in the local area to make you feel comfortable with who you’re
talking to.

Once the attacker has the victim at ease, they can start extracting information very easily from that
person. This is called eliciting information from the end user. And it’s very often an easy way that the
attacker can get email addresses, passwords, or anything else that makes sense for that particular
attack. This is very commonly done with voice phishing or vishing, where somebody is performing this
attack over the phone instead of email or text messages. And of course, there are some very common,
well-documented, psychological methods that attackers use to be able to put people at ease and gather
this information from the end user.

Very often, these attackers are after your personal information. You may not realize how valuable your
personal details happen to be. Identity fraud is a massive problem around the world. And the attackers
know that they can use your personal details to be able to perform a lot of different kinds of attacks in
other places. For example, they can open up credit card information. Or they can use your credit card
information to be able to make purchases in their name.
 They might also be able to access your bank account and transfer money out of your account, because
now they have all of your personal details that, of course, your bank is going to ask as well to make them
prove that you whenever you call in to your bank line. You might often see this extended into things like
loan fraud where someone opens loans or leases in your name because they’ve effectively become you.
They know everything there is to know about being you because you provided that identity to them
using these types of attacks. You might also see your personal information used in government benefit
fraud or tax fraud where the attacker is able to get money sent to them by pretending that they are you.

To be able to avoid these situations, you want to be very protective of your personal information and
never volunteer anything to anyone who might be calling you. No one is ever going to ask you for a
password, because that information is not required to be able to perform technical support services.
You also don’t want to give someone personal details or more information about you that normally they
would not have.

And of, course it’s very useful if you can verify the person who is calling you. Let me hang up. I’ll check
the number. I’ll call you back directly. And we’ll make sure that you are the person who you say you are.
This verification of the people who might be calling for this information should be part of your normal
processes. Especially if you’re someone who is in charge of very important pieces of information, you
want to be sure that you’re communicating with someone who’s legitimate on the other end of the
phone.

Dumpster Diving – SY0-601 CompTIA Security+ : 1.1

An attacker can learn a lot from your trash. In this video, you’ll learn about dumpster diving and how
you can secure your garbage from prying eyes.

When you first became interested in IT security, were you ever thinking that you might spend your time
inside of a garbage bin, looking through pieces of personal information? This is the concept of Dumpster
diving. And it is a very valid way to gather important details from things that people have thrown out in
their trash.

We call this Dumpster diving because in the United States, this receptacle is a trademark name called a
Dumpster. This Dumpster is usually called other things in other countries. It’s a rubbish skip. It’s a
garbage disposal unit. But it is a place where people will throw away their garbage.

Think about all of the things that you might put into your garbage. There’s usually monthly statements,
information from business associates, friends, family. And all of this personal information can be used by
an attacker. All the attacker has to do is wait until you take out the trash. And they’ll simply pick it up
and take it with them.

One question that always comes up when we start talking about Dumpster diving is the legalities around
performing this particular kind of attack. If you’re in the United States, Dumpster diving is generally
something that is seen as legal unless there happen to be local laws or regulations that might prohibit it.

In many places, though, if it’s in the garbage, then it’s accessible to whoever happens to be around. This
is something that you’ve decided to throw away. So therefore, it’s something that anyone else would be
able to gain access to.
 In some places, you may find that there are no trespassing signs or restricted signs that would prevent
you from going into the area where this garbage happens to be. The rule is generally that you can’t
break the law to be able to gain access to the location that has the Dumpster.

Of course, there are nuances and gray areas of the law depending on where you happen to live. So if
you’re interested in performing this type of reconnaissance, make sure that you check with a legal
representative in your area.

To be able to prevent someone else from gaining access to your personal details, you want to make sure
that your particular garbage area is locked up and secured, especially if you’re in a large organization.
You might want to keep this behind a lock and key in a fenced area.

Another great way to prevent somebody from reading your documents is to cut your documents up into
very small pieces. There are shredders that can do this for you automatically. And in some very high-
security organizations, they will simply burn all of this information to make sure that you could not put it
all back together again.

So what’s in your garbage? You might want to look through the things that you’re throwing out and
make sure that you’re not handing over your personal information to an attacker that’s simply going
through all of your garbage cans.

Shoulder Surfing – SY0-601 CompTIA Security+ : 1.1

Someone looking over your shoulder can uncover all of your secrets. In this video, you’ll learn about
shoulder surfing and how you can prevent unwanted screen views.

The things that you have on your computer might be important spreadsheets, documents,
presentations, and things that you do in your day-to-day job. And you may not even realize just how
important that information might be for someone else to be able to gain access to. Well, one of the
ways that they are able to gather this details is by simply looking over your shoulder. This is called
shoulder surfing. And it’s a very common way for people to obtain password information and details
about documents that you might be viewing on your computer.

In previous jobs, I used to travel a lot in airports and on airplanes. And I would be able to find people
opening their laptop in the row in front of me and working on what was very obviously sensitive and
private information. And it was very easy to see what was going on because I was sitting directly behind
them and able to see everything that was on their computer screen.

In some areas, especially large cities, you could even do this from the next building over if you have
binoculars or a telescope. And you can see everything that happens to be on someone’s screen even
though you’re not in the same room or even the same building as that person.

If you are working on your computer, it’s important to understand who might be able to see the
information that’s on your screen. So be aware of your surroundings wherever you happen to be.
Another remarkable security tool is a privacy filter. This is something that completely blacks the screen
unless you’re the person who’s sitting directly in front of the computer.

I’ve been on flights with someone sitting immediately next to me. And they’re working on their
computer. But to me, it’s a completely black screen because they have a privacy filter that they are using
on their laptop. It’s obvious that someone in their IT department already thought ahead of the situations
where this person might have someone else nearby who would want to shoulder surf on their
computer.

If you’re in an office, it might be useful to keep your monitor turned away from a window or away from
a hallway. And of course, if you’re on a flight, make sure that you’re using all of these methods to be
able to prevent someone like me from being able to see the information that’s on your screen.

Hoaxes – SY0-601 CompTIA Security+ : 1.1

It’s the Internet, so you can’t believe everything you see or read. In this video, you’ll learn how to
identify hoaxes and I’ll share some hoaxes that I’ve found during my normal workday.

In the world of IT security, a hoax is a situation that seems like it could be real, but in reality, it’s not real
at all. This is something that can take many different forms, from an email, to a message on your screen,
to a voicemail that you might receive. And even though these situations aren’t real, they still use a lot of
your time, a lot of your energy, a lot of your resources. And you may even have to pull in other people in
your organization and use their resources as well.

One of the challenges with stopping a hoax is you’re never quite sure how it’s going to manifest itself. It
might be something on Facebook. It might be an email message that you receive. It might be something
that pops up in your browser.

Many of the current hoaxes tend to get money from you, but they tend to do it by making you purchase
gift cards and send the person on the other end of the hoax the code information from the gift card
itself. So they’re not tapping into your bank to take your money. They’re making you purchase the gift
card. And you’re handing the gift card to them.

We still sometimes even see hoaxes associated with viruses or with malware that aren’t actually viruses
or malware on your system. They’re just making themselves look as if you are infected with this
particular type of malware. Just so I could get a hoax that would be somewhat timely, minutes before
shooting this video, I went into my spam folder.

The fourth message down was this one. It’s from the Western Union Foundation. And it says,
congratulations. It gives me a reference number. And it says, you have been approved to receive the
sum of $850,000 US.

And that was in my spam folder. I almost missed it. It says, for more information to claim your grand
prize, please contact us. It gave a Gmail address. And it gave a WhatsApp number. And of course, if
you’re going to redeem $850,000 US, you’ll certainly do this over WhatsApp.

I did not send any messages to this WhatsApp number. I did not email this particular contact name. But I
can imagine they’d be trying to get some personal information out of me if I happened to respond to
this particular hoax.

I ran into another hoax. As I was putting together this training course, I was going to a website that I was
typing in. And the website was a .net website, but I typed in .com. And instead of going to the website, I
received this message inside of my browser which looks like a window on top of my browser, but it
actually was a graphic in the browser itself.
 And it looks like a really well-done software update page to update my Adobe Flash Player. And it even
says, you can download Flash and click the Update button here. And while I was on this screen, it even
popped open a new window on top of that and began an animation that showed it downloading this
particular update to my computer. I would imagine if I clicked the Update button, that it would have
installed some malware. And my machine would have been infected all because I saw this hoax appear
inside of my browser window.

If you’re receiving these unsolicited messages on the internet, then it’s probably a good idea to be a
little suspicious of what you’re reading. And you might want to double check before following through
with some of these messages. A good place to cross-reference some of these are some very popular
websites such as hoaxslayer.net and snopes.com.

You might also want to make sure that your spam filter is operating. For example, the one that was an
obvious hoax to me ended up going directly to my spam. I didn’t even see it. I was not affected by it. And
it would have been deleted automatically in 30 days.

Ultimately, if the thing that you’re reading sounds just too good to be true, then it probably is. You want
to be sure that you don’t fall victim to any of these hoaxes, regardless of how the attackers try to get
them in front of you.

Watering Hole Attacks – SY0-601 CompTIA Security+ : 1.1

A cybersecurity professional has to be prepared at home and away. In this video, you’ll learn about
watering hole attacks and how an attacker can use a third-party to gain access to your network.

An organization that is very secure creates a problem for attackers. They’re trying to infect the systems
that are inside of your network, but you’ve made sure that users are not going to pick up a USB key.
They’re not going to click on links inside of an email or give someone that is outside the organization
more access than they should have.

Because of this high level of security, the attackers have changed their strategy. Instead of going directly
to you, they’re going to go to a third party. And hopefully you’ll visit the third party and become
infected.

This third party is the watering hole. It’s the central place where they’re hoping users inside of your
organization are going to come and take a drink. Once they in fact the watering hole, your users visit
that website, become infected themselves. And now the attackers have a way into your network.

This usually takes a bit of research on the part of the attackers. They need to find out where your users
are visiting. Sometimes this might be an educated guess by the attackers.

They might try to infect a local sandwich shop. And then when you go to place an order, you become
infected. There might be another more industrial site that your organization often visits. And that
industrial site would be a perfect place to have a watering hole attack.

The attackers then focus their efforts on trying to find a vulnerability on this third-party site. The
attacker is trying to direct their attack towards a particular group or organization, but often they have to
put malware on a site that will affect everyone who visits that site. And what they’re hoping is that you
will be part of that larger group that visits and becomes infected by visiting the site.
 A good example of a watering hole attack occurred in January of 2017 on multiple websites. The
attackers infected the third-party sites that belong to the Polish Financial Supervision Authority, the
National Banking and Stock Commission of Mexico, and the state-owned bank in Uruguay. You’ll notice
that all of these sites had a similar financial focus.

And if we look into the payload that was sent from these watering hole attacks, it was downloading
malicious JavaScript files, but only to people who were visiting the site from very specific IP addresses.
And if we looked at the IP addresses that were in this list, it matched banks and other financial
institutions. So this watering hole attack was on very large sites visited by many people, but it was only
going to infect very particular visitors to that site. In this particular case, the watering hole attack was
discovered, but we still don’t know exactly the extent of who may have been infected prior to the
discovery of the attack.

There are ways to help prevent a watering hole attack. One of the things you can do is to make sure that
all of your systems are very well secured. And it’s not just using one particular type of security defense.
You need a layered defense, or something we call defense in depth. You might also want to consider
having a next-generation firewall or intrusion prevention system that is able to look for these types of
attacks or this type of malicious software and stop it before it gets onto your systems.

A good example of this layering of defense can be found with this Polish Financial Supervision Authority
attack. Users who visited this infected watering hole and were running Symantec’s antivirus software
found that it alerted on a generic JavaScript attack signature. If you are running this Symantec antivirus
and you visited the poisoned watering hole, then your system would block that JavaScript from running
on your system. And you would not be infected. It’s always important to be aware of these types of
attacks, whether they’re on the inside of your network or on a third-party site.

Spam – SY0-601 CompTIA Security+ : 1.1

If you have an email address, then you probably know about spam. In this video, you’ll see some
examples of spam from my junk mail folder and you’ll learn techniques for identifying and rejecting
incoming spam messages.

Most of us are pretty familiar with spam. It seems to clog up our inboxes on our email, but that’s not the
only place you might receive an unsolicited message that we would refer to as “spam.” You could be
reading online forums, for example, and see unsolicited messages that are posted there as well. If you
receive spam over instant messaging or over text messaging, then that is referred to as SPIM, or Spam
Over Instant Messaging.

The content within a spam message can take many different forms. Often it is a commercial message
where somebody is trying to sell you a product and they’re sending you this unsolicited message as,
effectively, an advertisement. You might also receive spam as a non-commercial message. This might be
an organization or an individual that’s trying to promote a particular world view. And of course, there is
spam that is malicious, that is trying to phish you for information and gather personal information from
you by using these spam messages.

Regardless of the content of these spam messages, the problem for the system administrator is many
and varied. We have security concerns, obviously, for a lot of this content. There is resource utilization,
 because all of these messages have to be stored somewhere. And they’re using network bandwidth to
be able to send these messages into your users.

You have to store all of this information somewhere. There are costs associated with that. And of
course, usually there is a spam management system to try to filter out this information before it arrives
in your user’s inbox. And of course, those systems cost money as well.

Let’s look at some spam messages that come directly from my personal spam folder. This first one says
“ATM CARD DELIVERY.” It says that there is a fund of $7.5 million that I can receive. And this is a
phishing spam, because they’re asking me for my full names, my address, and my telephone number.
And I guess they take it from there.

Another spam message in my spam folder is unsolicited advertising from a third-party company that’s
trying to sell me a heated vest that ships with the battery included. Well, being in Florida, I don’t have to
worry too much about needing a heated vest during the fall and the winter. And this spam-filtered
message can stay in my spam folder.

There are many different strategies for blocking spam and preventing it from getting into our mailboxes.
One strategy is to have your own spam filter that is either filtering in the cloud or perhaps filtering on
site on your own screened subnet. There will be a mail gateway.

Your mail comes in from the internet. It is filtered in that mail gateway. And anything identified as spam
can be thrown out before it is transferred into your internal mail server.

The email gateway or spam filter is looking at these messages for particular characteristics. One of these
might be an allowed list so that only email from trusted senders is allowed in. This requires quite a bit of
maintenance to make sure that your trusted senders list is always up to date, but it would certainly
prevent anyone else from sending messages to your users.

The people who are sending the spam message to you don’t always comply with the standards
associated with email transfer. So one of the things that your spam filter can do is identify when these
messages are not compliant with the RFCs. And they’ll throw out any messages that seem to go outside
the scope of the standards.

Another great test is to perform a reverse DNS. You’ll receive a message, perhaps from me, that says,
ProfessorMesser.com. Your spam filter will then perform a reverse DNS, look at the IP address
associated with ProfessorMesser.com, and make sure that the email they received is one that came
from this known IP address. If it came from a different IP address, your spam filter can mark that as
something that is suspicious and prevent that from going to your users.

Another technique that frustrates these spam senders is one called tar pitting. They want to be able to
send this spam to as many people as possible as quickly as possible. And what tar pitting does is slow
down your mail server and make the process of sending and receiving the messages back and forth take
an excessive amount of time. The slowing down of the conversation also slows down the spammer’s
email server. So they may choose to simply skip over you and go on to another user that doesn’t slow
down the conversation.
 And lastly, there is recipient filtering. Very often, the spammers will send messages into any particular
name they can find, even if that name doesn’t actually exist in your organization. And many
organizations will have a catch all where all of those messages are kept.

Another strategy is to, instead of accepting those messages, is to have them automatically reject it. And
that way the spammers will not be able to send any messages inbound unless they have a correct email
address as the recipient.

There is never any single strategy for stopping spam. You have to use many different techniques and
strategies to make sure that you can stop this before it arrives in your users’ inboxes.

Influence Campaigns – SY0-601 CompTIA Security+ : 1.1

Is what you’re seeing online real, or a work of fiction? In this video, you’ll learn about influence
campaigns and how fake users can be used to manipulate the thoughts and minds of large groups.

The advent of social media has dramatically changed the way the public opinion can be swayed. This
might be a completely legitimate person who’s trying to present a particular political perspective or a
social issue, but this might also be someone trying to manipulate how people are thinking in a particular
area. This is very commonly an attacker from a nation-state that is trying to change the way that people
are voting and the way that people are thinking in a particular country.

Sometimes, these bad actors will spend a lot of money on advertising as a way to change the opinion of
people who may be reading things online. Some of the most powerful influence campaigns use more
than just a single person posting on social media. They use an entire system to amplify that message and
get it into the eyes and the ears of many people.

This process usually starts by the bad actor creating a number of fake accounts. These are users that
don’t really exist, but online, they appear to be real people. These fake users now start creating content,
and they start posting this content on many different sites. So you could be on LinkedIn, Twitter,
Facebook, and many other places online and start to see the content that is being created by these
individual users.

By putting this message in many different places online, it amplifies the effect and the scope of who’s
able to read these messages. And once real people start to see this content, they start sharing it to other
people that they know. And then mass media will pick up this story because they notice that many
people are talking about this, and mass media wants to be read, as well. So they want to talk about the
things that you’re talking about. All of these now work together to start from what was a completely
fake user suddenly having a message appear on the standard media that we tend to trust day-to-day.

These influence campaigns can also have a military reason for existing. You might have one country that
is trying to change the way that people are thinking in another country. And if people change the way
they’re thinking, then they’ll ask their elected officials to vote on particular policies in a particular way.
This is not a new process. Militaries all over the world have tried to make this happen in different
countries. But the internet changes the way that they’re able to get that message out.

We often refer to this type of warfare as cyber warfare. It’s not happening on a military battlefield, but
instead is happening on the internet. Militaries that use these techniques are able to influence elections,
 they’re able to change the type of news that we receive, and it changes how these particular countries
are able to interact with other countries around the world.

Other Social Engineering Attacks – SY0-601 CompTIA Security+ : 1.1

Social engineering attacks can come from anywhere at any time. In this video, you’ll learn about
tailgating, invoice scams, and credential harvesting.

If you work in an office where you badge in to unlock a door to gain access to the inside, then you’ve
probably been told to prevent someone from tailgating. Tailgating is when an unauthorized individual
might follow you in through that open door without badging in themselves. This is very often not an
accident. They are intentionally trying to gain access to the inside, and they are doing it by using your
credentials.

There can be a significant social engineering aspect to tailgating. In Johnny Long’s book, No Tech
Hacking, he uses the clothing that would be from a third party vendor to gain access into a facility.
You’re blending in. You seem to have a legitimate reason for being inside, and someone might hold the
door open to allow someone in to fix the telephone system, for example.

Sometimes those individuals will sit in the smoking section, pretending that they are on break, and then
they’ll simply follow another smoker back into the building, saying that it’s time to get back to work. And
they’ll simply allow them back in, because they think that they originally started from inside of the
building. And I’ve seen a number of people gain access to a building by having their hands full of food or
treats, and making sure that someone can keep that door open so that you’re allowed in with all of this
food.

Tailgating is an important thing to prevent, because usually that door is the last security piece before
gaining access into a sensitive area. And you don’t want to be in a situation where you’re now allowing
people through that last line of defense, and now they would have access to the entire inside of the
building.

Most organizations will have a policy for visitors. You’re given a visitor badge. It’s very clear that you’re
allowed into the building or that you’re allowed in as long as you have someone with you who is a
member of that organization. You often see signs next to the locked door that says, no tailgating, or one
scan, one person, to remind people not to allow others to walk through behind them.

Some organizations will have an access control vestibule or some other type of process that would only
allow one person through at a time. You have to badge in. You’re allowed through, and the next person
has to badge in before they’re able to gain access through that locked door.

I’ve also been inside of many organizations as a visitor, and I left my visitor badge on a desk while I got
coffee and I’ve had people in the organization stopped me at the coffee machine and ask me who I was.
They’ve been trained very well to make sure that they know everybody who’s on the inside And what
they happen to be doing inside of their business.

Another common social engineering attack is an invoice scam. This is when the attacker has done the
work to figure out who pays the invoices in your organization, and they send an invoice directly to that
person with a bill that needs to be paid.
 This is obviously a fake invoice. This attacker has not provided any products or services, but they are
providing you with a bill that looks very much like something you should be paying. Often, the invoice is
for products that you are using in your organization, and often the email with the invoice is one that is a
spoofed address that looks like it’s from somebody of authority within the organization asking you to
pay this invoice.

With all of that information that looks legitimate, it’s common for an accounting department to then pay
that particular invoice without performing the normal checks to make sure that it’s legitimate. There
might even be a link on the invoice to pay online, in which case, the attacker now not only has payment,
but they also have information about your credit card or your bank account.

A social engineering attack that’s a little more unusual but still quite effective is the credential harvesting
attack. Credential harvesting is when the attackers are trying to gain access to your usernames and
passwords that might be stored on your local computer. We often have these credentials that are stored
in our browser or on our operating system, and obviously the attackers would love to have a copy of all
of your usernames and all of your passwords.

The different applications will store these credentials in different ways. So Chrome will store the
credentials in one way, and your Outlook or email client will store them in a different way. The attackers
are trying to find every place where these credentials are stored and be able to extract them so that
they can use them for themselves.

To be able to extract these credentials, a script needs to run on your local computer. So the bad guys
will often send an email that has an attachment that’s a Microsoft Word document. You open up the
Microsoft Word document, and a macro will run automatically that will then go into the operating
system, extract the credentials, and then email or send them off to the attacker.

This type of attack can also occur without the end user even realizing these credentials have been
stolen. That’s why it’s important to have antivirus and anti-malware software that can constantly watch
for these types of attacks to occur and stop them before your credentials are harvested.

Principles of Social Engineering – SY0-601 CompTIA Security+ : 1.1

Social engineering attackers know how to convince their victims to get information. In this video, you’ll
learn the principles of social engineering and how to watch for these methods of manipulation.

Social engineering is a constantly changing attack, and that’s because the world around us is constantly
changing. The attackers are constantly changing their strategies. You never know exactly what direction
they’re going to come from next.

These days, we see these attacks occurring from more than one person or organization. They’ll use
multiple people to ultimately perform the social engineering attack. We’re also seeing social engineering
attacks that are more automated and using a lot more open source intelligence.

They’re able to find out more information about you, or the organization you work for. They might call
in as an aggressive customer. Or they might find out the name of someone you know, and send you an
email with a funeral notification, even though this person you know hasn’t passed away. But they know
 that they can take advantage of your emotion and have you click on the things that are inside of that
email as this social engineering attack.

Social engineering attackers use many different principles one of the principles. They use is authority.
They’ll call in and say that they are calling from the CEO’s office, or they’re calling from the help desk, so
they have a bit of authority when they are talking to you.

Another technique they use is intimidation. They want you to perform a function. They want you to give
them information, and they are going to intimidate you to be able to do that. They might say that the
payroll checks won’t go out because you’re holding up the process. You have to provide them with this
information so that everybody in the organization will be properly paid.

They can also take advantage of social proof, or consensus in the organization. They may say that
someone in your department, like Jill, did this for them last week, so it would be OK if you did it for them
this week.

There might also be an element of scarcity, which means there is a clock ticking and we have to get this
done in a certain amount of time. This goes hand in hand with the characteristic of urgency, where they
want to make it seem like this is something that needs to happen very quickly, whether this is something
that will go away, in the case of scarcity, or just something that needs to be done immediately with
urgency. Both of these try to make us react without thinking about what we’re doing.

There might also be a method of familiarity, or liking. They want to be able to be your buddy. And they’ll
talk about people that both of you might happen to know. If this attacker has gone through your
Facebook friends list, they may be able to name drop and say that you both know the same people, so
it’s OK to provide this information or to perform this function.

And another important principle of social engineering is trust. The attacker want you to gain some level
of trust with them, so they’ll say that they’re from your IT department, they’re helping everyone with
this particular problem, and all you have to do is click these things on the screen and everything will be
taking care of.

A good example of these social engineering techniques being used is the case of Naoki Hiroshima. This is
the case where a one letter Twitter username was stolen by using social engineering techniques. You
can read about this in the story by visiting ProfessorMesser.link/twittername. In this attack, the attacker
called PayPal and used social engineering to obtain the last four digits of the Naoki’s credit card number.
They then called the hosting provider, GoDaddy, with this information of the last four digits and used
that to help prove to the person on the phone that they were the proper owner of these accounts.

The attacker was so good at social engineering that even though they didn’t have the entire credit card
number, they only had the last four digits, they were able to work with the GoDaddy representative to
guess at the first two digits of the card until they were able to get that right. At that point, the account
was turned over to the attacker, and the attacker had full control of their internet service provider
accounts.

Now the attacker is in control of these domain names, but the attacker ultimately wanted that one letter
Twitter username . So they extorted and said, we’ll give you all of these domain names back if you turn
 over the access to that one letter Twitter username, and ultimately, Naoki agreed that that’s what
should happen.

After the domain names were back in control, a case was opened with Twitter. They looked over the
situation for about a month, and then decided that the username should be back in control of its original
owner.

There were many different techniques used by the attacker to be able to gain access to this particular
account. It wasn’t just one single thing. And so we always have to keep in mind that the attackers are
going to use many of these techniques to be able to get what they want by using this social engineering
attack.

An Overview of Malware – SY0-601 CompTIA Security+ : 1.2

Malware comes in many types and forms. In this video, you’ll learn about malware types, methods, and
the process that malware uses to infect your system.

Malware is malicious software. It’s software that is going to do something that will probably have a
negative impact on you. Very often, malware will be set up together information from your machine. It
will collect keystrokes. It’ll collect information that’s on your screen. And it will send that information off
to the attacker.

There is also malware that would cause your computer to be controlled by a third party. This is software
that would turn your computer into a bot. And it would participate with a much larger group of
computers called a botnet. There would then be a third party, the attacker, who would be able to
control all of those systems and have those computers participate in a denial of service attack, visit
different websites, or do whatever they would like your computer to do, because they’ve installed that
malware on your system.

There is also malware that might show advertisements on your computer. And on every advertisement,
some money goes back to the malware owner. If they can distribute this to a million different
computers, then they can make quite a lot of money by simply adding malware to your system for
advertising. And some of the worst malware these days is malware that might encrypt all of your private
files on your computer and require you to pay to get the decryption key from the attacker.

In the next series of videos, we’ll look at many different types of malware. We’ll look at viruses and how
they might differ from crypto-malware. We’ll also see how ransomware and crypto-malware are closely
related.

We’ll investigate how worms can be used to transfer their malware from system to system without any
type of human intervention. We’ll also talk about Trojan horses can fool you into installing malware on
your own systems. You’ll also learn about rootkits, key loggers, adware and spyware, and botnets.

Malware can find itself onto our systems in many different ways. And once the malware begins the
process of installing itself, it can use other types of malware to install other types of software on your
computer. For example, your computer might be susceptible to a vulnerability that a worm might take
advantage of. And the worm would then install some initial malware onto your computer. That malware
might have a remote access back door that is then going to pull other software down to your computer
and install additional software and malware on top of that.

There might even be a botnet included with that malware. So now once this worm has installed the
malware, a botnet has been installed. And your computer now participates with all of the other
computers that are in that botnet. That is just one of many different ways that malware can install itself
and disrupt the normal operation of your computer.

There are many different ways that you can prevent the installation of malware. One is to never click a
link inside of an email message. The malware authors will send you an email that looks legitimate and
looks like it’s something you should be clicking, but instead, it’s going to download and install malware
all because you click the link that’s in that email.

Malware authors will also use websites to embed their links and have pop-up messages to entice you to
click those links and download the software so that they can then run that malware on your local
computer. They might also use these web pages to automatically download software to your computer
and then encourage you to run that software using a technique called a drive-by download. And if the
operating system happens to have a vulnerability that might be exploited by a worm, this would be a
common way to have malware installed onto your system. That’s why it’s so important to always
maintain the latest security updates on your computer.

Vulnerabilities can also be found within the applications that run in your operating system. So make sure
that you update not only the OS, but all of the applications running on that operating system as well.

Viruses and Worms – SY0-601 CompTIA Security+ : 1.2

A computer virus can cause significant problems on a system. In this video, you’ll learn about viruses,
fileless viruses, and how worms can be used to infect other systems without any human intervention.

A virus is malware that can reproduce itself, but one of the unique characteristics of a virus is that it
needs you– the end user– to click on or launch that application to start the virus replication process. This
is something that differentiates a virus from a worm. The virus needs a human being to start the
process, whereas a worm can jump from machine to machine without any human intervention
whatsoever. Once the end user has launched the executable that starts the virus, it can use the existing
file system or the network to replicate itself.

What happens next depends on the virus itself. Some viruses are very malicious– can delete files, can
encrypt your data, and can cause some serious problems on your computer– whereas other viruses may
be relatively benign. They may simply put advertising on your screen, or they may be simply gathering
information from your computer, and you may have no idea the virus is even installed. This is one of the
main reasons we keep antivirus software running on our computers. It’s able to recognize when a virus
is starting, and then it can stop the virus before it begins to execute.

It’s always important to keep our signatures updated so our antivirus software can recognize and stop
these viruses from executing. We tend to put viruses into different categories. One of the most common
virus types is a program virus, whereas the virus is part of an application that is running, and you clicking
on that application– or launching that application– is what causes the virus to execute on your system.
 A relatively rare virus these days is a boot sector virus. This is a virus that exists in the boot sector of
your storage device, and when you start your computer, the virus itself is launched. All you have to do is
start the operating system, and the virus is started, along with the boot sector. Some viruses operate as
scripts on your system. They may operate as a script in the operating system, or they might be a script
that runs inside of your browser.

Another type of virus that’s very similar to a script virus is a macro virus. A macro virus is usually running
inside of another application. These are commonly associated with Microsoft Office apps. A newer style
of virus is a fileless virus. It is a virus that never installs itself or saves itself as a file on your file system.
This is a method that the virus uses to try to avoid some of the techniques that the antivirus software
uses, especially if the antivirus software is looking at what you save to a storage drive.

If the virus is never saving itself to the storage drive, then it may be able to evade the antivirus software.
Instead of existing as a file that might execute, the fileless virus operates solely in the memory of the
computer. Once it’s started, all of the operations happen inside of RAM, and nothing is ever written to
the storage drive on your system. A common way to execute a fileless virus is to click a link on a website
or click a link that’s inside of an email. This will then download software that will run as a Flash file, a
Java file, or perhaps it takes advantage of a Windows vulnerability to begin executing.

These vulnerabilities in Flash, or Java, or Windows might allow a script to be run in PowerShell, for
example. PowerShell would then download the virus from a third-party website and then execute that
virus in the memory of your local computer. Once this virus is executing in the memory of your system,
it can encrypt files, it can delete information, it can exfiltrate data, and do anything else that you as an
end user may have access to run on that computer. And, since the virus writers would like to have this
fileless virus execute again later, they might even change your registry so that this entire process can
start itself all over again every time you boot your computer.

As we mentioned earlier, a traditional virus requires an end user to click on an executable and start the
process, but a type of virus that doesn’t need any type of user intervention is a worm. A worm takes
advantage of a vulnerability in operating systems or applications to be able to move itself from system
to system without requiring any type of user intervention. Worms take advantage of the connectivity we
have on our local networks and our internet-connected systems to be able to move very quickly and
very easily from computer to computer.

These worms are so good at propagating themselves that it’s not unusual for hundreds of thousands or
even millions of systems to be infected in a very short period of time. Once the worm has been
identified, and a signature has been created, we can usually stop the propagation of the worm at the
firewall or the IPS. This obviously requires that we know the worm exists and that we can create a
signature for it, and it also requires that you’re able to put a firewall or an IPS in place between two
systems so that you can block that flow of communication.

A major worm infestation occurred on Friday, May the 12th of 2017. This is the WannaCry worm. This
worm not only propagated itself automatically– because it was a worm– but it also was very destructive
because it installed crypto malware and began encrypting people’s personal files. This started with a
system that was already infected, and it began looking for other vulnerable systems. This worm took
advantage of a vulnerability in Microsoft Server Message Block version 1– or SMB v1– and it used an
exploit called EternalBlue to be able to find other systems that are on the network and then infect those
systems.

Once another vulnerable system was identified by the EternalBlue worm, then it installed a backdoor
application called DoublePulsar. DoublePulsar then downloaded the WannaCry ransomware and began
encrypting the files on the person’s computer. This process then automatically began again. The worm
was able to propagate itself from computer to computer without needing any type of human
intervention.

Ransomware and Crypto-malware – SY0-601 CompTIA Security+ : 1.2

How valuable is your data? In this video, you’ll learn how attackers use ransomware to force users into
exchanging money for their important files.

Very often, the most valuable thing we own is our data. This may be documents that we keep stored on
our computer or family videos or photos that can’t be replaced.

The data owned by a company is even more valuable. This might include planning documents of the
company, employee PII, or Personally Identifiable Information, financial information, or proprietary and
private data that only the company would have. With all of this valuable data on our systems, what if all
of it suddenly disappeared?

How much would you pay to get all of that data back? There is a number. And the attackers know that
you will be willing to give them money if they could restore access to your files.

This method of taking away your data and requiring you to pay to get that data back is called
ransomware. This is a very popular way that the attackers are starting to make a lot of money by
embedding malware on your system and requiring you to send them Bitcoin or some other kind of
payment. Early forms of ransomware weren’t even real. They were hoaxes.

This is an example of a ransomware hoax that says that inappropriate information was found on your
computer by the Department of Justice of the Federal Bureau of Investigation. And to unlock your
system, you have to pay a fine of $200. The reality is that no inappropriate information was found on
this computer.

This message is not from the Department of Justice, but it is malware that has locked the computer. And
in some cases, a security professional may be able to remove this malware. And you would gain access
to the system again.

The attackers realized very quickly that having a hoax as part of the ransomware wasn’t good enough.
They really needed a way to lock your personal files and your private information, so they created a new
form of ransomware called crypto-malware. Crypto-malware uses cryptography to be able to encrypt all
of your personal information and make it so that none of that information can be decrypted unless you
have the proper key. The way that you obtain that key is that you send the attackers money or Bitcoin.
And they will send you the key that will then decrypt all of your personal information.

This is the infection screen shown with WannaCry, which tells you that your files have been encrypted. It
explains what happened to your computer, how you can recover your files, and most importantly for the
attacker, how you pay to get the key to decrypt all of your personal information.
There are some relatively simple ways to protect yourself against ransomware. One of the most obvious
ones is to always have a good backup. And this needs to be backup that is not an online backup or an
immediately accessible backup from your computer.

That’s because ransomware looks at all of the things connected to your computer. And if they find a
backup, they will also encrypt the backup that you’ve created. This is also why we tell people to always
maintain the security patches on your system so that all of those known vulnerabilities are not available
to this ransomware.

The same thing applies to the applications that you run on your computer, to make sure there is no
vulnerabilities with those. And you want to be sure that your antivirus and anti-malware software are
always running the latest signatures. If your system is up to date and you have a known good backup,
even if the malware was able to get onto your system and ransomware was to be installed, you would
still be able to recover everything from your backup. And you’d be back up and running without having
to send any money to the attacker.

Trojan and RATs – SY0-601 CompTIA Security+ : 1.2

Malware can often find its way onto your system through misdirection. In this video, you’ll learn about
Trojan horses, potentially unwanted programs (PUPs), backdoors, RATs, and more.

In history, a Trojan horse was a large wooden horse that was used by the Greeks to capture Troy from
the Trojans. In our computers, there is a digital version of this Trojan horse used by attackers to be able
to sneak their software onto your system. This Trojan horse software is software that pretends to be
something else and it looks like software that is perfectly normal.

You may think you’re installing a spreadsheet, an imaging editing program, or a game. But in reality,
you’re installing malware that’s only pretending to be that software. Trojan horse software is not only
designed to look innocuous to you, it’s also designed to look non-threatening to your antivirus software.
And very commonly, Trojan horse software can get onto your system, disable all your security tools, and
then have free reign of your computer.

Now that the Trojan horse is running, it can configure back doors or download additional malware to
install on your system. One type of software that’s commonly downloaded by this Trojan horse software
is a PUP. This is a potentially unwanted program. This may not be malicious software, but it could be
undesirable and may cause performance problems on your computer.

For example, it might install a browser toolbar that becomes very difficult to uninstall or remove from
your browser. Or it may be a backup utility that constantly shows advertising even when it’s not backing
up. Or it might be software that hijacks your browser, and every time you try to search something in
Google, it redirects you to a different search engine.

Here’s a list of potentially unwanted programs that I found on one of my very infected Windows
systems. And it’s a mixture of software that’s designed for backups, looks like there is a download
process and a toolbar that’s installed. And these potentially unwanted programs with names like
Conduit, MyPC Backup, Spigot, and Mobo Genie were very easily found by my anti-malware software.
 We mentioned earlier that when malware finds itself a way to run on your computer, one of the things
that it tends to do is to open up a back door on your system. That’s because it’s very, very difficult to
find vulnerabilities and to get users to click on these links. And once malware is running, it wants to find
a way to easily reconnect to your system later on without having to go through that very difficult
process again.

To be able to do that, it starts up some new software on your computer that opens a back door. This
would be very similar to the back door of your house. The malware simply creates a new way to get into
your system without having to go through the front door. What’s interesting about some of these back
doors is that the same backdoor process can be used by multiple types of malware. So once one type of
malware gets onto your system, other types of malware are able to get into and infect your computer
through that same back door that was created originally.

You might even find that software or hardware that you thought was secure may also include a
backdoor into its code. For example, very old versions of Linux had a back door that was built into the
kernel. And you might also find that applications and other equipment that’s connected to your network
might inadvertently include back doors as part of the software that’s running on those systems.

A type of software that attackers might install as part of the back door is a Remote Access Trojan, or a
RAT. You might also hear this referred to as a Remote Administration Tool. This is a remote access tool
that gives a third party access to your computer to have nearly complete control over the operating
system. The malware that gets installed onto a computer might install this Remote Access Trojan. And
from that point on, the third party is able to access your computer remotely and control many aspects of
what the operating system is doing.

It can collect a log of all the keys you press, including your usernames and passwords. It might record
the screen or take screenshots and transfer those back to the attacker. It can copy files, either from your
computer or to your computer. And of course, it can then run and embed more malware on your
system.

This is a screenshot from the attackers perspective who’s taking advantage of a system that’s infected
with the DarkComet RAT. And you can see this graphical administration frontend allows the attacker to
perform many different functions. They can change the configurations of the registry. They can run
scripts. They can transfer files or even restart the computer, all from this graphical administration
frontend.

The process of preventing a Trojan or RAT from running on your system is very similar to preventing any
other type of malware. You don’t want to click any unknown links or links inside of your emails. You
always want to be sure that your antivirus software is running and that you have the latest signatures
installed for that software. It’s always good to have a backup so that if a system does become infected
and you’re not able to remove that software, you can easily restore your system from that known good
backup.

Rootkits – SY0-601 CompTIA Security+ : 1.2

Some malware embeds itself in the kernel of your operating system. In this video, you’ll learn about
rootkits and how to find and remove this dangerous malware.
 The term “rootkit” has a foundation in Unix or Linux, where root is the administrative account on that
particular system. But rootkits can be found on any operating system, Windows, Linux, Mac OS, and
anything else. A common characteristic of a rootkit is, instead of modifying files in your operating
system, it’s modifying files in the kernel of the operating system. These are the foundational building
blocks of the operating system. And everything that runs in the OS runs on top of that kernel.

Because this malware now becomes part of the operating system itself, it effectively becomes invisible
to antivirus and anti-malware software. And that’s one of the reasons why identifying and removing a
rootkit from a system can be a very difficult process.

Malware authors were starting to combine rootkit functionality with their malware functionality to
create a botnet that would be very difficult to remove from a system. A good example of malware that
was starting to combine a rootkit with the malware itself was the Zeus, or the Zbot malware. This was
malware that was very good at transferring money out of your bank account and into the bank account
of the malware author.

They combined the Zeus malware with the Necurs rootkit. This created a type of malware that, once it
was installed, it made it almost impossible to delete it from your system. Any time you would try to
delete the files, the rootkit would be part of the operating system and would prevent you from deleting
any part of the botnet malware. If you tried to stop the Windows process the malware was using, the
access would also be denied. Anything that you tried to do to stop that malware from running would be
stopped by the underlying rootkit in the operating system.

There are some anti-malware and antivirus software that can look for and identify rootkits that may be
running on a system. And there are specific rootkit removers that are designed to remove specific
variants or specific types of rootkits. Fortunately, we’ve created new types of BIOS software such as the
UEFI BIOS that includes a feature called secure boot. This secure boot feature will look to see if any part
of the kernel has been changed. And it will not boot a system that may have been modified, thereby
preventing rootkits from being installed on our modern systems.

Spyware – SY0-601 CompTIA Security+ : 1.2

Your malware might be watching you. In this video, you’ll learn about adware, spyware, and protect
yourself against this malicious software.

If your computer is infected with adware, then you’re seeing advertisements almost everywhere on your
system. They’re inside of your browser. They’re on your Windows desktop. Everywhere you look, there
is probably an advertisement to be seen.

This can cause performance problems in your operating system. It can cause slowdowns inside of your
browser. And you’ll probably see an increase in traffic across the network.

This adware can sometimes be installed accidentally. Sometimes when you’re installing one application,
it will install additional applications along with it. And sometimes those additional applications include
adware. If you try to remove adware, you may find applications that say they are specifically designed to
remove hardware, but what you may find is that software itself is malware or adware. Always use
known, good, antivirus and anti-malware software if you ever need to remove adware.
 Spyware is a bit more malicious than adware, because it’s trying to find out things about you or to
gather information about you. Spyware might be looking to see where you visit on the internet. It might
be trying to identify personal information about you so that it can use that for identity theft, and
anything else that it may be able to use by spying on you.

Spyware it can be installed a number of different ways. And often, it’s a Trojan horse. You think you’re
installing some peer-to-peer software or security software, but in reality, you’re installing spyware.
Some of the most common spyware will examine the types of pages that you visit in your browser,
identify some of the sites that you’re visiting, and capture any keystrokes you may be typing in so that it
can identify usernames, passwords, and other important information.

It seems like adware and spyware is a type of malicious software that simply won’t go away. That’s
because you as an individual are very valuable to the malware author. They know that if they can put
advertisements in front of you, that they can make money by making you watch those ads.

They can spread these ads across thousands or even millions of users’ desktops, meaning that they can
multiply the amount of money, and time, and resources being used to watch those advertisements. And
of course, if they can install spyware and track your usernames and passwords, they could potentially
gain access to important financial information or your bank accounts.

Like most malware prevention, you need a good antivirus and anti-malware software installed. And you
want to be sure your signatures are always up to date. You also want to be sure you know exactly what
you’re installing. Installing unknown software from a third-party website is probably at pretty high risk
for adware or spyware.

Once this malware gets on your system, it’s very difficult to remove it. The adware authors do not want
you removing their adware or their spyware. And in some cases, it may be almost impossible to
completely remove that malware from your system. That’s why it’s so important to have a known good
backup. That way you can delete everything on your system and restore everything to the way it was
before you were infected.

And you may find some software that is specifically written to be able to remove this type of malware.
The Malwarebytes anti-malware for Windows and for Mac are very good examples of software that is
specifically written to clean your system of this very annoying type of malware.

Bots and Botnets – SY0-601 CompTIA Security+ : 1.2

Is your computer under the control of someone else? In this video, you’ll learn about bots, botnets, and
how to stop the bot in its tracks.

The malware term “bot” stands for robot. And it’s a term to describe the automation that occurs behind
the scenes when your system is taken over by this type of malware. Once it gets on your computer, it
can control almost any aspect of your operating system. This type of software is installed in your system
through a Trojan horse, through vulnerability in an operating system or an application, or alongside an
application that you’re installing normally.

The bot malware on a computer is working along with other computers that are infected with the same
bot malware to create a botnet. This botnet is controlled through a Command and Control server or C&C
 server. The C&C server is responsible for sending out commands. Those commands will be received by
the botnet. And then the botnet will perform whatever function has been asked of it by the C&C.

As you can imagine, all of these systems, under the control of somebody nefarious, can create some
significant problems. Having all of these systems work together can create a massive denial of service.
And because it’s so many different systems located in so many different places, it’s a DDoS, a Distributed
Denial of Service. These systems can also act as proxies or relays for spam, network traffic, and other
types of tasks. And very large botnets can be rented out to third parties, effectively creating a
distributed denial of service as a service.

If you’d like a view of what botnets may be active anywhere in the world at any time, you can visit
map.lookingglasscyber.com. And you can see the number of infections per second, live attacks, the
number and type of botnets, and the countries where those botnets are communicating.

One way to stop a botnet is to make sure that it’s not installed in the first place. So you want to be sure
that your operating system and your applications are running the latest security patches. And make sure
that your antivirus and anti-malware software have all of the latest signatures.

You can often identify an active infection by scanning an on-demand anti-malware scan and watching
the network for any unusual traffic patterns. And if you know the type of network flows that will be used
for the command and control, you can block that at the firewall or with an IPS or firewall at the
workstation level.

Logic Bombs – SY0-601 CompTIA Security+ : 1.2

A logic bomb can be difficult to identify prior to the event. In this video, you’ll learn about logic bombs
and some of the techniques they use to create chaos on our networks.

A logic bomb is a type of attack that occurs when a separate event is triggered. Very commonly these
logic bombs are left by disgruntled employees or someone who has a grudge against an organization.
One very common type of logic bomb is a time bomb. This is one that occurs when a particular date and
time is reached.

A logic bomb can be more than just a date and time that’s reached, of course. You could have certain
other events occur. If someone places a file in a particular folder, that may be what causes this particular
logic bomb to execute. Or perhaps someone turns on or off a computer and that is the trigger that
causes the bomb to go off.

It’s difficult to identify if a logic bomb has been placed in a system because it doesn’t follow any known
signature. It’s not possible for antivirus or anti-malware to automatically recognize that a logic bomb
may exist. It also might be difficult to gather evidence after the fact, because many logic bombs will
delete themselves once they’ve executed.

A good example of a time-based logic bomb occurred on March 19 of 2013 in South Korea. There were
organizations in South Korea that were primarily media organizations and banks that received email
messages that had malicious attachments in them. They looked like they were emails from a bank. And if
someone ran that attachment, a Trojan installed malware on those systems.
 And a day later, on March 20, at 2:00 PM local time, the bomb activated. And it began deleting master
boot records and rebooting systems. Without a master boot record, these systems restarted and
showed that a boot device was not found, please install an operating system on your hard disk. Not only
did this affect many workstations and servers, it also disabled many automatic teller machines
throughout South Korea.

A more disruptive type of time bomb occurred on December 17th of 2016 at 11:53 PM in Ukraine. This
focused on high voltage substations. These were the substations that sent power between different
locations within the country. And at this particular time, the logic bomb began disabling electrical
circuits and bringing down electrical connections throughout the country.

The malware that had been installed had begun mapping out the controlled network of these systems
and began disabling power at a particular date and time. This malware was customized to work with
these SCADA networks. These are the supervisory control and data acquisition networks that are used to
manage these types of electrical systems.

As I mentioned earlier, it’s difficult to know when someone may have installed a logic bomb because
there’s no known signature that you can use to alert you that something has been identified as a logic
bomb. But there are things you can do with your processes and procedures to help prevent a logic bomb
from being installed in the first place. A good example of this might be to have a formal set of processes
and controls if any changes are made in the environment.

That way, if you notice that something has been modified on a server but there were no plans and no
processes in place to make those changes, that might be suspicious and might cause you to do a little
more research into what might have changed on that system. There are also automated processes of
doing this. You can configure host-based intrusion prevention or applications like Tripwire that will look
for certain changes to occur.

And if those changes happen, you’ll be alerted and notified that someone tried to make a change to that
system. And of course, it’s important to have constant auditing of these alert systems and the computer
systems themselves. System administrators, for example, have full control to these systems. So it’s good
to have an auditing process in place to make sure that all of the changes that are being made are
authorized.

Password Attacks – SY0-601 CompTIA Security+ : 1.2

There are many different techniques that the attackers can use to find your password. In this video,
you’ll learn about spraying attacks, brute force attacks, hashing, dictionary attacks, rainbow tables, salt,
and more.

An attacker loves applications that store passwords as plain text. They take the password, they store it in
a readable format in a database, and if the attacker finds this database, then they have access to
everyone’s usernames and passwords without any additional work. Obviously, if you are storing login
credentials, you don’t want to store any passwords as plain text. Fortunately, this is a very unusual
situation if you ever run into it. But there are the rare applications that tend to save these passwords in
a form that is readable to anyone.
Unfortunately, if you run into one of these situations, you don’t have much of a choice. You need to stop
using that particular application or find an upgrade to that application that doesn’t store any of these
passwords as plain text in the database.

Well, if you don’t store password as plain text, how should you store passwords? The best way to store
password is in a format that uses a hash. This hashing of a password takes the password and represents
the password as a string of text information. We call this a message digest. You’ll sometimes hear this
referred to as a fingerprint.

The idea with a hash is you can provide an input to the hash like your password. And the resulting hash
is something that is very unique. So hashes will not be duplicated on a system and they’ll be very specific
to a particular password.

The reason a hash makes such a perfect place to store password is that it is a one way trip. It’s a
cryptographic algorithm that cannot be reversed. So once you create the hash of a password, you can’t
somehow restore that password back to its original format by simply using the hashed value. Here’s an
example of some hashes that I’ve created from some very common passwords. This hashing algorithm is
the SHA-256 hashing algorithm. It’s a very common one to find. Here are some passwords that I’ve
hashed.

If you hash 1, 2, 3, 4, 5, 6 with the SHA-256 you get this message digest. You’ll notice this is very
different than the 1, 2, 3, 4, 5, 6. You’re not able to tell what this password might be by looking at the
hash. And there’s no way to reverse the hash back to that original password. I’ve also got hashes here
for 1,2, 3, 4, 5, 6, 7 for the word querty and the word password. You’ll notice that all these hashes are
the same length. But all of them are very, very different than the original passwords that were used as
the input.

Inside of the application or the operating system that you’re using, you’ll often have a password file that
then has the usernames for the user and then the hash that is created from the password for each
individual account. Instead of trying to brute force the hash and determine what the original password
might have been, some attackers will use a spraying attack.

A spraying attack avoids the results of a locked account for trying the wrong password over and over
again without success. Instead, a spraying attack is going to try to use some very common passwords
and only try a few of them before moving on. A good example of some of these common passwords can
be found on Wikipedia under the list of the most common passwords. And the top five passwords I put
right here, which are 1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 5, 6, 7, 8, 9, querty, password, and 1, 2, 3, 4, 5, 6, 7.
Probably not unusual that these would be the top five passwords that someone would try to use.

So an attacker using a spraying attack would try an account name and then they might try the top three
of these top passwords to see if any one of those happened to be in use. If they gain access by using
these top passwords, they can then continue their attack. If they do not gain access by using these top
passwords, then they stop what they’re doing, they move on to the next account, and they try these top
three passwords again. By only trying a few passwords for a single account, they can often avoid any
alarms, alerts, or account lockouts that might signal that somebody’s trying to break in to these
accounts.
 Some attackers, though, are interested in obtaining the username and password of every account on a
system. And if they want to be able to determine what those passwords are, then they’ll need to
perform a brute force attack against every account. A brute force attack is going to try every
combination of letters, numbers, special characters, or anything that could make up a password. And it’s
going to try every combination of those for a single account until it finds a matching password.

This can obviously take some time. If it’s a very long password, you have to go through a lot more
iterations to be able to find that. And if you’re starting with the hash of a password, then you also have
to perform that hash so that you can then compare the hashes to see if you found a match. Let’s say
that attacker has gained access to a system and they’ve downloaded the password file that contains
usernames and password hashes. Now they happen to have one of the hashes associated with a
particular user. And they would like to perform a brute force attack to find the password associated with
that hash.

They’ll start at the very beginning of what possible passwords might be. And the beginning here would
be the password AA A A A. They’ll perform a hash of that password and they’ll get the resulting hash
value. They’ll then compare that hash value to the hash value they’re trying to match. They’ll see that
those don’t match so they’ll go to the next password on their list which is AA A A B, they’ll perform a
hash of that password, they’ll compare that hash to the hash they’re trying to match, and so on until
they find one that matches.

They may have to go through a very long list, but eventually they’ll come up with the combination of
letters that makes up the word password. They’ll perform a hash of password, they’ll get the hash value,
and they’ll see that the hash value of password matches the hash they were looking for. Therefore the
password associated with this account is the word password.

If an attacker was trying to do this online, it would obviously be a very slow process as they were typing
in a username and password. And there’s probably going to be delays as they try each wrong password.
And very quickly, they’re going to lock out this account because they’re going to try three, five, or seven
passwords before the account is automatically disabled for brute force attacks. It’s usually more
common for the attacker to have already downloaded the password file. They can then perform an
offline attack of those hashes where they can programmatically step through every possible
combination and do it very quickly on their local machine.

This obviously requires a lot of computational requirements on the local computer but it allows them to
go very quickly through this list of passwords. It obviously takes a long time to incrementally go through
every possible combination of letters, and numbers, and special characters. So instead of going through
all of those, some attackers will use a subset of those that you might find in a dictionary. We call this a
dictionary attack where we can use common words taken from a dictionary and see if those happen to
be the passwords that we’re looking for.

You’ll find a lot of different kinds of dictionaries on the internet, especially some groups of passwords
that are unique to a particular type of job. For example, there might be a medical dictionary where there
are a lot of medical phrases that you can use for passwords that may be from a hospital or an insurance
company. These dictionary related brute force programs can also perform letter substitutions. So if
you’re using the word password as your password but you’re changing the letter A to the ampersand
and the letter O to the number zero, these programs are already expecting you to do that and they’ll try
those combinations as they go through the dictionary attack.

This type of cracking can take quite a bit of time as it goes through all of these different words and
combinations of letter substitutions. It’s not unusual for attackers to use a distributed cracking format
where multiple systems might be used. They might also take advantage of the high speed CPUs that you
might find in a graphical processing unit or a GPU. These external video cards are very high capacity
processors and they can perform these calculations very quickly.

So after performing a dictionary attack, they can go through and find common passwords like ninja,
dragon, football, or let me in, and of course, are able to identify the hashes associated with all of those.

Well, if we’re going through every possible iteration in a brute force attack and creating hashes to
compare, one of the things you might want to do is save all of those hashes and simply do a quick search
of those hashes in the future. This type of database that contains a massive number of hashes that was
created earlier is called a rainbow table. This is an optimized table. You’re able to search through it very,
very quickly. And you’re able to find passwords almost instantly on many of these types of rainbow
tables.

Because you don’t have to go through the calculation process of creating the hash, especially with
longer types of passwords, this type of rainbow table can be an almost instantaneous lookup to find all
of the passwords that might exist in a single set of hashes.

The challenge with rainbow tables is that each type of application or operating system may use a
different method to create that hash. And if that is the case, then you’ll have to have different rainbow
tables that are specific to that particular application or that particular operating system. Another
technique that all programmers should use when they’re storing these passwords is to include a salt.

A salt is a little bit of extra random data added to the password before it is hashed. This means that if
two users happen to be using exactly the same password, the hash that’s stored in the password table is
going to be different between the two even though their password is exactly the same because a
different type of random salt was added to each one of those user’s passwords. This means that any
pre-built tables like rainbow tables will not work if all of these passwords have been salted because
there’s this randomness that has been added to every single password.

Although this doesn’t completely stop the brute force process, it does slow things down and requires
that the attacker know exactly how the salt has been implemented so that it can then process and begin
the brute forcing of those passwords. Let’s see what the hash looks like when we take a single password
like the word dragon and we add a bit of salt to it. This is the hash you would see if there was no salt
added to the password.

We’re going to take the password dragon and we’ll add a different set of random salt for each individual
user. You’ll notice the hash for every single one of these users is very, very different even though they’re
password is exactly the same. This makes it very difficult for an attacker because they’ll look at this hash
and they’ll have no idea that any of this information happens to be identical.

A good example of what happens when attackers are able to get their hands on these hash passwords
occurred in January of 2019 when a large collection of passwords was released called collection number
 one. This consisted of over 12,000 files and 87 gig of data. Within collection number one was over 1.1
billion unique emails and passwords. This was a very large data breach. And within the collection, there
were 772 million unique usernames across many different accounts.

This meant that there could be as many as 773 million people that were affected by this data breach.
Although there were over one billion unique emails and passwords, there were only 21 million unique
passwords in this entire group. This is another good reason why you might want to have a password
manager that makes a different password for every single one of your accounts.

If you’re interested in knowing if you were part of this data breach, you can go to this website, which is a
legitimate and well trusted website in the industry called haveibeenpwned.com. This site allows you to
simply put in your email address. And it will tell you if that address is part of one of many different
breaches. And they’re always adding new breaches to the list. So this should be a site that you’re always
going back to see if maybe your username and password may have been released.

Physical Attacks – SY0-601 CompTIA Security+ : 1.2

Attackers often use physical devices to assist with their attack. In this video, you’ll learn about the use of
malicious USB cables, malicious flash drives, skimming, and card cloning.

Attacks aren’t always done across the network. There are many attacks that are physical attacks. One
type of physical attack might be with a malicious USB cable. This looks like a perfectly normal USB cable.
We would use it to plug into our computer and charge our systems, except it has some additional
electronics inside. It could, in fact, tell your operating system that it is a HID, or a human interface
device. This is the categorization for keyboards and a mouse, so when you plug in this malicious USB
cable, it’s able to start typing anything that it would like into your system. So you might plug in the
cable, it would start up a command prompt, it would type in some commands to download some
malware from a third party site, and now your system is infected. This is why you shouldn’t simply plug-
in any USB cable that you happen to find. You need to have some trusted knowledge of where this cable
came from, and trust that it came from a reliable source.

Similar to the malicious USB cable is the malicious flash drive. This may be a perfectly normal working
flash drive, but it may have some additional electronics inside that could cause problems on your
system. You might be walking through the parking lot, there’s a flash drive on the ground. Most people
would want to know what’s on this flash drive, and could they use this flash drive themselves, but
plugging in this device is probably going to be a bad idea. In older operating systems, we automated the
processes that occurred when you plugged in a flash drive, and would have programs run automatically
from that particular storage device. Obviously, this is a significant security concern, and in most modern
operating systems, this automated functionality has been removed. But just as with our USB cable, we
could still run things from a USB flash drive by adding additional electronics inside that have this device
recognized as a HID, or human interface device. So it appears to be a keyboard or mouse, and when you
plug in the flash drive, you’ll notice the command prompt will open, a lot of things start typing in, and
suddenly your system is now infected with malware.

Even without that human interface device functionality, there are ways for attackers to simply put files
on the flash drive that might infect your system. For example, you can put malicious software inside of
PDF files, or have malicious macros run inside of spreadsheets. If your USB interface is configured with a
 boot device, you might forget that you have this USB drive installed, and when you restart the system,
the USB drive infects your system during the boot process. Add some additional electronics, and this
flash drive can turn into a wireless interface that can then act as a host for other devices to connect into
your system, and you now become a jumping off point for an attacker who may want to gain access to
your internal network. These are just some of the reasons why you want to be very careful about what
USB devices you connect to your computer.

Stealing credit card information has become a big business, and there’s so many different ways that the
bad guys are trying to gain access to our credit card numbers. One way they’re able to do this is with
skimming. This is stealing our credit card information as we use the card for some other purpose. It’s
copying information, either from the magnetic stripe that’s on that credit card, or it may be gathering
information from the computer system that you’re plugging it into. This would have your credit card
number, expiration dates, the cardholder’s name, and anything else that’s on that magnetic stripe. The
attackers are usually adding additional hardware to the card reader on the device that you’re using, and
if you’re at an ATM, they may also have a camera that’s monitoring what buttons you press when you
put your PIN into the system. The attackers will, obviously, skim your credit card numbers, and then use
that information to perform other financial transactions. This is why you should always check very
carefully when using a card reader– maybe pull on the card reader itself and make sure it doesn’t pop
out of the system, and make sure that everything associated with the card reader looks like it is built
into the original unit.

Here’s an example of a card reader where the attacker had to create a little bit of a wider connection to
be able to fit their card reader in, and this piece of plastic on the inside is the one put there by the
attacker. You can see they didn’t do a very good job. They damaged the system itself, and if you walked
up to this system and examined it prior to you putting your card in, you would notice that something
about this did not look quite right. Some banks have tried to put some oddly-molded plastic around the
outside of their ATMs as a way to try to prevent somebody from adding their own skimmer into the
system. They might also put some type of colored or lighted piece of plastic on the outside, so you can
see this is original to the ATM and not added by a third party.

Sometimes, attackers are going to use this credit card information that they’ve skimmed to perform
online transactions, but sometimes the attacker needs another physical card to use. In that case, they’re
going to clone the details of your card. They’ll create an exact duplicate of your credit card, with all the
same numbers and information, and they’ll put even the same CVC, or card validation code, on the back
of the card as well. The attackers are cloning the magnetic stripe that’s on the back of the card, so
obviously they would only be able to use this card in transactions that took that magnetic stripe. The
chips that are on the inside of our cards are not able to be duplicated and can’t be cloned by the
attackers.

One very common use of magnetic stripes on cards is gift cards. The attackers will clone a gift card,
they’ll wait for that card to be activated, and then they’ll use the gift card before the legitimate user is
able to do so.

Adversarial Artificial Intelligence – SY0-601 CompTIA Security+ : 1.2

 Attackers use many different techniques to manipulate artificial intelligence and the machine learning
process. In this video, you’ll learn about poisoning training data, evasion attacks, and securing the
learning algorithms.

We’re able to make our computers much smarter these days by using machine learning. Our computers
are able to sift through enormous amounts of data, find different patterns within that data, and then be
able to provide us with services or information based on the patterns that it finds. One challenge with
doing this is that it takes a lot of data to be able to train our machine learning systems.

If we’re doing face recognition, we need to have our computers analyze millions of faces to see the
nuances between every individual. If this is machine learning that’s in a car, we need that car to
understand all of the different things that can happen while somebody’s driving on the road. This means
we have to put a lot of data into these systems to be able to train it properly.

But once we’ve done that, we can now start using this data. For example, our spam folder is able to
capture a lot more spam because our system has been trained to recognize what spam might look like.
Or if we’re in an online retailer, we might see things pop up that are recommended for us based on what
our past history is with that particular retailer. Or you might be on a streaming video service and it’s able
to offer you movies that it knows you would like based on its machine learning.

And if we’ve trained our cars to recognize harmful situations, it may be able to keep us out of a car
accident. All of this training data assumes that everything that’s going into the learning process is
legitimate data. But what if the attackers used malicious data or invalid data during the training process?
That would mean that the resulting artificial intelligence would be invalid as well.

A good example of poisoned training data occurred with a Microsoft AI chatter bot named Tay. Tay
stands for thinking about you. And Tay was added to Twitter on March 23, 2016. It interacted with
Twitter users, was able to have conversations with people on Twitter. But Microsoft didn’t add any type
of anti-offensive behavior or anti-offensive learning algorithms to Tay.

So once Tay started interacting with other users and other users realized that they could poison the
learning process, they turned into a racist, sexist, and inappropriate bot. And ultimately, Microsoft had
to turn off Tay and end this particular project. The users on Twitter knew that the artificial intelligence
was only going to be as good as the programming and only going to be as good as the data going in
during the training process. And if they can find holes or vulnerabilities in that training process, they
could change the way the machine learning was able to understand the world around it.

Attackers might also change their approach once the learning process is over. For example, if a spam
filter has now learned what spam looks like, the attackers can slightly change the way they’re formatting
their spam messages and circumvent the machine learning that was done previously. For example, there
have been cases where machine learning has used actual social security numbers and personal
information. And attackers were able to interact with that machine learning after the training was over
and extract those details and use that private information.

That’s why it’s important during the learning process that all of the data going into the machine learning
is legitimate. You might also want to retrain with new data occasionally and make sure that the machine
learning is always up to date with the latest type of information. And as a good security technologist,
you might want to use some of the same techniques that the attackers are using just to make sure that
your machine learning process does not become vulnerable.

Supply Chain Attacks – SY0-601 CompTIA Security+ : 1.2

Supply chain attacks are designed to affect many victims from one broad attack vector. In this video,
you’ll learn about supply chain attacks and how companies are managing their supply chains.

The supply chain is the chain of manufacturing that gets a product from the very beginning to the very
end of its process. This includes the raw materials, suppliers, manufacturers, distributors, customers,
and consumers. With all of these different points along the chain, there’s a lot of opportunity for
someone to be able to attack any one of these and affect anybody else who might be downstream in
that chain.

One of the reasons this works so well is that we tend to trust what we receive from our suppliers, not
realizing, of course, that somewhere up the chain there was an attack that now has shown itself in the
equipment, the software, or the technology that we’re now putting onto our network. And with so many
other steps before that technology arrives on our doorstep, there are plenty of places for an attacker to
be able to infect that supply chain.

A notable supply chain breach occurred in November of 2013 with the Target Corporation where 40
million credit card numbers were stolen. This attack did not start at Target. It instead started in
Pennsylvania for an HVAC company. That’s a Heating, Ventilation, and Air Conditioning company.

This is an organization that had people that took care of and maintained the HVAC systems for many of
the Target locations. To be able to interact with Target, there was a VPN connection that these
technicians would use to be able to send and receive information about these HVAC systems. There was
an email with malware that was delivered to this firm in Pennsylvania, and that malware was able to
obtain the VPN credentials so that the attackers were able to access the VPN themselves.

This was the breach of the supply chain. The attackers were able to take advantage of the HVAC
suppliers and gain access to the inside of the Target network. Unfortunately, the Target network did not
have any additional security on the inside to prevent vendors from gaining access to other parts of the
network. So once the attackers got onto the Target network, they then had access to every single
register at all 1,800 Target stores. This is a good example of how a supply chain attack can occur because
the attack vector isn’t one you were expecting. The folks that are on the roof taking care of the air
conditioning and heating are not where you would expect a breach to come that would then attack and
steal over 40 million credit cards.

Supply chain cybersecurity has become a significant concern for organizations. You have to know and
trust that your server, your router, your switch, your firewall, or any of the software you’re installing is
something that you can trust to put on your network. Many organizations are narrowing down the
number of vendors they work with so that they can do more testing and more auditing and make sure
that what they’re receiving from those suppliers is trusted. Organizations are also requiring that those
suppliers have very strict controls over everything that they’re doing and that audits can occur within
the suppliers network so that everybody can trust exactly what’s being delivered to the end user. If you
have relationships with your suppliers, this is a good chance to team up with them and make sure that
everyone is able to get a safer product all the way through the supply chain.
 Cloud-based vs. On-Premises Attacks – SY0-601 CompTIA Security+ : 1.2
Which is safer, a cloud-based infrastructure or an on-premises data center? In this video, you’ll learn
about the advantages and disadvantages of securing data in both environments.

There are two schools of thought when it comes to data security. One school says, if you have data that
is on-site– or on-premises– that is the most secure way to store data. Another group says that having
the data in the cloud is much more advantageous and much more secure for your data. With cloud
security, everything is centralized, and therefore your costs tend to be lower. You don’t have to worry
about having your own data center or purchasing any hardware, and you have a third party that handles
all of the IT services for you.

If all of your data is on-site, you obviously have your own data center. And you have to incur all of those
data center costs, but you know where all of your data is, and you’re the one who gets to control what
happens with that data. Of course, the attackers don’t care where your data happens to live– you just
have to be sure that it’s secure no matter where it’s stored. If your data is on-premises, you have
complete control. You’re in charge of the facility. You’re in charge of your users and your support team.
And you’re in charge of what happens with that data.

If you have your own team to manage your IT infrastructure, then you get to decide what expertise and
what type of security controls are in place. You can hire exactly the right people to make sure that all of
your data is secure, but, of course, if you’re hiring these people and having them on staff, there are
additional costs associated with that, especially if you want to get people who are knowledgeable in
how to protect data. With all of the data in your local premises, you have a team that can handle all of
the uptime and all of the availability. You don’t have to call out to a third party to provide any type of
maintenance.

Since this does rely on your services and your infrastructure, making security changes can also take time.
It may take a reconfiguration. You may have to purchase new software or new hardware and have all of
that already on-site in your premises. If this was a cloud-based service, there may be options for simply
clicking a few buttons and adding additional security to your system. In a cloud-based system, you get to
control how much security you have on that data. There’s usually no physical access to the servers and
services that are in these cloud-based systems, although you do have to be concerned that there’s a
third party that would have access to your data and your systems.

One advantage in the cloud is that most cloud providers are providing very large-scale security. They’ve
seen a lot of different security technologies and understand how to implement it to make sure that your
data stays secure. One challenge with this is you want to be sure that your users are following best
practices for this security in the cloud. There’s a different process for accessing this data, and you want
to be sure that your users are following the correct processes and procedures to keep that flow of traffic
as secure as possible.

The data in the cloud also tends to be more available. Since this is a larger infrastructure, and much
more redundancy is built in, you can usually maintain a higher degree of uptime. Security from a cloud-
based provider may also give you some additional options. If you need to install a new third-party
firewall, it may just be a click away to bring that firewall online and have it protected your data. This may
not be as customizable as it might be inside of your own data center, but it might provide you with some
additional options that you wouldn’t have if your data was on-premises.

Cryptographic Attacks – SY0-601 CompTIA Security+ : 1.2

Some attackers will use shortcomings in cryptographic protocols and techniques to gain access to data.
In this video, you’ll learn about the birthday attack, hash collisions, and downgrade attacks.

Let’s say that you’ve encrypted some data, and you’ve put it into an email. And you’re sending me this
encrypted message. How do we know if that data that you’re sending to me was really secure all the
way between you and me and that nobody in the middle was able to gain access to that information?
This is a challenge we have when dealing with cryptographic attacks.

The attacker often doesn’t have the key to be able to decrypt what’s there. So instead they use other
techniques to try to gain access to the data. Very often, even though they don’t have the combination of
the safe, they may be able to break in through other parts of the safe to gain access to what’s inside.

Attackers spend a lot of time trying to find inconsistencies, problems, and cryptographic vulnerabilities
with these methods that we use to transfer data from point A to point B. And very often it’s not the
cryptography that’s the problem. It’s the way that we’ve implemented the cryptography that allows the
attackers to gain access to the data.

One type of attack is the birthday attack, and the birthday attack is based around this particular
problem. You have a classroom of 23 students. What is the chance that two students in the classroom
share a birthday? The answer’s 50%, which is a pretty high number considering there’s only 23 students.

If we had 30 students, this would increase to about 70% of a chance. That’s because we’re not
comparing to individual students to see if they share a birthday. We’re comparing every student to
every other student to see if there’s a shared birthday.

In the digital world, we call this a “hash collision.” A hash collision is when you have two very different
types of plain text, but both of those plain text create exactly the same hash. This is something that
should never happen.

And if we’re able to find a hash collision, we may be able to take advantage of this inconsistency in the
hash algorithm. With the hash collision, the attacker spends their time finding that other type of plain
text that matches that hash. One way to prevent this is to increase the size of the hash, which decreases
the potential to have a collision.

Collisions are bad because the hashes are always supposed to be a unique value. If you put in one type
of plain text, it should be a unique hash. If you put in a different plain text, it should never be exactly the
same hash.

One well-known collision hash occurred with MD5. This was the Message Digest Algorithm version 5,
which was first published in April of 1992, and we identified collisions with this hashing algorithm in
1996. Researchers were able to expand on this hash collision. And in December of 2008, they created a
certificate authority certificate that appeared legitimate if you looked at the MD5 hash.
 So they were effectively able to create a fake certificate authority that looked like a completely
legitimate CA. This is obviously going to create some significant concerns if you’re relying on these CA
signatures for the trust of your website certificates. Here’s an example of a collision that occurs with
MD5.

These are two separate inputs. And you can see they’re mostly similar, but there are some differences
between the two that are highlighted in red. If you perform an MD5 hash against both of these, you
should receive a very different hash. But in reality, you receive exactly the same hash, and that is a hash
collision.

Another type of attack is a downgrade attack. Normally when you want to communicate securely to
another device, there’s a conversation that initially takes place where both sides determine what the
best possible encryption algorithm might be. If you’re able to somehow sit-in the middle and influence
that conversation, you could have the two sides downgrade to a type of encryption that might be very
easy to break.

A popular example of a downgrade attack occurred in 2014. These were researchers that found a
vulnerability in the transport layer security. This was the security that was the successor to SSL or Secure
Sockets Layer, or the encryption mechanism that we use to communicate to web servers.

They were able to sit-in the middle of a conversation between two devices. That would be in on-path
attack. And they forced the two sides to communicate at a much downgraded level of encryption. They
fell back to SSL version 3.0.

Well, with SSL 3.0, there are some significant cryptographic vulnerabilities, which is why we don’t use
SSL 3.0 any longer. And because of that, the rest of the conversation was one that was susceptible to
being decrypted by the third party. After this particular vulnerability was released, we all configured our
servers not to allow SSL 3.0. We changed our browser configuration. And these days, it’s very difficult to
find a browser that even supports SSL 3.0 all because of this poodle downgrade attack.

Privilege Escalation – SY0-601 CompTIA Security+ : 1.3

Some attacks can use an existing user account to gain elevated access. In this video, you’ll learn about
privilege escalation vulnerabilities and how to prevent them.

We often worry about an attacker getting administrative login rights or some type of route log in to gain
full access to a system, but often the attacker is using a normal users log in to somehow gain elevated
rights on the system. This is often done through a privilege escalation where a vulnerability or some type
of design flaw is allowing a normal user to suddenly gain extended capabilities on that system. Very
often this higher level access is the administrative or the root account. That’s why it’s so important to
patch and make sure there are no vulnerabilities on a system that would allow simply any user logging in
to gain full access of the operating system.

We often think of privilege escalation as a higher level account, but in some cases it’s a horizontal
privilege escalation. This is where one user is able to gain access to resources that would normally only
be available to another user of the same level. It doesn’t have to be an administrator account or a root
account. Simply user A is gaining access to files and resources for user B.
 Privilege escalation vulnerabilities are usually made very aware. They usually have a higher priority
associated with them, so it’s very important that we patch these vulnerabilities quickly. It’s very
common for our antivirus and anti-malware software to also be aware of these vulnerabilities and stop
any malicious software that may try to take advantage of them. The operating system itself may have
safeguards in place to prevent someone from taking advantage of a privileged escalation.

One of these safeguards is called data execution prevention it’s a way to only allow applications to run in
certain areas of memory where that particular function is allowed. Vulnerabilities that try to run an
application from the data section of memory would be blocked using data execution prevention. And
many operating systems will randomize where information is stored in memory so that if attacker finds a
way to take advantage of a memory address on one system, they would not be able to duplicate that on
another operating system.

Here’s a practical example of a privileged escalation. This was a CBE 2020-1530, and it’s titled the
Windows Remote Access Elevation of Privileged Vulnerability. It was released on August of 2020. This is
specific to Microsoft Windows and the Windows Remote access application, which runs on server 2008,
2012, 2016, 2019, Windows 7, Windows 8.1, and Windows 10.

You can see that this particular vulnerability is one that affects many different operating systems going
back a number of years. If the victim’s machine had this remote access vulnerability, the attacker would
only need to run a single program and they would have elevated access on that system. With a
vulnerability that has this scope associated with it, you can see why it’s so important to always make
sure you’re up to date that you have the latest security patches on your operating system.

Cross-site Scripting – SY0-601 CompTIA Security+ : 1.3

Cross-site scripting takes advantage of a trusted browser to attack other systems. In this video, you’ll
learn about reflected and stored XSS attacks and I’ll demonstrate a cross-site scripting attack on a
vulnerable system.

In this video, we’ll describe some techniques around cross-site scripting. If you ever see this abbreviated,
it’s abbreviated with an XSS, instead of a CSS that you might think with cross-site scripting. But CSS is
commonly associated with cascading style sheets, and when you’re working in web publishing, that’s a
very popular topic, so keep in mind that a cross-site script is an XSS.

We call this cross-site scripting because this was originally associated with a browser vulnerability that
allowed information from one site to be shared with another site. These days it’s common to simply
have this information shared from someone else’s browser and sent to the attacker. This is also an
extremely common vulnerability to find on web-based applications, so it’s very important that if you’re
developing a web-based application, that you look for and prevent these types of scripting
vulnerabilities in the input of your application.

We use JavaScript for so much in our browsers to be able to automate and add additional functionality,
but the attackers know that they can also use JavaScript in conjunction with a vulnerable website to be
able to gather information from your computer without you even knowing it happened.

One type of cross-site scripting vulnerability is the non-persistent, or what we sometimes refer to as a
reflected, cross-site scripting attack. This is found on a website that would allow someone to run scripts
 within the user input fields on that device. This might be in a search field, or some other input field on
the web page.

To be able to take advantage of this attack, the attacker needs the victim to click a very specific kind of
link. Very often this is sent to the victim through an email, and the attacker will encourage the victim to
click that email link to start the reflective cross-site scripting attack. The victim often clicks that link to
run malicious scripts that are embedded within that URL, and whatever the output or payload from that
particular result is usually sent to the attacker.

This can often be session IDs, or user credentials, or anything else the attacker would like to gather from
that victim’s machine. Here’s a web application with a vulnerable field that would allow a cross-site
scripting attack. This is a purpose-built application that has this flaw in it, and this is from something
called WebGoat. If you wanted to run this WebGoat utility on your computer, you could load this up and
perform your own cross-site scripting attacks.

This is a shopping cart. In the shopping cart, you can modify the quantities. You can put in credit card
numbers and access codes. We’re going to put a little bit of JavaScript right at the end of the credit card
number.

Let me back up a bit so we can really see what’s happening. At the end of the credit card number, it has
a quote, and then starts a JavaScript, which, in this particular case, puts an alert on the screen. Usually
the attacker doesn’t send an alert to the screen. They simply send that information off to the attacker’s
computer, instead of showing anything on the victim’s workstation.

But for this example, we’re going to put this script alert on the screen, and it’s going to show your
session information, and then it’s going to show cookie and session ID information for this particular
user. If that information was to get into the hands of the attacker, the attacker would be able to log in
and gain access to this information without needing a username and password. They would simply use
the stolen session ID information.

Once we click the Purchase button, we get a message at the top of our screen that is the session
information, the JSESSIONID, and the PHP session ID, all in that alert message. This would normally be
sent to the attacker, and they would be able to authenticate to this website as if they were us, and of
course, they would then gain access to all of our personal information.

For the reflected cross-site scripting attack, we have to have that user click a very specifically-crafted link
for that particular vulnerability to be exploited. There’s another type of cross-site scripting attack that
can be stored permanently on a server, and anyone visiting that page would be running the script. This is
a persistent, or stored cross-site scripting attack.

You’ll often see this kind of attack on websites that have messages, or forum posts, and the cross-site
scripting attack is embedded within that post. Once the attacker posts their malicious message,
everyone who reads through that particular post will also get that malicious script and run it on their
local machine.

With the reflective attack, the attacker could specify the user that they were targeting, but with
something like a stored cross-site scripting attack, that particular script is on the page, and anyone
visiting the page would be running this script. As you can imagine, if anyone visiting the page is a victim
of this particular attack, it can spread very quickly over social media. Someone liking a page or sharing a
page might bring other folks to the page, and their machines would also run this particular malicious
script.

A practical example of a cross-site scripting attack was found by Aaron Guzman in June 2017. He’s a
security researcher that found when he logged into the Subaru website, his particular session was given
a token. This login token and session ID allowed him to connect back to the site without having to log in
with his username and password.

But what he found was that the token never expired, so any time his computer accessed the Subaru
website, he was automatically authenticated and would not have to re-input his username and
password. Well, this also meant that if anyone else gained access to this authentication token, they
would also be able to gain access to his account details.

This authentication token provided access to service requests on the Subaru website. For example, if
you wanted to add a different user’s email to your particular vehicle, you could simply add that within
your account information. This also meant that an attacker could add their email address to your car,
and have full access to the online capabilities available for your Subaru.

Compounding this problem was that the Subaru website had a cross-site scripting vulnerability in one of
these input fields, and this means that anyone logging into the system could have their tokens sent to an
attacker, who would then be able to add their email and gain full access to your car. This is yet another
reason why we always tell you to never click a link in your email. It’s very difficult to see what that link
consists of, and even if you could see it, it’s very easy to hide malicious information within that link. It’s
better, instead, to go to the website that’s referenced in the email and log in yourself, manually.

Another option might be to disable JavaScript entirely, but that’s very difficult to do on today’s modern
websites. It’s probably more practical to have an extension or security tool that would allow you to
manage the use of JavaScript on your system. Many of these vulnerabilities are also part of the browser,
so keeping your browser up-to-date is also a good way to maintain the security of your system.

And if you’re a developer, make sure that you’re validating all of the fields on a website. That way no
one can take advantage and exploit something that might be a cross-site scripting vulnerability on your
site.

Injection Attacks – SY0-601 CompTIA Security+ : 1.3

An injection attack can be used to add or remove information from a data stream. In this video, you’ll
learn about SQL injection, XML injection, DLL injection, and more.

A code injection attack is when the attacker puts their own code into an existing data stream. This is
often enabled because of bad programming with an application. An application shouldn’t allow you to
put your own code into a data stream. But, often, the code is not checked by the application, and
attackers are able to exploit that vulnerability. There’s many different types of code that you can inject.
You can inject HTML, or LDAP, or SQL code– and any one of those may be able to manipulate or gather
information from a machine, especially if you have control over the type of code that you would put into
that data stream.
One very common code injection type is a SQL injection. SQL stands for Structured Query Language– or
SQL. This is a very common relational database used on many websites. If you can circumvent the web
front end, then you can gain access to the data that’s in that database. Of course, the web front end
should not allow these types of requests, but if the input is not validated, it’s very easy to be able to get
around the application and be able to run whatever queries you would like on that database directly.

Let’s run a database injection on this intentionally vulnerable application that is found in WebGoat. You
could load WebGoat on your own machine and run through your own SQL injection lesson. This
particular lesson has a form, and it’s used by an employee to gain access to their own personal
information. The employee name is John Smith, and this particular application has a transaction
authorization number that’s used. The number in this one is 3SL99A.

The way that it would work is the employee would put their last name into the box and then put the
authorization number 3SL99A. And when they click Get Department, they would gather information
specific to them. But this particular web front end does not validate anything typed into the
authentication number field. So we can modify this just a bit by adding an OR 1 equals 1 to the end of
this, which is SQL code that basically says find everything with the authentication number 3SL99A or
anything where 1 equals 1.

And, of course, 1 does equal 1, which means anything that would be true. That means we can dump the
entire database contents to our screen by simply adding on just a little bit of text on the end. And if we
click that button, we can now view the names, departments, and salaries for everybody in the company.
There are other types of injection attacks you might see. Another one might be with XML.

XML is the Extensible Markup Language. It’s very commonly used to transfer data between two different
kinds of devices, and you can perform an XML injection by sending this malformed XML off to a separate
device. Obviously, a well-written application will validate that XML as it’s being put into the system.
Another type of valuable data injection might be to an LDAP server. LDAP is a Lightweight Directory
Access Protocol. LDAP is commonly used to store information about authentication, such as username
and password, or other information about devices or users. If you’re able to inject data and gather
details from that LDAP database, you may be able to gather a lot of information that you normally would
not have access to.

Another type of injection is DLL injection. This is a Dynamic-Link Library. And a DLL injection is a way to
inject some code into an application to have that application execute the code for us. In this DLL
injection example, we have two processes– a process B, that is the attacker, and a process A, that is the
victim. Process B is going to attach to that first process, allocate some memory for this DLL library, and
then copy the DLL into process A. At that point, process A will execute that DLL as a new thread, running
it as process A, which may give it additional rights and additional capabilities that process B would not
normally have.

Buffer Overflows – SY0-601 CompTIA Security+ : 1.3

A vulnerable application can allow memory buffers to be manipulated by a crafty attacker. In this video,
you’ll learn about buffer overflow vulnerabilities and how they can be used by an attacker.

A buffer overflow attack occurs when one section of memory is able to overwrite a different section of
memory. This type of overriding or spilling over of memory should not occur, and if someone is able to
 replicate that in a way that’s controllable, they may be able to gain access to the system or cause an
application to perform the way that they would like. This is a type of vulnerability that takes advantage
of poor programming, and application developers need to make sure that they perform bounds checking
to make sure that no one is able to overwrite different sections of memory.

This is not a simple exploit to find, and it’s not an easy exploit for an attacker to take advantage of. It’s
very difficult to find some software that would allow this buffer overflow, and then it’s very difficult to
have a buffer overflow that might not cause the system to become unstable or to crash. A good buffer
overflow for an attacker is one that they can both replicate and one that they can control.

Here’s a visual example of what a buffer overflow might look like. In this particular computer, we have
an application that’s running with two variables– a variable A and a variable B. Right now, the only
variable that has data inside of it is variable B, which has the value 1979. If we looked at that in
hexadecimal, it would be the value 07 BB. You can see that nothing has been set for variable A. If this
application was vulnerable to a buffer overflow, we might be able to overwrite the value of variable A
and have it spill over into the area that’s currently used by variable B.

Here’s the aftermath of a buffer overflow, where we’ve taken the word “excessive” and put it into
variable A. Now, notice that variable A has enough room for the E-X-C-E-S-S-I-V, and then the E at the
end doesn’t fit into that specific area set up for that variable, so it overflows into the next variable in
memory and has that 65, which is the E stuck on to variable B. And notice that it has changed the value
of variable B. It may be that changing that value of variable B allows the attacker to gain elevated rights
or a section of the operating system that they would not normally have, or maybe it allows the attacker
to be able to crash the system whenever they’d like, creating a denial of service by using this buffer
overflow attack.

Replay Attacks – SY0-601 CompTIA Security+ : 1.3

A replay attack can allow an attacker to access an account without the use of login credentials. In this
video, you’ll learn about different replay attacks and how to prevent them.

The communication that we send from our computer to other devices on the network will very often
have information that a crafty hacker can use against us. This might be a session ID, it might be login
credentials, but they want to be able to find the information in those network flows and be able to use it
as an advantage during an attack. This means the attacker needs to find a way to gather that network
information.

If they have physical access to the network, they can physically install a network tap that will redirect or
send a copy of all network traffic to their workstation. If they don’t have physical access to the network,
then they need to find some logical way to redirect that information. And one way they might do that is
through something like ARP poisoning. Or they might just simply add their own code or malware onto
your computer and they’ll use your computer to gather that information and then send it back to the
attacker.

If the attacker can capture information that can then be replayed across the network to make it seem as
if it was coming from you, this is called a replay attack. And they want to be able to gather session IDs or
credentials and be able to use those credentials later on across the network. Although the initial
gathering of the information may involve the attacker being on the path between the two devices, that’s
 not a requirement for the actual replay attack. The replay attack can be done afterwards. The original
user does not even need to be on the network at that time.

One very simple kind of replay attack is called pass the hash. This is referring to the hash value that is
associated with a password that is sent across the network during the authentication process. If the
attacker can gain access to the hash, they may be able to replay that hash back to the server and
pretend that they are the original workstation.

In our network here, we have three devices. We have the client device that will be the victim, we have
an attacker that’s on the network, and we have the server that is communicating back and forth with
the client. During the initial authentication process where the client sends username and password
information to the server, what’s usually sent across the network is the username and a password hash.
As that information is being sent to the server, the attacker puts something in the middle of the
network. This might be a redirection of the network or an ARP poisoning of some kind, and redirects
that hash down to their device as well.

That means that they’re going to have a copy of that hash on their computer. Now that the attacker has
that hash, they can pretend to be the original user by sending the username and hash information off to
the server as if they were doing this from the original client’s workstation. From the perspective of the
server, this looks like a normal authentication coming from a legitimate user. And that means that the
attacker would then have access to that user’s account on that server.

One way that developers can avoid this type of pass the hash attack is to make sure that the client and
the server are always communicating over an encrypted channel such as SSL or TLS. If that channel is
sending encrypted data, it doesn’t matter what the attacker gathers. They won’t be able to find any of
the hash or anything else inside of that encrypted information.

Another technique developers use is to salt the hash. They might salt it with the session ID. And when
that session idea is sent across to the server to authenticate, it’s a one-time authentication process.
Even if somebody was to gather that information across the network as it was being sent originally, they
would not be able to reuse it. And the replay attack of this kind would not be successful.

This is also why we want to be sure that the cookies saved in our browser configuration on our
computers are secure. The browser cookies that are on your computer may contain information that an
attacker might be able to use for a replay attack. These browser cookies often have information that’s
specific to you. It may have personalization details or session management information. And it usually is
something that’s very unique to your sessions that you’re using in the browser.

Not only is there personal or private information that might be in these cookies, these cookies can often
contain session IDs as well. And if somebody was to gain access to an active session ID, they could pose
as you when communicating with another service. The key to a session hijack or sidejack, is for the
attacker to somehow gain access to the session ID.

When the client first logs into the server, they are assigned a session ID. And from that point going
forward, the victim is including that session ID when communicating with the service. This means that
the user doesn’t have to constantly keep logging in with their username and password every time they
communicate back to that website server. Instead, they’ll simply send the session ID and that will
confirm that the user that’s communicating to the web server has already been authenticated.
 If that attacker gains access to that session ID, they could have used that information to pose as the
victim and communicate directly to that service without requiring a username or password. This is why
it’s important to use an encrypted protocol such as SSL or TLS when communicating across the network,
which means that the attackers would have no way to gather that session ID off of the network flows.

For this session ID attack to work, the attacker needs to first get the session information. They might
gather that directly from the network using Wireshark or Kismet to gather it from the wired or the
wireless networks. If the server has a cross site scripting vulnerability, the attacker could use the server
to have session IDs sent directly to the attacker instead of gathering them from the network. Once the
attacker has the session ID information, they need to modify the headers that are being sent to the
server and they might use a third party utility to be able to do that in real time.

The attacker could also modify their browser cookies to make them look identical to those that would
come from the victim’s computer. One way to prevent these types of replay and session attacks is to
make sure that all of the communication between both sides is always encrypted. They can’t capture
session IDs if it happens to be in this encrypted traffic flow.

Turning on encryption on a web server adds some additional overhead. But is going to protect all of the
data that’s being sent back and forth. There are some browser extensions you can get that will force
communication to be HTTPS or TLS, but many sites these days will only operate as an HTTPS or
encrypted channel. So if you were to go to professormesser.com you will always be connected over
HTTPS.

If you’re communicating to a service that doesn’t support HTTPS, or it’s using a different type of
communication mechanism, then you may want to use something like an encrypted tunnel to at least
have part of the communication flow be in this encrypted channel. That way, if anybody does gather
that information on that encrypted flow, they would not be able to use any of the information inside of
that network traffic.

Request Forgeries – SY0-601 CompTIA Security+ : 1.3

An attacker can take advantage of legitimate cross-site requests and turn them into a malicious exploit.
In this video, you’ll learn about cross-site request forgeries and server-side request forgeries.

In this video, we’re going to talk a lot about cross site request. This is something that you’ll normally see
when communicating with a website. For example, you might visit my website at professormesser.com.
And when you visit the site, there’s going to be text that’s loaded directly from my particular web server.
The browser is also going to load videos if there happens to be one on a page. That video is not coming
from the professormesser.com server. That’s coming from the YouTube servers. And it might also
involve loading some information that’s from Instagram. So all of those pictures and images that you’re
seeing are coming from the Instagram servers.

It’s the HTML that’s in your browser that determines where your browser is going to go to gather the
information that’s required to make up that page. That is a completely normal and expected process.
And it works that way no matter whose website you happen to be visiting. What’s interesting about a lot
of the requests that are made from the browser when you visit my website is when you’re gathering this
information from YouTube and from Instagram, you’re not having to log in to get that information.
That’s information that is simply provided to your browser without any type of login credentials.
It’s this ability to use this trust that’s in your browser to be able to gather information from a third party
site, very often without the victim even knowing that it’s happening.

When you visit a website, there’s usually a combination of code that’s running. Some of the code is
running in a browser that’s on the client and some of the code is running on the web server itself. On
the client side, you’ve got information that’s rendering in the browser to show graphics and text. And
it’s usually something presented as HTML or JavaScript to the browser itself. There’s also code that’s
executing on the web server that’s often HTML and PHP. And this is used to perform back end processes.

For example, you might ask your bank to transfer data. And all that transfer is occurring on the server
side. There are also server side components used for doing things like posting videos to YouTube. When
you upload the video, there’s an entire re rendering process and posting process that all takes place
behind the scenes on the server without your client on your computer being involved at all.

Let’s first take advantage of the browser that’s on a client computer by using a cross site request
forgery. This is sometimes called a one click attack or session writing. You might see it abbreviated as
XSRF or CSRF. We often refer to this as a sea surf. With this attack, we’re taking advantage of the
inherent trust that a site has for your browser. You might have already logged into Facebook, for
example. So every time you visit facebook.com, it shows as your credentials whenever you’re visiting
that page.

This potentially means that an attacker could get your computer to create requests on their behalf using
your credentials. And that’s why this is a cross site request forgery and not an actual cross site request
that’s done normally. These types of forgeries obviously should not be happening. So the application
developers of the web server need to make sure that they’re putting anti forgery techniques into the
code of the service. Usually there’s something like a cryptographic token that’s used so that someone
would not be able to use a forgery to obtain information from that server.

Here’s an example of a cross site request forgery that takes advantage of a client’s browser. We’ll start
with the attacker that’s going to communicate with a visitor to a bank site’s web server. And the bank
site web server is down here. The attacker is going to create a request that takes advantage of this bank
site’s visitor’s browser and it’s going to send them that request in some way. Maybe this request is a
hyperlink inside of an email and the attacker wants the client to click on that hyperlink to perform the
forgery.

The attacker is hoping when the user clicks on this link that they will already be logged in to the bank
site’s server. When they click that link, it sends the request sometimes without the user even realizing it
to the bank’s web server. And because this user is logged in properly, this request is performed as if it’s
coming directly from the bank site’s visitor. If this request is a funds transfer, then the bank web server
transfer the funds to the attacker and pulls it out of the bank site’s visitor’s account and the request
forgery is complete.

Another type of forgery gets rid of the client completely. We don’t have to worry about trusting that a
browser is logged in. We’ll instead perform the forgery directly on the server side. This is a server side
request forgery, or SSRF. This requires that the attacker find a web application that is susceptible to this
particular kind of attack. And if we send specially crafted packets to the web server, we might be able to
have the web server do some work for us on its behalf.
 This type of attack needs a vulnerable application running on a web server. The attacker will send a
request to the web server and the web server will then perform those requests on behalf of the
attacker. This allows the attacker to access services that normally would be inaccessible. They might be
on the inside of a private network that only the web server might have access to. But because they’re
using this server side request forgery, they can now gain access to those services that normally would be
unavailable.

This is a type of attack that occurs because the web application is vulnerable. The developers have to
make sure that any of the requests that are input are not going to be used by the server to perform
additional functions. The server should always evaluate the input to the server and evaluate the output
to make sure that none of that information is unexpected. These are relatively uncommon types of
vulnerabilities. But when one is found, it’s very important to close it before someone’s able to take
advantage of that forgery.

Here’s a visual breakdown of the server side request forgery. We’ll start with an attacker who’s
communicating to a web server. They will send a request that is going to require that web server to
perform some other function in the background. For example, they may be sending a request to the web
server that has the web server query information on a file storage device. That file storage device sends
a file, or some type of response, to the web server. And the web server responds back to the attacker
with the information that was requested. That effectively means the attacker has access now to the file
storage even though there is no direct access from the outside. They’re having the web server perform
that access by using this forgery vulnerability.

Here’s an example of a server side request forgery that occurred in 2019. This was one where an
attacker was able to execute commands on the Capital One bank website. This is an attack type that’s
normally prevented if you’re using a web application firewall, or a WAF. In this particular case, they
believe that the WAF itself was misconfigured and the attacker was able to query that WAF and gather
information directly from that service.

We believe that by using this SSRF attack, the attacker was able to get security credentials of the WAF,
and by using those security credentials was able to access a bucket on Amazon’s simple storage service,
or S3. This is a file system that exists in the Amazon cloud. Those credentials were able to access those
S3 buckets. And inside of those buckets on the Capital One Amazon account where credit card
applications that range from 2005 through 2019. That was 106 million names, addresses, phone
numbers, emails, and dates of birth that consisted of 140,000 social security numbers, and over 80,000
bank account numbers all because they were able to perform this forgery that ultimately gave them
access to that bucket.

Driver Manipulation – SY0-601 CompTIA Security+ : 1.3

If they can’t infect your application, an attacker might try infecting your drivers. In this video, you’ll learn
about driver manipulation and how shimming and refactoring can be used to exploit your operating
system.

The anti-virus and anti-malware software that we run on our workstations is very good at stopping
known vulnerabilities. There are a set of signatures that are downloaded that integrate with the
software. And if anything enters your system that matches one of those signatures, it is blocked by the
antivirus software. But of course, our systems continue to get infected. So the attackers must be finding
other ways to get into our systems.

The attackers would love to find things like a zero day attack, which is a type of attack that is unknown.
There are no signatures for a zero day attack, which would be perfect for an attacker to use against any
one system. Attackers are also looking for new attack types, different ways that they could use to infect
your computer, that are different than anything you may have seen before.

An unusual kind of attack, would be to attack with the drivers that are used on your system. These are
the hardware drivers that are effectively the conduit between the hardware of your computer and the
software of your operating system. These drivers are trusted by your operating system, making them a
perfect conduit for a malware attack.

A good example of the vulnerability that a driver can bring to a system occurred in May of 2016, with
audio drivers on Hewlett-Packard systems. These drivers manage the audio chips that were embedded
on these HP systems, and they included some audio controls software that interacted with the driver.
This audio control software included a debugging feature. And that debugging feature included a key
logger.

This key logger meant that the attacker, or anyone using or taking advantage of this driver, would be
able to gather information on what keystrokes were typed on this computer. This really speaks to the
scope of the vulnerabilities that can occur with our drivers. Since we have video drivers, and keyboard
drivers, and mouse drivers, be very easy for an attacker to gather information and be able to use the
information that’s going into or out of our computers.

A shim is something you would use to fit into the gap that’s created between two different objects. If
you’re installing a door, you may need some wood to use as a shim that would go between the
doorjamb and the wall itself. Or if you’re in a restaurant and the table is uneven, you can use a sugar
packet as a schism between the bottom of the table and the floor that’s underneath.

There are also shims built into your operating system. Windows has one called the Windows
compatibility mode. You can run an application, but have Windows run that application as if it is running
in a different operating system. This allows older applications to run in newer versions of Windows. You
just have to tell the newest version of Windows, what version of Windows should this application run as.

This also uses an application compatibility shim cache, to be able to cache this information that’s being
transferred between the existing operating system, and the one that is being used as the previous
operating system. Malware authors have found that they can take advantage of this shimmed area to be
able to put malware onto a computer, and could get around some of the security features like the user
account control that exists inside of Windows.

A good example of a malware author taking advantage of this was in January of 2015. Microsoft released
a vulnerability statement that said that someone can take advantage of this compatibility mode, to
elevate the privilege of the current user on that system. Another way that malware authors get around
the existing antivirus or anti-malware software, is to use refactoring.

You might see this also referenced as metamorphic malware. This means that when your system is
downloading this malware, it’s downloading a unique version of that malware that will not match any of
 the signatures that are in your antivirus or anti-malware software. The malware author will add
additional code to the malware, such as a no op instruction, that’s a no operation instruction that
effectively doesn’t do anything, but it makes the malware look different.

Or they might add loops or pointless code strings, to make it so that a signature can’t match for this
particular executable. This executable uses refactoring to reorder functions, modify the flow of the
application itself, or to reorder the code so that it looks different than any other signature that might
already be in the antivirus software. This means that if you’re trying to stop this particular kind of
malware, you’re going to need other types of layered approaches to try to identify and stop anything
that might have been refactored.

SSL Stripping – SY0-601 CompTIA Security+ : 1.3

An attacker might be able to perform an HTTP downgrade attack to view traffic that you assumed was
encrypted. In this video, you’ll learn about SSL stripping and how attackers can use on-path attacks to
manipulate the SSL negotiation process.

Attackers know that most of the communication between your computer and a web server is going to
be over an encrypted channel. Very commonly, we use HTTPS to be able to send information back and
forth, and know that all of the data in that channel is encrypted and away from the prying eyes of the
attacker.

But the attacker knows that it could find some ways to get into that data, if it’s able to start
manipulating the data flow. And that is the SSL stripping, or what’s called the HTTP downgrade attack.
This is the way that an attacker can sit on the path of the communication and modify the
communication between the client and a server, so that it’s able to see all of the data in that data flow.

For this attack to work, the attacker has to sit in the middle of the communication between the client
and the server. So there might be a proxy server configuration. They might use ARP spoofing, or it might
be a rogue Wi-Fi hotspot that allows the attacker to get in the middle of this conversation.

From the victim’s machine, everything looks normal. There’s nothing unusual on the screen. There’s
nothing visual that really shows what’s happening, except the browser page itself that normally would
be encrypted is not encrypted. It’s communicating via HTTP, instead of communicating via HTTPS, for
secure.

This is a type of attack that has to be resolved by upgrading and maintaining software on both the client
and the server workstation. If you can make sure that the browser you’re using and the web server
software you’re using are not susceptible to a downgrade, then you can avoid this type of attack.

Although the details of when these particular versions of SSL and TLS were released are not part of the
exam, I want to step through what the evolution of this has been over time. If we start with SSL, which is
Secure Sockets Layer– this is SSL version 2.0. It was released in 1995, and deprecated in 2011.

Deprecated means that the industry best practices are that you not continue to use this software going
forward. There’s an SSL 3.0 that was released in 1996. It was one that is found to be vulnerable to a
number of cryptographic vulnerabilities. And so it was deprecated in June 2015.
 After SSL 3.0 came a change to the name of this encryption method, and it’s now called transport layer
security, or TLS. TLS 1.0 was released in 1999. It was effectively an upgrade to SSL 3.0. But it does have a
downgrade functionality that allows it to communicate with SSL 3.0. And as I mentioned, there are
vulnerabilities in SSL 3.0. So this would effectively not be a good version to use either.

TLS 1.1 was released in 2006, but it was deprecated in January of 2020 by most modern browsers that
you would run into. Here at the end of 2020, TLS 1.2 and 1.3 are the latest standards and the ones
commonly used to communicate to web servers.

With an SSL stripping attack, you’ve got a website visitor that’s communicating to a web server, but in
the middle of the communication is this attacker. This attacker will be proxying, or sitting in the middle
on this on-path attack to modify any communication that might be going back and forth between these
two devices.

To start a normal web server communication, a client usually will send a get command. And in this case,
the visitor is sending an HTTP URL to the web server itself. Since this attacker is sitting on path, it will
receive this command, and effectively send it unchanged to the web server.

The web server evaluates this, and notices that the client is asking for the non-encrypted version of this
page, but wants all of the pages on the server to be sent as encrypted. So it’s going to send a message
back to the client saying, let’s try this again. But instead of communicating via HTTP, let’s communicate
via HTTPS.

The attacker doesn’t want HTTPS communication to occur. So it’s going to intercept that request, and
simply send back the HTTPS version of that request to the web server. This will set up an encrypted
channel between the attacker and a web server, but not between the attacker and the website visitor.

This web server will then send this page of information over this encrypted channel with HTTPS. The
attacker will decrypt it, because the communication is between the attacker and the web server, and
then will send back the in the clear or non-encrypted HTTP page to the website visitor.

This is a normal response to the request that was made earlier, and the website visitor has no idea the
attackers made these changes in the middle. This process can continue, because the website visitor
might send a post command to log in to that server with their username and their password.

Since this is set in the clear, and the attacker is in the middle of the conversation, the attacker will also
see the username and password, but will pass that through to the web server over this encrypted
channel using HTTPS. This process can continue with the web server responding back to that login
request, and the attacker can, of course, view all of that information and forward it on to the website
visitor.

To avoid this type of attack, we’ve configured many of our web browsers not to communicate to servers
using that HTTP method, and we’ve configured web servers not to respond to HTTP, and to instead
expect HTTPS that’s coming directly from the website visitor, effectively locking out anyone who might
be in the middle.

Race Conditions – SY0-601 CompTIA Security+ : 1.3

 Developers must plan for every possible contingency. In this video, you’ll learn how attackers can use
race conditions to exploit applications and systems.

In today’s modern computing environments, there are a lot of different things all happening at the same
time. And developers have to be aware of exactly what might happen and when. You do have problems
that can occur though if multiple things are occurring simultaneously and you weren’t expecting them to
occur simultaneously. This is called a race condition.

And if you haven’t written your software to plan for these types of situations, the results can be
disastrous. Attackers can take advantage of this using something called a time-of-check to time-of-use
attack, a TOCTOU. This type of attack is checking for things to occur on the system and making changes
but knowing that there might be other changes occurring behind the scenes at the same time.

Let’s look at a race condition example. This is one where we’re going to take money in one account and
transfer it to another account. There are two starting accounts– account A and account B. Both accounts
start with $100. We also have user 1 and user 2. These will both be performing these transactions at
close to the same time.

We’ll start with user 1, who’s going to perform a check balance to see what the current balance is in
both of these accounts. And both account A and account B both have $100. Just after that, user two also
performs a check balance and also sees that account A is $100 and account B has $100 as well.

Now user 1 is going to add $50 to account B, which means that account A remains at $100. And we’ve
added $50 to account B. It increases to $150. User 2 performs exactly the same function– adds $50 to
account B. Account A, of course, still has $100. And notice that account B has increased by $50 to $200.

Since this is a transfer of $50 and we’ve added the $50 to account B, we need to remove the $50 from
account A. And if we remove it from that $100 balance, account A’s balance goes down to $50. Notice
that account B is at $200 because that’s the additional $50 that was added by user 2.

Now we’re going to perform the same $50 removal from account A by user 2. User 2 performed a check
balance and saw that account A was $100 and has not performed another check balance. So it doesn’t
know that $50 has already been removed from account A. So it thinks that account A has $100. It
removes 50, and that takes it down to $50.

And the transfer is complete on both sides. Both sides were going to transfer $50 from account A to
account B. But the ending value has account A at $50 and account B at $200. This is a very simple
example of a race condition. But you can see the results of this race condition have very significant
outcomes. It’s important that developers are taking into account every possible scenario and when
those scenarios might occur.

An example of a race condition that occurred in space was in January of 2004 in the Mars rover Spirit.
The Spirit rover is designed to reboot its operating system whenever it runs into a problem that it can’t
resolve. And in fact, it found a problem with the file system, so it rebooted itself because of that but
found that the file system was corrupted during the boot process. And so it rebooted itself again.

So it found itself in a reboot loop because of this race condition. They ultimately told the rover to reboot
into a limited safe mode so that they could repair the file system, reboot the system, and get back up
and running.
 Another race condition occurred in 2003 from the GE Energy Management System that was used to
monitor electrical lines. Three power lines failed at the same time. But due to a race condition, a limited
number of alerts was shown to technicians. This got quickly out of hand and caused the Northeast
Blackout of 2003. It took a week or two for power to be restored. And it affected 10 million people in
Ontario and 45 million people in the Northeast United States.

And a deadly race condition occurred with a radiation therapy machine in the 1980s that used software
as a security mechanism. If operators changed the software settings too quickly, the software interlocks
failed. And that caused a race condition that had 100 times the normal dose of radiation. This resulted in
six patients being injured and three patients dying.

You can see how these race conditions can be caused by many different things. So it’s important that the
developers always consider every possible scenario and plan for that in their software.

Other Application Attacks – SY0-601 CompTIA Security+ : 1.3

There are many options available for the knowledgeable attacker. In this video, you’ll learn about
memory vulnerabilities, directory traversal, improper error handling, API attacks, and resource
exhaustion.

If an attacker can manipulate the memory of a device, then they can control it to do almost anything.
However, finding a vulnerability and memory and being able to manipulate it in a way that gives you
that advantage can be very difficult.

One type of memory vulnerability that often ends with the system crashing or the application failing is a
memory leak. In a normal application, memory is allocated for storage or for calculations and when that
memory is no longer in use it’s returned back to the system. With a memory leak, that memory is never
returned back to the system and the application continues to use more and more and more memory
until eventually it uses all of the available memory, and ultimately that crashes either the application or
the operating system it’s running on.

If an attacker is looking for a way to create a denial of service to bring down a system, a memory leak
would be a very good choice. When applications are using memory, they’re storing information into a
section of that memory. And then when they want to reference that information again, they simply
point to that area of memory. If an attacker can make an application point to a null section of memory
where nothing exists rather than the part of memory where the application data might exist, that’s
called a null pointer dereference. And if you’re pointing to nothing in memory, it very commonly causes
the application to crash. They’ll probably be debug information on the screen and this could cause the
denial of service the attacker has been hoping for.

Another way that attackers like to manipulate memory is with an overflow. An integer overflow is where
a large number might be placed into a smaller section of memory, which means that that extra space
has to go somewhere, and usually it goes into an area of memory that’s overflowed. Applications should
not work in this way. Application developers should make sure they’re not storing information into
smaller areas and causing some of that information to overflow into other parts of memory. It’s very
difficult to find an integer overflow situation like this that is something that is repeatable by an attacker,
but if an attacker can find an overflow that can be duplicated and it’s one that allows them to
manipulate the system in a way that’s advantageous to them, this makes for a very powerful attack.
Another vulnerability that might give a way for attackers to move around your file system is a directory
traversal attack. This allows attackers to read from different parts of a server, even areas of a server
where normally they should not have access. Let’s look for example, in this particular drive. This is my C
drive of my Windows machine, and I’m running a web server on this. This area in the lighter color are
the folders that are used in that web server. People who are accessing the web server should not have
access to these other folders that are on my system. Folders like the Windows operating system folder,
for example.

But there are vulnerabilities that you can find. For example, in certain versions of web server that might
allow people to browse outside the scope of the web server software. Or there might be vulnerabilities
in the software that you’re running on that web server that would allow attackers to move outside the
scope of the web server file system. And sometimes a web server misconfiguration might allow an
attacker to use the two dots and a slash be able to move backwards through the file system.

So in this particular case, there’s a web server and they’re trying to access show.asp which would be in
the root of this particular web server. And then they’re moving backwards through the file system twice.
So they would move up to the inet pub, and then finally the root of the entire C drive. Then they’re
going to access the Windows folder and view the system.ini file. By using this type of directory traversal,
they were able to break out of the web server and view files that were in my Windows folder.

We all know that eventually the systems that we’re using are going to have some type of error
associated with them. It might be in the operating system or the application or some other component
of what’s running on that device. When that error occurs, there’s probably going to be messages on the
screen. These messages might have information about the error, might have a code associated with it,
and it may show a little too much information about the underlying system it’s running on.

You should make sure that your error messages are showing just enough information so that people
understand what the error might be and they might be able to report that to someone else. But you
want to be sure to avoid information, such as the network you’re connected to, maybe a dump of
memory or stack traces or even database dumps. If you’re showing that as part of an error message, an
attacker may be able to use those details to learn more about the underlying system. Fortunately, this is
a relatively easy issue to fix as long as you have control of the development process for that application.

In earlier videos, we talked about the danger of invalid input going into a system and what the results
might be of the data coming out. All applications we’re using will have some type of input. We may have
to put in usernames or passwords or we may have to input information into a spreadsheet or a word
processing document. The data that’s being input by the users is going to be evaluated and acted on by
the application. So the application developers need to make sure that the data that’s being input is not
malicious or trying to circumvent any security mechanisms within the system itself.

For example, having a very specific string of input into a field might allow someone access to an entire
database of information. Or it might cause a denial of service and cause the application or the operating
system to fail completely. It may be difficult for attackers to find these instances where this type of input
might cause these issues, but as soon as they’re able to identify that in a vulnerable application they will
take advantage of it.
 When an attacker tries to manipulate the application programming interface of an application, that’s
considered an API attack. They’re trying to manipulate that API so that they can gain additional access or
gain access to data that would not normally be available to them. And in some cases, they can
manipulate the API to bring down the application or the system, creating a denial of service. In a
traditional application that we would run from our browser, we would have an HTTP GET command. This
might be a very complex GET command that’s sent to the web server. The web server interprets that
command, sends information on the back into the database that is then going to respond, and the web
server will give us an HTTP response.

An API based application is usually something running from a mobile phone, for example. And instead of
sending an HTTP GET, there will be many, many different application programming interface requests
being sent to the server. The server is going to perform similar functions on the back end to talk to the
database server, and then the responses to those API requests are going to be a series of API responses
which will be interpreted by the application running on the mobile device.

A resource exhaustion is a denial of service attack that can often be done by a single device over low
bandwidths. It’s a type of attack that uses up the available resources on a device so that the application
or the service that’s being used by it is no longer accessible by others. Here is a historically well-known
resource exhaustion. It’s a zip bomb. It is a very small zip file which is a compressed file, a 42 kilobytes in
size, which is very, very small. But if you were to uncompress this file, it would uncompress to a 4.5
petabyte, that’s 4,500 terabytes, file size. You can imagine unzipping this on a traditional computer. It
would very quickly use all available storage space.

This is such a well-known resource exhaustion that most antivirus software will immediately identify this
and prevent it from running. A network based resource exhaustion would be a DHCP starvation where
an attacker is starting to flood a network with what seems to be many new devices hitting the network
that will need IP address requests.

The attackers usually running from a single device, but is sending these requests with multiple Mac
addresses to make it seem as if there are many, many machines on the network and it will very quickly
use up all of the available IP addresses that might be inside the DHCP pool. This means that anyone else
who tries to connect to this network will not receive an IP address because they have all been used by
this resource exhaustion. There are configurations that can be made to switch that can limit the number
of requests made for DHCP addresses and that might limit the scope or at least the time frame that
somebody might have to be able to perform a DHCP starvation.

Rogue Access Points and Evil Twins – SY0-601 CompTIA Security+ : 1.4
An unwanted wireless access point can be a significant security concern. In this video, you’ll learn about
rogue access points, evil twins, and how to prevent or limit the use these wireless technologies.

A rogue access point is an access point that has been added to your network without your authorization.
This might be an end user, an employee of the company who goes out and purchases a relatively
inexpensive access point, brings it back into the office, and uses that to connect their own devices. This
would obviously be a security concern, but not necessarily someone looking to cause any harm.

But obviously, this could be a very significant security issue if someone was to gain access to that
wireless access point and then ultimately access to your corporate network.
 It’s becoming easier and easier to create a rogue access point on the network. It’s certainly easy to
purchase an access point, bring it into the office, and plug it in wherever you happen to have an
Ethernet network connection. You might also turn on wireless sharing inside of the operating system of
your mobile device or your laptop or desktop. Those devices can also look like an access point to other
devices, and would effectively turn into a rogue access point inside of the computer that you’re already
using.

This is why it’s always a good idea to perform periodic reviews of your wireless environment to make
sure that the only access points you happen to see on your network are the ones that you put there.
There are many third-party devices that can help you understand the wireless spectrum and who may
be using the frequencies in your environment. And there’s third-party tools, like the Wi-Fi Pineapple,
that can set themselves up as a rogue access point to see if other people on the network happen to use
it.

This is why it’s important to use network access control mechanisms, like 802.1x, that requires that
everyone connecting to the network provide a username, password, or some other type of
authentication before they are allowed access onto the network. This means if somebody was to install
a rogue access point and someone from the outside accessed that rogue access point, they still would
not be able to gain access to your network, because they would have to authenticate with a proper
username and password, as long as you were running 802.1x.

A more sinister type of rogue access point is a wireless evil twin. This is an access point that is designed
to look exactly like the access points that are already on your network, but they were put there for a
malicious reason. This is usually an attacker that’s trying to get your users to connect to their access
point by using a similar SSID name, similar configuration settings, or putting the access point in an area
where your users might happen to be.

If the attacker does manage to get the wireless evil twin installed somewhere close by to your users,
that evil twin could overpower the signal from the other access points and become the primary access
point on the network.

This is an even larger concern on networks that may already be open, such as a public Wi-Fi hotspot.
Those networks make it very easy for someone to maliciously install a wireless evil twin and then have
other people connect to that device, thinking they’re connecting to the legitimate public Wi-Fi network.

If you’re using a wireless network, and especially if you’re using a public Wi-Fi open network, you want
to be sure that all of your communications sent across that network is encrypted. Make sure that you’re
communicating to all websites over HTTPS, or even better install a VPN client, and all of your traffic,
regardless of where it’s going, will always be encrypted over that wireless network.

Bluejacking and Bluesnarfing – SY0-601 CompTIA Security+ : 1.4

Bluetooth technology is now quite robust and secure, but it wasn’t always that way. In this video, you’ll
learn about unwanted Bluejacking messages and how attackers were able to retrieve information from
your phone with Bluesnarfing.

Bluejacking is an attacker sending an unsolicited message to a victim’s machine, usually this is a mobile
phone or tablet, and the attacker is sending this message over Bluetooth. This does not use the cellular
 frequencies from a mobile carrier or 802.11 networks. It’s exclusive to using the Bluetooth
communications channel.

Since Bluetooth usually operates in a radius of about 10 meters, the attacker would need to be relatively
close to the victim’s machine to be able to send these Bluejacking messages. Some Bluetooth
implementations allow the Bluejacker to also send other types of information along with the Bluejacking
message. So instead of sending just the message you are Bluejacked, you could send the message but
also include a contact card, a video, or some other type of media.

Bluejacking is a relatively low priority security concern because it’s only sending a message to someone’s
device. It’s not accessing anything else in that mobile device or providing any enhanced capabilities. But,
of course, your user should always be trained on what to do if they happen to see an unsolicited
message appear on their mobile device.

A security concern that is a higher priority is Bluesnarfing. Bluesnarfing is when an attacker can access
data that’s on your mobile device using the Bluetooth communications channel. Using Bluesnarfing, an
attacker would be able to access contact lists, emails, calendar information, or any other data you might
keep on that mobile device.

This was a significant security concern when it was released in 2003, but it was patched relatively
quickly. And if you’re using a modern device with Bluetooth, it is not going to be susceptible to
Bluesnarfing. However, if you do have an older device that communicates via Bluetooth, it may be
susceptible to this Bluesnarfing attack so you need to make sure that the proper security procedures are
in place and that device is not one that could be accessed over Bluetooth.

Wireless Disassociation Attacks – SY0-601 CompTIA Security+ : 1.4

An encrypted wireless network may not stop all types of attacks. In this video, I’ll demonstrate a wireless
disassociation attacks and you’ll learn how to prevent them.

Let’s say you’re using your wireless network and it’s working exactly the way you would expect, except
suddenly the wireless network disappears completely. You have no wireless connectivity. And then
finally, it comes back and you can start using the wireless network again. Except then it disappears
again. And it keeps coming back and disappearing over and over and over again. And because it’s on a
wireless network, there’s really nothing you can do to maintain that connection to the wireless access
point.

If you’re not able to communicate, then you simply aren’t able to send any information over the
network. You would have to get a patch cable and physically plug in on a wired ethernet connection if
you needed to regain any type of connectivity. It may be what you’re seeing as a wireless disassociation
or sometimes what we call a wireless deauthentication attack. This is a denial of service attack that is
specifically causing devices that are on the wireless network to suddenly not be able to communicate at
all to the access point.

In order to understand how this attack works, we need to know more about the way that devices
connect to a wireless network and disconnect from a wireless network. To be able to perform these
functions, your mobile device has to send a number of management frames to the access point and the
access points replying back to your mobile device also using these management frames. These are
 conversations that all take place between the mobile device and the access point. And we as the end
users never see these conversations occurring.

And these are important conversations. These management frames manage quality of service
communication, they allow devices to associate to access points, and disassociate themselves from the
access point. And any other management functions occur because these management frames are sent
between those two endpoints.

Unfortunately, the original 802.11 standard didn’t provide any type of protection for these management
frames. They are sent in the clear over the network. And there’s no way to authenticate or verify that a
management frame that was received by the access point really did originate on your device. This means
that an attacker could send these management frames to an access point, and cause problems with your
communication.

Here’s a packet capture of an association request made over this 802.11 network. You can first see that
everything in this frame is in the clear. You’re able to read through all of this. None of this is encrypted
information. You’re able to see receiver address, destination address, transmitter address, and so on.
And here’s the wireless management frame details that discuss the SSID parameters, the supported
rates for speeds, power capabilities, and also other information that’s important when a device is trying
to authenticate or associate with an access point.

Let’s try to take advantage of this vulnerability. I have my mobile device. My mobile phone is on the left
side. And on the right side is a Linux device that I’m going to use to perform this disassociation attack. I
pulled up the about page on my mobile device so that we can see the Wi-Fi address of this device ends
in two echo fox delta. That’s going to be an important Wi-Fi address to use if we want to direct this
disassociation attack to just this device on the network.

The first thing I’ll do is run a utility that shows me what’s running on the network. This is arrow dump
NG. And it shows me BSS ID that is the access point and all of the stations that may be communicating to
that access point. And if you look closely, you can see the Wi-Fi address on my mobile phone that ends
in two echo fox delta is also this station address two echo fox delta. And you can see there were frames
being sent back and forth actively while this capture was being made.

Now I’ve brought up the Wi-Fi screen on my mobile device. And I’m going to use a utility called air replay
to be able to send deauthentication frames, that’s what the dash zero does, and I’m going to send it to
this specific BSS ID, that’s the access point, and this specific station which is my mobile device. When I
hit Enter, watch the connected network which is the PM network as soon as I start sending these
deauthentication frames, it disconnects itself completely from the Wi-Fi network. And now this mobile
device is no longer connected.

And as long as I’m still sending these deauthentication frames, this device is not going to be able to
reconnect to this wireless network. Obviously, this is a significant vulnerability. And the IEEE has already
made changes to the 802.11 specification to address this specific issue. The update was made in the
802.11w update that was made available in July of 2014.

Now some of the more important management frames are encrypted, things like disassociation,
deauthentication, and any time you’re switching between channels is all something that is over a
 protected channel instead of being sent in the clear. This also means that some third party on the
network would not be able to send these types of frames and remove you from the network.

Of course, not all management frames will be encrypted. There are certain management frames that
have to be unencrypted so that you’re able to first connect to the device. Frames such as beacons,
probes, authentication, and association frames are still sent in the clear. This update with 802.11w was
rolled into the 802.11ac standard. So if you’re running 802.11ac or a later version of 802.11, then this
protection is already in your access point. If you’re using those newer standards, then an attacker would
not be able to use a disassociation or deauthentication attack to remove you from your wireless
network.

Wireless Jamming – SY0-601 CompTIA Security+ : 1.4

A wireless network relies on a clear frequency spectrum for optimal operation. In this video, you’ll learn
about different wireless jamming techniques and how to locate the source of the interference.

Radio frequency jamming, or RF jamming, is a way for an attacker to disrupt a wireless network and
effectively create a denial of service situation. The goal is to decrease the signal-to-noise ratio at that
receiving device, whether that’s the end station or the access point. The signal-to-noise ratio describes
the relationship between the good signal received by a device and all of the other type of wireless signal
that is received by that device.

As long as the good part of the wireless signal is received and understood above all of the other noise
that may be in that particular spectrum, then the signal is able to be received and communication can
continue. But if the amount of noise is able to overwhelm the good signal, then the signal-to-noise ratio
will be decreased and the receiving device would not be able to communicate on that wireless network.

Sometimes this disruption of the signal is not something that’s intentional. It could be that someone’s
turned on a microwave oven and the oven is sending interference that’s causing this signal not to be
received by the end stations. But, of course, if this is some type of attack, then someone maliciously may
be sending additional noise on to the network to prevent someone else from receiving that wireless
signal.

Attackers will use many different techniques to create noise and conflict on the wireless spectrum. One
way is to send constant, random amount of information over the network to overwhelm the good
signal. This might also be a constant amount of traffic sending legitimate frames as well, and simply
using up all of the available bandwidth to do that.

This type of wireless jamming might also be something that’s intermittent. The attacker may be
intermittently sending random data or intermittently sending legitimate frames to disrupt the normal
flow of communication. The attacker might also put a little bit of a spin on the jamming by only sending
jamming signals when someone else tries to communicate on the network, effectively finding one
individual device and limiting that device from communicating on the network.

To be able to disrupt devices that are on a local wireless network, the jamming device would need to be
relatively close so that it could overwhelm the good signal. This means that an attacker would either
physically need to be somewhere near that wireless network or they would have needed to install a
device somewhere near that physical network.
 Trying to find the source of this particular jamming signal could be challenging. Many times we’ll do
what’s called a fox hunt, where you have a directional antenna and headphones and you can move that
antenna around to see where the strongest signal is coming from. And then as you get closer to the
signal, you can attenuate the signal or make it less strong so that you’re then able to get a better reading
and eventually you can triangulate where that signal may be coming from.

Finding and resolving these jamming issues can be challenging, but if you have the right equipment and
the right techniques, you’ll be able to locate and remove those from the network.

RFID and NFC Attacks – SY0-601 CompTIA Security+ : 1.4

RFID and NFC have become common technologies on our mobile devices. In this video, you’ll learn
about security concerns associated with RFID and NFC and what type of attacks might be associated with
these technologies.

RFID stands for Radio-Frequency Identification. And it’s a technology that you’ll find in many different
places. It’s inside the access cards we use at work.

You may find that it’s on an assembly line to be able to track where a particular component may be.
There might be even RFID tags put in your animals or your pets so that you can track where they happen
to be. It’s a technology that’s used in anything that you might want to track.

Here is one type of RFID tag. It’s right next to a grain of rice to give you an idea of how small some of
these can be. The kind of RFID tag you commonly see in something like an ID card is the flatter version
that you see here. It’s one that uses radar technology because there’s no battery inside of this RFID tag.
Instead, the signal that we are sending to the tag powers the tag itself. And then it is able to transmit its
ID back to us.

Although many RFID implementations are unidirectional in communication, there are some RFID
implementations that do provide for bidirectional communication. And although this RFID tag does not
have a battery, there are some RFID tags that do support a powered implementation. So it does not
need to have energy transmitted to the tag to have that tag then send information back to you.

This is a wireless communication. So many of the vulnerabilities you would get with any wireless
communication would also apply to RFID. For example, capturing the data between the RFID tag and the
RFID reader is certainly something you would need to consider, especially if that communication is in the
clear and not encrypted. If this is an active tag that contains information that can be changed, you could
even spoof the reader and send information to the tag that might modify the contents of that RFID tag
itself.

If someone was able to jam the frequencies that were associated with this RFID communication, then
they may create a denial-of-service situation. And no one would be able to read this RFID information.
And even in cases where someone has encrypted the communication between the RFID reader and the
RFID tag, unfortunately, a number of these keys have gotten out. And people are able to decrypt this
information by simply performing a few Google searches and then finding the decryption key.
Another type of RFID technology that is very common in today’s mobile devices is NFC. That is Near Field
Communication. You will commonly see NFC used in stores so that you can use your mobile phone or
your smartwatch to be able to pay for goods during checkout.

Bluetooth also uses NFC to simplify the pairing process. So instead of having PIN numbers and turning
on the pairing process, you can simply move your mobile device near the Bluetooth device. And it will
automatically pair that Bluetooth function. And since NFC allows us to associate with a particular mobile
device, we could use this NFC functionality as an authentication factor or a key to unlock a door.

The security concerns we have with RFID are very similar with NFC. We, of course, are concerned about
someone being able to capture information, especially if that NFC communication is sent in the clear.
This is a wireless communication. So any interference of those frequencies will create a denial-of-service
situation.

If the NFC communication is in the clear and not encrypted, someone may be able to sit in the middle of
the conversation and be able to relay or modify that information between endpoints. And, of course, we
need to make sure that the apps that rely on NFC are able to authenticate you properly so that someone
could not steal your mobile phone and then use that to perform an NFC transaction.

Randomizing Cryptography – SY0-601 CompTIA Security+ : 1.4

Cryptography isn’t very useful without randomization. In this video, you’ll learn about cryptographic
nonces, initialization vectors, and salting.

One of the core elements of cryptography is that there is a sufficient amount of randomization that the
resulting encrypted data looks nothing like the original plain text. If there was encrypted data that
looked similar to the original plain text, then there may be a way for an attacker to reverse engineer and
determine what the original text may have been. An example of cryptography without any type of
randomization can be seen here. I have a picture of this little puppy. And I performed an encryption of
this puppy.

And as you can see, the encrypted form of this looks almost exactly the same as the puppy I had
originally, except in a reverse form. You can easily see the image that I started with because this type of
cryptography did not add any type of randomization. This was an encryption done with 128-bit ECB,
which is Electronic Code Book, which is a way to take blocks of data and encrypt it.

So I took a block of data, encrypted it with a password, and wrote that encrypted data into this image.
The problem is that there’s no randomization to the key that I use. So each block of data looks very
similar to the block of data that was there previously, because most of this is either a color white or a
color black. And then we’re left with this very non-random result when we see the final encrypted form
of this image.

To be able to add randomization to this cryptographic process, we need to add a nonce. A nonce is an
arbitrary number that you would use one time. It comes from the term “for the nonce,” which means
for the time being. This nonce would be a random value or something that would be randomized
enough so that an attacker would not be able to guess it or easily replicate it. This could even be a
counter, as long as both sides are able to keep track on what the counter’s values might be.
 We often use a cryptographic nonce during a login process. This might start with a server that would
send us this random nonce. And we would then use our password hash and combine it with this nonce
and send all of that information back to the server. The server would then evaluate the password hash
and nonce with what it thought the password hash and nonce should be to be able to authenticate you
to that system.

The benefit of this is that the server is going to send you a different nonce each time you log in. So every
time you send that hash back to the server, it will be different every time. This means that if someone
was to capture that password hash being sent from the client to the server, they would not be able to
use this in a replay attack because that password hash will be different every single time you log in.

A type of nonce we commonly use in encryption is an Initialization Vector, or an IV. This is a way to add
randomization to the encryption scheme that’s being used. If we’re able to add this initialization vector
to an encryption key that we’re using, especially a key that we’re using over and over again, it will make
the overall encryption method that much stronger. You may see an IV used in encryption methods such
as the WEP encryption that we see here in this block diagram and in some implementations of SSL.

Not only would we use a nonce during the interactive login process, but we might also include a nonce
for the password hashes that we’re storing permanently in our database. This type of password
randomization is called a “salt.” And it’s a way to make sure that the passwords that we’re storing are
randomized across all users on the system.

If we use a different salt for every user that has a password stored on our system, every user could be
using exactly the same password. But the stored hash value would be very different between all of
them. This means if somebody was to gain access to our password store, they would not be able to see
that all of the users had similar passwords. They would see a random value for every single user
account.

On-Path Attacks – SY0-601 CompTIA Security+ : 1.4

An attacker in the middle of a conversation can access information and modify data flows. In this video,
you’ll learn about on-path attacks on the network and in the browser.

An on-path attack is an attacker that sits in the middle between two stations and is able to intercept,
and in some cases, change that information that’s being sent interactively across the network. This is a
type of attack that can occur without anyone knowing that anyone is sitting in the middle of the
conversation. In fact, you might hear this referred to often as a man-in-the-middle attack. The key to the
on-path attack is that the original data stream will be intercepted by the person in the middle of the
conversation, and that information will then be passed on to the destination. This allows the attacker
who’s sitting in the middle to read everything going back and forth between these two devices, and it
may also allow the attacker to modify the information as it’s being transmitted.

A common on-path attack on a local IP subnet is an ARP poisoning. This is an Address Resolution
Protocol poisoning. And that’s because ARP, as a protocol, does not have any type of security associated
with it. Devices receive and modify ARP tables without any type of authentication or any type of
encryption. This would allow an attacker to send ARPs to any device on the local subnet, and those local
devices would interpret the ARPs as if they were coming from a legitimate source.
 Here’s the way ARP normally works. You’re on a workstation, and you’re communicating to a router
that’s on your local subnet, and you can see the workstation here is 192.168.1.9, and the router is
192.168.1.1. Also, you can see that the Mac address of this device and the Mac address of the router are
also listed. Those will be important when we go through the ARP process.

When this device first connects to the network, it needs to know the Mac address of this router, but all
it has is the IP address, so it will send an address resolution protocol, or ARP, message out, and that
message will ask who is 192.168.1.1 in the expectation they will receive the Mac address in return. Well,
since this router is on this local subnet and it can see all of these broadcasts, it will see this request for
192.168.1.1, which is its IP address, and it will send back its Mac address to that requesting station. At
that point, the requesting station will store that information in a local ARP cache. This is a cache that’s in
the memory of this device, and that means that every time this device wants to transmit, it won’t have
to go through that address resolution protocol process again. It can simply check its cache, know what
the Mac address is, and send that information directly.

For an on-path attack using ARP poisoning, that attacker will need to be on the local network. And in this
case, the attacker has an IP address of 192.168.1.14, and you can see the Mac address of that attacker’s
device. To perform this ARP poisoning, the attacker will send an address resolution protocol response
message to the device that it would like to poison.

This device did not ask for this information. This is completely unprompted. But because ARP doesn’t
have any security associated with it, those types of messages will be received and interpreted by the
receiving device.

This victim device receives the ARP message, changes the information in the cache, and going forward,
anything that’s sent to 192.168.1.1 will not be sent to the router directly, but instead will be sent to this
Mac address, which is belonging to the attacker. The poisoning is now complete on the victim computer,
and now to complete the conversation and be in the middle of the conversation in both directions, the
attacker will perform exactly the same poisoning to the router. Once that poisoning is complete on both
sides, anything sent between the victim’s machine and the router will be relayed through the attacker’s
device.

An on-path attack is not an easy attack to execute. In the example with ARP poisoning, you saw that we
needed to be on the local network, and that’s not always something that’s accessible to an attacker. It
would be much easier if the attacker was on the same computer as the victim. With an on-path browser
attack, the malware that is the relay between the victim and the other devices exists on the same
computer as the victim. It’s effectively in the browser of the victim’s computer.

This type of attack has malware that’s running on the victim’s machine, and it’s usually not a person
that’s handling the relay, but an automated process within the malware. Having malware on the same
machine perform this on-path attack provides a number of advantages. Over the network, any
encrypted data, even though it was proxied or relayed through a secondary device, would still be
encrypted.

There’s no way for someone to be able to decrypt that data as it’s going by without one side or the
other knowing that that’s happening. But if you’re on the same computer as the victim, you’re able to
see all of the data in its raw, unencrypted form. It’s these types of on-path browser attacks that sit
 behind the scenes, wait for you to log into your bank, for example, and then begin transferring
information out of your account because they’re able to grab all of that data on your machine.

With the on-path browser attack, the malware simply sits in the background and waits for you to log
into your bank. Once you log into your bank, the bank trusts the browser that you’re using, it trusts the
computer IP address that it’s coming from, and the authentication is now complete. The malware
behind the scenes can capture login credentials, capture keystrokes, understand that you’re logged into
your bank account, and then begin transferring information from one bank account to another or
making modifications to your bank account. This is another good example of why keeping your antivirus
and anti-malware up to date so that it can always be looking for an on-path browser attack.

MAC Flooding and Cloning – SY0-601 CompTIA Security+ : 1.4

An attacker can sometimes manipulate network traffic to gain unauthorized access to information. In
this video, you’ll learn about MAC flooding and MAC cloning or spoofing.

In networking, the term MAC address refers to the Media Access Control address of a network card. We
often refer to this MAC address as the physical address of the card because every single adapter card
has a different MAC address. In ethernet, the MAC address is 48 bits long, which is the same as being 6
bytes long, and we write all 6 bytes in hexadecimal.

The 6 bytes are broken up into two sections. The first three bytes are the Organizationally Unique
Identifier, or OUI. We often refer to this as the manufacturer portion of the MAC address because this
particular value has been assigned to a manufacturer, and all of the network interface cards they create
will start with the same three bytes. The last three bytes of the MAC address are the serial number, and
the manufacturer will increment that serial number for every network interface card they manufacture.

The switches that we have on our local area networks are designed to work at this MAC address level.
They will interpret what’s in the frame and will forward or drop that traffic between different interfaces
on the switch. The switch maintains a list of all of the MAC addresses that it knows about on the local
network so that it knows when it receives a particular frame where it should be sending that frame as
the destination. Another significant operational requirement for a switch, especially in larger
environments, is that the switch maintains a loop-free environment. This keeps the network up and
running, and it usually is able to do this by using Spanning Tree Protocol, or STP.

Let’s look at the process that a switch goes through to maintain its internal MAC address table. We have
two devices on this network, Sam and the SGC server, and between both of them is a switch. Right now,
no one has sent any traffic to this switch, and so the MAC address table of the switch is completely
empty. If the switch receives any traffic that is not currently listed in this MAC address table, then it will
add that MAC address and the output interface to that table inside the switch.

Let’s look at an example where Sam is sending information to the SGC server. Sam’s MAC address is
1000 and all 1s, and the SGC server is 1000 and all 5s. So we can see the source MAC and the destination
MAC are listed in that frame. When that frame is received by the switch, the switch notices that the
source MAC address is not currently listed in the MAC address table, so it’s going to make a note that
anything associated with that MAC address must be located out on interface F0/1. So you can see the
MAC address table now shows the 1000 all 1s, which is Sam’s device, is located on the fast ethernet 0/1
interface of the switch.
 Now let’s look and see what happens when traffic goes the other direction. The SGC server is going to
send information to Sam, so the destination MAC address is 1000 and all 1s. When that frame hits the
switch, the switch will compare that destination MAC address to the list of destination MAC addresses
that it already has in its table.

And in this particular case, it knows that that MAC address is located on fast ethernet interface 0/1. It
then continues to send that traffic on to Sam’s machine out that particular interface. And of course,
since that SGC server’s MAC address was not added to the switch, the switch also adds that MAC
address to the table, and now any traffic destines for Sam’s machine or the SGC server will be properly
switched because those MAC addresses are listed in the switch’s MAC address table.

This is the process that occurs every time the switch receives a frame and needs to determine where to
send that information. Even with multiple devices on the network, any time a frame is received, the
destination MAC address is evaluated and compared to the existing MAC address table of the switch. If
there is a match, the switch will identify the output interface and then send that particular frame out
that specific interface.

One challenge with this table of MAC addresses is that there’s only so much room in a switch to
maintain this list. If you look at the specifications for a switch that you’re using, it will tell you how many
maximum MAC addresses can be held in that table. Attackers know that if there’s a limitation of any
kind, they can start taking advantage of that.

So one of the things that they might do is start sending traffic with different source MAC addresses to
that switch. Every time a frame is received by the switch with a MAC address it doesn’t recognize, it will
add it into the table. And if that switch continues to see thousands and thousands of new MAC
addresses, it will continue to add those thousands of new MAC addresses to its MAC address lookup
table. Eventually, that MAC address table will fill up, it will be at maximum capacity, and the switch will
recognize that it’s not able to add any more devices to the table. When this happens, a switch will no
longer start directing individual frames.

Instead, it will start sending every frame to every interface on the switch because it has no idea where
those devices might be, and it has no way to store that information in its MAC address table. This
effectively now means that your switch has turned into a hub. It’s now a multiport repeater without any
type of intelligence of where a frame may be transmitted to. Instead, all frames are sent to all interfaces
on the switch.

When this happens, it’s a great opportunity for the attacker to start collecting all of the traffic that’s
being transmitted on the network. Since some of the information is no longer directed to an individual
device and instead is sent to all devices, the attacker can simply start capturing packets and view
anything that may be traversing the network. Fortunately, most switches have configuration settings
that will look for and protect against this type of MAC flooding. It’s often called flood guard or a similar
feature, and it restricts one particular interface from sending multiple MAC addresses out over the
network and overloading that MAC address table.

Another method than an attacker may use to circumvent existing security devices is to spoof or clone a
MAC address. This is when an attacker will modify the MAC address of their device to match the MAC
address of a legitimate device that is either on the network or has recently left the network. If you’ve
 ever configured MAC address filters inside of a wireless access point, then you can see how spoofing a
MAC address might allow someone to match an existing allow list and gain access to a network that
normally they wouldn’t have.

This could also be used to create a denial-of-service situation on the network. If an attacker is using the
same MAC address as someone else, then the switch internal MAC address table may change to send all
of the traffic to the attacker instead of the legitimate original user. That will certainly create a denial-of-
service situation for the user, as the switch switches back and forth and back and forth between where
this MAC address might be on the network.

It’s quite easy to modify the MAC address of a device. Usually it’s a burned in address or one that is
assigned to the hardware of the network interface card itself, but most network drivers will allow you to
modify the MAC address to be anything you’d like it to be. This means that it doesn’t take any special
software or knowledge to be able to clone or modify a MAC address to match an existing device.
Fortunately, many switches include features that will look for and block MAC address cloning or MAC
address spoofing so that these types of problems don’t occur on your network.

DNS Attacks – SY0-601 CompTIA Security+ : 1.4

The Domain Name System is a critical part of the network communication process. In this video, you’ll
learn about DNS poisoning, domain hijacking, URL hijacking, and the importance of domain reputation.

One way that attackers can manipulate a DNS is by poisoning the DNS server. It takes a bit of knowledge
to be able to execute a DNS poisoning attack, but it is very effective way to redirect traffic to an
attacker’s website.

One way to perform a DNS poison is to modify the host file that’s located on each individual device. The
host file in the machine takes precedence over any DNS queries, so it doesn’t matter what is configured
in a DNS. Your computer is going to follow whatever is listed in that host file.

Another way to poison DNS is for someone to sit in the middle of the conversation with an on-path
attack and be able to modify a query that’s being sent to a client. This would allow an attacker to change
the IP address to be whatever they would like it to be. And another way to poison the DNS query is to
modify the DNS information on the legitimate DNS server itself.

In this example, we have two users that will be querying a DNS server and we have an attacker that’s
also wanting to query this DNS server. The DNS server has the legitimate IP address of
professormesser.com as 162.159.246.164. But the attacker would like the IP address of
professormesser.com to resolve to 100.100.100.100, which is probably a web server that is under their
control.

User 1 is going to perform a DNS query where they’ll ask the DNS server what is the IP address for
professormesser.com. This DNS server is going to respond back with that answer and User 1 is going to
put that information into the DNS cache on this local machine. The attacker is now going to gain access
to this DNS server and modify the DNS configuration files on the server so that this DNS believes that
professormesser.com is located at 100.100.100.100.
 This means that any subsequent request to this legitimate DNS server, for instance from User 2, will be
responded to with the incorrect IP address. And now the attacker has poisoned the DNS server. Another
way you can modify DNS information is to modify the domain configuration of a particular domain
name. So if the attacker can gain access to the account that’s in charge of that domain at that registrar,
they can begin making those DNS changes.

There are many different ways for the attacker to do this. They could simply brute force the password
that you’re using on that registrar’s account. Or maybe they’re using social engineering. They’ll send you
a phishing attempt in the hopes that you’ll send that information back to them. Or the attacker might try
to gain access to the email address associated with the account that’s at that registrar or use many
other methods in order to gain authentication and make changes to that domain information.

An example of an attacker doing exactly this occurred on Saturday, October 22, 2016 at 1:00 PM. 36
domains were changed for a Brazilian bank. This covered their domains for desktops, for mobile devices,
and almost everything else associated with the bank.

The attackers were able to maintain control of this domain information for six hours. So anyone who
accessed that DNS server and gathered that information was redirected to the hacker’s website instead
of the legitimate bank website. This bank had over $5 million customers and over $27 billion in assets
and, at this point, we still don’t know the extent of what may have occurred during the six-hour domain
hijack.

Another type of attack might not involve changing the legitimate domain name but instead creating a
domain name that was close enough to seem legitimate. This is also known as a URL hijack, and it’s
commonly used to redirect people to pages that would show them ads instead of taking them to the
legitimate website. Another moneymaking opportunity for an attacker is to sell the badly-named
domain name to the legitimate owner so that everyone who is visiting the incorrect URL would then be
redirected to the legitimate URL.

And although there may be legal issues associated with it, some attackers will take a domain name
similar to one company and redirect all of that traffic to the competitor of that company. It’s probably
more common though for an attacker to try to use this as a phishing opportunity. They can get people to
visit that site and think they’re on the legitimate site. They may be able to gain personal information or
login credentials. And if you can get someone to visit a site, you may be able to then download
something into their browser and perform some type of malicious software installation– all because
they visited an incorrect URL.

There are a number of different ways an attacker might be able to use this difference in your URL to
their advantage. One way is to take advantage of maybe bad spelling. A domain like
professormesser.com has many opportunities for misspellings, and an attacker might buy multiple
domain names in the hopes that someone might type it in incorrectly and visit their website instead.

Some of these might be very obvious. For example, the legitimate professormesser.com can be easily
misspelled professormessor.com with an “or” at the end. These look very similar to each other, but
someone who’s typing in the second URL may not be visiting a legitimate site. An attacker may try to
take advantage of people not spelling things properly when they’re typing it in. If an attacker purchases
 professormeser.com with one “s” instead of two, they may be counting on someone not typing it in
correctly into the address bar of their browser.

And depending on what their purpose was, they could try a different phrasing of the domain name to be
something relatively close like professormessers.com. And if you weren’t paying a lot of attention to the
domain itself, you could probably find professormesser.org or some other top-level domain and use that
instead of the legitimate professormesser.com.

Companies have to be very careful with the reputation associated with their email and web services.
Email reputation is determined on the type of email that is being sent from an organization and what
the users are clicking in their mail clients. If many people start clicking that a particular type of email
sent from a company is spam, that will affect the reputation and the ability for that company to send
mail to others.

A good example of this reputation problem is if a company might be infected with malware that sends
spam using the company’s email server. Users will receive that spam message and they will click that
button inside of their mail client that says, “This is spam.” As companies begin receiving more and more
reports from their users that you’re sending spam, they will start limiting or restricting your ability to
send any emails to their users.

There are many websites that can check and constantly monitor the reputation of your email IP address
so that you can stop any of these problems before they become a significant issue. Not only do you have
to be aware of the reputation of your email servers, you also have to be aware of the reputation of your
web servers. If an attacker was to put malware onto a web server, that web server will be indexed by
the major search engines and those search engines will identify the malware that’s on your server. Then
any time anyone visits your website, they will get a message that says the site ahead contains malware
with a big red message warning them that the site they are visiting is not safe.

This will obviously be a significant problem if you have sales from this website and users will avoid your
brand and your overall reputation will suffer. Once you’ve been indexed with this malware on your
website, most of the damage is now done. Even if you remove it quickly, it’s going to take some time to
be re-indexed by the search engines and then finally have these messages removed from your domain
name.

Denial of Service – SY0-601 CompTIA Security+ : 1.4

An attacker can use many different techniques to cause a service to become unavailable. In this video,
you’ll learn about denial of service, distributed DoS, DDoS amplification, application DoS, and
operational technology DoS.

A Denial of Service is when an attacker causes a service to become unavailable. They might cause a web
server to stop responding, or perhaps emails can no longer be sent. This is usually because there’s some
type of vulnerability in the software that runs the service, or there’s some type of design failure with the
systems surrounding the operation of that service.

That’s why it’s always so important to make sure that you always keep your operating system, and your
applications up to date with the latest versions. Sometimes this is done by a competition. They would
like to see your web server be offline so that people would visit their site instead.
 Or they may be using this Denial-of-Service, to be more of a smokescreen, for something else they’re
doing on your network. If they bring down your DNS server, all of your efforts will be on getting your
DNS server back up and running, in the meantime, they’re pulling all of your data from your database.

We often think of denial of service, as being thousands of people hitting a website at one time, there’s a
botnet that’s being controlled. But the reality is, many Denial of service can be very simple. An attacker
walking up to a building and pulling the power switch is a very effective Denial-of-Service, and it
certainly causes services to be unavailable.

Sometimes, we cause these problems ourselves. It doesn’t always have to be an attacker causing a
Denial-of-Service. For example, if you plug in the wrong cables to the wrong switch, you may
inadvertently create a loop in your network, and cause the entire network to become unavailable.

That’s why we always tell you to turn on Spanning Tree Protocol so that you won’t inadvertently cause
these types of layer to loops. If you have limited access to the internet, one person downloading a very
large file could create an outage for everybody. You want to be sure that you have a way to manage the
bandwidth over your internet connections so that you’re not causing a Denial-of-Service for everybody
else.

And of course, we have to think about our physical facility as well. Something like, a water line break,
can certainly create a problem, especially if that water line happens to be in the ceiling above your data
center.

A well-equipped attacker isn’t going to use one system to attack one service, they’re instead going to
use many, many, systems to attack a single service, and what’s called a Distributed Denial of Service
attack. This is where many devices might be used simultaneously to create bandwidth spikes or attack a
particular service and cause it to be unavailable.

The attackers often use botnets to be able to perform these Distributed Denial of Service attacks or
DDoS attacks. They might have thousands or even millions of computers at their disposal, and they
might decide to send a certain group of those towards your web server, and cause it to be unavailable.

For example, at its peak, the Zeus botnet infected over 3.6 million computers. This allowed whoever was
running the botnet, to be able to control all of those systems, and create Distributed Denial of Service
attacks among other things. With Adidas, it’s very common for all of these individual attackers to have
fewer resources, than the device they happen to be attacking. But because all of them are attacking at
the same time, they’re able to easily overwhelm the resources of the victim.

The attackers have also found ways to increase the amount of traffic that’s being sent during these DDoS
attacks. One way to do this is to create DDoS amplification. It’s a way to take a small attack, and
suddenly have it arrived at the victim’s machine as a much larger attack.

This usually involves reflecting a particular type of protocol from one service, onto the victim’s machine.
This might use ICMP, it could use DNS, or maybe NTP, as a way to send a little bit of information into a
service, that is then amplified and sent to the victim’s computer.

Here’s an example of how you can use DNS, to amplify a Distributed Denial of Service attack. DNS is
usually a very simple and small conversation between two devices. A single client asks a DNS server for
an IP address, and that IP address is sent back to the client.
In this query though, that’s sent to iac.org, you can see the query appear in the blue, this entire answer
section is the information that is sent back. That is a very large amount of information that is sent for
such a simple query to a DNS server. A query that is 28 characters in length created a response that is
over 1,300 characters in length.

For an attacker to take advantage of this, they need to find DNS resolvers that are open and available for
anyone to query this device, and be able to query this device with a spoofed IP address. That starts with
a botnet command and control service, that is going to send a message to the botnet, and it’s going to
ask the botnet to send that 28 byte DNS query, to these open DNS resolvers.

At this point, that’s a very small query to make across the network, and so those devices will send that
request in. Now those DNS servers are receiving this query from a spoofed IP address, and the IP
address that’s being spoofed is this web server. Of course, this query that was 28 characters, turns into a
response of over 1,300 characters, and all of those DNS servers, are going to send that response to the
web server that was spoofed in the original query.

This large amount of traffic can easily overwhelm a web server, and of course, the command and control
can continue to have those botnets, constantly send those DNS queries, and constantly amplify the
amount of traffic being sent to that website server.

If an application has a type of vulnerability, an attacker could take advantage of that to cause a Denial-
of-Service. An example of an application Denial-of-Service would be something like a zip bomb. A zip
bomb is a 42-kilobyte zip compressed file. That’s a relatively small file.

But when you uncompress that zip file, it expands to 4.5 petabytes, which is probably much larger than
the amount of available drive space in your computer. So you could send somebody the zip file, ask
them to uncompress it, and it will very quickly overwhelm the available storage on that system, creating
a Denial-of-Service.

Another type of application, Denial-of-Service might be with a cloud-based service. Many organizations
will configure their cloud-based services to automatically add more resources as the application
becomes busier. This is called rapid elasticity. It’s a very common way to maintain uptime, especially on
a cloud-based service.

But if an attacker is able to start using more and more resources of that application, your web-based
service will continue to start adding more and more application instances. And every time more
application instances are created, there are more resources in use, and more money that is being spent,
to maintain that cloud-based service.

If an attacker can slow down that application to make the response times become much slower, that
might also cause more application instances to be created. In all of these cases, the attacker is trying to
find a way to create and use more resources, make the system more difficult to manage, and in some
cases, make it much more expensive for the end-user.

Our society relies on industrial equipment to maintain things like electric grids, make sure that our traffic
lights are working properly, or that our manufacturing plants are working the way we would expect. But
if an attacker is able to take advantage of these Operational Technology environments, or OT
environments, they could create Denial-of-Service situations.
 There’s much more at stake here than having a web server become unavailable. A Denial-of-Service of
operational technology means that the power grid stops operating, or the traffic lights, all turn green in
all directions. These would be significant problems that would create Denial-of-Service over a very large
area, for a large number of people.

There’s a very different security posture you would use for operational technology. You can’t simply put
a firewall in place and believe that you have all of the security you need. In these technologies that
handle such critical infrastructure, we usually have a completely different approach to how we segment
and protect these components.

Malicious Scripts – SY0-601 CompTIA Security+ : 1.4

An attacker might use different scripting methods depending on the situation. In this video, you’ll learn
about PowerShell scripts, Python, shell scripts, macros, and Visual Basic for Applications (VBA).

If you’ve ever done any type of automation or scripting with an operating system or devices on your
network, then you know what a benefit it can be. You don’t have to be there to perform these functions.
They can be done for you automatically. And if problems occur, they can be automatically identified and
a series of tasks can occur to resolve the problem without any type of human intervention.

This also happens very quickly because it’s happening at the speed of the computer. You’re able to
identify and resolve these problems much faster than anyone would be able to type interactively into a
keyboard.

And from the attacker’s perspective, having an automated attack function means that they can sit back
and let many different automated functions find the vulnerable systems wherever they happen to be.

PowerShell is a specially built command line for Windows. This is included with Windows 8, 8.1, and
Windows 10. And you’ll often see PowerShell scripts have a PS1 file extension. This takes the idea of the
normal Windows command line and extends its’ functionality to be able to manage almost every aspect
of the Windows operating system.

PowerShell can run functions at the command line, called command-lets, can also run PowerShell
specific scripts, or run executables right from the PowerShell command prompt.

If an attacker wants to control Microsoft Windows, then Windows PowerShell is a perfect jumping off
point. They’re able to administer the system, access Active Directory, or modify files that are in the file
system.

A more generalized scripting language would be Python. That usually has a .py extension. Python is used
across many different operating systems, including Windows, Mac OS, and Linux, which means you
could create Python scripts that might work across different operating systems.

Python is also commonly used in a cloud based environment. So if you’re building or tearing down
application instances, that orchestration is often managed using Python scripts. And if an attacker is
interested in hacking cloud based system servers, routers, switches, and other infrastructure devices,
then Python might be a good choice.
 In Microsoft Windows, we have the command prompt. But in Unix and Linux, we have the shell script.
This is a very flexible scripting environment. And it can be customized with a bash shell, a Bourne shell, a
Korn shell, a c shell, and other types of shells as well.

This is an example of a shell script. It starts with a special set of characters on the very first line, called a
shebang, it’s a hash-bang. And that designates that this is a shell script that would run with the shell
type that is listed immediately afterwards.

If an attacker is using Linux as a jumping off point or is trying to attack Linux systems, then the shell
script may be what they use to perform that functionality. Since effectively everything in the Linux or
Unix environment can be done at the command line, it makes sense that the shell script would be a
perfect way to automate some of these attacks.

Some applications have their own way of performing scripts. These are macros. And they’re written
specific to certain types of applications. These are designed to make the application easier to use by
automating certain functions within the usability of the application itself. But attackers have found that
they can use these macros to also perform malicious attacks against the applications as well. They just
need the user to open the file that has the macro, and have the macro execute, and then whatever
malicious payload they put inside of the macro will now execute on the user’s workstation.

In the Microsoft Office line of products, Microsoft has taken the idea of macro to a completely new level.
This is Visual Basic for Applications, or VBA. And it’s a way to provide extensive automation inside of
Microsoft Office. Not only is VBA able to interact inside of Microsoft Office, there are also hooks in VBA
that can talk directly to the operating system. As you can imagine, this might be a very good place for an
attacker to try gaining access to an operating system.

An example of a vulnerability that might cause exactly that type of access for an attacker is in CVE-2010-
0815. In this vulnerability, VBA does not properly search for ActiveX controls in a document. This allows
the attacker to run their own code on this device, which means they could install malware, have a
backdoor installed, or have any other type of malicious software execute on that computer.

Threat Actors – SY0-601 CompTIA Security+ : 1.5

here are many different sources of threats with many different motivations for attacking your network.
In this video, you’ll learn about threat actors and the differences between these different types of
attacker.

The definition of a threat actor is an entity responsible for an event that has an impact on the safety of
another entity. Sometimes you’ll hear this referred to as a malicious actor. This is usually the entity that
you’re trying to protect your network and your data from. This is the bad guy.

There are many different categories of threat actors. And in this video, we’ll step through some of those
major categories and examine some of the motivations they use behind their attacks. In many of these
examples, you’ll find that the threat actors are looking to implement an APT, that is an advanced
persistent threat.

It is a threat that’s able to get into your network because it is advanced. It’s persistent because once
they get into your network, they are there until you take them out. And obviously, the threat part of this
means that they are after something that’s on the inside of your network. What’s interesting about this
is how long it takes to finally identify that one of these threat actors has infiltrated and is living inside of
your network.

In a report from FireEye in 2018, they showed the average is 71 days in North and South America for
attackers to be in the network and undetected. This goes up to 177 days in Europe, the Middle East, and
Africa. And in Asia-Pacific, 204 days before anyone realizes that the attacker is now inside of the
network.

Some of the most dangerous threat actors are the ones that are inside of your network already. These
may be employers or contractors that work for your organization. And these are the insiders that have a
lot of control and a lot of reign over what they can do inside of your network. It’s unlikely that a threat
actor who’s an insider is someone who works at being a hacker 24 hours a day, seven days a week. They
probably have a different job that they’re doing inside of your organization, and therefore, the attacks
they use may not be as sophisticated as perhaps a more advanced attacker.

But the insider knows things that the hacker doesn’t. They know where your data center is located. They
know how your network is designed. They understand the security tools that you already are using
inside of your network. So they can direct their efforts towards the most vulnerable systems or the
systems that they may have the most access to. This is a huge advantage that an insider has over
someone who may be trying to get in from the outside. And because the insider is walking through the
front door every day and connecting to your network, they have a huge number of resources available
to try to find data and exfiltrate that information from your organization.

A threat actor who is a nation state is usually a government. This is an organization, usually in charge of
national security. And it’s almost always an external government entity. Governments tend to have
many resources available so they can hire the smartest technologists and gather the security experts in
that particular area.

A good example of a nation state being a threat entity is the United States and Israel team together, to
destroy about 1,000 nuclear centrifuges with a worm that was sent to Iran. This worm was able to get
inside of these centrifuge facilities, and its entire goal was to connect to a very specific type of centrifuge
and cause that centrifuge to work incorrectly. This is just one example of a government using an APT to
gain access, and in some cases, destroy equipment that may be inside of another government facility.

A Hacktivist is a threat actor that is both a hacker and an activist. This is a hacker who has a purpose or
goal in performing these threats or attacks against a third party. This is commonly associated with a
political or social message, but it doesn’t have to be limited to those particular areas. These attacks can
be very sophisticated, and they’re very focused on a single message or a single theme. It may be that the
hacker is trying to perform a denial of service or deface a website or find private information that can
then be released to the public. There’s not usually a financial gain to this hacktivism, so often the
hacktivist has to go outside of the organization to try to raise funds to keep going.

A Script Kiddie is a threat actor who may not necessarily be a kiddie, but they may be focused on
running very simple scripts to be able to gain access to someone’s network. The script kiddie is usually
someone who’s on the outside who’s trying to gain access to internal resources. But they just don’t have
the knowledge or experience to know exactly what to do to gain that access.
 We often call them a script kiddie, because what they’re doing is simply throwing a lot of different
scripts and a lot of different attacks at a system. And they’re hoping that one of them is going to find a
way in. Even though they don’t know exactly how these scripts work, they’re hoping that one of them is
going to give them the access they need. This is also a threat actor who doesn’t necessarily have a
financial gain as the result of this, so often there are limited resources for the script kiddie. But they’re
motivated by the process itself. They’re looking to brag that they gained access to someone’s network or
they were able to exfiltrate some data.

Organized crime is a threat actor that certainly transcends computers, but they certainly have made a
name in information technology. This is a set of professional criminals. This is what they do for a living,
and they are almost always motivated by a financial gain. Because there’s usually significant financial
benefit to these types of hacks, there’s usually enough money to purchase the best hackers.

And this group may be structured just like any other business. There may be someone who’s hacking,
another person managing the exploits that they use, another person selling the data that is gathered
from all of these efforts, and someone else handling, for example, customer support. From the outside
this may look like a normal company, but of course, this is a threat actor that has access to a lot of funds
and a lot of resources to be able to keep these threats going.

The term hacker has a very broad definition, but it usually refers to an expert with technology. This may
be an expert who’s working for good, or it may be an expert who’s being malicious. There are many
ethical hackers. These are people who are hired to look at a network try to gain access, find the weak
points, and then help resolve those weak points to make the network even stronger. This is usually
someone who has permission to perform these hacking functions because they’re going to help make
the entire system much more secure.

The other end of the spectrum is a hacker who is simply malicious. They’re looking to cause problems.
They’re looking to gain access to your data, and they’re looking to cause the most amount of mayhem as
possible. There are hackers that are in the middle of these two extremes. These are semi-authorized
hackers who may be looking for vulnerabilities, but don’t necessarily act on those vulnerabilities. This is
a hacker who is more of a researcher and trying to find access to someone’s network without necessarily
taking advantage of that access.

You may work in an organization that has an IT department, but you may not be part of that IT
department. And there may be times when you need to get something done with technology, but the IT
department is not able to do that for you. So instead of going through the IT professionals at your
organization, you would instead start creating your own separate IT entity. This would be the shadow it
of your organization.

This is a case where you’re performing your own it functions without interacting with your internal
information technology department. People who don’t work in IT often don’t understand some of the
restrictions and the policies that are in place. They feel that those types of policies are roadblocks that
restrict them from doing their job. So to work around these restrictions, they might create their own
Cloud Infrastructure, they might purchase their own equipment. But they’re doing this outside the
purview of the IT processes and procedures.
Although there may be some short-term benefits that would allow an organization to move very quickly
without being encumbered, they are very often significant disadvantages for being a shadow IT group.
For example, you’ve probably wasted time and money because IT department can do things usually
faster and less expensive. There are also security risks associated with this. And if you’re not an expert in
it security, you may be creating risks that you had no idea even existed.

Of course, there can be significant compliance issues. And depending on your organization and where
your organization might be, there might be some significant legal requirements. And of course internal
infighting creates dysfunction. And that dysfunction usually costs money, efficiency, and time.

The competitors to your business would love to see you out of the market. They might be interested in
causing a denial of service to your company. They might be performing espionage against you, or just
making your reputation one that is tarnished or harmed in the industry. Since this type of threat actor
can be a for-profit company, there are usually significant financial resources they can apply towards
these types of threats.

And you can imagine the disruption that would occur if a competitor was to gain access to your network.
They could shut down your organization while you’re having a big event, or maybe they steal all of your
customers’ data. They could also corrupt the manufacturing process and prevent you from creating any
new product. Or they might take all of your financial information and use that for their own purposes.

Attack Vectors – SY0-601 CompTIA Security+ : 1.5

If you’re going to stop the attack, you have to know where the attack is focused. In this video, you’ll
learn about direct access, wireless, email, supply chain, and many other attack vectors.

The attack vector is the method that the attacker will use to gain access to your computer or your
network. They are trying to find all of the different ways that they could somehow get around the
existing security and find their way to the inside of your network. As you’ll see as we go through this
video, the attackers spend a lot of time trying to find these vulnerabilities.

All they need is that one single vulnerability, and they’ve now gained access to the target. As a security
professional, you’ll spend a lot of time watching these attack vectors. You’re going to be patching a lot of
systems to close existing vulnerabilities, and you’ll be of course watching to see if someone takes
advantage of other attack vectors that simply have not yet been discovered.

If an attacker has direct access to the hardware that is running an operating system, then they have a lot
of attack vectors available to them. They will find a way into that operating system if they have physical
access. This is one of the reasons why all of our data centers are locked up and are usually very highly
secured. With many operating systems, you can reboot the system into a particular administrative
mode, make a change to an administrative password, reboot again, and now you have full access to the
operating system. And although that’s a very common attack vector, there are ways to prevent someone
from gaining this type of access to the system, but it’s very difficult to do if they have direct access to
that piece of equipment.

Another common direct access attack vector is to attach a keylogger to a keyboard. The keyboards are
usually directly on these servers, and the administrators are walking up to the systems and typing in
 their usernames and passwords. The attackers will put a keylogger into the keyboard system, so they’ll
simply disconnect the keyboard and put that right in the middle.

You can see it’s very small. You may not even realize that it’s connected to your computer. That
keylogger will remain on that system for a certain amount of time, and then the attacker will stop back
by, remove the keylogger, and then take it somewhere else to see exactly what everyone typed into that
keyboard while that keylogger was attached.

Another direct access vector is one where you can simply connect a flash drive or some other type of
portable media and just simply copy all of the files from that server onto a piece of media that you can
then take outside the building with you. And of course, if someone has physical access to the computer,
they can simply pull the power cord, pour water into the system, and create a denial-of-service.

On wireless networks, there are a number of attack vectors you have to be aware of. Of course, you
have to make sure that your access point is secure. Usually these have usernames and passwords to
authenticate the administrator into the system, and you want to be sure you’re not using the default
credentials, which of course will be very easy for an attacker to use.

You also have to make sure that your network is not designed to allow rogue access points. This would
be someone who brings in an unauthorized wireless access point and plugs it in. If one of your end users
is able to do that, then they can effectively turn on a wide open access point that anyone would be able
to connect to.

A more malicious form of a rogue access point is an evil twin. An evil twin is specifically designed to be a
hacking tool, and it’s made to emulate or look very similar to the access points that are already on your
network. This evil twin is designed to fool your users and get them to connect to the evil twin access
point instead of the legitimate corporate access point. Once your users are sending data to this
malicious access point, the attacker is able to see all of the data going by and even change that data by
using an on-path attack.

You also have to make sure that your access points and your clients are using the latest technologies.
For example, in 2017, a vulnerability was found with many clients that used WPA2, and they found a key
reinstallation attack called KRACK that would be able to gain access to WPA2 networks. This is a
vulnerability that was very quickly resolved by updating most of the wireless clients. There are also some
older encryption technologies that have significant vulnerabilities, technologies like WEP and WPA, so
you want to be sure that you’re running WPA2 or later on your wireless access points.

Email has traditionally been a very successful attack vector for threat actors, and that’s because so many
people have an email account. The attackers can send phishing links through email and gather personal
information directly from the end user, or they may be attaching malware or other malicious software to
the email and having people launch that software from their email client. This is also a great place to
perform social engineering attacks, like sending in a fake invoice and convincing people to pay a bill that
is not legitimate. This is one of the largest and most difficult attack vectors to manage, and if you’re
someone working in IT, you’re probably very focused on keeping all of your email messages as secure as
possible.

It’s very likely that most of the things in your organization were purchased from a third party. There’s an
entire supply chain designed to provide you with these products, and many different manufacturers and
entities were connected with that supply chain until it reached you. Each one of those steps along the
way is an attack vector, so it’s important that you know exactly where your technology comes from and
that it is as safe as possible.

In the 2013 credit card breach from Target, the attackers took advantage of the supply chain to gain
access to the Target network. Those attackers used a third party to Target. This was one of Target’s
vendors that then had access to the internal Target network. And once the attacker was able to gain
access inside of the Target network, they effectively had access to all of the cash registers at every
Target location.

A good example of using the supply chain to disrupt a manufacturing process was in 2010 with the
Stuxnet worm. This was a partnership between the United States and Israel that put a worm into Iran’s
uranium enrichment program and disrupted the centrifuges that were used during that manufacturing.
And in 2020, network administrators started to notice that their Cisco switches weren’t exactly what
they were expecting. There were at least two models of Cisco switches that did not originate at Cisco.
The details of where these switches came from and what the purpose of having these fake switches
might have been is still a bit of a mystery, but it certainly speaks to how important it is to be very secure
with your supply chain.

Attackers can gather a lot of information from social media, and sometimes it’s too much information.
Just by watching someone’s timeline, they may be able to determine where you are and when you may
have visited a location, or they might see that you’re on vacation for two weeks, and you’re going to be
nowhere near your home. These social media attack vectors could also be used to attack multifactor
authentication.

They might be able to look at your social media account and know where you were born or when you
were born, or they might know the name of your school mascot based on your Facebook profile. This
information can then be used during a password reset that would then allow the attacker access to your
account. And there’s more than one example where someone was pretending to be a friend to gain
access to your social media account, and so you have to be very careful about who you allow access to
your data and who is kept on the outside and away from your personal information.

One way to gain access to data that may not normally be accessible is to find ways around the existing
security technologies. One way to do this is to get on the inside and connect up a system that would
allow you to transfer data out of an organization. This can be very easy with a USB drive, and attackers
use USB connections constantly to be able to gather information and circumvent existing security
controls.

This type of attack may be required if a particular area of a network isn’t connected to the internet. It
may be air gapped, and there may be no direct connection to be able to communicate with it. But if you
can somehow plug in an infected USB drive, you may be able to infect the system and then have it
communicate out to the attacker.

As we mentioned in an earlier video, you may have a USB device that looks just like a flash drive, but in
reality, it looks and acts as if it’s a keyboard. So the instant you plug it in, it will start typing on your
computer as if it was a person on a keyboard. This is effectively a hacker that’s on a chip inside of this
USB-connected device, and it makes it very easy for the attacker to gain access to your systems. And of
course, the storage capabilities of these flash drives are getting much larger, while the flash drives and
devices continue to get smaller. This makes it very easy to plug in, transfer a bunch of data, disconnect,
and then hide that data as you walk outside the building and exfiltrate everything that may have been
on the inside.

Cloud-based applications have brought an entirely new set of attack vectors to consider. Very often,
these applications are publicly-facing, so it’s not only important that the application is secure, but the
entire configuration of that application. For example, if you’re putting data in the cloud, you want to be
sure that data is protected from prying eyes. The application should be the only thing gaining access to
that data, but unfortunately, misconfigurations can be made, and certain areas of data may be opened
up for anyone to be able to see.

Attackers are usually very good at brute forcing access to these publicly-facing applications, but they
might also use phishing techniques to have users send them their own usernames and passwords.
Attackers might also have you waste resources by increasing the load on a particular cloud-based service
and requiring additional instances of that application to be created. This may not allow the attacker
access to your data, but it would certainly cost resources and money. And because these applications
are public-facing, it’s important that you plan for any denial-of-service. Anyone would be able to access
that device from the outside, so you want to be sure you have all of the security tools in place to
mitigate or prevent any type of denial-of-service attack.

Threat Intelligence – SY0-601 CompTIA Security+ : 1.5

There are many ways to research and prepare for threats. In this video, you’ll learn about OSINT,
vulnerability databases, information sharing, and other intelligence sources.

As a security professional, you may be spending quite a bit of time researching threats that could be
potentially dangerous to your organization. These threats can come from public or private threat
databases, you may get information directly from the hackers, or it may be information that you’re able
to gather from other sources on the internet.

The important part is knowing that a threat exists, and that’s why it’s important to constantly stay up to
date with the latest threat posts, and understand exactly what threats may apply to your organization.
These threat intelligence reports can be used by almost anybody in IT security. So it’s important to know
exactly where you should go to get this information.

A good place to start with gathering this intelligence is from open sources. This is OSINT or Open-source
intelligence. This may be directly from the internet and discussion groups, or social media sites, or it may
come from a governmental organization, where they’ve compiled information from meetings or reports,
and they’re making that available publicly to everyone.

And there’s also intelligence that you can gather from commercial resources. So financial information,
databases maps, and other publicly available information. As you can imagine this threat information
can be very valuable, and a number of organizations are in the business to compile this information
together and make it available to you for a cost.
These threat intelligence services, are in the business, to make this information available to you. They
will compile this information from many different sources, and provide you with a method that you can
use, to gather and look through the threats that may affect your organization.

This threat intelligence is made available to you in a format, that allows you to easily see what threats
may be affecting your organization. And it also allows you to automate some workflows that you can
automatically be identified when a particular threat appears.

A common source of threat intelligence are vulnerability databases. These are large databases that
compile information, coming from many different researchers. The researchers will find a vulnerability,
they’ll report that into the Vulnerability Database, and then they will publish that database to everyone.

One popular database is the Common Vulnerabilities and Exposures database or CVE. This is sponsored
by the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency.
All of this information is compiled into a database that you can find online, at the US National
Vulnerability Database, or the NVD.

It’s a summary of all of the CVEs, and you can search and browse through that database to find
vulnerabilities that may affect you. An additional value that the NVD provides, is that they will compile
all of these CVEs together, provide severity scoring so that you can get an idea of just how severe a
particular vulnerability might be, and they’ll even give your ideas of how you may patch that particular
vulnerability, so it won’t affect you in the future.

This is the National Vulnerability Database dashboard you can find on the NVD website. They’ve already
received 11 new CVEs today and analyzed 34. You can get a summary of the score distributions of the
vulnerabilities that exist in the database. So you can see instantly, how many are critical, high, medium,
and low.

If we scroll down a bit, you can get a summary of the last 20 scored vulnerability IDs. So for example, the
one at the top of the list is CVE-2020-29041, a misconfiguration of web sesame 2020.1.1-3375, allows an
unauthenticated attacker to download the source code of the application.

They’ve identified this as a 5.3 or a medium severity on the 3.1 scoring and then you can click on this
CVE and read more about this particular vulnerability. This will give more detail about the vulnerability
of links to backgrounds, and patches associated with this vulnerability, and you can get an idea of
exactly what software is known to be affected by this particular CVE.

As you might expect sharing this vulnerability information, can be valuable for everyone. When one
person identifies a vulnerability, they can let everyone else know that vulnerability exists. There are a
number of different ways to share this data. There are public threat intelligence databases, that
sometimes will provide information that has been classified, but made available by the federal
government.

They’re also private companies that share information, especially organizations that work in the security
industry. With all of this data, one of the biggest challenges is making sure that you can receive data
quickly, and that the information you’re receiving is of the highest quality.
 To help work towards these goals, the Cyber Threat Intelligence or CTA was created, where members
upload the information they have about a particular threat. That information is evaluated and made
available to the other members of the organization.

And then other members of the CTA can evaluate that information, and validate what they’re seeing on
their network, matches what everyone else is seeing as well. It’s another way that members can react
faster to these types of threats with higher quality information.

As you can imagine, there is an extensive amount of threat information that needs to be disseminated,
and this information needs to be transferred in a way that’s secure. That’s why the industry has created
AIS or Automated indicator sharing. It’s a way to automate this process and move this information,
between organizations at the speed of the internet.

To be able to transfer this data, there needs to be a standardized format for these threats, and the
standardized format is called STIX. This is a Structured Threat Information eXpression, that includes
information such as motivations, abilities, capabilities, and response information.

In order to securely exchange this information, you need some type of trusted transport. And that
trusted transport is a TAXII. It’s the Trusted Automated eXchange of Indicator Information. We use this
standard TAXII format, to be able to transfer the STIX data between organizations.

One unique and significant type of threat intelligence comes from the dark web. This is an overlay to the
existing internet that requires specialized software to be able to access these private websites. There’s
extensive information to gather from the dark web, including the activities of hacker groups.

You can understand the tools and techniques they use to be able to gain access to people’s networks,
and you’ll even find websites dedicated to selling the information that they gather such as credit cards
and other account information. There are a number of communications channels available on the dark
web, and these forums can also be a valuable tool to use in your search for intelligence against the
attackers.

Not only do you need to constantly monitor for potential threats to your network, you also need to have
an understanding of when your network may have been breached. This would be an indicator of
compromise, or an IOC. You’re looking for a specific activity that could indicate that someone is now on
the inside of your network.

For example, you may notice that a particular amount of network traffic has increased, which could be a
normal result of what’s happening on your network, or it could be an indicator that someone is trying to
transfer information outside of your network.

Or perhaps files that normally would never change, suddenly have hash values that are different than
they were yesterday, which could indicate that an attacker is making modifications to existing trusted
files.

Perhaps the information that is sent from your organization to other countries is different, or maybe
things have changed in your DNS server. You might identify unusual patterns for people logging in at odd
times of the day, or there may be certain files that are suddenly read or executed more than they would
have normally been in the past.
 This is just a subset of indicators that could potentially identify a compromised network. It’s important
that you’re able to put all of these indicators in place and more to be able to understand, when and
where, someone may be attacking your network.

In some cases, we may be able to predict, when a compromise may be attempted. We can do this based
on a number of different criteria. One goal is to analyze very large amounts of data very quickly and be
able to understand where attackers may be focusing their efforts, and if those efforts may lead them to
your particular network.

An example of this might be to evaluate in real-time the type of DNS queries you’re getting to your DNS
servers or perhaps understand any changes that may be occurring with traffic patterns to your website.
There might also be ways to combine this with location data so that you can understand that this is
domestic traffic, or coming from an international source.

If you start combining these characteristics, with vulnerabilities that has suddenly been identified, you
may be able to predict if a particular system may be attacked. And knowing that the potential exists,
may allow you to set up additional security for those particular systems.

You can also see from this list that we’re not looking for a particular known signature. It’s not something
that’s a very specific attack type, we’re instead looking at a very large amount of data, and trying to
make inferences from that very large Data Source. There’s been an increasing emphasis in machine
learnings, that we’re able to take all of this data and find better ways to analyze it, to protect our
networks.

Sometimes, it’s useful to get a visual perspective of where attacks may be originating and where they
may be going to. There are a number of threat maps that you can view on the internet, that give you a
perspective of different types of attacks, and how often these attacks are occurring throughout the day.
These threat maps are often created from real-time data pulled from many different sources. So it’s
another piece of intelligence you can use to help protect your network.

There are a number of file or code repositories on the internet that can give you even more intelligence
about what to protect yourself against. Locations like GitHub are sometimes used by the hackers, to be
able to put together the tools that they then use to attack your network.

These code repositories are often used to keep data private between developers, but sometimes
misconfiguration can cause the source code to be released publicly. The attackers would love to get
their hands on the source code. So they’re constantly monitoring these repositories, to see if someone
may have accidentally made this information public.

The attackers might look through the source code to try to find vulnerabilities that they could then use
in exploits later. Or they may use the data within the code in future phishing attacks. Either way, it’s a
great source of information for the attackers, and it’s something that you can use as another intelligence
source to protect your network.

Threat Research – SY0-601 CompTIA Security+ : 1.5

Researching and understanding potential threats is an ongoing part of any security professional’s job. In
this video, you’ll learn about vendor websites, vulnerability feeds, academic journals, RFCs, and more.
 To be able to stop a threat you have to know the threat exists. And as an IT professional, you will be
doing a lot of research around these threats. The threats are changing all the time, the scope of the
threats is different every time. And although you may understand how an attacker gets into one
network, it’ll be a completely different method they use for a different network. You also find yourself
collecting research information from many different resources. Every resource has a different emphasis
and a different amount of information they can provide and you’re going to have to bring all of that
information together to really understand these threats.

If you’re interested in knowing the threats associated with an operating system or an application, you
should start with the companies that wrote the operating system or the application. Those vendors
know their products better than anyone else. And they’re also often the first one to know about
vulnerabilities. There’s usually a page on a vendor’s website where they keep track of all of the known
vulnerabilities. And usually there’s some type of notification process so they can inform you immediately
when a new vulnerability is discovered.

The National Institute of Standards and Technology maintains a comprehensive database of

vulnerabilities. This is the National Vulnerability Database and it keeps within that database a list of CVEs
or Common Vulnerabilities and Exposures. It’s common to supplement this database with third party
feeds from other organizations. You might roll up all of those vulnerability feeds into one central
vulnerability management system. This allows you to keep track of all the latest vulnerabilities, identify
vulnerabilities that may be specific to your environment and have some method to be able to be
informed immediately when a vulnerability is disclosed.

Another good source of information comes from conferences. This is a place you can go to learn the
latest of vulnerabilities and threats that could be affecting you. There are usually researchers that will
present information at these conferences that can help explain things that they found that are new,
trends that may be occurring in the industry or information about the latest hacks. This is also a good
place where you can learn from people who’ve gone through these attacks. Very often there’s some
lessons that can be taken away and their stories can help give your ideas of how to protect your network
even better. And since this is a grouping of people who have similar goals, it’s a great opportunity to
forge some professional relationships and have people you can talk to after the conference is over.

If you want to get detailed information about attack types and how people have had to deal with them,
then you want to reference some academic journals. These are usually periodicals or online resources
that are written by industry experts. They usually provide information about existing security
technologies and evaluate which types of security technologies may be better than others. These are
also great resources to learn detailed information about the technology. It’s common to find a deep dive
into a type of malware where it has been broken apart, decompiled, and you really understand exactly
the way the malware operates.

These journals are also great places to learn more about very specific aspects of the technologies you
may be using today. If you want to learn more about the details behind the scenes, these academic
journals will provide it. If you’ve done any type of work in information technology, then you’ve probably
heard the term RFC referred to a standard or a method of doing a particular task. RFCs are a way to
track and formalize a set of standards that anyone on the internet can use. And although many of these
RFCs are standards documents, you’ll also find other types of documents such as Experimental, Best
Current Practice, Standard Track, and Historic Documents.
Some of these RFCs also provide a detailed analysis of certain types of threats. For example, RCF 3833 is
the threat analysis of the domain name system. By reading through these RFCs, you can not only
understand how these standards are supposed to operate. But you can understand some of the
vulnerabilities that may exist within the standards themselves. On my monthly study group meetings,
you’ll often hear me encourage people to visit their local user group meetings. That’s because there is a
wealth of information that you can gather not only from the people presenting at the user group but
from the members of the user group as well. These are often local chapters where you can visit monthly
or quarterly meetings to stay up to date on the latest news.

You may also find valuable information at user groups that are not specific to IT security but still very
much a technology organization such as a Cisco user group, Microsoft user group or others. Not only are
you learning valuable technical information at these user groups, you’re meeting the local people in
your area that you can use whenever you might need some type of resource. There is a wealth of
security information on social media. For example, the large hacker groups will often put information on
Twitter that will describe recent vulnerabilities they’ve discovered or recent attacks that they’ve
completed. There’s also a number of resources on Twitter that can give you details about new
vulnerabilities that are discovered or new attacks that may be occurring. For example, there’s some
honeypot accounts on Twitter that will tell you when new exploits are being attempted against those
honeypots.

The search feature on Twitter can also be a valuable information gathering tool. You can search for a
particular CVE or look for the terms bugbounty or 0-day to see what other people may be announcing or
what they may be seeing on their network. This is also a good place to see other professionals having
conversations about these threats and understanding more about ways to block these threats should it
occur on your network. And it’s not too unusual to see social media used as a method of command and
control. You may be able to monitor how certain malware is operating based on the posts that are being
made to Twitter.

And although it’s useful to do these ad hoc social media searches, it’s also important to be informed
immediately when a threat is emerging. That’s why you should have some type of automated threat
feed that’s going to give you information about the most important threats you need to know about.
There are many different resources for these threat feeds, for example, the US Department of
Homeland Security, the FBI, the SANS Internet Storm Center, VirusTotal Intelligence, and other feeds as
well.

The information you’re often looking for is a TTP. This is a tactic, technique, and procedure. This is
understanding the methods that the attackers are using to get into your network and the process
they’re going through once they get access. The more you understand the attacker’s TTP, the better
you’re going to be at recognizing these tactics if they happen to appear on your network. And of course,
one of the challenges with this is that the TTP will change depending on the situation. For example, an
attacker might use a different tactic if it was a finance company versus a manufacturing company. It’s
also good to know where an attacker likes to spend their time.

If you know they spend a lot of effort trying to find vulnerabilities in DNS or an IP address vulnerability,
then you can focus your defense in those areas. Or you may find that a particular type of malware has
become very popular and you’re able to put the proper mitigations in place to prevent that malware
from operating on your network.
 Vulnerability Types – SY0-601 CompTIA Security+ : 1.6
There are many ways for attackers to find their way into your network. In this video, you’ll learn about
zero-day attacks, open permissions, unsecured root accounts, and much more.

There are many ways for attackers to find their way inside of your network. And in this video, we’ll look
at some of these common vulnerability types.

The applications we use on our computers and our workstations every day have vulnerabilities inside of
them. We just haven’t found those vulnerabilities yet, but hidden somewhere within the code of these
applications is potentially a way that an attacker can use to get into your network.

Security researchers are interested in closing these holes before the attackers find them. And they’re
doing research every day to try to identify these vulnerabilities that may be hidden in our software. But
of course, the attackers would rather find these vulnerabilities first. They can use these vulnerabilities to
find their way into your network or they can sell these vulnerabilities to the highest bidder.

If the attackers do use this vulnerability against you and this vulnerability has never been seen up to this
point, then we have a zero-day attack. A zero-day attack means that we’ve never seen this vulnerability
before. It’s brand new. And because of that, there’s probably not a patch or a way to prevent this
vulnerability from being exploited. Obviously a zero-day attack is something that we should all take very
seriously because often it’s very difficult to mitigate these. It’s very difficult to stop something that you
had no idea existed in the first place.

You always want to keep an eye on what the latest vulnerabilities might be and one place to go would
be the common vulnerabilities and exposures database, the CVE, that can be located at cve.mitre.org.

Sometimes, attackers don’t need to find a hidden vulnerability that’s inside of software instead they
wait for you to leave the door open and they simply walk in to that open door. This is an open
permissions problem, where information has been put onto the internet but no security has been
applied to that data. And it makes it very easy for anyone on the internet to access that information.
This used to be much more difficult when all of our data was in our private data center and there was no
way to gain access to that data from the outside. But of course, we’re putting an increasing amount of
data on the cloud. And because this data is now located somewhere that can be accessed from
anywhere in the world, it’s becoming increasingly common to see misconfigurations that would allow
access to this data.

One of many examples of this occurred in June 2017 when Verizon accidentally exposed 14 million
records of data. This was in an Amazon S3 data repository. And instead of applying the proper
passwords and security to the repository, it was left open. Fortunately, a researcher found this data
before someone malicious could get their hands on it and they were able to close this hole without this
data becoming public.

Attackers spend a lot of time on these cloud repositories, trying to find sections of data that may have
been left open. So make sure that if you’re storing data in the cloud that you’re putting the proper
security in place.
Not only do we sometimes leave our data open, we also sometimes leave our accounts open. And if this
account is an administrator account or root account, then an attacker may have full control over an
operating system. Sometimes, this is a misconfiguration that allows someone access to an administrator
account or perhaps the password associated with the administrator account is not strong enough to
prevent a brute force attack.

On many systems, the administrator has chosen not to allow interactive access to log into the
administrator account. This means no matter how hard the attacker tries to find the correct username
and password combinations; they’ll never gain access to the operating system by logging in with the
administrator or the root account. Access to the root or the administrative account should be closely
monitored. And we should always have policies and procedures in place to prevent casual use of these
accounts.

If you’re using an application and an error occurs, it’s very common to see an error message pop up on
the screen. But occasionally, we can give too much information in that error message and that
information could be used against us. For example, the error message may show the service that’s being
used or the application that we’re using. It might show version information associated with that
application. And the message may display debug information that could be memory values or
information that’s not commonly seen from the outside.

An example of an error message turning into a vulnerability and, ultimately, an exploit was in December
of 2015 on the website Patreon. They had installed a debugger to help monitor a problem they were
having with their website. Normally this is something that would not be visible to the public, this is only
used for internal use. But unfortunately, they left it turned on and it was exposed to the internet side.
Attackers found a way to access this well-known debugger and they were able to start using it to
perform executions of code on the web server itself. Using that vulnerability, they were able to transfer
gigabytes of customer data and then release all of that information online.

We often emphasize the need to encrypt our data. Encrypt data that we’re storing on our drives. And
encrypt data as we’re transferring it across the network. But just because we’re encrypting data doesn’t
necessarily mean that it’s well protected.

There’s many different kinds of encryption. That’s why you need to be sure that you’re using encryption
protocols that are strong protocols. Encryption protocols, such as AES and triple DES, are very common
to see used. And of course, you want to be sure that the length of the encryption key is long enough to
provide the proper amount of security.

You also want to be sure that the hashes you’re using don’t have any known vulnerabilities.

And if you’re communicating over a wireless network, make sure you’re using the latest wireless
encryption protocols.

There are many different cipher suites. And you’re using different types of ciphers in different places on
your network. So it’s always good to stay up to date with what the industry believes are the best ciphers
to use on your network.

A good example of a technology where it’s important to stay up to date is the TLS protocol. This is the
transport layer security protocol that we commonly use in our browsers to encrypt data. But there are
over 300 cipher suites in TLS. Some of them are very secure. And some of them are not secure at all. So
it’s important that you configure your web servers and your clients to make sure that they are using the
strongest protocols.

There are many documents for best practices on the internet that will help you know exactly which of
these cipher suites is the best to use. But in general, you want to be able to avoid any ciphers that are
weak or have null encryption. This would be encryption keys of 128 bits or smaller, which tend to be
very easy to brute force. You also want to be sure that you’re not using any outdated hashes, like MD5,
where known vulnerabilities may exist.

And with some of our applications, we’re simply sending the application data in the clear. Anyone who’s
watching this data go back and forth on the network would be able to read everything that we’re
sending back and forth.

Protocols, such as Telnet, FTP, SMTP, and IMAP, are good examples of these in the clear protocols. If
you’re not sure if your application is sending this information in the clear, then you may want to capture
those packets and see if you can read through the packet capture. If it looks like a plain English
description of the information that’s being sent across the network, then it is not being encrypted during
transport.

In many cases, you can reconfigure the application to use an encrypted protocol instead of the in the
clear protocol. So you might want to change the application to use SSH, SFTP, or IMAPS.

If you don’t configure your application to use these secure protocols and you go to an industry event
such as Defcon, you may find yourself on the wall of sheep. This is a list of everybody communicating on
the network in the clear along with the passwords and the application they happen to be using. This is
something that is easily captured from the traffic going over the wireless network and now it has been
put on the front board for everyone to be able to see.

We’re connecting more and more devices to our networks these days. And most of these devices have a
default username and default password. The attackers know that many people will plug these in and
never change that username and password. And they found ways to use this to their advantage.

One such use is the Mirai botnet. It takes advantage of these default usernames and passwords to gain
access to these systems and take them over for their own use. These devices now become part of a
much larger botnet and are now under the control of the botnet owner. This is a botnet that takes
advantage of many different kinds of devices and includes cameras, routers, doorbells, garage door
openers, and many other IoT, or internet of things, devices.

To make this even worse, the Mirai botnet is now open source. So attackers can download the software,
modify it for their own purposes, and control even more IoT devices.

To be able to use these services over a network, we have to open ports on the server, so that our
applications can talk to the server itself. Unfortunately, opening these ports also creates an opening into
the server. And we have to make sure that we’re properly adding the security that we need to let the
good people in and keep the bad guys out.

We often manage this flow of traffic with firewalls. We’ll have software based firewalls running on the
server and we’ll have network based firewalls on the ingress and egress parts of the network. The
firewall will commonly have a rule set that will allow or disallow access to certain ports on the IP address
and thereby keep out anyone who may be trying to attack that device.

Unfortunately, these rule sets tend to become very large, very complex. And as time goes on, they
become even more unwieldy. It may become very easy to accidentally allow access to a service that was
not intended. In fact, it’s very common for someone who is managing one of these firewalls to
occasionally audit the rule base, make sure that all of the rules are up to date, and that no mistakes have
been made with IP addresses, port numbers, or any of the other services that are configured in that rule
base.

We know that these vulnerabilities exist in our software and, of course, many organizations will
occasionally release updates to the software that didn’t need to be deployed on all of our systems.
Many organizations will have processes in place to be able to keep all of their systems up to date with
the latest patches. This is a priority for many organizations because most of these patches are associated
with security vulnerabilities.

There’s usually a group of people that will test these patches, make sure that they will operate properly
in your environment, and then load them on a central server, which will then deploy to all of the other
systems in your organization. These patches may be associated with the firmware, or the BIOS, of the
device. These may be operating system patches, which work on the core Windows, Linux, or other
operating systems. Or they may be patches associated with the particular application and so we would
need to patch all of these types of systems to keep everything up to date. If the patches on your systems
are not kept up to date, then the results could be very damaging.

For example, in 2017 between May and July, Equifax had a data breach of 147.9 million Americans, 15
million British citizens, and others. The information that was released included names, social security
numbers, birth dates, addresses, and more. The attackers were able to get into these systems because a
server on the Equifax network had not been properly patched.

This was from a vulnerability with Apache Struts that was identified on March the 7th. The attackers
were able to take advantage of this system on March the 12th. And the system had not been patched,
so the attackers were able to take advantage of this vulnerability. This wasn’t patched by Equifax until
July the 30th. By that point of course, the attackers were already in the network, they were already
gathering this information, and it was much too late for that patch to have any effect. A disclosure of the
breach was made public on September the 7th. And just a week later, the CIO and CSO were told that
they no longer were part of the organization. Two years later, Equifax paid over half a billion in fines, all
because they weren’t able to patch their systems quickly and properly.

If you go into any data center of really any size, you’re going to find systems and components in there
that may have been sitting there for a very long time. We refer to these older systems as legacy systems.
These legacy devices may be running older operating systems, old applications. There may be
middleware that’s installed, but these are systems that we can’t easily turn off or convert because
perhaps they’re performing a particular function that can’t be duplicated or no one is really put in the
effort to upgrade it to the latest version.

In many cases, these systems are running software that has been far beyond the end of life. There are
no longer patches being released for these. And it now becomes a security concern. It’s, of course, up to
 the security administrator to determine the advantage and disadvantage of having this system on the
network and finding ways to protect it, even though there may be no way to patch the operating
system. This means you may keep some of this legacy equipment around, but you may be adding
additional firewalls or other security tools around that system to make sure that you can keep it as
secure as possible. This may not be the best possible option when you have software and devices this
old on the network. But occasionally, you need to have some type of transition in place, so that you can
remove the legacy software and put something in place that’s much more secure.

Third-party Risks – SY0-601 CompTIA Security+ : 1.6

Interacting with third-parties adds additional security concerns. In this video, you’ll learn about system
integration risk, lack of vendor support, supply chain risk, outsourced code development, and data
storage risks.

No matter the size of your organization, there will be some type of third party that has access to your
systems, your applications, or your data. And because these third parties exist does not mean that we
can have less security. We need just as much security because these third parties are on our network.

It may be that the third parties are people that you can trust. But you should always plan for the worst
possible scenario and make sure that your security policies and procedures are expecting those types of
problems. And of course, these issues may not be malicious. It may just be errors that are created
because everyone is human, and occasionally, problems will happen. You need to make sure that the
security you’re putting in place for the technology and the physical security that you’re installing is
taking into account all of these third parties.

It may be that the third party is handling your hosting services, or maybe you contract with a third party
to be able to do development work. In most of these cases, the system integrators have additional
access to the systems because they need that access to be able to do their jobs.

Even if the systems integrators are not on site, they still have access to the data. They may have virtual
access to the data or through a terminal screen, or they may be physically on site and be able to install
equipment, such as keyloggers or USB flash drives.

And because these integrators are on the inside of the network, they’re past the firewalls and the
security devices that we commonly put on the perimeter. That means they might be able to run
software such as port scanners or capture data directly from the network without needing to go through
any type of security controls.

And if you’re on the inside, it’s much easier to put malware into an existing network, because you’ve
now gone past all of those security filters. And in some cases, running software that you thought was
safe may inadvertently install malware on systems. And now that those integrators are on the inside, it
becomes much easier to deploy those instead of having to go through an existing email filter or firewall.

We rely a lot on our vendors to be able to maintain the security of the systems that we’re putting into
our environment. And very often, we have to make sure that the vendors know a problem exists and
that they can fix the problem in a timely manner. This isn’t always the case. You have to, of course, make
sure that the vendor is aware of the problem, and then the vendor themselves has to be motivated
enough to make sure that they can keep those systems up to date and safe.
For example, we can look at the situation that occurred with Trane Comfortlink II thermostats. These are
thermostats that can be remotely managed and maintained. Trane was notified in April of 2014 that
there were three security vulnerabilities associated with these thermostats, but it took a long time to
have Trane finally resolve these particular vulnerabilities. Two of these were patched in April of 2015, a
year later, and another one in January 2016, almost two years after these vulnerabilities were identified.

These are the types of security issues that we rely on our vendors to be able to resolve. We can’t make
these changes ourselves. So you have to make sure that you partner with vendors that will be aware of
these problems and be able to react to them quickly.

Almost everything that we use in our networks and our systems all come from a third party. We may be
purchasing equipment from a third party or getting raw materials that are brought in from a third party.
And with all of those products, every step along the supply chain, there is the potential for a security
issue. That’s why it’s always important to maintain your security controls, whether these are devices
that you have in-house or things that you bring in from a third party.

For example, it’s rare, but certainly not unheard of, to bring software into the organization that may
have previously been infected with malware. And although you trusted the software coming from this
third party, it, in fact, was able to infect your systems once you installed the trusted software.

And these days, you also have to check the hardware that you’re getting from a third party. Some
people have purchased Cisco switches, but what arrived, although it looked like a Cisco switch, was, in
fact, a counterfeit switch. Organizations need to have processes and procedures in place so that they’re
able to monitor all of this coming through the supply chain and be able to react to any type of security
concern.

Not every organization has the resources available to do their own in-house development. You often
have to go outside to a third party to have some programming services done for you. In those cases, you
need to make sure that you’re building a secure environment for the developers to work in and for you
to be able to evaluate the code that’s being created.

For example, you have to decide where the code itself will be stored. If you have the code in-house, you
may want to provide the developers with a VPN connection to all of that data, or you may want to have
the data stored on a centralized cloud-based server. In both of those situations, you need to make sure
that you’re putting in the correct security controls for where the data happens to be and how people are
accessing it.

It’s also a good best practice to make sure that wherever that data is stored and where the developers
may be working is isolated and secure from the rest of the network. The production services should be
on a separate, isolated part of the network, and the development team should not have access to the
production site of the network.

And once the code has been completed, it needs to be checked to make sure there’s no other ways to
gain access into that application. And you want to be sure that the data that’s being used by that
application is being stored in a secure way and is being transmitted across the network in encrypted
form.
With cloud-based services, we are storing a lot of information in a separate, third-party location. Some
of this data needs to be evaluated for security. This data may contain customer information. There may
be healthcare data or financial details. And we need to make sure that we’re applying the proper
security around the type of data that we’re storing.

For example, there may be a mandate that healthcare information or financial information is stored in
encrypted form, especially when storing it at a third party. This certainly protects the data against a third
party gaining access, but it also increases the complexities around managing the encryption process.
And if we are storing that data at a third-party location, we need to be sure that the transfer of data in
and out of that facility is all done over an encrypted channel.

Vulnerability Impacts – SY0-601 CompTIA Security+ : 1.6

Vulnerabilities can have an effect on many parts of an organization. In this video, you’ll learn about data
loss, identity theft, financial loss, reputation impacts, and availability loss.

In February of 2018, the United States Council of Economic Advisors produced a report called The Cost
of Malicious Cyber Activity to the US economy. And they found that the costs were between $57 and
$109 billion in the year of 2016. This is a significant financial issue, and one that we need to be
concerned with regardless of our organization. Of course, the impacts of vulnerabilities are not just
associated with finances, there are many other concerns that we’ll talk about in this video as well. It is
these costs and effects of vulnerabilities that drive us in security to make sure our systems are as safe as
possible.

One result of vulnerabilities may be the loss of data, and in some cases losing the data may be more
damaging than losing money. For example, a database that has no password or is using default
passwords can be at risk for losing the data within that database. An example of this data loss started in
July 2020 with what the internet is calling the meow attack. This is databases that had no password or
were using the default password, and all of the information in this database was being deleted without
any type of warning.

Researchers who were tracking this attack, say that thousands of databases has been deleted and
instead of the data being in the database, all of that information has been replaced with the word,
meow. This is an extreme example of what can happen if databases are not properly secured, and
another reason why it’s very important to always have a backup. Some attackers don’t delete the data,
but instead prefer to steal the data and then use that data for their own purposes.

A good example of this is the identity theft that occurred between May and July of 2017 at Equifax.
Equifax stored information of over 147.9 million Americans, over 15 million British citizens, and over
19,000 Canadian citizens. The attackers were able to gain access to names, social security numbers, birth
dates, address information, and more. With all of this information, they’re then able to steal people’s
identities, open up new lines of credit, and create problems for all of the people affected by this theft.

The vulnerability that allowed this particular identity theft, was a vulnerability in Apache Struts that was
announced on March the 7th. Attackers took advantage of a system that was not patched, on March the
12th got into the Equifax network, and were able to remove all of this data from their systems. This was
such an extreme attack with such a large amount of data, that both the CIO and CIS were asked to leave
the organization and ultimately Equifax paid over half a billion dollars in fines for this particular breach.
 And of course, these vulnerabilities can cause financial loss as well. This particular example is in March
of 2016 at the Bank of Bangladesh, and this is around a vulnerability that took advantage of the Society
for Worldwide Interbank Financial Telecommunications, or what the industry refers to as SWIFT.
Attackers sent messages over the SWIFT network to transfer nearly $1 billion from accounts at the Bank
of Bangladesh to accounts that are in the Philippines and Sri Lanka.

Fortunately, for the Bank of Bangladesh, most of these requests were rejected because they were not
formatted properly when they were sent. However 35 of the requests were processed and the bank lost
$81 million that got laundered through the Filipino Casino industry. This is not the first time that this
particular type of vulnerability resulted in financial loss. A similar swift vulnerability has taken $12
million from Wells Fargo, and $60 million from the Taiwanese Far Eastern International Bank.

Of course, getting hacked is not very good for public relations, and it can make your organization have
an impact to its reputation. In many countries there’s laws that require an organization to disclose the
results of a hack. And in some cases, especially with public companies, that can have an effect on the
company’s value, especially in the stock market.

An example of one of these reputation impacts occurred in October of 2016 with the company Uber.
This particular breach allowed attackers to gain access to 25.6 million customer names, email addresses,
and mobile phone numbers. Instead of disclosing this breach, Uber instead decided to have the hacker
sign a non-disclosure agreement and gave them $100,000 to not say anything. Ultimately, the pressure
regarding this breach required Uber to announce the hack in November of 2017, and in 2018 they paid
$148 million in fines.

The hackers associated with this breach pleaded guilty in October of 2019. And to continue the
reputation impact to Uber, Uber’s former Chief Security Officer was charged with obstruction of justice,
and misprision of a felony. If you don’t lose any data and you don’t lose any money, you could still lose
uptime and availability. Someone taking advantage of a vulnerability could cause outages, downtime,
and cause a system to become unavailable. A good example of this are the outbreaks of ransomware
that we’re seeing that are bringing down some of the world’s largest networks.

For example, in September of 2021 of Chile’s largest banks Banco Estado was attacked with ransomware
that took out all of their internal systems. The bank was effectively out of business internally, and were
not able to process anything on their internal network. Fortunately, their network was segmented and
the public facing services were still up and running. The bank had to delete everything that was on these
internal systems, restore from known good backups, and that process caused the bank to be out of
business for an extended period.

Threat Hunting – SY0-601 CompTIA Security+ : 1.7

If you can’t find the threat, then you can’t stop it. In this video, you’ll learn about intelligence fusion, big
data analytics, and cybersecurity maneuvers.

The attackers are constantly trying to find a way into your network to gain access to your data. This is a
constant process that is coming from many different locations and many different attackers all
simultaneously. This is also attacking different systems all at the same time. And the strategies that we
use to protect against attacks today will be very different than the strategies that we need to follow
tomorrow.
The attackers are constantly changing the approach they use with their attacks, and they’re modifying it
based on what your reaction is. One of the problems we have in reacting to these attacks, of course, is
that we can’t react until the attack occurs. This is a constant problem when you’re trying to prevent
anyone from getting into the network and you can’t stop them until they try to break into the network.
The goal then is to speed up this reaction time or perhaps prevent the attack from occurring before the
attacker even arrives on your network.

One of the challenges we have when trying to identify these types of attacks is that there is a huge
amount of data we have to sift through to even be able to understand if an attack is occurring. This is a
massive amount of data coming from many different locations. And it’s nearly overwhelming to be able
to understand the data that you’re receiving, be able to parse that data out, and then be able to make
decisions on what you’re seeing.

These data sources are also very different. The information you would get from a server is very different
than what you would receive from an IPS, and that’s also very different than the logs you might get from
a firewall. You also have different team members in your organization that are looking at different types
of data, and sometimes those teams need to talk together to be able to identify some of these threats.
You have security operations, security intelligence, threat response teams, operations teams, security
operations centers, and more people that are looking at data that can help identify these threats.

The key, then, is to take all of this data, put it into a massive database, and then use big data analytics.
That’s going to allow us to correlate, identify, and pick out individual important pieces of data that can
give us some insight into when attacks may be occurring. So let’s start with our raw data. We know that
we’re collecting logs on almost all of the devices on our network. So we need that log data.

We also need information about the network itself and where data may be coming into and out of our
network. There can certainly be events occurring elsewhere on the internet that may be of interest to us
and might help us understand when an attack might be incoming. And then you have intrusion detection
and other active monitoring tools that can give you metrics about what’s happening right now.

Add into this mix of raw data information about what’s happening in the rest of the world. You have
threat feeds that are coming from third parties. Governmental agencies have information about alerts
that you should be aware of. There are advisories and bulletins relating to software and vulnerabilities
that you need to know about. And social media is constantly giving information about who’s being
attacked and what they’re being attacked with.

This is all of the data that goes into this unstructured database that we can begin analyzing with big
data. This is a mathematical process that allows us to begin performing predictive analysis. We can start
understanding where potential problems may come from, even if an actual attack is not yet occurring. If
we were the physical military, we would then start deploying the Army, Navy, Air Force, Marines, and
Coast Guard to all parts of our network to help protect against it. But since we’re in the virtual world,
and much of our virtual world is Cloud based, we can start deploying security technologies into these
areas.

We can deploy additional firewalls, intrusion prevention, and scanning systems to understand what’s
happening on the network right now. We can have the firewalls look for particular types of data flows to
block. We can look for IP address ranges that we don’t want to have in our network at this particular
time. And of course we can have these systems delete any software coming through that we feel may be
malicious. Unlike a military that takes time to deploy, these systems are virtualized. We can deploy them
instantly.

So the moment that our big data analytics decides that a particular type of threat is a concern, it can
immediately deploy these pieces out to those parts of the network to prevent any of those threats from
occurring. And since all of this is automated, it can identify those threats coming from many different
places simultaneously, even if those threats are very different in scope. The process continues
constantly with the collection of data, identification of potential threats, and deployment of systems
that can protect our network against these attacks.

Vulnerability Scans – SY0-601 CompTIA Security+ : 1.7

It’s important to find vulnerabilities in your network before the attackers. In this video, you’ll learn
about vulnerability scans, false positives, credentialed scans, and more.

If you’re working in IT security you are undoubtedly going to be performing some vulnerability scans.
These scans are designed to look at systems to see if potential vulnerabilities might exist in an operating
system, a network device, or an application. These are a little bit different than a penetration test, which
is really trying to gain access into the inner workings of your devices. Instead the vulnerability scan is
trying to determine from the outside if there is the potential to gain access to those systems.

One common type of a vulnerability scan is a port scan. That’s when we will look at a device and
determine what ports happen to be responding on that particular IP address. From here you may be
able to gather information about things that might be less than secure. For example, in this device port
23 running over TCP which would be the Telnet service is an open port on this device. And without
knowing anything else about the system we know that telnet inherently sends information that is not
secure, it is not encrypted.

So this would be something to bring up as a potential vulnerability on this computer. It’s common to run
vulnerability scans on all of the devices connected to the network. This would be servers, workstations,
laptops, and other devices that are connected to the network as well. You want to be able to perform
these vulnerability scans from the perspective of the attacker. So you want to perform these from the
outside, on the internet side, coming inbound to your devices. But you might also want to run these
scans internally as if you are an insider who had full access to these systems.

We’ll want to gather as much information as possible, and these vulnerability scans collect a lot of
information. There’s plenty of details that we’ll need to examine in the log to determine what we want
to do with this information once the scans are complete. The vulnerability scanners use are very
powerful pieces of software that are designed to look at many different aspects of how your systems are
running in the hopes that it will find some vulnerabilities on that device. We call these non-intrusive
scans, but of course, there’s a little bit of intrusiveness as it’s scanning the different port numbers and
perhaps trying to find out if a potential vulnerability might exist.

But these aren’t penetration tests. These vulnerability scanners will not try to attempt to take advantage
of the vulnerability. Instead they’ll simply decide if a vulnerability might exist or not. After the scan is
complete you can run your own tests to see if that vulnerability really does exist. You can run a
penetration test on its own or you can find a specific exploit that might attack that vulnerability and see
if that vulnerability does exist.

There are different approaches to performing these scans. One approach is to scan as if you are
someone who does not have access to the network. This would be a non-credentialed scan. This user
doesn’t have the credentials to be able to log on to a device and gain additional rights and permissions.
You might want to think of this as someone who is out on the internet, who doesn’t have any access to
your network, and this would be a scan that’s run from their perspective. But of course, there is the
perspective of someone who is on the inside of your network and trying to exploit a system. So you
might want to run these types of vulnerability scans as a user who has rights and permissions to log in.
This is a credential scan and it’s a way to tell how much of a vulnerability might exist if you were
someone who had a little bit of access to these systems.

Let’s look at the results of a vulnerability scan that I ran on my network. I ran this with the Nessus
Essentials product that was able to look at an individual IP address at 10.1.10.13. It’s important to
remind you at this point that you should never run a scan on your network where you do not have
specific permission to do so. You should also make sure that if you’re running a scan on the network.
That you understand exactly what that scan is going to do. There is some conversations that takes place
between the scanner and that remote device, and there have been cases where a vulnerability scanner
has found a bug in a piece of software that caused that particular system or application to suddenly
become unavailable.

So you could potentially crash a system or make the system unavailable simply by performing one of
these vulnerability scans. Make sure that everybody knows what’s happening and that you’re ready if
anything should happen to those systems. On this device 10.1.10.13 I ran a vulnerability scan it only took
two minutes to scan this particular device. Let’s click on this host and see what the results of this report
might be. Let’s start with these two critical vulnerabilities at the top.

The first is a Debian OpenSSH SSH OpenSSL package random number generator weakness. This means
that someone could gain a shell remotely into that system. I can see why they would have qualified this
as a critical vulnerability. When we click on that, we can see more information about this specific
vulnerability. The remote SSH host has been generated on a Debian or Ubuntu system which contains a
bug in the random number generator of its OpenSSL library. This says that the attacker can easily obtain
the private part of the remote key. That means that they’ll be able to decipher the remote sessions or
set up man in the middle attacks because this vulnerability exists on the system.

It also gives you places to go to read more about it and things that you can do to resolve this particular
problem. Let’s go back in these vulnerabilities and look at the other critical vulnerability, which is a Unix
operating system unsupported version detection. I ran the scan against a very old version of Linux and in
fact the vulnerability tells us that this is a very old Unix system that is no longer supported. There will be
no security patches for the product. So this will have additional vulnerabilities as time goes on. The
output from the vulnerability scan is listed here. And we can see that it is Ubuntu 8.04. That support
ended many years ago and that was one where we now can make decisions about upgrading that
system or putting a system in place that would have security patches ongoing.

Let’s go back to the listing of vulnerabilities. And you can see there are other vulnerabilities in here, such
as mixed vulnerabilities, medium, low, and a lot of informational vulnerabilities are listed here. You now
 have to make a decision over which of these vulnerabilities are important, which of them you should
cover first, which should be second on the list, and there may be vulnerabilities in this list that don’t
affect you or do not have a concern in your environment. You’re going to have to go through each one
of these and make those decisions. And that vulnerability scanner went out to that device and looked
for every possible vulnerability that it might have, or at least every possible vulnerability that the
vulnerability scanner knows about. There’s a database within the vulnerability scanner that’s to
constantly be updated so that it knows what to look for and where to look for these types of
vulnerabilities.

You will certainly find vulnerabilities associated with particular applications like desktop apps, or mobile
apps. In fact, here’s a desktop app vulnerability CVE-2020-1889 which has a security feature bypass issue
in WhatsApp desktop. And you’ll need to update the application to be able to resolve that security
vulnerability. There are also vulnerabilities that you may find associated with web based applications,
this is software that’s running on a web server. Here’s an example of one in a PHP file for an
organization UCMS that has a product 1.4.8. And this results in an information leak via an error message
and provides information that it should not be providing. And of course, there could be scans against
network devices on your network where you get information about misconfigured firewalls, devices that
have ports that are open that perhaps should not be open, and other vulnerabilities as well.

This is a vulnerability CVE-2022-5079. An issue was discovered on D-Link DCS-2530L before version
1.06.01 Hotfix and et cetera. This allows authenticated command injection. So this would be a
vulnerability that is on the router itself that would need to be resolved with a firmware upgrade. If
you’re performing these vulnerability scans you’ll be doing a lot of research prior to the scan, and a lot
of research after the scan is complete. And there are many resources online that can give you the
information you need to be able to make decisions when these vulnerabilities are found.

One very common place to go is the consolidated CVE database at the National Vulnerability Database.
You can find that at nvd.nist.gov. This is a summary of all of the CVEs that you can also find at the
common vulnerabilities and exposures database, those are the CVEs. And you’ll find that at
cve.mitre.org. You might also want to go directly to the manufacturers themselves. And one great place
to get information about Microsoft Windows is directly from Microsoft. You’ll find those Microsoft
security bulletins at www.microsoft.com/technet/security/current.aspx.

There will be some vulnerabilities identified by the scanner that cannot be tied back to a specific known
CVE. So you might also need to do some additional research to really determine the scope of this
particular vulnerability. I mentioned earlier, one of the best places you can go to get a summary of these
CVEs is the National Vulnerability Database at nvd.nist.gov. This is a list that is synchronized with the
CVE list from mitre and has some nice search capabilities on it as well. But another feature that is inside
the National Vulnerability Database is the Common Vulnerability Scoring System. This provides a
number associated with the vulnerability that can give you a perspective of just how severe this
vulnerability might be. Each vulnerability gets a score between 0 and 10 and this allows you to at least
have some measure that you can use to determine which vulnerabilities may be more severe than
others.

There’s currently two different scoring methods that are used, a scoring version 2.0, and another one
that is currently version 3.1. These He’s use different criteria to create the score so you need to make
sure that you pick the version that you would like to follow and then compare that against all of the
 vulnerabilities that you found. The National Vulnerability Database is a critical summary of these
vulnerabilities and if you’re putting together a record keeping program or trying to automate the
processes that you have around vulnerabilities, you will absolutely want to involve this National
Vulnerability Database. As you saw in the vulnerability scan that I had created there were a number of
different vulnerabilities that were identified and from different categories as well.

One of these categories is a lack of security control. These devices should be running antivirus, anti-
malware, and its own personal firewall to allow or restrict access to that system. So vulnerability scan
might be able to determine that certain security procedures are not in place on that device. There might
also be misconfigurations. On the vulnerability scan I ran it found that there was an NFS
misconfiguration that allowed anybody to see the NFS shares that were on that device. Vulnerability
scans might also inform you that the guest log in access is enabled on that system. So that you can then
go to that device and disable that type of access,

And of course there are operating system and application vulnerabilities that are found every day. So
this vulnerability scan will give us the heads up to let us know if a particular piece of software needs to
be updated. One of these challenges with vulnerability scans is you will occasionally find a vulnerability
that is reported, you’ll go and investigate that vulnerability, and what you’ll find is that the vulnerability
scan didn’t get it right. That in fact that vulnerability doesn’t exist on that particular device. We call
these false positives because our vulnerability scan has positively identified this vulnerability. But after
doing research, we find that positive indication was actually false. And the false positive now can be
dismissed and we can continue with our research.

False positives of course, are different than a low severity vulnerability. Sometimes people will dismiss
the low severity vulnerabilities as being something that they don’t have to worry about on this particular
system. That’s different than a false positive. At least a low severity vulnerability is a real vulnerability
that exists, albeit at a very low priority level. A false positive is one that doesn’t exist at all. So we need
to be sure to categorize those properly when we’re trying to evaluate how to take the next steps with
this system to make it more secure.

Perhaps worse than a false positive would be a false negative. This is when a vulnerability exists on a
system but our scanner was not able to identify it and did not tell us anything about that vulnerability
existing on that particular device. To be able to resolve problems around false positives and false
negatives, you want to be sure that you have the latest version of the signatures running for that
vulnerability scanner. This will allow it to filter out anything that it knows is not valid and find all of the
vulnerabilities on the system that might have been missed if you were using an older database.

If you do run a scan and you get a false positive or false negative, you want to work with the
vulnerability scanner manufacturer and see if they can create an updated database that resolves these
issues. Of course there are a number of vulnerabilities you can look for without using some type of
formal vulnerability scanner. For instance, you could do a configuration review of an operating system to
see if there may be any obvious security issues. For example, you may want to validate what the security
settings are in a device.

It’s easy to log into the device and see what the firewall settings might be set o or see if antivirus has
been updated recently. You can look at workstations and see what the account configurations are and
make sure that nobody’s turned on any particular security shares that might put the entire device at
 risk. On servers themselves we are concerned with the access control to those servers and the
permissions of users who are connecting to that server. And we want to look at our security devices
themselves and make sure that we haven’t missed configured a firewall rule to allow access when really
we wanted to deny access.

Security Information and Event Management – SY0-601 CompTIA Security+ : 1.7

If you are monitoring the security of your network, then you are almost certainly using a SIEM. In this
video, you’ll learn about SEIMs, using syslog, and the fundamentals of SOAR.

To be able to manage the massive amount of information you receive from log files and event
notifications, you’ll want to use a Security Information and Event Management Device or SIEM. A SIEM is
designed to collect information from anything on the network that can create log files, security alerts, or
any type of real time information that can tell us about what’s happening on the network right now. The
SIEM is commonly used as a central repository. So everything will be logged and aggregated into the
central database of the SIEM. From there, you can create reports and historical perspectives of what’s
been happening on the network over time.

You might also be able to correlate data from different devices to see if you can start to see events
occurring even though the data sources that you’re receiving are very different between these different
devices. And, of course, since you’re collecting all of this information into a central database, it’s a
perfect place to go to be able to perform forensics after a security event has occurred.

The data that’s being fed into the SIEM is coming from very different devices. A Windows server works
very differently than a Linux workstation, which works very differently than a router or a switch. So
there needs to be a standard way to be able to send log files from other devices into this central
repository. And the name of that standard is called syslog. There is usually a syslog compatible collector
that is part of the SIEM itself. This collector is waiting for messages to be sent from all of those different
diverse devices on the network. And the format of those messages coming in to the syslog collector are
in this standard syslog format.

As you could have probably already guessed, being able to store all of this data from all of these devices
over a long period of time is going to require a lot of storage space. So it’s very common on a SIEM to
allocate terabytes and terabytes of storage so that you can collect a lot of this information and store it
for a long period of time.

So what types of information would be valuable to store in a SIEM? Well, from a security perspective
you’d love to be able to see who may be attempting to authenticate into a server. Maybe you’d like
some record, a VPN connectivity or firewall session logs. Or perhaps you want to see people that are
trying to communicate outbound from your network to a location that you would not like to allow–
those would be the denied outbound traffic flows– or maybe just a generic overview of network
utilization and something that you can track and trend over time. It’s also common to grab raw packet
captures as well. Especially if an event occurs, and you can add the packet captures into the event to
add more information about what may have happened during that time frame. It’s common in larger
organizations to have a Security Operations Center, or a SOC. Someone in the SOC is able to monitor all
of these SIEMs, evaluate the type of data that may be coming in, and be able to react to some of the
information that’s provided from the dashboard of the SIEM.
 As you can imagine, there is a constant flow of traffic and information being put into the SIEM. So it’s
very important that you’re able to react to the data that you’re receiving. The logs that are being added
to the SIEM are able to be parsed and then the Sim can identify if a security exception might exist within
those log files. From there, notifications can be sent over email or text message to inform people of the
exceptions that have been found. And this could even be automated through a ticketing system, so that
as soon as a problem is identified, it can be assigned to a technician who can then evaluate what the
next steps might be.

At the core of the SIEM is the log information. This is a screenshot from a SIEM that shows an example
of the logs you would get from a Windows system. For example, here is a log entry that shows a user
account was enabled. It shows a security ID, an account name of “Administrator”– and here’s the
domain name associated with that– and then some additional account information from that computer
as well. Obviously, there is a large amount of log information that is stored on the system with an
extensive amount of data. That’s why most SIEMs are going to have a dashboard that rolls up that
information into a mode that can be easily identified and easy to understand what’s happening. So you
can see trending of logs, how many types of security events have been received, the top devices that are
reporting in, and even the severity of those Windows events. We can see that we’ve had successes, a
large number of failures, and some informational severities as well.

Most Sims also include report writers. So you’ll be able to gather information into the logs and then
create a more readable view of that data, especially over a long period of time. Being able to pull
important information from this very large amount of data relies on different techniques and analytics.
One of these would be big data analytics which is the ability to look through large amounts of very
diverse data to be able to identify patterns that normally would be invisible to a human being.

Another type of analytics looks at how people are acting. So you would have user and entity behavior
analytics which examine how people are using the network. Even if they’re not directly attacking a
device, there may be a way to tell if that particular type of pattern could cause potential problems in the
future.

And another type of analytics is a sentiment analytics. This examines how the public views a particular
organization. For example, if a public opinion of an organization happens to be very bad, it tends to
attract hackers who can then create problems on that network. So being able to measure how your
organization is viewed on social media may have a direct impact on the type of security you would need
on your network.

These days organizations are trying to take advantage of all of this data and all of this technology by the
use of SOAR. SOAR stands for Security Orchestration Automation and Response. The goal of SOAR is to
take these processes in security that were manual or tedious and automate them so that all of it is done
at the speed of the computer.

With orchestration, we’re managing many, many different devices and automating the access that we
have to those devices. In some cases, we are configuring or reconfiguring devices with this
orchestration. So we might modify firewall rules, or change the permissions associated with a particular
account, or change the email filters we’re seeing and do this all dynamically as this information is being
evaluated by our systems.
 Instead of having an individual configure our firewalls, or our accounts, or these email filters, we will
have our systems themselves provide this through automation. This is an important key of this, because
the computers much faster than we happened to be. And it can identify what may be happening at any
time of the day and put barriers or mitigation in place to prevent those problems from happening on our
network.

And the response part of SOAR means that we’re able to have this orchestration and automation occur
at any time of the day and be able to react to anything that may be occurring in our network.

Penetration Testing – SY0-601 CompTIA Security+ : 1.8

The process of exploiting a vulnerability in a controlled environment is a penetration test. In this video,
you’ll learn about pen testing, rules of engagement, exploiting vulnerabilities, and more.

If you’re performing a penetration test, then you are actively trying to gain access to a system. This is
simulating the same type of exploits and attacks that would be done by an attacker that is external to
your organization. This is similar to the process you go through with vulnerability scanning, but you’re
taking it one step further. You’re actually trying to exploit the vulnerabilities you find, to see if you can
gain access to these systems.

This is often a process that is mandated. You have to do this by some type of set of rules or regulations,
and you’ll usually contract with a third party that will perform these penetration tests on a regular
schedule.

A great document to view some of the information that can help you design, and plan for these
penetration tests, is from NIST. This is their Technical Guide to Information Security Testing and
Assessment, and you can find that at professormesser.link/800115.

Penetration tests can be very invasive. And it’s important that everybody understands exactly what the
rules are for these particular tests. These rules of engagement defined the purpose of the test, and what
the scope will be for the people who are performing this test on the network. This means that
everybody will be aware of what systems will be considered, and perhaps the time of day that will be
used to perform these tests.

Most organizations will define a type of test. So this may be a test of a third party coming in from the
outside, or it might be a test that you’re performing internally to your network. And then you also have
to make sure that everybody understands this is something that might be occurring during the normal
working hours, or it might be something done after everyone’s gone home.

Also in the rules of engagement will be a list of IP addresses of devices that are in scope for the
penetration test, and the devices that should not be used or considered as part of the test. You also
want to be sure that you have the emergency contacts listed in the rules of engagement because
occasionally things will happen and you’ll need to make sure that everyone is aware of the situation.

There’s also probably going to be some type of sensitive information discovered, especially if you’re
performing vulnerability exploits against some of these systems, you could very easily gain access to
databases and documents, that normally you would not have access to.
Depending on the type of penetration tests you want to do, will depend on what information you make
available to the person performing that test. For example, there might be an unknown environment,
where you tell the penetration tester nothing about the systems. They have to go into the test
completely blind and build out the database of everything they find as they go.

There might also be penetration test where the person performing the test knows everything about the
environment. That’s certainly very common if you’re performing your own test internally. And it could
be a mix of known and unknown. You may be contracting with a third party and you may provide them
with information about some key systems, that they can then perform the penetration tests based on
the information they have at hand.

Now that everybody understands the rules of engagement, and understands what systems they’ll be
attacking, we can perform the actual penetration test. It’s important that the person performing these
tests have permission to exploit the vulnerabilities that are on that system. We’re actively trying to
break into these systems and gain access to that data.

During the process of doing that, there’s certainly potential for creating a denial of service, or crashing
the system that this particular data might be on. So keep in mind, that if you are performing one of
these tests, and something does fail there needs to be a process in place to get that system back up and
running.

There’s also never one single way to be able to gain access to these systems, and a good penetration
test will try many different techniques to gain access. You might try performing password brute-force,
based on what the known passwords or popular passwords might be. There might be a little social
engineering to try to get a password out of someone else.

You could try database injections, buffer overflows, in path attacks. There could be many different
scenarios and a good penetration tester is going to find the best way to gain access to those systems.

If the person performing the penetration test is able to get through your security, and be able to take
advantage of these exploits, then conceivably, anyone would be able to do that. That’s why it’s so
important to perform these penetration tests so that you can identify these holes, and fill the holes
before the attackers do.

Getting access to a system during a penetration test is really just the first part. We need to get into a
system and gain that access, so from there we can start moving to other devices on the inside of the
network.

This is called lateral movement, as we move from device to device on the inside of a network. It’s very
common to have very strong security on the perimeter of the network, and security that is less involved
on the inside. That makes some of this lateral movement a little bit easier than perhaps that initial
exploit into the system.

Once you’ve worked so hard to gain access to these systems, you want to be sure that you’re able to
return. But you don’t want someone to close these vulnerabilities and leave you without a way back.

So once you gain access to these systems, you need to create persistence. You’ll create a back door,
you’ll reconfigure an existing account so that you can gain access to the system through those accounts,
 or change, or configure default passwords for a particular service, that will allow you into that system
later on, even if the exploit happens to be fixed.

Many pen testers will take advantage of a pivot point. They’ll gain access to one system, and that will be
the jumping-off point to get to any other system that’s on the inside of the network. They could use this
as a proxy, they could use it as a relay, but it will be the central point that they can start their efforts on
the inside of the network and from there they’re able to gain access to other trusted systems on the
inside.

The process of performing the penetration test can sometimes modify systems and change some of the
files on these devices. After the test is over, we need to make sure that all of these systems are reverted
back to the way they were prior to the test taking place. So we want to make sure that any network
reconfigurations are put back to their original form. If there were files or executables added to a system,
to assist with the penetration test, we need to make sure those files are removed.

We also want to make sure that any back doors or pivot points are removed from the network, and if
there were accounts that were created during the test to assist with the pen test, we need to make sure
those accounts are removed as well.

In some cases, people are able to make a living performing penetration tests on devices and
applications, in the search for a bug bounty. This is a reward that is provided by the owner of these
systems, to people that identify vulnerabilities, or exploits that can be taken advantage of. These are
usually exploits that are identified by researchers. The more exploits they identify, the more bug
bounties they can submit, and ultimately, the more money they can make.

Reconnaissance – SY0-601 CompTIA Security+ : 1.8

Before performing a penetration test, it’s often useful to gather information about the intended target.
In this video, you’ll learn about reconnaissance methods used for passive foot printing and active foot
printing.

Before you perform a penetration test, it’s always good to gather information about the systems that
will be attacked. This is the reconnaissance phase and this is the part where we will begin to footprint all
of the different devices that are in an organization.

We need to understand exactly what security tools are in place. So it’s good to do some research and
find out what firewalls and other security devices may be operating. This is also the time where will
determine exactly what devices we want to attack. There are hundreds or even thousands of devices on
these enterprise networks. So it’s always good to understand what the key systems are and to focus our
efforts on getting into those devices.

To get a better understanding of the networks and devices you’ll be attacking during this penetration
test, you may want to create a network map. This may be able to build out an understanding of IP
address schemes, the locations of certain devices and perhaps specific VLAN the different devices may
be located on.

A good place to start would be to gather information in a way that would not be seen by the victim, this
is a passive footprint. And it’s a way to use data that’s located in the open source areas to be able to
understand more about the systems you’ll be attacking. A good example of passive foot printing, might
be to look at social media pages for a particular organization. Or look at the corporate website itself to
gather details about what might be on the network.

There are also many online forums and spreadsheets that contain information about many
organizations. Then you may be able to perform some social engineering by calling directly into the
organization. You could also dive into the dumpsters around back and look through their trash for
details. There might also be a way to look at other business organizations and see how they are
interacting with this potential victim.

Much of this information in the open source can be categorized as open source intelligence or OSINT.
The data that you can gather through these open sources is extensive. And a good location that gives
you a framework of information that you can gather can be found at osintframework.com.

Just the first level of this framework provides information such as username, email address, search
engine information, dating sites, archives, the dark web and so much more. Gathering this information
manually could take time. But there are many tools available that can go to many different websites to
gather this information for you.

Another source of data for your passive foot printing might be wardriving or warflying. This is where
we’re combining Wi-Fi analysis with GPS locations to be able to know exactly where a wireless network
might be. We can also gather information about the wireless network itself, such as the name of the
wireless network where the access points might be located. And some of the information about what
frequencies may be in use.

With wardriving we’re gathering this information as we drive around the streets of the city. We can also
do warflying where we combine this with a drone and simply float above all of these organizations to
gather these wireless details. Once we start accumulating information we can find all of the SSID or
wireless network names. Will understand more about whether encryption is turned on or not with these
particular networks.

And you can get strength values of the signals to know just how far away an access point might be.
There can be an extensive amount of data collected over time. And all of this can be done for free. There
are tools available on the internet such as Kismet and inSSiDer that can gather this information and
combine it with a map of the geography.

You can see a combination of that at wigle.net, W-i-g-l-e.net. Or where you can see the results of this
wardriving overlaid onto a map. So you can see exactly where all of the wireless networks might be. And
then you can drill down into any of those to gather more information about that particular site.

With active foot printing, we’re going to actively send information into this network or the devices on
this network in order to gain more information about what might be there. If someone is monitoring
network communication or capturing the packets on this network they will see us perform these active
foot printing tasks.

To gather this information will commonly perform ping scans, port scans, analyze DNS information from
the local DNS servers. And we might perform more detailed analysis of the operating systems that are
 running on these devices. And using tools like unmap we can even determine what the version of an
operating system or the version of a service might be on a particular device.

All of this active foot printing helps us understand what these devices might be on the network. But just
keep in mind because it’s active foot printing that someone else could see that we’re performing these
reconnaissance tasks.

Security Teams – SY0-601 CompTIA Security+ : 1.8

It’s common for organizations to separate IT security tasks into teams. In this video, you’ll learn about
the red team, blue team, purple team, and white team.

IT security is a broad field and there will be many different tasks, with many different goals and job
descriptions. There will be people that are performing operational security, another group of folks may
be your penetration testers, there may be another group of people that perform research on all of the
exploits that you’re seeing on your network, and other people may be in charge of hardening systems
such as your web servers, database servers, and other devices.

You don’t generally find one person at these organizations, who’s performing all of these tasks, instead,
you’ll find individuals who have focused their efforts into niches within these particular areas. So they
become an expert in penetration testing, exploit research, operational security, and the like.

This is usually separated into different teams. There’s a red team, a blue team, a purple team, and a
white team. The red team is usually referring to the team of folks who are on offense. These are folks
that are performing the penetration test themselves. You might hear those referred to as ethical
hacking, because they’re working for us, to try to find the holes that might be in our network.

These would be groups of people that can gain access to these systems using exploits, but they have to
find the vulnerabilities in these systems to be able to do it. They might also perform other types of
attacks such as social engineering attacks, to see just how susceptible your organization might be to a
third party, calling into the organization, or sending emails. They might also have daily tests that are
done on all of the web servers to scan the applications and see if they can identify any vulnerabilities.

We often think of the blue team as being the opposite of the red team. This is the team that’s on
defense, that’s trying to protect themselves against the attacks coming from the red team. These are the
folks that are performing the day-to-day operational security to keep your devices and your data safe,
and they’re also the ones that are responding to incidents that may occur in your organization.

If there’s any type of damage control or reconstruction that needs to be done, it will be done by the blue
team. This is also the team that will stay up to date with the latest set of published vulnerabilities, and
make sure that all of the systems are patched and up to date. And if an attack does occur, this will be the
team that puts together the information about what happened during the attack, and what they were
able to do to stop this attack.

Of course in an organization that has a red team and a blue team, both of those teams are working
towards a common goal. You want to be sure that all of the systems and all of the data in your
organization is safe. To be able to facilitate these common goals, many organizations will combine these
teams together, into a purple team.
 This means that instead of competing with each other, they’re both sharing information about what
they find on the network, and that way they’re able to fix the applications, secure the data and make
sure that everything remains secure that much faster.

In organizations that have a purple team, there’s usually a feedback loop that works back and forth
between both of those teams. So as soon as the red team finds a problem, they can inform the blue
team, and as soon as the blue team knows their particular vulnerability has been released, they can let
the red team know what systems have been patched.

The white team is not on the red team or the blue team, instead, the white team is overseeing what’s
happening with both of those teams, on the network. You can think of them as the referee or the
manager of a particular set of processes, so they can enforce any rules that may be in place between the
red team and the blue team.

If there are any issues that need to be resolved, the white team would do that as well. And in
organizations that keep score over the performance of the red team and the blue team, the white team
handles that scoring process.

This is also the team that is in charge of putting together the results of a particular penetration test, so
they can identify what things worked well during the pen test, which things did not work well, and
things they might want to change the next time they perform this test.