Chapter 7

Security Assessment and Testing

Terms you’ll need to understand:

  • Audit

  • Vulnerability assessment

  • Penetration testing

  • Trojan

  • Malware

  • Rootkit

  • Logic bomb

  • Interface testing

  • Synthetic transaction

  • Password cracking

  • Social engineering

  • Virus

Topics you’ll need to master:

  • Security assessment and testing

  • Assessment and test strategies

  • How to identify attack methodologies

  • Automated and manual testing techniques

  • Examples of penetration test methodology

  • Log reviews

  • Disaster recovery and business continuity

  • How to perform security assessments and penetration tests

  • Security metrics

  • Incident response technique

Introduction

When preparing for the (ISC)2 CISSP exam or reviewing the Security Assessment and Testing domain, you need to know which resources should be protected, types of tests that can be used for security control testing, and the threats you might encounter in a network.

This chapter examines audits, vulnerability assessments, and penetration tests, each of which plays a role in securing an organization. Organizations carry out penetration tests to see what a criminal hacker can access, how such access can be used, and what risk or impacts that access might have. Security violations aren’t always malicious, though; sometimes things break and accidents happen. Security testing is often conducted to deal with such incidents.

This chapter also discusses how the threat landscape has changed. The risks are many; in addition to viruses and worms, ransomware, supply chain attacks, and cryptocurrency mining (cryptojacking) have become widespread. Attackers use a variety of tools and techniques to target victims, gain access, and monetize that access. Keep in mind that incidents can lead to outages, which is why disaster recovery planning and a business continuity plan are required. An organization also needs an incident response plan that has been tested and approved. This chapter covers these risks, along with investigations and legal proceedings.

Security Assessments and Penetration Test Strategies

The world of information security continually evolves. Today there are more tools available to attackers and defenders than ever before. It is therefore imperative that organizations periodically review their security. This section covers several techniques for remediation and review that can be used to meet this challenge, including policy reviews (audits), vulnerability scanning, and penetration testing. All these techniques are useful in identifying and resolving security architecture vulnerabilities.

Audits

Organizations use policy reviews, also called audits, to verify the presence and strength of administrative (management), operational, technical, and physical controls and to report on how well those controls protect the organization. Most organizations want to do the right thing and are interested in proper controls, but many of them are overwhelmed by the day-to-day demands of business. It is important for auditors to verify both security and compliance and to demonstrate due diligence.

An audit is a planned, independent, and documented assessment to determine whether agreed-upon requirements and standards of operations are being met. Basically, it is a review of the operation and activities of an organization. An auditor uses the organization’s policies, standards, and procedures to guide the audit and can also use appropriate laws, regulations, and industry standards and best practices. Some common types of audits include the following:

  • Internal audit: Internal audits can be quick because the team knows the environment, and they enable the organization to be more agile. However, internal audits can be problematic because there could be conflicts of interest, the team might not have a lot of depth of experience, and management might seek to steer the outcome toward a specific goal.

  • External audit: Today, most organizations focus on core competencies and outsource many activities. While you might not perform an audit on a partner, it is common to ask for proof of audit or bring in a third-party auditor to review specific parts of the organization’s processes that might impact your organization. The main advantage of an external or third-party audit is that the auditors have no vested interest in the outcome of the audit. As noted earlier, such objectivity might be lacking in an internal audit. The biggest disadvantage of this type of audit is cost.

Sometimes an organization has little choice about what type of audit to perform. Regulatory requirements such as the Sarbanes-Oxley Act require that compliance audits be conducted by third parties.

Note

One of the most widely used frameworks for auditing is the Control Objectives for Information and Related Technology (COBIT), which is a system of best practices.

Regardless of the type of audit you perform, you must determine what testing technique to use: automated or manual. Automated tests are executed via test automation frameworks without human assistance. With manual testing, an individual or a team performs the tests step by step, without test scripts.

Another important consideration is test coverage: how much of a system’s output or activity you are going to examine. For example, an audit of a financial system that contains tens of thousands of records might examine only a subset of them. A sampling plan lets an auditor review a segment of the population by observing only part of it and still reach conclusions with a predictable level of confidence. In most cases, units are picked at random; with random sampling, every unit has the same likelihood of being selected for inspection. For example, your organization might have more than 200 security controls. Testing all of them would be difficult and time-consuming, so the sampling plan might call for testing only a portion, such as 20% of the controls picked at random. Whatever the plan, it should be fixed before testing starts so that the sample cannot be steered toward controls already known to pass.

During an audit, you might be asked to provide security metrics to demonstrate the effectiveness and state of security controls. It’s common for such metrics to track key performance indicators (KPIs) and key risk indicators (KRIs).

KPIs provide insight into the success of a security program by looking at historical performance. Information Technology Infrastructure Library (ITIL) is a framework of best practices for delivering IT services that lists nine KPIs:

  • Percentage decrease in security breaches reported

  • Percentage decrease in the impact of breaches reported

  • Percentage increase in service-level agreements (SLAs) that have appropriate security clauses

  • Number of preventive security measures the organization has implemented in response to security threats

  • Time lapse between identifying a threat and implementing appropriate controls

  • The number of major security incidents

  • The number of incidents that have created service outages

  • The number of security test/training/awareness events

  • The number of shortcomings identified during a security test

KRIs quantify security risk looking forward. ISACA (formerly Information Systems Audit and Control Association) recommends selecting KRIs based on four criteria:

  • Impact: Indicators for risks with high business impact are the most worth tracking.

  • Effort: The work required to implement, measure, and support the indicator.

  • Reliability: An indicator is reliable if it is a good predictor of the risk.

  • Sensitivity: The indicator’s ability to accurately capture variance in the risk.

Root Cause Analyses

Although audits can help verify that controls have been developed and are being implemented, an audit is just one part of ensuring operational security. Any time problems are found, an organization needs to follow its procedures to perform root cause analysis to discover the cause of the problem. Root cause analysis is a structured approach to identifying problems, assessing their magnitude, and determining what actions need to be taken to prevent the recurrence of similar situations.

Log Reviews

Closely related to audits are log reviews. A log review is a systematic examination of system logs in order to detect security events. Log files are a great source of information only if someone reviews them. The reality is that in many organizations, no one examines these logs until something goes wrong. When planning for log reviews, you must consider which logs you are going to store, how long you are going to store them, whether you will centralize this process, and how you will protect the integrity of the logs.

Security professionals should periodically monitor system logs to make sure no problems are occurring. The following are some of the logs that should be reviewed:

  • System logs: These logs should be exported to a central location, and someone should be assigned to periodically review them. A system log should be backed up and have a hash/timestamp applied to verify that no tampering has occurred.

  • Event logs: These logs are designed to record system occurrences related to memory, process, system performance, uptime, or hardware issues. While the event log is not focused on security concerns, it should be reviewed because it can provide useful information.

  • Audit logs: These logs monitor and record user activity. Audit logs are a detective control and can be used to track compliance with security policy.

  • Security logs: These logs track events that correlate directly or indirectly with security. Security logs record information such as user access, privileged operations, firewall issues, and intrusion detection system/intrusion prevention system (IDS/IPS) alerts.

  • Access logs: These logs record information pertaining to access activity. Access logs should be copied to centralized servers and protected from unauthorized access and modification.

  • Application logs: These are event logs that record software incidents.

Log files often require a great deal of storage as they are generated automatically during software and computer operations. Log files can be generated by web servers, computing devices, and applications. It is important to define log management policies for various sources and types of log files.
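The hash/timestamp protection mentioned in the list above can be implemented as a keyed hash chain at the central collector. The following Python is an added example, not code from the book; it assumes a key held only by the collector (a placeholder value here) and runs over constructed sample lines. Each record's seal covers the previous seal, the receipt time, and the line itself, so an edited, deleted, or reordered record breaks verification from that point forward.

```python
import hashlib
import hmac
import json
import time

# Constructed sample lines, as a central collector might receive them from
# one host. They are illustrative, not real events.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:15:02Z host1 sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "2024-03-01T10:15:09Z host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "2024-03-01T10:16:41Z host1 sshd[840]: Failed password for root from 198.51.100.7 port 40012",
]

# Assumption: the collector holds a key that the log sources never see.
# An HMAC chain (rather than a bare SHA-256 chain) means someone who
# rewrites a line cannot recompute a valid seal without that key.
COLLECTOR_KEY = b"example-key-replace-in-production"
GENESIS = "0" * 64


def seal_log(lines, key, clock=time.time):
    """Seal each line as it is received. Each record carries the line,
    the collector's receipt timestamp, and an HMAC over
    previous_seal | timestamp | line, so every seal depends on all
    earlier ones."""
    prev = GENESIS
    sealed = []
    for line in lines:
        received_at = int(clock())
        msg = f"{prev}|{received_at}|{line}".encode()
        seal = hmac.new(key, msg, hashlib.sha256).hexdigest()
        sealed.append({"line": line, "received_at": received_at, "seal": seal})
        prev = seal
    return sealed


def verify_log(sealed, key):
    """Recompute the chain. Returns (True, None) if intact, otherwise
    (False, index) of the first record whose seal does not match.
    An edited, deleted, or reordered record breaks the seal at that
    point (and every seal after it), which localizes the tampering."""
    prev = GENESIS
    for i, rec in enumerate(sealed):
        msg = f"{prev}|{rec['received_at']}|{rec['line']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["seal"]):
            return False, i
        prev = rec["seal"]
    return True, None


if __name__ == "__main__":
    sealed = seal_log(SAMPLE_LOG_LINES, COLLECTOR_KEY)
    print(json.dumps(sealed, indent=1))
    print("intact:", verify_log(sealed, COLLECTOR_KEY))
    # An intruder scrubbing the failed root login from the copy on disk:
    tampered = [dict(r) for r in sealed]
    tampered[2]["line"] = tampered[2]["line"].replace("Failed", "Accepted")
    print("after edit:", verify_log(tampered, COLLECTOR_KEY))
```

This gives detection, not prevention: an attacker who controls the collector and its key can simply reseal the chain, so the key (or at least a copy of the latest seal) belongs on a system the log sources cannot reach, and the receipt timestamps are only meaningful if the collector's clock is synchronized.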

Note

One critical factor to consider with logs is time synchronization. If the time is off on just a few systems, log management review can be difficult or even impossible. One of the most common means to manage this issue is by using Network Time Protocol (NTP), which is the industry standard for synchronizing computer clocks between network devices.

An important standard for log management is National Institute of Standards and Technology (NIST) SP 800-92. This document provides a high-level overview and guidance for the planning, development, and implementation of an effective security log management strategy. NIST SP 800-92 defines a log management infrastructure as having four major functions:

  • General: Log parsing, event filtering, and event aggregation

  • Log storage: Rotation, archival, compression, reduction, normalization, and integrity checking

  • Log analysis: Event correlation, viewing, and reporting

  • Disposal: Data clearing

NIST SP 800-92 addresses the following security log management challenges:

  • Log volume exceeding the rate of analysis

  • Immutability during storage and transmission

  • Inconsistent vendor log formats

  • The importance of a consistent review schedule

  • Retention issues involving purging, long-term storage, and cost

NIST SP 800-92 makes the following recommendations for security log management:

  • Establish policies and procedures for log management.

  • Prioritize log management appropriately throughout the organization.

  • Create and maintain a log management infrastructure.

  • Provide proper support for all staff with log management responsibilities.

  • Establish standard log management operational processes.

Log management and reviews should be key components of compliance initiatives. Only with centralized logs in place can you monitor, audit, and report on file access, unauthorized activity by users, policy changes, and other critical activities performed in your organization. Many organizations have moved toward information security continuous monitoring (ISCM). This approach features ongoing awareness of information security in an organization, including threats, vulnerabilities, and risk management. NIST SP 800-137 breaks ISCM into six steps:

  1. Define an ISCM strategy.

  2. Establish an ISCM program.

  3. Implement the ISCM program.

  4. Analyze data and report findings.

  5. Respond to findings.

  6. Review and update the ISCM strategy and program.

Note

NIST SP 800-37 covers the Risk Management Framework (RMF) for information systems. The RMF replaced the traditional certification and accreditation process with a structured six-step process (Categorize, Select, Implement, Assess, Authorize, Monitor); Revision 2 added a preliminary Prepare step, making seven.

Network Scanning

Network scanning is a procedure for identifying active devices on a network by using ICMP pings or port scanning. A basic network discovery scan can be performed with a ping sweep across the network range. The idea is to ping each device and see if a reply is returned. The following is an example of a ping:

C:\Users\admin>ping 192.168.1.253
Pinging 192.168.1.253 with 32 bytes of data:
Reply from 192.168.1.253: bytes=32 time<1ms TTL=64
Reply from 192.168.1.253: bytes=32 time<1ms TTL=64
Reply from 192.168.1.253: bytes=32 time<1ms TTL=64
Reply from 192.168.1.253: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.1.253:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Although a ping sweep of a network can be fast, it provides little detail. It simply lets you know whether the system responds. A more in-depth scan would involve performing a port scan of some or all of the TCP and UDP ports, using a tool such as Nmap. Regardless of the technique used, a network discovery scan does not probe systems for vulnerabilities but provides a report showing the systems detected on a network and a list of the ports exposed.
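As an added example (not from the book), the following Python performs the kind of TCP port scan described above, using a full connect() rather than the half-open SYN scan Nmap uses by default. A connect scan needs no raw sockets or administrator rights, but every probe completes the three-way handshake, so it shows up in the target's logs; a timeout, rather than a refusal, is the signature of a firewall silently dropping the probe. The default port list is a constructed choice.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed default port list: a handful of services a discovery scan
# usually checks first. Any iterable of ports can be passed instead.
COMMON_PORTS = [22, 80, 443, 445, 3389]


def probe_port(host, port, timeout=0.5):
    """Full TCP connect() probe of one port.
    'open'     - the three-way handshake completed (the target will log it)
    'closed'   - the host answered with a RST (connection refused)
    'filtered' - nothing came back before the timeout, which is what a
                 firewall silently dropping the SYN looks like
    'error'    - no route, name failure, or similar local error"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            return "error"


def connect_scan(host, ports=COMMON_PORTS, timeout=0.5, workers=16):
    """Probe the ports concurrently; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results):
    """The part of a scan result a discovery report lists per host."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    # Scan only hosts you are authorized to test.
    target = "127.0.0.1"
    results = connect_scan(target)
    for port in sorted(results):
        print(f"{target}:{port} {results[port]}")
    print("open:", open_ports(results))
```

Run it against a range by wrapping connect_scan in a loop over addresses; keep the timeout short on a LAN and raise it across a WAN, or filtered results will be over-reported.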

Scans can also be focused on web applications. Automated tools can scan web applications from the outside and search for security vulnerabilities such as cross-site scripting (XSS), Structured Query Language (SQL) injection, poor input validation/sanitization, path traversal, and command injection. The Open Worldwide Application Security Project (OWASP; formerly the Open Web Application Security Project) focuses on these activities and maintains the widely used OWASP Top 10 list of web application risks. Web application scanning should be performed at several crucial points:

  • During development

  • When new applications are moved into production

  • Before code changes go to production

  • On a recurring periodic basis

There are many software tools available for web application scanning, including Nessus, Acunetix, Nikto, Wapiti, and Burp Suite.

Vulnerability Scans and Assessments

Vulnerability scans are used to review all potential points on a computer or network that could be used to exploit the system, and vulnerability assessments are used to identify all potential vulnerabilities that could be exploited in an environment. Vulnerability assessment tools are software packages used to scan for known vulnerabilities.

Much has changed in the way the IT industry views vulnerability assessments since the first tools for this purpose appeared in the early 1990s. In 1993, two well-known security professionals, Dan Farmer and Wietse Venema, wrote a landmark paper titled “Improving the Security of Your Site by Breaking Into It.” They went on to develop SATAN (Security Administrator Tool for Analyzing Networks), released in 1995 and one of the first network vulnerability scanners. Silicon Graphics, Farmer’s employer at the time, fired him over its release. The tool was seen as dual-use, equally useful for good and bad, and some people were also uncomfortable with the name.

Today, organizations around the world use vulnerability assessment tools to scan their networks for software problems, misconfigurations, and security vulnerabilities. A vulnerability scanner can be run against a single address or a range of addresses and can also test the effectiveness of layered security measures.

Many vulnerability assessment tools are now available. Vulnerability assessment software can be used to scan systems, compiled software, or even source code. Nessus is a good example of a system-level vulnerability scanner. Even though vulnerability assessment software tools are important controls that increase security, they cannot test for every conceivable vulnerability and might cause systems to crash. A vulnerability assessment tool is just one of many items that help provide for defense in depth. Recall that defense in depth means using multiple layers—such as vulnerability assessment software, audits, penetration testing, and antivirus—to ensure security.

Vulnerability assessment software is not a substitute for more thorough tests and examinations, but penetration testing can help fill the gap.

Penetration Testing

Penetration testing is the process of evaluating an organization’s security controls by attempting, with authorization, to circumvent them the way an attacker would. Penetration tests can be performed in a number of ways, including the following:

  • Whitebox testing: With this type of testing, the test team knows everything about the network. The team has been provided network maps, diagrams, and documents specifying all the details of the organization’s network.

  • Blackbox testing: With this type of testing, the test team has no details of the organization’s network. For example, last year my company did a blackbox test for an organization and was provided only the IP address range. The client wanted us to ascertain all other details during the penetration test.

  • Graybox testing: With this type of testing, the test team has partial knowledge, such as the access and information an insider with a normal user account would have, and examines what is possible from that position.

Penetration testing can be performed using a manual process or via automated software packages, such as Core Impact and Metasploit. Penetration tests can take a number of forms:

  • Outsider testing: This type of testing examines what threat actors or other outsiders can access or do.

  • Physical security testing: This form of penetration testing involves using physical access to see what can be accomplished. Some would argue that if physical barriers can be bypassed, there is no security at all.

  • Wireless network testing: This form of testing is done to verify the organization’s wireless access policies and to ensure that no misconfigured devices have been introduced that may cause additional security exposures. Such testing might include Bluetooth and RFID testing of devices on premises.

  • Application security testing: Many organizations offer access to core business functionality through web-based applications. Static testing, dynamic testing, and fuzz testing are different approaches to verifying that the controls over an application and its process flow are adequately designed.

  • Denial of service (DoS), or stress, testing: The goal of this type of testing is to evaluate the network’s susceptibility to DoS attacks and heavy loads.

  • War dialing: War dialing is an attempt to systematically call a range of telephone numbers and identify modems, remote access devices, and maintenance connections of computers that could exist on an organization’s network. While this method is considered dated today, it continues to be used; one example is targeting Zoom and other online meeting tools. See https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/.

  • Social engineering testing: This form of penetration testing involves using social interaction techniques with an organization’s employees, suppliers, and contractors to gather information and penetrate the organization’s systems.

Caution

Penetration testing can be performed with the full knowledge of the security staff, as a blind test, or as a double-blind test. A blind test is one in which only publicly available information is used. A double-blind test is one in which only publicly available information is used and security staff are not notified of the event. A double-blind test allows the organization to observe the reactions of the security staff.

In addition to determining the mode of a test, you need to consider the network infrastructure. Figure 7.1 illustrates a layered security infrastructure.


FIGURE 7.1 Network Infrastructure

Security tests of any type are a large undertaking. An organization needs a team to carry out these duties. This team is responsible for determining the weaknesses, technical flaws, and vulnerabilities of the organization. This team is known as a penetration test team or, informally, a red team, and the individuals on it are known as ethical hackers or white hat hackers. (Black hat hackers are threat actors, and gray hat hackers are in between, sometimes doing both helpful and harmful activities.) Ethical hackers perform the same activities as threat actors, but they do so with the approval of the organization and without causing damage.

The goal of penetration testing is to test the network in much the same way a threat actor would. Because of the global nature of the Internet and the increased emphasis on networking, these types of activities have gained increased prominence in the past several years.

Regardless of what it knows about the network, the penetration test team typically starts with basic user access. Its goal is to advance to root access or administrator access and to try to control the network. The most critical factor distinguishing threat actors from ethical hackers is obtaining corporate approval. Without the signed consent of the organization’s owner or upper management, a penetration test team could very well be breaking the law.

Penetration testing typically involves the following phases:

  1. Discovery or reconnaissance: The team identifies and documents information about the targeted organization.

  2. Enumeration: The team uses intrusive methods and techniques to gain more information about the targeted organization (for example, using software tools to scan for live machines).

  3. Mapping the attack surface: The team conducts vulnerability mapping to discover the correlation between the findings from enumeration and known and potential vulnerabilities that could be used to gain access.

  4. Exploitation: The team attempts to gain user and privileged access by launching attacks against known vulnerabilities, performing lateral movement, and pivoting from one compromised host to another.

  5. Reporting to management: The team prepares a report of the findings of the penetration test and details the issues that need to be addressed, along with their priority.

Penetration testing methodologies can be broken into two broad categories:

  • Proprietary vendor methodologies: Examples of organizations that provide proprietary penetration testing methodologies are IBM, ISS, McAfee/Foundstone, and the EC-Council.

  • Open-source frameworks: Open-source penetration testing methodologies include OSSTMM (from ISECOM), ISSAF, the OWASP Testing Guide, and NIST SP 800-115.

Each of these methodologies offers guidance on performing tests and identifying key areas of concern.

Note

To address advanced persistent threats and block lateral movement, many organizations have moved to microsegmentation and zero trust infrastructure.

NIST provides documents that are helpful for organizations planning penetration testing. NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, includes recommendations for tools intended for self-evaluation and describes how testing results support the following areas:

  • Risk analysis

  • Certification

  • Accreditation

  • Policy development

NIST divides penetration testing into four primary stages:

  1. Planning: Good planning is the key to success. You need to know where you are going, what your goals are, what the time frame is, and what the limits and boundaries are; these are written down as the rules of engagement and signed off before any testing begins.

  2. Discovery: This stage consists of two distinct phases:

    • Passive: During this phase, information is gathered covertly. Examples of passive information gathering include browsing the organization’s website to mine valuable information and reviewing job openings to learn which technologies and equipment the organization uses. This phase is deemed passive because the penetration test team is not port scanning or launching attack tools; it is only gathering information from available data sources.

    • Active: This phase of the test is split between network scanning and host scanning. As individual networks are enumerated, they are further probed to discover all hosts, determine their open ports, and attempt to identify their operating systems. Nmap and Zenmap (a GUI front end for Nmap) are popular scanning programs.

  3. Attack: During this stage, the ethical hacker attempts to gain access, escalate privilege, browse the system, and expand influence.

  4. Reporting: Although this stage is listed last, reporting and documentation should be conducted throughout each stage of the process. Documentation created throughout a test should be used to compile the final report, and the report should serve as the basis for corrective action. Corrective action can range from nothing more than enforcing existing policies to closing unneeded ports and adding patches and service packs.

At the completion of a penetration test, the results are delivered in a comprehensive report to management. Security of the report is an important issue, and distribution and storage are also crucial.

NIST SP 800-115 recommends making security testing a routine part of operating every network and exercising caution when testing. Things can go wrong! Employees should be trained in security testing so that when negative events occur, the organization has people already prepared.

Although these are good guidelines, it’s also important to understand the limitations of security testing activities. Penetration testing cannot cure every conceivable problem. You need to build on vulnerability management by patching and updating systems regularly, implementing and following good policies, and training employees.

Table 7.1 provides some sample intervals for common security review functions.

TABLE 7.1 Security Review Intervals

Technique                 | Daily | Weekly | Monthly | Biannually | Annually
--------------------------|-------|--------|---------|------------|---------
Antivirus                 |       |        |         |            |
Log reviews               |       |        |         |            |
Audits                    |       |        |         |            |
Vulnerability assessments |       |        |         |            |
Penetration testing       |       |        |         |            |

Test Techniques and Methods

A variety of test techniques and methods can be used to test software, systems, and networks. Regardless of the methodology chosen, it is important to build security into a product. This concept of “baking in security” is the foundation of the secure software development lifecycle (SSDLC). Every phase of the SSDLC stresses the importance of incorporating security into the process:

  • Requirements gathering

    • Security requirements

    • Assessment of risk

  • Design

    • Design requirements identification from a security perspective

    • Design and architecture review

    • Threat modeling

  • Coding

    • Coding best practices

    • Static analysis review

  • Testing

    • Vulnerability assessment

    • Fuzzing

  • Deployment

    • Server, network, and platform configuration review

For example, code review and testing might focus on which programming language was used and which functions were implemented. The C language, for instance, has some functions that can be exploited (because they do not check for proper buffer size), including strcat(), strcpy(), sprintf(), vsprintf(), bcopy(), scanf(), and gets().

Applications continue to be one of the most targeted portions of an organization’s IT infrastructure. Approaches to dealing with insecure code include static testing of code, dynamic testing, and runtime protection. Static application security testing (SAST) analyzes source code, bytecode, or the compiled binary without running the application, to verify that secure coding practices have been followed. SAST is normally tool-driven and can run on every commit; a manual code review examines the same artifact but is a separate activity that complements it.
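A minimal SAST check for the unbounded C functions listed above, written in Python as an added example (it is not from the book or any real scanner): it scans constructed C source for calls to those functions, blanks out comments first so that commented-out calls are not reported and line numbers stay accurate, and suggests the bounded replacement. The function list, suggestions, and sample source are my own construction.

```python
import re

# The unbounded functions named above, with the bounded call a reviewer
# would normally ask for instead.
BANNED_C_FUNCTIONS = {
    "strcpy":   "strncpy/strlcpy with an explicit destination size",
    "strcat":   "strncat/strlcat with an explicit destination size",
    "sprintf":  "snprintf",
    "vsprintf": "vsnprintf",
    "gets":     "fgets with a sized buffer",
    "scanf":    "scanf with width specifiers, or fgets followed by sscanf",
    "bcopy":    "memcpy/memmove with a checked length",
}

# A call is the identifier as a whole word followed by '('. The lookbehind
# keeps strncpy(, fgets(, sscanf( and my_strcpy( from matching.
_CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(BANNED_C_FUNCTIONS) + r")\s*\("
)
_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def strip_comments(src):
    """Blank out comments but keep their newlines so line numbers hold."""
    return _COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan_c_source(src):
    """Return a list of (line_no, function, source_line, suggestion)."""
    findings = []
    original = src.splitlines()
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in _CALL_RE.finditer(line):
            fn = m.group(1)
            findings.append((no, fn, original[no - 1].strip(), BANNED_C_FUNCTIONS[fn]))
    return findings


# Constructed C snippet to scan. Line 4 is a call inside a comment, which
# must not be reported; line 8 is the bounded variant, also not reported.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy(buf, name) here is only a comment */
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);                   /* no bound: classic overflow */
    strncpy(buf, name, sizeof buf - 1);  /* bounded, not flagged */
    sprintf(buf, "hi %s", name);         // formats into buf without a bound
    printf("%s\\n", buf);
}
"""

if __name__ == "__main__":
    for no, fn, line, fix in scan_c_source(SAMPLE_C):
        print(f"line {no}: {fn}() -> use {fix}\n    {line}")
```

This is pattern matching, not analysis: it will still flag a call whose arguments were length-checked two lines earlier, and a call spelled inside a string literal, and it will miss an unsafe call reached through a function pointer or macro. Real SAST tools add data-flow tracking for exactly those reasons; a banned-function list is the first, cheapest gate, not the last.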

Interactive application security testing (IAST) works from inside a running application: an agent installed in the QA or test/dev environment instruments the code, watches how each request is handled, and flags vulnerable code paths with their exact location in the code. The goal is to identify problematic code, record it, and request that the developer remediate it.

Both SAST and IAST report findings at the level of code, but IAST can do so only after a build is deployed and exercised, so its coverage depends on the tests or traffic that drive the application. IAST scales well and can be driven by a human tester or by automation.

Dynamic application security testing (DAST), in contrast, works from the outside in: it is conducted against a running instance, typically without access to the underlying source code, and is considered a blackbox testing technique.

Runtime application self-protection (RASP) goes one step further and controls the application during runtime and execution. RASP can detect and prevent attacks on applications in real time: it analyzes the context of suspected malicious behavior and monitors the application’s own behavior to detect and mitigate attacks automatically. RASP is useful protection against a range of threats, including cross-site scripting (XSS), SQL injection, and data exfiltration, but it can impact application performance.

Conducting synthetic transactions, referred to as synthetic monitoring, involves building scripts or tools that simulate processes typically performed by an application. These are real-time transactions that are performed on monitored objects. Synthetic transactions can be used to measure the performance of a monitored object and to see how it reacts when it is stressed. For example, you might configure a synthetic transaction on a web server that simulates a user browsing website pages and performing common activities. Synthetic transactions can be used to see whether monitoring settings, such as alerts and notifications, perform as expected.

Fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. It can be used in two different ways: With generation fuzzing, the software generates input values randomly from the specification, and with mutation fuzzing, you analyze real input and modify those real values. Regardless of the approach used, the program is monitored for exceptions such as potential memory leaks, application crashes, or failing built-in code assertions.

Fuzz testing is closely associated with misuse case testing. Think of this as a negative scenario: testing for things that should not happen. For example, if you enter a negative quantity in a field that requires a positive value, will the web application actually accept it? It shouldn’t!
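An added example (not from the book) that runs both fuzzing styles from the previous paragraph against a constructed record parser carrying a deliberate bug, and applies this paragraph's misuse-case idea to the verdict: the harness treats ValueError as the parser correctly rejecting bad input and any other exception as a crash to triage. The record format, the parser, and the fixed version are my own construction.

```python
import random


def parse_record(data: bytes) -> dict:
    """Constructed target with a deliberate bug. Format: byte 0 is the
    name length n, bytes 1..n are the name, and one flags byte follows.
    The parser trusts n and indexes past the end of short input."""
    if len(data) < 2:
        raise ValueError("too short")            # correct rejection
    n = data[0]
    name = data[1:1 + n]
    flags = data[1 + n]                          # BUG: IndexError if 1 + n >= len(data)
    return {"name": name.decode("ascii", "replace"), "flags": flags}


def parse_record_fixed(data: bytes) -> dict:
    """Same format with the bounds check the fuzzer shows is missing."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    if 1 + n >= len(data):
        raise ValueError("declared length exceeds record")
    return {"name": data[1:1 + n].decode("ascii", "replace"), "flags": data[1 + n]}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: one random edit of a known-good input."""
    buf = bytearray(seed)
    op = rng.choice(["flip", "replace", "truncate", "append"])
    if op == "flip":
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "replace":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "truncate":
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def generate(rng: random.Random) -> bytes:
    """Generation fuzzing: build a record from the format description
    alone, letting the length byte take any value the field can hold."""
    n = rng.randrange(256)
    name = bytes(rng.randrange(0x20, 0x7F) for _ in range(rng.randrange(8)))
    return bytes([n]) + name + bytes([rng.randrange(256)])


def fuzz(target, inputs, expected=(ValueError,)):
    """Feed each input to target. Exceptions in `expected` are the parser
    rejecting bad data as designed; any other exception is a crash.
    Returns (cases_run, crashing_input_or_None, exception_or_None)."""
    runs = 0
    for data in inputs:
        runs += 1
        try:
            target(data)
        except expected:
            continue
        except Exception as exc:
            return runs, data, exc
    return runs, None, None


def mutation_campaign(target, seed=b"\x05hello\x01", iterations=500, rng_seed=7):
    rng = random.Random(rng_seed)               # fixed seed: reproducible crashes
    return fuzz(target, (mutate(seed, rng) for _ in range(iterations)))


def generation_campaign(target, iterations=500, rng_seed=7):
    rng = random.Random(rng_seed)
    return fuzz(target, (generate(rng) for _ in range(iterations)))


if __name__ == "__main__":
    runs, crash, exc = mutation_campaign(parse_record)
    print(f"mutation: {runs} cases, crash input {crash!r}: {exc!r}")
    runs, crash, exc = generation_campaign(parse_record)
    print(f"generation: {runs} cases, crash input {crash!r}: {exc!r}")
    print("fixed parser:", mutation_campaign(parse_record_fixed))
```

The split between expected rejections and crashes is what makes the result actionable: without it, every malformed input the parser correctly refuses would be reported alongside the one input that exposes the missing bounds check. Seeding the generator is what lets a developer replay the exact crashing case.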

During a source code review, a Fagan inspection might be performed. A Fagan inspection is a formal process in which each activity has prespecified entry and exit criteria. It is typically used in software development to find defects during each phase of the process, so that issues and outages are prevented before the software is placed in production. The phases are planning, overview, preparation, inspection meeting, rework, and follow-up. From the rework phase, the review may move to inspection, follow-up, or planning; from the overview phase, to planning or preparation; and from the inspection phase, to rework or preparation. Moving directly from rework back to preparation is not an allowed transition.

Another type of testing examines integer overflow, which occurs when a program or an application attempts to store in a variable a number larger than that variable’s type can hold. Consider a 16-bit unsigned integer, which can hold values only up to 65,535. If someone can exceed this value and stores a larger number in that unsigned integer type, only the remainder modulo the type’s range is kept; for example, 65,535 + 1 might become 0. Figure 7.2 shows an example.

FIGURE 7.2 Integer Overflow

Source: https://en.wikipedia.org/wiki/Integer_overflow#/media/File:Odometer_rollover.jpg
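The wraparound described above can be reproduced in Python with a genuine 16-bit unsigned slot from the ctypes module. The script below is an added example, not from the book: it shows what a wrapping implementation stores for the boundary inputs a tester would try, alongside a checked addition that refuses to wrap. The quantity-field scenario and the test values are constructed for the demonstration.

```python
"""Integer overflow in a 16-bit unsigned field, reproduced with ctypes, and the
checked arithmetic a tester expects to find. Added example, not from the book."""
import ctypes

U16_MAX = 65535


def store_u16(value: int) -> int:
    """Store value in a genuine 16-bit unsigned slot; only value mod 65536 survives."""
    return ctypes.c_uint16(value).value


def checked_add_u16(a: int, b: int) -> int:
    """Addition that refuses to wrap. The comparison is arranged so that it
    cannot itself overflow in a fixed-width language (a > MAX - b rather than
    a + b > MAX)."""
    if a < 0 or b < 0 or a > U16_MAX or b > U16_MAX:
        raise ValueError("operands must already fit in 16 bits")
    if a > U16_MAX - b:
        raise OverflowError(f"{a} + {b} exceeds {U16_MAX}")
    return a + b


def add_overflows(a: int, b: int) -> bool:
    """True when the 16-bit addition would wrap; what a test case asserts on."""
    try:
        checked_add_u16(a, b)
    except OverflowError:
        return True
    return False


def overflow_test_cases() -> dict:
    """Boundary inputs a tester feeds a 16-bit quantity field, with what a
    wrapping implementation actually stores (constructed test values)."""
    return {
        "max": store_u16(65535),           # 65535, fits
        "max_plus_one": store_u16(65536),  # wraps to 0 (the text's 65,535 + 1)
        "max_plus_two": store_u16(65537),  # wraps to 1
        "negative_one": store_u16(-1),     # wraps to 65535
    }


def safe_total(quantities) -> int:
    """Sum 16-bit quantities with overflow detection instead of a silent wrap."""
    total = 0
    for q in quantities:
        total = checked_add_u16(total, q)
    return total


if __name__ == "__main__":
    for name, stored in overflow_test_cases().items():
        print(f"{name:13} -> stored value {stored}")
    print("65535 + 1 overflows:", add_overflows(65535, 1))
```

The test table is the part to carry into interface testing: the same boundary values should be pushed through every module that passes the quantity along, because a value that is checked at the input form can still wrap in a downstream subsystem that stores it in a narrower type.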

Testing should focus on more than just input and output data. It should also look at how an application passes data from system to system, subsystem to subsystem, or variable to variable. This is where interface testing comes in. This type of testing is used to verify whether all the interactions between various modules and components are working properly and whether errors are handled properly.

Note

Attackers are always trying to tamper with data. One way they do so is with data diddling attacks. This type of attack works by changing data as it is keyed in or processed by a computer. It can be done to cancel debts without proper authority or assign a large hourly pay increase to an individual. Trying to track down the problem is difficult, and it could be months before such an attack is uncovered. However, regular testing can help bring such attacks to light.

Security Threats and Vulnerabilities

Now that we have examined some of the types of tests that an organization can perform, let’s turn our attention to some of the threats and vulnerabilities an organization might face. Knowing what threats and vulnerabilities exist allows an organization to build controls to address these specific issues. It is much cheaper to be proactive and build in good controls than it is to be reactive and figure out how to respond after an attack has occurred.

Threat Actors

The people who threaten the security of your network can be divided into two main groups:

  • Insiders (often disgruntled employees): These are individuals who either currently work for the organization or have been fired or quit yet still have access. Insiders could be disgruntled employees or current or former contractors.

  • Outsiders: These individuals have never worked for you—and you are probably lucky they haven’t. Outsiders can be segregated into several subgroups:

    • Script kiddies: These individuals cause harm with scripts, tools, and rootkits written by other, more skilled individuals. Often, they don’t understand how the exploits they are using work.

    • Hacktivists: These hackers have an agenda in that their attacks are driven by the need to protest or make a statement. Hacktivist groups, such as LulzSec and Anonymous, might use distributed denial of service (DDoS) tools or search for and publish private or identifying information about a target; this is known as doxing. Hacktivist is a combination of the words hack and activist. Hacktivists like to refer to themselves as protesters in cyberspace.

    • Corporate spies: These individuals work for rival firms. Their goal is to steal your proprietary information or gather open-source intelligence about you for competitive advantage.

    • Skilled hackers: Although they’re not driven by corporate greed or the desire to advance agendas (as are hacktivists), these individuals do have motives. Maybe they are looking for ways to proclaim their advanced hacking skills, or they might be at odds with a stand or position your organization has taken.

    • Hacker researchers: These individuals may accidentally (or intentionally) discover vulnerabilities in a product or infrastructure and then attempt to communicate the issue to the responsible parties.

    • Organized crime: The primary motivation of organized crime is to make money. Organized crime activities might include creating and renting botnets, monetizing personally identifiable information (PII), and generating revenue from exploit kits (also called crimeware kits) and ransomware.

    • Foreign government agents: These individuals seek ways to advance the interests of their country, and your data might be the target. These agents may spend months or years crafting highly customized attacks to achieve their objectives.

Note

Being a hacker researcher is not without risk. A hacker known as Weev was part of a group that exposed a flaw in AT&T security, which allowed the email addresses of 114,000 iPad users, including those of celebrities, to be revealed. Weev was charged and found guilty of identity fraud and conspiracy to access a computer without authorization. While the original conviction was later overturned, Weev did serve more than a year of his original sentence.

So, which group represents the biggest threat? The distinction between insiders and outsiders isn’t always useful. Security professionals should not really trust anyone. This has advanced a security concept known as zero trust, which means that nothing is trusted by default. This concept is discussed in NIST 800-207.

Insiders typically have the means, access, and opportunity to commit crimes. All they may lack is motive. Outsiders, on the other hand, are not trusted with access, and being outside the organization’s structure could leave them with little opportunity or means to launch an attack. However, outsiders can be driven by motivations like money, prestige, or national interests. Figure 7.3 shows examples of threat actors and sample attacks.

FIGURE 7.3 Threat Actors and Attacks

Note

Early hackers, known as phreakers, focused on analog phone and telecommunication attacks in the 1980s. Some of these individuals would reverse engineer the specific tones used by telecommunications systems to route long-distance/international calls for free.

Attack Methodologies

Attacks typically target one or more items that are tied to the security triad: confidentiality, integrity, or availability. Whereas confidentiality and integrity attacks actually give the attacker access to your data, availability attacks do not. Availability attacks usually result in denial of service.

Hackers target a variety of devices, but their modus operandi remains fairly constant. Their attack methodology generally proceeds as follows:

  1. Footprinting: The attackers identify potential targets, looking for information in places such as the organization’s website, public databases, WHOIS, NSLOOKUP, Google groups, and EDGAR financial records.

  2. Scanning: The attackers move beyond passive information gathering and use a variety of tools to scan for open ports and processes.

  3. Enumeration: Somewhat similar to scanning, this step involves obtaining more detailed information about target devices, such as operating system identification. Attackers are likely to probe for poorly protected network shares and weak passwords during this phase.

  4. Penetration: What makes this phase different from the previous one is that the hacker is attacking the network with the goal of gaining access. If access is not possible, the attacker might decide to launch a DoS attack.

  5. Escalation: Many times the initial level of access gained by an attacker is not root or administrator. During the escalation phase, a hacker attempts to escalate privilege, pilfer data, and gain access to restricted information.

  6. Expanding access: The attacker does not stop with access to just one system. Typically, attackers attempt lateral movement to expand their reach.

  7. Covering tracks: When they’re in control of the system, most hackers seek to destroy evidence of their activities. They are likely to attempt to plant tools and rootkits on the compromised system to further extend their stay. Rootkits typically serve the purpose of leaving backdoors so the attackers can come and go as they please.

Note

Escalation of privilege is required because some computer operations require special privileges to complete their tasks or can be run only from root, system, or administrative accounts. With horizontal privilege escalation, an attacker moves from one user account to another user account that has the same level of access. Vertical privilege escalation occurs when an attacker moves from an account with lower privileges to one with higher privileges.

Network Security Threats and Attack Techniques

Many threats to network security exist. Many attackers are opportunistic and typically take the path of least resistance, choosing the most convenient route and exploiting the most well-known flaws. Others, such as government spies and corporate hackers, might go to great lengths to gain access to the data or information they desire. In these instances, the attackers or advanced persistent threats (APTs) may spend large amounts of time and money to gain access to resources they covet. As discussed in the following sections, threats to network security can include session hijacking, sniffing, wiretapping, DoS and DDoS attacks, and botnets.

Session Hijacking

A session hijacking attack allows an attacker to take over an existing connection between two communicating hosts. It is an effective type of attack because most TCP services perform authentication only at the beginning of the session. In such a case, the attacker simply waits until authentication is complete and then jumps in and takes control of the session. Session hijacking can be performed at the host-to-host layer or the application layer. Protocols like FTP and Telnet can be targeted through prediction of sequence and acknowledgment numbers, and web applications can be targeted at the application layer. You may have noticed that some sites log you in using HTTPS but use HTTP for the remainder of the connection. In such situations, the session ID and other session variables are passed in a plaintext cookie over port 80 instead of port 443.

Preventive measures include limiting incoming connections and using encryption provided by tools like Kerberos or IPsec. Plaintext protocols like FTP and Telnet are very vulnerable to session hijacking because all communication is sent in plaintext. Secure Shell (SSH) is a good alternative. SSH establishes an encrypted channel between the local and remote hosts. Detection can be improved by using IDSs or IPSs. You can make session hijacking more difficult for an attacker by using switches, protocols like SSH, and software that uses more random initial sequence numbers (ISNs).
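For the web-application case described above, the control that keeps a session cookie off the plaintext port is the cookie’s own attributes. The following Python script is an added example, not from the book: it audits Set-Cookie headers from a login response and flags a session cookie that lacks the Secure attribute (and, as added context, the HttpOnly and SameSite attributes, which are standard cookie attributes the book does not list). The two header values are constructed for the demonstration.

```python
"""Audit Set-Cookie headers for the weakness described in the text: a session
cookie that the browser will also send over plaintext HTTP after an HTTPS login.
Added example; the header values are constructed."""
from http.cookies import SimpleCookie

# Constructed login responses: the first is the weak pattern (HTTPS login but
# no Secure flag), the second is the hardened form of the same cookie.
CONSTRUCTED_SET_COOKIE = {
    "weak": "sessionid=9f3a2c7e; Path=/; Max-Age=3600",
    "hardened": "sessionid=9f3a2c7e; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax",
}

# Cookie names commonly used for session identifiers (assumed list, extend per app).
SESSION_COOKIE_NAMES = ("sessionid", "phpsessid", "jsessionid", "session")


def audit_set_cookie(header_value: str, session_names=SESSION_COOKIE_NAMES) -> dict:
    """Return {cookie_name: [issues]} for the session cookies in one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        if name.lower() not in session_names:
            continue
        issues = []
        if not morsel["secure"]:
            issues.append("no Secure: browser also sends it over HTTP (port 80), "
                          "exposing it to sniffing and hijacking")
        if not morsel["httponly"]:
            issues.append("no HttpOnly: readable by scripts running in the page")
        if not morsel["samesite"]:
            issues.append("no SameSite: attached to cross-site requests")
        findings[name] = issues
    return findings


def is_hijack_resistant(header_value: str) -> bool:
    """True when every session cookie in the header carries all three attributes."""
    findings = audit_set_cookie(header_value)
    return bool(findings) and all(not issues for issues in findings.values())


if __name__ == "__main__":
    for label, header in CONSTRUCTED_SET_COOKIE.items():
        print(label, "->", "ok" if is_hijack_resistant(header) else audit_set_cookie(header))
```

Run this against the headers captured from your own login endpoint; a cookie reported without Secure is exactly the one that travels in the clear once the site falls back to HTTP, and the fix is on the server side (set the attribute, and serve the whole session over HTTPS).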

Sniffing

A sniffer is a packet-capturing program that records network traffic and can decode the captured frames. Sniffers work by placing the hosting system’s network card in promiscuous mode, which means the network card accepts all the frames it can see, not just those addressed to it.

When sniffing is performed on a switched network, it is known as active sniffing. There can be exceptions to this rule, however, because some switches can have one port configured to receive copies of all the packets in the broadcast domain. In such a case, passive sniffing can be performed.

When attackers do not have physical access to a switch, they might use techniques like Address Resolution Protocol (ARP) poisoning and Media Access Control (MAC) address flooding to bypass the functionality of a switch.

Sniffers operate at the data link layer (Layer 2) of the OSI model. Sniffers can intercept whatever they see on the wire and record it for later review. They allow the user or attacker to see all the data contained in a packet—even information that should remain hidden. For sniffers to be successfully used by an attacker, the attacker must be on your local network or on a prominent intermediary point, such as a border router through which traffic passes.

Plaintext protocols are particularly at risk of sniffing. Figure 7.4 shows an example of a plaintext FTP session, which an attacker could use to steal password information. To reduce the threat of sniffing, you should use protocols like IPsec, SSL/TLS, and SSHv2 to pass usernames, passwords, and data.

FIGURE 7.4 Sniffing Plaintext Passwords

Wiretapping

Wiretapping traditionally involved connecting to telephone wires, but today it can involve network sniffing, VoIP sniffing, and radio frequency sniffing (for 802.11 networking, cellular traffic, Bluetooth, and so on). If an organization does not encrypt communication before transmission takes place over public networks, attackers can passively or actively eavesdrop on that communication.

In the United States, the Communications Assistance for Law Enforcement Act (CALEA) requires that all telecommunication providers, regardless of the technologies involved, must make it possible to eavesdrop on all forms of communication so that law enforcement can collect information when a proper search warrant is issued. Some of the techniques used to intercept traffic include intercept access points, mediation devices, and programs installed at the ISP that perform the collection function. Although you might not be too concerned about the government intercepting data, you should be concerned about the fact that an attacker could also attempt to use techniques like these to intercept your sensitive and private information.

DoS and DDoS Attacks

The goal of DoS and DDoS attacks is to destroy the availability of information or information systems. Malicious users often attempt these attacks to bring down a network, extort money, or hold the network hostage—sometimes as a last-ditch effort (that is, “If I can’t get in, I’ll make sure no one else does either”). Today, DoS attacks often take a hostage-type ransom approach and are designed to make money for the attackers or to disrupt network communications.

A DDoS attack is an amplified DoS attack. As with a DoS attack, the goal of a DDoS attack is disruption of service. However, a DDoS attack is more powerful in that it uses a large number of previously compromised systems to direct a coordinated attack against the target. These systems, known as zombies, wait until the attacker signals the attack. Botnets, discussed in the next section, are used to facilitate DDoS attacks. A DDoS attack can be devastating because of the tremendous amount of traffic generated.

Note

In 2007, a large-scale DDoS attack was launched against a nation for the first time. This attack against Estonia caused severe outages and was blamed on Russian attackers.

Note

Booters are websites that offer DDoS services. These sites are operated by cybercrime groups that provide paying customers with DDoS attack capabilities on demand. These services can hide behind multiple layers of IP addresses and can be very difficult to take down.

Botnets

Attackers are no longer content with just making a name for themselves. Today’s attacks are often about making money. Attackers might be out-of-work Eastern European and Russian computer engineers or others working all over the globe. Attacks might be performed for extortion or to generate revenue. These attacks often depend on botnets, which were first seen around the year 2001. A botnet is a massive collection of computers that have been compromised or infected and become bots, or zombies (see Figure 7.5). Botnets are used to distribute spam, steal passwords used at banking and shopping websites, launch DoS attacks for extortion, and spread infections to other computer systems. They are not showing any signs of going away. In February 2020, Amazon Web Services (AWS) reportedly defended against a 2.3 Tbps DDoS attack staged by an army of bots.

FIGURE 7.5 Botnet Example

Note

In 2010, a large group of hacktivists was able to organize a large-scale opt-in botnet attack. The attack, which was organized by the group Anonymous, targeted sites like MasterCard and Visa. These attacks used the application Low Orbit Ion Cannon (LOIC) to flood these sites and disrupt communication.

A botnet attack starts when the controller (called a bot herder) seeks to bypass the access control of third-party computers. These computers can be broadband users, home users, or even poorly configured corporate systems.

Bot herders can use a variety of techniques to avoid detection. For example, a fast-flux botnet has numerous IP addresses mapped to one domain name, which means an attacker can swap out IP addresses at an extremely high frequency to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts that act as proxies. Figure 7.6 shows an example.

FIGURE 7.6 Fast-Flux Botnet

The evolution of botnets has now progressed to the point that they are packaged into exploit kits. These prepackaged botnets offer attackers everything they need and typically include detailed instructions.

Note

Botnets have evolved into a multi-million-dollar industry. In October 2020, Microsoft announced legal action seeking to disrupt a botnet cybercrime operation that uses more than 1 million zombie computers to loot bank accounts and spread ransomware (see https://apnews.com/article/technology-malware-elections-crime-cybercrime-913ee5d56affa97fc5d9c639c4a284ab).

Botnets pose a real threat to computer operations, and an organization needs multiple layers of defense to counter this threat. Defenses include the following:

  • Patched and hardened computers

  • Web security appliances

  • Updated antivirus software to identify known threats

  • Firewalled networks and the use of intrusion detection and prevention (IDP) systems to monitor traffic

  • Routers configured to block spoofed traffic from within a network

  • User training to guard against APTs and to adopt safer computing practices

Although these techniques might not prevent all attacks, they are a good starting point. Organizations must develop better security practices to deal with the threat of botnets.

Other Network Attack Techniques

In addition to the attack techniques already discussed, hackers might attempt the following techniques to violate network security:

  • ARP poisoning: This type of attack is usually attempted to redirect traffic on a switch during the resolution of IP addresses to MAC addresses. An attacker may attempt a series of attacks, including sniffing, session hijacking, and interception of confidential information. Tools such as Bettercap and Ettercap are available to help attackers perform ARP poisoning.

  • Database attack: This type of attack targets an organization’s databases. SQL injection is one common attack vector. Although the techniques vary, the results are the same: Malicious users can run their code on the victim’s database server or steal information from the server. This can present a serious threat to the integrity or confidentiality of the organization.

  • DNS spoofing: Much like ARP poisoning, this type of attack attempts to poison the DNS process while addresses are being resolved from FQDNs to IP addresses. Individuals who succeed have their fake DNS entry placed into the victim’s DNS cache or anywhere else the address resolution is taking place, such as on a cooperating DNS server. Victims can then be redirected to the wrong Internet sites or to a rogue server infected with malware, sitting in someone’s basement and collecting your private information.

  • Email bombing: This type of attack is used to target a victim with a large amount of bogus email. The attacker attempts to send so much email that the user’s email account becomes completely full.

  • Pharming attack: This is another type of attack that misuses DNS. Normally DNS is responsible for translating web addresses into IP addresses. Pharming attacks hijack the DNS server and force it to redirect your browser to another site, allowing fake software updates to install malware.

  • Traffic analysis: This type of attack involves sniffing encrypted traffic to deduce information. Even with encrypted data, inferences can be made; for example, frequent communications can signal that planning is occurring.

  • War driving: This type of attack involves driving, flying, boating, or walking around an area to find wireless access points. Many individuals who perform this activity look specifically for unsecured wireless networks to exploit. The primary threat is that these individuals might then have a direct connection to your internal network or unrestricted Internet access. This access can then be used to conduct attacks on other Internet sites, send spam, promote pump-and-dump financial schemes, or sell counterfeit goods.

  • Zero-day exploits: A zero-day exploit can target corruption, modification, release, or interruption of data. This attack takes advantage of an exploit that might not be known to the vendor and for which there is no patch available.
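ARP poisoning (listed above, and mentioned earlier under sniffing as a way to defeat a switch) leaves a detectable trace: an IP address whose MAC changes between replies, or one MAC that starts answering for several addresses. The following Python script is an added example, not from the book; it runs those two detection rules over a constructed log of observed ARP replies of the kind a passive ARP monitor records. The gateway address, the MAC addresses, and the log lines are all constructed for the demonstration.

```python
"""Detect the symptoms of ARP poisoning (and of one host answering for many
addresses) in passively observed ARP replies. Added example for this section;
the log lines are constructed to mimic what an ARP monitor records."""
from collections import defaultdict

# Constructed observations: '<time> <ip> <mac>' for each ARP reply seen on the
# segment. 10.0.0.1 is the gateway; at 10:00:04 a second MAC starts claiming it.
CONSTRUCTED_ARP_LOG = """\
10:00:01 10.0.0.1  aa:bb:cc:00:00:01
10:00:02 10.0.0.25 aa:bb:cc:00:00:25
10:00:03 10.0.0.1  aa:bb:cc:00:00:01
10:00:04 10.0.0.1  de:ad:be:ef:00:99
10:00:05 10.0.0.25 de:ad:be:ef:00:99
10:00:06 10.0.0.1  aa:bb:cc:00:00:01
"""


def parse_arp_log(text: str):
    """Yield (time, ip, mac) tuples, normalising MAC case."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        yield ts, ip, mac.lower()


def detect_arp_anomalies(records, gateway_ip, allowed_multi_ip_macs=frozenset()):
    """Two rules over the stream of replies:
    1. an IP's MAC changes between replies (flapping): MEDIUM, HIGH for the gateway;
    2. one MAC answers for more than one IP: MEDIUM, unless it is on the allowlist
       (a router doing proxy ARP legitimately does this)."""
    last_mac = {}
    ips_by_mac = defaultdict(set)
    reported_multi = set()
    alerts = []
    for ts, ip, mac in records:
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{ts} {sev}: {ip} moved from {prev} to {mac}")
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
        if (len(ips_by_mac[mac]) > 1 and mac not in allowed_multi_ip_macs
                and mac not in reported_multi):
            reported_multi.add(mac)
            ips = ", ".join(sorted(ips_by_mac[mac]))
            alerts.append(f"{ts} MEDIUM: {mac} now answers for "
                          f"{len(ips_by_mac[mac])} IPs ({ips})")
    return alerts


def analyse_log(text: str, gateway_ip: str = "10.0.0.1"):
    """Parse and scan a log in one call; returns the list of alert strings."""
    return detect_arp_anomalies(parse_arp_log(text), gateway_ip)


if __name__ == "__main__":
    for alert in analyse_log(CONSTRUCTED_ARP_LOG):
        print(alert)
```

On the constructed log the gateway flaps twice (the rogue MAC answering, then the real one answering again), and the rogue MAC is flagged once for answering for two addresses. In production the same logic sits behind a static ARP entry for the gateway or a switch feature such as dynamic ARP inspection; the detection is the layer that tells you when those controls are being tested.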

Access Control Threats and Attack Techniques

Access control is probably one of the most targeted security mechanisms. After all, its job is to keep out unauthorized individuals. To try to bypass or subvert access control, attackers can use a variety of tools and techniques, such as unauthorized access, access aggregation, password attacks, spoofing/masquerading, sniffers, eavesdropping, shoulder surfing, and wiretapping. The following sections discuss a number of access control threats and attack methods.

Unauthorized Access

Information needs to be properly protected from unauthorized access, modification, disclosure, and destruction. To protect data, you need to select the best method of authentication for the situation. One important step to help determine what authentication should be used is to perform an asset valuation, which means assigning the dollar and non-dollar values to an asset. When the value of an asset is known, you can determine the appropriate access controls to prevent unauthorized access.

Caution

You can use threat modeling to examine the security risks of an application, including the problem of unauthorized access. A threat model details potential attacks, targets, and any vulnerabilities of an application. In part, threat modeling can help determine the types of access control mechanisms that are needed to prevent attack.

To learn more about threat modeling, review the information on Microsoft’s Threat Modeling tool at https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling.

Access Aggregation

Access aggregation, or privilege creep, involves collection of access permissions in one or more systems. For example, say that Grace starts as a help desk employee, and in six months she moves to tech support. If those in charge of access permissions are not paying attention, Grace gains access to the rights and permissions of a technical support representative while maintaining her help desk rights and privileges. Access aggregation can cause employees to potentially end up with a greater level of access than they should have. This is a big problem for many organizations, and it violates the security principle of least privilege. I have witnessed access aggregation at almost every organization I have worked at, but it can be managed with regular user audits and a good policy based on the principle of least privilege.

Password Attacks

Do you think your passwords are secure? In 2019, a breach at Evite exposed records including 100 million passwords, and a breach at Canva exposed details of 137 million user accounts.

Many individuals don’t practice good password security and reuse passwords. This can lead to problems such as credential stuffing, which is a cyberattack in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service. Password hashes can be recovered in several different ways, as discussed in the following sections.

Dictionary Cracking

Dictionary cracking involves using a predefined dictionary to look for a match between an encrypted password and an encrypted dictionary word. Many dictionary files are available, ranging from files for Klingon to popular movies, sports, and the MBA. Many times, these cracks can be performed in just a few minutes because individuals tend to use easily remembered passwords. If passwords are well-known dictionary-based words, dictionary tools can crack them quickly.

Just how do dictionary cracking programs recover passwords? Passwords are commonly stored in a hashed format, and most password-cracking programs use a technique called comparative analysis (see Figure 7.7):

  1. The hashed password must be recovered.

  2. The recovered password and the dictionary list are loaded into the cracking program.

  3. Each potential password found in a dictionary list is hashed and compared to the encrypted password.

  4. If a match is obtained, the password has been discovered. If not, the program continues to the next word, computes its hashed value, and compares that to the hashed password.

FIGURE 7.7 Dictionary Cracking

Dictionary cracking programs are comparatively smart because they can manipulate a word and use its variations. For example, a dictionary-cracking program would process the word password as Password, password, PASSWORD, PassWord, PaSSword, and using all other common permutations of the word.

Caution

Never store passwords as plaintext, don’t write them on sticky notes attached to your computer, and don’t share them with others. Passwords should always be created and stored by means of a one-way hashing process.

If a dictionary attack does not recover a password, the attacker can also try simple modifications of each dictionary word. Those modifications might include adding common prefixes, suffixes, and extended characters to try to crack the password. This is called a hybrid attack. Using the previous example, these attempts could include 123password, abcpassword, drowssap, p@ssword, pa44w0rd, and so on. These various approaches increase the odds of successfully cracking an ordinary word or any common variation of it.

Caution

Don’t make passwords public. Use each password only once, and don’t use the same password for multiple sites. Once passwords are breached, it is easy for hackers to find them. The www.hackersforcharity.org/ghdb/ website provides resources that can highlight how big this password exposure problem is. At the site you will find various search strings to search for exposed passwords and other sensitive data.

Brute-Force Cracking

Attackers don’t tend to give up easily. A brute-force crack is a type of password assault (usually associated with encryption, though it doesn’t have to be) and can take hours, days, months, or years, depending on the complexity of the password and the key combinations used. The attacker attempts every possible combination of letters, numbers, and characters, and with enough time, recovery is possible. The speed of this type of password cracking depends on the power of the CPU being used to carry out the attack. For example, password crackers have been developed to recover weak passwords quickly. There are also many online sites that can be used for cracking or to test password strength.

Rainbow Tables

What if you do not have a week to crack passwords? An alternative to traditional brute-force password cracking is to use a rainbow table. Whereas traditional password cracking hashes each potential password and looks for a match, the rainbow table technique precomputes the hashed value of every possible password in advance and stores the results in a table. This is considered a time/space/memory trade-off technique. Precomputing the hashes requires the creation of massive databases of hashed values for every potential password, from single characters on up, using all keyboard characters. Creating hashes for the character set ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&* ()-_+=~'[]{}|:;"'<>,.?/ would require about 64 GB and a considerable amount of time. When this process is complete, the passwords and their corresponding hashed values are stored in a file called a rainbow table. A hashed password can be quickly compared to the values stored in the table and cracked within a few seconds. For those who do not have the time or do not want to build their own, rainbow tables are available via BitTorrent and online.
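The following Python script is an added example, not from the book, that ties together the three password-recovery approaches described in this section: the four-step comparative analysis of the dictionary-cracking list, the hybrid variations (case changes, reversal, character substitutions, prefixes and suffixes), and the time/space trade-off of a precomputed lookup table. It ends with the defender’s counterpart, which the book does not spell out here: a per-user random salt combined with a slow key-derivation function, which makes any table precomputed without that salt useless. The word list, the target password, the leetspeak substitutions, and the salt are constructed for the demonstration; SHA-256 stands in for whatever fast unsalted hash a weak password store uses.

```python
"""Comparative analysis of a recovered password hash against a word list, the
hybrid variations described in the text, a precomputed lookup table, and the
per-user-salt defence. Added example for this section; the word list, target
password, and salt are constructed and are not from the book."""
import hashlib
import os

# Constructed substitution map for the 'leetspeak' style variants (p@$$w0rd).
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "s": "$"})


def sha256_hex(text: str) -> str:
    """Unsalted fast hash standing in for whatever a weak password file stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def hybrid_variants(word: str):
    """The word plus the manipulations a hybrid attack tries: case changes,
    reversal, leetspeak substitutions, and common prefixes/suffixes."""
    bases = sorted({word, word.lower(), word.upper(), word.capitalize(),
                    word[::-1], word.lower().translate(LEET)})
    yield from bases
    for base in bases:
        for affix in ("1", "123", "!", "2024"):
            yield base + affix
            yield affix + base


def dictionary_crack(target_hash, wordlist, hybrid=False, hash_fn=sha256_hex):
    """Steps 2-4 from the text: hash each candidate and compare it with the
    recovered hash; stop at the first match."""
    for word in wordlist:
        for cand in (hybrid_variants(word) if hybrid else (word,)):
            if hash_fn(cand) == target_hash:
                return cand
    return None


def build_lookup_table(wordlist, hash_fn=sha256_hex):
    """Time/space trade-off: hash every candidate once, then answer any number
    of lookups in O(1). A true rainbow table compresses this with hash chains;
    a plain dictionary shows the principle."""
    return {hash_fn(c): c for w in wordlist for c in hybrid_variants(w)}


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256): a table
    precomputed without this salt contains none of these values, so every
    user must be attacked separately and each guess costs 'rounds' work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


CONSTRUCTED_WORDLIST = ["letmein", "dragon", "password", "qwerty"]


def audit_demo(stored_hash: str) -> dict:
    """Run the three approaches against one stored hash and report what each recovers."""
    table = build_lookup_table(CONSTRUCTED_WORDLIST)
    return {
        "plain_dictionary": dictionary_crack(stored_hash, CONSTRUCTED_WORDLIST),
        "hybrid": dictionary_crack(stored_hash, CONSTRUCTED_WORDLIST, hybrid=True),
        "precomputed_lookup": table.get(stored_hash),
    }


if __name__ == "__main__":
    stored = sha256_hex("p@$$w0rd123")       # constructed target password
    print(audit_demo(stored))
    salt = os.urandom(16)
    salted = salted_hash("p@$$w0rd123", salt)
    print("salted hash found in precomputed table:",
          salted in build_lookup_table(CONSTRUCTED_WORDLIST))
```

The audit shows the progression the text describes: the plain dictionary misses the constructed password, the hybrid pass recovers it, and the precomputed table recovers it instantly once the one-time build cost is paid. The salted PBKDF2 value is never in that table, which is why a reviewer of a password store looks first for the presence of a salt and a slow hash rather than for the hash algorithm’s name alone.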

Caution

Rainbow tables currently exist for Windows LAN Manager passwords up to 14 characters in length. These precomputed hashes have been demonstrated to attack and crack passwords with a 99% success rate in less than three hours. This means that if an attacker can recover a basic LAN Manager password, the encrypted password can most likely be cracked!

To protect your organization from these password attacks, you can implement two-factor authentication and lockout thresholds, monitor access to electronic password files, and enforce a strong password policy using as many different types of characters as possible, including lowercase and uppercase letters, numbers, and symbols. Users should change their passwords frequently, never reuse previous passwords, and not use the same password for more than one account.

Caution

Some organizations and government agencies require passwords to be longer than 15 characters. Having a longer password makes cracking it via brute force more difficult and requires the hacker to use additional time and resources to discover the password. NIST 800-63C provides guidelines on passwords and their complexity.

Spoofing

Spoofing, which is pretending to be something other than what you are on a network, can take place at different layers of the OSI model as it can be used on protocols, processes, services, and humans. User spoofing, which occurs when one user pretends to be another user, can involve changing usernames, IP addresses, or even MAC addresses. Process spoofing occurs when a process pretends to be a valid process when in fact it is not. An example of process spoofing involves use of a fake login screen (either inside an organization or on the Web). When a victim attempts to log in, the first attempt to the fake login screen is unsuccessful, and the victim, who thinks he simply mistyped the password the first time, is redirected to the real login page for a second attempt. However, the attacker used the attempt at the fake login screen to gather the credentials and store them for later use at the actual site.

Eavesdropping and Shoulder Surfing

Securing voice communication is a critical component of good security. There are plenty of opportunities to eavesdrop on or intercept phone calls and conversations. For example, during a recent trip, I had an interesting breakfast at the hotel: Someone a few tables away gave out their username and password to someone on the phone who needed assistance. Eavesdropping is the act of overhearing sensitive information or data, either on purpose or by accident. Eavesdropping can occur with telephone, network, email, or instant messaging traffic. Shoulder surfing is a related activity in which someone glances over your shoulder while you enter a password or username. Employees should be trained in how to avoid such potential problems. To combat shoulder surfing, for example, users may use monitor mirrors to see if anyone is looking over their shoulder or privacy screens to make it impossible for anyone who is not right in front of the screen to read it.

Identity Theft

Identity theft involves obtaining key pieces of information about an individual. Most attacks in the past were launched for notoriety and fame. Today’s attackers seek money and access to valuable resources. Identity thieves may dig through the trash looking for information, or they may attempt to trick users into providing the information they need. Identity theft is big business. According to the FBI, 157,688 credit card fraud reports were filed in the United States in 2018, and about $1.48 billion was lost due to identity theft.

Social-Based Threats and Attack Techniques

Social engineering attacks use a variety of techniques and can be launched in person, remotely via phone, or via a computer. The target of such an attack may be known or unknown. Social engineering attacks take many forms.

Think of phishing as throwing out a broad net to all users (for example, emails from a person in Nigeria offering to give you $1 million). Some phishing scams work by sending the victim an email from what appears to be an official site, such as a bank or credit card company. The email usually contains a link the user can click to update, change, or modify her account information. The real purpose of the email and link is to steal the victim’s username, PIN, account number, or password. Employees should be trained to always be wary of links obtained in emails, be alert to messages that request password verification or resetting, be skeptical of emails requesting information, and verify that the correct URL is listed in the address bar. To see what PayPal has to say about phishing, see www.paypal.com/us/webapps/mpp/security/suspicious-activity.

Spear phishing is targeted phishing. For example, a phishing email might be sent only to people who use a particular service. Whaling is an attempt to capture an important user, such as an executive or a CEO. Some social engineering attacks make use of the SMS messaging service used on mobile phone devices; this is known as smishing.

Another social engineering attack vector is pretexting, the practice of obtaining personal information about an individual under false pretenses. Pretexting is usually done to gather more information about a certain individual in order to sue him, to steal his assets, obtain credit in his name, or gain access to resources at his place of employment. Pretexters use a variety of techniques, all of which are simple variations of social engineering techniques. A pretexter might, for example, call your cell phone provider and ask for a reprint of a bill or call and say they lost their checkbook or even contact your credit card provider. In most cases, pretexting is illegal, and there are laws against pretending to be someone else to gain personal information.

Regardless of how the victim is targeted, social engineering attacks are designed to lure victims into disclosing confidential information, passwords, or other sensitive data. Social engineering is not new; in fact, it predates the computer era. Social engineering is much like an old-fashioned con game in that the attacker uses the art of manipulation to trick a victim. Social engineering attacks are often combined with technical attacks. For example, you might find a thumb drive that is labeled “spring break photos” in a parking lot. If you insert the thumb drive into a computer, you will unleash remote control software, such as Trojans, designed to infect your computer.

Table 7.2 lists some social engineering techniques.

TABLE 7.2 Social Engineering Techniques

Technique                   | Description
----------------------------|-----------------------------------------------------------------------------------------
Impersonation               | Pretending to be someone or something else
Spoofing                    | Using someone else’s IP address, domain name, or MAC address
Shoulder surfing            | Looking over someone’s shoulder to view sensitive information
Virus hoax                  | Sending a pretend virus to elicit a specific response
Tailgating and piggybacking | Driving or walking behind someone at a checkpoint
Dumpster diving             | Digging through trash to look for items of value, such as passwords, manuals, and account names

The best defense against social engineering is to educate users and staff never to give out passwords and user IDs over the phone, via email, or to anyone who isn’t positively identified. Users should be leery of links and login pages that don’t look right. Training can go a long way toward teaching employees how to spot social engineering.

Malicious Software Threats and Attack Techniques

During the 1970s, when mainframes were prominent, the phrase computer virus did not exist. Fred Cohen is credited with coining the term in 1983. Early computer crimes included malware, such as the Brain (1986), which was written by two Pakistani brothers who said they were just out to make a name for themselves. Even the 1988 Morris worm was said to have been an accident. As described in the following sections, today’s malicious software is much more advanced than the simple viruses and worms from years ago.

Tip

Can a 75-cent error lead to the discovery of foreign government hackers? It did for Cliff Stoll. He used the accounting error to track down and find KGB hackers. The FBI initially refused to take him seriously as his focus was in astrophysics, but he persisted. You can read more about it in his book The Cuckoo’s Egg.

Viruses

Virus propagation requires human activity, such as booting a computer or opening an email attachment. The following are some of the basic techniques used to propagate viruses:

  • Master boot record infection: In this original method of attack (which is now obsolete), a virus attacked the master boot record of a floppy disk or hard drive.

  • File infection: This slightly newer technique relies on the user to execute the file. Extensions like .com and .exe are typically used. Usually, some form of social engineering is used to get the user to execute the program. Techniques include renaming the program or changing the .exe extension to make the file appear to be a graphic or document.

  • Macro infection: Macro viruses exploit scripting services installed on a computer. The I Love You virus is a prime example of a macro infector. Macro viruses infect applications like Word or Excel by attaching themselves to the application’s initialization sequence or automated tasks within the application. These tasks run without user intervention, and when the application is started, the virus’s instructions execute before control is given to the application. Then the virus replicates itself, infecting additional parts of the computer.

  • Fileless infection: This modern type of infection started gaining prominence around 2017. With fileless infection, no files are written to the infected system’s hard drive; fileless malware infection exists exclusively in computer memory. Virus and malware creators use fileless infections to trade persistence for stealth. Keeping the malware infection concealed while it triggers the intended action is the goal.

As virus writers change their approaches, antivirus companies have to develop better ways of detecting viruses, such as using artificial intelligence (AI). To keep pace, malware authors get clever and try to postpone detection by security vendors as long as possible. Another technique that virus developers have attempted is to make viruses polymorphic (from the Greek poly, meaning “many,” and morph, meaning “shape”). A polymorphic virus can make copies of itself and change its signature every time it replicates and infects a new file. Fuzzy hashing is a technique that can be used against polymorphic viruses and malware. The concept is to execute a type of compression function to calculate and flag similar digital files. Fuzzy hashing helps automate the process of grouping and identifying similar malware.
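The following is an added example, not code from the book, showing why an exact hash fails against a polymorphic variant and how a similarity digest still links the variant to the original. It uses a deliberately simplified scheme (the set of hashed overlapping byte windows, compared with the Jaccard index) rather than the context-triggered piecewise hashing that tools such as ssdeep implement; the window length, the 0.5 grouping threshold, and the sample "payloads" are all constructed for the demonstration.

```python
import hashlib
from typing import Dict, List, Set, Tuple

NGRAM = 4  # constructed parameter: length of each overlapping byte window


def fuzzy_digest(data: bytes, n: int = NGRAM) -> Set[int]:
    """Return the set of hashes of every overlapping n-byte window in data.

    Two files that share most of their content share most of these window
    hashes even when a few bytes differ, which is what lets the comparison
    tolerate the byte-level changes a polymorphic variant introduces.
    """
    features: Set[int] = set()
    for i in range(len(data) - n + 1):
        window = data[i:i + n]
        h = hashlib.blake2b(window, digest_size=4).digest()
        features.add(int.from_bytes(h, "big"))
    return features


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard index of the two digests: 1.0 = identical feature sets, 0.0 = nothing shared."""
    fa, fb = fuzzy_digest(a), fuzzy_digest(b)
    if not fa and not fb:
        return 1.0
    return len(fa & fb) / len(fa | fb)


def group_similar(samples: Dict[str, bytes], threshold: float = 0.5) -> List[Set[str]]:
    """Greedy clustering: a sample joins the first group whose representative scores >= threshold."""
    groups: List[Tuple[bytes, Set[str]]] = []
    for name, data in samples.items():
        for representative, members in groups:
            if similarity(representative, data) >= threshold:
                members.add(name)
                break
        else:
            groups.append((data, {name}))
    return [members for _, members in groups]


def exact_hashes_differ(a: bytes, b: bytes) -> bool:
    """A cryptographic hash changes completely on any byte change, so it cannot link a variant to its original."""
    return hashlib.sha256(a).hexdigest() != hashlib.sha256(b).hexdigest()


# Constructed samples: a stand-in "payload", a variant with a different stub
# header and a few changed bytes (what a polymorphic engine produces on each
# replication), and an unrelated byte sequence.
BODY = (b"resolve-imports;open-socket 203.0.113.5:443;sleep 60;fetch stage2;"
        b"verify-hash;write temp;spawn child;clean logs;persist via scheduled task;exit")
SAMPLE_A = b"STUB:v1|" + BODY
SAMPLE_A_VARIANT = (b"STUB:v7|" + BODY.replace(b"sleep 60", b"sleep 90")
                    .replace(b"temp", b"tmp2").replace(b"child", b"proc"))
UNRELATED = bytes((i * 7) % 256 for i in range(len(SAMPLE_A)))

if __name__ == "__main__":
    print("sha256 differs:", exact_hashes_differ(SAMPLE_A, SAMPLE_A_VARIANT))
    print("fuzzy similarity, original vs variant:   %.2f" % similarity(SAMPLE_A, SAMPLE_A_VARIANT))
    print("fuzzy similarity, original vs unrelated: %.2f" % similarity(SAMPLE_A, UNRELATED))
    print("groups:", group_similar({"a": SAMPLE_A, "a_variant": SAMPLE_A_VARIANT, "x": UNRELATED}))
```

The variant's SHA-256 shares nothing with the original, while its similarity score stays around 0.7, so the grouping step puts the two in one family and leaves the unrelated sample on its own. Real similarity-hashing tools add a compact signature format and resistance to byte insertion, but the grouping logic is the same.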

Worms

Worms are unlike viruses in that they can self-replicate, whereas viruses require user interaction. True worms require no intervention and are hard to create. A worm does not attach to a host file but is self-contained and propagates across networks automatically. The first worm released on the Internet was the 1988 Morris worm. Robert Tappan Morris developed the worm as only a proof of concept. The Morris worm targeted aspects of sendmail, finger, and weak passwords, disabling roughly 6,000 computers connected to the Internet. Its accidental release was a rude awakening to the fact that worms can do massive damage to the Internet. The cost of the damage from the worm was estimated to be between $10 million and $100 million. Many other worms have been created since then. A relatively recent well-known worm is Stuxnet.

Worms, like viruses, are becoming less commonplace as malware creators focus their time on ventures that will generate revenue. For the CISSP exam, keep in mind that today’s malware is sophisticated and can actually perform the tasks of both viruses and worms.

Note

Spam is one of the techniques used to spread viruses and worms. While much of the spam of the past was simply junk mail, more and more of it today is malicious in nature.

Logic Bombs

Logic bombs are somewhat different from viruses and worms as they are hidden in code. The malicious programming code is placed within an application’s code and set to execute under given circumstances, such as after a certain amount of time has elapsed or when a specific event occurs.

Note

Logic bombs and other kinds of malware can be used to launch salami attacks. This financial crime works by taking small amounts of money from accounts over an extended period. For the attackers to be successful, they must remove an amount so small that it will go unnoticed. The 1999 movie Office Space offers a good example of this type of attack.

Backdoors and Trojans

Trojans get their name from Homer’s epic tale The Iliad. To defeat their enemy, the Greeks built a giant wooden horse with a hollow belly and tricked the Trojans into bringing it into the fortified city of Troy. Unbeknown to the Trojans, Greek soldiers were stowed in the belly of the horse, and they crawled out, under the cover of darkness, opened the city’s gate, and allowed the waiting Greek soldiers in; the complete fall and destruction of the city ensued.

In computer security terms, Trojans are programs that seem to do something you want but actually perform another, malicious, act. Before a Trojan program can act, it must trick the user into downloading it or performing some other type of action.

Consider a home user who sees nothing wrong with illegally downloading a movie from the Internet. After it has been downloaded, however, the user finds that the movie will not play and receives a message about a missing driver or codec. The user is prompted to go to a site that has a movie player with the right codec installed. The user does as instructed and, sure enough, everything works. It seems like a movie without any cost, but at the time the user installed the movie player, he also installed a remote-access Trojan (RAT) that was actually part of the player.

A Trojan may be configured to do many things, such as log keystrokes, add the user’s system to a botnet, or give the attacker full access to the victim’s computer. A user might think that a Trojan masquerading as a Word doc, a PDF, an image, or some other file looks harmless and is safe to run but, once executed, it delivers its malicious payload.

You might be wondering at this point how users get infected with Trojans. Often, the infection results from a combination of factors that includes social engineering. Email, social media, instant messaging (IM), and Internet Relay Chat (IRC) can be used to spread malware. You might, for example, get an email that appears to be from HR but that is actually spoofed and has an attachment named “pending fall layoffs.” It would be tempting to open it; you want to see attachments that are important or that you believe are sent by friends or coworkers. Again, this is an area where education is essential.

Wrappers, Packers, and Crypters

Distributing Trojans or any malware is no easy task. Users are more alert, less willing to click email attachments, and more likely to be running antivirus or other antimalware tools than in the past.

Today, it is not uncommon for attackers to apply multiple layers of obfuscation to their code, both to make hostile code undetectable by antivirus programs and to prevent others from examining it. These layers improve the attacker’s chances of controlling a computer infected by Trojans or other malware and using it for many types of illegal purposes. Techniques to be aware of are wrappers, packers, and crypters.

Wrappers provide hackers a method to slip past a user’s normal defenses. A wrapper is a program used to combine two or more executables into a single packaged program, essentially creating a new executable file. Some wrappers only allow two programs to be joined; others allow three, four, five, or more programs to be bound together. Basically, these programs perform like installation builders and setup programs. Wrappers also add additional layers of obfuscation and encryption around the target file. Wrappers are commonly made to seem like graphic files, music files, and non-executables.

Packers work much like programs such as WinZip, Rar, and Tar, in that they compress and/or encrypt files. Whereas compression programs do this to save space, packers do it to obfuscate the activity of the malware. The idea is to prevent anyone from viewing the malware’s code until it is placed in memory. Packers serve a second valuable purpose for an attacker: They bypass network security protection mechanisms, such as intrusion detection systems. It is not until the malware packer decompresses the program in memory that the program’s original code is revealed.

Crypters function to encrypt, manipulate, or obscure code. Some crypters obscure the contents of a Trojan, for example, by applying an encryption algorithm. Crypters can use any encryption scheme, from AES or RSA to Blowfish, or they might use more basic obfuscation techniques, such as XOR obfuscation, Base64 encoding, or ROT 13. These techniques are used to conceal the contents of the executable program, making it undetectable by antivirus software and resistant to reverse-engineering efforts. Figure 7.8 shows Tejon Crypter, a tool used to wrap malware to avoid detection.

FIGURE 7.8 Tejon Crypter
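Because packers and crypters hide the original code until it is decompressed or decrypted in memory, one practical on-disk check is the byte entropy of a file or of its sections: compressed or encrypted content looks nearly random, Base64 text is capped at six bits per byte, and ordinary text or code sits well below that. The following added example (not code from the book) implements that check with constructed samples; the thresholds are assumptions to be tuned against your own files, and the single-byte XOR case is included to show the method's blind spot, since XOR obfuscation permutes byte values without changing their frequencies.

```python
import base64
import hashlib
import math
from collections import Counter
from typing import List, Tuple

# Constructed thresholds in bits per byte; tune against your own corpus.
PLAIN_MAX = 5.0    # natural language, source, and most machine code sit below this
ENCODED_MAX = 6.5  # Base64 text cannot exceed log2(64) = 6 bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def classify(data: bytes) -> str:
    """Coarse label for a byte sequence based on its entropy alone."""
    e = shannon_entropy(data)
    if e < PLAIN_MAX:
        return "plain"
    if e < ENCODED_MAX:
        return "encoded"
    return "packed-or-encrypted"


def scan_sections(data: bytes, window: int = 512) -> List[Tuple[int, str]]:
    """Classify fixed-size windows so a mostly plain file with one high-entropy blob still stands out."""
    return [(offset, classify(data[offset:offset + window]))
            for offset in range(0, len(data), window)]


def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext or compressed data: chained SHA-256 output is statistically uniform."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR, one of the basic obfuscations crypters use; it does not raise entropy."""
    return bytes(b ^ key for b in data)


# Constructed samples
PLAIN_TEXT = (b"This message is ordinary English text of the kind found in a help file "
              b"or a readme. It repeats common letters and spaces, so its entropy is low. ") * 8
ENCODED_BLOB = base64.b64encode(pseudo_random(4096))
ENCRYPTED_BLOB = pseudo_random(4096)
XORED_TEXT = xor_obfuscate(PLAIN_TEXT, 0x5A)

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_TEXT), ("base64", ENCODED_BLOB),
                         ("encrypted", ENCRYPTED_BLOB), ("xor-obfuscated", XORED_TEXT)]:
        print("%-15s entropy=%.2f label=%s" % (name, shannon_entropy(sample), classify(sample)))
    print(scan_sections(PLAIN_TEXT[:1024] + ENCRYPTED_BLOB[:1024]))
```

The XOR-obfuscated text scores exactly the same entropy as the plain text it came from, so an entropy scan alone will not flag it; that is why antimalware tools combine entropy with other signals such as section names, import tables, and in-memory scanning after the unpacking stub has run.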

Rootkits

A rootkit is a collection of tools that allows an attacker to take control of a system. Although the use of rootkits is widespread, many security professionals still don’t know much about them.

Once installed, a rootkit can be used to hide evidence of an attacker’s presence and provide backdoor access to the system. A rootkit can contain log cleaners that attempt to remove all traces of the attacker’s presence from the log files. Even if you can detect and clean a system that has a rootkit installed, you are unlikely to find the attacker. The fact is that a majority of individuals who attack systems go unpunished.

Rootkits can be divided into several different types, including applications, kernel modules, hardware, firmware, and bootloaders. For example, a loadable kernel module (LKM) rootkit is loaded as a driver or kernel extension. Because LKM rootkits corrupt the kernel, they can do almost anything, and they are by far the most dangerous rootkits.

Rootkits can avoid detection by many software methods, but there are means to detect them. Tools like MD5sum, Tripwire, and GMER can be a big help in uncovering some types of rootkits.
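What md5sum-style checks and Tripwire have in common is a baseline of file digests taken from a known-good system, compared later against the live system. The following added example (not from the book, and not Tripwire's own code) builds such a baseline with SHA-256, then simulates the kinds of changes an application-level rootkit leaves behind (a replaced system binary, a new hidden file, and a deleted log) and reports the drift. The directory tree, file contents, and names are constructed inside a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256 digest."""
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that changed, appeared, or disappeared since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed walkthrough: baseline a small tree, tamper with it, and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "bin").mkdir(parents=True)
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)")
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "var" / "log" / "auth.log").write_text(
            "Mar  4 09:12:40 host sshd[3130]: Accepted password for admin (constructed)\n")

        # The baseline is stored outside the monitored tree; in practice keep it
        # on read-only or offline media so an intruder cannot rewrite it.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated rootkit activity: trojanized ps, a hidden helper, and a log cleaner at work.
        (root / "bin" / "ps").write_bytes(b"replaced ps that hides processes (constructed)")
        (root / "bin" / ".hidden-tool").write_bytes(b"constructed hidden file")
        (root / "var" / "log" / "auth.log").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat the book's LKM discussion implies applies here too: a kernel-level rootkit can lie to the hashing tool about what is on disk, so an integrity check is trustworthy only when it runs from known-good media (a boot CD or a separate host reading the disk) and the baseline itself is stored where the compromised system cannot alter it.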

Exploit Kits

Exploit kits offer someone with no or little programming experience the ability to create, customize, and distribute malware. A large proportion of exploit kits are sold by hackers from Eastern Europe and Russia.

Some exploit kits also offer bulletproof hosting, which protects malware-infected websites from being shut down by their service providers. In the United States, when a website is found to contain malware, there are legal ways to take the site offline and prevent it from being used to infect other websites. However, in some countries such as in Russia, infected websites are often bulletproof: They are protected from being taken down, and cybercriminals have safe platforms for hosting their malware and infecting U.S. consumers and businesses.

Advanced Persistent Threats (APTs)

An advanced persistent threat (APT) is a highly sophisticated and well-organized group, government, or organization that has the capability and determination to target a very specific victim organization for an extended period of time with the goal of a successful attack. Such attackers might use sophisticated malware, zero-day exploits, and other techniques to exploit vulnerabilities in targeted systems. Stuxnet is an example of an APT.

Ransomware

Imagine that you come in to work one day, boot up your laptop, and find a warning message on your screen like the one shown in Figure 7.9. Sometimes these types of messages claim to be from the FBI or an international law enforcement agency, and sometimes they accuse users of illegal activity, such as visiting illegal or inappropriate websites. This type of message is a sign that a hacker has taken over your computer and wants money before he or she will give it back. This is ransomware, a type of malware that hackers install on your computer so they can lock it from a remote location and then demand money. Ransomware forces victims to experience financial damage either by paying the ransom or by absorbing the cost of recovering from the attack. Ransomware has become a widely used instrument in the toolkit of cybercriminals.

FIGURE 7.9 Ransomware

If a computer gets infected with ransomware, it may be difficult or impossible to open the files on that machine. This is one of the reasons it’s so important to constantly back up your data and encrypt it yourself; then, in the event that it is stolen, you can tell the threat actors to keep your encrypted data because it is useless to them, and you can just restore your backup. There are many ways to back up either locally or to a cloud-based provider. It is important to be prepared for a disaster like this.

Closely related to ransomware is rogue security software. This fake antivirus software attempts to convince users that their computer is infected and manipulates them into buying and downloading the fake software. However, the link takes the user to malware that infects the computer.

Investigating Computer Crime

Security incidents can come in many forms. They can result from honest mistakes by employees who thought they were helping, or they may result from intentional attacks by insiders or outsiders. One of the basic tests to help identify or eliminate potential suspects is means, opportunity, and motive (MOM), also known as the crime triangle (see Figure 7.10). MOM demonstrates why insiders pose a greater threat to security than outsiders: Insiders possess the means and opportunity to launch an attack, whereas outsiders might have only a motive.

FIGURE 7.10 Crime Triangle

Whatever the motive or reason, the response to a security incident should always be the same: It should be investigated in a structured, methodical manner. Most organizations would not operate a business without training their employees to properly respond to fires, but many organizations do not build good incident response and investigation procedures for cybercrime.

Computer Crime Jurisdiction

The unpleasant truth is that tracking and prosecuting hackers can be a difficult job because international law is often ill-suited to deal with these problems. Unlike a conventional crime that occurs in one location, a hacking crime might originate in India, use a compromised computer network located in Singapore, and target a computer network located in Canada. Different countries’ conflicting views on what constitutes cybercrime and disagreements on how—or even if—the hackers should be punished can cause legal nightmares. It is hard to apply national borders to a medium like the Internet that is essentially borderless. The United States has proposed legislation to claim jurisdiction over any criminal activity that travels through a U.S.-controlled portion of the Internet, regardless of the starting or destination country.

Incident Response

The Defense Advanced Research Projects Agency (DARPA) formed an early emergency response team in 1988. Many people attribute the founding of its Computer Emergency Response Team (CERT) to the Morris worm, which occurred earlier that year. The “Information Superhighway” was little more than a dirt road in 1988, so the delayed response wasn’t fatal. Few of us today have the luxury of waiting until after an attack to form an incident response plan. To reduce the amount of damage that attackers can cause, organizations need to have incident response and handling policies in place. These policies should dictate how the organization responds to various types of incidents. Most organizations set up a computer security incident response team (CSIRT) or computer incident response team (CIRT) because CERT is now a registered trademark of Carnegie Mellon University. A CSIRT or CIRT is responsible for the following:

  • Analyzing an event notification

  • Responding to an incident if the analysis warrants it

  • Conducting escalation path procedures

  • Resolving, conducting post-incident follow-up, and reporting to the appropriate individuals

  • Deterring future attacks

An event is a noticeable occurrence. For example, say that an IDS alert is tripped. This requires investigation because you must determine whether the event is an incident—that is, an adverse event or series of events that violates law, policy, or procedure. The individuals investigating the incident need a variety of skills, including the following:

  • Recognition skills and abilities

  • Technical skills and abilities

  • Investigative and response skills

The individuals in charge of handling an incident must be able to recognize that something has happened. In the example of the IDS alert, recognition is not enough because those responsible must also have the ability to look at logs and event records and perform incident analysis. They also need to have the skills to properly investigate the incident and understand concepts such as chain of custody.
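The following is an added example, not code from the book, of the analysis step just described: reviewing authentication log records and separating an event (something noticeable that may still be a false positive) from an incident (an adverse event that violates policy), using the book's definitions. The log lines are constructed in OpenSSH syslog style with documentation-range addresses, and the policy it applies is an assumption: five or more failed logins from one source is an event to examine, and a successful login from that same source after those failures is treated as an incident. Each finding carries a SHA-256 of the raw lines it rests on so the evidence can be referenced later without ambiguity.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List

FAILED_THRESHOLD = 5  # constructed policy: >= 5 failures from one source is worth a look

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed log excerpt (not from any real system)
SAMPLE_LOG = """\
Mar  4 09:12:01 bastion sshd[3121]: Failed password for invalid user admin from 198.51.100.23 port 51612 ssh2
Mar  4 09:12:03 bastion sshd[3121]: Failed password for invalid user admin from 198.51.100.23 port 51612 ssh2
Mar  4 09:12:05 bastion sshd[3124]: Failed password for root from 198.51.100.23 port 51630 ssh2
Mar  4 09:12:07 bastion sshd[3124]: Failed password for root from 198.51.100.23 port 51630 ssh2
Mar  4 09:12:09 bastion sshd[3127]: Failed password for root from 198.51.100.23 port 51644 ssh2
Mar  4 09:12:40 bastion sshd[3130]: Accepted password for root from 198.51.100.23 port 51702 ssh2
Mar  4 09:15:11 bastion sshd[3140]: Failed password for alice from 192.0.2.17 port 40010 ssh2
Mar  4 09:15:20 bastion sshd[3140]: Accepted password for alice from 192.0.2.17 port 40010 ssh2
Mar  4 09:20:02 bastion sshd[3150]: Failed password for bob from 203.0.113.9 port 40022 ssh2
Mar  4 09:20:04 bastion sshd[3150]: Failed password for bob from 203.0.113.9 port 40022 ssh2
Mar  4 09:20:06 bastion sshd[3150]: Failed password for bob from 203.0.113.9 port 40022 ssh2
Mar  4 09:20:08 bastion sshd[3151]: Failed password for bob from 203.0.113.9 port 40030 ssh2
Mar  4 09:20:10 bastion sshd[3151]: Failed password for bob from 203.0.113.9 port 40030 ssh2
Mar  4 09:21:00 bastion sshd[3160]: pam_unix(sshd:session): session closed for user alice
"""


def triage(log_text: str, threshold: int = FAILED_THRESHOLD) -> List[Dict]:
    """Group authentication records by source and classify each source as event, incident, or nothing."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": None, "raw": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # records the policy does not cover are left alone, not guessed at
        rec = per_src[m["src"]]
        rec["raw"].append(line)
        if m["result"] == "Failed":
            rec["failures"] += 1
            rec["users"].add(m["user"])
        elif rec["failures"] > 0:
            # A success that follows failures from the same source is what turns a noisy event into a policy violation.
            rec["success_after"] = (m["user"], m["ts"])

    findings = []
    for src, rec in per_src.items():
        if rec["failures"] < threshold:
            continue  # alice's single typo stays below the bar: a false positive we do not escalate
        findings.append({
            "source": src,
            "failures": rec["failures"],
            "users_tried": sorted(rec["users"]),
            "succeeded_as": rec["success_after"][0] if rec["success_after"] else None,
            "classification": "incident" if rec["success_after"] else "event",
            "evidence_sha256": hashlib.sha256("\n".join(rec["raw"]).encode()).hexdigest(),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The source that failed five times and then logged in as root is reported as an incident for the team to contain; the source that only failed is an event that still needs analysis, because it could equally be a misconfigured monitoring script or a real password-guessing attempt.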

The Incident Response Team

Incident response team members need to have diverse skill sets. Internal teams should include representation from various departments, including the following:

  • Information security

  • Legal

  • Human resources

  • Public relations

  • Physical security

  • Network and system administration

  • Internal auditing

  • Information technology help desk

Many people need to be involved in an incident if the attack came from inside the organization. Legal, HR, and others must determine what will be done. Incidents traced to outside the organization must also have many groups involved. Will management want to involve the police? If so, someone will need to act as an organizational spokesperson. Roles must be clearly defined, as must the process for escalating incidents to the proper authority.

The Incident Response Process

The incident response process spells out the specific steps an organization will carry out when an incident takes place. Good incident response procedures give an organization an effective and efficient means of dealing with an incident in a manner that reduces the potential impact. These procedures should also provide management with sufficient information to decide on an appropriate course of action. By having these procedures in place, an organization can maintain or restore business continuity, defend against future attacks, and prosecute violators to deter further attacks.

The primary goals of incident response are to contain the damage, find out what happened, recover from the incident, get systems back online, and prevent such an event from reoccurring. The following are the basic steps of incident response (see Figure 7.11):

  1. Planning and preparation: The organization must establish policies and procedures to address the potential for security incidents.

  2. Identification and evaluation: Automated systems should be used to determine whether an event occurred. There must be a means to verify that an event was real and not a false positive. Tools used for identification include IDSs, IPSs, firewalls, audits, logging, and observation.

    Note

    An event is a noticeable occurrence, whereas an incident is a violation of policy or law.

  3. Containment and mitigation: Preplanning, training, and the use of predeveloped procedures are key to this step in the process. The incident response plan should dictate what action needs to be taken. The incident response team requires training to the desired level of proficiency to properly handle the response. This team also needs to know how to contain the damage and determine how to proceed.

    Note

    Management needs to make a decision about whether law enforcement should be called in during a security breach. There are reasons both for and against notifying law enforcement.

  4. Eradication and recovery: Containing a problem is not enough. It must also be removed, and steps need to be taken to return to normal business processes.

  5. Investigation and closure: When the investigation is complete, a report, either formal or informal, must be prepared. The report should be used to evaluate any needed changes to incident response policies.

  6. Lessons learned: At this final step, all those involved in the incident response need to review what happened and why. Most importantly, what changes must be put in place to prevent future problems? Learning from what happened is the only way to prevent it from happening again.

FIGURE 7.11 Incident Response Steps

There are several specialized incident response methodologies available, such as the MITRE ATT&CK six-stage framework and the Lockheed Martin seven-stage Cyber Kill Chain framework. Both of these methodologies describe the structure and lifecycle of a cyberattack.

Incident Response and Results

Incident response procedures must be of such detail that they specify unique types of incidents and provide advice on what the proper response would be. Documentation that addresses potential incidents is critical because investigating computer crime is complex and involved. Missteps can render evidence useless and unusable in a court of law. Members of the incident response team must be knowledgeable of the proper procedures and must be trained in how to secure and isolate the scene to prevent contamination. Table 7.3 outlines some sample response strategies.

TABLE 7.3 Sample Incident Response Strategies

Incident                                | Response Strategy
----------------------------------------|----------------------------------------------------------------------
Possible data theft                     | Contact legal department, make forensic image, secure evidence
External hacker attack                  | Capture logs, monitor activities, gather evidence, contact management
Unauthorized use of computer resources  | Gather evidence, make forensic image, analyze data, review corporate policy

In the end, incident response is about learning. The results of the team’s findings should be fed back into the system to make changes or improve the environment so that the same incident isn’t repeated. Tasks you might end up doing as a result of an attack include the following:

  • Figuring out how the attack occurred and looking for ways to prevent it from happening again.

  • Upgrading tools or software in response to finding out what the team lacked that prevented effective response to the incident.

  • Finding things that went wrong and making changes to the incident response plan to improve operations during the next incident.

Note

The massive SolarWinds breach in 2021 is a good case study in incident response and how attackers have changed the way they operate. Modern attacks are much more sophisticated than attacks in the past. One common tactic today is the use of lateral movement. In the SolarWinds attack, a software update process in a network management tool was compromised, and threat actors were able to gain deep access into targeted networks. The attackers were able to easily pivot from one system to another, gaining access and data as they moved. See https://www.cisecurity.org/solarwinds/ for more information.

Although no one ever wants to end up in court or to take incident response to the next level, sometimes those steps are inevitable. An organization must handle incident response meticulously in order to be prepared for whatever unfolds in an investigation.

Note

Ultimately, incident response is about learning. These are the questions that should be answered: What happened? How did it happen? Can we prevent it from happening again? How can we better prepare and respond for the next time? What did we learn?

Disaster Recovery and Business Continuity

Disaster recovery and business continuity deserve mention because the threats discussed in this chapter can disrupt mission-critical operations. Disaster recovery is a subset of business continuity activities. Imagine your organization being hit with a ransomware attack that encrypts all data in your data center. Mission-critical operations would not be able to continue, and business continuity could not be maintained. Mission-critical operations are operations that are required to keep your business going. Most organizations cannot afford to be without operations for very long. When a disaster occurs, operations halt, and business continuity has failed. Business continuity is about keeping critical processes up and running. Anyone can trigger an alert in an emergency situation. However, only the business continuity plan (BCP) coordinator or the appointed person can declare the situation a disaster and trigger the failover to another site, cloud provider, facility, and so on.

Disaster recovery is a subset of the BCP effort that is more closely focused on restoring systems after an outage or event. Disaster recovery focuses on the immediate measures to restore operations and is concluded when the organization is back to normal operations.

Tip

It is important to validate backups before they are needed. This activity should be built in to your normal processes. Two common means of validation are restoring a file from a random date and restoring a server or the entire service from backup. Assume during the recovery that you will start with nothing.

An organization needs to perform test and discovery drills at least once a year. While there are multiple ways to test a business continuity plan, it is most important to understand that you should have no confidence in the plan until it has been tested. As part of testing, you should look at your backup solutions such as uninterruptible power supplies (UPS) and generators. While generators can be used for longer-term outages, UPSs are typically for short-term outages and graceful shutdown of systems.

Note

When testing business continuity and disaster recovery plans, there are two main objectives: validate that the plan functions properly and identify updates to the plan that are needed due to technology/business process changes.

Investigations

An investigation is typically a probe or an inquiry into questionable activities and can occur after an incident response or in conjunction with forensic activities. IT professionals do not have the same investigative abilities as law enforcement professionals. The following sections cover some areas of concern in investigations.

Search, Seizure, and Surveillance

In the workplace, surveillance can be broken down into two categories:

  • Physical: Examples of physical surveillance include closed-circuit television (CCTV) cameras, observation, and security guards.

  • Logical: Examples of logical surveillance include system monitoring, keystroke logging, and network sniffers.

Caution

Before you attempt any type of monitoring, be sure to check with your organization’s legal department. Laws at both the state and federal levels require notification as to the expectation of privacy that someone has while using computer resources. You need to know the laws to avoid breaking them.

Interviews and Interrogations

At some time during an investigation, it might be determined that interviews and interrogations need to be conducted. Areas of concern include the possibility that disclosing the investigation might tip off the suspect to halt his or her activities. The suspect might also flee to avoid prosecution. Some suspects might try to deceive the investigator to prevent further action. Many individuals will lie or misrepresent the truth to avoid being fired or facing legal action.

Investigators must be properly trained to carry out interviews and interrogations. For example, investigators must understand the difference between enticement and entrapment. Enticement is legal and ethical; a honeypot, for example, is a form of enticement and is legal. Entrapment, on the other hand, is illegal. For example, sending someone a phishing email to lure him into your network and then accusing him of breaking in is illegal.

Exam Prep Questions

1. IP spoofing is commonly used for which of the following types of attacks?

A. Salami

B. Keystroke logging

C. DoS

D. Data diddling

2. Which of the following best describes session hijacking?

A. Session hijacking works by subverting the DNS process. If this is successful, an attacker can use an already established TCP connection.

B. Session hijacking subverts UDP and allows an attacker to use an already established connection.

C. Session hijacking targets the TCP connection between a client and a server. An attacker who learns the initial sequence might be able to hijack a connection.

D. Session hijacking works by subverting the DNS process. If this is successful, an attacker can use an already established UDP connection.

3. Several of your organization’s employees have been hit with email scams over the past several weeks. One of these attacks successfully tricked an employee into revealing his username and password. Management has asked you to look for possible solutions to these attacks. Which of the following is the best solution?

A. Implement a new, more robust password policy that requires complex passwords.

B. Start a training and awareness program.

C. Increase the organization’s email-filtering ability.

D. Develop a policy that restricts email to official use only.

4. You have been asked to manually review audit logs to detect malicious activity. Which statement is correct?

A. The audit logs are a compensating control for the detection of malicious activity.

B. The manual review is a compensating control for the audit logs.

C. The manual review is a technical control that supplements automated processes.

D. The audit logs, when combined with review processes, are a detective control.

5. Which of the following groups presents the largest threat to an organization?

A. Insiders

B. Corporate spies

C. Government spies

D. Script kiddies

6. Which of the following documents would you reference to determine the frequency for monitoring a control when implementing an information security continuous monitoring system?

A. ITIL

B. NIST 800-137

C. NIST 800-92

D. NIST 800-115

7. Which type of SOC report is typically shared with the general public?

A. SOC 2

B. SOC 1

C. SOC 4

D. SOC 3

8. Which of the following individuals in an organization can declare a disaster?

A. Owner/CEO

B. Disaster recovery and business continuity planning personnel

C. Anyone

D. Business continuity planning coordinator

9. Which of the following is the best solution for a graceful shutdown during a disaster?

A. Generator

B. UPS

C. Redundant power supply

D. Dual power feeds

10. In which of the following ways are ethical hackers different from threat actors?

A. They have permission to destroy a network.

B. Their goal is to do no harm.

C. They cannot be held liable for any damage.

D. They cannot be prosecuted or jailed for their actions.

11. Which of the following describes actions run against a monitored system to see how it responds?

A. Fagan inspection

B. Static code testing

C. Synthetic transactions

D. Fuzzing

12. Which of the following best describes SATAN?

A. It is used for password cracking.

B. It is used for reviewing audit logs.

C. It is used to exploit systems.

D. It is used to find vulnerabilities.

13. Which of the following is a powerful way to test how an application reacts to various inputs?

A. Synthetic transactions

B. Fuzzing

C. Dynamic code analysis

D. Static code analysis

14. What type of penetration test examines what insiders can access?

A. Whitebox

B. Graybox

C. Blackbox

D. Bluebox

15. Which of the following individuals are known for their attacks on analog phone and telecommunication systems?

A. Script kiddies

B. Phreakers

C. Crackers

D. Hackers

Answers to Exam Prep Questions

1. C. IP spoofing is a common practice when DoS tools are used to help an attacker mask his identity. Salami attacks, data diddling, and keystroke logging do not typically spoof IP addresses, so answers A, B, and D are incorrect.

2. C. This more advanced spoofing attack works by subverting the TCP connection between a client and a server. If it is successful, the attacker has a valid connection to the victim’s network and is authenticated with his credentials. This type of attack is very hard to do with modern operating systems but is trivial with older operating systems. Answer A is incorrect because session hijacking does not involve DNS; it functions by manipulating the TCP sequence number. Answer B is incorrect because session hijacking does not use UDP; UDP is used for stateless connections. Answer D is incorrect because, again, session hijacking is not based on DNS and UDP. These two technologies are unrelated to TCP sequence numbers.

3. B. The best defense against social engineering is to educate users and staff. Training can go a long way toward teaching employees how to spot scams. Although the other answers are not bad ideas, they will not prevent social engineering, so answers A, C, and D are incorrect.

4. D. Audits are a detective control. Answers A, B, and C are incorrect because they are not detective or compensating controls.

5. A. Insiders are the biggest threat to an organization because they possess two of the three things needed to attempt malicious activity: means and opportunity. Answers B, C, and D are incorrect because although outsiders might have a motive, they typically lack the means or opportunity to attack an organization.

6. B. NIST 800-137 defines ISCM. Answers A, C, and D are incorrect. NIST 800-92 addresses log management, NIST 800-115 deals with penetration testing, and ITIL is a framework of best practices for delivery of IT services.

7. D. SOC 3 for Service Organizations reports are general use reports that can be freely distributed. Answers A, B, and C are incorrect because SOC 1 reports are for evaluating the effect of controls at the service organization on users’ financial statements. SOC 2 reports provide detailed information about how a service organization handles users’ data and the confidentiality and privacy of the information processed by these systems. There is no SOC 4 designation.

8. D. While anyone can declare an emergency, only a business continuity planning coordinator can declare a disaster. Therefore, answers A, B, and C are incorrect.

9. B. A UPS is the best option for a graceful shutdown. Answer A is incorrect because a generator is for long-term recovery. Answers C and D are incorrect because redundant power supplies and dual power feeds are not short-term solutions.

10. B. Ethical hackers use the same methods as crackers and black hat hackers, but they report the problems they find instead of taking advantage of them. Ethical hacking has other names, such as penetration testing, intrusion testing, and red-teaming. Answer A is incorrect because ethical hackers do not have permission to destroy networks. Answer C is incorrect because ethical hackers can be held liable. Answer D is incorrect because ethical hackers can be jailed if they break the law or exceed the terms of their contract.

11. C. Synthetic transactions are run against a monitored system to see how it responds. Answer A is incorrect because Fagan inspections are carried out during code development. Answer B is incorrect because static code analysis is a type of manual review. Answer D is incorrect because fuzzing uses random variables as inputs to evaluate the output.

12. D. SATAN, the first vulnerability assessment program, was designed to find vulnerabilities in a network. Programs like Retina and Nessus are also used for vulnerability assessment. SATAN is not used for password cracking (answer A) or auditing logs (answer B), and it is not used to exploit systems (answer C).

13. B. There are two types of fuzzing: generation-based and mutation-based. Answer A is not correct because synthetic transactions are real-time transactions that are performed on monitored objects. Answer C is incorrect because dynamic code analysis is designed to test a running application for potentially exploitable vulnerabilities. Answer D is incorrect because static code analysis is a method of debugging that involves examining source code before a program is run.

14. B. Graybox testing aims to determine what type of activities can be performed. Answer A is incorrect because with whitebox testing, everything is known about the network. Answer C is incorrect because with blackbox testing, nothing is known about the network. Answer D is incorrect because blueboxing is a term used by phreakers to make free phone calls via a mechanical device.

15. B. Phreakers are individuals who are known for their attacks on analog phone and telecommunications equipment. Answers C and D are incorrect because hackers and crackers are both types of computer criminals. Answer A is incorrect because script kiddies are junior hackers who rely on using others’ processes and programs to attack computers.

Need to Know More?

RFC 1087: www.faqs.org/rfcs/rfc1087.html

NIST 800-137: https://csrc.nist.gov/publications/detail/sp/800-137/final

COBIT versus ISO 27001: https://advisera.com/27001academy/blog/2019/05/06/cobit-vs-iso-27001-how-much-do-they-differ/

DOJ site on cybercrime: www.cybercrime.gov

Fagan inspection: http://www.osel.co.uk/presentations/fitsbnwtf.pdf

Log management (NIST 800-92): https://csrc.nist.gov/publications/detail/sp/800-92/final

Synthetic transactions: www.logicmonitor.com/blog/an-introduction-to-executing-synthetic-transactions-with-logicmonitor/

Misuse case testing: https://sqa.stackexchange.com/questions/1804/abuse-cases-and-misuse-cases

Detecting vulnerabilities with SCAP and OVAL: https://www.integrigy.com/security-resources/stigs-scap-oval-oracle-databases-and-erp-security

EU privacy laws: en.wikipedia.org/wiki/Data_Protection_Directive

Generation and mutation fuzzing: www.f-secure.com/us-en/consulting/our-thinking/15-minute-guide-to-fuzzing

Federal rules of evidence: www.law.cornell.edu/rules/fre/

CVEs and CVSS defined: www.imperva.com/learn/application-security/cve-cvss-vulnerability/

Passive vulnerability monitoring: www.honeynet.org

Hearsay defined: https://en.wikipedia.org/wiki/Hearsay

Best practices for log review: www.computerweekly.com/tip/Best-practices-for-audit-log-review-for-IT-security-investigations
