CompTIA Security+ 501 Summary Part 7
This is a summary of my notes on Chapter 7 of the CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition
Things to keep in mind:
- CompTIA is releasing an updated version of the Security+ Exam in November 2020 so this edition will soon be outdated. 90% of the book will remain the same in accordance with the updated exam. New threats and cloud-computing technology will probably make up the majority of that new 10% of content.
- Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.
- Some things are repeated but this is simply to reinforce.
- Hackers are referred to as actors.
1. Attacks
Spoofing attacks change data to impersonate another system or user. This can include IP spoofing, MAC spoofing, and email spoofing. SYN flood attacks abuse the usual three-way handshake (SYN, SYN-ACK, ACK) used in networking by never sending the final ACK packet, thereby flooding the target system with unfinished (half-open) handshakes. The actors barrage the target server with SYN packets and can cause it to freeze from the load. A Man-in-the-Middle attack, MITM, is active interception or eavesdropping between two parties in a conversation. A system is used to accept and forward traffic as the two parties communicate, but they are unaware of this “middle man”. ARP poisoning is where actors corrupt the ARP cache to change the MAC addresses recorded for systems. ARP poisoning can be used in a DoS attack. For example, an actor can send out an ARP reply with a fake MAC address for the default gateway, the IP address of the router connection that leads out to the public internet. Every system that receives that fake MAC address for the default gateway will, when it tries to communicate with the public internet, send its packets to the fake address instead of the real one, so the traffic never leaves the network. Amplification attacks increase the amount of traffic sent to or requested from a victim.
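The ARP poisoning scenario above has a simple defender-side check: watch ARP replies and flag any that bind the gateway IP to a MAC other than the known-good one. The following is an added example, not from the book or the notes; the gateway addresses and the tcpdump-style capture lines are constructed.

```python
# Added example (not from the book or the notes): a defender-side check for the
# ARP poisoning scenario above. It scans constructed tcpdump-style ARP reply
# lines and flags any reply that claims the default gateway's IP with a MAC
# other than the one the administrator has pinned. All addresses are made up.
import re

GATEWAY_IP = "192.168.1.1"          # assumed default gateway address
GATEWAY_MAC = "00:11:22:33:44:55"   # assumed known-good router MAC

# Constructed sample capture; the third and fourth lines are the poisoned replies.
SAMPLE_LOG = """\
10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:02 ARP, Reply 192.168.1.50 is-at aa:bb:cc:dd:ee:01, length 28
10:00:03 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:04 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<time>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)

def parse_replies(log):
    """Yield (time, ip, mac) for every ARP reply line; other lines are skipped."""
    for line in log.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m["time"], m["ip"], m["mac"].lower()

def find_gateway_spoofs(log, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return (time, ip, claimed_mac) for each reply that binds the gateway IP
    to a MAC that is not the pinned one."""
    return [(t, ip, mac) for t, ip, mac in parse_replies(log)
            if ip == gateway_ip and mac != gateway_mac.lower()]

def ip_to_macs(log):
    """Map each IP to the set of MACs that claimed it. More than one MAC for
    the same IP is the poisoning symptom even when no MAC has been pinned."""
    seen = {}
    for _, ip, mac in parse_replies(log):
        seen.setdefault(ip, set()).add(mac)
    return seen

if __name__ == "__main__":
    for t, ip, mac in find_gateway_spoofs(SAMPLE_LOG):
        print(f"{t}: gateway {ip} claimed by {mac}, expected {GATEWAY_MAC}")
    for ip, macs in ip_to_macs(SAMPLE_LOG).items():
        if len(macs) > 1:
            print(f"{ip} announced by {len(macs)} different MACs: {sorted(macs)}")
```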
Pharming attacks try to corrupt a DNS server or client, causing users to be redirected to different websites. While a ping is usually unicast, one to one, a smurf attack sends the ping out as a broadcast, which hits every machine on the network, and because the actor spoofs the source IP, all of those machines send their replies to the victim IP. In essence, the victim gets flooded with ICMP replies.
Account lockout policies help prevent brute force and dictionary attacks, the former being an attack that guesses all possible character combinations and the latter an attack that tries the words in a dictionary as the password.
Most systems store the hash of a password instead of the actual password. Pass the Hash attacks attempt to discover the hash of a user’s password if the authentication protocol being used passes the hash over the network unencrypted. Birthday attacks are when actors are able to create a password that produces the same hash as the actual password; they are based on the Birthday Paradox in mathematics. Creating an identical hash using different data is called a hash collision and is a rare occurrence depending on the bit length and complexity of the algorithm.
Rainbow Table attacks are when an actor has already intercepted the hash of a password and then uses that hash as a key to search through a rainbow table, where each hash is linked to the string that created it. Replay attacks are when data is captured in one session and then used for impersonation later on in another session. Timestamps help prevent these.
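The birthday paradox and the rainbow table idea from the two paragraphs above, as an added example that is not from the book or the notes: it uses Python's hashlib, truncates SHA-256 to 16 bits to make collisions observable, and uses a constructed hash-to-password table (the unsalted form of what a rainbow table stores) to show why a per-user salt defeats precomputation. The passwords and salt are made up.

```python
# Added example (not from the book or the notes). find_collision() shows the
# birthday paradox on SHA-256 truncated to 16 bits: two different inputs share
# a hash after roughly sqrt(2**16) tries, far fewer than the 2**16 values.
# LOOKUP_TABLE is a constructed stand-in for a rainbow table (hash -> password).
import hashlib
import math
import secrets

def truncated_hash(data, bits):
    """SHA-256 reduced to its first `bits` bits, standing in for a weak hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits):
    """Hash random inputs until two distinct inputs collide.
    Returns (tries, input_a, input_b)."""
    seen = {}
    tries = 0
    while True:
        candidate = secrets.token_bytes(8)
        tries += 1
        h = truncated_hash(candidate, bits)
        if h in seen and seen[h] != candidate:
            return tries, seen[h], candidate
        seen[h] = candidate

def birthday_bound(bits):
    """Expected tries until the first collision: about sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed precomputed table of common passwords, keyed by unsalted hash.
COMMON_PASSWORDS = [b"password", b"123456", b"letmein", b"qwerty"]
LOOKUP_TABLE = {sha256_hex(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored_hash):
    """Recover a plaintext from a stored hash by table lookup, or None."""
    return LOOKUP_TABLE.get(stored_hash)

def store_salted(password, salt):
    """Salted storage: the table was built without the salt, so it never matches."""
    return sha256_hex(salt + password)

if __name__ == "__main__":
    tries, a, b = find_collision(16)
    print(f"16-bit collision after {tries} tries (expected ~{birthday_bound(16):.0f})")
    print("unsalted:", table_lookup(sha256_hex(b"letmein")))
    print("salted:  ", table_lookup(store_salted(b"letmein", secrets.token_bytes(16))))
```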
2. Browser Attacks & Code Design
Typo squatting is when an actor buys a domain name that looks very similar to a legitimate one and may use it to trick users into thinking they are on the legitimate website. Clickjacking tricks users into clicking something other than what they think they’re clicking. You can do this very easily with HTML by hiding the actual URL of a link behind a fake address:
<a href="https://maliciouswebsite[.]com">google.com</a>
The user viewing that HTML would see “google.com” but when they clicked on it they would go to the malicious website.
Session Hijacking is when an actor uses a user’s session ID to impersonate that user. This works because most web servers identify users only by their session ID. The actor must first somehow gain access to the session ID which is stored in browser cookies on a user’s computer. They can do this using Cross-Site Scripting, XSS.
Domain Hijacking is when an actor changes the registration of a domain. Man-in-the-Browser, MITB, attacks capture browser session data. This is usually done by using a trojan to first infect a vulnerable browser installed on a user’s machine.
A driver shim is code that can be run instead of the original driver. Actors can write malicious driver shims that run in place of older drivers: the operating system intercepts requests for the older driver and redirects them to the shim code instead. Refactoring code is the process of rewriting the internal processing of code without changing its external behavior. Dynamic Link Libraries, or DLLs, are commonly used by applications. Actors can use DLL injection to load a malicious DLL into active memory by attaching it to an already running process. The DLL uses the same allocated memory as the application to execute malicious functions.
A memory leak is when a program consumes more and more memory the longer it runs, eventually leading to a system crash. An integer overflow attack is when an actor supplies a numeric value far too big for the application to handle properly, which can produce inaccurate results. Buffer overflow attacks are when actors submit unexpected or unsanitized data that exploits the way system memory is allocated, resulting in malicious code being executed. Input validation is used to stop these kinds of attacks. Client-side input validation can be circumvented by disabling JavaScript. Server-side input validation is done entirely on the back-end server and therefore cannot be circumvented. Input validation is what protects against buffer overflows, SQL injection, and XSS.
3. Processes, Models, & Frameworks
Error and exception handling protect the integrity of operating systems and control the errors shown to users. Programmers should include generic error messages for users but log detailed information for themselves. Static code analysis is the examination of code without running it. Dynamic analysis is the examination of code while running it. Fuzzing is the technique of sending random strings of data to applications to test for vulnerabilities and errors. Stress testing is testing how much load an application can take. Lots of popular games make use of stress tests to test server strength for multiplayer activities. Sandboxing is running an application within an isolated environment in order to test it. Model verification ensures that applications meet all specifications and fulfill their intended purposes.
Software Development Life Cycle, or SDLC, models provide structure. The Waterfall model, which preceded the Agile model, includes multiple stages where each stage feeds the stage below it in succession. It’s very difficult to go back up one stage once it is complete, which is why it lacks flexibility. Agile has taken over the workplace because it uses iterative cycles that include the collaboration of all the necessary teams. Each cycle creates a working product, and testers can verify the product. Developers then move to the next cycle to add or remove features depending on what certain teams desire. Secure DevOps is an Agile-aligned development cycle that includes the input of security teams and their considerations.
Change Management ensures developers do not make unauthorized changes, and version control tracks those changes with versions or enumerations of software; the users who made each update are also tracked. User accounts can be provisioned, created and added to the system environment, or deprovisioned, removed. Provisioning an application refers to preparing and configuring that application, while deprovisioning an application refers to removing it from a system.
Frameworks are structures used to provide a foundation to IT personnel. Regulatory frameworks are based on laws and regulations; HIPAA is an example. Non-regulatory frameworks are based on common standards and best practices that organizations can follow; COBIT is an example. An example of a national framework would be NIST, which focuses on cybersecurity activities and risks within the United States. An example of an international framework would be ISO, the International Organization for Standardization. Industry-specific frameworks only apply to specific industries. For example, the Payment Card Industry Data Security Standard, PCI DSS, includes 12 requirements and over 220 sub-requirements that organizations that process credit card data must follow to protect that data.
4. Web Servers & Databases
Web servers host websites on the Internet. Apache is the most popular web server software in use. A database is simply a structured set of data, and the individual elements within that structure are called fields. Normalization of a database is the organizing of tables and columns to reduce redundant data and improve the overall performance of that database. First Normal Form, 1NF, databases meet these three criteria: (1) each row within a table is unique and identified with a primary key; (2) related data is contained in a separate table; (3) none of the columns include repeating groups. A Second Normal Form, 2NF, database is when two or more columns make up the full primary key. A Third Normal Form, 3NF, database is one that is in 2NF (which implies it is also in 1NF) and in which all columns other than the primary key are completely dependent on the primary key instead of on non-primary-key attributes.
SQL injection is an attack where SQL queries are modified to reveal additional, unintended data. The asterisk, *, means wildcard in most contexts, including SQL, where it causes the database to return all columns in a table. The semicolon indicates the end of an SQL statement, and two dashes, --, indicate a comment that is ignored. Two dashes are usually placed at the end of the injected input to prevent an SQL error by commenting out the second single quote that is usually attached to submitted data.
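The quote-and-comment mechanics just described, run against an in-memory SQLite database, as an added example that is not from the book or the notes: the string-concatenated query returns every row once the closing quote is commented out, while the parameterised query treats the same input as plain data. The table and rows are constructed.

```python
# Added example (not from the book or the notes) reproducing the SQL injection
# mechanics above against an in-memory SQLite database with constructed rows:
# the supplied string closes the quote, ORs in an always-true condition, and
# uses -- to comment out the trailing quote that would otherwise cause an error.
import sqlite3

def setup_db():
    """Create a constructed users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn

def lookup_vulnerable(conn, name):
    """String concatenation: the user input becomes part of the SQL text."""
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    """Parameterised query: the driver sends the value separately, so quotes,
    semicolons and -- inside it are data, never SQL syntax."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

# The textbook input: close the quote, OR in a true condition, comment out the rest.
INJECTION = "x' OR '1'='1' --"

if __name__ == "__main__":
    conn = setup_db()
    print("normal:              ", lookup_vulnerable(conn, "alice"))
    print("injected, vulnerable:", lookup_vulnerable(conn, INJECTION))  # all 3 rows
    print("injected, safe:      ", lookup_safe(conn, INJECTION))        # no rows
```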
Cross-site Scripting, XSS, is when actors embed malicious HTML or JavaScript code into a website’s code. This malicious code then executes when another user visits the website. Cross-site Request Forgery, XSRF or CSRF, is an attack where an actor tricks a user into performing an action on a website. An example would be replacing a button with code that purchases an item from a website. The user would think they are doing one thing, but in reality the code behind the button makes them buy something from the website store.
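The two web attacks above beside their standard defences, as an added example that is not from the book or the notes: output encoding with html.escape stops a stored script from executing, and a per-session token makes a forged purchase request fail. The page template, the comment payload and the purchase handler are hypothetical.

```python
# Added example (not from the book or the notes). render_comment_* show a
# stored XSS payload (constructed, harmless alert) landing in a page verbatim
# versus HTML-escaped. The CSRF helpers issue a per-session token and reject a
# purchase request that does not carry it. Template and handler are hypothetical.
import hmac
import html
import secrets

PAGE = "<p>Comment from {user}: {body}</p>"            # hypothetical template
XSS_PAYLOAD = "<script>alert('xss')</script>"          # constructed test input

def render_comment_unsafe(user, body):
    """Interpolates user input straight into HTML: a stored XSS sink."""
    return PAGE.format(user=user, body=body)

def render_comment_safe(user, body):
    """Output encoding: <, >, &, and quotes become entities, so the browser
    displays the payload as text instead of executing it."""
    return PAGE.format(user=html.escape(user), body=html.escape(body))

# CSRF: the site embeds a secret token in its own forms. A request forged from
# another site cannot know the token, so the server refuses the action.
def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def process_purchase(session, form):
    """Honour the purchase only when the form carries the session's token."""
    submitted = form.get("csrf", "")
    expected = session.get("csrf", "")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "rejected: missing or bad CSRF token"
    return f"purchased item {form['item_id']}"

if __name__ == "__main__":
    print(render_comment_unsafe("mallory", XSS_PAYLOAD))
    print(render_comment_safe("mallory", XSS_PAYLOAD))
    session = {}
    token = issue_csrf_token(session)
    print(process_purchase(session, {"item_id": "42", "csrf": token}))
    print(process_purchase(session, {"item_id": "42"}))  # forged: no token
```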