CompTIA Security+ 501
Cybrary - Ron Woerner 1
CompTIA Security+
SY0-501
Instructor: Ron Woerner, CISSP, CISM
CompTIA Security+
Domain 1 – Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks
Part 1: Social Engineering Attacks
1.2 Attack Types
● Social engineering: Phishing; Spear phishing; Whaling;
Vishing; Tailgating; Impersonation; Dumpster diving; Shoulder surfing
● Application/service attacks: Buffer overflow; Injection; Cross-site scripting;
Cross-site request forgery; Privilege escalation; Impersonation/Masquerading;
Replay; Driver manipulation (Shimming; Refactoring);
● Cryptographic attacks: Birthday; Known plain text/cipher text; Rainbow tables;
Dictionary; Brute force; Pass the hash
● Hijacking and related attacks: Clickjacking; Session hijacking; URL hijacking;
Typo squatting; MAC spoofing; IP spoofing
● Network / Wireless Attacks: DoS; DDoS; Man-in-the-middle; Amplification;
DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV);
Evil twin; Rogue AP; Jamming; Bluejacking; Bluesnarfing
Social Engineering
Definition:
● The process by which intruders gain access to facilities, network, systems,
data and even employees by exploiting the generally trusting nature of
people.
● The use of deception to manipulate individuals into divulging confidential or
personal information that may be used for fraudulent purposes.
● Reference: Chris Hadnagy, Social Engineering: The Art of Human Hacking (Wiley, 2010)
Social Engineering Attack Types
● Online
○ Phishing; Vishing; Whaling; Spear Phishing
○ Spoofing
● Offline / Physical
○ Tailgating
○ Impersonation
○ Dumpster diving
○ Shoulder surfing
● Either
Communications Spoofing / Fraud
● Phishing: sending emails purporting to be
from reputable companies in order to induce
individuals to reveal personal information.
● Spear Phishing: sending emails ostensibly
from a known or trusted sender in order to
induce targeted individuals to reveal
confidential information.
Phishing Example
Communications Spoofing / Fraud
● Whaling: a phishing attack that is specifically aimed at
wealthy, powerful, or prominent individuals, typically executives.
● Vishing: the fraudulent practice of making phone calls or leaving voice
messages purporting to be from reputable companies in order to induce
individuals to reveal personal information.
● Pharming: redirecting traffic to a spoofed web site, for example by tampering
with DNS or a client's hosts file, so that users land on the attacker's copy
even when they type the correct address.
● Variants: SMiShing (phishing over SMS text messages)
Communications Spoofing
● Hoax: Malicious actors issuing false warnings to
alarm users
● Swatting: Fraudulent calls to the police
● Watering Hole Attack: A security exploit in which
the attacker seeks to compromise a specific
group of end users by infecting websites that
members of the group are known to visit.
Social Engineering Attacks – Physical
Tailgating: gaining entry to an electronically locked area by following
someone through the door they just unlocked, relying on courtesy so that
nobody asks to see a badge
Social Engineering Attacks – Physical
Dumpster Diving: The practice of
foraging in garbage that has
been put out on the street in
dumpsters, garbage cans, etc.,
for discarded items that may still
be valuable, useful, or used to
commit fraud.
Social Engineering Attacks – Physical
● Shoulder Surfing: watching someone “over their shoulder” when they enter
sensitive data such as a password or credit card information.
Social Engineering – Principles
Reasons for effectiveness
● Authority
● Intimidation
● Consensus / Social Proof
● Scarcity
● Familiarity / Liking
● Trust
● Urgency
● Reciprocity
Reference: Cialdini, Influence, Science and Practice, 5th ed, 2009
Social Engineering – Prevention
● User education
● “Trust, but verify”
● “If you see something, say something”
Sample question
A user contacts you suspecting that his computer is
infected. Yesterday he opened an email that looked like
it was from a colleague. When he later talked to that
person, she said she never sent an email. What type of
attack is the most likely the cause of the infection?
A. Phishing
B. Trojan
C. Spear phishing
D. Whaling
Sample question
You observe a delivery person entering your building
by following an employee through a locked door into
a secure facility. Which term best describes this type
of attack?
A. Shoulder surfing
B. Reciprocity
C. Tailgating
D. Whaling
Security+ Lab Guide
Social Engineering Reconnaissance
● Often a compromise in a company begins by
attackers searching through social media for
information on employees or the organization
● Attackers are looking to gain access to internal
systems by impersonating or exploiting
internal employees
CompTIA Security+
Domain 1 – Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks
Part 2: Application/service Attacks
Attack Types
● Social engineering: Phishing; Spear phishing; Whaling; Vishing; Tailgating;
Impersonation; Dumpster diving; Shoulder surfing
● Application/service attacks: Buffer overflow; Injection; Cross-site scripting;
Cross-site request forgery; Privilege escalation; Impersonation/Masquerading;
Replay; Driver manipulation (Shimming; Refactoring); Zero-Day (0-Day)
Exploits
● Cryptographic attacks: Birthday; Known plain text/cipher text; Rainbow tables;
Dictionary; Brute force; Pass the hash
● Hijacking and related attacks: Clickjacking; Session hijacking; URL hijacking;
Typo squatting; MAC spoofing; IP spoofing
● Network / Wireless Attacks: DoS; DDoS; Man-in-the-middle; Amplification;
DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV);
Evil twin; Rogue AP; Jamming; Bluejacking
Application Attacks
● Buffer overflow
● Injection
● Cross-site scripting (XSS)
● Cross-site request forgery (CSRF or XSRF)
● Privilege escalation
OWASP Top 10 Application Security Risks - 2017
https://www.owasp.org/index.php/Top_10-2017_Top_10
Application Attacks –
Buffer overflow
● Occurs when more data are written to a fixed-size
buffer than it can hold: the program overruns the
buffer's boundary and overwrites adjacent memory
locations.
● Overwriting adjacent memory can crash the program
(DoS); if the attacker controls the overflowing bytes,
they can overwrite control data such as a saved
return address and redirect execution to code of
their choosing.
● Defenses: bounds checking, memory-safe languages,
and platform mitigations such as stack canaries,
DEP/NX and ASLR.
Application Attacks – Injection
● Occurs when untrusted data is sent to an interpreter (SQL engine, OS
shell, LDAP directory, XML parser) as part of a command or query, so
that data supplied by the user is parsed as code.
● The most common SQL injection techniques fall into the following categories:
○ Escape characters not filtered correctly (a quote in the input ends the
string literal and the rest of the input runs as SQL)
○ Type handling not properly done (a numeric field accepts arbitrary text)
○ Conditional errors (blind injection: an injected true/false condition
changes the page)
○ Time delays (blind injection: an injected sleep reveals the answer by timing)
● Primary defense: keep data and code separate with parameterized queries
(prepared statements) or a safe API; input validation and filtering is a
second layer, and the application should use least-privilege database accounts.
● Examples: SQL injection, OS command injection, LDAP injection, XML/XPath injection
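Worked example added by the editor (not part of the Cybrary deck): a login query built by string concatenation, the deck's "escape characters not filtered" case, next to the parameterized version that treats the same input as data. The in-memory table, the users and the payloads are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory table for the example; the credentials are made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted data is spliced into the command text, so the interpreter (SQLite)
    # cannot tell where the data ends and the SQL begins. Deliberately vulnerable.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s' "
             "ORDER BY id" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the SQL text; quote characters
    # in the input are treated as data, never as syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id",
        (username, password)).fetchone()
    return row[0] if row else None

# Tautology payload: the unfiltered quote closes the string literal and the OR
# makes the WHERE clause true for every row, so the first user is returned.
PAYLOAD = "' OR '1'='1"
# Comment payload: the quote closes the literal and "--" discards the password check.
COMMENT_PAYLOAD = "bob' --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "correct horse"))  # normal login
    print(login_vulnerable(db, "nobody", PAYLOAD))         # bypass: first user returned
    print(login_vulnerable(db, COMMENT_PAYLOAD, "wrong"))  # bypass: logs in as bob
    print(login_parameterized(db, "nobody", PAYLOAD))      # None: payload is just a string
```

Note that the parameterized version does not filter anything; it does not need to, because the value never reaches the SQL parser. Input validation is still worth doing for data quality and for interpreters that have no parameter binding, but it is not what prevents the injection.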
Application Attacks – Cross-site scripting &
Cross-site request forgery
● Cross-site scripting (XSS): occurs whenever an application
includes untrusted data in a new web page without proper
validation or escaping, or updates an existing web page with
user-supplied data using a browser API that can create HTML
or JavaScript. The injected script runs in the victim's browser
with the site's origin, so it can read the site's cookies and act
as the user.
○ Example: Ron<SCRIPT>alert('hello')</SCRIPT>Woerner
○ Defense: contextual output encoding (HTML-escape text, attribute-escape
attributes) plus a Content Security Policy
● Cross-site request forgery (CSRF/XSRF): an attack that forces
an end user to execute unwanted actions on a web application in
which they are currently authenticated; the browser attaches the
session cookie automatically, so the forged request looks legitimate
to the server. Also known as a session riding or one-click attack.
○ Defense: anti-CSRF tokens tied to the session, SameSite cookies
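Worked example added by the editor (not from the Cybrary deck) for both attacks above: the deck's own XSS string rendered with and without output encoding, and a minimal anti-CSRF token check. The server key, the session identifiers and the form contents are assumptions constructed for the example.

```python
import hashlib
import hmac
import html
import secrets

# The untrusted input is the deck's own XSS example.
UNTRUSTED_NAME = "Ron<SCRIPT>alert('hello')</SCRIPT>Woerner"

def render_vulnerable(name):
    # Untrusted data concatenated into HTML with no encoding: the browser
    # parses the <SCRIPT> element and runs it. Deliberately vulnerable.
    return "<p>Hello, %s</p>" % name

def render_escaped(name):
    # Output encoding for an HTML text context: < > & " ' become entities,
    # so the browser shows the text and never sees a script element.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)

def has_script_element(markup):
    # Rough check used here only to show the difference between the renderers.
    return "<script" in markup.lower()

# --- CSRF ---
# Server secret generated at startup; a hypothetical value for the example.
SERVER_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    # Token bound to the session and embedded in the site's own forms. A page on
    # attacker.example cannot read it (same-origin policy), so it cannot forge it.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(session_id, form):
    # session_id stands for the session cookie, which the browser attaches to every
    # request, including a forged one. The token is the part the forgery lacks.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return "rejected: missing or invalid CSRF token"
    return "transferred %s to %s" % (form["amount"], form["to"])
```

Escaping is context dependent: the same value placed inside a JavaScript string, a URL or an HTML attribute needs a different encoder, which is why templating engines that auto-escape per context are preferred over hand-rolled filters.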
Application Attacks –
Privilege Escalation
The act of exploiting a bug, design flaw or configuration
oversight in an operating system or software
application to gain elevated access to resources that
are normally protected from an application or user.
Application Attacks –
Prevention & Response
● Good coding practices – See OWASP
● Filter and validate any user input
● Use a Web Application Firewall (WAF)
● Build security into the Software Development
Life Cycle (SDLC)
● Have an incident response plan in place
Zero-Day (0-Day) Exploits
● An attack that exploits a vulnerability unknown to the vendor and the
public, so no patch exists when the attack is first used (the vendor has
had "zero days" to prepare a fix).
● Attacks may also follow within hours of a vulnerability becoming generally
known, before most organizations have been able to patch.
● Example: Stuxnet, which used several previously unknown Windows vulnerabilities
● Prevention (no patch exists, so rely on compensating controls):
○ Defense in depth (least privilege, network segmentation, application allow-listing);
○ Patch as soon as a fix is available;
○ Keep AV/EDR up-to-date
Impersonation / Masquerading / Replay Attacks
● Impersonation (masquerading): the act of pretending to be someone or
something (a user, a host, a service) to gain unauthorized access to a system.
● Replay: capturing network traffic via eavesdropping, then re-establishing a
communications session by re-sending the captured traffic, including the
authentication exchange, so that the server accepts the attacker as the
original client. The attacker does not need to understand or decrypt
the captured data.
● Prevention: token authentication (Kerberos, whose tickets carry timestamps
and expire), MFA/TFA, encryption with message authentication, and
sequenced or nonce-based session identification so that a repeated
message is recognised and rejected.
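Added example (the editor's, not from the Cybrary deck): a toy request-signing exchange showing why a MAC alone does not stop replay and why the "sequenced session identification" above does. The shared key and the message format are assumptions for the example.

```python
import hashlib
import hmac

# Hypothetical shared secret agreed out of band; an assumption for the example.
SHARED_KEY = b"example-shared-key-not-for-production"

def sign_request(counter, body):
    # Client side: the MAC covers the sequence counter and the body together,
    # so neither can be changed without invalidating the tag.
    msg = b"%d|%s" % (counter, body)
    tag = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()
    return msg, tag

class Server:
    def __init__(self):
        self.last_counter = 0   # highest sequence number accepted so far

    def handle(self, msg, tag):
        # 1. Authenticity: a modified message fails the MAC check...
        expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad MAC"
        # 2. ...but an unmodified, captured message passes it. Freshness comes
        #    only from the counter: anything at or below the last one is a replay.
        counter_bytes, body = msg.split(b"|", 1)
        counter = int(counter_bytes)
        if counter <= self.last_counter:
            return "rejected: replay of counter %d" % counter
        self.last_counter = counter
        return "accepted: " + body.decode()

def replay_demo():
    server = Server()
    outcomes = []
    msg1, tag1 = sign_request(1, b"transfer 100")
    outcomes.append(server.handle(msg1, tag1))    # legitimate request
    outcomes.append(server.handle(msg1, tag1))    # eavesdropper re-sends it
    forged = msg1.replace(b"100", b"900")
    outcomes.append(server.handle(forged, tag1))  # eavesdropper edits it
    msg2, tag2 = sign_request(2, b"transfer 5")
    outcomes.append(server.handle(msg2, tag2))    # next legitimate request
    return outcomes
```

A monotonic counter is the simplest freshness check, but the server must persist it (a restart that resets it to zero reopens the replay window); Kerberos uses timestamps with a small clock-skew window and a replay cache for the same purpose.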
Driver manipulation
● Driver: A program that controls a device (printers,
media, keyboards, etc.)
● Shimming: creating a library—or modifying an existing
one—to bypass a driver and perform a function other
than the one for which the API was created.
● Refactoring: set of techniques used to identify the flow
and then modify the internal structure of code without
changing the code’s visible behavior
Cryptographic attacks
See section on Cryptography
● Birthday: an attack on a cryptographic hash that looks for collisions,
two different inputs with the same digest. Hashing is many-to-one (an
unbounded set of inputs maps to a fixed-size digest), so collisions must
exist, and the birthday paradox means one is found after roughly 2^(n/2)
trials for an n-bit hash rather than 2^n. This is why MD5 and SHA-1 are
no longer acceptable where collision resistance matters.
● Known plain text/cipher text: the attacker attempts to derive a
cryptographic key (or otherwise break the cipher) by using pairs of known
plain text along with the corresponding cipher text.
● Frequency analysis: counting how often symbols or blocks repeat in an
encrypted message to find patterns, e.g. letter frequencies in a
substitution cipher, or identical cipher-text blocks in ECB mode revealing
identical plain-text blocks
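Added example (the editor's, not from the Cybrary deck): the birthday bound in code. SHA-256 is truncated to 32 bits so that the collision appears in seconds; nothing else about the attack changes with the full width except the cost. The same probability function explains why WEP's 24-bit IV, covered later in this deck, repeats so quickly.

```python
import hashlib
import math

def truncated_hash(data, bits):
    # First `bits` bits of SHA-256. Truncation makes a collision cheap to find here;
    # a real birthday attack faces the hash's full output width.
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits):
    # Generic birthday attack: hash distinct inputs, remember every digest seen,
    # and stop at the first repeat. Expected work is about sqrt(pi/2 * 2**bits) hashes.
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i           # inputs are all distinct, so a repeat is a true collision
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1   # (first input, second input, hashes computed)
        seen[h] = msg
        i += 1

def collision_probability(n, bits):
    # Birthday bound: P(some pair collides among n uniformly random bits-bit values).
    return 1 - math.exp(-n * n / (2 * 2 ** bits))

def expected_trials(bits):
    # Mean number of hashes computed before the first collision.
    return math.sqrt(math.pi / 2 * 2 ** bits)

if __name__ == "__main__":
    a, b, trials = find_collision(32)
    print(a, b, trials)                      # two inputs with the same 32-bit prefix
    print(collision_probability(4096, 24))   # 2**12 samples from a 24-bit space
```

For a 128-bit digest (MD5) the same loop needs about 2^64 hashes and 2^64 entries of storage, which is why practical attacks use cycle-finding (Floyd/van Oorschot-Wiener) instead of a dictionary; the expected number of trials is unchanged.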
Cryptographic attacks
Password attacks:
● Dictionary: systematically trying each word in a word list (plus common
variants such as appended digits) as the password
● Brute force: systematically trying all possible combinations of letters,
numbers, and symbols. Usually automated; feasible only against short
passwords or fast, unsalted hashes.
● Rainbow tables: hashes for a large password space are precomputed once
(stored as compressed chains) and then looked up against a stolen password
database. A per-user salt defeats precomputation, because every hash would
have to be recomputed for each salt.
● Pass the hash: an attacker who has captured a user's password hash (typically
an NTLM hash taken from memory or from network traffic) authenticates to a
remote server or service with the hash itself, never cracking it, because
the protocol accepts the hash as the credential.
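Added example (the editor's, not from the Cybrary deck) contrasting the three cracking attacks above: a precomputed lookup table (the rainbow-table idea without the chain compression) against unsalted hashes, the same word list against salted PBKDF2 hashes, and exhaustive brute force of a four-digit PIN. The word list, the stolen hashes and the iteration count are constructed for the example.

```python
import hashlib

# Constructed word list; a real dictionary attack uses millions of leaked passwords.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "correct horse", "dragon"]

def unsalted_hash(pw):
    # Plain SHA-256 of the password: the same password always gives the same hash,
    # so one precomputed table serves against every database ever stolen.
    return hashlib.sha256(pw.encode()).hexdigest()

def salted_hash(pw, salt, iterations=1000):
    # Per-user salt plus key stretching (PBKDF2). 1000 iterations keeps the example
    # fast; production uses far more, or bcrypt/scrypt/argon2.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()

def build_lookup_table(words):
    # Precomputation step: done once, reused against any unsalted hash.
    return {unsalted_hash(w): w for w in words}

def crack_with_table(stolen_hashes, table):
    # Dictionary attack on unsalted hashes: one lookup per user, no hashing at attack time.
    return {user: table.get(h) for user, h in stolen_hashes.items()}

def crack_salted(stolen, words):
    # With salts the table is useless; every candidate must be re-hashed per user,
    # multiplying the attacker's work by the user count and the iteration count.
    cracked = {}
    for user, (salt, h) in stolen.items():
        cracked[user] = next((w for w in words if salted_hash(w, salt) == h), None)
    return cracked

def brute_force_pin(target_hash, length=4):
    # Exhaustive search of every 4-digit PIN: 10**4 candidates is trivial, which is
    # why brute force works on short secrets and fails on long ones.
    for n in range(10 ** length):
        candidate = str(n).zfill(length)
        if unsalted_hash(candidate) == target_hash:
            return candidate
    return None
```

Pass the hash is absent from the block deliberately: it involves no cracking at all, which is the point of the term. The defenses differ accordingly: salting and stretching slow cracking, whereas pass the hash is addressed by keeping hashes out of reach (Credential Guard, no local admin reuse, no NTLM where Kerberos is possible).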
Sample question
During a breach investigation, you notice that the attacker
entered the database through a web front end application
by manipulating the database code to exploit a
vulnerability. What is the most likely name for this type of
attack?
A. SQL parsing
B. Database injection
C. SQL injection
D. Session hijacking
Sample question
Which of the following types of attack is the result of a
software vulnerability and is caused by supplying
more data than is expected in an input field?
A. Buffer overflow attack
B. Cross site scripting
C. Denial-of-Service (DoS) attack
D. App overloading
Sample question
Which form of attack uses special programs that attempt
all possible character combinations to determine
passwords?
A. brute-force attack
B. dictionary attack
C. password guessing
D. birthday attack
CompTIA Security+
Domain 1 – Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks
Part 3: Network & Wireless Attacks
Hijacking and related attacks
● Clickjacking: tricking a web user into clicking on something other than what they
perceive, typically by loading the target site in an invisible frame over a decoy
page. Defended with X-Frame-Options or a CSP frame-ancestors directive.
● Session hijacking (Cookie hijacking): exploiting a valid computer session, or
session key, to gain unauthorized access to information or services.
● URL hijacking / Typo squatting: the act of registering domains that are
similar to those for a known entity but based on a misspelling or typographical
error. (examples: g00gle.com, gooogle.com)
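Added example (the editor's, not from the Cybrary deck): generating the typosquat candidates for a domain, which reproduces the g00gle.com and gooogle.com examples above, and matching observed hostnames (for instance from DNS or proxy logs) against them. The homoglyph map is a small constructed one.

```python
# Small constructed homoglyph map (visually similar ASCII substitutions).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}

def typosquat_variants(domain):
    # Enumerate registrable look-alikes of one domain: omission, repetition,
    # adjacent transposition, and homoglyph substitution (single and all occurrences).
    name, sep, tld = domain.rpartition(".")
    if not sep:                      # no dot: treat the whole string as the name
        name, tld = domain, ""
    variants = set()
    n = len(name)
    for i in range(n):
        variants.add(name[:i] + name[i + 1:])                 # omission:       gogle
        variants.add(name[:i] + name[i] * 2 + name[i + 1:])   # repetition:     gooogle
        if i < n - 1:                                          # transposition:  googel
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        if name[i] in HOMOGLYPHS:                              # one homoglyph:  g0ogle
            variants.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    for char, sub in HOMOGLYPHS.items():                       # all occurrences: g00gle
        if char in name:
            variants.add(name.replace(char, sub))
    variants.discard(name)
    suffix = "." + tld if tld else ""
    return {v + suffix for v in variants}

def find_lookalikes(observed_domains, legitimate_domains):
    # Detection use: match hostnames seen in DNS or proxy logs against the
    # variant sets of domains you own or trust.
    hits = {}
    for legit in legitimate_domains:
        variants = typosquat_variants(legit)
        for observed in observed_domains:
            if observed in variants:
                hits[observed] = legit
    return hits
```

Tools such as dnstwist extend the same idea with keyboard-adjacency errors, bit flips, TLD swaps and IDN homoglyphs; defensively, the variant set is what you either register yourself or watch for in certificate-transparency logs and new-domain feeds.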
Network Hijacking Attacks
MAC spoofing: the Media Access Control (MAC) address is a number burned into
a network interface controller (NIC) at the factory, but most drivers allow it
to be changed in software. MAC spoofing is changing that factory-assigned
address, for example to impersonate a device that is allowed through a
MAC-address filter or to evade switch port security.
Network Hijacking Attacks
IP spoofing: a technique whereby an attacker impersonates another machine by
forging the source IP address in the IP header (and recomputing the header
checksum so the packet is still valid). Because replies go to the spoofed
address rather than to the attacker, blind spoofing cannot complete a TCP
handshake; it is used mainly for DoS and reflection/amplification traffic and
against protocols that trust a source address without a handshake.
Network Hijacking Attacks
ARP spoofing (ARP poisoning): an attacker sends fake ARP (Address
Resolution Protocol) messages over a local area network. ARP has no
authentication, so hosts accept the reply and link the attacker's MAC
address with the IP address of a legitimate computer, server or default
gateway. Traffic for that IP is then delivered to the attacker, who can
inspect or alter it (man-in-the-middle) or simply drop it (DoS).
Man-in-the-Middle Attacks
● An attack where the attacker secretly relays and
possibly alters the communication between two parties
who believe they are directly communicating with each
other.
● The attacker may either observe (confidentiality attack)
or alter (integrity attack)
Denial of Service Attacks (DoS)
● Preventing access to resources by users authorized
to use those resources. Attacking systems availability.
● May accomplish:
○ Deny access to information, applications, systems, or communications.
○ Bring down a website while the communications and systems continue
to operate.
○ Crash the operating system (a simple reboot may restore the server to
normal operation).
○ Fill the communications channel of a network and prevent access by
authorized users.
Distributed Denial of Service Attacks
(DDoS)
● A DoS attack utilizing multiple
compromised computer systems
as sources of attack traffic
● Amplifies the concepts of a DoS
attack by using multiple
computer systems (often through
botnets) to conduct the attack
against a single organization
DoS & DDoS – Prevention
● Work with your ISP / network provider (upstream filtering, scrubbing services)
● Border protection / Intrusion Detection & Prevention System
● Update network appliances, operating systems and applications
● Keep end users' systems up-to-date and deploy anti-virus (bot prevention)
Amplification Attacks
● The attacker sends small requests to a third-party server (the reflector)
with the source IP address spoofed to the victim's address, so the server's
much larger responses are delivered to the victim, congesting the victim's
link rather than the attacker's.
● The ratio of response size to request size is the amplification factor;
high factors are possible with UDP-based protocols that answer without a
handshake, such as NTP (monlist), CharGen and DNS (ANY queries).
● Usually employed as part of a DDoS attack: the reflector's owner sees only
spoofed requests, and the victim sees traffic arriving from many legitimate
servers.
● Defenses: source-address validation at network edges (BCP 38) and disabling
or rate-limiting the amplifying service on internet-facing hosts.
Domain Hijacking /
DNS Poisoning / DNS Spoofing
● AKA resolution attacks
● Domain hijacking: taking over a domain's registration (for example through
a compromised registrar account or an expired registration) and pointing it
at attacker-controlled servers.
● Poisoning: when an attacker alters the domain-name-to-IP-address mappings
in a DNS system (a resolver's cache, or a client's hosts file) to redirect
traffic to a rogue system or perform a DoS attack.
● Spoofing: when an attacker sends false replies to a requesting system in
place of a valid DNS response, racing the legitimate server.
● Protect any internal DNS servers (patch, restrict recursion, randomize source
ports and transaction IDs)
● Use authoritative DNS sources and validate responses with DNSSEC where available
● Lock the registrar account (MFA, registry lock) against domain hijacking
Wireless Attacks
● Evil twin: A rogue wireless access point poses
as a legitimate wireless service provider to intercept
information that users transmit
● Rogue AP: Any wireless access point added to your
network that has not been authorized
● Initialization Vector (IV): an arbitrary value combined with the secret
key to start encryption so that the same key can be reused safely; it
must never repeat with the same key (it is then acting as a nonce). WEP's
IV is only 24 bits long and is sent in the clear, so the same key-and-IV
pair, and therefore the same RC4 keystream, recurs after at most about
16.7 million frames and in practice far sooner. Keystream reuse lets an
attacker recover plaintext, and WEP's weak IVs allow recovery of the key
itself.
● Jamming: Causing interference with a wireless signal.
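Added example (the editor's, not from the Cybrary deck) of what IV reuse costs. The keystream generator is a toy SHA-256 counter-mode stand-in for RC4, an assumption for the example; the two-time-pad property it shows holds for any stream cipher, and iv_repeat_probability applies the birthday bound to WEP's 24-bit IV space.

```python
import hashlib
import math

def keystream(key, iv, length):
    # Toy keystream: SHA-256 in counter mode over (key, iv). A stand-in for RC4 in
    # WEP; the only property used is that the same key and IV give the same stream.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, iv, plaintext):
    # Stream cipher: ciphertext = plaintext XOR keystream.
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def recover_with_known_plaintext(c1, c2, p1):
    # With a reused keystream k: c1 ^ c2 == (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2,
    # so knowing p1 (e.g. a predictable protocol header) yields p2 directly.
    return xor(xor(c1, c2), p1)

def iv_repeat_probability(packets, iv_bits=24):
    # Birthday bound on random IV selection: P(at least one IV repeats among `packets`).
    return 1 - math.exp(-packets * packets / (2 * 2 ** iv_bits))

if __name__ == "__main__":
    key, iv = b"k" * 16, b"\x00\x00\x01"
    p1 = b"known: GET /index.html HTTP/1.1"   # predictable header an attacker can guess
    p2 = b"secret: hunter2"
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)
    print(recover_with_known_plaintext(c1, c2, p1))  # p2, with no key material
    print(iv_repeat_probability(5000))                # about 0.52 after 5000 frames
```

Even without any known plaintext, c1 XOR c2 removes the keystream entirely and leaves two natural-language plaintexts XORed together, which classic crib-dragging separates; that is why every modern stream mode (CTR, GCM, ChaCha20) treats nonce reuse as a catastrophic failure rather than a weakening.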
PAN Wireless Attacks
● Bluejacking: the sending of unsolicited
messages (think spam) over a Bluetooth
connection
● Bluesnarfing:
○ The gaining of unauthorized access through
a Bluetooth connection
○ Intercepting data through a Bluetooth
connection
Sample question
Of the terms below, which one best describes the
type of attack that captures portions of a session to
play back later to convince a host that it is still
communicating with the original system?
A. IP hijacking
B. Jamming
C. Trojan
D. Replay
Sample question
A user calls you from a hotel saying that there is an
issue with your organization's web site and that it
looks like it has been compromised. You check it
from your workplace and it appears fine. What is a
likely cause associated with the user at the hotel?
A. Logic bomb
B. DNS Poisoning
C. Trojan horse
D. Evil twin