
Session 03



• COMMON SOFTWARE AND HARDWARE VULNERABILITIES.


• SQL Injection.
• Occurs when untrusted input is concatenated into a SQL statement so that the input is interpreted as part of the query.
• Can allow an attacker to view, insert, delete, or modify records in a database.

• HTML Injection.
• A vulnerability that occurs when an unauthorized user controls an input point and can inject arbitrary HTML into
the output of a web application.
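As an added example (not code from the original notes), the block below renders a comment template with user input spliced in raw and then with the input escaped, and parses both outputs the way a browser would to list the tags and attributes that actually end up in the page. The template, the attacker strings and the tag collector are assumptions made for the demonstration; the second input breaks out of an attribute, which is why the escaping is done with `quote=True`.

```python
from html import escape
from html.parser import HTMLParser

# Constructed page template: one attribute context and one text context.
TEMPLATE = '<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_vulnerable(author, body):
    # Input is spliced into the markup unchanged: any tag in it becomes part of the page.
    return TEMPLATE.format(author=author, body=body)


def render_safe(author, body):
    # escape() turns <, > and & into entities; quote=True also encodes " and ',
    # so the attribute context cannot be closed early by the input.
    return TEMPLATE.format(author=escape(author, quote=True), body=escape(body, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attribute names."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def parsed_tags(html):
    collector = TagCollector()
    collector.feed(html)
    return collector.tags


# Constructed attacker inputs (assumptions for the example, not from the page).
EVIL_AUTHOR = '" onmouseover="alert(1)'                                  # attribute break-out
EVIL_BODY = 'nice post <img src=x onerror="alert(document.cookie)">'     # injected tag


def demo():
    return {
        "vulnerable": parsed_tags(render_vulnerable(EVIL_AUTHOR, EVIL_BODY)),
        "safe": parsed_tags(render_safe(EVIL_AUTHOR, EVIL_BODY)),
    }


if __name__ == "__main__":
    for label, tags in demo().items():
        print(label, tags)
```

In the raw rendering the parser reports an extra `img` tag carrying `onerror` and an `onmouseover` handler on the `div`; in the escaped rendering only the template's own `div` and `p` survive, with the original attribute names.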

• Authentication-based Vulnerabilities.
• An attacker can bypass authentication in vulnerable systems by using several methods.
• Most common authentication-based attacks against an affected system:
- Credential brute forcing
- Session hijacking
- Redirecting
- Exploiting default credentials
- Exploiting weak credentials
- Exploiting Kerberos vulnerabilities

• CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY


• Confidentiality.
• The requirement that private or confidential information not be disclosed to unauthorized individuals.
• Enforced through access permissions and encryption.

SCOR Page 1
• Data classification is important when you’re deciding how to protect data.
• Integrity.
• Protecting the data from unauthorized alteration or revision.
• Often checked with a cryptographic hash. A bare hash only detects accidental corruption: an attacker who can change
the data can usually recompute the hash as well, so a keyed MAC or a digital signature is needed when the attacker may be
active on the channel.
• Availability.
• Making systems and data ready for use when legitimate users need them at any time.
• Supported by network hardening mechanisms and backup systems.
• The most common attack against availability is a denial-of-service (DoS) attack.
• A DoS attack typically uses a single source to create a denial-of-service condition on the targeted system.
• DDoS attacks use multiple computers and network connections that can be geographically
dispersed (that is, distributed) to perform a denial-of-service condition against the victim.
• Direct DDoS attacks.
• The sources of the attack generate the packets themselves and send them directly to the victim.
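To make the Integrity item above concrete, here is an added example (not from the original notes) that protects a constructed transfer message first with a plain SHA-256 digest and then with HMAC-SHA256, and lets an attacker who controls the channel rewrite the message. The shared key and the message are assumptions for the demonstration. It shows that the plain hash is defeated as soon as the attacker can also replace the digest, while the keyed tag cannot be regenerated without the key.

```python
import hashlib
import hmac

# Assumption for the example: sender and verifier share this key out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def protect_with_hash(message: bytes) -> str:
    """Unkeyed integrity value: anyone, including the attacker, can compute it."""
    return hashlib.sha256(message).hexdigest()


def verify_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def protect_with_mac(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed integrity value (HMAC-SHA256): only a key holder can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).hexdigest(), tag)


def attacker_rewrite(message: bytes) -> bytes:
    """Active attacker on the channel changes the amount in transit."""
    return message.replace(b"amount=100", b"amount=9999")


def demo() -> dict:
    original = b"transfer to=bob amount=100"          # constructed message
    digest = protect_with_hash(original)
    tag = protect_with_mac(original)
    forged = attacker_rewrite(original)
    return {
        # Corruption, or an attacker who leaves the digest alone: stale digest no longer matches.
        "hash_rejects_stale_digest": not verify_hash(forged, digest),
        # Attacker who can also replace the digest: the unkeyed hash accepts the forgery.
        "hash_accepts_recomputed_digest": verify_hash(forged, protect_with_hash(forged)),
        # Without the key the attacker cannot produce a tag the verifier accepts.
        "mac_rejects_unkeyed_recompute": not verify_mac(forged, protect_with_hash(forged)),
        "mac_rejects_stale_tag": not verify_mac(forged, tag),
        "mac_accepts_genuine": verify_mac(original, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

`hmac.compare_digest` is used for both comparisons so that the verifier does not leak, through timing, how many leading bytes of a guessed tag were correct.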


• Reflected DDoS.
• Occurs when the attack sources (the reflectors) receive packets whose source address has been spoofed to be the
victim's; the reflectors then become unwitting participants in the DDoS attack by sending their response traffic to the
intended victim.
• UDP is often used as the transport mechanism because it is connectionless: with no three-way handshake, a spoofed
source address is never challenged before the response is sent.

• Botnet DDoS attack.
• Many attackers use botnets to launch DDoS attacks.
• A botnet is a collection of compromised machines that the attacker can manipulate from a command-and-control
(often referred to as a C2 or CnC) system.

• Access Control Management


• Access controls are security features that govern how users and processes communicate and interact with
systems and resources.
• Ensures that authorized users and processes are able to access information and resources.
• Open approach (default allow)
• Means that access not explicitly forbidden is permitted.
• Secure approach (default deny)
• Means that access not explicitly permitted is forbidden.

• Least privilege means granting subjects the minimum level of access required to perform their job.
• Mandatory Access Control (MAC)
• In a MAC model, access is controlled strictly by the administrator through system-enforced labels (for example, a
subject's clearance and an object's classification).
• The administrator is the one who sets all permissions.
• Users cannot set permissions themselves, even if they own the object.
• Discretionary Access Controls (DACs).
• Permissions are defined by the owner of the object.
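The block below is an added example (not code from the original notes) that puts the access control terms above into one small authorization check: a system-enforced label comparison that the object's owner cannot override (MAC), an owner-managed ACL (DAC), a default-deny versus default-allow decision for requests no ACL entry covers, and a read-only grant as the least-privilege case. The clearance levels, subjects and resource are assumptions made for the demonstration; the "no read up / no write down" label rules are the simple form used here, not a statement about any particular product.

```python
# Constructed label lattice for the example (higher number = more sensitive).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class Subject:
    def __init__(self, name, clearance, groups=()):
        self.name, self.clearance, self.groups = name, clearance, set(groups)


class Resource:
    def __init__(self, name, classification, owner):
        self.name, self.classification, self.owner = name, classification, owner
        self.acl = {}   # DAC: {principal: {actions}}, managed by the owner only


def mac_check(subject, res, action):
    """System-enforced labels: the administrator assigns them; ownership does not matter."""
    s, o = LEVELS[subject.clearance], LEVELS[res.classification]
    if action == "read":
        return s >= o          # no read up
    if action == "write":
        return s <= o          # no write down: higher data must not flow into a lower object
    return False


def dac_check(subject, res, action, default_allow=False):
    """Owner-managed ACL: the owner has full control, everyone else needs an explicit entry."""
    if subject.name == res.owner:
        return True
    matched = [p for p in {subject.name, *subject.groups} if p in res.acl]
    if not matched:
        return default_allow   # open approach (True) vs secure approach (False) for unmatched requests
    return any(action in res.acl[p] for p in matched)


def authorize(subject, res, action, default_allow=False):
    """Both checks must pass; MAC is not bypassed by a generous ACL."""
    return mac_check(subject, res, action) and dac_check(subject, res, action, default_allow)


def grant(actor, res, principal, actions):
    """DAC: changing the ACL is itself restricted to the owner."""
    if actor.name != res.owner:
        raise PermissionError("%s is not the owner of %s" % (actor.name, res.name))
    res.acl.setdefault(principal, set()).update(actions)


def demo():
    alice = Subject("alice", "secret")                      # owner of the report
    bob = Subject("bob", "internal", groups={"analysts"})   # gets least-privilege read access
    carol = Subject("carol", "internal")                    # no ACL entry anywhere
    report = Resource("q3-report", "internal", owner="alice")
    grant(alice, report, "analysts", {"read"})
    try:
        grant(bob, report, "bob", {"write"})
        bob_changed_acl = True
    except PermissionError:
        bob_changed_acl = False
    return {
        "owner_read": authorize(alice, report, "read"),                 # True
        "bob_read": authorize(bob, report, "read"),                     # True: label ok, ACL grants read
        "bob_write": authorize(bob, report, "write"),                   # False: ACL grants read only
        "owner_write_down": authorize(alice, report, "write"),          # False: MAC blocks even the owner
        "carol_read_default_deny": authorize(carol, report, "read"),    # False: no entry, secure approach
        "carol_read_default_allow": authorize(carol, report, "read", default_allow=True),  # True: open approach
        "bob_changed_acl": bob_changed_acl,                             # False: not the owner
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The `owner_write_down` case is the one that distinguishes MAC from DAC: alice owns the object, yet her secret clearance forbids writing into an internal one, and nothing she can put in the ACL changes that.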

• A cybersecurity incident.
• An adverse event that threatens business security and/or disrupts service.
• False positive.
• A term that describes a situation in which a security device triggers an alarm but there is no malicious activity or
an actual attack taking place.
• False negatives.
• A term used to describe a network intrusion device’s inability to detect true security events under certain
circumstances.
• True positive.
• A successful identification of a security attack or a malicious event.
• True negative.
• When the intrusion detection device identifies an activity as acceptable behavior and the activity is actually
acceptable.
• Traditional IDS and IPS devices need to be tuned to avoid false positives and false negatives.
• Most common evasion techniques against traditional IDS and IPS devices:
• Fragmentation.
• The attacker evades the IPS by splitting the attack across fragmented packets so that no single packet matches a
signature.
• Using low-bandwidth attacks.
• When the attacker uses techniques that use low bandwidth or a very small number of packets in order to evade the
system.
• Address spoofing/proxying.
• Using spoofed IP addresses or sources, as well as using intermediary systems such as proxies to evade inspection.
• Pattern change evasion.
• Attackers may use polymorphic techniques to create unique attack patterns.
• Encryption.
• Attackers can use encryption to hide their communication and information from inspection.
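As an added example (not code from the original notes), the block below scores a toy signature engine against a handful of constructed HTTP flows with known ground truth, so that the true/false positive/negative terms above correspond to concrete rows, and runs the same signatures once per fragment and once after reassembly to show the fragmentation evasion as a false negative. The two signatures, the six flows and their labels are all assumptions made for the demonstration; the SQL injection signature is left deliberately loose so that one benign flow produces a false positive of the kind tuning would remove.

```python
import re
from collections import Counter

# Constructed content signatures (not a real IDS rule set).
SIGNATURES = {
    "traversal": re.compile(rb"\.\./etc/passwd"),
    "sqli": re.compile(rb"or[\s+]+1\s*=\s*1", re.I),   # deliberately loose: matches prose too
}

# Constructed flows: (id, payload fragments in wire order, ground-truth malicious?)
FLOWS = [
    ("f1", [b"GET /index.html HTTP/1.1\r\n"], False),
    ("f2", [b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"], True),
    ("f3", [b"GET /cgi-bin/../../e", b"tc/passwd HTTP/1.1\r\n"], True),          # signature split on purpose
    ("f4", [b"POST /login HTTP/1.1\r\n\r\nuser=x&pass=' or 1=1 --"], True),
    ("f5", [b"GET /kb/search?q=why+does+or+1=1+match+all HTTP/1.1\r\n"], False),  # benign, trips loose rule
    ("f6", [b"GET /reports/etc/passwd-format.html HTTP/1.1\r\n"], False),         # benign, no ../ prefix
]


def matches(payload: bytes) -> list:
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def detect_per_fragment(fragments: list) -> list:
    """Naive engine: inspects each fragment on its own."""
    hits = set()
    for frag in fragments:
        hits.update(matches(frag))
    return sorted(hits)


def detect_reassembled(fragments: list) -> list:
    """Engine that reassembles the flow before matching, as a tuned IPS must."""
    return sorted(set(matches(b"".join(fragments))))


OUTCOME = {(True, True): "TP", (True, False): "FP", (False, True): "FN", (False, False): "TN"}


def evaluate(detector, flows=FLOWS):
    """Score a detector against ground truth; returns (outcome counts, per-flow outcome)."""
    counts, verdicts = Counter(), {}
    for fid, frags, malicious in flows:
        alerted = bool(detector(frags))
        verdicts[fid] = OUTCOME[(alerted, malicious)]
        counts[verdicts[fid]] += 1
    return counts, verdicts


if __name__ == "__main__":
    for det in (detect_per_fragment, detect_reassembled):
        counts, verdicts = evaluate(det)
        print(det.__name__, dict(counts), verdicts)
```

Per fragment, f3 is a false negative because neither piece contains the whole `../etc/passwd` string; after reassembly it becomes a true positive. The false positive on f5 is unaffected by reassembly and only goes away by tightening the rule, which is the tuning trade-off the notes refer to.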

• The NIST (National Institute of Standards and Technology) Cybersecurity Framework.


• A well-known organization that is part of the U.S. Department of Commerce.
• NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity,
facilitate trade, and improve quality.
• The CSD (Computer Security Division) is one of seven divisions within NIST’s Information Technology
Laboratory.
• NIST’s Cybersecurity Framework is a collection of industry standards and best practices to help organizations
manage cybersecurity risks.
• https://www.nist.gov/cyberframework
• NIST Guidance and Documents:
• Federal Information Processing Standards (FIPS).
- This is the official publication series for standards and guidelines.
• Special Publication (SP) 800 series.
- This series reports on ITL research, guidelines, and outreach efforts in information system security and its

collaborative activities with industry, government, and academic organizations.
- Download from https://csrc.nist.gov/publications/sp800
• Special Publication (SP) 1800 series.
- This series focuses on cybersecurity practices and guidelines.
• NIST Internal or Interagency Reports (NISTIR).
- These reports focus on research findings, including background information for FIPS and SPs.
• ITL bulletins.
- Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems
community.
• International Organization for Standardization (ISO)
• ISO has developed more than 13,000 international standards on a variety of subjects.
• The ISO/IEC 27000 series (also known as the ISMS Family of Standards) comprises information security
standards published jointly by the ISO and IEC.
• The first 6 documents in the ISO/IEC 27000 series provide recommendations for "establishing, implementing,
operating, monitoring, reviewing, maintaining, and improving an Information Security Management System".
• ISO 27001: the specification for an Information Security Management System (ISMS).
• ISO 27002: describes the Code of Practice for information security management.
• ISO 27003: provides detailed implementation guidance.
• ISO 27004: outlines how an organization can monitor and measure security using metrics.
• ISO 27005: defines the high-level risk management approach recommended by ISO.
• ISO 27006: specifies the requirements for the bodies that audit and certify an ISMS against ISO 27001.

• CLOUD SECURITY THREATS


• NIST authored Special Publication (SP) 800-145, "The NIST Definition of Cloud Computing".
• This is to provide a standard set of definitions for the different aspects of cloud computing.
• The SP 800-145 document also compares the different cloud services and deployment strategies.
• Cloud deployment models include the following:
• Public cloud: Open for public use.
• Private cloud: Used just by the client organization on the premises (on-prem) or at a dedicated area in a cloud
provider.
• Community cloud: Shared between several organizations.
• Hybrid cloud: Composed of two or more clouds (including on-prem services).
• Cloud computing basic models:
• Infrastructure as a Service (IaaS).
• IaaS describes a cloud solution where you are renting infrastructure.
• You rent compute, storage, and network capacity and run your own software on it as needed.
• Platform as a Service (PaaS).
• PaaS provides everything except applications.
• Software as a Service (SaaS).
• SaaS is designed to provide a complete packaged solution.
• Cloud Computing Issues:
- Who has access? Access control is a key concern because insider attacks are a huge risk.
- Do you have the right to audit?
- What type of training does the provider offer its employees?
- How is your data separated from other users' data?
- Is encryption being used?
- What is the long-term viability of the provider? Will the provider assume liability in the case of a breach? If a
security incident occurs, what support will you receive from the cloud provider?
- What is the disaster recovery/business continuity plan (DR/BCP)?

• Cloud Computing Attacks.
• Session hijacking.
• This attack occurs when the attacker can sniff or intercept traffic and take over a legitimate session with a cloud
service, for example by replaying a captured session cookie.
• DNS attack.
• This form of attack manipulates name resolution (for example, by poisoning a resolver's cache or hijacking the
domain's records) so that users land on a phishing site and give up valid credentials.
• Cross-site scripting (XSS).
• Used to steal cookies that can be exploited to gain access as an authenticated user to a cloud-based service.
• SQL injection.
• This attack exploits vulnerable cloud-based applications that allow attackers to pass SQL commands to a database
for execution.
• Distributed denial-of-service (DDoS) attack.
• Man-in-the-middle cryptographic attack.
• Authentication attack.
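Session hijacking and cookie theft via XSS in the list above both depend on how the session cookie is issued, so here is an added example (not code from the original notes) that parses `Set-Cookie` headers and reports the attributes whose absence enables those attacks: `HttpOnly` (script access), `Secure` (plaintext transport) and `SameSite` (cross-site requests). The set of cookie names treated as session cookies and the three sample headers are assumptions made for the demonstration.

```python
# Assumption for the example: names treated as session or authentication cookies.
SESSION_NAMES = {"sessionid", "session", "sid", "jsessionid", "phpsessid", "auth_token"}


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True   # flag attributes carry no value
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list:
    """Hardening gaps for a session cookie; [] for a well-set or non-session cookie."""
    name, _, attrs = parse_set_cookie(header)
    if name.lower() not in SESSION_NAMES:
        return []
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: document.cookie can read it, so an XSS payload can exfiltrate it")
    if "secure" not in attrs:
        findings.append("Secure missing: the browser sends it over plaintext HTTP, where it can be sniffed")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: the cookie rides along on cross-site requests")
    return findings


# Constructed sample headers (not captured from any real service).
SAMPLE_HEADERS = [
    "sessionid=3fa1b2; Path=/",                                      # weak: nothing set
    "JSESSIONID=7c9d; Path=/; Secure; HttpOnly; SameSite=Lax",      # hardened
    "theme=dark; Path=/; Max-Age=31536000",                          # not a session cookie
]


def audit_all(headers=SAMPLE_HEADERS) -> list:
    return [(parse_set_cookie(h)[0], audit_set_cookie(h)) for h in headers]


if __name__ == "__main__":
    for name, findings in audit_all():
        print(name, findings or "ok")
```

The same function can be pointed at the headers a real service returns; a session cookie that comes back with findings is the cookie an XSS payload or a passive sniffer would be after.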

• IOT SECURITY THREATS.


• The Internet of Things (IoT).
• Includes any computing devices (mechanical and digital machines) that can transfer data over a network without
requiring human-to-human or human-to-computer interaction.
• Data collection.
• Centralized data collection presents a few challenges for an IoT environment to be able to scale.
• Network resource preservation.
• Network bandwidth may be limited.

• Fog computing.
• A concept of a distributed intelligence architecture designed to process data and events from IoT devices as close
to the source as possible.
• IoT devices typically communicate to the cloud via a fog-edge device or directly to the cloud.

• The fog-edge device then sends the required data to the cloud.

• Many IoT devices are inexpensive devices with little to no security capabilities.
• IoT devices are typically constrained in memory and compute resources and do not support complex and evolving
security and encryption algorithms.
• Many IoT devices are deployed with no backup connectivity if the primary connection is lost.
• Physical protection is also another challenge, because any IoT device could be stolen, moved, or tampered with.
• Popular IoT protocols:
• Zigbee
• Bluetooth Low Energy (BLE) and Bluetooth Smart
• Z-Wave
• Long Range Wide Area Network (LoRaWAN)
• Wi-Fi
• Low Rate Wireless Personal Area Networks (LR-WPAN, IEEE 802.15.4) and IPv6 over Low Power Wireless Personal Area
Networks (6LoWPAN)
• Cellular Communication.

• Examples of tools and methods to hack IoT devices.


• Hardware tools:
• Multimeters.
• Oscilloscopes
• Soldering tools
• UART debuggers and tools
• Interface tools for JTAG, SWD, I2C, and SPI
• Logic analyzers
• Reverse engineering tools, such as disassemblers and debuggers:

• IDA
• Binary Ninja
• Radare2
• Ghidra
• Hopper
• Wireless communication interfaces and tools:
• Ubertooth One (for Bluetooth hacking)
• Software-defined radio (SDR), such as HackRF and BladeRF, to perform assessments of Z-Wave and Zigbee
implementations.

