Security Concepts
In this sample chapter, you will learn fundamental concepts of common threats against on-premises and cloud environments, and the impact of moving to the cloud has on your security threat model. You will also learn about data breaches, insecure APIs, DoS and DDoS, and VPN types. This chapter covers SCOR 350-701 exam objectives.
This chapter is from the book
This chapter is from the book
This chapter is from the book
This chapter prepares you for exam questions related to security concepts of the SCOR 350-701 exam. You will learn fundamental concepts of common threats against on-premises and cloud environments, and with many workloads moving to the cloud, this shifts and impacts your security threat model.
This chapter also covers data breaches, insecure APIs, denial of service (DoS) and distributed denial of service (DDoS), and compromised credentials. We will also discuss the functions of the cryptography components and get into various virtual private network (VPN) types.
Explain Common Threats Against On-Premises and Cloud Environments
For over three decades, data assets remained tied to the corporate headquarters and data centers. With the advent of cloud computing, co-location, managed hosting, and Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), the threats to these systems haven’t been eliminated or reduced. They have simply shifted, and new types of threats have even been created. Two threats that are often overlooked are the availability of technical resources and the expertise to support these systems. When we are unable to staff well-trained persons capable of identifying, mitigating, responding to, and recovering from attacks, we are at higher risk of threats being missed and attackers impacting operations.
Common Threats Against On-Premises Assets
Common on-premises threats include viruses, Trojans, DoS/DDoS attacks, phishing, rootkits, MitM attacks, SQL injection, cross-site scripting, and malware.
When defending on-premises assets from threats, we must first have a good accounting of what those threats consist of, which can range from software, firmware, hardware, and systems to the operating system (OS) versions, patches, and each of their exposures to threats. The three most common assets for any company are:
First and foremost, employees are the number-one asset. Without them, there is no innovation, product, or sales.
Second is data, which contains company proprietary information. Understand that data drives business operations.
Third is the systems themselves, their ability to provide service, and their availability (that they are online and ready to use when needed).
Table 1-1 provides an overview of these three assets and some of their threats and mitigations.
TABLE 1-1 Assets and Threats
Assets |
Threats |
Mitigations |
|---|---|---|
Employees |
Phishing, malware, virus, ransomware |
Security awareness and training programs |
Data, trade secrets |
Ransomware, corruption, deletion, exfiltration |
Offline/offsite backups, data leak prevention (DLP) |
Systems, compute |
Malware, OS and firmware attacks, DDoS |
Updates, patches |
Let’s take a closer look at the first asset—people. Protecting employees from cyber criminals and potential workplace hazards, such as a hacker gaining control of a power generation plant or water supply, is necessary. While employees can be a company’s greatest asset, they can also be its weakest link.
Employees can be social-engineered, phished, have their endpoints infected with a virus, or they can download ransomware, malware, or other Trojans that could comprise employee personal data as well as spread and affect the corporate networks. Securing the employees should be one of a company’s top priorities. Employee awareness programs, monthly awareness newsletters, quarterly training, and biannual training and certification programs can help reduce the negative impacts. Some companies hire phishing companies to try and trick users and then warn them they could have been compromised. Employees can also be insider threats. An employee who is angry or not happy with their position or pay could sabotage or sell intellectual property.
Another highly valuable item is the companies’ data. Data often holds the company’s customers, products, research, and trade secrets. Attackers could be looking to steal the data to resell it, corrupt the data to harm the business, or encrypt it with cryptography for ransomware and hold the organization hostage. Data is what drives business decisions and provides the organizations with a potential advantage over their competition.
Finally, the systems themselves that serve up the data can be a target. Hackers can attack the operating system, modify firmware, set up man-in-the-middle attacks, perform code or SQL injections, and code errors causing scripting vulnerabilities. Once an attacker has access to the underlying host (operating system or apps), they can impact performance, steal data, redirect data flow, and make the system unavailable for usage. The various types of attackers are summarized in Table 1-2 along with their capabilities.
TABLE 1-2 Attacker Types and Capabilities and Motivations
Hacker Type |
Capabilities/Motivations |
|---|---|
Black hat |
Motivated by money, revenge, or notoriety and wants to sabotage and do harm to systems. |
White hat |
Generally, the good person who finds vulnerabilities. |
Gray hat |
An explorer, may do iffy type activity, or may have done borderline bad things. Typically is engaged in the discovery of “what if.” |
State sponsored |
Government-sanctioned hackers or hackers hired to attack other governments. |
Hacktivist |
Hacking and leaking data as a noble cause. |
Cyber terrorist |
Causes maximum harm to an organization; usually tied to publicity. |
Suicide hacker |
Knows they will get caught, wants to cause damage, and understands there is a consequence. |
Script kiddie |
No real skills, likes to point and click, uses tools and scripts of others. |
Physical attacker |
Has physical access to systems and wants to cause damage. |
The most advanced attackers are nation-state actors and organized crime. With unlimited budgets and resources, they tend to be formidable adversaries. Generally defending against attackers requires understanding their motivation. Table 1-2 lists the most common types. This context will best position you to stop them when you encounter them in the wild. Nation-states usually target governments, utilities, and businesses, with the intent to disrupt capabilities, steal trade secrets, and extort money.
Another on-premises threat is keyloggers, which can be software or hardware based and can be used on any device, such as a PC, server, tablet, or phone. Keyloggers are used to monitor all keystrokes and send them off the system via a covert channel. This way, attackers can obtain your passwords and much more.
Before we get into malware, viruses, Trojans, and vulnerabilities, let’s review some terms:
Threat: Any potential danger to an asset, such as theft, fire, water, natural disaster, an attacker, and so on.
Vulnerability: A weakness in a system, system design, or its implementation. Can be in hardware and software. No software or hardware is immune to vulnerabilities.
Exploit: A script or tool that can take advantage of a vulnerability. An exploit leads to access.
Threats come in many shapes, sizes, and delivery methods. Someone can steal your compute device, such as your laptop or phone, or just the data on your systems. Your data center can be exposed to a fire, flood, or a natural disaster. Vulnerabilities can be defined as a weakness in hardware, firmware, or software, and they can be the result of a misconfiguration or a system design flaw. To identify vulnerabilities, a program was developed by MITRE, called the Common Vulnerabilities and Exposure, or CVE. The format of each vulnerability is the “year” and the “ID” assigned, such as CVE-2023-1234. This allows everyone to be on the same page. As defined previously, an exploit is a script, code, or a tool, much like a recipe, designed to take advantage of a weakness in firmware, OS, software package, or system. Exploits generally lead to privilege escalation, loss of integrity, or denial of service. A collection of exploits built into a tool is called an attack framework. Examples include Metasploit, Cobalt Strike, and Immunity Canvas. Professionals use these tools to help find weaknesses and then help an organization defend against those weaknesses, whereas attackers use them to carry out automated, widespread, multiple attacks with a single click. In Table 1-3, we examine the types of attacks and their effects.
TABLE 1-3 Types of Attacks
Malware |
Virus |
A malicious computer program that, when executed, inserts its own code into computer programs and replicates itself. A virus is designed to spread. |
Trojan |
A malicious computer program posing as a useful program that, when executed, creates backdoors for hackers to access the system(s). |
|
Ransomware |
Malicious script or code that allows an attacker to execute unauthorized actions on a victim’s system and lock them out of the data by encrypting it. Hackers demand ransom for decrypting the data. |
|
Denial of service (DoS) |
Direct |
Generates packets sent to the victim or target system to overload the target system and deny legitimate users’ access to the system. |
Reflected |
Spoofing an unwilling system to originate the DoS attack. |
|
Amplification attack |
Spoofing attack where the response is larger than the query, such as the DNS query response is larger than the initial query. |
|
Botnet DDoS |
Many (zombie) systems make up a botnet under the control of the attacker who requests all of them to initiate traffic to the target. |
|
Phishing |
An email attack |
Emails purporting to be from a reputable company in order to induce an individual to expose their data or system to an attacker. |
Rootkit |
System, low-level attack |
Infects at a low level in order to manipulate information reported on the system to stay hidden. |
Man-in-the-middle attack (also known as an on-path attack) |
Attacker sits between the victim and the destination |
MitM Attacks on-path attacks are hard to detect and give the attacker ability to inject data into the stream. |
SQL injection |
SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. |
SQL injection process works by prematurely terminating a text string and appending a new command. |
Cross-site scripting (XSS) |
Malicious JavaScript is executed in the user’s browser, recording all the user’s interactions with the site. |
Cross-site scripting occurs when attackers or malicious users can manipulate a website or web application to return malicious JavaScript to users. |
Viruses and worms are scripts or program code mobilized to exploit a weakness in a system. Since the dawn of PC computers in the mid-1980s, there have been viruses, and in 1988 the infamous Morris Worm infiltrated the Internet. A virus requires human interaction such as opening an email attachment, accessing a file, or clicking an executable. The unique characteristic of a virus is that it requires people to interact with a file or program to start the infection. All viruses contain search, infection, and payload routines. The search routine will locate new storage space, files, RAM, and available hard disk space. Then the infection routine will multiply the virus by attaching itself to any vulnerable items found. Finally, a payload, which is designed to do harm, such as altering, encrypting, or deleting files or exfiltrating data, is executed. Modern viruses steal or exfiltrate files and data or delete files to cause issues. More recently, ransomware variants encrypt files and hold the data ransom until the company pays for the key to decrypt. Virus propagation is done by infecting files, the computer’s master boot record (MBR), and macros, and it’s accomplished across the network by scanning for vulnerable systems to spread to. More advanced viruses have anti-detection stealth capabilities so they may run in a virtual machine, disable antivirus software, or hide messages from the operating system indicating that there is malware.
Malware is a catch-all term that describes any malicious software that is designed to act badly. Examples include viruses, Trojans, spyware, adware, and ransomware. Malware writers obfuscate their programs to avoid detection by security controls as long as possible. There are many different infection and payload techniques. Profiling and search routines look to find new files to infect and to determine if the system is “infection worthy” by checking available RAM and disk space. A second component of the malware/virus is the infection routine that looks to copy itself to other files and systems. Payload can mean different things. It can just be the routine set to erase the entire disk, it can generate pop-ups to get the user to click them, or it can use the address book in the user’s email application to propagate the malware to their contacts.
Trojans are typically programs that appear to do one thing but instead do something quite different—typically a malicious act. Some “Trojaned” PDF and Word documents will drop files to the target’s hard disk and set up a method to auto-load other programs. A remote access Trojan (RAT) is one such program and is used to gain full control of a system. Click-fraud Trojans are feed lists of sites to visit to help the fraudster make money by causing infected computers to visit specific sites with ads. There are data-hiding Trojans that will hide themselves and user data from view. E-banking Trojans intercept and use the victim’s bank information for financial gain. DoS, FTP, and proxy Trojans allow attackers to use the victim’s computer to attack other systems.
Spyware monitors the system’s usage, such as the websites you browse, files you work on, calls you make, text messages you send, photos you take, programs you run, and games you play. Consider it surveillance. This information is sent to various third parties such as criminals, marketing companies, nation-states, law enforcement, and others. This information can then be used to market directly to you, cause pop-ups and hijack and redirect your browser to specific sites, or to steal your data and photos. Reporters have seen this done to them by nation-states that use the collected data to intimidate and silence opposition.
Distribution of viruses and malware is done via a wrapper (also known as a binder or packager) used to avoid detection by antivirus software. It combines two or more executables into a single packaged program and makes it more difficult to discern its intent. For example, you could download a game from an untrustworthy website, the game or its packer would be the Trojan, and when its executed, it launches a second program (a virus), which starts to perform its nefarious actions. Packers (which can be custom or off the shelf) such as winrar, winzip, and tar are used to compress and obfuscate the code, making it harder for antivirus software to read. The idea is to prevent viewing of the true intent of the code until it is placed in memory.
Crypters are specifically designed packers with the sole purpose of encrypting and obscuring the malware code to avoid detection. More advanced crypters use advanced algorithms such as AES and Blowfish. Crypters are becoming a more common way to avoid detection by antivirus and intrusion detection systems (IDSs).
Droppers are single-purposed software designed to install malware on the victim’s system. They utilize a host of complex antidetection techniques to avoid discovery and evade security controls.
Rootkits utilize advanced persistent threat (APT) methods to infect the system, and they typically hide at a very low level on a device, such as the boot sector or drivers. Rootkits remain quiet in the background. This allows them to intercept and change the operating system processes so that they can stay hidden and exfiltrate data unseen. After a rootkit infects a device, you cannot trust any information that the device reports about itself, and a complete rebuild is generally required. A rootkit can display all the information on the system and exclude anything associated with itself so that the system looks normal.
Man-in-the-middle attacks can use many different techniques. We will discuss a few here. The first method is IP spoofing, where every device on a network has an IP address and MAC address. By spoofing an IP address, an attacker can redirect traffic to their device first and then forward it out, where you wouldn’t even be aware of the interception. This is typically done via ARP poisoning. Here are some other techniques use for MitM attacks:
ARP spoofing is where the attacker floods the network with ARP misinformation, pointing all devices to itself.
Session hijacking (or cookie theft) happens when the attacker sits between a system and a web resource and collects cookies and tokens and then replays them on certain websites so they look like the original connection. This allows the attacker to gain access to your email, banking website, and more.
DNS spoofing or DNS cache poisoning is where the attacker corrupts the Domain Name System’s resolver cache function, thus diverting the user to the attacker’s website.
Wi-Fi eavesdropping is where the attacker creates a twin network, and because of its proximity and signal strength, the victim connects to the attacker’s fake network, allowing the attacker to intercept all traffic, messages, passwords, and more.
SSL stripping involves the attacker downgrading the communication between the client and the server to an unencrypted format to be able to intercept cleartext traffic. The user may notice the lock icon in the address bar has changed to “untrusted.” There is a tool called SSLstrip, created by Moxie Marlinspike, that tests if an implementation is vulnerable to this attack. It allows for interception of web server traffic, and when an HTTPS URL is encountered, SSLstrip replaces it with an HTTP link and keeps a mapping of the change.
In Table 1-4, we examine the attack methods, activity types, and results of the attack.
TABLE 1-4 MitM Attack Methods
Attack Method |
Attack Activity |
Attack Results |
|---|---|---|
IP spoofing |
Spoofing the IP and MAC addresses |
ARP spoofing allows an attacker to broadcast the default route to redirect traffic to itself. |
DNS spoofing |
Poisoning the DNS |
Corrupts the Domain Name System data and introduces incorrect results. |
Wi-Fi eavesdropping |
Creating a fake access point |
Attacker creates a twin network that the victim connects to, allowing for the interception of all traffic. |
SSL stripping/hijacking |
Downgrading the connection from HTTPS to HTTP |
Attacker intercepts HTTPS traffic and strips the “S,” resulting in an HTTP connection. |
Browser cookie theft |
Hijacking a session |
The attacker collects the cookies (“tokens”) the user is sending over the network and then replays them to trick the receiving end. |
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are designed to disrupt, disable, and deny service to legitimate users of a system or program. They do this by flooding a network or system with requests or crafted network traffic. The most common method is an ICMP (ping) attack, where many hosts will send ICMP requests to a single host, overwhelming it and causing a depletion of available resources (RAM, network, and CPU). DoS attacks are typically against a single host, whereas DDoS attacks involve multiple machines attacking a single host. These can be done either on a local network or externally with a command and control (C2) network such as a botnet.
Phishing attacks are generally designed to trick a user into interacting with an email. This can allow the attacker to steal sensitive user data such as login credentials and passwords in order to get a foothold on the victim’s network/systems. This attack is a social engineering attack and is most often achieved through email. Many of these emails are spoofed and meant to look like something the user would trust, basically tricking the user into doing something that is harmful to their organization or themselves.
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of a SQL Server database for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and then executed. A less-direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed. The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker can string commands together.
SQL is a well-known standard language used for accessing and interacting with databases. As previously mentioned, SQL injections specifically attack database resources, usually through web applications. If a backend SQL database has a vulnerability or was not set up securely, an attacker can make specially crafted requests to trick, for example, a web login form. Instead of logging in, the injection can request data from the database, such as usernames and passwords, private data, or it can interact and modify the data. There are three types of SQL injections, as described in the following list:
In-band SQL injection: The requested data is visible directly on the response web application or web page, allowing the attacker to copy the page off to their system.
Out-of-band SQL injection: The attacker performs a specially crafted request, and the data is transmitted via an email or inside a file. The data is sent to the attacker’s system or a C2 collector, ultimately ending up with the attacker.
Blind SQL injection: This is where the attacker crafts many special requests to illicit responses from the database to learn more about it. Based on each response, even if the database isn’t displaying data back, it might display errors that lead the attacker to understand the structure of the database and its type, version, or brand.
Cross-site scripting (XSS) attacks come in three types. Cross-site scripting occurs when attackers or malicious users can manipulate a website or web application to return malicious JavaScript to users. When this malicious JavaScript is executed in the user’s browser, all the user’s interactions with the site (including but not limited to authentication and payment) can be compromised by the attacker.
DOM-based XSS is a type of cross-site scripting that occurs when user input is manipulated in an unsafe way in the DOM (Document Object Model) by JavaScript. For example, this can occur if you were to read a value from a form and then use JavaScript to write it back out to the DOM.
Reflected XSS occurs when the web server receives an HTTP request and “reflects” information from the request back into the response in an unsafe manner. An example would be when the server places the requested application route/URL in the page that is served back to the user. An attacker can construct a URL with a malicious route that contains JavaScript, such that if a user visits the link, the script will execute.
Stored XSS occurs when user-created data is stored in a database or other persistent storage and is then loaded into a page. Common examples of types of applications that do this include comment areas, forums, response plug-ins, and similar applications. Stored XSS is particularly dangerous when the stored content is displayed to many or all users of the application, because then one user can compromise the site for any user who visits it, without requiring that they click a specific link.