For Section 1 of the Security+ SY-601 exam – Threats, Attacks, and Vulnerabilities – we will cover topics ranging from social engineering techniques and multiple forms of attacks to threat intelligence, vulnerabilities, and pen testing.
1. Threats
Threats to any computer system may involve, though are not limited to, malicious software or malware (Worms, Viruses, or Trojans) and the exploitation of vulnerabilities in programs installed on the underlying operating system. Let’s go over the commonly used terms related to threats to a system from the security standpoint.
- Malware – Malware is software transferred to and installed on end systems without the knowledge of the system owner. It can arrive as an email attachment that the user has to click and open for the installation to succeed (a Virus), or it can move on its own across the network (a Worm). Another form of malware is the Trojan, which gets into the user’s system disguised as genuine software. Once installed, each kind of malware serves a specific purpose: delivering unwanted ads (Adware), snooping on the user (Spyware), encrypting data for ransom (Ransomware), or using the device’s processing power for mining (Cryptomalware). Two further forms are created by the developer or the system owner themselves: Backdoors are code written to provide root access to a system even after passwords are changed, while Logic Bombs are malicious code written to execute only when specific conditions are met. Rootkits are yet another form of malware; they hide themselves while actively making administrative changes inside the system.
- Attackers – Threats to organizations can come from various types of attackers. Insider Threats are users working inside the organization who already have some level of access to its systems; they may use Privilege Escalation techniques to reach systems they are not supposed to access. Hacktivists are attackers who attack organizations with activism or revolution as the motive behind the hacking. Script Kiddies are novice attackers with little to no knowledge or experience of hacking or attacking systems.
- Attack Vectors – Attack vectors are the paths attackers use to spread malware. Emails, social media, pen drives, credit card readers, and open APIs are a few of the attack vectors used in the modern world. Spoofing is one common attack vector, used to insert the attacker into the conversation path between two parties.
- Threat Intelligence – Gathering information about the latest threats from freely available sources (Open Source Intelligence) or vulnerability databases helps companies identify Threat Indicators and share information about threats across the industry using common-language frameworks such as STIX or TAXII.
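As an added example (not part of the original post), the Python below builds STIX 2.1 Indicator objects for two constructed, non-real indicators (a placeholder phishing domain under the reserved `.invalid` TLD and an all-zero SHA-256 placeholder) and wraps them in a Bundle, which is the unit a TAXII server would serve. The `validate_indicator` helper and its `REQUIRED_FIELDS` list are my own minimal sanity checks, not a full STIX validator, and the supported indicator kinds are limited to the two shown:

```python
import uuid
from datetime import datetime, timezone

# Constructed sample indicators; neither value is a real IoC.
SAMPLE_IOCS = [
    {"kind": "domain", "value": "login-example-update.invalid",
     "name": "Constructed phishing domain"},
    {"kind": "sha256", "value": "00" * 32,
     "name": "Placeholder dropper hash"},
]

# Properties every STIX 2.1 Indicator must carry (assumed minimal subset for this check).
REQUIRED_FIELDS = ("type", "spec_version", "id", "created", "modified",
                   "pattern", "pattern_type", "valid_from")


def stix_timestamp(dt=None):
    """Format a UTC datetime the way STIX expects: YYYY-MM-DDTHH:MM:SS.mmmZ."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def stix_pattern(kind, value):
    """Build a STIX pattern for the indicator kinds this example supports."""
    if kind == "domain":
        return f"[domain-name:value = '{value}']"
    if kind == "sha256":
        return f"[file:hashes.'SHA-256' = '{value}']"
    raise ValueError(f"unsupported indicator kind: {kind}")


def make_indicator(kind, value, name, created=None):
    """Return a dict shaped like a STIX 2.1 Indicator SDO."""
    ts = created or stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(kind, value),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(indicators):
    """Wrap indicator objects in a STIX Bundle for sharing (e.g. via a TAXII collection)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators)}


def validate_indicator(obj):
    """Return a list of problems found; an empty list means the basic checks passed."""
    problems = [f"missing required property '{f}'" for f in REQUIRED_FIELDS if f not in obj]
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if not str(obj.get("id", "")).startswith("indicator--"):
        problems.append("id must be prefixed with 'indicator--'")
    pattern = str(obj.get("pattern", ""))
    if not (pattern.startswith("[") and pattern.endswith("]")):
        problems.append("pattern must be a bracketed comparison expression")
    return problems


if __name__ == "__main__":
    import json
    bundle = make_bundle(make_indicator(i["kind"], i["value"], i["name"]) for i in SAMPLE_IOCS)
    for obj in bundle["objects"]:
        print(obj["id"], "problems:", validate_indicator(obj) or "none")
    print(json.dumps(bundle, indent=2))
```

The point of the fixed pattern grammar is that a consumer can match the indicator mechanically against its own telemetry (DNS logs, file hashes) without parsing free text, which is what makes a shared feed actionable rather than just readable.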
2. Attacks
A threat to users or systems in cyber security leads to financial or reputational loss, or both, only when someone actually uses techniques to attack those users or systems. As a simple relational statement: “An Attacker exploits Vulnerabilities to Attack an organization, creating a Threat to it”.
The most commonly used attacks involve social engineering techniques.
Forms of Social Engineering Attack
From the name itself, we can assume that social engineering techniques somehow involve humans and their social nature. So we may have system users, either deliberately or unknowingly, spreading malware, leaking information, or compromising the security structure of an organization because they are being intimidated, influenced, or are simply trying to be helpful.
- Identity Fraud – The attacker may impersonate an innocent user to access their account by calling the customer care of a service provider, using a technique called Pretexting, in which the attacker first does extensive research on the user’s personal information.
- Spam – Spam is a generic email-based social attack, where an attacker sends junk emails to users to sell products, solicit unwanted donations, push newsletters, etc.
- Phishing, Spear Phishing, and Whaling – The attacker may send emails containing hyperlinks that ask the user to log in to their account or change their account password, using a technique called Prepending, which adds tags to the email to make it look legitimate. Spear Phishing is a more advanced form of Phishing, where attackers target a specific company or government department to extract information or place worms in its systems. Whaling is a subset of Spear Phishing, where the targets are executives or C-level employees of a company.
- Pharming – Pharming uses Typosquatting and DNS Poisoning techniques to make users open a fake website with a look and feel similar to the legitimate one.
- Watering Hole Attack – In a Watering Hole Attack, the attacker places pop-up ads or browser add-ons on a legitimate website and waits for users to visit it, unaware of the infected hyperlinks or ads it carries.
- Physical Social Engineering Attack – Attackers may also carry out physical social engineering attacks using techniques like Shoulder Surfing (watching users’ devices while they are working), Dumpster Diving (checking the company’s waste bins for thrown-away documents), or Tailgating (entering the premises behind a legitimate employee).
- Password Attack – By default, passwords in an operating system are hashed before being stored. Yet the attacker may use different techniques to break into the system. In a Brute-Force attack, the attacker exploits the habit of using short, commonly used passwords by simply guessing them to access a system. A Dictionary attack uses a similar approach, where dictionary words are used to guess the password. A Rainbow Table attack is a more advanced form, where the attacker holds pre-computed hash values and uses them directly to guess the password of a system. Password Spraying is another variant of the Brute-Force attack, whereby instead of attacking a single account, the attacker tries to break into multiple systems using the same commonly used passwords.
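As an added example of how a defender tells the last two patterns apart in authentication logs (this is not part of the original post), the Python below parses a constructed log and classifies each source address: many failures piled onto one account reads as Brute Force or Dictionary guessing, while a few failures spread across many accounts reads as Password Spraying. A successful login from a source already flagged as attacking is then reported, since that is the event that suggests a guessed password worked. The log format, thresholds and documentation-range IP addresses are assumptions chosen for the example:

```python
import re
from collections import defaultdict

# Constructed sample authentication log; addresses are from documentation ranges, not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02Z FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03Z FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04Z FAIL user=dave src=203.0.113.7
2024-03-01T09:00:05Z FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06Z OK user=frank src=203.0.113.7
2024-03-01T09:01:00Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:01Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:02Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:03Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:04Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:05Z FAIL user=alice src=198.51.100.9
2024-03-01T09:05:00Z FAIL user=grace src=192.0.2.44
2024-03-01T09:05:30Z OK user=grace src=192.0.2.44
"""

# Assumed log format: "<timestamp> <OK|FAIL> user=<name> src=<ip>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")


def parse_log(text):
    """Turn raw lines into event dicts, skipping anything that does not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, spray_min_accounts=5, spray_max_per_account=2, brute_min_fails=5):
    """Label each source address by the shape of its failed logins.

    'spray'       : failures spread thinly over many distinct accounts (password spraying)
    'brute_force' : many failures piled onto a single account (brute force / dictionary)
    'benign'      : neither pattern reached its threshold
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
    labels = {}
    for src, per_user in fails.items():
        distinct_accounts = len(per_user)
        worst_account = max(per_user.values())
        if distinct_accounts >= spray_min_accounts and worst_account <= spray_max_per_account:
            labels[src] = "spray"
        elif worst_account >= brute_min_fails:
            labels[src] = "brute_force"
        else:
            labels[src] = "benign"
    return labels


def successes_from_attacking_sources(events, labels):
    """Accounts that logged in successfully from a source already flagged as attacking.

    A success following a spray or brute-force run from the same address is the signal
    a defender most wants to see: it suggests one of the guessed passwords worked.
    """
    flagged = {src for src, label in labels.items() if label != "benign"}
    return sorted({e["user"] for e in events if e["result"] == "OK" and e["src"] in flagged})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evts)
    for src, label in verdicts.items():
        print(f"{src:15} {label}")
    print("possibly compromised:", successes_from_attacking_sources(evts, verdicts))
```

The thresholds are tuning knobs, and in practice the counts are taken over a sliding time window and across the whole identity provider rather than per address, because a spray is typically slow and spread over many source addresses precisely to stay under per-account lockout limits. Account lockout alone therefore does not stop spraying; the defence is spotting the cross-account pattern plus multi-factor authentication.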
3. Vulnerabilities
Vulnerabilities can impact systems in three different ways: Confidentiality (data breach), Integrity (data modified), and Availability (data access denied). They can be present in the configuration of systems, in architectural designs, or even in the hardware or software supply chain. A few key terms related to vulnerability in the context of cyber security are:
- Asset Inventory – A list of all systems deployed in the company’s intranet is vital to ensure regular and complete vulnerability scans using third-party software such as the Nessus VA scanner.
- Vulnerability Scan – A vulnerability scan can be performed at the network level, configuration level, or application level, depending on the standard set by the organization’s information security team. The impact of a particular vulnerability on the system can be analyzed on three criteria: Impact, Likelihood, and Criticality. A scan finding can also turn out to be a False Positive (the scanner reports a vulnerability that is not actually present) or a False Negative (the scanner misses a vulnerability that is present).
- Scan Viewpoint – The scan viewpoint, or perspective, is important for visualizing and understanding how a vulnerability may impact the system. While a scanner placed on the internet provides a view of vulnerabilities from a hacker’s perspective, a scanner placed on the intranet can provide much more detailed information on vulnerabilities, because no firewall blocks its access to the end systems.
- SCAP – All systems must adhere to SCAP, the Security Content Automation Protocol by NIST, for ease of scanning and rating vulnerabilities found on the systems. The most commonly used SCAP components are CVSS (Common Vulnerability Scoring System) and CVE (Common Vulnerabilities and Exposures). CVSS assigns each vulnerability a score out of 10 based on Attack Vector, Attack Complexity, Privileges Required, and User Interaction Required, along with the impact of the vulnerability on the CIA of the system and the Scope of its impact on other components of the system. CVE is used to describe the vulnerability and the recommended remediation for it.
- Zero-Day Vulnerability – Not all vulnerabilities can be found in the existing CVE database, because some were reported only recently and still have no remediation available. These Zero-Day vulnerabilities are critical, since existing antivirus solutions may not know how to identify or fix them.
Penetration Testing
Penetration Testing is the process of conducting hacking attempts on systems by a third-party pen testing vendor, after signing proper Rules of Engagement (RoE) with all stakeholders. A pentest is conducted in two phases: the Discovery Phase, in which the pen tester performs reconnaissance to find as much information and as many prospective vulnerabilities in a system as possible, followed by the Attack Phase, where the tester tries to gain access and escalate privileges in order to install hacking software and make non-recommended changes. Pen testing can be performed either with complete information about the end system (White Box) or with no information about it (Black Box).
An organization may choose to conduct a mock adversary attack scenario run by the Red Team, with a team of cyber security professionals working to defend against the attack called the Blue Team. The Purple Team is made up of both Red and Blue team members to maximize feedback and improve capabilities via knowledge transfer. Finally, the White Team acts as the judge, enforcing the rules of the exercise and handling all requests or questions during the activity.
This ends Section 1 of the CompTIA Security+ SY-601 exam. In Part 3, we will proceed to the next section of the exam, Security Architecture and Design.