Kindle Notes & Highlights
Read between January 9 - January 13, 2020
Malware includes a wide variety of malicious code, including viruses, worms, Trojans, ransomware, and more. A virus is malicious code that attaches itself to an application and runs when the application is started. A worm is self-replicating and doesn’t need user interaction to run.
A logic bomb executes in response to an event, such as when a specific application is executed or a specific time arrives.
A backdoor provides another way to access a system. Many types of malware create backdoors, allowing attackers to access systems from remote locations. Employees have also created backdoors in applications and systems.
Attackers are increasingly using drive-by downloads to deliver Trojans.
Another Trojan method that has become popular in recent years is rogueware, also known as scareware. Rogueware masquerades as a free antivirus program.
A Trojan appears to be something useful but includes a malicious component, such as installing a backdoor on a user’s system. Many Trojans are delivered via drive-by downloads. They can also infect systems from fake antivirus software, pirated software, games, or infected USB drives.
A remote access Trojan (RAT) is a type of malware that allows attackers to take control of systems from remote locations.
Ransomware is a type of malware that takes control of a user’s system or data. Criminals then attempt to extort payment from the victim. Ransomware often includes threats of damaging a user’s system or data if the victim does not pay the ransom. Ransomware that encrypts the user’s data is sometimes called crypto-malware. Some ransomware has added in a new blackmail technique called doxing. If the user doesn’t pay the ransom to decrypt the files, the attacker threatens to publish the files along with the victim’s credentials. Malware that uses doxing is sometimes called doxingware.
Privacy-invasive software tries to separate users from their money using data-harvesting techniques.
Spyware is often included with other software like a Trojan.
Keyloggers capture a user’s keystrokes and store them in a file. This file can be automatically sent to an attacker or manually retrieved depending on the keylogger. Spyware monitors a user’s computer and often includes a keylogger.
Generically, bots are software robots.
A botnet includes multiple computers that act as software robots (bots) and function together in a network (such as the Internet), often for malicious purposes. The bots in a botnet are often called zombies and they will do the bidding of whoever controls the botnet.
Botnet herders sometimes maintain complete control over their botnets. Other times, they rent access out to others to use as desired.
A rootkit is a group of programs (or, in rare instances, a single program) that hides the fact that the system has been infected or compromised by malicious code.
Rootkits have system-level access to systems. This is sometimes called root-level access, or kernel-level access, indicating that they have the same level of access as the operating system. Rootkits use hooked processes, or hooking techniques, to intercept calls to the operating system. In this context, hooking refers to intercepting system-level function calls, events, or messages. The rootkit installs the hooks into memory and uses
system’s behavior.
Another method used to detect rootkits is to boot into safe mode, or have the system scanned before it boots, but this isn’t always successful.
Rootkits have system-level or kernel access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes.
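The cross-view check below is an added example, not code from the book. It targets the user-mode case: a rootkit that hooks the directory listing of /proc (readdir/getdents) hides a PID from ps and ls, but the kernel still knows the process exists, so probing every PID with kill(pid, 0) gives a second, independent view, and any PID that answers the probe while missing from the listing is hidden from that listing. It assumes Linux, the default PID probe range is capped at 65536 for speed (the real limit is in /proc/sys/kernel/pid_max), and it filters out thread IDs, which also answer kill(pid, 0) but are not top-level /proc entries. A kernel-level rootkit that hooks the syscall table can hide from both views, which is exactly why the text points to tools that inspect RAM.

```python
"""Cross-view check for hidden processes on Linux (added example)."""
import os


def listed_pids(proc_dir="/proc"):
    """View A: PIDs visible through the /proc directory listing."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probed_pids(max_pid=65536):
    """View B: PIDs that exist according to kill(pid, 0).

    ProcessLookupError (ESRCH) means no such process; PermissionError
    (EPERM) means it exists but belongs to another user, so it counts.
    max_pid is capped for speed; /proc/sys/kernel/pid_max holds the real limit.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def tgid_from_status(status_text):
    """Parse the 'Tgid:' field of a /proc/<pid>/status file (None if absent)."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def is_thread(pid, proc_dir="/proc"):
    """kill(pid, 0) also succeeds for thread IDs, which /proc does not list as
    top-level entries. An entry whose Tgid differs from its pid is a thread,
    not a hidden process."""
    try:
        with open(f"{proc_dir}/{pid}/status") as f:
            tgid = tgid_from_status(f.read())
    except OSError:
        return False            # cannot tell; keep it as a candidate
    return tgid is not None and tgid != pid


def hidden_pids(listed, probed, thread_check=lambda pid: False):
    """PIDs present in the probed view but absent from the listed view,
    excluding those thread_check recognises as threads."""
    return sorted(pid for pid in probed - listed if not thread_check(pid))


if __name__ == "__main__":
    suspects = hidden_pids(listed_pids(), probed_pids(), is_thread)
    print("hidden from /proc listing:", suspects or "none")
```

Run it as root for a complete picture; as an unprivileged user the probe still works (EPERM counts as "exists"), but /proc/<pid>/status for other users' threads may be unreadable, which the code treats as a candidate rather than silently dropping it.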
A hoax is a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist. Users
Tailgating is the practice of one person following closely behind another without showing credentials.
Dumpster divers search through trash looking for information. Shredding or burning papers instead of throwing them away mitigates this threat.
A watering hole attack attempts to discover which web sites a group of people are likely to visit and then infects those web sites with malware that can infect the visitors. The attacker’s goal is to infect a web site that users trust already, making them more likely to download infected files.
Phishing is the practice of sending email to users with the purpose of tricking them into revealing personal information or clicking on a link. A phishing attack often sends the user to a malicious web site that appears to the user as a legitimate site.
Spam is unwanted email. Phishing is malicious spam. Attackers attempt to trick users into revealing sensitive or personal information or clicking on a link. Links within email can also lead unsuspecting users to install malware.
One solution that reduces the success of spear phishing attacks is to use digital signatures.
Whaling is a form of spear phishing that attempts to target high-level executives.
A spear phishing attack targets specific groups of users. It could target employees within a company or customers of a company. Digital signatures provide assurances to recipients about who sent an email, and can reduce the success of spear phishing. Whaling targets high-level executives.
Vishing attacks use the phone system to trick users into giving up personal and financial information. Vishing often uses Voice over IP (VoIP) technology and tries to trick the user similarly to other phishing attacks.
Vishing is a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated but an attacker takes over at some point during the call.
Heuristic-based detection attempts to detect viruses that were previously unknown and do not have signatures. This includes zero-day exploits, mentioned later in this chapter.
Antivirus software detects and removes malware, such as viruses, Trojans, and worms. Signature-based antivirus software detects known malware based on signature definitions. Heuristic-based software detects previously unknown malware based on behavior.
Data execution prevention (DEP) is a security feature that prevents code from executing in memory regions marked as nonexecutable.
The primary purpose of DEP is to protect a system from malware.
DEP is enforced by both hardware and software.
Cisco Advanced Malware Protection (AMP) analyzes a network to prevent attacks using threat intelligence and analytics. It collects worldwide threat intelligence from Cisco’s Security Intelligence organization, the Talos Security Intelligence and Research Group, and Threat Grid intelligence feeds. This information helps it detect and alert on malware, much as antivirus software does.
this, most spam filters err on the side of caution, allowing spam through rather than potentially marking valid email as spam. Although the science behind spam filtering continues to improve, criminals have also continued to adapt.
Using consensus, sometimes called social proof, is most effective with Trojans and hoaxes.
Scarcity and urgency are two techniques that encourage immediate action.
Spear phishing and whaling are types of phishing.
The social engineering principles are authority, intimidation, consensus, scarcity, urgency, familiarity, and trust.
A denial-of-service (DoS) attack is an attack from a single source that attempts to disrupt the services provided by another system. A distributed denial-of-service (DDoS) attack includes multiple computers attacking a single target. DDoS attacks typically include sustained, abnormally high network traffic.
Spoofing attacks typically change data to impersonate another system or person. MAC spoofing attacks change the source MAC address and IP spoofing attacks change the source IP address.
Although this prevents the SYN flood attack from crashing the system, it also denies service to legitimate clients.
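The script below is an added example, not code from the book, that makes the trade-off in the two highlights above concrete. It counts half-open (SYN-RECV) connections per source from a constructed socket table in the format of `ss -tan` on Linux, then compares two responses: a global cap that refuses every new SYN once the table fills (which, as the text says, also denies service to legitimate clients) and a per-source cap that only throttles the addresses actually flooding. The addresses, ports and thresholds are constructed for the demo.

```python
"""Half-open connection accounting from an ss-style socket table (added example)."""
from collections import Counter


def parse_ss(lines):
    """Yield (state, local_addr, peer_addr) from `ss -tan` style lines."""
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue                          # skip header and blank lines
        yield parts[0], parts[3], parts[4]


def half_open_by_source(conns):
    """Count SYN-RECV entries per peer IP (port stripped)."""
    counts = Counter()
    for state, _local, peer in conns:
        if state == "SYN-RECV":
            counts[peer.rsplit(":", 1)[0]] += 1
    return counts


def global_policy(counts, cap):
    """Policy 1: once total half-open connections exceed cap, refuse all new SYNs.
    Stops the flood from exhausting the backlog, but blocks legitimate clients too."""
    return "drop-all-new-syn" if sum(counts.values()) > cap else "accept"


def per_source_policy(counts, cap):
    """Policy 2: block only sources holding more than cap half-open connections."""
    return sorted(ip for ip, n in counts.items() if n > cap)


def sample_table(attacker="198.51.100.9", legit="203.0.113.7", flood=200):
    """Constructed socket table: one flooding source plus one legitimate client."""
    lines = ["State      Recv-Q Send-Q Local Address:Port  Peer Address:Port"]
    for port in range(40000, 40000 + flood):
        lines.append(f"SYN-RECV   0      0      10.0.0.5:443        {attacker}:{port}")
    lines.append(f"ESTAB      0      0      10.0.0.5:443        {legit}:51234")
    lines.append(f"SYN-RECV   0      0      10.0.0.5:443        {legit}:51235")
    return lines


def evaluate(lines, cap=100, per_source_cap=50):
    """Apply both policies to a socket table and report what each would do."""
    counts = half_open_by_source(parse_ss(lines))
    return {
        "half_open": dict(counts),
        "global": global_policy(counts, cap),
        "per_source_blocked": per_source_policy(counts, per_source_cap),
    }


if __name__ == "__main__":
    print(evaluate(sample_table()))
```

A per-source cap is itself defeated by a distributed flood with spoofed source addresses, which is why production stacks use SYN cookies (net.ipv4.tcp_syncookies on Linux) to avoid holding state for unacknowledged SYNs at all.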
Address Resolution Protocol (ARP) poisoning is one way that an attacker can launch an MITM attack.
Kerberos helps prevent man-in-the-middle attacks with mutual authentication. It doesn’t allow a malicious system to insert itself in the middle of the conversation without the knowledge of the other two systems.
ARP poisoning attacks attempt to mislead systems about the actual MAC address of a system. ARP poisoning is sometimes used in man-in-the-middle attacks.
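The monitor below is an added example, not code from the book. It reads two snapshots of the neighbour table in the format of `ip neigh show` on Linux (constructed here; the gateway, attacker and victim addresses are made up) and raises the two indicators a practitioner looks for after the text's description: an IP, typically the gateway, whose MAC changed between snapshots, and a single MAC now answering for more than one IP, which is what a host sitting between a victim and its gateway looks like in the cache.

```python
"""Detecting ARP poisoning from successive neighbour-table snapshots (added example)."""
import re

# ip neigh line: "<ip> dev <iface> lladdr <mac> <flags/state...>"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\s+(.+)$")


def parse_neigh(lines):
    """Return {ip: mac}; entries without lladdr (FAILED / INCOMPLETE) are ignored."""
    table = {}
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def mac_changes(before, after):
    """IPs whose MAC differs between two snapshots: [(ip, old_mac, new_mac)]."""
    return [(ip, before[ip], after[ip])
            for ip in sorted(before) if ip in after and before[ip] != after[ip]]


def duplicate_macs(table):
    """MACs claiming more than one IP: {mac: [ips]}."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def arp_alerts(before_lines, after_lines, gateway):
    """Human-readable alerts for both indicators, gateway changes flagged first."""
    before, after = parse_neigh(before_lines), parse_neigh(after_lines)
    alerts = []
    for ip, old, new in mac_changes(before, after):
        tag = "GATEWAY " if ip == gateway else ""
        alerts.append(f"{tag}MAC change for {ip}: {old} -> {new}")
    for mac, ips in duplicate_macs(after).items():
        alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(ips)}")
    return alerts


# Constructed snapshots: 192.168.1.1 is the gateway, 192.168.1.50 the attacker.
SNAPSHOT_BEFORE = [
    "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE",
    "192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE",
    "192.168.1.77 dev eth0  FAILED",
]
SNAPSHOT_AFTER = [
    "192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE",
    "192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE",
]

if __name__ == "__main__":
    for alert in arp_alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, gateway="192.168.1.1"):
        print("ALERT:", alert)
```

A legitimate gateway failover (VRRP/HSRP) also changes the gateway MAC, so treat the first indicator as a prompt to check, and the second, one MAC for both gateway and a host, as the stronger signal.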
MD5 has been in use since 1992. Experts discovered significant vulnerabilities in MD5 in 2004 and later years. As the processing power of computers increased, it became easier and easier to exploit these vulnerabilities. Security experts now consider it cracked and discourage its use.
Two popular hashing algorithms used to verify integrity are MD5 and SHA. HMAC verifies both the integrity and authenticity of a message with the use of a shared secret. Other protocols such as IPsec and TLS use HMAC-MD5 and HMAC-SHA1.
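The script below is an added example, not code from the book, showing why the highlight distinguishes integrity from authenticity. An unkeyed hash (MD5 here, as in the text) only detects accidental corruption: whoever can change the message can recompute the digest. An HMAC binds the digest to a shared secret, so a party without the key cannot produce a valid tag for a modified message. The message and key are constructed, and the secret is assumed to have been shared out of band.

```python
"""Unkeyed hash vs HMAC for message integrity and authenticity (added example)."""
import hashlib
import hmac


def md5_digest(message: bytes) -> str:
    # usedforsecurity=False: MD5 is shown here only for comparison with HMAC.
    return hashlib.md5(message, usedforsecurity=False).hexdigest()


def hmac_tag(key: bytes, message: bytes, algorithm="sha256") -> str:
    return hmac.new(key, message, algorithm).hexdigest()


def verify_md5(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(md5_digest(message), digest)


def verify_hmac(key: bytes, message: bytes, tag: str, algorithm="sha256") -> bool:
    # compare_digest runs in constant time, so the tag comparison does not
    # leak how many leading bytes matched.
    return hmac.compare_digest(hmac_tag(key, message, algorithm), tag)


def tamper_demo(key: bytes, original: bytes, modified: bytes):
    """Sender protects `original`; an attacker on the path replaces it with
    `modified` and tries to re-protect it without knowing `key`."""
    sent_md5 = md5_digest(original)
    sent_tag = hmac_tag(key, original)
    # The attacker recomputes the hash (no key needed) but must guess a key for the tag.
    forged_md5 = md5_digest(modified)
    forged_tag = hmac_tag(b"attacker-guess", modified)   # constructed wrong key
    return {
        "md5_accepts_original": verify_md5(original, sent_md5),
        "md5_accepts_tampered": verify_md5(modified, forged_md5),    # True: integrity only
        "hmac_accepts_original": verify_hmac(key, original, sent_tag),
        "hmac_accepts_tampered": verify_hmac(key, modified, forged_tag),  # False
    }


if __name__ == "__main__":
    KEY = b"shared-secret-exchanged-out-of-band"   # constructed
    print(tamper_demo(KEY, b"PAY 100 TO ALICE", b"PAY 100 TO MALLORY"))
```

Passing "md5" as the algorithm gives the HMAC-MD5 construction the highlight mentions for IPsec and TLS; the collision attacks that cracked MD5 as a plain hash do not directly break HMAC-MD5, but new deployments should use HMAC with SHA-256 or stronger.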

