CISSP study notes: Malicious code and application attacks

Chapter 21 Malicious Code and Application Attacks

21.1 Malicious code

Malicious code objects include a wide range of computer security threats in the form of code that exploits network, operating system, software, and physical security vulnerabilities to deliver malicious payloads to computer systems.

21.1.1 Sources of malicious code

Malicious code comes from highly experienced software developers as well as from script kiddies; virus-creation toolkits are widely available and allow anyone with minimal technical knowledge to create viruses and spread them on the Internet.

21.1.2 Viruses

Viruses have two main functions, propagation and destruction, and can have any kind of negative impact on the confidentiality, integrity and availability of a system or its data.

  1. Virus propagation techniques
    • Viruses must include techniques that enable them to spread between systems. Four common propagation techniques:
      • Master boot record virus: The system reads an infected MBR. The virus directs the system to read and execute code stored in another location, thereby loading the virus into memory and potentially triggering the release of the virus payload.
      • File infector virus: Infects executable files of various types and is triggered when the operating system attempts to execute these files. A variant of this class uses file names similar to, but slightly different from, those of legitimate operating system files in order to evade inspection.
      • Macro virus: Exploits the macro languages that many applications provide to automate repetitive tasks, embedding the virus code in a document as a macro.
      • Service injection virus: Injects itself into a trusted process running on the host (such as a system service) and so evades detection by antivirus software running on that host.
  2. Platforms vulnerable to virus attacks
    • Most computer viruses are designed to attack systems running Windows.
  3. Antivirus mechanisms
    • With signature-based antivirus software, the effectiveness of the package depends entirely on how current its virus definition file is.
    • Many antivirus programs use heuristic-based mechanisms to detect potential malware infections
    • Most modern antivirus software products are capable of detecting, removing, and cleaning a wide range of different types of malicious code on your system
    • Other software packages also provide secondary anti-virus functionality
  4. Virus technologies:
    • Composite (multipartite) viruses: Use multiple propagation techniques in an attempt to infiltrate systems that are protected against only one of them.
    • Stealth viruses: Hide by tampering with the operating system itself, so that antivirus packages are fooled into thinking everything is working normally.
    • Polymorphic viruses: Actually modify their own code as they travel between systems. The propagation and destructive techniques remain the same, but the virus's signature differs slightly each time it infects a new system.
    • Cryptoviruses (encrypted viruses): Use encryption to avoid detection, altering the way the virus is stored on disk so that signature matching fails.
  5. Hoaxes
    • Virus hoaxes, such as an email falsely claiming that a virus has been received

21.1.3 Logic bomb

  • A logic bomb is malicious code that infects a system and remains dormant until one or more logical conditions are met.

21.1.4 Trojan horses

  • A Trojan horse is a software program that appears benign but actually carries a malicious payload with the potential to damage networks and systems. One variant is ransomware, which infects the target computer and then uses encryption to encrypt the documents, spreadsheets, and other files stored on the system.

21.1.5 Worms

Worms have the same destructive potential as other malicious code objects, but additionally contain the means to spread themselves without any human intervention.

  1. Code Red worm: System administrators must ensure that the appropriate security patches issued by software vendors are applied to Internet-connected systems
  2. Stuxnet: A highly sophisticated worm that uses a variety of advanced techniques to spread; it appears to have first appeared in the Middle East

21.1.6 Spyware and Adware

  • Spyware monitors your movements and transmits important details to remote systems that are spying on your activities
  • Adware uses a variety of techniques to place ads on infected computers

21.1.7 Countermeasures

  • The main protection against malicious code is antivirus filtering software. Consider antivirus filtering in at least three key areas:
    • Client systems
    • Server systems
    • Content filtering system: Content filtering of inbound and outbound email and web traffic is highly advisable
  • The existence of zero-day vulnerabilities makes it necessary to have strong patch management in the organization to ensure that applications are updated in a timely manner

21.2 Password attacks

  • One of the simplest techniques for an attacker to gain unauthorized access to a system is to learn the usernames and passwords of authorized system users

21.2.1 Password guessing attack

  • The attacker simply guesses the user's password

21.2.2 Dictionary attack

  • Attackers use automated tools that try the words of a dictionary, one after another, as candidate passwords

21.2.3 Social engineering attacks

  • Social engineering is one of the most effective tools used by attackers to gain access to systems

21.2.4 Countermeasures

  • Security personnel should frequently remind users of the importance of choosing secure passwords to protect confidentiality
  • Give users the knowledge they need to secure their passwords, tell them about the techniques attackers use when guessing passwords, and give users some advice on how to build strong passwords
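As an added illustration of these countermeasures (not part of the original notes), the following Python shows the defender's side of a dictionary attack: a policy check that undoes the common "mangling" tricks (leet substitutions, appended digits) to tell a user that their password is really a wordlist entry, and salted, deliberately slow hashing that raises the cost of each guess. The wordlist is a constructed sample.

```python
import hashlib
import hmac
import os
import re

# Constructed sample wordlist; a real dictionary attack uses millions of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "qwerty", "monkey"}

# Undo the "mangling rules" a dictionary attack applies (leet substitutions,
# digits or symbols appended) to see whether a password is a wordlist entry in disguise.
LEET = str.maketrans("0134$5@!", "oieassai")

def base_word(password):
    stripped = re.sub(r"[^a-z]+$", "", password.lower())   # drop trailing digits/symbols
    return stripped.translate(LEET)

def dictionary_guessable(password):
    return base_word(password) in COMMON_WORDS

def password_problems(password):
    # Feedback to show the user, as the countermeasures suggest.
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if dictionary_guessable(password):
        problems.append("a dictionary word with predictable substitutions")
    return problems

def hash_password(password, salt=None, iterations=600_000):
    # Salted, deliberately slow PBKDF2 hashing raises the cost of every guess an
    # attacker makes against a stolen password database.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest, iterations=600_000):
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)
```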

21.3 Application attacks

21.3.1 Buffer overflow

  • Buffer overflow vulnerabilities exist when developers fail to properly validate user input, so that input that is too large overwrites other data stored in the computer's memory.

21.3.2 Time of check to time of use (TOCTOU)

  • A TOCTOU timing vulnerability occurs when a program checks access permissions too far ahead of the moment it actually uses the resource, leaving a window in which conditions can change between the check and the use.
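An added example (not from the original notes) of the race described above, in Python: the vulnerable function checks a path name and then opens it again, so a swap in between makes it read a different file; the hardened function opens once, refusing to follow symlinks, and performs its check on the descriptor it already holds. The `race` hook and the temporary files are constructed purely to simulate the attacker winning the window.

```python
import os
import stat
import tempfile

def read_if_regular_unsafe(path, race=lambda: None):
    # TOCTOU-prone: check and use are two separate lookups of the same path name.
    if not os.path.isfile(path):      # time of check
        return None
    race()                            # window in which the name can be swapped
    with open(path, "rb") as f:       # time of use: the name is resolved again
        return f.read()

def read_if_regular_safe(path, race=lambda: None):
    # Hardened: open once (no symlink following), then check and read via the descriptor.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return None
    try:
        race()                        # swapping the name now cannot affect fd
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        chunks = []
        while chunk := os.read(fd, 65536):
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)

def demo():
    # Constructed scenario: an 'upload' file passes the check, then the attacker
    # replaces it with a symlink to a protected file inside the race window.
    with tempfile.TemporaryDirectory() as tmp:
        secret, upload = os.path.join(tmp, "secret"), os.path.join(tmp, "upload")
        def write_harmless():
            with open(upload, "wb") as f:
                f.write(b"harmless")
        def swap():                   # the attacker's move inside the race window
            os.remove(upload)
            os.symlink(secret, upload)
        with open(secret, "wb") as f:
            f.write(b"top secret")
        write_harmless()
        leaked = read_if_regular_unsafe(upload, race=swap)
        os.remove(upload)             # remove the symlink and start again
        write_harmless()
        kept = read_if_regular_safe(upload, race=swap)
        return leaked, kept
```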

21.3.3 Backdoor

  • Undocumented command sequences that allow software developers to bypass normal access restrictions

21.3.4 Privilege escalation and rootkits

  • One of the most common ways for attackers to escalate their privileges is through rootkits
  • System administrators must be aware of the latest patches released for the operating systems used in their environment and consistently apply these fixes

21.4 Security of Web Applications

21.4.1 Cross-site scripting (XSS) attacks

  • When web applications reflect user input back into their pages, they are prone to cross-site scripting attacks

  • Defending against cross-site scripting attacks: Determine the permitted input types, then verify the actual input to ensure it matches the specified pattern

    • Non-persistent (reflected) XSS: the attacker tricks the victim into processing a URL that carries a rogue script, thereby stealing the victim's sensitive information such as cookies and session IDs. The attack exploits the lack of appropriate input or output validation on dynamic websites.
    • Persistent (stored, second-order) XSS usually targets websites that allow users to enter data that is stored in a database or elsewhere (forums, message boards, guestbooks, etc.). The attacker posts text containing malicious JavaScript, and when other users view these posts, their browsers render the page and execute the attacker's JavaScript.
    • DOM-based XSS (Document Object Model XSS, also called local cross-site scripting): the DOM is the standard structural representation of HTML and XML documents in browsers. In such an attack, document components like form fields and cookies can be referenced via JavaScript. The attacker exploits the DOM environment to modify the original client-side JavaScript, causing the victim's browser to execute the resulting JavaScript code.
  • **CSRF (cross-site request forgery):** The attack works by including links or scripts in pages accessed by authorized users.

    • For example: a website user, Bob, may be browsing a chat forum where another user, Alice, has just posted a message containing an image whose link points to Bob's bank. Suppose Alice writes a link that submits a withdrawal form on Bob's bank site and uses this link as the image src. If Bob's bank saves his authorization information in a cookie, and this cookie has not expired, then Bob's browser will submit the withdrawal form together with his cookie when it tries to load the image, thereby authorizing the transaction without Bob's consent.
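The following Python is an added example, not part of the original notes, showing both defences from this section: an allowlist pattern decided in advance and then applied to a reflected parameter, with HTML encoding of whatever is reflected (against XSS), and a per-session synchronizer token that the bank's withdrawal form must carry, which the image link in the Bob and Alice story cannot supply (against CSRF). The greeting page, the `bob_session` dictionary and the probe input are constructed for the demo.

```python
import html
import hmac
import re
import secrets

# Allowlist for a reflected "name" parameter: decide what is permitted, then check
# the actual input against that pattern (the defence the notes describe).
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9 _-]{0,31}$")

def greeting_vulnerable(name):
    # Reflected XSS: the parameter is copied into the HTML response unchanged.
    return "<p>Hello, %s!</p>" % name

def greeting_safe(name):
    # Reject input outside the allowlist and HTML-encode whatever is reflected,
    # so the browser renders it as text rather than markup.
    if not NAME_PATTERN.match(name):
        return "<p>Invalid name.</p>"
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)

def issue_csrf_token(session):
    # Synchronizer token: a random secret stored in the user's session and
    # embedded in every state-changing form. A page on another site cannot read
    # it, so a forged request (the bank link hidden in an image) arrives without it.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def withdrawal_allowed(session, submitted_token):
    # The bank honours the form only if the submitted token matches the session's
    # token (constant-time comparison). Marking the session cookie SameSite=Lax
    # is a complementary browser-side defence.
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)

def demo():
    probe = "<script>alert(1)</script>"              # constructed test input
    reflected_unsafe = greeting_vulnerable(probe)
    reflected_safe = greeting_safe(probe)
    bob_session = {}                                 # constructed server-side session
    token = issue_csrf_token(bob_session)
    forged = withdrawal_allowed(bob_session, None)   # Alice's image link: no token
    genuine = withdrawal_allowed(bob_session, token) # Bob's real form submission
    return ("<script>" in reflected_unsafe, "<script>" in reflected_safe, forged, genuine)
```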

21.4.2 SQL injection attack

A SQL injection attack uses input that the web application does not expect.

  1. Dynamic web applications: If a web application is flawed, it could allow a user to tamper with the database in unintended and unauthorized ways through SQL injection attacks.
  2. SQL injection attack: Bypasses the application's isolation and runs SQL transactions directly against the back-end database
  3. Protect against SQL injection
    • Perform input validation: Input validation operations can limit the type of data users can enter in a form.
    • Limit user privileges: The database account used by the web server should have the smallest set of privileges possible
    • Use stored procedures: Leverage database stored procedures to limit an application's ability to execute arbitrary code
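An added example (not from the original notes) of the three protections above in Python with the standard `sqlite3` module: a query that splices input into SQL text beside its parameterised form, a character allowlist for input validation, and least privilege for the application's database connection. sqlite3 has no GRANT statement, so the privilege limit is expressed with its authorizer callback, standing in for the restricted account a server DBMS would use; the users table and the probe input are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample database with a few rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def find_user_vulnerable(conn, name):
    # Flaw: the untrusted value is spliced into the SQL text, so a quote in the
    # input changes the structure of the statement the database executes.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def find_user_parameterised(conn, name):
    # Fix: the SQL text is fixed; the value is bound as a parameter and is never
    # parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def validate_username(name):
    # Input validation as a second layer: only the characters a username may contain.
    return name.isascii() and name.isalnum() and 1 <= len(name) <= 32

def restrict_to_read_only(conn):
    # Least privilege for the application's database account. sqlite3 has no
    # GRANT, so an authorizer callback vetoes everything except reads.
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)

def demo():
    conn = make_db()
    crafted = "x' OR '1'='1"                          # constructed probe input
    leaked = find_user_vulnerable(conn, crafted)      # every row comes back
    safe = find_user_parameterised(conn, crafted)     # nobody has that literal name
    restrict_to_read_only(conn)
    try:
        conn.execute("DELETE FROM users")
        delete_blocked = False
    except sqlite3.DatabaseError:                     # "not authorized"
        delete_blocked = True
    still_works = find_user_parameterised(conn, "alice")
    return len(leaked), len(safe), validate_username(crafted), delete_blocked, len(still_works)
```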

21.5 Reconnaissance attacks

Reconnaissance allows attackers to find weaknesses and then target them directly with exploit code.

21.5.1 IP probing

IP probing: A type of network reconnaissance performed on a target network

21.5.2 Port scanning

Port scanning: Probing the discovered systems to determine which ports are open

21.5.3 Vulnerability scanning

Vulnerability scanning: Uses a database of known vulnerabilities to locate security flaws by probing targets

  • Nearly all of the vulnerabilities that a vulnerability scanner reports can be fixed only by bringing the operating system up to the latest security patch level

21.5.4 Dumpster diving

How to protect yourself from dumpster diving:

  • Make it difficult for attackers to get at discarded material
  • Keep trash in a secure location

21.6 Masquerading attacks

  • The easiest way to gain access to a resource that you are not entitled to is to impersonate someone with the appropriate system access permissions.

21.6.1 IP spoofing

  • Someone with malicious intent reconfigures their system to use the IP address of a trusted system and then gains access to resources that are restricted to that trusted address
  • Measures to prevent IP spoofing
    • Packets with internal source IP addresses must not be allowed to enter the network from the outside
    • Packets with external source IP addresses cannot leave the network from the inside
    • Packets with private IP addresses cannot pass through the router in either direction
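The three filtering rules above, implemented as an added Python example (not from the original notes) that a border router's ingress/egress policy would encode. It assumes the organisation owns the public block 203.0.113.0/24 (a documentation range used as a stand-in), treats the RFC 1918 blocks as the private addresses, and runs the rules over a constructed list of packets.

```python
import ipaddress

# Assumed addressing for the demo: the organisation's own public block is
# 203.0.113.0/24 (a documentation range standing in for a real allocation).
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def border_filter(direction, src):
    # Returns ("drop", reason) or ("accept", "") for a packet seen at the border
    # router; direction is "inbound" (from the Internet) or "outbound".
    src = ipaddress.ip_address(src)
    if any(src in net for net in RFC1918):
        return ("drop", "private source address must not cross the border")
    if direction == "inbound" and src in INTERNAL_NET:
        return ("drop", "internal source address arriving from outside (spoofed)")
    if direction == "outbound" and src not in INTERNAL_NET:
        return ("drop", "external source address leaving from inside (spoofed)")
    return ("accept", "")

def apply_to_log(records):
    # Apply the rules to "direction src" records and return (record, verdict) pairs.
    return [(rec, border_filter(*rec.split())[0]) for rec in records]

SAMPLE_PACKETS = [  # constructed sample traffic
    "inbound 198.51.100.7",    # legitimate external sender
    "inbound 203.0.113.5",     # claims to be one of our own hosts: spoofed
    "outbound 203.0.113.5",    # our host talking out: fine
    "outbound 198.51.100.7",   # our host using someone else's address: spoofed
    "inbound 10.0.0.9",        # private address on the Internet side
    "outbound 192.168.1.20",   # private address leaking out
]
```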

21.6.2 Session Hijacking

  • A session hijacking attack occurs when a malicious person intercepts a portion of the communication data between an authorized user and a resource.

Origin blog.csdn.net/Runnymmede/article/details/133364236