CompTIA Security+ 501

CompTIA Security+

SY0-501

Instructor: Ron Woerner, CISSP, CISM

CompTIA Security+

Domain 1 – Threats, Attacks and Vulnerabilities (21%)

Cybrary Instructor: Ron Woerner – CompTIA Security+ 501

CompTIA Security+ Domain 1 – Threats, Attacks and Vulnerabilities

1.1 Given a scenario, analyze indicators of compromise and determine the type of malware

1.1 Analyze IOC and Type of Malware

● Viruses
● Crypto-malware
● Bots
● RAT
● Worm
● Trojan
● Keylogger


Risk & Threat Definitions

NIST Glossary | Cybrary Glossary
● Risk: NIST | Cybrary
● Threat: NIST | Cybrary
● Impact: NIST | Cybrary
● Vulnerability: NIST | Cybrary
● Exploit: NIST | Cybrary
● Risk Assessment: NIST | Cybrary
● Risk Management: NIST | Cybrary

Malware attacks

● Delivery – How the malware gets to the target
● Propagation – How the malware spreads
● Payload – What the malware does once it is there
● Indicators of Compromise (IoC) – An artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
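An IoC is only useful if something checks observed artifacts against it. The script below is an added example, not part of the original slides: it pulls file hashes, queried domains and destination addresses out of constructed endpoint log lines (an assumed key=value format, not any product's real format) and compares each whole value against a small IoC list. The hash, domain and address in the IoC list are placeholders. Matching on the whole token rather than a substring is the point of the last sample line: 203.0.113.4 must not match an indicator for 203.0.113.45.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    ioc_type: str
    value: str
    line: str


# Constructed IoC list: placeholder values (documentation address range,
# example.net domain, repeated hex pattern), not real indicators.
IOC_HASHES = {"deadbeef" * 8}
IOC_DOMAINS = {"update-check.example.net"}
IOC_IPS = {"203.0.113.45"}

# Constructed log lines in an assumed key=value endpoint/proxy format.
SAMPLE_LOGS = [
    "ts=2024-05-01T08:00:01Z host=ws01 event=process_create sha256="
    + "0123456789abcdef" * 4 + " path=C:/Windows/notepad.exe",
    "ts=2024-05-01T08:00:05Z host=ws01 event=dns_query dst_domain=UPDATE-CHECK.example.net.",
    "ts=2024-05-01T08:00:06Z host=ws02 event=net_connect dst_ip=203.0.113.45 dst_port=443",
    "ts=2024-05-01T08:00:09Z host=ws02 event=process_create sha256="
    + "DEADBEEF" * 8 + " path=C:/Users/Public/svc.exe",
    "ts=2024-05-01T08:00:12Z host=ws03 event=net_connect dst_ip=203.0.113.4 dst_port=80",
]

# Field extractors for the assumed format; each captures one whole token.
HASH_RE = re.compile(r"\bsha256=([0-9A-Fa-f]{64})\b")
DOMAIN_RE = re.compile(r"\bdst_domain=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\bdst_ip=(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_observables(line):
    """Return (kind, value) pairs found in one log line, lower-cased and with any
    trailing dot on a domain removed, so that comparison is exact."""
    found = []
    for kind, rx in (("hash", HASH_RE), ("domain", DOMAIN_RE), ("ip", IP_RE)):
        for m in rx.finditer(line):
            found.append((kind, m.group(1).lower().rstrip(".")))
    return found


def match_iocs(lines, hashes=IOC_HASHES, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Compare every extracted observable against the IoC sets as a whole value.
    A substring search would make 203.0.113.4 and 203.0.113.45 hit each other."""
    lookup = {
        "hash": {h.lower() for h in hashes},
        "domain": {d.lower().rstrip(".") for d in domains},
        "ip": set(ips),
    }
    hits = []
    for line in lines:
        for kind, value in extract_observables(line):
            if value in lookup[kind]:
                hits.append(Match(kind, value, line))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(f"{hit.ioc_type:6} {hit.value}  <- {hit.line}")
```

Run as-is it reports three hits (the domain query, the connection to the listed address, and the process whose hash is listed) and ignores the benign notepad launch and the connection to the neighbouring address.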


Types of Malware

● Viruses
● Adware
● Crypto-malware
● Spyware
● Ransomware
● Bots
● Worm
● RAT
● Trojan
● Logic bomb
● Rootkit
● Backdoor
● Keylogger

Viruses

Definition: A program intended to damage a computer system.

Types:
● Armored virus: A virus that is protected in a way that makes disassembling it difficult. The difficulty makes it “armored” against antivirus programs, which have trouble getting to, and understanding, its code.
● Companion virus: A virus that creates a new program that runs in the place of an expected program of the same name.
● Macro virus: A software exploitation virus that works by using the macro feature included in many applications, such as Microsoft Office.
● Multipartite virus: A virus that attacks a system in more than one way.


Viruses

Types (continued):
● Phage virus: A virus that modifies and alters other programs and databases.
● Polymorphic virus: A virus that changes form or mutates in order to avoid detection.
● Retrovirus: A virus that attacks or bypasses the antivirus software installed on a computer.
● Stealth virus: A virus that attempts to avoid detection by anti-virus software and by the operating system by remaining in memory.

Crypto-malware & Ransomware

● Malware that uses cryptography as part of the attack.
● Prevents users from accessing their system or personal files through encryption and demands a ransom payment in order to regain access.
● Ransomware authors order that payment be sent via cryptocurrency, online payment systems, or credit card.

● Examples: CryptoLocker, WannaCry, Locky, zCrypt, NotPetya
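Because ransomware encrypts files in place, it leaves two behavioural signs that do not depend on knowing the sample: a burst of renames to one new extension by a single process, and writes whose content has near-maximal entropy (ciphertext looks random). The script below is an added example, not from the original slides: it runs that two-signal check over constructed file-activity events. The event format, the thresholds and the `.locked` extension are assumptions for the example; the high-entropy bytes are a deterministic stand-in for encrypted output, not real ransomware data.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float                        # seconds since start of the trace
    pid: int
    op: str                          # "write" or "rename"
    path: str
    new_path: Optional[str] = None   # set for renames
    data: Optional[bytes] = None     # set for writes: the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_ransomware_like(events, min_renames=5, window_s=10.0, entropy_threshold=7.0):
    """Flag a pid that, inside any window_s-second window, renames at least
    min_renames files to one new extension AND whose writes average at least
    entropy_threshold bits/byte. Requiring both signals keeps backup or archive
    tools, which rename but do not write random-looking content, from being
    flagged on renames alone."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        renames = [e for e in evs if e.op == "rename" and e.new_path]
        if not renames:
            continue
        ext, _ = Counter(os.path.splitext(e.new_path)[1].lower()
                         for e in renames).most_common(1)[0]
        times = sorted(e.ts for e in renames if e.new_path.lower().endswith(ext))
        # largest number of such renames falling inside one window_s-second window
        burst = max(sum(1 for t in times if start <= t <= start + window_s)
                    for start in times)
        writes = [e.data for e in evs if e.op == "write" and e.data]
        avg_entropy = mean(shannon_entropy(d) for d in writes) if writes else 0.0
        if burst >= min_renames and avg_entropy >= entropy_threshold:
            flagged[pid] = {"extension": ext, "renames_in_window": burst,
                            "avg_write_entropy": round(avg_entropy, 2)}
    return flagged


# Constructed stand-in for encrypted output: deterministic pseudo-random bytes.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 40


def sample_events():
    """Constructed activity: pid 100 is a text editor, pid 300 a backup tool that
    renames files to .bak, and pid 200 overwrites six documents with high-entropy
    bytes and renames each to .locked within a few seconds."""
    ev = [
        FileEvent(0.0, 100, "write", "docs/notes.txt", data=PLAIN_TEXT),
        FileEvent(1.0, 100, "write", "docs/todo.txt", data=PLAIN_TEXT),
    ]
    for i in range(6):
        ev.append(FileEvent(5.0 + i * 0.5, 200, "write", f"docs/report{i}.docx",
                            data=HIGH_ENTROPY))
        ev.append(FileEvent(5.2 + i * 0.5, 200, "rename", f"docs/report{i}.docx",
                            new_path=f"docs/report{i}.docx.locked"))
        ev.append(FileEvent(20.0 + i, 300, "rename", f"docs/report{i}.docx",
                            new_path=f"docs/report{i}.docx.bak"))
    return ev


if __name__ == "__main__":
    print(find_ransomware_like(sample_events()))
```

Only pid 200 is reported: the editor never renames anything, and the backup tool's six `.bak` renames are not accompanied by any high-entropy writes, so the entropy condition keeps it out of the result.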


Rootkit

● A clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence.
● A software program that has the ability to obtain administrator or root-level access and hide from the operating system.

● Examples: NTRootkit, , Stuxnet, Knark, Adore

Trojan / Trojan Horse

● A harmful piece of software that looks legitimate or is included with legitimate applications.
● Any application that masquerades as one thing in order to get past scrutiny and then does something malicious.
○ One of the major differences between Trojan horses and viruses is that Trojan horses tend not to replicate themselves.

● Examples: BackOrifice, Stuxnet, Zeus


Worms

● Use the network to replicate copies of themselves to systems or devices automatically and without user intervention.
● To spread, worms either exploit a vulnerability on the target system or use social engineering to trick users into executing them.
● A worm takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.

● Examples: ILoveYou, MyDoom, StormWorm, Anna Kournikova, Slammer

Logic or Time Bombs

● Any code that is hidden within an application and causes something unexpected to happen based on some criteria being met. For example:
○ A programmer could create a program that always makes sure her name appears on the payroll roster; if it doesn’t, then key files begin to be erased.
○ A backdoor is created during certain times.


Keylogger / Keystroke Loggers

● Software programs or hardware devices that track the activities from input devices:
○ Keys pressed on a keyboard
○ Mouse clicks
○ Screen recorders or scrapers
● Keyloggers are a form of spyware where users are unaware their actions are being tracked.
● Keylogger software typically stores your keystrokes in a small file, which is either accessed later or automatically emailed to the person monitoring your actions.

Bots / Botnets

● Bot: An automated software program (network robot) that collects information on the web. In its malicious form, a bot is a compromised computer being controlled remotely.
● Bots are also known as “zombie computers” due to their ability to operate under remote direction without their owners’ knowledge.

● Botnet: A network of compromised computers under the control of a malicious actor.
● The attackers that control botnets are referred to as “bot herders” or “bot masters.”
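A bot that operates "under remote direction" has to check in with its controller, and it usually does so on a fixed timer. That regularity is something a defender can look for in ordinary connection logs without knowing the controller's address in advance. The script below is an added example, not from the original slides: for each (source, destination, port) flow in constructed connection records it measures how evenly spaced the connections are (coefficient of variation of the gaps) and reports flows that are both frequent and nearly periodic. The record format, the thresholds and the addresses are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: float      # epoch seconds
    src: str
    dst: str
    dport: int


def find_beacons(conns, min_count=8, max_cv=0.1):
    """Group connections by (src, dst, dport); for flows with at least min_count
    connections, compute the gaps between consecutive connections and flag the
    flow when the gaps' coefficient of variation (stdev / mean) is at most max_cv.
    Human-driven traffic is bursty (large CV); timer-driven check-ins are not."""
    flows = defaultdict(list)
    for c in conns:
        flows[(c.src, c.dst, c.dport)].append(c.ts)
    findings = {}
    for key, times in flows.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings[key] = {"count": len(times), "period_s": round(period, 1),
                             "cv": round(cv, 3)}
    return findings


BASE = 1_700_000_000.0   # constructed starting timestamp


def sample_connections():
    """Constructed traffic: ws01 checks in with 203.0.113.7:443 roughly every
    minute with a second or two of jitter; ws01 also browses 198.51.100.20:443
    at irregular, human-paced intervals; ws02 makes three evenly spaced
    connections, too few to judge."""
    beacon_offsets = [0, 59, 120, 180, 239, 301, 360, 420, 479, 541]
    browse_offsets = [0, 3, 4, 45, 46, 47, 200, 202, 610, 615, 900, 905]
    conns = [Conn(BASE + o, "ws01", "203.0.113.7", 443) for o in beacon_offsets]
    conns += [Conn(BASE + o, "ws01", "198.51.100.20", 443) for o in browse_offsets]
    conns += [Conn(BASE + o, "ws02", "198.51.100.30", 443) for o in (0, 300, 600)]
    return conns


if __name__ == "__main__":
    for flow, info in find_beacons(sample_connections()).items():
        print(flow, info)
```

Only the ws01 to 203.0.113.7 flow is reported, with a period of about 60 s and a CV near 0.02. The browsing flow has the same endpoint count but gaps ranging from 1 s to several minutes, and the ws02 flow is skipped because three connections are too few to call periodic. In practice the thresholds are tuned per environment, and legitimate software updaters and monitoring agents also beacon, so a hit is a lead for triage rather than a verdict.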


Backdoor

● An undocumented way of accessing a system, bypassing the normal mechanisms.

● An opening left in a program application (usually by the developer) that allows additional access to systems or data. These should be closed when the system is moved to production.

RATs (Remote Access Trojans or Remote Administration Tools)

● Software that remotely gives a person full control of a tech device.
● Programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC.
● Provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols or backdoors created upon infection.
○ Often mimic the behavior of keylogger applications by allowing the automated collection of input data.
● Examples: SubSeven, Back Orifice, ProRat, Turkojan, and Poison-Ivy


Spyware / Adware

● Applications that covertly monitor online behavior without the user’s knowledge or permission.
● Collected data is relayed to outside parties, often for use in advertising.
● Otherwise, does not harm the infected computer, user or data.
● There is a line between illegal spyware and legitimate data collection.

Advanced Persistent Threat (APT)

● A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
● Usually targets either private organizations, states, or both, for business or political motives.
● APT processes require a high degree of covertness over a long period of time.
○ The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems.
○ The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target.
○ The "threat" process indicates human involvement in orchestrating the attack.


Exam Preparation

In your role as a security administrator, a user contacts you suspecting that his computer is infected. Yesterday he loaded a freeware program to help him perform a valid job function. What type of malicious software is most likely the cause of the infection?

A. Rootkit
B. Ransomware
C. Trojan
D. Worm

Exam Preparation

What type of malicious software is deliberately installed by an authorized user and sits dormant until some event invokes its malicious payload?

A. Logic bomb
B. Spyware
C. Trojan horse
D. Armored virus

