CompTIA Security+ 501
CompTIA Security+
SY0-501
Instructor: Ron Woerner, CISSP, CISM
CompTIA Security+
Domain 1 – Threats, Attacks and Vulnerabilities (21%)
Cybrary Instructor: Ron Woerner 1 CompTIA Security+ 501
CompTIA Security+ Domain 1 – Threats, Attacks and Vulnerabilities
1.1 Given a scenario, analyze indicators of compromise and determine the type of malware
1.1 Analyze IOC and Type of Malware
● Viruses
● Adware
● Spyware
● Crypto-malware
● Bots
● Ransomware
● RAT
● Worm
● Logic bomb
● Trojan
● Backdoor
● Rootkit
● Keylogger
Risk & Threat Definitions
NIST Information Security Glossary | Cybrary Glossary
● Risk: NIST | Cybrary
● Threat: NIST | Cybrary
● Impact: NIST | Cybrary
● Vulnerability: NIST | Cybrary
● Exploit: NIST | Cybrary
● Risk Assessment: NIST | Cybrary
● Risk Management: NIST | Cybrary
Malware attacks
● Delivery – How it gets to the target
● Propagation – How malware spreads
● Payload – What malware does once it’s there
● Indicators of Compromise (IoC) – An artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.
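The analysis task in 1.1 is matching artifacts seen on the network or host against known indicators. The following Python example is added here for illustration and is not part of the Cybrary course material; the indicator values (the hash, the .invalid domain and the TEST-NET-3 address) and the log lines are constructed placeholders, not real IoCs. It extracts file hashes, IP addresses and domain names from log lines, reports the ones that appear in the indicator list, and collects the hosts an analyst should triage first.

```python
import re
from dataclasses import dataclass

# Constructed indicator lists for the example. Every value here is a
# placeholder (TEST-NET-3 address, .invalid TLD, made-up hash),
# not a real indicator of compromise.
KNOWN_BAD_HASHES = {
    "0123456789abcdef0123456789abcdef": "dropper.exe sample (hypothetical)",
}
KNOWN_BAD_DOMAINS = {
    "c2.example.invalid": "command-and-control domain (hypothetical)",
}
KNOWN_BAD_IPS = {
    "203.0.113.7": "command-and-control address (hypothetical, TEST-NET-3)",
}

# Simple extractors for the artifact types an analyst pivots on.
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass(frozen=True)
class IocMatch:
    line_no: int   # 1-based index into the log input
    kind: str      # "hash", "ip" or "domain"
    value: str     # the artifact as it appeared in the log
    note: str      # description taken from the indicator list


def scan_logs(lines):
    """Return every known-bad artifact found in the given log lines, in log order."""
    matches = []
    for line_no, line in enumerate(lines, start=1):
        text = line.lower()
        for h in MD5_RE.findall(text):
            if h in KNOWN_BAD_HASHES:
                matches.append(IocMatch(line_no, "hash", h, KNOWN_BAD_HASHES[h]))
        for ip in IPV4_RE.findall(text):
            if ip in KNOWN_BAD_IPS:
                matches.append(IocMatch(line_no, "ip", ip, KNOWN_BAD_IPS[ip]))
        for dom in DOMAIN_RE.findall(text):
            if dom in KNOWN_BAD_DOMAINS:
                matches.append(IocMatch(line_no, "domain", dom, KNOWN_BAD_DOMAINS[dom]))
    return matches


def hosts_to_triage(lines):
    """Collect the hosts (host= field) named on lines that carried an IoC."""
    flagged = {m.line_no for m in scan_logs(lines)}
    hosts = set()
    for line_no, line in enumerate(lines, start=1):
        if line_no in flagged:
            found = re.search(r"\bhost=(\S+)", line)
            if found:
                hosts.add(found.group(1))
    return sorted(hosts)


# Constructed sample log lines (not from any real environment).
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 proxy host=ws01 user=alice dst=intranet.example.invalid action=allow",
    "2024-01-01T10:00:05 edr host=ws02 event=process_start name=dropper.exe md5=0123456789abcdef0123456789abcdef parent=winword.exe",
    "2024-01-01T10:00:09 firewall host=ws02 src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "2024-01-01T10:00:12 dns host=ws03 query=c2.example.invalid type=A",
]

if __name__ == "__main__":
    for m in scan_logs(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} {m.value} -> {m.note}")
    print("hosts to triage:", hosts_to_triage(SAMPLE_LOGS))
```

The first log line mentions a domain that is not on the list and produces no match, which is the point of the exercise: an artifact only becomes an indicator of compromise when it is tied to known malicious activity, and the three artifact types (hash, address, domain) are the ones the delivery, propagation and payload stages typically leave behind.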
Types of Malware
● Viruses
● Adware
● Crypto-malware
● Spyware
● Ransomware
● Bots
● Worm
● RAT
● Trojan
● Logic bomb
● Rootkit
● Backdoor
● Keylogger
Viruses
Definition: A program intended to damage a computer system.
Types:
● Armored virus: A virus that is protected in a way that makes disassembling it difficult. The difficulty makes it “armored” against antivirus programs that have trouble getting to, and understanding, its code.
● Companion virus: A virus that creates a new program that runs in the place of an expected program of the same name.
● Macro virus: A software exploitation virus that works by using the macro feature included in many applications, such as Microsoft Office.
● Multipartite virus: A virus that attacks a system in more than one way.
Viruses
Definition: A program intended to damage a computer system.
Types:
● Phage virus: A virus that modifies and alters other programs and databases.
● Polymorphic virus: A virus that changes form or mutates in order to avoid detection.
● Retrovirus: A virus that attacks or bypasses the antivirus software installed on a computer.
● Stealth virus: A virus that attempts to avoid detection by anti-virus software and by the operating system by remaining in memory.
Crypto-malware & Ransomware
● Malware that uses cryptography as part of the attack
● Prevents users from accessing their system or personal files through encryption and demands ransom payment in order to regain access.
● Ransomware authors order that payment be sent via cryptocurrency, online payment systems, or credit card.
● Examples: CryptoLocker, WannaCry, Locky, zCrypt, NotPetya
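Because crypto-malware makes files unreadable by encrypting them, the artifacts it leaves behind are measurable: file contents that look like random bytes, files renamed with an unfamiliar extension, and a ransom note dropped alongside them. The Python example below is added for illustration and is not from the course; the extension list, the note markers and the sample files are constructed, and the seeded random bytes stand in for encrypted content. It computes Shannon entropy per file and only raises a verdict when two independent indicators agree, since a single high-entropy file (a zip archive, a JPEG) is normal.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


# Heuristic indicators. The extension list and note markers are hypothetical
# examples of the naming patterns ransomware uses, not a real signature set.
SUSPECT_EXTENSIONS = (".locked", ".crypt", ".encrypted")
RANSOM_NOTE_MARKERS = (b"decrypt", b"ransom", b"bitcoin")


def assess_ransomware_indicators(files, entropy_threshold=7.5):
    """Score a snapshot of {filename: bytes} for ransomware-like artifacts.

    Returns the individual findings plus an overall verdict so an analyst can
    see which artifact drove the score.
    """
    high_entropy = []
    renamed = []
    notes = []
    for name, content in files.items():
        lower = name.lower()
        if lower.endswith(SUSPECT_EXTENSIONS):
            renamed.append(name)
        if shannon_entropy(content) >= entropy_threshold:
            high_entropy.append(name)
        if lower.endswith(".txt") and any(k in content.lower() for k in RANSOM_NOTE_MARKERS):
            notes.append(name)
    # Require two independent indicator classes before raising the verdict;
    # compressed archives and images are high-entropy on a healthy system too.
    signals = sum(1 for group in (high_entropy, renamed, notes) if group)
    return {
        "high_entropy_files": sorted(high_entropy),
        "renamed_files": sorted(renamed),
        "ransom_notes": sorted(notes),
        "verdict": "likely ransomware" if signals >= 2 else "no strong indicator",
    }


# Constructed sample data. The seeded generator makes the "encrypted" bytes
# reproducible; real ciphertext has the same near-8.0 entropy profile.
_rng = random.Random(2024)
PLAINTEXT = b"Quarterly report: revenue up 4 percent quarter over quarter.\n" * 70
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_FILES = {
    "report.docx.locked": ENCRYPTED_LIKE,
    "budget.xlsx.locked": ENCRYPTED_LIKE,
    "notes.txt": PLAINTEXT,
    "README_TO_DECRYPT.txt": b"Your files are encrypted. Send payment to decrypt them.",
}
# A healthy share with one archive: high entropy alone must not trigger the verdict.
CLEAN_FILES = {"notes.txt": PLAINTEXT, "archive.zip": ENCRYPTED_LIKE}

if __name__ == "__main__":
    for label, snapshot in (("infected", SAMPLE_FILES), ("clean", CLEAN_FILES)):
        print(label, assess_ransomware_indicators(snapshot))
```

In practice the same three signals are what endpoint tooling alerts on, and the two-signal rule is what keeps backups and compressed data from producing false positives; the entropy threshold is a tunable assumption, not a fixed constant.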
Rootkit
● A clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence.
● Software program that has the ability to obtain administrator or root-level access and hide from the operating system.
● Examples: NTRootkit, Zeus, Stuxnet, Knark, Adore
Trojan / Trojan Horse
● A harmful piece of software that looks legitimate or is included with legitimate applications.
● Any application that masquerades as one thing in order to get past scrutiny and then does something malicious.
○ One of the major differences between Trojan horses and viruses is that Trojan horses tend not to replicate themselves.
● Examples: BackOrifice, Stuxnet, Zeus
Worms
● Use the network to replicate copies of themselves to systems or devices automatically and without user intervention.
● To spread, worms either exploit a vulnerability on the target system or use social engineering to trick users into executing them.
● A worm takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.
Examples: ILoveYou, MyDoom, StormWorm, Anna Kournikova, Slammer
Logic or Time bomb
● Any code that is hidden within an application and causes something unexpected to happen based on some criteria being met. For example:
○ A programmer could create a program that always makes sure her name appears on the payroll roster; if it doesn’t, then key files begin to be erased.
○ A backdoor is created during certain times.
Keylogger / Keystroke Loggers
● Software programs or hardware devices that track the activities from input devices
○ Keys pressed on a keyboard
○ Mouse clicks
○ Screen recorders or scrapers
● Keyloggers are a form of spyware where users are unaware their actions are being tracked
● Keylogger software typically stores your keystrokes in a small file, which is either accessed later or automatically emailed to the person monitoring your actions
Bots / Botnets
● Bot: An automated software program (network robot) that collects information on the web. In its malicious form, a bot is a compromised computer being controlled remotely.
● Bots are also known as “zombie computers” due to their ability to operate under remote direction without their owners’ knowledge.
● Botnet: A network of compromised computers under the control of a malicious actor.
● The attackers that control botnets are referred to as “bot herders” or “bot masters.”
Backdoor
● An undocumented way of accessing a system, bypassing the normal authentication mechanisms.
● An opening left in a program application (usually by the developer) that allows additional access to systems or data. These should be closed when the system is moved to production.
RATs (Remote Access Trojans or Remote Administration Tools)
● Software that remotely gives a person full control of a tech device.
● Programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC.
● Provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols or backdoors created upon infection
○ Often mimic the behavior of keylogger applications by allowing the automated collection of input data
● Examples: SubSeven, Back Orifice, ProRat, Turkojan, and Poison-Ivy
Spyware / Adware
● Applications that covertly monitor online behavior without the user’s knowledge or permission.
● Collected data is relayed to outside parties, often for use in advertising.
● Otherwise, does not harm the infected computer, user or data.
● There is a line between illegal spyware and legitimate data collection.
Advanced Persistent Threat (APT)
● A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.
● Usually targets either private organizations, states, or both for business or political motives.
● APT processes require a high degree of covertness over a long period of time.
○ The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems.
○ The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target.
○ The "threat" process indicates human involvement in orchestrating the attack.
Exam Preparation
In your role as a security administrator, a user contacts you suspecting that his computer is infected. Yesterday he loaded a freeware program to help him perform a valid job function. What type of malicious software is most likely the cause of the infection?
A. Rootkit
B. Ransomware
C. Trojan
D. Worm
Exam Preparation
What type of malicious software is deliberately installed by an authorized user and sits dormant until some event invokes its malicious payload?
A. Logic bomb
B. Spyware
C. Trojan horse
D. Armored virus