
System Threats & Vulnerabilities

Fields used for each entry: type, vulnerability, additional information, definition, examples, risk, countermeasures, defense in depth.

1. Hardware

Electromagnetic emanations
  Additional information: TEMPEST is a US government program that studies EMR (electromagnetic radiation) and EMI (electromagnetic interference).
  Definition: energy that escapes an electronic system and can be captured with a suitable receiver and monitored remotely.
  Example: Van Eck radiation (Van Eck phreaking).
  Risk:
    1. The contents of a computer screen can be read remotely (confidentiality).
    2. Crosstalk between adjacent circuits or cables (integrity of the communication).
  Countermeasures:
    1. STP (Shielded Twisted Pair) cabling.
    2. Fiber optic cable: uses light instead of electricity, so there is no EMI.
    3. Faraday cage: a conductive metal skin that stops electromagnetic emanations from escaping. Expensive but effective.

Theft
  Countermeasure: Trusted Platform Module (TPM), a security chip added to the hardware. When a TPM-protected encrypted hard drive is moved to a new device it cannot be read even by someone who has the password, because the disk key is sealed to the original TPM.

2. Firmware
  Definition: permanent software programmed into Read Only Memory (ROM); the software that drives the hardware.
  Vulnerability: phlashing, a permanent denial-of-service (DoS) attack, usually delivered over the network, that overwrites the firmware and bricks the device.

3. Software

Malicious code
  Virus: needs to attach itself to a carrier (a host file or program). Examples:
    MBR (Master Boot Record) virus: redirects the boot process so that malware is loaded while the OS is loading.
    Multipartite virus: uses more than one propagation mechanism to spread between systems.
    Macro virus: written in the macro language used by MS Office products; spreads via documents, email attachments, etc.
  Worm: self-propagating; needs no carrier.
  Advanced Persistent Threat (APT): a well-resourced, targeted and long-running intrusion campaign; often relies on zero-day exploits for which no vendor-supplied patch exists.
  Trojan: performs two functions, one benign and one malicious.
    Example: login spoofing, where the user is presented with a normal-looking login prompt.
    Risk: steals the user's credentials.
    Countermeasure: use a trusted path for login, such as Ctrl+Alt+Del.
  Rootkit: enables access to a computer or system that is not otherwise allowed and often masks its own existence. Removal is difficult, especially if the rootkit resides in the kernel.
    Risk: privilege escalation.
  Packer: a tool that compresses/modifies/encrypts a malicious file's format to avoid detection.

  Countermeasures (defense in depth):
    Antimalware software:
      1. Signature based (known malware).
      2. Behavioral (heuristic).
      3. Static analysis of the file without running it.
    Assessment, such as a penetration test (usually can identify the OS). Tools:
      *Nmap: TCP/UDP port scanner that detects open/closed/filtered ports; by default it scans only a limited number of ports.
      *Metasploit: general-purpose exploitation framework.
    Vulnerability scanning (known vulnerabilities). Tools:
      *sqlmap: detects SQL injection.
      *Nikto: web application scanner.
      *Nessus.
      *MBSA (Microsoft Baseline Security Analyzer): closed source.
      *OpenVAS: open source.
  Logic bomb: triggers when a logical condition is met.
  Time of Check/Time of Use (TOC/TOU): a race condition between the moment a resource is checked and the moment it is used; often missed in the test environment because the timing window is small.
    Countermeasure: code review/analysis.
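The TOC/TOU race above, shown as an added example (this code is not part of the original notes). The unsafe reader does stat() then open() on a path name; the attacker swaps the checked file for a symlink in between. The safe reader opens first with O_NOFOLLOW and checks the descriptor it actually holds with fstat(), so there is no window. The race is simulated with an `after_check` hook; file names and contents are constructed for the demo, and the symlink behaviour assumes a POSIX system.

```python
import os
import shutil
import stat
import tempfile


def read_if_regular_unsafe(path, after_check=lambda: None):
    """Check-then-use: stat() the name, then open() the name.
    `after_check` simulates the attacker winning the race in that window."""
    st = os.stat(path)                       # time of check (follows symlinks)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    after_check()                            # attacker's window (simulated)
    with open(path, "rb") as f:              # time of use: open() also follows symlinks
        return f.read()


def read_if_regular_safe(path):
    """Open first, then check the object we opened, not the name.
    O_NOFOLLOW refuses a symlink in the final component (OSError/ELOOP);
    fstat() describes the open descriptor, which cannot be swapped under us."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:           # f owns fd and closes it
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def demo():
    """Returns (safe read before swap, what the unsafe reader leaked,
    whether the safe reader refused the swapped path)."""
    d = tempfile.mkdtemp()
    try:
        secret = os.path.join(d, "secret.txt")   # constructed sensitive file
        upload = os.path.join(d, "upload.txt")   # constructed user-supplied file
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")
        with open(upload, "wb") as f:
            f.write(b"harmless")

        before = read_if_regular_safe(upload)    # b"harmless"

        def swap():                               # attacker replaces file with symlink
            os.remove(upload)
            os.symlink(secret, upload)

        leaked = read_if_regular_unsafe(upload, after_check=swap)   # b"TOP SECRET"
        try:
            read_if_regular_safe(upload)
            blocked = False
        except OSError:                           # ELOOP from O_NOFOLLOW
            blocked = True
        return before, leaked, blocked
    finally:
        shutil.rmtree(d)
```

The fix generalizes: any privilege decision must be made on the handle you will use (fstat, fchmod, openat with directory descriptors), never on a path string that someone else can re-point.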
Covert channel
  Covert storage channel: uses shared storage to let two subjects signal each other.
    Risk: gain unauthorized access to sensitive information.
  Covert timing channel: relies on timing (the system clock) to infer sensitive information.
    Examples:
      1. Typing with the rhythm of Morse code.
      2. Guessing a password one letter at a time based on the system's response time.
    Risk: gain unauthorized access to sensitive information.
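The second timing example above (recovering a password one letter at a time from response time), as an added example that is not part of the original notes. To keep it deterministic, "time" is modelled as the number of characters an early-exit comparison inspects before returning; a real attacker would measure wall-clock time over many samples. The secret and alphabet are constructed for the demo.

```python
import hmac

SECRET = "s3cret"                                   # constructed; unknown to the attacker
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def leaky_check(guess, secret=SECRET):
    """Early-exit comparison. Returns (match, steps); `steps` stands in for
    elapsed time: one unit per character compared before the first mismatch."""
    steps = 0
    if len(guess) != len(secret):
        return False, steps
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            return False, steps
    return True, steps


def constant_time_check(guess, secret=SECRET):
    """hmac.compare_digest inspects every byte whatever the first mismatch
    position, so timing carries no information; we model that with a fixed
    step count."""
    return hmac.compare_digest(guess.encode(), secret.encode()), len(secret)


def recover_by_timing(check, length):
    """Byte-at-a-time recovery: at each position, the candidate whose check
    ran longest (or matched outright) is the correct character."""
    known = ""
    for pos in range(length):
        best = (False, -1, None)
        for c in ALPHABET:
            candidate = known + c + "\0" * (length - pos - 1)
            match, steps = check(candidate)
            if (match, steps) > best[:2]:
                best = (match, steps, c)
        known += best[2]
    return known
```

Against `leaky_check` the loop needs at most 36 guesses per position instead of 36^6 overall; against `constant_time_check` every candidate looks identical and the "recovered" string is just the first alphabet letter repeated.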

Back door: a shortcut in the system that lets a user bypass security checks.
  Example: maintenance hook.
  Countermeasure: code review.
XSS (cross-site scripting): takes advantage of reflected input, where input provided by one user is rendered to, and seen by, another user.
  Risk: allows script execution in the victim's browser, access to cookies and session tokens, and more.
  Countermeasures:
    1. Input validation and output encoding, performed on the backend of the web server, not on the client side (client-side checks can be bypassed).
    2. Web application firewall (WAF).

CSRF (cross-site request forgery): forces the end user to execute unwanted actions, without their knowledge, on a web application in which they are currently authenticated. It only works in an authenticated session, when the web application trusts the user's browser without validating where the request came from.
  Risk: state-changing actions (transfers, password or email changes) performed with the victim's privileges; the attacker does not need to steal credentials and cannot read the response.
  Countermeasures:
    1. Input validation.
    2. Creation and exchange of an anti-forgery state token tied to the authenticated session, which every state-changing request must present.
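The two countermeasures above (server-side output encoding for XSS, a session-bound anti-forgery token for CSRF), as an added example that is not part of the original notes. The handler, form layout, session id format and server key are constructed for the demo; the token is an HMAC of the session id, so a cross-origin page that can make the browser send the victim's cookie still cannot produce it.

```python
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)      # constructed; in production load from a key store


def new_session():
    """Fresh session id, i.e. the value that would go into the session cookie."""
    return secrets.token_urlsafe(32)


def csrf_token(session_id):
    """Anti-forgery token bound to the session: HMAC(server_key, session_id).
    Embedded in forms or a header, never in the cookie."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id, form):
    """State-changing request: accepted only if the submitted token is present
    and equals the session's token (constant-time compare)."""
    token = form.get("csrf_token")
    if not isinstance(token, str) or not hmac.compare_digest(
        token.encode(), csrf_token(session_id).encode()
    ):
        return 403, "forbidden: missing or invalid anti-forgery token"
    return 200, f"transferred {form['amount']} to {form['to']}"


def render_greeting(name):
    """Reflected input rendered into HTML. Escaping on the server neutralises
    script tags, quotes and angle brackets whatever the client sent."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo():
    sid = new_session()
    legit = handle_transfer(sid, {"csrf_token": csrf_token(sid), "amount": "10", "to": "alice"})
    # Forged cross-site form: the browser attached the victim's cookie (sid),
    # but the attacker never saw the token.
    forged = handle_transfer(sid, {"amount": "10000", "to": "mallory"})
    guessed = handle_transfer(sid, {"csrf_token": "0" * 64, "amount": "1", "to": "mallory"})
    page = render_greeting('<script>fetch("/steal?c=" + document.cookie)</script>')
    return legit[0], forged[0], guessed[0], page
```

The same token check belongs on every non-idempotent endpoint; pairing it with SameSite cookies gives defense in depth, but the token is the control the notes describe.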
4. Web Architecture
Dynamic web languages make webpages more powerful, for example:
  1. PHP (Hypertext Preprocessor).
  2. XML (Extensible Markup Language): encodes documents in a format that is readable by both machines and humans.
  3. Applets: Java and ActiveX.
  4. SOA (Service Oriented Architecture): not dependent on a particular programming language.
Tools:
  1. Nikto: great for scanning web servers and applications for related vulnerabilities.
  2. OWASP: free resources for web application security.

SQL injection: targets data-driven applications; mostly known for attacking websites but can be used to attack any SQL database.
  Definition:
    1. Malicious code is injected into an entry field and executed by the database.
    2. A single quotation mark (') in the input closes the string literal in the query, so the rest of the input is interpreted as SQL.
  Risk: dump the entire database content to the attacker; spoof identity; tamper with data; repudiation (voiding transactions).
  Countermeasures:
    1. sqlmap (for detection).
    2. Input validation: filter for escape characters (a character which invokes an alternative interpretation of the subsequent characters in a character sequence).
    3. Parameterization (prepared statements).
    4. Limiting database permissions.
Buffer overflow: the program fails to perform bounds checking, so a write runs past the end of the buffer.
  Example: Ping of Death, sending a malformed (oversized) ping packet that the target system cannot reassemble, overflowing the reassembly buffer.
  Mechanism: the overflow writes into areas that hold executable code or control data and replaces them with attacker-controlled content, causing unintended behavior.
  Risk: privilege escalation and unauthorized access to the system.
  Countermeasures:
    1. Code review/analysis, including fuzz testing (tool: zzuf), a dynamic black-box test of boundary checking.
    2. Input validation.
    3. Parameterization.
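The missing bounds check behind Ping of Death, and the overlapping fragments behind the Teardrop attack listed under the Transport layer below, shown in an added example that is not part of the original notes. The reassembler works on (offset, more-fragments, payload) tuples with offsets already in bytes, not the 8-byte units of the real IPv4 header; the fragments are constructed.

```python
MAX_DATAGRAM = 65535            # largest IPv4 datagram, header included


class FragmentError(ValueError):
    pass


def reassemble(fragments):
    """fragments: iterable of (offset_bytes, more_fragments, payload).
    Returns the reassembled payload or raises FragmentError on input a naive
    reassembler would mishandle: data past the 64 KiB buffer (Ping of Death),
    overlapping fragments (Teardrop), bad alignment, or holes."""
    buf = bytearray(MAX_DATAGRAM)
    filled = [False] * MAX_DATAGRAM
    total = None
    for off, more, data in sorted(fragments, key=lambda f: f[0]):
        end = off + len(data)
        if off % 8:                                   # offsets are 8-byte aligned
            raise FragmentError(f"offset {off} not 8-byte aligned")
        if more and len(data) % 8:                    # only the last fragment may be short
            raise FragmentError(f"non-final fragment of {len(data)} bytes")
        if end > MAX_DATAGRAM:                        # the bounds check Ping of Death relies on
            raise FragmentError(f"fragment {off}..{end} exceeds {MAX_DATAGRAM} bytes")
        if any(filled[off:end]):                      # Teardrop: offsets that overlap
            raise FragmentError(f"fragment {off}..{end} overlaps earlier data")
        buf[off:end] = data
        filled[off:end] = [True] * (end - off)
        if not more:
            if total is not None:
                raise FragmentError("two fragments claim to be the last")
            total = end
    if total is None or not all(filled[:total]):
        raise FragmentError("incomplete datagram")
    return bytes(buf[:total])


def demo():
    """Returns the outcome for a normal datagram and for the two attacks."""
    results = {"normal": reassemble([(0, True, b"A" * 8), (8, False, b"B" * 4)])}
    cases = {
        # Ping of Death: final fragment placed so that offset + length > 65535
        "ping_of_death": [(0, True, b"\x00" * 8), (65528, False, b"\x00" * 100)],
        # Teardrop: second fragment starts inside the first one
        "teardrop": [(0, True, b"\x00" * 32), (24, False, b"\x00" * 16)],
    }
    for name, frags in cases.items():
        try:
            reassemble(frags)
            results[name] = "accepted"
        except FragmentError:
            results[name] = "rejected"
    return results
```

Real stacks also bound the number of outstanding fragments per source and expire partial datagrams, since a reassembler that keeps buffers forever is itself a DoS target.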

5. Database security

Inference: deducing sensitive information from data the user is allowed to see.
  Countermeasures:
    1. NDA (Non-disclosure Agreement).
    2. Polyinstantiation: allow two entries with the same primary key, one per classification level, so a low-clearance user sees a cover record instead of a telltale gap.

Aggregation: combining (adding up) individually non-sensitive pieces of data into a sensitive whole.
  Countermeasure: limit the number of queries a user can run.
Open Systems Interconnection (OSI) Reference Model and TCP/IP Model (ARPANET)
Fields used for each layer: protocol data unit (PDU), hardware, other information, protocols with their definition, vulnerabilities and countermeasures, and the matching TCP/IP layer.
Application layer (TCP/IP: Application)
  PDU: data stream
  Firewall: application proxy firewall, with a dedicated proxy for each application.
  Protocols:
    FTP (File Transfer Protocol): uses cleartext passwords for authentication. Countermeasure: use SSH (SFTP/SCP).
    Telnet: no built-in security. Countermeasure: use SSH.
    HTTP (Hypertext Transfer Protocol).
    HTTPS: transfers encrypted web-based data via SSL/TLS.
    SMTP/POP3 (Simple Mail Transfer Protocol / Post Office Protocol 3).
    DHCP (Dynamic Host Configuration Protocol): assigns an IP address and other network configuration to a PC when it connects to the network (servers usually use a static IP).
    DNS (Domain Name System):
      1. Translates a domain name to an IP address.
      2. Utilizes a hierarchical system of servers; TLD (top-level domain), e.g. .com, .gov.
      Vulnerabilities:
        1. DNS cache poisoning: changes the domain-to-IP mapping held in a resolver's cache.
        2. DNS spoofing: the attacker replies to the DNS request before the valid DNS server does.
      *DKIM (DomainKeys Identified Mail): email authentication method that verifies the mail comes from the claimed domain, using a signature whose public key is published in DNS.
    SSH (Secure Shell): secure alternative to FTP and Telnet.
    SET (Secure Electronic Transaction).
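The DNS spoofing entry above, as an added example that is not part of the original notes: a minimal resolver-side check of the things a spoofer has to guess. The query and replies are built with the real wire format (header, question, one A record), but the addresses, names and the "server" tuple are constructed for the demo.

```python
import secrets
import struct


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid, name):
    # id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def build_answer(txid, name, ipv4):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)       # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata  # name ptr -> offset 12
    return header + question + rr


def accept_reply(query, query_dst, reply, reply_src):
    """Return the answered IPv4 string if `reply` is a plausible answer to
    `query`, else None. A spoofer must match all of: the (ip, port) we sent
    the query to, the 16-bit transaction id, and the echoed question."""
    if reply_src != query_dst:
        return None                                    # wrong source address/port
    if len(reply) < 12 or reply[:2] != query[:2]:
        return None                                    # transaction id mismatch
    flags, qd, an = struct.unpack("!HHH", reply[2:8])
    if not flags & 0x8000 or qd != 1 or an < 1:
        return None
    qlen = len(query) - 12
    if reply[12:12 + qlen] != query[12:]:
        return None                                    # answer to a different question
    rr = reply[12 + qlen:]
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", rr[2:12])
    if (rtype, rclass, rdlen) != (1, 1, 4):
        return None
    return ".".join(str(b) for b in rr[12:16])


def demo():
    server = ("192.0.2.53", 53)                        # resolver we queried (constructed)
    txid = secrets.randbelow(1 << 16)                  # random id, as a resolver should use
    query = build_query(txid, "example.com")
    cases = {
        "genuine": (build_answer(txid, "example.com", "192.0.2.10"), server),
        "wrong_txid": (build_answer((txid + 1) & 0xFFFF, "example.com", "203.0.113.66"), server),
        "wrong_source": (build_answer(txid, "example.com", "203.0.113.66"), ("203.0.113.5", 53)),
        "wrong_question": (build_answer(txid, "evil.example", "203.0.113.66"), server),
    }
    return {k: accept_reply(query, server, reply, src) for k, (reply, src) in cases.items()}
```

A 16-bit id alone is brute-forceable by an attacker who can trigger many queries, which is why resolvers also randomize their own source port and why DNSSEC signatures are the durable fix; the check above is the minimum that turns blind spoofing from trivial into a guessing game.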
Presentation layer
  PDU: data stream
  Formats and protocols: JPEG, MIDI, MPEG, ASCII.
    S/MIME (Secure/Multipurpose Internet Mail Extensions): includes a secure envelope. S/MIME and PGP are the two popular email security methods.
    *PGP (Pretty Good Privacy): asymmetric encryption without a preshared key; extensible trust (web of trust); great for providing strong encryption of files to be sent via email.
Session layer
  PDU: data stream
  Firewall: circuit-level proxy firewalls, including SOCKS, monitor the TCP handshake between packets to determine whether a requested session is legitimate.
  Protocols:
    SQL (Structured Query Language).
    NFS (Network File System; not NTFS).

Transport layer (TCP/IP: Transport)
  PDU: segment (TCP), datagram (UDP)
  Firewall: proxy firewalls terminate the connection and open a new one on the client's behalf; nothing passes straight through as it does with packet-filter and stateful firewalls.
  Protocols:
    TCP (Transmission Control Protocol):
      1. Three-way handshake for each session.
      2. Acknowledges the state of the communication.
      3. Requires more overhead.
      Vulnerabilities:
        Teardrop: a DoS attack that sends fragmented packets with overlapping offsets that cannot be reassembled at the target machine.
        Xmas tree: a packet with all TCP flags set, used to fingerprint or crash the target's TCP stack.
    UDP (User Datagram Protocol):
      1. No sequencing, no state, no acknowledgement.
      2. Less transmission overhead; suitable for media.
      Vulnerability: Fraggle, a DDoS attack targeting UDP traffic on ports 7 (echo) and 19 (chargen).
    TLS (Transport Layer Security):
      1. The successor to SSL.
      2. The client and server first agree on an ephemeral (short-lived) symmetric session key, which is exchanged using asymmetric cryptography; subsequent communication is protected by the symmetric key.
    SSL (Secure Sockets Layer): brought the power of PKI to the web.
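The ephemeral key agreement described for TLS above, and the man-in-the-middle attack on key exchange listed under cryptanalytic attacks later in these notes, as an added example that is not part of the original notes. It is Diffie-Hellman over a freshly generated 64-bit safe prime, far too small for real use, with g = 2; the "authentication" of the public values is an HMAC under a pre-shared long-term key, standing in for the certificate signature TLS uses. All key material is generated on the fly.

```python
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """p = 2q + 1 with q prime (toy size; real groups are 2048 bits or more)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def to_bytes(x, p):
    return x.to_bytes((p.bit_length() + 7) // 8, "big")


class Party:
    """One side of a DH exchange: private exponent, public value, key derivation."""

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.priv = secrets.randbelow(p - 2) + 1
        self.pub = pow(g, self.priv, p)

    def shared_key(self, peer_pub):
        return hashlib.sha256(to_bytes(pow(peer_pub, self.priv, self.p), self.p)).digest()


def honest_exchange(p, g):
    a, b = Party(p, g), Party(p, g)
    return a.shared_key(b.pub) == b.shared_key(a.pub)


def mitm_exchange(p, g):
    """Unauthenticated DH: Mallory swaps in her own public value both ways and
    holds one key with Alice and a different one with Bob."""
    alice, bob, mallory = Party(p, g), Party(p, g), Party(p, g)
    k_alice = alice.shared_key(mallory.pub)     # Alice believes this came from Bob
    k_bob = bob.shared_key(mallory.pub)         # Bob believes this came from Alice
    return (k_alice == mallory.shared_key(alice.pub)
            and k_bob == mallory.shared_key(bob.pub)
            and k_alice != k_bob)


def authenticated_shared_key(me, peer_pub, peer_tag, long_term_key):
    """Accept a public value only with a valid MAC under the long-term key."""
    expected = hmac.new(long_term_key, to_bytes(peer_pub, me.p), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, peer_tag):
        raise ValueError("public value not authenticated")
    return me.shared_key(peer_pub)


def mitm_detected(p, g):
    ltk = secrets.token_bytes(32)               # long-term key Alice and Bob share
    alice, bob, mallory = Party(p, g), Party(p, g), Party(p, g)
    tag = lambda pub: hmac.new(ltk, to_bytes(pub, p), hashlib.sha256).digest()
    agreed = (authenticated_shared_key(alice, bob.pub, tag(bob.pub), ltk)
              == authenticated_shared_key(bob, alice.pub, tag(alice.pub), ltk))
    try:
        authenticated_shared_key(alice, mallory.pub, secrets.token_bytes(32), ltk)
        return False                            # forged value accepted: bad
    except ValueError:
        return agreed
```

The point the notes make about TLS is visible in the two halves: the asymmetric step (here DH) gives forward-secret session keys, but only an authenticated public value, a signature in TLS, stops an interceptor from sitting in the middle of that step.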
Network layer (TCP/IP: Internet)
  PDU: packet
  Hardware: router, which routes traffic from one LAN to another.
    *Static and default routes: fixed routing entries.
    *Routing protocols: aimed at automatically learning the network topology.
      - Link-state routing (LSR) protocols: consider other metrics, such as bandwidth.
      - Distance vector protocols: use "hop count" to measure distance.
      - OSPF (Open Shortest Path First): uses LSR for faster convergence.
      - RIP (Routing Information Protocol): distance vector, with a limit on the hop count (15).
    *Convergence: all routers on the network agree on the state of routing.
  *Packet anatomy: Ethernet header + IP header + data + CRC (Cyclic Redundancy Check; the recipient recalculates it to ensure the data is not garbled, i.e. reproduced in a confused and distorted way).
  *Packet-filter firewall: no concept of "state"; does not reference past packets to make the current decision.
  *Stateful firewall: compares the current packet to the previous ones in its connection table.
  Protocols:
    IP (Internet Protocol):
      1. Connectionless.
      2. Unreliable / best effort.
      3. Tunneling: reaching an IPv6 network via an IPv4 network (6to4, Teredo and similar).
    Non-IP routed protocols: NetBEUI, AppleTalk, IPX/SPX. IP firewalls are unable to filter them.
    IPsec:
      1. Contains the Authentication Header (AH) and Encapsulating Security Payload (ESP); AH acts like a digital signature, providing integrity and authentication; ESP provides confidentiality.
      2. Can be used in tunnel and transport mode:
         ESP tunnel mode: end-to-end IPsec tunnel; encrypts the entire original packet.
         ESP transport mode: encrypts only the payload; the AH is never encrypted.
      3. Supports VPN (PPTP/L2F/L2TP also support VPN; L2TP can use IPsec).
      4. A Security Association (SA) is a one-way connection used to negotiate ESP/AH; two are needed for bidirectional traffic.
      5. ISAKMP (Internet Security Association and Key Management Protocol) manages the SA creation process.
    ICMP (Internet Control Message Protocol):
      1. Adds intelligence to IP: error reporting, not correcting (stateless).
      2. Can ping hosts to see which are up and listening.
    NAT (Network Address Translation):
      1. Remaps the internal IP addresses of internal traffic; IP addresses cannot be the same inside and outside a NAT router.
      2. Often several internal IP addresses share one public IP address.
      3. Used to translate non-routable private addresses (RFC 1918).

Data link layer (TCP/IP: Link)
  PDU: frame
  Hardware:
    1. Bridge: network device that connects network segments together.
    2. Switch: a bridge that has more than two ports.
    *Switches can be used to create VLANs.
    *Port isolation is useful in multitenant environments to separate customers served by the same hypervisor.
    *SPAN (Switched Port Analyzer), aka port mirroring/monitoring, allows an IPS to see the traffic inside the VLAN. Virtualization causes a loss of visibility within the same VLAN, because traffic between VMs on one host never reaches the physical switch.
  Protocols:
    ARP (Address Resolution Protocol): uses an IP address to obtain a MAC address.
      Vulnerability: ARP poisoning = MITM; the attacker provides a fake MAC address for a victim IP. Only works within the LAN.
      Countermeasure: hardcoding static ARP entries.
    EAP (Extensible Authentication Protocol):
      1. Part of 802.1X port-based authentication.
      2. A node needs to be authenticated before connecting to the network.
      3. LEAP (dated) and PEAP (secure).
    PAP (Password Authentication Protocol): network authentication protocol that sends the password in cleartext. Countermeasure: use CHAP or EAP instead.
    CHAP (Challenge Handshake Authentication Protocol): proves knowledge of the password by answering a challenge, so the password itself is not sent.
    MAC (Media Access Control) address: tied back to the manufacturer of the hardware through the OUI prefix.
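The ARP poisoning entry and its countermeasure, as an added example that is not part of the original notes: detection logic run over a constructed list of ARP replies seen on a LAN, plus the static-entry commands an admin would pin. Addresses, MACs and the interface name are constructed; the alert rules (a pinned IP answering with a different MAC, an IP whose MAC changes, one MAC claiming several IPs) are the usual signatures of a poisoning attempt.

```python
from collections import defaultdict

# Constructed ARP replies observed on the segment: (timestamp, sender_ip, sender_mac)
SAMPLE_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),     # gateway
    (2, "10.0.0.20", "00:11:22:33:44:20"),    # workstation
    (3, "10.0.0.1", "00:11:22:33:44:01"),
    (4, "10.0.0.1", "DE:AD:BE:EF:00:99"),     # attacker claims to be the gateway...
    (5, "10.0.0.20", "de:ad:be:ef:00:99"),    # ...and the workstation: classic MITM
]

# Entries the administrator hardcoded (the countermeasure in the notes)
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, static_entries):
    """Returns a list of (timestamp, rule, subject, detail) alerts."""
    alerts = []
    seen = {}                                    # ip -> last mac observed
    mac_to_ips = defaultdict(set)                # mac -> ips it has claimed
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_entries and static_entries[ip].lower() != mac:
            alerts.append((ts, "static-mismatch", ip, mac))
        if ip in seen and seen[ip] != mac:
            alerts.append((ts, "mac-changed", ip, f"{seen[ip]} -> {mac}"))
        seen[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "one-mac-many-ips", mac, sorted(mac_to_ips[mac])))
    return alerts


def static_arp_commands(static_entries, iface="eth0"):
    """Linux commands that pin the entries so poisoned replies are ignored."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {iface} nud permanent"
            for ip, mac in static_entries.items()]


def demo():
    return detect_arp_poisoning(SAMPLE_REPLIES, STATIC_ARP), static_arp_commands(STATIC_ARP)
```

Static entries scale poorly beyond gateways and a few servers; on managed switches the same protection comes from Dynamic ARP Inspection validating replies against the DHCP snooping table.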

Physical layer
  PDU: bit (represented by energy, such as light, electricity and radio waves)
  Hardware:
    1. Repeater: receives bits on one port and repeats them out the other port.
    2. Hub: a repeater that has more than two ports.
    3. NIC (Network Interface Card) or Ethernet card: enables a computer to connect to a network.
Common TCP ports
  20, 21   FTP (data, control)
  22       SSH
  23       Telnet
  25       SMTP
  53       DNS (also UDP)
  80       HTTP
  110      POP3
  137-139  NetBIOS
  143      IMAP (Internet Message Access Protocol)
  443      HTTPS
  445      SMB / Active Directory (AD)
  515      LPD (printing)
  636      LDAPS (LDAP over SSL/TLS; plain LDAP is 389)
  1433     SQL Server

NIST Special Publications
  SP 800-12   An Introduction to Computer Security
  SP 800-34   Contingency Planning Guide
  SP 800-53A  Assessing Security and Privacy Controls
  SP 800-61   Computer Security Incident Handling Guide
  SP 800-86   Guide to Integrating Forensic Techniques into Incident Response
  SP 800-115  Technical Guide to Information Security Testing and Assessment
  SP 800-137  Information Security Continuous Monitoring (ISCM)

Common information security frameworks
  SSAE 16: based on ISAE 3402; replaced SAS 70; produces SOC 1 and SOC 2 reports.
  ISO 27001: formal specification of an information security management system (ISMS).
  ISO 27002: internationally accepted control objective framework for information security.
  SCAP (Security Content Automation Protocol): community-sourced specification for security flaws and security configuration. It is used to handle vulnerability management data so that security administrators can scan devices against a predetermined security baseline.
  COBIT: broader than ITIL; an IT governance framework.
  ITIL: focuses on IT service management.

Other standards and facts
  X.500: series of standards covering directory services.
  X.25: WAN technology.
  802.1X: port-based network access control (authentication).
  802.11: wireless LAN standard (802.11i defines its security).
  127.0.0.1: a loopback address.
  255.255.0.0: class B network subnet mask.

  Certification: validates security controls, usually internally.
  Verification: a step further than certification, involving an independent third party.
  Accreditation: the act of management (DAA, Designated Approving Authority) officially accepting an evaluated system.
Cryptography
Fields used for each entry: type, name, service, other information, vulnerability, countermeasures, application; cryptanalytic attacks are listed at the end.

One-way hash (message digest); no key
  MD5: integrity; deprecated.
  SHA-1 (Secure Hash Algorithm): integrity; deprecated.
  SHA-256: integrity; replacing SHA-1.

Symmetric key (block ciphers encrypt a fixed number of bits at a time)
  1. Key management is challenging: every pair of parties needs its own shared key.
  2. No non-repudiation (non-repudiation usually involves proving to a third party who sent a message, which a key known to both sides cannot do).
  3. More efficient key size: achieves the same work factor with a shorter key (given enough time, everything can be decrypted).
  4. Speed.
  DES (Data Encryption Standard): confidentiality. Deprecated.
    Electronic Code Book (ECB) mode lacks an initialization vector and chaining, so patterns in the plaintext can be seen in the ciphertext.
    Double DES: subject to the meet-in-the-middle attack.
  Triple DES: confidentiality. Deprecated.
  AES (Advanced Encryption Standard): confidentiality. The AddRoundKey step is an XOR with the round key.
  Blowfish: lets the user choose a key length from 32 to 448 bits; used by bcrypt on Linux. Twofish: successor of Blowfish.

Asymmetric key
  1. Based on prime numbers (one-way function).
  2. Easier key management: only the public key is distributed.
  3. Provides non-repudiation (integrity + authentication) via digital signatures.
  4. Slower.
  Great for protecting data in motion, e.g. IPsec/VPN/SSH/HTTPS, where it is used to exchange a symmetric session key.
  Diffie-Hellman: key exchange. Allows two parties to securely agree on a symmetric key over a public channel without any prior key exchange.
  RSA: key exchange; confidentiality; digital signature (integrity + authentication).
  Elliptic Curve Cryptography (ECC): key exchange; confidentiality; digital signature via ECDSA (Elliptic Curve Digital Signature Algorithm). Great for mobile devices with limited storage/processing.

Application: Public Key Infrastructure (PKI) uses all three forms (hashing, symmetric, asymmetric)
  1. Certification Authority (CA): issues and revokes digital certificates; the X.509 standard governs the creation and validation of digital certificates.
     *Digital signature: verifies a particular document or message. DSA (Digital Signature Algorithm), RSA and ECDSA are the approved signature algorithms.
     *Digital certificate: incorporates a digital signature; used by websites to enhance user trust.
  2. Organizational Registration Authority (ORA).
  3. Certificate holders.
  4. Clients that validate the signatures.
  5. Certificate Revocation List (CRL): lists the serial numbers of revoked certificates.

Cryptanalytic attacks
  1. Brute force: simple guessing by iteration; resisted by the work factor.
  2. Ciphertext-only attack: no clues; extremely difficult.
  3. Known-plaintext attack: relies on known plaintext/ciphertext pairs.
  4. Mathematical attack: attacks a mathematical flaw in the algorithm ("snake oil" crypto).
     *Kerckhoffs' principle: a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
  5. Man in the middle: attackers place themselves between two parties exchanging keys.
  6. Birthday attack: collisions in a hash appear far sooner than intuition suggests, after roughly the square root of the number of possible outputs.
  7. Dictionary attack: e.g. orangelike, orangehate, orangegood. Countermeasure: add a salt.
     *Salt: a random value added to the password before it is hashed, so one password hashes to many different values.
  8. Rainbow tables: precomputed hashes compared against captured hashes. Countermeasure: add a salt.
  9. Hybrid attack: a dictionary attack that also replaces letters with special characters.
  10. Social engineering.
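The dictionary/rainbow-table attacks and the salt countermeasure above, as an added example that is not part of the original notes. The wordlist reuses the notes' "orange" examples and is constructed; the storage format (algorithm$iterations$salt$hash) is an assumption for the demo. It shows what a precomputed table does to unsalted MD5, why a random per-password salt makes that table worthless, and that salt alone does not rescue a weak password: the attacker can still hash the wordlist against each record, which is what the iteration count is there to slow down.

```python
import hashlib
import hmac
import os

DICTIONARY = ["orangelike", "orangehate", "orangegood", "orangejuice"]   # constructed wordlist


def unsalted_md5(pw):
    return hashlib.md5(pw.encode()).hexdigest()


def precomputed_table(words):
    """The rainbow-table idea in its simplest form: hash -> password, built once."""
    return {unsalted_md5(w): w for w in words}


def hash_password(pw, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns the record to store."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, record):
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(record, words):
    """No table helps: every candidate must be re-hashed with this record's salt
    and iteration count, so cost is (iterations x words) per record."""
    for w in words:
        if verify_password(w, record):
            return w
    return None


def demo():
    table = precomputed_table(DICTIONARY)
    leaked_md5 = unsalted_md5("orangegood")            # e.g. from a dumped users table
    rec_a = hash_password("orangegood")
    rec_b = hash_password("orangegood")                # same password, new salt
    return {
        "unsalted_cracked": table.get(leaked_md5),                   # instant lookup
        "salted_hashes_differ": rec_a.split("$")[3] != rec_b.split("$")[3],
        "table_hits_salted": rec_a.split("$")[3] in table,           # False
        "verify_ok": verify_password("orangegood", rec_a),
        "verify_wrong": verify_password("orangehate", rec_a),
        "salted_cracked_by_rehashing": crack_salted(rec_a, DICTIONARY),
    }
```

Use a memory-hard function (scrypt, Argon2) or bcrypt, which the notes mention alongside Blowfish, where available; the structure of the check is the same.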
Transmission technologies
Fields used for each entry: type, transmission medium, topology, protocol, other information, protocol information, vulnerability, countermeasures.

LAN
  Medium: copper cable
  Topologies: linear (bus), tree (bus), ring, star, mesh
  Protocols:
    Ethernet: a bus topology.
    ARCNET: token passing.
    FDDI (Fiber Distributed Data Interface): uses a pair of token rings with traffic flowing in opposite directions.
    CSMA (Carrier Sense Multiple Access) with collision detection: designed to address collisions, since Ethernet is a baseband medium. Once a collision is detected, all hosts stop transmitting and wait a random period before resending.

WAN
  Medium: T1, T3, E1, E3 lines; ISPs and other long-haul network providers often use this topology.
  Protocols:
    Frame Relay: focuses on speed; CIR (Committed Information Rate); supports PVCs (permanent virtual circuits).
    X.25.
    MPLS (Multiprotocol Label Switching): custom cable plants; high performance.
    ATM (Asynchronous Transfer Mode): fixed-length cells.

Converged (several services over one network)
  VoIP (Voice over IP):
    *Private Branch Exchange (PBX), the traditional phone system, is subject to eavesdropping (physical security) and to phreaking (stealing long-distance calls), e.g. black box phreaking, which manipulates the line voltage.
    Vulnerabilities:
      1. SPIT (Spam over Internet Telephony).
      2. VLAN hopping: happens when the PC and the phone are on the same switch.
    Countermeasure: use a physically separate switch for voice. Encryption alone will not stop VLAN hopping because the switch needs to read the addresses.
  DNP3 (Distributed Network Protocol): commonly used for SCADA/ICS.

Virtual SAN (storage protocols)
  FCoE (Fibre Channel over Ethernet).
  iSCSI (Internet Small Computer System Interface).

Wireless
  Media: radio waves, electricity, light
  FHSS/DSSS/OFDM: spread-spectrum techniques that transmit on more than one frequency at the same time.
  802.11: an 802.11 NIC can operate in managed, ad hoc (P2P), master, or monitor (sniffing only) mode.
  WEP (Wired Equivalent Privacy): insecure; uses a preshared static key and a limited number of initialization vectors. Countermeasure: change to WPA2.
  WPA2 (Wi-Fi Protected Access 2); WPA was the first wireless security standard that provided reasonable security.
    1. CCMP (Counter Mode CBC-MAC Protocol) is the security standard used by WPA2.
    2. Uses AES encryption.
    3. Can use RADIUS (802.1X) authentication instead of a preshared static key.
  Bluetooth:
    1. Only has a 4-digit PIN.
    2. Weak or no encryption in legacy pairing modes.
    Vulnerability: BlueSnarfing.
    Countermeasures:
      1. Turn it off when not in use.
      2. Refrain from doing confidential activities over it, such as banking.
      3. Set it to non-discoverable.

SDN (Software Defined Networking): decouples networking from hardware; treats the network like code.

Remote access (all broadband technologies)
  ISDN.
  DSL (Digital Subscriber Line):
    1. Last-mile solution; uses existing copper pairs to provide digital services to homes and small offices.
    2. The user gets high-speed bandwidth from a phone wall jack.
  Cable modem: provides internet access via the broadband TV cable; the modem modulates binary data into analog so it can be carried over the cable.
  Dial-up: a modern dial-up modem uses PPP (Point-to-Point Protocol).
  Screen scraping / RDP (Remote Desktop Protocol), such as Microsoft RDP.
