
Threats & Countermeasures

  • Cryptanalytic Attacks

    • Ciphertext-Only Attacks

      • Ciphertext-Only Attacks are a type of cryptanalytic attack where the attacker only has access to the encrypted message and not the original plaintext.

      • Ciphertext-Only Attacks Countermeasure

        • Use well-vetted algorithms with adequate key lengths so that exhaustive key search is infeasible, and make sure the ciphertext leaks no statistical pattern: classical ciphers that preserve letter frequencies are the textbook victims of this attack.
    • Known-Plaintext Attacks

      • Known-Plaintext Attacks are cryptanalytic attacks where the attacker has knowledge of both the plaintext and its corresponding ciphertext. By analyzing this known-plaintext pair, the attacker tries to deduce the key used for encryption.

      • Known-Plaintext Attacks Countermeasure

        • Encryption algorithms with strong key generation and large key spaces can effectively counter known-plaintext attacks. Additionally, using random or pseudorandom initialization vectors can enhance the security of encryption schemes.
    • Chosen-Plaintext Attacks

      • Chosen-Plaintext attacks are a type of cryptanalytic attack where the attacker can choose specific plaintexts and analyze the corresponding ciphertext to gain information about the encryption key or algorithm.

      • Chosen-Plaintext Attacks Countermeasure

        • Use randomized (probabilistic) encryption: a fresh, unpredictable IV or nonce for every message, so that encrypting the same plaintext twice yields different ciphertexts and the attacker's chosen plaintexts reveal nothing about other messages. Deterministic modes such as ECB fail this test.
    • Chosen-Ciphertext Attacks

      • Chosen-Ciphertext Attacks are a type of cryptanalytic attack where the attacker can choose a ciphertext and obtain its corresponding plaintext.

        • In this type of attack, the attacker has the ability to submit chosen ciphertexts to a cryptographic system and observe the resulting decrypted plaintext.

          • By carefully selecting and manipulating the chosen ciphertexts, the attacker can gain information about the cryptographic key or exploit vulnerabilities in the system.
      • Countermeasures against chosen-ciphertext attacks

        • Encrypt-then-MAC (verify the tag and reject before decrypting, so a tampered ciphertext never reaches the decryption routine and the attacker gets no decryption oracle)

        • Adding Randomness (randomized padding such as RSA-OAEP instead of deterministic encryption)

        • Using Authenticated Encryption (AES-GCM, ChaCha20-Poly1305)

        • Key Wrapping (keys in transit are themselves protected with an integrity-checked construction such as AES Key Wrap)

        • Limiting the Number of Queries (rate-limit decryption requests and return one uniform error; padding-oracle attacks need thousands of distinguishable responses)

    • Differential Cryptanalysis

      • Differential cryptanalysis is a chosen-plaintext attack that encrypts many pairs of plaintexts with a fixed difference (XOR) and tracks how that difference propagates through the cipher's rounds; an output difference that occurs with higher than random probability reveals bits of the last round key, from which the secret key is recovered.
    • Linear Cryptanalysis

      • Linear cryptanalysis is a cryptanalytic attack method that exploits the characteristics of linear approximations to break encryption algorithms.

        • It analyzes the linear relationships between plaintext, ciphertext, and the key to discover the key used in the encryption.

        • By finding enough linear approximations, the attacker can deduce the key, compromising the security of the encryption.

      • Countermeasures against linear cryptanalysis include using S-boxes with strong non-linear properties and carefully designing the encryption algorithm to resist linear attacks.

    • Side-Channel Attacks

      • Side-channel attacks are a type of cryptanalytic attack that exploit information leaked through side channels, such as power consumption or electromagnetic radiation.

      • Side-Channel Attacks countermeasure

        • Constant-time implementations (no secret-dependent branches, loop bounds or memory accesses), masking or blinding of secret values so that intermediate data is randomized, and hardware measures such as noise injection and electromagnetic shielding against power and EM analysis
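The timing variant of a side-channel attack is the one most often introduced in software: a token or MAC comparison that returns at the first mismatching byte lets an attacker recover the secret byte by byte. The following is an added example, not code from the original page. To keep it deterministic, the leaky comparison reports how many bytes it examined, which stands in for the response time an attacker would measure against a real server; the secret value is constructed for the demo, and hmac.compare_digest is the real countermeasure.

```python
import hmac
from typing import Callable, Tuple

SECRET_TAG = bytes.fromhex("3fa1c7")   # constructed 3-byte secret (e.g. an API token)

Oracle = Callable[[bytes], Tuple[bool, int]]


def leaky_compare(candidate: bytes, expected: bytes) -> Tuple[bool, int]:
    """Early-exit compare. Returns (equal, bytes_examined); the second value
    stands in for the response time an attacker would measure."""
    if len(candidate) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(candidate, expected):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(candidate: bytes, expected: bytes) -> Tuple[bool, int]:
    """hmac.compare_digest touches every byte whatever the input, so the work
    (and hence the timing) no longer depends on where the mismatch is."""
    return hmac.compare_digest(candidate, expected), len(expected)


def recover_secret(oracle: Oracle, length: int) -> bytes:
    """Timing attack: extend the guess one byte at a time, keeping the byte
    value for which the oracle does the most work (it got one byte further).
    Against the leaky oracle this needs at most 256 * length queries instead
    of 256 ** length."""
    known = b""
    for pos in range(length):
        best_value, best_work = 0, -1
        for value in range(256):
            guess = known + bytes([value]) + bytes(length - pos - 1)
            equal, work = oracle(guess)
            if equal:            # full match found (only possible on the last byte)
                return guess
            if work > best_work:
                best_value, best_work = value, work
        known += bytes([best_value])
    return known


if __name__ == "__main__":
    leaky = lambda g: leaky_compare(g, SECRET_TAG)
    safe = lambda g: constant_time_compare(g, SECRET_TAG)
    print("leaky compare   ->", recover_secret(leaky, len(SECRET_TAG)).hex())
    print("constant-time   ->", recover_secret(safe, len(SECRET_TAG)).hex())
```

Against the constant-time oracle every wrong guess does the same amount of work, so the attack loop has nothing to maximize and returns a value unrelated to the secret. In a real system the measurements are noisy and each guess is repeated many times, but the structure of the attack is the same.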
    • Replay Attacks

      • Replay Attacks are a type of cryptanalytic attack where an attacker intercepts and maliciously replays valid data transmissions.

      • Replay Attacks countermeasure

        • Include a timestamp and a nonce (a unique value that is never reused) or a monotonically increasing sequence number in every message, bind them to the message contents with a MAC or signature so they cannot be altered, and have the receiver reject any message whose timestamp falls outside the accepted window or whose nonce has already been seen.
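A receiver that applies the timestamp-plus-nonce countermeasure, as an added example that is not part of the original page. The shared key, the 30-second skew window and the message layout are assumptions chosen for the demo; the HMAC is what stops an attacker from simply attaching a fresh nonce to an old message body.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

SHARED_KEY = b"demo-shared-key-not-for-production"   # constructed
MAX_SKEW_SECONDS = 30                                  # accepted clock skew


def _mac(key: bytes, ts: int, nonce: str, body: str) -> str:
    # JSON gives an unambiguous encoding of the three fields, so no field
    # boundary can be shifted without changing the MAC input.
    msg = json.dumps([ts, nonce, body]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_message(key: bytes, body: str, now: int) -> Dict:
    nonce = secrets.token_hex(16)          # 128 random bits: never repeats in practice
    return {"ts": now, "nonce": nonce, "body": body, "mac": _mac(key, now, nonce, body)}


class ReplayGuard:
    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[str, int] = {}     # nonce -> timestamp it carried

    def _expire(self, now: int) -> None:
        # A nonce older than the window would be rejected as stale anyway,
        # so forgetting it keeps the cache bounded without opening a replay.
        cutoff = now - self.max_skew
        for nonce in [n for n, ts in self.seen.items() if ts < cutoff]:
            del self.seen[nonce]

    def accept(self, msg: Dict, now: int) -> Tuple[bool, str]:
        # 1. Authenticate first: the attacker must not be able to edit ts/nonce.
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        # 2. Freshness: outside the clock-skew window is rejected outright.
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"
        # 3. Uniqueness: the same nonce is never accepted twice inside the window.
        self._expire(now)
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


def demo() -> List[str]:
    """Constructed exchange: one honest message, then three attacker attempts."""
    guard = ReplayGuard(SHARED_KEY)
    t0 = 1_700_000_000
    msg = build_message(SHARED_KEY, "transfer 100 to acct 42", now=t0)
    results = [guard.accept(msg, now=t0 + 5)[1]]                      # ok
    results.append(guard.accept(msg, now=t0 + 7)[1])                  # replayed nonce
    tampered = dict(msg, body="transfer 900 to acct 42")
    results.append(guard.accept(tampered, now=t0 + 7)[1])             # bad mac
    forged = dict(msg, nonce="00" * 16)                               # new nonce, old MAC
    results.append(guard.accept(forged, now=t0 + 7)[1])               # bad mac
    results.append(guard.accept(msg, now=t0 + 100)[1])                # stale timestamp
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified before anything else so that an unauthenticated message can never influence the nonce cache, and the timestamp window is what allows the cache to stay small.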
    • Algebraic Attacks

      • Algebraic attacks are a type of cryptanalytic attack that exploit the algebraic structure of cryptographic algorithms: the cipher is written as a system of multivariate equations in the key, plaintext and ciphertext bits, which the attacker then tries to solve. They are most effective against ciphers whose nonlinear components have low algebraic degree (several LFSR-based stream ciphers have fallen this way); algebraic attacks proposed against modern block ciphers such as AES have not been shown to be practical.

      • Countermeasures against algebraic attacks include choosing components (S-boxes, filter functions) with high algebraic degree and algebraic immunity, using well-analyzed standard algorithms, implementing proper key management practices, and keeping cryptographic systems updated.

    • Analytic Attacks

      • Analytic attacks are a type of cryptanalytic attack that involves analyzing the cryptographic algorithm used in a system to find weaknesses or vulnerabilities. These attacks often rely on mathematical techniques and algorithms to break the encryption and gain unauthorized access to encrypted data.

      • Analytic Attacks countermeasure

        • Use publicly vetted, standardized algorithms rather than proprietary or homegrown ones, retire an algorithm once published analysis weakens it (as happened with DES, MD5 and SHA-1), and layer access controls and intrusion detection around the cryptographic system.
    • Statistical Attacks

      • Statistical attacks are a type of cryptanalytic attack that exploit patterns and statistical properties of a cryptographic system to gain unauthorized access or information. These attacks analyze the frequency of occurrence of specific elements or patterns in encrypted data to deduce the underlying message or key.
    • Social Engineering Attacks

      • Social engineering attacks are manipulative tactics used by attackers to deceive and manipulate individuals into revealing sensitive information or performing actions that can compromise security.
    • Meet-in-the-Middle Attacks

      • Meet-in-the-Middle Attacks are a known-plaintext attack against ciphers built by applying a cipher more than once with independent keys (e.g. double DES). The attacker encrypts the known plaintext under every candidate first key, decrypts the known ciphertext under every candidate second key, and looks for a match in the middle; this costs roughly 2 x 2^k cipher operations (plus memory for a lookup table) instead of the 2^2k that the doubled key length suggests, which is why Triple DES rather than double DES is used.
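The attack carried out against a toy double-encryption scheme, as an added example that is not part of the original page. The 16-bit Feistel cipher, its key schedule, the key pair and the known plaintexts are all constructed for the demo; the attack logic (forward table from the plaintext, backward walk from the ciphertext, match in the middle, then filter false matches with extra pairs) is the one used against double DES. Two 16-bit keys give a 2^32 key space, yet the attack finishes with about 2 x 2^16 cipher calls.

```python
from functools import lru_cache
from typing import Dict, List, Tuple

ROUNDS = 8
# 4-bit S-box from the PRESENT cipher, applied to both nibbles of a half-block.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
ROUND_CONST = [0x9E, 0x37, 0x79, 0xB9, 0x7F, 0x4A, 0x7C, 0x15]   # constructed


def _f_raw(x: int) -> int:
    """Round function: S-box on both nibbles, then rotate left by 3."""
    s = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    return ((s << 3) | (s >> 5)) & 0xFF


F_TABLE = [_f_raw(x) for x in range(256)]       # tabulated for speed


@lru_cache(maxsize=None)
def round_keys(key: int) -> Tuple[int, ...]:
    """Toy key schedule: each 8-bit round key mixes both bytes of the 16-bit key."""
    return tuple(((key >> i) ^ (key >> (i + 8)) ^ ROUND_CONST[i]) & 0xFF
                 for i in range(ROUNDS))


def encrypt_block(block: int, key: int) -> int:
    """16-bit Feistel network: 8-bit halves, 8 rounds."""
    left, right = block >> 8, block & 0xFF
    for rk in round_keys(key):
        left, right = right, left ^ F_TABLE[right ^ rk]
    return (left << 8) | right


def decrypt_block(block: int, key: int) -> int:
    left, right = block >> 8, block & 0xFF
    for rk in reversed(round_keys(key)):
        left, right = right ^ F_TABLE[left ^ rk], left
    return (left << 8) | right


def double_encrypt(block: int, k1: int, k2: int) -> int:
    return encrypt_block(encrypt_block(block, k1), k2)


def known_pairs(k1: int, k2: int, plaintexts=(0x1234, 0xBEEF, 0x0F0F)) -> List[Tuple[int, int]]:
    """What the attacker is assumed to have: a few plaintext/ciphertext pairs."""
    return [(p, double_encrypt(p, k1, k2)) for p in plaintexts]


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Return every (k1, k2) consistent with all known pairs."""
    p0, c0 = pairs[0]
    # Forward half: E_k1(p0) for all 2^16 k1, indexed by the middle value.
    forward: Dict[int, List[int]] = {}
    for k1 in range(1 << 16):
        forward.setdefault(encrypt_block(p0, k1), []).append(k1)
    # Backward half: D_k2(c0) for all 2^16 k2; a hit in the table is a candidate.
    candidates = []
    for k2 in range(1 << 16):
        middle = decrypt_block(c0, k2)
        for k1 in forward.get(middle, ()):
            # With a 16-bit block one pair leaves ~2^16 false matches;
            # the remaining pairs filter them out.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    K1, K2 = 0x3A7F, 0xC415                        # constructed secret key pair
    found = meet_in_the_middle(known_pairs(K1, K2))
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
```

The forward table is the memory cost of the attack (2^16 entries here, 2^56 for double DES), which is the usual practical obstacle; the time cost is two single-key searches rather than one search over the product of the key spaces.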
  • Network Attacks

    • Phishing Attacks

      • Types

        • Email Phishing

          • Email phishing is a type of phishing attack that involves sending fraudulent emails to deceive recipients into revealing sensitive information such as passwords, credit card numbers, or social security numbers.
        • Spear Phishing

          • Spear phishing is a targeted form of phishing attack that focuses on specific individuals or organizations.
        • Whaling

          • Whaling is a type of phishing attack that specifically targets high-level executives or important individuals within an organization.
        • Vishing

          • Vishing is a type of phishing attack that involves voice communication.
        • Smishing

          • Smishing is a type of phishing attack that involves using SMS messages to trick victims into revealing sensitive information or downloading malicious software.
        • Social Media Phishing

          • Social media phishing is a type of phishing attack where attackers trick users into revealing sensitive information or performing malicious actions on social media platforms.
        • Watering Hole Attacks

          • Watering hole attacks are a type of network attack where the attacker compromises a website that the target frequently visits, with the goal of infecting their computer with malware. The attacker then waits for the target to visit the compromised website, unknowingly downloading the malware onto their system.
      • Countermeasure

        • Be cautious of suspicious emails

        • Do not click on unknown links

        • Verify the sender's identity

        • Use strong and unique passwords

        • Enable two-factor authentication

        • Regularly update software and applications

        • Educate employees about phishing techniques

    • Malware Attacks

      • Types

        • Viruses

          • Viruses are a type of malware that can infect computers and other devices. They are designed to replicate and spread, often causing damage to files and system functionality.
        • Worms

          • Worms are a type of malware that can replicate itself and spread across a network without any user interaction.
        • Trojans

          • Trojans are a type of malware that disguises itself as legitimate software or files, tricking users into downloading or executing them. Once activated, Trojans can perform various malicious activities such as stealing sensitive information, installing backdoors, or causing system damage.
        • Ransomware

          • Ransomware is a type of malware that encrypts the victim's files and demands a ransom to decrypt them.
        • Spyware

          • Spyware is a type of malware that is designed to secretly gather information from a computer or device.
        • Adware

          • Adware is a type of malware that is designed to display unwanted advertisements on a user's device. It can be installed without the user's knowledge and can affect the performance of the device.
        • Rootkits

          • Rootkits are a type of malicious software that allows unauthorized access to a computer system or network. They are often used to hide other malware or provide persistent control over the infected system.
      • Countermeasure

        • Install antivirus software

        • Keep antivirus software up to date

        • Regularly scan for malware

        • Use a firewall

        • Avoid downloading files from untrusted sources

        • Be cautious of email attachments

    • Denial of Service (DoS) Attacks

      • Types

        • Teardrop Attack

          • is a denial of service (DoS) attack that sends the target a stream of IP fragments whose offsets overlap. A bug in the target's TCP/IP fragment-reassembly code cannot handle the overlapping fragments, so the target device crashes.
        • Fraggle Attack

          • is a denial of service (DoS) attack that sends a large amount of UDP traffic, with the source address spoofed to the victim, to the broadcast address of a third-party network so that every host on it replies to the victim. It is very similar to a Smurf Attack, which achieves the same amplification with spoofed ICMP echo requests rather than UDP traffic.
        • Land Attack

          • is a Layer 4 Denial of Service (DoS) attack in which the attacker sends a spoofed TCP SYN segment whose source IP address and port are identical to the destination IP address and port. A vulnerable machine crashes or freezes because its TCP stack ends up replying to itself and processing the packet repeatedly.
        • Flooding Attacks

          • Flooding attacks are a type of denial of service (DoS) attack where the attacker overwhelms a system or network with excessive traffic or requests.
        • TCP/IP Attacks

          • TCP/IP Attacks involve exploiting weaknesses in the TCP/IP protocol suite itself, for example SYN floods that exhaust a server's half-open connection table, or malformed-packet attacks such as Teardrop and Land that crash vulnerable stacks.
        • Distributed Denial of Service (DDoS) Attacks

          • DDoS attacks are a type of network attack where multiple compromised computers are used to flood a target system or network with a massive amount of traffic, rendering it inaccessible to legitimate users.
        • Application Layer Attacks

          • Application layer attacks target vulnerabilities in the application layer of the network stack. They exploit weaknesses in the protocols and services used by applications to communicate.
        • Volume-Based Attacks

          • Volume-based attacks are a type of denial of service (DoS) attack that flood a network or system with a high volume of traffic, overwhelming its capacity to function properly.
        • Protocol Attacks

          • Protocol attacks are a type of denial of service (DoS) attack that target vulnerabilities within network protocols.
        • Resource Exhaustion Attacks

          • Resource Exhaustion Attacks refer to a type of Denial of Service (DoS) attack where the attacker overwhelms a target system with a high volume of requests or consumes all its resources, causing it to become unresponsive or crash.
      • Countermeasure

        • Increase Network Bandwidth

        • Implement Traffic Shaping

        • Filter Traffic

        • Implement Intrusion Detection/Prevention Systems (IDS/IPS)

        • Configure Firewalls

        • Distribute Network Resources

        • Implement Rate Limiting

    • Man-in-the-Middle (MitM) Attacks

      • Types

        • IP Spoofing

          • IP spoofing is a type of network attack where an attacker disguises their IP address to make it appear as if it is coming from a trusted source.
        • ARP Poisoning

          • ARP Poisoning is a type of Man-in-the-Middle attack where an attacker sends falsified Address Resolution Protocol (ARP) messages over a local area network.
        • DNS Spoofing

          • DNS spoofing is a type of man-in-the-middle attack that manipulates the DNS resolution process to redirect users to malicious websites.
        • HTTPS Spoofing

          • HTTPS Spoofing is a type of Man-in-the-Middle (MitM) attack.

          • In HTTPS Spoofing, an attacker intercepts the communication between a user and a website.

          • The attacker then poses as the legitimate website to the user, making them believe they are interacting with the real website.

          • This can lead to the user unknowingly sharing sensitive information with the attacker.

        • Session Hijacking

          • Session hijacking is a type of man-in-the-middle attack where an attacker intercepts and steals a user's session ID to gain unauthorized access to a system or network.
        • SSL Stripping

          • SSL Stripping is a type of Man-in-the-Middle (MitM) attack where the attacker intercepts the communication between a user and a website, and downgrades the secure HTTPS connection to an unsecured HTTP connection.
        • Wi-Fi Eavesdropping

          • Wi-Fi Eavesdropping refers to the unauthorized interception of wireless network traffic.

          • Attackers can use specialized tools to capture and analyze data transmitted over Wi-Fi networks.

          • By eavesdropping on Wi-Fi communications, attackers can gain access to sensitive information such as login credentials, financial data, and personal information.

          • To counter Wi-Fi eavesdropping, use strong encryption protocols such as WPA3 or WPA2 (AES/CCMP), never WEP or open networks, and on untrusted or public Wi-Fi rely on end-to-end protection such as TLS or a VPN.

      • Man-in-the-Middle (MitM) Countermeasure

        • Implementing strong encryption protocols

        • Using digital certificates and certificate authorities

        • Implementing secure authentication mechanisms

        • Monitoring network traffic for suspicious activities

        • Educating users about phishing and social engineering techniques

        • Regularly updating software and security patches

        • Implementing network segmentation to isolate critical systems

    • Password Attacks

      • Types

        • Dictionary Attacks

          • Dictionary attacks are a type of password attack where an attacker tries each entry of a wordlist (dictionary words, previously leaked passwords and common variations of them) to gain unauthorized access to a system or account.
        • Brute Force Attacks

          • Brute force attacks are a type of password attack where an attacker attempts to guess a password by systematically trying all possible combinations until the correct one is found.
        • Rainbow Table Attacks

          • Rainbow table attacks are a type of password attack against unsalted password hashes.

          • In rainbow table attacks, precomputed tables are used to crack hashed passwords.

          • These tables do not store every password/hash pair: they store chains of alternating hash and "reduction" steps and keep only each chain's start and end point, trading table size for some recomputation at lookup time.

          • By reducing the target hash along the chain structure until it reaches a stored end point, the attacker regenerates that chain and recovers the original password. A unique random salt per password defeats this, because a table would have to be built for every salt.

        • Keylogging

          • Keylogging is a type of password attack where a malicious program records every keystroke made by a user.
        • Shoulder Surfing

          • Shoulder surfing is a type of password attack where an attacker looks over the victim's shoulder to gain access to their password.
        • Password Spraying

          • Password spraying is a type of password attack where an attacker tries a small number of commonly used passwords against multiple user accounts.
        • Credential stuffing

          • Credential stuffing replays username/password pairs leaked from a breach of one service against other services, exploiting password reuse across sites.

        • Mimikatz

          • Read Passwords from Memory

          • Extract Kerberos Tickets

          • Extract Certificates and Private Keys

          • Read LM and NTLM Password Hashes in Memory

          • Read Cleartext Passwords in Local Security Authority Subsystem Service (LSASS)

          • List Running Processes

      • Countermeasure

        • Enforce multi-factor authentication, require strong and unique passwords, store passwords only as salted hashes from a slow KDF (bcrypt, scrypt, Argon2 or PBKDF2), rate-limit and lock out repeated failures, and protect in-memory credentials (e.g. Credential Guard, LSA protection) against tools such as Mimikatz.
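A miniature rainbow table, its lookup procedure, and the countermeasures that break it, as an added example that is not part of the original page; it illustrates both the rainbow-table bullets above and the salted/slow-hash countermeasure. The password space (4-digit PINs hashed with plain SHA-256), the chain parameters and the reduction function are constructed for the demo. The table stores only chain end points, which is why lookup has to re-walk chains.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

SPACE = 10_000        # toy password space: "0000".."9999"
CHAIN_LEN = 25
NUM_CHAINS = 4_000


def H(pin: str) -> str:
    """The unsalted hash the table is built against."""
    return hashlib.sha256(pin.encode()).hexdigest()


def reduce_fn(digest: str, column: int) -> str:
    """Map a digest back into the password space. A different reduction per
    column is what makes this a rainbow table (Oechslin) rather than a plain
    Hellman chain table; it stops chains merging unless they collide in the
    same column."""
    return f"{(int(digest[:12], 16) + column) % SPACE:04d}"


def build_table() -> Dict[str, str]:
    """Only end points are stored (end -> start); the intermediate
    password/hash pairs are recomputed on demand at lookup time."""
    table: Dict[str, str] = {}
    for start_idx in range(NUM_CHAINS):
        start = f"{start_idx:04d}"           # distinct start points
        cur = start
        for col in range(CHAIN_LEN):
            cur = reduce_fn(H(cur), col)
        table[cur] = start                   # merged chains collide here; one is lost
    return table


def lookup(table: Dict[str, str], target: str) -> Optional[str]:
    """Recover the password behind an unsalted digest, or None if not covered."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in column `col` and walk to that chain's end.
        x = reduce_fn(target, col)
        for j in range(col + 1, CHAIN_LEN):
            x = reduce_fn(H(x), j)
        start = table.get(x)
        if start is None:
            continue
        # Regenerate the chain up to column `col` and verify: a false alarm
        # occurs when an unrelated chain happens to end at the same point.
        cand = start
        for j in range(col):
            cand = reduce_fn(H(cand), j)
        if H(cand) == target:
            return cand
    return None


def coverage(table: Dict[str, str], sample: Iterable[str]) -> int:
    """How many of the sampled PINs the table recovers from their unsalted hash."""
    return sum(lookup(table, H(pin)) == pin for pin in sample)


def salted_hash(pin: str, salt: bytes) -> str:
    """Same fast hash, but with a per-password salt: the table no longer applies."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def store_password(pin: str, iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """What a password store should do: random salt plus a slow KDF.
    Returns (salt, derived_key)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def verify_password(pin: str, salt: bytes, stored: bytes, iterations: int = 200_000) -> bool:
    derived = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    table = build_table()
    sample = [f"{(i * 3571) % SPACE:04d}" for i in range(40)]
    print(f"stored end points: {len(table)}, recovered {coverage(table, sample)}/40 sampled PINs")
    print("salted lookup:", lookup(table, salted_hash("1234", os.urandom(16))))
```

Chain merges mean a single table never covers the whole space (real attacks use several tables with different reductions), but the point is the asymmetry: the table is built once and then cracks any unsalted hash it covers instantly, whereas a salt forces a rebuild per password and a slow KDF makes each rebuild cost as much as the online guessing it was meant to avoid.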
    • Wireless Attacks

      • Types

        • WEP Cracking

        • WPA/WPA2 Cracking

        • Evil Twin Attacks

        • Rogue Access Points

        • Packet Sniffing

        • Deauthentication Attacks

        • Bluejacking

      • Countermeasure

        • Use WPA3, or WPA2 with AES/CCMP, and disable WEP, TKIP and WPS; enable Protected Management Frames (802.11w) so deauthentication frames cannot be forged; use 802.1X/EAP with server-certificate validation on enterprise networks so clients cannot be lured to an evil twin; run wireless IDS / rogue access point detection; and keep Bluetooth non-discoverable when not pairing.
    • Eavesdropping

      • Simply listening to communication traffic for the purpose of duplicating it and/or extracting confidential information.

        • Difficult to detect because it is a passive attack.

      • COUNTERMEASURES: maintain physical access security, encryption in transit (IPsec, SSH, TLS), one-time authentication methods (one-time pads, tokens)

    • Impersonation / Masquerading

      • Usually implies that authentication credentials have been stolen or falsified in order to bypass authentication mechanisms.

      • COUNTERMEASURES: one-time pads, token-based authentication systems (e.g. Kerberos tickets), encrypt traffic, employee awareness training.

    • DNS attacks

      • Types

        • DNS poisoning

          • The attacker alters the domain name to IP address mappings in a DNS system (cache or zone), which may redirect traffic to a rogue system or perform a denial of service against the system.
        • DNS spoofing

          • The attacker sends false replies to a requesting system, beating the real reply from the valid DNS server.
        • Homograph Attack

          • Leverages similarities between character sets to register phony internationalized domain names (IDNs) that appear legitimate to the naked eye.
      • Countermeasure

        • Client-side: modern browsers display an IDN in its Punycode (xn--) form rather than as Unicode when a label mixes scripts or matches a known confusable, which exposes the look-alike

        • Server-side: IDN registration policies implemented by ICANN and registries (restrictions on mixed-script labels)

        • Against poisoning and spoofing: DNSSEC signing and validation, so forged or altered records fail their signature check

    • Drive-by Download

      • A drive-by download occurs when a user visits a website that is hosting malicious code and automatically gets infected.
  • Mobile Attacks

    • Mobile malware

      • Mobile malware refers to malicious software specifically designed to target mobile devices such as smartphones and tablets.
    • Wi-Fi eavesdropping

      • Wi-Fi eavesdropping is a type of mobile and wireless attack where an attacker intercepts and monitors the data transmitted over a Wi-Fi network.
    • Bluetooth attacks

      • Bluejacking

        • Pranksters push unsolicited messages to engage or annoy other nearby Bluetooth devices through a loophole in Bluetooth messaging options
      • Bluesnarfing

        • Data theft using Bluetooth. Vulnerable devices are those using Bluetooth in public places with the device in discoverable mode.
      • Bluebugging

        • Developed a year after bluejacking; the attacker gains control of the phone (placing calls, reading messages) through a backdoor before returning control to its owner.
    • SMiShing attacks

      • SMiShing attacks are a type of mobile and wireless attack where the attacker uses SMS or text messages to deceive and trick users into revealing sensitive information or downloading malicious software.
  • Access Control Attacks

    • Unauthorized access

      • Password cracking

      • Brute force attack

      • Dictionary attack

      • Rainbow table attack

    • Privilege escalation

      • Exploiting software vulnerabilities

      • Exploiting misconfigurations

    • Social engineering

      • Phishing

      • Baiting

      • Tailgating

      • Impersonation

    • Insider threats

      • Data theft

      • Sabotage

      • Fraud

    • Sniffer Attacks

      • In a sniffer attack (or snooping attack) an attacker uses a packet capturing tool (such as a sniffer or protocol analyzer) to capture, analyze, and read data sent over a network. Attackers can easily read data sent over a network in cleartext. Encrypting data in transit stops this type of attack.
    • Spoofing Attacks

      • Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks. Attackers often try to obtain the credentials of users so that they can spoof the user's identity. Spoofing attacks include email spoofing, phone number spoofing, and IP spoofing. Many phishing attacks use spoofing methods.
    • Phishing Attack

      • A phishing attack is a type of cyber attack where the attacker pretends to be a trustworthy entity in order to trick the victim into revealing sensitive information, such as passwords or credit card numbers.
    • Access Aggregation

      • is a type of attack that combines, or aggregates, non-sensitive information to learn sensitive information, and is used in reconnaissance attacks.
    • Access Control CounterMeasure

      • Implementing principle of least privilege and Need-to-know

      • Implementing strong and complex passwords

      • Enforcing multi-factor authentication

      • Regularly updating access control policies

      • Implementing role-based access control

      • Monitoring and auditing access control activities

      • Implementing strong encryption for authentication credentials

  • Application Attack

    • Buffer Overflow

      • Buffer overflow is an application attack where a program writes data outside the boundaries of a fixed-size buffer.

      • Countermeasures: input validation and bounds checking on every length and index; memory-safe languages or bounded library calls (snprintf/strncpy rather than sprintf/strcpy); and compiler/OS mitigations such as stack canaries, ASLR and non-executable stacks (DEP/NX) that make a remaining overflow hard to exploit.

    • Back Door

      • A back door is a hidden entry point in an application that allows unauthorized access to the system.

      • Countermeasures: firewalls, anti malware, network monitoring, code review

    • Time of Check to Time of Use

      • a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.

      • Countermeasure: file locking, transactions in the file system or OS kernel, and acting on the already-opened file descriptor rather than re-resolving the path after the check.

    • Rootkit (escalation of privilege)

      • freely available on the internet and exploit known vulnerabilities in various operating systems enabling attackers to elevate privilege.

      • Countermeasures: keep security patches up to date, anti-malware software

    • Countermeasure, Prevention & Best practice

      • Code Security

        • Code Signing

        • Code Reuse

        • Software Diversity

        • Code Repositories

        • Resilience

      • Secure Coding Practices

        • Input Validation

        • Authentication and Password Management

        • Cryptographic Practices

        • File/Database Security

        • Memory Management

  • Multi-Attack Prevention

    • Multi-Factor Authentication

      • Something you know (pin or Password)
        Something you have (trusted Devices)
        Something you are (Biometric)

      • Prevents

        • Phishing

        • Spear phishing

        • Keyloggers

        • Credential stuffing

        • Brute force and reverse brute force attacks

        • Man in the middle (MITM) attacks

  • Web Application Attack

    • Exploiting Web Application Vulnerabilities

      • Cross-Site Scripting (XSS)

        • Reflected XSS

        • Stored/persistent XSS

      • Request Forgery

        • Cross-Site Request Forgery (CSRF/XSRF)

        • Server-Side Request Forgery (SSRF)

      • Session Hijacking

    • Injections Vulnerabilities

      • SQL Injection

      • Blind Content-Based SQL Injection

      • Blind Timing-Based SQL Injection

      • Code Injection Attacks

      • Command Injection Attacks

    • Exploiting Authorization Vulnerabilities

      • Insecure Direct Object References

      • Directory Traversal

      • File Inclusion

    • Countermeasure, Prevention & Best practice

      • Application Security Controls

        • Input Validation

        • Web Application Firewalls

      • API Security

        • Authentication and Authorization (Access Token/Oauth)

        • Encryption (TLS)

        • API Gateways

        • Data Validation

        • Quotas and Throttling

        • Testing and Validation

  • RDBMS threats and vulnerabilities

    • Aggregation

    • Inference

    • Other attacks on RDBMS include SQL injection, TOC/TOU, backdoor, and DoS.

    • Countermeasure

      • Database Security

        • Parameterized Queries and stored Procedure

        • Obfuscation & Camouflage
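A login-check function vulnerable to SQL injection, the boolean-based blind extraction loop listed earlier under Injection Vulnerabilities, and the parameterized-query countermeasure listed here, as an added example that is not part of the original page. The schema, the users and the "secret" column are constructed for the demo (SQLite in memory); the oracle is the function's true/false answer, which is all a blind injection needs.

```python
import sqlite3
from typing import Callable, Tuple

HEX = "0123456789abcdef"


def setup_db() -> sqlite3.Connection:
    """Constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', '7f3a9c')")
    conn.execute("INSERT INTO users VALUES ('alice', 'b01d11')")
    conn.commit()
    return conn


def user_exists_vuln(conn: sqlite3.Connection, name: str) -> bool:
    """Vulnerable: attacker-controlled text is spliced into the SQL itself."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, name: str) -> bool:
    """Fixed: the value is bound as a parameter and can never become syntax."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def blind_extract(oracle: Callable[[str], bool], target_user: str, length: int) -> str:
    """Boolean-based blind SQLi: every query asks one yes/no question
    ("is character N of the secret X?") and reads the answer from the
    function's true/false result. Cost: at most len(HEX) queries per character."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            # Closes the string literal, appends a condition, comments out the rest.
            payload = f"{target_user}' AND substr(secret, {pos}, 1) = '{ch}' -- "
            if oracle(payload):
                recovered += ch
                break
        else:
            raise ValueError(f"no character matched at position {pos}")
    return recovered


def demo() -> Tuple[str, bool, bool]:
    conn = setup_db()
    leaked = blind_extract(lambda p: user_exists_vuln(conn, p), "admin", 6)
    bypass_vuln = user_exists_vuln(conn, "' OR '1'='1")   # tautology: always "exists"
    bypass_safe = user_exists_safe(conn, "' OR '1'='1")   # looked up literally: no such user
    return leaked, bypass_vuln, bypass_safe


if __name__ == "__main__":
    leaked, bypass_vuln, bypass_safe = demo()
    print(f"secret leaked through the boolean oracle: {leaked}")
    print(f"tautology bypass: vulnerable={bypass_vuln}, parameterized={bypass_safe}")
```

Run the extraction loop against the parameterized function and it raises at the first position, because the payload is compared as a literal user name and never evaluates to true. The timing-based variant from the Injection list works the same way with a deliberately slow condition (a sleep or heavy query) standing in for the true/false result; the parameterized query defeats it for the same reason.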

  • Computer Virus

    • Virus Technologies

      • Multipartite Viruses

      • Stealth Viruses

      • Polymorphic Viruses

      • Encrypted Viruses

    • Virus Propagation Techniques

      • Master Boot Record Viruses

      • File Infector Viruses

      • Macro Viruses

      • Service Injection Viruses

  • Kerberos Exploitation Attacks

    • Pass-the-hash (pth)

    • Overpass the Hash

    • Pass the Ticket

    • Silver Ticket

    • Golden Ticket

    • Kerberos Brute-Force:

    • Kerberoasting

  • Other Attacks

    • Tempest

      • Electromagnetic radiation attacks

      • Compromised display cables

      • Bispectral analysis attacks

      • Timing attacks

      • Acoustic cryptanalysis

      • Optical surveillance attacks

      • Protecting against Tempest attack

        • White Noise

        • Physical security measures

        • Electromagnetic shielding

        • Encryption techniques

        • Monitoring and detection systems

    • Human Elements

      • Collusion

      • Fraud

      • Espionage

        • when a competitor tries to steal information, and they may use an internal employee.
      • Sabotage

        • malicious insiders can perform sabotage against an org if they become disgruntled for some reason
      • Countermeasure

        • Separation of duties

          • a basic security principle that ensures that no single person can control all the elements of a critical function or system.
        • Job rotation

          • employees are rotated into different jobs, or tasks are assigned to different employees.
    • Computer Crimes

      • 6 Types

        • Military and intelligence attacks

        • Business attacks

        • Financial attacks

        • Terrorist attacks

        • Grudge attacks

        • Thrill attacks

  • Malicious Code and Application Attacks

    • Viruses

      • Virus Technologies

        • Multipartite Viruses

          • Multipartite viruses are a type of malicious code that infects both the boot sector and executable files of a computer system.
        • Stealth Viruses

          • Stealth viruses are a type of malicious code that are designed to hide their presence on a computer system.
        • Polymorphic Viruses

          • Polymorphic viruses are a type of malicious code that can change their own code in order to evade detection by antivirus software.
        • Encrypted Viruses

          • Encrypted viruses are a type of malicious code that are designed to be difficult to detect and analyze.
      • Virus Propagation Techniques

        • Master Boot Record Viruses

          • Master Boot Record (MBR) viruses are a type of malicious code that infects the master boot record of a computer's hard drive.

          • These viruses typically spread through infected storage devices or by exploiting vulnerabilities in the boot process.

          • Once the MBR virus infects a computer, it can overwrite or modify the existing boot code, allowing it to execute its malicious payload during the boot process.

          • Countermeasures against MBR viruses include using reliable antivirus software, regularly updating system software and firmware, and practicing safe browsing habits.

        • File Infector Viruses

          • File infector viruses are a type of malicious code that infects executable files.

          • Once infected, these viruses can spread to other files when the infected file is executed or opened.

          • File infector viruses often modify the host file's code, making it difficult to detect and remove the virus.

          • Countermeasures against file infector viruses include using antivirus software, regularly updating software, and practicing safe browsing habits.

        • Macro Viruses

          • Macro viruses are a type of malicious code that infects software applications by embedding themselves in macros, which are small programs that automate tasks within the application.
        • Service Injection Viruses

          • Service injection viruses are a type of malicious code that targets vulnerabilities in software services to gain unauthorized access or control over a system.
    • Worms

      • Code Red worm

      • Stuxnet

    • Logic Bombs

      • Logic bombs are a type of malicious code that is designed to execute a harmful action when a certain condition is met.
    • Trojan Horses

      • Trojan horses are a type of malicious code that masquerades as a legitimate program or file. They are designed to trick users into downloading or executing them, allowing attackers to gain unauthorized access to their systems.

      • Countermeasure: 1) only allow software from trusted sources; 2) don't let users install software

      • Variant

        • Ransomware

          • Countermeasure

            • Back up your computer

            • Store backups separately (offline or immutable, so the ransomware cannot encrypt them as well)

            • User awareness training

          • Prevention

            • Update and patch computers

            • Use caution with web links

            • Use caution with email attachments

            • Verify email senders

            • Preventative software programs

    • Malicious Scripts

      • Malicious scripts are small pieces of code that are designed to harm a computer system or steal sensitive information.
    • Spyware & Adware

      • Spyware is a type of malicious software that secretly collects information about a user's activities and sends it to a third party. Adware, on the other hand, is a type of software that displays unwanted advertisements on a user's device.
    • Malware Prevention

      • Platforms Vulnerable to malware

      • Antimalware Software

      • Integrity Monitoring

      • Advanced Threat Protection