Vulnerability Ranking
The process of evaluating and ranking vulnerabilities in terms of the potential threat they may pose to the organization.
- CVSS is an open standard for ranking vulnerabilities.
− Quantifies vulnerability data through three metric groups.
Automated Vulnerability Scanners
- Will have signatures that tie into specific vulnerabilities.
- Vulnerability scanners are only able to detect the known vulnerabilities;
OpenVAS
- An all-in-one vulnerability scanner that leverages a variety
of built-in tests.
Nessus
- One of the most popular vulnerability scanners on the market.
- Like other vulnerability scanners, it contains a database of known
vulnerabilities across different platforms and protocols.
Cross-Compiled Code
- Code that has been compiled into an executable on one platform but is designed to run on a different platform.
- Common approach when crafting your own exploits.
Exploit Chaining
The act of using multiple exploits to form a larger attack.
* Success may depend on all exploits doing their part.
* Distributed nature makes them complex and difficult to defend against.
* Some chained exploits must run consecutively.
* Some run in parallel.
Proof of Concept Development
A benign exploit developed to highlight vulnerabilities.
* Usually created by security researchers.
* Demonstrates security issue to target organization or general public.
* Technical aspects might be published in great detail.
* Or researcher may not include specifics.
− Discourages malicious actors from using this exploit in the wild.
Social Engineering
- Attacker may need to persuade victim to do something for them:
− Disabling or bypassing security controls.
− Granting physical or network access.
− Creating or resetting credentials.
− Delivering messages.
− Installing software.
− Authorizing payments.
− Connecting or disconnecting devices.
− Reconfiguring systems.
Dictionary Attacks
An attack in which a password cracking tool goes through a list of words until it either finds the password or exhausts the list.
- Practical limitations:
− Must know username, though usernames can also be in wordlists.
− Lists can become unwieldy in their size (1.5 billion words ≈ 15 GB uncompressed).
− Lockout policies on authentication systems.
Rainbow Table Attacks
The passwords in the wordlist have been pre-computed into their corresponding hashes, then compressed in a highly efficient manner.
- Makes offline cracking much faster.
− No need to compute hashes of every password tried.
Credential Brute Force Attacks
An attack in which the attacker tries many passwords in the hope of eventually guessing the right one.
- If wordlist is exhausted, tool can try variations.
− Substitute numbers or special characters for letters.
− Combinations of characters. - Short passwords (e.g. 4-digit PIN) can be brute forced in minutes or even seconds.
