Shared Flashcard Set

Details

CompTIA Sec+ 1.6
Explain the impact associated with types of vulnerabilities
28
Computer Science
Professional
11/06/2018

Additional Computer Science Flashcards

 


 

Cards

Term
Areas where vulnerabilities and associated impacts are assessed
Definition
Understanding where vulnerabilities exist in:
-Hardware, Software, Networking
-Configuration Errors
-Business Process
-Architectural and Unplanned Growth
Term
Race Condition
Definition
Two or more routine programming calls in an application do not perform in the sequential manner that was intended.
-Authentication: Causes application to fail leaving trust assigned to untrusted entity
-Integrity: Malicious code may be inserted
-Confidentiality: Data compromised, information disclosure
Term
Time of Check
Definition
A race condition where attacker gains access prior to an authentication check
-Admin action to address the intrusion such as resetting passwords, but attacker remains logged in with old credentials
-Attacker inserts code or alters authentication to disrupt authentication processes
Term
Support Lifecycle Vulnerabilities
Definition
Maintaining systems past EOL (End of Life), maintaining multiple versions of hardware and software.
-EOL
-Embedded Systems
-No Vendor Support
Term
Impact of Vulnerabilities
Definition
Life Cycle Management on Hardware
-Laptops
-Storage
-Servers
-Smart TVs
-IoT - Internet of Things, embedded devices are often overlooked and should be not be ignored for vulnerabilities and end of life.
Term
Secure Coding - Improper Input Handling
Definition
Guidelines - Recommendations from NIST
Web Form Validation to validate and sanitize entries before accepting and processing them.
-XSS attacks
-SQL Injection Attacks
Term
Secure Coding - Improper Error Handling
Definition
When a web server, application server, or database application fails, detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed.
Term
Open Web Application Security Project (OWASP)
Definition
A site dedicated to unbiased, practical, cost-effective information about application security. A non profit that provides guidelines and testing for application security.
Term
Impact of improper error handling
Definition
Potential Impact
-Crash leaves a session open with elevated privileges
-Application crashes leaving internal error messages that provide internal system information to hackers

-
Term
SEI
Definition
Software Engineering Institute. Runs Cert.org Dedicated to helping create Better Software Through Secure Coding Practices.
Term
Misconfiguration / Weak Configuration
Definition
-False sense of security with weak config
-Gaping holes in defenses
-Increased attack surface
Mitigation:
-Vulnerability Scan
-Security Audit - Make sure secure config baseline for each system is applied
Term
Default Configuration
Definition
-Not Secure out of the box
-Change admin accounts, default passwords
-Harden systems if possible
-Establish baseline config and audit for compliance
Term
Resource Exhaustion
Definition
Code executes on a target machine over and over until all resources are used
Term
Resource Exhaustion Attack Types
Definition
DoS
DDoS
Botnet attack
Term
Untrained Users
Definition
-Tailgating
-Application Updates
-Maintain Proper Config
-Social engineering don't give passwords
offer to call back.
-Phishing Scams
-Document Handling and proper disposal
Term
Improperly Configured Accounts and Shared Accounts
Definition
-Sharing Accounts: No audit or log of who did anything
-No Non-repudiation: Being able to identify and validate user activity
Term
Vulnerable Business Processes - BPC
Definition
Business Process Compromise
-Targets the unique processes or the systems facilitating those processes to covertly manipulate them
Term
Weak Cipher Suites and Implementations
Definition
RC4
3DES Triple DES
NULL

Use AES-128 or AES-256 instead
Term
Cipher Suites 4 components
Definition
1. Key Exchange
2. Authentication
3. Encryption
4. Integrity Algorithm
Term
Memory Leak
Definition
Application keeps using memory but fails to release it once it is no longer needed.

Lowers system performance
Crashes system
Denial of Service
Abnormal System Behavior
May take time to occur and problem may not be readily apparent. Reboot may appear to fix it and then the problem reoccurs overnight
Term
Integer Overflow
Definition
When result of arithmetic operation exceeds the size of the data type used to store it. Can lead to negative values which can reverse a monetary transaction since a credit now becomes a debit.
Term
Pointer Dereference
Definition
A vulnerability that can cause an application to throw an exception error. Causes the application to crash.
-DoS Attack
-Potential for Remot code execution
Term
DLL Injection
Definition
Inserting code into a running process
1. Attach to process
2. Allocate Memory within the process
3. Copy the DLL or the DLL Path into the processes's memory and determine the appropriate memory addresses
4. Instruct the process to execute your DLL
Term
Creating DLL Injection attack
Definition
Manual creation
Pen Testing Tools
Metasploit
Term
System Sprawl and Undocumented Assets
Definition
New devices added to network increase the attack surface. More targets.
-Hosts
-Printers
-IoT
-Wireless AP's
-Mobile Devices
-Dual homed systems access to other networks
Term
Architecture Design Weakness
Definition
Business pressure to develop applications quickly can cause design to suffer due to lack of security not being included in the beginning.
-Security looked at as a road block or gating factor
Term
New Threats / Zero Day
Definition
Government/Nation States - Hoard these vulnerabilities, and keep them for when they need them
Dark Web - Sells them
Hackers - Derive Income from discovering and creating
-Organized Crime
-Script Kiddies
Term
Improper Certificate and Key Management
Definition
-Manual Key Management
-Lack of insight, no automated reporting
-No centralized policies
-No method to replace compromised CA certs
Supporting users have an ad free experience!