CompTIA A+ Exam 220-902 sub-objective 3.1 –Identify common security threats and vulnerabilities
Detailed (and official) description of CompTIA A+ sub-objective 3.1
3.1 Identify common security threats and vulnerabilities.
Zero day attack
Violations of security best practices
Welcome to Exam Notes by CertBlaster! This edition brings us into the next A+ domain 3.0 Security and its first objective 3.1 where you identify common security threats and vulnerabilities. The keyword is common. These threats are not operating system specific (unless noted) and can be effected on most platforms or circumstances as you will see. You will also see the cost of non-compliance with policies or practices. Here we go!
Malware is a generalization intended to cover that which intentionally causes harm or damage in the operating environment. There symptoms associated with malware often are clues to the type of attack you are fighting. The items listed below categorize these attack types.
This simply put is software that is installed on your device without your consent that collects your data and sends it to a third party without your consent. These programs can monitor and record keystrokes, browsing information including login data, credit card numbers and passwords or PINs. Your confidential information way well be compromised. It is important that you have adequate defenses. Built into Windows you have Windows Defender, offering real-time protection and background AV scanning.
A layered approach can be considered when dealing with malware. This type of protection is also available in paid or premium versions of protection packages. Do be careful when selecting products for system defense. As programs commonly installed with the OS can conflict with the products you purchase. Also avoid freeware that you never heard of as some programs are “wolves in sheep’s clothing” containing malicious payloads.
New virus attacks are practically a daily occurrence. Viruses infect your system with the desired malicious payload and also replicate themselves onto connected devices. They can spread over a network or by infected shared writable devices. Always write protect a USB thumb drive before inserting it into a system lest it become infected. A virus will reveal its presence by increased network activity or sluggish system performance. Possibly by tricking the unsuspecting with a false warning similar to below. If you ever see this DONOT click OK and certainly DONOT call anyone.
Use Ctrl-Alt-Del to launch the Task Manager or Command-Option-Esc on a Mac to launch Force Quit and kill the browser instance(s). If that fails power off the system immediately. Reboot and perform a virus scan immediately. This is a typical malware trick. After agreeing you will be asked to install harmful software under the guise of helping. In the phone call you will ultimately be asked to allow the technician to take over your machine.
A good sign of infection is the inability to reach anti-virus and anti-virus sites. Norton, Symantec and McAfee programs will be unable to reach their servers nor will you. Here is an anti-malware program that is unable to connect to its update server. Note the unable to access message in the white field in below screenshot.
In the worst cases even the built in safeguards are unable to update. Here is a Windows Defender update attempt on an infected machine. Note the progress after an hour and a half. Although it has not failed officially, this is not going to happen.
The best repairs to an infected machine are accomplished by booting to an antivirus repair disk or USB Drive. This process allows the system to boot to the repair media and thoroughly scan your PC before any system files or malware programs have a chance to launch. If you have not made one, make one now. In the absence of a repair disk scan your system in safe mode with your primary AV solution. Here is a look at Norton 360.
This was supplied by the ISP, no doubt to address their inability to control the issue, sorry it was an added value, yes that’s it! Whenever possible do a Full scan. You want to scan as much as possible. Browser files and Temp files are hiding spots for malware so be certain those locations get checked. If you are going to scan do a full scan as opposed to a quick one.
Worms will attack your connected devices and other network hosts by exploiting vulnerabilities in the operating system. I contrast to Virus and Trojans the Worm does not A Worm will consume network bandwidth and overloading the network servers. The primary purpose of a Worm is to replicate itself to every possible node on a given network. Upon suspicion of an infection disconnect your computer from the network and/or internet. Here again running your antivirus solution after booting to a repair disk or into safe mode will help. To prevent this type of attack keep your protection signatures up to date and avoid opening odd email attachments.
Trojans are fundamentally infected versions of real files. Be careful what you download and scan it before you open or install it. This is particularly important when dealing with email attachments. They are designed to do any of a number of things. They can delete files, compromise your information and even allow the perpetrator to access and control your machine. You will recognize a Trojans infection by poor performance, increased or bogged down network and servers and generally unpredictable behavior accompanied by new or deleted files in your system often causing system failure.
Rootkits are a particularly sinister malware variant. A rootkit can infect a computer and allow the kits owner the ability to gain privileged access to the target PC without the user’s knowledge or consent. Your defense as always is to keep your protection software up to date and apply any and all security patches to the OS. Rootkits are usually well hidden and undetectable by conventional means. There are Rootkit detection packages but rootkits are often hidden inside system files where detection is impossible. This makes prevention a primary defense.. Download only from trusted sources and be cautious of emails from unknown sources.
Ransomware is another malicious program. In this case the ransomware Blocks your access to your system and data until a ransom is paid. Ransomware can be installed on your system by accessing an infected or compromised website, downloading a malicious file or opening a malicious email attachment or hyperlink. You may only get a pop-up that informs you of a block and includes instructions. The block may look like it is from a police or law enforcement agency. The result of the newer ransomware infection can be as serious as modifying your MBR and or encrypting your hard drive contents (crypto-ware). The result is that you must pay in the specified anonymous manner and hope that you get an unlock key or decryption key. Since it takes time to encrypt your files you need to power off the machine immediately upon discovery to lessen the impact of the encryption.
Phishing is an overt attempt to trick you into doing something stupid that will compromise your personal information. A form of social engineering this attack works by sending you an email containing a malicious attachment or hyperlink.
A typical phishing email will contain the malicious content, but will be recognizable by the end user if they read the email and notice typographical errors and bad grammar in the message. Further if you receive one of these emails that contains a hyperlink, you can hover over the link with your mouse the link and see where it is actually going as opposed to the benign text label of the link. Always report these attacks to the appropriate party. For example if you get a phishing (spoof) email seemingly from a known entity that you may deal with look carefully at the email examine the grammar and spelling then check the general appearance A phishing email will look less than perfect in several ways as mentioned and also look carefully at the graphics they will be the exact logo of let’s say eBay, but the eBay logo will be just a little fuzzy, less crisp. Stop and Think before You Click. If you suspect an email as a phishing attempt send it to the Party being spoofed. Phishing and Spear phishing are prime vehicles for assorted malware.
Spear phishing is targeting specific groups for attack based on things they have in common. Where they work is a good example as is where they shop or do their banking. This adds trust to the phishing communication if the user is not careful. Here Charles Schwab is the entity that “legitimizes” the message. If you look at the message carefully section by section you will be able to scan the header information for irregularities which are definitely present. The sender’s return address has very little to do with the reported company. Always look past the name and check the actual sender’s address. The recipient is incorrect as you (probably) don’t work for Charles Schwab. The message body begins with an image. Images in the message body can be hyperlinks to malicious sites. This particular email client is set to block imbedded images and display on demand giving you a chance to discriminate. Then it asks you to log in through a link that asks you to verify recent activity information. Then finally the hyperlink address is anything but legitimate. The link will go to or through a man-in-the-middle (see below) that will capture all the data entered, not good. This will hold true for both phishing attack types. The spear phishing attack targets a more specific number of users.
Spoofing is the practice of misrepresenting yourself by using a false IP address, or more commonly a false email address. The person being spoofed does not realize immediately that the email address is fake. Always read your email carefully and think about what you are being asked to do. Is the request legitimate? Would your employer really need your social security number, or is it more likely to be on your job application? Microsoft does not email or call you. The FBI does not call you, they knock if you are lucky. So it comes back to consider the source and think before you click.
Social engineering can be best explained as influencing the actions of others by gaining their confidence and trust. Once that has been accomplished the attacker, or your new friend, gets you to disclose information or provide access to a network or a computer. It is widely known that in the security world a human can always be considered the weakest link in a defense. Whether it is an email or a phone call it is imperative that you disprove this consideration by thinking, taking your time and trusting no one. You may have a friend whose email has been hijacked. An email from anyone, known or unknown, needs to be examined with the same level of care.
Shoulder surfing is the time honored method of capturing usernames and/or passwords by simply looking over a person’s shoulder. This is a surprisingly effective technique and can also be used at ATM’s.
Zero day attack
A Zero day attack is an exploit of an operating system or software vulnerability that is unknown to and unpatched by the author of the product. The name comes from the fact that there is no warning of the attack and this is compounded by the fact that the attack will be successful until it is discovered and patched by the vendor. It does not take long for a zero day attack to be effective considering the time it takes to program a patch and get it distributed to the public. These attacks can take place between the time they are discovered and when the patch is issued.
When discussing a Zombie and its relationship to a botnet, think of an army of zombies. With your PC as one of the potentially millions of PCs infected with the same malware and commandeered by a single host. The entity that controls the botnet can literally use the machines for a single purpose like a DDoS, Spam or malware distribution. Hundreds of billions of dollars in losses or damage can be attributed to botnets.
Brute forcing (Brute Force Cracking) can be best described as cracking a username, password, or even a Wi-Fi encryption protocol or decryption key by using trial, error and result evaluation using a pre-defined set of values for the attack. Use long and complex passwords to defend against this attack.
Dictionary attacks are a form of brute force attack that uses words found in the dictionary to attempt to discover passwords and decryption keys. Here you need to avoid words found in the dictionary for your security. It is helpful to use a mix of upper and lower case letters along with numbers and special characters (!@#$%).
Businesses that need to protect their assets set system compliance standards and monitor host configurations to assure that all of their attached systems meet a certain pre-defined level of antivirus updates, system and application security patches along with up to date drivers for the hardware. The monitoring is done by a configuration reporting tool installed on the host. The configuration report is sent to the configuration monitor and scanned for compliance. Any system reported to have missing or out of date software, antivirus or old drivers is considered to be a non-compliant system and thereby determined to be in violation of security best practices.
Violations of security best practices
As noted above a security best practices violation occurs when a non-compliant system attempts network access on a managed network. You need to recognize that while the compliance standards may or may not be monitored on your system(s), they are an excellent guideline for fundamental system security. If you look at it these compliance elements they are essential to safe operation with or without administrative oversight. But be ready to distinguish between the business terminology and the private.
Tailgating occurs when an unauthorized party follows the secure access of an authorized party closely enough to appear as a single entity to security systems. This attack is the seemingly innocent, even courteous in a case where the authorized party holds the door a secure entry point. This term also covers an unauthorized party commandeers an authorized parties’ workstation while they are away from it.
A Man-in-the-middle (MitM) attack uses a webserver that is in the route from the client to its destination. All client internet activity is processed through the malicious server while it quickly skims your personal data for anything of value. Man-in-the-middle attacks are generally transparent to the client and the server. If you feel like you are a victim of MitM look at the lag time between a page request and its delivery. Also compare the displayed content on a frequently used site with another pc running the same software. Any loss of image quality or access speed are signs of possible MitM. Treat this as any other malware in terms of removal. Many AV packages offer a “Real Site” or similar mode where you can check links for their validity.
And with this we will wrap up the first installment in the 220-902 Main Domain 3.0 “Security”, sub-objective 3.1 “Identify common security threats and vulnerabilities.” Hopefully this post will add to your A+ skills providing you with the additional insight to protect you and your clients against the threats that surround you.
Good luck on the test!
Back to the main 902 ExamNotes page