A threat vector is the method that an attacker uses to gain access to your systems. Sometimes, you'll hear this referred to as an attack vector. The attackers are constantly trying to find new ways to gain access to your systems, and so they're spending all of their time trying to either discover or create new threat vectors.
We're not only looking for threat vectors that are well-known; we're also looking to see if there's any opportunity for someone to take advantage of an unknown threat vector. One very common place for attackers to start their threat vectors is with a messaging system, and that's probably because most of us use some type of messaging to be able to communicate with others. For example, it's very likely that you have an email address that you use, and that's a perfect place for an attacker to send information that they can use against you.
For example, they might put malicious links in an email and entice you to click that link, at which point they may install malicious software or try to gain access to one of your systems by providing a phishing page. Another good threat vector, especially on our mobile devices, is through Short Message Service (SMS). These are text messages, and the attackers will use text messages to try to get your attention and have you click links that you should not be clicking.
If you use a messaging system that includes instant messages or direct messages, it's a perfect way for the attacker to talk directly to you to try to gain access to your systems. Phishing attacks work exceptionally well using these messaging-based attacks because they can communicate with you directly and entice you to click links that normally you would not click. Once you click a link and visit a site, it may present you with a front page that looks exactly like your bank's login, but it's not really your bank.
That's where the phishing takes advantage of the trust that you have for your messaging system. The attackers might also use that message to either embed malware within the message itself or provide you with a link that takes you to a website, which then downloads the malware. This is also a great entry point for the attacker because they can also use many different social engineering techniques.
For example, the attacker could send you an invoice over email asking for payment, but in reality, it's payment for a service that was never rendered, or perhaps they're trying to use a cryptocurrency scam to either gain access to your existing cryptocurrency wallet or to try to sell you cryptocurrency that doesn't really exist. Here's an example of a spam message that I received in my text messages. This one was sent from an onmicrosoft.com email address, and you can see that it says, "From the United States Postal Service: message you have a package that needs to be delivered, but it has been suspended due to an incorrect delivery address." They expect you to click this link that's embedded within the text message. Obviously, I did not click this link, but undoubtedly, it would take me to a US Postal Service site or some other site that might have malware or some other malicious software.
For those of you wondering, I did click the "Report Junk" link, and hopefully, this particular message or sender was removed from the service. Not only can our messaging systems be used as an attack vector, but the images that we see on our screens can also be used as an attack vector. A good example of this would be the SVG image format; that's the Scalable Vector Graphics format, and it’s a format understood by most browsers.
This is actually more than just an image; it's an XML file that describes the image and allows you to embed other information within the XML. This means an attacker could put information within the image description that would then run inside of your browser. They might inject HTML code, or there may be JavaScript contained within the XML that describes an SVG image.
Some browsers allow you to enable or disable certain image types, or they may have the process to provide input validation for these SVG descriptions. Here's an XML file that contains a description of an SVG image and code that could potentially be used as an attack vector, and it's all within just a few lines of software. When you run this inside of your browser, it will show an image that is the description of this triangle that you can see within the XML, but as it shows you this image on the screen, it's also running any JavaScript that you have embedded within the XML.
In this case, it's a relatively benign message that simply says, "This is a cross-site scripting attack," and when you run this, it will put a message on your screen that says exactly that. Most browsers will look for cross-site scripting and will prevent these types of scripts from running. However, if your browser has a vulnerability, or if the JavaScript that it's trying to run is not necessarily a cross-site scripting attack, this may be able to get through using this XML embedding.
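The input validation mentioned above can be done before an SVG ever reaches a browser. The following is an added example, not code from the original page: a small Python sanitizer that parses the SVG as XML and strips the places where active content hides (script and foreignObject elements, on* event-handler attributes, and javascript: URLs). The sample SVG is constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute or embed active content inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject"}
# URL-bearing attributes whose values can carry a javascript: scheme.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

# Constructed sample: a harmless triangle plus a script element, an event
# handler attribute and a javascript: link, so the sanitizer has work to do.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="120" height="120">
  <polygon points="60,10 110,110 10,110" fill="orange" onmouseover="alert('XSS')"/>
  <script type="text/javascript">alert("This is a cross-site scripting attack");</script>
  <a xlink:href="javascript:alert(1)"><text x="20" y="60">link</text></a>
</svg>"""


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def sanitize_svg(svg_text: str) -> Tuple[str, List[str]]:
    """Return (cleaned SVG text, list of findings describing what was removed)."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    findings: List[str] = []

    # Snapshot the tree first so removing children does not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) in ACTIVE_TAGS:
                findings.append(f"removed <{local_name(child.tag)}> element")
                parent.remove(child)

    # Event handlers (onload, onmouseover, ...) and javascript: URLs on any
    # remaining element, including the root <svg>.
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = local_name(attr).lower()
            value = elem.attrib[attr].strip().lower()
            if name.startswith("on"):
                findings.append(f"removed {name} handler on <{local_name(elem.tag)}>")
                del elem.attrib[attr]
            elif attr in URL_ATTRS and value.startswith("javascript:"):
                findings.append(f"removed javascript: URL on <{local_name(elem.tag)}>")
                del elem.attrib[attr]

    return ET.tostring(root, encoding="unicode"), findings
```

Running `sanitize_svg(SAMPLE_SVG)` keeps the triangle and reports three removals; a file that produces any findings is worth quarantining rather than just cleaning, since it was not an innocent image.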
It may be relatively obvious that the files we run on our systems could be a potential threat vector, and this is certainly the case for executables since that's software that actively runs within the memory of your system. However, an executable is not the only type of threat vector you might see in a file format. For example, an Adobe PDF would be a very good place to try to fit some type of malicious software because it's effectively a holding place where you put other types of objects within it.
When you open a PDF, you'll find text, images, and in some cases, even scripting. This would be a perfect place to start an attack, or perhaps the attacker is simply hiding the threat within an existing set of compressed files that may be compressed with ZIP or RAR, or really any compression type. In many ways, this hides the fact that there's an attack inside, because all you see is the compressed file format, such as a ZIP file.
However, within the ZIP file, there may be hundreds or thousands of files, and one of those may contain malicious software. Our documents, spreadsheets, and other office-related files might also be a good place to use as a threat vector. For example, Microsoft Office allows you to include macros with your documents, and although most of those macros are probably very useful and relatively benign, it is possible for an attacker to write a macro that may gather personal information from your computer and send it to the attacker.
We also see this quite a bit with add-in files or extensions that you might have in your browser, where the extension itself contains malicious software. By simply adding it to your browser, you've now put your entire system at risk. Our mobile phones and call systems make another valuable threat vector for the attacker.
This is vishing, or voice phishing, where they may call you to try to get you to give up credit card information or other types of personal details. We've also seen spam over IP, where the attackers will use Voice over IP systems to send all of these spam messages through an automated process. There are also still instances where attackers are trying to find unpublished phone numbers that may gain them access to systems; we often refer to this as war dialing, and it is a process that we still see occurring even today.
Sometimes an attacker is not interested in gaining information but is instead trying to disrupt your systems through a denial-of-service attack. They can certainly do this by using your messaging systems as a threat vector. I've worked with companies that have spent millions of dollars to install the latest types of firewalls, intrusion prevention systems, and network filtering products, but an attacker can circumvent those millions of dollars of security products with a single $10 USB drive.
This can be especially useful if an attacker needs to get onto a network that is air-gapped, which means there's no direct network connection into that internal network. Instead, the attacker will go into the parking lot of that company, throw a few USB drives on the ground, and hope that someone will pick up the drive, take it inside the building, and plug it in. Of course, on the USB drive, there's malicious software that might disrupt operations or provide some way to get data out of those networks.
Many of the keyboards that we use on our computers today connect through USB, and specially modified USB drives can also appear to your computer as a keyboard. When you plug in the USB drive, suddenly your system is able to automatically type things on the screen, and it's all coming from this USB drive acting as a keyboard. Allowing someone to plug in a USB drive, even on an air-gapped network, makes it very easy for someone to transfer large amounts of data, unplug it, and now they have all of that information on a USB drive they can put into their pocket and walk out the door.
One of the challenges for the security professional is making sure that all of our software is always up to date to the latest version. That's because often we will find security issues and vulnerabilities built into existing versions of software that will require an upgrade. This might be a situation where an application has an infected executable, and if you run that application, you're effectively infecting your local computer.
If this is an unknown vulnerability and the attackers find that vulnerability first, they may have an advantage to get into your systems. This is why we're constantly updating the software on our systems; not only do we perform Microsoft updates, but we also update all of our other software whenever a security patch is released. But what about software that's not installed on your computer?
What if it's more of an agentless system where you have to connect to a separate system to be able to see that software? This is very common with web-based applications, for example, where you don't have to install anything local on your computer; you simply use your browser to connect to an external system. This means if an attacker does find a way to infect the central server, they could potentially also infect all of the connecting clients.
This would also be very easy for the attacker to distribute because they know that each person who is logging in for the day is running a new instance of that software, as everything is contained on the server. As we've already mentioned, patching is a great way to prevent an attacker from gaining access to a known vulnerability, and we spend a great deal of time and effort to keep all of our systems up to date to the latest version of software. However, there might be systems within your network or your data center that are unsupported systems, where the manufacturer no longer provides patches for those systems.
In that case, you may not have the option for installing new software. This is very common, for example, on unsupported versions of operating systems. Eventually, an operating system will no longer be supported by the manufacturer, and that makes it an enormous security risk if there are no security patches, and that system could potentially be a risk for your organization. As many companies have found, you need to make sure that all of these unsupported systems are identified.
There have been instances where someone is running an older version of an operating system on an old computer that’s underneath someone’s desk, and the IT department has no idea that that system even exists. That’s why it’s so important to make sure you always have an updated list of your entire inventory of systems and that you’re able to access all of the individual devices on the network. This would allow you to scan your network periodically to ensure that you know all of these unsupported systems have been addressed and can be properly secured by your IT department.
The attackers know that your own network creates a digital highway that allows them to move very freely between all of the systems within your network, and they take advantage of vulnerabilities that are built into this networking infrastructure. For example, if you have a wireless infrastructure, you need to make sure that you’re using all of the latest security protocols. If you’re using WPA or WPA2, you may want to consider updating to the latest WPA3 protocol.
Many organizations will perform periodic scans of their network to see if anyone may have open or rogue wireless access points that would allow an attacker easy access to the rest of your network. For both wired and wireless networks, it's usually a good idea to enable 802.1X.
This is an authentication protocol that prevents anyone from gaining access to the network unless you provide the proper credentials. Even wireless protocols like Bluetooth could be used by an attacker as a threat vector. For example, they could use this for reconnaissance to see where a particular system might be, or the Bluetooth implementation in a system may have limitations or not the proper amount of security, making it a great entry point for the attacker.
When you install a web server into a data center, there are a number of open ports that are enabled to provide those services across the network. For example, a web server might use TCP port 80 and TCP port 443. Once you open those ports in a device, it provides a third party with a way to gain access to at least a portion of that system.
Normally, we have security in place that prevents unauthorized access, but if an attacker knows of a vulnerability in that web server software, they may be able to use these open ports as a way into that computer. This is another reason why we are always updating the software on these services so that we can patch any vulnerabilities that may be associated with our web services or other applications. Of course, it’s very easy to misconfigure one of these very complex applications, and sometimes a simple misconfiguration can allow unauthorized access into a system.
Each time you install a new service onto this computer, it needs to have its own port number to provide that service to the outside. Therefore, the more services you install, the more open ports there are, potentially making the system less secure. This is one of the reasons we use port-based firewalls or application-aware firewalls to create additional security for these systems with open ports.
For example, if we've installed five or six different services on a computer, we might limit access from the outside to only one of those services, which would certainly limit the number of possible attacks to that system. Let's see if I can guess the credentials used for your cable modem or wireless router at home. Let's say that you're using the username of "admin" and the password of "admin." Those are the default credentials that are included on many access points and routers. This is a good example of using default credentials, and if you know what the default credentials are for a device, and someone has not updated those credentials, you now have complete access to that system. Fortunately, many of the devices we use today will require you to change that password the first time you log in, which means that the administrative access you would normally have by using these default credentials is no longer available.
Once you log in for the very first time, it's very easy to find the default credentials for these devices, and there are even websites such as routerpasswords.com that document all of these default credentials across thousands of different devices. Once this video is over, you might want to check the devices that are on your network and make sure you're not using any of these default settings.
Sometimes these threat vectors appear on your network through the front door by way of a supply chain vector. This allows a third party to gain access to your infrastructure by riding inside existing equipment that you’re installing. This might be added during the manufacturing process; the manufacturer might have no idea what’s going on, or it may be added after the manufacturing process by a third party that wants to gain access to your systems.
Sometimes these threat vectors are in place because you’re working with a third party that is part of your supply chain. For example, your network may be managed by an MSP, which is a Managed Service Provider. You may be paying this third party to monitor your systems and inform you if anything needs to be updated or changed in your infrastructure.
This also makes a perfect place for an attacker to start because if they gain access to the MSP, they will then have access to your systems. This was the threat vector used by attackers who gained access to Target's network in 2013 and were able to install malware on all of their point-of-sale systems. In order to steal credit card numbers, the attackers gained access to systems that were controlled by HVAC contractors that were hired by Target. Therefore, they were able to jump from the HVAC network to the Target network, and then to all of the stores in the Target systems.
There have been cases where counterfeit hardware itself was used as a threat vector. For example, in 2020, there was a documented case of fake Cisco Catalyst switches being installed. These switches were identified because they weren't able to update their software properly.
However, those switches could certainly have been used as a threat vector and could have contained malicious software that would allow an attacker to take them over.