You're reading from CompTIA Security+ SY0-701 Certification Guide - Third Edition

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781835461532
Edition: 3rd Edition

Author: Ian Neil

Ian Neil is one of the world's top trainers of Security+. He is able to break down information into manageable chunks so that people with no background knowledge can gain the skills required to become certified. He has recently worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds (not just IT professionals), with an extremely successful pass rate. He is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner that has worked with high-end training providers over the past 23 years and was one of the first technical trainers to train Microsoft internal staff when they opened their Bucharest Office in 2006.

Introduction

This chapter covers the fourth objective in Domain 2.0, Threats, Vulnerabilities, and Mitigations, of the CompTIA Security+ exam.

In this chapter, we will examine indicators of malicious activity and the diverse types of malware and attacks that we may encounter on a daily basis.

This chapter will help you analyze indicators of malicious activities to keep your environment safe and ensure you are prepared to successfully answer all exam questions related to these concepts for your certification.

Note

A full breakdown of Exam Objective 2.4 will be provided at the end of this chapter.

Malware Attacks

Malware (short for “malicious software”) refers to any software program or code that is specifically designed to disrupt, damage, or gain unauthorized access to computer systems, networks, or devices. Malware is created with malicious intent, and it can take various forms, including viruses, worms, trojans, spyware, adware, ransomware, and more. Each type of malware has its own specific functions and goals, but they all share the common objective of causing harm to or compromising the targeted system or data. The following sections will introduce each of the most common types of malware attacks, including their methods and goals, as well as some techniques for their prevention.

Potentially Unwanted Programs (PUPs)

Potentially Unwanted Programs (PUPs) are programs that are downloaded inside other programs. They often overconsume computer resources and slow your computer down. PUPs are seen as grayware as they are neither malicious nor legitimate....

Physical Attacks

A physical attack involves the use of sneaky tactics to breach actual physical spaces. Think of it as the bad guys using tactics beyond the screen—such as trying different passwords repeatedly until they break in, copying secret signals to access secure areas, or even causing chaos by disrupting power during storms. Let’s look at some of these physical attacks in turn.

Physical Brute Force

A physical brute-force attack is a direct attack in which someone takes a physical implement (such as a sledgehammer or crowbar) and breaks down a door to gain access and steal the equipment inside. These should not be confused with password brute-force attacks, mentioned later in the Password Attacks section of this chapter.

Radio Frequency Identification (RFID) Cloning

Imagine a scenario in which sneaky cyber intruders copy the signals from key cards or badges that allow people to enter secure areas. This method is referred to as RFID cloning, and armed...

Network Attacks

A network attack is an unauthorized, malicious attempt to disrupt, compromise, or gain access to computer systems, data, or communication within a network.

Network attacks target organizations and households alike. Most of these attacks are called server-side attacks as they target an organization’s servers, such as domain controllers, which hold user accounts, or SQL database servers, which hold confidential customer data and credit card information.

The following sections will investigate several types of network attacks.

Pivoting

A pivoting attack occurs when an attacker who has gained access to the network through a vulnerable host uses that foothold to target a critical server, such as a domain controller or a database server.

On a virtual network, this type of attack is called VM escape, which is covered in Chapter 7.

When an attacker launches a pivoting attack, they will likely be armed with the Network Mapper (nmap) tool,...
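The indicator a pivot leaves behind is the probing that precedes it: a host that normally talks to a handful of servers suddenly tries many ports on one machine, or the same port across many machines. The following is an added detection example, not code from the book: it reads connection-log lines and flags those two patterns. The log format, the IP addresses, the thresholds and the function names are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed connection log (not from the book). One line per connection attempt:
# timestamp, source IP, destination IP, destination port, outcome.
SAMPLE_LOG = """\
2024-01-08T09:00:01 10.0.5.23 10.0.1.10 22 refused
2024-01-08T09:00:01 10.0.5.23 10.0.1.10 80 refused
2024-01-08T09:00:02 10.0.5.23 10.0.1.10 135 accepted
2024-01-08T09:00:02 10.0.5.23 10.0.1.10 139 accepted
2024-01-08T09:00:02 10.0.5.23 10.0.1.10 389 accepted
2024-01-08T09:00:03 10.0.5.23 10.0.1.10 443 refused
2024-01-08T09:00:03 10.0.5.23 10.0.1.10 445 accepted
2024-01-08T09:00:03 10.0.5.23 10.0.1.10 636 accepted
2024-01-08T09:00:04 10.0.5.23 10.0.1.10 3389 refused
2024-01-08T09:00:04 10.0.5.23 10.0.1.10 5985 accepted
2024-01-08T09:00:05 10.0.5.23 10.0.1.10 8080 refused
2024-01-08T09:00:05 10.0.5.23 10.0.1.10 8443 refused
2024-01-08T09:01:10 10.0.5.23 10.0.1.11 445 accepted
2024-01-08T09:01:11 10.0.5.23 10.0.1.12 445 accepted
2024-01-08T09:01:12 10.0.5.23 10.0.1.13 445 refused
2024-01-08T09:05:00 10.0.5.41 10.0.1.10 445 accepted
2024-01-08T09:05:30 10.0.5.41 10.0.1.20 443 accepted
"""

WINDOW_SECONDS = 60        # how far apart probes may be and still count as one burst
PORT_SCAN_THRESHOLD = 10   # distinct ports on one host from one source within the window
HOST_SWEEP_THRESHOLD = 3   # distinct hosts on one port from one source within the window


def parse_log(text):
    """Turn the text log into (timestamp, src, dst, port, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), outcome))
    return events


def detect_scans(events, window_seconds=WINDOW_SECONDS,
                 port_threshold=PORT_SCAN_THRESHOLD,
                 host_threshold=HOST_SWEEP_THRESHOLD):
    """Return sorted (source, kind, target) alerts.

    kind is "port_scan" (target = destination host) or "host_sweep" (target = port).
    Refused connections count too: a scanner learns as much from a closed port
    as from an open one, and the refusals are usually the louder signal.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = set()
    for src, evs in by_src.items():
        evs.sort()
        # Slide a window over this source's events, anchored at each event in turn.
        for i, first in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e[0] - first[0]).total_seconds() <= window_seconds]
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, _, dst, port, _ in window:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    alerts.add((src, "port_scan", dst))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    alerts.add((src, "host_sweep", str(port)))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind, target in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{kind}: {src} -> {target}")
```

Run against the sample, the workstation 10.0.5.23 is reported twice, once for the twelve-port probe of 10.0.1.10 and once for the sweep of port 445 across three hosts, while 10.0.5.41, which only opened two ordinary connections, is not reported. The thresholds are the part to tune per environment: an asset inventory or vulnerability scanner will trip the same logic and needs an allow-list.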

Application Attacks

Application attacks are a category of cyber threats that exploit vulnerabilities in software applications, targeting weaknesses in design, development, and implementation. These attacks aim to compromise data, breach user privacy, and disrupt functionality. There are six prominent types of application attacks, as described in the sub-sections that follow.

Injection Attack

An injection attack involves the malicious insertion of untrusted data into application inputs, exploiting flaws that allow the execution of unintended commands. Common forms of this type of attack include SQL injection (where malicious SQL statements are injected) and XSS, which embeds malicious scripts into web applications. An example of SQL injection can be found under the Web-Based Vulnerabilities section in Chapter 7, Explain various types of vulnerabilities. XSS was just covered in this chapter in the preceding Malicious Code section.

Reminder

An instance of SELECT * or 1=1 indicates...

Cryptographic Attacks

There exists an invisible battlefield where cryptographic attacks reign supreme. These adversaries, like modern-day phantoms, employ arcane techniques to breach the very foundations of digital security, unraveling algorithms crafted to safeguard our virtual domains. Among their arsenal are three ominous strategies: downgrade, a manipulation of trust; collision, a disruption in order; and birthday, where time is transformed into a weapon. These attacks can take multiple forms, but the most common are defined in the following sections.
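The "birthday" strategy named above rests on one number: how many random inputs it takes before two of them share a digest. The following is an added example, not code from the book, that computes that bound for an n-bit digest and then shows it empirically on a deliberately shortened hash (the first 20 bits of SHA-256, a constructed toy). The function names and the message format are assumptions made for this example.

```python
import hashlib
import math


def birthday_attempts(bits, probability=0.5):
    """Inputs needed before two of them share an n-bit digest with the given
    probability: k ≈ sqrt(2 * 2^n * ln(1 / (1 - p))). For p = 0.5 this is about
    1.177 * 2^(n/2), which is why a 256-bit hash offers roughly 128 bits of
    collision resistance, not 256."""
    return math.sqrt(2 * 2 ** bits * math.log(1 / (1 - probability)))


def collision_probability(bits, attempts):
    """P(at least one collision among k random n-bit digests) ≈ 1 - exp(-k^2 / 2^(n+1))."""
    return 1 - math.exp(-(attempts ** 2) / (2 * 2 ** bits))


def truncated_digest(data, bits):
    """First `bits` bits of SHA-256 as an int. A constructed toy: shortening the
    digest is what makes a collision cheap enough to find in a script."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits, max_attempts):
    """Hash numbered messages until two collide on the truncated digest.
    Returns (first_message, second_message, attempts_used) or None."""
    seen = {}
    for i in range(max_attempts):
        msg = b"message-%d" % i
        digest = truncated_digest(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    return None


if __name__ == "__main__":
    print("expected attempts for 50% on 20 bits:", round(birthday_attempts(20)))
    print("P(collision) for 2^32 inputs on 64 bits:",
          round(collision_probability(64, 2 ** 32), 3))
    result = find_collision(20, 20_000)
    if result:
        a, b, used = result
        print(f"{a!r} and {b!r} share the first 20 bits after {used} attempts")
```

The bound is why digest length matters: at 20 bits a collision arrives after about 1,200 attempts, at 64 bits 2^32 inputs already give a 39% chance, and only at 256 bits does the expected 2^128 work put it out of reach. The same arithmetic is what makes short hash truncations, short MAC tags and 64-bit block ciphers in long-lived sessions a practical risk rather than a theoretical one.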

Downgrade Attacks

A downgrade attack manipulates the trust-building process. In this attack, a malicious actor intercepts and alters the communication between two parties, causing them to downgrade to a weaker encryption protocol. Attacks of this nature include the following:

  • SSL/TLS downgrade: An SSL/TLS downgrade attack is one in which an attacker exploits vulnerabilities in the communication between a client (such as a web...
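What defeats a downgrade is a floor that neither side will negotiate below, regardless of what the other side appears to offer. The following is an added example, not code from the book: a toy model of version negotiation with and without that floor, alongside a real Python `ssl` context that enforces the same floor. The RANKING list, the function names and the offer lists are constructed for the example; `ssl.create_default_context` and `ssl.TLSVersion` are the only real APIs used.

```python
import ssl

# Protocol versions, oldest first. Names mirror ssl.TLSVersion for readability;
# the list itself is a constructed model, not something the ssl module exposes.
RANKING = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def negotiate_naive(client_offer, server_support):
    """Pick the newest version both sides list, trusting the offer as received.
    This is the behaviour a downgrade exploits: the client's real capabilities
    never reach the server, only whatever the on-path attacker let through."""
    common = [v for v in RANKING if v in client_offer and v in server_support]
    if not common:
        raise ValueError("no common protocol version")
    return common[-1]


def negotiate_with_floor(client_offer, server_support, minimum):
    """Same selection, then refuse anything older than the configured floor.
    Raising here is the point: a failed handshake is the safe outcome."""
    chosen = negotiate_naive(client_offer, server_support)
    if RANKING.index(chosen) < RANKING.index(minimum):
        raise ValueError(f"refusing {chosen}: below minimum {minimum}")
    return chosen


def tampered_offer(offer, newest_kept):
    """Model the attacker's edit of the client's offer: drop every version newer
    than `newest_kept`. Present only so the floor check can be exercised."""
    return [v for v in offer if RANKING.index(v) <= RANKING.index(newest_kept)]


def hardened_client_context():
    """The real-world form of the floor: a Python ssl context that will not
    complete a handshake below TLS 1.2, whatever the server offers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    client = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
    server = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
    print("honest handshake:", negotiate_naive(client, server))
    stripped = tampered_offer(client, "TLSv1")
    print("after tampering, no floor:", negotiate_naive(stripped, server))
    try:
        negotiate_with_floor(stripped, server, "TLSv1_2")
    except ValueError as err:
        print("after tampering, with floor:", err)
```

The floor has to be configured on both ends, since either side can be the one whose offer is rewritten. TLS 1.3 adds a second defence on top of this: a server that supports 1.3 but ends up negotiating an older version marks the ServerHello random value, so a 1.3-capable client can detect the downgrade even when an older version is still allowed.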

Password Attacks

Passwords are still a common means of authentication, and as a cybersecurity professional, you need to be aware of the following common password attacks so that you can identify them:

  • Dictionary attack: In a dictionary attack, an attacker attempts to crack passwords using an exhaustive list of words found in a dictionary. Passwords with misspellings or special characters such as $ or % that are not found in dictionaries are typically resistant to this type of attack.
  • Password spraying: Instead of checking every single combination, sprayers focus on a few common usernames (such as admin, root, or user) and try a list of common passwords (such as 123456, password, password123, letmein, and changeme). You can prevent password spraying by implementing strong password policies, MFA, and monitoring systems for unusual login patterns.
  • Brute force: Brute-force attacks may use password lists or rainbow tables, which are precomputed tables of hash values for...

Indicators of Attack

Indicators of Attack (IoAs) provide early warnings of potential threats by identifying suspicious activities or behaviors within a network, thereby helping organizations proactively defend against cyberattacks. The following are some common indicators that will help you identify attacks:

  • Account lockout: Account lockout serves as an early warning sign that something is wrong. Frequent or unexpected lockouts, especially for privileged accounts, could indicate malicious attempts to gain unauthorized access. A brute-force attack, for instance, will lock accounts out, as most companies allow only three failed attempts.
  • Concurrent session usage: Monitoring the number of concurrent user sessions can reveal suspicious activity. Sudden spikes or a significantly higher number of concurrent sessions than usual might indicate unauthorized access or a breach in progress.
  • Blocked content: Attempts to access valuable data can be revealed by blocked content indicators...
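The password spraying bullet in the Password Attacks section and the account lockout and concurrent session indicators above describe the same raw material, an authentication log, read three different ways. The following is one added example for all three, not code from the book: it parses constructed log lines and reports a source that fails against many distinct accounts, every lockout (with privileged accounts marked), and any user whose simultaneous sessions exceed a baseline. The log format, addresses, thresholds, the privileged-account list and the function names are all assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed authentication log (not from the book). Fields:
# timestamp, event (failure | success | lockout | logout), user, source IP.
SAMPLE_AUTH_LOG = """\
2024-01-08T09:00:01 failure admin 203.0.113.9
2024-01-08T09:00:02 failure root 203.0.113.9
2024-01-08T09:00:03 failure user 203.0.113.9
2024-01-08T09:00:04 failure jsmith 203.0.113.9
2024-01-08T09:00:05 failure jdoe 203.0.113.9
2024-01-08T09:00:06 failure admin 203.0.113.9
2024-01-08T09:00:07 failure admin 203.0.113.9
2024-01-08T09:00:08 lockout admin 203.0.113.9
2024-01-08T09:10:00 success jdoe 10.0.5.23
2024-01-08T09:10:30 success jdoe 10.0.5.24
2024-01-08T09:11:00 success jdoe 198.51.100.7
2024-01-08T09:12:00 logout jdoe 10.0.5.23
2024-01-08T09:15:00 failure bob 10.0.5.40
2024-01-08T09:15:10 success bob 10.0.5.40
"""

PRIVILEGED = {"admin", "root"}   # constructed list of accounts that warrant a louder alert
SPRAY_WINDOW_SECONDS = 300       # one source, many accounts, inside this window = spraying
SPRAY_MIN_ACCOUNTS = 5
SESSION_BASELINE = 2             # more simultaneous sessions than this is unusual for one user


def parse_auth_log(text):
    """Turn the text log into (timestamp, event, user, source) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, user, src = line.split()
            events.append((datetime.fromisoformat(ts), event, user, src))
    return events


def detect_spraying(events, window_seconds=SPRAY_WINDOW_SECONDS,
                    min_accounts=SPRAY_MIN_ACCOUNTS):
    """Password spraying inverts brute force: few passwords, many accounts, so the
    tell is one source failing against many distinct users, not one user failing
    many times. Returns {source: distinct accounts tried in the busiest window}."""
    failures = defaultdict(list)
    for ts, event, user, src in events:
        if event == "failure":
            failures[src].append((ts, user))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def detect_lockouts(events, privileged=PRIVILEGED):
    """Every lockout is worth a look; one on a privileged account is worth a page.
    Returns [(user, source, is_privileged)] in log order."""
    return [(user, src, user in privileged)
            for _, event, user, src in events if event == "lockout"]


def concurrent_session_peaks(events, baseline=SESSION_BASELINE):
    """Track live sessions per user (one per source IP) and report users whose
    peak exceeded the baseline, the 'concurrent session usage' indicator."""
    active = defaultdict(set)
    peak = Counter()
    for _, event, user, src in sorted(events):
        if event == "success":
            active[user].add(src)
        elif event == "logout":
            active[user].discard(src)
        peak[user] = max(peak[user], len(active[user]))
    return {user: n for user, n in peak.items() if n > baseline}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("spraying sources:", detect_spraying(evs))
    print("lockouts:", detect_lockouts(evs))
    print("session peaks above baseline:", concurrent_session_peaks(evs))
```

On the sample, 203.0.113.9 is reported for touching five accounts in eight seconds, the lockout of admin is marked as privileged, and jdoe is reported for three simultaneous sessions from two internal addresses and one external one, while bob's single mistyped password produces nothing. Note that the spraying detector keys on the source rather than on the account, which is exactly the view a per-account lockout policy does not give you.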

Summary

This chapter covered various types of malware attacks, ranging from ransomware to rootkits. Then, we looked at attacks that affect networks, passwords, and applications. Other key topics included PUPs and bloatware, and their effects on system performance, as well as a look at physical attacks, such as brute force and tactics exploiting environmental factors. The chapter also looked at network attacks including DDoS attacks and ARP poisoning, illustrating the complexity of network security challenges.

We explored various application attacks, highlighting injection and buffer overflow techniques, and their impact on software vulnerabilities. Cryptographic attacks, such as downgrade and collision attacks, were also discussed, emphasizing the evolving nature of digital security threats. Finally, we covered the nuances of password attacks, distinguishing between online and offline methods, and outlined general indicators of attacks to help identify and respond to potential threats...

Exam Objectives 2.4

Given a scenario, analyze indicators of malicious activity.

  • Malware attacks: Malicious software attack
    • Ransomware: Attacker demands payment for decryption
    • Trojans: Unauthorized system access, unexpected system changes
    • Worms: Rapid network congestion, unusual traffic patterns
    • Spyware: Unexplained data exfiltration, suspicious process activity
    • Bloatware: Excessive resource consumption, slowed system performance
    • Viruses: Infected files or software, replication in files and memory
    • Keyloggers: Keystroke logging, unusual data transfer
    • Logic bombs: Specific trigger events, sudden system crashes
    • Rootkits: Hidden processes, unauthorized access
  • Physical attacks:
    • Brute force: Repeated login attempts, account lockouts
    • RFID cloning: Unauthorized RFID tag usage, duplication
    • Environmental: Physical damage, tampering with hardware
  • Network attacks:
    • DDoS attacks: Service unavailability
    • Amplified DDoS: Magnifying attack traffic for greater disruption
    • Reflected DDoS: Redirecting and...

Chapter Review Questions

The following questions are designed to check that you have understood the information in the chapter. For a realistic practice exam, please check the practice resources in our exclusive online study tools (refer to Chapter 29, Accessing the online practice resources for instructions to unlock them). The answers and explanations to these questions can be found via this link.

  1. On Monday morning at 9 am, the files of a company’s Chief Financial Officer (CFO) are deleted without any warning. The IT Support team restored the data, but on the following Monday morning at 9 am, the files were again deleted. Which of the following BEST describes this type of attack?
    1. A logic bomb
    2. A buffer overflow
    3. A Trojan
    4. A rootkit
  2. You are the lead cybersecurity analyst at a large financial institution. Lately, your organization has been facing a series of security incidents. In one incident, sensitive customer data was stolen, leading to a data breach. In another, an...