Initial Core 2 study project

notes/SEC-5-social-engineering-attacks.md

@@ -0,0 +1,306 @@
+# SEC-5: Social Engineering and Attacks
+
+Status: not started
+
+Domain:
+- 2.0 Security
+
+Objective alignment:
+- 2.5 Social engineering and attacks
+
+## What You Need To Know
+
+This objective is scenario-heavy. The exam describes an attack and expects you to identify the type or best prevention.
+
+Think in categories:
+- Human manipulation
+- Availability attacks
+- Spoofing/on-path attacks
+- Password attacks
+- Web app attacks
+- Insider/supply chain risks
+- Vulnerable systems
+
+## Memory Trick
+
+Use **PHISH-DOS-PASS-WEB-SUPPLY**:
+
+- **PHISH**: phishing, vishing, smishing, QR phishing, spear phishing, whaling
+- **DOS**: DoS and DDoS
+- **PASS**: brute force, dictionary, plaintext passwords
+- **WEB**: SQL injection and XSS
+- **SUPPLY**: service provider, hardware, software supply chain
+
+Physical/social trick:
+- **Tailgating = no consent**
+- **Piggybacking = with consent**
+
+## Phishing Variants
+
+Phishing:
+- Fraud messages that trick users into clicking, logging in, paying, or sharing data.
+- Often uses spoofed email, fake sites, urgency, or suspicious links.
+
+Vishing:
+- Voice phishing by phone or voicemail.
+
+Smishing:
+- SMS/text phishing.
+
+QR code phishing:
+- Malicious QR code points to a fake or harmful site.
+
+Spear phishing:
+- Targeted phishing aimed at a specific person or group.
+
+Whaling:
+- Spear phishing aimed at executives or high-value targets.
+
+Business Email Compromise (BEC):
+- Attacker uses email trust to request money, gift cards, payroll changes, or wire transfers.
+- Prevention: verify requests through a separate trusted channel.
+
+## Physical/Social Attacks
+
+Shoulder surfing:
+- Watching someone enter or view sensitive information.
+- Prevention: privacy screens, awareness, monitor placement.
+
+Tailgating:
+- Unauthorized person follows through a secure door without consent.
+
+Piggybacking:
+- Authorized person knowingly lets someone follow them in.
+
+Impersonation:
+- Pretending to be someone trusted, such as help desk, vendor, executive, or employee.
+
+Dumpster diving:
+- Searching trash for information useful in later attacks.
+- Prevention: shredding, secure disposal, clean desk policy.
+
+## Availability Attacks
+
+DoS:
+- Denial of Service.
+- One system/attack source makes a service unavailable.
+
+DDoS:
+- Distributed Denial of Service.
+- Many systems, often botnets, attack at once.
+
+Prevention/mitigation:
+- ISP filtering
+- Cloud DDoS protection
+- Firewall/rate-limit patterns
+- Redundancy
+
+## Spoofing and On-Path Attacks
+
+On-path attack:
+- Attacker intercepts/redirects traffic between victim and destination.
+- Formerly called man-in-the-middle.
+
+ARP poisoning:
+- Local network attack that tricks devices about MAC-to-IP mappings.
+
+Evil twin:
+- Fake Wi-Fi access point that looks legitimate.
+- Prevention: VPN, HTTPS, avoid unknown Wi-Fi, verify SSID, use enterprise authentication.
+
+On-path browser attack:
+- Malware in the browser proxies or manipulates traffic from the victim's own machine.
+
+## Zero-Day Attacks
+
+Zero-day:
+- Exploit for a vulnerability not yet known or patched by the vendor.
+
+Exam clue:
+- No patch exists yet, or the vulnerability was unknown before exploitation.
+
+Mitigation:
+- Defense in depth, least privilege, behavior detection, segmentation, rapid patching when fixes arrive.
+
+## Password Attacks
+
+Plaintext password storage:
+- Passwords stored unencrypted.
+- Bad design.
+
+Hashing:
+- One-way representation of a password.
+- Used for password storage.
+
+Brute force:
+- Try every possible password combination.
+
+Dictionary attack:
+- Try likely words/password lists and substitutions.
+
+Mitigation:
+- Long passwords
+- MFA
+- Account lockout/rate limiting
+- Strong hashing
+- Password managers
+
+## Web App Attacks
+
+SQL injection:
+- Attacker modifies database queries through unsafe input.
+- Example effect: view, change, or delete database data.
+- Prevention: input validation, parameterized queries, secure coding.
+
+XSS:
+- Cross-site scripting.
+- Attacker injects scripts into trusted web pages or links.
+- Can steal cookies/session tokens or act as the user.
+- Prevention: input validation/output encoding, secure coding, browser updates.
+
+Memory trick:
+- **SQL injection attacks the database.**
+- **XSS attacks the user's browser trust.**
+
+## Insider and Supply Chain
+
+Insider threat:
+- Employee, contractor, or trusted person misuses access.
+- May be malicious or careless.
+
+Supply chain attack:
+- Attacker compromises a vendor, provider, update, hardware, or software source.
+- Trusted relationship becomes the attack path.
+
+Service provider risk:
+- Third-party providers may have access to internal systems.
+
+Mitigation:
+- Vendor audits
+- Least privilege
+- Contract security requirements
+- Monitor provider access
+- Verify software signatures
+
+## Vulnerable Systems
+
+Non-compliant systems:
+- Do not meet organization standards.
+
+Unpatched systems:
+- Missing security updates.
+
+Unprotected systems:
+- Security controls disabled or absent.
+
+EOL/EOSL:
+- End of life/end of service life.
+- No normal security patches or support.
+
+BYOD:
+- Bring Your Own Device.
+- User-owned device accessing company data.
+- Needs policy, MDM, data separation, and security requirements.
+
+## Commands To Enter
+
+Windows:
+
+```powershell
+arp -a
+```
+
+What it does:
+- Shows ARP cache entries.
+- Useful conceptually for ARP poisoning discussions.
+
+```powershell
+netstat -ano
+```
+
+What it does:
+- Shows active network connections and listening ports.
+
+```powershell
+ipconfig /all
+```
+
+What it does:
+- Shows IP, DNS, gateway, and adapter information.
+
+```powershell
+whoami /groups
+```
+
+What it does:
+- Shows group membership and helps discuss insider/privilege risk.
+
+Linux:
+
+```bash
+ip neigh
+```
+
+What it does:
+- Shows neighbor/ARP table entries.
+
+```bash
+ss -tulpn
+```
+
+What it does:
+- Shows listening sockets and processes when allowed.
+
+```bash
+ip route
+```
+
+What it does:
+- Shows routes, including default gateway.
+
+## Mini Lab
+
+Goal:
+- Practice identifying attack types safely.
+
+Windows:
+1. Run `arp -a`.
+2. Run `netstat -ano`.
+3. Run `ipconfig /all`.
+4. Record:
+   - Default gateway:
+   - One ARP entry:
+   - One active/listening connection:
+
+Linux:
+1. Run `ip neigh`.
+2. Run `ss -tulpn`.
+3. Run `ip route`.
+4. Record:
+   - Default gateway:
+   - One neighbor entry:
+   - One listening service:
+
+Scenario practice:
+1. A CFO gets an email asking for a wire transfer.
+2. A user scans a QR code on a parking meter and lands on a fake payment site.
+3. A fake Wi-Fi network copies the hotel SSID.
+4. An attacker tries every possible password.
+5. A vendor software update is compromised.
+6. A website search box runs attacker-supplied JavaScript.
+7. A database query is manipulated through form input.
+
+For each:
+- Name the attack.
+- Name one prevention or mitigation.
+
+## Quick Check Before Quiz
+
+You are ready for the SEC-5 quiz when you can answer these without looking:
+- What is the difference between phishing, vishing, smishing, spear phishing, and whaling?
+- What is the difference between tailgating and piggybacking?
+- What does an evil twin imitate?
+- What is the difference between SQL injection and XSS?
+- What is a supply chain attack?
+- What is the difference between DoS and DDoS?
+