comptia-a-plus-core2/notes/SEC-5-social-engineering-attacks.md

# SEC-5: Social Engineering and Attacks
Status: not started
Domain:
- 2.0 Security
Objective alignment:
- 2.5 Social engineering and attacks
## What You Need To Know
This objective is scenario-heavy. The exam describes an attack and expects you to identify the type or best prevention.
Think in categories:
- Human manipulation
- Availability attacks
- Spoofing/on-path attacks
- Password attacks
- Web app attacks
- Insider/supply chain risks
- Vulnerable systems
## Memory Trick
Use **PHISH-DOS-PASS-WEB-SUPPLY**:
- **PHISH**: phishing, vishing, smishing, QR phishing, spear phishing, whaling
- **DOS**: DoS and DDoS
- **PASS**: brute force, dictionary, plaintext passwords
- **WEB**: SQL injection and XSS
- **SUPPLY**: service provider, hardware, software supply chain
Physical/social trick:
- **Tailgating = no consent**
- **Piggybacking = with consent**
## Phishing Variants
Phishing:
- Fraud messages that trick users into clicking, logging in, paying, or sharing data.
- Often uses spoofed email, fake sites, urgency, or suspicious links.
Vishing:
- Voice phishing by phone or voicemail.
Smishing:
- SMS/text phishing.
QR code phishing:
- Malicious QR code points to a fake or harmful site.
Spear phishing:
- Targeted phishing aimed at a specific person or group.
Whaling:
- Spear phishing aimed at executives or high-value targets.
Business Email Compromise (BEC):
- Attacker uses email trust to request money, gift cards, payroll changes, or wire transfers.
- Prevention: verify requests through a separate trusted channel.
## Physical/Social Attacks
Shoulder surfing:
- Watching someone enter or view sensitive information.
- Prevention: privacy screens, awareness, monitor placement.
Tailgating:
- Unauthorized person follows through a secure door without consent.
Piggybacking:
- Authorized person knowingly lets someone follow them in.
Impersonation:
- Pretending to be someone trusted, such as help desk, vendor, executive, or employee.
Dumpster diving:
- Searching trash for information useful in later attacks.
- Prevention: shredding, secure disposal, clean desk policy.
## Availability Attacks
DoS:
- Denial of Service.
- A single attacking system or source floods or crashes a service so legitimate users cannot reach it.
DDoS:
- Distributed Denial of Service.
- Many systems, often botnets, attack at once.
Prevention/mitigation:
- ISP filtering
- Cloud DDoS protection
- Firewall/rate-limit patterns
- Redundancy
## Spoofing and On-Path Attacks
On-path attack:
- Attacker intercepts/redirects traffic between victim and destination.
- Formerly called man-in-the-middle.
ARP poisoning:
- Local network attack that sends forged ARP replies so devices learn a wrong MAC-to-IP mapping (typically the attacker's MAC for the gateway's IP), which lets the attacker sit on-path.
Evil twin:
- Fake Wi-Fi access point that looks legitimate.
- Prevention: VPN, HTTPS, avoid unknown Wi-Fi, verify SSID, use enterprise authentication.
On-path browser attack:
- Malware in the browser proxies or manipulates traffic from the victim's own machine.
## Zero-Day Attacks
Zero-day:
- Exploit for a vulnerability not yet known or patched by the vendor.
Exam clue:
- No patch exists yet, or the vulnerability was unknown before exploitation.
Mitigation:
- Defense in depth, least privilege, behavior detection, segmentation, rapid patching when fixes arrive.
## Password Attacks
Plaintext password storage:
- Passwords stored as-is, so anyone who obtains the file or database has every password.
- Bad design.
Hashing:
- One-way function that turns a password into a fixed-size digest; the original cannot be recovered from the digest.
- Used for password storage, with a per-user salt and a deliberately slow algorithm so guessing stays expensive.
Brute force:
- Try every possible password combination.
Dictionary attack:
- Try likely words/password lists and substitutions.
Mitigation:
- Long passwords
- MFA
- Account lockout/rate limiting
- Strong hashing
- Password managers
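The password storage and mitigation points above, shown as runnable code. This is an added example, not part of the original notes: it keeps a constructed in-memory credential store, contrasts plaintext storage with a salted PBKDF2-HMAC-SHA256 hash, verifies with a constant-time comparison, and applies an account lockout after a fixed number of failures. The iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256; the lockout threshold of 5 and the guess list are assumed values for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store: username -> record dict.
# Two designs from the notes sit side by side: plaintext (bad) and a
# salted slow hash with lockout (the mitigations listed above).
PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5              # account lockout threshold (assumed policy value)


def store_plaintext(store, username, password):
    """Plaintext storage: anyone who reads the store has every password."""
    store[username] = {"password": password}


def check_plaintext(store, username, password):
    rec = store.get(username)
    return rec is not None and rec["password"] == password


def _derive(password, salt):
    # Slow, salted, one-way derivation of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_hashed(store, username, password):
    """Hashed storage: random 16-byte salt per user plus a slow one-way hash.

    Two users with the same password get different hashes, so a single
    precomputed table cannot crack both at once.
    """
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _derive(password, salt),
                       "failures": 0, "locked": False}


def check_hashed(store, username, password):
    """Verify a login attempt; returns (accepted, reason).

    Wrong guesses are counted and the account locks after MAX_FAILURES,
    which is what blunts online brute-force and dictionary attacks.
    """
    rec = store.get(username)
    if rec is None:
        return False, "unknown user"
    if rec["locked"]:
        return False, "locked"          # refuse before doing any hashing work
    candidate = _derive(password, rec["salt"])
    if hmac.compare_digest(candidate, rec["hash"]):   # constant-time compare
        rec["failures"] = 0
        return True, "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["locked"] = True
        return False, "locked"
    return False, "bad password"


def try_guesses(store, username, guesses):
    """Feed a short constructed guess list at one account; returns the reasons."""
    return [check_hashed(store, username, g)[1] for g in guesses]


if __name__ == "__main__":
    store = {}
    store_hashed(store, "alice", "correct horse battery staple")
    # Five wrong guesses lock the account; the sixth, correct one is refused.
    print(try_guesses(store, "alice", ["password", "123456", "qwerty", "letmein",
                                       "welcome", "correct horse battery staple"]))
```

Note that the lockout check runs before any hashing, so a locked account costs the server nothing per attempt; a real deployment would also rate-limit by source address and add MFA, as the notes list.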
## Web App Attacks
SQL injection:
- Attacker modifies database queries through unsafe input.
- Example effect: view, change, or delete database data.
- Prevention: input validation, parameterized queries, secure coding.
XSS:
- Cross-site scripting.
- Attacker injects scripts into trusted web pages or links.
- Can steal cookies/session tokens or act as the user.
- Prevention: input validation/output encoding, secure coding, browser updates.
Memory trick:
- **SQL injection attacks the database.**
- **XSS attacks the user's browser trust.**
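The two web app attacks above side by side with their preventions, as an added example that is not part of the original notes. It builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation and once with a parameterized query, then renders a search term once untouched and once HTML-encoded. The table contents, the `alice' OR '1'='1` input and the marker script are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "alice-token"), ("bob", "bob-token")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: the input is pasted into the SQL text, so quotes and
    keywords inside it become part of the query the database runs."""
    query = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Prevention: parameterized query. The driver sends the value separately
    from the SQL, so it is only ever compared as data, never parsed as syntax."""
    return conn.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def render_search_unsafe(term):
    """Reflected XSS: the search term is echoed into the page untouched,
    so a script tag in it runs in the visitor's browser."""
    return f"<p>Results for: {term}</p>"


def render_search_encoded(term):
    """Prevention: output encoding turns <, >, &, and quotes into entities,
    so the browser displays the text instead of executing it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


# Constructed inputs for the demonstration.
INJECTION_INPUT = "alice' OR '1'='1"       # closes the quote and adds an always-true condition
XSS_INPUT = "<script>alert(1)</script>"     # harmless marker script

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:    ", lookup_vulnerable(conn, INJECTION_INPUT))    # every row leaks
    print("parameterized: ", lookup_parameterized(conn, INJECTION_INPUT)) # no match
    print("unsafe html:   ", render_search_unsafe(XSS_INPUT))
    print("encoded html:  ", render_search_encoded(XSS_INPUT))
```

The vulnerable query becomes `... WHERE name = 'alice' OR '1'='1'`, which matches every row; the parameterized version compares the whole string as one name and finds nothing. The same split applies to XSS: the fix is to encode at output time rather than trying to filter every dangerous input.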
## Insider and Supply Chain
Insider threat:
- Employee, contractor, or trusted person misuses access.
- May be malicious or careless.
Supply chain attack:
- Attacker compromises a vendor, provider, update, hardware, or software source.
- Trusted relationship becomes the attack path.
Service provider risk:
- Third-party providers may have access to internal systems.
Mitigation:
- Vendor audits
- Least privilege
- Contract security requirements
- Monitor provider access
- Verify software signatures
## Vulnerable Systems
Non-compliant systems:
- Do not meet organization standards.
Unpatched systems:
- Missing security updates.
Unprotected systems:
- Security controls disabled or absent.
EOL/EOSL:
- End of life/end of service life.
- No normal security patches or support.
BYOD:
- Bring Your Own Device.
- User-owned device accessing company data.
- Needs policy, MDM, data separation, and security requirements.
## Commands To Enter
Windows:
```powershell
arp -a
```
What it does:
- Shows ARP cache entries.
- Useful conceptually for ARP poisoning discussions.
```powershell
netstat -ano
```
What it does:
- Shows active network connections and listening ports.
```powershell
ipconfig /all
```
What it does:
- Shows IP, DNS, gateway, and adapter information.
```powershell
whoami /groups
```
What it does:
- Shows group membership and helps discuss insider/privilege risk.
Linux:
```bash
ip neigh
```
What it does:
- Shows neighbor/ARP table entries.
```bash
ss -tulpn
```
What it does:
- Shows listening TCP and UDP sockets and, when run with sufficient privileges, the process that owns each one.
```bash
ip route
```
What it does:
- Shows routes, including default gateway.
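A defender-side use of the ARP table commands above, and of the ARP poisoning entry earlier in these notes. This is an added example, not part of the original notes: it parses constructed output in both the Windows `arp -a` and Linux `ip neigh` layouts, flags any MAC address that claims more than one IP, and compares the gateway's MAC against a recorded baseline. The sample output and the baseline MAC are constructed; the IP and MAC values are placeholders.

```python
import re
from collections import defaultdict

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\b")

# Constructed `arp -a` output (Windows layout): every host has its own MAC.
WINDOWS_SAMPLE = """\
Interface: 192.168.1.20 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed `ip neigh` output (Linux layout): the gateway's IP now
# carries the same MAC as another host, the classic poisoning symptom.
LINUX_SAMPLE = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
192.168.1.77 dev eth0 FAILED
"""


def parse_arp_table(text):
    """Return {ip: mac} from either command's output.

    Lines without both an IPv4 address and a MAC (headers, the Windows
    interface line, FAILED/incomplete entries) are skipped. MACs are
    normalized to lowercase colon form so the two layouts compare equal.
    """
    entries = {}
    for line in text.splitlines():
        ip = IPV4_RE.search(line)
        mac = MAC_RE.search(line)
        if not (ip and mac):
            continue
        entries[ip.group(1)] = mac.group(1).lower().replace("-", ":")
    return entries


def duplicate_macs(entries):
    """MACs that answer for more than one IP, ignoring broadcast and IPv4 multicast.

    This is an indicator, not proof: virtual IPs and failover setups can
    legitimately share a MAC, so confirm against a known-good baseline.
    """
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(entries, gateway_ip, known_mac):
    """True if the gateway's MAC in the table differs from the recorded baseline."""
    seen = entries.get(gateway_ip)
    return seen is not None and seen != known_mac.lower().replace("-", ":")


if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        table = parse_arp_table(sample)
        print(label, "duplicates:", duplicate_macs(table),
              "gateway changed:", gateway_changed(table, "192.168.1.1", "aa-bb-cc-dd-ee-01"))
```

To use this on a real host, record the gateway's MAC once from a known-clean state (for example from the router's own admin page) and rerun the check against fresh `arp -a` or `ip neigh` output; a changed gateway MAC or a MAC shared with the gateway is the thing to investigate.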
## Mini Lab
Goal:
- Practice identifying attack types safely.
Windows:
1. Run `arp -a`.
2. Run `netstat -ano`.
3. Run `ipconfig /all`.
4. Record:
   - Default gateway:
   - One ARP entry:
   - One active/listening connection:
Linux:
1. Run `ip neigh`.
2. Run `ss -tulpn`.
3. Run `ip route`.
4. Record:
   - Default gateway:
   - One neighbor entry:
   - One listening service:
Scenario practice:
1. A CFO gets an email asking for a wire transfer.
2. A user scans a QR code on a parking meter and lands on a fake payment site.
3. A fake Wi-Fi network copies the hotel SSID.
4. An attacker tries every possible password.
5. A vendor software update is compromised.
6. A website search box runs attacker-supplied JavaScript.
7. A database query is manipulated through form input.
For each:
- Name the attack.
- Name one prevention or mitigation.
## Quick Check Before Quiz
You are ready for the SEC-5 quiz when you can answer these without looking:
- What is the difference between phishing, vishing, smishing, spear phishing, and whaling?
- What is the difference between tailgating and piggybacking?
- What does an evil twin imitate?
- What is the difference between SQL injection and XSS?
- What is a supply chain attack?
- What is the difference between DoS and DDoS?