This document discusses advanced attacks and secure coding concepts. It compares common attacks like denial-of-service, privilege escalation, and spoofing. It also summarizes secure coding practices such as input validation, error handling, and normalization. Application attacks like SQL injection, cross-site scripting, and cross-site request forgery are identified. Finally, it touches on security frameworks and guides.

1. Chapter 7
Protecting Against
Advanced Attacks
CompTIA Security+
Get Certified Get Ahead
1

2. Introduction
• Comparing common attacks
• Summarizing secure coding
concepts
• Identifying application attacks
• Understanding frameworks and
guides

3. Common
Attacks
• Denial-of-service (DoS)
– Comes from one system
• Distributed denial-of-service
(DDoS)
– Multiple attacking computers
– Typically include sustained,
abnormally high network traffic

4. Common
Attacks
• Privilege escalation
– Gain additional privileges after initial
exploit
• Spoofing
– Impersonating or masquerading
as someone or something else
– MAC spoofing
– IP spoofing

5. Common
Attacks
• SYN flood attack
– Common attack against Internet
servers
– Disrupts the TCP three-way handshake
– Withholds 3rd packet

6. Common
Attacks
• Man-in-the-middle
– Active interception
– Active eavesdropping
• ARP poisoning

7. ARP
Poisoning
• ARP request
• ARP reply

8. ARP Man-in-
the-Middle

9. DNS Attacks
• DNS poisoning
– Attempt to corrupt DNS data
– Protect against with DNSSEC
• Pharming
– Redirects a web site’s traffic to another
web site
• DDoS DNS attacks
– DNS amplification attack

10. Amplification
Attack
• Smurf
– A ping is normally unicast
– Smurf attack sends the ping out as a
broadcast
– Smurf attack spoofs the source IP
– Directed broadcast through an amplifying
network
– Disable directed broadcasts on border
routers

11. Amplification
Attack
• DNS
– Request as much zone data as possible
– Mirai attack did this
• NTP
– Monlist command

12. Amplification
Attack
• DNS
– Request as much zone data as possible
– Mirai attack did this
• NTP
– Monlist command

13. Password
Attacks
• Online password attack
– Attempts to discover a password from an
online system
• Online password attack
– Attempts to discover passwords from a
captured database or captured packet scan

14. Password
Attacks
• Password hashes
– Password: IC@nP@$$S3curity+
– Hash 75c8ac11c86ca966b58166187589cc15
• http://www.md5online.org/
– Password 12345
– Hash 827ccb0eea8a706c4c34a16891f84e7b

15. Password
Attacks
• Pass the hash
– Attacker discovers the hash
– Attacker uses the hash to log on
– Older protocols susceptible
• Microsoft LAN Manager (LM)
• NT LAN Manager (NTLM)
• Use NTMLv2 instead

16. Password
Attacks
• Birthday attack
– Birthday paradox
– Hash collision
– Prevent attack with strong hashing
• Rainbow table attack
– Prevent with salted hashes

17. Password
Attacks
• Birthday attack
– Birthday paradox
– Hash collision
– Prevent attack with strong hashing
• Rainbow table attack
– Prevent with salted hashes

18. Common
Attacks
• Replay
– Replays data in an attempt to impersonate
client
– Timestamps and sequence numbers are
effective countermeasures
• Can be
– An application/service attack
– A wireless attack
– A cryptographic attack

19. Common
Attacks
• Known plaintext
– Attacker has samples of both the plaintext
and the ciphertext
• Compare with chosen plaintext
The information contained in this email and any
accompanying attachments may contain proprietary
information about the Pay & Park & Pay parking garage.
Nr55tySu3IFIf7f3Cjn540fSs0j0QbshCN0yOAvhN3UKr85uE
kvawEPG3lhLIklwBz7hBzhaRZ96KUYIT3wQbf2cSkWHtN8Z
QrQ+ZGJHhe8HkL42CPjHIGc0HW4urJ+NNLnNxqHyRo34a
zbnXsd3qd3Ce5GE7blWtY0duwNKy0xqhmDihUJs9nDhXB
V4nBkZ6shcmKGEUSyvCr/hOEpAYw==

20. Common
Attacks
• Typo squatting / URL hijacking
– Attackers purchase similar domain names
for various malicious purposes
– Users visit the typo squatting domain when
they enter the URL incorrectly with a
common typo
• Clickjacking
– Tricks users into clicking something different
– Typically uses frames

21. Common
Attacks
• Session hijacking
– Impersonate the user with the session ID
– Session IDs stored in cookies
• Domain hijacking
– Attacker changes the registration of the
domain name
– Typically done by using social engineering
techniques to guess owner’s password

22. Common
Attacks
• Man-in-the-browser attack
– Type of proxy Trojan horse
– Can capture browser session data
• Driver manipulation
– Shimming
– Refactoring

23. Common
Attacks
• Zero-day vulnerabilities
– Undocumented and unknown to the public
– Vendor might know about it, but has not yet
released a patch to address it
• Zero day attack
– Attempts to exploit zero-day vulnerabilities
– Also known as zero day- exploit

24. Memory
Buffer
Vulnerabilities
Application bugs
• Memory leak
– App consumes more and more memory
– Can crash operating system
• Integer overflow
– App attempts to use or create numeric value
too big for the available storage
– 8-bit storage
– 95 x 59 = 5,605 (needs at least 13 bits to
store)

25. Memory
Buffer
Vulnerabilities
• Buffer overflow and buffer overflow
attack
– Occur when an application receives data
that it can’t handle
– Exposes system memory
– Often includes NOP instructions (such as
x90)
– Can then insert malicious code into memory
– Input validation helps prevent buffer
overflow attacks

26. Memory
Buffer
Vulnerabilities
• Pointer dereference
– Failed dereference operation
can cause app to crash
• DLL injection
– Modifies DLL with malicious code
– When DLL runs, malicious code runs

27. Secure Coding
Concepts
• Compiled code
– Optimized
– Run as an executable
– Compiler checks the program for errors and
• Runtime code
– Code is evaluated, interpreted, and executed
when the code is run
– HTML is interpreted by web browsers and
displayed as web pages

28. Input
Validation
• Verifies validity of data before using it
– Verifies proper characters
– Uses boundary and/or range checking
– Blocks HTML code
– Prevents the use of certain characters
• Client-side vs server-side
– Server-side is more secure (many sites use
both)
• Input validation prevents
– Buffer overflow, SQL injection, command
injection, and
cross-site scripting attacks

29. Secure Coding
Concepts
• Avoid race conditions
– Occur when two modules attempt to access
the same resource
– First module to complete the process wins
– Database locks prevent race conditions

30. Error and
Exception
Handling
• Catch errors and provides feedback
– Prevent improper input from crashing an
application providing information to
attackers
– Errors to users should be general
– Logged information should be detailed

31. Secure Coding
Concepts
• Cryptographic techniques
– Encryption
– Authentication
– Code signing

32. Secure Coding
Concepts
• Code reuse
– Avoid dead code
• Software development codes (SDKs)
– Provide software tools easy to reuse
• Code obfuscation
– Camouflage code

33. Code Quality
and Testing
• Static code analyzers
• Dynamic analysis
• Stress testing
• Sandboxing
• Model verification

34. Code Quality
and Testing
• Fuzzing
– Sends random strings of data to applications
looking for vulnerabilities
– Attackers use to detect strings of data that
can be used in an attack
– Administrators use fuzz testing to test
applications

35. SDLC Models
Software development life cycle (SDLC)
models
• Waterfall
– Multiple stages going from top to bottom
– Strict
• Agile
– Starts with set of principles
– Uses iterative cycles with incremental
changes
– Flexible

36. Secure
DevOps
• Security automation
• Continuous integration
• Baselining
• Immutable systems
• Infrastructure as code

37. Secure Coding
Concepts
• Change management
– Ensures developers do not make
unauthorized changes
– Provides accounting structure
• Version control
– Tracks software versions
– Identifies who made the change and when

38. Secure Coding
Concepts
• Provisioning (an application)
– Preparing to deploy it
– Configuring for different applications
• Deprovisioning (an application)
– Removing it completely

39. Secure Coding
Concepts
• Web servers host web sites
– Apache
– IIS
• Protected by placing in DMZ

40. Database
concepts
• Tables related to each other with keys
• Database schema

41. Database
concepts
Tables
• Rows (also called records or tuples)
• Columns (also called attributes)
• Cells hold individual values (such as
“Lisa”)

42. Database
concepts
Normalization
• Organizing tables and columns to
reduce redundant data and improve
performance
• First normal form (1NF)
• Second normal form (3NF)
• Third normal form (3NF)

43. Database
concepts
1NF
• Each row within a table is unique
and identified with a primary key
• Related data is contained in a
separate table
• None of the columns include
repeating groups

44. Database
concepts
2NF (must be in 1NF)
• Non-primary key attributes are completely
dependent on the composite primary key
Composite key Publisher column in this
table violates this rule

45. Database
concepts
3NF (must be in 2NF and 1NF)
• All columns that aren’t primary keys are only
dependent on the primary key
• None of the columns in the table
are dependent on
non-primary key attributes.
PublisherCity column violates this rule
It is dependent on the BookID column
It is dependent on the Publisher column

46. SQL Queries
• Used to access data
• Commonly used with web pages
SELECT * FROM Books WHERE Author = ‘Darril Gibson’
Attackers enter this instead: Darril Gibson'; SELECT *
FROM Customers;--
Result:
SELECT * FROM Books WHERE Author =
‘Darril Gibson’;
SELECT * FROM Customers

47. SQL Queries
SELECT * FROM Customers WHERE
name = 'Homer Simpson‘
• Using SQL Injection
SELECT * FROM Customers WHERE
name = ' ' or '1'='1' --'
• Result
SELECT * FROM Customers WHERE
name = ' '
SELECT * FROM Customers WHERE
'1'='1'

48. SQL Injection
Attack
• Used on unprotected web pages
to access backend databases
• Often use the phrase ' or '1'='1 '
• Tricks database into providing
information
• Best protection
– Input validation & stored procedures
• XML injection (similar to SQL
injection)

49. Application
Attacks
• Other injection attacks
– Command injection attack
• Attempts to run operating system
commands from within an
application

50. Application
Attacks
• Cross-site scripting (XSS)
– Attackers embed malicious HTML or
JavaScript code
– Can be in web site or links in email
– Prevented with server-side input
validation
– OWASP recommends use of library

51. Application
Attacks
• Cross-site request forgery (XSRF)
– Causes users to perform actions on
websites without their knowledge
– Attackers can use to steal cookies and
harvest passwords
– XSRF tokens successfully block this attack

52. Frameworks
and Guides
• Frameworks
– Regulatory
– Non-regulatory
– National versus international
– Industry-specific
• Guides
– Vendor-specific
– Platform-specific
– Role- or goal-specific

53. Chapter 7
Summary
• Comparing common attacks
• Summarizing secure coding concepts
• Identifying application attacks
• Understanding frameworks and
guides