SY0-701 Threats, Vulnerabilities, and Mitigations Study Guide for the CompTIA Security+
Vulnerabilities
A vulnerability in cybersecurity is a weakness that can be exploited by a threat actor. Vulnerabilities can occur at any layer of the Open Systems Interconnection (OSI) model, each layer with its own set of security concerns. You must be able to explain the various types of cybersecurity vulnerabilities.
Application
Indicators of application attacks (unexpected input in logs, error messages, crashes, or unusual output) can be used to determine which vulnerability was exploited and what the attack targeted. Application attacks are among the most difficult to defend against because applications must accept a wide range of input from untrusted users and handle every case correctly.
Memory Injection
A memory injection attack inserts attacker-supplied code into the memory of a running application, for example by writing past a buffer or injecting a library or thread into the process. The attack is designed to trick the application into executing the supplied code or passing it along to another component that will.
Buffer Overflow
A buffer overflow occurs when more data is written to a fixed-size area of memory (a buffer) than it can hold. The excess overwrites adjacent memory, which can include control data such as return addresses or function pointers; a threat actor who controls what is overwritten can redirect execution to code of their choosing on the target system.
Race Conditions
Race conditions occur when the security of code depends on events occurring in a specific sequence and a threat actor can change that sequence. The time-of-check to time-of-use (TOCTOU, also written TOCTTOU) race condition arises when a resource is checked in one step and used in a later step: in the gap between check and use, the resource can be altered so that the check no longer describes what is actually used. For example, if a user is logged in to a system and the administrator revokes the user's credentials while the session is still active, the user is not logged out. The authorization was checked once at login and is not re-checked when it is used, so the user keeps access for the remainder of that session.
Time-of-Check (TOC)
TOC is the point at which a program verifies a system's state or condition (permissions, file type, account balance, and so on) before performing an action or function.
Time-of-Use (TOU)
TOU is the later point at which the program relies on the result of the TOC to perform the requested action or function. Any change to the state between TOC and TOU invalidates the check.
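The following is an added example, not code from the study guide, showing a TOCTOU race on a file path and the fix. The policy is hypothetical: the program may only read regular files, never symbolic links. The between hook stands in for the attacker's window (a real attacker runs the swap in a tight loop); the file names and contents are constructed for the demonstration. The login example above has the same shape: the check happens once, and the use happens later without re-checking.

```python
"""Added example: time-of-check/time-of-use race on a file path, and the fix."""
import errno
import os
import stat
import tempfile


def read_regular_vulnerable(path, between=lambda: None):
    """Check the NAME, then open the NAME again: two separate steps."""
    st = os.lstat(path)                        # time-of-check: inspect the name
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    between()                                  # attacker's window
    with open(path, "rb") as fh:               # time-of-use: resolves the name AGAIN
        return fh.read()                       # and open() follows symlinks


def read_regular_safe(path, between=lambda: None):
    """Open once, then check the object actually opened, not the name."""
    between()                                  # attacker moves first; still safe
    # O_NOFOLLOW makes the open itself refuse a symlink (OSError, errno ELOOP).
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat examines the inode the descriptor is bound to. Nothing can be
        # swapped under an open descriptor, so there is no check/use window.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: public.txt may be read, secret.txt may not.
    The attacker replaces public.txt with a symlink to secret.txt in the window."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "w") as fh:
            fh.write("hello\n")
        with open(secret, "w") as fh:
            fh.write("TOP SECRET\n")

        def swap():                            # the race the attacker wins
            os.remove(public)
            os.symlink(secret, public)

        leaked = read_regular_vulnerable(public, between=swap)

        os.remove(public)                      # reset for the second run
        with open(public, "w") as fh:
            fh.write("hello\n")
        try:
            read_regular_safe(public, between=swap)
            outcome = "read"
        except OSError as e:
            outcome = "refused" if e.errno == errno.ELOOP else "error"
        return {"vulnerable": leaked, "safe": outcome}


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns the secret file's contents; the safe function refuses the symlink. Had the swap landed after os.open instead, the descriptor would still refer to the original regular file, which is the general rule: check the thing you are holding (a descriptor, a session record, a row), not the name you used to look it up.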
Malicious Update
A malicious update is made to look like a legitimate vendor update but contains code supplied by a threat actor. Because update mechanisms are trusted and usually run with high privileges, a compromised update channel gives the threat actor a direct route onto every system that installs the update.
Operating System (OS)
The OS is the core of the computer system and manages all software, memory, and hardware components, so it can access every resource on the machine. OS developers such as Microsoft (Windows) and Apple (macOS) release patches and updates regularly to address known vulnerabilities and operational issues. An unpatched OS leaves the entire system, and every application running on it, open to attack.
Web
Vulnerabilities are common in web-based applications, software, and websites. Web applications are reached over the internet and communicate with back-end resources such as web servers, application servers, and databases, so a flaw in how a web application handles input can expose those back-end resources.
Structured Query Language Injection (SQLi)
SQL injection takes advantage of applications that build database queries by concatenating user input into the SQL text. The input is interpreted as part of the query, so a threat actor can change the query's logic, append a second statement, or extract data the query was never meant to return. The database executes whatever it receives and cannot distinguish the injected portion from the intended one. A common indicator of SQLi in logs and input fields is the tautology ' OR 1=1, which makes a WHERE clause always true.
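The following is an added example, not code from the study guide, showing the ' OR 1=1 bypass described above against a login query and the parameterized query that closes it. It uses Python's built-in sqlite3 module with an in-memory database; the table, users, and passwords are constructed sample data (stored in plaintext only because the point here is the query, not password storage).

```python
"""Added example: SQL injection in a login query, and the parameterized fix."""
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation. The input becomes part of
    the SQL grammar, so a single quote in `username` ends the literal early."""
    sql = ("SELECT name, role FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Bound parameters: the driver passes the values separately from the SQL
    text, so they are always treated as data and never change the statement."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    conn = make_db()
    # Tautology payload: closes the name literal, ORs in an always-true
    # condition, and comments out the password check. The vulnerable query becomes
    #   SELECT name, role FROM users WHERE name = '' OR 1=1 --' AND password = 'x'
    payload = "' OR 1=1 --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "x"),   # first row: admin
        "safe": login_safe(conn, payload, "x"),               # no such user: None
        "legit": login_safe(conn, "alice", "hunter2"),        # still works
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable query matches every row and returns the first one, the admin account, without a password. The same string passed as a bound parameter is compared literally against the name column and matches nothing. Note that sqlite3's execute() refuses to run more than one statement at a time, so the "second query" form of injection is not available through this particular driver, but many other databases and drivers do accept stacked statements.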
Cross-Site Scripting (XSS)
XSS occurs when a web application includes untrusted input in a page without encoding it, allowing a threat actor to insert their own HTML or script, which then runs in other users' browsers with the site's privileges. The two primary types of XSS attacks are reflected and stored/persistent. In a reflected XSS attack, the payload is placed in a request (for example, a URL parameter) and the server echoes, or reflects, it back in the response page; the victim is typically lured into opening a crafted link. In a stored/persistent XSS attack, the payload is saved on the web server hosting the attacked site (in a comment, profile field, or database record) so it is served to every visitor and remains active even when the threat actor is not actively attacking. The appearance of a script tag in user-supplied input is a common indicator of an XSS attack.
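The following is an added example, not code from the study guide, showing reflected XSS in a search page, the output-encoding fix, and a scan of web server access logs for the two indicators named in this section (a script tag for XSS and OR 1=1 for SQL injection). The page functions, the log lines, the IP addresses, and the evil.example host are all constructed for the demonstration.

```python
"""Added example: reflected XSS, output encoding, and indicator scanning."""
import html
import re
from urllib.parse import unquote_plus


def search_page_vulnerable(query):
    """Reflects the user's search term straight into the HTML response, so any
    markup in `query` is parsed by the browser as markup."""
    return "<p>Results for: " + query + "</p>"


def search_page_safe(query):
    """html.escape turns <, >, &, and quotes into entities; the term is shown
    as text and can no longer become part of the page's structure."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


# Indicators named in the guide, matched against the URL-decoded request path.
INDICATORS = {
    "xss": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sqli": re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE),
}

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /search?q=laptops HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
198.51.100.4 - - [10/Oct/2024:13:56:01 +0000] "GET /login?user=%27+OR+1%3D1+--&pass=x HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2024:13:56:30 +0000] "GET /search?q=%3CSCRIPT+src%3D//evil.example%3E HTTP/1.1" 200 700
"""

LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def scan_log(text):
    """Return (source_ip, indicator) for every line whose decoded request path
    matches an indicator. Decoding first matters: payloads arrive percent-encoded
    and would not match the raw line."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, path = m.group(1), unquote_plus(m.group(2))
        for name, pattern in INDICATORS.items():
            if pattern.search(path):
                hits.append((ip, name))
    return hits


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(search_page_vulnerable(payload))
    print(search_page_safe(payload))
    print(scan_log(SAMPLE_LOG))
```

The vulnerable page returns the script tag intact, so a browser would execute it; the safe page returns &lt;script&gt;..., which is displayed as literal text. The log scan flags the encoded script tags and the encoded ' OR 1=1 login attempt while leaving the ordinary search alone. Indicator matching like this is a starting point for investigation, not proof of compromise: it catches the textbook payloads and misses obfuscated ones.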
Hardware
Hardware includes the physical components used in a device, system, or network, such as routers, computers, switches, and the physical components within each device. Hardware vulnerabilities also include the low-level code native to the physical device, such as firmware.
Firmware
Firmware is low-level software stored on a device that controls its hardware. Firmware attacks attempt to replace or modify the firmware through any available path, including tampered updates or malicious downloads. Because firmware runs beneath the OS and survives an OS reinstall, a firmware implant is both hard to detect and hard to remove.
End-of-Life
End-of-life hardware is hardware that the vendor no longer sells. It may still receive limited vendor support in the form of patches and updates for a time, but that support eventually ends (end of service life), after which newly discovered vulnerabilities are never fixed.
Legacy
Legacy platforms are platforms that are no longer supported by the developer, so no new patches or updates will be released for them. Legacy platforms are often incompatible with current, more secure protocols, which means that to keep one running, the systems that communicate with it must accept the weaker protocols it supports. If a legacy platform is necessary, it should be run in an environment isolated from the main network.
Virtualization
Virtualization is used in personal computing and data centers around the world to run one or many virtual machines (guests) on a single physical machine (the host). Virtualization is provided by a hypervisor, which creates the virtual machines, controls them, and allocates the host's resources among them.
Virtual Machine (VM) Escape
VM escape occurs when a threat actor who controls one VM breaks out of it to reach the hypervisor or host, and from there other VMs on the same host, effectively escaping the confines of the original VM instance. The hypervisor is supposed to prevent this; a flaw in the hypervisor or in the virtual devices it exposes to guests is what makes escape possible, and hosting VMs of very different trust levels on the same hypervisor increases the impact when it happens.
Resource Reuse
Resource reuse occurs when physical resources managed by the hypervisor, such as memory, CPU caches, and storage, are released by one virtual machine and reassigned to another. If the hypervisor does not clear the resource before reassigning it, data left behind by the previous VM may be readable by an unauthorized VM.
Cloud
Vulnerabilities to a network can exist both in the cloud and on premises. In a cloud-based network, the cloud provider is responsible for the physical security of its data centers and the underlying infrastructure. The cloud customer, however, is responsible for the security of what they put in the cloud: for example, authentication, configuration, and patch management of the resources they deploy. This division is known as the shared responsibility model, and misunderstanding where the line falls is a common source of cloud vulnerabilities.
Supply Chain
The supply chain is composed of multiple providers, each with its own vulnerabilities, and a vulnerability at any one of them can become an access point into the other entities in the chain. For example, switches an organization orders from a third party can be intercepted in transit and implanted with malware before delivery, so the organization installs compromised hardware. This is a supply chain vulnerability.
Service Provider
A service provider in the supply chain is any entity that provides third-party services to other entities. Service providers may handle logistics, inventory management, or technological management of the supply chain.
Hardware Provider
A hardware provider in the supply chain is an entity that supplies the physical components required in the supply chain. For example, a microprocessor manufacturer is a hardware provider that supplies the microprocessors needed to build computing devices.
Software Provider
A software provider in the supply chain is an entity that supplies the software required in the supply chain, such as applications, operating systems, or programs.
Cryptographic
Vulnerabilities may also be present in the cryptographic solutions used to secure a device, system, or network. Weak encryption arises in two main ways: by using algorithms or key lengths with known weaknesses, which make the ciphertext practical to crack, or through improper key management. Improper key management (hard-coded keys, keys stored alongside the data they protect, keys that are never rotated) can give a threat actor the key that decrypts the data regardless of how strong the algorithm is.
Misconfiguration
Weak configurations or misconfigurations of applications, devices, or settings are among the most common security vulnerabilities that allow access to a system. Misconfigurations may result from general errors, open permissions, insecure protocols left enabled, or default and root accounts left active with weak or unchanged credentials.
Mobile Device
Mobile devices are devices designed to be easily portable and accessible, such as smartphones, laptops, and tablets. Because they leave the organization's premises and connect over untrusted networks, mobile devices are easily lost or stolen and are difficult to secure both physically and logically.
Side Loading
Sideloading is installing an application on a device from outside the official distribution channel, for example from a downloaded package file or from another device, rather than from the platform's application store. Sideloaded applications bypass the review and signing checks the store would otherwise apply.
Jailbreaking
Mobile devices ship with manufacturer restrictions that limit which software can be installed and what privileges it may have. Jailbreaking, most commonly associated with smartphones (the Android equivalent is usually called rooting), is the process of removing these restrictions from the device. A jailbroken device can run unauthorized software, and many of the platform's built-in protections no longer apply.
Zero-Day
A zero-day is a vulnerability that is unknown to the vendor, or known but not yet remediated through a patch or update, and is already being exploited. The name refers to the number of days defenders have had to prepare: zero. Because no patch exists, defense relies on compensating controls such as segmentation, least privilege, and monitoring until a fix is released.