If you’re planning to take the SY0-501 version of the Security+ exam, you should understand new threats and new security trends. The single best protection against many attacks, such as social engineering, is to train and raise the security awareness of users.
For example, can you answer this question?
Q. Your organization recently suffered a loss from malware that wasn’t previously known by any trusted sources. Which of the following BEST describes this attack?
A. Phishing
B. Zero-day
C. Open-source intelligence
D. Hoax
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Untrained users pose a significant risk to any organization and are often one of its largest vulnerabilities. They don’t need to be malicious insiders. They can simply be unaware of the risks. Think back to the Fancy Bear and Cozy Bear APT attacks mentioned in this chapter. No matter how much money an organization spends on technology, it can all be bypassed by a single user clicking on a malicious link in an email. The impact can be the infection of an entire network.
The single best protection against many attacks, such as social engineering and phishing attacks, is to train and raise the security awareness of users. Many users simply aren’t aware of the attackers’ methods. However, once they understand the risks and methods used by social engineers and other attackers, they are less likely to fall prey to these attacks. Similarly, raising users’ security awareness helps them recognize and respond appropriately to new threats and security trends.
Security-related awareness and training programs take many forms. Some common methods include formal classes, short informal live training sessions, online courses, posters, newsletters, logon banners, and periodic emails. These programs often keep users aware of new threats and new security trends and alerts, such as new malware, current phishing attacks, and zero-day exploits.
New Viruses
Criminals are constantly releasing new viruses, and some prove to be exceptionally damaging. Many of these require administrators to take quick action to mitigate the threat. For example, when vendors discover a vulnerability that attackers can exploit, they release patches and updates to remove the vulnerability. Administrators then need to evaluate, test, and implement the patches or upgrades on servers. Similarly, home users should keep their systems and applications up to date.
Phishing Attacks
In addition to releasing new viruses regularly, criminals are also launching new phishing attacks. Some new attempts are tricky and fool many people. The best way to prevent successful attacks is to educate people about what the criminals are doing now.
As an example, criminals crafted a sophisticated attack on Gmail users that fooled even tech-savvy users. Once they had captured the Gmail credentials of one user, they quickly logged on to that user’s account and scoured it for sent emails, attachments, and subject lines.
They then used this account to send emails to people this person had previously emailed, often using similar subject lines. Additionally, they often included what looked like a thumbnail of a document. Normally, clicking a thumbnail in Gmail shows a preview of the document. Here, however, it opened another tab within the browser with a URL like this: data:text/html,https://accounts.google.com/ServiceLogin?service=mail…
When users see accounts.google.com, the URL looks legitimate. Additionally, the page shows a sign-in form that looks exactly like the Google sign-in page. It isn’t, though. Users who were tricked into “logging on” through this bogus but perfectly crafted web page were compromised. Attackers quickly logged on to the newly compromised account and started the process all over again, hoping to snare other unsuspecting users.
In one publicized example, the attackers used a compromised account to resend a team practice schedule to all the members of the team. It included a similar subject line and a screenshot of the original attachment. Some recipients clicked the thumbnail and were taken to the same kind of URL with accounts.google.com in it. Some were tricked and entered their credentials, believing they were logging on to Google. Attackers quickly logged on to the newly compromised accounts and started the process again.
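The trick in the Gmail attack above is that the browser is not connecting to accounts.google.com at all: the scheme is data:, and the trusted hostname is just text inside the URI body. The following check, added here as an illustration and not code from the study guide, shows how a mail filter or URL scanner can tell the real host from the hostname a user thinks they see. The trusted-domain list and the sample links are constructed for the example.

```python
from typing import Optional
from urllib.parse import unquote, urlparse

# Constructed list of hostnames a user would trust on sight (example assumption).
TRUSTED_HOSTS = {"accounts.google.com", "mail.google.com"}

# Only these schemes actually connect to the host named in the URL.
WEB_SCHEMES = {"http", "https"}


def real_host(url: str) -> Optional[str]:
    """Return the host the browser will really connect to, or None for
    schemes such as data: and javascript: that connect to no host at all."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() in WEB_SCHEMES:
        return parsed.hostname
    return None


def classify_link(url: str) -> str:
    """Classify a link the way a URL scanner might.

    'ok'        - http(s) link whose real host is a trusted domain
    'untrusted' - http(s) link to some other host
    'lookalike' - non-web scheme (data:, javascript:, ...) whose body merely
                  contains a trusted hostname as text, as in the Gmail attack
    'nonweb'    - non-web scheme with no trusted hostname inside it
    """
    url = url.strip()
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme in WEB_SCHEMES:
        return "ok" if parsed.hostname in TRUSTED_HOSTS else "untrusted"
    # Everything after "scheme:" is the body; it may be percent-encoded.
    body = unquote(url[len(scheme) + 1:]).lower()
    if any(host in body for host in TRUSTED_HOSTS):
        return "lookalike"
    return "nonweb"


if __name__ == "__main__":
    # Constructed sample links, including the shape quoted in the post.
    samples = [
        "https://accounts.google.com/ServiceLogin?service=mail",
        "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
        "https://example.net/login",
        "data:text/html,<h1>hello</h1>",
    ]
    for link in samples:
        print(f"{classify_link(link):9} host={real_host(link)!r}  {link}")
```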
Zero-Day Exploits
As a reminder, a zero-day vulnerability is a vulnerability or bug that is unknown to trusted sources, such as operating system and antivirus vendors. Operating system vendors write and release patches once they know about them, but until the vendors know about them, the vulnerability remains. As an example, the Heartbleed vulnerability existed for a couple of years before it was widely published. Up until the time that OpenSSL developers released a fix, everyone using it was vulnerable.
Users might adopt the idea that up-to-date antivirus software will protect them from all malware. This simply isn’t true. No matter how good an antivirus company is at identifying new malware, there is always a lag between the time criminals release the malware and the time the antivirus company releases new signatures to detect it. This is especially true when attackers are releasing more than 200,000 new variants of malware daily. This includes malware designed to take advantage of zero-day vulnerabilities.
Q. Your organization recently suffered a loss from malware that wasn’t previously known by any trusted sources. Which of the following BEST describes this attack?
A. Phishing
B. Zero-day
C. Open-source intelligence
D. Hoax
The answer is B. A zero-day exploit is one that isn’t known by trusted sources such as antivirus vendors or operating system vendors.
Phishing is malicious spam, and it can include malware, but there is no indication that this loss came from an email.
Attackers use open-source intelligence to identify a target. Some typical sources are social media sites and news outlets.
A hoax is not a specific attack. It is a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on threats, vulnerabilities, and common attacks.