Security+: Common Types of Cyberattacks (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
As we know from studying history, no two battles are exactly the same. Not only do they pursue different goals, but they are also typically defined by a whole set of unique characteristics and conditions. The same can be said for today’s cyberattacks and that is why staying on top of the latest exploits is essential, especially if you plan to take the Security+ exam. In this ever-changing landscape, the need for skilled and knowledgeable professionals has never been more immediate. While your experience in the field is helpful, it’s likely not enough to prepare you for a security certification. For that, you will need to be able to perform threat analysis and risk mitigation based on an awareness of applicable policies, laws, and regulations.
So, what types of common cyberattacks do you need to know about to do well on the Security+ exam? Here’s a brief summary:
Man-in-the-Middle (MITM)
In computer security, this type of attack secretly inserts the attacker into a communication between two parties. By eavesdropping on or intercepting traffic on an open network (a shared Wi-Fi hotspot, for example), a MITM attacker can read a private conversation and manipulate it to suit their needs. Because neither party realizes there is an intruder in the middle, both feel confident in their privacy and are willing to divulge sensitive information. The attacker can then disclose what they learned, alter the messages in transit, or inject fraudulent ones. To defeat mutual authentication, the attacker must impersonate each endpoint to the other: the client believes it is talking to the server, and the server believes it is talking to the client. Properly validated TLS certificates and other forms of authenticated key exchange are the standard defense, because the attacker cannot present a certificate the client will trust for the server’s name.
Denial of Service (DoS)
While this type of exploit also targets online services, it employs an entirely different tactic. During a DoS attack, the server, system, network, or website being targeted is overwhelmed by a flood of traffic or requests until it can no longer respond to legitimate users; it may crash outright or simply exhaust its bandwidth, connection table, CPU, or memory. In a plain DoS attack, this influx comes from a single source (or a very small number of them), which is what distinguishes it from the distributed variant described next. The attacked service can no longer serve its users and may have to be restarted, or have the offending source blocked, before it recovers. While there have been cases of attackers demanding payment to end a DoS assault, financial gain is usually not the motive. Typically, a DoS exploit seeks to harm an organization or individual by creating chaos, confusion, and limited capabilities.
Distributed Denial of Service (DDoS)
While similar to a DoS attack, this exploit involves many systems instead of just one or two. The incoming flood of fake traffic originates from many different sources, possibly hundreds of thousands of compromised machines acting together as a botnet, which makes blocking a single IP address ineffective. And with so many points of origin, distinguishing legitimate user traffic from that of attackers is very difficult. While there are many types of DDoS attacks, they are commonly grouped as volumetric floods that saturate the target’s bandwidth, protocol attacks that exhaust connection state on servers or firewalls (a SYN flood, for example), and application-layer attacks that tie up the target with expensive but apparently legitimate requests.
Replay Attack
Also known as a playback attack, this exploit fraudulently repeats or delays a valid transmission of data on a network. The attacker captures a legitimate message (a login exchange or an authenticated request, for example) and later retransmits it to trick the receiver into acting on it a second time, which can be enough to gain entry to the network. Encrypting the messages does not help by itself: the attacker does not need to read the captured message, only to resend it, so the exploit impersonates an authorized entity and fools the system into granting access. The standard countermeasures are session-bound nonces, timestamps, or sequence numbers that are covered by the message’s integrity check, so that any given message is valid only once and only for a short window.
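The following is an added example, not code from the original article, showing why a message authentication code alone does not stop a replay. A signed “transfer” request is captured off the wire and resent; a verifier that checks only the HMAC honours it twice, while one that also checks a timestamp window and a per-request nonce honours it once. The shared key, the message format, and the 30-second window are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed shared secret for this example; a real system derives a per-session key.
SHARED_KEY = b"example-shared-secret"


def build_message(action: str, nonce: str, timestamp: int) -> bytes:
    """Serialize a request so the MAC covers the action, the nonce and the timestamp."""
    return f"{action}|{nonce}|{timestamp}".encode()


def sign(message: bytes) -> bytes:
    """HMAC-SHA256 tag over the serialized message."""
    return hmac.new(SHARED_KEY, message, hashlib.sha256).digest()


class NaiveVerifier:
    """Checks only the MAC, so a captured (message, tag) pair stays valid forever."""

    def accept(self, message: bytes, tag: bytes, now: int) -> bool:
        return hmac.compare_digest(sign(message), tag)


class ReplaySafeVerifier:
    """Checks the MAC, then rejects stale timestamps and any nonce already seen."""

    def __init__(self, window_seconds: int = 30):
        self.window = window_seconds
        self.seen_nonces: set = set()

    def accept(self, message: bytes, tag: bytes, now: int) -> bool:
        if not hmac.compare_digest(sign(message), tag):
            return False                      # forged or tampered message
        try:
            _action, nonce, ts_text = message.decode().split("|")
            ts = int(ts_text)
        except ValueError:
            return False                      # malformed message
        if abs(now - ts) > self.window:
            return False                      # outside the freshness window
        if nonce in self.seen_nonces:
            return False                      # exact replay of an earlier request
        self.seen_nonces.add(nonce)
        return True


def simulate_replay(now: int = 1_700_000_000) -> dict:
    """A client sends one signed transfer; an eavesdropper resends the captured bytes."""
    nonce = secrets.token_hex(8)
    msg = build_message("transfer:100:acct-42", nonce, now)
    tag = sign(msg)                           # (msg, tag) is what the eavesdropper captures
    naive, safe = NaiveVerifier(), ReplaySafeVerifier()
    return {
        # the naive server honours the replayed transfer a second time
        "naive": [naive.accept(msg, tag, now), naive.accept(msg, tag, now + 1)],
        # the hardened server honours it once, rejects the replay, and rejects it an hour later
        "safe": [safe.accept(msg, tag, now), safe.accept(msg, tag, now + 1),
                 safe.accept(msg, tag, now + 3600)],
    }


if __name__ == "__main__":
    print(simulate_replay())
```

In a real service the nonce set must be pruned of entries older than the window (otherwise it grows without bound), and the clock skew allowed by the window should be small; a sequence number bound to the session is the usual alternative when clients cannot be trusted to keep accurate time.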
Spoofing
Once a malicious actor gains access to a network, they can further exploit it by impersonating another device in order to attack network hosts, steal information, spread malware, or bypass access controls. While there are many types of spoofing attacks, one of the most common is IP spoofing, in which packets are sent with a forged source address, both to hide the attacker’s origin and to bounce traffic off third parties onto a target in flooding attacks. Another is ARP spoofing (also called ARP cache poisoning), in which an attacker sends forged ARP messages onto a local area network. This associates the attacker’s media access control (MAC) address with the IP address of another host, typically the default gateway, so that the victims’ traffic is delivered to the attacker, who can read or alter it before forwarding it on. Because ARP has no authentication, hosts accept these messages simply because they arrive.
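As an added example (not part of the original article), the following parses raw Ethernet/ARP frames and watches for the two signs of ARP cache poisoning: an IP address that suddenly answers from a different MAC, and a single MAC that claims more than one IP. The LAN layout (gateway .1, victim .50, attacker .77) and the frames are constructed for the example; a real deployment would feed it frames captured from the interface.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_HEADER = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, smac, sip, tmac, tip
ARP_REQUEST, ARP_REPLY = 1, 2


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def ip_to_str(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)


def build_arp(op: int, sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Build a raw Ethernet+ARP frame. Used here only to construct sample traffic."""
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETH_P_ARP)
    arp = struct.pack(ARP_HEADER, 1, 0x0800, 6, 4, op,
                      sender_mac, ip_to_bytes(sender_ip), target_mac, ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, _tmac, _tip = struct.unpack(ARP_HEADER, frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, mac_to_str(smac), ip_to_str(sip)


class ArpWatch:
    """Learns IP -> MAC bindings from ARP traffic and flags the two signs of poisoning:
    an IP that changes MAC, and a single MAC that claims more than one IP."""

    def __init__(self):
        self.bindings = {}                  # ip -> mac first seen for that ip
        self.claims = defaultdict(set)      # mac -> set of ips it has claimed
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, mac, ip = parsed
        # Both replies and (gratuitous) requests carry a sender binding that hosts may cache.
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(f"{ip} moved from {known} to {mac}")
        if self.claims[mac] and ip not in self.claims[mac]:
            self.alerts.append(f"{mac} now claims {ip} as well as {sorted(self.claims[mac])}")
        self.claims[mac].add(ip)


def run_sample() -> list:
    """Constructed LAN: gateway .1, victim .50, attacker .77 poisoning both sides."""
    gw_mac = b"\xaa\xaa\xaa\x00\x00\x01"
    victim_mac = b"\xbb\xbb\xbb\x00\x00\x50"
    attacker_mac = b"\xcc\xcc\xcc\x00\x00\x77"
    frames = [
        build_arp(ARP_REPLY, gw_mac, "192.168.1.1", victim_mac, "192.168.1.50"),       # normal
        build_arp(ARP_REPLY, victim_mac, "192.168.1.50", gw_mac, "192.168.1.1"),       # normal
        build_arp(ARP_REPLY, attacker_mac, "192.168.1.77", gw_mac, "192.168.1.1"),     # normal
        b"\x00" * 12 + b"\x08\x00" + b"\x00" * 40,                                     # IPv4, ignored
        build_arp(ARP_REPLY, attacker_mac, "192.168.1.1", victim_mac, "192.168.1.50"), # poison victim
        build_arp(ARP_REPLY, attacker_mac, "192.168.1.50", gw_mac, "192.168.1.1"),     # poison gateway
    ]
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

The first binding seen for an IP is trusted, which is the same assumption tools such as arpwatch make; on a network with DHCP, legitimate MAC changes do happen, so a production detector would whitelist known reassignments or seed its table from the DHCP server rather than from the first frame it sees.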
Phishing
Just as a fisherman uses bait to catch a fish, the type of cyberattack known as phishing attempts to capture information by pretending to be something it is not. In this type of exploit, an attacker masquerades as a reputable entity, like a friend or a professional organization, usually in email. The message tries to “hook” you into believing it comes from a trusted source, like Facebook or another legitimate website, and to get you to click a link that leads to a credential-harvesting page or to a download that installs malware, or to open an infected attachment. Attackers will likely use logos and other familiar identifiers to appear more convincing. A targeted attack on a specific individual or company is known as “spear-phishing,” while a threat aimed at high-profile users, like C-level executives, is called a “whaling attack.”
Pharming
This scamming practice redirects users to fraudulent websites without their knowledge, even when they type the correct address. Sometimes called “phishing without a lure,” because no bait message is needed, it can be carried out by altering the hosts file on a victim’s computer (typically with malware) so that a domain name resolves to an attacker-controlled address, or by poisoning the domain name system itself so that a DNS server hands out the wrong answer to everyone who queries it.
Watering Hole Attack
To remember how this attack works, think about animals congregating at a water hole. It is a precious resource they are known to visit, and predators wait nearby to pick off their prey. This type of exploit works the same way. The goal is to compromise a specific group of users by infecting websites they are known to visit regularly, rather than attacking the target organization directly. Once a visitor’s computer is infected, the attacker uses it as a foothold to gain access to that organization’s network.
The exam will also cover various aspects of password attacks, both online (against a live login prompt, where rate limiting and lockout apply) and offline (against a stolen password hash, where the attacker is limited only by their own hardware). These occur when a malicious party tries to discover, or bypass entirely, the passwords used to authenticate to systems and networks. Here are some of the ones to look for:
Brute-Force Attack
While many cyberattacks use subtle or devious methods to find information, a brute-force attack lives up to its blunter name. Just as someone might repeatedly pound on a door until they are let in, this type of attack uses trial and error to guess a password or key. It does not use clever strategies; it simply tries as many combinations as possible, as fast as possible, until one works. Although the strategy lacks finesse, it is guaranteed to succeed eventually, because the correct value is somewhere in the search space. The defense is to make that space large enough (long, complex passwords; long keys) and each guess slow enough (a deliberately slow password hash, login rate limiting and lockout) that “eventually” lies far beyond the attacker’s resources. A brute-force attack on a password uses computing power to try all possible character combinations, eventually landing on the right one.
Birthday Attack
This exploit is a type of brute-force attack against cryptographic hash functions. It is based on the birthday paradox: to have a 50 percent chance that someone in a room shares your particular birthday, you need 253 people, but to have a 50 percent chance that any two people in the room share a birthday, you need only 23. The second case is so much easier because every pair of people is a potential match, and the number of pairs grows with the square of the group size. The same applies to hashing: finding a second input that collides with one given hash (a second preimage) takes about 2^n tries for an n-bit hash, while finding any two inputs that hash to the same value (a collision) takes only about 2^(n/2). That is why an n-bit hash offers only about n/2 bits of security against collisions, and why digest lengths have to be chosen with collision resistance, not just preimage resistance, in mind.
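The following added example (not code from the original article) carries the two birthday calculations through and then runs an actual birthday attack against SHA-256 truncated to 32 bits, which stands in for a hash with a short output. With 2^32 possible digests, a collision turns up after roughly 2^16 hashes, while a second preimage for a chosen digest would need on the order of 2^32. The truncation length and the input naming scheme are choices made for the example.

```python
import hashlib


def p_any_pair_match(n_people: int, days: int = 365) -> float:
    """Probability that at least two of n people share a birthday (the 23-person case)."""
    p_all_distinct = 1.0
    for i in range(n_people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def p_specific_match(n_people: int, days: int = 365) -> float:
    """Probability that at least one of n people shares *your* birthday (the 253-person case)."""
    return 1.0 - ((days - 1) / days) ** n_people


def people_needed(prob_fn, target: float = 0.5) -> int:
    """Smallest group size at which prob_fn reaches the target probability."""
    n = 1
    while prob_fn(n) < target:
        n += 1
    return n


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits, standing in for a hash with a short output."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Birthday attack: hash distinct inputs, remembering each digest, until two inputs share one.
    Expected work is about 2 ** (bits / 2) hashes; a second preimage would need about 2 ** bits."""
    seen = {}
    attempts = 0
    while True:
        msg = f"msg-{attempts}".encode()   # deterministic inputs keep the run reproducible
        attempts += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg


if __name__ == "__main__":
    print("any pair, 50%:", people_needed(p_any_pair_match))      # 23
    print("your birthday, 50%:", people_needed(p_specific_match))  # 253
    a, b, n = find_collision(32)
    print(f"{a!r} and {b!r} collide on 32 bits after {n} hashes (about 2**16 expected)")
```

The memory the attack needs (one stored digest per attempt) is what makes 2^(n/2) the relevant cost: for full SHA-256 that is 2^128, out of reach, which is the point of keeping digests long.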
Dictionary Attack
While this approach might sound innocent enough, it has been used to find many a password. Rather than trying every possible combination, the attacker runs through a “dictionary,” a list of common words, names, and previously leaked passwords, hashing or submitting each one until one matches. Because so many people choose convenient values such as “password” or append 1234, those entries sit near the top of every attack dictionary. A dictionary attack is far faster than brute force, but it only finds passwords that are in the list.
Rainbow Table Attack
Systems do not store passwords in clear text; they store a hash of each one, and to verify a login they hash what the user typed and compare the result with the stored value. A hash cannot be run backwards, so an attacker who steals the password database still has to find an input that produces each hash. During a brute-force or dictionary attack that means hashing every guess, which is where the time goes. Rainbow tables move that work up front: they are large precomputed tables that map hashes back to the plaintexts that produce them (compressed into chains so that billions of candidates fit in a manageable file), so all an attacker has to do is look up a stolen hash and read off the password. They never need to see the real password typed; matching the hash is enough. The defense is salting: a random value stored alongside each hash and mixed into the computation makes every user’s hash unique, so a table precomputed for the unsalted function is useless and each account has to be attacked separately.
Hybrid Attack
This method combines the dictionary and brute-force approaches. It starts from a wordlist, like a dictionary attack, but then applies brute-force style variations to each word: changing capitalization, substituting characters (“a” to “@”, “e” to “3”), and appending or prepending digits and symbols. This catches the very common habit of taking a dictionary word and “strengthening” it with a suffix such as 1234 or the current year, which a plain dictionary attack would miss and a full brute-force attack would take far longer to reach.
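The following added example, which is not from the original article, puts the four password attacks above (brute force, dictionary, rainbow-style lookup, hybrid) side by side against unsalted SHA-256 hashes, and then shows a salted hash defeating the precomputed lookup. The seven-word wordlist, the mangling rules, the target passwords, and the salt are all constructed for the example; a real attack would use a leaked wordlist and a tool such as hashcat or John the Ripper.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "dragon", "summer", "qwerty", "monkey"]


def sha256_hex(text: str) -> str:
    """Unsalted fast hash, i.e. the worst case for the defender."""
    return hashlib.sha256(text.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to `max_len`; cost grows as len(alphabet) ** max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def dictionary_attack(target_hash: str, wordlist):
    """Only the words in the list are tried, so it is fast but blind to anything else."""
    for word in wordlist:
        if sha256_hex(word) == target_hash:
            return word
    return None


def mangle(word: str):
    """Hybrid rules: case changes, common substitutions, and appended digits or symbols."""
    bases = {word, word.capitalize(), word.upper(),
             word.replace("a", "@").replace("e", "3").replace("o", "0")}
    variants = set(bases)
    for base in bases:
        for suffix in ("1", "123", "1234", "!", "2018", "2018!"):
            variants.add(base + suffix)
    return sorted(variants)                 # sorted so the search order is deterministic


def hybrid_attack(target_hash: str, wordlist):
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> plaintext map. A real rainbow table stores hash chains instead of
    every pair, trading lookup time for far less storage, but the idea is the same."""
    return {sha256_hex(word): word for word in wordlist}


def lookup_attack(target_hash: str, table: dict):
    return table.get(target_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt mixed into the hash; the same password now hashes differently per account."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    return {
        "brute": brute_force(sha256_hex("ab1"), string.ascii_lowercase + string.digits, 3),
        "dictionary": dictionary_attack(sha256_hex("letmein"), WORDLIST),
        "hybrid": hybrid_attack(sha256_hex("Summer2018!"), WORDLIST),
        "lookup": lookup_attack(sha256_hex("dragon"), table),
        # the same password, salted, is not in the precomputed table
        "lookup_salted": lookup_attack(salted_hash("dragon", b"\x13\x37\xc0\xde"), table),
    }


if __name__ == "__main__":
    print(demo())
```

Salting only defeats precomputation; each guess against a salted SHA-256 hash is still a single fast hash. To blunt brute-force, dictionary, and hybrid attacks as well, store passwords with a deliberately slow, memory-hard function such as bcrypt, scrypt, or Argon2, which multiplies the attacker’s cost per guess by the same factor it multiplies yours per login.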
Anyone who has worked in the world of online security will tell you that the best way to prevent an attack is to understand the evolving landscape and its players. Effectively preparing for the Security+ exam will not only provide you with a stable foundation in information assurance, it will help you succeed in the security industry’s most sought-after entry-level certification.