By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Topics covered in this guide:
- Given a scenario, analyze potential indicators to determine the type of attack
- malware: ransomware, Trojan, worm, potentially unwanted program (PUP), virus, bot, crypto-malware, logic bomb, spyware, keylogger, remote access Trojan (RAT), rootkit, backdoor
- password attack: rainbow table
- physical attack: skimming, card cloning
- adversarial artificial intelligence (AI)
- cryptographic attack

Malware

Malicious software, or malware, is software designed to harm a user's computer or data, and it has become a serious problem in today's network environment. The target is not only the information stored on local computers but also other resources and other computers. As a security professional, you must recognize malicious code and know how to respond appropriately. This guide covers the types of malicious code you are likely to encounter, including viruses, worms, Trojans, spyware, rootkits, botnets, and logic bombs.

Increasingly, malware takes advantage of weaknesses in the supply chain: the vendors, components, and services an organization relies on to build, deliver, and run its systems. Supply-chain attacks compromise one of those upstream parties in order to reach the organizations downstream of it. For example, malware may be introduced into equipment such as point-of-sale terminals before they are deployed. Cloud-based services are often part of an organization's supply chain, and malware within a cloud service provider can compromise the provider's customers and partners.

The most serious malware typically exploits system vulnerabilities, which makes it more dangerous and lets it spread more effectively. Blended threats combine characteristics of several malware types and propagation methods, for example worm-style spreading with a Trojan payload, so that no single defense stops them. Endpoint protection technologies defend against malware by identifying and remediating threats; such software often provides the first line of defense by flagging that a machine has been targeted or compromised. Other symptoms of infection include unexpected system behavior and system instability.
To determine whether a system has been infected, examine the following critical areas:
- Memory: Once malware executes, it usually resides in memory. Tools such as Windows Task Manager and Activity Monitor on macOS list running processes and can help identify rogue ones. Look for unfamiliar process names, processes running from unusual paths such as temporary or user-writable directories, and legitimate-looking names started by the wrong parent process.
- Registry: The Windows registry holds system settings that malware often targets. In particular, several keys (the Run and RunOnce keys, for example) cause software to start automatically at login, and malware uses these entries to make sure its executable runs every time the computer starts. Review autostart entries for anything you did not install.
- Macros: Office applications such as Microsoft Word can automate procedures through macros. These macros also give malware a way to run instructions as soon as a document is opened. Office warns before running macros and, in current versions, blocks macros in documents downloaded from the Internet by default; treat a document that asks you to "enable content" as suspect.

Viruses

A virus is a program or piece of code that runs on a computer, often without the user's knowledge and certainly without the user's consent. Viruses are designed to attach themselves to other code and replicate. A virus replicates when an infected file executes or launches: it attaches to other files, adds its code to the application's code, and continues to spread. Even a simple virus is dangerous because it can consume all available resources and bring the system to a halt. Many viruses can replicate across networks and even bypass security systems.

Viruses spread copies of themselves throughout a single machine. They infect other machines only if a user on another machine accesses an infected object and launches the code; in other words, a virus needs some action, such as running a program or opening a document, in order to execute. Viruses are classified and subclassified in several ways.
The following classifications are based on how a virus lives in a system:
- Resident virus: This type of virus resides in memory, which means it is loaded each time the system starts and can infect other areas in response to specific actions. This allows the virus to remain active even after its host program terminates. To get into memory, such viruses usually have to be loaded from some type of storage; fileless viruses, discussed shortly, do not.
- Nonresident virus: Once executed, this type of virus looks for targets locally and across the network, infects them, and exits. Unlike a resident virus, it does not remain active.
- Boot sector virus: This type of virus is written to the boot sector (the first sector of the drive) so that when the computer boots, the virus loads into memory before the operating system starts. Boot sector viruses were much more prevalent in the era of floppy disks, because an infected disk left in the drive supplied the means of infection when the computer booted.
- Macro virus: This type of virus is embedded in a Microsoft Office document, typically emailed to unsuspecting users. It is written in the application's macro language and executes when the document opens and macros are enabled.

Viruses exhibit several further characteristics that refine their classification:
- Program- and file-infecting virus: Many common viruses, particularly early ones, are this type. The virus infects executable program files and becomes active in memory, then seeks out other files to infect. It is easily identified by its binary pattern, or signature, which works like a fingerprint. Polymorphic, stealth, and multipartite viruses (discussed next) emerged to evade signature detection, and antimalware vendors have improved their techniques in response.
- Polymorphic virus: A polymorphic virus changes its form, and therefore its signature, each time it executes. The prefix poly means "many" and morphic means "shape," so polymorphic malware is code that changes shape. Each time it infects a new file or system it rewrites its own code, so there is no fixed pattern for a signature scanner to match. Heuristic scanning is one countermeasure: instead of looking for a specific signature, it examines what the instructions in a program actually do, such as decrypting a buffer and then executing it.
- Armored virus: Like a polymorphic virus, an armored virus aims to make detection difficult, but it goes a step further by making its functions hard to analyze, wrapping the virus in a metaphorical layer of armor. In addition to defeating heuristic countermeasures, armored viruses try to prevent disassembly and debugging, for example through packing and anti-debugging checks. When they succeed, security researchers have more difficulty analyzing the code and designing countermeasures.
- Stealth virus: This memory-resident virus hides from detection by intercepting system calls, for example temporarily removing itself from an infected file while that file is scanned, or masking the change in a file's size.
- Multipartite virus: A multipartite virus infects executable files and also attacks the master boot record. If the boot sector is not cleaned along with the infected files, the files are quickly reinfected, and vice versa.

Exam Tip: Do not confuse polymorphic and armored viruses. Both try to defeat countermeasures: polymorphic viruses change their signature to evade scanners, whereas armored viruses use mechanisms to prevent disassembly and analysis.
Looking across these attributes, you can see that viruses share a common goal: maximize infection and avoid detection. A newer category known as fileless malware resembles a memory-resident virus but is more insidious. Where a memory-resident virus still needs some component written to disk, fileless malware does not. It also "lives off the land," using legitimate tools that are already part of the operating system or development packages to do its work, such as Windows PowerShell, Windows Management Instrumentation (WMI), and Office macros. Because nothing malicious is written to disk, detection depends on monitoring process behavior and command lines (for example, PowerShell launched with encoded or download-and-execute arguments) rather than on file scanning.

Worms

Worms are similar in function and behavior to viruses, with one exception: worms are self-replicating and do not need a host file. A worm exploits a security hole in an existing application or operating system, finds other systems running the same software, and automatically copies itself to the new host. This process repeats with no user intervention. Once a worm is running on a system, it checks for Internet connectivity and, if it finds it, tries to replicate to other systems. Common propagation methods include email, network shares and services, and the Internet at large. The terms virus and worm are often used interchangeably, particularly because blended threats combine characteristics of both; the key distinction is that a worm reproduces on its own without attaching itself to files or programs.

Trojan

Trojans, or Trojan horses, are programs disguised as useful applications. Trojans do not replicate themselves as viruses do, but they can be just as destructive. Code hidden inside the application can attack the system directly or give the code's originator a way to compromise it.
A Trojan's payload is typically hidden, and its ability to spread depends on the popularity of the software it impersonates and on users' willingness to download and install it. Trojans can perform actions without the user's knowledge or consent, including collecting and exfiltrating data and causing the computer to malfunction.

Trojans are often classified by their payload or function. The most common types are:
- Backdoor Trojans, which open a less obvious entry point (a backdoor) into the system for later access.
- Downloader Trojans, which fetch additional, often malicious, software onto infected systems.
- Infostealer Trojans, which attempt to steal information from the infected machine.
- Keylogger Trojans, which record and send keystrokes typed on the infected machine.

Trojans can download other Trojans as well; this chain is part of how botnets are built and controlled, as discussed later in this guide in the section "Bots."

Trojans are often associated with backdoors created intentionally as part of the Trojan. Backdoors are not malicious in themselves, however; they are simply entry points into application code that developers create, intentionally or unintentionally. During development, software designers often add shortcut entry points to allow rapid code evaluation and testing. If those entry points are not removed before deployment, an attacker who discovers them can gain unauthorized access later. Designers might also insert backdoors on purpose, and those present a threat to the network if no one else reviews the code before deployment. Code review before release, with an explicit check for hard-coded credentials, hidden debug parameters, and undocumented listening ports, is the practical control.

A backdoor Trojan is also known as a remote access Trojan (RAT). A RAT installed on a system allows a remote attacker to take control of it, much as legitimate remote control software lets you operate your own computer when you are not sitting at the keyboard. Clearly, the technology itself is not malicious; only the Trojan component is, because it is installed without the victim's knowledge. Trojans trick users by disguising their true intent in order to deliver a malicious payload. When executed, a RAT provides a remotely accessible backdoor through which an attacker can covertly monitor the system or gain entry at will.

Rootkits

Rootkits were first documented in the early 1990s. Today they are widely used and increasingly difficult to detect. A rootkit is software that is installed and hidden on a computer, mainly to maintain a compromise and hold escalated privileges such as administrative rights. A rootkit is usually installed after an attacker first obtains user-level access; the attacker then uses it to gain and keep root or privileged access to the computer, which can lead to compromise of other machines on the network as well. A rootkit may include programs that capture traffic and keystrokes, alter existing files to escape detection, or create a backdoor on the system. Rootkits can be bundled in software packages, installed through an unpatched vulnerability, or downloaded and installed by users. Attackers continually refine them, including variants that update themselves, making them harder to detect.

Once a rootkit is installed, traditional antivirus software cannot always detect it, because the rootkit hides from the very operating system interfaces the scanner relies on. You can sometimes spot one by looking for discrepancies: activity in memory that does not appear in the process list, outbound communications that no visible process owns, and programs or drivers that no one remembers installing. Kernel rootkits modify the kernel component of the operating system. They can intercept system calls passed to the kernel and filter out anything that would reveal the rootkit's own files, processes, and network connections. Rootkits have also been known to encrypt their outbound communications and piggyback on commonly used ports so they can communicate without disrupting other applications.
These tricks defeat the usual detection methods by making the rootkit invisible to administrators and to tools running on the compromised system. Vendors offer applications that can detect rootkits, including RootkitRevealer, which works by comparing what the Windows API reports with what is actually present on disk and in the registry. Removing rootkits can be complex, however, because you must remove both the rootkit itself and the malware it is hiding. Rootkits often alter the Windows operating system and cause it to function improperly. When a system is infected, the only definitive way to get rid of a rootkit is to completely reformat the hard drive and reinstall the operating system.

In addition, most rootkits rely on global hooks and process injection for their stealth, so security tools that prevent programs from installing global hooks and block process injection deny rootkits their core functionality. Installing a kernel-mode rootkit also requires administrative rights, so running Windows day to day from an account with lesser privileges removes much of the opportunity for infection.

Logic Bombs

A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or after a certain period of time. For a virus to be considered a logic bomb, the user of the software must be unaware of the payload. A programmer might create a logic bomb to delete all code from a server on a future date, most likely after he or she has left the company. In several recent cases, ex-employees have been prosecuted for their roles in this type of destruction.

One of the most high-profile modern logic bomb cases involved Roger Duronio, a disgruntled computer programmer who planted a logic bomb on about 1,000 computer systems at the investment bank UBS to delete critical files and prevent backups. UBS estimated the repair costs at $3.1 million, not including downtime, lost data, and lost business. The timing of the logic bomb coincided with Duronio's stock transactions, so securities and mail fraud charges were added to the computer crime charges. Duronio was found guilty of planting the logic bomb and of securities fraud; he was sentenced to more than 8 years in prison and ordered to pay $3.1 million in restitution.

A logic bomb is also referred to as slag code. The malicious code is usually planted by a disgruntled insider. Code review during development helps keep logic bombs from being inserted, but review of the code cannot stop someone from planting a logic bomb after development is complete; guarding against that requires change control, separation of duties, and monitoring of production systems.

Bots

A bot, short for robot, is an automated program that needs no user interaction. In this context, bots are compromised systems that an outside party can control. A bot gives a spam or malware originator a platform from which to propagate. Many computers compromised in this way are unprotected home computers, although many corporate machines are bots as well. A botnet is a large collection of such computers that relay commands and traffic to other computers on the Internet; you might also hear a botnet referred to as a zombie army.

A system usually joins a botnet after a virus or other malicious code gives the attacker access, whether through a port left open, an unpatched vulnerability, or a Trojan the user installed. A small program is left on the machine for future activation, and the bot master can then unleash the army by sending a single command to all the compromised machines. A computer can be part of a botnet while appearing to operate normally, because bots stay hidden and usually go undetected unless someone is specifically looking for their activity, such as periodic beaconing to a command-and-control server. The computers in a botnet can be directed to conduct a distributed denial-of-service (DDoS) attack, distribute spam, or perform other malicious acts.

Botnets can be particularly tricky and sophisticated because they also make use of social engineering. A family of botnets known as Zbot (Zeus) stole millions from banks in four nations.
The scammers enticed bank customers to click a link to download a supposedly updated digital certificate. Zbot then installed a program that watched for the user's next successful login to the account, and while the victims did their online banking, Zbot automatically completed cash transfers to other accounts.

The main issue with botnets is that they are well hidden. The botnet masters can perform tasks, gather information, and commit crimes while remaining undetected. Worse, attackers can increase the depth and effect of their crimes by using multiple computers, because every computer in a botnet can be programmed to execute the same command.

Crypto-Malware

Crypto-malware is specifically designed to find potentially valuable data on a system and uses cryptography to encrypt that data so its owner can no longer access it; the decryption key is then required to get the data back. Crypto-malware is often associated with ransomware. As the name indicates, ransomware is malware that holds a user's information or device for ransom: the attacker provides the decryption key only after the victim pays. With ransomware, the attacker has typically already compromised the system and demands payment to prevent negative consequences such as deleting files. Payment is typically demanded in cryptocurrency such as bitcoin.

Note: This demand for payment is an evolved and more aggressive form of scareware. Scare tactics are common with fake antivirus ads that supposedly find malware on a user's machine; making a purchase simply removes the annoying notices.

CryptoLocker is an example of crypto-malware that became prevalent in 2013. CryptoLocker encrypts a user's files with keys it generates, keeping the private key on a command-and-control server, and then holds the data for ransom. If the user does not pay, the malware threatens to delete the private key, which is required to decrypt the files and restore access.

In 2017, crypto-malware known as WannaCry affected hundreds of thousands of systems around the world. WannaCry spread as a worm by exploiting an SMBv1 vulnerability on unpatched Windows systems (MS17-010), for which Microsoft had published a fix two months earlier. It even hit hospitals, holding data hostage and demanding that infected users pay for access to their files. The WannaCry attack resulted in damages estimated in the billions of dollars. The figure below shows a ransomware demand and is a close approximation of what WannaCry displayed on the machines it infected.

[Figure: An example of what users see when they are infected with ransomware]

Crypto-malware combined with ransomware is unusual in that the attacker directly demands payment, often in cryptocurrency. The amount requested is often relatively low to make payment more likely. The practical defense is the same whatever the strain: offline or immutable backups that the malware cannot reach, tested restores, and prompt patching of the vulnerabilities such malware spreads through.

Potentially Unwanted Programs (PUPs)

A potentially unwanted program (PUP) is a program that is most likely unwanted, even though the user may technically have consented to download it, for example by accepting a bundled installer's defaults. PUPs include spyware, adware, and dialers, and they are often downloaded along with programs the user actually wants.

Spyware

Undesirable code sometimes arrives with commercial software distributions or is downloaded from the Internet. Spyware is associated with behaviors such as advertising, collecting personal information, and changing a user's computer configuration without consent. Basically, spyware is software that communicates information from a user's system to another party without notifying the user. Much like a Trojan horse (see above), spyware sends information across the Internet to some unknown entity. Spyware specifically monitors user activity on the system, potentially including keystrokes typed, and sends the logged information to its originator.
The information collected (passwords, account numbers, and other private information) is then no longer private.

Some clues indicate that a computer might contain spyware:
- The system is slow, especially when browsing the Internet.
- The Windows desktop is slow to come up.
- Clicking a link does nothing or takes you to an unexpected website.
- The browser home page changes, and you might not be able to reset it.
- Web pages are automatically added to your favorites list.

Adware

Advertising-supported software, or adware, is often grouped with spyware; it gives advertisers an online way to make a sale. Companies pay to place ads inside the software, and a portion of the revenue goes to the software's publisher. This model presents some issues for users, however. The publisher also installs tracking software on your system that stays in contact with the company through your Internet connection and reports data such as your general surfing habits and the sites you visit. The company might affirm that it does not collect identifying data, but software on your system is still sending information about you and your habits to a remote location.

In the United States, regulators have treated the secret installation of software that forces consumers to receive disruptive pop-ups as an unfair or deceptive practice. Adware is legitimate only when users are informed up front that they will receive ads, and if it gathers information about users, it must tell them. Privacy issues arise even with legitimate adware: although it discloses the nature of the data collected and transmitted, users have little or no control over what is collected and where it goes.

Cryptomining Software

Many cryptocurrencies, such as bitcoin, are "mined" using compute resources in a process known as cryptomining. Cryptomining software normally runs on dedicated mining hardware, but organizations have grown concerned about finding it on their own systems, because it consumes compute resources and makes heavy use of the CPU (or GPU).

Criminals use malware to deliver cryptomining software so they can mine with other people's resources, often as part of a botnet. Such an attack is known as cryptojacking: the attacker compromises a victim's computer and uses its resources to mine cryptocurrency. Cryptojacking can also take place in a web browser, when a user visits a compromised website or ad that automatically executes a mining script. In that case no files are written to the computer; the script runs for as long as the browser tab stays open, consuming CPU to mine cryptocurrency for the criminal. Sustained, unexplained CPU load, fans running at full speed, and connections to known mining pools are the telltale indicators.
Physical Attacks

In addition to the social engineering techniques covered in "Basic Social Engineering Techniques," the physical world opens up opportunities for attack, often through peripheral devices. In a university study some years ago, researchers left hundreds of unmarked USB flash drives around the campus and found that about half of them were later plugged into computers. Had an attacker loaded malware onto those drives, it would have infected the machines either when users plugged them in or when users opened files from them.

A similar approach goes beyond small storage devices to malicious cables and plugs, such as generic USB cables, mobile device charging cables, and wall or power adapters. Besides potentially infecting a system with malware, these cables and adapters can be fitted with technology such as wireless chips that let a nearby attacker control the device or feed it further instructions. Charge-only cables or USB data blockers, and a policy of never plugging in unknown media, are the simple countermeasures.

Skimming is an attack that has gained widespread attention. It involves copying data from a credit or debit card using a specialized terminal; the card can subsequently be cloned, in a process known as card cloning. The skimming terminal might be an ATM fitted with a rogue reader over the legitimate one, or a small special-purpose device used to capture the data quickly when a customer hands a card to a third party. In most cases, skimmers read the magnetic stripe; chip cards (EMV cards) provide some protection against cloning because the chip produces a one-time cryptogram per transaction rather than exposing static data. While proximity access cards and smart cards employ stronger controls, these too have proven susceptible to physical attacks. In one example, physical access to a proximity reader was enough to extract the encryption key; with that key, an attacker could read, manipulate, and clone cards.
Adversarial Artificial Intelligence (AI)

Artificial intelligence (AI) applies a range of techniques to solve a variety of problems. Machine learning (ML) is one of the key techniques used in AI. As its name implies, machine learning allows a machine to learn: to analyze data and perform tasks without being explicitly programmed for each case. Machine learning is now everywhere, applied to web search, photo tagging, spam detection, video surveillance, virtual assistants, business decision making, customer support, product recommendations, fraud detection, security automation, and weather forecasting, among other uses. Machine learning builds mathematical models that produce predictions, but those models are only as good as their data. Sample or training data is the input from which a model learns.

Just as information security has benefited from machine learning, adversaries can turn the technology to their own ends. Attackers not only use machine learning for their own gain but also attack ML systems directly, with potentially large impacts on both information and operational security. Since these algorithms depend on data, it should not be surprising that tainted data causes harm, and both the training data and the input a deployed system receives can be tainted:
- Tainted input (an evasion attack): the attacker crafts inputs at decision time that the model misclassifies. For example, minor physical modifications to a street sign can cause an autonomous vehicle's model to misread it.
- Poisoned training data (a poisoning attack): the attacker alters the data the model learns from. Imagine a fraud detection system trained on data doctored so that it always ignores a specific type of fraudulent transaction. Data can be poisoned during development, and because many such systems keep learning in production, it can also be poisoned while the system is operating.

Streaming accounts such as Netflix accounts illustrate the second case. These services offer a separate profile for each user so they can apply ML to learn each person's tastes and make recommendations. With access to someone else's profile, consider how you could make their future recommendations inaccurate simply by watching specific content, thereby tainting the input data the model keeps learning from.
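The fraud-detector poisoning scenario above, worked through end to end as an added example (this is not code from the guide or from any real fraud system). The detector, its single feature (transaction amount), the training records, the attacker's injected rows, and the defender's batch check are all constructed here to make the mechanism visible: the attacker labels records near the amount they intend to steal as legitimate, the learned threshold drifts upward, and the target transaction stops being flagged.

```python
"""Training-data poisoning against a toy fraud detector.

Added example for this guide, not code from any real fraud system. The
detector, its single feature (transaction amount), the training records and
the attacker's injected rows are all constructed to make the mechanism
visible; a production model would have many features and far more data.
"""
from statistics import mean

# Constructed clean training set: (amount, is_fraud)
CLEAN_TRAINING = [
    (12.0, False), (45.0, False), (80.0, False), (110.0, False), (150.0, False),
    (600.0, True), (800.0, True), (1200.0, True), (1600.0, True),
]


def train_threshold(rows):
    """Learn a one-feature detector: flag any amount above the midpoint
    between the mean legitimate amount and the mean fraudulent amount."""
    legit = [amt for amt, fraud in rows if not fraud]
    fraud = [amt for amt, fraud in rows if fraud]
    return (mean(legit) + mean(fraud)) / 2


def is_flagged(threshold, amount):
    return amount > threshold


def poison(rows, target_amount, count):
    """Attacker with write access to the training set (or to a feedback loop
    that feeds reviewed transactions back into training) injects `count`
    records near the amount they intend to steal, each labelled legitimate.
    This drags the learned 'normal' range upward until the target passes."""
    injected = [(target_amount + 10.0 * i, False) for i in range(count)]
    return rows + injected


def batch_looks_poisoned(baseline_rows, new_rows, factor=3.0):
    """Defender's sanity check before retraining: a new batch whose legitimate
    amounts average several times the baseline is a distribution shift that
    a human should review rather than something to learn from blindly."""
    base = mean(amt for amt, fraud in baseline_rows if not fraud)
    new = mean(amt for amt, fraud in new_rows if not fraud)
    return new > factor * base


def demo(target_amount=950.0, injected_rows=40):
    """Return thresholds and decisions before and after poisoning."""
    injected = poison([], target_amount, injected_rows)
    clean_t = train_threshold(CLEAN_TRAINING)
    poisoned_t = train_threshold(CLEAN_TRAINING + injected)
    return {
        "clean_threshold": clean_t,
        "poisoned_threshold": poisoned_t,
        "flagged_before": is_flagged(clean_t, target_amount),
        "flagged_after": is_flagged(poisoned_t, target_amount),
        "batch_rejected_by_check": batch_looks_poisoned(CLEAN_TRAINING, injected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed data the clean threshold is about 564.7, so a 950.0 transaction is flagged; after 40 poisoned "legitimate" rows the threshold rises above 1038 and the same transaction passes. The midpoint rule is deliberately simple, but the lesson carries over to real models: whoever can write to the training pipeline controls the decision boundary, so training data needs the same integrity controls and anomaly checks as production data.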
Password Attacks

The most common form of authentication and user access control is the username/password combination, which is significantly weakened as a security measure if the user chooses a weak password. Automated and social engineering attacks on passwords are easiest when a password is short, lacks complexity, is a common dictionary word, or is derived from easily guessable personal information such as birthdays, family names, and pet names.

There are four common methods of attacking passwords:
- Dictionary attack
- Brute-force attack
- Spraying
- Rainbow table

Passwords should never be stored in plaintext: anyone who obtains the password database could then compromise every account. Instead, cryptographic techniques are used to store passwords, typically as salted hashes produced by a deliberately slow password-hashing function. A hash is a one-way function, so you cannot turn a hash back into the password, but you can hash a submitted password and compare the output to the stored hash.

Attacks against passwords fall into two broad categories: online and offline. In an online attack the attacker interacts with the live system, for example by running an automated or manual attack against your web-based email account, attempting to log in with your username and guessed passwords. In an offline attack the attacker has obtained the material independently of the target system, for example an entire database of hashed (unreadable) passwords stolen from the email provider, and cracks the hashes at leisure before attempting to log in. Security controls such as locking accounts after several failed attempts help against online attacks, but offline attacks let the attacker iterate through methods and countless guesses with no such limits. Online attacks occur while the attacker is connected to the system, and users being locked out of their accounts may simply mean they forgot their passwords or may indicate an attack. An offline attack, by contrast, is less risky for the attacker and lets them circumvent controls without being detected.

Imagine trying every word in the dictionary to gain access to a system: that is a dictionary attack. Software tools automate the process. Dictionary attacks can use different and custom word lists, including lists of common passwords that are not in any traditional dictionary, such as 1234 and abcde. They are most successful against simple passwords because the attack simply tries each entry in the list. The word password, for example, falls to a dictionary attack immediately, whereas changing the letter o to the numeral 0 and the letter a to @ could thwart a plain dictionary attack.

Brute-force attacks, however, are quite capable of defeating such passwords. Unlike a dictionary attack, a brute-force attack tries every possible combination of letters, numbers, and symbols up to a given length, hashing each candidate and comparing it against the target. Brute force cracks short passwords quickly but takes a great deal of time and computing power against longer, more complex passwords, because the number of combinations grows exponentially with length. Dictionary and brute-force attacks can also be combined into hybrid attacks. A hybrid attack starts from a dictionary and then applies mangling rules: appending numbers to the end of words, substituting numbers or symbols for certain letters, and capitalizing the first letter of each word.
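The three guessing strategies just described, together with the salted storage that the rainbow table discussion below relies on, as an added example (this is not code from the guide or from any cracking tool or password library). The word list, target passwords, and character set are constructed and kept tiny so the whole thing runs in seconds; the PBKDF2 iteration count is the figure OWASP currently recommends for PBKDF2-HMAC-SHA256.

```python
"""Dictionary, hybrid and brute-force guessing against unsalted hashes, then
the defender's answer: a random salt and a slow key derivation function.

Added example for this guide, not code from any cracking tool or password
library. Word list, targets and character set are constructed and tiny.
"""
import hashlib
import hmac
import itertools
import os
import string

WORDLIST = ["letmein", "password", "qwerty", "summer", "welcome"]  # constructed
LEET = str.maketrans("ao", "@0")   # the a->@, o->0 substitution from the text
KDF_ITERATIONS = 600_000           # OWASP's current PBKDF2-HMAC-SHA256 figure


def sha256_hex(text):
    """Fast, unsalted hash: what a weak password store looks like to an attacker."""
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, words):
    """Try each word as-is. Returns (plaintext or None, hashes computed)."""
    for attempts, word in enumerate(words, start=1):
        if sha256_hex(word) == target_hash:
            return word, attempts
    return None, len(words)


def hybrid_candidates(word):
    """Mangling rules from the text: capitalise the first letter, substitute
    symbols/digits for letters, and append 0-99 to every variant."""
    bases = {word, word.capitalize()}
    bases |= {b.translate(LEET) for b in bases}
    for base in sorted(bases):
        yield base
        for n in range(100):
            yield f"{base}{n}"


def hybrid_attack(target_hash, words):
    attempts = 0
    for word in words:
        for guess in hybrid_candidates(word):
            attempts += 1
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


def brute_force(target_hash, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaust every string over `charset` up to `max_len`. The keyspace is
    sum(len(charset)**L for L in 1..max_len): here 36 + 1296 + 46656."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


def precomputed_table(words):
    """Attacker's hash -> plaintext table, built once and reused. A rainbow
    table stores hash chains instead of every pair to save space, but the
    workflow is the same: no hashing at attack time, only lookups."""
    return {sha256_hex(w): w for w in words}


def store_password(password, salt=None):
    """Defender side: 16 random salt bytes plus PBKDF2-HMAC-SHA256. Two users
    with the same password get different records, and no precomputed table
    built without this exact salt can match."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, record):
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), KDF_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(dictionary_attack(sha256_hex("password"), WORDLIST))  # ('password', 2)
    print(dictionary_attack(sha256_hex("P@ssw0rd"), WORDLIST))  # (None, 5)
    print(hybrid_attack(sha256_hex("P@ssw0rd"), WORDLIST))      # ('P@ssw0rd', 203)
    print(brute_force(sha256_hex("x7q")))                       # short password falls
    table = precomputed_table(WORDLIST)
    record = store_password("summer")
    print(table.get(sha256_hex("summer")), table.get(record.split("$")[1]))
    print(verify_password("summer", record), verify_password("Summer", record))
```

Run it and note the attempt counts: the dictionary finds "password" on its second guess and never finds "P@ssw0rd", the hybrid rules find "P@ssw0rd" after 203 hashes, and the three-character password falls to exhaustive search in well under the 47,988 hashes the keyspace allows. The same unsalted table that recovers "summer" instantly returns nothing for the salted PBKDF2 record, and the 600,000 iterations make every guess against that record several hundred thousand times more expensive than a bare SHA-256.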
This hybrid method can also be a useful tool to help identify weak passwords and controls for audit purposes. A common countermeasure to mitigate password attacks is account lockout. Password spraying seeks to circumvent account lockouts by trying a single password (or a very small number of common ones) across many accounts, staying under each account's lockout threshold. Password spraying is a slow approach, but what it lacks in speed against a single account it gains in scale across many accounts at once. A single failed password on one account may be benign. However, a single failed login across many accounts at about the same time, often from the same source address, should serve as an indication to a security administrator that password spraying may be occurring. A rainbow table can be thought of as a very large precomputed structure that maps hash values back to the passwords that produced them for every string in a given character set and length range. Rather than storing every hash, a rainbow table stores chains of alternating hash and reduction steps and recomputes the rest on demand, trading storage for lookup time. If an attacker has enough resources to store an entire rainbow table in memory, an attack on hashed passwords can occur with great efficiency, and it can occur offline. The attacker does not need to hash every potential password, as the table-building step has already done this; the attacker only needs to perform a search against the captured password hashes. Adding an additional random input, known as a salt, to each password before hashing makes rainbow tables ineffective: a table would have to be built for every salt value, and a sufficiently long random salt makes that infeasible. A user being locked out of his or her account may indicate an attack against the user's password, especially if that user has no history of repeated failed logon attempts. Birthday Attacks A birthday attack is a cryptographic attack against a hash function's collision resistance. Keep in mind that a dictionary attack or a brute-force attack is successful when a guess is hashed and the resulting hash matches the hash being cracked; that is a search for the preimage of one specific hash. A birthday attack instead searches for any two inputs that produce the same hash (a collision), which requires far fewer attempts than a preimage search, on the order of the square root of the number of possible hash values.
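The rainbow table and the salt countermeasure, as an added example that is not part of the original guide. Unlike a plain hash-to-password lookup table, this builds real chains with position-dependent reduction functions, stores only each chain's endpoints, and recovers a password by walking the chains at lookup time. The alphabet, password length, chain length and table size are assumptions sized so the table builds in about a second; the victim password is deliberately chosen from a chain so the lookup is guaranteed to be covered, since a rainbow table recovers only passwords its chains visit.

```python
"""A toy rainbow table with reduction functions, and why a salt defeats it.

Added example, not from the original guide. The alphabet, password length,
chain length and table size are assumptions for the demonstration; real
tables cover far larger spaces the same way.
"""
import hashlib
import os
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 4                  # password space: 26**4 = 456,976 strings
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 200             # hash->reduce steps per chain
NUM_CHAINS = 2000           # rows stored; chains visit up to CHAIN_LEN*NUM_CHAINS passwords


def H(password, salt=b""):
    """The 'password database' hash; unsalted unless a salt is supplied."""
    return hashlib.sha256(salt + password.encode()).digest()


def reduce_(digest, position):
    """Map a hash back into the password space. Mixing in the chain position
    gives each step a different reduction function, the rainbow-table trick
    that limits chain merges."""
    n = (int.from_bytes(digest[:8], "big") + position) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(seed=1):
    """Precompute chains offline: store only (end -> start) for each chain."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = "".join(rng.choice(ALPHABET) for _ in range(LENGTH))
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_(H(pw), pos)
        table[pw] = start  # a merged chain overwrites an earlier one; fine for a demo
    return table


def lookup(table, target_hash):
    """Recover the password for an (unsalted) hash, or None if not covered."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume target_hash sits at step `pos` of some chain; walk to its end.
        pw = reduce_(target_hash, pos)
        for p in range(pos + 1, CHAIN_LEN):
            pw = reduce_(H(pw), p)
        start = table.get(pw)
        if start is None:
            continue
        # Candidate chain found: regenerate it and check for the target hash.
        pw = start
        for p in range(CHAIN_LEN):
            if H(pw) == target_hash:
                return pw
            pw = reduce_(H(pw), p)
    return None


def demo():
    """Crack one covered password from its unsalted hash, then show that the
    same password hashed with a random per-user salt is not in the table."""
    table = build_table()
    start = next(iter(table.values()))
    victim = start
    for pos in range(3):  # the 4th element of that chain: certainly covered
        victim = reduce_(H(victim), pos)
    salt = os.urandom(16)  # what a salted password store would keep per user
    return victim, lookup(table, H(victim)), lookup(table, H(victim, salt)), len(table)


if __name__ == "__main__":
    victim, cracked, salted, rows = demo()
    print(f"table rows: {rows}, unsalted lookup: {cracked}, salted lookup: {salted}")
```

The table keeps 2,000 rows yet its chains visit up to 400,000 of the 456,976 possible passwords (fewer where chains merge), which is the storage-for-time trade. A 16-byte random salt per user means the attacker would need a separate table per salt value, so precomputation buys nothing; in practice a salt is combined with a deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2) so that each individual guess is expensive as well.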
This type of attack is called a birthday attack because it is based on what is known as the birthday paradox. Simply put, if 23 people are in a room, the probability that two of those people share a birthday is just over 50%. Hard to believe? True. That's why it is called a paradox. Without getting into complex math, let's try to simplify the reasoning (though this is not easy to do!). The birthday paradox is concerned with finding any match, not necessarily a match for you. You would need 253 other people in a room to have a 50% chance that someone shares your birthday. Yet 23 people already form 253 distinct pairs when cross-matched with one another, and that gets us to a 50% chance that some pair matches. This same reasoning applies to finding collisions within hash functions. Just as it is hard to find someone who shares (collides with) your birthday, it is hard to find an input that collides with a given hash. But just as the probability of finding any two matching birthdays within the group rises quickly with the size of the group, it is much easier to find any two inputs that have the same hash: for a hash function with N possible outputs, roughly the square root of N random inputs give a 50% chance of a collision.
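The birthday numbers above, computed rather than asserted, as an added example that is not part of the original guide. It evaluates the exact pair-collision probability for 23 people, the 253-person figure for a match against one fixed birthday, and the square-root bound for a hash; it then runs an actual birthday attack against SHA-256 truncated to 32 bits, which is an assumption made so the collision search finishes in a few seconds, and contrasts it with a preimage search on the same truncated hash.

```python
"""The birthday bound, numerically and empirically.

Added example, not from the original guide. The truncated-hash experiment
uses the first 32 bits of SHA-256 as a stand-in for a weak 32-bit hash.
"""
import hashlib
import math


def p_any_pair(n, space=365):
    """P(at least two of n draws collide), exact: 1 - prod(1 - i/space)."""
    p_none = 1.0
    for i in range(n):
        p_none *= 1 - i / space
    return 1 - p_none


def p_someone_matches_me(others, space=365):
    """P(at least one of `others` shares *my* birthday): a preimage-style search."""
    return 1 - (1 - 1 / space) ** others


def people_for_half(space=365):
    """Smallest n with a 50% chance of some pair colliding (23 for birthdays)."""
    n = 1
    while p_any_pair(n, space) < 0.5:
        n += 1
    return n


def birthday_bound(space):
    """Approximate draws for a 50% collision chance: sqrt(2 ln 2 * space)."""
    return math.sqrt(2 * math.log(2) * space)


def h32(data):
    """A 32-bit hash: SHA-256 truncated to its first four bytes."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def find_collision():
    """Birthday attack on h32: hash distinct inputs until any two match.
    Expected work is about sqrt(2**32) = 65,536 hashes, not 2**32."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = h32(msg)
        if h in seen:
            return seen[h], msg, i + 1   # the two colliding inputs and the hash count
        seen[h] = msg
        i += 1


def find_preimage(target, limit):
    """Brute force one specific 32-bit value: expected 2**32 tries; stops at limit."""
    for i in range(limit):
        msg = b"pre-%d" % i
        if h32(msg) == target:
            return msg, i + 1
    return None, limit


if __name__ == "__main__":
    print(f"23 people, any pair:      {p_any_pair(23):.4f}")
    print(f"253 others, matches me:   {p_someone_matches_me(253):.4f}")
    print(f"50% bound for 2**32 hash: {birthday_bound(2**32):.0f} inputs")
    a, b, tries = find_collision()
    print(f"collision after {tries} hashes: {a!r} and {b!r} -> {h32(a):#010x}")
```

The collision turns up after tens of thousands of hashes, while the preimage search for a chosen 32-bit value would on average need about four billion. For a real 256-bit hash the same ratio holds: 2^128 work for a collision versus 2^256 for a preimage, which is why a hash's collision resistance is rated at half its output length.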
Downgrade Attacks Cryptographic attacks are made simpler through downgrade attacks. The cryptographic protocols used for secure web browsing (SSL/TLS) are a common example. A downgrade attack is often the result of security configurations not being updated, and failure to update often stems from the desire to maintain backward compatibility. When a web browser communicates over a secure channel with a web server, the two must first agree on the version of the cryptographic protocol, and the cipher suite, to use. The server might require the latest and most secure version; however, if the browser does not support that version, the connection cannot happen. For this reason, security sometimes gives way to preventing operational impact. However, if the server allows the negotiation to fall back to a weaker version, the connection becomes susceptible to the attacks known against that weaker version. An attacker might therefore purposely use a client implementation that supports only the less secure versions, or, as a man-in-the-middle, rewrite the negotiation so that each legitimate side believes the other supports nothing better. A connection that ends up on an older protocol version than both endpoints actually support, particularly with a man-in-the-middle present, is an indicator of a downgrade attack. You should ensure that web servers are not configured to allow backward compatibility with obsolete protocol versions and cipher suites.
Quiz
1. A user in finance opens a help desk ticket identifying many problems with her desktop computer, including sluggish performance and unfamiliar pop-ups. The issues started after she opened an invoice from a vendor. The user subsequently agreed to several security warnings. Which of the following is the user's device most likely infected with?
A. Ransomware
B. Spyware
C. Backdoor
D. Adware
2. A user has reported consistent activity delays with his PC when using a specific web browser. A quick investigation reveals abnormally high CPU usage. Which of the following types of malware is most likely affecting the user's PC?
A. Crypto-malware
B. Worm
C. Macro virus
D. Keylogger
3. Which of the following are unique characteristics of a rainbow table attack but not of a brute-force attack?
(Select two.)
A. This attack doesn't require the hashed passwords.
B. This attack involves precomputed hash values.
C. This attack must be conducted online.
D. This attack circumvents account lockout restrictions.
4. Which of the following allow machines to solve problems and do analysis without specifically being programmed? (Select two.)
A. RATs
B. PUPs
C. AI
D. ML
5. Which of the following attacks often occurs when security configurations are not updated?
A. Birthday
B. Downgrade
C. Spraying
D. Skimming
Answer 1: C. Because the user opened an attachment that masqueraded as something legitimate and required agreement to various security prompts, it is most likely a backdoor installed on the system. Answer A is incorrect because with ransomware, the attacker would be asking for a ransom payment. While both spyware and adware may cause problems with performance, they would not likely prompt the user with security dialogs. Thus, answers B and D are incorrect.
Answer 2: A. Crypto-malware is most likely. While crypto-malware may have worm-like capabilities, such malware is known for heavy CPU use, and, because this particular issue happens when using the web browser, the problem is likely to be a cryptojacking variant. The other choices may result in anomalous CPU behavior, but that is not as likely as it would be with crypto-malware. Further, a macro virus would involve the use of office software. Thus, answers B, C, and D are incorrect.
Answer 3: B and D. A rainbow table is a large set of precomputed hash values used to reverse cryptographic hash functions, and such an attack may be performed offline. Answer A is incorrect, as the attack needs the hashed password values in order to do a lookup or search. Answer C is incorrect as rainbow table attacks may be performed offline.
Answer 4: C and D.
Artificial intelligence (AI) involves applying various techniques to solve a variety of problems and challenges, and machine learning (ML) is one of the key techniques used in AI. Answer A is incorrect because remote access Trojans (RATs) installed on a system allow a remote attacker to take control of the targeted system. Answer B is incorrect: PUPs (potentially unwanted programs) include spyware and adware that are often downloaded with a program the user wants.
Answer 5: B. A downgrade attack may occur when security configurations are not updated; often this stems from the desire to maintain backward compatibility. Answer A is incorrect because a birthday attack is a cryptographic method of attack against a secure hash, based on what is known as the birthday paradox. Answer C is incorrect: password spraying is an attack that attempts to access a large number of user accounts with a very small number of commonly used passwords. Answer D is incorrect because skimming involves copying data from a card (ATM or other) by using a specialized terminal; the card can subsequently be cloned by encoding a blank card with the stolen data.
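Returning to the downgrade attack discussed before the quiz, here is an added example that is not part of the original guide. It models a TLS-style version negotiation with both sides' messages: the client offers what it supports, the server picks the strongest version in common, a man-in-the-middle strips the stronger versions from the client's offer, and a minimum-version policy on the server refuses the result. The message shapes are a simplified model and not real TLS; the version names are used only as labels.

```python
"""Protocol version negotiation, a man-in-the-middle downgrade, and the
server policy that stops it.

Added example, not from the original guide. The message dictionaries are a
simplified model of a TLS hello exchange, not the real wire format.
"""

ORDER = ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]  # weakest to strongest
RANK = {v: i for i, v in enumerate(ORDER)}


def client_hello(supported):
    """Client offers every version it supports."""
    return {"type": "ClientHello", "versions": sorted(supported, key=RANK.get)}


def server_hello(hello, server_supported, minimum=None):
    """Server picks the strongest version both sides support.
    With `minimum` set (the hardened configuration), anything weaker is
    refused even though the server *could* still speak it."""
    common = set(hello["versions"]) & set(server_supported)
    if not common:
        return {"type": "Alert", "reason": "no common version"}
    best = max(common, key=RANK.get)
    if minimum is not None and RANK[best] < RANK[minimum]:
        return {"type": "Alert", "reason": f"{best} below minimum {minimum}"}
    return {"type": "ServerHello", "version": best}


def mitm_strip(hello, keep_at_most):
    """Man-in-the-middle rewrites the ClientHello to advertise only weak
    versions, so the server believes the client cannot do better."""
    stripped = [v for v in hello["versions"] if RANK[v] <= RANK[keep_at_most]]
    return {"type": "ClientHello", "versions": stripped}


def negotiate(client_supported, server_supported, minimum=None, attacker=None):
    """Run one handshake; `attacker` is the strongest version the MITM lets through."""
    hello = client_hello(client_supported)
    if attacker is not None:
        hello = mitm_strip(hello, attacker)
    return server_hello(hello, server_supported, minimum)


def downgrade_indicator(client_supported, server_supported, negotiated):
    """Detection check: a negotiated version weaker than the best version both
    endpoints support is the signature of a downgrade."""
    best_possible = max(set(client_supported) & set(server_supported), key=RANK.get)
    return RANK[negotiated] < RANK[best_possible]


# Constructed endpoints: a modern client and a backward-compatible server.
CLIENT = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
LEGACY_SERVER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]


def scenarios():
    normal = negotiate(CLIENT, LEGACY_SERVER)
    attacked = negotiate(CLIENT, LEGACY_SERVER, attacker="TLS1.0")
    hardened = negotiate(CLIENT, LEGACY_SERVER, minimum="TLS1.2", attacker="TLS1.0")
    return normal, attacked, hardened


if __name__ == "__main__":
    normal, attacked, hardened = scenarios()
    print("no attacker:       ", normal)
    print("MITM strips >1.0:  ", attacked,
          "downgrade?", downgrade_indicator(CLIENT, LEGACY_SERVER, attacked["version"]))
    print("server min TLS1.2: ", hardened)
```

With both endpoints able to speak TLS 1.3, the legacy server happily lands on TLS 1.0 once the attacker trims the offer, and only the `downgrade_indicator` check, which compares the outcome with what the two endpoints could have negotiated, reveals it. Setting a minimum version turns the same attack into a refused connection: the compatibility the server was keeping for old clients is exactly what the attacker was using. Real TLS adds its own protections to this picture (TLS 1.3 embeds a downgrade sentinel in the server random, and TLS_FALLBACK_SCSV signals a client's retry at a lower version), but the operational fix is the same as in the text: do not leave obsolete versions and cipher suites enabled.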