Chapter 21 Β· Flashcards

Common Threat Vectors Flashcards

Click each card to reveal the answer.

0 / 16 flipped
What is a threat vector?
A threat vector (also called attack vector) is the specific pathway or method an attacker uses to gain unauthorized access to a system or network. It is the "door" β€” not the attacker, not the malware, but the mechanism of delivery or access. Examples: email, USB drive, open TCP port, default credentials, compromised vendor connection. Understanding threat vectors is the foundation of attack surface management.
What makes message-based vectors so effective?
Message-based vectors (email, SMS, IM) exploit human behavior rather than technical vulnerabilities. They reach victims directly, impersonate trusted sources, and use urgency and social engineering to override caution. Email is the most common initial access vector in documented breaches. SMS phishing (smishing) reaches victims on personal devices outside corporate security controls. SVG image attachments can deliver executable JavaScript inside what appears to be an image file.
Why are SVG files a threat vector?
SVG (Scalable Vector Graphic) is an XML file format β€” not a pixel-based image. Because it is XML, it can legally contain HTML elements and JavaScript. When a browser renders a malicious SVG, any embedded script executes. The file looks like a completely normal image visually β€” there is no indicator of the code inside. Browsers must perform input validation and content sanitization when rendering SVG to prevent code execution. SVG files sent as email attachments can also bypass email security tools that only scan document types.
What file types can contain hidden malware beyond .exe?
Four major categories: (1) Adobe PDF β€” supports embedded JavaScript and objects that exploit reader vulnerabilities. (2) ZIP/RAR archives β€” hide malware among hundreds of benign files; password-protected archives bypass scanning. (3) Microsoft Office documents β€” VBA macros execute automatically when enabled; the most-used delivery method for ransomware historically. (4) Browser extensions/add-ins β€” can read all page content, capture passwords, and exfiltrate data from within the trusted browser context.
What is the difference between vishing, SPIT, and war dialing?
Vishing: voice phishing β€” a human attacker calls a victim, impersonating a trusted authority (IRS, IT support, bank) to extract credentials or authorize fraudulent actions. Social engineering via voice. SPIT (Spam over IP Telephony): automated large-scale robocall campaigns over VoIP β€” the voice equivalent of email spam, reaching thousands with recorded vishing messages at near-zero cost. War dialing: automated dialing of phone number ranges to detect which numbers connect to computers, modems, or networked systems β€” still used against legacy industrial and government environments.
Why are USB drives dangerous on air-gapped networks?
Air-gapped networks have no internet or external network connections β€” they are physically isolated. USB drives can physically carry malware across this gap. Stuxnet was delivered to Iran's air-gapped Natanz nuclear facility via USB drops, destroying approximately 1,000 uranium centrifuges. USB drives also enable undetectable data exfiltration β€” terabytes can leave a facility with zero network bandwidth used, bypassing all network-based DLP and monitoring tools. Physical isolation is not absolute security without USB port controls.
What is the difference between client-based and agentless software vectors?
Client-based: software is installed on the endpoint device. Vulnerabilities affect that specific device. Patch the application on each device. Defense: push patches to all endpoints. Agentless: no local install β€” client connects to a server session and runs the application remotely. Vulnerabilities live on the server. If the server is compromised, every client that connects is affected simultaneously β€” the entire user population, often all at once when they log in. Defense: secure and patch the server; the client has nothing local to patch. Log4Shell was an agentless vector β€” server-side library, client-side impact.
Why are unsupported systems a security risk?
Unsupported systems run end-of-life software where the manufacturer no longer releases security patches. New vulnerabilities are discovered continuously β€” on an unsupported system, those vulnerabilities will never be fixed. The vulnerability window is permanent and grows over time. A single unsupported system can serve as an entry point to the entire network. WannaCry exploited Windows XP systems (EOL 2014) β€” hospitals running XP had no patch available, leading to cancelled appointments and diverted ambulances. Keep accurate inventories and establish upgrade plans before EOL dates.
What wireless protocols should replace WEP and WPA?
WEP (Wired Equivalent Privacy): broken since ~2001 β€” crackable in minutes with freely available tools. Replace immediately. WPA (Wi-Fi Protected Access): deprecated, TKIP vulnerabilities. Replace immediately. WPA2: still widely deployed, reasonably secure but has known vulnerabilities (KRACK); patch all devices and consider upgrading. WPA3: current standard β€” uses SAE (Simultaneous Authentication of Equals) instead of PSK, resistant to offline dictionary attacks. All new wireless deployments should use WPA3; migrate existing infrastructure where hardware supports it.
What is 802.1X and why does it matter for network security?
802.1X is an IEEE standard for port-based Network Access Control (NAC). It requires any device attempting to connect to a wired or wireless network to authenticate through an authentication server (typically RADIUS) before the switch port grants network access. Without 802.1X: any device plugged into an Ethernet port or within Wi-Fi range gets automatic network access. With 802.1X: unauthorized devices are blocked at the port level regardless of physical access. Mercer Financial's unprotected conference room ports and lobby drops were direct examples of the gap 802.1X closes.
What is the risk of default credentials?
Most network devices ship with default factory usernames and passwords (admin/admin, root/root, etc.) for initial setup. These defaults are publicly listed on sites like routerpasswords.com for thousands of devices. If never changed, any attacker can find the model number and log in with the factory default β€” no exploit, no hacking, just looking up a credential. Default credentials = full administrator access. The Mirai botnet compromised 600,000+ IoT devices using only 61 known default credential pairs, then launched the largest DDoS in history. Change all defaults immediately on deployment.
How do supply chain attacks work?
Supply chain attacks target an organization indirectly by compromising a trusted upstream entity β€” a vendor, contractor, software provider, or hardware manufacturer. The attacker rides the trust relationship downstream to reach the hardened target. Mechanisms: injecting malicious code into software build pipelines (SolarWinds β€” attacker inserted backdoor into a software update, reaching 18,000 organizations); tampering with hardware during manufacturing (fake Cisco switches with backdoors); compromising vendors with network access to the target (Target 2013 β€” via HVAC contractor). The attack arrives through a channel the target deliberately trusts and allows.
What is an MSP and why are they a supply chain risk?
MSP (Managed Service Provider): a company that manages IT infrastructure for multiple client organizations from a centralized platform, typically with privileged remote access to all client systems. Supply chain risk: compromising one MSP grants authenticated access to all of its customer networks simultaneously. A single breach can expose dozens or hundreds of separate organizations β€” extraordinary attack leverage. Attackers specifically target MSPs for this reason. Customers of an MSP inherit the MSP's security weaknesses; vendor risk management and least-privilege access for MSP accounts are essential controls.
What is a "Hacker on a Chip" (HID Attack)?
A HID (Human Interface Device) attack uses a USB device that emulates a keyboard rather than a storage drive. The operating system grants keyboards immediate, trusted input access β€” no authentication required. When plugged in, the device automatically types a pre-programmed attack sequence at machine speed (hundreds of characters per second): opening a terminal, downloading malware, creating backdoor accounts, or exfiltrating files β€” all in seconds. The USB Rubber Ducky is the most well-known HID attack tool. Called "Hacker on a Chip" because the complete attack payload is programmed into the device's microcontroller.
Why does more open ports = larger attack surface?
Every open TCP or UDP port represents a service listening for connections. Each service has its own vulnerability history, its own configuration, and its own potential for misconfiguration. Every open port that accepts external traffic requires a firewall rule explicitly allowing that traffic β€” and firewall rules accumulate over years, rarely being cleaned up. More services = more attack vectors, more CVEs to track, more configurations to audit, more potential misconfigurations. Minimizing running services (principle of least functionality) directly reduces attack surface. A service that isn't running cannot be exploited.
What is the key lesson from the 2013 Target breach?
Target was breached not through Target's own systems, but through an HVAC vendor (Fazio Mechanical) that had network access for invoice submission and remote monitoring. Attackers compromised Fazio via phishing, used their credentials to enter Target's vendor portal, pivoted to the POS network (inadequate network segmentation), installed memory-scraping malware on point-of-sale terminals across all stores, and stole 40 million credit card numbers. Lesson: granting third-party vendors network access extends your attack surface to include their security posture. Vendor access must be least-privilege, network-segmented, and subject to the same security standards as internal access.