Andrew Despres
Comprehensive Study Guide: CompTIA 2.4 Security+ SY0-701 - Malware and Attack Vectors

This study guide provides a detailed synthesis of common cybersecurity threats, malware types, and application-level attacks as outlined in the CompTIA Security+ SY0-701 objectives. It is designed to help new learners grasp complex networking and security concepts through clear explanations and real-world comparisons.

1. Understanding Malware

Malware is a broad term describing any software designed to perform malicious actions on a system. These actions include stealing data, encrypting files for ransom, or turning a computer into a "zombie" for a larger network of compromised machines.

Common Malware Categories

  • Viruses: Malicious code that replicates itself by attaching to other files or systems.
    • Real-World Comparison: Like a biological virus, a computer virus requires a "host" (a human to click a link or run a program) to start the infection process.
    • Variants: Include Boot Sector Viruses (run when the system starts), Macro Viruses (embedded in documents like Microsoft Office), and Fileless Viruses (operate only in memory to avoid detection by traditional antivirus).
  • Worms: Software that self-replicates across a network without human intervention.
    • Key Difference: Unlike viruses, worms move at the "speed of the network" and do not need a user to click anything to spread.
  • Ransomware: Encrypts a user's data and demands payment (often in cryptocurrency) for the decryption key.
    • Safety Tip: Always maintain offline backups. If your system is infected, the ransomware cannot reach and encrypt an offline drive.
  • Trojan Horse: Software that appears to be legitimate (like a free utility) but installs malware in the background.
  • Rootkits: Malware that hides in the kernel of the operating system.
    • Real-World Comparison: Imagine a spy hiding inside the police station’s records room. Because they are "part of the system," they are nearly invisible to standard patrols (antivirus).
  • Logic Bombs: Code that waits for a specific event—such as a certain date/time or a specific user logging in—to execute its malicious payload.

2. Application and Injection Attacks

Attackers often exploit vulnerabilities in how applications handle data or interact with users.

Input-Based Attacks

  • Injection Attacks: Occur when an application fails to validate user input, allowing attackers to submit input that the application then interprets as code or commands.
    • SQL Injection: Targeting databases to steal or modify data (e.g., the Estonian Central Health Database breach).
    • HTML/XML/LDAP Injection: Similar attacks aimed at other interpreters (HTML markup, XML parsers, LDAP queries).
  • Buffer Overflow: An attacker sends more data to a memory variable than it can hold. The "overflow" spills into adjacent memory, potentially allowing the attacker to run unauthorized code.
  • Directory Traversal: Exploiting misconfigured web servers to access files outside the intended web directory using path sequences like ../.
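Added example (not part of the original post) showing the two input-based attacks above from the defender's side: a query built by string formatting next to its parameterized replacement, and a path check that stops ../ sequences from escaping the document root. It assumes an in-memory SQLite table and a document root of /var/www/html, both constructed for the demo.

```python
import posixpath
import sqlite3

def build_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, username):
    """Vulnerable: the input is spliced into the SQL text, so a quote character
    in the input changes the structure of the query instead of being data."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Hardened: the driver binds the value as a parameter; whatever the
    input contains, it can only ever be compared against the column."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

WEB_ROOT = "/var/www/html"  # assumed document root for the traversal check

def resolve_web_path(requested):
    """Return the normalised absolute path for a requested file, or None if
    the normalised path lands outside WEB_ROOT (directory traversal)."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, requested.lstrip("/")))
    # Check the *normalised* path: after normpath, '../' has already been applied,
    # so a simple prefix test on the root directory is sufficient.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate
```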

Request Forgeries and Session Attacks

  • Cross-Site Request Forgery (CSRF/Sea Surf): This attack exploits the trust a website has in a user’s browser. If you are logged into your bank, an attacker might trick your browser into sending a "transfer money" request without your knowledge.
  • Replay Attacks: The attacker captures sensitive information (like a session ID or password hash) and "replays" it to the server later to pose as the victim.
    • Real-World Comparison: This is like someone recording the sound of you clicking your car’s remote unlock button and playing that recording back later to open your car.

3. Network and Service-Level Attacks

These attacks target the infrastructure that makes the internet and local networks function.

DNS Attacks

  • DNS Poisoning: Modifying DNS records to redirect users to malicious websites. This can be done by attacking the DNS server or modifying the local hosts file on a computer.
  • URL Hijacking (Typosquatting): Registering domain names that are common misspellings of popular sites (e.g., professormesssor.com instead of professormesser.com) to steal credentials or show ads.
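Added example (not from the original post) of the brand-monitoring check a defender runs against typosquatting: newly seen domains are compared with a watchlist by edit distance, so the page's own professormesssor.com is flagged as two edits away from professormesser.com. The watchlist, the candidate domains and the distance threshold are constructed for the demo, and the second-level label is taken as the registrable name (multi-part suffixes such as .co.uk are not handled).

```javascript
// Levenshtein distance: minimum number of single-character insertions,
// deletions or substitutions that turn string a into string b.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur.push(Math.min(prev[j] + 1, cur[j - 1] + 1, subst));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Second-level label of a domain, e.g. "professormesser" for professormesser.com.
// Assumption: a single-label public suffix (.com, .org, ...).
function secondLevelLabel(domain) {
  const labels = domain.toLowerCase().replace(/\.$/, "").split(".");
  return labels.length >= 2 ? labels[labels.length - 2] : labels[0];
}

const WATCHLIST = ["professormesser.com"]; // the page's example brand

// Return [candidate, brand, distance] for every candidate within maxDistance
// edits of a watched brand, excluding exact matches (distance 0 is the real site).
function flagLookalikes(candidates, watchlist = WATCHLIST, maxDistance = 2) {
  const hits = [];
  for (const cand of candidates) {
    for (const brand of watchlist) {
      const d = levenshtein(secondLevelLabel(cand), secondLevelLabel(brand));
      if (d > 0 && d <= maxDistance) hits.push([cand, brand, d]);
    }
  }
  return hits;
}

module.exports = { levenshtein, secondLevelLabel, flagLookalikes };
```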

Denial of Service (DoS)

A DoS attack aims to make a service unavailable by overloading it or exploiting a design flaw.

  • DDoS (Distributed DoS): Using a Botnet (thousands of infected "robot" computers) to attack a single target simultaneously.
  • Amplification Attacks: An attacker sends a small request to a service (like DNS or NTP) using a spoofed IP address. The service sends a much larger response to the victim, overwhelming them.
    • Example: A 15-character DNS query can result in a 1,300-character response—an amplification of 86 times.

Wireless Attacks

  • Deauthentication Attack: Sending forged, unauthenticated "management frames" to a device to kick it off the Wi-Fi network. Enabling 802.11w (Protected Management Frames) lets clients discard forged frames.
  • RF Jamming: Sending noise over wireless frequencies to decrease the signal-to-noise ratio, making communication impossible.

4. Indicators of Compromise (IOC)

As a security professional, you must look for the "breadcrumbs" left by attackers.

Chart describing indicators of compromise

Understanding the diverse landscape of malware and application attacks is the foundation of a successful career in cybersecurity. As you have seen, attackers don't just use one tool; they combine worms, exploits, and social engineering to bypass modern defenses.