2 cissp ® Official Study Guide Eighth Edition

Understanding Access Control Attacks 
651
A zero-day vulnerability is one that application vendors either don’t know 
about or have not released a patch to remove the vulnerability. The Adobe 
PDF attack exploited a vulnerability in PDF files. Even though Adobe 
patched that vulnerability, attackers discover new application vulnerabili-
ties regularly.
Whaling
Whaling
is a variant of phishing that targets senior or high-level executives such as chief 
executive offi cers (CEOs) and presidents within a company. A well-known whaling attack 
targeted about 20,000 senior corporate executives with an email identifying each recipient 
by name and stating they were subpoenaed to appear before a grand jury. It included a link 
to get more information on the subpoena. If the executive clicked the link, a message on the 
website indicated that the executive needed to install a browser add-on to read the fi le. 
Executives that approved the installation of the add-on installed malicious software 
that logged their keystrokes, capturing login credentials for different websites they visited. 
It also gave the attacker remote access to the executive’s system, allowing the attacker to 
install additional malware, or read all the data on the system.
Vishing 
While attackers primarily launch phishing attacks via email, they have also used other 
means to trick users, such as instant messaging (IM) and VoIP. 
Vishing
is a variant of phishing that uses the phone system or VoIP. A common attack 
uses an automated call to the user explaining a problem with a credit card account. The 
user is encouraged to verify or validate information such as a credit card number, expira-
tion date, and security code on the back of the card. Vishing attacks commonly spoof the 
caller ID number to impersonate a valid bank or fi nancial institution.

Download 19,3 Mb.

Do'stlaringiz bilan baham: