1.2 Potential Indicators - Attack Type Flashcards

Threats, Attacks, and Vulnerabilities: Given a Scenario, Analyze Potential Indicators to determine the type of attack

1
Q

Malware - Virus

A
  • A malicious computer program that requires user intervention (ex: clicking it or copying it to media or a host) within the affected system
  • Most viruses self-replicate without the knowledge of the computer user.
  • Can be passed along from one system to another (via email, IM, downloads, removable media, network connections)
  • Probably the most common and prevalent type of system attack.
  • Often tedious to repair or clean up. Sometimes can be fatal to the entire computer system and company operations.
2
Q

Boot Sector Virus

A
  • Infects the boot sector or partition table of a disk.
  • The boot sector is used by the computer to determine which OSes are present on the system to boot.
  • The most common way a boot sector virus finds its way into a system is through an infected disk or removable media device that is inserted into the computer.
3
Q

Boot Sector Virus

A
  • Doesn’t allow the computer to boot, rendering the computer useless.
  • Infects the boot sector or partition table of a disk.
  • The boot sector is used by the computer to determine which OSes are present on the system to boot.
  • The most common way a boot sector virus finds its way into a system is through an infected disk or removable media device that is inserted into the computer.
  • Best way to remove - boot the system using an antivirus or similar emergency recovery media
  • This allows you to start up the computer with basic start-up files, bypassing the boot sector, and then run the antivirus program on the recovery media.
4
Q

Companion virus

A
  • Disguises itself as a legitimate program, using the name of a legit program but with a different extension.
  • Typically it will also execute the legitimate program after installing the virus code so that the system appears to be performing normally.
  • Some viruses replace the original file with their version that performs the same tasks but includes new malicious code to run with it.
5
Q

File Infector Viruses

A
  • Generally infect files that have the extension .com or .exe
  • Can be extremely destructive b/c they try to replicate and spread further by infecting other executable programs.
  • Sometimes it destroys the original program by overwriting the original code.
  • Caution: If your computer is afflicted with a file infector virus, DO NOT attach it to a network b/c it could infect files on other workstations and file servers.
6
Q

Macro Virus

A
  • A macro is an instruction that carries out program commands automatically within an application.
  • Typically used with Word and Excel.
  • Uses the internal workings of the application to perform malicious operations
7
Q

Trojan Horse

A
  • Software that pretends to be something else so it can conquer your computer
  • Doesn’t really care about replicating
  • Circumvents existing security
  • Designed to look non-threatening to users and anti-virus software
  • Some even disable Anti Virus
  • Can configure backdoors or configure additional malware
8
Q

PUP

A
  • Potentially Unwanted Program
  • Could be undesirable, may not be malicious, may cause performance issues
  • Might install a browser toolbar that’s difficult to uninstall
  • or a backup utility that always shows up or hijacks the browser
9
Q

Backdoors

A
  • Malware tends to open a backdoor on the system
  • Malware creates a new way to access the system
  • Sometimes the same backdoor is left open, so other malware can potentially use it
  • For attackers it is difficult to find vulnerabilities and get users to click on links.
  • So the malware wants a way to easily access your system again (without having to make you click on something etc.)
  • Ex: An old version of Linux included a backdoor
10
Q

RAT

A
  • Remote Access Trojan (or Remote Administration Tool)
  • Ultimate backdoor
  • Administrative control of a device
  • Malware that is already installed might install the RAT
  • Ex: can collect log of key strokes, screen shots, copy files, embed more malware
11
Q

Protecting against Trojan + RATs

A
  • Similar to preventing other malware
  • Don’t run unknown software
  • Keep antivirus / anti-malware up to date
  • Have the latest signatures installed for the software
  • Have a backup so you can restore from known good backup
12
Q

Rootkit

A
  • Originated in Unix/Linux, but they can be found on any OS
  • Common characteristic: instead of modifying files in the OS, it modifies files in the kernel (the foundational building blocks of the OS); everything that runs in the OS runs on top of the kernel
  • B/c the malware becomes part of the OS itself, it becomes invisible to antivirus / anti-malware
  • Identifying and removing a rootkit is very difficult
13
Q

Zeus/ Zbot Malware

A
  • Example of malware that combines a rootkit with malware
  • Very good at transferring money out of your bank account and into theirs
  • Combining the Zeus malware with the Necurs rootkit made it almost impossible to delete from the system
14
Q

Rootkit removers

A
  • Some antivirus / anti-malware tools can identify malware that relies on rootkits
  • BIOS software example - Secure Boot:
  • Ex: UEFI Secure Boot examines whether any part of the boot process has been modified (e.g. by a rootkit) and then won’t let it boot.
15
Q

Spyware

A
  • More malicious than Adware, it is trying to gather information about you
  • Ex: where you visit on the internet or PII
  • Can be installed different ways, ex: Trojan horse, peer to peer or fake security software
  • Common spyware will examine the sites you’re visiting and examine the keystrokes you’re using to get user names / passwords
  • Adware and spyware continue to be popular b/c users are very valuable
  • Prevention: Always make sure you have the latest signatures, don’t install unverified third party software
16
Q

Adware

A
  • Adware is one big advertisement; it can cause performance slowdowns in the OS and increased network traffic
  • Sometimes it can be installed accidentally
  • If you try to remove adware, you can find removal software that is also malware
17
Q

Bot

A
  • Stands for robot
  • Describes automation that occurs behind the scenes when this type of malware takes control of your machine
  • Entry points: Trojan horse, through vulnerability in OS, or alongside a normal application installation
18
Q

Botnet

A
  • When a group of bots on different machines is working together and controlled by a C&C (Command and Control) server
  • When all these systems are being controlled by a bad actor it can cause a DDoS (Distributed Denial of Service)
  • Systems can act as proxies or relays for spam, network traffic and other types of tasks
  • Can be rented out to 3rd parties to “rent a DDoS”
  • map.lookingglass.cyber.com lists active botnets and live attacks and countries
19
Q

C&C Server

A
  • Controls botnets
  • Issues commands to botnets
20
Q

How to stop a botnet

A
  • Ensure your OS is running the latest patches
  • Antivirus / anti-malware with the latest signatures
  • Can perform an on-demand network scan and look for any unusual network patterns
  • Prevent C&C - if you know the traffic patterns of the C&C, you can block it at the firewall or at the IPS / firewall at the workstation level
21
Q

Logic Bomb

A
  • Waits for a predefined event to trigger something
  • Often left by someone with a grudge
  • Ex: a person places a file in a particular location, or a particular computer is turned on or off
  • Difficult to detect logic bombs b/c they don’t follow any known signature, makes it difficult for anti virus/ malware
  • Many logic bombs will also delete themselves once executed so can be hard to repair as well
22
Q

Time Bomb

A
  • A specific type of Logic Bomb
  • Occurs when a particular date/time is reached
  • Ex: South Korean media / bank organizations were targeted and trojan malware was installed. A day later the bomb went off and it started deleting the master boot record and rebooting systems. The systems started looking for an OS, and a lot of ATMs were disabled.
  • Ex: Ukraine - focused on high voltage substations. Disabled electrical circuits
23
Q

SCADA Network

A
  • Supervisory Control and Data Acquisition Network
  • Supervisory Control and Data Acquisition (SCADA) is a system that aims to monitor and control field devices at your remote sites. … SCADA is a centralized system that monitors and controls the entire area. This supervisory system gathers data on the process and sends control commands to the process.
24
Q

Preventing Logic Bomb

A
  • Have a formal process and controls in place to monitor for any changes in the environment that deviate from processes and procedures
  • Automated processes that do this: host-based intrusion detection or Tripwire.
  • Constant auditing of alerts and computer systems, and make sure all system administrator changes are authorized
25
Q

Plaintext/ unencrypted passwords

A
  • Some applications store passwords “in the clear”
  • No encryption, you can read stored passwords
  • This is relatively rare
  • Do not store any passwords as plaintext
  • Need to stop using this application or upgrade applications
26
Q

Best way to store passwords

A
  • Hash - represents the password as a string of text (aka message digest) or “fingerprint”
27
Q

Hash

A
  • Hash - represents the password as a string of text (aka message digest) or “fingerprint”
  • Different inputs will not have the same hash
  • It’s very secure b/c it’s a “one way trip”, once you create the hash of the password, you can’t restore the original password by using the hash
28
Q

SHA-256

A
  • A very common hashing algorithm used in many algorithms
29
Q

Spraying Attack

A
  • Tries using a few very common passwords and then moves on
  • Ex: Often an application has the user names and the hash for the password stored, instead of using a brute force attack, they’ll use spraying
  • Spraying attack avoids the lock out issue with too many incorrect guesses of a brute force attack
  • no alarms, no alerts b/c they move on quickly
30
Q

Brute Force

A
  • if a hacker wants to obtain every user name and account in a system
  • going to try every combination of letters, numbers, special characters for a given account
  • If you’re starting with a hash (a strong hash algorithm slows things down)
  • generate a password, hash it and compare the resulting hash; if it matches, they know the password
  • (if you did this online it would be very slow, probably will lock out)
  • more common that the hacker has already downloaded the password file and run the brute force offline
31
Q

Dictionary Attack

A
  • Uses common words from the dictionary
  • Certain passwords are unique to a particular type of job
  • Can perform letter substitutions in these dictionary attacks
32
Q

GPU

A
  • Graphical Processing Unit
  • high speed cpu
  • Can be used in brute force attacks to speed things along
33
Q

Rainbow table

A
  • An optimized, pre-built set of hashes
  • Saves time and storage space
  • Doesn’t need to contain every hash
  • Contains pre-calculated hash chains
  • Very fast (bypasses the time it takes to create a hash)
  • Challenge with rainbow tables for hackers: a different application may use a different hash algorithm, so you’ll need different rainbow tables
34
Q

Salt

A
  • A little bit of extra random data added to the password before it is hashed
  • Ex: if 2 users are using the same password, their hash will be different
  • Can foil a Rainbow table
  • Doesn’t stop brute force, but slows things down b/c hacker has to know how the salt was implemented
35
Q

Physical attacks

A
  • Not all attacks occur over the network
  • Ex: malicious usb cable
  • Don’t plug in anything unknown
  • Free flash drive!
36
Q

HID

A
  • Human interface device (aka keyboard, mouse)
  • Could be on a malicious USB cable
  • When you plug it in, it can start typing and open files
37
Q

Malicious Flash drive

A
  • Ex: Malicious PDF, macros in spreadsheets
  • Can be configured as a boot device (which would infect the computer after a reboot)
  • It can act as an Ethernet adapter if it is configured as a wireless gateway
38
Q

Skimming

A
  • Stealing credit card information as we use the card for some other purpose
  • Ex: stealing from the magnetic strip or the card reader itself
  • Camera could also monitor ATM pad
  • check card reader before using, pull on it to make sure nothing pops out
39
Q

Card Cloning

A
  • Create an exact duplicate of credit card (including same CVC)
  • They clone the magnetic stripe (not the chips)
  • Ex: Gift cards are popular targets, they’ll clone the gift card, wait for it to be activated and then use it before legitimate person can
40
Q

Machine Learning

A
  • Find patterns in data
  • takes a lot of data to train computer system
  • Ex: a spam folder can catch more spam with more spam examples
  • Training assumes that all of the data is legitimate
  • But if fake training data is used, that would corrupt the learning
  • Ex: Microsoft AI chatterbot Tay (Thinking about you) - added to Twitter in 2016, didn’t add any type of anti-offensive behavior. Other users realized they could poison Tay.
  • Ex: Attackers tricked ML into revealing the actual SSN used to train the algorithm
  • Ex: Once spammers know what the spam filter is trained on they can tweak their language
41
Q

Prevent issues with ML Training Data

A
  • Cross check and verify the training data
  • Constantly retrain with new data
  • More data / better data
  • Use same techniques attackers are using to help prevent your system from becoming vulnerable.
42
Q

Supply Chain

A
  • Raw materials, suppliers, manufacturers, distributors, customers, consumers
  • Provides a lot of points of attack
  • Tend to trust our suppliers
  • Ex: Target Corp in 2013, started in HVAC company, there was a VPN connection the techs would use, there was an email with malware that stole VPN credentials
  • Attack vector was a surprise
43
Q

Supply chain access points

A
  • Can you trust your new: server, router, switch, firewall, software
  • Supply chain cyber security is a big concern
  • Many companies are narrowing vendor list to do more testing / auditing
  • Many companies are requiring that suppliers have strict controls in their own supplier network
44
Q

Cloud based vs on premise

A
  • 2 schools of thought: on site is more secure vs cloud is more secure
  • Cloud security, everything is centralized so costs tend to be lower (don’t have to worry about data center/ purchasing software/ IT services)
  • On site: have to have your own data center, but you know where all your data is and can control what happens to it
45
Q

On Premise security

A
  • You can control everything in house
  • You can have your own IT team and decide what expertise and security controls are in place
  • There are additional costs for all of this
  • Have to handle all the up time / availability yourself
  • Making security changes can take time (re-config can require new software etc.)
46
Q

Cloud based system

A
  • You can control how much security you have on your data
  • Usually no physical access
  • Concern: a 3rd party has access
  • Benefits: these cloud providers provide security to a lot of people and they have a lot of past experience
  • Challenge: want to make sure users are following best practices for accessing data
  • Tends to be more available (more redundancy)
  • May also have additional options (ex: 3rd party firewall; there might be fewer options with on premise)
47
Q

Cryptographic attacks

A
  • How do we know if data that’s been encrypted is really secure from start to delivery?
  • The attacker often doesn’t have the decryption key so they’ll try other things:
  • Ex: Hackers look for vulnerability. Often it’s not the cryptography that’s the problem but the way we’ve implemented the cryptography
48
Q

Birthday Attack

A
  • 23 ppl in a room, 50% chance of someone sharing a birthday
  • B/c you’re comparing every person to every other person (same idea as a hash collision)
49
Q

Hash collision

A
  • The same hash values for two different plaintexts
  • Should never happen
  • If you find one, attacker can find the other value that matches the hash
  • Prevention: increase the length of the hash
  • Hash should always be unique, however sometimes that doesn’t happen
50
Q

MD5

A
  • Message Digest Algorithm 5
  • Hash algorithm that had a hash collision
  • Hackers created a fake certificate authority
51
Q

Downgrade Attack

A
  • If you are securely communicating, the two sides will have a conversation and both sides will determine what the best encryption algorithm will be
  • If you can sit in the middle and influence the conversation, you can have the two sides downgrade their encryption to one that is easy to break
  • Ex: POODLE attack (Padding Oracle On Downgraded Legacy Encryption) against TLS (Transport Layer Security, the successor to SSL, the encryption used to communicate with web servers): in TLS they fell back to SSL 3.0.
  • Now ppl program to not allow downgrading to SSL 3.0
52
Q

Privilege Escalation

A
  • Gain higher level access to a system
  • Often an attacker will use a normal (non-admin) user account and then gain greater access by exploiting a bug / design flaw, often enabling this normal user to behave as an admin
  • Sometimes it’s a horizontal escalation (gain access to resources of another user at the same level), doesn’t have to be a vertical escalation