2.2 Flashcards
Threat Vector and Examples
How an attacker gains access,
- message based, images or files sent, phishing, removable devices, unsecure networks
Attack Surface
Where attacker gain access
Social Engineering Threat Vector -Brand impersonation
pretending to be cisco on twitter
Social Engineering Threat Vector- Typo Squatting aka url hijacking
registering gnail.com
Social Engineering Threat Vector- Watering Hole
compromising the watering hole and waiting for users who normally would trust the website they are visiting. Waiting for someone to enter CC number in “bank’s” website
Social Engineering Threat Vector Pretexting
Giving some info that seems true so the user will provide more information.
This can involve piggybacking (pretending to be someone you’re not)
It can be a form of phishing and gathering info about a person so they divulge more
could be pretending to be a company they work with over the phone etv
Social Engineering Threat Vector Phishing
Impersonating a trusted entity to trick victims into revealing sensitive information about themselves
Baiting
attacker leaves a malware infected USB in a location where target may find it
Spear Phishing
sending fraudulent email that appear to be from reputable sources but targeted toward specific users. has a high success rate
Whaling
a form of spear phishing that targets high profile individuals like the CEO
BEC
Business Email Compromise. Phishing attack. Someone’s email is compromised and attacker takes it over to steal sensitive info, redirect payments etc
Smishing
SMS phishing
Fraud (includes identity fraud and theft)
wrongful or criminal deception that is intended to result in financial or personal gain for the attacker
Identity Fraud
attacker takes victims CC and tries to use it
Identity Theft
attacker fully assumes the identity of their bictim
Scams
Deceptive act or operation
Invoice Scam
a person is tricked into paying for a fake invoice for a product or service they didn’t order. (attacker uses pretexting to call a secretary and tell them toners are ready to ship out tmrw and once they say ok its on record so they have to pay for it)
Influence Campaign
Coordinated efforts to affect public perception or behavior towards a particular
cause, individual, or grou
Misinformation
false or inaccurate info shared without harmful intent
Disinformation
deliberate creation and sharing of false information with the intent to deceive or misleadD
diversion Theft
manipulating a situation or creating a distraction to steal valuable items or information
Hoaxes
malicious deception that is often spread through social media, email or other channelsSho
Shoulder Surfing
looking over someone’s shoulder to gather personal information
Dumpster Diving
looking through trash to find valuable information
Eavesdropping
listening to privately held conversations
Piggybacking
attacker convinces employee to let them into facility
Tailgating
attacker attempts to follow an employee through access control vestibule without employees knowledge
Supply Chain Attacks
an attack that targets a weaker link in the supply chain to gain access to a primary target. Exploit vulnerabilities in suppliers or service providers to access more secure systems
CHIPS Act of 2022
US funding to promote semi conductor research in the US.
Semiconductors
essential components in a wide range of product from smartphones, to medical devices
Firmware Vulnerabilities
Specialized software stored on hardware devices
● Can grant attackers full control, leading to unauthorized access or
takeover
End of Life System
no updates or support from manufacturer
Legacy System
outdated and superseded by newer alternatives
Unsupported
no official support, security updates or patches
Unpatched systems
devices apps or software without latest security patches
