3.6 Fundamentals Of Cyber Security Flashcards
Cyber security definition:
= the technologies, practices and processes used to protect networks, data, programs & computers against damage, cyber attacks & unauthorised access
List the cyber security threats:
- social engineering techniques
- malicious code
- weak and default passwords
- misconfigured access rights
- removable media
- unpatched and/or outdated software
Social engineering techniques:
-
Malicious code
web scripts designed to create system vulnerabilities in order to upload malware
(leading to back doors, security breaches, information and data theft, and other potential damages to files and computing systems)
Weak and default passwords
- big security risk as can be easily cracked
hackers use:
- brute force attacks to get past short/simple passwords easily
- social engineering to figure out commonly used passwords (birthdays/addresses)
Misconfigured access rights
Users being given access to info they should not have access to
Explain removable media:
- malware can get onto device by being hidden in removable media
Unpatched and/or outdated software
- could be more easily exploited by hackers, malware, viruses
Penetration testing definition:
= process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access
= when organisations employ specialists to simulate potential attacks on their system to identify possible weaknesses in their cyber security
What does White-box penetration testing do?
= simulates a malicious insider who has knowledge of the target system (employee)
(Given some credentials)
What does Black-box penetration testing do?
= simulates an external hacking/cyber warfare attack (not given any credentials)
Social engineering definition:
= art of manipulating people so they give up confidential information (of networks)
List the forms of social engineering:
- pharming
- phishing
- shouldering (shoulder surfing)
- blagging
What is pharming?
Cyber attack intended to redirect a website's traffic to another, fake site using malware
- fake site designed to look the exact same
- user will enter personal info which will be taken by the criminal
Reduce risk by ensuring anti-malware software is up to date
What is Phishing?
Technique of fraudulently obtaining private info, often using email/SMS
- criminals send emails/texts to people claiming to be a well-known business (bank), often lead to fake websites
Reduce risk = many email programs, browsers, firewalls have anti-phishing features (reduces amount of phishing emails received)
Other giveaways = poor grammar, urgency, unknown email address
Be cautious around emails asking to follow links/update personal details
What is Shouldering (shoulder surfing)?
Observing a person’s private info over their shoulder (cashpoint machine PIN numbers)
Reduce risk = be discreet/careful
What is Blagging?
Act of creating & using invented scenario to engage targeted victim in a manner that increases the chance victim will reveal info or perform actions unlikely in ordinary circumstances (money for friend)
- someone makes up story/pretends to be someone they aren’t
- someone phones the victim, trying to gain their trust
Reduce risk = use security measures that can’t be given away (biometrics)
Malware (malicious software) definition
= refers to a variety of forms of hostile/intrusive software, designed to cause harm/gain unauthorised access to computer system
Types of malware:
- computer virus
- Trojan
- spyware
- adware
What is a computer virus?
- attach (by copying themselves) to certain files
- users spread them by copying infected files & activate them by opening infected files
What is a Trojan?
- malware disguised as legitimate software
- don’t replicate themselves, unlike viruses/worms
- users install them not realising they have a hidden purpose
What is Spyware?
- secretly tracks actions (key presses) and sends info to hacker (who might be able to work out things like passwords/bank details)
What is Adware?
- can cause pop-up ads that can’t be closed
How can you protect against malware?
-
List the types of security measures/user authentication:
- biometrics
- passwords
- CAPTCHA
- email confirmation
- automatic software updates
Explain biometric measures:
- use scanners to identify people by unique part of their body (fingerprint, retina)
- many different uses (smartphones contain fingerprint scanners to prevent unauthorised access)
- usually quite secure/convenient for users (don’t have to remember password) - but often more expensive to implement as require special hardware
Explain password systems:
- simple method of checking someone’s identity
- should be strong (many characters long, combination of letters/numbers/symbols) and changed regularly
- weak/default passwords = big security risk as can be easily cracked
- hackers can use brute force attacks to get past short/simple passwords easily & social engineering to figure out commonly used passwords (birthdays/addresses)
Explain CAPTCHA
= ‘Completely Automated Public Turing test to tell Computers and Humans Apart’
- designed to prevent programs automatically doing certain things (creating user account on website)
- usually consists of simple task (recognising animals, typing blurred/distorted words)
- tests rely on computers not being able to read images as well as humans can
- but as image recognition software & artificial intelligence develop, machines are becoming more capable of passing these tests
Explain email confirmation:
- used by most web services that require account registration to confirm email address belongs to person registering
- used to stop people from using fake email addresses to sign up
- however, as lots of webmail services are free, people can usually sign up for a new email address whenever they want, so not always effective for confirming someone’s identity
Explain automatic software updates:
- used to patch/fix any identified security holes in piece of software
- so software is less easily exploited by hackers, malware, viruses