701 - Section 2 Flashcards
What is the entity responsible for an event that has an impact on the safety of another entity called?
Threat actor or a malicious actor
What are the three attributes of threat actors?
Internal or external, resources or funding, level of sophistication or capability
Why is it important to find the motivation of a threat actor?
Because it identifies the purpose of the attack
Name five or more motivations for attackers?
Data exfiltration, espionage, service disruption, blackmail, financial gain, philosophical or political beliefs, ethical, revenge, disruption or chaos, war
Constant nation state attacks backed by massive resources are also known as what?
An advanced persistent threat
What are the location, resources, sophistication attributes of a nation state threat actor?
External, extensive, very high
What are the location, resources, sophistication attributes for an unskilled threat actor?
External, limited, very low
What are the location, resources, sophistication attributes for a Hacktivist threat actor?
External, some funding, can be high
What are the location, resources, sophistication attributes for an insider threat threat actor?
Internal, many resources, medium
What are the location, resources, sophistication attributes for an organized crime threat actor?
External, often extensive, very high
What are the location, resources, sophistication attributes for a shadow IT threat actor?
Internal, many resources, limited
What are the possible motivations for a nation state threat actor?
Data exfiltration, philosophical, revenge, disruption, war
What are the possible motivations for an unskilled threat actor?
Disruption, data exfiltration, philosophical beliefs
What are the possible motivations for a Hacktivist threat actor?
Philosophical beliefs, revenge, disruption or chaos
What are the possible motivations for an insider threat threat actor?
Revenge and financial gain
What are the possible motivations for an organized crime threat actor?
Financial
What are the possible motivations for a shadow IT threat actor?
Philosophical beliefs and revenge
What is the method used by an attacker to gain access or to infect a target?
A threat vector or an attack vector
What are three types of message-based attack vectors?
Phishing attacks (for example, providing a link in an email or a text), delivering malware to a user (for example, an attachment within an email), and social engineering attacks (for example, invoice or cryptocurrency scams)
What image format is known as a threat?
The scalable vector graphic format, SVG
What are two attack types of an image-based attack?
HTML injection and JavaScript attack
What can defend against an image-based attack?
A web browser providing input validation
What are three file-based threat vectors?
Adobe PDF, zip or RAR files, Microsoft Office files
What are the four types of voice call attack vectors?
Vishing (which is phishing over the phone), spam over IP, war dialing, call tampering
What does an attacker use for a removable device attack vector?
A USB drive
Which attack vector can infect an air gapped network?
A removable device attack vector
What are two types of software used for a vulnerable software attack vector?
Client and agentless
What are the differences between a client-based vulnerability and an agentless software vector vulnerability?
For a client-based vector, it is an infected executable that requires installation, whereas an agentless vector is not an installed executable, and the impact would affect all users using the service
What are two examples of unsupported system vectors?
A system that isn't regularly patched and an outdated operating system
What is the best way to prevent an unsupported system attack vector?
Making sure every system is patched and has all the latest updates, as a single system could represent an entry point
What is the best way to prevent an open service port attack vector?
Adding firewall rules for every open port as each one represents a potential entry point for an attacker
What is the best way to prevent a default credential attack vector?
Changing all default usernames and passwords, as it's very easy to find the default credentials for every device.
Why is a supply chain attack vector difficult to defend against?
Because they provide many points of entry, and some or most are out of an organization's control
What are two methods to defeat a phishing attack vector?
Check the URL of all links by hovering over them, and look for something not quite right with the spelling, the fonts or the graphics, as there usually is
What is at the root of a business email compromise attack vector?
We trust the email source, and the attacker takes advantage of this trust
Why are tricks and misdirection attack vectors difficult to defend against?
Because of how realistic they are. There may be a slight typo in the URL (known as typosquatting), or they use a highly believable character in a realistic situation (also known as pretexting)
What are two types of phishing that use voice and SMS messages?
Vishing, known as voice phishing, and Smishing, known as SMS phishing
Why are impersonation attacks so successful?
Because they include a realistic pretext or story
What are some of the methods used in an impersonation attack?
They use pieces of information that they know about you, they will act as if they are higher in rank, they will throw many technical details around, they will act as if they are your friend
What is the result of a successful impersonation attack against a person?
They have enough information regarding your identity to commit fraud, such as credit card fraud, bank fraud, loan fraud, government benefits fraud
What are ways you can protect against impersonation?
Never volunteer any personal information or personal details and always verify through third parties
How does a watering hole attack work?
By infecting a website or system which an organization is known to use. These infections can impact just those in the organization, or they can infect all visitors
How do you defend against a watering hole attack?
Using a layered defense known as defense in depth: firewalls, up-to-date antivirus and anti-malware software
How does a misinformation or disinformation attack work?
Attackers create fake users and fake content, they post on social media and amplify the message, real users begin to share the message, then the mass media picks up the story
What are the different types of processes that a memory injection attack can infect?
Malware can be hidden in all of these: DLLs, threads, buffers, memory management functions
What are the two types of memory injections?
Memory and DLL
How does a memory injection attack work?
By adding the malicious code into the memory of an existing process, which allows access and system privileges to the data in that process
How does a DLL injection attack work?
An attacker injects a path to the malicious DLL, which then runs as part of the target process
How does a buffer overflow attack work and what does it need to be successful?
By overwriting a buffer of memory which spills into other memory areas. This is not a simple exploit, and the buffer overflow needs to be repeatable.
How do you defend against a buffer overflow attack?
By having the developers perform bounds checking within their code
How does a race condition work?
It is a result of two conditions happening at the same time that can produce a vulnerability
What is another name for a race condition attack?
Time-of-check to time-of-use (TOCTOU) attack
What is the best defense against malicious updates?
Keeping your operating system and applications up-to-date
How do you prevent against a malicious update when downloading an update?
By having a known-good backup, by confirming the source (visiting the trusted download site directly), and by not disabling operating system security controls
How do you defend against an operating system vulnerability?
By having a good backup in case of an issue and always keeping the system up-to-date
How does a SQL injection attack work?
The attacker will add their own malicious bits of SQL code into a form field that is submitted to the server and executed within the DB
What is the best defense against a SQL injection attack?
Having the application properly validate and properly escape (using escape keys) all input and output
How does a cross site scripting attack work?
The attacker sends a link containing a malicious script to a victim; the victim clicks the link and visits the legitimate site; the legitimate site loads in the victim's browser and the malicious script is executed; the malicious script sends the victim's information to the attacker. This includes credentials, session IDs, and cookies.
What are the two types of cross-site scripting attacks?
A non-persistent or reflected attack and a persistent or stored attack
How does a non-persistent (aka reflected) cross-site scripting attack work?
An attacker emails a link that executes a script that sends credentials, session IDs and cookies to the attacker. This script is embedded within the URL.
What is a common source of a cross site scripting attack? And why?
A website search box. Search boxes accept user input, which can be manipulated by attackers to inject malicious code. If the input is not properly sanitized or validated, it opens up the possibility for attacks like SQL injection or cross-site scripting (XSS).
What is a persistent or stored cross-site scripting attack?
When the attacker posts a message to a social network that includes the malicious payload. It's called persistent because everyone who views the page will get this malicious code.
How do you protect against a cross site scripting attack?
By avoiding clicking on untrusted links, disabling JavaScript in your browser, keeping your browser and applications properly updated and validating input fields
Why are hardware vulnerabilities so dangerous?
Because we are surrounded by intelligent hardware devices, many of which do not have an accessible operating system. Each of these poses an entry point for an attack
What are main security risks with hardware vulnerabilities?
The vendors are the only ones who can fix their issues, assuming they know about the problem or care about fixing it. The end of life, or the technological end of service life, is the time when the product stops being sold and/or stops being supported.
What is a legacy platform?
A device that has been running for a length of time and no longer is receiving updates to its software
What does a virtualization vulnerability pertain to?
A virtual machine
What are the different vulnerabilities associated with a virtualization vulnerability?
Local privilege escalations, command injection, information disclosure
What does VM escape mean?
An issue where an attacker is able to break out of the VM and interact with the host operating system or hardware. This will allow an attacker to potentially gain full control of the virtual environment.
Why does a VM escape happen?
Because the hypervisor manages the VMs on a server, and those resources can be reused between VMs, allowing data to be inadvertently shared between the VMs
What is the best way to mitigate the risk of a virtualization vulnerability?
By properly updating your VM software
What are some of the reasons why we have cloud specific vulnerabilities?
Cloud adoption has been nearly universal, much sensitive data is in the cloud, the right protections are not being utilized by organizations including simple, best practices
What are some of the ways that a cloud service can be attacked?
Denial of service, taking advantage of weak or faulty authentication, directory traversal, faulty configurations, remote code execution and taking advantage of unpatched cloud systems
What are some of the ways to mitigate a supply chain vulnerability?
Contractual ongoing security audits of all providers, using a small trusted supplier base, confirming digital signatures from updates provided by software vendors
What makes a supply chain so vulnerable to attack?
The chain contains many moving parts and an attacker can affect any step along the way which can infect the entire chain
What are the different types of misconfiguration vulnerabilities?
Open permissions which are easy for a hacker to find, unsecured administrator accounts, using insecure protocols instead of their encrypted counterparts, using default settings, and ports opened by services that are not configured properly
What does MDM stand for?
Mobile device manager
What does jailbreaking or rooting mean?
When a mobile device's operating system is replaced by a different operating system
What makes jailbreaking or rooting dangerous?
Uncontrolled access to the device that circumvents security features, and the MDM becoming relatively useless with a jailbroken or rooted device
What is sideloading?
Apps that are loaded onto a mobile device that do not come from an approved App Store
What is a zero day vulnerability?
It is a vulnerability that the vendor has no awareness of. Applications have vulnerabilities; they just have not yet been identified.
What is a zero day attack?
An attack on an unknown vulnerability for which the vendor has no fix
What is an IDS?
Intrusion detection system
What is an IPS?
Intrusion prevention system
What is an SIEM?
Security information and event management system, think Splunk
What is another name for malicious software?
Malware
Name three things that malware can do to your system
Gather information such as your keystrokes, show you advertising, encrypt your system
Name five malware types and methods?
Viruses, worms, ransomware, Trojan horse, rootkit, keylogger, spyware, bloatware, logic bomb
What are the ways your system get malware?
A link in an email, a webpage pop-up, a drive-by download, a worm
What is the name of malware that makes your data unavailable until you provide cash? And how does it work?
Ransomware. With this malware, your system will run, but because everything is encrypted it will effectively not work. Upon payment, a decryption key will be provided to you.
How do you protect against ransomware?
Always have a good offline backup, keep your system up-to-date with security patches, keep your antivirus and anti-malware signatures up-to-date
What type of malware can reproduce itself?
A virus
What are the four types of viruses?
A program virus which is part of an application, a boot sector virus, a script virus, a macro virus which are common in Microsoft Office
What type of virus is good at avoiding detection, is never installed in any file or application and operates in memory?
A fileless virus
What type of virus self-replicates, spreads quickly and uses a network as a transmission medium?
A worm
What can mitigate many worm infestations?
A firewall, an IDS, and an IPS
What does a fileless virus use to be restarted?
It adds an auto-start entry to the registry
What is malware that spies on you by monitoring your browser, and capturing your key strokes?
Spyware
How do you protect against spyware?
Keeping your antivirus and anti-malware software up-to-date, watching for additional options during installation of software, having an offsite backup
What do you call applications that are preinstalled on a system but are not needed and can cause a system to run slower?
Bloatware
To remove bloatware, what do you need to do?
Identify and remove it
What is the malware that captures your keystrokes, including such things as login IDs, passwords, etc.?
Keyloggers
What is the type of malware that waits for a predefined event whether it be a date or time, or a user event?
A logic bomb
How do you prevent against a logic bomb even though it is difficult to recognize?
Have a formal change control procedure and process, electronic monitoring of the system that alerts on any changes, constant auditing by the administrator
What is a rootkit? And why is it difficult to deal with?
Malware that modifies core system files, in other words part of the kernel. It is not a separate task, so it won't be seen in Task Manager, and it is also invisible to traditional antivirus utilities
How do you find and remove a rootkit?
Look for anything unusual with anti-malware scans, and use a remover specific to the rootkit, which is usually built after the rootkit is discovered
What does secure boot with UEFI provide?
It provides security in the BIOS, which helps protect against a rootkit
Name four types of physical attacks?
Brute force to gain access to the server, RFID cloning, environmental attacks
Which type of physical attack would use a counterfeit badge or fob?
RFID Cloning
Which type of physical attack targets everything supporting the technology: the power, HVAC or any other structure/device supporting the system?
An environmental attack
What kind of attack forces a service to fail by overloading it?
Denial of service
What are the different types of denial of service?
A friendly one, a DDoS, a DDoS reflection and amplification
Which denial of service will turn a small attack into a big one by reflecting off of another device or service?
DDoS reflection and amplification
What does a DDoS reflection and amplification attack use?
It uses protocols with little if any authentication or checks; NTP, DNS, ICMP are examples
Which denial of service relies on an army of computers using all the bandwidth or resources? And what is the name given to this army of computers?
A distributed denial of service attack; a botnet
How can a friendly denial of service attack happen?
By performing network intensive operations or by using a lot of bandwidth, for example, by downloading a large file
What are three ways that DNS poisoning can occur?
By modifying the DNS server, modifying the client hosts file, or by sending a fake response to a valid request (on-path attack)
What is it called when an attacker gets access to the domain registration, which controls where all of the traffic flows?
Domain hijacking
What kind of attack relies on a slight change to a URL to confuse users?
URL hijacking
Typosquatting/brandjacking, outright misspellings or using different top level domains are all examples of what?
Types of URL hijacking
What wireless standard includes a number of management features that protect against attackers?
802.11
Which standard protects against wireless deauth attacks? And how does it protect?
802.11w, by encrypting certain important management frames that are used in a deauth attack
What kind of wireless attack prevents wireless communication by transmitting interfering wireless signals?
Radio frequency (RF) jamming; it is effectively a denial of service attack
What type of wireless attack is similar to RF jamming but instead sends data to jam the communications?
Wireless jamming
What does ARP stand for?
Address resolution protocol
Which attack passes the communication through the attacker, who redirects the traffic and then passes it on to the destination?
An on-path network attack, formerly known as a man-in-the-middle attack
Which attack is similar to an on-path network attack, but the attacker, using malware, proxies all of the network traffic from the same computer as the victim?
An on-path browser attack, formerly known as man-in-the-browser
Which attack takes advantage of the useful information from a user that is transferred over the network, including things such as cookies and session IDs?
A replay attack
Which type of replay attack is where the attacker captures the username and password hash and uses it to send their own request from the captured credentials?
Pass the hash
Which type of replay attack is where the attacker intercepts the session ID and uses it to access the server with the victim's credentials?
Session hijacking also known as side jacking
Which type of replay attack modifies the headers and or the cookies?
Header manipulation
What are two ways to prevent session hijacking?
Encrypt end to end using HTTPS and encrypt end to somewhere using a VPN
What might a layered defense use to protect against malicious code attacks?
Firewall, anti-malware and antivirus, continuous updates and patches, secure computing habits
Which type of attack allows an attacker to gain a higher access level to a system by exploiting a vulnerability within an application?
Privilege escalation
Which attack takes advantage of the trust that a web application has for a user? And what can be used to prevent such an attack?
Cross-site request forgery, aka XSRF or CSRF; anti-CSRF tokens
How does a cross site request forgery attack work?
An attacker creates a funds transfer request; that request is sent as a hyperlink to a user who may already be logged into the website; the user clicks the link, which unknowingly sends the transfer request to the bank website; the bank validates the transfer and sends the funds to the attacker
Which type of cryptographic attack requires an attacker to generate many versions of plaintext in an attempt to find a collision? And how do you protect yourself against a birthday attack?
A birthday attack; by using a large hash output size
What is the type of on-path attack which rewrites the URL by removing the S on the request? And why is it dangerous?
SSL stripping, because the attacker reverts the original HTTPS request to HTTP and the user unknowingly communicates via HTTP, so all of their subsequent requests are sent in clear text
What form of a password attack is when the attacker might use a few common passwords against each account?
A spraying attack
What type of password attack would attempt every possible password against a user's password?
A brute force attack
What is an event that indicates an intrusion?
An indicator of compromise
What are five indicators of compromise?
Unusual amount of network activity, changes to file hash values, irregular international traffic, uncommon login patterns, spikes of read requests to certain files, DNS data changes
This indicator of compromise locks a user's account after a brute force attack?
Account lockout
This indicator of compromise shows up as an account logging in from multiple locations at the same time?
Concurrent session usage
This indicator of compromise shows up as a user logging into a system from two locations that are not physically possible to travel between within the timeframe of each login?
Impossible travel
This indicator of compromise may show up as activity at an unusual time?
Resource consumption
This indicator of compromise shows up when these are nowhere to be found?
System logs
What are the two lists that are used by an operating system to limit usage? And what are they also known as? And which one is more restrictive?
Allow list or whitelist, deny list or blacklist; the allow list is more restrictive
What is another name for separating the physical, logical or virtual devices on a network?
Segmenting the network
What is a mitigation technique that requires prompt updating of systems?
Regular Patching or updating
Name five mitigation techniques?
Patching, encryption, monitoring, least privilege, configuration enforcement, decommissioning
Which mitigation technique requires a physical device to be formatted or destroyed after its initial usage?
Decommissioning
Which mitigation technique performs a security posture assessment upon each device connection?
Configuration enforcement
Which mitigation technique assigns rights and permissions to the bare minimum of what's needed to operate the system?
Least privilege
Which mitigation technique aggregates logging information from all the sensors (IPS, firewall logs, web server logs, DB logs, email logs, etc.)?
Monitoring
What does an SIEM do?
It aggregates and collects all types of sensor/logging data and provides an engine in which a user can compare and query the data. Think Splunk
What mitigation technique prevents easy viewing of system data? And what are some of the types?
Encryption. File system, full disk (BitLocker or FileVault), file level (Windows EFS), application data
What is it when you apply best practices to a system across all defense layers?
Hardening techniques
What does EDR stand for and what is it?
Endpoint detection and response. It is software that continuously monitors for threats and provides the ability to detect, investigate and respond to them
What is software that allows or disallows incoming or outgoing application traffic and can identify and block unknown processes?
Host based firewall
What is a prevention system that recognizes and blocks known attacks and validates incoming service requests?
Host-based intrusion prevention system, a.k.a. HIPS
Name three other best practice hardening techniques?
Closing all ports except for those that are required, requiring default password changes, removing unnecessary software
What is another name for a layered defense?
Defense in depth