Ch1 Flashcards
What is Information Security?
Protection of information systems against unauthorized access to or modification of information, in storage, processing or transit, and against the DoS to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. InfoSec aims to keep data in any form (physical and digital data) protected from unauthorized access, use, disclosure, modification, inspection, recording or disruption.
What is Cyber Security?
The ability to protect or defend the use of cyberspace from cyber attacks. It is a subset of information security, focused on the practice of protecting internet-connected systems, programs, data and networks from digital attacks, unauthorized digital access, or damage by implementing various processes, technologies and practices. Cyber security protects only digital data.
What’s the main difference between Information Security and Cyber Security?
Information Security aims to protect both physical and digital data, while Cyber Security focuses specifically on protecting only digital data. Cyber Security is considered a subset of Information Security.
What are the main security goals (objectives) in cybersecurity?
Confidentiality, Integrity, and Availability (CIA triad)
What is Confidentiality in cybersecurity?
Refers to the protection of data to ensure data/information is only accessible by the people authorized to see it. An organization needs to guard against the malicious actions that endanger the confidentiality of its information.
What are the attacks threatening Confidentiality?
- Stealing passwords
- Breaking encryption to get unauthorized access
- Sniffing - obtaining information by monitoring online traffic
What controls help attain Confidentiality?
- Encryption (Data at rest, Data in transmission)
- Access control (physical and technical)
- Awareness Training
What is Integrity in cybersecurity?
Refers to the protection of information and systems from being modified by unauthorized entities. It means that changes need to be done only by authorized entities and through authorized mechanisms.
What are the attacks threatening Integrity?
- Modification - attacker intercepts the message and changes it
- Masquerading or spoofing - attacker impersonates somebody else
- Replaying - attacker obtains a copy of a message sent by a user and later tries to replay it
What controls help attain Integrity?
- Hashing
- Message Authentication Code (MAC)
- Digital Signature
- Error detection and correction controls
What is Availability in cybersecurity?
Refers to the protection of systems to ensure reliable access to data and resources as and when needed. It also ensures all hardware and software are maintained properly and updated when needed.
What are the attacks threatening Availability?
Denial of Service (DoS) - may slow down or totally interrupt the service of a system
What controls help ensure Availability?
- Load balancing
- Redundant network and power
- Business continuity management & Disaster Recovery plans (Backup & restoration)
- Network and system performance monitoring
What is a Vulnerability in cybersecurity?
Any weakness that could be exploited. The weakness could be on software, hardware, process, or human. This includes unpatched systems, misconfigured network devices, etc.
What is a Threat in cybersecurity?
A potentially damaging event associated with the exploitation of a vulnerability. Actors that exploit vulnerabilities are called threat agents.
What is an Exposure in cybersecurity?
The potential that a security breach could occur. For instance, an unpatched system exposes the organization to a potential loss.
What is Risk in cybersecurity?
The likelihood that a vulnerability could be exploited and the corresponding impact of such an event. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.
What is a Countermeasure in cybersecurity?
A control that is put in place to mitigate a risk. Controls include access control, deployment of firewalls, passwords, encryption, etc.
Explain the relationship between vulnerability, threat, risk, exposure, and countermeasure with an antivirus example.
- Vulnerability: Expired antivirus software with outdated signatures
- Threat: Viruses attacking the systems and disrupting productivity
- Risk: Likelihood of virus infiltration and potential damage
- Exposure: When vulnerability is exploited, company is exposed to loss
- Countermeasure: Purchase and install updated antivirus software on all computers
What are the types of security attacks based on origin?
- Outsider attacks - Actions originate from outside, attackers do not possess credentials
- Insider attacks - Actions originate from inside, attackers possess all credentials, highly difficult to prevent
What are Passive Attacks in cybersecurity?
Eavesdropping on or monitoring of information that is being transmitted. Purpose is to obtain message contents and perform traffic analysis. Types include reading the content of the message and traffic analysis (observing traffic patterns).
What are Active Attacks in cybersecurity?
Any attempt to modify, destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset. Types include masquerade, replay previous messages, modify messages, and denial of service.
List the types of active attacks.
- Masquerade: Using someone’s identity with authority to perform certain actions
- Replay previous messages: Capture message from sender to receiver and later replay to receiver
- Modify messages: Attacker captures the message from sender to receiver and modifies the contents
- Denial of service: Attacker disrupts services by flooding requests to the server
What are the common security tools used by defenders?
- Encryption
- Anti-virus software & Spam filters
- Firewalls
- Intrusion detection/prevention software
- Strong authentication
- Access control
- Authorization management
- Application security gateways and filters
- Digital signatures
- Disaster Recovery
- Awareness/Education
What are the common tools used by attackers (hackers)?
- Password cracking
- Intrusion and penetration attacks
- Eavesdropping attacks (esp. wireless)
- Hijacking and injection attacks
- Denial of service attacks
- OS/Application vulnerability attacks
- Trojan horses, viruses/worms, spyware, keyloggers
- Phishing
- Social Engineering
What are the elements of a cyber attack?
- Reconnaissance - gathering information about the target
- Enumeration - analyzing results to identify specific targets
- Exploitation - probing and exploiting vulnerabilities to gain unauthorized access
- Action on objectives - exfiltrating/stealing data, modifying data, or destroying data
What information might attackers gather during the reconnaissance phase?
- Domain names
- Corporate information
- Network diagrams
- Names of employees and key managers
- Social media information
- Ingress/egress points
- etc.
What happens during the enumeration phase of a cyber attack?
The attacker analyzes reconnaissance results to identify specific targets such as people, organizations, departments, facilities, capabilities, data, vendor names, and information systems.
What occurs during the exploitation phase of a cyber attack?
Probing and exploiting specific vulnerabilities to gain unauthorized access to the enterprise. It uses weapons like phishing, malware, scripting, and attacks to gain unauthorized access to systems and data.
What happens in the ‘action on objectives’ phase of a cyber attack?
- Exfiltration/stealing data (compromise of confidentiality)
- Modifying data (compromise of integrity)
- Destroying data and otherwise disrupting the environment (compromise of availability)
What is Defense-in-Depth?
The concept that an organization should not rely on just one control for protection, but instead should use layers of controls to increase the work factor of potential attackers. It is the coordinated use of multiple security controls in a layered approach to minimize the probability of successful penetration and compromise.
What is a Denial of Service (DoS) attack?
An attack against computer or network which reduces or prevents accessibility of system resources to authorized users. DoS implies that an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable.
What areas can be affected by DoS attacks?
- Network resources like Routers/Switches/other Equipment
- Servers and sometimes End-User PCs
What are the classifications of DoS attacks?
- Routing and DNS attacks - manipulate routing tables to route to attacker’s net
- Bandwidth consumption - consume all available network bandwidth
- Resource consumption - consume system resources (CPU, memory, storage space)
What are the levels/layers of DoS attacks?
- Network Level Device (routers, switches, firewalls)
- OS Level Equipment (vendor OS, end-user equipment)
- Data Flood (amplification, simple flooding)
- Protocol Feature Attacks (servers, client PC, DNS servers)
Give examples of Network Level DoS attacks.
Ascend Kill II, ‘Christmas Tree Packets’ - Attacks attempt to exhaust hardware resources using multiple duplicate packets or a software bug.
Give examples of OS Level DoS attacks.
Ping of Death, ICMP Echo Attacks, Teardrop - Attacks take advantage of the way operating systems implement protocols.
Give examples of Data Flood DoS attacks.
Smurf Attack (amplifier attack), UDP Echo (oscillation attack) - Attacks in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.
Give examples of Protocol Feature DoS attacks.
SYN (connection exhaustion) - Attacks in which ‘bugs’ in protocol are utilized to take down network resources. Methods include IP address spoofing and corrupting DNS server cache.
What is a Bot and Botnet?
A bot (short for ‘robot’) is a type of software application or script that performs automated tasks on command. Bad bots perform malicious tasks that allow an attacker to remotely take control over affected computers (zombies). A botnet is a network of compromised computers controlled by an attacker.
What are the beneficial uses of bots?
Web spiders (web crawlers) - automated programs or bots that systematically search websites and index the content on them. Primarily used to index pages for search engines.
What are the malicious uses of botnets?
- Coordination and operation of automated attacks on networked computers
- Performing distributed denial-of-service attacks (DDoS)
- Stealing data
- Sending spam
- Allowing the attacker to access devices and their connections
What is a Distributed Denial of Service (DDoS) attack?
A type of denial-of-service attack in which the attacker gains illegal administrative access to multiple computers on the Internet and uses those computers to send a flood of data packets to the target computer. A master program communicates to agent programs installed on compromised computers to initiate the attack simultaneously.
How does a DDoS attack work?
- A DDoS master program is installed on one computer using a stolen account
- The master program communicates to any number of ‘agent’ programs installed on computers anywhere on the internet
- When they receive the command, the agents initiate the attack
- The master program can initiate hundreds or thousands of agent programs within seconds using client-server mode
What is SYN Flooding?
A DoS attack that exploits the TCP three-way handshake. The attacker sends SYN packets with spoofed IP addresses to the victim, who replies with SYN-ACK but never receives ACK from the non-existent IP addresses. The victim keeps potential connections in a queue, and when flooded with multiple SYN packets, the queue fills up, resources are exhausted, and legitimate requests are rejected.
What is a Reflection/Amplification attack?
A technique that allows attackers to both magnify the amount of malicious traffic they can generate and obscure/hide the sources of the attack traffic. Attackers send small requests to vulnerable servers with spoofed IP addresses (appearing as the target’s IP). Often using botnets to send numerous spoofed requests, they leverage multiple vulnerable servers to create huge amounts of data with minimal effort. Examples include DNS amplification and NTP amplification.
How does a Reflection/Amplification attack work?
- Attackers send small requests to vulnerable servers with spoofed IP addresses to appear as the target’s IP
- Attackers often use botnets to send numerous spoofed requests, further magnifying the traffic
- By leveraging multiple vulnerable servers, they create huge amounts of data with minimal effort, making the attack highly effective and difficult to mitigate
What are the DoS countermeasures?
- Use of Firewalls and Demilitarized Zone (DMZ)
- Use up-to-date anti-virus and IDS/IPS tools
- Perform network/packet analysis
- Shut down unnecessary services in the target network
- Add load balancers to absorb traffic and set up throttle logic
- Use strong encryption mechanisms
- Use IPsec to protect against session hijacking and DoS
- Prevent SYN flood attacks by discarding the SYN packets
How does Confidentiality balance with Integrity and Availability?
Disconnecting a computer from the Internet increases confidentiality but availability and integrity may suffer due to lost updates. Balancing confidentiality with usability is crucial. Access controls and encryption should be implemented to protect sensitive data while allowing legitimate access.
How does Integrity balance with Confidentiality and Availability?
Having extensive data checks by different people/systems increases integrity, but confidentiality suffers as more people see data, and availability suffers due to locks on data under verification, degrading performance. Data integrity for critical systems should be prioritized using digital signatures and regular checks while avoiding excessive validation for non-critical data.
How does Availability balance with Confidentiality and Integrity?
Focusing on availability of systems anywhere, anytime, and to any staff increases availability but may leave systems vulnerable to attacks that can disrupt services. Redundancy and failover systems should be maintained to ensure availability, while risk assessments should be conducted to identify critical systems and allocate resources accordingly.
What is the main objective of security controls?
The main objective of security controls is to reduce the risk of security breaches, protect organizations from threats, and align security objectives with organizational objectives.
