Course 5 - Assets, Threats, and Vulnerabilities

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

After the core, the next NIST component we’ll discuss is its tiers. These provide security teams with a way to measure performance across each of the five functions of the core. Tiers range from Level-1 to Level-4. Level-1, or passive, indicates a function is reaching bare minimum standards. Level-4, or adaptive, is an indication that a function is being performed at an exemplary standard. You may have noticed that CSF tiers aren’t a yes or no proposition; instead, there’s a range of values. That’s because tiers are designed as a way of showing organizations what is and isn’t working with their security plans.

Question 7

The practice of keeping data in all states away from unauthorized users

Answer 7

Information security (InfoSec):

Question 8

A catalog of assets that need to be protected

Answer 8

Asset inventory:

Question 9

The practice of labeling assets based on sensitivity and importance to an organization

Answer 9

Asset classification

Question 10

A __________ is a person who decides who can access, edit, use, or destroy their information.

Answer 10

data owner

Question 11

A __________ is anyone or anything that’s responsible for the safe handling, transport, and storage of information.

Answer 11

data custodian

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

____________ is the process of transforming information into a form that unintended readers can’t understand. Data of any kind is kept secret using a two-step process: encryption to hide the information, and decryption to unhide it.

Answer 25

Cryptography

Question 26

An ___________ is a set of rules that solve a problem.

Answer 26

algorithm

Question 27

Specifically in cryptography, a ________ is an algorithm that encrypts information.

Answer 27

cipher

Question 28

A ____________ key is a mechanism that decrypts ciphertext.

Answer 28

cryptographic

Question 29

brute force attack —— a trial-and-error process of discovering private information.

Question 30

Public key infrastructure, or PKI, is an encryption framework that secures the exchange of information online. It’s a broad system that makes accessing information fast, easy, and secure.

Question 31

Symmetric encryption involves the use of a single secret key to exchange information.

Question 32

PKI addresses the vulnerability of key sharing by establishing trust using a system of digital certificates between computers and networks.

Question 33

A digital certificate is a file that verifies the identity of a public key holder. Most online information is exchanged using digital certificates. Users, companies, and networks hold one and exchange them when communicating information online as a way of signaling trust.

Question 34

Digital certificates are a lot like a digital ID badge that’s used online to restrict or grant access to information. This is how PKI solves the trust issue.

Question 35

Question 36

Question 37

Question 38

Question 39

Question 40

Question 41

Question 42

A hash function is an algorithm that produces a code that can’t be decrypted. Unlike asymmetric and symmetric algorithms, hash functions are one-way processes that do not generate decryption keys. Instead, these algorithms produce a unique identifier known as a hash value, or digest.

Question 43

Question 44

Question 45

Question 46

Question 47

Question 48

_________ are access controls that serve a very basic purpose. They ask anything attempting to access information this simple question: who are you?

Answer 48

Authentication systems

Question 49

Question 50

Question 51

Single sign-on, or SSO, is a technology that combines several different logins into one. Can you imagine having to reintroduce yourself every time you meet up with a friend? That’s exactly the sort of problem SSO solves.

Instead of requiring users to authenticate over and over again, SSO establishes their identity once, allowing them to gain access to company resources faster. While SSO systems are helpful when it comes to speeding up the authentication process, they present a significant vulnerability when used alone.

Question 52

Multi-factor authentication, or MFA, is a security measure, which requires a user to verify their identity in two or more ways to access a system or network. MFA combines two or more independent credentials, like knowledge and ownership, to prove that someone is who they claim to be.

Question 53

SSO and MFA are often used in conjunction with one another to layer the defense capabilities of authentication systems. When both are used, organizations can ensure convenient access that is also secure.

Question 54

When it comes to securing data over a network, there are a couple of frequently used access controls that you should be familiar with: HTTP basic auth and OAuth.

Question 55

Some websites still use basic auth to tell whether or not someone is authorized to access information on that site. However, their protocol is considered to be vulnerable to attacks because it transmits usernames and password openly over the network. Most websites today use HTTPS instead, which stands for hypertext transfer protocol secure. This protocol doesn’t expose sensitive information, like access credentials, when communicating over the network.

Question 56

OAuth is an open-standard authorization protocol that shares designated access between applications. For example, you can tell Google that it’s okay for another website to access your profile to create an account. Instead of requesting and sending sensitive usernames and passwords over the network, OAuth uses API tokens to verify access between you and a service provider.

Question 57

An API token is a small block of encrypted code that contains information about a user. These tokens contain things like your identity, site permissions, and more. OAuth sends and receives access requests using API tokens by passing them from a server to a user’s device.

Question 58

Question 59

HTTP uses what is known as basic auth, the technology used to establish a user’s request to access a server. Basic auth works by sending an identifier every time a user communicates with a web page.

Question 60

Accounting is the practice of monitoring the access logs of a system. These logs contain information like who accessed the system, and when they accessed it, and what resources they used.

Question 61

Anytime a user accesses a system, they initiate what’s called a session. A session is a sequence of network HTTP basic auth requests and responses associated with the same user, like when you visit a website. Access logs are essentially records of sessions that capture the moment a user enters a system until the moment they leave it.

Question 62

Two actions are triggered when the session begins. The first is the creation of a session ID. A session ID is a unique token that identifies a user and their device while accessing the system. Session IDs are attached to the user until they either close their browser or the session times out.

Question 63

The second action that takes place at the start of a session is an exchange of session cookies between a server and a user’s device.

Question 64

A session cookie is a token that websites use to validate a session and determine how long that session should last. When cookies are exchanged between your computer and a server, your session ID is read to determine what information the website should show you.

Question 65

Cookies make web sessions safer and more efficient. The exchange of tokens means that no sensitive information, like usernames and passwords, are shared. Session cookies prevent attackers from obtaining sensitive data. However, there’s other damage that they can do. With a stolen cookie, an attacker can impersonate a user using their session token. This kind of attack is known as session hijacking.

Question 66

Session hijacking is an event when attackers obtain a legitimate user’s session ID. During these kinds of attacks, cyber criminals impersonate the user, causing all sorts of harm. Money or private data can be stolen. If, for example, hijackers obtain a single sign-on credential from stolen cookies, they can even gain access to additional systems that otherwise seem secure.

Question 67

Pro tip: Another way to remember this authentication model is: something you know, something you have, and something you are.

Question 68

User provisioning is the process of creating and maintaining a user’s digital identity. For example, a college might create a new user account when a new instructor is hired. The new account will be configured to provide access to instructor-only resources while they are teaching. Security analysts are routinely involved with provisioning users and their access privileges.

Question 69

Pro tip: Another role analysts have in IAM is to deprovision users. This is an important practice that removes a user’s access rights when they should no longer have them.

Question 70

Question 71

Question 72

Question 73

Question 74

Question 74

Question 75

New vulnerabilities are constantly being discovered. These are known as zero-day exploits. A zero-day is an exploit that was previously unknown

Question 76

The first layer of defense in depth is the perimeter layer. This layer includes some technologies that we’ve already explored, like usernames and passwords. Mainly, this is a user authentication layer that filters external access. Its function is to only allow access to trusted partners to reach the next layer of defense.

Second, the network layer is more closely aligned with authorization. The network layer is made up of other technologies like network firewalls and others.

Next, is the endpoint layer. Endpoints refer to the devices that have access on a network. They could be devices like a laptop, desktop, or a server. Some examples of technologies that protect these devices are anti-virus software.

After that, we get to the application layer. This includes all the interfaces that are used to interact with technology. At this layer, security measures are programmed as part of an application. One common example is multi-factor authentication. You may be familiar with having to enter both your password and a code sent by SMS. This is part of the application layer of defense.

And finally, the fifth layer of defense is the data layer. At this layer, we’ve arrived at the critical data that must be protected, like personally identifiable information. One security control that is important here in this final layer of defense is asset classification.

Question 76

One of the most popular libraries of vulnerabilities and exposures is the CVE list. The common vulnerabilities and exposures list, or CVE list, is an openly accessible dictionary of known vulnerabilities and exposures. It is a popular resource.

Question 76

Security teams commonly use the CVE list and CVSS scores as part of their vulnerability management strategy. These references provide recommendations for prioritizing security fixes, like installing software updates before patches.

Libraries like the CVE list, help organizations answer questions. Is a vulnerability dangerous to our business? If so, how soon should we address it?

These online libraries bring together diverse perspectives from across the world. Contributing to this effort is one of my favorite parts of working in this field. Keep gaining experience, and I hope you’ll participate too!

Question 77

A CNA is an organization that volunteers to analyze and distribute information on eligible CVEs. All of these groups have an established record of researching vulnerabilities and demonstrating security advisory capabilities. When a vulnerability or exposure is reported to them, a rigorous testing process takes place.

Question 77

OWASP is a nonprofit foundation that works to improve the security of software. OWASP is an open platform that security professionals from around the world use to share information, tools, and events that are focused on securing the web.

Question 78

Question 78

The NIST National Vulnerabilities Database uses what’s known as the common vulnerability scoring system, or CVSS, which is a measurement system that scores the severity of a vulnerability. Security teams use CVSS as a way of calculating the impact a vulnerability could have on a system. They also use them to determine how quickly a vulnerability should be patched.

Question 78

Question 78

The NIST National Vulnerabilities Database provides a base score of CVEs on a scale of 0-10. Base scores reflect the moment a vulnerability is evaluated, so they don’t change over time. In general, a CVSS that scores below a 4.0 is considered to be low risk and doesn’t require immediate attention. However, anything above a 9.0 is considered to be a critical risk to company assets that should be addressed right away.

Question 79

The OWASP Top 10

One of OWASP’s most valuable resources is the OWASP Top 10. The organization has published this list since 2003 as a way to spread awareness of the web’s most targeted vulnerabilities. The Top 10 mainly applies to new or custom made software. Many of the world’s largest organizations reference the OWASP Top 10 during application development to help ensure their programs address common security mistakes.

Pro tip: OWASP’s Top 10 is updated every few years as technologies evolve. Rankings are based on how often the vulnerabilities are discovered and the level of risk they present.

Note: Auditors also use the OWASP Top 10 as one point of reference when checking for regulatory compliance.

Question 79

Question 80

A vulnerability scanner is software that automatically compares known vulnerabilities and exposures against the technologies on the network. In general, these tools scan systems to find misconfigurations or programming flaws.

Scanning tools are used to analyze each of the five attack surfaces that you learned about in
the video about the defense in depth strategy
:

1. Perimeter layer, like authentication systems that validate user access
2. Network layer, which is made up of technologies like network firewalls and others
3. Endpoint layer, which describes devices on a network, like laptops, desktops, or servers
4. Application layer, which involves the software that users interact with
5. Data layer, which includes any information that’s stored, in transit, or in use

Question 81

External vs. internal

External and internal scans simulate an attacker’s approach.

External scans test the perimeter layer outside of the internal network. They analyze outward facing systems, like websites and firewalls. These kinds of scans can uncover vulnerable things like vulnerable network ports or servers.

Internal scans start from the opposite end by examining an organization’s internal systems. For example, this type of scan might analyze application software for weaknesses in how it handles user input.

Question 82

Authenticated vs. unauthenticated
Authenticated and unauthenticated scans simulate whether or not a user has access to a system.

Authenticated scans might test a system by logging in with a real user account or even with an admin account. These service accounts are used to check for vulnerabilities, like broken access controls.

Unauthenticated scans simulate external threat actors that do not have access to your business resources. For example, a scan might analyze file shares within the organization that are used to house internal-only documents. Unauthenticated users should receive “access denied” results if they tried opening these files. However, a vulnerability would be identified if you were able to access a file.

Question 83

Limited vs. comprehensive
Limited and comprehensive scans focus on particular devices that are accessed by internal and external users.

Limited scans analyze particular devices on a network, like searching for misconfigurations on a firewall.

Comprehensive scans analyze all devices connected to a network. This includes operating systems, user databases, and more.

Pro tip: Discovery scanning should be done prior to limited or comprehensive scans. Discovery scanning is used to get an idea of the computers, devices, and open ports that are on a network.

Question 84

Note: Organizations that are regulated by PCI DSS, HIPAA, or GDPR must routinely perform penetration testing to maintain compliance standards.

Question 85

Penetration testing strategies
There are three common penetration testing strategies:

Open-box testing is when the tester has the same privileged access that an internal developer would have—information like system architecture, data flow, and network diagrams. This strategy goes by several different names, including internal, full knowledge, white-box, and clear-box penetration testing.

Closed-box testing is when the tester has little to no access to internal systems—similar to a malicious hacker. This strategy is sometimes referred to as external, black-box, or zero knowledge penetration testing.

Partial knowledge testing is when the tester has limited access and knowledge of an internal system—for example, a customer service representative. This strategy is also known as gray-box testing.

Closed box testers tend to produce the most accurate simulations of a real-world attack. Nevertheless, each strategy produces valuable results by demonstrating how an attacker might infiltrate a system and what information they could access.

Question 86

Bug bounty programs
Organizations commonly run bug bounty programs which offer freelance pen testers financial rewards for finding and reporting vulnerabilities in their products. Bug bounties are great opportunities for amateur security professionals to participate and grow their skills.

Pro tip:
HackerOne
is a community of ethical hackers where you can find active bug bounties to participate in.

Question 87

Security hardening is the process of strengthening a system to reduce its vulnerabilities and attack surface.

Question 88

The digital attack surface includes everything that’s beyond our organization’s firewall. In other words, it includes anything that connects to an organization online.

Question 89

Question 90

Question 91

Question 92

Question 93

Question 94

Question 95

Question 96

Question 97

An instance when a threat actor maintains unauthorized access to a system for an extended period of time

Answer 97

Advanced persistent threat (APT):

Question 98

All the potential vulnerabilities that a threat actor could exploit

Answer 98

Attack surface:

Question 99

A diagram that maps threats to assets

Answer 99

Attack tree:

Question 100

The pathways attackers use to penetrate security defenses

Answer 100

Attack vector:

Question 101

Programs that encourage freelance hackers to find and report vulnerabilities

Answer 101

Bug bounty:

Question 102

An openly accessible dictionary of known vulnerabilities and exposures

Answer 102

Common Vulnerabilities and Exposures (CVE®) list:

Question 103

A measurement system that scores the severity of a vulnerability

Answer 103

Common Vulnerability Scoring System (CVSS):

Question 104

An organization that volunteers to analyze and distribute information on eligible CVEs

Answer 104

CVE Numbering Authority (CNA):

Question 105

A layered approach to vulnerability management that reduces risk

Answer 105

Defense in depth:

Question 106

A way of taking advantage of a vulnerability

Answer 106

Exploit:

Question 107

A mistake that can be exploited by a threat

Answer 107

Exposure:

Question 108

Any person who uses computers to gain access to computer systems, networks, or data

Answer 108

Hacker:

Question 109

A collection of non-profit research and development centers

Answer 109

MITRE:

Question 110

The process of strengthening a system to reduce its vulnerability and attack surface

Answer 110

Security hardening:

Question 111

Any person or group who presents a security risk

Answer 111

Threat actor:

Question 112

A weakness that can be exploited by a threat

Answer 112

Vulnerability:

Question 113

The internal review process of a company’s security systems

Answer 113

Vulnerability assessment:

Question 114

The process of finding and patching vulnerabilities

Answer 114

Vulnerability management:

Question 115

Software that automatically compares existing common vulnerabilities and exposures against the technologies on the network

Answer 115

Vulnerability scanner:

Question 116

An exploit that was previously unknown

Answer 116

Zero-day:

Question 117

__________is a social engineering tactic that tempts people into compromising their security. A common example is USB baiting that relies on someone finding an infected USB drive and plugging it into their device.

Answer 117

Baiting

Question 118

________is the use of digital communications to trick people into revealing sensitive data or deploying malicious software. It is one of the most common forms of social engineering, typically performed via email.

Answer 118

Phishing

Question 119

__________ is a type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money. For example, an attacker might impersonate a loan officer at a bank and call customers offering them a lower interest rate on their credit card. They’ll tell the customers that they simply need to provide their account details to claim the deal.

Answer 119

Quid pro quo

Question 120

_________ is a social engineering tactic in which unauthorized people follow an authorized person into a restricted area. This technique is also sometimes referred to as piggybacking.

Answer 120

Tailgating

Question 121

_________ is a type of attack when a threat actor compromises a website frequently visited by a specific group of users. Oftentimes, these watering hole sites are infected with malicious software. An example is the Holy Water attack of 2020 that infected various religious, charity, and volunteer websites.

Answer 121

Watering hole

Question 122

Email phishing is a type of attack sent via email in which threat actors send messages pretending to be a trusted person or entity.

Smishing is a type of phishing that uses Short Message Service (SMS), a technology that powers text messaging. Smishing covers all forms of text messaging services, including Apple’s iMessages, WhatsApp, and other chat mediums on phones.

Vishing refers to the use of voice calls or voice messages to trick targets into providing personal information over the phone.

Spear phishing is a subset of email phishing in which specific people are purposefully targeted, such as the accountants of a small business.

Whaling refers to a category of spear phishing attempts that are aimed at high-ranking executives in an organization.

Question 123

Question 124

A virus is malicious code written to interfere with computer operations and cause damage to data and software. Viruses typically hide inside of trusted applications. When the infected program is launched, the virus clones itself and spreads to other files on the device. An important characteristic of viruses is that they have to be activated by the user to start the infection.

Question 125

A worm is malware that can duplicate and spread itself across systems on its own. While viruses require users to perform an action like opening a file to duplicate, worms use an infected device as a host. They scan the connected network for other devices. Worms then infect everything on the network without requiring an action to trigger the spread.

Question 126

Attackers often use trojans to gain access and install another kind of malware called ransomware. Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. These kind of attacks have become very common these days. A unique feature of ransomware attacks is that they make themselves known to their targets. Without doing this, they couldn’t collect the money they demand. Normally, they decrypt the hidden data as soon as the sum of money is paid. Unfortunately, there’s no guarantee they won’t return to demand more.

Question 127

Spyware is malware that’s used to gather and sell information without consent. Consent is a keyword in this case.

Question 128

A ________ is malicious code written to interfere with computer operations and cause damage to data and software. This type of malware must be installed by the target user before it can spread itself and cause damage. One of the many ways that viruses are spread is through phishing campaigns where malicious links are hidden within links or attachments.

Answer 128

virus

Question 129

A _______is malware that can duplicate and spread itself across systems on its own. Similar to a virus, a worm must be installed by the target user and can also be spread with tactics like malicious email. Given a worm’s ability to spread on its own, attackers sometimes target devices, drives, or files that have shared access over a network.

Answer 129

worm

Question 130

A _______, also called a ______________, is malware that looks like a legitimate file or program. This characteristic relates to how trojans are spread. Similar to viruses, attackers deliver this type of malware hidden in file and application downloads. Attackers rely on tricking unsuspecting users into believing they’re downloading a harmless file, when they’re actually infecting their own device with malware that can be used to spy on them, grant access to other devices, and more.

Answer 130

Trojan horse

Question 131

Advertising-supported software, or adware, is a type of legitimate software that is sometimes used to display digital advertisements in applications. Software developers often use adware as a way to lower their production costs or to make their products free to the public—also known as freeware or shareware. In these instances, developers monetize their product through ad revenue rather than at the expense of their users.

Malicious adware falls into a sub-category of malware known as a potentially unwanted application (PUA). A PUA is a type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software. Attackers sometimes hide this type of malware in freeware with insecure design to monetize ads for themselves instead of the developer. This works even when the user has declined to receive ads.

Question 132

__________ is malware that’s used to gather and sell information without consent. It’s also considered a PUA. Spyware is commonly hidden in bundleware, additional software that is sometimes packaged with other applications. PUAs like spyware have become a serious challenge in the open-source software development ecosystem. That’s because developers tend to overlook how their software could be misused or abused by others.

Answer 132

Spyware

Question 133

Another type of PUA is ___________. This type of malware employs tactics to frighten users into infecting their own device. Scareware tricks users by displaying fake warnings that appear to come from legitimate companies. Email and pop-ups are just a couple of ways scareware is spread. Both can be used to deliver phony warnings with false claims about the user’s files or data being at risk.

Answer 133

scareware

Question 134

__________ does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer. This type of infection resides in memory where the malware never touches the hard drive. This is unlike the other types of malware, which are stored within a file on disk. Instead, these stealthy infections get into the operating system or hide within trusted applications.

Pro tip: Fileless malware is detected by performing memory analysis, which requires experience with operating systems.

Answer 134

Fileless malware

Question 135

A rootkit is malware that provides remote, administrative access to a computer. Most attackers use rootkits to open a backdoor to systems, allowing them to install other forms of malware or to conduct network security attacks.

This kind of malware is often spread by a combination of two components: a dropper and a loader. A dropper is a type of malware that comes packed with malicious code which is delivered and installed onto a target system. For example, a dropper is often disguised as a legitimate file, such as a document, an image, or an executable to deceive its target into opening, or dropping it, onto their device. If the user opens the dropper program, its malicious code is executed and it hides itself on the target system.

Multi-staged malware attacks, where multiple packets of malicious code are deployed, commonly use a variation called a loader. A loader is a type of malware that downloads strains of malicious code from an external source and installs them onto a target system. Attackers might use loaders for different purposes, such as to set up another type of malware—a botnet.

Question 136

A botnet, short for “robot network,” is a collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder.” Viruses, worms, and trojans are often used to spread the initial infection and turn the devices into a bot for the bot-herder. The attacker then uses file sharing, email, or social media application protocols to create new bots and grow the botnet. When a target unknowingly opens the malicious file, the computer, or bot, reports the information back to the bot-herder, who can execute commands on the infected computer.

Question 137

Ransomware describes a malicious attack where threat actors encrypt an organization’s data and demand payment to restore access. According to the Cybersecurity and Infrastructure Security Agency (CISA), ransomware crimes are on the rise and becoming increasingly sophisticated. Ransomware infections can cause significant damage to an organization and its customers. An example is the
WannaCry
attack that encrypts a victim’s computer until a ransom payment of cryptocurrency is paid.

Question 138

Question 139

A reflected XSS attack is an instance where a malicious script is sent to the server and activated during the server’s response. A common example of this is the search bar of a website. In a reflected XSS attack, criminals send their target a web link that appears to go to a trusted site. When they click the link, it sends a HTTP request to the vulnerable site server. The attacker script is then returned or reflected back to the innocent user’s browser. Here, the browser loads the malicious script because it trusts the server’s response. With the script loaded, information like session cookies are sent back to the attacker.

Question 140

In a stored XSS attack, the malicious script isn’t hidden in a link that needs to be sent to the server. Instead a stored XSS attack is an instance when malicious script is injected directly on the server. Here, attackers target elements of a site that are served to the user. This could be things like images and buttons that load when the site is visited. Infected elements activate the malicious code when a user simply visits the site. Stored XSS attacks can be damaging because the user has no way of knowing the site is infected beforehand.

Question 141

In a DOM-based attack, a malicious script can be seen in the URL. In this example, the website’s URL contains parameter values. The parameter values reflect input from the user. Here, the site allows users to select color themes. When the user makes a selection, it appears as part of the URL. In a DOM-based attack, criminals change the parameter that’s expecting an input. For example, they could hide malicious JavaScript in the HTML tags. The browser would process the HTML and execute the JavaScript.

Question 142

A SQL injection is an attack that executes unexpected queries on a database.

Question 143

A prepared statement is a coding technique that executes SQL statements before passing them on to the database.

Question 144

SQL injection categories
There are three main categories of SQL injection:

In-band

Out-of-band

Inferential

Question 145

In-band, or classic, SQL injection is the most common type. An in-band injection is one that uses the same communication channel to launch the attack and gather the results.

For example, this might occur in the search box of a retailer’s website that lets customers find products to buy. If the search box is vulnerable to injection, an attacker could enter a malicious query that would be executed in the database, causing it to return sensitive information like user passwords. The data that’s returned is displayed back in the search box where the attack was initiated.

Question 146

Out-of-band SQL injection
An out-of-band injection is one that uses a different communication channel to launch the attack and gather the results.

For example, an attacker could use a malicious query to create a connection between a vulnerable website and a database they control. This separate channel would allow them to bypass any security controls that are in place on the website’s server, allowing them to steal sensitive data

Note: Out-of-band injection attacks are very uncommon because they’ll only work when certain features are enabled on the target server.

Question 147

Inferential SQL injection
Inferential SQL injection occurs when an attacker is unable to directly see the results of their attack. Instead, they can interpret the results by analyzing the behavior of the system.

For example, an attacker might perform a SQL injection attack on the login form of a website that causes the system to respond with an error message. Although sensitive data is not returned, the attacker can figure out the database’s structure based on the error. They can then use this information to craft attacks that will give them access to sensitive data or to take control of the system.

Question 148

Threat modeling is a process of identifying assets, their vulnerabilities, and how each is exposed to threats. We apply threat modeling to everything we protect. Entire systems, applications, or business processes all get examined from this security-related perspective.

Question 149

An attack tree is a diagram that maps threats to assets.

Question 150

The first is to define the scope of the model. At this stage, the team determines what they’re building by creating an inventory of assets and classifying them.

The second step is to identify threats. Here, the team defines all potential threat actors. A threat actor is any person or group who presents a security risk. Threat actors are characterized as being internal or external. For example, an internal threat actor could be an employee who intentionally expose an asset to harm. An example of an external threat actor could be a malicious hacker, or a competing business.

After threat actors have been identified, the team puts together what’s known as an attack tree. An attack tree is a diagram that maps threats to assets. The team tries to be as detailed as possible when constructing this diagram before moving on.
Play video starting at

Step three of the threat modeling process is to characterize the environment. Here, the team applies an attacker mindset to the business. They consider how the customers and employees interact with the environment. Other factors they consider are external partners and third party vendors.
Play video starting at

At step four, their objective is to analyze threats. Here, the team works together to examine existing protections and identify gaps. They then rank threats according to their risk score that they assign.

During step five, the team decides how to mitigate risk. At this point, the group creates their plan for defending against threats. The choices here are to avoid risk, transfer it, reduce it, or accept it.

The sixth and final step is to evaluate findings. At this stage, everything that was done during the exercise is documented, fixes are applied, and the team makes note of any successes they had. They also record any lessons learned, so they can inform how they approach future threat models.

Question 151

PASTA is a popular threat modeling framework that’s used across many industries.

PASTA is short for

Process
Attack
Simulation
and
Threat Analysis.

Question 152

Question 153

Stage one of the PASTA threat model framework is to define business and security objectives. Before starting the threat model, the team needs to decide what their goals are. The main objective in our example with the fitness company app is protecting customer data. The team starts by asking a lot of questions at this stage. They’ll need to understand things like how personally identifiable information is handled. Answering these questions is a key to evaluate the impact of threats that they’ll find along the way.

Stage two of the PASTA framework is to define the technical scope. Here, the team’s focus is to identify the application components that must be evaluated. This is what we discussed earlier as the attack surface. For a mobile app, this will include technology that’s involved while data is at rest and in use. This includes network protocols, security controls, and other data interactions.

At stage three of PASTA, the team’s job is to decompose the application. In other words, we need to identify the existing controls that will protect user data from threats. This normally means working with the application developers to produce a data flow diagram. A diagram like this will show how data gets from a user’s device to the company’s database. It would also identify the controls in place to protect this data along the way.

Stage four of PASTA is next. The focus here is to perform a threat analysis. This is where the team gets into their attacker mindset. Here, research is done to collect the most up-to-date information on the type of attacks being used. Like other technologies, mobile apps have many attack vectors. These change regularly, so the team would reference resources to stay up-to-date.

Stage five of PASTA is performing a vulnerability analysis. In this stage, the team more deeply investigates potential vulnerabilities by considering the root of the problem.

Next is stage six of PASTA, where the team conducts attack modeling. This is where the team tests the vulnerabilities that were analyzed in stage five by simulating attacks. The team does this by creating an attack tree, which looks like a flow chart. For example, an attack tree for our mobile app might look like this. Customer information, like user names and passwords, is a target. This data is normally stored in a database. We’ve learned that databases are vulnerable to attacks like SQL injection. So we will add this attack vector to our attack tree. A threat actor might exploit vulnerabilities caused by unsanitized inputs to attack this vector. The security team uses attack trees like this to identify attack vectors that need to be tested to validate threats. This is just one branch of this attack tree. An application, like a fitness app, typically has lots of branches with a number of other attack vectors.

Stage seven of PASTA is to analyze risk and impact. Here, the team assembles all the information they’ve collected in stages one through six. By this stage, the team is in position to make informed risk management recommendations to business stakeholders that align with their goals.

Question 154

Question 155

When performing threat modeling, there are multiple methods that can be used, such as:

STRIDE

PASTA

Trike

VAST

Question 156

STRIDE
STRIDE is a threat-modeling framework developed by Microsoft. It’s commonly used to identify vulnerabilities in six specific attack vectors. The acronym represents each of these vectors: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Question 157

PASTA
The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling process developed by two OWASP leaders and supported by a cybersecurity firm called VerSprite. Its main focus is to discover evidence of viable threats and represent this information as a model. PASTA’s evidence-based design can be applied when threat modeling an application or the environment that supports that application. Its seven stage process consists of various activities that incorporate relevant security artifacts of the environment, like vulnerability assessment reports.

Question 158

Trike
Trike is an open source methodology and tool that takes a security-centric approach to threat modeling. It’s commonly used to focus on security permissions, application use cases, privilege models, and other elements that support a secure environment.

Question 159

VAST
The Visual, Agile, and Simple Threat (VAST) Modeling framework is part of an automated threat-modeling platform called ThreatModeler®. Many security teams opt to use VAST as a way of automating and streamlining their threat modeling assessments.

Question 160

Participating in threat modeling
Threat modeling is often performed by experienced security professionals, but it’s almost never done alone. This is especially true when it comes to securing applications. Programs are complex systems responsible for handling a lot of data and processing a variety of commands from users and other systems.

One of the keys to threat modeling is asking the right questions:

What are we working on?

What kinds of things can go wrong?

What are we doing about it?

Have we addressed everything?

Did we do a good job?

Question 161

A technique where attackers impersonate customer service representatives on social media

Answer 161

Angler phishing:

Question 162

Instances when a threat actor maintains unauthorized access to a system for an extended period of time

Answer 162

Advanced persistent threat (APT):

Question 163

A type of legitimate software that is sometimes used to display digital advertisements in applications

Answer 163

Adware:

Question 164

A diagram that maps threats to assets

Answer 164

Attack tree:

Question 165

A social engineering tactic that tempts people into compromising their security

Answer 165

Baiting:

Question 166

A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder”

Answer 166

Botnet:

Question 167

An injection attack that inserts code into a vulnerable website or web application

Answer 167

Cross-site scripting (XSS):

Question 168

A form of malware that installs software to illegally mine cryptocurrencies

Answer 168

Cryptojacking:

Question 169

An instance when malicious script exists in the webpage a browser loads

Answer 169

DOM-based XSS attack:

Question 170

A type of malware that comes packed with malicious code which is delivered and installed onto a target system

Answer 170

Dropper:

Question 171

Malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer

Answer 171

Fileless malware:

Question 172

A collection of processes and technologies that helps organizations manage digital identities in their environment

Answer 172

Identity and access management (IAM):

Question 173

Malicious code inserted into a vulnerable application

Answer 173

Injection attack:

Question 174

Programming that validates inputs from users and other programs

Answer 174

Input validation:

Question 175

An application that monitors system activity and alerts on possible intrusions

Answer 175

Intrusion detection system (IDS):

Question 176

A type of malware that downloads strains of malicious code from an external source and installs them onto a target system

Answer 176

Loader:

Question 177

Software designed to harm devices or networks

Answer 177

Malware:

Question 178

A popular threat modeling framework that’s used across many industries

Answer 178

Process of Attack Simulation and Threat Analysis (PASTA):

Question 179

The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Answer 179

Phishing:

Question 180

A collection of software tools needed to launch a phishing campaign

Answer 180

Phishing kit:

Question 181

A coding technique that executes SQL statements before passing them onto the database

Answer 181

Prepared statement:

Question 182

A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software

Answer 182

Potentially unwanted application (PUA):

Question 183

A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money

Answer 183

Quid pro quo:

Question 184

Type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access

Answer 184

Ransomware:

Question 185

An instance when malicious script is sent to a server and activated during the server’s response

Answer 185

Reflected XSS attack:

Question 186

Malware that provides remote, administrative access to a computer

Answer 186

Rootkit:

Question 187

Malware that employs tactics to frighten users into infecting their device

Answer 187

Scareware:

Question 188

The use of text messages to trick users to obtain sensitive information or to impersonate a known source

Answer 188

Smishing:

Question 189

A manipulation technique that exploits human error to gain private information, access, or valuables

Answer 189

Social engineering:

Question 190

A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Answer 190

Spear phishing:

Question 191

Malware that’s used to gather and sell information without consent

Answer 191

Spyware:

Question 192

A programming language used to create, interact with, and request information from a database

Answer 192

SQL (Structured Query Language):

Question 193

An attack that executes unexpected queries on a database

Answer 193

SQL injection:

Question 194

An instance when malicious script is injected directly on the server

Answer 194

Stored XSS attack:

Question 195

A social engineering tactic in which unauthorized people follow an authorized person into a restricted area

Answer 195

Tailgating:

Question 196

The process of identifying assets, their vulnerabilities, and how each is exposed to threats

Answer 196

Threat modeling:

Question 197

Malware that looks like a legitimate file or program

Answer 197

Trojan horse:

Question 198

The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Answer 198

Vishing:

Question 199

A type of attack when a threat actor compromises a website frequently visited by a specific group of users

Answer 199

Watering hole attack:

Question 200

A category of spear phishing attempts that are aimed at high-ranking executives in an organization

Answer 200

Whaling:

Question 201

Malicious code or behavior that’s used to take advantage of coding flaws in a web application

Answer 201

Web-based exploits: