Course 5 - Assets, Threats, and Vulnerabilities Flashcards

6
Q

After the core, the next NIST component we’ll discuss is its tiers. These provide security teams with a way to measure performance across each of the five functions of the core. Tiers range from Level-1 to Level-4. Level-1, or passive, indicates a function is reaching bare minimum standards. Level-4, or adaptive, is an indication that a function is being performed at an exemplary standard. You may have noticed that CSF tiers aren’t a yes or no proposition; instead, there’s a range of values. That’s because tiers are designed as a way of showing organizations what is and isn’t working with their security plans.

A
7
Q

The practice of keeping data in all states away from unauthorized users

A

Information security (InfoSec):

8
Q

A catalog of assets that need to be protected

A

Asset inventory:

9
Q

The practice of labeling assets based on sensitivity and importance to an organization

A

Asset classification

10
Q

A __________ is a person who decides who can access, edit, use, or destroy their information.

A

data owner

11
Q

A __________ is anyone or anything that’s responsible for the safe handling, transport, and storage of information.

A

data custodian

25
Q

____________ is the process of transforming information into a form that unintended readers can’t understand. Data of any kind is kept secret using a two-step process: encryption to hide the information, and decryption to unhide it.

A

Cryptography

26
Q

An ___________ is a set of rules that solve a problem.

A

algorithm

27
Q

Specifically in cryptography, a ________ is an algorithm that encrypts information.

A

cipher

28
Q

A ____________ key is a mechanism that decrypts ciphertext.

A

cryptographic

29
Q

Brute force attack: a trial-and-error process of discovering private information.

A
30
Q

Public key infrastructure, or PKI, is an encryption framework that secures the exchange of information online. It’s a broad system that makes accessing information fast, easy, and secure.

A
31
Q

Symmetric encryption involves the use of a single secret key to exchange information.

A
32
Q

PKI addresses the vulnerability of key sharing by establishing trust using a system of digital certificates between computers and networks.

A
33
Q

A digital certificate is a file that verifies the identity of a public key holder. Most online information is exchanged using digital certificates. Users, companies, and networks hold one and exchange them when communicating information online as a way of signaling trust.

A
34
Q

Digital certificates are a lot like a digital ID badge that’s used online to restrict or grant access to information. This is how PKI solves the trust issue.

A
42
Q

A hash function is an algorithm that produces a code that can’t be decrypted. Unlike asymmetric and symmetric algorithms, hash functions are one-way processes that do not generate decryption keys. Instead, these algorithms produce a unique identifier known as a hash value, or digest.

A
48
Q

_________ are access controls that serve a very basic purpose. They ask anything attempting to access information this simple question: who are you?

A

Authentication systems

51
Q

Single sign-on, or SSO, is a technology that combines several different logins into one. Can you imagine having to reintroduce yourself every time you meet up with a friend? That’s exactly the sort of problem SSO solves.

Instead of requiring users to authenticate over and over again, SSO establishes their identity once, allowing them to gain access to company resources faster. While SSO systems are helpful when it comes to speeding up the authentication process, they present a significant vulnerability when used alone.

A
52
Q

Multi-factor authentication, or MFA, is a security measure that requires a user to verify their identity in two or more ways to access a system or network. MFA combines two or more independent credentials, like knowledge and ownership, to prove that someone is who they claim to be.

A
53
Q

SSO and MFA are often used in conjunction with one another to layer the defense capabilities of authentication systems. When both are used, organizations can ensure convenient access that is also secure.

A
54
Q

When it comes to securing data over a network, there are a couple of frequently used access controls that you should be familiar with: HTTP basic auth and OAuth.

A
55
Q

Some websites still use basic auth to tell whether or not someone is authorized to access information on that site. However, this protocol is considered to be vulnerable to attacks because it transmits usernames and passwords openly over the network. Most websites today use HTTPS instead, which stands for hypertext transfer protocol secure. This protocol doesn’t expose sensitive information, like access credentials, when communicating over the network.

A
56
Q

OAuth is an open-standard authorization protocol that shares designated access between applications. For example, you can tell Google that it’s okay for another website to access your profile to create an account. Instead of requesting and sending sensitive usernames and passwords over the network, OAuth uses API tokens to verify access between you and a service provider.

A
57
Q

An API token is a small block of encrypted code that contains information about a user. These tokens contain things like your identity, site permissions, and more. OAuth sends and receives access requests using API tokens by passing them from a server to a user’s device.

A
59
Q

HTTP uses what is known as basic auth, the technology used to establish a user’s request to access a server. Basic auth works by sending an identifier every time a user communicates with a web page.

A
60
Q

Accounting is the practice of monitoring the access logs of a system. These logs contain information like who accessed the system, when they accessed it, and what resources they used.

A
61
Q

Anytime a user accesses a system, they initiate what’s called a session. A session is a sequence of network HTTP basic auth requests and responses associated with the same user, like when you visit a website. Access logs are essentially records of sessions that capture the moment a user enters a system until the moment they leave it.

A
62
Q

Two actions are triggered when the session begins. The first is the creation of a session ID. A session ID is a unique token that identifies a user and their device while accessing the system. Session IDs are attached to the user until they either close their browser or the session times out.

A
63
Q

The second action that takes place at the start of a session is an exchange of session cookies between a server and a user’s device.

A
64
Q

A session cookie is a token that websites use to validate a session and determine how long that session should last. When cookies are exchanged between your computer and a server, your session ID is read to determine what information the website should show you.

A
65
Q

Cookies make web sessions safer and more efficient. The exchange of tokens means that no sensitive information, like usernames and passwords, is shared. Session cookies prevent attackers from obtaining sensitive data. However, there’s other damage that they can do. With a stolen cookie, an attacker can impersonate a user using their session token. This kind of attack is known as session hijacking.

A
66
Q

Session hijacking is an event when attackers obtain a legitimate user’s session ID. During these kinds of attacks, cyber criminals impersonate the user, causing all sorts of harm. Money or private data can be stolen. If, for example, hijackers obtain a single sign-on credential from stolen cookies, they can even gain access to additional systems that otherwise seem secure.

A
67
Q

Pro tip: Another way to remember this authentication model is: something you know, something you have, and something you are.

A
68
Q

User provisioning is the process of creating and maintaining a user’s digital identity. For example, a college might create a new user account when a new instructor is hired. The new account will be configured to provide access to instructor-only resources while they are teaching. Security analysts are routinely involved with provisioning users and their access privileges.

A
69
Q

Pro tip: Another role analysts have in IAM is to deprovision users. This is an important practice that removes a user’s access rights when they should no longer have them.

A
75
Q

New vulnerabilities are constantly being discovered. These are known as zero-day exploits. A zero-day is an exploit that was previously unknown

A
76
Q

The first layer of defense in depth is the perimeter layer. This layer includes some technologies that we’ve already explored, like usernames and passwords. Mainly, this is a user authentication layer that filters external access. Its function is to only allow access to trusted partners to reach the next layer of defense.

Second, the network layer is more closely aligned with authorization. The network layer is made up of other technologies like network firewalls and others.

Next is the endpoint layer. Endpoints refer to the devices that have access on a network. They could be devices like a laptop, desktop, or a server. One example of a technology that protects these devices is anti-virus software.

After that, we get to the application layer. This includes all the interfaces that are used to interact with technology. At this layer, security measures are programmed as part of an application. One common example is multi-factor authentication. You may be familiar with having to enter both your password and a code sent by SMS. This is part of the application layer of defense.

And finally, the fifth layer of defense is the data layer. At this layer, we’ve arrived at the critical data that must be protected, like personally identifiable information. One security control that is important here in this final layer of defense is asset classification.

A
76
Q

One of the most popular libraries of vulnerabilities and exposures is the CVE list. The common vulnerabilities and exposures list, or CVE list, is an openly accessible dictionary of known vulnerabilities and exposures. It is a popular resource.

A
76
Q

Security teams commonly use the CVE list and CVSS scores as part of their vulnerability management strategy. These references provide recommendations for prioritizing security fixes, like installing software updates before patches.

Libraries like the CVE list help organizations answer questions. Is a vulnerability dangerous to our business? If so, how soon should we address it?

These online libraries bring together diverse perspectives from across the world. Contributing to this effort is one of my favorite parts of working in this field. Keep gaining experience, and I hope you’ll participate too!

A
77
Q

A CNA is an organization that volunteers to analyze and distribute information on eligible CVEs. All of these groups have an established record of researching vulnerabilities and demonstrating security advisory capabilities. When a vulnerability or exposure is reported to them, a rigorous testing process takes place.

A
77
Q

OWASP is a nonprofit foundation that works to improve the security of software. OWASP is an open platform that security professionals from around the world use to share information, tools, and events that are focused on securing the web.

A
78
Q

The NIST National Vulnerability Database uses what’s known as the Common Vulnerability Scoring System, or CVSS, which is a measurement system that scores the severity of a vulnerability. Security teams use CVSS as a way of calculating the impact a vulnerability could have on a system. They also use it to determine how quickly a vulnerability should be patched.

A
78
Q

The NIST National Vulnerability Database provides a base score for CVEs on a scale of 0-10. Base scores reflect the moment a vulnerability is evaluated, so they don’t change over time. In general, a CVSS that scores below a 4.0 is considered to be low risk and doesn’t require immediate attention. However, anything above a 9.0 is considered to be a critical risk to company assets that should be addressed right away.

A
79
Q

The OWASP Top 10

One of OWASP’s most valuable resources is the OWASP Top 10. The organization has published this list since 2003 as a way to spread awareness of the web’s most targeted vulnerabilities. The Top 10 mainly applies to new or custom made software. Many of the world’s largest organizations reference the OWASP Top 10 during application development to help ensure their programs address common security mistakes.

Pro tip: OWASP’s Top 10 is updated every few years as technologies evolve. Rankings are based on how often the vulnerabilities are discovered and the level of risk they present.

Note: Auditors also use the OWASP Top 10 as one point of reference when checking for regulatory compliance.

A
80
Q

A vulnerability scanner is software that automatically compares known vulnerabilities and exposures against the technologies on the network. In general, these tools scan systems to find misconfigurations or programming flaws.

Scanning tools are used to analyze each of the five attack surfaces that you learned about in the video about the defense in depth strategy:

  1. Perimeter layer, like authentication systems that validate user access
  2. Network layer, which is made up of technologies like network firewalls and others
  3. Endpoint layer, which describes devices on a network, like laptops, desktops, or servers
  4. Application layer, which involves the software that users interact with
  5. Data layer, which includes any information that’s stored, in transit, or in use
A
81
Q

External vs. internal

External and internal scans simulate an attacker’s approach.

External scans test the perimeter layer outside of the internal network. They analyze outward-facing systems, like websites and firewalls. These kinds of scans can uncover things like vulnerable network ports or servers.

Internal scans start from the opposite end by examining an organization’s internal systems. For example, this type of scan might analyze application software for weaknesses in how it handles user input.

A
82
Q

Authenticated vs. unauthenticated
Authenticated and unauthenticated scans simulate whether or not a user has access to a system.

Authenticated scans might test a system by logging in with a real user account or even with an admin account. These service accounts are used to check for vulnerabilities, like broken access controls.

Unauthenticated scans simulate external threat actors that do not have access to your business resources. For example, a scan might analyze file shares within the organization that are used to house internal-only documents. Unauthenticated users should receive “access denied” results if they try opening these files. However, a vulnerability would be identified if you were able to access a file.

A
83
Q

Limited vs. comprehensive
Limited and comprehensive scans focus on particular devices that are accessed by internal and external users.

Limited scans analyze particular devices on a network, like searching for misconfigurations on a firewall.

Comprehensive scans analyze all devices connected to a network. This includes operating systems, user databases, and more.

Pro tip: Discovery scanning should be done prior to limited or comprehensive scans. Discovery scanning is used to get an idea of the computers, devices, and open ports that are on a network.

A
84
Q

Note: Organizations that are regulated by PCI DSS, HIPAA, or GDPR must routinely perform penetration testing to maintain compliance standards.

A
85
Q

Penetration testing strategies
There are three common penetration testing strategies:

Open-box testing is when the tester has the same privileged access that an internal developer would have—information like system architecture, data flow, and network diagrams. This strategy goes by several different names, including internal, full knowledge, white-box, and clear-box penetration testing.

Closed-box testing is when the tester has little to no access to internal systems—similar to a malicious hacker. This strategy is sometimes referred to as external, black-box, or zero knowledge penetration testing.

Partial knowledge testing is when the tester has limited access and knowledge of an internal system—for example, a customer service representative. This strategy is also known as gray-box testing.

Closed box testers tend to produce the most accurate simulations of a real-world attack. Nevertheless, each strategy produces valuable results by demonstrating how an attacker might infiltrate a system and what information they could access.

A
86
Q

Bug bounty programs
Organizations commonly run bug bounty programs which offer freelance pen testers financial rewards for finding and reporting vulnerabilities in their products. Bug bounties are great opportunities for amateur security professionals to participate and grow their skills.

Pro tip: HackerOne is a community of ethical hackers where you can find active bug bounties to participate in.

A
87
Q

Security hardening is the process of strengthening a system to reduce its vulnerabilities and attack surface.

A
88
Q

The digital attack surface includes everything that’s beyond our organization’s firewall. In other words, it includes anything that connects to an organization online.

A
97
Q

An instance when a threat actor maintains unauthorized access to a system for an extended period of time

A

Advanced persistent threat (APT):

98
Q

All the potential vulnerabilities that a threat actor could exploit

A

Attack surface:

99
Q

A diagram that maps threats to assets

A

Attack tree:

100
Q

The pathways attackers use to penetrate security defenses

A

Attack vector:

101
Q

Programs that encourage freelance hackers to find and report vulnerabilities

A

Bug bounty:

102
Q

An openly accessible dictionary of known vulnerabilities and exposures

A

Common Vulnerabilities and Exposures (CVE®) list:

103
Q

A measurement system that scores the severity of a vulnerability

A

Common Vulnerability Scoring System (CVSS):

104
Q

An organization that volunteers to analyze and distribute information on eligible CVEs

A

CVE Numbering Authority (CNA):

105
Q

A layered approach to vulnerability management that reduces risk

A

Defense in depth:

106
Q

A way of taking advantage of a vulnerability

A

Exploit:

107
Q

A mistake that can be exploited by a threat

A

Exposure:

108
Q

Any person who uses computers to gain access to computer systems, networks, or data

A

Hacker:

109
Q

A collection of non-profit research and development centers

A

MITRE:

110
Q

The process of strengthening a system to reduce its vulnerability and attack surface

A

Security hardening:

111
Q

Any person or group who presents a security risk

A

Threat actor:

112
Q

A weakness that can be exploited by a threat

A

Vulnerability:

113
Q

The internal review process of a company’s security systems

A

Vulnerability assessment:

114
Q

The process of finding and patching vulnerabilities

A

Vulnerability management:

115
Q

Software that automatically compares existing common vulnerabilities and exposures against the technologies on the network

A

Vulnerability scanner:

116
Q

An exploit that was previously unknown

A

Zero-day:

117
Q

__________ is a social engineering tactic that tempts people into compromising their security. A common example is USB baiting that relies on someone finding an infected USB drive and plugging it into their device.

A

Baiting

118
Q

________ is the use of digital communications to trick people into revealing sensitive data or deploying malicious software. It is one of the most common forms of social engineering, typically performed via email.

A

Phishing

119
Q

__________ is a type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money. For example, an attacker might impersonate a loan officer at a bank and call customers offering them a lower interest rate on their credit card. They’ll tell the customers that they simply need to provide their account details to claim the deal.

A

Quid pro quo

120
Q

_________ is a social engineering tactic in which unauthorized people follow an authorized person into a restricted area. This technique is also sometimes referred to as piggybacking.

A

Tailgating

121
Q

_________ is a type of attack when a threat actor compromises a website frequently visited by a specific group of users. Oftentimes, these watering hole sites are infected with malicious software. An example is the Holy Water attack of 2020 that infected various religious, charity, and volunteer websites.

A

Watering hole

122
Q

Email phishing is a type of attack sent via email in which threat actors send messages pretending to be a trusted person or entity.

Smishing is a type of phishing that uses Short Message Service (SMS), a technology that powers text messaging. Smishing covers all forms of text messaging services, including Apple’s iMessages, WhatsApp, and other chat mediums on phones.

Vishing refers to the use of voice calls or voice messages to trick targets into providing personal information over the phone.

Spear phishing is a subset of email phishing in which specific people are purposefully targeted, such as the accountants of a small business.

Whaling refers to a category of spear phishing attempts that are aimed at high-ranking executives in an organization.

A
124
Q

A virus is malicious code written to interfere with computer operations and cause damage to data and software. Viruses typically hide inside of trusted applications. When the infected program is launched, the virus clones itself and spreads to other files on the device. An important characteristic of viruses is that they have to be activated by the user to start the infection.

A
125
Q

A worm is malware that can duplicate and spread itself across systems on its own. While viruses require users to perform an action like opening a file to duplicate, worms use an infected device as a host. They scan the connected network for other devices. Worms then infect everything on the network without requiring an action to trigger the spread.

A
126
Q

Attackers often use trojans to gain access and install another kind of malware called ransomware. Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. These kinds of attacks have become very common these days. A unique feature of ransomware attacks is that they make themselves known to their targets. Without doing this, they couldn’t collect the money they demand. Normally, they decrypt the hidden data as soon as the sum of money is paid. Unfortunately, there’s no guarantee they won’t return to demand more.

A
127
Q

Spyware is malware that’s used to gather and sell information without consent. Consent is a keyword in this case.

A
128
Q

A ________ is malicious code written to interfere with computer operations and cause damage to data and software. This type of malware must be installed by the target user before it can spread itself and cause damage. One of the many ways that viruses are spread is through phishing campaigns where malicious links are hidden within links or attachments.

A

virus

129
Q

A _______ is malware that can duplicate and spread itself across systems on its own. Similar to a virus, a worm must be installed by the target user and can also be spread with tactics like malicious email. Given a worm’s ability to spread on its own, attackers sometimes target devices, drives, or files that have shared access over a network.

A

worm

130
Q

A _______, also called a ______________, is malware that looks like a legitimate file or program. This characteristic relates to how trojans are spread. Similar to viruses, attackers deliver this type of malware hidden in file and application downloads. Attackers rely on tricking unsuspecting users into believing they’re downloading a harmless file, when they’re actually infecting their own device with malware that can be used to spy on them, grant access to other devices, and more.

A

Trojan horse

131
Q

Advertising-supported software, or adware, is a type of legitimate software that is sometimes used to display digital advertisements in applications. Software developers often use adware as a way to lower their production costs or to make their products free to the public—also known as freeware or shareware. In these instances, developers monetize their product through ad revenue rather than at the expense of their users.

Malicious adware falls into a sub-category of malware known as a potentially unwanted application (PUA). A PUA is a type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software. Attackers sometimes hide this type of malware in freeware with insecure design to monetize ads for themselves instead of the developer. This works even when the user has declined to receive ads.

A
132
Q

__________ is malware that’s used to gather and sell information without consent. It’s also considered a PUA. Spyware is commonly hidden in bundleware, additional software that is sometimes packaged with other applications. PUAs like spyware have become a serious challenge in the open-source software development ecosystem. That’s because developers tend to overlook how their software could be misused or abused by others.

A

Spyware

133
Q

Another type of PUA is ___________. This type of malware employs tactics to frighten users into infecting their own device. Scareware tricks users by displaying fake warnings that appear to come from legitimate companies. Email and pop-ups are just a couple of ways scareware is spread. Both can be used to deliver phony warnings with false claims about the user’s files or data being at risk.

A

scareware

134
Q

__________ does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer. This type of infection resides in memory where the malware never touches the hard drive. This is unlike the other types of malware, which are stored within a file on disk. Instead, these stealthy infections get into the operating system or hide within trusted applications.

Pro tip: Fileless malware is detected by performing memory analysis, which requires experience with operating systems.

A

Fileless malware

135
Q

A rootkit is malware that provides remote, administrative access to a computer. Most attackers use rootkits to open a backdoor to systems, allowing them to install other forms of malware or to conduct network security attacks.

This kind of malware is often spread by a combination of two components: a dropper and a loader. A dropper is a type of malware that comes packed with malicious code which is delivered and installed onto a target system. For example, a dropper is often disguised as a legitimate file, such as a document, an image, or an executable to deceive its target into opening, or dropping it, onto their device. If the user opens the dropper program, its malicious code is executed and it hides itself on the target system.

Multi-staged malware attacks, where multiple packets of malicious code are deployed, commonly use a variation called a loader. A loader is a type of malware that downloads strains of malicious code from an external source and installs them onto a target system. Attackers might use loaders for different purposes, such as to set up another type of malware—a botnet.

A
136
Q

A botnet, short for “robot network,” is a collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder.” Viruses, worms, and trojans are often used to spread the initial infection and turn the devices into bots for the bot-herder. The attacker then uses file sharing, email, or social media application protocols to create new bots and grow the botnet. When a target unknowingly opens the malicious file, the computer, or bot, reports the information back to the bot-herder, who can execute commands on the infected computer.

A
137
Q

Ransomware describes a malicious attack where threat actors encrypt an organization’s data and demand payment to restore access. According to the Cybersecurity and Infrastructure Security Agency (CISA), ransomware crimes are on the rise and becoming increasingly sophisticated. Ransomware infections can cause significant damage to an organization and its customers. An example is the WannaCry attack that encrypts a victim’s computer until a ransom payment of cryptocurrency is paid.

A
138
Q
A
139
Q

A reflected XSS attack is an instance where a malicious script is sent to the server and activated during the server’s response. A common example of this is the search bar of a website. In a reflected XSS attack, criminals send their target a web link that appears to go to a trusted site. When they click the link, it sends an HTTP request to the vulnerable site server. The attacker’s script is then returned, or reflected, back to the innocent user’s browser. Here, the browser loads the malicious script because it trusts the server’s response. With the script loaded, information like session cookies is sent back to the attacker.

A
140
Q

In a stored XSS attack, the malicious script isn’t hidden in a link that needs to be sent to the server. Instead, a stored XSS attack is an instance when malicious script is injected directly on the server. Here, attackers target elements of a site that are served to the user. This could be things like images and buttons that load when the site is visited. Infected elements activate the malicious code when a user simply visits the site. Stored XSS attacks can be damaging because the user has no way of knowing the site is infected beforehand.

A
141
Q

In a DOM-based attack, a malicious script can be seen in the URL. In this example, the website’s URL contains parameter values. The parameter values reflect input from the user. Here, the site allows users to select color themes. When the user makes a selection, it appears as part of the URL. In a DOM-based attack, criminals change the parameter that’s expecting an input. For example, they could hide malicious JavaScript in the HTML tags. The browser would process the HTML and execute the JavaScript.

A
142
Q

A SQL injection is an attack that executes unexpected queries on a database.

A
143
Q

A prepared statement is a coding technique that executes SQL statements before passing them on to the database.

A
144
Q

SQL injection categories
There are three main categories of SQL injection:

In-band

Out-of-band

Inferential

A
145
Q

In-band, or classic, SQL injection is the most common type. An in-band injection is one that uses the same communication channel to launch the attack and gather the results.

For example, this might occur in the search box of a retailer’s website that lets customers find products to buy. If the search box is vulnerable to injection, an attacker could enter a malicious query that would be executed in the database, causing it to return sensitive information like user passwords. The data that’s returned is displayed back in the search box where the attack was initiated.

A
146
Q

Out-of-band SQL injection
An out-of-band injection is one that uses a different communication channel to launch the attack and gather the results.

For example, an attacker could use a malicious query to create a connection between a vulnerable website and a database they control. This separate channel would allow them to bypass any security controls that are in place on the website’s server, allowing them to steal sensitive data.

Note: Out-of-band injection attacks are very uncommon because they’ll only work when certain features are enabled on the target server.

A
147
Q

Inferential SQL injection
Inferential SQL injection occurs when an attacker is unable to directly see the results of their attack. Instead, they can interpret the results by analyzing the behavior of the system.

For example, an attacker might perform a SQL injection attack on the login form of a website that causes the system to respond with an error message. Although sensitive data is not returned, the attacker can figure out the database’s structure based on the error. They can then use this information to craft attacks that will give them access to sensitive data or to take control of the system.

A
148
Q

Threat modeling is a process of identifying assets, their vulnerabilities, and how each is exposed to threats. We apply threat modeling to everything we protect. Entire systems, applications, or business processes all get examined from this security-related perspective.

A
149
Q

An attack tree is a diagram that maps threats to assets.

A
150
Q

The first is to define the scope of the model. At this stage, the team determines what they’re building by creating an inventory of assets and classifying them.

The second step is to identify threats. Here, the team defines all potential threat actors. A threat actor is any person or group who presents a security risk. Threat actors are characterized as being internal or external. For example, an internal threat actor could be an employee who intentionally exposes an asset to harm. An example of an external threat actor could be a malicious hacker, or a competing business.

After threat actors have been identified, the team puts together what’s known as an attack tree. An attack tree is a diagram that maps threats to assets. The team tries to be as detailed as possible when constructing this diagram before moving on.

Step three of the threat modeling process is to characterize the environment. Here, the team applies an attacker mindset to the business. They consider how the customers and employees interact with the environment. Other factors they consider are external partners and third party vendors.

At step four, their objective is to analyze threats. Here, the team works together to examine existing protections and identify gaps. They then rank threats according to the risk score they assign.

During step five, the team decides how to mitigate risk. At this point, the group creates their plan for defending against threats. The choices here are to avoid risk, transfer it, reduce it, or accept it.

The sixth and final step is to evaluate findings. At this stage, everything that was done during the exercise is documented, fixes are applied, and the team makes note of any successes they had. They also record any lessons learned, so they can inform how they approach future threat models.

A
151
Q

PASTA is a popular threat modeling framework that’s used across many industries.

PASTA is short for

Process
Attack
Simulation
and
Threat Analysis.

A
152
Q
A
153
Q

Stage one of the PASTA threat model framework is to define business and security objectives. Before starting the threat model, the team needs to decide what their goals are. The main objective in our example with the fitness company app is protecting customer data. The team starts by asking a lot of questions at this stage. They’ll need to understand things like how personally identifiable information is handled. Answering these questions is key to evaluating the impact of the threats they’ll find along the way.

Stage two of the PASTA framework is to define the technical scope. Here, the team’s focus is to identify the application components that must be evaluated. This is what we discussed earlier as the attack surface. For a mobile app, this will include technology that’s involved while data is at rest and in use. This includes network protocols, security controls, and other data interactions.

At stage three of PASTA, the team’s job is to decompose the application. In other words, we need to identify the existing controls that will protect user data from threats. This normally means working with the application developers to produce a data flow diagram. A diagram like this will show how data gets from a user’s device to the company’s database. It would also identify the controls in place to protect this data along the way.

Stage four of PASTA is next. The focus here is to perform a threat analysis. This is where the team gets into their attacker mindset. Here, research is done to collect the most up-to-date information on the type of attacks being used. Like other technologies, mobile apps have many attack vectors. These change regularly, so the team would reference resources to stay up-to-date.

Stage five of PASTA is performing a vulnerability analysis. In this stage, the team more deeply investigates potential vulnerabilities by considering the root of the problem.

Next is stage six of PASTA, where the team conducts attack modeling. This is where the team tests the vulnerabilities that were analyzed in stage five by simulating attacks. The team does this by creating an attack tree, which looks like a flow chart. For example, an attack tree for our mobile app might look like this. Customer information, like user names and passwords, is a target. This data is normally stored in a database. We’ve learned that databases are vulnerable to attacks like SQL injection. So we will add this attack vector to our attack tree. A threat actor might exploit vulnerabilities caused by unsanitized inputs to attack this vector. The security team uses attack trees like this to identify attack vectors that need to be tested to validate threats. This is just one branch of this attack tree. An application, like a fitness app, typically has lots of branches with a number of other attack vectors.

Stage seven of PASTA is to analyze risk and impact. Here, the team assembles all the information they’ve collected in stages one through six. By this stage, the team is in position to make informed risk management recommendations to business stakeholders that align with their goals.

A
154
Q
A
155
Q

When performing threat modeling, there are multiple methods that can be used, such as:

STRIDE

PASTA

Trike

VAST

A
156
Q

STRIDE
STRIDE is a threat-modeling framework developed by Microsoft. It’s commonly used to identify vulnerabilities in six specific attack vectors. The acronym represents each of these vectors: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

A
157
Q

PASTA
The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling process developed by two OWASP leaders and supported by a cybersecurity firm called VerSprite. Its main focus is to discover evidence of viable threats and represent this information as a model. PASTA’s evidence-based design can be applied when threat modeling an application or the environment that supports that application. Its seven-stage process consists of various activities that incorporate relevant security artifacts of the environment, like vulnerability assessment reports.

A
158
Q

Trike
Trike is an open-source methodology and tool that takes a security-centric approach to threat modeling. It’s commonly used to focus on security permissions, application use cases, privilege models, and other elements that support a secure environment.

A
159
Q

VAST
The Visual, Agile, and Simple Threat (VAST) Modeling framework is part of an automated threat-modeling platform called ThreatModeler®. Many security teams opt to use VAST as a way of automating and streamlining their threat modeling assessments.

A
160
Q

Participating in threat modeling
Threat modeling is often performed by experienced security professionals, but it’s almost never done alone. This is especially true when it comes to securing applications. Programs are complex systems responsible for handling a lot of data and processing a variety of commands from users and other systems.

One of the keys to threat modeling is asking the right questions:

What are we working on?

What kinds of things can go wrong?

What are we doing about it?

Have we addressed everything?

Did we do a good job?

A
161
Q

A technique where attackers impersonate customer service representatives on social media

A

Angler phishing:

162
Q

Instances when a threat actor maintains unauthorized access to a system for an extended period of time

A

Advanced persistent threat (APT):

163
Q

A type of legitimate software that is sometimes used to display digital advertisements in applications

A

Adware:

164
Q

A diagram that maps threats to assets

A

Attack tree:

165
Q

A social engineering tactic that tempts people into compromising their security

A

Baiting:

166
Q

A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder”

A

Botnet:

167
Q

An injection attack that inserts code into a vulnerable website or web application

A

Cross-site scripting (XSS):

168
Q

A form of malware that installs software to illegally mine cryptocurrencies

A

Cryptojacking:

169
Q

An instance when malicious script exists in the webpage a browser loads

A

DOM-based XSS attack:

170
Q

A type of malware that comes packed with malicious code which is delivered and installed onto a target system

A

Dropper:

171
Q

Malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer

A

Fileless malware:

172
Q

A collection of processes and technologies that helps organizations manage digital identities in their environment

A

Identity and access management (IAM):

173
Q

Malicious code inserted into a vulnerable application

A

Injection attack:

174
Q

Programming that validates inputs from users and other programs

A

Input validation:

175
Q

An application that monitors system activity and alerts on possible intrusions

A

Intrusion detection system (IDS):

176
Q

A type of malware that downloads strains of malicious code from an external source and installs them onto a target system

A

Loader:

177
Q

Software designed to harm devices or networks

A

Malware:

178
Q

A popular threat modeling framework that’s used across many industries

A

Process of Attack Simulation and Threat Analysis (PASTA):

179
Q

The use of digital communications to trick people into revealing sensitive data or deploying malicious software

A

Phishing:

180
Q

A collection of software tools needed to launch a phishing campaign

A

Phishing kit:

181
Q

A coding technique that executes SQL statements before passing them on to the database

A

Prepared statement:

182
Q

A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software

A

Potentially unwanted application (PUA):

183
Q

A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money

A

Quid pro quo:

184
Q

Type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access

A

Ransomware:

185
Q

An instance when malicious script is sent to a server and activated during the server’s response

A

Reflected XSS attack:

186
Q

Malware that provides remote, administrative access to a computer

A

Rootkit:

187
Q

Malware that employs tactics to frighten users into infecting their device

A

Scareware:

188
Q

The use of text messages to trick users in order to obtain sensitive information or to impersonate a known source

A

Smishing:

189
Q

A manipulation technique that exploits human error to gain private information, access, or valuables

A

Social engineering:

190
Q

A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

A

Spear phishing:

191
Q

Malware that’s used to gather and sell information without consent

A

Spyware:

192
Q

A programming language used to create, interact with, and request information from a database

A

SQL (Structured Query Language):

193
Q

An attack that executes unexpected queries on a database

A

SQL injection:

194
Q

An instance when malicious script is injected directly on the server

A

Stored XSS attack:

195
Q

A social engineering tactic in which unauthorized people follow an authorized person into a restricted area

A

Tailgating:

196
Q

The process of identifying assets, their vulnerabilities, and how each is exposed to threats

A

Threat modeling:

197
Q

Malware that looks like a legitimate file or program

A

Trojan horse:

198
Q

The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

A

Vishing:

199
Q

A type of attack when a threat actor compromises a website frequently visited by a specific group of users

A

Watering hole attack:

200
Q

A category of spear phishing attempts that are aimed at high-ranking executives in an organization

A

Whaling:

201
Q

Malicious code or behavior that’s used to take advantage of coding flaws in a web application

A

Web-based exploits: