Cyber Security Flashcards
What is the cyber security triad?
Confidentiality, integrity, availability
What is integrity?
Guarding against improper information modification/destruction
What are the integrity-related concepts?
Authenticity & accountability
What 4 steps of cyber attack countermeasures are there?
Detection, prevention, mitigation, recovery
What is a checksum?
A function that maps file contents to a numerical value
List the 5 main cyber attackers
Cybercriminals, nation states, hacktivists, insider threats, script kiddies/noobs
What is the relation between an instigator and a perpetrator?
A perpetrator can be hired/bribed by an instigator
What are 3 potential motivations of Nation States?
Garner high quality intelligence
Sabotage critical infrastructures
Subversion e.g. political elections
What are 3 potential attacks hacktivists may perform?
Web defacements
Data breaches (to prove beliefs)
DDoS
List the stages of the Kill-Chain model
Reconnaissance, weaponisation, delivery, exploitation, installation, command & control, actions on objectives
What is the difference between exploitation & installation?
Exploitation: execution of payload to exploit vulnerability
Installation: ensurance of payload persistence within the target
What 8 cyber attacks are there?
Cryptojacking
Data breaches
DDoS
Influence campaigns
Money theft
Personal document ransom
Supply chain attacks
Web defacements
What 3 types of money theft attacks are there and what do they involve?
Banking trojan horse: seemingly legitimate software captures credentials
Cyber banking fraud: attacks launched from compromised machines to transfer stolen funds
BEC (Business Email Compomise)/Whaling: attacker requests large money transfer pretending to be CEO
What 4 steps are there in personal document ransom / ransomware?
1) Attacker sends email with attachment user is lured to open
2) Attachment either prompts user to execute a macro or lanuches powershell to download & execute final payload
3) Ransomware encrypts specific file types
4) Files can only be decrypted by paying a ransom
What is cryptojacking?
The practice of hijacking computer resources to mine cryptocurrency
What 3 things could happen to stolen data in data breaches?
Public disclosure
Private intelligence
Sold on the black market
What is a supply chain attack?
Where the adversary compromises the weakest link in the supply chain to reach the target from there
What is Social Engineering?
A technique to either pschologically manipulate people into performing an action or gather information left around by people
What 3 ways is information gathered in Social Engineering?
Via the web (company website / social media)
Dumpster diving
Shoulder surfing
What 4 ways may an adversary interact with the target in Social Engineering?
Phishing: sending emails incl. spear phishing (specific individual/organisation) & whaling (high-profile)
Vishing: using video calls
Smishing: using SMS (text)
Physical impersonation
What is baiting in Social Engineering?
A real-world trojan horse e.g. infected removable media, gift with wiretap
What 5 essential defences are there in corporate security?
Firewalls
User access control
Malware protection
Patch management
Secure configuration
Ineffective against advanced attacks e.g. SE
Firewalls
Sit at the edge of a network
Blocks all incoming traffic by default, inspects each packet passing through, accepts packets that satisfy rules
Allows all outbound traffic.
The 3 steps of secure configuration
Unnecessary software removed
Auto-run features disables
Default password changed
User access control
Ensure user accounts are only assigned to authorised individuals
1) Authenticate before granting access
2) Remove accounts when no longer required
3) Use two-factor authentication
What are the 2 requirements of malware protection?
Anti-malware software
Application whitelisting
(Security update) / (patch) management
Keep everything updated, licensed, and supported
Remove when unsupported
What 6 additional defences are there in corporate security?
Data protection, segregation of duties, network fragmentation, network monitoring, honeypots, pentesting
What are the 4 ways of protecting data?
Encrypting data
Fragmenting data (split & store in diverse locations)
Backing-up data
Privacy protection (removing PII)
What is the benefit of segregating a task?
If N accounts required to execute a task, N accounts must be compromised
Give an example of network fragmentation
e.g. Front-end, back-end, office, and Internet split with access between managed with firewalls at bboundaries
Network monitoring
Uses intrusion detection systems (signature-based & anomaly-based) and intrusion prevention systems
Observes & records all traffic on network
Alerts on suspicious traffic
Honeypots (4 types)
A decoy to lure attackers
Research HPs: gather info about attackers (broader trends)
Production HPs: detect & deflect attackers from CIs
High-Interaction HPs: gain detailed insights into attacker behaviour (specific attacker behaviour)
Low-Interaction HPs: detect & deflect automated attacks
Pentesting (6 phases)
An authorised simulated attack to assess the system’s security
1) Pre-engagement interactions - goals definition
2) Inteligence gathering - security mechanisms used
3) Threat modelling - how target can be attacked
4) Vulnerability analysis
5) Exploitation - actual attack
6) Post exploitation - what to do once compromised
What makes an attack an APT?
If its advanced, persistent, and a threat
If it’s targeted and nation-state supported
What are Critical Infrastructures?
Facilities, systems, sites, information, people, networks, and processes that are necessary for a country to function and on which daily life depends
What is the impact of losing a Critical Infrastructure?
Major detrimental impact on availability, delivery, and integrity of essential services
Severe economic/social consequences
Potential loss to life
What are Industrial Control Systems?
Systems that control & monitor CIs
What 6 reasons are there for damaging CIs with malware rather than with an air strike?
Lower development costs
No casualties
No loss of employed weapons/equipment
Less chance of severe retaliation
Almost speed of light attacks
Anonymous / no attribution
What are the 6 hacktivism ethics?
1) Everyone should have unrestricted access to computers
2) Information should be free
3) Authorities can’t be trusted
4) Hackers should solely be judged on ability
5) Hacking is considered an act of art
6) Computers are a positive phenomenon
What actors are involved in cyberwarfare?
Nation states
What are the 3 objectives of cyberwarfare?
Espionage: steal sensitive information from government to gather intelligence
Sabotage: disrupt/damage CIs
Propaganda: influence public opinion
Why is cyberwarfare not considered to be warfare?
There is no use of physical force
What is symmetric encryption?
The same key is used to encrypt & decrypt a piece of information
The key is shared between sender & recipient
What is asymmetric encryption?
Each user has a private key and a public key
Sender encrypt with recipient’s public key
Recipient decrypts with its own private key
What is a digital signature?
A form of asymmetric encryption
Sender encrypts with its own private key
Recipient decrypts with sender’s public key
What is a key ring?
All the public keys a sender/recipient has
What does a hash function do?
Converts in input into a fixed size string of bytes
What 2 ways are there to initially exchange keys?
Public key encryption
Diffie-Hellman key exchange protocol
How does public key encryption work?
Sender sends their public key and identity (PUa, IDa)
Receiver sends sender’s public key and a secret key encrypted Enc[PUa, Ks]
How is public key encryption vulnerable to man-in-the-middle attacks?
Man in the middle attacks
MITM forwards sender’s message to receiver but with their own public key
MITM receives secret key and forwards message to sender, replacing their public key with the senders to avoid detection
How does the Diffie-Hellman key exchange protocol work?
1) A & B agreed publically on a prime modulus (e.g. 3) and a generator (e.g. 17)
2) A selects a private random number (e.g. 15) and calculates (3^15)mod17 = 6 and sends result publically
3) B selects a private random number (e.g. 13) and calculates (3^13)mod17 = 12 and sends result publically
4) A takes B’s public result, 12, and own private number, 15, and calculates (12^15)mod17 = 10 to obtain shared secret
5) B takes A’s public result, 6, and own private number, 13, and calculates (6^13)mod17 = 10 to obtain shared secret
How is the Diffie-Hellman key exchange protocol vulnerable to man-in-the-middle attacks?
1) MITM generates 2 private keys PUx & PUy and calculates 2 public keys PRx = (a^PUx)modq and PRy = (a^PUy)modq
2) MITM intercepts A’s public key PUa before it reaches B and creates a secret key for A, Ka = (PUa^PRy)modq
3) MITM transmits public key PUx to B in place of PUa
4) B calculates secret key K1 = (PUx^PRb)modq
5) MITM intercepts B’s public key PUb before it reaches A and creates a secret key for B, Kb = (PUb^PRx)modq
6) MITM transmits public key PUy to A in place of PUb
7) A calculates secret key K2 = (PUy^PRa)modq
8) Now MITM can decrypt messages using Ka and encrypt with Kb
How can Diffie-Hellman man-in-the-middle attacks be prevented?
With a digital certificate: users/companies are bound to their public key
What is the function of a Public Key Infrastructure?
To create, manage, store, distribute, and revoke digital certificates
Enables secure, convenient, efficient acquisition of public keys
What are the 4 key players in PKIs?
Certification authorities
Registration authorities
PKI repositories
PKI users
What do Certification Authorities (PKI) do?
Issues, revokes, and distributes certificates
Certificates signed with CA’s private key so authenticity can be checked using CA’s public key
What do Registration Authorities (PKI) do?
Approves/rejects certificate applications
Renews (re-keys), revokes, and suspends certificates
What to PKI repositories do?
Store & distribute certificates and certificate revocation lists
What 4 reasons might there be for a certificate to be revoked?
Compromised private key
Certificate expiration
Human resources reason
Name/address/DNS change
What 3 issues are there with Certificate Revocation Lists?
Issued too infrequently to be effective against attackers
Expensive to distribute
Vulnerable to DoS attacks
Secure sockets layer vs transport layer security
Cyptographic protocols
TLS improves upon SSL by providing privacy & data integrity between communication applications
What 4 steps are there in a handshake protocol?
1) Client hello (protocol version, supported cryptographic algorithms)
2) Server hello (highest protocol version, strongest cryptographic algorithm)
3) Server key exchange: client receives server’s certificate and verifies the CA private key with the CA public key
4) Client key exchange
What is Kerberos?
A network authentication protocol that relies on symmetric encryption
What are the 4 aims of Kerberos?
User password shouldn’t have to travel over network
User password shouldn’t be stored on client’s machine
User is only asked to enter password once per work session
Authentication information management is centralised and resides on authentication server
What are Kerberos tickets?
Issued by authentication server
Encypted witht the secret key of the service it’s intended for
Used as proof presented by a user to an application server to demonstrate their identity and gain access to that service on the network
What is the key distribution centre in Kerberos?
A centralised model containing the database, authentication server, and ticket granting server
What are the 6 steps in accessing a service in Kerberos?
1) User requests a ticket-granting-ticket from the authentication server
2) AS sends the session key and the TGT to the user
3) User requests access to a particular server from the ticket granting server using the TGT
4) TGS sends a session key and the ticket-for-service
5) User requests the service from the application server using the TfS
6) Application server grants the service
What 4 limitations does Kerberos have?
Single point of failure as if KDC server is down, no-one can log in
Vulnerable to password guessing attacks
Requires clocks to be synchronised
Has to assume user’s workstation is secure
What 5 attacks is password-based authentication vulnerable to?
Password cracking (brute force attack, dictionary attack)
Electronic monitoring (network sniffing, keyloggers)
Workstation hijacking
Shoulder-surfing
Dumpster-diving
What are the 3 drawbacks of token-based authentication?
Requires a special read - added cost
Token loss - loss of access, added cost, stealing
User dissatisfaction
What are the 2 types of biometric authentication?
Static: fingerprints, hands, face, retina/iris
Dynamic: voice, signature
What are the 3 drawbacks of multi-factor authentication?
User must carry physical token at all times
Risk of loss or theft –> replacement cost
Unscalable: new token required for each new account/system
What 5 measures are there for preventing online password cracking?
Password policies
Password blacklists
Machine-generated passwords
Force regular password changes
Throttling - time delay between consecutive failed login attempts
What’s the issue with hash dictionaries?
The size - good dictionaries can be 100s of TBs
What is a rainbow table?
A precomputed table used to crack password hashes
Has a good trade-off between time and space
What is password salting?
A way to avoid reverse password attacks
What are the 3 steps of password salting?
1) Append/prepend a random salt to the password
2) Compute the hash of the password and the salt
3) Store the hash of the salted password and the salt
What are the 2 benefits of password salting?
Prevents duplicate password visibility
Increase difficulty of offline dictionary attacks by factor 2^b for salt of b bits
What are the 4 group of harmful activities in Solove’s Taxonomy of Privacy
Information Collection
Informaiton Processing
Information Dissemination (distribution)
Invasions
What are the 2 harmful types of information collection (Solove)?
Surveillance: surveilling an individual’s activies
Interrogation: probing for information
What are the 4 harmful types of information processing (Solove)?
Aggregation: combining pieces of data about a person
Identification: linking information to individuals
Insecurity: carelesseness in protection stored information
Secondary use: use of data for a different purpose without subject’s consent
What are the 7 harmful types of information dissemination?
Appropriation (use of one’s information for purpose of another)
Breach to confidentiality
Blackmail
Distortion
Disclosure
Exposure (of physical/emotional attributes)
Increased accessibility
What are the 3 research paradigms in Privacy Enhancing Technologies?
Privacy as confidentiality
Privacy as control
Privacy as practice
What are quasi-identifiers?
Attributes that, when combined with other quasi-identifiers, create unique identifiers
What are the 4 techniques for data anonymisation?
K-anonymity
L-diversity
T-closeness
Differential privacy
What is K-anonymity?
Attributes are generalised into broader categories (e.g. age as >40) and/or suppressed (e.g. age as 2* for 28)
At least K records have the same values for quasi-identifiers
What 2 attacks is K-anonymity vulnerable to?
Homogeneity attack: if values in a QI group lack diversity e.g. all age 5* people at postcode 476*** have heart disease
Background knowledge attack
What is L-diversity?
Each QI group must contain at least L different sensitive attributes e.g. in a group with 3 attributes, its sufficient to have flu, shingles, or acne as the sensitive data
What 2 attacks is L-diversity vulnerable to?
Skewness attack: doesn’t consider overall distribution of sensitive values e.g. instead of 1/1000 chance of heart disease, now 1/3
Similarity attack: if sensitive attributes in a 3-diverse are lung cancer, liver cancer, and stomach cancer, attack can infer patient has cancer
What is T-closeness?
The distance between the distribution of a sensitive attribute in all QI groups and the distribution of the sensitive attribute in the whole table is at most T
Proxy vs VPN
Similarities: both hide IP addresses, connection between proxy/VPN and end points aren’t encrypted
Differences: VPN encrypts connection with VPN node, proxy doesn’t encrypt connection
What is onion routing?
Where (TCP) traffic is protected with multiple layers of encryption
What is traffic mixing?
Mixes messages with other traffic
To allow responses, the sender places keys at each mix along the path when established
What is dummy traffic?
Meaningless traffic inserted alongside genuine data to obscure the real communication
What is Perfect Forward Secrecy?
Minimises risk to PI in event of encryption key breach
Each session’s key is unique and not re-usable
What is access control and its 3 components?
The process of regulating system resources according to a security protocol
Authentication: verify user credentials are valid
Authorisation: grant permission to an entity to access a system resource
Audit: review & examine system activities
What are the 3 foundations of access control?
Object: the resource to which access is controlled
Subject: an entity that can access objects
Access right: the way a subject may access an object (read, write, execute, delete, create, search)
What are the three subject classes (access control)?
Owner: full control over object
Group: multiple users with similar access permissions to objects
World: all subjects that aren’t the owner or part of a group
What 3 things are Access Control Models used for?
Defining a set of authorisation rights
Defining a set of policies to enforce the authorisation rights
Protecting systems against violations of confidentiality, integrity, and availability
What are the 4 main Access Control Models?
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Attribute-Based Access Control
What are blockchains?
Systems that keep track of transactions securely across a network of computers without the need of a central authority e.g. cryptocurrency doesn’t require a bank
What is double spending in blockchains?
When 2+ transactions use the same input
What is proof of work (briefly)?
A way to mitigate double spending in blockchains
What is a block of transactions?
A batch of submitted & confirmed transactions stored as a list
Each block also references the previous block so any changes require updating all following blocks
Each block also includes a random number
What are miners?
Nodes that create new blocks
What are the 4 steps a miner takes?
1) Chooses the transactions to include in a block
2) Chooses the previous block
3) Competes with other miners to solve a puzzle based on the data in the block and the previous block’s hash
4) Once solved, broadcasts proposed block for solution verification and block addition
What puzzle are miners trying to solve?
Finding a number such that the hash of the whole block has at least a certain number of zeros as most significant digits
The more zeros, the harder the mining
What 3 reasons are there for miners to mine over the longest chain/branch?
There is a network consensus so more cumulative work
There are higher rewards
There is more security
What is branch resolution?
Where a generated block can be rolled back and transactions are cancelled
To avoid risk of double spending, wait for other six blocks before confirming txn
What is hashpower?
The number of hash computed per second
The probability of a miner generating a new block is proportional to its hashpower
What are mining pools?
Organised groups of miners
Have a collectively larger hashpower so a higher probability to mine blocks
What are the 3 advantages of blockchains?
Trustless network
Immutable transaction history
No single point of failure
What are the 3 disadvantages of blockchains?
High transaction fees
Slow transaction confirmation
Not yet stabilised currency
What is a smart contract?
A computerised transaction protocol that executes the terms of a contract
Node joining in permissionless/permissioned blockchains
Permissionless: any node can join the network
Permissioned: nodes need to be authorised to join the network
Security in permissionless/permissioned blockchains
Permissionless: need to target thousands of miners to make unavailable
Permissioned: need to traget fraction of peers
Stability in permissionless/permissioned blockchains
Permissioned blockchains aren’t based on cryptocurrencies so are more stable
Transaction fees in permissionless/permissioned blockchains
Permissioned blockchains don’t require any transaction fees
Decentralisation in permissionless/permissioned blockchains
Permissioned blockchains are inherently less decentralised
Setup & maintenance in permissionless/permissioned blockchains
Permissionless: convenient, contained cost
Permissioned: costly
