Cybersecurity Concepts Flashcards
What are the three different approaches to implementing cybersecurity?
[In reality, most organizations with mature security programs use a combination of risk-based and compliance-based approaches.]
- Compliance-based—(standards-based security), this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.
- Risk-based—Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs.
- Ad hoc—An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.
Definition: The combination of the probability of an event and its consequence (International Organization for Standardization/International Electrotechnical Commission [ISO/IEC] 73). Risk is mitigated through the use of controls or safeguards.
Risk
Definition: Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. ISO/IEC 13335 defines a threat broadly as a potential cause of an unwanted incident. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.
Threat
Definition: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
Vulnerability
When using qualitative rankings the most important step is to _________________.
rigorously define the meaning of each category and use definitions consistently throughout the assessment process.
In cybersecurity, impacts are most often described quantitatively, but are also evaluated in terms of ______.
confidentiality, integrity and availability
There are a number of methodologies available to measure risk. Different industries and professions have adopted various tactics based upon the following criteria:
- Risk tolerance
- Size and scope of the environment in question
- Amount of data available
It is important to understand third-party risk, such as information sharing and network access, as it relates to cybersecurity.
True.
A ______ is a well-defined, advanced, targeted attack that is stealthy and has a mission that it will not stop attempting to achieve until it is identified and mitigated or succeeds.
advanced persistent threat (APT)
Name 9 threat agents:
- Corporations
- Nation states
- Hacktivists—politically motivated hackers
- Cyberterrorists
- Cybercriminals—motivated by financial gain, e.g. fraudulent financial transactions
- Cyberwarriors—may be hacktivists or cyberfighters acting in a conflict
- Script kiddies
- Online social hackers
- Employees—although they typically have fairly low-tech methods and tools, dissatisfied current or former employees represent a clear cybersecurity risk
Definition: Characterized by their willingness to use violence, they frequently target critical infrastructures and government groups.
Cyberterrorists
Definition: They are young individuals who are learning to hack; they may work alone or with others and are primarily involved in code injections and distributed denial-of-service (DDoS) attacks.
Script Kiddies
Definition: Skilled in social engineering, these attackers are frequently involved in cyberbullying, identity theft and collection of other confidential information or credentials.
Online Social Hackers
The path or route used to gain access to the target (asset) is known as an _________.
attack vector
There are two types of attack vectors:
ingress and egress (also known as data exfiltration).
Name the 6 attack attributes.
- Attack vector
- Payload
- Exploit
- Vulnerability
- Target
- Egress (if applicable)
Each of the attack attributes provides unique points where _____ to prevent or detect the attack can be placed.
controls
There are two broad categories for threat events:
adversarial and nonadversarial (the latter is usually the result of an error or malfunction).
Generalized Attack Process (8)
- Perform reconnaissance
- Create attack tools
- Deliver malicious capabilities
- Exploit and compromise
- Conduct an attack
- Achieve results
- Maintain a presence or set of capabilities
- Coordinate a campaign
Components of reconnaissance: (3)
- Sniffing or scanning the network perimeter
- Using open source discovery of organizational information
- Running malware to identify potential targets
Create attack tools may include: (3)
- Phishing or spear phishing attacks
- Crafting counterfeit websites or certificates
- Creating and operating false front organizations to inject malicious components into the supply chain
Deliver malicious capabilities may include: (4)
- Introducing malware into systems
- Placing subverted individuals into positions
- Installing sniffers or scanning devices
- Inserting tampered hardware into systems or supply chains
Exploit and compromise may include: (4)
- Split tunneling or gaining physical access to facilities
- Exfiltrating data or sensitive information
- Exploiting multitenancy in a cloud environment
- Launching zero-day exploits
Conduct an attack may include: (4)
- Communication interception or wireless jamming
- DoS or distributed denial-of-service (DDoS)
- Remote interference with or physical attacks on facilities or infrastructures
- Session-hijacking or man-in-the-middle attacks
Achieve results may include: (3)
- Obtaining unauthorized access
- Degrading organizational services
- Creating, corrupting or deleting critical data
Maintain a presence or set of capabilities may include: (2)
- Obfuscating adversary actions or interfering with intrusion detection systems (IDSs)
- Adapting cyberattacks in response to security measures
Coordinate a campaign may include: (3)
- Multi-staged attacks
- Internal and external attacks
- Widespread and adaptive attacks
Some of the most common nonadversarial threat events are:
- Mishandling of critical information by authorized users
- Incorrect privilege settings
- Fire, flood, hurricane, etc. at primary or backup facilities
- Introduction of vulnerabilities into software products
- Pervasive disk errors or problems from aging equipment
Definition: A _____ (a term derived from “robot network”) is a large, automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as denial-of-service (DoS).
Botnet
Definition: A class of malware that hides the existence of other malware by modifying the underlying operating system.
Rootkit
What is CAPEC
The MITRE Corporation publishes a catalogue of attack patterns known as Common Attack Pattern Enumeration and Classification (CAPEC) as “an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed.”
Some of the most common attack patterns are (13):
- Advanced persistent threats
- Backdoor
- Brute force
- Buffer overflow
- Cross-site scripting (XSS)
- Denial-of-service (DoS)
- Man-in-the-middle
- Social engineering
- Phishing
- Spear phishing
- Spoofing
- Structured Query Language (SQL) injection
- Zero-day exploit
An important aspect of information security policies is their lifecycle of: (4)
development,
maintenance,
approval,
exception.
The way that compliance documents relate to and support each other is called a __________.
policy framework
Which compliance document interprets policies in specific situations?
Standards
The information security policy needs a clearly defined scope. This involves: (5)
- definition
- responsibilities
- vision including goals, metrics and rationale of how the vision is supported
- how it aligns with other high-level policies
- Elaboration: data management, information risk assessment, and compliance with legal, regulatory and contractual obligations
COBIT 5 Information Security Policy Set: (8)
- Risk management
- Business continuity
- Asset management
- Rules of behavior
- Acquisition/development/maintenance
- Vendor management
- Communications and operations
- Compliance
The access control policy should cover the following topics, among others: (4)
- Physical and logical access provisioning life cycle
- Least privilege/need to know
- Segregation of duties
- Emergency access
Possible security policies or procedures other than the general information security policy may include: (3)
- access control
- personnel information security
- security incidents
The personnel information security policy objective includes, but is not limited to, the following goals: (4)
- background checks
- information about key personnel in information security positions.
- succession plan for key information security positions.
- termination procedures
The security incident policy addresses the need to respond to incidents in a timely manner in order to recover business activities. The policy should include:
- Definition of an information security incident
- A statement of how incidents will be handled
- Incident response team
- Incident response plan
- Incident documentation and closing
Additional controls that may be applied to privileged users include:
- Limiting privileged access
- Background checks
- Additional logging of activity
- Maintaining accountability by not sharing privileged accounts
- Using stronger authentication controls
- Reviewing privileges and removing those no longer required
Implementing a configuration management process has several benefits for security including:
- Verification of the impact on related items
- Assessment of a proposed change’s risk
- Ability to inspect different lines of defense for potential weaknesses
- Tracking of configuration items against approved secure configuration baselines
- Insights into investigations after a security breach or operations disruption
- Version control and production authorization of hardware and software components
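Tracking configuration items against an approved secure baseline, as an added example (not code from the flashcard source): a small Python checker that parses the global section of an sshd_config file, resolves directives that are absent in the file to their OpenSSH defaults, and reports every deviation from a baseline. The baseline values, the default table and the sample config are constructed for illustration and are assumptions, not authoritative hardening guidance.

```python
"""Compare a host's sshd_config against an approved secure configuration baseline
and report drift (added example; baseline values and sample config are constructed)."""
from dataclasses import dataclass

# Approved baseline: directive -> required value (illustrative assumption, not a standard).
SECURE_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Value OpenSSH applies when the directive is absent from the file; a baseline
# check must consider these, otherwise a missing directive looks "fine".
SSHD_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}


@dataclass(frozen=True)
class Drift:
    directive: str
    expected: str
    actual: str
    source: str  # "file" if set explicitly, "default" if inherited from sshd defaults


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective directive->value map for the global section.

    sshd keywords are case-insensitive (keys are lower-cased), the first
    occurrence of a directive wins, both 'Key value' and 'Key=value' forms are
    accepted, and parsing stops at the first Match block because directives
    inside it apply only conditionally.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_drift(config_text: str, baseline: dict[str, str] = SECURE_BASELINE,
                defaults: dict[str, str] = SSHD_DEFAULTS) -> list[Drift]:
    """Return one Drift record per baseline directive whose effective value differs."""
    effective = parse_sshd_config(config_text)
    findings = []
    for directive, expected in baseline.items():
        key = directive.lower()
        if key in effective:
            actual, source = effective[key], "file"
        else:
            actual, source = defaults.get(directive, "<unset>"), "default"
        if actual.lower() != expected.lower():
            findings.append(Drift(directive, expected, actual, source))
    return findings


# Constructed sample sshd_config exercising the parser's edge cases.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes          # explicit setting that violates the baseline
PermitRootLogin no           # duplicate: sshd ignores it, first occurrence wins
passwordauthentication=no    # keyword case and '=' form both accepted
X11Forwarding no
LogLevel INFO
Match User deploy
    PasswordAuthentication yes   # conditional block, not part of the global check
"""

if __name__ == "__main__":
    for d in check_drift(SAMPLE_CONFIG):
        print(f"DRIFT {d.directive}: expected {d.expected!r}, got {d.actual!r} ({d.source})")
```

Run against the sample it flags PermitRootLogin (set explicitly), MaxAuthTries (inherited default 6) and LogLevel; PasswordAuthentication passes because the global value is "no" and the Match block is deliberately out of scope.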