Domain 1 Flashcards
is the art of exploiting human behavior by convincing someone to reveal information or perform an action on the attacker's behalf. These attacks can occur in person, via email, and over the phone
Social Engineering
is the act of attempting to gather personal or sensitive information through fraudulent emails. It is the most common form of social engineering attack related to computer security
Phishing
is the act of attempting to gather personal or sensitive information through fraudulent SMS (Short Message Service, better known as texting). It works primarily because the message relies on urgency and intimidation
Smishing
is the act of attempting to gather personal or sensitive information through fraudulent phone calls. (***) can be used, for example, to trick a victim into revealing their cell phone account credentials
Vishing
is unwanted commercial email sent out in bulk
Spam
SPIM is unwanted commercial messaging sent out in bulk over instant messaging platforms
Spam Over Instant Messaging
is the term for a phishing attack that targets a specific person or a group of people who have something in common, using details about them to make the message convincing
Spear Phishing
is the act of attempting to gather personal or sensitive information from trash dumpsters. An attacker may recover a variety of discarded information that is useful in a later social engineering attack
Dumpster Diving
is the act of secretly observing a person's computer screen or keyboard to gather personal or sensitive information. The attacker directly observes the individual entering sensitive information on a form, keypad, or keyboard
Shoulder Surfing
is the act of redirecting internet users to a malicious website, typically by tampering with DNS resolution or hosts files, in order to gather personal or sensitive information
Pharming
is the act of following an authorized person into a restricted area without providing credentials. Also known as piggybacking
Tailgating
is the act of encouraging a person to disclose personal or sensitive information, often through seemingly casual conversation. Calls to or from help desk and tech support units can be used to ____ ______
Eliciting Information
is a type of phishing that targets high-profile individuals such as executives. The sender must do upfront research about the target and the subject in order to craft an email that sounds convincing
Whaling
The attacker adds text to the beginning of a message, for example "RE:" in the subject line so it looks like a reply in an existing conversation, or a tag that makes it look as if the message has already been vetted
Prepending
is the act of stealing personal information to impersonate the victim
Identity fraud
The act of sending fake invoices that appear to come from a trusted vendor or business executive so that the victim pays the attacker
Invoice Scams
The act of collecting large numbers of usernames and passwords (for example, through fake login pages or breached databases), giving an attacker a ready supply of credentials to try against systems
Credential Harvesting
The act of gathering information about a target system or organization, either passively or by interacting with the system, to identify possible weaknesses
Reconnaissance
is a false security threat (such as a fake virus warning) meant to make a user believe it is real and disclose sensitive or personal information, or take a harmful action
Hoax
The act of masquerading as a legitimate or trusted individual or entity
Impersonation
The act of infecting a website that the target group is known to visit frequently, so that visitors are compromised by malware
Watering Hole Attack
(also known as URL hijacking) is the act of presenting users with a fake site whose URL is a misspelling or near-variation of a legitimate one
The best defense is for the site owner to register the common misspellings and variations of its own domain
Typosquatting
A social engineering tactic in which the attacker invents a false scenario (the pretext) to persuade the victim to hand over personal information
An example is an attacker calling to "verify" personal information with the victim
Pretexting
is a coordinated attempt to shift public opinion, typically through the use of social media platforms
Influence Campaign
A military strategy that combines conventional warfare with unconventional means such as cyber operations and disinformation
Information is used to sway people toward a position favored by those spreading it
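The "register the deviations" defense on the Typosquatting card needs a list of deviations to register or monitor. The following is an added example, not part of the original flashcards: it generates the common look-alike variants of a domain (omitted, repeated, transposed and fat-fingered characters, homoglyphs, and alternate TLDs). The keyboard-neighbor map is a simplified QWERTY layout and "example.com" is a constructed input; both are assumptions of the example.

```python
# Added example: enumerate typosquatting variants of a domain so the legitimate owner
# can register or monitor them. Not part of the original flashcards; the neighbor map
# is a simplified QWERTY layout assumed here, and "example.com" is a constructed input.
HOMOGLYPHS = {"m": ["rn"], "w": ["vv"], "l": ["1", "i"], "o": ["0"], "i": ["l"]}
QWERTY_NEIGHBORS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
ALT_TLDS = ["com", "co", "net", "org"]


def typosquat_candidates(domain: str) -> list[str]:
    """Return sorted look-alike domains: omissions, repeats, transpositions,
    adjacent-key substitutions, homoglyph swaps and TLD swaps."""
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                  # omission:      exmple
        variants.add(name[:i] + ch + ch + name[i + 1:])        # repetition:    exaample
        for n in QWERTY_NEIGHBORS.get(ch, ""):                 # fat-finger:    exsmple
            variants.add(name[:i] + n + name[i + 1:])
        for g in HOMOGLYPHS.get(ch, []):                       # homoglyph:     exarnple
            variants.add(name[:i] + g + name[i + 1:])
        if i + 1 < len(name):                                  # transposition: exmaple
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
    variants.discard(name)
    out = {f"{v}.{tld}" for v in variants if v}
    out.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)   # example.co, example.net
    return sorted(out)


if __name__ == "__main__":
    for d in typosquat_candidates("example.com"):
        print(d)
```

The output list is the registration or watch list; feeding it to a DNS lookup loop shows which variants an attacker has already taken.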
Hybrid Warfare
refers to websites that allow users to post and share content within a digital community
Social Media
Authority
•The attacker impersonates a high-level executive or an IT support person
Intimidation
•The attacker attempts to scare or threaten the victim
Consensus
•The attacker claims that others are already performing the requested action (also called social proof)
Principles (reasons for effectiveness)
Scarcity
•The attacker claims limited availability of a prize, reward, or opportunity
Familiarity
•The attacker poses as a familiar figure, or builds rapport over time, before conducting the social engineering attack
Trust
•The attacker uses his or her good relationship with the victim to conduct the social engineering attack
Urgency
•The attacker pressures the victim to perform an action within a short amount of time, leaving no time to think or verify
Principles
is the term given to any program intended to damage or compromise a computer system
Malware
is malware designed to lock a victim's computer or encrypt its data until money is paid to the attacker
Ransomware
are malicious applications that mislead victims by appearing to be a trusted file or application
Trojans
is self-replicating malware designed to spread rapidly across networks without user interaction
Worm
are programs like spyware and adware that are downloaded alongside the program the user actually consented to install
Potentially Unwanted Programs (PUPs)
is malware that abuses a system's own software and built-in tools to run in memory without writing a traditional executable to disk, which helps it evade file-based antivirus
Fileless Virus
is the infrastructure that gives instructions to a botnet and serves as the central management point for conducting cyber-attacks
Command and Control
Computer programs that automate repetitive tasks; when installed on compromised machines and controlled by an attacker they form a botnet
Bots
uses encryption to deny the victim access to his or her data
The name is also applied to malware that secretly mines cryptocurrency on the victim's machine (cryptojacking)
Cryptomalware
is malicious code that lies dormant until triggered by a specific date, time, or event
Logic Bombs
is malware designed to steal a victim's personal information online
Spyware
captures the victim's keystrokes to steal credentials or personal information
Keylogger
are malicious programs that install a backdoor on the victim's computer, giving the attacker remote control of it
Remote Access Trojans (RAT)
are malicious programs that hide their presence, and that of other malware, by modifying low-level operating system components such as the kernel, giving an attacker persistent privileged access
Rootkits
an undisclosed way to gain access to a system or application
Backdoor
The attacker tries a few commonly used passwords against a large number of usernames, one guess per account per round, so that no single account trips the lockout threshold
Spraying
The attacker attempts to gain access to a password-protected resource by entering every word in a ________ as a password
Dictionary
The attacker tries every possible combination of letters, numbers, and special characters to guess the user's credential
Brute Force
are precomputed tables for reversing cryptographic hashes, typically password hashes; salting each password makes them impractical
Rainbow Table
An attacker can launch a known-______ attack if they have samples of both the ? and the corresponding ciphertext
Plaintext
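The four password-attack cards above (spraying, dictionary, brute force, rainbow table) differ in what they cost the attacker and what defeats them. The following is an added example, not from the flashcards: a single script that runs each attack against constructed credentials and shows why a salt defeats the precomputed table, why brute-force cost grows with the alphabet and length, and why spraying stays under an account-lockout threshold that would lock a brute-forced account. SHA-256, the wordlist, the account store and the lockout threshold of 3 are all assumptions of the demo.

```python
# Added example (not from the flashcards): the four password-attack cards side by side.
# All hashes and credentials are constructed for the demo; SHA-256 stands in for whatever
# the target uses, and a real attacker would hash far faster with a GPU.
import hashlib
import itertools
import string


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Rainbow table, simplified to a hash -> password lookup. Real tables use hash chains
#     to trade CPU for storage, but the defeat-by-salt property is identical. ---
WORDLIST = ["password", "letmein", "winter2023", "hunter2", "qwerty"]


def build_table(words):
    return {sha256_hex(w.encode()): w for w in words}


def table_lookup(table, target_hash):
    """Instant if the site stored unsalted hashes; useless once a per-user salt is added."""
    return table.get(target_hash)


# --- Dictionary attack against a salted hash: the salt forces per-target recomputation ---
def dictionary_attack(target_hash, salt: bytes, words):
    for w in words:
        if sha256_hex(salt + w.encode()) == target_hash:
            return w
    return None


# --- Brute force: exhaustive search, cost grows as len(alphabet) ** length ---
def brute_force(target_hash, alphabet=string.ascii_lowercase, max_len=4):
    attempts = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            attempts += 1
            cand = "".join(combo)
            if sha256_hex(cand.encode()) == target_hash:
                return cand, attempts
    return None, attempts


# --- Password spraying versus lockout: a tiny directory with a lockout threshold ---
class AccountStore:
    def __init__(self, creds, lockout_threshold=3):
        self.creds = dict(creds)
        self.failures = {u: 0 for u in creds}
        self.locked = set()
        self.threshold = lockout_threshold

    def try_login(self, user, password):
        if user in self.locked:
            return False
        if self.creds.get(user) == password:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)   # brute forcing one account trips this quickly
        return False


def password_spray(store, users, common_passwords):
    """Outer loop over passwords, inner loop over users: each account sees one
    guess per round, so the attacker stays under the lockout threshold."""
    hits = {}
    for pw in common_passwords:
        for u in users:
            if u not in hits and store.try_login(u, pw):
                hits[u] = pw
    return hits


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(table_lookup(table, sha256_hex(b"letmein")))            # letmein
    salted = sha256_hex(b"s4lt" + b"letmein")
    print(table_lookup(table, salted), dictionary_attack(salted, b"s4lt", WORDLIST))
    print(brute_force(sha256_hex(b"abc")))                         # ('abc', 731)
    store = AccountStore({"alice": "Winter2023", "bob": "Spring2023", "carol": "x9#Qv!"})
    print(password_spray(store, ["alice", "bob", "carol"], ["Winter2023", "Spring2023"]))
    print(store.locked)                                            # set()
```

The salted lookup returns None while the dictionary attack still succeeds: salting does not stop guessing, it only removes the precomputation shortcut, which is why a slow hash (bcrypt, scrypt, Argon2) is the other half of the defense.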
A USB drive that appears harmless but may contain ransomware or a keylogger that transmits captured data back to the attacker's command and control server
Malicious Flash Drive
The attacker creates a copy of a legitimate payment or access card, using data read from it, in order to use its credentials
Card Cloning
Attackers illegally capture credit card information through fake card readers placed over or inside legitimate ones
Skimming
Attacks that manipulate machine learning systems, for example with inputs crafted to fool a model; deliberately exposing models to such malicious scenarios during training is one way to make them more resilient
Adversarial artificial intelligence (AI)
The attacker feeds malicious data to a machine learning system while it is being trained (data poisoning), so that the resulting model behaves as the attacker wants
Tainted training data for machine learning (ML)
Attackers keep trying new approaches to find security holes in machine learning algorithms, so the algorithms themselves must be tested and protected, not just the data
Security of machine learning algorithms
Attacks that compromise a product or component before it reaches the victim, for example by tampering with hardware, software, or updates somewhere in the vendor chain
Supply-chain attacks
attacks target resources hosted by a cloud provider rather than on-premises equipment; physical damage is less of a concern and data is more resilient because backups are cheaper in the cloud, but misconfiguration and weak credentials remain the attacker's main entry points
Cloud Based
The attacker exploits the birthday paradox: far fewer random attempts than the size of the hash space (roughly 2^(n/2) for an n-bit hash) are needed before two inputs produce the same hash value
Birthday
occurs when two different inputs produce the same hash value
Collision
The attacker negotiates a weaker or older protocol or cipher suite for communication with hosts and servers, making the traffic easier to break
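The Birthday and Collision cards above rest on one number: for an n-bit hash, a collision is expected after about 2^(n/2) random inputs, not 2^n. The following is an added example, not from the flashcards, that makes the bound concrete by truncating SHA-256 to 32 bits (a constructed toy; real digests are 256 bits, where 2^128 work is still infeasible) and hashing distinct inputs until two collide. The input format and seed string are assumptions of the demo.

```python
# Added example (not from the flashcards): finding a collision in a deliberately truncated
# hash to show why the birthday bound, not the hash width, sets the attacker's cost.
# The 32-bit truncation of SHA-256 is a constructed toy for the demo.
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data) as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_attempts(bits: int) -> float:
    """Expected number of random inputs before the first collision: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int, seed: str = "seed"):
    """Hash distinct inputs until two share a truncated value.
    Returns (msg_a, msg_b, attempts). Memory holds every value seen; a real attack
    trades that memory for time with a cycle-finding method instead."""
    seen = {}
    attempts = 0
    while True:
        attempts += 1
        msg = f"{seed}-{attempts}".encode()   # distinct input each round
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg


if __name__ == "__main__":
    a, b, n = birthday_collision(32)
    print(f"collision after {n} tries (expected about {expected_attempts(32):.0f}, "
          f"versus 2**32 = {2**32} tries for a targeted second preimage)")
    print(a, b, hex(truncated_hash(a, 32)), hex(truncated_hash(b, 32)))
```

Against a 32-bit space the search finishes in tens of thousands of hashes; a targeted search for a specific value would need on the order of 2^32. That gap is why signature schemes care about collision resistance and why truncated or weak hashes (MD5, SHA-1) are retired even when no preimage attack exists.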
Downgrade
Attackers try to work their way up from a basic user account to an account with administrative access
Privilege Escalation
An application vulnerability that allows an attacker to inject malicious script into a web page, where it executes in other users' browsers
Cross-site scripting
The attacker supplies input that the application, or one of its back ends, interprets as code or commands
Injection
An attacker inserts malicious SQL into application input to read, modify, or delete data in the database
Structured Query Language (SQL) injection
is a collection of code that is designed to be used as needed by a computer process
Dynamic Link Library (DLL)
is performed by forcing a process to load a malicious DLL, for example by replacing a valid DLL file with a malicious one where the program looks for it, so the attacker's code runs with the process's privileges
DLL Injection Attack
The attacker exploits input validation vulnerabilities to send crafted queries or commands to the LDAP server
Lightweight Directory Access Protocol (LDAP) injection
The attacker injects XML content directly into the application's input to manipulate how it processes data
Extensible Markup Language (XML) injection
occurs when a program attempts to read or write memory through a NULL pointer, typically crashing it and causing a denial of service
Pointer/object dereference
The attacker manipulates file path input to a web server (for example with ../ sequences) to read files outside the intended directory
Directory Traversal
The attacker writes more data into a buffer than it was sized to hold, overwriting adjacent memory; at minimum this crashes the application, and it may let the attacker run arbitrary code
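The Directory Traversal card names the ../ trick; the fix is to normalize the requested path and then check that it still lies under the document root. The following is an added example, not from the flashcards, showing a traversal payload against a naive join and the normalize-then-check routine a handler should use instead, plus a cheap detection signature for log review. Paths are handled as POSIX-style strings so the demo runs without touching the filesystem; the document root and payloads are constructed, and on a live server the same containment check should run on the realpath so symlinks cannot escape.

```python
# Added example (not from the flashcards): a traversal payload against a naive path join,
# and the normalize-then-check routine a web server should use instead. Paths are
# POSIX-style strings so the demo runs without touching the real filesystem; on a live
# server resolve symlinks with os.path.realpath before the same containment check.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for the demo


def naive_join(root: str, requested: str) -> str:
    """What a vulnerable handler does: trust the client-supplied path and concatenate."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_join(root: str, requested: str):
    """Decode, drop any leading slash, normalize, then require the result to stay under root.
    Returns None for anything that escapes."""
    root = posixpath.normpath(root)
    decoded = unquote(unquote(requested))          # handle single and double URL encoding
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                                 # the trailing "/" blocks /var/www/html2
    return candidate


def looks_like_traversal(requested: str) -> bool:
    """Cheap detection signature for web logs or WAF rules: any '..' segment after decoding."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


if __name__ == "__main__":
    payloads = ["images/logo.png", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd",
                "%252e%252e/%252e%252e/etc/passwd", "/etc/passwd"]
    for p in payloads:
        print(f"{p:36} naive={naive_join(WEB_ROOT, p):34} safe={safe_join(WEB_ROOT, p)}")
```

The double-decoding matters: a server that decodes once and then checks is bypassed by `%252e%252e`, which decodes to `%2e%2e` and only on the second pass to `..`.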
Buffer Overflow
occurs when a process produces an unexpected result because the timing or ordering of concurrent operations differs from what the programmer assumed
Race Condition
The attacker changes a file (for example by swapping it for a symbolic link) between the time the program checks the file and the time the program uses it
Time of check/time of use
is the ability for an application to catch errors and provide user-friendly feedback to the user, without crashing the application
Error Handling
occurs when an error message displayed to an end user reveals internal details, such as stack traces, database errors, or file paths, that give clues about how the application operates
Improper Error Handling
occurs when an attacker captures a valid transmission (such as an authentication exchange) and fraudulently resends it later to impersonate the original sender
Replay Attack
The attacker captures a user's session identifier (such as a cookie or token) and reuses it to take over that session with the server
Session Replays
occur when an arithmetic result exceeds the range an integer variable can hold, so the value wraps around and size or bounds checks based on it can be bypassed
Integer overflows
Input validation performed on the server itself; attackers bypass client-side checks by crafting requests directly, so the server must never trust input it has not validated
Server-side validation
With a web-based service, the attacker tricks an authenticated user's browser into sending a request the user did not intend, so the service performs legitimate-looking but unauthorized actions on the user's account
Cross-site request forgery (CSRF)
allows applications to communicate and respond to each other
An attacker can target an *** to gain administrative access or modify its intended behavior by discovering flaws in its implementation
application programming interface (API)
The attacker makes a system or application consume CPU, memory, disk, or connections until it can no longer perform its intended operations
Resource Exhaustion
The attacker causes the application to consume more and more memory the longer it runs
Memory Leak
SSL stripping is a technique that downgrades a victim's connection to a website from HTTPS to HTTP so the attacker can read and alter it
Secure Sockets Layer (SSL) stripping
Drivers are used by operating systems to interact with the hardware and software components of a device; because they run with high privilege, altering them gives an attacker deep control of the system
Driver Manipulation
is the act of writing a small layer of code that provides compatibility with older drivers or applications; attackers can abuse shims to insert malicious code between the OS and the driver
Shimming
is the act of rewriting the internal processing of a program without altering its external behavior; attackers refactor malware to evade signature-based detection
Refactoring
The attacker authenticates using a captured password hash (for example an NTLM hash) without ever needing to know the plaintext password
Pass the hash
is a malicious access point configured to mimic a legitimate one (same network name) in order to eavesdrop on and intercept wireless network traffic
Evil twin
is an unauthorized and potentially malicious access point
Rogue Access Point
is the act of using a Bluetooth connection to steal data such as contacts or messages from another device
Bluesnarfing
is the act of using Bluetooth to send unsolicited messages to another device
Bluejacking
is a wireless attack in which the attacker sends forged management frames that knock the victim off the access point, denying the wireless connection
Disassociation
is the act of blocking access to wireless signals and causing denial of service by transmitting interference on the same frequency
Jamming
These attacks occur when an attacker eavesdrops on or alters the radio communication of **-capable devices, for example by reading or cloning a tag
RFID (Radio Frequency Identification)
NFC attacks occur when an attacker intercepts, disables, or alters the short-range communication between NFC-capable devices
NFC (Near Field Communication)
the attacker exploits short or reused initialization vectors (as in WEP) to recover the keystream of wireless traffic and read messages in plaintext
Initialization Vector (IV)
attacks occur when an attacker places themselves between two devices to eavesdrop on, alter, or intercept the communication
On Path Attack
Man In The Middle
Man In The Browser
is the act of sending forged ARP replies so that devices on the LAN associate the attacker's MAC address with another system's IP address, redirecting traffic through the attacker
Address Resolution Protocol (ARP) poisoning
is the act of flooding a switch with frames from fake MAC addresses until its MAC address table is full, so legitimate entries are evicted and the switch floods traffic out all ports where it can be sniffed
Media access control (MAC) flooding
is the act of duplicating the default or factory-assigned MAC address of a device
MAC cloning
(DNS) translates domain names to IP addresses
Attackers can target these servers, or the records they hold, to redirect users to malicious websites
Domain Name System (DNS)
occurs when an attacker compromises and takes full control of the victim's domain name account
Domain Hijacking
is the process of altering DNS records to mislead users to a malicious website
DNS Poisoning
occurs when users following a legitimate-looking link are redirected to a malicious website
Uniform Resource Locator (URL) redirection
is a rating of how trustworthy a domain is, based on its history of sending spam, hosting malware, or phishing; email and web filters use it to block traffic
Domain Reputation
is a large-scale denial-of-service attack that leverages many (often thousands of) compromised hosts in a botnet
Distributed denial-of-service (DDoS)
occurs when an attacker denies legitimate access to networking devices
Network DDoS
occurs when an attacker denies legitimate access to user applications by exhausting the application layer rather than the network
Application DDoS
occurs when an attacker denies legitimate access to IP-capable devices designed to monitor and control physical systems
Operational Technology (OT) DDoS
is designed to aid administrators in managing Windows systems
Attackers can write **** scripts to steal credentials and other sensitive data, for example with the popular post-exploitation framework PowerSploit
PowerShell
is a widely used programming language and scripting tool used in software development and data analytics
Python
a popular scripting language used for automating tasks on Linux systems
Bash
are recorded instructions that automate tasks in documents such as Office files; attackers embed malicious macros that run when the document is opened
Macros
is an older scripting language used to automate Microsoft Office processes and applications, and the language in which malicious document macros are usually written
Visual Basic for Applications (VBA)
are sophisticated, long-running attacks, typically by well-resourced actors, that maintain a persistent foothold in the target
Advanced persistent threat (APT)
These threat actors have legitimate access to organizational facilities and IT resources, making detection difficult
Internal Actors
These hackers are financially supported by their governments and have access to advanced cyber capabilities, including zero-day vulnerabilities
State Actors
are beginner hackers who often use tools or scripts without understanding how they work
Script Kiddies
are organized criminal groups that have switched from, or added to, traditional criminal activities by conducting online attacks for profit
Criminal Syndicates
Skilled individuals with the ability to access computer systems and resources without authorization
Hackers
Hackers who are hired to discover computer or network vulnerabilities, with the owner's permission
Hackers - Authorized
Hackers with the intent of stealing sensitive data or gaining unauthorized access to a computer system
Hackers - Unauthorized
refers to IT projects that are managed without the knowledge and consent of the IT department
Shadow IT
Outside organizations seeking financial or market gain through espionage
Competitors
Anonymity can make attribution difficult
A cyber-persona can mask the true actor, so identifying the actor can require significant analysis and collaboration
Attributes of actors
Nation states can conduct more sophisticated cyber-attacks than script kiddies, and can cause higher levels of disruption
Level of sophistication/capability
Nation state-sponsored hackers receive industry-leading training in computer hacking and they share their collected information with their government intelligence agencies
Resources/funding
An attacker needs a medium to carry out a cyber-attack, so they rely on attack vectors (sometimes called threat vectors) to gain access to a system
Vectors
This involves an attacker having physical access to the hardware of the system
Direct access
An attacker can gain access to a network or device through unsecured access points, weak wireless encryption standards, and weak or default credentials
Wireless
is a threat vector that attackers exploit through phishing campaigns
Attackers consider email the most successful vector due to its widespread use
Email
An attacker can compromise a system's component before its final integration by attacking the manufacturing or distribution process
Supply Chain
Attackers can use social media to launch a social engineering attack or to impersonate the victim online
Social Media
An attacker can load malware into _________ _______ without the victim's knowledge
Removable Media
Attackers can gain access to data stored in the cloud through password attacks and misconfigured access controls
Cloud
Publicly available information about cyber threats
Open-source intelligence (OSINT)
Information about cyber threats that is not publicly available
Closed/proprietary
The US National Vulnerability Database (NVD) keeps a record of technical vulnerabilities, including those catalogued in the Common Vulnerabilities and Exposures (CVE) list
Vulnerability databases
A central resource shared between the public and private sectors to disseminate information regarding cyber threat actors and threats to critical infrastructure
Public/private information-sharing centers
Internet content and websites that are not indexed by search engines and are reachable only through anonymizing networks; known for criminal activity such as the sale of stolen data and exploits
Dark Web
Evidence that an unauthorized action has been performed against an information system, such as a known-malicious file hash, IP address, or domain
Indicators of compromise (IoC)
A system that automatically shares threat indicators between the public and private sectors once a threat is confirmed
Automated Indicator Sharing (AIS)
A standardized language (STIX) for describing cyber threat information and a transport protocol (TAXII) for exchanging it automatically
Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Intelligence Information (TAXII)
The act of analyzing cyber threat information to anticipate the attacker's future actions
Predictive analysis
A graphical representation of cyber attacks conducted around the globe
Threat maps
A location for software developers to collaborate on projects and centrally store their source code
File/code repositories
Conducting research on a vendor by exploring its website for valuable information such as security advisories and patches
Vendor Websites
can provide information regarding current cyber threats and critical vulnerabilities
Vulnerability feeds
are published research papers that have been peer reviewed and written by industry experts
Academic journals
The series of documents that specify the protocols and standards used on the Internet
Request for Comments (RFC)
are made up of security experts who share cyber threat information while promoting networking among peers
Local industry groups
A source for information regarding cyber threats from multiple sources
Threat feeds
The pattern of activities associated with a specific threat actor
Adversary tactics, techniques, and procedures (TTP)
exploits an unpublished vulnerability with no available vendor patch
Zero Day
refer to security settings that leave a system or application exposed to threats that proper configuration would counter
Weak configurations
refers to files, shares, or storage on a device or in an application with no access control in place, so anyone can read or modify them
Open permissions
pose a significant security concern by allowing an attacker to gain administrative access, for example when root has a weak or default password or can log in directly over the network
Unsecured root accounts
Vendor defaults, such as a default administrator password, should be changed to prevent an attacker from simply guessing the default credential
Default settings
refers to protocols like Telnet, HTTP, or FTP, which transmit data in cleartext that anyone on the path can read
Unsecure protocols
can receive and respond to communication requests from an attacker, so every unneeded one enlarges the attack surface
Open ports and services
Risks associated with sharing information with individuals, groups, or outside organizations
Third party risks
This refers to the policies and procedures in place to manage vendor and supply chain risks
Vendor Management
refers to the ability of hardware and software systems to communicate and interoperate effectively; each integration point is a potential weakness
System Integration
can expose an organization to security vulnerabilities with no security patch available
Lack of vendor support
are risks that arise when an attacker disrupts or tampers with a system's manufacturing or delivery process
Supply Chain
An organization may choose to transfer its code development process to third-parties but may lose visibility and control of the code
Outsourced Code Development
Data stored outside the organization via a third party cloud provider should have identical security measures as data stored on-premise
Data storage
refers to software code embedded in a system's hardware that runs when the system boots; vulnerabilities in it survive operating system reinstalls
Firmware
controls the functionalities of a computer and can receive patches from major vendors through automation
(OS) Operating System
are software programs with user interfaces that are susceptible to software vulnerabilities and must be patched
Applications
A large open source of information on a threat’s capabilities, gathered from various sources and researchers
Intelligence Fusion
is the act of examining a system or application for the presence of known software vulnerabilities
Vulnerability Scans
occurs when a vulnerability scan detects a vulnerability that is not present on a system or application
False Positives
occurs when a vulnerability scan does not detect a vulnerability that is present on a system or application
False negatives
can detect access violations, security incidents, and other policy violations
Log reviews
can provide information such as the state of the system and its open ports, but is not as in-depth as a credentialed scan
Non credentialed scan
requires higher privileges but provides vulnerability details and user account information
Credentialed scan
an intrusive scan directly interacts with the target system and may attempt to exploit a vulnerability, whereas a non-intrusive scan only identifies it
Intrusive vs Non Intrusive Scan
vulnerabilities can be detected through dynamic code analysis, and fixes can require regression testing to ensure the code still executes as intended
Applications
Attackers can use freely available web application scanners to find web applications vulnerable to SQL injection or cross-site scripting, so defenders should run the same scans first
Web applications
A scan is conducted to enumerate the ports and services operating within a network
Network Scan
CVE assigns each publicly known vulnerability a unique ID; CVSS provides a standard score for its severity
Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS)
Reviews conducted to discover deviations from the system's security baseline
Configuration review
A system that collects, aggregates, and correlates log data to support IT and security teams
Syslog/Security information and event management (SIEM)
Reviewing the output from a SIEM for the presence of security incidents and possible false positives
SIEM Reports
Network packets captured and ingested by the SIEM can reveal a threat's presence on the network
Packet Capture
A SIEM system can ingest data from multiple sources
Data Input
A SIEM system can create alerts based on changes in an end-user's patterned behavior
User behavior analysis
refers to analyzing collected text data for the human emotion or opinion it conveys
Sentiment Analysis
is the process of combining log data from many sources into a common, searchable format
Log Aggregation
are agents or services that gather logs from individual sources and pass them to the SIEM for aggregation
Log collectors
combines data from multiple sources and automates response playbooks to decrease the dwell time of an attack
Security orchestration, automation, and response (SOAR)
An authorized, simulated cyber-attack against a system to find exploitable vulnerabilities before a real attacker does
Penetration testing
(white box) testing is conducted with the security tester having in-depth knowledge of the system or application being tested
Known Environment
(black box) testing is conducted with the security tester having no knowledge of the system or application being tested
Unknown Environment
(gray box) testing is conducted with the security tester being given limited knowledge of the system or application being tested
Partially Known Environment
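The Log reviews, SIEM and User behavior analysis cards describe correlation in the abstract. The following is an added example, not from the flashcards, of the correlation a SIEM rule performs over authentication logs: it parses sshd password events, flags one source hammering one account (brute force) and one source failing against many accounts (spraying), and escalates when a flagged source then logs in successfully. The log lines are constructed for the demo and use documentation IP ranges; the thresholds are assumptions that a real deployment would tune and apply over a time window.

```python
# Added example (not from the flashcards): the correlation a SIEM rule performs on
# authentication logs. The sshd lines below are constructed for the demo and use
# documentation IP addresses; thresholds are assumptions a real deployment would
# tune and apply over a sliding time window.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 10 12:00:01 web01 sshd[4101]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar 10 12:00:02 web01 sshd[4102]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Mar 10 12:00:03 web01 sshd[4103]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Mar 10 12:00:04 web01 sshd[4104]: Failed password for alice from 203.0.113.5 port 51003 ssh2
Mar 10 12:00:05 web01 sshd[4105]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Mar 10 12:01:10 web01 sshd[4110]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 10 12:01:11 web01 sshd[4111]: Failed password for carol from 198.51.100.7 port 40001 ssh2
Mar 10 12:01:12 web01 sshd[4112]: Failed password for dave from 198.51.100.7 port 40002 ssh2
Mar 10 12:01:13 web01 sshd[4113]: Failed password for erin from 198.51.100.7 port 40003 ssh2
Mar 10 12:01:14 web01 sshd[4114]: Accepted password for frank from 198.51.100.7 port 40004 ssh2
Mar 10 12:05:00 web01 sshd[4120]: Failed password for alice from 192.0.2.9 port 33000 ssh2
Mar 10 12:05:30 web01 sshd[4121]: Accepted password for alice from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text: str):
    """Yield (result, user, src) for each sshd password event; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def detect_auth_attacks(text: str, brute_threshold: int = 5, spray_threshold: int = 4):
    """Brute force: one source fails >= brute_threshold times against one account.
    Spraying: one source fails against >= spray_threshold distinct accounts.
    A success from a source already flagged is the alert worth paging on."""
    fails_per_pair = defaultdict(int)          # (src, user) -> failed attempts
    users_per_src = defaultdict(set)           # src -> accounts with failures
    successes = []                             # (src, user) logins that succeeded
    for result, user, src in parse_auth_log(text):
        if result == "Failed":
            fails_per_pair[(src, user)] += 1
            users_per_src[src].add(user)
        else:
            successes.append((src, user))
    alerts = []
    for (src, user), n in fails_per_pair.items():
        if n >= brute_threshold:
            alerts.append({"type": "brute_force", "src": src, "user": user, "count": n})
    for src, users in users_per_src.items():
        if len(users) >= spray_threshold:
            alerts.append({"type": "password_spray", "src": src, "users": sorted(users)})
    flagged = {a["src"] for a in alerts}
    for src, user in successes:
        if src in flagged:
            alerts.append({"type": "success_after_attack", "src": src, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_attacks(SAMPLE_LOG):
        print(alert)
```

The one failure followed by a success from 192.0.2.9 produces no alert; that is the ordinary mistyped password the thresholds are meant to ignore, and it is the reason spraying is detected per source across users rather than per account.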
the scope and boundaries of the penetration test
Rules of engagement
refers to an attacker pivoting to other devices within a network
Lateral Movement
An attacker can install a backdoor to maintain or regain access to a compromised system
Persistence
involves engaging with the system to collect information that’s otherwise not publicly available
Active Reconnaissance
refers to open-source techniques of information gathering, such as Google searches and public records, that collect information on a target without interacting with it
Passive Reconnaissance
is the act of gathering initial information about the target system or application, such as its domain names and address ranges
Foot printing