Domain 7 - Security Operations Flashcards
1
Q
Describe the proper process during an Incident Scene.
A
- ID the Scene
- Protect the environment
- ID evidence and potential sources of evidence
- Collect evidence
– hash + - Minimize the degree of contamination
Locard’s Exchange Principle
– perps leave something behind
2
Q
What are the important factors within Evidence?
A
Sufficient Reliable Relevant Permissible Preserved and identifiable
3
Q
Sufficient
A
persuasive enough to convince one of its validity
4
Q
Reliable
A
consistent with fact, evidence has not been tampered with or modified
5
Q
Relevant
A
relationship to the findings must be reasonable and sensible, Proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts
6
Q
Permissible
A
lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence
7
Q
Preserved and identifiable
A
collection, reconstruction
8
Q
Identification
A
labeling, recording serial number etc. Evidence must be preserved and identifiable
•Collection, documentation, classification, comparison, reconstruction
9
Q
EVIDENCE LIFECYCLE
A
- Discovery
- Protection
- Recording
- Collection and identification
- Analysis
- Storage, preservation, transportation
- Present in court
- Return to owner
Witnesses that evidence is trustworthy, description of procedures, normal business methods collections, error precaution and correction
10
Q
Best Evidence
A
–Primary Evidence–is used at the trial because it is the most reliable.
–Original documents–are used to document things such as contracts
– NOTE: no copies!
–Note: Oral is not best evidence though it may provide interpretation of documents, etc.
11
Q
Secondary Evidence
A
–Not as strong as best evidence.
–A copy, Secondary Evidence, is not permitted if the original, Best Evidence, is available –Copies of documents.
–Oral evidence like Witness testimony
12
Q
Direct Evidence
A
–Can prove fact by itself and does not need any type of backup.
–Testimony from a witness –one of their 5 senses:
•Oral Evidence is a type of Secondary Evidence so the case can’t simply stand on it alone But it is Direct Evidence and does not need other evidence to substantiate
13
Q
Conclusive evidence
A
–Irrefutable and cannot be contradicted
–Requires no other corroboration
14
Q
Circumstantial evidence
A
–Used to help assume another fact
–Cannot stand on its own to directly prove a fact
15
Q
Corroborative Evidence
A
Supports or substantiates other evidence presented in a case
16
Q
Hearsay Evidence
A
something a witness hears another one say. Also business records are hearsay and all that’s printed or displayed. One exception to business records: audit trails and business records are not considered hearsay when the documents are created in the normal course of business.
17
Q
Interviewing
A
gather facts and determine the substance of the case.
18
Q
Interrogation
A
–Evidence retrieval method, ultimately obtain a confession
19
Q
The Process - Due Process
A
–Prepare questions and topics, put witness at ease, summarize information
–interview/interrogation plan
–Have one person as lead and 1-2 others involved as well
–never interrogate or interview alone
20
Q
Opinion Rule
A
Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case.
21
Q
Expert Witnesses
A
–Used to educate the jury, can be used as evidence
22
Q
Six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:
A
When dealing with digital evidence, all of the general forensic and procedural principles must be applied. Upon seizing digital evidence, actions taken should not change that evidence.
When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
23
Q
Media analysis
A
a branch of computer forensic analysis, involves the identification and extraction of information from storage media. This may include the following: Magnetic media (e.g., hard disks, tapes) Optical media (e.g., CDs, DVDs, Blu-ray discs) Memory (e.g., RAM, solid state storage) Techniques used for media analysis may include the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.
24
Q
Network Analysis
A
Forensic investigators are also often interested in the activity that took place over the network during a security incident. Network forensic analysis, therefore, often depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log network activity. These include: Intrusion detection and prevention system logs Network flow data captured by a flow monitoring system Packet captures deliberately collected during an incident Logs from firewalls and other network security devices The task of the network forensic analyst is to collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.
25
Software Analysis
Forensic analysts may also be called on to conduct forensic reviews of applications or the activity that takes place within a running application. In some cases, when malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities. In other cases, forensic analysis may be asked to review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.
26
Hardware/ Embedded Device Analysis
Forensic analysts often must review the contents of hardware and embedded devices. This may include a review of Personal computers & Smartphones
27
Admissible Evidence
- The evidence must be relevant to determining a fact.
- The fact that the evidence seeks to determine must be material (that is, related) to the case.
- The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
28
Five rules of evidence
- Be authentic; evidence tied back to scene
- Be accurate; maintain authenticity and veracity
- Be complete; all evidence collected, for & against view
- Be convincing; clear & easy to understand for jury
- Be admissible; be able to be used in court
29
Forensic Disk Controller
intercepting and modifying or discarding commands sent to the storage device Write Blocking, intercepts write commands sent to the device and prevents them from modifying data on the device
Return data requested by a read operation
Returning access-significant information from device
Reporting errors from device to forensic host
LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS
30
MOM
means, opportunity and motive
31
Victimology
why certain people are victims of crime and how lifestyle affects the chances that a certain person will fall victim to a crime Investigation
32
Types of Investigations
- Operational
- Criminal
- Civil
- eDiscovery
33
What is a very important step when investigating a hard drive?
don’t use message digest because it will change the timestamps of the files when the file-system is not set to Read-Only
Slack space on a disk should be inspected for hidden data and should be included in a disk image
34
Common Law
USA, UK Australia Canada (judges)
35
Civil Law
Europe, South America
36
Islamite and other Religious laws
ME, Africa, Indonesia
37
United States 3 Branches for Laws
Legislative: writing laws (statutory laws).
Executive: enforces laws (administrative laws)
Juridical: Interprets laws (makes common laws out of court decisions)
38
What are the 3 categories of law?
Criminal law
Civil law
Administrative/Regulatory law
39
Criminal law
individuals that violate government laws. Punishment mostly imprisonment
40
Civil law
wrongs against individual or organization that result in a damage or loss.
Punishment can include financial penalties. AKA tort law (I’ll Sue You!) Jury decides liability
41
Administrative/Regulatory law
how the industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties
42
Uniform Computer Information Transactions Act (UCITA
A federal law that provides a common framework for the conduct of computer-related business transactions.
UCITA contains provisions that address software licensing.
The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing and click-wrap licensing by giving them status as legally binding contracts.
43
Computer Crime Laws -3 types of harm
- unauthorized intrusion,
- unauthorized alteration or destruction
- malicious code
44
Admissible evidence
relevant, sufficient, reliable, does not have to be tangible
45
Hearsay
second-hand data not admissible in court
46
Enticement
the legal action of luring an intruder, like in a honeypot
47
Entrapment
the illegal act of inducing a crime, the individual had no intent of committing the crime at first
48
Federal Sentencing Guidelines
provides judges and courts procedures on the prevention, detection and reporting
49
SIEM
Security incident and event management
Automating much of the routine work of log review. Provide real‐time analysis of events occurring on systems throughout an organization but don’t necessarily scan outgoing traffic.
50
Intrusion Detection and Prevention
An intrusion occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources. Intrusion detection is a specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
51
IDS
Intrusion Detection System
automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. IDSs are an effective method of detecting many DoS and DDoS attacks. They can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally such as a malicious worm. Once they detect a suspicious event, they respond by sending alerts or raising alarms. In some cases, they can modify the environment to stop an attack. A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions. An IDS is intended as part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.
52
IPS
Intrusion Prevention System
Includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions. If desired, administrators can disable these extra features of an IPS, essentially causing it to function as an IDS.
53
Data Loss Prevention (DLP)
PROTECT SENSITIVE INFORMATION
Data loss prevention systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns
54
Network-based DLP
scans all outgoing data looking for specific data. Administrators would place it on the edge of the negative to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP system will send an alert, such as an email to an administrator.
55
Endpoint-based DLP
Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.
56
3 states of information
- data at rest (storage)
- data in transit (the network)
- data being processed (must be decrypted) / in use / end-point
Can look for sensitive information stored on hard drives
57
Configuration item (CI)
component whose state is recorded Version: recorded state of the CI
58
Configuration
collection of component CI’s that make another CI
59
Building
assembling a version of a CI using component CI’s
60
Build list
set of versions of component CI’s used to build a CI Software Library - controlled area only accessible for approved users
61
Recovery procedures
system should restart in secure mode
62
maintenance mode
Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals
63
Fault-tolerant
continues to function despite failure
64
Fail safe system
program execution is terminated and system protected from compromise when hardware or software failure occurs
DOORS usually
65
Fail Closed/secure
most conservative from a security perspective
66
Fail Hard
BSOD, human to see why it failed
67
Fail soft or resilient system
reboot, selected, non-critical processing is terminated when failure occurs
68
FAIL SAFE
doors UNLOCK
69
FAIL SECURE
doors LOCK
70
Trusted Path
Protect data between users and a security component. Channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities. A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange.
ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY
71
Events
anything that happens. Can be documented verified and analyzed
72
Security Incident
event or series of events that adversely impact the ability of an organization to do business
suspected attack
73
Security intrusion
evidence attacker attempted or gained access
74
Lifecycle - Response Capability
policy, procedures, a team
75
Incident response and handling
Triage, investigation, containment, and analysis & tracking
76
Recovery
Recovery / Repair
77
Debriefing / Feedback
External Communications
78
Mitigation
limit the effect or scope of an incident
79
List the steps for an Incidence Response
```
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons Learned
```
80
Root Cause Analysis (RCA)
Tree / Boolean -FAULT TREE ANALYSIS
- 5Ways
- Failure Mode and Effects analysis
- Pareto Analysis
- Fault Tree Analysis
- Cause Mapping
81
HIDS
Host-based IDS, monitors activity on a single computer, including process calls and information recorded in firewall logs. It can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker. A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect.
82
NIDS
Network-based IDS, monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details. A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.
83
List the 3 Backup types
Full
Incremental
Differential
84
Full
All files, archive bit and modify bit are cleared. Advantage: only previous day needed for full restore, disadvantage: time consuming
85
Incremental
only modified files, archive bit cleared, Advantage: least time and space, Disadvantage: first restore full then all incremental backups, thus less reliable because it depends on more components
86
Differential
only modified files, doesn’t clear archive bit. Advantage: full and only last diff needed, Intermediate time between full and diff.
87
Redundant servers
applies raid 1 mirroring concept to servers. On error servers can do a fail-over. This AKA server fault tolerance
88
Server clustering
group of independent servers which are managed as a single system. All servers are online and take part in processing service requests. Individual computing devices on a cluster vs. a grid system – cluster devices all share the same OS and application software but grid devices can have different OSs while still working on same problem
89
Tape Rotation Schemes
GF/Father/Son, Tower of Hanoi, Six Cartridge Weekly
90
RAIT
robotic mechanisms to transfer tapes between storage and drive mechanisms
91
RAID 0
Striped, one large disk out of several –Improved performance but no fault tolerance
92
RAID 1
Mirrored drives –fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed
93
RAID 2
not used commercially. Hammering Code Parity/error
94
RAID 3
Striped on byte level with extra parity drive –Improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives
95
RAID4
Same as Raid 3 but striped on block level; 3 or more drives
96
RAID 5
Striped on block level, parity distributed over all drives – requires all drives but one to be present to operate hot- swappable. Interleave parity, recovery control; 3 or more drives
97
RAID 6
Dual Parity, parity distributed over all drives –requires all drives but two to be present to operate hot- swappable
98
RAID 7
same as raid5 but all drives act as one single virtual disk
99
Transaction Redundancy Implementations
Electronic vaulting
Remote Journaling
Database shadowing
100
Electronic vaulting
transfer of backup data to an offsite storage location via communication lines
101
Remote Journaling
parallel processing of transactions to an alternative site via communication lines
102
Database shadowing
live processing of remote journaling and creating duplicates of the database sets to multiple servers
103
Data destruction and reuse
```
Object reuse
Data remanence
Clearing
Purging
Destruction
```
104
Object reuse
use after initial use
105
Data remanence
remaining data after erasure Format magnetic media 7 times (orange book)
106
Clearing
overwriting media to be reused
107
Purging
degaussing or overwriting to be removed
108
Destruction
complete destroy preferably by burning
109
What is the end goal of Disaster Recovery Planning?
Restore normal business operations. Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information Goal: provide organized way for decision making, reduce confusion and deal with the crisis. Planning and development must occur before the disaster BIA has already been done, now were going to protect!
110
What is a Disaster?
any event, natural or manmade, that can disrupt normal IT operations The disaster is not over until all operations have been returned to their normal location and function It will be officially over when the data has been verified at the primary site, as accurate
111
Recovery team
mandated to implement recovery after the declaration of the disaster
112
Salvage team
goes back to the primary site to normal processing environmental conditions. Clean, repair, Salvage. Can declare when primary site is available again
113
Normal Operations Resume plan
has all procedures on how the company will return processing from the alternate site
114
Other recovery issues
Interfacing with other groups: everyone outside the corporation Employee relations: responsibility towards employees and families Fraud and Crime: like vandalism, looting and people grabbing the opportunity Financial disbursement, Media relations 1. Find someone to run it
Documenting the Plan Activation and recovery procedures Plan management
HR involvement
Costs
Required documentation Internal /external communications
Detailed plans by team members
GET COMMUNICATIONS UP FIRST THEN MOST CRITCAL BUSINESS FUNCTIONS
Disaster
115
Disaster Recovery Test
```
Desk Check
Table-top exercise
Simulation tests
Parallel tests
Full-interruption tests
```
116
Desk Check
review plan contents
117
Table-top exercise
members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.
118
Simulation tests
are more comprehensive and may impact one or more noncritical business units of the organization, all support personnel meet in a practice room
119
Parallel tests
involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also
120
Full-interruption tests
involve relocating personnel to the alternate site and shutting down operations at the primary site.
121
BCP
Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation
122
BCP (pro) & DRP (reactive)Goals
Business continuity- Ensuring the business can continue in an emergency, 1st business organization analysis
Focus on business processes
1. Scope and plan initiation - Consider amount of work required, resources required, management practice
2. BIA – helps to understand impact of disruptive processes
3. Business Continuity Plan development a. Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development) b. Testing
4. Plan approval and implementation - Management approval - Create awareness
Update plan as needed, At least once a year testing
Disaster Recovery – Recover as quickly as possible
- Heavy IT focus
- Allows the execution of the BCP
- Needs Planning
- Needs Testing
CRITICA, URGENT, IMPORTANT
123
Business Continuity plans development
- Defining the continuity strategy
- Computing: strategy to preserve the elements of hardware/software/ communication lines/ applications/ data
- Facilities: use of main buildings or any remote facilities
- People: operators, management, technical support persons
- Supplies and equipment: paper, forms HVAC
- Documenting the continuity strategy
124
Roles and responsibilities: BCP committee
BCP committee
- Senior staff (ultimate responsibility, due care/diligence)
- Various business units (identify and prioritize time critical systems)
- Information Systems
- Security Administrator
- People who will carry out the plan (execute) representatives from all departments
125
CCTV
Multiplexer allows multiple camera screens shown over one cable on a monitor
Via coax cables (hence closed)
Attacks: replayed (video images)
Fixed mounting versus PTZ Pan Tilt Zoom accunicator system (detects movements on screen and alerts guards)
Recording (for later review) = detective control
CCTV enables you to compare the audit trails and access logs with a visual recording
126
Importance of Lighting
Glare protection - against blinding by lights
Continuous lightning - evenly distributed lightning
Controlled lightning - no bleeding over no blinding
Standby Lightning - timers
Responsive areas illumination - IDS detects activities and turns on lightning
NIST: for critical areas the area should be illuminated 8 feet in height with 2-foot candle power
127
Fences
Small mesh and high gauge is most secure
3-4 feet deters casual trespasser
6-7 feet too hard to climb easily
8 feet + wires deters intruders, difficult to climb
no one STOPS a determined intruder
128
Local alarms
audible alarm for at least 4000 feet far
129
Central stations
less than 10mins travel time for e.g. an private security firm
130
Proprietary systems
owned and operated by the customer. System provides many of the features in-house
131
Auxiliary Station systems
on alarm ring out to local fire or police
132
Line supervision check
if no tampering is done with the alarm wires
133
Power supplies
alarm systems needs separate circuitry and backup power
134
PHYSICAL PARAMETER DETECTION : Electromechanical
detect a break or change in a circuit magnets pulled lose, wires door, pressure pads
135
Photoelectric
light beams interrupted (as in an store entrance)
136
Passive infrared
detects changes in temperature
137
Acoustical detection
- microphones, vibrations sensors
138
wave pattern motion detectors
detects motions
139
proximity or capacitance detector
magnetic field detects presence around an object
140
Types of Locks
```
Warded lock
Tumbler lock
Combination lock
Cipher Lock
Device lock
Preset
Programmable
```
141
Warded lock
hanging lock with a key
142
Tumbler lock
cylinder slot
143
Combination lock
3 digits with wheels
144
Cipher Lock
Electrical
145
Device lock
bolt down hardware
146
Preset
ordinary door lock
147
Programmable
combination or electrical lock
148
Raking
circumvent a pin tumbler lock
149
Audit trails
Date and time stamps Successful or not attempt Where the access was granted
Who attempted access
Who modified access privileges at supervisor level
150
Security access cards
Photo id card: dumb cards Digital-coded cards:
* Swipe cards
* Smartcards Wireless proximity cards
* User activated
* System sensing
o Passive device, no battery, uses power of the field
o Field Powered device: active electronics, transmitter but gets power from the surrounding field from the reader
Transponders: both card and receiver holds power, transmitter and electronics
151
What is a Trusted recovery ?
Ensures that the security is not breached when a system crash or failure occurs. Only required for a B3 and A1 level systems.
152
Failure preparation
Backup critical information thus enabling data recovery
153
System recovery after a system crash
1. Rebooting system in single user mode or recovery console, so no user access is enabled
2. Recovering all file systems that were active during failure
3. Restoring missing or damaged files
4. Recovering the required security characteristic, such as file security labels
5. Checking security-critical files such as system password file
154
Common criteria hierarchical recovery types
1. Manual System administrator intervention is required to return the system to a secure state
2. Automatic Recovery to an secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures)
3. Automatic without Undo Loss Higher level of recovery defining prevention against the undue loss of protected objects
4. Function system can restore functional processes automatically
155
Types of system failure
System reboot
Emergency restart
System cold start
156
System reboot
System shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources
157
Emergency restart
when a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments
158
System cold start
when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state.
159
Hackers and crackers
want to verify their skills as intruders
160
Entitlement
refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges
161
Aggregation
Privilege Creep, accumulate privileges
162
Hypervisor
software component that manages the virtual components. The hypervisor adds an additional attack surface, so it’s important to ensure it is deployed in a secure state and kept up-todate with patches, controls access to physical resources
163
Notebook
most preferred in the legal investigation is a bound notebook, pages are attached to a binding.
164
Exigent circumstances
allows officials to seize evidence before its destroyed (police team fall in)
165
Data haven
is a country or location that has no laws or poorly enforced laws
166
Chain of custody
= collection, analysis and preservation of data Forensics uses bit-level copy of the disk
167
Darknet
unused network space that may detect unauthorized activity
168
Pseudo flaw
– false vulnerability in a system that may attract an attacker
169
FAIR INFORMATION PRACTICES
* Openness
* Collection Limitation
* Purpose Specification
* Use Limitation
* Data Quality
* Individual Participation
* Security Safeguards
* Accountability
170
Noise and perturbation
inserting bogus information to hope to mislead an attacker
171
GANTT and PERT charts
Monitor progress and planning of projects through GANTT and PERT charts
172
Piggybacking
looking over someone’s shoulder to see how someone gets access.
173
Data center should have:
* Walls from floor to ceiling • Floor: Concrete slab: 150 pounds square foot
* No windows in a datacenter
* Air-conditioning should have own Emergency Power Off (EPO)
Electronic Access Control (EAC): proximity readers, programmable locks or biometric systems
Location
174
CPTED
Crime Prevention Through Environmental design
- Natural Access control: guidance of people by doors fences bollards lightning. Security zones defined
- Natural surveillance: cameras and guards
- Territorial Reinforcements: walls fences flags Target Hardening: focus on locks, cameras guards
175
Facility site:
CORE OF BUILDING (thus with 6 stores, on 3rd floor)
176
Hacktivists
combination of hacker and activist), often combine political motivations with the thrill of hacking.
177
Thrill attacks
are the attacks launched only for the fun of it. Pride, bragging rights
178
Script kiddies
Attackers who lack the ability to devise their own attacks will often download programs that do their work for them. The main motivation behind these attacks is the “high” of successfully breaking into a system. Service interruption. An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Common to do website defacements,
179
Business Attacks
focus on illegally obtaining an organization’s confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself.
180
Financial Attacks
carried out to unlawfully obtain money or services.
181
Terrorist Attacks
purpose of a terrorist attack is to disrupt normal life and instill fear
182
Military or intelligence attack
designed to extract secret information.
183
Grudge Attacks
are attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person’s reputation.
184
Sabotage
is a criminal act of destruction or disruption committed against an organization by an employee. It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.
185
Espionage
is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization. Attackers often commit espionage with the intent of disclosing or selling the information to a competitor or other interested organization (such as a foreign government). Attackers can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside the organization. Countermeasures against espionage are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.
186
Integrity breaches
unauthorized modification of information, violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances
187
Confidentiality breaches
theft of sensitive information
