Einführung

Question 1

Risk-Reduction ROI Formel

Answer 1

(reduction in risk in $ - cost of control) / cost of control

Question 2

Reduction in risk Formel

Answer 2

Annualized rate of occurrence * expected monetary loss for a single event * reduction in probability of risk occurrence with the control

Question 3

Compliance vs. Security

Answer 3

• Compliance: Regulatory Frameworks, risks, standards, policies, documentation
  -> only mandates basic security hygiene
  -> should be technology-neutral
• Security: Authentication Mechanisms, Secure IT Environment, Physical Controls, Network Access, Business Processes
  -> Compliance misst Security

Question 4

Advanced Persistent Threat (APT): Characteristics

Answer 4

• Sophisticated & sustained
• Undetected presence over a prolonged period of time
• High degree of customization
• Experienced and well-funded attacker

Question 5

APT categories

Answer 5

• Cyberespionage
• Financial crimes
• Hacktivism
• Destruction

Question 6

APT Modus Operandi

Answer 6

• Stage 1: Planning
• Stage 2: Infiltration
• Stage 3: Expansion
• Stage 4: Execution

Question 7

APT: Planning

Answer 7

1) Research the target
2) Assemble a team of attackers
3) Acquire or build the necessary tools
4) Test the target’s detection capability
5) Zero-day vulnerability hunts on used technology

Question 8

APT: Infiltration

Answer 8

5) Distraction with a DDoS attack
6) Initial Infiltration on found vulnerability to enter system

Question 9

APT: Expansion

Answer 9

7) Expand access across the network
8) Move laterally through the system
9) Gather target data in bundles

Question 10

APT: Execution

Answer 10

10) White noise attack (DDoS zur Ablenkung)
11) Exfiltrate data
12) Leave a backdoor for future attacks
-> also: clean-up, erase footsteps

Question 11

Common types of security vulnerabilities

Answer 11

• Vulnerabilities in the source code
• Misconfigured system components
• Trust configurations
• Weak credentialing practices
• Lack of strong encryption
• Insider threat
• Psychological vulnerability
• Inadequate authentication
• Injection flaws
• Sensitive data exposure
• Insufficient monitoring and logs
• Shared tenancy vulnerabilities

Question 12

Definition attack vector

Answer 12

• Are the methods that attackers use to break into a network
• sum of attack vectors: attack surface

Question 13

Common attack vectors (categories)

Answer 13

• Targeting the network vulnerabilities
• Targeting the network services
• Targeting the users

Question 14

Attack vectors: Network Vulnerabilities

Answer 14

• Missing or poor encryption
  -> Measure: Encryption while data is at rest, transferred or processed
• Misconfiguration
  -> Measure: Micro-segmentation policy
• Session Hijacking
  -> Measure: Secure Channel Protocols
• MITM
  -> Measure: Encryption
• Cross-Site-Scripting/SQL-Injection
  -> Measure: Don’t trust user’s input (sanitize)
  –> attacks can be made harder or even prevented without affecting the services

Question 15

Attack vectors: Network Services

Answer 15

• Brute Force attacks
• (D)DoS
• Zero-Day-Exploits
  –> Can’t be prevented without affecting the services

Question 16

Attack vectors: Users

Answer 16

• Phishing
• Typosquatting
• Compromised, weak or stolen credentials
• Trust relationships
• Malicious insiders
  –> Awareness Training

Question 17

Other common attack vectors

Answer 17

• Ransomware
• Third party vendors

Question 18

Future Shift of Attack Vectors

Answer 18

• IoT
• Home office
• “Always on”
• Miniaturization (immer kleinere Hardware)
• Quantum computers
• Breaking old protocols with new methods

Question 19

Social Engineering Definition

Answer 19

Using the human component to get reconnaissance (Auskundschaften) of a network

Question 20

Social Engineering: Six Levers

Answer 20

• Reciprocration (“Gegenseitigkeit”)
• Scarcity (“Knappheit”)
• Consistency (“Konsistenz”)
  -> User prüfen “alltägliche” Dinge nicht genau
• Liking (“Sympathie”)
• Authority (“Authorität”)
• Social validation (“soziale Bestätigung”)
  -> Schwarmintelligenz

Question 21

Popular social engineering attacks

Answer 21

• Pretexting
  -> construct a lie such that the victim believes it is real
• Diversion theft
  -> Convince the courier that the service is required somewhere else
  -> MITM
• Phishing
• Vishing
  -> phone systems
• Spear-phishing
  -> more targeted, background information
• Water holing
  -> exploit vulnerabilities on trusted sites
• Baiting
  -> flash drive
• Quid pro quo
• Tailgating

Question 22

Defenses against Social Engineering

Answer 22

• Education/training
• Multi-layer defense
• Password guidelines
• Technical defenses against special attacks

Question 23

Security Operations Center (SOC) Definition

Answer 23

• Centralized unit offering services regarding IT-Security
• Can be internal within an organization or external, providing remote services for outside parties
• Consists of a security team that defends the network against unauthorized activities. Responsibilities include protection, monitoring, detection, and analysis

Question 24

SOC: Roles and Responsibilities

Answer 24

• Tier 1: Incident detection, incident triage
• Tier 2: Incident Responder
• Tier 3: Incident Resolution, post-incident, threat hunter
• SOC manager: supervision

Question 25

SOC: Services

Answer 25

- Preventive: -> Real time monitoring and triage, including call center -> Prevention of cybersecurity incident -> Regular vulnerability scan for network and host - Detective: -> Incident analysis and response -> Forensic artifact analysis -> Deploying countermeasures - Post: -> Regular security policies adaption and consultation -> Sensor tuning and maintenance

Question 26

How to collect Cyberintelligence

Answer 26

- Cyber news feed - Signature updates - Incident reports - Threat briefs - Being up to date with tactics, techniques and procedures (TTP) of advanced adversaries

Question 27

SOC data sources

Answer 27

- Monitoring systems - Calls / E-mails from employees, customers - Broadcast messages from providers/agencies/authorities - Threat intelligence

Question 28

Security Information and Event Management (SIEM)

Answer 28

- One of the most important tool in SOC - Basic tasks: data aggregation, correlation, alert ranking and prioritization, alerting

Question 29

Incident Handling Prozess

Answer 29

- Preparation - Identification - Containment - Eradication - Recovery - Lessons Learnt

Question 30

Identifizierung vs. Authentifizierung

Answer 30

- Identifizierung ist die Fähigkeit, eindeutig einen Benutzer eines Systems oder einer Anwendung zu identifizieren - Authentifizierung ist die Möglichkeit, zu beweisen, dass ein Benutzer oder eine Anwendung wirklich die Person oder die Anwendung ist, die/der die Anwendung beansprucht