Information Security & Risk Management Flashcards

1
Q

Incident Response

A

Incident response defines how to handle an incident as soon as it is discovered: contain and counter the threat before it causes additional damage.

2
Q

Incident Response includes six important guidelines

A

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

4
Q

Stuxnet

A

A computer worm, the first cyberweapon capable of crippling critical government infrastructure and system operations.

5
Q

Botnet

A

A network of hijacked internet-connected devices. Attackers perform malicious actions on the bots or use them to attack other devices, typically DDoS.

6
Q

Notable Botnet attacks

A

Information theft - harvest sensitive data from the controlled bots.
Crypto mining - use the bots' hardware to perform crypto mining.
Spam mail - use bots to send phishing emails.
DDoS - the botnet can be used to perform a Distributed Denial of Service.
Brute force - bots can perform brute-force attacks against login interfaces.

7
Q

Botnet: Blue Team Aspect

A

Strengthens the organization's defenses, including endpoint security suites, strong password requirements, and implementation of the least privilege principle.

8
Q

Botnet: Red Team

A

Creates and maintains large, efficient, and legal botnets in a cloud environment. A large volume of bots can launch serious attacks that overwhelm an organization's services and defenses, for testing purposes.

9
Q

File-less malware

A

Malicious software that uses a legitimate program to infect a computer. This makes it difficult for antivirus programs to identify and remove it.

10
Q

File-less malware Vulnerabilities

A

In order to bypass antivirus detection, fileless malware operates in the computer's memory. That way, the code of the malicious software resides in memory without touching the hard drive.

11
Q

File-less malware Defensive

A

Computer memory scans are useful for detecting and preventing fileless malware activities.

12
Q

Keylogger

A

A program that sequentially records the user's keystrokes. Keyloggers can be used to gather sensitive data.

13
Q

Keyloggers: Blue Team

A

The best way to protect against keyloggers is user awareness. By ensuring that company employees only download files from verified and familiar websites, the team will prevent most keylogger attacks.

14
Q

Keylogger: Red Team

A

Keyloggers are used to collect data that attackers may use to take over corporate digital assets. Once ethical hackers capture credentials, they have the opportunity to escalate to higher-level privileges.

15
Q

Trojan

A

A type of malware that masquerades as a legitimate program to trick users into opening files. When executed, the trojan can compromise the computer by stealing or deleting files and folders, and attackers use it to open sockets on remote computers.
(Social Engineering)

16
Q

IT Team Aspect: Trojan

A

IT teams must install IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) solutions to detect and prevent trojan attacks.

17
Q

Red Team Aspect: Trojan

A

The red team can use Trojan files to access restricted areas in an organization’s systems through social engineering tactics as part of the penetration testing operations.

18
Q

Worms

A

A computer worm is a type of malware that, in addition to the malicious actions it performs on the computer, can also replicate itself and spread to other computers.

19
Q

How does it spread?

A

A computer worm uses its ability to spread across systems and networks, and once it reaches its target, it replicates itself. The worm can perform acts such as deleting or modifying files, injecting a malicious payload into software, and increasing the system's resource consumption.

20
Q

Worm Indications

A

Abnormal network traffic
Slow system performance
Emails and files sent without the user's knowledge
Unusual system behavior
Operations performed by the computer without user commands

21
Q

Blue Team Aspect: Worms

A

Monitoring is an important factor in preventing such occurrences. When a worm is in a target system, it scans the network for additional vulnerable targets, and the scanning-related operations generate security logs that the blue team can use to monitor and identify the presence of a worm on the organization's computers.

22
Q

Red Team Aspect: Worms

A

The red team uses worms to spread Trojans and viruses, create a backdoor, or dump sensitive information from the targeted computer systems, as part of its penetration testing tasks.

23
Q

Backdoor

A

A backdoor refers to any method by which authorized and unauthorized users can gain access to a computer.

24
Q

Types of backdoors

A

Hardware
Default passwords
Applications and systems
Operating systems
APIs

25
Q

Backdoor Detection and Prevention

A

Detection - backdoors can be detected by monitoring the behavior of users with high-level permissions and noticing unusual data spikes, such as connections to suspicious IP addresses.
Prevention - antivirus software that can detect a wide range of malware. Another way to prevent backdoors is to use firewalls that monitor all incoming and outgoing traffic on a device; if external network traffic attempts to enter the device, the firewall can block it.

26
Q

Red Team Aspect: Backdoor

A

Uses a backdoor to simulate bypassing security measures, demonstrating how an attacker could do so in a real-life scenario.

27
Q

Blue Team Aspect: Backdoor

A

Blue teams apply 24/7 monitoring of all devices and networks to detect any suspicious activity. Prevention and detection measures are implemented using security techniques such as firewalls, IPS, EDR, endpoint solutions, and others.

28
Q

CIA Triad

A

Confidentiality - only authorized personnel can access the data, which is passed only between sender and recipient. Encryption is an essential factor in maintaining confidentiality, ensuring that the data can be shared using keys to encrypt and decrypt it.
Integrity - the ability to ensure the reliability, consistency, and accuracy of information or data.
Availability - the concept of ensuring that data or services are accessible to the authorized users who need them.

29
Q

Ransomware

A

Ransomware is a type of malicious program that attackers use to encrypt the victim's data and hold it captive while demanding cryptocurrency payment to unlock the data.

30
Q

Blue Team Aspect: Ransomware

A

Many companies implement the necessary security measures and network protection solutions, such as firewalls, IDS, IPS, and WAF, to safeguard their assets and data against these attacks.

31
Q

Programmer Aspect: Ransomware

A

Programmers of cybersecurity tools need to find solutions to modern and sophisticated ransomware.