Information Security & Risk Management Flashcards
Incident Response
Incident response defines how to handle an incident as soon as it is discovered. The goal is to contain and counter a threat before it causes additional damage.
Incident Response includes six important phases
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Stuxnet
A computer worm, the first cyberweapon capable of crippling critical government infrastructure and system operations.
Botnet
A botnet is a network of hijacked, internet-connected devices. Attackers perform malicious actions on the bots or use them to attack other devices, typically through DDoS.
Notable Botnet attacks
Information Theft - harvest sensitive data from the controlled bots.
Crypto Mining - use the bots' hardware to perform cryptocurrency mining.
Spam Mail - use bots to send phishing emails.
DDoS - use the botnet to perform a Distributed Denial of Service attack.
Brute Force - bots can perform brute-force attacks against login interfaces.
Botnet: Blue Team Aspect
Strengthen the organization's defenses, including endpoint security suites, strong password requirements, and implementation of the least privilege principle.
Botnet: Red Team
Create and maintain large, efficient, and legal botnets in a cloud environment. A large volume of bots can launch serious attacks that overwhelm an organization's services and defenses, for testing purposes.
File-less malware
Malicious software that uses a legitimate program to infect a computer. This makes it difficult for antivirus programs to identify and delete the malware.
File-less malware Vulnerabilities
In order to bypass antivirus detection, fileless malware operates in the computer's memory. That way, the malicious code resides in memory without ever touching the hard drive.
File-less malware Defensive
Computer memory scans are useful for detecting and preventing fileless malware activities.
Keylogger
A program that sequentially records the user's keystrokes. Keyloggers can be used to gather sensitive data.
Keyloggers: Blue Team
The best way to protect against keyloggers is user awareness. By ensuring that company employees only download files from verified and familiar websites, the blue team will prevent most keylogger attacks.
Keylogger: Red Team
Keyloggers are used to collect data that attackers may use to take over corporate digital assets. Once ethical hackers capture credentials, they have the opportunity to escalate to higher-level privileges.
Trojan
A type of malware that masquerades as a legitimate program to trick users into opening files (social engineering). When executed, the trojan can compromise the computer by stealing or deleting files and folders, and attackers use it to open network sockets on remote computers.
IT Team Aspect: Trojan
IT teams must deploy IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) solutions to detect and prevent trojan attacks.
Red Team Aspect: Trojan
The red team can use Trojan files to access restricted areas in an organization’s systems through social engineering tactics as part of the penetration testing operations.
Worms
A computer worm is a type of malware that, in addition to the malicious actions it performs on the computer, can also replicate itself and spread to other computers.
How does it spread?
A computer worm uses its ability to spread across systems and networks, and once it reaches its target, it replicates itself. The worm can perform actions such as deleting or modifying files, injecting a malicious payload into software, and increasing the system's resource consumption.
Worm Indications
Abnormal network traffic.
Slow system performance.
Emails and files sent without the user's knowledge.
Unusual system behavior.
Operations performed by the computer without user commands.
Blue Team Aspect: Worms
Monitoring is an important factor in preventing such occurrences. When a worm is in a target system, it scans the network for additional vulnerable targets, and the scanning-related operations generate security logs that the blue team can use to monitor and identify the presence of a worm on the organization's computers.
Red Team Aspect: Worms
The red team uses worms to spread Trojans and viruses, create a backdoor, or dump sensitive information from the targeted computer systems, as part of their penetration testing tasks.
Backdoor
A backdoor refers to any method by which users, authorized or not, can gain access to a computer while bypassing its normal security controls.
Types of backdoors
Hardware
Default Passwords
Applications and Systems
Operating Systems
APIs
Backdoor Detection and Prevention
Detection - Backdoors can be detected by monitoring the behavior of users with high-level permissions and noticing unusual data spikes, such as connections to suspicious IP addresses.
Prevention - Antivirus software that can detect a wide range of malware. Another way to prevent backdoors is by using firewalls that monitor all incoming and outgoing traffic on a device. If external network traffic attempts to enter the device, the firewall can block it.
Red Team Aspect: Backdoor
Use a backdoor to simulate bypassing security measures and demonstrate how an attacker could do so in a real-life scenario.
Blue Team Aspect: Backdoor
Blue teams apply 24/7 monitoring of all devices and networks to detect any suspicious activity. Prevention and detection measures are implemented using security technologies such as firewalls, IPS, EDR, endpoint solutions, and others.
CIA Triad
Confidentiality - Only authorized personnel can access the data, which is passed only between sender and recipient. Encryption is an essential factor in maintaining confidentiality, ensuring that the data can be shared only by those who hold the keys to encrypt and decrypt it.
Integrity - The ability to ensure the reliability, consistency, and accuracy of information or data.
Availability - The concept of ensuring that data or services are accessible to the authorized users who need them.
Ransomware
Ransomware is a type of malicious program that attackers use to encrypt the victim's data and hold it captive while demanding a cryptocurrency payment to unlock the data.
Blue Team Aspect: Ransomware
Many companies implement the necessary security measures and network protection solutions, such as firewalls, IDS, IPS, and WAF, to safeguard their assets and data against these attacks.
Programmer Aspect: Ransomware
Programmers of cybersecurity tools need to find solutions against modern and sophisticated ransomware.