InfoSec Part 2 Flashcards
What is malware?
Malicious software: software intended to:
Disable computer systems
Disrupt operations
Steal data
A program that must be executed to have any impact
Keylogger
Logs your keystrokes (recording passwords, intellectual property)
Bot
Waits on an infected computer for a command signal from its controller
Remote control: lets the cybercriminal make the machine do anything they want
Ransomware
Encrypts your data and demands a ransom payment to get it back
Types of systems targeted by malware … and which platform suffered nearly half of malware infections as of mid-2021?
Computers (Windows, Macintosh OS X, Linux)
Mobile devices (Android, iOS, etc.)
Roughly half (about 50%) of all malware infections occurred on Android phones (mid-2021 figure)
Trojans – what are they, and how do they compromise systems?
Malware hidden inside something the user wants (utility software, a game, a bogus software update)
Needs no software vulnerability: the user installs and runs it
Banking Trojans
Steal financial information via:
Spoofing
Keylogger
Man-in-the-middle
TrickBot, Panda, Kronos, Zeus, etc.
Remote Access Trojans
Rapid growth in RATs ("RAT explosion")
Read messages, monitor GPS location, record audio from the mic, take pictures, etc.
Broad range of targets
Give the attacker full remote access to the device
Modular, flexible
Fake Antivirus Trojans
Simulate the activity of antivirus software or parts of the OS security modules
Designed to extort money from users in return for the detection and removal of threats that are nonexistent
Repeated pop ups to make the user worry and pay for fake antivirus software
Viruses – what are they, and how do they propagate?
Self-replicating malware that hides inside a host file; it spreads when the infected file is copied and run
Payloads: keyloggers, file destruction, or none at all
What is a macro? What is a macro virus?
Macro: scripting capability built into Office apps and others
Macro virus: a macro whose code is malicious; it runs when the document is opened with macros enabled
Worms – what are they, and how do they propagate?
Stand-alone malware
- No “useful program”
- No infected host file
Self-propagating via network
Exploits vulnerabilities to invade systems
Payloads similar to those of viruses
Why is Email a powerful attack vector?
Ubiquitous (everyone has one)
Distribute as attachments, links
Large threat
What is phishing?
A scam by which an email user is duped into revealing personal or confidential info which the scammer can use illicitly
What three key scam techniques are used in a phishing attack?
Seems legit — spoofing
Sense of urgency
Call to action
What is spoofing? How is it used in phishing?
Message claims to be from a legitimate sender, but isn't
Graphics look legitimate because attackers copy them from the real site
Link text looks legitimate, but the visible text says nothing about where the link really goes; hover over the link to see the real target
Used in phishing to collect private data and deliver a malware payload
Gains your trust
Fans the flames of urgency
So that you will take action now!
How can one avoid phishing scams?
Be suspicious of urgent requests
Be suspicious of requests for personal info
Check with the sender
Call them
Don’t use contact info on the phish
Don’t use links in an email
Type the address into the browser yourself instead!
Employee training
How is spear phishing different from phishing? Consider the target and methods used.
Spear phishing is a targeted attack
Researched the target
Carefully crafted email
Apparently valid source
Personalized
Nicknames
Habits, preferences
Recent purchases
Recent promotions or job changes
What is Malvertising?
Using online advertising to deliver malware
Drive-by Downloads
No interaction required
Exploits client vulnerability: OS, browser, plugin
Process:
Page loaded
Victim's fingerprint analyzed (OS, browser, plugin versions)
Vulnerabilities exploited
Malware downloaded & installed
Victim compromised
How can one defend against web-based malware?
Minimize use of an admin account (browse as a standard user)
Keep OS, browser, plugins up-to-date
Minimize the attack surface
Be careful with popups!
Use an ad blocker!
Cables
Can be weaponized to inject a payload
USB keylogger
Computers trust keyboards
The device pretends to be a keyboard; plug it in and it gains access by typing commands
Streams captured keystrokes to the cloud so the attacker can watch live as the victim types
Smart logger: activates on user activity
Can inject keystrokes remotely
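Because the OS trusts anything that enumerates as a keyboard, one defensive check is to list keyboard devices and flag any that are not on an approved list. This is an added example, not from the flashcards: it parses the Linux /proc/bus/input/devices format, the sample text and the vendor/product allowlist are constructed, and the approved IDs are an assumption.

```python
"""Detect unexpected keyboard devices, which is how a BadUSB-style cable or a
keystroke injector appears to the OS: as an extra HID keyboard it trusts.
Added example; the device listing below is constructed in the
/proc/bus/input/devices format."""

SAMPLE_INPUT_DEVICES = """\
I: Bus=0003 Vendor=046d Product=c31c Version=0110
N: Name="Logitech USB Keyboard"
P: Phys=usb-0000:00:14.0-1/input0
H: Handlers=sysrq kbd event3 leds

I: Bus=0003 Vendor=046d Product=c077 Version=0111
N: Name="Logitech USB Optical Mouse"
P: Phys=usb-0000:00:14.0-2/input0
H: Handlers=mouse0 event4

I: Bus=0003 Vendor=1a2b Product=3c4d Version=0100
N: Name="USB Composite Device"
P: Phys=usb-0000:00:14.0-3/input1
H: Handlers=sysrq kbd event5
"""

# Assumption: the organization maintains an allowlist of approved keyboard VID:PID pairs.
APPROVED_KEYBOARDS = {("046d", "c31c")}

def parse_input_devices(text):
    """Split the /proc/bus/input/devices text into one dict per device."""
    devices, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                devices.append(current)
                current = {}
            continue
        key, _, rest = line.partition(": ")
        if key == "I":                       # I: Bus=... Vendor=... Product=...
            for field in rest.split():
                name, _, value = field.partition("=")
                current[name.lower()] = value.lower()
        elif key == "N":                     # N: Name="..."
            current["name"] = rest.split("=", 1)[1].strip('"')
        elif key == "P":                     # P: Phys=... (which USB port)
            current["phys"] = rest.split("=", 1)[1]
        elif key == "H":                     # H: Handlers=... ("kbd" means keyboard)
            current["handlers"] = rest.split("=", 1)[1].split()
    if current:
        devices.append(current)
    return devices

def unexpected_keyboards(text, approved=APPROVED_KEYBOARDS):
    """Return every device with a keyboard handler that is not on the allowlist."""
    found = []
    for dev in parse_input_devices(text):
        if "kbd" not in dev.get("handlers", []):
            continue
        if (dev.get("vendor"), dev.get("product")) not in approved:
            found.append(dev)
    return found

if __name__ == "__main__":
    # On a real host: text = open("/proc/bus/input/devices").read()
    for dev in unexpected_keyboards(SAMPLE_INPUT_DEVICES):
        print(f"ALERT: unapproved keyboard {dev['vendor']}:{dev['product']} "
              f"{dev['name']!r} on {dev.get('phys')}")
```

The mouse is ignored because it registers no "kbd" handler; the third device is flagged even though nothing in its name says "keyboard".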
Biohacking
Implanting technology within your body
RFID emulator chips
Work with NFC-capable smartphones and certain commercial access control systems, door locks and USB contactless readers
Swipe hand at door lock and it opens up
Uses: car keys, passwords, office keys, ID badge, NFC touchless payments in stores
What is a Man-in-the-Middle (MitM) attack?
An attack where the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communication between the hosts
How can an attacker execute an MitM attack against open WiFi hotspot users?
WiFi Pineapple
Sits between your device and the real access point and intercepts the traffic
Can present a registration screen to collect personal info before letting you onto the "free hotspot"
Attackers can intercept data and deliver web pages to your machine that may contain attacks
How can one defend against this threat?
Switch off WiFi on the mobile phone and use cellular only
Tether the notebook to the phone's cellular service
VPN: encrypts your traffic from your device to the VPN endpoint, so the hotspot sees only ciphertext
What is the “vulnerability” being exploited in a Denial of Service (DoS) attack?
Heavy reliance on servers
e-Commerce
Communications
Enterprise applications
Capacity
Servers have maximum capacity
Exceeding maximums -> problems
How does DoS attack harm the victim?
Overwhelms the target server with service requests
Denies service to regular customers
The attack consumes all server capacity
Nothing is left for regular customers
Customers get frustrated and go elsewhere
“The straw that broke the camel’s back”
How does a DDoS attack work?
Distributed denial of service
Attack comes from every direction at once
Botnets of Zombies
Lie silent until Command & Control tells them what to do
Command & Control Network
Lets cybercriminal control the Botnet to make it do their will
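Why the distributed form is harder to stop: a per-source rate limit catches one flooding host but says nothing when the same load arrives from hundreds of bots at a modest rate each. This added example (not from the flashcards) runs a simple per-second detector over constructed web server log lines in Common Log Format; the per-IP limit and server capacity are assumed tuning values.

```python
"""Rate-based DoS/DDoS detection over access logs. Added example; the log
lines are constructed and the thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (?:\d+|-)')

PER_IP_LIMIT = 100     # assumption: more than this per second from one IP is abusive
SERVER_CAPACITY = 150  # assumption: requests/second the server can actually serve

def parse_line(line):
    """Return (client_ip, timestamp) for a valid line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def build_log():
    """Constructed log: second :36 has 10 normal clients plus one host sending
    200 requests (DoS); second :37 has 200 distinct bots sending one each (DDoS)."""
    base = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [base.format(ip=f"198.51.100.{i}", sec=36) for i in range(10)]
    lines += [base.format(ip="203.0.113.7", sec=36) for _ in range(200)]
    lines += [base.format(ip=f"192.0.2.{i}", sec=37) for i in range(1, 201)]
    return lines

def analyze(lines):
    """Per second: total load, number of sources, whether capacity is exceeded,
    and which individual IPs a per-source rule would block."""
    per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, when = parsed
            per_second[when][ip] += 1
    report = {}
    for when in sorted(per_second):
        ips = per_second[when]
        total = sum(ips.values())
        report[when.strftime("%H:%M:%S")] = {
            "total": total,
            "sources": len(ips),
            "over_capacity": total > SERVER_CAPACITY,
            "blockable_ips": sorted(ip for ip, n in ips.items() if n > PER_IP_LIMIT),
        }
    return report

if __name__ == "__main__":
    for second, row in analyze(build_log()).items():
        print(second, row)
```

In the first second the flood is attributable to one address and blocking it restores service; in the second the server is equally over capacity but no single source exceeds the limit, which is why DDoS mitigation needs upstream capacity or behavioural filtering rather than a per-IP rule.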
How frequently do DDoS attacks occur?
2013: 11% attacked 11-50 times/month
2021: 70% attacked 20-50 times/month
Roughly what is the cost of a typical DDoS attack to a small business?
Costs up to $120,000
Up to $2 million for LARGER companies
Why is data classification a necessary step in risk management?
Data is an asset
Protection based on value
Tangible value
Intangible value: consider confidentiality, integrity and availability (CIA)
UF classifications
Open
Sensitive
Restricted
What three factors can be used to quantify IT security risk? How are they used together to estimate risk?
Multi-disciplinary
Wide variety of skills and people
Types of risks
Estimate the risk by combining three factors:
1. Asset value
2. Threat likelihood
3. Threat severity (impact)
Higher value, likelihood or severity means higher risk; the common formulation is risk = asset value x likelihood x severity
Be able to explain the three ways that an organization can respond to IT security risk.
Accept the risk
Refuse (avoid) the risk: don't do the risky activity
Mitigate the risk (minimize)
Technical measures, training, policy, insurance
Defense in depth – how does the castle metaphor apply to information security?
Multiple layers of defense
Get notified when one layer is breached, while the remaining layers still hold
Human vulnerabilities – what measures are suggested for addressing them?
Education/Awareness Training
- “An ounce of prevention is worth a pound of cure”
- Training courses
- Hands-on, e.g. simulated phishing
HR practices
- Hiring
- Exit procedures
Endpoint Protection
User computers often have unpatched operating systems and applications
Patching
Anti-malware
Firewall
Intrusion Detection
Monitors network traffic for known-bad patterns in packets going in and out and can notify someone of a problem
Vulnerability Scanning
Identify systems that need to be patched
Scan
Notify
Remediate
Repeat
Report
Penetration Testing
Internal (IT Team)
External security consultants
Social engineering and technological
Disaster Recovery Testing
Perform restore and verify systems work
Simulated disasters
Physical vulnerabilities – be able to briefly describe the steps an organization can take to protect mobile devices … and to protect USB flash drives.
Corporate endpoints
BYOD and mobile
USB flash drives
Disposal
Equipment disposal
Corporate endpoints
Inventory control
Hard drive encryption
BYOD and mobile
Encryption
Mobile device management
USB flash drives
Encryption
Ban them!
Disposal
Shred documents
Records management vendor
Equipment Disposal
DBAN (Darik's Boot and Nuke: wipe drives before disposal)
Keep your hard drive when equipment leaves the organization
Copier vendor data security options (copiers store scanned documents on internal drives)
What’s the “fastest and cheapest bang for your buck” when it comes to information security?
User education and training: educate users about computer security so they recognize the threats above
Be able to briefly explain the importance of password complexity.
Brute force attacks
Dictionary attacks
Complex enough
- Length
- Uppercase, lowercase, numbers, symbols
- Not ‘words’
- Passphrases
Expiration
What is a ‘passphrase’ and why might this be a better approach than a complex password?
A phrase of 20 or so characters that is easy to remember but too long for an attacker to brute force
A combination of words/phrases that the user will remember
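Putting numbers on the brute-force and dictionary points above: this added example (not from the flashcards) estimates the search space of a short "complex" password against a longer passphrase and rejects passwords that are just a dictionary word with decoration. The word list, the leetspeak substitutions and the guess rate are constructed assumptions.

```python
"""Password strength arithmetic: brute-force search space, dictionary check,
and the passphrase comparison. Added example; the dictionary and cracking
rate are assumed values."""
import math
import string

# Constructed stand-in for a cracking wordlist.
DICTIONARY = {"password", "welcome", "summer", "florida", "gators", "letmein"}
GUESSES_PER_SECOND = 1e10          # assumption: offline attack on a fast hash
LEET = str.maketrans("@0143$5!", "aoiaessi")   # common substitutions attackers undo

def charset_size(pw):
    """Alphabet the attacker must assume, from the character classes present."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
        (" ", 1),
    )
    return sum(n for chars, n in classes if any(c in chars for c in pw))

def brute_force_bits(pw):
    """Bits of work to try every string of this length: log2(N**L) = L*log2(N)."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def passphrase_bits(words, list_size=7776):
    """Bits when the attacker knows it is `words` random words from a list of
    `list_size` entries (7776 is a Diceware-style list): words * log2(list_size)."""
    return words * math.log2(list_size)

def is_dictionary_based(pw):
    """True if the password is a dictionary word with trailing digits/symbols
    and leetspeak removed: the first thing a dictionary attack tries."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET) in DICTIONARY

def years_to_brute_force(bits):
    return 2 ** bits / GUESSES_PER_SECOND / (365 * 24 * 3600)

def assess(pw):
    bits = brute_force_bits(pw)
    return {"dictionary": is_dictionary_based(pw),
            "bits": round(bits, 1),
            "years": years_to_brute_force(bits)}

if __name__ == "__main__":
    for pw in ("P@ssw0rd", "G@tors2023!", "correct horse battery staple"):
        print(pw, assess(pw))
    print("4 random words:", round(passphrase_bits(4), 1), "bits")
```

"P@ssw0rd" scores about 52 bits by brute force but falls to a dictionary attack immediately; four random words from a 7776-word list give a similar 52 bits even if the attacker knows the word list, and far more if they do not, while being much easier to remember.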
What is MFA? Be able to briefly explain how it works and how it can improve IT security
Multi-factor authentication
Something you know (password) plus something you have (key fob / app on phone)
Ex. Duo Push UF app
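What "something you have" usually means under the hood: the phone app holds a shared secret and derives a short-lived code from it, which the server recomputes and compares. This added example (not from the flashcards and not Duo's implementation) implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library; the secret is the RFC 4226 test-vector key, and the drift window is an assumed server policy.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by authenticator apps.
Added example; SECRET is the RFC test key, not a real credential."""
import hmac
import hashlib
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226 test vector key, provisioned once

def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation to 31 bits,
    then modulo 10**digits, zero-padded."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp(secret, at_time=None, step=30, digits=6):
    """TOTP is HOTP with the counter set to floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)

def verify_totp(secret, submitted, at_time=None, step=30, window=1):
    """Server-side check. Accepts the current step plus/minus `window` steps
    (assumed policy) to tolerate clock drift; compares in constant time."""
    if at_time is None:
        at_time = time.time()
    for skew in range(-window, window + 1):
        candidate = totp(secret, at_time + skew * step, step)
        if hmac.compare_digest(candidate.encode(), submitted.encode()):
            return True
    return False

if __name__ == "__main__":
    print("current code:", totp(SECRET))
    print("RFC 6238 vector (t=59, 8 digits):", totp(SECRET, at_time=59, digits=8))
```

A phished password alone is useless without the secret, and a captured code expires with its 30-second step; the server must also rate-limit attempts and refuse to accept a code twice, which this minimal verifier does not do.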
What are the principles of least privilege and role-based access controls? Be able to explain how these concepts can be used to improve an organization’s IT security.
Security rights are expressed in an ACL (Access Control List)
Who may read/edit which things
Principle of Least Privilege
"A user is given no more privilege than is necessary to perform the job"
Role-based access controls
Permissions are attached to roles rather than individuals; your role (and its permissions) differs from the supervisor's
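The two ideas combined in code: a deny-by-default role-to-permission table, an ACL view derived from it, and a least-privilege review that finds granted permissions nobody exercised. This is an added example, not from the flashcards; the roles, users, resources and usage log are all constructed.

```python
"""Deny-by-default RBAC with a least-privilege review. Added example; every
role, user and log entry below is constructed."""

# Role -> set of (resource, action) it may perform. Nothing else is allowed.
ROLE_PERMISSIONS = {
    "clerk":      {("invoices", "read"), ("invoices", "create")},
    "supervisor": {("invoices", "read"), ("invoices", "create"),
                   ("invoices", "approve"), ("reports", "read")},
    "auditor":    {("invoices", "read"), ("reports", "read")},
}

# User -> roles held. A clerk is not a supervisor; a user may hold several roles.
USER_ROLES = {
    "alice": {"clerk"},
    "bob":   {"supervisor"},
    "carol": {"auditor", "clerk"},
}

# Constructed usage log: (user, resource, action) actually exercised in a review period.
USAGE_LOG = [
    ("alice", "invoices", "read"), ("alice", "invoices", "create"),
    ("bob", "invoices", "approve"), ("bob", "reports", "read"),
    ("carol", "reports", "read"),
]

def permissions_for(user):
    """Union of the permissions of every role the user holds (empty if unknown)."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_allowed(user, resource, action):
    """Least privilege: allow only if some role explicitly grants (resource, action).
    Unknown users, roles, resources or actions all fall through to deny."""
    return (resource, action) in permissions_for(user)

def acl_for(resource):
    """Effective ACL for one resource: user -> actions. This is what an access
    review reads to answer 'who can approve invoices?'."""
    acl = {}
    for user in USER_ROLES:
        actions = {a for r, a in permissions_for(user) if r == resource}
        if actions:
            acl[user] = actions
    return acl

def unused_permissions(user, log=USAGE_LOG):
    """Granted permissions the user never exercised: candidates for removal."""
    used = {(r, a) for u, r, a in log if u == user}
    return permissions_for(user) - used

if __name__ == "__main__":
    print("alice may approve invoices:", is_allowed("alice", "invoices", "approve"))
    print("invoice ACL:", acl_for("invoices"))
    for user in USER_ROLES:
        print(user, "never used:", sorted(unused_permissions(user)))
```

The review shows carol holds clerk permissions she never uses; removing the clerk role from her account is the least-privilege action, and the check function needs no change because it only ever grants what the table lists.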