Lesson 1: Comparing and Contrasting Attacks

Question 1

Information security

Answer 1

refers to the protection of available information or information resources from unauthorized access, attack, theft, or data damage.

Question 2

Three primary goals or functions involved in the practice of information security:

Answer 2

• Prevention—personal information, company information, and information about intellectual property must be protected.
• Detection—detection occurs when a user is discovered trying to access unauthorized data or after information has been lost.
• Recovery—when there is a disaster or an intrusion by unauthorized users, system data can become compromised or damaged. It is in these cases that you need to employ a process to recover vital data from a crashed system or data storage devices. Recovery can also pertain to physical resources.

Question 3

Assets are usually classified in the following ways:

Answer 3

• Tangible assets—these are physical items, such as buildings, furniture, computer equipment, software licenses, machinery, inventory (stock), and so on.
• Intangible assets—these are mostly information resources, including Intellectual Property (IP), accounting information, plans and designs, and so on. Intangible assets also include things like a company’s reputation, image, or brand.
• Employees—it is commonplace to describe an organization’s staff (sometimes described as “human capital”) as its most important asset.

Question 4

Market value

Answer 4

the price that could be obtained if the asset were to be offered for sale (or the cost if the asset must be replaced).

Question 5

Liabilities

Answer 5

In terms of security, however, assets must also be valued according to the liabilities that the loss or damage of the asset would create:

• Business continuity—this refers to an organization’s ability to recover from incidents (any malicious or accidental breach of security policy is an incident).
• Legal—these are responsibilities in civil and criminal law. Security incidents could make an organization liable to prosecution (criminal law) or for damages (civil law). An organization may also be liable to professional standards, codes, and regulations.

Question 6

The CIA Triad

Answer 6

Secure information has three properties, often referred to as the CIA Triad:

• Confidentiality—means that certain information should only be known to certain people.
• Integrity—means that the data is stored and transferred as intended and that any modification is authorized.
• Availability—means that information is accessible to those authorized to view or modify it.

Question 7

Non-repudiation

Answer 7

means that a subject cannot deny doing something, such as creating, modifying, or sending a resource. For example, a legal document, such as a will, must usually be witnessed when it is signed. If there is a dispute about whether the document was correctly executed, the witness can provide evidence that it was.

Question 8

Security policy

Answer 8

formalized statement that defines how security will be implemented within an organization.

Question 9

Steps to establishing a security policy:

Answer 9

1. The first step in establishing a security policy is to obtain genuine support for and commitment to such a policy throughout the organization.
2. The next step is to analyze risks to security within the organization. Risks are components, processes, situations, or events that could cause the loss, damage, destruction, or theft of data or materials.
3. Having identified risks, the next step is to implement controls that detect and prevent losses and procedures that enable the organization to recover from losses (or other disasters) with minimum interruption to business continuity.
4. The “final” step in the process is to review, test, and update procedures continually. An organization must ensure continued compliance with its security policy and the relevance of that policy to new and changing risks.

Question 10

Security posture

Answer 10

employees must be aware of their responsibilities. The structure of security responsibilities will depend on the size and hierarchy of an organization, but these roles are typical:

• Managers may have responsibility for a domain, such as building control, information and communications technology (ICT), or accounting.
• Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Two notable job roles are Information Systems Security Officer (ISSO) and Cybersecurity Analyst (CySA).
• Non-technical staff have the responsibility of complying with policy and with any relevant legislation.
• External responsibility for security (due care or liability) lies mainly with directors or owners, though again, it is important to note that all employees share some measure of responsibility.

Question 11

Chief Information Security Officer (CISO)

Answer 11

Overall internal responsibility for security might be allocated to a dedicated department, run by a Director of Security or Chief Information Security Officer (CISO).

Question 12

Information security competencies:

Answer 12

• Participate in risk assessments and testing of security systems and make recommendations.
• Specify, source, install, and configure secure devices and software.
• Set up and maintain document access control and user privilege profiles.
• Monitor audit logs, review user privileges, and document access controls.
• Manage security-related incident response and reporting.
• Create and test business continuity and disaster recovery plans and procedures.
• Participate in security training and education programs.

Question 13

Computer Security Division

Answer 13

In the US, the Computer Security Division of the National Institute of Standards and Technology (NIST) is responsible for issuing the Federal Information Processing Standards (FIPS) plus advisory guides called Special Publications. Many of the standards and technologies covered in CompTIA® Security+® are discussed in these documents.

Question 14

Vulnerability

Answer 14

a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Examples of vulnerabilities include improperly configured or installed hardware or software, delays in applying and testing software and firmware patches, untested software and firmware patches, the misuse of software or communication protocols, poorly designed network architecture, inadequate physical security, insecure password usage, and design flaws in software or operating systems, such as unchecked user input.

Question 15

Threat

Answer 15

the potential for a threat agent or threat actor (something or someone that may trigger a vulnerability accidentally or exploit it intentionally) to “exercise” a vulnerability (that is, to breach security). The path or tool used by the threat actor can be referred to as the threat vector.

Question 16

Risk

Answer 16

the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

Question 17

Control

Answer 17

a system or procedure put in place to mitigate risk.

Question 18

Threat actors

Answer 18

The sophisticated nature of modern cybersecurity threats means that it is important to be able to describe and analyze behaviors as well as enumerate known threat patterns. Consequently, it is important to distinguish the types of threat actors in terms of location, sophistication and resources, and intent.

Question 19

Intent and motivation

Answer 19

When assessing the risk that any one type of threat actor poses to your own organization, critical factors to profile are those of intent and motivation.

Question 20

Structured or unstructured (or targeted versus opportunistic)

Answer 20

Threats can be characterized as structured or unstructured (or targeted versus opportunistic) depending on the degree to which your own organization is targeted specifically.

Question 21

Hacker and attacker

Answer 21

related terms for individuals who have the skills to gain access to computer systems through unauthorized or unapproved means. Originally, hacker was a neutral term for a user who excelled at computer programming and computer system administration. Hacking into a system was a sign of technical skill and creativity that gradually became associated with illegal or malicious system intrusions. The terms Black Hat or cracker (malicious) and White Hat (non-malicious) are sometimes used to distinguish motivations.

Question 22

Script kiddie

Answer 22

someone that uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. A newbie (or n00b) is someone with a bare minimum of experience and expertise. Script kiddie attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.

Question 23

Hacktivist

Answer 23

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform Denial of Service (DoS) attacks, or deface websites. Political, media, and financial groups and companies are probably most at risk, but environmental and animal advocacy groups may target companies in a wide range of industries.

Question 24

Organized crime

Answer 24

can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.

Question 25

Competitor-driven espionage

Answer 25

• thought to be pursued by nation-state backed groups, but it is not inconceivable that a rogue business might use cyber espionage against its competitors.
• Most nation-states have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals.

Question 26

Advanced Persistent Threat (APT)

Answer 26

the term Advanced Persistent Threat (APT) was coined to understand the behavior underpinning modern types of cyber adversaries. Rather than think in terms of systems being infected with a virus or rootkit, an APT refers to the ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques.

Question 27

Externally

Answer 27

In most cases, the threat actors described above operate externally from the networks they target.

Question 28

Malicious insider threat

Answer 28

when the perpetrator of an attack is a member of, ex-member of, or somehow affiliated with the organization’s own staff, partners, or contractors. The Computer Emergency Response Team (CERT) at Carnegie Mellon University’s definition of a malicious insider is:

A current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Question 29

Auditing

Answer 29

Implementing operational and management controls (especially secure logging and auditing) is essential.

Question 30

Kill chain

Answer 30

several models for describing the general process of an attack on systems security. These steps are often referred to as a kill chain, following the influential white paper Intelligence-Driven Computer Network Defense commissioned by Lockheed Martin

Question 31

Kill chain

Answer 31

• Planning/scoping—in this stage the attacker determines what methods he or she will use to complete the phases of the attack. One significant issue here is that the attacker will not want to draw attention to him- or herself so will try to identify stealthy methods to proceed. The attacker also needs to establish resources to launch the attack. To evade detection, he or she might employ a botnet of compromised home computers and devices, which can be used as unwitting zombies to facilitate scans, Denial of Service (DoS) attacks, and exploits and mask their origin.
• Reconnaissance/discovery—in this phase the attacker discovers what he or she can about how the target is organized and what security systems it has in place. This phase may use both passive information gathering and active scanning of the target network. The outcome of the phase, if successful, will be one or more potential exploits.
• Weaponization—in this phase the attacker utilizes an exploit to gain access. This phase would normally comprise several steps:

_ Exploit—run code on the target system to exploit a vulnerability and gain elevated privileges. The point of access (a compromised computer or user account, for instance) is referred to as a pivot point.

_ Callback—establish a covert channel to an external Command and Control (C2 or C&C) network operated by the attacker.

_ Tool download—install additional tools to the pivot to maintain covert access to the system and progress the attack.

• Post-exploitation/lateral discovery/spread—if the attacker obtains a pivot point, the next phase is typically to perform more privileged network scans with a view to discovering more of the network topology, locating and exploiting additional pivot points, and identifying assets of interest.
• Action on objectives—in this phase, the attacker typically uses the access he or she has achieved to covertly copy information from target systems (data exfiltration). However, an attacker may have other motives or goals to achieve.
• Retreat—once the attacker has achieved his or her initial aims without being detected, he or she may either maintain an APT or seek to withdraw from the network, removing any trace of his or her presence to frustrate any subsequent attempt to identify the source of the attack.

Question 32

Indicators of Compromise (IoC)

Answer 32

Historically, a lot of security tools have depended on identification of malware signatures. This type of signature-based detection is unlikely to work against sophisticated adversary kill chains because the tools used by the attacker are less likely to be identifiable from a database of known virus-type malware. Consequently, cybersecurity procedures have moved beyond the use of such static anti-virus tools (though they still have their place) to identify and correlate Indicators of Compromise (IoC).

Question 33

Structured Threat Information eXpression (STIX) architecture is built from the following components:

Answer 33

• Observable—a stateful property of the computer system or network or an event occurring within it. Examples of observables include a change in an executable file property or signature, an HTTP request, or a firewall blocking a connection attempt. Observables would be generated by the logging and monitoring system (the data “bucket”).
• Indicator—a pattern of observables that are “of interest”; or worthy of cybersecurity analysis. Ideally, software would automate the discovery of connections between observables based on a knowledge of past incidents and TTPs (see below).
• Incident—a pattern of indicators forming a discrete cybersecurity event. The incident is defined both by the indicators involved and the assets affected. The incident will be assigned a ticket and priority, and the parties involved in response and incident handling will be identified.
• Tactics, Techniques, and Procedures (TTP)—known adversary behaviors, starting with the overall goal and asset target (tactic), and elaborated over specific techniques and procedures. This information is used to identify potential indicators and incidents.
• Campaign and Threat Actors—the adversaries launching cyber-attacks are referred to in this framework as Threat Actors. The actions of Threat Actors utilizing multiple TTPs against the same target or the same TTP against multiple targets may be characterized as a campaign.
• Exploit Target—system vulnerabilities or weaknesses deriving from software faults or configuration errors.
• Course of Action (CoA)—mitigating actions or use of security controls to reduce risk from Exploit Targets or to resolve an incident

Question 34

passive reconnaissance

Answer 34

An attacker can “cyber-stalk” his or her victims to discover information about them via Google Search or by using other web or social media search tools. This information gathering is also referred to as passive reconnaissance.

Question 35

Open Source Intelligence (OSINT)

Answer 35

Publicly available information and tools for aggregating and searching information are referred to as Open Source Intelligence (OSINT).

Question 36

deep web

Answer 36

The deep web is any part of the World Wide Web that is not indexed by a search engine. This includes pages that require registration, pages that block search indexing, unlinked pages, pages using non-standard DNS, and content encoded in a non-standard manner. Within the deep web, however, are areas that are deliberately concealed from “regular” browser access.

• Dark net—a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity.
• Dark web—sites, content, and services accessible only over a dark net.

Question 37

counterintelligence

Answer 37

Investigating these dark web sites and services is a valuable source of counterintelligence. The anonymity of dark web services has made it easy for investigators to infiltrate the forums and webstores that have been set up to exchange stolen data and hacking tools.

Question 38

Social engineering

Answer 38

(or “hacking the human”) refers to means of getting users to reveal confidential information. Typical social engineering attack scenarios include:

• An attacker creates an executable file that prompts a network user for their user name and password, and then records whatever the user inputs.
• An attacker contacts the help desk pretending to be a remote sales representative who needs assistance setting up remote access.
• An attacker triggers a fire alarm and then slips into the building during the confusion and attaches a monitoring device to a network port.

Question 39

Impersonation

Answer 39

(pretending to be someone else) is one of the basic social engineering techniques. The classic impersonation attack is for the social engineer to phone into a department, claim they have to adjust something on the user’s system remotely, and get the user to reveal their password.

Question 40

Basic tools of a social engineer:

Answer 40

• Familiarity/liking
• Consensus/social proof
• Authority and Intimidation
• Scarcity and urgency

Question 41

Trust

Answer 41

Being convincing (or establishing trust) usually depends on the attacker obtaining privileged information about the organization.

Question 42

Dumpster Diving

Answer 42

Dumpster diving refers to combing through an organization’s (or individual’s) garbage to try to find useful documents (or even files stored on discarded removable media).

Question 43

Shoulder surfing

Answer 43

Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it.

Question 44

Lunchtime attack

Answer 44

Most authentication methods are dependent on the physical security of the workstation. If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system. This is often described as a lunchtime attack.

Question 45

Tailgating

Answer 45

Tailgating is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. Like tailgating, piggy backing is a situation where the attacker enters a secure area with an employee’s permission.

Question 46

Phishing

Answer 46

combination of social engineering and spoofing (disguising one computer resource as another). In the case of phishing, the attacker sets up a spoof website to imitate a target bank or e‑commerce provider’s secure website or some other web resource that should be trusted by the target. The attacker then emails users of the genuine website informing them that their account must be updated or with some sort of hoax alert or alarm, supplying a disguised link that actually leads to their spoofed site. When the user authenticates with the spoofed site, their logon credentials are captured. Another technique is to spawn a “pop-up” window when a user visits a genuine banking site to try to trick them into entering their credentials through the pop-up.

Question 47

Spear phishing

Answer 47

refers to a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack. The attacker might know the name of a document that the target is editing, for instance, and send a malicious copy, or the phishing email might show that the attacker knows the recipient’s full name, job title, telephone number, or other details that help convince the target that the communication is genuine. A spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other “big beasts”) is sometimes called whaling. Upper management may also be more vulnerable to ordinary phishing attacks because of their reluctance to learn basic security procedures.

Question 48

Vishing

Answer 48

Vishing describes a phishing attack conducted through a voice channel (telephone or VoIP, for instance). For example, targets could be called by someone purporting to represent their bank asking them to verify a recent credit card transaction and requesting their security details. It can be much more difficult for someone to refuse a request made in a phone call compared to one made in an email.

Question 49

SMiShing

Answer 49

refers to fraudulent SMS texts. Other vectors could include instant messaging (IM) or social networking sites.

Question 50

Pharming

Answer 50

another means of redirecting users from a legitimate website to a malicious one. Rather than using social engineering techniques to trick the user, pharming relies on corrupting the way the victim’s computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one.

Question 51

watering hole attack

Answer 51

another type of directed social engineering attack. It relies on the circumstance that a group of targets may use an unsecure third-party website.

Question 52

Hoaxes

Answer 52

security alerts or chain emails, are another common social engineering technique, often combined with phishing or pharming attacks.

Question 53

Social engineering is best defeated by training users to recognize and respond to threat situations:

Answer 53

• Train employees to release information or make privileged use of the system only according to standard procedures.
• Establish a reporting system for suspected attacks—though the obvious risk here is that many false negatives will be reported.
• Train employees to identify phishing and pharming style attacks plus new styles of attacks as they emerge.
• Train employees not to release work-related information on third-party sites or social networks (and especially not to reuse passwords used for accounts at work).

Question 54

One of the most prevalent threats to computers today

Answer 54

• malicious code

Malicious code is undesired or unauthorized software, or malware, that is placed into a target system to disrupt operations or to redirect system resources for the attacker’s benefit. In the past, many malicious code attacks were intended to disrupt or disable an operating system or an application, or force the target system to disrupt or disable other systems. More recent malicious code attacks attempt to remain hidden on the target system, utilizing available resources to the attacker’s advantage.

Potential uses of malicious code include launching Denial of Service attacks on other systems; hosting illicit or illegal data; skimming personal or business information for the purposes of identity theft, profit, or extortion; or displaying unsolicited advertisements.

Question 55

computer virus

Answer 55

a type of malware designed to replicate and spread from computer to computer, usually by “infecting” executable applications or program code.

Question 56

There are several different types of viruses and they are generally classified by the different ways they can infect the computer (the vector):

Answer 56

• Boot sector viruses—attack the disk boot sector information, the partition table, and sometimes the file system.
• Program viruses—sequences of code that insert themselves into another executable program. When the application is executed, the virus code becomes active. Executable objects can also be embedded or attached within other file types, such as document formats like Microsoft Word (DOC), Portable Document Format (PDF), and Rich Text Format (RTF).
• Script viruses—scripts are powerful languages used to automate OS functions and add interactivity to web pages. Scripts are executed by an interpreter rather than self-executing. Most script viruses target vulnerabilities in the interpreter. Note that some document types, such as PDF, support scripting and have become a common vector in the last few years.
• Macro viruses—use the programming features available in Microsoft Office documents. Recent versions of Office enforce restrictions against enabling potentially dangerous content by default, but some users may have disabled these protections.
• Multipartite viruses—use both boot sector and executable file infection methods of propagation.

Question 57

Viruses

Answer 57

categorized by their virulence. Some viruses are virulent because they exploit a previously unknown system vulnerability (a “zero day” exploit)

Question 58

payload

Answer 58

a virus can also be configured with a payload that executes when the virus is activated. The payload can perform any action available to the host process.

memory-resident viruses that replicate over network resources.

Question 59

Worms

Answer 59

A worm is self-contained; that is, it does not need to attach itself to another executable file. They typically target some sort of vulnerability in an application, such as a database server or web browser. The primary effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates. A worm may also be able to crash an operating system or server application (performing a Denial of Service attack). Also, like viruses, worms can carry a payload that may perform some other malicious action, such as installing a backdoor.

Question 60

Trojan horse malware

Answer 60

malware code concealed within an application package that the user thinks is benign, such as a game or screensaver. The purpose of a Trojan is not to replicate, but either to cause damage to a system or to give an attacker a platform for monitoring and/or controlling a system.

Many Trojans function as backdoor applications. This class of Trojan is often called a Remote Access Trojan (RAT). RATs mimic the functionality of legitimate remote control programs but are designed specifically for stealth installation and operation. Once the RAT is installed, it allows the attacker to access the PC, upload files, and install software on it. This could allow the attacker to use the computer in a botnet, to launch Distributed Denial of Service (DDoS) attacks, or mass-mail spam.

Question 61

rogueware or scareware

Answer 61

fake anti-virus, where a web pop-up claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker’s Trojan.

Question 62

covert channel

Answer 62

The attacker must establish some means of secretly communicating with the compromised machine (a covert channel). This means that the RAT must establish a connection from the compromised host to a Command and Control (C2 or C&C) host or network operated by the attacker. This network connection is usually the best way to identify the presence of a RAT.

Question 63

Spyware

Answer 63

a program that monitors user activity and sends the information to someone else. It may be installed with or without the user’s knowledge. Aggressive spyware or Trojans known as “keyloggers” actively attempt to steal confidential information; for example, as a user enters a credit card number into a webform, it records the keystrokes, thereby capturing the credit card number. There are a wide variety of software keyloggers available on the Internet.

Question 64

Adware

Answer 64

any type of software or browser plug-in that displays commercial offers and deals. Some adware may exhibit spyware-like behavior, however, by tracking the websites a user visits and displaying targeted ads, for instance.

Question 65

rootkit

Answer 65

represents a class of backdoor malware that is harder to detect and remove. Rootkits work by changing core system files and programming interfaces, so that local shell processes, such as Explorer, taskmgr, or tasklist on Windows or ps or top on Linux, plus port scanning tools, such as netstat, no longer reveal their presence (at least, if run from the infected machine). They also contain tools for cleaning system logs, further concealing the presence of the rootkit. The most powerful rootkits operate in kernel mode, infecting a machine through a corrupted device driver or kernel patch. A less effective type of rootkit operates in user mode, replacing key utilities or less privileged drivers.

Question 66

Ransomware

Answer 66

a type of Trojan malware that tries to extort money from the victim.

Question 67

Crypto-malware

Answer 67

class of ransomware attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate, unless the user has up-to-date backups of the encrypted files.

Question 68

time bomb and logic bomb

Answer 68

Some types of malware do not trigger automatically. Having infected a system, they wait for a preconfigured time or date (time bomb) or a system or user event (logic bomb).