Lesson 1: Comparing and Contrasting Attacks Flashcards

1
Q

Information security

A

refers to the protection of available information or information resources from unauthorized access, attack, theft, or data damage.

2
Q

Three primary goals or functions involved in the practice of information security:

A
  • Prevention—personal information, company information, and information about intellectual property must be protected.
  • Detection—detection occurs when a user is discovered trying to access unauthorized data or after information has been lost.
  • Recovery—when there is a disaster or an intrusion by unauthorized users, system data can become compromised or damaged. It is in these cases that you need to employ a process to recover vital data from a crashed system or data storage devices. Recovery can also pertain to physical resources.
3
Q

Assets are usually classified in the following ways:

A
  • Tangible assets—these are physical items, such as buildings, furniture, computer equipment, software licenses, machinery, inventory (stock), and so on.
  • Intangible assets—these are mostly information resources, including Intellectual Property (IP), accounting information, plans and designs, and so on. Intangible assets also include things like a company’s reputation, image, or brand.
  • Employees—it is commonplace to describe an organization’s staff (sometimes described as “human capital”) as its most important asset.
4
Q

Market value

A

the price that could be obtained if the asset were to be offered for sale (or the cost if the asset must be replaced).

5
Q

Liabilities

A

In terms of security, however, assets must also be valued according to the liabilities that the loss or damage of the asset would create:

  • Business continuity—this refers to an organization’s ability to recover from incidents (any malicious or accidental breach of security policy is an incident).
  • Legal—these are responsibilities in civil and criminal law. Security incidents could make an organization liable to prosecution (criminal law) or for damages (civil law). An organization may also be liable to professional standards, codes, and regulations.
6
Q

The CIA Triad

A

Secure information has three properties, often referred to as the CIA Triad:

  • Confidentiality—means that certain information should only be known to certain people.
  • Integrity—means that the data is stored and transferred as intended and that any modification is authorized.
  • Availability—means that information is accessible to those authorized to view or modify it.
7
Q

Non-repudiation

A

means that a subject cannot deny doing something, such as creating, modifying, or sending a resource. For example, a legal document, such as a will, must usually be witnessed when it is signed. If there is a dispute about whether the document was correctly executed, the witness can provide evidence that it was.

8
Q

Security policy

A

formalized statement that defines how security will be implemented within an organization.

9
Q

Steps to establishing a security policy:

A
  1. The first step in establishing a security policy is to obtain genuine support for and commitment to such a policy throughout the organization.
  2. The next step is to analyze risks to security within the organization. Risks are components, processes, situations, or events that could cause the loss, damage, destruction, or theft of data or materials.
  3. Having identified risks, the next step is to implement controls that detect and prevent losses and procedures that enable the organization to recover from losses (or other disasters) with minimum interruption to business continuity.
  4. The “final” step in the process is to review, test, and update procedures continually. An organization must ensure continued compliance with its security policy and the relevance of that policy to new and changing risks.
10
Q

Security posture

A

employees must be aware of their responsibilities. The structure of security responsibilities will depend on the size and hierarchy of an organization, but these roles are typical:

  • Managers may have responsibility for a domain, such as building control, information and communications technology (ICT), or accounting.
  • Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Two notable job roles are Information Systems Security Officer (ISSO) and Cybersecurity Analyst (CySA).
  • Non-technical staff have the responsibility of complying with policy and with any relevant legislation.
  • External responsibility for security (due care or liability) lies mainly with directors or owners, though again, it is important to note that all employees share some measure of responsibility.
11
Q

Chief Information Security Officer (CISO)

A

Overall internal responsibility for security might be allocated to a dedicated department, run by a Director of Security or Chief Information Security Officer (CISO).

12
Q

Information security competencies:

A
  • Participate in risk assessments and testing of security systems and make recommendations.
  • Specify, source, install, and configure secure devices and software.
  • Set up and maintain document access control and user privilege profiles.
  • Monitor audit logs, review user privileges, and document access controls.
  • Manage security-related incident response and reporting.
  • Create and test business continuity and disaster recovery plans and procedures.
  • Participate in security training and education programs.
13
Q

Computer Security Division

A

In the US, the Computer Security Division of the National Institute of Standards and Technology (NIST) is responsible for issuing the Federal Information Processing Standards (FIPS) plus advisory guides called Special Publications. Many of the standards and technologies covered in CompTIA® Security+® are discussed in these documents.

14
Q

Vulnerability

A

a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Examples of vulnerabilities include improperly configured or installed hardware or software, delays in applying and testing software and firmware patches, untested software and firmware patches, the misuse of software or communication protocols, poorly designed network architecture, inadequate physical security, insecure password usage, and design flaws in software or operating systems, such as unchecked user input.

15
Q

Threat

A

the potential for a threat agent or threat actor (something or someone that may trigger a vulnerability accidentally or exploit it intentionally) to “exercise” a vulnerability (that is, to breach security). The path or tool used by the threat actor can be referred to as the threat vector.

16
Q

Risk

A

the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

17
Q

Control

A

a system or procedure put in place to mitigate risk.

18
Q

Threat actors

A

The sophisticated nature of modern cybersecurity threats means that it is important to be able to describe and analyze behaviors as well as enumerate known threat patterns. Consequently, it is important to distinguish the types of threat actors in terms of location, sophistication and resources, and intent.

19
Q

Intent and motivation

A

When assessing the risk that any one type of threat actor poses to your own organization, critical factors to profile are those of intent and motivation.

20
Q

Structured or unstructured (or targeted versus opportunistic)

A

Threats can be characterized as structured or unstructured (or targeted versus opportunistic) depending on the degree to which your own organization is targeted specifically.

21
Q

Hacker and attacker

A

related terms for individuals who have the skills to gain access to computer systems through unauthorized or unapproved means. Originally, hacker was a neutral term for a user who excelled at computer programming and computer system administration. Hacking into a system was a sign of technical skill and creativity that gradually became associated with illegal or malicious system intrusions. The terms Black Hat or cracker (malicious) and White Hat (non-malicious) are sometimes used to distinguish motivations.

22
Q

Script kiddie

A

someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. A newbie (or n00b) is someone with a bare minimum of experience and expertise. Script kiddie attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.

23
Q

Hacktivist

A

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform Denial of Service (DoS) attacks, or deface websites. Political, media, and financial groups and companies are probably most at risk, but environmental and animal advocacy groups may target companies in a wide range of industries.

24
Q

Organized crime

A

can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.

25
Q

Competitor-driven espionage

A
  • thought to be pursued by nation-state backed groups, but it is not inconceivable that a rogue business might use cyber espionage against its competitors.
  • Most nation-states have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals.
26
Q

Advanced Persistent Threat (APT)

A

the term Advanced Persistent Threat (APT) was coined to understand the behavior underpinning modern types of cyber adversaries. Rather than think in terms of systems being infected with a virus or rootkit, an APT refers to the ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques.

27
Q

Externally

A

In most cases, the threat actors described above operate externally from the networks they target.

28
Q

Malicious insider threat

A

when the perpetrator of an attack is a member of, ex-member of, or somehow affiliated with the organization’s own staff, partners, or contractors. The definition of a malicious insider given by the Computer Emergency Response Team (CERT) at Carnegie Mellon University is:

A current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

29
Q

Auditing

A

Implementing operational and management controls (especially secure logging and auditing) is essential.

30
Q

Kill chain

A

several models for describing the general process of an attack on systems security. These steps are often referred to as a kill chain, following the influential white paper Intelligence-Driven Computer Network Defense commissioned by Lockheed Martin.

31
Q

Kill chain

A
  • Planning/scoping—in this stage the attacker determines what methods he or she will use to complete the phases of the attack. One significant issue here is that the attacker will not want to draw attention to him- or herself so will try to identify stealthy methods to proceed. The attacker also needs to establish resources to launch the attack. To evade detection, he or she might employ a botnet of compromised home computers and devices, which can be used as unwitting zombies to facilitate scans, Denial of Service (DoS) attacks, and exploits and mask their origin.
  • Reconnaissance/discovery—in this phase the attacker discovers what he or she can about how the target is organized and what security systems it has in place. This phase may use both passive information gathering and active scanning of the target network. The outcome of the phase, if successful, will be one or more potential exploits.
  • Weaponization—in this phase the attacker utilizes an exploit to gain access. This phase would normally comprise several steps:
      • Exploit—run code on the target system to exploit a vulnerability and gain elevated privileges. The point of access (a compromised computer or user account, for instance) is referred to as a pivot point.
      • Callback—establish a covert channel to an external Command and Control (C2 or C&C) network operated by the attacker.
      • Tool download—install additional tools to the pivot to maintain covert access to the system and progress the attack.
  • Post-exploitation/lateral discovery/spread—if the attacker obtains a pivot point, the next phase is typically to perform more privileged network scans with a view to discovering more of the network topology, locating and exploiting additional pivot points, and identifying assets of interest.
  • Action on objectives—in this phase, the attacker typically uses the access he or she has achieved to covertly copy information from target systems (data exfiltration). However, an attacker may have other motives or goals to achieve.
  • Retreat—once the attacker has achieved his or her initial aims without being detected, he or she may either maintain an APT or seek to withdraw from the network, removing any trace of his or her presence to frustrate any subsequent attempt to identify the source of the attack.
32
Q

Indicators of Compromise (IoC)

A

Historically, a lot of security tools have depended on identification of malware signatures. This type of signature-based detection is unlikely to work against sophisticated adversary kill chains because the tools used by the attacker are less likely to be identifiable from a database of known virus-type malware. Consequently, cybersecurity procedures have moved beyond the use of such static anti-virus tools (though they still have their place) to identify and correlate Indicators of Compromise (IoC).

33
Q

Structured Threat Information eXpression (STIX) architecture is built from the following components:

A
  • Observable—a stateful property of the computer system or network or an event occurring within it. Examples of observables include a change in an executable file property or signature, an HTTP request, or a firewall blocking a connection attempt. Observables would be generated by the logging and monitoring system (the data “bucket”).
  • Indicator—a pattern of observables that are “of interest”; or worthy of cybersecurity analysis. Ideally, software would automate the discovery of connections between observables based on a knowledge of past incidents and TTPs (see below).
  • Incident—a pattern of indicators forming a discrete cybersecurity event. The incident is defined both by the indicators involved and the assets affected. The incident will be assigned a ticket and priority, and the parties involved in response and incident handling will be identified.
  • Tactics, Techniques, and Procedures (TTP)—known adversary behaviors, starting with the overall goal and asset target (tactic), and elaborated over specific techniques and procedures. This information is used to identify potential indicators and incidents.
  • Campaign and Threat Actors—the adversaries launching cyber-attacks are referred to in this framework as Threat Actors. The actions of Threat Actors utilizing multiple TTPs against the same target or the same TTP against multiple targets may be characterized as a campaign.
  • Exploit Target—system vulnerabilities or weaknesses deriving from software faults or configuration errors.
  • Course of Action (CoA)—mitigating actions or use of security controls to reduce risk from Exploit Targets or to resolve an incident.
34
Q

passive reconnaissance

A

An attacker can “cyber-stalk” his or her victims to discover information about them via Google Search or by using other web or social media search tools. This information gathering is also referred to as passive reconnaissance.

35
Q

Open Source Intelligence (OSINT)

A

Publicly available information and tools for aggregating and searching information are referred to as Open Source Intelligence (OSINT).

36
Q

deep web

A

The deep web is any part of the World Wide Web that is not indexed by a search engine. This includes pages that require registration, pages that block search indexing, unlinked pages, pages using non-standard DNS, and content encoded in a non-standard manner. Within the deep web, however, are areas that are deliberately concealed from “regular” browser access.

  • Dark net—a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity.
  • Dark web—sites, content, and services accessible only over a dark net.
37
Q

counterintelligence

A

Investigating these dark web sites and services is a valuable source of counterintelligence. The anonymity of dark web services has made it easy for investigators to infiltrate the forums and webstores that have been set up to exchange stolen data and hacking tools.

38
Q

Social engineering

A

(or “hacking the human”) refers to means of getting users to reveal confidential information. Typical social engineering attack scenarios include:

  • An attacker creates an executable file that prompts a network user for their user name and password, and then records whatever the user inputs.
  • An attacker contacts the help desk pretending to be a remote sales representative who needs assistance setting up remote access.
  • An attacker triggers a fire alarm and then slips into the building during the confusion and attaches a monitoring device to a network port.
39
Q

Impersonation

A

(pretending to be someone else) is one of the basic social engineering techniques. The classic impersonation attack is for the social engineer to phone into a department, claim they have to adjust something on the user’s system remotely, and get the user to reveal their password.

40
Q

Basic tools of a social engineer:

A
  • Familiarity/liking
  • Consensus/social proof
  • Authority and Intimidation
  • Scarcity and urgency
41
Q

Trust

A

Being convincing (or establishing trust) usually depends on the attacker obtaining privileged information about the organization.

42
Q

Dumpster Diving

A

Dumpster diving refers to combing through an organization’s (or individual’s) garbage to try to find useful documents (or even files stored on discarded removable media).

43
Q

Shoulder surfing

A

Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it.

44
Q

Lunchtime attack

A

Most authentication methods are dependent on the physical security of the workstation. If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system. This is often described as a lunchtime attack.

45
Q

Tailgating

A

Tailgating is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. Like tailgating, piggybacking is a situation where the attacker enters a secure area with an employee’s permission.

46
Q

Phishing

A

combination of social engineering and spoofing (disguising one computer resource as another). In the case of phishing, the attacker sets up a spoof website to imitate a target bank or e‑commerce provider’s secure website or some other web resource that should be trusted by the target. The attacker then emails users of the genuine website informing them that their account must be updated or with some sort of hoax alert or alarm, supplying a disguised link that actually leads to their spoofed site. When the user authenticates with the spoofed site, their logon credentials are captured. Another technique is to spawn a “pop-up” window when a user visits a genuine banking site to try to trick them into entering their credentials through the pop-up.

47
Q

Spear phishing

A

refers to a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack. The attacker might know the name of a document that the target is editing, for instance, and send a malicious copy, or the phishing email might show that the attacker knows the recipient’s full name, job title, telephone number, or other details that help convince the target that the communication is genuine. A spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other “big beasts”) is sometimes called whaling. Upper management may also be more vulnerable to ordinary phishing attacks because of their reluctance to learn basic security procedures.

48
Q

Vishing

A

Vishing describes a phishing attack conducted through a voice channel (telephone or VoIP, for instance). For example, targets could be called by someone purporting to represent their bank asking them to verify a recent credit card transaction and requesting their security details. It can be much more difficult for someone to refuse a request made in a phone call compared to one made in an email.

49
Q

SMiShing

A

refers to fraudulent SMS texts. Other vectors could include instant messaging (IM) or social networking sites.

50
Q

Pharming

A

another means of redirecting users from a legitimate website to a malicious one. Rather than using social engineering techniques to trick the user, pharming relies on corrupting the way the victim’s computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one.

51
Q

watering hole attack

A

another type of directed social engineering attack. It relies on the circumstance that a group of targets may use an unsecure third-party website.

52
Q

Hoaxes

A

such as security alerts or chain emails, are another common social engineering technique, often combined with phishing or pharming attacks.

53
Q

Social engineering is best defeated by training users to recognize and respond to threat situations:

A
  • Train employees to release information or make privileged use of the system only according to standard procedures.
  • Establish a reporting system for suspected attacks—though the obvious risk here is that many false negatives will be reported.
  • Train employees to identify phishing and pharming style attacks plus new styles of attacks as they emerge.
  • Train employees not to release work-related information on third-party sites or social networks (and especially not to reuse passwords used for accounts at work).
54
Q

One of the most prevalent threats to computers today

A

• malicious code

Malicious code is undesired or unauthorized software, or malware, that is placed into a target system to disrupt operations or to redirect system resources for the attacker’s benefit. In the past, many malicious code attacks were intended to disrupt or disable an operating system or an application, or force the target system to disrupt or disable other systems. More recent malicious code attacks attempt to remain hidden on the target system, utilizing available resources to the attacker’s advantage.

Potential uses of malicious code include launching Denial of Service attacks on other systems; hosting illicit or illegal data; skimming personal or business information for the purposes of identity theft, profit, or extortion; or displaying unsolicited advertisements.

55
Q

computer virus

A

a type of malware designed to replicate and spread from computer to computer, usually by “infecting” executable applications or program code.

56
Q

There are several different types of viruses and they are generally classified by the different ways they can infect the computer (the vector):

A
  • Boot sector viruses—attack the disk boot sector information, the partition table, and sometimes the file system.
  • Program viruses—sequences of code that insert themselves into another executable program. When the application is executed, the virus code becomes active. Executable objects can also be embedded or attached within other file types, such as document formats like Microsoft Word (DOC), Portable Document Format (PDF), and Rich Text Format (RTF).
  • Script viruses—scripts are powerful languages used to automate OS functions and add interactivity to web pages. Scripts are executed by an interpreter rather than self-executing. Most script viruses target vulnerabilities in the interpreter. Note that some document types, such as PDF, support scripting and have become a common vector in the last few years.
  • Macro viruses—use the programming features available in Microsoft Office documents. Recent versions of Office enforce restrictions against enabling potentially dangerous content by default, but some users may have disabled these protections.
  • Multipartite viruses—use both boot sector and executable file infection methods of propagation.
57
Q

Viruses

A

categorized by their virulence. Some viruses are virulent because they exploit a previously unknown system vulnerability (a “zero day” exploit).

58
Q

payload

A

a virus can also be configured with a payload that executes when the virus is activated. The payload can perform any action available to the host process.

memory-resident viruses that replicate over network resources.

59
Q

Worms

A

A worm is self-contained; that is, it does not need to attach itself to another executable file. They typically target some sort of vulnerability in an application, such as a database server or web browser. The primary effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates. A worm may also be able to crash an operating system or server application (performing a Denial of Service attack). Also, like viruses, worms can carry a payload that may perform some other malicious action, such as installing a backdoor.

60
Q

Trojan horse malware

A

malware code concealed within an application package that the user thinks is benign, such as a game or screensaver. The purpose of a Trojan is not to replicate, but either to cause damage to a system or to give an attacker a platform for monitoring and/or controlling a system.

Many Trojans function as backdoor applications. This class of Trojan is often called a Remote Access Trojan (RAT). RATs mimic the functionality of legitimate remote control programs but are designed specifically for stealth installation and operation. Once the RAT is installed, it allows the attacker to access the PC, upload files, and install software on it. This could allow the attacker to use the computer in a botnet, to launch Distributed Denial of Service (DDoS) attacks, or mass-mail spam.

61
Q

rogueware or scareware

A

fake anti-virus, where a web pop-up claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker’s Trojan.

62
Q

covert channel

A

The attacker must establish some means of secretly communicating with the compromised machine (a covert channel). This means that the RAT must establish a connection from the compromised host to a Command and Control (C2 or C&C) host or network operated by the attacker. This network connection is usually the best way to identify the presence of a RAT.

63
Q

Spyware

A

a program that monitors user activity and sends the information to someone else. It may be installed with or without the user’s knowledge. Aggressive spyware or Trojans known as “keyloggers” actively attempt to steal confidential information; for example, as a user enters a credit card number into a webform, it records the keystrokes, thereby capturing the credit card number. There are a wide variety of software keyloggers available on the Internet.

64
Q

Adware

A

any type of software or browser plug-in that displays commercial offers and deals. Some adware may exhibit spyware-like behavior, however, by tracking the websites a user visits and displaying targeted ads, for instance.

65
Q

rootkit

A

represents a class of backdoor malware that is harder to detect and remove. Rootkits work by changing core system files and programming interfaces, so that local shell processes, such as Explorer, taskmgr, or tasklist on Windows or ps or top on Linux, plus port scanning tools, such as netstat, no longer reveal their presence (at least, if run from the infected machine). They also contain tools for cleaning system logs, further concealing the presence of the rootkit. The most powerful rootkits operate in kernel mode, infecting a machine through a corrupted device driver or kernel patch. A less effective type of rootkit operates in user mode, replacing key utilities or less privileged drivers.

66
Q

Ransomware

A

a type of Trojan malware that tries to extort money from the victim.

67
Q

Crypto-malware

A

class of ransomware attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate, unless the user has up-to-date backups of the encrypted files.

68
Q

time bomb and logic bomb

A

Some types of malware do not trigger automatically. Having infected a system, they wait for a preconfigured time or date (time bomb) or a system or user event (logic bomb).