Lesson 1: Comparing and Contrasting Attacks Flashcards
Information security
refers to the protection of available information or information resources from unauthorized access, attack, theft, or data damage.
Three primary goals or functions involved in the practice of information security:
- Prevention—personal information, company information, and information about intellectual property must be protected.
- Detection—detection occurs when a user is discovered trying to access unauthorized data or after information has been lost.
- Recovery—when there is a disaster or an intrusion by unauthorized users, system data can become compromised or damaged. It is in these cases that you need to employ a process to recover vital data from a crashed system or data storage devices. Recovery can also pertain to physical resources.
Assets are usually classified in the following ways:
- Tangible assets—these are physical items, such as buildings, furniture, computer equipment, software licenses, machinery, inventory (stock), and so on.
- Intangible assets—these are mostly information resources, including Intellectual Property (IP), accounting information, plans and designs, and so on. Intangible assets also include things like a company’s reputation, image, or brand.
- Employees—it is commonplace to describe an organization’s staff (sometimes described as “human capital”) as its most important asset.
Market value
the price that could be obtained if the asset were to be offered for sale (or the cost if the asset must be replaced).
Liabilities
In terms of security, however, assets must also be valued according to the liabilities that the loss or damage of the asset would create:
- Business continuity—this refers to an organization’s ability to recover from incidents (any malicious or accidental breach of security policy is an incident).
- Legal—these are responsibilities in civil and criminal law. Security incidents could make an organization liable to prosecution (criminal law) or for damages (civil law). An organization may also be liable to professional standards, codes, and regulations.
The CIA Triad
Secure information has three properties, often referred to as the CIA Triad:
- Confidentiality—means that certain information should only be known to certain people.
- Integrity—means that the data is stored and transferred as intended and that any modification is authorized.
- Availability—means that information is accessible to those authorized to view or modify it.
Non-repudiation
means that a subject cannot deny doing something, such as creating, modifying, or sending a resource. For example, a legal document, such as a will, must usually be witnessed when it is signed. If there is a dispute about whether the document was correctly executed, the witness can provide evidence that it was.
Security policy
formalized statement that defines how security will be implemented within an organization.
Steps to establishing a security policy:
- The first step in establishing a security policy is to obtain genuine support for and commitment to such a policy throughout the organization.
- The next step is to analyze risks to security within the organization. Risks are components, processes, situations, or events that could cause the loss, damage, destruction, or theft of data or materials.
- Having identified risks, the next step is to implement controls that detect and prevent losses and procedures that enable the organization to recover from losses (or other disasters) with minimum interruption to business continuity.
- The “final” step in the process is to review, test, and update procedures continually. An organization must ensure continued compliance with its security policy and the relevance of that policy to new and changing risks.
Security posture
employees must be aware of their responsibilities. The structure of security responsibilities will depend on the size and hierarchy of an organization, but these roles are typical:
- Managers may have responsibility for a domain, such as building control, information and communications technology (ICT), or accounting.
- Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Two notable job roles are Information Systems Security Officer (ISSO) and Cybersecurity Analyst (CySA).
- Non-technical staff have the responsibility of complying with policy and with any relevant legislation.
- External responsibility for security (due care or liability) lies mainly with directors or owners, though again, it is important to note that all employees share some measure of responsibility.
Chief Information Security Officer (CISO)
Overall internal responsibility for security might be allocated to a dedicated department, run by a Director of Security or Chief Information Security Officer (CISO).
Information security competencies:
- Participate in risk assessments and testing of security systems and make recommendations.
- Specify, source, install, and configure secure devices and software.
- Set up and maintain document access control and user privilege profiles.
- Monitor audit logs, review user privileges, and document access controls.
- Manage security-related incident response and reporting.
- Create and test business continuity and disaster recovery plans and procedures.
- Participate in security training and education programs.
Computer Security Division
In the US, the Computer Security Division of the National Institute of Standards and Technology (NIST) is responsible for issuing the Federal Information Processing Standards (FIPS) plus advisory guides called Special Publications. Many of the standards and technologies covered in CompTIA® Security+® are discussed in these documents.
Vulnerability
a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Examples of vulnerabilities include improperly configured or installed hardware or software, delays in applying and testing software and firmware patches, untested software and firmware patches, the misuse of software or communication protocols, poorly designed network architecture, inadequate physical security, insecure password usage, and design flaws in software or operating systems, such as unchecked user input.
Threat
the potential for a threat agent or threat actor (something or someone that may trigger a vulnerability accidentally or exploit it intentionally) to “exercise” a vulnerability (that is, to breach security). The path or tool used by the threat actor can be referred to as the threat vector.
Risk
the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Control
a system or procedure put in place to mitigate risk.
Threat actors
The sophisticated nature of modern cybersecurity threats means that it is important to be able to describe and analyze behaviors as well as enumerate known threat patterns. Consequently, it is important to distinguish the types of threat actors in terms of location, sophistication and resources, and intent.
Intent and motivation
When assessing the risk that any one type of threat actor poses to your own organization, critical factors to profile are those of intent and motivation.
Structured or unstructured (or targeted versus opportunistic)
Threats can be characterized as structured or unstructured (or targeted versus opportunistic) depending on the degree to which your own organization is targeted specifically.
Hacker and attacker
related terms for individuals who have the skills to gain access to computer systems through unauthorized or unapproved means. Originally, hacker was a neutral term for a user who excelled at computer programming and computer system administration. Hacking into a system was a sign of technical skill and creativity that gradually became associated with illegal or malicious system intrusions. The terms Black Hat or cracker (malicious) and White Hat (non-malicious) are sometimes used to distinguish motivations.
Script kiddie
someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. A newbie (or n00b) is someone with a bare minimum of experience and expertise. Script kiddie attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.
Hacktivist
A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform Denial of Service (DoS) attacks, or deface websites. Political, media, and financial groups and companies are probably most at risk, but environmental and animal advocacy groups may target companies in a wide range of industries.
Organized crime
can operate across the Internet from different jurisdictions than its victim, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.
Competitor-driven espionage
- Cyber espionage is thought to be pursued mainly by nation-state-backed groups, but it is not inconceivable that a rogue business might use it against its competitors.
- Most nation-states have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals.
Advanced Persistent Threat (APT)
the term Advanced Persistent Threat (APT) was coined to describe the behavior underpinning modern types of cyber adversaries. Rather than thinking in terms of systems being infected with a virus or rootkit, an APT refers to the ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques.
Externally
In most cases, the threat actors described above operate externally from the networks they target.