Lesson 1: Comparing & Contrasting Attacks Flashcards
information security
refers to protection of available information or information resources from unauthorized access, attack, theft, or data damage
primary goals or functions of information security
- Prevention: personal information, company information, and information about intellectual property must be protected
- Detection: detection occurs when a user is discovered trying to access unauthorized data or after information has been lost
- Recovery: when there is a disaster or an intrusion by unauthorized users, system data can become compromised or damaged
assets
- Tangible assets: these are physical items, such as buildings, furniture, computer equipment, software licenses, machinery, inventory (stock), and so on
- Intangible assets: information resources, including IP, accounting information, plans and designs, and so on, can also include company’s reputation or brand
- Employees: human capital
data assets
- Product development, production, fulfilment, and maintenance
- Customer contact information
- Financial operations and controls (collection and payments of debts, payroll, tax, financial reporting)
- Legal obligations to maintain accurate records for a given period
- Contractual obligations to third parties (Service Level Agreements)
CIA Triad
- Confidentiality: certain information should only be known to certain people
- Integrity: data is stored and transferred as intended and that any modification is authorized
- Availability: information is accessible to those authorized to view or modify it
non-repudiation
subject cannot deny doing something, such as creating, modifying, or sending a resource
steps in establishing a security policy
- Obtain genuine support for and commitment to such policy throughout organization
- Analyze risks to security within organization. Risks are components, processes, situations, or events that could cause loss, damage, destruction, or theft of data or materials
- Implement controls that detect and prevent losses, and procedures that enable the organization to recover from losses (or other disasters) with minimum interruption to business continuity
- Review, test, and update procedures continually
information security roles and responsibilities
- Overall internal responsibility for security might be allocated to a dedicated department, run by a Director of Security or Chief Information Security Officer (CISO) | responsibility for security might have been allocated to an existing business unit, such as Information and Communications Technology (ICT) or accounting
- Managers may have responsibility for a domain, such as building control, ICT, or accounting
- Technical and specialist staff have responsibility for implementing, maintaining, and monitoring policy (notable job roles are Information Systems Security Officer [ISSO] and Cybersecurity Analyst [CySA])
- Non-technical staff have responsibility of complying with policy and with any relevant legislation
- External responsibility for security (due care or liability) lies mainly with directors or owners, though again, it is important to note that all employees share some measure of responsibility
information security competencies
- Participate in risk assessments and testing of security systems and make recommendations
- Specify, source, install, and configure secure devices and software
- Set up and maintain document access control and user privilege profiles
- Monitor audit logs, review user privileges, and document access controls
- Manage security-related incident response and reporting
- Create and test business continuity and disaster recovery plans and procedures
- Participate in security training and education programs
vulnerability
- weakness that could be triggered accidentally or exploited intentionally to cause a security breach
- ex:
- Improperly configured or installed hardware or software
- Delays in applying and testing software and firmware patches
- Untested software and firmware patches
- Misuse of software or communication protocols
- Poorly designed network architecture
- Inadequate physical security
- Insecure password usage
- Design flaws in software or operating systems, such as unchecked user input
threat
potential for a threat agent or threat actor (something or someone that may trigger a vulnerability accidentally or exploit it intentionally) to “exercise” a vulnerability (that is, to breach security). Path or tool used by threat actor can be referred to as threat vector
risk
likelihood and impact (or consequence) of a threat actor exercising a vulnerability
control
system or procedure put in place to mitigate risk
attributes of threat actors
- Viruses
- Rootkits
- Trojans
- Botnets
- DDoS
- Specific software vulnerabilities
Script Kiddies, Hackers, and Hacktivists
- Hacker and attacker are related terms for individuals who have skills to gain access to computer systems through unauthorized or unapproved means
- Black Hat or cracker: malicious
- White Hat: non-malicious
- Script kiddie: someone that uses hacker tools without necessarily understanding how they work or having ability to craft new attacks
- Newbie (n00b): bare minimum of experience and expertise
- Hacktivist: groups using cyber weapons to promote political agenda | might attempt to obtain and release confidential information to public domain, perform Denial of Service (DoS) attacks, or deface websites
- Anonymous
- WikiLeaks
- LulzSec
Organized Crime and Competitors
- Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail
- Most competitor-driven espionage is thought to be pursued by nation-state backed groups, but it is not inconceivable that a rogue business might use cyber espionage against its competitors
Nation State Actors/Advanced Persistent Threats
- Nation states have developed cybersecurity expertise and will use cyber weapons to achieve both military and commercial goals
- Advanced Persistent Threat (APT): to understand behavior underpinning modern types of cyber adversaries | ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques
- Nation state actors have been implicated in many attacks, particularly on energy and health network systems
- Goals include espionage, strategic advantage, commercial gain (like North Korea)
- Nation state actors will work at arm’s length from the state sponsoring and protecting them, maintaining “plausible deniability,” and are likely to pose as independent groups or even as hacktivists
Malicious Insider Threats
- Perpetrator of an attack is a member of, ex-member of, or somehow affiliated with organization’s own staff, partners, or contractors
- Computer Emergency Response Team (CERT) definition of malicious insider
- Current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of organization’s information or information systems
- CERT identifies main motivators for insider threats
- Sabotage
- Financial gain
- Business advantage
- Implementing operation and management controls (especially secure logging and auditing) is essential
Kill Chain
- several models for describing general process of an attack on systems security (following influential paper Intelligence-Driven Computer Network Defense)
- Planning/scoping: attacker determines what methods s/he will use to complete phases of attack
- Reconnaissance/discovery: attacker discovers what s/he can about how target is organized and what security systems it has in place
- Weaponization: phase in which attacker utilizes an exploit to gain access | comprised of several steps
- Exploit: run code on target system to exploit a vulnerability and gain elevated privileges. Point of access (a compromised computer or user account, for instance) referred to as pivot point
- Callback: establish covert channel to an external Command and Control (C2 or C&C) network operated by attacker
- Tool download: install additional tools to pivot to maintain covert access to system and progress attack
- Post-exploitation/lateral discovery/spread: if attacker obtains pivot point, next phase is typically to spread laterally to more privileged assets of interest
- Action on objectives: attacker typically uses access s/he has achieved to covertly copy information from target systems (data exfiltration). However, an attacker may have other motives or goals to achieve
- Retreat: once attacker has achieved his or her initial aims without being detected, s/he may either maintain an APT or seek to withdraw from network, removing any trace of his or her presence to frustrate any subsequent attempt to identify source of attack
Indicator
pattern of observables that are “of interest,” or worthy of cybersecurity analysis
Incident
pattern of indicators that forms a discrete cybersecurity event. Incident is defined both by indicators involved and assets affected. Incident will be assigned a ticket and priority, and parties involved in response and incident handling will be identified
Tactics, techniques, and procedures (TTP)
known adversary behaviors, starting with overall goal and asset target (tactic), and elaborated over specific techniques and procedures. This information is used to identify potential indicators and incidents
Campaign and Threat Actors
adversaries launching cyber-attacks. Actions of threat actors that utilize multiple TTPs against the same target, or the same TTP against multiple targets, may be characterized as a campaign
Exploit Target
system vulnerabilities or weaknesses deriving from software faults or configuration errors
Course of Action (CoA)
mitigating actions or use of security controls to reduce risk from Exploit Targets or to resolve an incident