midterm 2 Flashcards
What is the G7 24/7 Cybercrime Network?
๐น A network for international cooperation in investigating and prosecuting high-tech crimes.
๐น Provides 24/7 contact points for cybercrime incidents.
๐น Facilitates freezing and production requests for digital evidence.
What is the ITU (International Telecommunication Union)?
๐น Established in 1865 to manage global communication networks.
๐น Sectors: Radiocommunications, Standardization, and Development.
๐น Operates the ITU Cybersecurity Programme to enhance global cyber resilience.
What is the role of the United Nations in cybersecurity?
/UN Internet Governance Forum โ Discusses global internet policies.
/UN Group of Governmental Experts (GGE) โ Addresses international cybersecurity issues.
/Cyber Defence Committee (NATO collaboration) โ Strengthens cybersecurity policies.
What cybersecurity policies does the OECD support?
/Digital security legal instruments developed since the 1990s.
//Key recommendations:
//Cryptography Policy (1997)
//Digital Security Risk Management (2015)
//Security of Critical Activities (2019)
What is the Budapest Convention on Cybercrime
/Adopted in 2001, aims to harmonize cybercrime laws across countries. /Promotes international cooperation for cybercrime investigations.
/Sets legal standards for criminal procedures and digital evidence handling.
What is the Global Cybersecurity Index (GCI)?
/Measures cybersecurity preparedness across nations.
/Assessment based on Legal, Technical, Organizational, Capacity Building, and Cooperation measures.
What is the African Unionโs approach to cybersecurity?
/African Union Convention on Cybersecurity and Personal Data Protection.
/Establishes legal and regulatory frameworks for data protection and cybercrime.
What are National Cybersecurity Strategies?
/Key areas include:
/Governance
/Risk management
/Critical infrastructure protection
/nternational cooperation
What are the legal solutions for cybersecurity?
/Criminalization โ Defining cybercrime laws.
/Incident reporting & information sharing โ Ensuring response coordination.
/Institutional arrangements โ Creating dedicated cybersecurity agencies.
What is the Global Cybersecurity Index (GCI)?
/A global ranking system that measures countriesโ cybersecurity preparedness.
/Developed by the International Telecommunication Union (ITU).
/Evaluates legal, technical, and organizational measures in cybersecurity.
What are the Five GCI Assessment Pillars?
/Legal Measures โ Laws and regulations on cybersecurity and cybercrime.
/Technical Measures โ National CSIRTs, cybersecurity standards, and risk management.
/Organizational Measures โ Cyber strategies, policies, and coordination.
/Capacity Building โ Cybersecurity education, training, and awareness.
/Cooperation โ International partnerships and incident response collaboration.
Why is the GCI important?
/Helps countries identify strengths & weaknesses in cybersecurity.
/Encourages international cooperation in fighting cyber threats.
/Provides benchmarking data for governments to improve security policies.
What does a high GCI score indicate?
/A country has strong legal, technical, and organizational cybersecurity frameworks.
/It actively trains personnel, promotes awareness, and engages in international collaboration.
/Examples of high-ranking countries: U.S., U.K., Singapore, Estonia.
How can countries improve their GCI ranking?
/Strengthen cybercrime laws and enforcement.
/Develop national cybersecurity strategies.
/Create and fund CSIRTs (Computer Security Incident Response Teams).
/Enhance international cooperation in cybersecurity.
What was the biggest shift in cyberthreats observed in 2023?
A surge in attacks targeting identities, focusing on logging in rather than hacking in.
What technique saw a 100% increase in 2023 for compromising identities?
A type of malware designed to steal credentials and sensitive data.
What cyberattack method saw a drop despite remaining common?
Ransomware attacks on enterprises.
What was the most common impact of cyberattacks in 2023?
Data theft and leaks.
How are attackers acquiring credentials on the dark web?
Through infostealer malware that collects and sells login data.
What is adversary-in-the-middle (AitM) phishing?
A method where attackers intercept traffic between a user and a website to steal credentials and bypass MFA.
Why is identity abuse becoming a preferred attack vector?
Itโs harder for defenders to distinguish between legitimate and malicious identity use.
What were the top two initial access vectors in 2023?
Valid accounts (30%) and phishing (30%).
How are attackers obtaining valid credentials?
Through infostealers, phishing, and dark web marketplaces.
What percentage of cloud assets for sale on the dark web are account credentials?
90%.
What exploit saw widespread abuse in 2023 for data extortion?
MOVEit vulnerability (CVE-2023-34362).
What attack vector saw an increase in Europe?
Exploitation of public-facing applications and credential abuse.
What was the most successful ransomware group in 2023?
BlackCat (ALPHV).
What common Microsoft Office vulnerability was exploited for malware delivery?
CVE-2017-11882 (Equation Editor flaw).
What is the best defense against credential-based attacks?
Implementing multi-factor authentication (MFA) and strong password policies.
How can organizations mitigate security misconfigurations?
Regular penetration testing and proper asset management.
What is the principle of least privilege?
Limiting user access rights to only what is necessary.
What attack vector does session hijacking exploit?
Security misconfigurations allowing concurrent user sessions.
How can organizations prevent adversary-in-the-middle phishing?
Using phishing-resistant MFA (e.g., FIDO2 security keys).
What AI-related security risk is expected to grow?
AI-powered phishing attacks.
Why are patch management and vulnerability scanning critical?
They prevent attackers from exploiting known security flaws.
How can organizations reduce cloud-based attacks?
Strengthening IAM (Identity and Access Management) policies.
What is one key indicator that AI will become a major attack vector?
When a single AI technology reaches 50% market share.
Why is SQL injection dangerous?
It allows attackers to bypass authentication, delete data, and exfiltrate confidential information.
What is SQL injection (SQLi)?
A type of cyberattack where attackers insert malicious SQL queries into a database to manipulate or extract sensitive data.
What are common SQL injection defenses?
Using prepared statements, parameterized queries, and web application firewalls (WAFs).
What is CL0P?
A ransomware group known for data extortion attacks and targeting file transfer software vulnerabilities.
How did CL0P exploit MOVEit?
They used the SQL injection flaw to gain unauthorized access, steal data, and extort victims.
How is data extortion different from traditional ransomware?
Traditional ransomware encrypts files, while data extortion steals and threatens to leak them.
What is data extortion?
A cybercrime tactic where attackers steal sensitive data and demand a ransom to prevent its exposure.
What industries were most affected by data extortion in 2023?
Healthcare, finance, and government sectors.
What is a zero-day vulnerability?
A software flaw unknown to developers but exploited by hackers before a fix is available.
Why was MOVEit (CVE-2023-34362) considered a zero-day attack?
Because it was exploited before the vendor released a security patch.
What is the best defense against zero-day vulnerabilities?
Regular security updates, network monitoring, and threat intelligence.
What is Managed File Transfer (MFT)?
A secure way to transfer large files between businesses or within an organization.
Why was MOVEit targeted?
It handles sensitive business data, making it valuable for cybercriminals.
How can organizations secure MFT solutions?
By implementing encryption, multi-factor authentication (MFA), and security patches.
What is authentication bypass?
A vulnerability that allows unauthorized access to a system without valid credentials.
How was authentication bypass used in the MOVEit attack?
Attackers used SQL injection to bypass login mechanisms and gain access.
How can authentication bypass be prevented?
Strong authentication controls, MFA, and input validation.
What is a threat actor?
Any individual, group, or entity that poses a cybersecurity risk.
What kind of threat actors exploited MOVEit?
Cybercriminal gangs like CL0P, nation-state actors, and ransomware groups.
What is an example of a nation-state threat actor?
APT28 (Fancy Bear), which is linked to Russian cyber espionage.
What is Kerberoasting?
A Windows Active Directory attack that steals service account credentials by requesting and cracking Kerberos tickets offline.
How does Kerberoasting work?
An attacker requests a Kerberos service ticket, extracts it from memory, and brute-forces the NTLM hash offline.
Why is Kerberoasting effective?
It exploits weak service account passwords without needing direct network access.
How can organizations prevent Kerberoasting?
Use strong passwords, Managed Service Accounts (MSA), and monitor Kerberos ticket requests.
What is the Equation Editor flaw?
A Microsoft Office vulnerability that allows attackers to execute malicious code by opening a Word document.
How is the Equation Editor flaw exploited?
Attackers embed hidden code in a Word file, which executes automatically when opened.
What types of attacks use the Equation Editor flaw?
Phishing, malware delivery, and remote code execution (RCE) attacks.
How can the Equation Editor flaw be prevented?
Apply Microsoft patches, disable Equation Editor, and filter email attachments.
How does SQL injection work?
Hackers manipulate input fields to execute unauthorized database commands.
What is MOVEit?
A secure file transfer software used by businesses and government agencies.
What was the vulnerability in MOVEit?
A SQL injection flaw that let attackers steal sensitive data without authentication.
What happened in the MOVEit attacks?
Attackers stole data from banks, healthcare, and government organizations and demanded ransom.
How can organizations protect against MOVEit exploits?
Apply security patches, disable unnecessary SQL functions, and implement Zero Trust.
What is Fancy Bear?
A Russian state-sponsored hacking group (APT28) linked to the GRU (military intelligence).
What are Fancy Bearโs main targets?
Governments, NATO, journalists, and political organizatio
Name a major attack by Fancy Bear.
2016 U.S. Election Hack โ DNC email breach and leaks via WikiLeaks.
How can organizations defend against Fancy Bear?
Use phishing-resistant MFA, monitor APT activity, and apply software patches.
What is Kerberos?
A secure authentication protocol that uses tickets instead of passwords for user verification.
What methods does Fancy Bear use?
Spear-phishing, zero-day exploits, malware (X-Agent, X-Tunnel), and disinformation campaigns.
What are the three main components of Kerberos?
/Key Distribution Center (KDC) โ The brain of Kerberos, responsible for authentication.
/Ticket Granting Service (TGS) โ Issues service tickets for access.
/Authentication Server (AS) โ Verifies user identity.
What is a Ticket Granting Ticket (TGT)?
A special Kerberos ticket issued after login that allows a user to request access to network resources.
How does a user get a TGT?
The user enters their username and password, which is sent to the Authentication Server (AS), and if correct, a TGT is issued.
What is a Service Ticket (TGS Ticket)?
A ticket that allows users to access specific services (e.g., file shares, printers) without re-entering credentials.
What happens when a user logs into a Kerberos system?
/The user enters their credentials.
/The KDC issues a Ticket Granting Ticket (TGT).
/When the user requests access to a service, the TGT is exchanged for a Service Ticket.
/The Service Ticket is presented to the resource server, granting access.
How long does a Kerberos ticket last?
TGTs typically last 8โ10 hours before expiring, requiring renewal.
What happens when a Kerberos ticket expires?
The user must request a new TGT by re-authenticating or using an automatic renewal system.
How does Kerberoasting exploit Kerberos tickets?
Attackers request a Service Ticket for a service account and then crack its password hash offline.
How can organizations detect Kerberoasting?
Monitor Kerberos ticket requests for unusual activity, like multiple service ticket requests from one user.
How can organizations prevent Kerberoasting?
/Use long, complex passwords for service accounts.
/Implement Managed Service Accounts (MSA) to eliminate password exposure.
/Monitor Kerberos logs for abnormal ticket activity.
How is spear-phishing different from regular phishing?
Spear-phishing targets specific individuals or organizations, while phishing is a general mass email attack.
What is an example of a spear-phishing attack?
A hacker impersonates a CEO and emails an employee, asking for login credentials or bank details.
How can you prevent spear-phishing attacks?
/Verify email senders.
/Avoid clicking on unexpected links or attachments.
/Use email security filters and Multi-Factor Authentication (MFA).
What is X-Agent?
A remote access Trojan (RAT) used by Fancy Bear to steal passwords, capture keystrokes, and exfiltrate data.
How does X-Agent infect a system?
Through phishing emails, malicious downloads, or software exploits.
What operating systems does X-Agent target?
Primarily Windows, macOS, and Linux.
What is X-Tunnel?
A backdoor malware that allows hackers to bypass network firewalls and move data covertly.
What does X-Tunnel do?
It creates an encrypted tunnel between the infected system and a hackerโs remote server.
How can you defend against X-Tunnel?
/Monitor network traffic for unusual connections.
/Use strong endpoint protection.
/Segment networks to prevent lateral movement.