Module 1

Question 1

What is the difference between data and information?

Answer 1

Data: Data is actually processed and is useless until organized (ex: each student’s test score)
Information: When data is processed and presented in a context that is useful (ex: Avg score of a class)

Question 2

Information Security

Answer 2

Protection of information and information systems from unauthorized access in order to provide confidentiality, integrity, and availability

Question 3

Computer Security

Answer 3

Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer

Question 4

Cybersecurity

Answer 4

Prevention of damage to electronic communication systems to ensure availability, integrity, authentication, confidentiality

Question 5

Describe the 3 States of Data

Answer 5

Data at Rest: Data that is preserved on a storage device
Data in transit/motion: Describes data that is transmitted over a network (ex information going over a network or internet)
Data in use: Data that is manipulated by a microprocessor (ex Microsoft Word Document editing)

Question 6

CIA Triad

Answer 6

Refers to the 3 principles of security control and management, which is:
Confidentiality: Keeping info and communications private and protected
Integrity: Keeping organizational information accurate, free of errors, and free from unauthorized modification
Availability: Ensuring that computer systems operate continuously and that authorized persons can access the data they need.

Question 7

As security is __________, convenience is ______________

Answer 7

Increased, Decreased

Question 8

Hacker vs Threat Actor

Answer 8

Hacker: Programmer capable of developing programs and making coding changes to programs to make them more efficient.
Threat Actor: Hacker that uses their skill in a bad way. (Refers to gray and black hat hackers)

Question 9

What is white vs black vs gray hat hackers

Answer 9

White Hat: Ethical hacker, exposes security flaws with organization’s consent to be fixed
Black Hat: Exposes security vulnerabilities without organizational consent for malicious purposes
Gray Hat: Exposes security flaws in applications without consent, but not for malicious purposes

Question 10

What are the different types of threat actors? (hint 9)

Answer 10

• Script Kiddies: Inexperienced hackers with limited technical knowledge who rely on automated tools to hack Hacktivists: Hackers who rally and protest against different political and social ideas
• Cybercriminals: Hackers who are either self-employed or working for larger cybercrime organizations
  
  • Steal money
• State Actors/State-Sponsored Hackers: Hackers who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations
  
  • Involved in attacks called advanced persistent threat (APT). (Try to stay as long as you can in a system, such as spying on a system)
• Insiders: Present and past employees, contractors, partners, and any entity that has access to proprietary or confidential information and whose actions result in compromised security.
  
  • Ex: Previous employee who had access to personal information
• Competitors: Launch an attack against an opponent’s system to steal classified information
• Criminal Syndicates: Moving from traditional criminal activities to more rewarding and less risky online attacks
• Shadow IT: Employees install their own equipment or resources in violation of company policies (can expose weaknesses in corporations)
• Brokers: Sell their knowledge of weakness to other attackers or governments
• Cyberterrorists: Attack a nation’s network and computer infrastructure to cause disruption and panic among citizens

Question 11

Vulnerability

Answer 11

• State of being exposed to the possibility of being attacked or harmed
  
  • A weakness in a system or its design that could be exploited
  • Ex: A building that has unlocked doors or doesn’t have security cameras deployed
• Vulnerabilities can be categorized into platforms, configurations, third parties, patches, and zero-day vulnerabilities

Question 12

Exploit

Answer 12

Taking advantage of the vulnerability or weakness

Question 13

Attack

Answer 13

• Technique used to exploit a vulnerability in an application or physical computer system without the authorization to do so
  
  • Ex: Physical security attacks, software based attacks, etc

Question 14

List the 5 different categories that cybersecurity vulnerabilities can be categorized into:

Answer 14

• Platforms
• Configurations
• Third Parties
• Patches
• Zero-day vulnerabilities

Question 15

Platform

Answer 15

• A system that consists of the hardware device and an OS that runs software
• Examples of platforms:
  
  • Legacy Platforms: OS no longer in use
  • On-premises platforms: physical software and technology in an enterprise (data center)
  • Cloud Platforms: Pay per use computing model

Question 16

Configuration

Answer 16

• Configuration settings are often not properly implemented, resulting in weak configurations.
  
  • Default Settings: Predetermined by vendor and meant for ease of use and not security (default Wi-Fi password)
  • Open ports and services: Devices and services are configured to allow the most access so the user can close ports specific to that organization
  • Unsecured root accounts: Root account gives user unfettered access to all resources (Ex: cloud storage)
  • Open permissions: User access over files that should be restricted (ex: user given read and write privileges when only meant to be given read)
  • Unsecure protocols: Configuration uses protocols for telecommunications that do not provide adequate protection (ex: employee using device with unsecured protocols)
  • Weak Encryption: User choosing a known vulnerable encryption mechanism
  • Errors: Human mistakes in selecting one setting over another without considering security implications

Question 17

Third Party

Answer 17

• When businesses use external entities such as marketing agencies, landscapers, IT related third parties, etc.
  
  • Examples include outsourced code development, data storage facilities

Question 18

Patches

Answer 18

• Patch Means to fix vulnerability
• Patches can create vulnerabilities such as: Difficulty patching firmware, few patches for application software, delays in patching OSs
  
  • Important to keep OS updated for security

Question 19

Zero Day

Answer 19

• Vulnerabilities can be exploited by attackers before anyone else even knows it exists
• Called zero day because it provides zero days of warning
• These vulnerabilities are extremely serious.

Question 20

IP Address and Port

Answer 20

• IP Address allows you to identify a specific machine
• Each networking program on a machine is associated with a different port.
• The port identifies the program

Question 21

Information security is protected in what three layers?

Answer 21

• Products
• People
• Policies and Procedures

Question 22

Attack Vector

Answer 22

• Pathway used by a threat actor to penetrate a system.
• Attack vectors can be grouped into these categories:
  
  • Email
  • Wireless
  • Removable Media
  • Direct Access
  • Social Media
  • Supply Chain
  • Cloud

Question 23

Social Engineering (attack)

Answer 23

• Means of eliciting information by relying on weaknesses of individuals
  
  • Used as influence campaigns to sway people’s attention on social media
  • Ex: Impersonating someone and asking for information such as username and password
• Attackers use techniques to gain trust:
  
  • Provide a reason
  • Project confidence
  • Use evasion and diversion
  • Make person laugh

Question 24

Social Engineering: Spam

Answer 24

• Unsolicited email that is sent to a large number of recipients
  
  • Ex: Clicking on a link to buy a product
    
    • Spam is often sent by image with text on it so that it cannot be filtered out as junk

Question 25

Social Engineering: Hoax

Answer 25

• False warnings, often in email claiming to come from the IT dept.
• Asks recipient to erase specific files and forward the message to others
  
  • Allows hackers to compromise the system

Question 26

Social Engineering: Physical Exploits

Answer 26

• Shoulder Surfing: Obtain passwords by looking over someone’s shoulder
• Dumpster diving: Obtain passwords by inspecting trash
• Tailgating and Piggy Backing: To gain entry into a secure area by following an employee

Question 27

Social Engineering: Impersonation

Answer 27

• Pretending to be a fictitious character and impersonating that role with a victim
  
  • Ex: help desk technician

Question 28

Social Engineering: Phishing

Answer 28

• Sending an email message or displaying a web announcement that falsely claims to be from a legitimate enterprise to trick user into giving up their information
• Different types of phishing, including:
  
  • Spear phishing
  • Whaling
  • vishing
  • smishing

Question 29

Social Engineering: Redirection

Answer 29

• Misidirecting the user such as having a domain name similar to a real company
  
  • Ex: goggle.com instead of google.com

Question 30

Social Engineering: Watering hole attack

Answer 30

• Directed toward smaller group of individuals, such as manufacturing executives who use a specific site

Question 31

What are the three most common physical social engineering attacks?

Answer 31

• Dumpster Diving: digging through trash to find useful info
• Tailgating: Following an authorized user through a door
• Shoulder surfing: Watching an individual enter a security code on a keypad

Question 32

What are the four main consequences of a successful attack on data?

Answer 32

• Data Loss: data is not recoverable anymore
• Data exfiltration: Stealing data to distribute it to other parties
• Data breach: Stealing data to disclose it in an unauthorized fashion
• Identity theft: Taking personally identifiable information to impersonate someone

Question 33

What are the various effects of a successful attack on an enterprise?

Answer 33

• May make systems inaccessible (availability loss)
• Could result in financial loss
• Impacts reputation of enterprise for perceived lack of security