Module 1 - Introduction to Security Flashcards
Introduction to Security
What is Security?
To be free from danger & the process that achieves that freedom
As security is increased, what happens to convenience?
Decreases
How is digital information secured?
1) Manipulated by a microprocessor
2) Preserved on a storage device
3) Transmitted over a network
What are the 3 types of information protection, & what is the acronym?
CIA Triad:
1) Confidentiality
2) Integrity
3) Availability
Define Confidentiality
Only approved individuals may access information
Define Integrity
Ensures information is correct & unaltered
Define Availability
Ensures information is accessible to authorized users
What is a Threat Actor?
An individual or entity responsible for cyber incidents against the technology equipment of enterprises & users; aka “attacker” or “hacker”
What 3 categories is Financial Crime divided into based on targets?
1) Individual Users
2) Enterprises
3) Governments
What are the 3 types of hackers?
1) Black hat hackers
2) White hat hackers
3) Gray hat hackers
What are Black Hat Hackers?
Threat actors who violate computer security for personal gain or to inflict malicious damage (ex: corrupt a hard drive)
What do White Hat Hackers do?
Attempt to probe a system (with an organization’s permission) for weaknesses & then privately provide that information; aka “ethical hackers”
What are Gray Hat Hackers?
Attackers who attempt to break into a computer system without the organization’s permission (illegal) but not for their own advantage; instead, they publicly disclose the attack in order to shame the organization into taking action
What are the 5 distinct categories of hackers?
1) Script kiddies
2) Hacktivists
3) State actors
4) Insiders
5) Others (Competitors, Criminal Syndicates, Shadow IT, Brokers, Cyberterrorists)
What are Script Kiddies?
Individuals who want to perform attacks, yet lack technical knowledge to carry them out. They download freely available automated attack software & use it to attack
What are Hacktivists?
Individuals strongly motivated by ideology (for the sake of their principles or beliefs);
Often involves breaking into a website & changing its contents as a means of making a political statement
What are State Actors?
Launch cyberattacks on their foes (instead of an army walking in); directed towards businesses in foreign countries with the goal of causing financial harm or damage to the enterprise’s reputation; deadliest of any threat actors
Which type of threat actor is the deadliest?
State Actors
What is APT, what does it stand for, & who does it?
A class of attacks that use innovative attack tools to infect & silently extract data over an extended period of time;
Advanced Persistent Threat (APT)
Most commonly associated w/ state actors
What are Insiders?
Employees, contractors, & business partners can pose an insider threat of manipulating data from the position of a trusted employee; harder to recognize because they come from within the enterprise
What are the “Other” threat actors?
1) Competitors
2) Criminal Syndicates
3) Shadow IT
4) Brokers
5) Cyberterrorists
What are Competitors?
Launch attacks against an opponent’s system to steal classified information; may steal new product research or a list of current customers to gain a competitive advantage
What are Criminal Syndicates?
Move from traditional criminal activities to more rewarding and less risky online attacks
What is Shadow IT?
Employees become frustrated with the slow pace of acquiring technology, so they purchase and install their own equipment or resources in violation of company policies
What are the 3 focuses of Insiders?
1) Intellectual Property (IP)
2) Sabotage
3) Espionage
What are Brokers?
Sell their knowledge of a weakness to other attackers or governments; sell weaknesses to the highest bidder
What are Cyberterrorists?
Attack a nation’s network & computer infrastructure to cause disruption & panic among citizens
Define Vulnerability
The state of being exposed to the possibility of being attacked or harmed
What are the 5 categories of Vulnerabilities?
1) Platforms
2) Configurations
3) Third parties
4) Patches
5) Zero-day vulnerability
What is a Legacy platform?
For a variety of reasons (limited hardware capacity, an application that only operates on a specific OS version, or neglect), an OS may not be updated, thus depriving it of these security fixes; just asking to be attacked; think Windows XP
What is an On-premises platform?
Software & technology located within the physical confines of an enterprise
What are Cloud platforms?
Servers, storage, & the supporting networking infrastructure are shared by multiple enterprises over a remote network connection that has been contracted for a specific period of time
What are the 3 types of platforms?
1) Legacy platform
2) On-premises platform
3) Cloud platform
What is a Weak Configuration?
Features & security settings that are not properly configured to repel attacks
What are 7 types of weak configurations?
1) Default setting
2) Open port & services
3) Unsecured root accounts
4) Open permission
5) Unsecured protocols
6) Weak encryption
7) Errors
What are Default Settings as a weak configuration?
Predetermined by the vendor for usability & ease of use (not for security) so the user can immediately begin using the product; ex: a router comes with a default password that is widely known
What are Open Ports & Services as a weak configuration?
Devices & services are often configured to allow the most access so that the user can close ports that are specific to that organization; ex: a firewall comes with FTP ports 20 & 21 open
What are Unsecured Root Accounts?
Can give a user unfettered access to all resources; ex: a misconfigured cloud storage repository could give any user access to all data
What are Open Permissions as a weak configuration?
User access over files that should be restricted; ex: a user could be given Read, Write, and Execute privileges when she should have only Read privileges
What are Unsecured Protocols as a weak configuration?
Aka insecure protocols; this configuration uses protocols for telecommunications that do not provide adequate protections; ex: an employee could use devices that run services with insecure protocols such as Telnet or SNMPv1
What is Weak Encryption as a weak configuration?
Users choosing a known vulnerable encryption mechanism; ex: a user could select an encryption scheme that has a known weakness or a key value that is too short
What are Errors as a weak configuration?
Human mistakes in selecting one setting over another without considering the security implications; ex: an employee could use deprecated settings instead of current configurations
What are Third Parties?
External entities used by almost all businesses
One of the major risks of a third-party system integration involves the principle of the “weakest link”
What is Outsourced Code Development as it relates to Third Parties?
Contracting with third parties to assist the organization in the development & writing of a software program or app
What is Data Storage as it relates to Third Parties?
Third-party facilities used for storing important data
What is Vendor Management as it relates to Third Parties?
Process organizations use to monitor & manage the interactions with all of their external third parties
What is System Integration as it relates to Third Parties?
Connectivity between the organization & the third party
What is Lack of Vendor Support as it relates to Third Parties?
A lack of expertise to handle system integration
What is a Security Patch?
An officially released software security update intended to repair a vulnerability; important to apply, but patches themselves can also create vulnerabilities
What are the 3 vulnerabilities that Patches can create?
1) Difficulty patching firmware
2) Few patches for application software
3) Delays in patching OSs
Explain Difficulty Patching Firmware.
Firmware, or software that is embedded into hardware, provides low-level controls & instructions for the hardware; updating firmware to address a vulnerability can often be difficult & requires specialized steps; furthermore, some firmware cannot be patched
Explain Few Patches for Application Software.
Outside of the major application software, patches for applications are uncommon; in most cases, no automated process can identify which computers have installed the application, alert users to a patch, or distribute the patch
Explain Delays in Patching OSs.
Modern operating systems – such as Red Hat Linux, Apple macOS, Ubuntu Linux, & Microsoft Windows – frequently distribute patches; however, patches can create new problems, such as preventing a custom application from running correctly; many organizations test patches when they are released to ensure that they do not adversely affect any customized applications, so the organization delays installing a patch from the developer’s online update service until the patch is thoroughly tested
Define Zero Day vulnerabilities.
A vulnerability that is exploited by attackers before anyone else even knows it exists; this type of vulnerability is called a zero day because it provides zero days of warning; considered extremely serious
What are Attack Vectors?
Pathway or avenue used by a threat actor to penetrate a system
What are the categories of Attack Vectors?
1) Email
2) Wireless
3) Removable Media
4) Direct Access
5) Social Media
6) Supply Chain
7) Cloud
How is Email an Attack Vector?
Almost 94% of all malware is delivered through email to an unsuspecting user; goal – to trick the user into opening an attachment that contains malware or clicking a hyperlink that takes the user to a fictitious website
How is Wireless an Attack Vector?
Because wireless data transmissions “float” through the airwaves, they can be intercepted & read or altered by a threat actor if the transmission is not properly protected
How is Removable Media an Attack Vector?
Common attack vector (ex: USB flash drive); threat actors have been known to infect USB drives with malware & leave them scattered in a parking lot or cafeteria; once inserted, the USB flash drive will infect the computer
How is Direct Access an Attack Vector?
Occurs when a threat actor can gain direct physical access to the computer; can insert a USB flash drive with an alternative operating system & reboot the computer under the alternate OS to bypass the security on the computer
How is Social Media an Attack Vector?
Ex: an attacker may read social media posts to determine when an employee will be on vacation & then call the organization’s help desk pretending to be that employee to ask for “emergency” access to an account
How is Supply Chain an Attack Vector?
Network that moves a product from the supplier to the customer & is made up of vendors that supply raw material, manufacturers who convert the material into products, warehouses that store products, distribution centers that deliver them to the retailers, & retailers who bring the product to the consumer; also serve as third-party vulnerabilities
How is Cloud an Attack Vector?
Taking advantage of the complexity of remote cloud servers & storage devices to find security weaknesses
What is Social Engineering?
Means of eliciting information (gathering data) by relying on the weaknesses of individuals; also used as influence campaigns to sway attention & sympathy in a particular direction; rely on psychological principles; one of the most successful types of attack; does not even exploit technology vulnerabilities; each successful attack has serious ramifications
What is an Influence Campaign? What are the 2 types?
Uses social engineering to sway attention & sympathy in a particular direction
Types:
Social Media Influence Campaign - used exclusively on social media
Hybrid Warfare Influence Campaign - used on social media & other sources
Explain Psychological Principles for Social Engineering Attacks.
To affect others mentally & emotionally rather than physically; factors that make social engineering highly effective; ex: CEO calling organization’s help desk to reset a password; variety of techniques to gain trust – provide a reason, project confidence, use evasion & diversion, make them laugh
What are the 7 Psychological Principles that make Social Engineering effective?
1) Authority
2) Intimidation
3) Consensus
4) Scarcity
5) Urgency
6) Familiarity
7) Trust
What is Authority as a Psychological Principle?
To impersonate an authority figure or falsely cite their authority; ex: “I’m the CEO calling”
What is Intimidation as a Psychological Principle?
To frighten & coerce by threat; ex: “if you don’t reset my password, I will call your supervisor”
What is Consensus as a Psychological Principle?
To influence by what others do; ex: “I called last week, & your colleague reset my password”
What is Scarcity as a Psychological Principle?
To refer to something in short supply; ex: “I can’t waste time here”
What is Urgency as a Psychological Principle?
To demand immediate action; ex: “My meeting with the board starts in five minutes”
What is Familiarity as a Psychological Principle?
To give the impression the victim is well known & well received; ex: “I remember reading a good evaluation on you”
What is Trust as a Psychological Principle?
To inspire confidence; ex: “You know who I am”
What is Prepending related to Psychological Principles?
Influencing the subject before the event occurs; ex: “the best film you will see this year!”; by starting with the desired outcome, the statement influences the listener to think that way
What are the 4 techniques Attackers use to gain trust?
1) Provide a reason - adds a reason with their request
2) Project confidence - acts like they belong
3) Use evasion & diversion - evades a question
4) Make them laugh - uses humor
Social engineering psychological approaches/techniques involve (7):
1) Impersonation
2) Phishing
3) Redirection
4) Spam
5) Spim
6) Hoaxes
7) Watering Hole Attack
What is Redirection as a psychological approach?
User makes a typing error when entering a uniform resource locator (URL) address in a web browser, such as typing goggle.com (a misspelling) or google.net (incorrect domain) instead of the correct google.com; in the past this produced an error message such as HTTP Error 404 Not Found; today an attacker directs the user to a fake lookalike site filled with ads for which the attacker receives money for traffic generated to the site
What is Impersonation as a psychological approach?
Aka identity fraud – masquerading as a real or fictitious character & then playing the role of that person with a victim; goal can be to obtain private information (pretexting)
What is Phishing as a psychological approach?
Sending an email message or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information or taking action; one of the largest & most consequential cyber threats
What is an Invoice Scam?
Fictitious overdue invoice that demands immediate payment; type of Phishing
What are 4 types of Phishing?
1) Spear Phishing
2) Whaling
3) Vishing
4) Smishing
What is Spear Phishing?
Targets specific users; emails are customized to the recipients, including their names & personal information
What is Whaling?
Attacks wealthy individuals or senior executives instead of going after “smaller fish”
What is Vishing?
Using phone calls instead of emails; the attacker calls the victim, who upon answering hears a recorded message that pretends to be from the user’s bank stating that her credit card has experienced fraudulent activity or that her bank account has had unusual activity
What is Smishing?
Variation of vishing using SMS text messages & callback recorded phone messages; pretends to be from their bank
What is Typo Squatting as a form of Redirection?
Purchasing the domain names of sites that are spelled similarly to actual sites; today’s user is often directed to a fake lookalike site filled w/ ads for which the attacker receives money for traffic generated to the site
What is Pharming as a form of Redirection?
Attempts to exploit how a URL such as www.cengage.com is converted into its corresponding IP address
What is Spam as a psychological approach?
Unsolicited email that is sent to a large # of recipients; users receive so many spam messages because sending spam is lucrative (costs spammers very little to send millions of spam email messages, often through botnets) & spammers make a large profit; image spam – uses graphical images of text in order to circumvent text-based filters; image spam cannot be filtered based on the textual content of the message because it appears as an image instead of text, often accompanied by nonsense text
What is Spim as a psychological approach?
Spam delivered through instant messaging (IM) instead of email; for threat actors, spim can have even more impact than spam; immediacy of instant messages makes users more likely to reflexively click embedded links in a spim; may bypass some antimalware defenses
What are Hoaxes as a psychological approach?
False warning, often contained in an email message claiming to come from the IT department; ex: a warning about a “deadly virus” that instructs the user to erase specific files or change security configurations & then forward the message to others
What is a Watering Hole Attack as a psychological approach?
Directed toward a smaller group of specific individuals, such as the major executives working for a manufacturing company – they tend to visit a common website; attacker targets the common website that’s frequented & infects it with malware that will make its way onto the group’s computers
Explain Physical Procedures for Social Engineering Attacks.
Attacks that rely on physical acts; these attacks take advantage of user actions that can result in compromised security
What are the 3 most common Physical Procedures for Social Engineering Attacks?
1) Dumpster Diving
2) Tailgating
3) Shoulder Surfing
What is Dumpster Diving as a physical procedure?
Involves digging through trash receptacles to find information that can be useful in an attack
Ex: calendars, inexpensive computer hardware, memos, organizational charts, phone directories, policy manuals, system manuals, electronic variations
What is Tailgating as a physical procedure?
Cannot control how many people enter the building when access is allowed; once an authorized person opens the door, one or more individuals can follow behind & also enter
What is Shoulder Surfing as a physical procedure?
To watch an individual entering the security code on a keypad; can be used in any setting that allows an attacker to casually observe someone entering secret information, such as the security codes on a door keypad; attackers are also using webcams & smartphone cameras to “shoulder surf” users of ATM machines to record keypad entries
What are the 2 classifications of negative impacts from a successful attack?
1) Data impacts
2) Effects on the organization
What are Data Impacts as a negative impact of a successful attack?
Goal of attack focuses on data as the primary target
What are Effects on the Enterprise as a negative impact of a successful attack?
A successful attack can also have grave consequences for an enterprise; the attack may make systems inaccessible (availability loss); this results in lost productivity, which can affect the normal tasks for generating income (financial loss)
What are the 4 consequences of a data attack?
1) Data loss
2) Data exfiltration
3) Data breach
4) Identity theft
What is Data Loss as a consequence of a data attack?
Destroying data so that it cannot be recovered; ex: maliciously erasing patient data used for cancer research
What is Data Exfiltration as a consequence of a data attack?
Stealing data to distribute it to other parties; ex: taking a list of current customers & selling it to a competitor
What is Data Breach as a consequence of a data attack?
Stealing data to disclose it in an unauthorized fashion; ex: stealing credit card numbers to sell to other threat actors
What is Identity Theft as a consequence of a data attack?
Taking personally identifiable information to impersonate someone; ex: stealing a SSN to secure a bank loan in the victim’s name
Define Attributes of Threat Actors (blue).
Characteristic features of the different groups of threat actors can vary widely
Define Level of Capability/Sophistication of Threat Actors (blue).
High level of power & complexity by threat actors
Define Resources & Funding of Threat Actors (blue).
Financial capabilities of threat actors
Define Internal of Threat Actors (blue).
Threat actors that work within the enterprise
Define External of Threat Actors (blue).
Threat actors that work outside of the enterprise
Define Intent/Motivation of Threat Actors (blue).
Reason for the attacks by threat actors
Define Hacker of Threat Actors (blue).
A person who uses advanced computer skills to attack computers
Define Firmware related to Patches (blue).
Software that is embedded into hardware
Define Pretexting r/t Impersonation.
Using impersonation to obtain private information
Define Invoice Scam r/t Phishing.
Fictitious overdue invoice that demands immediate payment