Module 2 Flashcards
are anything of value to an organization, such as data and other intellectual property, servers, computers, smart phones, tablets, and more.
Assets
A potential danger to an asset such as data or the network itself.
Threat
A weakness in a system or its design that could be exploited by a threat.
Vulnerability
An attack surface is the total sum of the vulnerabilities in a given system that are accessible to an attacker. The attack surface describes different points where an attacker could get into a system, and where they could get data out of the system. For example, your operating system and web browser could both need security patches. They are each vulnerable to attacks and are exposed on the network or the internet. Together, they create an attack surface that the threat actor can exploit.
Attack surface
The mechanism that is used to leverage a vulnerability to compromise an asset. Exploits may be remote or local. A remote exploit is one that works over the network without any prior access to the target system. The attacker does not need an account in the end system to exploit the vulnerability. In a local exploit, the threat actor has some type of user or administrative access to the end system. A local exploit does not necessarily mean that the attacker has physical access to the end system.
Exploit
The likelihood that a particular threat will exploit a particular vulnerability of an asset and result in an undesirable consequence.
Risk
is the process that balances the operational costs of providing protective measures with the gains achieved by protecting the asset.
Risk management
There are four common ways to manage risk (Risk Management Strategy)
Risk acceptance
Risk avoidance
Risk reduction
Risk transfer
This is when the cost of risk management options outweighs the cost of the risk itself. The risk is accepted, and no action is taken.
Risk acceptance
This means avoiding any exposure to the risk by eliminating the activity or device that presents the risk. By eliminating an activity to avoid risk, any benefits that are possible from the activity are also lost.
Risk avoidance
This reduces exposure to risk, or reduces the impact of risk, by taking action to decrease the risk. It is the most commonly used risk mitigation strategy. This strategy requires careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the operation or activity that is at risk.
Risk reduction
Some or all of the risk is transferred to a willing third party such as an insurance company.
Risk transfer
The actions that are taken to protect assets by mitigating a threat or reducing risk.
Countermeasure
The potential damage to the organization that is caused by the threat.
Impact
requires prior access to the target system, such as a user account on that host; the attacker may be at the keyboard or connected over a remote session.
A local exploit
works over the network and does not require an account on, or any prior access to, the target system.
A remote exploit
is a common term used to describe a threat actor.
hacker
A clever programmer capable of developing new programs and coding changes to existing programs to make them more efficient.
A network professional that uses sophisticated programming skills to ensure that networks are not vulnerable to attack.
A person who tries to gain unauthorized access to devices on the internet.
An individual who runs programs to prevent or slow network access for a large number of users, or to corrupt or wipe out data on servers.
Hacker
are ethical hackers who use their programming skills for good, ethical, and legal purposes. They may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers and security personnel who attempt to fix the vulnerability before it can be exploited. Some organizations award prizes or bounties to ____ when they provide information that helps to identify vulnerabilities.
White hat hackers
are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. An example would be someone who compromises a network without permission and then discloses the vulnerability publicly. ___ may disclose a vulnerability to the affected organization after having compromised their network. This allows the organization to fix the problem.
Grey hat hackers
are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. __ hackers exploit vulnerabilities to compromise computer and network systems.
Black hat hackers
emerged in the 1990s. They are teenagers or inexperienced threat actors running existing scripts, tools, and exploits to cause harm, but typically not for profit.
Script Kiddies
are grey hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
Vulnerability Brokers
are grey hat hackers who rally and protest against different political and social ideas.
Hacktivists
is a term for black hat hackers who are either self-employed or working for large cybercrime organizations.
Cybercriminals
are threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations.
State-sponsored hackers
Since hacking started in the 1960s with ____, it has evolved to include many types of threat actors.
phone freaking, or phreaking,
are threat actors who are motivated to make money using any means necessary.
Cybercriminals
Cybersecurity tasks
- Use a trustworthy IT vendor
- Keep security software up-to-date
- Perform regular penetration tests
- Back up to cloud and hard disk
- Periodically change Wi-Fi password
- Keep security policy up-to-date
- Enforce use of strong passwords
- Use two factor authentication
Many network attacks can be prevented by sharing information about ____. Each attack has unique, identifiable attributes.
indicators of compromise (IOC)
___ are the evidence that an attack has occurred.
Indicators of compromise
IOCs can be features that identify the following:
- malware files
- IP addresses of servers that are used in attacks
- filenames
- characteristic changes made to end system software
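Added example, not part of the module: the four IOC categories above turned into a small matcher that runs over constructed log lines (firewall, EDR file-creation, and registry-audit events). The IOC values, the placeholder "malware" bytes, and the log lines are all invented for this example; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""IOC matching over constructed log lines (added example, not part of the module)."""
import hashlib
import re

# Constructed placeholder bytes standing in for a malware sample; hashing them
# yields the file-hash indicator below. This is not a real sample.
SAMPLE_BYTES = b"MZ\x90\x00constructed-dropper-placeholder"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

# Hypothetical IOC set, one bucket per feature type the flashcard lists.
IOCS = {
    "file_hash": {SAMPLE_SHA256},
    "ip": {"203.0.113.45", "198.51.100.7"},
    "filename": {"svch0st.exe", "invoice_2024.pdf.scr"},
    "system_change": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
FILENAME_RE = re.compile(r"[\w.-]+\.(?:exe|scr|dll|pdf)\b", re.IGNORECASE)
REGKEY_RE = re.compile(r'HKLM\\[^\s"]+')


def extract_features(line):
    """Pull every candidate indicator out of one log line, keyed like IOCS."""
    return {
        "file_hash": set(SHA256_RE.findall(line.lower())),
        "ip": set(IP_RE.findall(line)),
        "filename": {name.lower() for name in FILENAME_RE.findall(line)},
        "system_change": set(REGKEY_RE.findall(line)),
    }


def match_line(line, iocs=IOCS):
    """Return (category, value) for each indicator in the line that is in the IOC set."""
    features = extract_features(line)
    return [(cat, v) for cat, known in iocs.items() for v in sorted(features[cat]) if v in known]


def scan_logs(lines, iocs=IOCS):
    """Scan a sequence of lines; return (line_number, category, value) hits."""
    return [(n, cat, v) for n, line in enumerate(lines, start=1) for cat, v in match_line(line, iocs)]


# Constructed sample logs: firewall, EDR file-creation, and registry audit events.
SAMPLE_LOGS = [
    "2024-05-01T10:01:02Z fw allow src=10.0.0.12 dst=93.184.216.34 dport=443",
    "2024-05-01T10:01:09Z fw allow src=10.0.0.12 dst=203.0.113.45 dport=8443",
    "2024-05-01T10:01:15Z edr file_create path=C:\\Users\\bob\\svch0st.exe sha256=" + SAMPLE_SHA256,
    "2024-05-01T10:01:20Z edr file_create path=C:\\Users\\bob\\report.pdf sha256=" + "0" * 64,
    "2024-05-01T10:01:31Z reg set key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svch0st"
    " value=C:\\Users\\bob\\svch0st.exe",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("line %d: %s = %s" % hit)
```

Note that the filename and hash hits land on the same line: a hash is the strongest of these indicators, since an attacker can rename a file far more easily than keep its hash while changing it.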
___ focus more on the motivation behind an attack and the potential means by which threat actors have, or will, compromise vulnerabilities to gain access to assets.
Indicators of attack (IOA)
are concerned with the strategies that are used by attackers.
Indicators of attack (IOA)
Categories of Tools / Evolution of Security Tools
password crackers
wireless hacking tools
network scanning and hacking tools
packet crafting tools
packet sniffers
rootkit detectors
fuzzers to search vulnerabilities
forensic tools
debuggers
hacking operating systems
encryption tools
vulnerability exploitation tools
vulnerability scanners
Weak or reused passwords are among the most commonly exploited security weaknesses. ____ are often referred to as password recovery tools and can be used to crack or recover a password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. ____ repeatedly make guesses, from wordlists or exhaustively, in order to crack the password and access the system.
password crackers
Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Wireless networks are more susceptible to network security threats. ____ are used to intentionally hack into a wireless network to detect security vulnerabilities.
wireless hacking tools
Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
____ are used to probe network devices, servers, and hosts for open TCP or UDP ports.
network scanning and hacking tools
Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
____ are used to probe and test a firewall’s robustness using specially crafted forged packets.
packet crafting tools
Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
_______ are used to capture and analyze packets within traditional Ethernet LANs or WLANs.
packet sniffers
Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
_____ is a directory and file integrity checker used by white hats to detect installed rootkits.
rootkit detectors
Example tools include AIDE, chkrootkit, and rkhunter. (Netfilter and PF, sometimes listed here, are packet-filtering firewalls, not rootkit detectors.)
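Added example, not part of the module and not AIDE's own code: the baseline-and-compare mechanism that an integrity checker uses. It snapshots hash, size and permission bits of every file under a directory, then re-scans and reports what appeared, vanished or changed. The "rootkit" here is simulated in a temporary directory (a replaced `ps` wrapper, a dropped hidden file, and a permission change on `ls`); all file contents are constructed.

```python
"""Baseline-and-compare file integrity checker (added example; constructed scenario)."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record sha256, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, sockets
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = {
                "sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(baseline, current):
    """Diff two snapshots: files that appeared, vanished, or changed content/size/mode."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, simulate user-mode rootkit tampering, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"#!/bin/sh\nexec /usr/bin/%s \"$@\"\n" % name.encode())
        before = snapshot(root)

        # Simulated tampering: ps becomes a wrapper that filters the attacker's process
        # out of its output, a hidden shared object is dropped, and ls gets new permissions.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ps \"$@\" | grep -v evil\n")
        with open(os.path.join(root, ".hidden.so"), "wb") as f:
            f.write(b"\x7fELF")
        os.chmod(os.path.join(bin_dir, "ls"), 0o711)   # content unchanged, mode changed

        return compare(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the environment it runs in: a kernel-level rootkit can lie to `open()` and `lstat()` just as it lies to `ps`, so the baseline database and the checker itself belong on read-only or offline media, and a suspect host is best scanned from a clean boot.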
____ feed malformed, unexpected, or random input to a program to discover crashes and security vulnerabilities. They are used by threat actors when attempting to discover a computer system’s security vulnerabilities, and by defenders for the same purpose.
fuzzers to search vulnerabilities
Examples of fuzzers include Skipfish, Wapiti, and W3af.
White hat hackers use _____ to sniff out any trace of evidence existing in a particular computer system.
forensic tools
Example tools include The Sleuth Kit, Helix, Maltego, and EnCase.
_____ are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware.
debuggers
Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
_____ are specially designed operating systems preloaded with tools and technologies optimized for hacking.
hacking operating systems
Examples of specially designed hacking operating systems include Kali Linux, Parrot OS, BackBox Linux, and Knoppix.
These tools safeguard the contents of an organization’s data when it is stored or transmitted. ______ use cryptographic algorithms to encode the data to prevent unauthorized access to the data.
encryption tools
Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, OpenVPN, and Stunnel.
These tools identify whether a remote host is vulnerable to a security attack.
vulnerability exploitation tools
Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Tool Kit, and Netsparker.
These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases.
vulnerability scanners
Examples of these tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
Categories of Attacks
eavesdropping attacks
data modification attack
IP address spoofing attack
password-based attacks
denial-of-service (DoS) attack
man-in-the-middle attack (MiTM)
compromised key attack
sniffer attack
is when a threat actor captures and listens to network traffic. This attack is also referred to as sniffing or snooping.
eavesdropping attack
or sniffing or snooping
occur when a threat actor has captured enterprise traffic and has altered the data in the packets without the knowledge of the sender or receiver.
Data modification attacks
is when a threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
IP address spoofing attack
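Added example, not part of the module: what the packet crafting tools listed above (Hping, Scapy, Nemesis) do under the hood, written out by hand for the IPv4 header. Nothing stops the sender from writing any source address into the header, which is all IP spoofing is; the example builds such a header, verifies its checksum the way a sniffer would, and applies the BCP 38 / RFC 2827 ingress rule that a border router uses to drop it. Nothing is transmitted (that would need a raw socket and root); the addresses and internal network are assumed for illustration.

```python
"""Craft an IPv4 header with a forged source address and check it with an ingress filter.
Added example; nothing is sent on the wire."""
import ipaddress
import socket
import struct

# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ip_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_ICMP, ttl=64, ident=0x1234):
    """Return a 20-byte header. src may be any address the sender does not own: that is spoofing."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    draft = struct.pack(IPV4_FMT, *fields)
    fields[7] = ip_checksum(draft)            # checksum is computed with the field zeroed
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(data):
    """Decode the fixed header the way a sniffer or firewall would."""
    f = struct.unpack(IPV4_FMT, data[:20])
    return {
        "version": f[0] >> 4, "ihl": f[0] & 0xF, "total_len": f[2], "id": f[3],
        "ttl": f[5], "proto": f[6], "checksum": f[7],
        "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
        "checksum_ok": ip_checksum(data[:20]) == 0,
    }


def ingress_filter(data, internal_net="10.0.0.0/8"):
    """BCP 38 rule for the outside interface of a border router: a packet arriving from the
    internet that claims an inside source address is spoofed, so drop it. internal_net is assumed."""
    hdr = parse_ipv4_header(data)
    if not hdr["checksum_ok"]:
        return "drop"
    src = ipaddress.ip_address(hdr["src"])
    return "drop" if src in ipaddress.ip_network(internal_net) else "allow"


if __name__ == "__main__":
    spoofed = build_ipv4_header("10.0.0.5", "10.0.0.1", payload_len=8)   # claims to be an inside host
    print(parse_ipv4_header(spoofed))
    print("outside interface verdict:", ingress_filter(spoofed))
```

The checksum passes for the forged packet, so a valid checksum proves nothing about origin; only topology (which interface the packet arrived on, and whether that source could legitimately come from there) can catch it, which is why anti-spoofing ACLs and uRPF are applied at the network edge rather than on end hosts.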
occur when a threat actor obtains the credentials for a valid user account. Threat actors then use that account to obtain lists of other users and network information. They could also change server and network configurations, and modify, reroute, or delete data.
Password-based attacks
prevents normal use of a computer or network by valid users. A ____ can crash applications or network services, flood a computer or an entire network with traffic until it shuts down under the overload, or block traffic so that authorized users lose access to network resources.
denial-of-service DoS attack
occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
man-in-the-middle attack MiTM attack
occurs when a threat actor obtains a secret key. This is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
compromised-key attack
is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a ____ provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the threat actor does not have access to the key.
sniffer
can occur when threat actors have gained access to user account information that allows them to access a system like authorized users.
A password-based attack
threat actors alter the contents of legitimate messages without the knowledge of the sender or receiver.
In data modification attacks,
a threat actor causes network traffic to pass through their computer. The traffic is then forwarded on as usual. The threat actor can then read and analyze the traffic for valuable information.
In man-in-the-middle (MiTM) attacks,
When encryption keys are stolen and used to decrypt private communications, ____ has occurred.
a compromised-key attack
A threat actor has attached to the network and uses a sniffer to read the contents of network traffic. This is an _____
eavesdropping attack.
A threat actor uses a tool to construct IP packets that appear to come from a valid source within the corporate network. This is an example of
IP address spoofing.
uses fake traffic to prevent legitimate users from accessing a network or system.
A denial of service (DoS) attack
It is code or software that is specifically designed to damage, disrupt, steal, or generally inflict some other “bad” or illegitimate action on data, hosts, or networks.
Malware is short for malicious software or malicious code.
are especially prone to malware attacks.
End devices
Three most common types of malware are:
- virus
- worm
- Trojan horse
is a type of malware that spreads by inserting a copy of itself into another program. After the program is run, the ____ spreads from one computer to another, infecting the computers. Most ____ require human help to spread. A simple ____ may install itself at the first line of code in an executable file. When activated, the ____ might check the disk for other executables so that it can infect all the files it has not yet infected. ____ can also be programmed to mutate to avoid detection. Most ____ are now spread by USB memory drives, CDs, DVDs, network shares, and email.
A virus
is software that appears to be legitimate, but it contains malicious code which exploits the privileges of the user who runs it.
Often, ___are found attached to online games.
The ____ concept is flexible. It can cause immediate damage, provide remote access to the system, or access through a back door. It can also perform actions as instructed remotely, such as “send me the password file once per week.”
Trojan horse malware
Trojan Horse Classification / Type of Trojan Horse
remote-access
data-sending
destructive
proxy
FTP
Security software disabler
Denial of Service (DoS)
Keylogger
Enables unauthorized remote access.
Remote-access
Provides the threat actor with sensitive data, such as passwords.
Data-sending
Corrupts or deletes files.
Destructive
Uses the victim’s computer as the source device to launch attacks and perform other illegal activities.
Proxy
Enables unauthorized file transfer services on end devices.
FTP
Stops antivirus programs or firewalls from functioning.
Security software disabler
Slows or halts network activity.
Denial of Service (DoS)
Actively attempts to steal confidential information, such as credit card numbers, by recording keystrokes entered into a web form.
Keylogger
are like viruses because they replicate and can cause the same type of damage. Specifically, ____ replicate themselves by independently exploiting vulnerabilities in networks. ____ can slow down networks as they spread from system to system.
Computer worms
____, known as the worm that ate the internet, was a denial of service (DoS) attack that exploited a buffer overflow bug in Microsoft’s SQL Server. At its peak, the number of infected servers doubled in size every 8.5 seconds. It infected 250,000+ hosts within 30 minutes, as shown in the figure.
SQL Slammer,
Most worm attacks consist of three components:
Enabling vulnerability
Propagation mechanism
Payload
A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.
Enabling vulnerability
After gaining access to a device, the worm replicates itself and locates new targets.
Propagation mechanism
Any malicious code that results in some action is a payload. Most often this is used to create a backdoor that allows a threat actor access to the infected host or to create a DoS attack.
Payload
are self-contained programs that attack a system to exploit a known vulnerability. Upon successful exploitation, the ____ copies itself from the attacking host to the newly exploited system and the cycle begins again. Their propagation mechanisms are commonly deployed in a way that is difficult to detect.
Worms
Code Red Worm Propagation
- Propagate for 19 days
- Launch DoS attack for next 7 days
- Stop and go dormant for a few days
- Repeat the cycle
Currently, the most dominant malware is ____.
* ____ is malware that denies access to the infected computer system or its data. The cybercriminals then demand payment to release the computer system.
* ____ has evolved to become the most profitable malware type in history.
* There are dozens of ____ variants.
* _____ frequently uses an encryption algorithm to encrypt system files and data.
* Ransoms are typically paid in Bitcoin because bitcoin users can remain relatively anonymous.
* Email and malicious advertising, also known as malvertising, are vectors for ____ campaigns.
* Social engineering is also used.
ransomware
Other Malware, / type of malware
spyware
adware
scareware
phishing
rootkits
Used to gather information about a user and send the information to another entity without the user’s consent. ____ includes system monitors, Trojan horses, adware, tracking cookies, and keyloggers.
Spyware
Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.
Adware
Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.
Scareware
Attempts to convince people to divulge sensitive information. An example is an email that appears to come from the user’s bank and asks for account numbers and PINs.
Phishing
Installed on a compromised system. After it is installed, it continues to hide its intrusion and provide privileged access to the threat actor.
Rootkits
Common Malware Behaviors
Appearance of strange files, programs, or desktop icons
Antivirus and firewall programs are turning off or reconfiguring settings
Computer screen is freezing or system is crashing
Emails are spontaneously being sent without your knowledge to your contact list
Files have been modified or deleted
Increased CPU and/or memory usage
Problems connecting to networks
Slow computer or web browser speeds
Unknown processes or services running
Unknown TCP or UDP ports open
Connections are made to hosts on the Internet without user action
Strange computer behavior
replicate by sending copies of themselves across the network to other hosts.
Worms
causes messages to appear that direct the user to purchase a product or visit a commercial website.
Adware
malware masquerades as a legitimate request for personal information, but actually sends that information to threat actors.
Phishing
will prevent access to computer systems, sometimes by encrypting device storage. Payment needs to be made to regain access to the system.
Ransomware
What type of malware executes arbitrary code and installs copies of itself in the memory of the infected computer? The main purpose of this malware is to automatically replicate from system to system across the network.
Worm
What type of malware attempts to convince people to divulge their personally identifiable information (PII)?
Phishing
Types of Network Attacks / classifies attacks in three major categories.
Reconnaissance Attacks
Access Attacks
DoS Attacks
is information gathering. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.
Reconnaissance attacks
The threat actor is looking for initial information about a target. Various tools can be used, including Google searches, the organization’s website, whois, and more.
Perform an information query of a target
The information query usually reveals the target’s network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.
Initiate a ping sweep of the target network
This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Initiate a port scan of active IP addresses
This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
Run vulnerability scanners
The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
Run exploitation tools
progress of a reconnaissance attack
from information query, to ping sweep, to port scan.
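Added example, not part of the module: the port-scan and service-identification steps of the progression above, done by hand in Python. It starts two fake services on loopback (constructed banners, assigned free ports), runs a full-handshake connect scan of those ports plus two closed ones, and grabs the banner from each open port, which is the version information the vulnerability-scan step feeds on. Run it only against hosts you are authorized to test; here the target is 127.0.0.1.

```python
"""TCP connect scan and banner grab against constructed loopback listeners (added example)."""
import socket
import threading


def start_fake_service(banner):
    """Listen on a free loopback port and send `banner` to each client (stand-in for a real daemon)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)                 # lets the accept loop notice close()

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:             # listener closed: shut down
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:         # client already gone (a bare connect scan does this)
                    pass

    threading.Thread(target=run, daemon=True).start()
    return srv


def free_port():
    """A port that is currently closed, used as a negative case for the scan."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tcp_connect_scan(host, ports, timeout=0.3):
    """Full-handshake scan (what `nmap -sT` does): connect_ex() == 0 means open.
    Closed ports answer RST at once; filtered ports make the scanner wait for the timeout."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=0.5):
    """Read whatever the service says first; version strings drive the vulnerability-scan step."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode(errors="replace").strip()


def demo():
    """Two fake services plus two closed ports; returns {open_port: banner}."""
    services = [start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n"),
                start_fake_service(b"220 mail.example.test ESMTP\r\n")]
    targets = sorted([s.getsockname()[1] for s in services] + [free_port(), free_port()])
    try:
        return {p: grab_banner("127.0.0.1", p) for p in tcp_connect_scan("127.0.0.1", targets)}
    finally:
        for s in services:
            s.close()


if __name__ == "__main__":
    for port, banner in demo().items():
        print("%5d/tcp open  %s" % (port, banner))
```

A connect scan completes the three-way handshake, so every probe shows up in the target's application logs; that is also what makes it easy to detect, which is why Nmap's default SYN scan sends only the first packet of the handshake.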
exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of this type of attack is to gain entry to web accounts, confidential databases, and other sensitive information.
Access attacks
the threat actor attempts to discover critical system passwords using various methods.
Password Attacks
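Added example, not part of the module and not the code of any tool named above: the guessing loop that password crackers (John the Ripper, Hashcat-style rule mangling) and password attacks share, run offline against a salted PBKDF2 hash. The wordlist, salt and target passwords are constructed for the example; the iteration count is kept low so it runs quickly.

```python
"""Offline dictionary attack against salted password hashes (added example)."""
import hashlib
import hmac

# Constructed wordlist standing in for a file such as rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "Summer2024", "qwerty", "admin"]


def hash_password(password, salt, iterations=20_000):
    """PBKDF2-HMAC-SHA256: a deliberately slow hash of the kind a password store should use.
    Real deployments use far more iterations; 20,000 keeps this example quick."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def mangle(word):
    """Rule-based variations a cracker derives from each base word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word + "123"


def crack(target_hash, salt, wordlist=WORDLIST, iterations=20_000):
    """Guess repeatedly until the hash matches. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hmac.compare_digest(hash_password(candidate, salt, iterations), target_hash):
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    salt = b"constructed-salt"   # a real store uses a random per-user salt
    for pw in ("letmein1", "7u$R!k2-wq9-Zp#e"):
        found, n = crack(hash_password(pw, salt), salt)
        print("%-20s -> %s after %d guesses" % (pw, found, n))
```

Online guessing against a login service (THC Hydra, Medusa) is throttled by lockouts and leaves log entries; offline cracking of a stolen hash is bounded only by the cost of the hash function, which is why a slow salted hash and a long passphrase matter more than complexity rules.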
the threat actor’s device attempts to pose as another device by falsifying data.
Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
Spoofing Attacks
a threat actor abuses a trust relationship, such as the privileges a target grants to a trusted host, to gain access to a system, possibly compromising the target.
Trust Exploitation
a threat actor uses a compromised system as a base for attacks against other targets.
Port redirection
the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.
Man-in-the-Middle
the threat actor writes more data to a buffer than it can hold, overwriting adjacent memory with unexpected values. This usually renders the system inoperable, resulting in a DoS attack; a carefully crafted overflow can instead execute attacker-supplied code.
Buffer Overflow Attack
is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information.
Social engineering
A threat actor pretends to need personal or financial data to confirm the identity of the recipient.
Pretexting
A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.
Phishing
A threat actor creates a targeted phishing attack tailored for a specific individual or organization.
Spear phishing
Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.
Spam
Sometimes called “Quid pro quo”, this is when a threat actor requests personal information from a party in exchange for something such as a gift.
Something for Something
A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.
Baiting
In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.
Impersonation
This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.
Tailgating
This is where a threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.
Shoulder surfing
This is where a threat actor rummages through trash bins to discover confidential documents.
Dumpster diving
was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks. It is a set of menu-based tools that help launch social engineering attacks.
The Social Engineer Toolkit (SET)
Recommended Social Engineering Protection Practices / Protecting against social engineering attacks
Never give your username / password credentials to anyone
Never leave your username / password credentials where they can easily be found
Never open emails from untrusted sources
Never release work related information on social media sites
Never re-use work related passwords
Always lock or sign out of your computer when unattended
Always report suspicious individuals
Always destroy confidential information according to the organization policy
The weakest link in cybersecurity can be the ____ within an organization, and social engineering is a major security threat. Because of this, one of the most effective security measures that an organization can take is to train its personnel and create a “security-aware culture.”
personnel
A ____ creates some sort of interruption of network services to users, devices, or applications.
Denial of Service (DoS) attack
There are two major types of DoS attacks:
Overwhelming Quantity of Traffic
Maliciously Formatted Packets
The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.
Overwhelming Quantity of Traffic
The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.
Maliciously Formatted Packets
are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.
DoS attacks
is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, a threat actor builds a network of infected hosts, known as zombies. The threat actor uses a command and control (CnC) system to send control messages to the zombies. The zombies constantly scan and infect more hosts with bot malware. The bot malware is designed to infect a host, making it a zombie that can communicate with the CnC system. The collection of zombies is called a botnet. When ready, the threat actor instructs the CnC system to make the botnet of zombies carry out a DDoS attack.
A Distributed DoS (DDoS) attack
DDoS attacks are similar in intent to DoS attacks, except that a DDoS attack increases in magnitude because it originates from multiple, coordinated sources, as shown in the figure.
Components of DDoS
zombies
bots
botnet
handlers
botmasters
This refers to a group of compromised hosts (i.e., agents). These hosts run malicious code referred to as robots (i.e., bots). The zombie malware continually attempts to self-propagate like a worm.
zombies
Bots are malware designed to infect a host and communicate with a handler system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.
bots
This refers to a group of zombies that have been infected using self-propagating malware (i.e., bots) and are controlled by handlers.
botnet
This refers to a primary command-and-control (CnC or C2) server controlling groups of zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2 server to remotely control the zombies.
handlers
This is the threat actor who is in control of the botnet and handlers.
botmaster
The goal of a threat actor when using a ____ is to find a memory-related flaw on a server and exploit it. Writing more data to a buffer than it can hold overwrites adjacent memory with unexpected values, which usually renders the system inoperable, creating a DoS attack. It is estimated that one third of malicious attacks are the result of ____.
buffer overflow DoS attack
An early example of using malformed packets was the ____. In this legacy attack, the threat actor sent a ____, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash.
Ping of Death.
evasion methods used by threat actors (to hide is to thrive)
encryption and tunneling
resource exhaustion
traffic fragmentation
protocol-level misinterpretation
traffic substitution
traffic insertion
pivoting
rootkits
proxies
This evasion technique uses tunneling to hide, or encryption to scramble, malware files. This makes it difficult for many security detection techniques to detect and identify the malware. Tunneling can mean hiding stolen data inside of legitimate packets.
Encryption and tunneling
This evasion technique makes the target host too busy to properly use security detection techniques.
Resource exhaustion
This evasion technique splits a malicious payload into smaller packets to bypass network security detection. After the fragmented packets bypass the security detection system, the malware is reassembled and may begin sending sensitive data out of the network.
Traffic fragmentation
This evasion technique occurs when network defenses do not properly handle features of a PDU like a checksum or TTL value. This can trick a firewall into ignoring packets that it should check.
Protocol-level misinterpretation
In this evasion technique, the threat actor attempts to trick an IPS by obfuscating the data in the payload. This is done by encoding it in a different format. For example, the threat actor could use encoded traffic in Unicode instead of ASCII. The IPS does not recognize the true meaning of the data, but the target end system can read the data.
Traffic substitution
Similar to traffic substitution, but the threat actor inserts extra bytes of data in a malicious sequence of data. The IPS rules miss the malicious data, accepting the full sequence of data.
Traffic insertion
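Added example, not part of the module: the traffic substitution and traffic insertion cards above, shown as a byte-pattern signature that misses encoded or padded requests and the same signature applied after normalization. The signatures and the five request paths are constructed; each path reaches `../../etc/passwd` on a web server that decodes it.

```python
"""Byte-pattern signature vs. the same signature after normalization (added example)."""
import re
import unicodedata
from urllib.parse import unquote

# Signatures a naive IPS rule might carry: directory traversal, a sensitive path, script injection.
SIG_RE = re.compile(r"\.\./|/etc/passwd|<script", re.IGNORECASE)


def naive_match(path):
    """Match the raw bytes as they appear on the wire."""
    return bool(SIG_RE.search(path))


def normalize(path, max_rounds=3):
    """Undo the encodings the target web server will undo, so the IPS sees what the target sees."""
    for _ in range(max_rounds):              # repeat to defeat double encoding: %252e -> %2e -> .
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = unicodedata.normalize("NFKC", path)   # fullwidth U+FF0E / U+FF0F become '.' and '/'
    while "/./" in path:                         # strip inserted no-op segments (traffic insertion)
        path = path.replace("/./", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path


def normalized_match(path):
    """Same signature, applied to the normalized request."""
    return bool(SIG_RE.search(normalize(path)))


# Constructed requests; every one reaches ../../etc/passwd on a server that decodes them.
REQUESTS = {
    "plain":          "/cgi-bin/../../etc/passwd",
    "url_encoded":    "/cgi-bin/%2e%2e/%2e%2e/etc/passw%64",
    "double_encoded": "/cgi-bin/%252e%252e/%252e%252e/etc/passw%2564",
    "fullwidth":      "/cgi-bin/\uff0e\uff0e\uff0f\uff0e\uff0e\uff0fetc\uff0fpasswd",
    "inserted":       "/cgi-bin/..%2f..%2fetc/./passwd",
}


def evaluate(requests=REQUESTS):
    """For each request: (naive signature fires?, normalized signature fires?)."""
    return {name: (naive_match(p), normalized_match(p)) for name, p in requests.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate().items():
        print("%-15s raw=%-5s normalized=%s" % (name, raw, norm))
```

The defensive point is that the IPS must decode exactly as the protected server does: normalizing too little lets substitution through, and normalizing differently (for example decoding twice when the server decodes once) creates a mismatch an attacker can exploit in the other direction.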
This technique assumes the threat actor has compromised an inside host and wants to expand their access further into the compromised network. An example is a threat actor who has gained access to the administrator password on a compromised host and is attempting to login to another host using the same credentials.
Pivoting
A ____ is a complex attacker tool used by experienced threat actors. It integrates with the lowest levels of the operating system. When a program attempts to list files, processes, or network connections, the ____ presents a sanitized version of the output, eliminating any incriminating output. The goal of the ____ is to completely hide the activities of the attacker on the local system.
Rootkits
Network traffic can be redirected through intermediate systems in order to hide the ultimate destination for stolen data. In this way, known command-and-control servers may not be blocked by an enterprise, because the proxy destination appears benign. Additionally, if data is being stolen, the destination for the stolen data can be distributed among many proxies, so that no single unknown destination draws attention by receiving large amounts of network traffic.
Proxies
is an access attack in which the threat actor is positioned between legitimate entities in order to read or modify the data that passes between them.
Man-in-the-Middle
is a social engineering attack where a threat actor quickly follows an authorized person into a secure location by taking advantage of the authorized person’s credentials.
Tailgating
is a reconnaissance attack in which a threat actor uses a tool like Nmap to scan for open TCP or UDP ports on active devices in a network.
Port scanning
In any organization, ___ can be the weakest link in network security. ___ fall victim to social engineering attacks, open file attachments that contain malware, or use insecure passwords, for example.
people
are infected computers that make up a botnet. The ____ are used to deploy a distributed denial of service (DDoS) attack.
Zombies
Vulnerability exploits may be remote or local. In a local exploit, the threat actor has some type of user access to the end system, either physically or through remote access. The exploitation activity is within the local network.
a threat actor tries to gain the user password of a remote host by using keyboard capture software installed on it by a Trojan
An access attack tries to gain access to a resource using a hijacked account or other means. The five types of access attacks include the following:
password - a dictionary is used for repeated login attempts
trust exploitation - uses granted privileges to access unauthorized material
port redirection - uses a compromised internal host to pass traffic through a firewall
man-in-the-middle - an unauthorized device positioned between two legitimate devices in order to redirect or capture traffic
buffer overflow - too much data sent to a memory location that already contains data
Hackers use rootkits to avoid detection as well as hide any software installed by the hacker.
to gain access to a device without being detected
is the total sum of the vulnerabilities in a system that are accessible to an attacker. The attack surface can consist of open ports on servers or hosts, software that runs on Internet-facing servers, wireless network protocols, and even users.
An attack surface
Which risk management plan involves discontinuing an activity that creates a risk?
During a risk assessment it may be determined that an activity involves more risk than benefit. In such a situation an organization may decide to avoid the risk altogether by discontinuing the activity. This is known as risk avoidance.
Script kiddie is a term used to describe an inexperienced hacker.
amateur hacker
What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source?
is used by malicious parties who create fraudulent messages that attempt to trick a user into either sharing sensitive information or installing malware.
Phishing
Worms are self-replicating pieces of software that consume bandwidth on a network as they propagate from system to system. They do not require a host application, unlike a virus. Viruses, on the other hand, carry executable malicious code which harms the target machine on which they reside.
worm is self-replicating
worm travels to new computers without any intervention or knowledge of the user
Social engineering attempts to gain the confidence of an employee and convince that person to divulge confidential and sensitive information, such as usernames and passwords. DDoS attacks, spam, and keylogging are all examples of software-based security threats, not social engineering.
A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes.
Which evasion method describes the situation in which, after gaining access to the administrator password on a compromised host, a threat actor attempts to log in to another host using the same credentials?
is an evasion method that assumes the threat actor has compromised an inside host and the actor wants to expand the access further into the compromised network.
Pivoting
the goal of the attacker is to prevent legitimate users from accessing network services.
In a DoS or denial-of-service attack,