Must know Items Flashcards

1
Q

Information Security - InfoSec

A

Information security (or infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage

2
Q

InfoSec Properties - CIA Triad & how it is enforced

A

Three main tenets of Information Security

Confidentiality

  • info known to certain people
  • enforced by permissions, authentication, encryption

Integrity

  • Data is correct and transferred as intended
  • enforced by hash/checksum

Availability

  • accessible to authorized user to view and/or modify
  • enforced by backups/redundancy
3
Q

non-repudiation

A

A fourth important tenet of InfoSec

non-repudiation

  • A subject can not deny creating or modifying data
  • enforced by signing electronically
  • related to integrity
4
Q

Security Control Categories

A

Technical

  • controls implemented as a system
  • hw, sw, security appliances, firewalls

Operational

  • controls that depend on a person for implementation
  • security guard, training programs

Managerial

  • controls that give oversight to the system
  • NDA, risk identification, tools to evaluate and select other security controls
5
Q

Security Control Functional Types

A

Preventative
- before an attack happens and attempts to block it

Detective
- during an attack to identify it

Corrective
- after an attack to mitigate it

Physical
- alarms, gates, locks, fences, lighting, security cameras, guards

Deterrent
- psychologically discourages - signs, warnings of legal penalties

Compensating
- controls which serve as a substitute

6
Q

NIST Cyber Security Framework (CSF)

A

A list of activities/objectives taken to mitigate risks

Provides

  • a statement of current capabilities
  • a measure of progress
  • verifiable for regulatory compliance reporting
7
Q

ISO 27001

A

International Standard relating to InfoSec rules and regulations

8
Q

ISO 27002

A

International Standard relating to InfoSec best practices

9
Q

ISO 27701

A

International Standard relating to personal data and privacy

10
Q

ISO 27017 and 27018

A

International Standard relating to cloud security

11
Q

ISO 31000

A

International Standard relating to enterprise risk management (ERM)

12
Q

Regs, Standards and Legislation

A

Sarbanes-Oxley (SOX)

  • relates to due diligence, criminalizes negligence
  • risk assessments, internal controls, and audit procedures

General Data Protection Regulation (GDPR)

  • EU’s fairness and right to privacy regulation
  • very common standard in use today

Gramm-Leach-Bliley Act (GLBA) - for the financial industry
HIPAA - how to handle health data from a corporate viewpoint
PCI DSS - how to handle credit card info

13
Q

Risk impact

A

Vulnerability + Threat = Risk

Vulnerability
- weakness which could cause a data breach

Threat
- someone or something which could exploit a vulnerability to cause a data breach

Risk

  • likelihood and impact/consequence of a threat actor exploiting a vulnerability
  • assessed by identifying a vulnerability, then evaluating the likelihood of it being exploited by a threat and the impact that a successful exploit would have
14
Q

Attack Surface

A

points where an attacker can discover/exploit vulnerabilities in a network or application

15
Q

Attack Vector

A

How to access a system

  • direct access
  • removable media
  • email
  • remote and wireless
  • supply chain
  • web and social media
  • cloud
16
Q

Threat Intelligence

A

Can learn from anywhere, just need to research and follow up

  • Tools - MITRE ATT&CK, OWASP, CVE, CVSS
  • honeypots/nets
17
Q

TTP and IoC

A

Tactics, Techniques and Procedures (TTP)

  • how you know you are being attacked
  • identify attackers

Indicators of Compromise

  • knowing a system has been compromised
  • evidence of TTP on the system
18
Q

SIEM

A

Security Information and Event Management

- a platform which uses cyber threat intelligence (CTI) data and AI to produce actionable intelligence on an attack

19
Q

SOAR

A

Security Orchestration, Automation, and Response

  • a solution to the problem of analysts' ability to respond to an overwhelming volume of alerts
  • usually automates SIEM
  • used to drive incident response and threat hunting
20
Q

Threat Data Feeds

A

STIX - Structured Threat Information eXpression - syntax
TAXII - Trusted Automated eXchange - protocol/service
AIS - Automated Indicator of Sharing - service for sharing threat intel
Threat Maps - global attack maps
CVE - Common Vulnerabilities and Exposures - database by MITRE

21
Q

SCAP

A

Security Content Application Protocol

  • used by many scanners to obtain feed updates
  • defines ways to compare a system's actual configuration to a target secure baseline
  • defines common identifiers
22
Q

OSINT

A

Open Source Intelligence

- an open source threat intelligence service

23
Q

Network Reconnaissance and Discovery

Footprinting

A

Basic command line tools:
ipconfig - win - shows assigned network interfaces (MAC to IP, default gateway)
ifconfig - linux form of ipconfig

ping - probe a host on a particular IP or hostname using ICMP
- ICMP - Internet Control Message Protocol

arp - display the local machine's Address Resolution Protocol (ARP) cache

  • useful for showing recent MACs associated with each IP
  • can show a man-in-the-middle attack (the MAC recorded for the gateway IP is not the real router's MAC address)
24
Q

Network Reconnaissance and Discovery

Routes/Routing

A

Tools to test routing configurations and connectivity with remote hosts and networks
route - view/config the host's local routing table
- usually shows the gateway router and any subnets; additional host entries are suspicious

tracert - win - using ICMP, reports round trip time (RTT) for hops between host and remote host
traceroute - linux form of tracert, but uses UDP

pathping - win - provides latency stats and packet loss along a route over a longer measuring period
mtr - linux form of pathping
- high latency times to the gateway indicate a man-in-the-middle attack
- high latency times on other hops indicate DoS or could be network congestion

25
Q

Network Reconnaissance and Discovery

Nmap

A

Nmap is an open source IP scanner
Basic use for port scanning and port identification:
nmap

Service discovery - which hosts are up and which applications they are running
nmap can scan protocols (TCP SYN -sS, UDP -sU, port ranges -p)

Fingerprinting - detailed analysis of services on a particular host
nmap can scan more intently using -sV or -A
- provides protocol, app name and version, OS type and version, device type

26
Q

Network Reconnaissance and Discovery

netstat and nslookup

A

netstat - shows the state of TCP/UDP ports on the local machine

nslookup - used for IP resolution via DNS

27
Q

Network Reconnaissance and Discovery

other tools

A

theHarvester - gathers OSINT
dnsenum - hosting info, name records, and IP ranges in use
scanless - scans for open ports that should not be open
curl - client tool for performing data transfers over many types of protocols
nc, ncat - connection tools to test connections
Nessus - network scanner to show vulnerabilities

28
Q

Network Reconnaissance and Discovery

Packet Capture and Analysis tools

A

tcpdump - linux - command line tool to capture packet traffic

wireshark - performs a pcap (packet capture) and analysis of traffic

29
Q

Network Reconnaissance and Discovery

Packet Injection and Replay tools

A

Tools to allow for spoofed/forged data in network traffic
hping - can be used for host/port detection, firewall testing, traceroute testing, and DoS testing

tcpreplay - can replay captured traffic (.pcap files) through a network interface

30
Q

RAT

A

Remote Access Trojan - gives an attacker a means of remote access to the system

31
Q

Scanning Intrusive vs non-Intrusive

A

Non-intrusive does not use network bandwidth to perform the scan, e.g. looking at the types of traffic generated by a device

Intrusive uses network bandwidth or network connections

32
Q

Pen testing

A

Black Box/Hat - unknown environment - non credentialed testing

White Box/Hat - known environment - credentialed testing

Grey Box/Hat - partially known environment

33
Q

Attack Exercises Teams

A

Red team - attack unknown environment
Blue team - defensive role
White team - knows the rules, arbitrator
Purple team - red and blue team meet for regular debriefs during the exercise

34
Q

Pen test attack life cycle

A

persistence
- able to reconnect to attack sys

privilege escalation
- higher perm for actions

lateral movement
- move to another host

pivoting
- ability to bypass network boundary

actions/objectives
- exfiltrate (steal) data

cleanup
- remove evidence of attack

35
Q

Kill Chain Reconnaissance tools

and if Passive or Active technique

A

OSINT - passive
Social Engineering - passive and active
Footprinting - nmap and packet sniffing - active
War driving - mapping the location and type of wireless networks the target is operating
Drones/UAV

36
Q

Worm

A

a memory-resident malware that can run without user intervention and replicate over network resources

a worm gets into a system by exploiting a vulnerability in a process when the user browses a website, runs a vulnerable server application, or is connected to an infected file share

37
Q

Virus

A

malware designed to replicate and spread from computer to computer, usually infecting executable applications or program code

is only executed when the user performs an action such as downloading and running an infected process

multipartite - a virus using multiple vectors

polymorphic - a virus which changes dynamically or obfuscates its code to evade detection

38
Q

Logic bomb

A

malware which has a trigger before exposing itself

a trigger could be a pre-configured time or date, or a user event

a mine is when a script is left as a trap

39
Q

Malware Indicators

A

Browser changes or over ransomware notification

Anti-virus notification

Sandbox execution
- Cuckoo tool

Resource utilization/consumption
- Task Manager or top cmd

File system changes

  • Registry
  • Temp files
40
Q

Process Analysis

A

Requires a baseline of 'normal', taken by benchmarking the system, in order to be able to spot abnormalities

Need for advanced attacks

41
Q

Social Engineering Principles

Reasons for Effectiveness

A

Familiarity/liking
- establishes trust with victim

Consensus/social proof
- exploit polite behaviors

Authority and intimidation

  • make victim afraid to refuse
  • exploit lack of knowledge or awareness

Scarcity and urgency
- rush victim into a decision

42
Q

Pretexting

A

Using a scenario with convincing details

43
Q

tailgating

A

unknown
access premises covertly
follow someone through a door

44
Q

Piggybacking

A

Known
access premises without authorization but with knowledge of employee
getting employee to hold a door

45
Q

Symmetrical Encryption

A

sender and receiver must use the same key

Fast therefore good for bulk encryption

Difficult to pass the key between the two parties without compromise

asymmetrical is better for key sharing

46
Q

Asymmetrical Encryption

A

Utilizes key pairs - a private and a public key
each key can encrypt and decrypt, but the key used to encrypt can not then decrypt
private key encrypts, then the public key decrypts, and vice versa

Typical process of sending an encrypted message between two parties:
1 two parties exchange the public keys
2 each can then encrypt the message being sent with their private key
3 send the encrypted message to the receiver
4 the receiver then decrypts the encrypted message with the sender's public key

47
Q

Signing with Public keys

A

Signatures are asymmetrical encryption in reverse

to Sign - the sender who is signing uses their private key
to Verify - the receiver then uses the sender's public key to decrypt the signed message

48
Q

Digital Certificate

A

A wrapper for a public key associated with a digital identity

The identity assertion is validated by a Certificate Authority (CA) (a 3rd party) by signing the certificate

Both parties must trust the CA

This is known as Public Key Infrastructure (PKI); the standard is X.509

49
Q

Access Controls

A

Subjects
- user or sw that requests access

Objects
- resources: networks, servers, data

Identification
- associating a subject with a computer/network account

Authentication

  • challenge the subject to supply credentials to gain access to the account
  • passwords, PIN, biometrics

Authorization

  • rights/permissions/privileges assigned to the account
  • What we are allowed to access

Accounting

  • auditing use of the account
  • who did what on the system
50
Q

Authentication Factors

A

Something you know

  • knowledge factor
  • password, PIN, challenge questions, date of birth

Something you have

  • Ownership factor
  • hardware token, fob, smart card, birth certificate

Something you are/do

  • biometric factor
  • fingerprint, iris
51
Q

Authentication Attributes

A

somewhere you are

  • geolocation
  • IP location
  • switch port, VLAN, wireless network

something you can do
- perform an action uniquely

something you exhibit
- behavior or trait unique to you

someone you know
- web of trust

52
Q

Kerberos

A

Kerberos players: supplicant (client), the KDC svr, and the app svr

Client needs to use the app svr

Kerberos Authentication

  • client requests ticket to app svr
  • KDC verifies user and produces a session ticket to be used on specified app svr
  • client has now been authenticated and has the session key to use with app svr

Kerberos Authorization

  • client requests session ticket to app svr
  • KDC provides a session ticket key and a TGT for the app svr to the client
  • client sends the session key and TGT to the app svr plus an authenticator
  • app svr verifies the TGT and session key, sends the client an authenticator
  • client verifies the authenticator
  • now have mutual authentication
  • client and app svr can now do business
53
Q

EAP and 802.1

A

See diagram, think RADIUS and TACACS+, AAA servers

Know process of authentication it uses

54
Q

Biometric Authentication

A

FRR - False Rejection Rate
FAR - False Acceptance Rate
CER - Cross-over Error Rate, the sweet spot

55
Q

Role Based Access Control (RBAC)

A

  • Non-discretionary and more centralized control
  • Based on defining roles, then allocating users to roles
  • Users should only inherit the role permissions needed to perform particular tasks
Similar to group-based permission management

56
Q

Discretionary Access Control (DAC)

A
  • Based on resource ownership
  • Access Control Lists (ACLs)
  • Vulnerable to compromised privileged user accounts
57
Q

Mandatory Access Control

A

Uses sensitivity labels for objects
Uses security clearance labels for subjects
Centralized point of management:
Rules are set and can not be changed by any subject account and are therefore non-discretionary
Subjects can not change object labels nor their own label
system defined, very rigid
Used by trusted OSes, like SELinux

58
Q

Attribute Based Access Control (ABAC)

A

Limits access based on any attribute tied to a file.

  • File extension
  • time
  • size
  • content

Centralized point of management

Very flexible but can become complex

59
Q

PAM - Privileged Access Management

A

Refers to policies, procedures, and technical controls to prevent malicious abuse of privileged accounts
Attempts to mitigate risks from weak configuration control over privileges

60
Q

SAML

A

Security Assertion Markup Language

  • open standard for implementing identity and service provider communications
  • attestations/assertions
    • xml format
    • signed using XML signature
  • communication protocols
    • HTTPS
    • SOAP (Simple Object Access Protocol)

- tied to OAuth and OpenID

61
Q

Network Appliances and the OSI Model

All People Seem To Need Data Processing

Please Do Not Throw Sausage Pizza Away

A

See diagram for details of each layer

1 Physical - moves bits - wires, fiber, etc
2 Data Link - Switch, Bridge, WAP - local networks, connects nodes inside a LAN
arp (address resolution protocol)
3 Network - Router (IP) - global networking, LAN to LAN connections
firewall
4 Transport - end to end connections, TCP, UDP
DNS
5 Session - host to host (process to process)
6 Presentation - syntax layer, encryption and formatting
7 Application - end user layer, creates data to send, opens received data

62
Q

Private IP addresses found on a host

A

These are non-routable over the internet

10.x.x.x (Class A private)
172.16-31.x.x (Class B private)
192.168.x.x (Class C private)
63
Q

Compare and contrast Network based solution vs Host based solution

A
Network based solution:
Pro:
- wide overarching picture of network
- offloads processing from individual hosts
Con:
- not detailed
Host based solution:
Pro:
- fine picture of individual host
- Can be cheaper: cost of solution, cost of implementation
Con:
- No overarching network context
64
Q

Know common ports and protocols

A

Which of these ports can be used to not alter SFTP? 20/21
SFTP - FTP via SSH - port 22
FTPS - FTP via TLS - port 21

unsecure: SMTP (25), POP3 (110), IMAP (143)
secure: SMTPS (587 STARTTLS, 465 implicit TLS), POP3S (995), IMAPS (993)

udp - DNS (53) for queries, TFTP (69), NTP (123), SNMP (161, 162), RADIUS (1812, 1813)

either - TACACS (49), Kerberos (88), SMB (Server Message Block, 137-139), LDAP (389), LDAPS (636)

65
Q

CASB

A

Cloud Access Security Broker

Enterprise management software used to mediate (broker) access to cloud services by users across all types of devices

Functions provided:

  • enable single sign-on authentication, access controls, and authorizations
  • scan for malware and rogue access points (APs)
  • monitor and audit user and resource activity
  • mitigate data exfiltration through prevention of access to unauthorized cloud services
  • prevent unauthorized application and plugin updates

implemented using

  • forward proxy at the CLIENT net edge
  • reverse proxy at the CLOUD net edge without modifying a user’s system
  • application programming interface (API) using connections between the cloud service and cloud consumer
66
Q

As a Service items - SaaS

A

SW as a Service

  • client brings data
  • CSP provides Apps, OS, HW

Example: Web Mail

67
Q

As a Service items - PaaS

A

Platform as a Service:

  • client provides Data and App
  • CSP provides OS and HW and multi-tier DB

Example: Azure Development platform

68
Q

As a Service items - IaaS

A

Infrastructure as a Service

  • client provides Data, App, and OS
  • CSP provides HW

Example: Amazon Web Services (AWS)

69
Q

Cross Site Scripting (XSS)

Know for test

A
Run a script on your system
can do anything permissions allow
automates malicious actions
Know for TEST:
Two Flavors:
Non-Persistent/reflected
- coded in a link
Persistent/stored
- injected into Database
Client side
- Document Object Model (DOM)
- infects the browser
70
Q

SQLi

A

SQL injections
will always have a tautology in the query, like A=A or 1=1

recognize it as a SQL query

71
Q

Incident Response Cycle
PICERL
-will be on test, usually describes scenario and asks what is next step

A

Note: Can have overlaps in steps

Prep
- have tools and training up to date and ready for use

Identify

  • Detection and Analysis (it happened and what happened)
  • we have a virus and which virus

Containment
-isolation

Eradication
-Removal and destruction

Recovery

  • Recover data, bring systems back online
  • Go back to Identify, may have not fully recovered

Post-Incident

  • lessons learned, documentation
  • improve Prep stage, go back to prep stage
72
Q

Cyber Kill Chain Attack Framework
or
Steps of Attack / Framework
will be on test

A
Steps of Attack / Framework
Reconnaissance / Research
Weaponization / Build your attack
Delivery / get into; Component Access
Exploitation / Breach Security or Activation
Installation / Persistence - how to stay
Cmd & Control / Reach back to Attacker
Actions on Objectives / The Attack