Principles of Cyber Security

Question 1

DAC

Answer 1

Discretionary Access Control

Question 2

DAC: DACL

Answer 2

DAC List
Tracks permissions against each object

Question 3

DAC: Access Matrix

Answer 3

Combined DACLs

Question 4

DAC: Advantages

Answer 4

Easily Implementable
Highly Flexible

Question 5

DAC: Disadvantages

Answer 5

Poor Scaling (Matrix Explosion)
Prone to Mistakes (Complex Policy Management)
Frequent Changes

Question 6

MAC

Answer 6

Mandatory Access Control

Question 7

MAC: Object Access Requirements

Answer 7

At least the specified clearance level
All need-to-knows

Question 8

MAC: Advantages

Answer 8

Most Secure
Easily Scalable

Question 9

MAC: Disadvantages

Answer 9

Not Flexible
Limited User Functionality
High Admin Overhead

Question 10

RBAC

Answer 10

Role-based Access Control

Question 11

RBAC: Role Hierarchies

Answer 11

Roles can inherit permissions from other roles

Question 12

RBAC: Constraints

Answer 12

Restricts roles:
- Mutually Exclusive Roles (Subject has only one role)
- Cardinality Restrictions (Constrain number of subjects assigned to role)
- Prerequisite Roles (Must hold specified role before assignment of new role)

Question 13

RBAC: Consolidated

Answer 13

Combines Role Hierarchies and Constraints

Question 14

RBAC: Advantages

Answer 14

Scalable
Flexible (Loose coupling of user and perms)

Question 15

RBAC: Disadvantages

Answer 15

Roles need provisioning and maintenance
Possible rule explosion
Cannot accommodate real-time context

Question 16

ABAC

Answer 16

Attribute-based Access Control

Question 17

ABAC: Subject Attributes

Answer 17

Identity and characteristics of a subject e.g. name, job title, etc.

Question 18

ABAC: Object Attributes

Answer 18

Extracted from object metadata

Question 19

ABAC: Environment Attributes

Answer 19

Describe the current environmental context e.g. current malware threat

Question 20

ABAC: Advantages

Answer 20

Dynamic
Fine-grained
Considers the Environment

Question 21

ABAC: Disadvantages

Answer 21

Attributes need provisioning and maintenance
Possible Attribute Explosion
Complexity to Design and Implement

Question 22

CVE

Answer 22

Common Vulnerabilities and Exposures (CVE)

A weakness knowledge base that lists common identifiers for publicly known cybersecurity vulnerabilities.

Each entry contains
- CVE ID
- A brief description
- Any pertinent references i.e. vulnerability reports

Question 23

NVD

Answer 23

National Vulnerability Database (NVD)

A weakness knowledge base informed by CVE and run by the U.S. government

NVD analyses CVEs

Question 24

CWE

Answer 24

Common Weakness Enumeration (CWE)

A weakness knowledge base. Community-developed list of common software weaknesses and vulnerabilities.

Acts as a baseline for weakness identification, prevention, and mitigation

Question 25

CAPEC

Answer 25

An Attack Technique Knowledge Base Describes common techniques employed by adversaries Focuses on application security by enumerating exploits against vulnerable systems (including Social Engineering and Supply Chain Attacks) CAPECxploits. Lists exploits of vulnerable systems

Question 26

ATT&CK

Answer 26

An Attack Technique Knowledge Base Describes phases in an adversary's lifecycle and specific TTPs that APTs use. Focuses on network defence by providing a contextual understanding of malicious behaviour. Focuses on adversaries interactions with the system, not the tools used ATT&ACK P T

Question 27

TTP

Answer 27

Tactics, Techniques, and Procedures

Question 28

Cyber Essentials

Answer 28

A UK cybersecurity certification scheme designed to help businesses protect themselves against the most common cyber threats

Question 29

Cyber Essentials: Firewalls

Answer 29

Ensure only necessary network services can be accessed from the internet to reduce exposure to attacks All inbound connections are blocked by default except those towards services meant to be accessed from the internet and every inbound rule that accepts connections must be motivated and documented

Question 30

Cyber Essentials: Secure Configuration

Answer 30

Ensures devices are configured to reduce vulnerabilities and provide only strictly required services All unnecessary software is removed/disabled, auto-run features are disabled, default/guessable passwords are changed

Question 31

Cyber Essentials: User Access Control

Answer 31

Ensures user accounts are only for authorised individuals and only provide access to required resources Requires - Setup of a process and approve a new user account - Always authenticate users before granting access to applications and devices - Remove/disable accounts when no longer required - Use 2FA - Use admin accounts only for admin activities

Question 32

Cyber Essentials: Malware Protection

Answer 32

Ensures untrusted software is restricted and known malware is restricted Requires - Anti-malware software that is up to date with daily checks. It should automatically scam when files are downloaded, opened, or accessed from a network folder. Web pages should be automatically scanned with blacklisting of malicious and suspicious websites - Application whitelisting - Application sandboxing for code of unknown origins

Question 33

Cyber Essentials: Patch Management

Answer 33

Ensures devices and software are not vulnerable to known security issues for which fixes are available All software is updated, licensed and supported

Question 34

Additional Defences: Data Protection

Answer 34

Encrypt, fragment, backup, sanitise data to prevent data leaks

Question 35

Additional Defences: Segregation of Duties

Answer 35

Have more than one person required to complete a critical task. More accounts need to be compromised to undermine it

Question 36

Additional Defences: Network Fragmentation & Monitoring

Answer 36

Split up network infrastructure based on business process, necessary exposure and risk levels. Firewalls used between boundaries Use intrusion detection systems to observe network traffic and detect malicious traffic. Signature or anomaly based Machine learning helps with accuracy Can suffer from false positives

Question 37

Additional Defences: Honeypots

Answer 37

Decoys to lure in attacks for analysis High-Interaction Honeypots: Close mimic, extensive interaction & analysis Low-Interaction Honeypots: Simulate a few services, reduces risk of compromise

Question 38

Additional Defences: Pentesting

Answer 38

Authorised attacks aimed at identifying how an attacker can compromise the system

Question 39

Additional Defences: Pentesting: PTES

Answer 39

Penetration Testing Execution Standard Comprehensive framework for effective and consistent pentesting

Question 40

Additional Defences: Standards

Answer 40

Guide security principles Efficient for driving adoption Compliance-driven security risks shifting focus to meeting regulations rather than tackling security risks, giving a false sense of security

Question 41

APT: Lifecycle

Answer 41

Reconnaissance Initial Compromise Post-Exploitation (Repeated until goal accomplished)

Question 42

APT: Post-Exploitation: Persistence

Answer 42

Achieved through malware (backdoors, rootkits, remote access trojans (RATs), keyloggers) or stolen credentials (allowing maintained access if other vulnerabilities are patched)

Question 43

APT: Post-Exploitation: C&C Communication

Answer 43

Encrypt data using non-standard communication protocols or use innocent-looking traffic to hide malicious activity

Question 44

APT: Post-Exploitation: C&C Communication: Push Model

Answer 44

Attacker sends commands to C&C control hub which relays them to the compromised system

Question 45

APT: Post-Exploitation: C&C Communication: Pull Model

Answer 45

Attacker leaves commands at the hub, the compromised system periodically polls the hub, the machine leaves outputs at the hub and the attacker periodically polls the hub

Question 46

APT: Post-Exploitation: Lateral Spread

Answer 46

Seek new systems to compromise within the network via analysis of compromised machines (to gather credentials), network analysis (to find targets), and stealing credentials (using social engineering)

Question 47

APT: Post-Exploitation: Data Exfiltration

Answer 47

Exfiltrate sensitive information to an external system. Staging servers can accumulate and transform data to reduce data size and help avoid detection. Faster transfer speeds risk detection Data is hidden in other data using steganography, the practice of hiding information in other data

Question 48

Cryptography

Answer 48

The practice of secure communication in the presence of an adversarial third party

Question 49

Cryptography: Symmetric Encryption

Answer 49

The same key is used to encrypt and decrypt data. Requires N(N-1)/2 keys

Question 50

Cryptography: Asymmetric Encryption

Answer 50

A sender encrypts data using the recipients public key and the recipient decrypts the data using their private key. Requires N x 2 keys where N is the number of communicating nodes

Question 51

Cryptography: Digital Signature

Answer 51

Used to verify the authenticity and integrity of data. Generated by creating a hash of the data and encrypting the hash when transferring the data. The recipient can then decrypt the hash and the data and compare the received data’s hash with the received hash.

Question 52

Cryptography: Distributing Keys: Private Key Distribution: Public Key Encryption

Answer 52

To send a private key, asymmetric (public key) encryption. The recipient can send a public key used to encrypt the data. Vulnerable to Man in the Middle Attacks where the adversary intercepts the public key from the recipient and sends it on their own to the sender.

Question 53

Cryptography: Distributing Keys: Private Key Distribution: Diffie-Hellman Symmetric Key Encryption

Answer 53

Two parties agree on public parameters including a large prime number and primitive root modulo. Uses a property of modulus to send the keys Susceptible to Man in the Middle Attacks

Question 54

Cryptography: Distributing Keys: Public Key Distribution

Answer 54

Recipient needs to know with certainty the sender’s public key to validate a digital signature or to encrypt messages so they can avoid man in the middle attacks

Question 55

Cryptography: Distributing Keys: Public Key Distribution: Digital Certificate

Answer 55

Consist of a public key and a user ID both signed by a trusted third party

Question 56

Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure

Answer 56

The infrastructure needed to create, manage, distribute and revoke digital certificates to enable secure and efficient acquisition of public keys

Question 57

Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: CA

Answer 57

Certification Authority Responsible for issuing, distributing, and revoking public key certificates. The CA uses a well-protected private key to add a digital signature to mark it as authentic. User’s have public keys for the CA’s digital signature built into operating systems

Question 58

Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: RA

Answer 58

Registration Authority The CA uses the RA to authenticate applicants for digital certificates

Question 59

Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: PKI Repository

Answer 59

Stores all certificates

Question 60

Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: PKI Repository: CRL

Answer 60

stores certificates revoked before the scheduled expiration date. It is not issued frequently enough to be effective against attackers. It is expensive to distribute and vulnerable to DoS attacks Certificates can be revoked because of - Compromised Private Key - Expiration - Human Resources - Changes to Company Name, Physical Address, DNS

Question 61

Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: X.509

Answer 61

A widely accepted standard format for digital certificates. Instead of CRL, the Online Certificate Status Protocol (OCSP) is used to query if the certificate is still valid

Question 62

Social Engineering

Answer 62

Use of psychological manipulation to deceive people into compromising security or divulging sensitive information

Question 63

Social Engineering: Compliance Principles

Answer 63

Reasons to comply * Friendships * Commitments / Consistency * Scarcity (Exclusive opportunity) * Reciprocity (Obligation to return a favour) * Social Validation (Admiration of other’s actions) * Authority (Requests from those with power)

Question 64

Social Engineering: Communication Methods

Answer 64

* Direct Communication * Bidirectional Communication: Both target and attacker exchange information * Unidirectional Communication: Only attack communicates * Indirect Communication: Attacker uses third-party channels to communicate such as fake website

Question 65

Social Engineering: Techniques

Answer 65

Information Gathering: Gathering of personal information for malicious purposes, gathered from: * Company Websites * Social Networks * Dumpster Diving * Shoulder Surfing Prevented by using shredders and educating employees on being aware of their social presence Interaction with Target: Contacting the target to establish trust or instil fear * Phishing: Fraudulent emails designed to trick recipients into divulging sensitive data * Spear Phishing: Targeted phishing * Whaling: Spear phishing of high-level individuals with access to company funds * Vishing: Voice Phishing e.g. fraudulent bank call * Smishing: SMS Phishing Physical Impersonation: Attacker impersonates maintenance worker, delivery driver, etc. Prevented by filtering emails by analysing links, spelling, grammar. Not downloading attachments. Not providing personal information. Education, be wary of demanding language Tailgating: Attacker follows someone with legitimate access into a restricted area Baiting: Attacker offers incentive such as a USB drive to entice the target into downloading malware

Question 66

Cyberwarfare: Appeal

Answer 66

* Cost-Effective: Cheap, openly available tools instead of expensive troops and weapons * Anonymity: Use of false IP addresses, foreign servers, and aliases make tracing attack origins difficult * Attribution is Near Impossible: Attacker has plausible deniability, claiming their computer has been hacked * Cyber Deterrence: Retaliation against the wrong actor is unjust and could be a crime of war * No Casualties * Disruption over Destruction * Extremely Quick * Hard to Detect & Neutralise * Exploitable Vulnerabilities Increase as Technology Evolves

Question 67

Bitcoin: Wallet

Answer 67

Stores public/private keys required to access and manage funds

Question 68

Bitcoin: Addresses

Answer 68

* Public keys generate addresses used to receive payment * One address per payment, so that the amount of information publicly available on a user is reduced * Provides pseudo-anonymity

Question 69

Bitcoin: Transaction: Inputs

Answer 69

References to previous transactions. Must not already be spent, tracked Unspent Transaction Outputs (UTXOs) against a wallet

Question 70

Bitcoin: Transaction: Outputs

Answer 70

Determine where bitcoins will be sent

Question 71

Bitcoin: Transaction: Digital Signature

Answer 71

* Transactions are digitally signed to prove ownership and ensure integrity before being broadcast across the bitcoin network. Nodes then verify the digital signature and the funds required, the transaction is then included in blocks by miners. * Transaction blocks have a reference to the hash of the previous block. Changing any block would require updating all subsequent blocks

Question 72

Bitcoin: Advantages

Answer 72

Decentralised, trustless, pseudo-anonymity, immutable transaction history

Question 73

Bitcoin: Disadvantages

Answer 73

High transaction fees reduce profits and makes it less attractive to customers, slow transaction confirmation, not a stabilised currency, lack of regulations