Randoms Flashcards
CIA TRIAD
The CIA triad is a common model that forms the basis for the development of security systems.
CONFIDENTIALITY
Another term for confidentiality would be privacy.
Confidentiality ensures that access to information is controlled to prevent the unauthorized sharing of data, whether intentional or accidental, so that only those who are authorized can view it.
The data may be compartmentalized according to the security / sensitivity level of the information.
For example, those who work with an organization’s finances should be able to access the spreadsheets, bank accounts, and other information related to the flow of money, but those in the advertising team should not have access to it.
Methods to ensure confidentiality include data encryption, user IDs and passwords, two-factor authentication, and minimizing the exposure of sensitive information.
INTEGRITY
Integrity is the accuracy, consistency, and trustworthiness of data over its entire life cycle.
Data must be unaltered during transit and not changed by unauthorized entities.
File permissions and user access control can prevent unauthorized access. Version control can be used to prevent accidental changes by authorized users. Backups must be available to restore any corrupted data.
Checksum hashing can be used to verify the integrity of data during transfer.
A checksum is used to verify the integrity of files, or strings of characters, after they have been transferred from one device to another across your local network or the Internet.
Checksums are calculated with hash functions. Common hash functions used for checksums are MD5, SHA-1, SHA-256, and SHA-512. MD5 and SHA-1 are no longer collision resistant, so they can still detect accidental corruption but should not be relied on to detect deliberate tampering.
A hash function uses a mathematical algorithm to transform the data into a fixed-length value that represents the data.
The hashed value is simply there for comparison. From the hashed value, the original data cannot be retrieved directly. For example, if you forgot your password, your password cannot be recovered from the hashed value. The password must be reset.
After a file is downloaded, you can verify its integrity by comparing the hash value published by the source with the one you generate using any hash calculator. If the two values match, the file has not been tampered with or corrupted during the transfer.
AVAILABILITY
Availability means information should be consistently and readily accessible for authorized parties.
This involves properly maintaining the hardware, technical infrastructure, and systems that hold and display the information.
Maintaining equipment, performing hardware repairs, keeping operating systems and software up to date, and creating backups ensure the availability of the network and data to the authorized users.
Plans should be in place to recover quickly from natural or man-made disasters.
Security equipment or software, such as firewalls, guards against downtime due to attacks such as denial of service (DoS).
Denial of service occurs when an attacker attempts to overwhelm resources so the services are not available to the users.
SECURITY BREACH
Security breaches occur when individuals or applications gain unauthorized access to data, applications, services, or devices.
During these breaches, the attackers, whether they are insiders or not, attempt to obtain information that they could use for financial gain or other advantages.
INTERNAL VS EXTERNAL THREATS
Internal Security Threats
Attacks can originate from within an organization or from outside it, as shown in the figure. An internal user, such as an employee or contract partner, can accidentally or intentionally:
Mishandle confidential data
Threaten the operations of internal servers or network infrastructure devices
Facilitate outside attacks by connecting infected USB media into the corporate computer system
Accidentally invite malware onto the network through malicious email or websites
Internal threats also have the potential to cause greater damage than external threats, because internal users have direct access to the building and its infrastructure devices. Employees also have knowledge of the corporate network, its resources, and its confidential data, as well as different levels of user or administrative privileges.
External Security Threats
External threats from amateurs or skilled attackers can exploit vulnerabilities in network or computing devices, or use social engineering to gain access.
CYBERWARFARE
Cyberwarfare is an attack or a series of cyber attacks against a nation-state, causing it significant harm.
State-sponsored attacks that are targeted at other states.
Cyberwarfare is an Internet-based conflict that involves the penetration of computer systems and networks of other nations.
These attackers have the resources and expertise to launch massive Internet-based attacks against other nations to cause damage or disrupt services, such as shutting down a power grid.
An example of a state-sponsored attack involved the Stuxnet malware, which was designed to damage Iran’s nuclear enrichment plant. Stuxnet did not hijack targeted computers to steal information. It was designed to damage physical equipment that was controlled by computers. It used modular code in which each module was programmed to perform a specific task within the malware. It used stolen digital certificates so the attack appeared legitimate to the system.
THREAT ACTOR V ATTACKER
A “threat actor” is a broader term that refers to any individual, group, or entity that poses a potential risk or threat to computer systems, networks, or data.
An “attacker,” on the other hand, specifically refers to a threat actor who has taken action to exploit vulnerabilities, compromise systems, or launch attacks against targets.
In other words, an attacker is a threat actor who has moved from intent to action by engaging in malicious activities.
Unlike a hacker, a threat actor does not necessarily have any hacking or technical skills. They are simply an entity with malicious intent and a mission to compromise an organization’s security or data.
PROOF OF CONCEPT
A demonstration of the feasibility of a particular method
A proof of concept (PoC) is a demonstration that a certain idea or method works.
In computer security this often means that hackers show that they have been able to make use of a security flaw in software or hardware.
A proof of concept (PoC) exploit is a non-harmful attack against a computer or network. PoC exploits are not meant to cause harm, but to show security weaknesses within software. Identifying issues allows companies to patch vulnerabilities and protect themselves against attacks.
Typically, PoC exploits are done by a vendor working for the company. By simulating an actual attack, the company can patch the security hole without systems or data being compromised. The code developed for the test (proof of concept code) will likely be used in the future to test the software and make sure the new security measures work.
When PoC code is published before the security hole is patched, a zero-day exploit can occur. Zero-day exploits are malicious attacks that occur after a security risk is discovered but before it is patched.
Publishing PoC code has become controversial because it can lead to zero-day exploits when it is released too quickly. When PoC code is shared before a weakness is patched, it leaves software and networks vulnerable to hackers. Many large companies have recently fallen victim to security breaches due to PoC code being shared before issues could be fixed.
ROBOTS.TXT
robots.txt is a file that specifies the scope of web crawlers.
It is a text file that webmasters use to instruct web crawlers (also known as robots or spiders) about which parts of their website should be crawled and indexed by search engines and other automated bots, and which parts should not be accessed. It is a standard used to communicate guidelines to these bots and to ask them to respect the website’s wishes regarding content visibility.
The robots.txt file is typically placed in the root directory of a website and contains rules that define which user agents (bots) are allowed to access certain parts of the website and which parts should be excluded from crawling. The rules are defined using a simple syntax that specifies the paths that are allowed or disallowed for specific user agents.
For example, a robots.txt file might look like this:
User-agent: *
Disallow: /private/
Disallow: /secret/
It’s important to note that while robots.txt can provide instructions to well-behaved bots, it doesn’t offer strong security measures. Malicious bots can choose to ignore these instructions, and because the file is publicly readable, listing sensitive paths in it also reveals those paths to anyone who reads it. If more robust access control is needed, additional security measures should be implemented at the server level.
EXPLOIT VS PAYLOAD VS SHELL
Exploit: Code that is written to take advantage of a specific vulnerability in a system.
An “exploit” is like a key that unlocks a system’s weak point. It’s a piece of code that capitalizes on vulnerabilities to gain unauthorized access.
Examples of exploits include web application exploits, denial of service exploits, remote code execution exploits, and so on.
Payload: Malicious content delivered after a successful exploit.
A payload is code that is written to be executed after a system has been successfully exploited. It can provide an interactive shell to the attacker, create a backdoor, or execute a particular piece of code.
Examples of payloads include the Meterpreter shell, keyloggers, reverse shells, and so on.
The exploit delivers the payload, while the payload is the code that performs the actual work. Without an exploit, there is no way to deliver a payload and run code on a system. Without a payload, nothing is done after exploiting a system.
Shell: A command interface allowing control of a compromised system.
The exploit is what delivers the payload. Exploits give you the ability to “pop a shell” or run your payload code.
https://www.ques10.com/p/67205/difference-between-payload-and-exploits-in-syste-1/#:~:text=Exploits%20give%20you%20the%20ability,like%20denial%20of%20service%20exploits.
STAGED VS NON-STAGED PAYLOADS
DAEMON VS SERVICES VS PROCESSES VS PORTS
Daemons: Background processes running on a computer or server, performing tasks like managing services and handling network requests. They initiate and control the execution of services, ensuring they are available and responsive. Daemons often listen on specific ports to handle incoming requests.
Services: Software components or applications providing specific functions, such as file sharing, network communication, and authentication. Services are the functional components that provide specific capabilities on a computer or network. Daemons manage and run these services, ensuring they operate effectively. Services often communicate over network connections using specific ports.
Processes: Running instances of programs or applications, including foreground applications, background daemons, and services. A process represents the execution of a specific set of instructions. Processes include both foreground applications that users interact with and background processes like daemons and services. Daemons and services are types of processes, but not all processes are daemons or services.
Ports: Virtual endpoints in networks that direct data to the right processes or services based on assigned numbers and protocols. Ports act as communication endpoints for network traffic. They allow different services and daemons to receive and send data over a network. Services are associated with specific ports, and daemons listen on these ports to accept incoming data and requests from other systems.
In essence, daemons manage services, and services communicate over ports. Processes, which include both foreground applications and background daemons, drive the execution of services. Together, daemons, services, and processes collaborate to enable the functionality and interaction of various software components across computer systems and networks.
PAYLOAD
RELATIONSHIP BETWEEN EXPLOIT, PAYLOAD, AND SHELL
The relationship between exploit, payload, and shell is essential to understand in the context of cyberattacks:
Exploit: An exploit is a piece of code or technique that takes advantage of a vulnerability in a system, application, or network. It’s the “entry point” that allows an attacker to compromise a target system.
Payload: A payload is the malicious content or action that an attacker delivers to a compromised system after successfully exploiting a vulnerability. It’s what the attacker wants to achieve once they have gained access.
Shell: A shell is a command-line interface that provides control over a compromised system. When an attacker successfully delivers a payload, they might execute a shell, allowing them to interact with the compromised system, run commands, manipulate files, and potentially gain complete control over it.
To put it in a simple scenario:
The attacker identifies a vulnerability in a target system (exploit).
They use an exploit to successfully gain access to the system.
Once inside, they deliver a malicious payload, which might include code to activate a shell.
The shell grants the attacker control over the compromised system, allowing them to perform various actions, potentially leading to data theft, system manipulation, or further attacks.
In summary, the exploit opens the door, the payload is what the attacker brings through that door, and the shell is the tool they use to control the compromised environment.
SCENARIO OF PORTS, DAEMON, SERVICES, AND PROCESSES
Consider a scenario involving a web server that serves a website to users:
Daemon: In this scenario, the “httpd” daemon (commonly used for web servers like Apache) is running in the background. It’s responsible for managing the web server’s operations. The daemon listens for incoming requests on specific ports, often including port 80 for HTTP traffic.
Service: The “httpd” service is the web server itself. It’s the software component that processes requests from users’ browsers for web content. The service runs as a process managed by the “httpd” daemon.
Process: When a user visits the website, their browser (e.g., Chrome) initiates a “chrome.exe” process. Within this process, a separate thread or process is responsible for handling the user’s interaction with the website. This includes sending an HTTP request for the web page to the server.
Port: The user’s browser sends the HTTP request to the web server’s IP address on port 80, which is the standard port for HTTP traffic. The “httpd” daemon, listening on port 80, receives the request from the user’s browser.
Here’s how they interact in this scenario:
The user types a URL in their browser to access a website.
The browser’s process (“chrome.exe”) sends an HTTP request to the web server’s IP address.
The “httpd” daemon receives the request on port 80.
The “httpd” service processes the request, retrieves the requested web page from its file system, and sends it back to the user’s browser.
The user’s browser displays the web page to the user.
In this scenario, daemons, services, processes, and ports work together to deliver web content from the server to the user’s browser.