Sec+601 Flashcards by Cert Bee

3 key objectives of cybersecurity programs

confidentiality, integrity, and availability

How well did you know this?

Not at all

Perfectly

Confidentiality

ensures that unauthorized individuals are not able to gain access to sensitive information. Cybersecurity professionals develop and implement security controls, including firewalls, access control lists, and encryption, to prevent unauthorized access to information.

How well did you know this?

Not at all

Perfectly

Integrity

ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Integrity controls, such as hashing and integrity monitoring solutions, seek to enforce this requirement. Integrity threats may come from attackers seeking the alteration of information without authorization or non-malicious sources, such as a power spike causing the corruption of information.

How well did you know this?

Not at all

Perfectly

Availability

ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them. Availability controls, such as fault tolerance, clustering, and backups, seek to ensure that legitimate users may gain access as needed. Similar to integrity threats, availability threats may come either from attackers seeking the disruption of access or non-malicious sources, such as a fire destroying a datacenter that contains valuable information or services.

How well did you know this?

Not at all

Perfectly

Security incidents

occur when an organization experiences a breach of the confidentiality, integrity, and/or availability of information or information systems.

How well did you know this?

Not at all

Perfectly

3 key threats to cybersecurity efforts:

DAD Triad - Disclosure, Alteration and Denial
Disclosure is the exposure of sensitive information to unauthorized individuals, otherwise known as data loss. Disclosure is a violation of the principle of confidentiality. Attackers who gain access to sensitive information and remove it from the organization are said to be performing data exfiltration. Disclosure may also occur accidentally, such as when an administrator misconfigures access controls or an employee loses a device.

Alteration is the unauthorized modification of information and is a violation of the principle of integrity. Attackers may seek to modify records contained in a system for financial gain, such as adding fraudulent transactions to a financial account. Alteration may occur as the result of natural activity, such as a power surge causing a “bit flip” that modifies stored data. Accidental alteration is also a possibility, if users unintentionally modify information stored in a critical system as the result of a typo or other unintended activity.
Denial is the unintended disruption of an authorized user’s legitimate access to information. Denial events violate the principle of availability. This availability loss may be intentional, such as when an attacker launches a distributed denial-of-service (DDoS) attack against a website. Denial may also occur as the result of accidental activity, such as the failure of a critical server, or as the result of natural activity, such as a natural disaster impacting a communications circuit.

How well did you know this?

Not at all

Perfectly

Attackers who gain access to sensitive information and remove it from the organization are said to be performing:

data exfiltration

How well did you know this?

Not at all

Perfectly

We can categorize the potential impact of a security incident using the same categories that businesses generally use to describe any type of risk:

financial, reputational, strategic, operational, and compliance.

How well did you know this?

Not at all

Perfectly

(Breach impact risk) as the name implies, the risk of monetary damage to the organization as the result of a data breach. This may be very direct financial damage, such as the costs of rebuilding a datacenter after it is physically destroyed or the costs of contracting experts for incident response and forensic analysis services.

Financial Risk

How well did you know this?

Not at all

Perfectly

(Breach impact risk) occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and other stakeholders. It is often difficult to quantify reputational damage, as these stakeholders may not come out and directly say that they will reduce or eliminate their volume of business with the organization as a result of the security breach. However, the breach may still have an impact on their future decisions about doing business with the organization.

Reputational risk

How well did you know this?

Not at all

Perfectly

(Breach impact risk) is the risk that an organization will become less effective in meeting its major goals and objectives as a result of the breach.

Strategic risk

How well did you know this?

Not at all

Perfectly

(Breach impact risk) occurs when a security breach causes an organization to run afoul of legal or regulatory requirements. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that health-care providers and other covered entities protect the confidentiality, integrity, and availability of protected health information (PHI). If an organization loses patient medical records, they violate HIPAA requirements and are subject to sanctions and fines from the U.S. Department of Health and Human Services. That’s an example of compliance risk.

Compliance risk

How well did you know this?

Not at all

Perfectly

As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems. They express these requirements by writing the () that the organization wishes to achieve. These () are statements of a desired security state, but they do not, by themselves, actually carry out security activities.

control objectives

How well did you know this?

Not at all

Perfectly

are specific measures that fulfill the security objectives of an organization.

Security controls

How well did you know this?

Not at all

Perfectly

Security Control Categories

Technical, Operational, and Managerial

How well did you know this?

Not at all

Perfectly

enforce confidentiality, integrity, and availability in the digital space. Examples of ()l security controls include firewall rules, access control lists, intrusion prevention systems, and enc

Technical controls

How well did you know this?

Not at all

Perfectly

include the processes that we put in place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management. (Under security controls)

Operational controls

How well did you know this?

Not at all

Perfectly

are procedural mechanisms that focus on the mechanics of the risk management process. Examples of administrative controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices. (Under security controls)

Managerial control

How well did you know this?

Not at all

Perfectly

intend to stop a security issue before it occurs. Firewalls and encryption are examples of () controls. (CompTIA version of security control types)

Preventive

How well did you know this?

Not at all

Perfectly

identify security events that have already occurred. Intrusion detection systems are () controls. (CompTIA version of security control types)

Detective

How well did you know this?

Not at all

Perfectly

remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a () control. (CompTIA version of security control types)

Corrective

How well did you know this?

Not at all

Perfectly

seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls. (CompTIA version of security control types)

Deterrent

How well did you know this?

Not at all

Perfectly

are security controls that impact the physical world. Examples of physical security controls include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms. (CompTIA version of security control types)

Physical

How well did you know this?

Not at all

Perfectly

are controls designed to mitigate the risk associated with exceptions made to a security policy. (CompTIA version of security control types)

Compensating

How well did you know this?

Not at all

Perfectly

three states where data might exist.

data at rest, data in motion and data in processing

is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. This data is prone to pilfering by insiders or external attackers who gain access to systems and are able to browse through their contents.

data at rest

is data that is in transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.

data in motion

is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information.

Data in processing

technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.

Encryption

technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.

Data loss prevention (DLP)

DLP systems work in two different environments:

Host-based DLP Network DLP

This DLP uses software agents installed on systems that search those systems for the presence of sensitive information. These searches often turn up Social Security numbers, credit card numbers, and other sensitive information in the most unlikely places!

Host-based

This DLP systems are dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information. They can then block those transmissions, preventing the unsecured loss of sensitive information. DLP systems may simply block traffic that violates the organization's policy, or in some cases, they may automatically apply encryption to the content. This automatic encryption is commonly used with DLP systems that focus on email.

Network-based

DLP systems also have two mechanisms of action:

Pattern matching, where they watch for the telltale signs of sensitive information. For example, if they see a number that is formatted like a credit card or Social Security number, they can automatically trigger on that. Similarly, they may contain a database of sensitive terms, such as “Top Secret” or “Business Confidential,” and trigger when they see those terms in a transmission. Watermarking, where systems or administrators apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags. Watermarking technology is also commonly used in digital rights management (DRM) solutions that enforce copyright and data ownership restrictions.

techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve () () is to simply destroy data when it is no longer necessary to meet our original business purpose.

minimization

If we can't completely remove data from a dataset, we can often transform it into a format where the original sensitive information is (). The () process removes the ability to link data back to an individual, reducing its sensitivity.

de-identified

An alternative to de-identifying data is transforming it into a format where the original information can't be retrieved.

data obfuscation

replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We'd then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone's identity. Of course, if you use this approach, you need to keep the lookup table secure!

tokenization

uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value.

hashing

partially redacts sensitive information by replacing some or all sensitive fields with blank characters. For example, we might replace all but the last four digits of a credit card number with X's or *'s to render the card number unreadable.

Masking

In this attack, the attacker computes the hashes of those candidate values and then checks to see if those hashes exist in our data file. For example, imagine that we have a file listing all the students at our college who have failed courses but we hash their student IDs. If an attacker has a list of all students, they can compute the hash values of all student IDs and then check to see which hash values are on the list. For this reason, hashing should only be used with caution.

Rainbow Table attack

Chris is responding to a security incident that compromised one of his organization's web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate? a- Confidentiality b- Nonrepudiation c- Integrity d- Availability

c- integrity

Tonya is concerned about the risk that an attacker will attempt to gain access to her organization's database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement? A-Preventive B-Detective C-Corrective D-Deterrent

D-Deterrent

Greg recently conducted an assessment of his organization's security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case? A-Detective B-Corrective C-Deterrent D-Preventive

D-Preventive

Which one of the following data protection techniques is reversible when conducted properly? A-Tokenization B-Masking C-Hashing D-Shredding

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can't be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

also known as authorized attackers, are those who act with authorization and seek to discover security vulnerabilities with the intent of correcting them. White-hat attackers may either be employees of the organization or contractors hired to engage in penetration testing.

White-hat hackers

also known as unauthorized attackers, are those with malicious intent. They seek to defeat security controls and compromise the confidentiality, integrity, or availability of information and systems for their own, unauthorized, purposes.

Black-hat hackers

also known as semi-authorized attackers, are those who fall somewhere between white- and black-hat hackers. They act without proper authorization, but they do so with the intent of informing their targets of any security vulnerabilities.

Gray-hat hacker

is a derogatory term for people who use hacking techniques but have limited skills. Often such attackers may rely almost entirely on automated tools they download from the Internet. These attackers often have little knowledge of how their attacks actually work, and they are simply seeking out convenient targets of opportunity.

Script Kiddies

use hacking techniques to accomplish some activist goal. They might deface the website of a company whose policies they disagree with. Or a () might attack a network due to some political issue. The defining characteristic of () is that they believe they are motivated by the greater good, even if their activity violates the law.

Hacktivists

do not normally embrace political issues or causes, and they are not trying to demonstrate their skills. In fact, they would often prefer to remain in the shadows, drawing as little attention to themselves as possible. They simply want to generate as much illegal profit as they possibly can.

Organized criminal syndicates

attacks that Mandiant reported are emblematic of nation-state attacks. They tend to be characterized by highly skilled attackers with significant resources. A nation has the labor force, time, and money to finance ongoing, sophisticated attacks. The motive can be political or economic. In some cases, the attack is done for traditional espionage goals: to gather information about the target's defense capabilities. In other cases, the attack might be targeting intellectual property or other economic assets.

Advanced Persistent Threats (APTs)

attacks occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization. These attacks are often aimed at disclosing confidential information, but insiders may also seek to alter information or disrupt business processes.

Insiders

attacks are particularly dangerous because they are unknown to product vendors, and therefore, no patches are available to correct them. APT actors who exploit () vulnerabilities are often able to easily compromise their targets.

Zero-Day Attacks

Behavioral assessments are a powerful tool in identifying insider attacks.

Remember

Dedicated employees often seek to achieve their goals and objectives through whatever means allows them to do so. Sometimes, this involves purchasing technology services that aren't approved by the organization. For example, when file sharing and synchronization services first came on the market, many employees turned to personal Dropbox accounts to sync work content between their business and personal devices. They did not do this with any malicious intent. On the contrary, they were trying to benefit the business by being more productive. This situation, where individuals and groups seek out their own technology solutions, is a phenomenon known as

Shadow IT

may engage in corporate espionage designed to steal sensitive information from your organization and use it to their own business advantage.

Competitors

Threat actors targeting an organization need some means to gain access to that organization's information or systems. _______________ are the means that threat actors use to obtain that access.

Threat vectors

Bold attackers may seek to gain ______________ to an organization's network by physically entering the organization's facilities. One of the most common ways they do this is by entering public areas of a facility, such as a lobby, customer store, or other easily accessible location and sitting and working on their laptops, which are surreptitiously connected to unsecured network jacks on the wall.

Direct Access

Besides wireless networks and removable media, Cloud services can also be used as an attack vector. Attackers routinely scan popular cloud services for files with improper access controls, systems that have security flaws, or accidentally published API keys and passwords.

Remember this

Sophisticated attackers may attempt to interfere with an organization's IT supply chain, gaining access to devices at the manufacturer or while the devices are in transit from the manufacturer to the end user. Tampering with a device before the end user receives it allows attackers to insert backdoors that grant them control of the device once the customer installs it on their network. This type of third-party risk is difficult to anticipate and address.

Remember this

Examples of Threat Vectors

Direct access Wireless Email Supply chain Social media Removable media Cloud

is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.

Threat intelligence

Threat intelligence information can also be used for predictive analysis to identify likely risks to the organization.

Remember this

There are many sources of threat intelligence, ranging from open source intelligence (OSINT) that you can gather from publicly available sources to commercial services that provide proprietary or closed-source intelligence information.

Remember this

These are the telltale signs that an attack has taken place and may include file signatures, log patterns, and other evidence left behind by attackers. () may also be found in file and code repositories that offer threat intelligence information.

indicators of compromise (IoCs)

A number of sites maintain extensive lists of open source threat information sources: Senki.org provides a list: www.senki.org/operators-security-toolkit/open-source-threat-intelligence-feeds The Open Threat Exchange operated by AT&T is part of a global community of security professionals and threat researchers: https://cybersecurity.att.com/open-threat-exchange The MISP Threat Sharing project, www.misp-project.org/feeds, provides standardized threat feeds from many sources, with community-driven collections. Threatfeeds.io hosts a list of open source threat intelligence feeds, with details of when they were added and modified, who maintains them, and other useful information: threatfeeds.io

Remember this

is a network run over standard Internet connections but using multiple layers of encryption to provide anonymous communication.

dark web

Threat maps provide a geographic view of threat intelligence. Many security vendors offer high-level maps that provide real-time insight into the cybersecurity threat landscape. For example, FireEye offers the public threat map shown in Figure 2.4 at www.fireeye.com/cyber-map/threat-map.html Organizations may also use threat mapping information to gain insight into the sources of attacks aimed directly at their networks. However, threat map information should always be taken with a grain of salt because geographic attribution is notoriously unreliable. Attackers often relay their attacks through cloud services and other compromised networks, hiding their true geographic location from threat analysis tools.

Remember this

allow organizations to filter and use threat intelligence based on how much trust they can give it. That doesn't mean that lower confidence information isn't useful; in fact, a lot of threat intelligence starts with a lower (), and that score increases as the information solidifies and as additional sources of information confirm it or are able to do a full analysis. Low confidence threat information shouldn't be completely ignored, but it also shouldn't be relied on to make important decisions without taking the low confidence score into account.

Confidence scores

One way to summarize the threat intelligence assessment data is via a confidence score. Confidence scores allow organizations to filter and use threat intelligence based on how much trust they can give it. That doesn't mean that lower confidence information isn't useful; in fact, a lot of threat intelligence starts with a lower confidence score, and that score increases as the information solidifies and as additional sources of information confirm it or are able to do a full analysis. Low confidence threat information shouldn't be completely ignored, but it also shouldn't be relied on to make important decisions without taking the low confidence score into account. Assessing the Co

Remember this

Managing threat information at any scale requires standardization and tooling to allow the threat information to be processed and used in automated ways. Indicator management can be much easier with a defined set of terms. That's where structured markup languages like STIX and OpenIOC come in. Structured Threat Information eXpression (STIX) is an XML language originally sponsored by the U.S. Department of Homeland Security. In its current version, STIX 2.0 defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools.

Remember this

Using a single threat feed can leave you in the dark! Many organizations leverage multiple threat feeds to get the most up-to-date information. Thread feed combination can also be challenging since they may not use the same format, classification model, or other elements. You can work around this by finding sources that already combine multiple feeds or by finding feeds that use the same description frameworks, like STIX.

Remember this

In the United States, organizations known as Information Sharing and Analysis Centers (ISACs) help infrastructure owners and operators share threat information and provide tools and assistance to their members. The National Council of ISACs lists the sector-based ISACs at www.nationalisacs.org/member-isacs. The ISAC concept was introduced in 1998, as part of Presidential Decision Directive-63 (PDD-63), which asked critical infrastructure sectors to establish organizations to share information about threats and vulnerabilities. ISACs operate on a trust model, allowing in-depth sharing of threat information for both physical and cyber threats. Most ISACs operate 24/7, providing ISAC members in their sector with incident response and threat analysis.

Remember this

is specifically designed to communicate cyber threat information at the application layer.

TAXII, the Trusted Automated eXchange of Indicator Information protocol

is a threat description language

STIX

the term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users. Malware can also gather information, provide illicit access, and take a broad range of actions that the legitimate owner of a system or network may not want to occur.

Remember this

The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users. Malware can also gather information, provide illicit access, and take a broad range of actions that the legitimate owner of a system or network may not want to occur.

Remember this

which encrypts files and then holds them hostage until a ransom is paid

crypto malware

is malware that takes over a computer and then demands a ransom.

ransomware

Some ransomware has been defeated, and defenders may be able to use a preexisting decryption tool to restore files. Antivirus and antimalware providers as well as others in the security community provide anti-ransomware tools.

Remember this

The Security+ Exam Outline calls out remote access Trojans (RATs) and Trojans separately. RATs are a subset of Trojans, so not every Trojan is a RAT. Make sure you remember that RATs provide remote access and monitoring of a system for attackers.

Remember this

Unlike Trojans that require user interaction, () spread themselves. Although () are often associated with spreading via attacks on vulnerable services, any type of spread through automated means is possible, meaning that () can spread via email attachments, network file shares, or other methods as well. () also self-install, rather than requiring users to click on them, making them quite dangerous.

Worms

are malware that is specifically designed to allow attackers to access a system through a backdoor. Many modern () also include capabilities that work to conceal the () from detection through any of a variety of techniques, ranging from leveraging filesystem drivers to ensure that users cannot see the rootkit files, to infecting startup code in the master boot record (MBR) of a disk, thus allowing attacks against full-disk encryption systems.

rootkits

Rootkit detection can be challenging, because a system infected with malware like this cannot be trusted. That means that the best way to detect a rootkit is to test the suspected system from a trusted system or device. In cases where that isn't possible, rootkit detection tools look for behaviors and signatures that are typical of rootkits. Techniques like integrity checking and data validation against expected responses can also be useful for rootkit detection, and anti-rootkit tools often use a combination of these techniques to detect complex rootkits.

Once a rootkit is discovered, removal can be challenging. Although some antimalware and anti-rootkit tools are able to remove specific rootkits, the most common recommendation whenever possible is

to rebuild the system or to restore it from a known good backup.

Some rootkits are intentionally installed, either as part of digital rights management (DRM) systems or as part of anti-cheating toolkits for games, or because they are part of a tool used to defeat copy protection mechanisms. Although these tools are technically rootkits, you will normally be focused on tools used by malicious actors instead of intentional installation for purposes like these.

Like many of the malware types you will read about here, the best ways to prevent rootkits are normal security practices, including patching, using secure configurations, and ensuring that privilege management is used. Tools like secure boot and techniques that can validate live systems and files can also be used to help prevent rootkits from being successfully installed or remaining resident.

are methods or tools that provide access that bypasses normal authentication and authorization procedures, allowing attackers access to systems, devices, or applications. () can be hardware or software based, but in most scenarios for the Security+ exam you will be concerned with software-based backdoors.

backdoors

Detecting backdoors can sometimes be done by checking for unexpected open ports and services, but more complex backdoor tools may leverage existing services. Examples include web-based backdoors that require a different URL under the existing web service, and backdoors that conceal their traffic by tunneling out to a remote control host using encrypted or obfuscated channels.

are used by attackers who control them to perform various actions, ranging from additional compromises and infection, to denial-of-service attacks or acting as spam relays. Large () may have hundreds of thousands of bots involved in them, and some have had millions of bots in total.

botnets

Many botnet command and control (C&C) systems operate in a client-server mode, as shown in Figure 3.1. In this model, they will contact central control systems, which provide commands and updates, and track how many systems are in the botnet. Internet Relay Chat (IRC) was frequently used to manage client-server botnets in the past, but many modern botnets rely on secure HTTP (HTTPS) traffic to help hide C&C traffic and to prevent it from easily being monitored and analyzed by defenders.

which uses many IP addresses that are used to answer queries for one or more fully qualified DNS names.

fast flux DNS,

Fast flux DNS is a technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies

Fast flux DNS

Taking down the domain name is the best way to defeat a fast flux DNS–based botnet or malware, but not every DNS registrar is helpful when a complaint is made.

Detecting botnets is often accomplished by analysis of bot traffic using network monitoring tools like IPSs and IDSs and other network traffic analysis systems. Additional data is gathered through reverse engineering and analysis of malware infections associated with the bot. The underlying malware can be detected using antivirus and antimalware tools, as well as tools like endpoint detection and response tools.

are programs that capture keystrokes from keyboards, although () applications may also capture other input like mouse movement, touchscreen inputs, or credit card swipes from attached devices.

keyloggers

Computer viruses are malicious programs that self-copy and self-replicate. Viruses require one or more infection mechanisms that they use to spread themselves, typically paired with some form of search capability to find new places to spread to. Viruses also typically have both a trigger, which sets the conditions for when the virus will execute, and a payload, which is what the virus does, delivers, or the actions it performs. Viruses come in many varieties, including Memory-resident viruses, which remain in memory while the system of device is running Non-memory-resident viruses, which execute, spread, and then shut down Boot sector viruses, which reside inside the boot sector of a drive or storage media Macro viruses, which use macros or code inside word processing software or other tools to spread Email viruses, which spread via email either as attachments or as part of the email itself using flaws within email clients

virus attacks are similar to traditional viruses in a number of critical ways. They spread via methods like spam email and malicious websites, and they exploit flaws in browser plug-ins and web browsers themselves. Once they successfully find a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system by the same process at reboot through a registry entry or other technique. At no point do they require local file storage, because they remain memory resident throughout their entire active life—in fact, the only stored artifact of many fileless attacks would be the artifacts of their persistence techniques.

Fileless

is malware that is designed to obtain information about an individual, organization, or system.

Spyware

type of spyware used to illicitly monitor partners in relationships.

stalkerware

are programs that may not be wanted by the user but are not as dangerous as other types of malware. () are typically installed without the user's awareness or as part of a software bundle or other installation. () include adware, browser toolbars, web browser–tracking programs, and others.

potentially unwanted programs (PUPs)

The Security+ exam outline includes PUPs with malware, but many PUPs are not technically malicious—they're annoying, they can be privacy risks, and they can slow a system down or otherwise cause problems—but they aren't actually malware. That's why they're called potentially unwanted programs instead of malware—most people and most organizations still don't want them installed!

Defenses against PowerShell attacks include using Constrained Language Mode, which limits sensitive commands in PowerShell, and using Windows Defender's built-in Application Control tool or AppLocker to validate scripts and to limit which modules and plug-ins can be run. It is also a good idea to turn on logging for PowerShell as well as Windows command-line auditing.

The Bash shell has a built-in security mode called the restricted shell that limits what users can do, including things like specifying command names containing slashes, importing function definitions from the shell environment, and others. These can limit the ability of attackers to leverage Bash as a tool for their attacks.

is the practice of manipulating people through a variety of strategies to accomplish desired actions.

Social engineering

relies on scaring or bullying an individual into taking a desired action. The individual who is targeted will feel threatened and respond by doing what the social engineer wants them to do.

intimidation

which relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, regardless of whether or not they actually are.

authority

-based social engineering uses the fact that people tend to want to do what others are doing to persuade them to take an action. A () attack might point out that everyone else in a department had already clicked on a link, or might provide fake testimonials about a product making it look safe. Also referred to as "social proof" in some categorization schemes.

consensus

is used for social engineering in scenarios that make something look more desirable because it may be the last one available.

scarcity

-based attacks rely on you liking the individual or even the organization the individual is claiming to represent.

familiarity

much like familiarity, relies on a connection with the individual they are targeting. Unlike with familiarity, which relies on targets thinking that something is normal and thus familiar, social engineers who use this technique work to build a connection with their targets so that they will take the actions that they want them to take.

trust

relies on creating a feeling that the action must be taken quickly due to some reason or reasons.

urgency

Phishing is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data. Phishing is most often done via email, but a wide range of phishing techniques exist, including things like smishing, which is phishing via SMS (text) messages, and vishing, or phishing via telephone.

targets specific individuals or groups in an organization in an attempt to gather desired information or access.

spear phishing

much like spear phishing, targets specific people, but whaling is aimed at senior employees like CEOs and CFOs—“big fish” in the company, thus the term ().

whaling

is the process of gathering credentials like usernames and passwords. () is often performed via phishing attacks but may also be accomplished through system compromise resulting in the acquisition of user databases and passwords, use of login or remote access tools that set up to steal credentials, or any other technique that will gather credentials for attackers.

Credential harvesting

attacks redirect traffic away from legitimate websites to malicious versions. () typically requires a successful technical attack that can change DNS entries on a local PC or on a trusted local DNS server, allowing the traffic to be redirected.

Pharming

rely on the fact that people will mistype URLs and end up on their sites, thus driving ad traffic or even sometimes using the typo-based website to drive sales of similar but not legitimate products.

Typo squatters

Spam over Instant Messaging

(SPIM)

retrieving potentially sensitive information from a dumpster and can provide treasure troves of information about an organization, including documentation and notes.

dumpster diving

is the process of looking over a person's shoulder to capture information like passwords or other data.

Shoulder surfing

is a physical entry attack that requires simply following someone who has authorized access to an area so that as they open secured doors you can pass through as well.

Tailgating

Eliciting information, often called elicitation, is a technique used to gather information without targets realizing they are providing it. Techniques like flattery, false ignorance, or even acting as a counselor or sounding board are all common elements of an elicitation effort. Talking a target through things, making incorrect statements so that they correct the person eliciting details with the information they need, and other techniques are all part of the elicitation process. Ideally, a social engineering target who has experienced an elicitation attack will never realize they have provided more information than they intended to, or will only realize it well after the fact.

can mean one of three things: 1. Adding an expression or phrase, such as adding “SAFE” to a set of email headers to attempt to fool a user into thinking it has passed an antispam tool 2. Adding information as part of another attack to manipulate the outcome 3. Suggesting topics via a social engineering conversation to lead a target toward related information the social engineer is looking for

Prepending

is the process of using a made-up scenario to justify why you are approaching an individual. Pretexting is often used as part of impersonation efforts to make the impersonator more believable. An aware target can ask questions or require verification that can help defeat () and impersonation attacks. In many cases, simply making a verification call can defeat such attempts.

Pretexting

Identity fraud, or identity theft, is the use of someone else's identity. Although identity fraud is typically used for financial gain by malicious actors, identity fraud may be used as part of penetration tests or other security efforts as well. In fact, in some cases impersonation, where you act as if you are someone else, can be a limited form of identity fraud. In other cases, impersonation is less specific, and the social engineer or attacker who uses it may simply pretend to be a delivery driver or an employee of a service provider rather than claiming a specific identity.

In addition to these more direct individual interactions, hoaxes are a common occurrence. Hoaxes, which are intentional falsehoods, come in a variety of forms ranging from virus hoaxes to fake news. Social media plays a large role in many modern hoaxes, and attackers and social engineers may leverage current hoaxes to assist in their social engineering attempts.

A final type of fraud is the use of (), which involve sending fake invoices to organizations in the hopes of receiving payment. () can be either physical or electronic, and they rely on the recipient not checking to see if the invoice is legitimate.

invoice scams

Influence campaigns themselves are not the exclusive domain of cyberwarfare, however. Individuals and organizations conduct influence campaigns to turn public opinion in directions of their choosing. Even advertising campaigns can be considered a form of influence campaign, but in general, most influence campaigns are associated with disinformation campaigns. For the Security+ exam, you should be aware of the tightly coupled roles of influence campaigns and social media as part of hybrid warfare efforts by nation-state actors of all types.

Brute-force attacks, which iterate through passwords until they find one that works. Actual brute-force methods can be more complex than just using a list of passwords and often involve word lists that use common passwords, words specifically picked as likely to be used by the target, and modification rules to help account for complexity rules. Regardless of how elegant or well thought out their input is, brute force in the end is simply a process that involves trying different variations until it succeeds.

attacks are a form of brute-force attack that attempts to use a single password or small set of passwords against many accounts. This approach can be particularly effective if you know that a target uses a specific default password or a set of passwords.

Password spraying

Dictionary attacks are yet another form of brute-force attack that uses a list of words for their attempts. Commonly available brute-force dictionaries exist, and tools like John the Ripper, a popular open source password cracking tool, have word lists (dictionaries) built in. Many penetration testers build their own custom dictionaries as part of their intelligence gathering and reconnaissance processes.

Regardless of the password attack mechanism, an important differentiator between attack methods is whether they occur online, and thus against a live system that may have defenses in place, or if they are offline against a compromised or captured password store. If you can capture hashed passwords from a password store, tools like rainbow tables can be very useful. Rainbow tables are an easily searchable database of precomputed hashes using the same hashing methodology as the captured password file. Thus, if you captured a set of passwords that were hashed using MD5, you could compute or even purchase a full set of passwords for most reasonable password lengths, and then simply look up the hashes of those passwords in the table.

is a one-way cryptographic function that takes an input and generates a unique and repeatable output from that input.

hash

attacks largely fall into two categories. Penetration testers (and potentially attackers) may drop drives in locations where they are likely to be picked up and plugged in by unwitting victims at their target organization. An additional layer of social engineering is sometimes accomplished by labeling the drives with compelling text that will make them more likely to be plugged in: performance reviews, financial planning, or other key words that will tempt victims.

Malicious flash drive

Forensic tools like ()() (4discovery.com/our-tools/usb-historian) can help identify devices that were plugged into Windows systems, allowing incident responders to learn more about what devices might have been malicious and to look for other systems they may have been connected to.

USB Historian

attacks focus on capturing information from cards like RFID and magnetic stripe cards often used for entry access.

Card cloning

attacks that use hidden or fake readers or social engineering and hand-held readers to capture () cards, and then employ cloning tools to use credit cards and entry access cards for their own purposes.

skimming

Card cloning can be difficult to detect if the cards do not have additional built-in protection such as cryptographic certificates and smart chips that make them hard to clone. Magnetic stripe and RFID-based cards that can be easily cloned can often be detected only by visual inspection to verify that they are not the original card.

ensures that the supply chain for classified and unclassified integrated circuits, devices, and other critical elements are secure and that manufacturers stay in business and are protected appropriately to ensure that trusted devices remain trusted.

The Trusted Foundry program

There are seven key principles for social engineering. The Security+ exam outline focuses on seven key social engineering principles. Authority relies on the victim believing that the person has a reason to be in charge or in a position of power. Intimidation relies on bullying or scaring the target into doing what is desired. Consensus builds on the trust that individuals have in others and what they think others are doing or believe. Scarcity leverages human reactions to limited supply. Familiarity uses what you expect and what you are used to against you. Trust is built and then used against the target. Urgency, the final item, makes what the social engineer expresses seem as if it is needed immediately.

programs play a crucial role in identifying, prioritizing, and remediating vulnerabilities in our environments

Vulnerability management

Cybersecurity professionals depend on automation to help them perform their duties in an efficient, effective manner. Vulnerability scanning tools allow the automated scheduling of scans to take the burden off administrators. Figure 5.2 shows an example of how these scans might be configured in Tenable's Nessus product. Nessus was one of the first vulnerability scanners on the market and remains widely used today. Administrators may designate a schedule that meets their security, compliance, and business requirements.

The organization's ______ _____________ is its willingness to tolerate risk within the environment. If an organization is extremely risk averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.

Risk appetite

Many different factors influence how often an organization decides to conduct vulnerability scans against its systems: The organization's risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan. Regulatory requirements, such as those imposed by the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA), may dictate a minimum frequency for vulnerability scans. These requirements may also come from corporate policies.

Comprehensive vulnerability management programs provide the ability to conduct scans from a variety of scan perspectives. Each scan perspective conducts the scan from a different location on the network, providing a different view into vulnerabilities. For example, an external scan is run from the Internet, giving administrators a view of what an attacker located outside the organization would see as potential vulnerabilities. Internal scans might run from a scanner on the general corporate network, providing the view that a malicious insider might encounter. Finally, scanners located inside the datacenter and agents located on the servers offer the most accurate view of the real state of the server by showing vulnerabilities that might be blocked by other security controls on the network. Controls that might affect scan results include the following: Firewall settings Network segmentation Intrusion detection systems (IDSs) Intrusion prevention systems (IPSs)

The internal and external scans required by PCI DSS are a good example of scans performed from different perspectives. The organization may conduct its own internal scans but must supplement them with external scans conducted by an approved scanning vendor.

The Security Content Automation Protocol (SCAP) is an effort by the security community, led by the National Institute of Standards and Technology (NIST), to create a standardized approach for communicating security-related information. This standardization is important to the automation of interactions between security components. The SCAP standards include the following: Common Configuration Enumeration (CCE) Provides a standard nomenclature for discussing system configuration issues Common Platform Enumeration (CPE) Provides a standard nomenclature for describing product names and versions Common Vulnerabilities and Exposures (CVE) Provides a standard nomenclature for describing security-related software flaws Common Vulnerability Scoring System (CVSS) Provides a standardized approach for measuring and describing the severity of security-related software flaws Extensible Configuration Checklist Description Format (XCCDF) A language for specifying checklists and reporting checklist results Open Vulnerability and Assessment Language (OVAL) A language for specifying low-level testing procedures used by checklists

are often leveraged for preventive scanning and testing and are also found in penetration testers toolkits where they help identify systems that testers can exploit. This fact also means they're a favorite tool of attackers!

vulnerability scanners

etwork vulnerability scanners are capable of probing a wide range of network-connected devices for known vulnerabilities. They reach out to any systems connected to the network, attempt to determine the type of device and its configuration, and then launch targeted tests designed to detect the presence of any known vulnerabilities on those devices.

The following tools are examples of network vulnerability scanners: Tenable's Nessus is a well-known and widely respected network vulnerability scanning product that was one of the earliest products in this field. Qualys's vulnerability scanner is a more recently developed commercial network vulnerability scanner that offers a unique deployment model using a software-as-a-service (SaaS) management console to run scans using appliances located both in on-premises datacenters and in the cloud. Rapid7's Nexpose is another commercial vulnerability management system that offers capabilities similar to those of Nessus and Qualys. The open source OpenVAS offers a free alternative to commercial vulnerability scanners. These are four of the most commonly used network vulnerability scanners. Many other products are on the market today, and every mature organization should have at least one scanner in their toolkit. Many organizations choose to deploy two different vulnerability scanning products in the same environment as a defense-in-depth control.

Application scanning tools are commonly used as part of the software development process. These tools analyze custom-developed software to identify common security vulnerabilities. Application testing occurs using three techniques: Static testing analyzes code without executing it. This approach points developers directly at vulnerabilities and often provides specific remediation suggestions. Dynamic testing executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities. Interactive testing combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces. Application testing should be an integral part of the software development process. Many organizations introduce testing requirements into the software release process, requiring clean tests before releasing code into production.

Web application scanners are specialized tools used to examine the security of web applications. These tools test for web-specific vulnerabilities, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) vulnerabilities. They work by combining traditional network scans of web servers with detailed probing of web applications using such techniques as sending known malicious input sequences and fuzzing in attempts to break the application. Nikto is a popular web application scanning tool. It is an open source tool that is freely available for anyone to use. As shown in Figure 5.10, it uses a command-line interface and is somewhat difficult to use. Another open source tool available for web application scanning is Arachni. This tool, shown in Figure 5.11, is a packaged scanner available for Windows, macOS, and Linux operating systems. Most organizations do use web application scanners, but they choose to use commercial products that offer advanced capabilities and user-friendly interfaces. Although there are dedicated web application scanners, such as Acunetix, on the market, many firms use the web application scanning capabilities of traditional network vulnerability scanners, such as Nessus, Qualys, and Nexpose.