Security+ 1 Flashcards
Technical controls: smart cards, ACLs, encryption, network authentication, etc.
Administrative controls: policies and procedures, security awareness training, DRPs, contingency planning, etc. These can also be broken down into two subsections: procedural controls and legal/regulatory controls.
Technical/Administrative Controls
Blue Hat Hacker : These are individuals who are asked to attempt to hack into a system by an organization, but the organization does not employ them. The organization relies on the fact that the person simply enjoys hacking into systems. Usually, this type of scenario occurs when testing systems.
Green hats (or mercenaries): fix vulnerabilities for a price.
Elite: Elite hackers are the ones who first find out about vulnerabilities. Only 1 out of an estimated 10,000 hackers wears the Elite hat—and I say that figuratively. The credit for their discoveries is usually appropriated by someone else more interested in fame. Many of these types of individuals don’t usually care about “credit due” and are more interested in anonymity—perhaps a wise choice. You do not want to get on an Elite hacker’s bad side; they could crumple most networks and programs within hours if they so desired.
Types of Hackers …
Hacktivist: a combination of the terms hack and activist. As with the term hacker, the term hacktivist is applied to different kinds of activities, from hacking for social change, to hacking to promote political agendas, to full-blown cyber-terrorism. Because the term is ambiguous, a hacktivist could be inside the company or attack from the outside, and will have varying amounts of resources and funding. However, the hacktivist is usually far more competent than a script kiddie.
Hacktivist
Individuals might also carry out cyberattacks for governments and nation states. In this case, a government—and its processes—is known as an advanced persistent threat (APT), though this term can also refer to the set of computer-attacking processes themselves. Often, an APT entity has the highest level of resources, including open-source intelligence (OSINT) and covert sources of intelligence. This, coupled with extreme motivation, makes the APT one of the most dangerous foes.
APTs
Metamorphic: Similar to polymorphic but rewrites itself completely each time it is going to infect a new file in a further attempt to avoid detection.
Multipartite: A hybrid of boot and program viruses that attacks the boot sector or system files first and then attacks the other files on the system.
Macro: Usually placed in documents and e-mailed to users in the hopes that the users will open the document, thus executing the virus.
Armored: Protects itself from antivirus programs by tricking the program into thinking that it is located in a different place from where it actually resides. Essentially, it has a layer of protection that it can use against the person who tries to analyze it; it will thwart attempts by analysts to examine its code.
Viruses
Active interception normally involves a computer placed between the sender and the receiver to capture and possibly modify information. If a person can eavesdrop on your computer's data session, then that data can be stolen, modified, or exploited in other ways. Examples include session theft (session hijacking) and man-in-the-middle (MITM) attacks.
As long as the definitions have been updated, antivirus systems usually locate viruses along with other malware such as worms and Trojans. However, these systems usually do not locate logic bombs, rootkits, and botnet activity.
Another way to help contain viruses is to use what I call "separation of OS and data." This method calls for two hard drives: the operating system is installed to the C: drive, and the data is stored on the D: drive (or whatever letter you use for the second drive). If the OS drive has to be wiped and reinstalled after an infection, the data drive is left intact.
Active Interception Etc …
Typical symptoms of viruses:
Computer runs slower than usual.
Computer locks up frequently or stops responding altogether.
Computer restarts on its own or crashes frequently.
Hard drives, optical drives, and applications are not accessible or don't work properly.
Strange sounds occur.
You receive unusual error messages.
Display or print distortion occurs.
New icons appear or old icons (and applications) disappear.
There is a double extension on a file attached to an e-mail that was opened; for example: .txt.vbs or .txt.exe.
Antivirus programs will not run or can’t be installed.
Files have been corrupted or folders are created automatically.
System Restore capabilities are removed or disabled.
Typical Symptoms of Viruses
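The double-extension symptom above (a .txt.vbs or .txt.exe attachment) is easy to check for at a mail gateway or before opening a download. The following is an added example and is not code from the flashcards or the Security+ book; the executable and data extension lists are a hypothetical policy, and the sample names are constructed. It also catches the common variant where spaces are padded between the two extensions to push the real one out of view.

```python
"""Added example, not from the flashcards: flag attachment names that use a
deceptive double extension (report.txt.vbs, invoice.pdf.exe). The extension
lists below are a hypothetical policy, not part of any standard."""
import re

# Hypothetical policy lists: extensions Windows executes on double-click, and
# extensions a user expects to be harmless data.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1"}
DATA_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
             ".jpg", ".jpeg", ".png", ".gif", ".zip", ".rtf"}


def extension_chain(filename):
    """Lower-cased extension chain of a name with whitespace padding removed:
    'Invoice.PDF      .exe' -> ['.pdf', '.exe']."""
    base = re.split(r"[\\/]", filename)[-1]          # strip any path component
    parts = [p.strip().lower() for p in base.split(".")]
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename):
    """'deceptive'  = data-looking extension immediately before an executable one
    'executable' = plainly executable
    'clean'      = everything else"""
    exts = extension_chain(filename)
    if not exts:
        return "clean"
    if exts[-1] in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DATA_EXTS:
            return "deceptive"
        return "executable"
    return "clean"


def scan_attachments(names):
    """Map each attachment name to its verdict; quarantine anything not 'clean'."""
    return {name: classify_attachment(name) for name in names}


# Constructed sample attachment names (not taken from any real mail stream).
SAMPLE_NAMES = [
    "report.txt.vbs",
    "Invoice.PDF      .exe",
    "photo.jpg.scr",
    "setup.exe",
    "archive.tar.gz",
    "README",
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:10s} {name!r}")
```

Only the last extension decides what Windows runs, so the check looks at the last two entries of the chain rather than simply counting dots; archive.tar.gz is therefore clean while photo.jpg.scr is not.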
General procedures for removing malware:
Identify malware symptoms.
Quarantine infected systems.
Disable System Restore (in Windows).
Remediate infected systems:
Update anti-malware software.
Use scan and removal techniques (for example, Safe Mode and pre-installation environments).
Schedule scans and run updates.
Enable System Restore and create a restore point (in Windows).
Educate end users.
Before making any changes to the computer, make sure that you back up critical data and verify that the latest updates have been installed to the OS and the AV software. Then perform a thorough scan of the system using the AV software’s scan utility; if allowed by the software, run the scan in Safe Mode. Another option is to move the affected drive to a “clean machine,” a computer that is not connected to any network, and is used solely for the purpose of scanning for malware. This can be done by using a USB converter kit or a removable drive system, or by slaving the affected drive to another hard drive port of the other computer. Then, run the AV software on that clean machine to scan that drive. PC repair shops use this isolated clean machine concept.
In rare cases, you might need to delete individual files and remove Registry entries.
General Procedures for Removing Malware
Here are some common symptoms of spyware:
The web browser’s default home page has been modified.
A particular website comes up every time you perform a search.
Excessive pop-up windows appear.
The network adapter’s activity LED blinks frequently when the computer shouldn’t be transmitting data.
The firewall and antivirus programs turn off automatically.
New programs, icons, and favorites appear.
Odd problems occur within windows (slow system, applications behaving strangely, and such).
The Java console appears randomly.
To troubleshoot and repair systems infected with spyware, first disconnect the system from the Internet (or simply from the local area network). Then, try uninstalling the program from the Control Panel or Settings area of the operating system. Some of the less malicious spyware programs can be fully uninstalled without any residual damage. Be sure to reboot the computer afterward and verify that the spyware was actually uninstalled! Next, scan your system with the AV software to remove any viruses that might have infested the system, which might get in the way of a successful spyware removal. Again, in Windows, do this in the recovery environment (for example, Safe Mode) if the AV software offers that option.
Next, scan the computer with the anti-spyware software of your choice in an attempt to quarantine and remove the spyware. You can use other programs to remove malware, but be careful with these programs because you will probably need to modify the Registry. Remove only that which is part of the infection.
Finally, you need to make sure that the malware will not re-emerge on your system. To do this, check your home page setting in your browser, verify that your HOSTS file hasn’t been hijacked (located in C:\WINDOWS\system32\drivers\etc), and make sure that unwanted websites haven’t been added to the Trusted Sites within the browser.
Spyware etc …
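The last step of the spyware cleanup, verifying that the HOSTS file has not been hijacked, is worth scripting so that nothing is missed in a long file. The following is an added example and not code from the flashcards or the Security+ book; the watch-list of domains and the sample HOSTS file are constructed for illustration. It flags the two tricks spyware actually uses in that file: sinkholing AV and update vendors so they cannot be reached, and redirecting popular sites to an attacker-controlled address.

```python
"""Added example, not from the flashcards: audit a Windows HOSTS file for
spyware-style hijacking. The watch-list and sample file are constructed."""
import ipaddress

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Hypothetical watch-list: search engines and AV/update vendors that spyware
# commonly sinkholes (127.0.0.1 / 0.0.0.0) or redirects.
WATCHED_DOMAINS = {
    "www.google.com", "www.bing.com",
    "update.microsoft.com", "liveupdate.symantec.com", "update.mcafee.com",
}
# Names that legitimately resolve to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, ip_text, [hostnames]) for every non-comment entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                       # an address with no names
            continue
        entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def audit_hosts(text):
    """Return a list of (line_no, reason, 'name -> ip') findings."""
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, "unparseable address", ip_text))
            continue
        # 0.0.0.0 is not loopback, but it is the other common way to sinkhole a name.
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in LOOPBACK_NAMES:
                if not addr.is_loopback:
                    findings.append((line_no, "localhost redirected", f"{name} -> {ip_text}"))
            elif name in WATCHED_DOMAINS:
                reason = "watched domain sinkholed" if sinkholed else "watched domain redirected"
                findings.append((line_no, reason, f"{name} -> {ip_text}"))
            elif not sinkholed:
                # Any other name forced to a real address is a manual override worth a look.
                findings.append((line_no, "non-loopback override", f"{name} -> {ip_text}"))
    return findings


def audit_hosts_file(path=HOSTS_PATH):
    """Audit the live HOSTS file; run from the recovery environment if possible."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample HOSTS file showing a typical spyware edit.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "127.0.0.1       localhost",
    "::1             localhost",
    "0.0.0.0         liveupdate.symantec.com",
    "127.0.0.1       update.microsoft.com   # keep AV from updating",
    "198.51.100.23   www.google.com",
    "10.0.0.5        intranet.example.internal",
])

if __name__ == "__main__":
    for line_no, reason, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {detail}")
```

On a clean Windows install the file contains only comments, so any active entry deserves a look; the non-loopback override finding will also fire on legitimate intranet entries, which is why it is reported separately from the watched-domain findings.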
The best way to identify a rootkit is to use removable media (a USB flash drive or a special rescue disc) to boot the computer. This way, the installed operating system is not running, and therefore the rootkit is not running either, which makes it much easier for the tools on the external media to detect. Sometimes rootkits hide in the MBR (such rootkits are often called bootkits). Operating system manufacturers often recommend scrubbing the MBR (rewriting it, for example, from System Recovery Options or another recovery environment) and then scanning with antivirus software; whether this is enough depends on the type of rootkit. Using GPT in lieu of a legacy MBR helps to discourage boot-sector rootkits, particularly when combined with UEFI Secure Boot, which verifies the boot loader's signature before it runs. I suggest using GPT whenever possible. The most reliable way to combat a rootkit is to reinstall the OS from known-good media.
Rootkits Etc …
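When the recommendation is to scrub the MBR and scan, the practical offline check from rescue media is to read the first sector of the disk and compare its boot code against a known-good copy, since a bootkit must change those 446 bytes to gain control before the OS. The following is an added example and not code from the flashcards or the Security+ book. The MBR image, the partition table and the baseline hash are all constructed inside the block; on a real system the baseline would come from a known-good installation image or the same disk before the incident.

```python
"""Added example, not from the flashcards: parse a legacy 512-byte MBR and
compare its boot code against a known-good hash, the offline check one would
run from rescue media. The MBR image, partition table and baseline hash are
constructed here; in practice the baseline comes from a known-good image."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE_OFF = 510            # 0x55 0xAA at the end of the sector
PART_ENTRY_FMT = "<B3xB3xII"   # status, (CHS skipped), type, (CHS skipped), LBA start, sector count


def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only, so partition edits do not alter it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(mbr):
    """Return signature status, boot-code hash and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature = struct.unpack_from("<H", mbr, SIGNATURE_OFF)[0]
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                               # type 0 = unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"signature_ok": signature == 0xAA55,
            "boot_code_sha256": boot_code_hash(mbr),
            "partitions": partitions}


def check_mbr(mbr, known_good_boot_hash):
    """Return human-readable findings; an empty list means nothing suspicious."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def build_mbr(boot_code, partitions):
    """Assemble an MBR image from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    img = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for i in range(4):
        img += struct.pack(PART_ENTRY_FMT, *partitions[i]) if i < len(partitions) else bytes(16)
    img += b"\x55\xAA"
    return bytes(img)


# Constructed sample: a few plausible boot-code bytes and one bootable NTFS partition.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
KNOWN_GOOD_BOOT_HASH = boot_code_hash(CLEAN_MBR)     # in practice: from a known-good image

# Constructed "bootkit" modification: the first instruction becomes a jump
# elsewhere; the partition table is left untouched so the system still boots.
TAMPERED_MBR = b"\xe9\x7d\x01" + CLEAN_MBR[3:]

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(image, KNOWN_GOOD_BOOT_HASH) or "ok")
```

From rescue media the 512 bytes come from the raw device (for example the first sector of /dev/sda on a Linux live image, or \\.\PhysicalDrive0 from Windows PE), never from the possibly compromised installed OS. A GPT disk still carries a protective MBR at sector 0, so the same parser will show a single partition of type 0xEE there; the real GPT partition array starts at the next sector.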