Security Flashcards
CIA triad
Confidentiality like encryption
Integrity like hashing
Availability like uptime or redundancy
Non-compliant System
System that is not compliant with the configuration baseline of what is approved by the organization
Configuration baseline
set of recommendations for deploying a computer in a hardened configuration
Unprotected System
system not protected by any antivirus or firewall
Unpatched System
system without patches or updates applied even though they are available
What are some Windows releases that are EOL as of 2023?
Windows XP
Windows Vista
Windows 7
Bring Your Own Device (BYOD)
Use of personal devices in an office environment
Zero-day Exploit
unknown exploit that exposes previously unknown vulnerabilities
Denial of Service (DOS)
attack that attempts to make a computer or server’s resources unavailable
Flood Attack
type of DoS that attempts to send more packets to a server or host than it can handle
Ping Flood
Flood attack that happens when too many pings (ICMP echo) are being sent
SYN Flood
Attacker initiates multiple TCP sessions but never completes the three-way handshake
Permanent Denial of Service (PDoS)
attack that exploits a security flaw to permanently break a networking device by reflashing its firmware
Fork Bomb
attack that creates a large number of processes to use up the available processing power of a computer. It is not considered a “worm” because it does not infect the programs.
Distributed Denial of Service (DDoS)
uses lots of machines to attack a server to create a DoS
DNS Amplification
the attacker typically uses a botnet or a group of compromised computers to send a large number of DNS queries to open DNS resolvers. The source IP address of these queries is spoofed on the hackers machine to make it look like they are coming from the victim’s IP address. When the open DNS resolvers respond to these queries, the response is sent to the spoofed source IP address, which is the victim’s IP address. Because the response is typically much larger than the original query, this can overwhelm the victim’s network and cause a denial of service.
Blackhole/Sinkhole
identifies attacking IP addresses and routes them to a non-existent server through the null interface
Spoofing
occurs when an attacker masquerades as another person by falsifying their identity
ARP Spoofing/”Poisoning”
sending fake ARP messages to a local netowkr in order to associate a fake MAC address with a legitimate IP address, thereby intercepting network traffic intended for the legitimate device.
On-Path Attack
occurs when an attacker puts themself between the victim and the intended destination
Replay
occurs when valid data is captured by the attacker and is then repeated immediately, or delayed, and then repeated. an example is capturing someone’s log-in credentials and storing it, and then logging into their account later on in the day.
Relay attack
when the attacker inserts themself in between the two hosts and intercepts legitimate communication but relaying the information to a C2 or 3rd party.
SSL Stripping
when an attacker tricks the encryption application into presenting the user with an HTTP connection instead of an HTTPS connection
Downgrade Attack
when an attacker attempts to have a client or server abandon a higher security mode in favor of a lower security mode by intercepting the communication between two systems that are negotiating the protocol version to be used, and then modifying the negotiation messages to suggest an older and less secure protocol version.
SQL injection
attack consisting of the insertion or injection of an SQL query via input data from the client to a web application
Injection Attack
insertion of additional information or code through data input from a client to an application. Common types are SQL, HTML, XML, LDAP
Cross-Site Scripting (XSS)
when an attacker embeds malicious scripting commands on a trusted website
Stored/Persistent - XSS attack
attacker injects malicious code into a web application that is then stored on the server and served to all users who access the page. Like adding a comment with XSS injection of a JS alert that whenever someone else loads the page, it shows them that alert. Blind XSS is the same but you cannot see it, like adding XSS into a private report comment to an admin.
Reflected - XSS attack
when an attacker injects malicious code into a website that is then reflected back to the user in a dynamic response, such as a search query or a form submission. The victim’s browser then executes the malicious code, allowing the attacker to steal sensitive information or perform other malicious actions on behalf of the victim.
Document Object Model (DOM) - XSS attack
attempt to exploit the victim’s web browser
How to prevent SQL injections?
ensure your website has data validation and sanitizing user inputs
How to prevent XSS attacks?
with output encoding and proper input validation
Cross-Site Request Forgery (XSRF/CSRF)
when an attacker tricks a user into performing an action on a website that they did not intend to perform while they are already authenticated on the website. An example is an attacker sending a malicious link that when clicked, will have the victim go to their online banking app and transfer funds to the attackers account.
How to prevent XSRF/CSRF?
with tokens, encryption, XML file scanning, and cookie verification
Password Analysis Tool
Used to test the strength of passwords to ensure password policies are being followed
Password Cracker
uses comparative analysis to break passwords and systematically continues guessing until the password is determined
What are the different types of password cracking methods?
password guessing, dictionary attack, brute-force attack, cryptanalysis attack
Password Guessing
occurs when a weak password is simply figured out by a person
Dictionary Attack
method where a program attempts to guess the password by using a list of possible passwords
Brute-Force Attack
method where a program attempts to try every possible combination until it cracks the password
Cryptanalysis Attack
comparing a precomputed encrypted password to a value in a lookup table. Example is a rainbow attack - breaching the target machines password storage of hashes, and using a rainbow table to compare.
Insider Threat
An employee or other trusted insider who uses their authorized network access in unauthorized ways to harm the company
Logic Bomb
specific type of malware that is tied to either a logical event or a specific time
Boot sector - Virus
virus that is stored in the first sector of a hard drive and is loaded into memory upon boot. Only targets MBR and is installed via removable media
Macro - Virus
virus embedded into a document and is executed when the document is opened by the user
Program - Virus
seeks out executables or application files to infect
Multipartite - Virus
combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer
Encryption - Virus
uses a cipher to encrypt its contents to avoid any antivirus software
Polymorphic - Virus
will encrypt its own code in a unique way so that is appears different each time it infects a new file or system in order to evade antivirus software
Metamorphic - Virus
has the ability to rewrite itself entirely before attempting to infect a file
Armored - Virus
has a layer of protection to confuse a program or a person who’s trying to analyze it
Hoax Viruses
tries to trick a user to infect its own machine
Worm
malicious software that can replicate itself without any user interaction
Trojan
a piece of malicious software that is disguised as a piece of harmless or desirable software
Remote Access Trojan (RAT)
provides the attacker with remote control of a victim computer
Stealth Viruses
a category for any virus protecting itself
Virus
malicious code that runs on a machine without the user’s knowledge and infects the computer when executed
Ransomware
malware that restricts access to a victim’s computer system until a ransom is received
Spyware
malware that secretly gather information about the user without their consent
Adware
displays advertisements based on your activity. falls into the category of spyware
Grayware
software that isn’t benign nor malicious and tends to behave improperly without serious consequences
Rootkit
software designed to gain administrative level control over a system without detection. commonly installed thru a DLL injection or shim
DLL injection
malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime
Driver Manipulation
attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level
Botnet
a collection of compromised computers under the control of a master node
7 steps of removing malware
- Identify the symptoms of a malware infection
- Quarantine/isolate the infected systems
- Disable System Restore
- Remediate the infected system
- Schedule automatic updates and scans
- Enable System Restore and create a new restore point
- Provide end user security awareness training
Phishing
a social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source to lure the victim into divulging sensitive information
Spearphishing
uses the same technology and techniques but is a more targeted version of phishing
Whaling - Phishing
focused on key executives within an organization or other key leaders, executives, and managers in the company
Vishing
Occurs when the message is being communicated to the target using the voice functions of a telephone
Business Email Compromise (BEC)
occurs when an attacker takes over a high-level executive’s email account and orders employees to conduct tasks
Pharming
tricks users into divulging private information by redirecting a victim to a website controlled by the attacker or penetration tester
Tailgating
when an attacker attempts to enter a secure portion of a building by following an authorized person into that area, without their knowledge
Piggybacking
Similar to tailgating, but happens with the knowledge or consent of the employee
Shoulder Surfing
using direct observation to obtain info from an employee
Dumpster Diving
actually looking in garbage or recycling bins for personal or confidential information
Evil Twin
a fraudulent Wi-Fi access point or web server that appears to be legitimate but is set up to eavesdrop on wireless communications
Karma Attack
exploits the behavior of Wi-Fi devices due to a lack of access point authentication protocols being implemented
Preferred Network List (PNL)
a list of the SSIDs of any access points the device has previously connected to and will automatically connect to when those networks are in range
Captive Portal
a web page that the user of a public-access network is obligated to view and interact with before access is granted (sign in with google to access wifi)
Personal Firewall
software application that protects a single computer form unwanted internet traffic
Clean Desk Policy
by the end of the day, employees clean their desks and leave nothing out that may be takes as a password or a PIN
Physical Controls
implemented to increase physical security posture
Logical Controls
implemented through hardware or software to prevent or restrict access
Managerial Controls
implemented to manage the organization’s personnel and assets
Principle of Least Privilege
uses the lowest level of permissions needed to complete a job function
Discretionary Access Control (DAC)
access control method where access is determined by the owner of the resource
Mandatory Access Control (MAC)
access control policy where the computer system and administrator decides who gets access
Role-based Access Control (RBAC)
access method that is combined by the system that focuses on a set of permissions versus an individual’s permissions. Based on roles such as a loan processor group who is allowed to view and modify certain documents.
Power User
user who is not a normal user and also not a normal administrator
Zero-Trust
security framework that requires the users to be authenticated, authorized, and validated
Time-Based One-Time Password (TOTP)
generated by combining a secret key, known only to the user and the authentication system, with the current time. The result is a unique, one-time code that is valid for only a short period of time, typically 30 seconds
HMAC-Based One-Time Password (HOTP)
2FA authentication mechanism that generates a one-time password based on a secret key and a counter value.
In-Band Authentication
relies on an identity signal from the same system requesting the user authentication
Out-of-Band Authentication
uses a separate communication channel to send the OTP or PIN
Enterprise Mobility Management (EMM)
enables centralized management and control of corporate mobile devices. manages not only mobile devices, but also applications, content, and data in an enterprise environment.
Remote Wipe
used to send remote commands to a mobile device from a MDM solution to delete its data settings
Active Directory (AD)
allows to get information from the network about all of your systems, users, and computers
Security Group
allows to easily assign permissions to a set of users or workstations
Organizational Unit (OU)
way of dividing the domain into different administrative realms
Folder Redirection
allows to change the target of a personal folder
Pre-Shared Key
same encryption key is used by the access point and the client. Only used in symmetric encryption algorithms
Wired Equivalent Privacy (WEP)
original 802.11 wireless security standard that claims to be as secure as a wired network. Uses IV
Wi-Fi Protected Access (WPA)
replacement for WEP, which uses TKIP, Message Integrity Check (MIC), and RC4 encryption
Wi-Fi Protected Access version 2 (WPA2)
802.11i standard to provide better wireless security featuring AES with a 128-bit key, CCMP, and integrity checking
Wi-Fi Protected Setup (WPS)
automated encryption setup for wireless networks at a push of a button, but is severely flawed and vulnerable. Always disable it
Wi-Fi Protected Access 3 (WPA3)
Latest and most secure version of wireless network encryption currently available. 192-bit or 128-bit key. Uses AES with GCMP
Simultaneous Authentication of Equals (SAE)
a secure password-based authentication and password authenticated key agreement that relies on forward secrecy
Forward Secrecy
assures the session keys will not be compromised even if the long-term secrets used in the session key exchange have been compromised. Generates a new session key for each connection.
Remote Authentication Dial-In User Service (RADIUS)
cross-platform protocol that authenticates and authorizes users to services, and accounts for their usage
Terminal Access Controller Access Control System Plus (TACACS+)
Cisco-proprietary protocol that provides separate authentication, authorization, and accounting services
Diameter
peer-to-peer (meaning Diameter node can communicate with each-other without a central controller) protocol created as a next-generation version of RADIUS
Lightweight Directory Access Protocol (LDAP)
cross-platform protocol that centralizes info about clients and objects on the network
Single Sign-On (SSO)
enables users to authenticate once and receive authorizations for multiple services across the network. In an Active Directory environment, Kerberos is used as the authentication protocol for SSO.
Kerberos
uses symmetric encryption and the Key Distribution Center to conduct authentication and authorization functions
What are the steps for Kerberos authentication?
- The user sends a request to the Authentication Server (AS) for a Ticket-Granting Ticket (TGT).
- The AS verifies the user’s identity and sends back a TGT encrypted with a secret key shared between the client and the Kerberos server.
- The user sends a request to the Ticket-Granting Server (TGS) with the TGT for a service ticket for a specific resource.
- The TGS verifies the TGT’s authenticity and checks the user’s authorization to access the requested resource.
5 If the TGT is valid and the user is authorized, the TGS creates a service ticket encrypted with a secret key shared between the TGS and the resource server and sends it back to the user. - The user sends the service ticket to the resource server.
- The resource server verifies the service ticket by decrypting it with its secret key, and grants access to the requested resource if the ticket is valid.
802.1x framework
used for port-based authentication on both wired and wireless networks. uses RADIUS or TACACS+
Extensible Authentication Protocol (EAP) and what are the different types?
allows for numerous different mechanisms of authentication. EAP-MD5, EAP-TLS, EAP-TTLS, EAP-FAST, PEAP.
EAP-MD5
utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication
EAP-TLS
during authentication, the client and server exchange digital certificates without the need for a username and password but instead the client needs to provide a private key that matches the public key in the digital certificate. TLS is used to establish a secure channel before authentication.
EAP-TTLS
requires a digital certificate on the server and a password on the client for its authentication. TLS tunnel is established before username and password are provided to prevent eavesdropping.
EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
uses certificates, credentials, and a TLS tunnel to encrypt traffic between client and server. first client and server exchange credentials, then a TLS tunnel is established, then the client provides credentials and is authenticated. the TLS tunnel remains until the end of the connection.
Protected EAP (PEAP)
uses server certificates and Microsoft’s Active Directory databases to authenticate a client’s password. also sets up a TLS tunnel for encryption. first establishes a TLS tunnel, then the client verifies the server certificate, then the client gives username and password.
Lightweight EAP (LEAP)
a proprietary protocol that only works on Cisco-based devices
Corporate Owned/Business Only (COBO) - Devices
purchased by the company and only used by the employee for work-related purposes
Corporate Owned/Personally Enabled (COPE) - Devices
company provides a device used for work and/or personal use by employees
Choose Your Own Device (CYOD)
allows employees to choose a device from an approved list of vendors or devices
Storage Segmentation - Devices
creates a clear separation between work and personal data on a device into separate partitions.
Mobile Device Hardening
- Update your device to the latest software
- Install Antivirus
- Train users on proper security and use of their device
- Only install apps from the official app stores
- Do not jailbreak or root your device
- Only use version 2 SIM cards for your devices
- Turn off all unnecessary features on your device
- Turn on encryption for voice and data
- Use strong passwords or biometrics
- Don’t allow BYOD
What are some vulnerabilities of IoT devices?
- Insecure Defaults
- Hard-coded configurations
- Cleartext communication
- Data leakage
Local Sign-in
uses Local Security Authority (LSA) to compare the submitted credentials to the SAM database
Network Sign-in
uses Kerberos to perform network authentication
Remote Sign-in
allows users to access the local network by using a VPN or a web portal (SSL/TLS)
Account Management
set of policies that determine what rights and privileges each user has on a given computer or network
What are some encryption methods for data in motion?
TLS or SSL, IPSec or L2TP, WPA2 with AES
What are some encryption methods for data at rest?
Full disk encryption, folder encryption, file encryption, database encryption
Degaussing - data destruction
exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive
Purging (Sanitizing) - data destruction
act of removing data in such a way that it cannot be reconstructed using any know forensic techniques. Typically involves overwriting the entire drive with zeros multiple times.
Erasing or Wiping data - data destruction
the process of destroying old data by writing over the location on the hard drive or solid state device with new data
Low-level Format - data destruction
procedure provided by the manufacturer which will reset the data back to its factory condition
Self-Encrypting Drive - data destruction
a particular type of hardware that will encrypt the entire disk. getting rid of the key after.
Incident Response
a set of procedures an investigator follows when examining a computer security incident
Incident Management Program
consists of monitoring and detection of security events on a computer network and the use of proper responses to those security events
Chain of Custody
the record of evidence history from collection to court presentation and disposal
Faraday Bag
shields devices from outside signals to prevent data from being altered, deleted, or added to a new device.
Legal Hold
preserves all relevant information when litigation is reasonably expected to occur
.bat file
text-based file containing Windows commands and is interpreted from the command line environment
.ps1 file
used within windows inside the PowerShell environment. more complex scripts than a batch file
.vbs file
scripting language based on the Visual Basic programming language
.sh file
bash script used within linux
.py file
python language file used in Windows, Linux, and Mac
Pseudocode
generic language used to teach new learners how to program a computer
.js file
JavaScript used for automations in webpages and macOS systems
What is a dropper?
type of malware that is designed to deliver and install other malicious programs. Stage 1 dropper, delivers the Stage 2 payload.
