Udemy Sections 1-3: Overview, Malware, and Malware Infections Flashcards

1
Q

The act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, corruption, and destruction

A

Information security

2
Q

The act of protecting the systems that hold and process critical data

A

Information systems security

3
Q

CIA stands for

A

Confidentiality, Integrity, Availability

4
Q

Information has not been disclosed to unauthorized people

A

Confidentiality

5
Q

Information has not been modified or altered w/out proper authorization

A

Integrity

6
Q

Information is able to be stored, accessed, or protected at all times

A

Availability

7
Q

When a person’s identity is established w/ proof and confirmed by a system

A

Authentication

8
Q

AAA stands for

A

Authentication, Authorization, Accounting

9
Q

5 methods of authentication

A

Something you know
Something you have
Something you are
Something you do
Somewhere you are

10
Q

Occurs when a user is given access to a certain piece of data or certain areas of a building

A

Authorization

11
Q

Tracking of data, computer usage, and network resources

A

Accounting

12
Q

The most cost effective security control to use

A

User training

13
Q

Hackers who find and exploit vulnerabilities before anyone else does

A

Elite hackers

14
Q

Hackers with little to no skill who only use the tools and exploits written by others

A

Script kiddies

15
Q

Hackers who are driven by a cause like social change, political agendas, or terrorism

A

Hacktivists

16
Q

Hackers who are a part of a crime group that is well-funded and highly sophisticated

A

Organized crime

17
Q

Highly trained and funded groups of hackers (often by nation states) w/ covert and open-source intelligence at their disposal

A

APT (Advanced Persistent Threats)

18
Q

Property of an intelligence source that ensures it is up-to-date

A

Timeliness

19
Q

Property of an intelligence source that ensures it matches the use cases intended for it

A

Relevancy

20
Q

Property of an intelligence source that ensures it produces effective results

A

Accuracy

21
Q

Property of an intelligence source that ensures it produces qualified statements about reliability

A

Confidence levels

22
Q

Threat intelligence that comes as a commercial service offering, where access to updates and research is subject to a subscription fee

A

Proprietary

23
Q

Data that is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized

A

Closed-source

24
Q

Data that is available to use w/out a subscription, which may include threat feeds similar to the commercial providers, and may contain reputation lists and malware signature databases

A

Open-source

25
Knowledge you can write down, see, feel, and touch
Explicit
26
Knowledge gained from experience
Implicit knowledge
27
A proactive cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring
Threat hunting
28
What must you assume when threat hunting?
That the existing rules you've put in place to prevent compromise have failed.
29
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion
Kill chain
30
The 7 linear steps of the kill chain
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
C2 (command and control)
Actions on objectives
31
The kill chain step in which the attacker determines what methods to use to complete the phases of the attack
Reconnaissance
32
The kill chain step in which the attacker couples payload code that will enable access w/ exploit code that will use a vulnerability to execute on the target system. The attacker is merely writing the code; it has not yet been delivered or executed.
Weaponization
33
The kill chain step in which the attacker identifies a vector by which to transmit the weaponized code to the target environment
Delivery
34
The kill chain step in which the weaponized code is executed on the target system
Exploitation
35
The kill chain step in which the mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system
Installation
36
The kill chain step in which the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
C2 (command and control)
37
The kill chain step in which the attacker typically uses the access they've achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
Actions on objectives
38
A method used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage
Kill chain analysis
39
A free, open-source knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures
MITRE ATT&CK Framework
40
A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.
Diamond model of intrusion analysis
41
The 4 core features of the Diamond model of intrusion analysis
Adversary
Capability
Infrastructure
Victim
42
Software designed to infiltrate a computer system and possibly damage it without the user's knowledge or consent
Malware
43
Malicious code that runs on a machine w/out the user's knowledge and infects the computer when executed. Requires a user action to reproduce and spread.
Virus
44
A type of virus stored in the first sector of a hard drive and loaded into memory upon boot up. Difficult to detect because it is installed BEFORE the OS boots up. Requires an antivirus that specifically looks for this type of virus.
Boot sector virus
45
Virus embedded into a document and is executed when the document is opened by the user
Macro
46
A type of virus that infects an executable or application
Program virus
47
A virus that combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer. This gives the virus persistence; if you are able to delete the program virus portion, the boot sector portion reinstalls it.
Multipartite virus
48
An advanced version of an encrypted virus that changes its code every time it's executed by altering the decryption module to avoid detection
Polymorphic virus
49
A virus that encrypts its code to avoid detection
Encrypted virus
50
A virus that is able to rewrite itself entirely before it attempts to infect a file. An advanced version of a polymorphic virus.
Metamorphic virus
51
A type of virus that uses techniques to avoid detection by antivirus software.
Stealth virus
52
A type of virus that has a layer of protection to confuse a program or a person analyzing it.
Armored virus
53
A form of social engineering when a website or scam caller claims that you have a virus, and gives you a number to call or program to install in order to get rid of it.
Hoax virus
54
Malicious software that is able to replicate itself without user interaction
Worm
55
Malicious software disguised as a piece of harmless or desirable software. It performs the desired function, but also a secret malicious function.
Trojan horse
56
A Trojan that provides the attacker with remote control of a victim computer and is the most commonly used type of trojan
RAT (Remote Access Trojan)
57
Malware that restricts access to a victim's computer or files until a ransom is received
Ransomware
58
Malware that secretly gathers info about the user w/out their consent
Spyware
59
A type of spyware that captures keystrokes made by the victim and takes screenshots that are sent to the attacker
Keylogger
60
A type of spyware that displays advertisements based upon its spying on you
Adware
61
Software that is neither benign nor malicious and tends to behave improperly without serious consequences. For example, it can make the cursor jump to random places on the screen or turn the screen upside-down. It can be used as a prank.
Grayware
62
Malicious code inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime. This keeps the computer from recognizing that malicious code has been installed. It works by using a shim between the OS and the DLL; the shim redirects the calls between them through the malicious code embedded in it.
DLL injection
63
Software designed to gain administrative level control over a system without detection
Rootkit
64
The method commonly used by rootkits to maintain their persistent control
DLL injection
65
An attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level
Driver manipulation
66
A piece of software code that is placed between two components to intercept calls and redirect them. This is used by both DLL injection and driver manipulation.
Shim
67
Rootkits are known for using which two methods?
DLL injection and driver manipulation
68
What is the best way to detect a rootkit?
Boot from an external device and scan the internal hard drive
69
Activity that abuses electronic messaging systems, most commonly through email
Spam
70
Why can't we just block spammers' email servers?
Spammers exploit reputable companies' open mail relays to send their messages.
71
A function of an email server that allows the server to send mail on the behalf of other organizations.
Open mail relay
72
A governmental act made to put a stop to spammers exploiting companies' open mail relays
CAN-SPAM
73
Code that infects a computer when a file is opened or executed
Virus
74
Method used by an attacker to access a victim's machine
Threat vector
75
Method used by an attacker to gain access to a computer in order to infect it with malware
Attack vector
76
Difference between threat vector and attack vector?
Threat vector is how to get to the machine itself. Attack vector includes both how to gain access to the machine and how to infect it.
77
Malware placed on a website that you know your potential victims will access as part of routine activities
Watering hole
78
Registering a domain name as a misspelled version of a well-known domain, hoping that a victim will type the URL incorrectly to access the attacker's site.
Typosquatting
79
A collection of compromised computers under the control of a master node
Botnet
80
Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them
Active interception
81
Occurs when an attacker is able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn't able to access
Privilege escalation
82
Used to bypass normal security and authentication functions
Backdoor
83
A type of malware that works like a backdoor (maintaining persistent access)
RAT (Remote Access Trojan)
84
Non-malicious code that when invoked, displays an insider joke, hidden message, or secret feature
Easter egg
85
If Easter eggs are harmless, why are they dangerous?
Easter eggs are usually put in at the last second. They are additional code that has not gone through the rigorous testing and security practices.
86
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met
Logic bomb
87
T/F: Logic bombs, easter eggs, and backdoors are all against security best practices and should not be found in your code.
True
88
Symptoms of infection
Strange behavior
Hard drives, files, or apps not accessible
Strange noises
Unusual error messages
Display looks strange
Jumbled printouts
New or disappearing icons on desktop
Double file extensions
Antivirus won't run
New files or folders
Corrupted/missing files or folders
System Restore will not function
89
First action to take if you suspect your computer is infected
Scan with antimalware
90
What should you do before you take action to clean up a virus?
Make a backup of your system
91
7 steps to take care of a computer infection
Identify symptoms
Quarantine the infected systems
Disable System Restore (if using Windows)
Remediate the infected system
Schedule automatic updates and scans
Reenable System Restore and create a new restore point
Provide end user security awareness training
92
How do you scan for a boot sector virus?
Reboot the computer from an external device and scan it. This is because if you boot from the internal hard drive, the virus is loaded before you can do anything about it. OR you can move the hard drive to another computer and scan it there.
93
A type of malware that acts as a go-between for the OS and the kernel
Rootkit
94
How to prevent spammers from using your mail servers to send spam
Verify your email servers aren't configured as open mail relays or SMTP open relays
95
3 main ways to prevent malware
Install and continually update reputable antimalware
Update and patch your OS
End user training
96
Describes the specific method by which malware code infects a target host
Exploit technique
97
A type of malware that is executed directly as a script or a piece of shellcode that creates a process in the system memory without having to use the local file system
Fileless
98
The 5 steps that APTs use to operate modern malware
Dropper or downloader
Maintain access
Strengthen access
Actions on objectives
Concealment
99
Malware designed to install/run other types of malware embedded in a payload on an infected host
Dropper
100
A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper
Downloader
101
Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
Shellcode
102
Exploit technique that runs malicious code with the identification number of a legitimate process
Code injection
103
When an attacker's dropper replaces a victim's genuine executable with a malicious one
Masquerading
104
When an attacker's dropper forces a malicious process to run as part of the DLL
DLL injection
105
When an attacker's dropper exploits a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime
DLL sideloading
106
When an attacker's dropper starts a process in a suspended state, and then rewrites the memory locations containing the process code with the malware code
Process hollowing
107
Anti-forensic techniques that droppers implement
Encrypting payloads
Compressing payloads
Obfuscating payloads
108
Exploit technique that uses the victim's standard system tools (for example, PowerShell or BASH) and packages to perform intrusions. Makes it incredibly hard to find the attacker using this technique.
Living off the land
109
Difference between armored virus and stealth virus?
Stealth viruses hide themselves from the OS and/or antivirus software by making changes to file sizes or directory structure. Armored viruses are difficult to detect or analyze, and may be able to protect themselves from antivirus programs.
110
Difference between polymorphic and metamorphic viruses?
Polymorphic encrypts its code using a variable encryption key so each copy of the virus appears different. Metamorphic rewrites its own code in order to make each copy of the virus different, no encryption key necessary.
111
Difference between phishing and pharming?
Phishing requires only successful social engineering. It is a one-time scam, usually involving the attacker trying to get victims to click on a link to a fraudulent site. It usually involves targeting one individual at a time. Pharming requires an attacker to gain unauthorized access to a system. This involves creating a fake website for users to enter their credentials, and then redirecting them via DNS poisoning/spoofing/hijacking. It involves simultaneously targeting huge groups of people.