Updated - INFO 310 FINAL Flashcards
Protection of Assets; Prevention, Detection, and Recovery
Goal of Cybersecurity
Confidentiality, Integrity, Availability
CIA
the concealment of information or resources
Confidentiality (CIA)
the trustworthiness of data or resources
Integrity (CIA)
the ability to use information or resources
Availability (CIA)
Deception, Disruption, Disclosure, Usurpation
Categories of Threats
The acceptance of false data
Deception (Category of threat)
the interruption or prevention of correct operation
Disruption (Category of threat)
The unauthorized access to information
Disclosure (Category of threat)
the unauthorized control of some part of a system
Usurpation (Category of threat)
the unauthorized interception of information, is a form of disclosure
Snooping or eavesdropping (Type of threat)
an unauthorized change of information is a form of usurpation, deception, and disclosure.
Modification or alteration (Type of threat)
an impersonation of one entity by another, is a form of both deception and usurpation.
Masquerading or spoofing (Type of threat)
a false denial that an entity sent (or created) something, is a form of deception.
Repudiation of origin
a false denial that an entity received some information or message, is a form of deception
Denial of receipt
a temporary inhibition of a service, is a form of usurpation, although it can play a supporting role in deception.
Delay
a long-term inhibition of service, is a form of usurpation often also used as a mechanism of deception.
Denial of service
Asset, Threat, Vulnerability, Risk
The Core of Cybersecurity
People, property, and information of value
Asset
Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
Threat
Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
Vulnerability
The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk
Asset + Threat + Vulnerability = Risk.
Formula for calculating risk
Any cipher based on substitution, using multiple substitution alphabets.
Polyalphabetic Ciphers
message wrapped around a rod of a certain size then can be read.
Scytale Encryption
A method of encryption by which the positions held by units of plaintext […] are shifted according to a regular system, so that the ciphertext constitutes a permutation of the plaintext.
Transposition Ciphers
The study of the frequency of letters or groups of letters in a ciphertext. The method is used as an aid to breaking classical ciphers.
Frequency Analysis
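Worked example for the three cards above (polyalphabetic ciphers, frequency analysis, and the Vigenère card later in this set). This is an added example, not part of the original flashcards: it implements a Vigenère cipher, breaks its monoalphabetic special case (Caesar) with a chi-squared comparison against English letter frequencies, and then shows that once the key length is known, each column of a polyalphabetic ciphertext is just a Caesar cipher and falls to the same analysis. The sample plaintext and the letter-frequency table are constructed here (approximate published English frequencies).

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate letter frequencies of English text, in percent: the reference
# profile that frequency analysis compares a ciphertext against.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def clean(text):
    """Keep only letters, upper-cased, as classical ciphers did."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: letter i is shifted by key[i mod len(key)],
    so the same plaintext letter maps to different ciphertext letters."""
    key = clean(key)
    out = []
    for i, c in enumerate(clean(text)):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
    return "".join(out)


def caesar(text, shift):
    """Monoalphabetic special case: a Vigenere cipher with a one-letter key."""
    return vigenere(text, ALPHABET[shift % 26])


def chi_squared(text):
    """Distance between the letter distribution of text and English.
    English-like text scores low; a flattened distribution scores high."""
    counts = Counter(text)
    n = len(text)
    total = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] * n / 100
        total += (counts[letter] - expected) ** 2 / expected
    return total


def break_caesar(ciphertext):
    """Try all 26 shifts; the one whose decryption looks most like English wins."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))


def break_vigenere(ciphertext, key_len):
    """With the key length known, every key_len-th letter was encrypted with the
    same shift, so each column is a Caesar cipher and falls to frequency analysis."""
    return "".join(
        ALPHABET[break_caesar(ciphertext[col::key_len])] for col in range(key_len)
    )


# Constructed sample plaintext (not from the original page).
PLAIN = clean(
    "Frequency analysis works because the letters of English text are not used "
    "equally often. The letter E appears far more than any other while Q X and Z "
    "are rare. A simple substitution cipher preserves these patterns so the most "
    "common ciphertext letter is almost certainly a substitute for E."
)

if __name__ == "__main__":
    c = caesar(PLAIN, 7)
    print("caesar shift recovered:", break_caesar(c))
    v = vigenere(PLAIN, "KEY")
    print("chi^2 plain / caesar / vigenere:",
          round(chi_squared(PLAIN)), round(chi_squared(c)), round(chi_squared(v)))
    print("vigenere key recovered:", break_vigenere(v, 3))
```

The chi-squared score of the Vigenère ciphertext is far higher than that of the plaintext, which is what "intended to prevent frequency analysis" means in practice: the single-letter statistics are flattened. The defence only holds while the key length is unknown; the Kasiski and index-of-coincidence methods recover it, after which break_vigenere above finishes the job.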
The art, or better yet science, of skillfully maneuvering human beings to take action in some aspect of their lives.
Social Engineering
The practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.
Phishing (SE)
The practice of eliciting information or attempting to influence action via the telephone, may include such tools as phone spoofing.
Vishing (SE)
The practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system
Impersonation (SE)
· Ensures Authentication · Ensures Non-Repudiation · Ensures Confidentiality · Ensures Integrity
Properties of encryption
Uses a single key for both encryption and decryption
Secret Key Cryptography (SKC) (AKA Symmetric Encryption)
Uses one key for encryption and another for decryption
Public Key Cryptography (PKC) (AKA Asymmetric Encryption)
Uses a mathematical transformation to create a digital fingerprint or message digest
Hash Functions (AKA Checksum)
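Worked example for the three cards above (secret-key cryptography, hash functions, and the four properties of encryption). This is an added example, not part of the original flashcards, using only the Python standard library: it computes a SHA3-512 message digest, shows the avalanche effect, contrasts a CRC checksum with a cryptographic hash, and uses an HMAC under a shared secret to get authentication and integrity together. The message bytes are constructed samples; the key is generated locally.

```python
import hashlib
import hmac
import secrets
import zlib


def digest(data: bytes) -> str:
    """Message digest: a fixed-length fingerprint of arbitrary input (SHA3-512)."""
    return hashlib.sha3_512(data).hexdigest()


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests (avalanche effect: a one-byte
    change in the input flips roughly half of the output bits)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def crc(data: bytes) -> int:
    """A checksum (CRC-32) catches accidental corruption but is trivially forgeable:
    it is not a substitute for a cryptographic hash."""
    return zlib.crc32(data)


def hash_only_check(message: bytes, received_digest: str) -> bool:
    """Integrity only: detects accidental corruption, but an attacker who can
    change the message can just recompute the digest too."""
    return digest(message) == received_digest


def make_tag(key: bytes, message: bytes) -> str:
    """Symmetric authentication: HMAC-SHA3-256 under a shared secret key.
    Only a holder of the key can produce or check the tag."""
    return hmac.new(key, message, hashlib.sha3_256).hexdigest()


def verify_tag(key: bytes, message: bytes, received: str) -> bool:
    # compare_digest runs in constant time; a plain == would leak how many
    # leading bytes of a forged tag were right, one byte per timing probe.
    return hmac.compare_digest(make_tag(key, message), received)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # shared secret, 256 bits from the CSPRNG
    msg = b"transfer 100 to alice"         # constructed sample message
    forged = b"transfer 900 to alice"
    t = make_tag(key, msg)
    print("SHA3-512 of empty input:", digest(b"")[:16], "...")
    print("bits changed 'abc' -> 'abd':", bits_changed(digest(b"abc"), digest(b"abd")))
    print("HMAC verifies original:", verify_tag(key, msg, t))
    print("HMAC verifies forged:  ", verify_tag(key, forged, t))
    # Without the key the attacker cannot forge a tag, but a bare hash travelling
    # with the message is recomputed as easily as the message is changed:
    print("bare hash accepts forged:", hash_only_check(forged, digest(forged)))
```

A hash alone gives integrity against accidents; authentication and non-repudiation need a key. HMAC (shared key) gives authentication between the two key holders, but either of them could have produced the tag, so non-repudiation needs a digital signature under a private key that only one party holds.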
Physical, Link, Network, Transport, and Application
The Layers of the Internet Protocol Model
Wire, open air, optic fibers
Physical layer IPM
Ethernet, Wifi, 4G
Link layer IPM
Internet Protocol (IP), Internet Control Message Protocol (ICMP)
Network layer IPM
Transmission Control Protocol (TCP) User Datagram Protocol (UDP)
Transport Layer (IPM)
Email: Simple Mail Transfer Protocol (SMTP); Websites: HyperText Transfer Protocol (HTTP); File sharing: File Transfer Protocol (FTP), Server Message Block (SMB)
Application Layer IPM
public domain on the internet. Created by Internet Service Providers (ISP) to connect to other ISPs around the world. Creates the internet.
Public IP
private to a Local Area Network (LAN). They are assigned in a LAN by the Dynamic Host Configuration Protocol (DHCP).
Private IP
A unique identifier with two components: the network address and the host address. A subnet mask separates the IP address into its network and host parts.
Internet Protocol (IP) Address
the process of verifying that an individual, entity or website is who it claims to be. This in the context of web applications is commonly performed by submitting a username or ID and one or more items of private information that only a given user should know
Authentication
An attestation of identity, qualification, competence, or authority issued to an individual by a third party
Credential
sequence of network HTTP request and response transactions associated to the same user. […] provide the ability to establish variables - such as access rights and localization settings - which will apply to each and every interaction a user has with the web application for the duration of the session.
Web Session
Almost exclusively JavaScript (JS), run by the browser's interpreter. Makes web pages come alive. Credential information is stored on and sent from the client, so it is under the user's (or an attacker's) control and cannot be trusted by the server.
Client side code
Server-side services listen for a request and then respond to it; part of the N-tier application design
Server Side
Presentation, logic, data
N-Tier Application
Translates data in to something the user can understand
Presentation tier
Coordinates the application, processes commands makes logical decisions and evaluations and performs calculations. Provides communication between the presentation and data tier
Logic Tier
Information is stored and retrieved from a database, datastore or filesystem. Provides information back to the logic tier
Data Tier
does nothing except provide a pathway for the electrical signals to travel along
Hub
are the connectivity points of an Ethernet network that forward data only to the port that connects to the destination device. It does this by learning the MAC address of the devices attached to it, and then by matching the destination MAC address in the data it receives.
Switch
Will normally create, add, or divide networks at the Network layer, as they are normally IP-based devices. On receiving a packet of data, it reads the packet header to determine the destination address
Router
use the wireless infrastructure network mode to provide a connection point between WLANs and a wired Ethernet LAN.
Wireless Access Point
Encrypted Connection over the internet from a device to a network
Virtual Private Network (VPN)
A networking device, either hardware or software based, that controls access to your organization’s network.
Firewall
Implemented through software applications to monitor and control network traffic between a computer or a network of computers and the internet or other networks. Run on network operating systems such as Linux/Unix, Windows Server, and macOS Server
Software Firewalls
Dedicated network device Many routers and WAPs have this functionality built in
Hardware Firewalls
A 32-bit number that masks an IP address and divides it into a network address and a host address; formed by setting the network bits to all 1s and the host bits to all 0s
Subnet Mask
A method of allocating IP addresses and routing that replaced classful addressing; a set of Internet Protocol (IP) standards used to create unique identifiers for networks and individual devices, written as address/prefix length (e.g., 192.168.1.0/24 means a 24-bit network mask, 255.255.255.0).
Classless inter-domain routing (CIDR)
A dictionary of publicly known vulnerabilities, each with a standard identifier (CVE-YYYY-NNNNN), that attempts to standardize vulnerability naming across the industry
CVE - Common Vulnerabilities and Exposures
Maintain an accurate inventory of assets; define and set standards; maintain awareness and detect new vulnerabilities; remediate or mitigate identified vulnerabilities; continuously monitor the IT environment
Goals of Vulnerability Management Program (4)
- Apply patches
- Update configurations
- Deactivate unnecessary services and channels
Remediation
Reducing, lessening, or minimizing the severity, impact, or likelihood of potential threats, risks, or vulnerabilities: compensating network controls, procedural or physical controls
Mitigation
Tend to lack motivation and rely on scripts created by more advanced hackers. They use easy-to-use software to do things such as port scanning. Blue hats are the vindictive variety of script kiddie.
Script Kiddies
newbie hackers. Unlike script kiddies, these hackers have the drive to become a more advanced hacker
Green Hat
malicious hacker who hacks for personal gain, typically financial
Black Hat
Use their skills in order to help individuals, businesses and gov- ernment.
White Hat/Ethical Hackers
Shifts between ethical and non-ethical hacking practices
Grey Hat
Digital vigilantes working to right a perceived wrong in the world
Hacktivists:
government employees who attempt to acquire classified informa- tion about other governments
Nation State Hackers (AKA APT)
A disgruntled employee or corporate spy
Malicious Insider
1) Provide training 2) Define security requirements 3) Define metrics and compliance reporting 4) Perform threat modeling 5) Establish design requirements 6) Define and use cryptography standards 7) Manage the security risk of using 3rd-party components 8) Use approved tools 9) Perform SAST 10) Perform DAST 11) Perform penetration testing 12) Establish a standard incident response process
Microsoft secure development lifecycle 12 parts
This permission grants the right to read the contents of a file, or to list the entries of a directory.
permission Read (r)
Implies the ability to change the contents of a file. Or create new files in a directory
Permission write(w)
the right to execute the files if they are programs. Regarding directories, it allows you to enter any directories and access files
Permission Execute (x)
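Worked example for the three permission cards above. This is an added example, not part of the original flashcards: it converts between the nine-character symbolic form (rwxr-x---) and the octal mode the kernel stores, flags least-privilege problems such as world-writable files or secrets readable by others, and applies a mode to a temporary file with os.chmod to confirm what was actually set. The permission strings it checks are constructed samples; it assumes a POSIX system for the chmod round trip.

```python
import os
import stat
import tempfile


def parse_mode(symbolic: str) -> int:
    """'rwxr-x---' -> 0o750. The nine characters are owner, group, others,
    each a read/write/execute triple worth 4, 2 and 1."""
    if len(symbolic) != 9:
        raise ValueError("expected nine characters like rwxr-x---")
    mode = 0
    for i, ch in enumerate(symbolic):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= 1 << (8 - i)          # bit 8 is owner read, bit 0 is others execute
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def format_mode(mode: int) -> str:
    """0o644 -> 'rw-r--r--' (the inverse of parse_mode)."""
    return "".join("rwx"[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9))


def risky(symbolic: str, secret: bool = False) -> list:
    """Least-privilege findings for one permission string.
    secret=True means the file holds a key, password or token."""
    mode = parse_mode(symbolic)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any user can change the contents")
    if secret and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("secret readable by group or others")
    return findings


def apply_and_verify(symbolic: str) -> str:
    """Create a temp file, chmod it to the symbolic mode and read back what the
    kernel actually stored (umask applies at creation time, not to chmod)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, parse_mode(symbolic))
        return format_mode(stat.S_IMODE(os.stat(path).st_mode))
    finally:
        os.remove(path)


if __name__ == "__main__":
    for s in ("rwxr-x---", "rw-r--r--", "rw-rw-rw-"):
        print(s, oct(parse_mode(s)), risky(s))
    print("private key with rw-r-----:", risky("rw-r-----", secret=True))
    print("applied rw-------, got:", apply_and_verify("rw-------"))
```

Note that execute on a directory is what lets you enter it: a directory that is r-- but not --x can be listed yet its files cannot be opened, and one that is --x but not r-- can be traversed only by someone who already knows the file names.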
Exploiting a bug or design flaw to gain elevated access to resources that are normally protected from a user or application
Privilege escalation
A lower-privilege user accesses functions or content reserved for higher-privilege users or applications
Vertical privilege escalation
A normal user accesses functions or content reserved for other normal users (for example, another user's records)
Horizontal privilege escalation
Access control in which a person receives only the permissions necessary for their role. For example, an employee is given only the permissions needed to complete their job, which prevents lower-level employees from accessing information that is not relevant to them
Role Based Access Controls
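Worked example for the privilege escalation and role-based access control cards above. This is an added example, not part of the original flashcards: a small role-to-permission table, a profile lookup that checks the role but trusts the client-supplied id (the horizontal escalation, also called an insecure direct object reference), and the fixed version that checks ownership first and requires an admin-only permission for anyone else's record. The profiles, roles and actor records are constructed samples.

```python
# Role -> permissions. A user may only act on their own profile; only an admin
# may read any profile or delete users.
ROLE_PERMISSIONS = {
    "user": {"read_own_profile", "edit_own_profile"},
    "admin": {"read_own_profile", "edit_own_profile", "read_any_profile", "delete_user"},
}

# Constructed sample data (not from the page).
PROFILES = {
    1: {"name": "alice", "email": "alice@example.com"},
    2: {"name": "bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    pass


def authorize(actor: dict, permission: str) -> None:
    """Vertical check: does the actor's role grant this permission at all?"""
    if permission not in ROLE_PERMISSIONS.get(actor["role"], set()):
        raise Forbidden(f"role {actor['role']!r} lacks {permission}")


def get_profile_vulnerable(actor: dict, profile_id: int) -> dict:
    # Checks the role but trusts the client-supplied id: any logged-in user can
    # read any profile by changing the number (horizontal privilege escalation).
    authorize(actor, "read_own_profile")
    return PROFILES[profile_id]


def get_profile(actor: dict, profile_id: int) -> dict:
    # Ownership check first (horizontal); a different owner needs the admin-only
    # permission (vertical).
    if profile_id == actor["id"]:
        authorize(actor, "read_own_profile")
    else:
        authorize(actor, "read_any_profile")
    return PROFILES[profile_id]


def delete_user(actor: dict, profile_id: int) -> bool:
    # A plain user reaching this function is vertical privilege escalation.
    authorize(actor, "delete_user")
    return PROFILES.pop(profile_id, None) is not None


if __name__ == "__main__":
    alice = {"id": 1, "role": "user"}
    print("alice reads bob via vulnerable lookup:", get_profile_vulnerable(alice, 2))
    try:
        get_profile(alice, 2)
    except Forbidden as e:
        print("fixed lookup refuses:", e)
    try:
        delete_user(alice, 2)
    except Forbidden as e:
        print("vertical escalation refused:", e)
```

The role check alone is not enough: authorization has to be evaluated against the specific object being requested, every time, on the server.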
A process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and mitigations can be prioritized. It is about finding problems and should be done early in development.
Threat Modeling
lists all of the assets and considers how attacker could threaten them
Asset based approach (TM)
Talking about human threat agents can make the threat seem real
Modeling Attacker
Models that focus on the software being built or the system being deployed
Software model
any place where entities of different privilege interact. Threats tend to cluster around these.
Trust boundary
Follows the flows of data through the system; often ideal for threat modeling
Dataflow Diagrams (DFD) (Software model)
Fairly complex to produce from scratch, but UML diagrams the development team already has can usually be adapted
Unified modeling language (UML) (Software model)
Represent flows between various participants; each lane is labeled to identify a participant, and each message is a line between participants.
Swim lane diagrams (Software model)
Represents the various states a system could be in and the transitions between those states.
state diagram (Software model)
STRIDE: A well accepted approach to thinking of threats when threat modeling: List what each acronym stands for:
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of privilege.
Pretending to be someone or something other than yourself. This VIOLATES AUTHENTICATION.
spoofing
Modification of something on disk, in memory, or on the network. This VIOLATES INTEGRITY
Tampering
Claiming that you did not do something. This VIOLATES NON-REPUDIATION
Repudiation
Absorbing the resources needed to provide a service. VIOLATES AVAILABILITY.
Denial of Service
Providing information to someone not authorized to see it. This VIOLATES CONFIDENTIALITY
Information Disclosure
Allowing someone to do something they are not authorized to do. Violates AUTHORIZATION
elevation of privilege
SQL, Network File System (NFS), Server Message Block (SMB), Rsyslog
Data tier languages and Protocols List
A language used in programming and designed to manage data held in databases. Ports: 3306 (MySQL/MariaDB), 5432 (PostgreSQL), 1433 (MS SQL Server)
Structured Query Language - SQL
Distributed file system protocol; runs on port 2049
Network file system (NFS)
A network protocol for shared access to files, printers, and serial ports (port 445, or 139 over NetBIOS)
Server Message Block (SMB)
A utility for sending logs to remote log systems
Rsyslog
Minimize attack surface, Principle of least privilege, Encryption, Tokenization, Federation
Protecting Data (5 rules)
Implement physical, network, and logical controls on data.
Minimizing attack surface
Access to data should be controlled by permissions that are verified before users are allowed to access the data.
Principle of least privilege
prevents data visibility in the event of unauthorized access or theft
Encryption
Substituting sensitive data with non-sensitive equivalent. This is then used to map back to the data
Tokenization
A type of meta-database that is geographically decentralized and transparently maps multiple databases into one.
Federation
Categories: provide organizational structure
Specialty Areas: subgroups of categories containing cybersecurity work
Work Roles: the most detailed grouping of cybersecurity-related work, which includes KSAs and tasks for the role
Knowledge, Skills, and Abilities (KSAs): what is required to perform a work role
Task: a specific task assigned to the work role
NICE: National Initiative for Cybersecurity Education (parts and what they do
Open Web Application Security Project
OWASP
Top ten critical security risks to applications (2017 edition): A1: Injection A2: Broken authentication A3: Sensitive data exposure A4: XML External Entities (XXE) A5: Broken access control A6: Security misconfiguration A7: Cross-Site Scripting (XSS) A8: Insecure deserialization A9: Using components with known vulnerabilities A10: Insufficient logging and monitoring.
OWASP TOP 10: list them
Injection of a string in to a query in order to modify a response: attacker sends hostile data in to an interpreter How does it work: There are flaws in the code that when a specific string is injected do something different than they were meant to do.
SQLi
Requires keeping data separate from commands and queries:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make it easier to avoid
- Never insert untrusted data except in allowed locations; HTML-escape before inserting untrusted data into HTML element content
- Use a trusted library
SQLi mitigation (3 parts)
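Worked example for the SQLi and SQLi-mitigation cards above (and the parameterized-queries answer later in the set). This is an added example, not part of the original flashcards: an in-memory SQLite table with two constructed rows, a login lookup built by string concatenation, and the same lookup with bound parameters. The payloads show why "keeping data separate from commands" is the whole fix: with parameters, a quote in the username is just a quote in the username.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, pw_hash: str):
    # The user-controlled strings are pasted into the command text, so quote
    # characters in them change the structure of the query itself.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username: str, pw_hash: str):
    # Data travels separately from the command: the driver binds the values,
    # so nothing the user types can become SQL.
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Closes the string, forces the WHERE clause true, comments out the rest.
    payload = "' OR 1=1 --"
    print("vulnerable    :", login_vulnerable(db, payload, "anything"))
    print("parameterized :", login_parameterized(db, payload, "anything"))
    # Logs in as a chosen user without the password at all.
    print("as alice      :", login_vulnerable(db, "alice' --", "wrong"))
    print("legit login   :", login_parameterized(db, "alice", "hash-a"))
```

The comparison against a stored password hash inside SQL is only for the demonstration; a real login fetches the stored hash by username and verifies the password with a dedicated password-hashing function.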
A type of application attack where the attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users.
XSS - Cross Site Scripting
The application or API includes unvalidated or unescaped user input as part of the HTML output.
Reflected XSS:
The application or API stores unsanitized user input that can be viewed at a later date.
Stored XSS
JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in a page are vulnerable to this XSS attack.
DOM XSS
Escaping untrusted HTTP request data based on the context in the HTML output, Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails and React JS.
XSS mitigation
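Worked example for the XSS cards above. This is an added example, not part of the original flashcards: a reflected-XSS rendering function beside versions that escape according to the output context, which is the point of "escaping untrusted HTTP request data based on the context in the HTML output". Element content and attribute values are handled by html.escape; a URL is different, because a javascript: URL contains no characters that escaping would touch, so it needs a scheme allow-list. The payloads are constructed samples.

```python
import html


def render_vulnerable(name: str) -> str:
    """Reflected XSS: the request parameter lands in the HTML output unescaped."""
    return f"<p>Hello {name}</p>"


def render_text(name: str) -> str:
    """HTML element content: escape & < > " ' so the browser sees text, not markup."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_attribute(value: str) -> str:
    """HTML attribute context: always quote the attribute AND escape the quotes,
    otherwise a payload can close the attribute and add an event handler."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_link(url: str) -> str:
    """URL context: escaping is not enough, since 'javascript:alert(1)' has no
    special characters. Allow only http(s) schemes, then escape for the attribute."""
    if not url.lower().lstrip().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


# Constructed payloads, one per output context.
CONSTRUCTED_PAYLOADS = {
    "text": "<script>alert(document.cookie)</script>",
    "attribute": '" onmouseover="alert(1)',
    "url": "javascript:alert(1)",
}

if __name__ == "__main__":
    p = CONSTRUCTED_PAYLOADS
    print("vulnerable:", render_vulnerable(p["text"]))
    print("escaped   :", render_text(p["text"]))
    print("attribute :", render_attribute(p["attribute"]))
    print("link      :", render_link(p["url"]))
```

Template engines such as Jinja2 (with autoescaping on), Rails and React do the element-content and attribute escaping automatically; the URL and JavaScript contexts still need explicit handling, which is why DOM XSS survives in frameworks that otherwise escape by default.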
the analysis of computer software that is performed WITHOUT executing programs.
Static Application Security Testing (SAST):
The analysis of computer programs DURING their execution. It does not require the source code and therefore detects vulnerabilities by performing attacks itself.
Dynamic Application Security Testing (DAST)
operated solely for a single organization
Private: cloud infrastructure
services are rendered over a network that is open for public use
Public cloud infrastructure
a composition of public cloud and private environment
Hybrid cloud
Refers to online services that provide high-level APIs used to dereference various low-level details of the underlying network infrastructure, like physical computing resources, location, data partitioning, scaling, security, backup, etc.
Infrastructure as a service
The consumer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, or storage, but does control the deployed applications and possibly the configuration settings for the application-hosting environment.
Platform as a service
the applications are accessible via a thin client interface such as a web browser or program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage and even individual application capabilities.
Software as a Service (SaaS)
These primarily contain computer security-related information
Networking Security Logs
contains system events and audit records
Operating System logs
contains application level events or audit information
Application logs
typically hidden within another seemingly innocuous program. It can create copies of itself and insert them into other programs and files to perform a harmful action. Uncommon today and comprises less than 10% of all malware
Viruses
It’s distinctive trait is that it is self-replicating and can spread without user action.
Worms
Masquerades as a legitimate program but contains malicious code. It requires the user to execute the corrupted/malicious file. Typically spread via social engineering
Trojan Horse
Most of these programs are trojans, which means they must be spread through social engineering of some sort. Once the user executes the corrupted/malicious file, it looks for and encrypts the user's files. The attacker then holds the files hostage in exchange for a ransom. Recovery without paying depends on having good backups (kept offline, so the ransomware cannot encrypt them too). According to studies, about 25% of victims choose to pay the ransom, while 30% do not get their files unlocked
Ransomware
If you get infected with one of these, recovery is very hard. They allow the attacker to have "root" privilege and create/edit/delete files as they please. They can conceal themselves from anti-malware systems and are very difficult to detect, because "root" privilege is greater than that of the victim/user. They are extraordinarily hard to create and only the most advanced attacks use them. Tech companies are very proactive about patching vulnerabilities that are susceptible to these.
Rootkit
a method of bypassing normal authentication procedures, typically over a connection to a network such as the internet. It allows the hacker to spy, invisibly, on the victims activities. May be installed by Trojan horses, worms, implants or “other methods”.
Backdoor
Attempts to expose the victim to unwanted and potentially malicious advertising. Common ____ programs may redirect a user's browser searches to a copycat page that contains promotions for other products
Adware
a logical collection of internet-connected devices whose security has been compromised and control ceded to a third party. Each compromised device is known as “bot”. They are rented out by cyber criminals as commodities for a variety of purposes (such as a DDoS attack)
Botnet
many viruses have a “signature”, or a recognizable series of ones and zeros. These anti-virus programs work by spotting these signatures and stopping the files before they can cause damage
Signature Based Detection
Monitors system processes to determine if a program is attempting to engage in malicious behavior against the operating system
Behavior Based Detection
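Worked example for the signature-based and behavior-based detection cards above. This is an added example, not part of the original flashcards: a scanner that matches files against a hash signature and a byte-pattern signature, built here from the public EICAR test string (the harmless file every antivirus recognizes), and a behavior monitor that looks at what a process does instead. The process events are constructed samples; the thresholds are assumptions.

```python
import hashlib
from collections import Counter

# EICAR test file: the public, harmless string every antivirus flags by signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Two kinds of signature: an exact file hash, and a byte pattern inside the file.
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}
PATTERN_SIGNATURES = {b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!": "EICAR-Test-File"}


def signature_scan(blob: bytes) -> list:
    """Signature-based: match the file against known hashes and byte patterns.
    Cheap and precise for known samples; blind to anything not yet in the database."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(blob).hexdigest())
    if name:
        hits.append(f"hash:{name}")
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in blob:
            hits.append(f"pattern:{name}")
    return hits


def behavior_scan(events: list, rename_threshold: int = 20) -> list:
    """Behavior-based: judge a process by what it does, not what it looks like.
    events: (process, action, target) tuples, e.g. from a file-system monitor."""
    alerts = []
    renames = Counter(proc for proc, action, target in events
                      if action == "rename" and target.endswith(".locked"))
    for proc, n in renames.items():
        if n >= rename_threshold:
            alerts.append(f"{proc}: mass-renamed {n} user files (ransomware-like)")
    for proc, action, target in events:
        if action == "exec" and "vssadmin" in target and "delete shadows" in target:
            alerts.append(f"{proc}: deleted volume shadow copies (backup destruction)")
    return alerts


# Constructed file-system / process events: (process, action, target).
SAMPLE_EVENTS = (
    [("invoice.exe", "rename", f"C:/Users/me/Documents/report{i}.docx.locked")
     for i in range(25)]
    + [("invoice.exe", "exec", "vssadmin delete shadows /all /quiet"),
       ("winword.exe", "rename", "C:/Users/me/Documents/draft.docx.locked")]
)

if __name__ == "__main__":
    print("EICAR:", signature_scan(EICAR))
    print("EICAR with a byte prepended:", signature_scan(b"x" + EICAR))
    print("novel sample:", signature_scan(b"never seen before"))
    for a in behavior_scan(SAMPLE_EVENTS):
        print("behavior:", a)
```

Prepending a single byte defeats the hash signature but not the pattern signature, and a novel sample defeats both; the behavior monitor catches the mass rename and the shadow-copy deletion regardless of what the binary looks like, at the cost of acting only after the first files are already encrypted.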
The most common first step; works by moving the malicious file into a protected area on the hard drive, separate from any other file that could activate the malicious software
Quarantine (Removal)
aims to stop the initialization and spread of the virus during the start up process
Startup Detection/Removal
Operating system ____ ____ provides administrators with a known working point to which they can restore the settings back to.
Restore points
Asymmetric cryptography requires that both the encoder and decoder have a shared key? T/F
FALSE
Masquerading is a form of both deception and disruption. T/F
FALSE
AES is an algorithm for which type of encryption?
Symmetric Key Encryption
Select the one that best describes Asymmetric cryptography :- Requires a secured channel to exchange a shared key. - Securely generates a shared key between two parties over an insecure channel. - Has been superseded by elliptical curve based encryption. - Leverages the same key to encrypt and decrypt data.
Securely generates a shared key between two parties over an insecure channel.
What algorithm is considered a secure hash today?
SHA3-512
Diffe-Hellman and RSA are algorithms for which type of encryption?
Asymmetric Key Encryption
The polyalphabetic cipher is intended to prevent frequency analysis? T/F
TRUE
The Vigenère cipher is an example of what?
A polyalphabetic cipher
A 404 HTTP response indicates that the URL requested is not found on the server. T/F
TRUE
[_______] translates more readily memorized domain names to the numerical IP addresses.
Domain Name System
Which protocols are not part of the application layer? 1- TCP (Transmission Control Protocol) 2 - SMTP (Simple Mail Transfer Protocol) 3 - HTTP (HyperText Transfer Protocol) 4 - ICMP (ping)
1 and 4
A 5XX HTTP response status indicates an error occurred on the server. T/F
TRUE
The network ID for IP address 172.35.16.12 with a subnet mask of 255.255.255.0 is:
172.35.16.0
What would you type into a command prompt in order to view the IP address of your computer (Windows or Linux is acceptable)?
ipconfig (Windows); ip addr or ifconfig (Linux)
[______] is a process by which a server maintains the state of an entity interacting with it.
Session Management
[_____] data is a combination of structured and unstructured data and requires mapping or advanced tools to derive information.
Big
The process of verifying that an individual, entity, or website is who it claims to be.
Authentication
When the secure flag is set on a cookie, JavaScript cannot access the cookie.T/F
FALSE (that is the HttpOnly flag; Secure only stops the browser sending the cookie over plain HTTP)
[_______] is a sequence of network HTTP request and response transactions associated to the same user.
A Web session
Any inactive data that is stored physically in any digital form is called [________].
Data at Rest
The [___________] coordinates the application, processes commands, makes logical decisions and evaluations, and performs calculations.
Logic Tier
Compute the Network ID and Host ID for the IP address 192.168.1.55 with a subnet mask of 255.255.255.0.
Network ID: 192.168.1.0; Host ID: 0.0.0.55
Which part of the address is computed under the 1s of the subnet mask?
Network ID
Which part of the address is computed under the 0s of the subnet mask?
Host ID
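Worked example for the subnet questions above (172.35.16.12 and 192.168.1.55 with 255.255.255.0), and for the earlier IP address, subnet mask, CIDR and private/public IP cards. This is an added example, not part of the original flashcards, using Python's standard ipaddress module: it computes network ID and host ID with the AND / AND-NOT rule the questions describe, rejects a non-contiguous mask, gives the CIDR view of the same subnet, and checks the RFC 1918 private ranges. The extra addresses it tries are constructed.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_address(ip: str, mask: str):
    """Return (network ID, host ID, prefix length) for a dotted-decimal IP and mask.
    Network ID = IP AND mask (the bits under the mask's 1s);
    host ID    = IP AND NOT mask (the bits under the mask's 0s)."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix = bin(mask_int).count("1")
    # A valid mask is a run of 1s followed by a run of 0s; anything else is a typo.
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask {mask}")
    network = ipaddress.IPv4Address(ip_int & mask_int)
    host = ipaddress.IPv4Address(ip_int & ~mask_int & 0xFFFFFFFF)
    return str(network), str(host), prefix


def cidr_summary(ip: str, mask: str):
    """CIDR view of the same subnet: network/prefix, broadcast, usable host count."""
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    return str(net), str(net.broadcast_address), net.num_addresses - 2


def is_rfc1918(ip: str) -> bool:
    """Private (LAN) address per RFC 1918: 10/8, 172.16/12, 192.168/16.
    Note 172.35.x.x is public: the 172 block only runs 172.16.0.0 to 172.31.255.255."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    for ip in ("172.35.16.12", "192.168.1.55"):
        net, host, prefix = split_address(ip, "255.255.255.0")
        print(f"{ip}/{prefix}: network {net}, host {host}, private={is_rfc1918(ip)}")
    print("CIDR:", cidr_summary("192.168.1.55", "255.255.255.0"))
```

The prefix length in CIDR notation is just the count of 1 bits in the mask, so /24 and 255.255.255.0 describe the same split; strict=False lets IPv4Network accept a host address and clear the host bits itself.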
This type of malware masquerades as a legitimate program but contains malicious instructions.
Trojan
This type of malware has the distinctive trait that it’s self-replicating without required interaction.
Worm
The two broad techniques for detecting malware are ____ -based and ___ -based.
signature behavior
The most common first step in malware removal and recovery is:
quarantining
The type of malware that provides a method of bypassing normal authentication procedures, usually over a connection to a network such as the Internet, is called a:
backdoor
The process of learning more about the assets that you can access including the network, computers, applications, and their versions is called:
footprinting
When a social engineer uses a lie with a made-up story to go along with it in order to gain trust, it is called:
pretexting
The practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information is called:
phishing
[________] use their skills in order to help individuals, businesses, and government.
ethical hackers
Government employees attempting to acquire classified information about other governments are often known as [__________]
Advanced Persistent Threats
The four forms of valid credentials are :
What you know, what you have, what you are, and where you are.
What cipher should a developer select for symmetric encryption?
AES
This type of response status indicates a client-side error response from the server.
4XX
This type of response status indicates a server side error response from the server.
5XX
192.168.0.35 is an example of this type of IP address.
IPv4
Which protocols are NOT part of the Application layer (select all that apply)?1. FTP (File Transfer Protocol) 2. ICMP (ping) 3. SMTP (Simple Mail Transfer Protocol) 4. HTTP (HyperText Transfer Protocol ) 5. TCP(Transmission Control Protocol ) 6. IP (Internet Protocol)
5 and 6
What are the domains within the field of cybersecurity?
Operational Security, Network Security, Application Security, End-user Education, Information Security
The host ID for IP Address 172.35.16.12 with a subnet mask of 255.255.255.0 is :
0.0.0.12
a method, tool, or procedure for enforcing a security policy is called a:
security mechanism
[_____] is any sequence of one or more symbols given meaning by specific act(s) of interpretation.
data
Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset are called a :
vulnerability
Web session management commonly uses a session identifier stored in a [_________] sent from the client to the server.
cookie
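Worked example for the session-management cards above (session identifier in a cookie, web session, and the Secure-flag question). This is an added example, not part of the original flashcards: it generates a session identifier from the OS random source, builds a Set-Cookie value with the attributes a session cookie should carry, and audits any Set-Cookie value for the missing ones. The weak header it audits is a constructed sample.

```python
import secrets


def new_session_id() -> str:
    """256 random bits from the OS CSPRNG, URL-safe base64. Never a counter, a
    timestamp or anything derived from the username: an attacker must not be
    able to guess another user's identifier."""
    return secrets.token_urlsafe(32)


def session_cookie(name: str, session_id: str) -> str:
    """A Set-Cookie value with the attributes a session cookie should carry."""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header_value: str) -> list:
    """Findings for one Set-Cookie header value. Secure and HttpOnly are separate
    flags: Secure only keeps the cookie off plain HTTP; HttpOnly is what hides it
    from document.cookie (and therefore from script injected by XSS)."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or None
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script can read it via document.cookie")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite missing or None: sent on cross-site requests (CSRF)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: session survives browser close")
    return findings


if __name__ == "__main__":
    good = session_cookie("sid", new_session_id())
    weak = "sid=12345; Path=/; Secure"            # constructed weak header
    print("good:", audit_set_cookie(good))
    print("weak:", audit_set_cookie(weak))
```

The audit reads the header the server sends; the server still has to do the other half of session management, i.e. issue a fresh identifier on login, expire it on logout and after inactivity, and look the identifier up on every request rather than trusting anything else in the cookie.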
Permission validation and web session security occurs in the
logic tier
Encryption can provide four properties
confidentiality, integrity, authentication, non-repudiation
What is the five high-level functions described in the NIST Cybersecurity Framework core?
Identify
Protect
Detect
Respond
Recover
What are types of input for assessing an NIST CSF subcategory?
Maturity Level
Primary Threat
Likelihood of Threat Occurrence
Impact of Threat Occurrence
The NIST is a government agency that stands for National Information on Standards and Technology. T/F
FALSE: National Institute of Standards and Technology
Core, tiers, and [_________] are the three main components for the NIST Cybersecurity Framework.
profile
An IG1 enterprise’s biggest challenge to implementing security would be:
Limited IT department
The CIS CSCs and the NIST CSF are incompatible frameworks. T/F
FALSE
According to CIS Controls v8, Implementation Group 3 should implement all safeguards implemented by Group 2. T/F
TRUE
[BLANK] is completely addressing the root cause of a vulnerability by applying a patch, updating a configuration or deactivating an unnecessary service.
Remediation
Why is logging important? 1. Sometimes, logging records are the only evidence of a successful attack.
2. Logging plays a significant role in preventing attacks from occurring.
3. If properly instructed, logging can provide the time and place of every event that has occurred in your network or system.
4. Log records create an easy way to understand the scope of a breach without the need for reporting or filtering.
1, 3, 4
The last step of incident response is recovery. T/F
FALSE
The three main categories of logs are:
Networking Security, Operating System, and Application.
The Principle of [___________] states: A user, process, or program must be able to access only the information and resources that are necessary for its legitimate purpose.
Least Privilege
The first step of incident response is preparation. T/F
TRUE
The name of the dictionary used to serve as a common baseline standard for weakness identification, mitigation, and prevention efforts is:
Common Weakness Enumeration
The name of the 501(c)(3) organization that has a mission to make software security visible so that individuals and organizations are able to make informed decisions is:
Open Web Application Security Project
The name of the security weakness that matches the definition below: The lack of verification of proper access to the requested object (AKA OWASP 2021 A01)
Broken Access Control
What generic cybersecurity technique do we use to ensure the confidentiality of data in transit and at rest?
Encryption
Which of the following are OWASP design principles (select all that apply): 1. Minimize attack surface area
2. Keep security simple
3. Avoid security by obscurity
4. Use default settings
5. Principle of Least Privilege
6. Trust services
1, 2, 3, 5
What methodology is used in preventing attacks in SQL injection?
Parameterized Queries
What are the five core parameters of log management?
collection, storage, search, correlation, and output
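Worked example for the log-management card above and the earlier logging cards (the three log categories, and "log records are sometimes the only evidence of a successful attack"). This is an added example, not part of the original flashcards: it collects constructed sshd lines in syslog format into structured events, then correlates them to raise a brute-force alert and, more importantly, the alert for a success from a source that was just brute-forcing. The addresses come from the documentation ranges; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar 13 10:01:02 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 13 10:01:04 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 13 10:01:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 13 10:01:07 web1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar 13 10:01:09 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 13 10:01:11 web1 sshd[1206]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 13 10:01:12 web1 sshd[1207]: Failed password for jane from 198.51.100.4 port 40000 ssh2
Mar 13 10:01:20 web1 sshd[1208]: Accepted password for root from 203.0.113.7 port 51290 ssh2
Mar 13 10:03:00 web1 sshd[1209]: Accepted publickey for jane from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line: str, year: int = 2024):
    """Collection: turn one raw line into a structured event (syslog omits the year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def correlate(lines, threshold: int = 5, window_s: int = 60):
    """Correlation: N failures from one source inside the window is a brute force;
    a success from that source while the window is still hot is the alert that
    actually matters."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)
    alerts = []
    for e in events:
        window = [t for t in recent_failures[e["ip"]]
                  if (e["ts"] - t).total_seconds() <= window_s]
        recent_failures[e["ip"]] = window
        if e["result"] == "Failed":
            window.append(e["ts"])
            if len(window) == threshold:
                alerts.append({"type": "brute_force", "ip": e["ip"],
                               "host": e["host"], "at": e["ts"]})
        elif len(window) >= threshold:
            alerts.append({"type": "brute_force_success", "ip": e["ip"],
                           "user": e["user"], "host": e["host"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Jane's single failure followed by a key-based login two minutes later produces nothing, which is the point of the time window: correlation is about sequences from one source within a short span, not isolated events. In production the same logic runs against lines shipped by rsyslog to a central store, where the attacker cannot delete them after a successful login.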