101 Cards in this Set

Cybersecurity

The assessments of threats and the mitigation of risks

Threat Assessment

A structured process of identifying the risks posed to a group or system

Risk mitigation

The systematic process of reducing the impact of a negative event, and/or the likelihood that it will occur/reoccur.

Social engineering

The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by gaining confidence and trust



Examples: phishing, pretexting, baiting, quid pro quo, tailgating, shoulder surfing

Social Engineering Principles

Authority


Intimidation


Consensus/Social Proof


Scarcity


Urgency


Familiarity


Trust

Social Engineering - Authority

Using authority is most effective with impersonation, whaling, and vishing attacks.

Social Engineering - Intimidation

Intimidation might be through bullying tactics and is often combined with impersonation and/or vishing attacks.

Social Engineering - Consensus/Social Proof

This attack uses the principle that people are often more willing to like something that other people like. This can be accomplished via fake testimonials such as on imposter websites or rogueware websites. This is most effective with Trojans and hoaxes.

Social Engineering - Scarcity

This attack operates on the principle that people are often encouraged to take action when they think there is a limited quantity of something.



Scarcity is a psychology-based technique that is used to overcome users' objections and encourage immediate action.



Scarcity is often most effective with phishing and Trojan attacks. People often make quick decisions without really thinking them through.

Social Engineering - Urgency

Urgency is a psychology-based technique that is used to overcome users' objections and encourage immediate action. This principle is used by attackers to force their victims to make hasty decisions that later prove to be detrimental.



e.g. when an attacker puts a clock on a decision, such as a countdown timer after a warning that the victim will lose all their data in 72 hours unless they take a particular action.



Urgency is most effective with ransomware, phishing, vishing, whaling, and hoaxes.

Social Engineering - Familiarity/Liking

This operates on the principle that if you like someone, you are more likely to do what the person asks. An example is celebrity endorsements. Using this principle, social engineers attempt to build a rapport with the victim, building a relationship before launching the attack.



This is most effective with shoulder surfing and tailgating attacks.

Social Engineering - Trust

Building on the principle of familiarity/liking, some social engineers attempt to build a trusting relationship between themselves and the victim. This can take some time but can have tremendous payoffs.



This principle is most often used with vishing.

Phishing

The most common type of social engineering attack occurring today.



Phishing is a technique for attempting to acquire sensitive data, such as credit card numbers, usernames, or passwords, through fraudulent solicitation, e.g. an email in which the perpetrator pretends to be from a reputable business or person.



The 6 most common forms of phishing attacks are:



Deceptive phishing - emails that appear to be from a legitimate company or person in an attempt to steal people's personal data or login credentials, often using threats or urgency to scare users into doing what the threat actors want them to do.



Spear phishing - personalized phishing attacks. Customized attack emails with the target's legitimate details embedded into the email text.



Whaling - when spear phishers target executives in an attempt to steal their login credentials. If successful, they can use the credentials to infiltrate the network in order to deploy malware or rootkits, or they can perpetrate CEO fraud: using the compromised email account of the CEO or other executive to authorize fraudulent wire transfers, or leveraging the account to conduct W-2 phishing, in which they request W-2 information for all employees so they can file fake tax returns on their behalf or post the information on the dark web.



Vishing - phishing via telephone.



Smishing - phishing via text messaging.



Pharming - this method of phishing leverages DNS cache poisoning so that a website name resolves to the IP address of the malicious website.

Pretexting

An attacker uses a good pretext, or fabricated scenario, to attempt to steal their victim's personal information. Example - a scammer says they need certain bits of information to verify the victim's identity. Pretexting relies on building a false sense of trust with the victims, such as claiming to be from the HR or finance department.

Baiting

Baiting is similar to phishing except it uses the promise of a reward such as a movie, software or music download, to trick users into providing their login credentials. This type of attack is not restricted to online media. An example is an attacker sending out corrupted CDs or DVDs loaded with malware that appear to be something desirable.

Quid pro quo

Similar to baiting, but instead of promising goods, the promised benefit is in the form of a service, e.g. fraudsters impersonating the SSA (Social Security Administration) to obtain victims' personal information for the purposes of committing identity theft.

Tailgating

Aka piggybacking, in these types of attacks the threat actor attempts to infiltrate restricted areas by impersonating a delivery person or fellow employee and asking someone with actual credentials to hold the door for them so they can access the building.

Malware

Hardware, software, or firmware meant to perform an unauthorized process that will compromise the confidentiality, integrity, or availability of a system, e.g. a virus, worm, Trojan, adware, ransomware, or other code-based entity that infects the host.

Packet sniffer

Software that monitors network traffic on wired and wireless networks and captures packets. Packet sniffers are used by network managers to monitor and analyze traffic, but hackers also use them.

Man-in-the-middle (MITM) attack

An attack where the adversary positions themselves between the user and the system so that they can intercept and alter data traveling between them. e.g. a remote hacker can update information or manipulate software being downloaded to gain access or information from the target.

Brute force attack

An attack that involves trying all possible authentication combinations to find a match. These attacks are often used for attacking authentication and discovering hidden content and pages within a web application.

Code injection

This type of attack injects code into the target application to then be interpreted and executed e.g. HTML injections are used to change a website or to steal personal information (PII). HTML injections can occur via website link, data, or input fields on web forms.

Key logger

A program designed to record which keys are pressed on your keyboard. It can obtain usernames, passwords, or encryption keys and use them to bypass security measures.

CIA triad

Confidentiality


Integrity


Availability

User Attacks

Social Engineering


Phishing Attacks


Credential Reuse


Malware Attacks


Man in the Middle


Packet Sniffing


Computer Theft

Web Attacks

Brute-force Attacks


Code Injection


Faulty Sessions

Server Attacks

OS Exploit


Malicious Software

Database Attacks

Default Credentials


Unpatched Database


Lack of Segregation

CIA Triad - Confidentiality

The state of keeping or being kept secret or private.



Ensuring sensitive information does not reach unauthorized people.



Enforced via encryption and authentication.

CIA Triad - Integrity

The quality of being honest, whole, or undivided.



This refers to protecting information from being modified by unauthorized parties.



Mitigation - use a secure hashing algorithm and process when transferring sensitive data to make sure it cannot be intercepted or altered in transit.

CIA Triad - Availability

The quality of being able to be used or obtained.



Examples: DoS attacks to make it impossible for legitimate clients to use a service or make transactions, taking down a web-connected generator to disable a critical power supply.



Mitigation - creating regular backups and load-balancing server load.

Governance

The framework for managing performance and risk, oversight of compliance and control responsibilities, and defining the cyber mission by mapping the structure, authority, and processes to create an effective program.

Risk Assessment

Analyzes what can go wrong, how likely it is to happen, what the potential consequences are, and how tolerable the identified risk is.

Proper steps for implementation of a new security policy

1 - obtain support and commitment from management


2 - analyze risks to security


3 - implement appropriate controls


4 - review, test, and update procedures.

Proper steps for creating/ implementing an incident response process for a company

1 - preparation


2 - identification/ detection


3 - analysis


4 - containment


5 - eradication


6 - recovery

Proper steps for performing a BIA (Business Impact Analysis) for a set of critical servers as part of a risk management push

1 - identify threats


2 - remediate risks


3 - assign risk to each function or asset


4 - identify critical functions or processes


5 - identify assets and resources

Application Attacks

DDoS


XSS


DNS poisoning


SQL injection

Wireless Attacks

Bluejacking


Bluesnarfing


Evil twin


Rogue AP

Cryptographic Attacks

Birthday attack


Rainbow tables


Dictionary attack


Brute force



Birthday Attack - an attack on a hashing system that attempts to find two different messages that produce the same output under the same hashing function, causing a collision. A collision happens when two files have the same hash, which destroys their integrity.



Rainbow Tables - Rainbow tables use precomputed hashes in an attempt to recover the prehashed password.



Dictionary Attack: The attacker tries a list of known or commonly used passwords.



Brute Force Attack: Does not use a list of passwords; instead, it aims at trying all possible combinations in the password space.

Cyber Kill Chain

Reconnaissance


Weaponization


Delivery


Exploitation


Installation


Command and Control


Actions on Objectives

Viruses

A virus attaches itself to a host and requires activation in order to operate.



Boot sector virus - attacks the operating system, specifically the disk boot sector information, the partition table, and sometimes the file system



Program virus - code that inserts itself into executable programs. This virus becomes active once the infected program runs. Can be embedded in or attached to web pages or PDF files, which makes them difficult to detect.



Script virus - written in a scripting language such as JavaScript or Python or PostScript.



Macro virus - written in the same macro language used for software programs, such as Word or Excel. Since they are focused on an application and not an OS, they can infect any computer running any OS. When executed, they can infect every other document on the user's computer.



Multipartite virus - uses both boot sector and executable file infection methods to spread.

Worms

Worms do not need human interaction to activate.



Self-replicating programs, considered a memory-resident virus.



A worm does not need to attach itself to an executable file and instead can replicate over network resources



Quickly consume network bandwidth as they replicate



Can crash an OS or server application via a DoS attack



Can have a payload that performs further malicious actions

Trojans

A program that hides within something else. Can be embedded within a downloadable object, e.g. a Screensaver, software, or game

Remote Access Trojans (RATs)

RATs function as backdoor applications. Once the RAT is installed, the attacker can access the victim's computer and install files and software onto it.



Infected machines can be used as a botnet to launch a DDoS attack or send mass email spam.


Botnets are 2 or more zombie computers being remotely controlled by an attacker.

Spyware

A program that gains a hold on the victim's system and can be installed with or without the user's knowledge. Monitors user activity and sends the information to an external target.



Packet sniffers can be used as spyware



If the application is installed without the user's consent and/or cannot be easily removed, it is spyware.

Keyloggers

Captures the keystrokes of the intended victim. Can be software or hardware.

Adware

Any type of software or browser plug-in that displays or downloads advertisements via pop-ups.



If the user gives consent, whether intentionally or not, it is adware.

Backdoor

Remote access methods that are installed without the user's knowledge. Can be installed via malware, such as a Trojan, or by a malicious insider.



Can also be created by a software developer for testing and development of the software.



An example is a router configured with the default username and password.

Rootkits

Rootkits are a type of backdoor that is more difficult to detect and remove. Can change core system files and programming interfaces so that local shell processes can't show their presence if run from an infected machine.



Often installed in the kernel of the OS.

Vulnerability

Weaknesses that can be exploited by an attacker

Governance

Provides management frameworks for implementing security practices in an organization. It helps a business decide how to enforce its security practices by developing policies, standards, processes, and procedures

Risk Management

Helps an organization identify which assets are most important and determine how they are most likely to be compromised. The business then uses this information to decide how to best protect its most important and at-risk assets. This decision then helps inform the business's security practices.

Compliance

Compliance focuses on ensuring internal security policies are being followed, and verifying that the business is following relevant security laws currently in effect.

Policies

Policies are

Standards

Standards are

Processes

Processes are

Procedures

Procedures are

Proper steps for developing a security culture framework

1 - measure and set goals


Identify the particular security concerns


Define what people should do


Define a goal for how well you want the organization to perform


Measure how often employees currently perform the behavior properly to create a baseline in order to measure progress


2 - involve the right people


After defining the goals, inform the relevant employees of the new target


Includes security personnel and training officers


3 - create an action plan


A plan typically involves developing a training exercise that addresses the security issue at hand.


4 - execute the plan


After the plan has been formulated, run the training


5 - measure changes


Collect data on how well people are adhering to the guidelines taught in training and compare to the baseline to determine if the exercise is effective

C-Suite Officers

CEO - Chief executive officer


CIO - Chief information officer


CISO - Chief information security officer


COO - Chief operating officer


CFO - Chief financial officer


CTO - Chief technology officer


CPO - Chief product officer

Security controls

Administrative


Technical


Physical


Security controls - Administrative

e.g. Requiring employees to adhere to training guidelines

Security controls - Technical

e.g. Forcing developers to authenticate using SSH keys rather than passwords

Security controls - Physical

e.g. Protecting a building by requiring keycard access

Security goals

Preventative


Deterrent


Detective


Corrective


Compensating

Security goals - Preventative

Prevents access with physical or logical/technical barriers. e.g. keycard access

Security goals - Deterrent

Discourages attackers from attempting to access a resource

Security goals - Detective

Detective controls do not protect access to a confidential resource; rather, they identify and record attempted access.

Security goals - Corrective

Attempts to fix an incident and possibly prevent recurrence.

Security goals - Compensating

Does not prevent attacks but restores the function of compromised systems.

Vulnerability

The aspect of a business that can be exploited to compromise a system's CIA

Threat

An actor that might exploit a vulnerability. Threats can be intentional, unintentional, or due to natural disaster.

Risk

The possibility of losing something valuable. A risk will cost money if it occurs.

OWASP

Open


Web


Application


Security


Project

OWASP Top 10

1. Determine assessment scope


Listing the assets under consideration, determining their value, and defining objectives for your threat modeling assessment. Assets are often considered one at a time, beginning with an asset inventory.


2. Identify threat agents


A threat agent is a person or group that can actualize a threat, whether or not they are malicious.


3. Identify potential attacks


Identify which attacks each threat agent is likely to perform, based on how much skill or funding they have.


4. Identify exploitable vulnerabilities and points of failure


Identify ways for the data to enter or exit the system and which systems are likely to suffer security failures.


5. Rank/Prioritize Risks


Rank which potential attacks are most severe and most likely to occur.


6. Mitigate risks


Determine ways to mitigate the most serious risks you identified.

Qualitative Risk Analysis

The process of prioritizing risk based on intangible factors. Intuitive analysis. Faster than quantitative analysis and for high-level problems, can be just as effective.

Quantitative Risk Analysis

Calculated risk analysis that considers asset value and exposure factor, or how much of an asset will be affected in the event of a breach.

Loss Expectancies

A measure of how much money an organization will lose in the event of a given breach. There are 2 common methods of measuring loss expectancy, single loss expectancy (SLE) and annual loss expectancy (ALE).

SLE - Single Loss Expectancy

Calculated as SLE = AV (Asset Value) × EF (Exposure Factor)

ALE - Annual Loss Expectancy

Calculated as ALE = ARO (Annual Rate of Occurrence) × SLE

Annual Rate of Occurrence

An estimate of how many times a risk is likely to occur in a given year.

Signature-based IDS

Compares patterns of traffic to predefined signatures



Requires regular updates as new attack signatures are released



Vulnerable to attacks through packet manipulation that tricks the IDS into believing malicious traffic is good



Unable to detect zero-day attacks

Anomaly-based IDS

Compares patterns of traffic against a well-known baseline



Prone to issuing false alerts



Assumes normal network behavior never deviates from the well-known baseline



Excellent at detecting when an attacker probes or sweeps a network

Network IDS (NIDS)

Filters an entire subnet on a network


Matches all traffic to a known library of attack signatures


Passively examines network traffic at the points where it is deployed


Relatively easy to deploy and difficult to detect by attackers



Requires an administrator to react to an alert by examining what has been flagged

Host-based IDS (HIDS)

Runs locally on a host, such as a user's workstation or a server.



Acts as a second line of defense against malicious traffic that successfully bypasses a NIDS



Examines entire file systems on a host, compares them to previous snapshots or baselines, and generates an alert if there are significant differences between the two



Requires an administrator to react to an alert by examining what has been flagged

IDS and IPS differences

IDS physically connects via a network TAP (Test Access Port), or mirrored port, or SPAN (Switched Port Analyzer)


IDS requires an administrator to react to an alert by examining what has been flagged



IPS physically connects inline with the flow of data and is usually placed between a firewall and network switch



IPS requires more robust hardware due to the amount of traffic flowing through it


IPS automatically takes action by blocking and logging a threat, thus not requiring administrative intervention

IOA - Indicator of Attack

IOAs indicate attacks happening in real time



Proactive approach to intrusion attempts



Indicates that an attack is currently in progress but a full breach has not been determined or has not yet occurred



Focuses on revealing the intent and end goal of the attacker regardless of the exploit or malware used in the attack

IOCs - Indicators of Compromise

Indicates previous malicious activity



Reactive approach to successful intrusions



Indicate that an attack occurred, resulting in a breach



Used to establish an adversary's TTPs (tactics, techniques, and procedures)



Exposes all of the vulnerabilities used in an attack, giving network defenders the opportunity to revamp their defenses as part of their mitigation strategy, and learn from an attack so it won't happen again

NSM (Network Security Monitoring)

NSM is threat-centric, primarily focusing on the adversary and not the vulnerabilities



Focuses on the visibility of an attack, not the response to the attack



Reveals statistical data related to specific IOAs and IOCs from attacks

NSM stages

Detection


Collection


Analysis


Response


Escalation


Resolution

What is Wireshark?

Wireshark is a protocol analyzer

Due process

Protecting and respecting the rights of the employees.

Due care

Due care is the mitigation action an organization takes to defend against the risks that have been discovered during due diligence.



Due care is a way to implement something right away in order to perform mitigation procedures.



In order to perform due care, the organization must first perform due diligence

Due diligence

Due diligence is making sure the right thing was done correctly, and determining whether it is necessary to do it again or whether further research is required.

Playbook

A Cybersecurity Playbook is a step-by-step document that an organization uses to outline the procedures on how to respond to specific incidents.



Playbooks allow for the IRT (Incident Response Team) to pick up the playbooks in the event of an incident and use them as a guide to begin responding right away.

Pharming

Pharming is a type of DNS poisoning where a HOSTS file is changed to point a friendly URL to a malicious website. The user is tricked into accessing the malicious website and entering sensitive information such as a username and password.

Ping of Death Attack

A ping of death sends a packet larger than 65,535 bytes, which overflows the target system's memory buffers. The flooded memory resources cause the target system to crash. It is an older attack that is usually stopped by routers or the operating system.

CSF (Cybersecurity Framework) 5 core functions

1. Identify


2. Protect


3. Detect


4. Respond


5. Recover

Multi-partite virus

Multi-partite viruses first attack the boot sector. With the boot sector infected, the virus can then ensure that it's loaded each time the system boots. With the virus in memory, it can then attack personal files and system files to deliver its payload.

OCSP

Online


Certificate


Status


Protocol

SAN (network)

Storage


Area


Network

SAN (certificates)

Subject


Alternative


Name


A SAN is an extension field on a web server certificate that uses multiple subdomain labels to support the identification of the server.