1. Intro - Control Questions Flashcards Preview

IT Biztonság > 1. Intro - Control Questions > Flashcards

Flashcards in 1. Intro - Control Questions Deck (20)
Loading flashcards...
1
Q

What kind of risks are relevant for IT security?

Milyen fajta kockázatok relevánsak az IT biztonságban?

A

○ the loss of confidentiality, integrity, or availability (CIA) of information that is processed, stored,
and transferred by IT systems
○ the unauthorized access, corruption, or denial of services that are provided by IT systems
○ → completely preventing such incidents is not possible in general the goal should be to ”minimize”
the risk of getting compromised

  • a tárolt és feldolgozott adatok integritásának, elérhetőségének és bizalmasságának elvesztése
  • IT rendszerek által biztosított szolgáltatások jogtalan hozzáférése, korrupciója vagy a kiszolgálás megtagadása
  • -> nem lehet ezeknek az előfordulásának a lehetőségét teljesen megszüntetni, ezért inkább minimalizálni kell a kompromizáció kockázatát
2
Q

What is the difference between safety and security?

A
  • safety focuses on risk resulting from random failures, accidents, and natural disasters
    / véletlenszerű meghibásodások, balesetek és természeti katasztrófákból következő kockázatokra koncentrál /
  • security focuses on risk resulting from deliberate attacks carried out by intelligent attackers (malice)
    / intelligens támadók által elkövetett szándékos támadásokra koncentrál /
3
Q

What factors do determine the IT security risk?

A

○ threats – entities who can do you harm (a.k.a. attackers)
» skill level, motive, opportunity, resources, …
○ vulnerabilities – weaknesses that can be exploited
» ease of discovery, ease of exploitation, awareness, …
○ countermeasures – precautions you take
» technical and non-technical

fenyegetések – alanyok, akik kárt okozhatnak (támadók)
» szakismeret, motiváció, lehetőség, erőforrások
sebezhetőségek/gyengeségek – amiket kihasználhatnak mások
»
ellenintézkedések – óvintézkedések, amiket megtehetsz
» technikai és egyéb

4
Q

What type of vulnerabilities do exist in IT systems?

A

○ technical – design flaws and implementation errors in hardware, software, systems, and protocols
○ physical – weaknesses allowing for physical access (e.g., unlocked door)
○ operational – weaknesses in the procedures used to operate the system
○ personnel – lack of security awareness, know-how, and trustworthiness of people (employees,
operators, contractors)

5
Q

Why those vulnerabilities (in IT systems) do occur in practice?

A

○ IT systems are designed, implemented, and operated by humans (imperfect and sometimes
irrational)
○ IT systems are increasingly complex
■ easy to overlook flaws
■ hard to test completely
○ business constraints strongly influence the selection of a trade-off among functionality, usability,
and security
■ increased security makes a system more difficult to sell (or to operate)
● users are looking for more features and better usability, but …
● security is at odds of usability and large number of features
■ different pressures during development result in neglecting security
● minimizing time-to-market
● limits on budget and work power

6
Q

What does vulnerability management mean?

A

○ reported technical vulnerabilities get a globally recognized identifier
■ CVE ID – Common Vulnerabilities and Exposures (cve.mitre.org)
○ information on reported technical vulnerabilities is stored in public vulnerability databases
■ structured vulnerability information in a searchable form
■ example: US National Vulnerability Database (nvd.nist.gov)
○ public availability of vulnerability information helps keeping systems free from known
vulnerabilities
■ this alone can dramatically decrease the risk one faces
■ on the other hand, there may be systems where fixing known vulnerabilities is slow or even
impossible
● introducing patches requires extensive testing or needs special authorizations
● but at least you can count with those vulnerabilities when calculating the risk

7
Q

What are zero-day vulnerabilities? Why are they important?

A

○ vulnerabilities that are known only to potential attackers
○ represent great advantage (hence value) for attackers
○ however, they are hard to find (or expensive to buy)
■ some companies make their living out of finding and selling zero-day vulnerabilities (or
exploits) to criminals and governments
○ often used only in targeted attacks, where …
■ successfully compromising a particular target is important
■ risk of detection and exposure of the zero-day vulnerability is small (exposed zero-day
vulnerabilities induce substantial loss for attackers)

8
Q

What type of countermeasures do exist that reduce the risk? Give some examples for each type!

A

○ technical – host and network security controls
■ e.g., firewalls, anti-virus software, authentication tokens, security protocols, cryptographic
algorithms, …
○ physical – countermeasures providing physical security
■ e.g., locks, fences, security guards, tamper resistant hardware, …
○ operational – policies and procedures related to the operation of the system and management of the
personnel
■ e.g., password changing policies, key management procedures, regular security testing, …
■ e.g., hiring and firing procedures, promotion procedures, vacation policies…
○ personnel – measures for increasing security awareness and trustworthiness of people
■ e.g., security education, increasing employee satisfaction with good salaries

9
Q

What is the difference between risk minimization and risk optimization?
What kind of questions do we need to answer during risk optimization?

A

○ we said the goal of security is to ”minimize” the risk of attacks
○ the goal is actually not risk minimization in an absolute sense (that would require to remove as
much risk as possible, no matter the costs)
○ rather, we want to minimize the risk under some budget constraint risk optimization
■ What are the plausible threats?
■ What are the known vulnerabilities?
■ What is the likelihood of those vulnerabilities being exploited by the plausible threats?
■ What is the expected loss?
■ What countermeasures can reduce the risk in a cost effective way?

10
Q

What are the aspects of threat classification?

A

○ motivations
○ information gathering capabilities
○ level of technical expertise
○ amount of resources

11
Q

What type of information is useful to collect before an attack?

A

○ useful information include:
■ general system architecture, available services, used hardware and software components and
their configuration settings, network topology and technology
■ employed security mechanisms (firewall, IDS, anti-virus, …)
■ known vulnerabilities of the used system elements and security solutions
■ who are the users and what are their access rights?

12
Q

What levels of technical expertise can we distinguish?

A

○ understanding of the operation of computer systems and networks
○ being familiar with known vulnerabilities and exploit techniques
○ ability to discover new vulnerabilities and construct exploits – …

13
Q

What can financial resources be converted to?

A

○ financial resources can be used to
■ increase information gathering capabilities
● » e.g., bribery, ransom, purchase of technical documentations, advanced social
engineering, or even use of intelligence approaches (OSINT, SIGINT)
■ deepen technical expertise
● » hiring of experts
● » improving own competencies and capabilities
■ obtain advanced attack tools and methods
● » zero-day exploits
● » advanced cryptanalysis tools
● » increased computing power

14
Q

What typical threat models do exist?
Summarize each of those models in terms of attacker motivations, level of technical expertise,
information gathering capabilities, and available financial resources!

A

○ Script Kiddie
■ motivations:
● self-expression
● achieving some status
■ technical expertise: limited
● uses tools and methods developed by others
● may minimally extend existing tools, or combine them in new ways
● may improve in the long-term (education, self-study, practice)
■ information gathering capability: limited
● mainly publicly available information
● basic social engineering tricks
■ financial resources: limited
■ no strategic planning, opportunistic target selection
● chooses targets that seem to be easy to compromise
● potential success due to negligence on the system owner’s side
○ Disgruntled employee
■ motivations:
● revenge (typically after having been fired, or still as an employee)
■ can be very determined, sometimes even irrational
● well defined objectives, concious target selection
■ information gathering capabilities: potentially advanced
● former employee or still empoyed → internal access to information
● may have very detailed technical knowledge about the system
● has personal connections to other employees (effective social engineering)
■ technical expertise: potentially advanced
● depends on his (former) role in the company
■ financial resources: limited
■ example:
● sabotage against the Maroochy Shire (Australia) waste water management system
○ Hacktivist group
■ loosely organized group of amateurs
■ motivations :
● spread or defense of some political or social ideology
● objectives are often related to actual events (visible response to the event)
● no long term strategy, ad hoc campaigns
■ information gathering capabilities: limited
● no resources to obtain internal information
● may try to gather information by technical means (hacking)
■ technical expertise: variable
● few leaders who have potentially strong technical background and connections to
cyber criminal circles
● lot of followers who do what they are told to do
■ financial resources: limited
■ examples: Anonymous, Syrian Electronic Army
○ Terrorist organization
■ increased use of computers, but mainly as an auxiliary tool
● searching and storing information, plans, designs
● using hacking to obtain intelligence before physical attacks
● in the future, maybe simultaneous physical and cyber attacks (no example yet)
■ motivations:
● spread or defense of political or religious ideology
● determined, sometimes irrational behavior
● well defined objectives, strategic planning and target selection
■ information gathering capabilities: limited
■ technical expertise: limited
● although, they may have links to cyber criminal organizations
■ financial resources: potentially large
■ examples: no example yet
○ Cybercrime organization
■ one of the largest threat today for ordinary users and organizations
■ motivations:
● financial profit
● well-defined objectives and large scale attack campaigns in space and time
■ information gathering capabilities: potentially advanced
● mainly using technical approaches, such as spyware, hacking into servers, phishing,
and social engineering
■ technical expertise: advanced
● can employ expert hackers
● can buy exploits, malware, and other advanced attack tools
■ financial resources: potentially large
■ examples: many …
○ State sponsored attacker
■ motivations:
● political or economical, aligned with motivations of the sponsor state
● has clear objectives (espionage or sabotage), performs strategic planning, and carries
out long-term, targeted operations
■ information gathering capabilities: advanced
● cyber espionage and surveillance tools
● traditional intelligence gathering (e.g., SIGINT)
■ technical expertise: advanced
● complex research, development, and training programs
● can employ or train expert hackers
● can buy zero-day exploits, malware, and other advanced attack tools legitimately
■ financial resources: large
■ examples: APT1 (PLA 61398), TAO

15
Q

How the cyber underground is organized?

What are the actors and what kind of infrastructure do they use?

A

○ different actors that collaborate and trade with each other
■ specialized roles
■ mutual benefits (win-win situations, non-zero sum games)
○ products and services are sold and bought on underground markets
■ on-line interactions using various communication infrastructure
■ anonymous payment methods such as WU, e-gold, or bitcoin
○ communication infrastructure
■ IRC (Internet Relay Chat) networks
■ social networks and public forums
■ anonymous communication systems (e.g., Tor)
○ Actors:
■ information dealers
● make profit by selling valuable information
● examples:
○ customer data (can be used for identity theft)
○ account credentials, credit card numbers
○ technical information, such as security vulnerabilities
■ resource dealers
● make profit by selling computing or human resources –
● examples:
○ create, maintain, and expand botnets
○ broking hackers
○ recruiting low level workers for attack campaigns
■ service providers
● make profit by offering different services
● examples:
○ bullet-proof hosting
■ offer locations to store attack content (exploit code, malware, and
stolen data)
■ typically offshore, based in safe havens (for attackers) such as Russia
and China
○ proxy, VPN, and re-direction services
○ running a spam or DDoS campaign
○ special malware checking services
○ social engineering and hacking-as-a-service
■ R&D people, tool makers
● make profit by creating and selling custom-ordered attack tools, such as malware,
packers, exploit code, DDoS tools, …
● before release, the product is put through a QA process to ensure that all is
functioning well and potentially evading detection
■ criminals, fraudsters, and attack launchers
● pay for information, resources, attack tools and services
● launch attacks such as financial fraud, spam, DDoS, and other crimes
■ cashiers or ”money mules”
● people who are knowingly or unknowingly used to launder money
○ anonymously move money from one country or bank account to another
○ typically through anonymous wire transfer services such as Western Union
● several mules, anonymous services and various bank accounts are used in order to
make it harder for authorities to trace funds and to place legal responsibility on the
mules themselves

16
Q

What types of products and services are offered on the underground market?

A
○ Credit card credentials
○ Scanned fake document
○ Trojan
○ Exploit kit
○ Crypter
○ Dedicated-/Bulletproof-server hosting
○ Proxy-server hosting
○ Traffic-to-download conversation
○ DDoS attack
○ Spamming
○ Flooding
○ Malware checking against security software
○ Hacking
17
Q

What are the distinguishing features of targeted attacks?

A

○ targeted = victim is not random, but chosen on purpose –
■ a given organization or (set of) individual(s)
○ highly customized tools and intrusion techniques
■ malware delivery by spear phishing and social engineering
■ using partners in the supply chain as stepping stones
■ multiple different exploits (often 0-day or very fresh)
○ stealthy operation and persistence
■ bypassing mainstream AV and security products without detection
■ careful design and intensive testing to avoid any anomalies
○ well-funded and well-staffed organizations behind
■ military or state intelligence
■ large companies (competitors)

18
Q

What are the typical objectives of targeted attacks?

A

typically organizations of strategic importance, such as government agencies, defense contractors,
high profile manufacturers, critical infrastructure operators and their partner ecosystem

19
Q

What is Stuxnet, and why is it important?

A

○ “the Most Menacing Malware in History” (Kim Zetter, Wired)
○ targeted the Natanz nuclear enrichment plant in Iran
○ used multiple zero-day exploits
○ possibly created by Western nation states

20
Q

What types of organizations have higher chances to be victims of targeted attacks?

A

○ typically organizations of strategic importance, such as government agencies, defense contractors,
high profile manufacturers, critical infrastructure operators and their partner ecosystem