2.1 Common Threats Flashcards

1
Q

2.1.1 Threat Domains

A

A threat domain is considered to be an area of control, authority, or protection that attackers can exploit to gain access to a system.

2
Q

2.1.2 Types of Cyber Threats

A

Cyber threats can be classified into different categories. This allows organizations to assess the likelihood of a threat occurring and understand the monetary impact of a threat so that they can prioritize their security efforts.

3
Q

Software attacks

A

A successful denial-of-service (DoS) attack
A computer virus

4
Q

Software errors

A

A software bug
An application going offline
A cross-site scripting (XSS) flaw or an unauthorized file server share

5
Q

Sabotage

A

An authorized user successfully penetrating and compromising an organization’s primary database
The defacement of an organization’s website

6
Q

Human errors

A

Inadvertent data entry errors
A firewall misconfiguration

7
Q

Theft

A

Laptops or equipment being stolen from an unlocked room

8
Q

Hardware failures

A

Hard drive crashes

9
Q

Utility interruption

A

Electrical power outages
Water damage resulting from sprinkler failure

10
Q

Natural disasters

A

Severe storms such as hurricanes or tornadoes
Earthquakes
Floods
Fires

11
Q

2.1.3 Internal vs External Threats

A

Threats can originate from both within and outside of an organization, with attackers seeking access to valuable sensitive information such as personnel records, intellectual property, and financial data.

Internal threats are usually carried out by current or former employees and other contract partners who accidentally or intentionally mishandle confidential data, or who endanger servers and network infrastructure devices by connecting infected media or by opening malicious emails or websites.

The source of an external threat typically stems from amateur or skilled attackers who can exploit vulnerabilities in networked devices or can use social engineering techniques, such as trickery, to gain access to an organization’s internal resources.

12
Q

2.1.5 User Threats and Vulnerabilities

A

A user domain includes anyone with access to an organization’s information system, including employees, customers, and contract partners. Users are often considered to be the weakest link in information security systems, posing a significant threat to the confidentiality, integrity, and availability of an organization’s data.

13
Q

No awareness of security

A

Users must be aware of and understand an organization’s sensitive data, security policies and procedures, technologies, and countermeasures that are implemented in order to protect information and information systems.

14
Q

Poorly enforced security policies

A

All users must be aware of and understand an organization’s security policies, as well as the consequences of non-compliance.

15
Q

Data Theft

A

Data stolen by users can pose a significant financial threat to organizations, both in terms of the resulting damage to their reputation and the legal liability associated with the disclosure of sensitive information.

16
Q

Unauthorized downloads and media

A

Many network and device infections and attacks can be traced back to users who have downloaded unauthorized emails, photos, music, games, apps, or videos to their computers, networks, or storage devices. The use of unauthorized media such as external hard disks and USB drives also poses a threat.

17
Q

Unauthorized VPNs

A

An unauthorized VPN can conceal the theft of data: the same encryption that normally protects confidentiality also prevents a network administrator from inspecting what is being transmitted, so exfiltration over the tunnel is invisible to network monitoring (unless the administrator is authorized and equipped to decrypt it).

18
Q

Unauthorized websites

A

Accessing unauthorized websites can pose a risk to a user's data and devices, as well as to the organization itself. Often, these websites prompt users to download scripts or plugins that contain malicious code or adware. Some of these sites can even take control of device hardware such as cameras, or of the applications running on the device.

19
Q

Destructions of systems, applications and data

A

The accidental or deliberate destruction or sabotage of systems, applications, and data poses a serious risk to all organizations. Activists, disgruntled employees, or industry competitors may attempt to delete data and destroy or misconfigure devices to make organizational data and information systems unavailable.

20
Q
A

Always keep in mind that there are no technical solutions, controls, or countermeasures that will make information systems any more secure than the behaviors and processes of the people who use these systems.

21
Q

2.1.6 Threats to Devices

A

Any devices left powered on and unattended pose the risk of someone gaining unauthorized access to network resources.
Downloading files, photos, music, or videos from unreliable sources could lead to the execution of malicious code on devices.
Cybercriminals often exploit security vulnerabilities within software installed on an organization’s devices to launch an attack.
An organization’s information security teams must try to keep up to date with the daily discovery of new viruses, worms, and other malware that pose a threat to their devices.
Users who insert unauthorized USB drives, CDs, or DVDs run the risk of introducing malware, or compromising data stored on their device.
Policies are in place to protect an organization’s IT infrastructure. A user can face serious consequences for purposefully violating such policies.
Using outdated hardware or software makes an organization’s systems and data more vulnerable to attack.

22
Q

2.1.7 Threats to the Local Area Network

A

The local area network (LAN) is a collection of devices, typically in the same geographic area, connected by cables (wired) or airwaves (wireless).

Because users can access an organization’s systems, applications, and data from the LAN domain, it is critical that it has strong security and stringent access controls.

Examples of threats to the LAN include:

Unauthorized access to wiring closets, data centers and computer rooms
Unauthorized access to systems, applications and data
Network operating system or software vulnerabilities and updates
Rogue users gaining unauthorized access to wireless networks
Exploits of data in transit
Having LAN servers with different hardware or operating systems makes managing and troubleshooting them more difficult
Unauthorized network probing and port scanning
Misconfigured firewalls
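
The last item in the list is the one a practitioner can actually test for. The following is an added example, not code from the course, that audits a first-match rule list for the two mistakes behind most "misconfigured firewall" findings: an allow rule that exposes a remote-administration port to any source, and a rule that is shadowed because an earlier, broader rule always matches first. The rule syntax (`<action> <proto> <src> -> <dst> <port>`) is an assumed toy format, and both rule sets are constructed for the example.

```python
"""Audit a first-match firewall rule list for over-permissive allows and for
rules shadowed by an earlier, broader one.  Added example, not from the course;
the rule syntax is an assumed toy format and the two rule sets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ADMIN_PORTS = {22, 23, 445, 3389, 5900}   # SSH, telnet, SMB, RDP, VNC


@dataclass(frozen=True)
class Rule:
    line: int
    action: str                     # 'allow' or 'deny'
    proto: str                      # 'tcp', 'udp' or 'any'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]             # None means any port


def _net(text):
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


def parse_rules(text):
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        action, proto, src, arrow, dst, port = raw.split()
        if arrow != "->" or action not in ("allow", "deny"):
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        rules.append(Rule(n, action, proto, _net(src), _net(dst),
                          None if port == "any" else int(port)))
    return rules


def covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`: with
    first-match semantics, `inner` can never fire if `outer` precedes it."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.port is None or outer.port == inner.port))


def audit(rules):
    """Return (line, finding) pairs in rule order."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src.prefixlen == 0:     # source is 'any'
            if r.port is None and r.dst.prefixlen == 0:
                findings.append((r.line, "catch-all-allow"))
            elif r.port is None:
                findings.append((r.line, "all-ports-open-to-any"))
            elif r.port in ADMIN_PORTS:
                findings.append((r.line, "admin-port-open-to-any"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.line, f"shadowed-by-line-{earlier.line}"))
                break
    return findings


# Constructed weak policy: SSH reachable from anywhere, a deny that can never
# fire, and an 'allow everything' rule placed ahead of the final deny.
WEAK_RULES = """
allow tcp any -> 10.0.0.0/8 443
allow tcp any -> 10.0.10.5 22
deny tcp 203.0.113.0/24 -> 10.0.10.5 22
allow any any -> any any
deny any any -> any any
"""

# Constructed corrected policy: SSH only from the management subnet, default deny last.
HARDENED_RULES = """
allow tcp any -> 10.0.0.0/8 443
allow tcp 10.0.250.0/24 -> 10.0.10.5 22
deny any any -> any any
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(parse_rules(text)) or "no findings")
```

The shadowing check is the one most often missed in manual review: the deny for 203.0.113.0/24 in the weak policy looks like a mitigation, but it sits below an allow that already matches the same traffic, so it never takes effect. Real firewalls add stateful matching, interfaces and rule groups, but the coverage test above is the same comparison their own policy analysers make.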

23
Q

2.1.8 Threats to the Private Cloud

A

The private cloud domain includes any private servers, resources, and IT infrastructure available to members of a single organization via the internet. While many organizations feel that their data is safer in a private cloud, this domain still poses significant security threats, including:

Unauthorized network probing and port scanning
Unauthorized access to resources
Router, firewall or network device operating system or software vulnerabilities
Router, firewall or network device configuration errors
Remote users accessing an organization’s infrastructure and downloading sensitive data

24
Q

2.1.9 Threats to the Public Cloud

A

Where a private cloud domain hosts computing resources for a single organization, the public cloud domain is the entirety of computing services hosted by a cloud service or internet provider that are available to the public or shared across organizations.

25
Q

2.1.10 Threats to Applications

A

The application domain includes all of the critical systems, applications, and data used by an organization to support operations. Increasingly, organizations are moving applications such as email, security monitoring, and database management to the public cloud.

Common threats to applications include:

Someone gaining unauthorized access to data centers, computer rooms, wiring closets or systems
Server downtime during maintenance periods
Network operating system software vulnerabilities
Data loss
Client-server or web application development vulnerabilities

26
Q

2.1.12 Threat Complexity

A

An advanced persistent threat (APT) is a continuous attack that uses elaborate espionage tactics involving multiple actors and/or sophisticated malware to gain access to the target’s network.
Attackers remain undetected for a long period of time, with potentially devastating consequences. APTs typically target governments and high-level organizations and are usually well-orchestrated and well-funded.

As the name suggests, algorithm attacks abuse the behavior of algorithms inside legitimate software to produce unintended results. For example, the algorithms a system uses to track and report its own energy consumption can be abused to select targets or trigger false alerts, and crafted input can drive a program to exhaust its RAM or saturate its central processing unit (CPU).
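
One concrete instance of the resource-exhaustion case is a decompression bomb: a few kilobytes of compressed input that a trusting decompressor inflates into many megabytes. The example below is added here and is not from the course; it builds such a payload in-process from a run of zero bytes, shows the naive call that follows it all the way into memory, and beside it a bounded decompressor that inflates in steps and stops as soon as the output exceeds a cap. The size cap and chunk size are assumptions for the example.

```python
"""Resource-exhaustion attack on a legitimate algorithm (a zlib decompressor)
and the bounded variant that defeats it.  Added example, not from the course;
the 'bomb' is constructed in-process from zero bytes."""
import zlib

CHUNK = 64 * 1024          # inflate this much at a time so the cap is enforced early


def make_bomb(inflated_size):
    """Zero bytes compress roughly 1000:1, so a 16 MiB run fits in ~16 KiB."""
    return zlib.compress(b"\0" * inflated_size, 9)


def naive_inflate(blob):
    """What most code does: trust the input and inflate it all into memory.
    The caller has no control over how large the result becomes."""
    return zlib.decompress(blob)


def bounded_inflate(blob, max_out):
    """Inflate in CHUNK-sized steps and abort as soon as the output exceeds
    max_out bytes, long before the attacker's full expansion is realised."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = blob
    while pending:
        out += d.decompress(pending, CHUNK)   # at most CHUNK bytes of output
        pending = d.unconsumed_tail           # input zlib did not get to yet
        if len(out) > max_out:
            raise ValueError(f"decompressed output exceeds {max_out} bytes; aborting")
    out += d.flush()                          # drain anything still buffered
    if len(out) > max_out:
        raise ValueError(f"decompressed output exceeds {max_out} bytes; aborting")
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)


def demo(inflated_size=16 * 2**20, limit=2**20):
    """Return (compressed_size, blocked): did a 1 MiB cap stop a 16 MiB bomb?"""
    bomb = make_bomb(inflated_size)
    try:
        bounded_inflate(bomb, limit)
        blocked = False
    except ValueError:
        blocked = True
    return len(bomb), blocked


if __name__ == "__main__":
    size, blocked = demo()
    print(f"bomb is {size} bytes compressed; bounded inflate blocked it: {blocked}")
```

The same pattern applies to any decoder whose output size is controlled by the input (archive formats, image decoders, XML entity expansion): decode incrementally and enforce a budget on the output, never on the input alone.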

27
Q

2.1.13 Backdoors and Rootkits

A
28
Q

Backdoors

A

Backdoor programs, such as Netbus and Back Orifice, are used by cybercriminals to gain unauthorized access to systems by bypassing the normal authentication procedures.

Cybercriminals typically trick authorized users into unknowingly running a remote administration tool (RAT) on their computer that installs a backdoor. The backdoor gives the criminal administrative control over the target computer. Backdoors grant cybercriminals continued access to a system even after the organization has fixed the original vulnerability used to attack it.

29
Q

Rootkits

A

A rootkit is malware designed to modify the operating system to create a backdoor that attackers can then use to access the computer remotely.

Most rootkits take advantage of software vulnerabilities to gain access to resources that normally shouldn’t be accessible (privilege escalation) and modify system files.

Rootkits can also modify system forensics and monitoring tools, making them very hard to detect. In most cases, a computer infected by a rootkit has to be wiped and any required software reinstalled.
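
Because a rootkit tampers with the tools that would normally report it, detection relies on comparing two views of the system that the rootkit is unlikely to have subverted in the same way. The following added example (not code from the course; Linux only) performs the classic cross-view check for hidden processes: it compares the PIDs a directory listing of /proc reports with the PIDs the kernel confirms when each is probed directly with kill(pid, 0). A rootkit that filters directory listings or hooks ps leaves the second view intact. Thread IDs answer kill() without appearing in the listing, so they are filtered out via /proc/<tid>/status; the PID sets used in the test are constructed.

```python
"""Cross-view detection of hidden processes: compare what a /proc listing
shows with what the kernel admits to when asked PID by PID.  Added example
(Linux only), not from the course."""
import os


def listed_pids():
    """Visible view: PIDs a directory listing of /proc reports."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(limit):
    """Independent view: kill(pid, 0) delivers no signal, but it succeeds (or
    fails with EPERM) only when the PID exists, and fails with ESRCH otherwise."""
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:      # exists, owned by another user
            alive.add(pid)
        except ProcessLookupError:   # no such process
            pass
    return alive


def is_thread(pid):
    """Thread IDs answer kill() but are not listed in /proc; their status file
    shows Tgid != Pid.  If the status file cannot be opened at all, keep the
    PID as a suspect rather than silently excusing it."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def hidden(listed, probed, thread_check=is_thread):
    """PIDs the kernel confirms but the listing omits, minus plain threads.
    Processes that exit between the two views also land here, so a real scan
    repeats and keeps only PIDs that persist across several samples."""
    return sorted(pid for pid in probed - listed if not thread_check(pid))


def scan(limit=None):
    """Probe every PID up to pid_max and report the ones the listing hides."""
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = int(f.read())
    return hidden(listed_pids(), probed_pids(limit))


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", suspects or "none")
```

A kernel-mode rootkit that hooks the system call table rather than the filesystem can lie to both views, which is why the advice above to wipe and reinstall stands; cross-view checks find the common case, not every case.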

30
Q

2.1.14 Threat Intelligence and Research Sources

A

The Common Vulnerabilities and Exposures (CVE) program is sponsored by the U.S. Department of Homeland Security through the Cybersecurity and Infrastructure Security Agency (CISA), into which the United States Computer Emergency Readiness Team (US-CERT) was absorbed. CVE identifiers have been widely adopted as the standard way to describe and reference known vulnerabilities.

Each CVE entry contains a standard identifier number, a brief description of the security vulnerability, and any important references to related vulnerability reports. The CVE list is maintained by a not-for-profit, the MITRE Corporation, on its public website.

31
Q

The Dark Web

A

This refers to web content that is not indexed by conventional search engines and requires specific software, authorization, or configuration (for example an overlay network such as Tor) to access. Threat researchers monitor dark web forums and markets for new threat intelligence, such as leaked credentials and the sale of access to compromised networks.

32
Q

Indicator of Compromise (IOC)

A

IOCs such as malware signatures or malicious domain names provide evidence of security breaches and details about them.

33
Q

Automated Indicator Sharing (AIS)

A

Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of cybersecurity threat indicators using a standardized and structured language. Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) are the standards used in AIS: STIX is the JSON format that describes indicators and other threat objects, and TAXII is the HTTPS-based protocol for publishing and retrieving them.
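
The two cards above, IOCs and the STIX format AIS delivers them in, meet in the everyday task of sweeping logs for indicators. The following added example (not code from the course) builds minimal STIX 2.1 Indicator objects carrying a domain, an IPv4 address and a file hash, parses their single-comparison patterns, and matches the extracted IOC values against constructed log lines. The hostnames, addresses, hash and log lines are all constructed for the example and use reserved test ranges (.test, 198.51.100.0/24); fetching indicators from a TAXII collection is left out so the block runs offline.

```python
"""Build STIX 2.1 Indicator objects (the format AIS exchanges over TAXII) and
sweep constructed log lines for the IOCs they carry.  Added example, not from
the course; every indicator, address, hostname and log line is constructed."""
import hashlib
import re
import uuid
from datetime import datetime, timezone

# A single-comparison STIX pattern: [object-type:property = 'value']
_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_pattern(pattern):
    """Return (object_type, property, value) for a single-comparison pattern.
    Compound patterns (AND / OR / FOLLOWEDBY) are out of scope and rejected."""
    m = _PATTERN.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    return m.group(1), m.group(2), m.group(3)


def make_indicator(name, pattern):
    """Minimal STIX 2.1 Indicator SDO with its required properties."""
    parse_pattern(pattern)                       # fail early on a bad pattern
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
    }


# Constructed hash so that no real artefact is referenced.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample, not a real file").hexdigest()

INDICATORS = [
    make_indicator("staging host", "[domain-name:value = 'files.bad-updates.test']"),
    make_indicator("C2 address", "[ipv4-addr:value = '198.51.100.23']"),
    make_indicator("dropper hash", f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']"),
]

# Constructed log lines: <timestamp> <source> key=value ...
LOGS = [
    "2024-05-01T10:02:11Z dns client=10.0.4.21 query=update.example-cdn.test type=A",
    "2024-05-01T10:02:13Z proxy client=10.0.4.21 dst=198.51.100.23:443 host=files.bad-updates.test bytes=128934",
    f"2024-05-01T10:03:40Z edr host=ws-0421 event=file_create path=C:\\Users\\a\\Downloads\\invoice.exe sha256={SAMPLE_SHA256}",
    "2024-05-01T10:05:02Z dns client=10.0.4.30 query=www.example.com type=A",
]


def parse_log(line):
    ts, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return ts, source, kv


def _matches(obj_type, ioc, field_value):
    """Compare one log field with one IOC, normalising per object type."""
    v = field_value
    if obj_type == "ipv4-addr":
        v = v.split(":")[0]                      # drop a trailing port
    elif obj_type == "file":
        v, ioc = v.lower(), ioc.lower()          # hex digests are case-insensitive
    return v == ioc


def sweep(indicators, logs):
    """Return (line_no, indicator_id, ioc_value) for every matching log line."""
    parsed = [(ind["id"], *parse_pattern(ind["pattern"])) for ind in indicators]
    hits = []
    for n, line in enumerate(logs, 1):
        _, _, kv = parse_log(line)
        for ind_id, obj_type, _prop, ioc in parsed:
            if any(_matches(obj_type, ioc, v) for v in kv.values()):
                hits.append((n, ind_id, ioc))
    return hits


if __name__ == "__main__":
    for n, ind_id, ioc in sweep(INDICATORS, LOGS):
        print(f"line {n}: {ioc} matched {ind_id}")
```

Matching is exact by design; a production sweep would also match subdomains of a flagged domain and honour each indicator's `valid_from` / `valid_until` window, and it would read the indicators from a TAXII collection rather than a hard-coded list.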