Ch1

Question 1

What is Information Security?

Answer 1

Protection of information systems against unauthorized access to or modification of information, in storage, processing or transit, and against the DoS to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. InfoSec aims to keep data in any form (physical and digital data) protected from unauthorized access, use, disclosure, modification, inspection, recording or disruption.

Question 2

What is Cyber Security?

Answer 2

The ability to protect or defend the use of cyberspace from cyber attacks. It is a subset of information security, focused on the practice of protecting internet-connected systems, programs, data and networks from digital attacks, unauthorized digital access, or damage by implementing various processes, technologies and practices. Cyber security protects only digital data.

Question 3

What’s the main difference between Information Security and Cyber Security?

Answer 3

Information Security aims to protect both physical and digital data, while Cyber Security focuses specifically on protecting only digital data. Cyber Security is considered a subset of Information Security.

Question 4

What are the main security goals (objectives) in cybersecurity?

Answer 4

Confidentiality, Integrity, and Availability (CIA triad)

Question 5

What is Confidentiality in cybersecurity?

Answer 5

Refers to the protection of data to ensure data/information is only accessible by the people authorized to see it. An organization needs to guard against the malicious actions that endanger the confidentiality of its information.

Question 6

What are the attacks threatening Confidentiality?

Answer 6

• Stealing passwords
• Breaking encryption to get unauthorized access
• Sniffing - obtaining information by monitoring online traffic

Question 7

What controls help attain Confidentiality?

Answer 7

• Encryption (Data at rest, Data in transmission)
• Access control (physical and technical)
• Awareness Training

Question 8

What is Integrity in cybersecurity?

Answer 8

Refers to the protection of information and systems from being modified by unauthorized entities. It means that changes need to be done only by authorized entities and through authorized mechanisms.

Question 9

What are the attacks threatening Integrity?

Answer 9

• Modification - attacker intercepts the message and changes it
• Masquerading or spoofing - attacker impersonates somebody else
• Replaying - attacker obtains a copy of a message sent by a user and later tries to replay it

Question 10

What controls help attain Integrity?

Answer 10

• Hashing
• Message Authentication Code (MAC)
• Digital Signature
• Error detection and correction controls

Question 11

What is Availability in cybersecurity?

Answer 11

Refers to the protection of systems to ensure reliable access to data and resources as and when needed. It also ensures all hardware and software are maintained properly and updated when needed.

Question 12

What are the attacks threatening Availability?

Answer 12

Denial of Service (DoS) - may slow down or totally interrupt the service of a system

Question 13

What controls help ensure Availability?

Answer 13

• Load balancing
• Redundant network and power
• Business continuity management & Disaster Recovery plans (Backup & restoration)
• Network and system performance monitoring

Question 14

What is a Vulnerability in cybersecurity?

Answer 14

Any weakness that could be exploited. The weakness could be on software, hardware, process, or human. This includes unpatched systems, misconfigured network devices, etc.

Question 15

What is a Threat in cybersecurity?

Answer 15

A potentially damaging event associated with the exploitation of a vulnerability. Actors that exploit vulnerabilities are called threat agents.

Question 16

What is an Exposure in cybersecurity?

Answer 16

The potential that a security breach could occur. For instance, an unpatched system exposes the organization to a potential loss.

Question 17

What is Risk in cybersecurity?

Answer 17

The likelihood that a vulnerability could be exploited and the corresponding impact of such an event. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

Question 18

What is a Countermeasure in cybersecurity?

Answer 18

A control that is put in place to mitigate a risk. Controls include access control, deployment of firewalls, passwords, encryption, etc.

Question 19

Explain the relationship between vulnerability, threat, risk, exposure, and countermeasure with an antivirus example.

Answer 19

• Vulnerability: Expired antivirus software with outdated signatures
• Threat: Viruses attacking the systems and disrupting productivity
• Risk: Likelihood of virus infiltration and potential damage
• Exposure: When vulnerability is exploited, company is exposed to loss
• Countermeasure: Purchase and install updated antivirus software on all computers

Question 20

What are the types of security attacks based on origin?

Answer 20

• Outsider attacks - Actions originate from outside, attackers do not possess credentials
• Insider attacks - Actions originate from inside, attackers possess all credentials, highly difficult to prevent

Question 21

What are Passive Attacks in cybersecurity?

Answer 21

Eavesdropping on or monitoring of information that is being transmitted. Purpose is to obtain message contents and perform traffic analysis. Types include reading the content of the message and traffic analysis (observing traffic patterns).

Question 22

What are Active Attacks in cybersecurity?

Answer 22

Any attempt to modify, destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset. Types include masquerade, replay previous messages, modify messages, and denial of service.

Question 23

List the types of active attacks.

Answer 23

• Masquerade: Using someone’s identity with authority to perform certain actions
• Replay previous messages: Capture message from sender to receiver and later replay to receiver
• Modify messages: Attacker captures the message from sender to receiver and modifies the contents
• Denial of service: Attacker disrupts services by flooding requests to the server

Question 24

What are the common security tools used by defenders?

Answer 24

• Encryption
• Anti-virus software & Spam filters
• Firewalls
• Intrusion detection/prevention software
• Strong authentication
• Access control
• Authorization management
• Application security gateways and filters
• Digital signatures
• Disaster Recovery
• Awareness/Education

Question 25

What are the common tools used by attackers (hackers)?

Answer 25

- Password cracking - Intrusion and penetration attacks - Eavesdropping attacks (esp. wireless) - Hijacking and injection attacks - Denial of service attacks - OS/Application vulnerability attacks - Trojan horses, viruses/worms, spyware, keyloggers - Phishing - Social Engineering

Question 26

What are the elements of a cyber attack?

Answer 26

1. Reconnaissance - gathering information about the target 2. Enumeration - analyzing results to identify specific targets 3. Exploitation - probing and exploiting vulnerabilities to gain unauthorized access 4. Action on objectives - exfiltrating/stealing data, modifying data, or destroying data

Question 27

What information might attackers gather during the reconnaissance phase?

Answer 27

- Domain names - Corporate information - Network diagrams - Names of employees and key managers - Social media information - Ingress/egress points - etc.

Question 28

What happens during the enumeration phase of a cyber attack?

Answer 28

The attacker analyzes reconnaissance results to identify specific targets such as people, organizations, departments, facilities, capabilities, data, vendor names, and information systems.

Question 29

What occurs during the exploitation phase of a cyber attack?

Answer 29

Probing and exploiting specific vulnerabilities to gain unauthorized access to the enterprise. It uses weapons like phishing, malware, scripting, and attacks to gain unauthorized access to systems and data.

Question 30

What happens in the 'action on objectives' phase of a cyber attack?

Answer 30

- Exfiltration/stealing data (compromise of confidentiality) - Modifying data (compromise of integrity) - Destroying data and otherwise disrupting the environment (compromise of availability)

Question 31

What is Defense-in-Depth?

Answer 31

The concept that an organization should not rely on just one control for protection, but instead should use layers of controls to increase the work factor of potential attackers. It is the coordinated use of multiple security controls in a layered approach to minimize the probability of successful penetration and compromise.

Question 32

What is a Denial of Service (DoS) attack?

Answer 32

An attack against computer or network which reduces or prevents accessibility of system resources to authorized users. DoS implies that an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable.

Question 33

What areas can be affected by DoS attacks?

Answer 33

- Network resources like Routers/Switches/other Equipment - Servers and sometimes End-User PCs

Question 34

What are the classifications of DoS attacks?

Answer 34

- Routing and DNS attacks - manipulate routing tables to route to attacker's net - Bandwidth consumption - consume all available network bandwidth - Resource consumption - consume system resources (CPU, memory, storage space)

Question 35

What are the levels/layers of DoS attacks?

Answer 35

- Network Level Device (routers, switches, firewalls) - OS Level Equipment (vendor OS, end-user equipment) - Data Flood (amplification, simple flooding) - Protocol Feature Attacks (servers, client PC, DNS servers)

Question 36

Give examples of Network Level DoS attacks.

Answer 36

Ascend Kill II, 'Christmas Tree Packets' - Attacks attempt to exhaust hardware resources using multiple duplicate packets or a software bug.

Question 37

Give examples of OS Level DoS attacks.

Answer 37

Ping of Death, ICMP Echo Attacks, Teardrop - Attacks take advantage of the way operating systems implement protocols.

Question 38

Give examples of Data Flood DoS attacks.

Answer 38

Smurf Attack (amplifier attack), UDP Echo (oscillation attack) - Attacks in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.

Question 39

Give examples of Protocol Feature DoS attacks.

Answer 39

SYN (connection exhaustion) - Attacks in which 'bugs' in protocol are utilized to take down network resources. Methods include IP address spoofing and corrupting DNS server cache.

Question 40

What is a Bot and Botnet?

Answer 40

A bot (short for 'robot') is a type of software application or script that performs automated tasks on command. Bad bots perform malicious tasks that allow an attacker to remotely take control over affected computers (zombies). A botnet is a network of compromised computers controlled by an attacker.

Question 41

What are the beneficial uses of bots?

Answer 41

Web spiders (web crawlers) - automated programs or bots that systematically search websites and index the content on them. Primarily used to index pages for search engines.

Question 42

What are the malicious uses of botnets?

Answer 42

- Coordination and operation of automated attacks on networked computers - Performing distributed denial-of-service attacks (DDoS) - Stealing data - Sending spam - Allowing the attacker to access devices and their connections

Question 43

What is a Distributed Denial of Service (DDoS) attack?

Answer 43

A type of denial-of-service attack in which the attacker gains illegal administrative access to multiple computers on the Internet and uses those computers to send a flood of data packets to the target computer. A master program communicates to agent programs installed on compromised computers to initiate the attack simultaneously.

Question 44

How does a DDoS attack work?

Answer 44

1. A DDoS master program is installed on one computer using a stolen account 2. The master program communicates to any number of 'agent' programs installed on computers anywhere on the internet 3. When they receive the command, the agents initiate the attack 4. The master program can initiate hundreds or thousands of agent programs within seconds using client-server mode

Question 45

What is SYN Flooding?

Answer 45

A DoS attack that exploits the TCP three-way handshake. The attacker sends SYN packets with spoofed IP addresses to the victim, who replies with SYN-ACK but never receives ACK from the non-existent IP addresses. The victim keeps potential connections in a queue, and when flooded with multiple SYN packets, the queue fills up, resources are exhausted, and legitimate requests are rejected.

Question 46

What is a Reflection/Amplification attack?

Answer 46

A technique that allows attackers to both magnify the amount of malicious traffic they can generate and obscure/hide the sources of the attack traffic. Attackers send small requests to vulnerable servers with spoofed IP addresses (appearing as the target's IP). Often using botnets to send numerous spoofed requests, they leverage multiple vulnerable servers to create huge amounts of data with minimal effort. Examples include DNS amplification and NTP amplification.

Question 47

How does a Reflection/Amplification attack work?

Answer 47

1. Attackers send small requests to vulnerable servers with spoofed IP addresses to appear as the target's IP 2. Attackers often use botnets to send numerous spoofed requests, further magnifying the traffic 3. By leveraging multiple vulnerable servers, they create huge amounts of data with minimal effort, making the attack highly effective and difficult to mitigate

Question 48

What are the DoS countermeasures?

Answer 48

- Use of Firewalls and Demilitarized Zone (DMZ) - Use up-to-date anti-virus and IDS/IPS tools - Perform network/packet analysis - Shut down unnecessary services in the target network - Add load balancers to absorb traffic and set up throttle logic - Use strong encryption mechanisms - Use IPsec to protect against session hijacking and DoS - Prevent SYN flood attacks by discarding the SYN packets

Question 49

How does Confidentiality balance with Integrity and Availability?

Answer 49

Disconnecting a computer from the Internet increases confidentiality but availability and integrity may suffer due to lost updates. Balancing confidentiality with usability is crucial. Access controls and encryption should be implemented to protect sensitive data while allowing legitimate access.

Question 50

How does Integrity balance with Confidentiality and Availability?

Answer 50

Having extensive data checks by different people/systems increases integrity, but confidentiality suffers as more people see data, and availability suffers due to locks on data under verification, degrading performance. Data integrity for critical systems should be prioritized using digital signatures and regular checks while avoiding excessive validation for non-critical data.

Question 51

How does Availability balance with Confidentiality and Integrity?

Answer 51

Focusing on availability of systems anywhere, anytime, and to any staff increases availability but may leave systems vulnerable to attacks that can disrupt services. Redundancy and failover systems should be maintained to ensure availability, while risk assessments should be conducted to identify critical systems and allocate resources accordingly.

Question 52

What is the main objective of security controls?

Answer 52

The main objective of security controls is to reduce the risk of security breaches, protect organizations from threats, and align security objectives with organizational objectives.