What is a threat environment?
A threat environment consists of all the attacks and attackers that a company faces.
What are the three goals of security?
It’s the CIA triad:
Confidentiality - No one else can read your information, either while it is stored on a computer or while it travels across a network. Encryption is the classic confidentiality control.
Integrity - The attacker cannot change or destroy information, or, at worst, the owner can detect that the change or destruction happened.
Availability - Those who are authorized to use the information are not prevented from doing so. Redundant or failover servers are one way to provide this.
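The "at worst, the owner can detect the change" half of integrity is worth seeing in code. The following is an added example, not part of the original notes: it tags a message with an HMAC-SHA256 under a shared key, then shows that a forged copy fails verification. The key and message are constructed for illustration; a real system would load the key from a key store rather than from source.

```python
import hmac
import hashlib

# Constructed shared secret for the example only (assumption: a real system
# would fetch this from a key store, never hard-code it).
SECRET_KEY = b"example-shared-key"


def protect(message: bytes, key: bytes = SECRET_KEY) -> tuple:
    """Return the message together with its HMAC-SHA256 tag."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message, tag


def verify(message: bytes, tag: str, key: bytes = SECRET_KEY) -> bool:
    """True only if the message is unchanged since the tag was computed.
    compare_digest is used so the comparison does not leak the tag via timing."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def tampering_detected() -> bool:
    """An attacker changes the amount in transit; the owner notices because
    the tag no longer matches. Returns True when detection works as intended."""
    original, tag = protect(b"transfer 100 to account 42")
    forged = original.replace(b"100", b"900")
    return verify(original, tag) and not verify(forged, tag)


if __name__ == "__main__":
    print("integrity check catches the change:", tampering_detected())
```

The tag does not stop the attacker from altering the bytes (that would be prevention); it only guarantees that the alteration is noticed, which is exactly the weaker integrity goal stated above.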
What is a compromise?
A compromise (also known as an incident or a breach), is basically a successful attack.
What are countermeasures? What types of countermeasures are there?
A countermeasure is a tool that is used to thwart attacks. There are three main kinds of countermeasures: Preventative, detective, and corrective.
What is a preventative countermeasure?
A preventative countermeasure is there to prevent a certain attack from working (like a firewall).
What is a detective countermeasure?
A detective countermeasure detects (duh) that something is wrong. Antivirus software is both detective (it flags infected files) and corrective (it quarantines or removes them).
What is a corrective countermeasure?
A corrective countermeasure repairs the damage after an attack has already succeeded, for example restoring data from backup or removing malware from an infected host.
Why are employees and ex-employees the most dangerous threats?
Employees and ex-employees are dangerous because they often have knowledge of internal systems, have permissions to access systems, often know how to avoid detection, and they’re generally trusted.
Who watches the watchmen, eh?
What sort of things can employees do?
Sabotage - Destruction of hardware, software, or data, or worse, planting a time bomb or logic bomb on a computer.
Hacking - Accessing systems or data they are not authorized to access, or exceeding the access they do have.
Theft - Theft of money or other assets, or, the big one, intellectual property.
Extortion - Threatening to release information in order to manipulate someone.
Sexual or Racial Harassment of Other Employees - Displaying or circulating pornographic or offensive material, often via e-mail.
Internet Abuse - Pornography, piracy, excessive personal use.
Carelessness - Loss of computers or media that contain sensitive information through neglect or carelessness.
Contract Workers -
What is hacking?
Hacking is defined as intentionally accessing a computer resource without authorization, or going beyond authorization. Authorization is the key here.
What is separation of duties?
Separation of duties is the principle that a sensitive task is split between two or more people, so that no single employee can complete it (and so defraud the company) alone; for example, the person who creates a payment may not be the one who approves it. Giving each employee only the permissions needed for their job is a different principle, least privilege, and the two work together.
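The two principles are easy to confuse, so here is an added example (not from the original notes) that enforces both in a toy payment workflow: a role table grants each user only the permissions their job needs (least privilege), and the approval step refuses an approver who also created the payment (separation of duties). Users, roles and permission names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role table: each role carries only what its job needs
# (least privilege). Assumed names, not from any real system.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "manager": {"payment:approve"},
    "auditor": {"payment:read"},
}

# Constructed users. "dana" legitimately holds both roles, which is exactly
# the case where least privilege alone is not enough.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"manager"},
    "dana": {"clerk", "manager"},
}


class AuthorizationError(Exception):
    pass


@dataclass
class Payment:
    payment_id: int
    amount: int
    created_by: str
    approved_by: Optional[str] = None


def permissions_of(user: str) -> set:
    """Union of the permissions granted by all of the user's roles."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def require(user: str, permission: str) -> None:
    """Least-privilege check: deny unless some role of the user grants it."""
    if permission not in permissions_of(user):
        raise AuthorizationError(f"{user} lacks {permission}")


def create_payment(user: str, payment_id: int, amount: int) -> Payment:
    require(user, "payment:create")
    return Payment(payment_id, amount, created_by=user)


def approve_payment(user: str, payment: Payment) -> Payment:
    require(user, "payment:approve")
    # Separation of duties: the approver must be a different person from the
    # creator, so no single insider can both raise and release a payment,
    # even if their roles would otherwise allow it.
    if user == payment.created_by:
        raise AuthorizationError(f"{user} cannot approve a payment they created")
    payment.approved_by = user
    return payment


def is_denied(action, *args) -> bool:
    """Helper for demonstrations: True if the action raises AuthorizationError."""
    try:
        action(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    p = create_payment("alice", 1, 500)
    print("bob approves alice's payment:", approve_payment("bob", p).approved_by)
    print("bob may create payments:", not is_denied(create_payment, "bob", 2, 10))
    own = create_payment("dana", 3, 10)
    print("dana may approve her own payment:", not is_denied(approve_payment, "dana", own))
```

Note that dana passes the least-privilege check for approval (her manager role grants it) and is still refused; that refusal is the separation-of-duties control, and it is what the original one-line definition was missing.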
What is malware?
Malware (malicious software) is the generic name for any program written to do harm.
What are some examples of malware?
Viruses - Programs that attach themselves to legitimate programs. When an infected program is executed, the virus copies itself into other executables. They need a host file and some human action to spread; historically the main vector was e-mail attachments.
Worms - Stand-alone programs that do not attach themselves to other programs. They can spread by "direct propagation", jumping from computer to computer with no human action on the receiving side, provided the target has the vulnerability the worm exploits. They can spread very fast.
Blended Threats - Malware that propagates in multiple ways. Think a blend of virus and worm.
Nonmobile malware - Malware that cannot spread on its own and must be placed on the user's computer, usually by deceiving the user.
Trojan Horse - A program that masquerades as something useful; once the victim runs it, the payload executes. A Remote Access Trojan (RAT) is the variety whose payload gives the attacker remote control of the victim's PC.
What is a payload?
Payload is the term for the piece of code in malware that does the actual damage.
What is spyware?
Spyware is a form of Trojan that gathers information about you and sends it back to someone. It is subtle. Some only send fairly benign information (browsing habits); others log keystrokes and so capture passwords.
What is a rootkit?
A rootkit is malware that runs with superuser (root or administrator) privileges and uses that authority to hide itself and other malware from the operating system and from security tools, which makes it far harder to detect and remove.
What is mobile code?
Mobile code is executable content (for example scripts or applets) that is delivered to a user's computer, typically with a web page, and runs there automatically.
What is social engineering?
Social engineering is an attempt to trick a user in order to do something that would normally go against security policies. Spam, phishing, hoaxes, that sort of thing.
Who are traditional hackers?
Traditional hackers are people motivated to bypass security for a thrill, validation, or a sense of power. They are mostly after reputation among their peers, and their crimes were usually petty. They are no longer the main threat; financially motivated attackers are.
What are Reconnaissance probes?
Reconnaissance probes are the first step of an attack: scanning IP addresses and ports to learn which hosts are live, which ports are open, and which services are running. A host that receives a probe and replies gives itself away, signalling a possible opening.
What is an exploit?
An exploit is the attack method used to break into a computer.
What is IP address spoofing?
IP address spoofing is sending packets with a false source IP address to hide your identity; the catch is that any replies go to the spoofed address, so you do not receive them.
Chain of Attack Computers? What’s that?
A chain of attack computers is when an attacker sends probes and attacks through several layers of compromised remote computers, so that tracing the source means working back through each hop in turn.
What is piggybacking?
Piggybacking (also called tailgating) is a form of social engineering in which someone "holds the door" into a secured area for a person who has no authorization to be there.
What is shoulder surfing?
Shoulder surfing is simply watching someone type their password or PIN, over their shoulder or from some other vantage point.
What is a Denial-of-Service attack?
A Denial-of-Service attack makes a server or network unavailable to legitimate users by flooding the victim with attack messages. In the Distributed DoS (DDoS) variant the flood comes from many bots at once, so no single source looks unusual. The packets do not even have to be malicious; there just have to be a lot of them.
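Because the packets themselves can be perfectly ordinary, a flood is detected by rate rather than by content. The following added example (not from the original notes) buckets constructed web-server access records into ten-second windows and raises two kinds of alert: a single source exceeding a per-source limit (DoS) and a window whose total exceeds a global limit while every source stays under the per-source limit (DDoS). The traffic, IP addresses and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict

WINDOW = 10           # seconds per bucket
PER_IP_LIMIT = 50     # requests per window from one source before it is "loud"
GLOBAL_LIMIT = 150    # total requests per window before we suspect a DDoS


def build_sample_log():
    """Constructed access records (epoch second, client IP); not real traffic.
    Documentation and private address ranges are used on purpose."""
    records = []
    # Two normal visitors, one request every five seconds.
    for t in range(0, 60, 5):
        records.append((t, "203.0.113.5"))
        records.append((t + 1, "198.51.100.7"))
    # Single-source flood: one host sends 200 requests inside the 30..39 window.
    for i in range(200):
        records.append((30 + i % 10, "192.0.2.99"))
    # Distributed flood: 60 bots, only 4 requests each, all inside the 50..59 window.
    for b in range(60):
        for j in range(4):
            records.append((50 + (b + j) % 10, f"10.0.0.{b + 1}"))
    return sorted(records)


def detect_floods(records, window=WINDOW, per_ip_limit=PER_IP_LIMIT,
                  global_limit=GLOBAL_LIMIT):
    """Return a list of (window_start, kind, detail) alerts.
    kind is "dos" for one loud source or "ddos" for an aggregate-only flood."""
    per_window = defaultdict(Counter)
    for ts, ip in records:
        per_window[ts - ts % window][ip] += 1

    alerts = []
    for start in sorted(per_window):
        counts = per_window[start]
        total = sum(counts.values())
        loud = [ip for ip, n in counts.items() if n > per_ip_limit]
        for ip in loud:
            alerts.append((start, "dos", ip))
        # A DDoS keeps every bot below the per-source limit, so only the
        # aggregate rate gives it away.
        if total > global_limit and not loud:
            alerts.append((start, "ddos", f"{len(counts)} sources, {total} requests"))
    return alerts


if __name__ == "__main__":
    for start, kind, detail in detect_floods(build_sample_log()):
        print(f"t={start:>3}s  {kind:<4}  {detail}")
```

The bots in the distributed case never come close to the per-source limit, which is why a per-IP rule on its own would miss them; the aggregate rule catches the window but cannot name a single offender, and that asymmetry is the practical difference between DoS and DDoS from the defender's side.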
What is a bot?
A bot is a machine that has been compromised by an attacker, allowing the attacker to remotely control the machine and direct it to send attack packets, spam, etc.
What is click fraud?
Click fraud is using bots to click on pay-per-click ads. The site hosting the ads profits from the fake clicks, or a competitor's advertising budget is drained, while the advertiser pays for clicks that no real customer made.
What is SCADA?
Supervisory Control and Data Acquisition - The control systems behind physical infrastructure: water treatment plants, power plants, pipelines, that sort of thing. These are prime targets of cyberwar and cyberterror, because damage to them is physical.
What are the four reasons that employees are especially dangerous?
- They usually have extensive knowledge of the system.
- They often have access to sensitive parts of systems.
- They know how to avoid detection.
- They are trusted by their employer.
What type of employee is the most dangerous?
IT employees are the most dangerous, due to their extraordinary knowledge and access.
What is sabotage?
Sabotage is the destruction of hardware, software, or data.
What is intellectual property?
Intellectual property is information that is owned by the company and protected by law.
What are the two things employees primarily like to steal?
Employees primarily like to steal money and intellectual property.
What’s the difference between intellectual property and trade secrets?
Intellectual property such as patents, copyrights and trademarks is owned by the company and protected by law through registration. Trade secrets are information the company protects by keeping it secret (formulas, processes, plans); the law protects them only as long as the company actually takes steps to keep them secret, so once disclosed the protection is gone.
What is extortion?
Extortion occurs when the perpetrator attempts to control the victim by threatening to take actions that would harm the victim.
Who, besides employees, constitutes a potential "internal" threat?
Contract workers are an internal threat, and are not full employees of the company.
What is a RAT?
A RAT, or Remote Access Trojan, is a Trojan that gives the attacker remote control of the computer.
What are some ways non-mobile malware can infect a computer?
Non-mobile malware can infect a computer by:
Being placed there by a hacker.
Being deposited as “payload” by a virus or worm.
Enticing the user to download it.
Being executed as mobile code within a website.
What’s the difference between a virus and a worm?
A virus infects files and executables and relies on the user for propagation. A worm is a stand-alone program, and does not require the user to propagate, and can do things on its own.
How do worms spread?
Worms spread by looking for specific weaknesses in connected systems and exploiting them.
What are downloaders?
Downloaders are a form of Trojan horse: small programs, hard to detect, whose only job is to fetch and install much larger pieces of malware once they are on the machine.
Why can cookies be dangerous?
What’s the difference between a Trojan horse and a rootkit?
A Trojan horse masquerades as a legitimate program, sometimes by replacing a real one and taking its name. A rootkit runs with root or administrator privileges and uses them to hide itself from the operating system and security tools.
What is a Trojan horse?
A Trojan horse is a program that poses as legitimate software; in the narrow textbook sense it deletes an existing system program and takes its place, so that running the "normal" program runs the attacker's code instead.
What’s the difference between phishing and spear phishing?
Phishing normally targets wide swaths of people. Spear phishing is targeted at one or a few individuals, for a specific purpose.
What’s the difference between IP address scanning and port scanning?
IP address scanning sends an ICMP echo request (ping) to every address in a range and listens for echo replies, which identify live hosts. Port scanning then takes those "live" addresses and sends connection requests to specific ports to determine which services are running on them.
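The port-scanning half of this is easy to demonstrate without leaving your own machine. The following is an added example, not from the original notes: it opens a local TCP listener as a constructed target, then probes a band of ports around it with TCP connect attempts and classifies each as open (handshake completed), closed (the host answered with a reset) or filtered (no answer before the timeout). The ICMP sweep described above needs raw sockets and root privileges, so it is not reproduced here; the target port is chosen by the OS.

```python
import errno
import socket


def start_listener() -> socket.socket:
    """Constructed target: a TCP listener on 127.0.0.1 on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def probe_port(host: str, port: int, timeout: float = 0.2) -> str:
    """TCP connect probe. A completed handshake means a service is listening;
    a refused connection means the host is up but nothing listens there;
    anything else (timeout, unreachable) is reported as filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def scan_ports(host: str, ports, timeout: float = 0.2) -> dict:
    """Probe each port and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in sorted(ports)}


def demo():
    """Scan a band of ports around the listener while it is up, then probe the
    same port after the listener closes. Returns (port, state_up, state_down)."""
    srv = start_listener()
    try:
        target = srv.getsockname()[1]
        band = set(range(max(1, target - 3), min(65535, target + 3) + 1))
        while_up = scan_ports("127.0.0.1", band)[target]
    finally:
        srv.close()
    after_close = probe_port("127.0.0.1", target)
    return target, while_up, after_close


if __name__ == "__main__":
    port, up, down = demo()
    print(f"port {port}: {up} while listening, {down} after close")
```

The reply is the whole point: the scan learns something only because the target answers, with a SYN-ACK or a RST. That is also why the spoofing question later on has the answer it does: a probe sent from a forged address gets its answer delivered to that forged address, not to the scanner.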
What does “owning” a computer mean?
Owning a computer means that the attacker is able to do whatever he or she wishes.
When can an attacker not use IP address spoofing?
An attacker cannot use IP address spoofing for reconnaissance probes, because the replies would go to the spoofed address and be lost, and the replies are the whole point of probing. Spoofing is useful for one-way traffic such as a flood.
What is pretexting?
Pretexting occurs when an attacker calls and claims to be a specific customer, hoping to get information that is private to that customer.
What is fraud?
Fraud occurs when the attacker deceives the victim into doing something that goes against the victim's financial self-interest.