Chapter 2 Flashcards
1
Q
Threat Actor
A
An entity that is the cause of an event that has impacted the safety of another entity. Also called a malicious actor.
2
Q
Avalanche Effect
A
In a hashing algorithm if one bit is changed then the entire hash is completely different
3
Q
Advanced Persistent Threat (APT)
A
Highly sophisticated threat actors that can make constant attacks and have access to massive resources.
4
Q
Unskilled attackers
A
A threat actor that runs premade scripts without any knowledge of what is haappening under the hood. “Script kiddies”
5
Q
Hacktivist
A
A hacker with a purpose that is motivated by philosophy, revenge, disruption etc. Can be very sophisticated and motivated but often has access to limited funding.
6
Q
Insider Threat
A
Someone from inside the organization who can use organization resources against itself for revenge, financial gain etc. Has knowledge of where to aattack and security vulnerabilities.
7
Q
Organized Crime
A
Usually motivated by money, almost always an external entity. Very sophisticated. Lots of capital.
8
Q
Shadow IT
A
Members of the organization that use workarounds to avoid the security put in place by the IT department. They often set up their own networks to get around limitations like change control and other security practices. Can be a huge risk.
9
Q
Threat Vector
A
The method an attacker uses to gain access to the system. Also called “attack vector”
10
Q
Phishing
A
Enticing someone to click on a link that can trick you into exposing sensitive data or installing malware. Social engineering intended to trick the recipient into thinking it is a legittimate communication or service.
11
Q
Scalable Vector Graphic (SVG)
A
A image file format that can contain embedded code. Can be used to perform HTML injections or deliver javascript attack code.
12
Q
File Based Vectors
A
More than just executables, malicous code can hide in many places such as: Adobe PDFs or microsoft office macros
13
Q
Removable device vectors
A
USBs can be used to get around a firewall. These can be used to infect air gapped systems.
14
Q
Air gapped Network
A
A network with no direct connection to the internet or other networks
15
Q
802.1x
A
An authentication protocol that prevents the access of data or network resources until proper credentials are provided.
16
Q
Supply Chain Vector
A
Tampering with the underlying infrastructure of manufacturing process to add vulnerabilities.
17
Q
Managed Service Providers (MSP)
A
Monitors systems and informs you if things need to be changed. If an attacker can infiltrate an MSP they will have access to many organizations systems.
18
Q
Typosquatting
A
URLs that are similar to the legitimate site but have slight changes.
19
Q
Pretexting
A
Using sotries and lies to manipulate you into believing their story. Attacker is a character in the story they create.
20
Q
Smishing
A
SMS phishing
21
Q
Impersonation
A
The attacker pretending to be someone they arent. Could introduce themselves as someone higher in rank.
22
Q
Identity Fraud
A
The attacker uses your information to impersonate you, giving them access to your resources and privileges.
23
Q
Watering hole Attack
A
Infecting a 3rd party site that employees of the target organization frequent and use it and use it to gain access. Infect all users and then pursue their target.
24
Q
Defense in Depth
A
Layering defense measures that can catch threats that others may have missed
25
Buffer Overflow
Writing more than is expected into a particular area of memory, causing other memory to be overwritten. Developers need to perform bounds checking to prevent this. Difficult exploit, and it needs to be repeatable to be useful.
26
Race Condition
When two events happen at nearly the same time within an application. This can be a big issue if it is not planned for.
27
Time of Check to Time of Use (TOCTOU)
Applications may perform a check for a condition before performing an action. Sometimes something may happen between that check and action which can have negative consequences.
28
Malicious Updates
Attackers perform a supply chain attack to add malicous code to official updates.
29
Operating System
The foundational computing platform of a device. Is often tens of millions of lines of code, so there is a large surface area for attack.
30
Patch Tuesday
Every second tuesday of the month there is a new windows update
31
Code Injection
Adding your own code into an applications input areas. Enabled because of bad programming.
32
Structured Query Language (SQL)
The most common relational database language
33
SQL Injection
Adding your own requests to the input of an existing application. Applications should not allow users to make their own specific requests.
34
Cross Site Scripting (XSS)
A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
35
Persistent XSS Attack
Attacker posts a message to a social network that incudes the malicious code. Everyone who clicks the page gets the payload. Could add code that forces the viewers to post the message to their own page.
36
Hardware Vulnerabilities
Devices that are connected to a network are potential security risks.
37
IOT
Internet of things
38
Firmware
The operating system of a hardware device. We may not have direct access to this software. Sometimes we have no idea what this operating system even is. Venders are the only ones who can fix this, and many dont care about security vulnerabilities.
39
End of Life Notice (EOL)
A notice that a manufacturer is no longer selling the product. Many times the product will stop recieving updates and patches.
40
End of Service Life (EOSL)
Manufacturer is no longer selling or providing support for the product. May still ahve a premium cost service option. EOSL is a significant concern as security patches are an important part of normal operation.
41
Legacy Platforms
Older devices that may be running end of life software. The security risks and maintainance costs must be compared to the returns. May require additional security protections like additional firewall rules. Add additional IPS signatures for older operating systems.Vi
42
Virtual Machine (VM)
an isolated computing environment created by abstracting resources from a physical machine.
43
VM Escape
Breaking out of the VM and interacting with the host operating system or hardware.
44
Hypervisor
Manages the relationship between the physical and virtual resources of a virtual machine and it's host.
45
Common Vulnerability Scoring System (CVSS)
A way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity
46
Directory Traversal
Allowing people to manually move around the structure of a webserver into different folders or subdirectories.
47
Remote Code Execution (RCE)
The ability for attackers to run code on a machine without direct physical access.
48
Out of Bounds Write
Write to unauthorized memory areas resulting in data corruption, crashing, or code execution.
49
Supply Chain
The process of getting a product from the raw materials all the way to getting the finished product to a consumer. Attackers can infect the product or service at any step along the way
50
Target Corp 2013 Breach
40 million credit cards stolen. HVAC firm in pennsylvania was infected. Nakware was delivered in a phishing email and VPN credentials were stolen. Attackers now had access to the HVAC systems within the Target Corp Network. The HVAC and cash register systems were on the same network with no access restrictions between the two. Attackers put malware on every cash register and used it to collect credit cards.
51
Misconfiguration Vulnerabilities
With all of the different systems that an organization needs to perform their day to day business it is increasingly easier to misconfigure one of them. Cloud computing increases this as there are many permissions and settings to configure.
52
Insecure Protocols
Some protocols arent encrypted, which means that data traverses the network in the clear. Telnet, FTP, SMTP, IMAP.
53
Mira Botnet
Takes advantage of default configurations. Takes over IOT devices. Looks for over 60 default configurations. Camera, routers, doorbells, garage door openers etc. Mira is released as open source software.
54
Port Security
Each time you enable an inbound service on a server you must open a port. That port is used by someone on the outside to gain access to that specific application, this gives them access to a a section of your server. Port numbers are often managed by a firewall, which will allow or deny traffic based on port number or application.
55
Mobile Device Vulnerabilities
Often challenging to secure. Need additional security policies and systems. Relatively small and easy to hide. Almost always in motion. Packed with sensitive data, both personal and organizational. Constantly connected to the internet.
56
Jailbraking/Rooting
Replacing the operating system of a mobile device with one of your own. This circumvents security features.
57
Mobile Device Manager
(MDM)
58
Sideloading
Installing an app without using an official app store.
59
Zero Day Vulnerability
A vulnerability that is unknown to the vendor for which a patch or fix is not available.
60
Zero Day Attack
Exploiting a zero day vulnerability which results in the security community needing to work very hard to patch the issue.
61
Common Vulnerabilities and Exposures (CVE)
cve.mitre.org Provides a reference method for publicly known information-security vulnerabilities and exposures.
62
Malware
Malicious software that does bad things to your system. Gathering information, show you advertising, encrypting and holding your data randsom.
63
Randsomware
Infects your machine, encrypts you data, and then requests that you pay them to decrypt your data. A negative form of cryptography. A good reason to backup your data often. Store backups offline so that randsomware cannot infect it.
64
Virus
Malware that can replicate itself
65
Worm
A malware that can self replicate between systems without any user input. Uses the network as a transmission medium. Self propagates and spreads quickly.
66
Spyware
Malware that watches everything on your computer.
67
Bloatware
Unnecessary software that comes preinstalled on your device. Often the device manufacturers are paid to include them. Uses up storage, slows your system, exposes your system to potential exploits.
68
Keyloggers
Captures your input data, saves it to a file, and sends it back to the attackers. This circumvents encryption.
69
Dark Comet
A remote access trojan (RAT) keylogger
70
Logic Bomb
Waits for an event to occur and then activates to cause harm to the system. Reboots, erases data, makes changes.
71
Rootkit
Hides itself in the kernel of the operating system. Modifies core system files. Can be invisible to the operating system. Secure boot with UEFI Bios confirms that the operating system signature is unchanges before the system is booted.
72
Physical attacks
Gaining physical access to a device, which circumvents many network security protocols and protections
73
Radio Frequency Identification (RFID)
Commonly used for access badges and key fobs. These can be cloned in seconds using devices available on amazon for under $50. Badges can be duplicated at a bar, or on a train on the way to work. Another reason to use MFA.
74
Environmental Attacks
Attacks involving everything supporting the technology and network. Turning off the power to a datacenter, Damage HVAC systems or fire supression.
75
Denial of Service (DOS)
Forcing a service to fail. Often done by overloading the system with too many requests or data. May be used as a smokescreen for some other exploit.
76
Unintentional DOSing
Misconfiguring your system in a way that creates a loop or bandwidth issue, causing your system to stop working. Things like flooding from a broken waterline can also cause this.
77
Distributed Denial of Service (DDOS)
Launching an army of computers to bring down a service. This is why attackers create botnets. Using malware attackers can take control of thousands or millions of computers and aim their traffic at one service.
78
Asymetric Threat
Attacker may have less resources but can still easily bring down large organizations
79
DDOS Reflection and Amplification
Reflecting traffic of another device or service. Turns a snall attack into a big one. Uses internet services against the victim. Uses protocols with little to no authenication or checks. NTP, DNS, ICMP. When you request information from an NTP server you generally recieve back more information that is in the request.
80
DNS poisoning
Causing a user to visit an IP address they did not origionally intend. Can be done by modifying a DNS server (difficult) or by modifying the client host file (easier). The host file takes precident over DNS queries. This is an on path attack
81
Domain Hijacking
Get access to the domain registration and you have control where the traffic flows.
82
Wireless Deauthentication
A wireless DOS attack. Removes the victim from a connected network. 802.11 wireless includes management frames which attackers can use to disconnect the victim from the network. The frames were unencrypted. IEEE patched this issue in 802.11ac update to encrypt important management frames.
83
Radio Frequency Jamming (RF Jamming)
Transmitting interfering wireless signals to decrease the signal to noise ratio at the recieving device. This causes the recieving device to not get a clear signal. Sometimes it is not intentional: Florecent lights, microwaves.
84
Fox Hunting
Finding the RF jammer using directional antennas and an attenuator
85
On Path Attack
The attacker sits between two devices to watch their traffic. Formerly called Man-in-the-middle. Catches and passes along or redirects the data.
86
ARP Poisoning
On path attack on a local IP Subnet. Attacker must be on the same subnet. ARP has no security like encryption.
87
On Path Browser Attack
Attacker uses malware or trojan to gain access to the victims computer or browser. Allows the attacker to access the data before it is encrypted.
88
Replay Attack
Network attack where an attacker intercepts and maliciously retransmits data that was already exchanged. The attacker needs access to the raw network data using a network tap, ARP poisoning, or malware.
89
Pass the Hash
Attacker intercepts an authentication request (user and hashed password). Attacker then sends their own auth request using the captured information. Avoided by using session key encryption and salting.
90
Cookies
Files that store information about the sites that you visit. Used for tracking, personalization, session management. Can be used to store session IDs which could be used by an attacker to gain access to a server without providing any log in credentials.
91
Preventing Session Hijacking
Encrypt end-to-end. HTTPS encrypts your data. VPNs can allow for some encryption
92
Wannacry Randsomeware
Executable exploited a vulnerability in windows SMBv1. Allowed for arbitrary code execution. Allowed access to the OS.
93
British Airways cross site scrypting
22 lines of malicious javascript code was added to checkout pages. Information was stolen from 380000 victims
94
Estonian Central Health Database
SQL injection that breached all healthcare information for an entire country
95
Horizontal Privilege Escalation
Allows user A to access User B resources.
96
Address space Layout Randomization
Randomizes where data is stored in memory each time an application is run. Makes buffer overflows less repeatable.
97
Downgrade Attack
Forces a victim to use a less secure encryption method.
98
SSL Stripping
A combination of an on-path attack with a downgrade attack where the attacker gets in the middle of a conversation and starts sending unencrypted web page information to trick the victim into using non-encrypted protocols like HTTP instead of HTTPS. Victim must make initial request using HTTP. Attacker captures that request and passes it along to the server, establishing a cryptographic link with the server so that it can now view the data once the server moves over to https.
99
Password Attacks
Passwords need to be stored as a salted hash. The SHA-256 hash is used in many applications
100
Spraying Attack
Attack an account with the top few common passwords. If it doesn't work, they simply move on to the next account
101
Brute Force
Trying every possible password compination until the hash is matched. Most accounts will lockout after a number of attempts so attackers will obtain the list of users and hashes, and then run the brute force attack offline.
102
Indicators of Compromise (IOC)
An event that indicates an intruision. Unusually high amount of network activity, change to file hash values, irregular international traffic, changes to DNS data, uncommon login patterns, spikes of read requests to certain files.
103
Account Lockout
Credentials aren't working or exceeded login attempts even though you did not make these attempts
104
Concurrent Session usage
There should not be multiple account logins from multiple locations or systems. If someone is logging in from very different locations in a short time frame alarms should be firing.
105
Resource Consumption
Every attackers action will ahve an equal and opposite reaction. File transfers use bandwidth, firewall logs show outgoing transfer, servers may have crashed due to an attacker looking for an exploit
106
Out of Cycle Logging
Log or log data that should not occur during that time frame
107
Missing Log information
Attackers will try to cover their tracks by removing logs. Missing logs are suspicious, logs need to be secure and monitored. There should be alerts and notifications if logs are tampered with.
108
Segmentation
Can help limit the scope of a security event. Can be done through physical, logical, or virtual means. Also can be done to improve performance and reliability. May also be mandated or needed for compliance: PCI (payment card industry) compliance.
109
Access Control List (ACL)
Allows you to group catagories of traffic and allow or deny these requests.
110
Full Disk Encryption (FDE)
Encrypting everything on the drive. Can use tools like bitlocker and firevault.
111
Monitoring
Aggregating information about your systems and devices. Could be built into devices or as standalone devices. Often integrated into servers, switches, routers, firewalls etc.
112
Sensors
IPS, logs
113
Collectors
A place where all of the logs are consolidated and can be viewed.
114
Security Information and Event Manager (SIEM)
a type of collector. May include a correlation engine to compare diverse sensor data.
115
Least privilege
Rights and permissions should be configured to the bare minimum needed to perform their job objectives.
116
Decommissioning
Should be a formal policy. Most often associated with storage devices. Can wipe the device for use in another system or destroy the physical device.
117
Hardening
Making a device or system more secure
118
Endpoint
The devices that the user is using to access the data.
119
Endpoint Detection and Response (EDR)
Goes beyond signatures to detect a threat. Behavior analysis, machine learning, process monitoring. An EDR software is capable of isolating the system, quarantining the threat, rolling back to a previous config. EDRs are API driven, so no user or technician intervention is required.
120
Host Based Firewall
A personal software based firewall that runs on every endpoint. A great place to identify and block unknown processes that may have been launched due to a security vulnerability. Runs on each device but can be managed by a central console.
121
Intrusion Prevention System
A network security tool that monitors network traffic for potential threats and automatically blocks them.
122
Host Based Intrusion Prevention System (HIPS)
Often built in to the EDR or anti-mal. Watches all inbound traffic for known attacks. Secures OS and application configs. Validates incoming service requests. Identifies signatures, heuristics, behavioral changes, buffer overflows, registry updates, writing files to the windows folder, access to non-encrypted data.
