Domain One: Threats, Attacks and Vulnerabilities Flashcards
(152 cards)
1
Q
What is an Indicator of Compromise ?
A
Indicators of compromise are indications or signs that unauthorised activity has compromised an information system.
2
Q
What are common signs of IOCs ?
A
- Unusual Outbound Activity
- Anomalies in privileged user account or activity
- Geographical irregularities in network traffic
- Account Login Redflags - failed attempts
- Increases in database read volumes
- HTML response size increases
- Large number of requests for same files
- Mismatched port-application traffic - Hackers often try to hide what they do by using an encrypted vpn over a standard port
- Suspicious registry of file changes
- Unusual DNS Requests - An indicator of a command and control compromise where a bot is trying to contact its command
- Unexpected System Patching - Hackers may apply these to keep other attackers out or fool a Sys admin into complacency
- Mobile device profile changes
- Bundles of data in the wrong places - An indicator information has been moved to a location with outbound access as a pre-cursor to exfiltration
- Web Traffic with non-human behaviour - Again bots trying on a fast and repetitive schedule than no human could achieve
- Signs of DDoS attempts even if temporary
3
Q
What frameworks automate IOCs ?
A
OpenIOC - Opensource sharing of IOCs
Stix/Taxii/Cybox - Automated sharing of IOCs
4
Q
What is polymorphic malware ?
A
Malware that changes its code after each use making each replicant different for detection purposes - an example is changing the file hash or file type
5
Q
What is a virus ?
A
Is malware that infects and uses other codes infrastructure and environments and uses its executable code and privileges
6
Q
What is an amoured virus ?
A
Is a virus that uses encryption as a layer of protection against reverse engineering
7
Q
What is ransomware ?
A
Is a denial of service attack that locks the user out of their system until the encryption key is transferred in exchange for monetary gain.
8
Q
What is a worm ?
A
Unlike a virus that piggy backs off a legitimate entity the worm is self replicating and does not need a host
9
Q
What is a Trojan ?
A
A program that charades with one characteristic of functionality but it has another nefarious purpose
10
Q
What is a rootkit ?
A
Designed to specifically change the OS to facilitate non-standard activity
11
Q
What is a keylogger ?
A
Software that logs every keystroke of an end user
12
Q
What is Adware ?
A
Software supported by advertising can also be a form of malware
13
Q
What is Spyware ?
A
Malware that spies on user activity and reports stolen information.
14
Q
What are bots ?
A
A piece of software that performs tasks under the control of another program
15
Q
What is a rat ?
A
Trojan that exposes a back door to enable further attacks
16
Q
What is a logic bomb ?
A
Deliberately installed piece of software that remains dormant until some event or time which then triggers malicious payload
17
Q
What are some examples of social engineering ?
A
Phising
Tailgating
Impersonation
Third-Party Authorisation
Help Desk/Tech Support
Contractors/Outside Parties
Dumpster Diving - Trawling rubbish and waste for sensitive information
Shoulder Surfing
Hoax - Mainly on social media trying to get users to change security settings
Watering Hole Attack - Normally a compromised web site that draws users in and harvests their information. A watering hole attack differs from phishing and spear-phishing attacks, which typically attempt to steal data or install malware onto users’ devices but are often equally targeted, effective, and challenging to prevent. Instead, a watering hole attack aims to infect users’ computers then gain access to a connected corporate network. Cyber criminals use this attack vector to steal personal information, banking details, and intellectual property, as well as gain unauthorized access to sensitive corporate systems. Typically, attackers will target public websites frequented by professionals from specific industries, such as discussion boards, industry conferences, and industry-standard bodies.
18
Q
What is Phishing ?
A
is a bulk generated non specific target attempt to illicit information by representation as a trusted third party. Quantity vs quality.
19
Q
What is Spear Phising ?
A
targeted approach with higher success potential than phishing.
20
Q
What is Whaling
A
a form of Spear Phishing aimed at a high valued target such as a CEO
21
Q
What is Vishing ?
A
Phishing with voice technologies
22
Q
What is smishing ?
A
SMS
23
Q
What is Amplification ?
A
A type of denial of service designed to create sufficient enough packets to overwhelm a host such as a large server. Typically a ping request can be sent out to a large network with the return host address with that of the target. The target then gets overwhelmed.
Its hard to defend against because the attack is coming from a legitimate source.
24
Q
What is Buffer overflow ?
A
One of the most commonly used attacks, buffer overflows happen when the input buffer used to hold input is overwritten with data that is larger than the buffer can handle. This generally happens when error checking is not present either due to poor coding practices or limitations of the language.
The overflow causes adjacent areas in memory to be overwritten causing instability.
25
What is Clickjacking ?
This is where a overlay is put over a web site that is not visible to the user who thinks that when they interact with the sites controls it will do as they intend. However instead of interacting with control the overlay will do something nefarious such as steal information or redirect.
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees.
26
How do you mitigate against ClickJacking ?
Client-side methods – the most common is called Frame Busting. Client-side methods can be effective in some cases, but are considered not to be a best practice, because they can be easily bypassed.
Server-side methods – the most common is X-Frame-Options. Server-side methods are recommended by security experts as an effective way to defend against clickjacking.
27
What is cross site request forgery ?
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
28
What are the two types of cross site scripting ?
Non Persistent - The injected script is not stored but executed immediately and passed back via the web browser
Persistent - script is stored permanently on the web server or on some back end storage system.
Dom Based - Script is executed via DOM process as opposed to web server process
29
What is cross site scripting ?
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data
30
What is DDoS
The attacker exploits a known vulnerability in a specific applications operating system or attacks features in specific protocols or services in an attempt to deny authorised users access to an information system or the features of that system
31
What is distributed DDos ?
A distibuted DDos attack is where multiple attack platforms known as a bot net or zombie net are used to flood the target system so that the same denial effect is
32
What is DNS poisoning ?
When the attacker alters the DNS table of the host system sending a request for a legitimate website to a compromised one.
33
What is domain hijacking ?
This another redirection attack but this time the compromise is the domain itself as registered. This allow the attacker to potentially install malware when the redirected user lands.
A frequent tactic used by domain hijackers is to use acquired personal information about the actual domain owner to impersonate them and persuade the domain registrar (https://en.wikipedia.org/wiki/Domain_name_registry) to modify the registration information and/or transfer the domain to another registrar, a form of identity theft (https://en.wikipedia.org/wiki/Identity_theft). Once this has been done, the hijacker has full control of the domain and can use it or sell it to a third party.
34
What is driver manipulation ?
An attack on the system by changing how drivers work thus causing an OS to become potentially unstable
35
What are injections ?
This down to poor input field validation and is where the attacker can enter code into the input fields that can give them access to the underlying infrastructure or information at the same privilege level that the application is running under.
36
What is a man in browser attack ?
The location of the attacker is not between source and destination but is actually in the browser. Normally achieved through the installation of malware and this malware will generate a different instruction that the original users intent. For example on a banks website I may think I have updated my contact details but the malware issues a transfer of funds.
The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (ex: the browser) and its security mechanisms or libraries on-the-fly.
The most common objective of this attack is to cause financial fraud by manipulating transactions of Internet Banking systems, even when other authentication factors are in use.
A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction.
Normally, the victim must be smart in order to notice a signal of such attack while they are accessing a web application like an internet banking account, even in presence of SSL channels, because all expected controls and security mechanisms are displayed and work normally.
37
What is man in the middle attack ?
This is the capturing of information between source and destination. The attacker can observe information before relaying it. To the sending system everything appears normal.
38
What is Pass the Hash ?
Where systems hash the password and use that to verify the user if an attacker captures that hash he can mimic the user. Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session.
39
What is privilege escalation ?
This a goal to to get higher privilege access than the original access.
40
What is a replay attack ?
The attacker captures some legitimate information used in a legitimate transaction between a user and a web site. The hope is the same outcome can be gained for the attackers advantage by replaying the information.
It is much easier to execute this type of attack with a wireless endpoint in play
41
What is session hijacking ?
The attacker bypasses any authentication mechanism by hijacking a valid authenticated session.
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token.
Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
The session token could be compromised in different ways; the most common are:
Predictable session token;
Session Sniffing;
Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);
Man-in-the-middle attack (https://owasp.org/www-community/attacks/Man-in-the-middle_attack)
Man-in-the-browser attack (https://owasp.org/www-community/attacks/Man-in-the-browser_attack)
42
What is shimming ?
The act of putting code between OS and drivers - although legitimat attackers can place malicious code in between
A driver shimming attack involves the misuse of a helpful tool known as a shim within an operating system like Windows. Driver shims are intended to make older drivers work smoothly with newer software. They bridge the gap between older and newer components.
43
What is spoofing ?
CAn be MAC or IP spoofing and its a way to pretend that the code or request is coming from a legitimate source
Smurf Attack - The attacker spoofs a packet to all systems on a particular network and forges the from address so that the target host gets all the echo replies.
44
What is URL Hijacking ?
These are redirect attacks where the destination is a clone very similar to the original target but for example the URL or the name of the website is slightly different e.g. eboy.com or bbs.co.uk
45
What is a Zero Day ?
This is an attack that has never been seen before so that the vendor has no defence set up via the patching system or other countermeasures.
46
What is a birthday attack ?
Relies on the law of probability that in a room of 23 people there is a 50% chance of 2 people sharing the same birthday. A birthday attack assumes that instead of a shared birthday there will be a shared password.
47
What is BlueJacking
This is where a hacker can use your bluetooth device to send unwanted messages appearing to come from your phone.
48
What is BlueSnarfing ?
This is where bluetooth is used to connect to your device with the sole intent of stealing your information,
49
What is Bruteforce ?
Online bruteforce is done in real time against the server - remedied by locking accounts out after a specified number of retry attempts
Offline bruteforce - is where the attacker has captured your password file and has copied it to a offline location where they will have time and opportunity to crack the file due to no network latency. Mitigated by having the right acl and encryption solutions in place.
50
What is a collision ??
This is where two passwords can generate the same hash. An attacker can use this to their advantage to change content mitigated by newer hashing algorithms.
51
What is a dictionary attack ?
This is a dictionary of common passwords with common alterations such as an a being changed to a @
52
What is a dissociation attack ?
Is the act by attackers of disconnecting devices from a network. Because most devices are set to reconnect automatically this gives the attacker a replayable opportunity to capture the password or token when authenticating.
A disassociation attack is a cyberattack where a hacker forces a device to lose internet connectivity either temporarily or for an extended time. One second, you're using your internet, and the next, your connection vanishes.
Your phone or laptop will try to reconnect as usual, but your router will be unavailable. The attack can be one where the attacker simply wants to kick you off the network for fun. However, it is seldom so. Most disassociation attacks are by hackers who want a profit.
And usually, in that case, when your device attempts to reconnect to the router, it'll be connecting to an evil twin (cloned) router the attacker has set up for that purpose. Most people won't notice a difference when they connect to a cloned router, but their internet activities will be visible to the attacker.
53
What is a downgrade vulnerability ?
This is where systems are allowed to run weaker protection due to backwards compatibility. Such as running an obsolete level of tls/ssl connections
54
What is an evil twin rogue attack ?
This is where a malicious access point is setup to attract users and allow the attacker to act as a man in the middle. Evil Twin is essentially a copy of a legitimate AP whereas a rogue ap is a malicious AP setup from scratch.
55
What is an initialisation vector attack ?
When establishing a connection a randomised identifier is sent between source and destination. If the randomisation is not completely random but guessable then it may allow an attacker to guess a correct sequence and therefore establish a connection for malicious purposes. The connection itself would however be see as being perfectly legitimate.
In WEP systems the IV is sent in clear text and was only 24 bits long which made them vulnerable.
56
What is a NFC attack ?
Used for transmitting information between mobile phones and a scanning station. Usually used for transmitting financial information.
57
What is a rainbow tables attack ?
Rainbow tables are a dictionary of how common passwords get represented in a hash. This lends itself to a brute force type of approach.
A mitigation is to salt the hash. This means adding extra random characters to the thing that is to be hashed.
A rainbow table attack is a password cracking method that uses a special table (a “rainbow table”) to crack the password hashes in a database. Applications don’t store passwords in plaintext, but instead encrypt passwords using hashes. After the user enters their password to login, it is converted to hashes, and the result is compared with the stored hashes on the server to look for a match. If they match, the user is authenticated and able to login to the application.
The rainbow table itself refers to a precomputed table that contains the password hash value for each plain text character used during the authentication process. If hackers gain access to the list of password hashes, they can crack all passwords very quickly with a rainbow table.
An attacker spots a web application with outdated password hashing techniques and poor overall security. The attacker steals the password hashes and, using a rainbow table, the attacker is able to decrypt the passwords of every user of the application.
A hacker finds a vulnerability in a company’s Active Directory and is able to gain access to the password hashes. Once they have the list of hashes they execute a rainbow table attack to decrypt the hashes into plaintext passwords.
Eliminate passwords: The ONLY way to ensure the prevention of password-based attacks is through eliminating passwords. Without a list of password hashes to steal there is no way to execute a rainbow table attack. Learn more about passwordless authentication (https://www.beyondidentity.com/resources/passwordless-authentication) today and keep your most critical applications secure.
Use salting: Hashed passwords should never be stored without salting. This makes the password more difficult to decrypt. However, we recommend eliminating the alphanumeric password altogether.
Use biometrics: Using a biometric method of authentication makes it difficult, if not impossible, for an attacker to use a rainbow table attack effectively. Rainbow table attacks will not work against biometric passwords.
Monitor your servers: Most modern server security software monitors against attempts to access sensitive information and can automatically act to mitigate and trap intruders before they can find the password database.
Don’t use outdated hashing algorithms: Hackers look for applications and servers using obsolete password hashing algorithms MD5 and SHA1. If your application uses either algorithm, your risk for rainbow table attacks substantially increases.
58
What is a replay attack ?
The attacker captures some legitimate information used in a legitimate transaction between a user and a web site. The hope is the same outcome can be gained for the attackers advantage by replaying the information.
It is much easier to execute this type of attack with a wireless endpoint in play
59
What is a RFID attack ?
Used for security badges and access to buildings and therefore gives access to attackers if they can copy the technology or deny access.
60
What is a weak implementation attack ?
This is the use of older security controls that are not as effective against modern hacking techniques. Such as an older encryption algorithm.
61
What is a WPS attack ?
WPS uses an 8 digit pin for authentication which means it is susceptible to brute force attack by hackers.
62
What is an APT ?
These are toolkits that are designed to gain access and maintain a presence for these hackers. Commonly sponsored by nation states and with the aim not only of satisfying an immediate need but also maintaining a long term advantage over the opposition.
63
What are hacktivists ?
This is a collectivist effort centering around some shared cause or goal. They are more technically advanced than most script kiddies and can write their own scripts - make up 8 -12%. They can exploit known vulnerabilities without being able to exploit or find new ones.
64
Describe Insiders and Competitors ?
Insiders are already inside the network and are therefore a very dangerous entity although sometimes inside attacks are just mistakes.
Competitors are outside of the network and are using hacking to gain a competitive advantage.
65
Describe Nation States attackers ?
As the name suggests this is where hackers work for governments. They compromise 1 - 2% of all attacks but their targets can be critical such as hospitals and infrastructure. They are the elite of the hacking community and are able to find and exploit new vulnerabilities.
66
Describe Organised Crime Attackers ?
Differs from lone hackers in the amount of resources the hackers have at their disposal. The attack is often to further other criminal activities on the dark web including drugs etc.
67
What is OSINT
Intelligence from publicly available sources such as social media, news articles and blogs as well as government reports. OSINT benefits from being quicker to market than more traditional organisations listed below.
There are organisations the provide intel
Information Sharing and Analysis Organisation and Information Sharing and Analysis Centre - Subscription model
Infraguard - Free from FBI
They all suffer from speed of getting the information out there and so can become dated very quickly.
68
Who are script kiddies ?
Make up 81 - 90% of all attacks. A grouping of low level technical knowledge individuals who can run scripts that others write but cannot create their own scripts or exploit an attack. They are limited to just what the script allows them to do.
69
Descibe the reconnaissance phase of penetration testing ?
Reconnaissance is the first step and its an information gathering exercise there are two types
Active - Which is probing the defences of the organisation in a way that an attacker would. This is not the most favoured way because its going to be hopefully picked up by existing defences
Passive - This is using information sources freely available outside of the organisation such as Linked in to glean information to be used in a more creative way. Social media is another example.
Tools can be active or passive. Active tools should trigger defences where as passive tools just listen without the triggering. Packet sniffing can be a passive activity.
70
What after reconnaisance is the next three phases of pentesting ?
Initial Exploitation the focus is to exploit the vulnerability to gain access. Its aim is to show the level of risk present and to demonstrate the mechanisms of the attack vector.
Pivoting and Privilege Escalation - Privilege escalation is about expanding the capabilities from those of the initial exploitation and also being able to pivot to other devices on the network that may have a higher hack value.
Persistence is to create a mechanism whereby the attacker can keep getting access to the system but with less risk of detection.
71
What is black box testing ?
Black box testing is where the tester has no knowledge of the system and it simulates closely the steps an actual hacker would have to undertake
72
What is white box testing ?
White box testing is where the tester has knowledge of the system and this is usually done to test the before and after state of a new feature on the system
73
What is Gray box testing ?
Gray box testing is a mixture of both where the tester has some knowledge of the system. It is usually the most efficient testing pattern as it prevents the tester spending lots of time trying things that wont work as would be the case in black box testing
74
What are the four types of vulnerability scans ?
Intrusive scans - These actively probe the vulnerability and could lead to damage or changes in the system state
Non Intrusive scans - These just listen and identify vulnerabilities and are much safer
Non-credentialed scans - A quick scan by looking for common exposed services (ports) but it can scan application or os vulnerabilities
Credentialed scans - A longer scan but it has the ability to produce a more detailed report because it has privileges in its credential.
75
Whats the difference between vulnerability scanning and pentesting ?
Vulnerability scanning is unlike pen testing an inhouse activity and is solely concerned with finding vulnerabilities not understanding their impact or their remediation.
AWS Config is a tool that helps identifies vulnerability scanning
Pen Testing is understanding the whole systems security posture - sometimes some controls are not appropriate and we then rely on the next set of controls in a defence in depth strategy. Pen testing with its emphasis on seeing how deep a vulnerability is tests this approach.
76
What is Misconfiguration ?
Misconfiguration, weak configuration or relying on default configuration can lead to vulnerabilities being exposed. This type of problem can be seen on routers which would have a devastating effect on the whole system
Improperly configured IAM accounts such as an over reliance on individual accounts, placing people in the wrong groups or allowing local admin or root privileges on single machines is another form of misconfiguration. Privilege escalation is a common theme here.
77
What are the effects of improper error handling ?
A common technique of hackers is to force errors in the hope that the error handling within an application has not been implemented correctly.
Server names, file structures and filenames can be revealed in RPC scenarios whereas a SQL Injection attack could show errors revealing a database name.
The best way around this is to have a plain vanilla message shown to the users and the details of the error logged out to a file protected by ACL.
78
What are the effects of improper input handling ?
Lack of proper input validation and handling is the number one cause of vulnerabilities within applications. Users can manipulate or effect input, so developers must ensure their code is written in a way that appropriately handles input to prevent malicious entries.
Buffer Overflow
Cross Site Scripting
Cross Site Request Forgery
SQL Injection
These are the common causes of not handling input properly.
79
What are the effects of memory and buffer issues ?
Buffers are areas written to in memory by programs. Overflowing a buffer by storing values to large for the allocated space can cause crashes or incorrect output as contiguous areas of memory are corrupted.
80
What is buffer overflow ?
Same idea as the other two but also despite crashes or inconsistent output a buffer overflow could allow a malicious program to be stored and executed.
81
What is DLL Injection ?
DLL are libraries that contain functionality that can be used by programs. It is perfectly possible for a malicious dll or one containing vulnerabilities to be added to a programs execution space.
82
What is integer overflow ?
This is where an integer (any numerical) is allocated to a storage space that is not sized correctly again similar problems as to buffer overflows
83
What is memory leak ?
Cause by not handling errors correctly - Memory should be cleared when not needed so as to prevent memory leaks which could cause
race conditions, resource exhaustion
84
What is pointer dereferencing
ff
85
What are the three ways of handling race conditions ?
Race conditions occur when you have multiple inputs vying for resources to produce an output. If the the sequence of the inputs does not happen as expected then this can occur as a race condition leading to either a system crash or weird unpredictable output.
There are three counter measures
1. Reference Counters - Structures within the kernel that reference if a resource is in use
2. Kernel Locking - Kernel locking has performance degradation issues
3. Thread Synchronisation - We synchronise thread access to resources in a queue like structure to prevent race conditions and locking of resources
86
What are the issues with embedded systems vulnerabilities ?
Embedded systems are those which are dependencies for other systems and as such may get left out of your patch management program because they are not as visible as line of business systems.
Again the impact is similar to other system vulnerabilities.
87
What are end of life systems ?
These are systems that are no longer supported by the vendor. New vulnerabilities are not patched and that compatibility with new software and hardware is not tested.
Vulnerabilities that are not patched or not tested leaving them exposed to exploitation.
88
What is lack of vendor support ?
This occurs either when the vendor goes out of business or software is bought without support agreements. The impact is the same as the End Of Life.
89
What issues do untrained users cause ?
Not training users properly can cause users to bypass security controls or expose vulnerabilities within the application down to ignorance.
90
What is the effect of a vulnerable business process ?
If there is a fault in a business process such a paying invoices that lends itself to fraud then putting automation over the top of it could amplify those faultlines
91
What is the effect of weak cryptography ?
Implementing poor or old cryptography libraries will be as bad as not implementing any cryptography
92
What are the other issues ?
System Sprawl - Undocumented systems or old documentation leading to vulnerability through ignorance
Architecture Design Issues - E.g. no network segmentation
Improper Key management and Cryptography.
93
What is pretexting ?
Pretexting is the act of impersonating someone
94
What is baiting ?
Baiting is the use of usbs or qr codes as bait to lead victims to nefarious sites for example.
95
What key capability of SIEM should I use to understand insider threats ?
User Behaviour analysis
96
What is the role of the White team in cybersecurity exercises ?
To set up the rules and parameters of the exercise
97
How do you bypass a NAC looking at hardware addressed ?
Spoof MAC address
98
What is domain hijacking ?
When details of the domain such as the owner, contact and admin details have been changed.
99
Whats an unknown environment test ?
A.k.a Black Box
100
What is a SSL stripping attack ?
SSL stripping attacks (also known as SSL downgrade or HTTP downgrade attacks) are a type of cyber attack in which hackers downgrade a web connection from the more secure HTTPS to the less secure HTTP. Prevelant in open hotspots that dont assert their identity.
101
What is the CIA triad used for ?
We can use the CIA to evaluate controls and threats.
102
What is confidentiality ?
Confidentiality ensures that unauthorised individuals are not able to gain access to sensitive information. Typical controls are firewalls encryption and access control lists.
103
What is integrity ?
Integrity ensures that there are no unauthorised modifications to information systems either intentionally hashing is a good example.
104
What is availability ?
Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them. Examples are fault tolerance, backups and clustering are examples
105
What is non repudiation ?
Non Repudiation means that someone who performed some action cannot later deny having taken that action.
106
What is the DAD triad ?
Description of the key threats in cybersecurity - Denial, Disclosure, Alteration
107
What are the types of breach ?
Financial, Reputational, Compliance, Operational, Strategic
108
Whats the difference between a strategic risk and an operational risk
Strategic risk is more serious as it threatens the organisation itself whereas an operational risk is an inconvenience to day to day practices.
109
What is a watering hole attack?
Watering Hole Attack - Normally a compromised web site that draws users in and harvests their information. A watering hole attack differs from phishing and spear-phishing attacks, which typically attempt to steal data or install malware onto users’ devices but are often equally targeted, effective, and challenging to prevent. Instead, a watering hole attack aims to infect users’ computers then gain access to a connected corporate network. Cyber criminals use this attack vector to steal personal information, banking details, and intellectual property, as well as gain unauthorized access to sensitive corporate systems. Typically, attackers will target public websites frequented by professionals from specific industries, such as discussion boards, industry conferences, and industry-standard bodies.
110
What is a APT threat actor ?
A sophisticated opponent discovering and exploiting vulnerabilities not yet known to security community.
111
White is a semi authorised hacker known as ?
Gray Hat
112
What are common targets for Script Kiddies ?
Schools and University networks
113
Are Hactivists always external attackers ?
No they can be internal if they disagree with a company policy
114
Which common classification of threat actors are most likely to be APT actors ?
Nation State
115
What tool can be used to identify internal threat actors ?
Behavioural analysis conducted in conjuction with HR.
116
What is shadow IT and why is it a problem ?
Shadow IT represents IT activities that are undertaken by non IT departments. It is a problem because its motivation is usually to bypass normal security controls put in place by the IT department. It could lead to data existing in outside sources not known to IT
117
Name some common threat vectors ?
Cloud, Files and Images, Wired and Wireless Networks, Supply Chain, Systems, Removable Devices, Message Based
118
What is a threat map ?
Geographic view of threat intelligence used to get insight into the source of attacks.
119
Why might a company use a propriety threat intelligence source rather than a OSINT source ?
So as not to expose info to public
120
What is a downgrade attack ?
Tries to trick the user into downgrading to a less secure protocol
121
What are the five common controls to maintain confidentiality ?
Encryption
Access Controls
Data Masking
Physical Security Measures
Training and Awareness
122
What is the best way to launch a dissassociation attack ?
The best way for an attacker to launch a dissociation attack is typically to send a deauthentication frame containing a spoofed IP address of the device to disassociate. WPA2 does not encrypt management frames so it is easy to do. WPA3 does encrypt management frames.
Jamming is a cruder method which puts the act of disassociation back to the owner of the device who thinks there is a problem.
123
What are the four main ways OS can be exploited ?
OS Vulnerabilities, Default Values, Configuration and Misconfigurations
124
Why are firmware vulnerabilities of particular concern ?
Because re-installing the OS or other software will not cure the problem.
125
What is secure boot ?
Malware targeting drivers present a problem because they get loaded before security tools and therefore can be missed. Secure boot only allows drivers signed and vetted to be installed and trusted by the original equipment manufacturer. Requires a signature database.
126
What is measured boot and the boot attestation process ?
Measured boots records info in the boot process from drivers to firmware and stores the information in the TPM. The boot attestation process allows comparison between known and present states and alerts administrators of deviations.
127
What are the three major functions of a TPM chip ?
Remote attestation - allowing hardware and software configurations to be verified
Binding - Encrypts Data
Sealing- Encrypts data and sets requirements for the state of the TPM chip before encryption.
128
Describe the differences between TPM, HSM and KSM
TPM - System Security, HSM key storage for multiple systems KMS - Secret management
129
What are the four considerations you should make before undertaking a vulnerability scan ?
1. What is the data classification of the information stored, processed or transmitted by the system
2. Is the system exposed to the internet or other public or semi public network
3. What services are offered by the system
4. Is the system production, test or development
130
How do vulnerability scans help asset inventory and asset criticality ?
Help build an asset inventory and the criticality drives the type of scans and their priority
131
What are the five main things that determine vulnerability scan frequency ?
Organisations Risk Appetite - A risk averse organisation may choose to scan more frequently
Regulatory Requirements - Some standards enforce this such as PCIDSS
Technical Constraints - Some systems can only support some frequencies
Business Constraints - May prevent scans especially in periods of high availability
Licensing Limitations - May curtail the bandwith consumed
132
What are some of the issues with scan levels within vulnerability scanning ?
Administrators often create a template that specifies this. Also specific plugins that are not applicable are also removed in these templates. Also some scans are intrusive and they may be removed for non intrusive scans especially during operational hours.
133
What is a credentialed vulnerability scan ?
A credentialed scan has been provided credentials so that it can log on to systems and probe deeper than a non credentialed scan. Although a credentialed scan should only report without making changes best practice dictates that the supplied credentials should be read only.
134
What is an agent based vulnerability scan and what are the potential issues with it ?
An agent based scan involves software being installed on a host to provide an inside out. A downside or worry is that this software can consume resources and therefore impede performance
135
Whats the difference between an internal and external vulnerability scan ?
An external scan is run from the internet and is designed to offer insights from the attackers perspective where as an internal scan may by more intrusive to give more detailed information to aid blue team defensive approaches.
136
What tools can get in the way of a vulnerability scan ?
Firewall Settings
Network Segmentations
IDS
IPS
137
What role do vulnerability feed play in vulnerability scanners ?
They keep the scanners updated either automatically or manually
138
What is SCAP ?
SCAP is an effort by the security community to create a standardised approach for communicating security related information.
139
What is CCE as part of SCAP ?
Provides a common nomenclature for system configuration issues.
140
What is CPE as part of SCAP ?
Provides a standard nomenclature for describing product names and versions
141
What is CVE as part of SCAP ?
Provides a standard nomenclature for describing security related software flaws
142
What part of SCAP provides a common vulnerabilty scoring system ?
CVSS
143
What is Extensible Configuration Checklist Description Format (XCCDF)
A language for specifying checklists and reporting checklist results
144
What is Open Vulnerability and Assessment Language (OVAL)
A language for specifying low-level testing procedures used by checklists.
145
What is software interactive testing ?
A combination of interactive and dynamic testing analysing source code while testers are actively testing
146
What are the four values the CVSS Attack Vector can have ?
Physical, Local, Adjacent, Network
147
What is a pretexting social engineering attack ?
Pretexting is a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext
A common one is someone claiming your pc has malware and they need to take control of it to clean it up.
148
What is the difference between disinformation and misinformation in an influence campaign ?
Influence campaigns are coordinated efforts to affect public perception or behaviour towards a particular cause, individual or group. Malicious campaigns are usually perpetrated by Hacktivists or Nation State actors.
Misinformation - inaccurate information shared unintentionally
Disinformation - inaccurate information shared to deliberately deceive or mislead.
149
What is a rootkit ?
Designed to give an attacker root level access over an OS. It allows a user to operate in Ring 0 or kernel mode on a system which allows interaction with devices, sound cards and monitors and is the most powerful. Rootkits get installed at Ring 1 and try to dig into the operating system as close to Ring 0 as possible. DLL Injection and Shim techniques are common methods of operation for rootkits.
150
Whats the best way to detect a rootkit ?
External scan
151
What is the difference between DDoS and DoS ?
Similar to the differences between spear phising and phising in the DoS is more targeted whereas DDoS is more arbitary
152
