lessons 5-9 Flashcards

(146 cards)

1
Targeted attack
is when a threat actor chooses a target for a specific objective. The choice of target is influenced by the perceived value of the outcome.
2
Opportunistic attack
is when a threat actor takes advantage of a vulnerable target (not previously known to them). The choice of target is generally influenced by work factors (time, effort, and resources to accomplish a task).
3
Hacktivist
threat actor making a political statement; generally talented. Funding variable.
4
Organized crime (cyber criminals)
out to make money; well organized, well funded.
5
Insiders | Shadow IT
someone at the organization who is disgruntled.
6
Script Kiddies
threat actor that does it for bragging rights or notoriety. Low level of sophistication.
7
Hackers
financial gain, notoriety. Generally talented.
8
NON-ADVERSARIAL THREATS
  1. Natural: natural occurrences such as earthquakes, floods, fire, pollutants, pandemics
  2. Operational: loss of service such as electricity, HVAC, technical issues, communication failure
  3. Human: accidents, civil disturbances, work stoppages.
9
Threat Modeling
is a structured process by which potential threats and threat actors can be identified, enumerated, and prioritized.
10
Asset-centric
What/why: identifies valued assets and motivation.
11
Architecture-centric
How: identifies system design components, strengths, and weaknesses.
12
Attacker-centric
Who: identifies the adversaries.
13
THREAT INTELLIGENCE
evidence-based knowledge about emerging threats that can be used to inform control decisions.
14
OSINT - OPEN SOURCE INTELLIGENCE
is a term used to refer to data collected from publicly available sources for use in an intelligence context. The OSINT Framework is a structured collection of OSINT tools.
15
CISA
America's cyber defense agency; resources, visit on a regular basis!
16
THREAT VECTOR
Also known as an attack vector; a potential pathway or scenario that can be exploited.
* Common threat vectors include: malicious emails in phishing attacks, weak or stolen passwords, drive-by download attacks, web applications, out-of-date applications or devices, and trusted relationships.
17
attack surface
is the sum of all threat vectors.
18
DEFAULT CREDENTIALS
* Issue: initially set up by the vendor. Built-in admin username and password.
* Impact: unauthorized access and compromise. Pathways to pivot to other devices; a quick Google search will usually reveal default credentials for a specific product.
* Causes: convenience, forgetfulness, laziness.
* Response: change or disable the default credentials.
19
WEAK PERMISSIONS
  • Issue: permissions that allow unnecessary access (device, cloud, application).
  • Impact: unauthorized access, access violations, privacy violations.
  • Causes: lack of understanding, poor classification, overconfidence.
  • Response: documented policies and procedures, management education, configuration management and standards.
20
DATA EXFILTRATION
the unauthorized transfer of data from a computer or network, typically carried out by cyber attackers to steal sensitive information such as personal data, financial records, or intellectual property.
21
OPEN SOURCE PORTS
network ports that are actively listening for incoming connections and are accessible from outside the network.
* Issue: open ports are those in listening mode.
* Impact: exposure, potential exploit, unauthorized access, denial of service, loss of integrity of device management.
* Causes: poor or nonexistent configuration management, unrestricted permission to install a device or software.
* Response: configuration management, ongoing system hardening, account restrictions.
22
UNSUPPORTED SYSTEMS & SOFTWARE
* Issue: two issues: unauthorized installation of devices/software, OR end of life (EOL) / end of support (EOS).
* Impact: exploits, compatibility issues, unauthorized access.
* Causes: lack of centralized control and local admin privileges. Absence of refresh policies and lack of understanding.
* Response: refresh policies and standards, resource management, budget allocation.
23
THIRD-PARTY THREAT VECTORS
include vendors, managed service providers (MSPs), business partners, consultants, and contractors that in some way interact with our organization's data.
24
Fourth-parties
are the vendors that our third parties source through; these manifest as risks to the organization.
25
supply chain
an entire ecosystem of organizations, processes, people, and resources involved in providing a product or service.
26
END OF LIFE
EOL: the date when the product, service, or subscription is determined to be obsolete.
27
END OF SUPPORT
EOS: the last date to receive applicable service and support.
28
EOL | EOS RISKS
Why can't we just keep using the hardware?
* Adversaries will continue to identify and exploit vulnerabilities
* Exposure to litigation for not upholding the standard of due care
* Risk of downtime due to lack of support
* Incompatibility with newer OS, applications, and hardware
29
service level agreements (SLA)
a contract between a service provider and a customer that outlines the expected level of service, including specific performance standards and responsibilities.
30
SYSTEM SPRAWL
the uncontrolled growth and spread of IT systems and resources within an organization, making them difficult to manage and secure.
31
non conformance
a situation where products, processes, or services fail to meet specified standards, requirements, or regulations, resulting in deviations from expected quality or performance.
32
ISA
Information Sharing and Analysis. the sharing of information and analysis related to cybersecurity threats and vulnerabilities among organizations to improve the overall security posture of the supply chain.
33
Social Engineering
is the action of exploiting human nature rather than technical hacking techniques to gain access to minds, systems, data, or buildings.
34
Pretexts
are fabricated stories or scenarios used to conceal the true purpose of an activity. Pretexts generally use enough truth to make them appear plausible.
35
Impersonation
is an act of pretending to be someone else.
36
Phishing
pretexting and impersonation using email, casting a wide net. Spear phishing targets a specific group or individual, whaling targets high-profile individuals.
37
Smishing
pretexting and impersonation using text messages.
38
Vishing
pretexting and impersonation using voice.
39
Watering Hole
describes the exploitation of a website or social media app that is frequented by the target (for example, making fake profiles to target you on Facebook and Instagram).
40
Shoulder Surfing
covert observation, nearby or remote.
41
Piggybacking/ Tailgating
when an unauthorized person enters a checkpoint close behind, or in concert with, authorized personnel.
42
Dumpster diving
the act of going through trash for information.
43
Baiting
the use of a gift for infiltration (like a USB drive).
44
Disinformation
false or misleading information spread on purpose to deceive.
45
Shallow fake
the alteration of media content using simple video editing software.
46
Deep fake
the use of machine learning and/or AI to manipulate or generate deceptive audio or video content.
47
Ethical disclosure
is the practice of publishing information related to a vulnerability or finding. The purpose is to inform others of potential risks so they can make informed decisions and take appropriate action.
48
Full disclosure
is making all details public without regard to additional harm that may be caused to others including exploitation by adversaries.
49
Responsible disclosure
is making enough information known so that informed decisions can be made while not releasing details that could be useful to an adversary.
50
VULNERABILITY MANAGEMENT
the process of identifying, assessing, reporting, prioritizing, and mitigating vulnerabilities.
51
zero day (0-day) vulnerability
is a flaw in hardware or software that has been discovered but a fix is not yet available.
52
window of vulnerability (WoV)
the time from when an exploit first becomes active to when the number of vulnerable systems shrinks to an insignificant number.
53
Escalation
access to a protected area
54
Buffer overflow
a type of software bug where a program writes more data to a block of memory, or buffer, than it is supposed to hold, causing the excess data to overwrite adjacent memory. This can lead to crashes, data corruption, or give attackers a way to exploit the system.
55
Memory leak
when a program fails to release memory that is no longer needed, causing it to consume more and more memory over time. This can eventually slow down the system or cause it to run out of memory and crash.
56
Race condition
is a flaw that produces an unexpected result when the timing of actions impacts other actions.
57
Time-of-check (TOC)
is when a program checks the state of a resource and then uses that info to make a decision.
58
Time-of-evaluation (TOE)
is when a program relies on the timing of events occurring concurrently or in a specific order.
59
Time-of-use (TOU)
is when the state of a resource changes between TOC and TOU, often because of a concurrent thread.
60
Injection
is the insertion of code or commands by exploiting input validation or processing mechanisms.
61
Directory Traversal
the ability to access files and directories outside of the intended directory.
62
Privilege escalation
gaining elevated access to resources that are normally protected from an application or a user.
63
Side-channel
a weakness in the physical properties of a device, like power consumption or electromagnetic radiation, that can be used to extract sensitive information.
64
Sideloading
installing and running software on a mobile device from a source other than the app store.
65
Jailbreaking
bypassing the security restrictions on a mobile device to gain greater control and access to the device’s OS and files.
66
Indicators of Attacks (IoAs)
behaviors or actions that suggest an attack is happening or about to happen; IoAs are proactive.
67
Indicators of Compromise (IoCs)
are evidence that a system may have been compromised; IoCs are reactive.
68
CYBER KILL CHAIN
is a framework developed by Lockheed Martin that explains how attackers move through networks to identify vulnerabilities that they can then exploit. Stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), actions on objectives.
69
COMMON INDICATORS OF ATTACK (IoA)
* Unusual network traffic: could be indicative of communication with a C&C server, data exfiltration, or recon activity
* Phishing emails: an increase in volume could be an indicator of an attack
* Unusual system events: errors, warnings, crashes, account lockouts, missing system logs, and anomalies in admin activity can be indicators of an attack
* Unauthorized software: the presence of unauthorized software, files, or unapproved devices on a network can be an indicator of an attack
70
Artifacts
are evidence or clues. Typical artifacts left behind by an attacker include new user accounts, file hashes, virus signatures, malicious files, command and control connections, modification of system and registry settings, evidence of data exfiltration, and patterns of suspicious behavior.
71
Malware
malicious software. It is used by hackers, cybercriminals, hacktivists, and cyber terrorists to steal information, harm or disrupt operations, extort, and/or weaponize devices.
72
rootkit
a type of malicious software designed to gain unauthorized access to a computer system and hide its presence, allowing an attacker to maintain control over the system without being detected.
73
types of rootkits
* Firmware: overrides the firmware/BIOS so the rootkit can start before the OS.
* Bootkit: replaces the OS bootloader (the small piece of software that starts the OS) so that the PC loads the bootkit before the OS.
* Kernel: replaces a portion of the operating system kernel so the rootkit can start automatically when the OS loads.
* Driver: impersonates a trusted driver that the OS uses to communicate with the hardware (addressed by UEFI and driver attestation).
74
Stealth (malware technique)
is designed to be inconspicuous in order to avoid detection by concealing file size or moving to an alternate location.
75
Memory resident (malware technique)
stays resident in memory upon execution and can infect other programs running at the same time.
76
Metamorphic (malware technique)
is rewritten with each iteration so that each succeeding version of the code is different from the preceding program.
77
Polymorphic (malware technique)
evades pattern-matching detection by frequently changing identifiable characteristics like file name, type, or encryption keys.
78
Command and control (C2)
the objective of C2 is for the compromised system to contact the command center, which gives the attacker control of the infected device.
79
Advanced persistent threat (APT)
a sophisticated, slow, stealthy, and prolonged attack on a specific target with the intention to compromise their system and gain information from or about that target.
80
Bot | Zombie
automated processes that either have instructions embedded or listen for instructions.
81
Ransomware
encrypts files and demands a ransom for the decryption key.
82
Bloatware
unwanted and potentially harmful software preloaded onto new devices. Also known as potentially unwanted applications (PUAs).
83
backdoors
code embedded in an application by the developer; backdoors bypass controls.
84
logic bombs
code embedded in an application by the developer that executes when a certain event or time occurs.
85
brute force
a hacking method where an attacker tries all possible combinations of passwords or encryption keys until they find the correct one, to gain unauthorized access to a system.
86
Work Factor
is the estimate of time, effort and resources needed by an adversary to succeed.
87
Conduct (brute force approaches)
the payload of the attack is the conduct of the attack itself; e.g., a denial of service attack.
88
Discovery (brute force approaches)
the payload of the attack is used to discover a hidden secret; e.g., discovering a password.
89
Rainbow table
uses a precomputed table of hashes to find the original plaintext; used in password cracking.
90
intrusion prevention systems (IPS)
a security tool designed to detect and block malicious activities and attacks on a network or system in real time.
91
Information technology (IT) infrastructure attack
IT infrastructure is primarily concerned with managing data and information assets.
92
operational technology (OT) infrastructure attack
OT infrastructure is focused on the use of hardware and software systems to monitor and control physical processes in industrial settings, for example a manufacturing plant or transportation system.
93
CYBER ATTACK TERMS
1. Targeted: chooses a target for a specific objective
2. Opportunistic: the attacker takes advantage of a weak target
3. Amplification: uses an amplification factor in order to multiply its power; e.g., use of botnets to launch DDoS attacks or spam campaigns
4. Reflection: sends a large number of requests to a device with the victim's IP address as the source address. Often used with amplification attacks.
94
Spoofing
is impersonating an address, system, or person; enables an attacker to act as the trusted source and redirect or manipulate actions.
95
Poisoning
manipulating the trusted source of data; enables the attacker to control the trusted source of data and redirect or manipulate actions.
96
Hijacking
intercepting communication between two or more systems; enables the attacker to eavesdrop, capture, manipulate, or reuse data packets.
97
Denial of service
overwhelming system resources; enables the attacker to make services unavailable for their intended use.
98
Distributed denial of service (DDoS)
a massive volume of service requests from multiple sources, often using amplification and reflection techniques.
99
URL Squatting
registering or using an internet domain name belonging to someone else.
100
Typosquatting
taking advantage of common typos to create a fraudulent domain.
101
Input validation
is the process of properly validating input from the client or environment.
102
Output validation
is used to control what is returned to the screen.
103
Injection (application attack)
tricks an app into including unintended commands in the data sent to an interpreter.
104
Cross-site scripting (XSS)
the injection of malicious code into a web application or back-end database that will execute scripts in a victim's browser. Can be persistent or reflected.
105
Cross-site request forgery (CSRF)
tricks a web browser into executing a malicious action on a trusted site for which the user is currently authenticated. CSRF exploits the trust that a site has in a user's browser.
106
Directory Traversal
uses specially crafted input that includes ../ sequences to traverse a directory and access files or directories outside of the intended scope.
107
SQLi ATTACK
a type of cyber attack where an attacker inserts malicious SQL code into a query input to manipulate a database, potentially gaining unauthorized access to sensitive data or altering the database's content and behavior.
108
WIRELESS ATTACK
the objective is the disruption, manipulation, or compromise of wireless transmissions or devices.
109
Sniffing
capturing wireless data packets. Enables an attacker to eavesdrop, manipulate, or reuse data packets.
110
Bluejacking
allows an attacker to send an unsolicited message to a Bluetooth device.
111
Bluesnarfing
discovering and connecting to a Bluetooth device with weak or nonexistent authentication requirements.
112
NFC (near field communication) Bump
enables an NFC-enabled attacker to connect to an NFC device by being in close enough range.
113
Evil twin (rogue access point w/ the same SSID)
allows an attacker to trick a user into connecting to an attacker-controlled network. May also impersonate a captive portal to capture credentials or payment info.
114
RFID cloning
allows the attacker to access a system, engage in credit card fraud, remove inventory, or whatever else the RFID chip is used for.
115
802.11
a set of standards for wireless networking (Wi-Fi) that defines how devices communicate over wireless networks.
116
IV Attack
is a type of cryptographic attack that exploits weaknesses in the initialization vector.
117
Jamming
overwhelming wireless frequencies with illegitimate traffic so that the frequency becomes unavailable for legitimate traffic.
118
Disassociation
spoofing a disassociation message, which forces a device to reassociate; the device is continually knocked offline. Can be used as a precursor to an evil twin attack.
119
cryptanalysis
the process of finding a cryptographic weakness.
120
DOWNGRADE ATTACK
a type of attack on a system that forces degradation to a lower-quality crypto mode. The attacker then exploits the lesser security control.
121
SIDE CHANNEL ATTACK
is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself.
122
Timing attack
exploits the fact that different computations take different times to compute on the processor. For example, if the encryption takes a longer time, it indicates that the secret key is long.
123
Dictionary
a list of known keys is tested; common wordlists.
124
Frequency analysis
analyzes patterns of frequencies in encrypted messages to deduce info about the underlying plaintext or key used to encrypt the message.
125
Birthday
exploits the mathematics behind the birthday problem in probability theory to cause a collision.
126
Pass-the-hash
attackers can use captured hashed credentials from one machine to successfully gain control of another machine.
127
Survivability
a system property (the ability to prevent, mitigate, and recover from cyber events).
128
open design
the security mechanism should not depend upon the security of the design or implementation. The argument against "security through obscurity".
129
default deny
is a security policy where all access is denied by default, and only explicitly allowed traffic or actions are permitted.
130
sanitization
the process of cleaning or modifying input data to remove or neutralize potentially harmful elements, ensuring it is safe for processing and preventing security vulnerabilities like SQL injection or cross-site scripting (XSS).
131
zero trust
no default trust or privilege; verification is required for access.
132
least functionality
a security principle that dictates systems should be configured to provide only the minimum functions necessary for their intended purpose, reducing the risk of exploitation by limiting potential attack surfaces.
133
separation of duties
breaking a task into segments so that no one subject is in complete control or has complete decision-making power.
134
least privilege
giving a subject only the rights and permissions needed to complete assigned tasks.
135
psychological acceptance
the human interface should be designed for ease of use so that users routinely and automatically apply the protection mechanisms correctly.
136
Segmenting
an enterprise into security zones is useful for creating and enforcing security policies, controlling information flow, and securing network access.
137
Security zone
are divisions of a network based on functional, performance, and/or security requirements. They are enforced by firewall ingress (incoming) and egress (outgoing) access control list (ACL) rules.
138
Untrusted
is one over which the organization has no control: the internet.
139
Screened subnet
has connections to both trusted and untrusted networks.
140
Trusted
is one that the organization has complete control over.
141
Enclave
a restricted network within a trusted network; e.g., database servers.
142
Air gapped
does not connect to any untrusted network.
143
Micro-segmentation
a method of creating zones within data centers and cloud environments to isolate workloads from one another and secure them individually.
144
East-West-North-South traffic
north-south is the traffic that flows into and out of data centers or clouds, and east-west is the traffic within a data center or cloud.
145
Protect Surface
made up of the network's most critical and valuable data, assets, applications, and services (DAAS). It's always knowable.
146
Virtualization
creates multiple environments from a single physical hardware system; virtual machines provide fault and security isolation at the hardware level, including memory and CPU access.