Module 2 Flashcards by parabellum smith

are anything of value to an organization, such as data and other intellectual property, servers, computers, smart phones, tablets, and more.

Assets

How well did you know this?

Not at all

Perfectly

A potential danger to an asset such as data or the network itself.

Threat

How well did you know this?

Not at all

Perfectly

A weakness in a system or its design that could be exploited by a threat.

Vulnerability

How well did you know this?

Not at all

Perfectly

An attack surface is the total sum of the vulnerabilities in a given system that are accessible to an attacker. The attack surface describes different points where an attacker could get into a system, and where they could get data out of the system. For example, your operating system and web browser could both need security patches. They are each vulnerable to attacks and are exposed on the network or the internet. Together, they create an attack surface that the threat actor can exploit.

Attack surface

How well did you know this?

Not at all

Perfectly

The mechanism that is used to leverage a vulnerability to compromise an asset. Exploits may be remote or local. A remote exploit is one that works over the network without any prior access to the target system. The attacker does not need an account in the end system to exploit the vulnerability. In a local exploit, the threat actor has some type of user or administrative access to the end system. A local exploit does not necessarily mean that the attacker has physical access to the end system.

Exploit

How well did you know this?

Not at all

Perfectly

The likelihood that a particular threat will exploit a particular vulnerability of an asset and result in an undesirable consequence.

Risk

How well did you know this?

Not at all

Perfectly

is the process that balances the operational costs of providing protective measures with the gains achieved by protecting the asset.

Risk management

How well did you know this?

Not at all

Perfectly

There are four common ways to manage risk (Risk Management Strategy)

Risk acceptance
Risk avoidance
Risk reduction
Risk transfer

How well did you know this?

Not at all

Perfectly

This is when the cost of risk management options outweighs the cost of the risk itself. The risk is accepted, and no action is taken.

Risk acceptance

How well did you know this?

Not at all

Perfectly

This means avoiding any exposure to the risk by eliminating the activity or device that presents the risk. By eliminating an activity to avoid risk, any benefits that are possible from the activity are also lost.

Risk avoidance

How well did you know this?

Not at all

Perfectly

This reduces exposure to risk or reducing the impact of risk by taking action to decrease the risk. It is the most commonly used risk mitigation strategy. This strategy requires careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the operation or activity that is at risk.

Risk reduction

How well did you know this?

Not at all

Perfectly

Some or all of the risk is transferred to a willing third party such as an insurance company.

Risk transfer

How well did you know this?

Not at all

Perfectly

The actions that are taken to protect assets by mitigating a threat or reducing risk.

Countermeasure -

How well did you know this?

Not at all

Perfectly

The potential damage to the organization that is caused by the threat.

Impact -

How well did you know this?

Not at all

Perfectly

requires inside network access such as a user with an account on the network.

A local exploit

How well did you know this?

Not at all

Perfectly

does not require an account on the network to exploit that network’s vulnerability.

A remote exploit

How well did you know this?

Not at all

Perfectly

is a common term used to describe a threat actor.

hacker

How well did you know this?

Not at all

Perfectly

A clever programmer capable of developing new programs and coding changes to existing programs to make them more efficient.

A network professional that uses sophisticated programming skills to ensure that networks are not vulnerable to attack.

A person who tries to gain unauthorized access to devices on the internet.

An individual who run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.

Hacker

How well did you know this?

Not at all

Perfectly

are ethical hackers who use their programming skills for good, ethical, and legal purposes. They may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers and security personnel who attempt to fix the vulnerability before it can be exploited. Some organizations award prizes or bounties to ____ when they provide information that helps to identify vulnerabilities.

White hat hackers

How well did you know this?

Not at all

Perfectly

are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. An example would be someone who compromises a network without permission and then discloses the vulnerability publicly. ___ may disclose a vulnerability to the affected organization after having compromised their network. This allows the organization to fix the problem.

Grey hat hackers

How well did you know this?

Not at all

Perfectly

are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. __ hackers exploit vulnerabilities to compromise computer and network systems.

Black hat hackers

How well did you know this?

Not at all

Perfectly

emerged in the 1990s. They are teenagers or inexperienced threat actors
running existing scripts, tools, and exploits, to cause harm, but typically not for profit.

Script Kiddies

How well did you know this?

Not at all

Perfectly

are grey hat hackers who attempt to discover exploits and report them
to vendors, sometimes for prizes or rewards.

Vulnerability Brokers

How well did you know this?

Not at all

Perfectly

are grey hat hackers who rally and protest against different political and social
ideas.

Hacktivists

How well did you know this?

Not at all

Perfectly

is a term for black hat hackers who are either self‐employed or working for large cybercrime organizations.

Cybercriminals

are threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations.

State‐ Sponsored hackers

Since hacking started in the 1960s with ____ it has evolved to include many types of threat actors.

phone freaking, or phreaking,

are threat actors who are motivated to make money using any means necessary.

Cybercriminals

Cybersecurity tasks

* Use a trustworthy IT vendor * Keep security software up-to-date * Perform regular penetration tests * Back up to cloud and hard disk * Periodically change WIFI password * Keep security policy up-to-date * Enforce use of strong passwords * Use two factor authentication

Many network attacks can be prevented by sharing information about ____ Each attack has unique, identifiable attributes.

indicators of compromise (IOC).

___ are the evidence that an attack has occurred.

Indicators of compromise

IOCs can be features that identify the following:

* malware files * IP addresses of servers that are used in attacks * filenames * characteristic changes made to end system software

___ focus more on the motivation behind an attack and the potential means by which threat actors have, or will, compromise vulnerabilities to gain access to assets.

Indicators of attack (IOA)

are concerned with the strategies that are used by attackers.

Indicators of attack (IOA)

Categories of Tools / Evolution of Security Tools

password crackers wireless hacking tools network scanning and hacking tools packet crafting tools packet sniffers rootkit detectors fuzzers to search vulnerabilities forensic tools debuggers hacking operating systems encryption tools vulnerability exploitation tools vulnerability scanners

Passwords are the most vulnerable security threat. ____ are often referred to as password recovery tools and can be used to crack or recover the password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. ____ repeatedly make guesses in order to crack the password and access the system.

password crackers Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.

Wireless networks are more susceptible to network security threats. ____ are used to intentionally hack into a wireless network to detect security vulnerabilities.

wireless hacking tools Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.

____ are used to probe network devices, servers, and hosts for open TCP or UDP ports.

network scanning and hacking tools Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

____ _are used to probe and test a firewall’s robustness using specially crafted forged packets.

packet crafting tools Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.

_______ are used to capture and analyze packets within traditional Ethernet LANs or WLANs.

packet sniffers Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.

_____ is a directory and file integrity checker used by white hats to detect installed root kits.

rootkit detectors Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.

____are tools used by threat actors when attempting to discover a computer system’s security vulnerabilities.

fuzzers to search vulnerabilities Examples of fuzzers include Skipfish, Wapiti, and W3af.

White hat hackers use _____ to sniff out any trace of evidence existing in a particular computer system.

forensic tools Example of tools include Sleuth Kit, Helix, Maltego, and Encase.

_____ are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware.

debuggers Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.

_____ are specially designed operating systems preloaded with tools and technologies optimized for hacking.

hacking operating systems Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.

These tools safeguard the contents of an organization’s data when it is stored or transmitted. ______use algorithm schemes to encode the data to prevent unauthorized access to the data.

encryption tools Examples of these tools include VeraCrypt, CipherShed, Open SSH, OpenSSL, OpenVPN, and Stunnel.

These tools identify whether a remote host is vulnerable to a security attack.

vulnerability exploitation tools Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Tool Kit, and Netsparker.

These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases.

vulnerability scanners Examples of these tools include Nipper, Securia PSI, Core Impact, Nessus, SAINT, and Open VAS.

Categories of Attacks

eavesdropping attacks data modification attack IP address spoofing attack password-based attacks denial-of-service (DoS) attack man-in-the-middle attack (MiTM) compromised key attack sniffer attack

is when a threat actor captures and listens to network traffic. This attack is also referred to as sniffing or snooping.

eavesdropping attack or sniffing or snooping

occur when a threat actor has captured enterprise traffic and has altered the data in the packets without the knowledge of the sender or receiver.

Data modification attacks

is when a threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.

IP address spoofing attack

occur when a threat actor obtains the credentials for a valid user account. Threat actors then use that account to obtain lists of other users and network information. They could also change server and network configurations, and modify, reroute, or delete data.

Password-based attacks

prevents normal use of a computer or network by valid users. After gaining access to a network, a _____can crash applications or network services. A ___ _can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A _____can also block traffic, which results in a loss of access to network resources by authorized users.

denial-of-service DoS attack

occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.

man-in-the-middle attack MiTM attack

occurs when a threat actor obtains a secret key. This is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.

compromised-key attack

is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a ____ provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the threat actor does not have access to the key.

sniffer

can occur when threat actors have gained access to user account information that allows them to access a system like authorized users.

A password-based attack

threat actors alter the contents of legitimate messages without the knowledge of the sender or receiver.

In data modification attacks,

a threat actor causes network traffic to pass through his computer. The traffic is then forwarded on as usual. The threat actor can then access then read and analyze the traffic for valuable information.

In man-in-the-middle (MiTM) attacks,

When encryption keys are stolen and use to decrypt private communications, ____ has occurred.

a compromised-key attack

A threat actor has attached to the network and uses a sniffer to read the contents of network traffic. This is an _____

eavesdropping attack.

A threat actor uses a tool to construct IP packets that appear to come from a valid source within the corporate network. This is an example of

IP address spoofing.

uses fake traffic to prevent legitimate users to access a network or system.

A denial of service (DoS) attack

It is code or software that is specifically designed to damage, disrupt, steal, or generally inflict some other “bad” or illegitimate action on data, hosts, or networks.

Malware is short for malicious software or malicious code.

are especially prone to malware attacks.

End devices

Three most common types of malware are:

* virus * worm * Trojan horse

is a type of malware that spreads by inserting a copy of itself into another program. After the program is run, ____ then spread from one computer to another, infecting the computers. Most ____ require human help to spread. A simple ___ may install itself at the first line of code in an executable file. When activated, the ___ might check the disk for other executables so that it can infect all the files it has not yet infected. ___ can also be programmed to mutate to avoid detection. Most____ are now spread by USB memory drives, CDs, DVDs, network shares, and email.

A virus

is software that appears to be legitimate, but it contains malicious code which exploits the privileges of the user who runs it. Often, ___are found attached to online games. The ____concept is flexible. It can cause immediate damage, provide remote access to the system, or access through a back door. It can also perform actions as instructed remotely, such as "send me the password file once per week."

Trojan horse malware

Trojan Horse Classification / Type of Trojan Horse

remote-access data-sending destructive proxy FTP Security software disabler Denial of Service (DoS) Keylogger

Enables unauthorized remote access.

Remote-access

Provides the threat actor with sensitive data, such as passwords.

Data-sending

Corrupts or deletes files.

Destructive

Uses the victim's computer as the source device to launch attacks and perform other illegal activities.

Proxy

Enables unauthorized file transfer services on end devices.

FTP

Stops antivirus programs or firewalls from functioning.

Security software disabler

Slows or halts network activity.

Denial of Service (DoS)

Actively attempts to steal confidential information, such as credit card numbers, by recording keystrokes entered into a web form.

Keylogger

are like viruses because they replicate and can cause the same type of damage. Specifically, ____ replicate themselves by independently exploiting vulnerabilities in networks. _____ can slow down networks as they spread from system to system.

Computer worms

____ known as the worm that ate the internet, was a denial of service (DoS) attack that exploited a buffer overflow bug in Microsoft’s SQL Server. At its peak, the number of infected servers doubled in size every 8.5 seconds. It infected 250,000+ hosts within 30 minutes, as shown in the figure.

SQL Slammer,

Most worm attacks consist of three components,

Enabling vulnerability Propagation mechanism Payload

A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.

Enabling vulnerability

After gaining access to a device, the worm replicates itself and locates new targets.

Propagation mechanism

Any malicious code that results in some action is a payload. Most often this is used to create a backdoor that allows a threat actor access to the infected host or to create a DoS attack.

Payload

are self-contained programs that attack a system to exploit a known vulnerability. Upon successful exploitation, the ____ copies itself from the attacking host to the newly exploited system and the cycle begins again. Their propagation mechanisms are commonly deployed in a way that is difficult to detect.

Worms

Code Red Worm Propagation

1. Propagate for 19 days 2. Launch Dos attack for next 7 days 3. Stop and go dormant for a few days 4. Repeat the cycle

Currently, the most dominant malware is ____. * ____ is malware that denies access to the infected computer system or its data. The cybercriminals then demand payment to release the computer system. * ____ has evolved to become the most profitable malware type in history. * There are dozens of ___ _variants. * _____ frequently uses an encryption algorithm to encrypt system files and data. * Payments are typically paid in Bitcoin because users of bitcoin can remain anonymous. * Email and malicious advertising, also known as malvertising, are vectors for ____ campaigns. * Social engineering is also used.

ransomware

Other Malware, / type of malware

spyware adware scareware phishing rootkits

Used to gather information about a user and send the information to another entity without the user’s consent. ____ can be a system monitor, Trojan horse, Adware, tracking cookies, and key loggers.

Spyware

Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.

Adware

Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.

Scareware

Attempts to convince people to divulge sensitive information. Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.

Phishing

Installed on a compromised system. After it is installed, it continues to hide its intrusion and provide privileged access to the threat actor.

Rootkits

Common Malware Behaviors

Appearance of strange files, programs, or desktop icons Antivirus and firewall programs are turning off or reconfiguring settings Computer screen is freezing or system is crashing Emails are spontaneously being sent without your knowledge to your contact list Files have been modified or deleted Increased CPU and/or memory usage Problems connecting to networks Slow computer or web browser speeds Unknown processes or services running Unknown TCP or UDP ports open Connections are made to hosts on the Internet without user action Strange computer behavior

replicate by sending copies of themselves across the network to other hosts.

Worms

causes messages to appear that direct the user to purchase a product or visit a commercial website.

Adware

malware masquerades as a legitimate request for personal information, but actually sends that information to threat actors.

Phishing

will prevent access to computer systems, sometimes by encrypting device storage. Payment needs to be made to regain access to the system.

Ransomware

What type of malware executes arbitrary code and installs copies of itself in the memory of the infected computer? The main purpose of this malware is to automatically replicate from system to system across the network.

Worm

What type of malware attempts to convince people to divulge their personally identifiable information (PII)?

Phishing

Types of Network Attacks / classifies attacks in three major categories.

Reconnaissance Attacks Access Attacks DoS Attacks

is information gathering. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

Reconnaissance attacks

The threat actor is looking for initial information about a target. Various tools can be used, including the Google search, organizations website, whois, and more.

Perform an information query of a target

The information query usually reveals the target’s network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.

Initiate a ping sweep of the target network

This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

Initiate a port scan of active IP addresses

This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secuna PSI, Core Impact, Nessus v6, SAINT, and Open VAS.

Run vulnerability scanners

The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

Run exploitation tools

progress of a reconnaissance attack

from information query, to ping sweep, to port scan.

exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of this type of attack is to gain entry to web accounts, confidential databases, and other sensitive information.

Access attacks

the threat actor attempts to discover critical system passwords using various methods.

Password Attacks

the threat actor’s device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.

Spoofing Attacks

a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target.

Trust Exploitation

a threat actor uses a compromised system as a base for attacks against other targets.

Port redirection

the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.

Man-in-the-Middle

the threat actor exploits the buffer memory and overwhelms it with unexpected values. This usually renders the system inoperable, resulting in a DoS attack.

Buffer Overflow Attack

is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information.

Social engineering

A threat actor pretends to need personal or financial data to confirm the identity of the recipient.

Pretexting

A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.

Phishing

A threat actor creates a targeted phishing attack tailored for a specific individual or organization.

Spear phishing

Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.

Spam

Sometimes called “Quid pro quo”, this is when a threat actor requests personal information from a party in exchange for something such as a gift.

Something for Something

A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.

Baiting

In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.

Impersonation

This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.

Tailgating

This is where a threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.

Shoulder surfing

This is where a threat actor rummages through trash bins to discover confidential documents.

Dumpster diving

was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks. It is a set of menu-based tools that help launch social engineering attacks.

The Social Engineer Toolkit (SET)

Recommended Social Engineering Protection Practices / Protecting against social engineering attacks

Never give your username / password credentials to anyone Never leave your username / password credentials where they can easily be found Never open emails from untrusted sources Never release work related information on social media sites Never re-use work related passwords Always lock or sign out of your computer when unattended Always report suspicious individuals Always destroy confidential information according to the organization policy

The weakest link in cybersecurity can be the ___ organization, and social engineering a major security threat. Because of this, one of the most effective security measures that an organization can take is to train its personnel and create a “security-aware culture.”

personnel

A ____ creates some sort of interruption of network services to users, devices, or applications.

Denial of Service (DoS) attack

There are two major types of DoS attacks:

Overwhelming Quantity of Traffic Maliciously Formatted Packets

The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.

Overwhelming Quantity of Traffic

The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.

Maliciously Formatted Packets

are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.

DoS attacks

____ it originates from multiple, coordinated sources. For example, A threat actor builds a network of infected hosts, known as zombies. The threat actor uses a command and control (CnC) system to send control messages to the zombies. The zombies constantly scan and infect more hosts with bot malware. The bot malware is designed to infect a host, making it a zombie that can communicate with the CnC system. The collection of zombies is called a botnet. When ready, the threat actor instructs the CnC system to make the botnet of zombies carry out a DDoS attack.

A Distributed DoS Attack (DDoS) is similar to a DoS attack,

attack increases in magnitude because it originates from multiple, coordinated sources, as shown in the figure.

DDoS attacks are similar in intent to DoS attacks, except that a DDoS

Components of DDoS

zombies bots botnet handlers botmasters

This refers to a group of compromised hosts (i.e., agents). These hosts run malicious code referred to as robots (i.e., bots). The zombie malware continually attempts to self-propagate like a worm.

zombies

Bots are malware that is designed to infect a host and communicate with a handler system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.

bots

This refers to a group of zombies that have been infected using self-propagating malware (i.e., bots) and are controlled by handlers.

botnet

This refers to a primary command-and-control (CnC or C2) server controlling groups of zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2 server to remotely control the zombies.

handlers

This is the threat actor who is in control of the botnet and handlers.

botmaster

The goal of a threat actor when using a ____ is to find a system memory related flaw on a server and exploit it. Exploiting the buffer memory by overwhelming it with unexpected values usually renders the system inoperable, creating a DoS attack. It is estimated that one third of malicious attacks are the result of ____

buffer overflow DoS attack

An early example of using malformed packets was the ____. In this legacy attack, the threat actor sent a ____, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash.

Ping of Death.

evasion methods used by threat actors (to hide is to thrive)

encryption and tunneling resource exhaustion traffic fragmentation protocol-level misinterpretation traffic substitution traffic insertion pivoting rootkits proxies

This evasion technique uses tunneling to hide, or encryption to scramble, malware files. This makes it difficult for many security detection techniques to detect and identify the malware. Tunneling can mean hiding stolen data inside of legitimate packets.

Encryption and tunneling

This evasion technique makes the target host too busy to properly use security detection techniques.

Resource exhaustion

This evasion technique splits a malicious payload into smaller packets to bypass network security detection. After the fragmented packets bypass the security detection system, the malware is reassembled and may begin sending sensitive data out of the network.

Traffic fragmentation

This evasion technique occurs when network defenses do not properly handle features of a PDU like a checksum or TTL value. This can trick a firewall into ignoring packets that it should check.

Protocol-level misinterpretation

In this evasion technique, the threat actor attempts to trick an IPS by obfuscating the data in the payload. This is done by encoding it in a different format. For example, the threat actor could use encoded traffic in Unicode instead of ASCII. The IPS does not recognize the true meaning of the data, but the target end system can read the data.

Traffic substitution

Similar to traffic substitution, but the threat actor inserts extra bytes of data in a malicious sequence of data. The IPS rules miss the malicious data, accepting the full sequence of data.

Traffic insertion

This technique assumes the threat actor has compromised an inside host and wants to expand their access further into the compromised network. An example is a threat actor who has gained access to the administrator password on a compromised host and is attempting to login to another host using the same credentials.

Pivoting

A ____ is a complex attacker tool used by experienced threat actors. It integrates with the lowest levels of the operating system. When a program attempts to list files, processes, or network connections, the ____ presents a sanitized version of the output, eliminating any incriminating output. The goal of the ____ is to completely hide the activities of the attacker on the local system.

Rootkits

Network traffic can be redirected through intermediate systems in order to hide the ultimate destination for stolen data. In this way, known command-and-control not be blocked by an enterprise because the proxy destination appears benign. Additionally, if data is being stolen, the destination for the stolen data can be distributed among many proxies, thus not drawing attention to the fact that a single unknown destination is serving as the destination for large amounts of network traffic.

Proxies

is an access attack in which the threat actor is positioned between legitimate entities in order to read or modify the data that passes between them.

Man-in-the-Middle

is a social engineering attack where a threat actor quickly follows an authorized person into a secure location by taking advantage of the authorized person’s credentials.

Tailgating

is a reconnaissance attack in which a threat actor uses a tool like Nmap to scan for open TCP or UDP ports on active devices in a network.

Port scanning

In any organization,___ can be weakest link in network security. ___ fall victim to social engineering attacks, open file attachments that contain malware, or use insecure passwords, for example.

people

are infected computers that make up a botnet. The ____ are used to deploy a distributed denial of service (DDoS) attack.

Zombies

Vulnerability exploits may be remote or local. In a local exploit, the threat actor has some type of user access to the end system, either physically or through remote access. The exploitation activity is within the local network.

a threat actor tries to gain the user password of a remote host by using a keyboard capture software installed on it by a trojan

An access attack tries to gain access to a resource using a hijacked account or other means. The five types of access attacks include the following:

password - a dictionary is used for repeated login attempts trust exploitation - uses granted privileges to access unauthorized material port redirection - uses a compromised internal host to pass traffic through a firewall man-in-the-middle - an unauthorized device positioned between two legitimate devices in order to redirect or capture traffic buffer overflow - too much data sent to a memory location that already contains data

Hackers use rootkits to avoid detection as well as hide any software installed by the hacker.

to gain access to a device without being detected

is the total sum of the vulnerabilities in a system that is accessible to an attacker. The attack surface can consist of open ports on servers or hosts, software that runs on Internet-facing servers, wireless network protocols, and even users.

An attack surface

Which risk management plan involves discontinuing an activity that creates a risk?

During a risk assessment it may be determined that an activity involves more risk than benefit. In such a situation an organization may decide to avoid the risk altogether by discontinuing the activity. This is known as risk avoidance.

Script kiddies is a term used to describe inexperienced hackers.

amateur hacker

What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source? is used by malicious parties who create fraudulent messages that attempt to trick a user into either sharing sensitive information or installing malware.

Phishing

Worms are self-replicating pieces of software that consume bandwidth on a network as they propagate from system to system. They do not require a host application, unlike a virus. Viruses, on the other hand, carry executable malicious code which harms the target machine on which they reside.

worm is self-replicating worm travels to new computers without any intervention or knowledge of the user

Social engineering attempts to gain the confidence of an employee and convince that person to divulge confidential and sensitive information, such as usernames and passwords. DDoS attacks, spam, and keylogging are all examples of software based security threats, not social engineering.

A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes.

Which evasion method describes the situation that after gaining access to the administrator password on a compromised host, a threat actor is attempting to login to another host using the same credentials? is an evasion method that assumes the threat actor has compromised an inside host and the actor wants to expand the access further into the compromised network.

Pivoting

the goal of the attacker is to prevent legitimate users from accessing network services.

In a DoS or denial-of-service attack,