Confidentiality
Data Confidentiality: Ensuring that confidential information is not disclosed to unauthorized individuals. Privacy: Allowing users to control their personal data.
Integrity
Protecting information from improper modification or unauthorized manipulation.
Availability
Ensure authorized users have access to information and resources when needed.
Low Impact
Limited adverse effect on organizational operations.
Moderate Impact
Serious adverse effect on organizational operations.
High Impact
Severe or catastrophic adverse effect on organizational operations.
Adversary (Threat Agent)
Entity that performs detrimental activities.
Passive Attacks
Eavesdropping on communications.
Active Attacks
Modifying system resources or operations.
Insider Attacks
Attacks from within the security perimeter.
Outsider Attacks
Attacks from outside the security perimeter.
Countermeasures
Prevent, detect, and recover from attacks.
Risk
An expectation of loss: the probability that a particular threat will exploit a particular vulnerability, combined with the resulting harm.
Security Policy
Set of criteria for security services.
System Resources (Assets)
Hardware, software, data, communication facilities, and networks.
Threats
Circumstances or events that can cause harm.
Vulnerabilities
Weaknesses in an information system.
Awareness
Informing employees about security issues.
Training
Teaching skills to perform IT tasks securely.
Education
Targeted at security professionals.
Symmetric Encryption
Uses a single key for both encryption and decryption.
Public-Key Encryption
Uses a key pair. Encryption: the recipient's public key; Decryption: the recipient's private key. (For digital signatures the roles are reversed: sign with the private key, verify with the public key.)
RSA
Keys: n = p·q for two large primes, with e·d ≡ 1 (mod φ(n)). Encrypt: C = M^e mod n. Decrypt: M = C^d mod n = (M^e)^d mod n = M.
Hash Functions
One-way functions that map arbitrary-length input to a fixed-length digest; collision- and preimage-resistant. Example: SHA-3.
Multi-factor authentication
Requires two or more independent factors: something you know (password), something you have (token, phone), something you are (biometric).
Password-Based Authentication
Vulnerabilities: Offline dictionary attacks, specific account attacks, popular password attacks, password guessing, workstation hijacking.
Biometric Authentication
Types: Fingerprints, facial recognition, iris scans, voice patterns.
Discretionary Access Control (DAC)
Based on the identity of the requestor and access rules.
Mandatory Access Control (MAC)
Based on comparing security labels with security clearances.
Role-Based Access Control (RBAC)
Based on roles assigned to users.
Attribute-Based Access Control (ABAC)
Based on attributes of the user, resource, and environment.
Subjects
An entity capable of accessing objects. Unix distinguishes three classes of subject: 1. owner 2. group 3. world, each with its own rwx permissions (rwx/rwx/rwx).
Objects
A resource to which access is controlled (e.g., files, directories, records, programs).
Access right
The way in which a subject may access an object (e.g., read, write, execute, delete).
Inodes (index nodes)
Control structures containing key information for managing files.
Permissions
Read, write, execute permissions for owner, group, and others.
Special Permissions
Set user ID (the program runs with the file owner's privileges), set group ID (runs with the file's group privileges), sticky bit (on a directory, only a file's owner may delete or rename it).
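A decoder for the permission and special bits described in the last few cards, plus two checks an auditor would run on them. This is an added example, not part of the original card set; it uses only the standard `stat` module, and the three sample modes in the `__main__` block are constructed for illustration.

```python
import stat

# Permission triplets in the order they appear in ls -l output.
_TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),   # owner
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),   # group
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),   # world/others
)
# Special bit, the execute bit whose display column it shares, that column's index,
# and the letter shown with / without the execute bit.
_SPECIAL = (
    (stat.S_ISUID, stat.S_IXUSR, 2, "s", "S"),
    (stat.S_ISGID, stat.S_IXGRP, 5, "s", "S"),
    (stat.S_ISVTX, stat.S_IXOTH, 8, "t", "T"),
)


def mode_to_string(mode: int) -> str:
    """Render a mode (as in os.stat().st_mode) the way ls -l does, e.g. '-rwsr-xr-x'."""
    kind = "d" if stat.S_ISDIR(mode) else ("l" if stat.S_ISLNK(mode) else "-")
    chars = []
    for r, w, x in _TRIPLETS:
        chars.append("r" if mode & r else "-")
        chars.append("w" if mode & w else "-")
        chars.append("x" if mode & x else "-")
    # A special bit overwrites its execute column: lowercase when execute is also set,
    # uppercase when the special bit is set without execute (usually a misconfiguration).
    for bit, xbit, col, lower, upper in _SPECIAL:
        if mode & bit:
            chars[col] = lower if mode & xbit else upper
    return kind + "".join(chars)


def special_bits(mode: int) -> list:
    """Names of the special permission bits set on the mode."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    if mode & stat.S_ISVTX:
        names.append("sticky")
    return names


def audit(mode: int) -> list:
    """Two classic misconfigurations; returns a list of findings (empty means clean)."""
    findings = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID and mode & stat.S_IWOTH:
        findings.append("world-writable setuid file: anyone can replace code that runs as the owner")
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable directory without sticky bit: users can delete each other's files")
    return findings


if __name__ == "__main__":
    for m in (stat.S_IFREG | stat.S_ISUID | 0o755,   # passwd-style setuid binary
              stat.S_IFDIR | stat.S_ISVTX | 0o777,   # /tmp-style shared directory
              stat.S_IFREG | stat.S_ISGID | 0o644):  # setgid without group execute
        print(mode_to_string(m), special_bits(m), audit(m))
```

`stat.filemode()` produces the same string as `mode_to_string()`; the hand-written version is here so the bit-to-column mapping is explicit. The uppercase `S`/`T` case is worth recognizing on sight: it means a special bit is set on an entry that is not even executable.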
Secure Sockets Layer (SSL)
The original protocol for secure communication over a computer network (authentication, confidentiality, integrity); all SSL versions are now deprecated and superseded by TLS.
Transport Layer Security (TLS)
The IETF successor to SSL: authenticates the server (optionally the client) and provides confidentiality and integrity for application traffic such as HTTPS.
MIME
Multipurpose Internet Mail Extensions for email.
S/MIME
Secure/Multipurpose Internet Mail Extensions for encrypted and signed email.
SQL Injection
Attacker input is inserted into an SQL statement built by string concatenation. Technique: prematurely terminating a quoted text string and appending a new command or condition (e.g., a quote followed by OR 1=1 or a comment marker).
Countermeasures for SQL Injection
Defensive coding, detection, run-time prevention.
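The injection technique and its primary countermeasure (defensive coding with parameterized queries), run against a real database engine. This is an added example, not part of the original card set; the two-row user table is constructed here, and the database is an in-memory SQLite instance from Python's standard library.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def vulnerable_login(conn, name: str, password: str):
    """Builds the query by string concatenation: attacker text becomes SQL syntax."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def safe_login(conn, name: str, password: str):
    """Parameterized query: values travel separately from the SQL text and are never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The quote closes the name string early; "--" comments out the password check.
    payload = "alice' --"
    print("vulnerable:", vulnerable_login(conn, payload, "wrong"))   # [('alice', 'admin')]
    print("safe:      ", safe_login(conn, payload, "wrong"))         # []
    print("legit:     ", safe_login(conn, "alice", "s3cret"))        # [('alice', 'admin')]
    # A condition that is always true returns every row.
    print("dump:      ", vulnerable_login(conn, "' OR 1=1 --", "x"))
```

With the payload, the concatenated statement becomes `... WHERE name = 'alice' --' AND password = 'wrong'`, so the password comparison is never evaluated. Note that Python's `sqlite3.execute()` refuses stacked statements such as `'; DROP TABLE users; --`; that is a driver quirk, not a defense, and many other database drivers do run them.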
Database Access Control
Principles: Allowing users to access only portions of the database they are authorized to use.
Encryption
Database encryption protects stored data even if the storage is compromised, but introduces key-management overhead and makes searching and indexing encrypted records difficult.
Viruses
Self-replicating code that attaches to other programs. Infection vectors and four phases: dormant, propagation, triggering, execution.
Worms
Self-propagating programs exploiting software vulnerabilities.
Trojan Horses
Malicious programs disguised as legitimate software.
Advanced Persistent Threats (APTs)
Characteristics: Advanced techniques, persistent efforts, targeted attacks.
Flooding Attacks
Overloading network capacity.
Distributed Denial of Service (DDoS)
Using multiple systems to generate attacks.
Reflection Attacks
Sending requests with the victim's spoofed source address to third-party servers so that their replies flood the victim; if the replies are larger than the requests, the attack is also amplified.
DNS Amplification Attacks
Small DNS queries with the victim's spoofed source address sent to open resolvers, whose much larger responses flood the target with traffic.
Firewalls
First line of defense that acts as a gateway, protecting the network perimeter.
Anomaly Detection
Detects deviations from a baseline of normal behavior (e.g., unusual web activity); can catch novel attacks but is prone to false positives.
Signature Detection
Compares observed activities against known malicious patterns (e.g., virus definitions); precise for known attacks but blind to anything without a signature.
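Both detection approaches run over the same sample web-server log, to show what each one catches that the other misses. This is an added example, not part of the original card set: the log lines (format `client_ip method path status`), the three signatures and the baseline window are all constructed for illustration.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed logs (not from the original page). The baseline is a quiet period used to
# learn what "normal" looks like; the observed window contains the traffic to be judged.
BASELINE_LOG = [
    f"10.0.0.{i} GET /page{j}.html 200"
    for i, n in ((1, 4), (2, 5), (3, 6), (4, 5), (5, 4))
    for j in range(n)
]
OBSERVED_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.7 GET /search?q=shoes 200",
    "10.0.0.9 GET /../../etc/passwd 404",
    "10.0.0.7 GET /login 200",
    "10.0.0.12 GET /item?id=1%20UNION%20SELECT%20name,password%20FROM%20users 500",
    "10.0.0.5 GET /contact.html 200",
] + ["10.0.0.66 POST /login 401"] * 40      # password-guessing burst from one client

# Signature detection: known-bad patterns, matched after URL-decoding so that
# percent-encoding cannot hide them.
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"union\s+select", re.IGNORECASE)),
    ("xss", re.compile(r"<script", re.IGNORECASE)),
]


def parse(line: str):
    ip, method, path, status = line.split()
    return ip, method, unquote(path), int(status)


def signature_alerts(lines):
    """(ip, signature name) for every request matching a known pattern."""
    alerts = []
    for line in lines:
        ip, _, path, _ = parse(line)
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def learn_baseline(lines):
    """Normal-behavior model: mean and standard deviation of requests per client."""
    counts = Counter(parse(l)[0] for l in lines)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(lines, mean, stdev, k=3.0):
    """Clients whose request count exceeds the baseline by more than k standard deviations."""
    counts = Counter(parse(l)[0] for l in lines)
    threshold = mean + k * stdev
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("signature:", signature_alerts(OBSERVED_LOG))
    mean, stdev = learn_baseline(BASELINE_LOG)
    print("anomaly:", anomaly_alerts(OBSERVED_LOG, mean, stdev))
```

The traversal and injection attempts are single requests, invisible to a rate-based anomaly model but caught by signatures; the login burst matches no signature but stands out against the baseline. The anomaly threshold would equally flag a legitimate crawler, which is the false-positive trade-off noted on the anomaly card.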
Intrusion Prevention System (IPS)
Actively monitors and prevents attacks in real-time.
State-Sponsored Actors
Advanced Persistent Threat (APT) groups with resources and funding, targeting specific entities.
Script-Kiddies
Unskilled attackers using pre-made scripts.
Black Hats
Operate without authority (malicious hackers).
White Hats
Ethical hackers with permission.
Gray Hats
Hackers operating in a gray area, sometimes without full authorization (e.g., bug hunters).
Initial Access
Gaining unauthorized entry.
Privilege Escalation
Gaining higher access levels within the system.
Maintaining Access
Creating a backdoor to allow future re-entry.
False Positives/Negatives
False positive: an alarm raised for benign activity. False negative: a real attack that raises no alarm. Analysts must confirm whether each alarm is a true positive before acting on it.
Playbooks
Predefined responses to various detected threats.
Application-Level Gateway
Filters traffic at the application layer.
Circuit-Level Gateway
Operates at the session layer, verifying the legitimacy of a connection (like showing your passport at a border).
VPN (Virtual Private Network)
Provides an encrypted, authenticated tunnel between two endpoints (e.g., a device and a gateway) across an untrusted network such as the Internet.
Snort Inline
An in-line mode of the open-source Snort IDS that can drop or modify packets in real time (IPS); used in honeypot setups to keep a compromised honeypot from attacking other systems.
Cybercriminals
Aim for financial gain through identity theft, data ransoming, or corporate espionage.
Activists (Hacktivists)
Attack for social or political reasons, often via website defacement or DoS attacks.
State-Sponsored
Government-backed intruders conducting espionage or sabotage (e.g., Advanced Persistent Threats, APTs).
Other Hackers
Motivated by technical challenge or recognition.
Intrusion Detection System (IDS)
Detect unauthorized access or abnormal activities on a system or network.
Host-based (HIDS)
Monitors a single host for suspicious activity (e.g., system calls, log files).
Network-based (NIDS)
Monitors network traffic to detect suspicious behavior.
Distributed or Hybrid IDS
Combines both host and network data for centralized analysis.
Packet Filtering Firewall
Examines packets based on IP address, port number, and protocol.
Stateful Inspection Firewall
Tracks the state of active connections and allows traffic based on established connections.
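The two firewall types above, side by side on the same packets. This is an added example, not part of the original card set: the three-rule policy (inbound HTTPS to one web server, any outbound TCP from the LAN, default deny) and the sample packets are constructed for illustration, and the state table is the minimal form of what a stateful firewall keeps.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK: the start of a new connection


# Constructed rule set (not from the original page). First match wins; the last
# rule is the default deny that the firewall design goals require.
RULES = [
    # action, source network, destination network, protocol, destination port
    ("allow", "0.0.0.0/0",    "192.0.2.10/32", "tcp", 443),   # inbound HTTPS to the web server
    ("allow", "192.0.2.0/24", "0.0.0.0/0",     "tcp", None),  # any outbound TCP from the LAN
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",     None,  None),  # default deny
]


def packet_filter(pkt: Packet, rules=RULES) -> str:
    """Stateless packet filtering: decide from the packet's own header fields only."""
    for action, src_net, dst_net, proto, dport in rules:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)
                and proto in (None, pkt.proto)
                and dport in (None, pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember connections the rules allowed and accept their replies."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()   # (src, sport, dst, dport, proto) of allowed flows

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.connections or reverse in self.connections:
            return "allow"                       # part of an established connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                        # mid-stream segment with no known connection
        action = packet_filter(pkt, self.rules)
        if action == "allow":
            self.connections.add(key)            # remember the new connection
        return action


if __name__ == "__main__":
    out = Packet("192.0.2.20", "203.0.113.5", "tcp", 51000, 80, syn=True)
    reply = Packet("203.0.113.5", "192.0.2.20", "tcp", 80, 51000)
    stray = Packet("203.0.113.5", "192.0.2.20", "tcp", 80, 51001)
    fw = StatefulFirewall()
    print("stateless:", packet_filter(out), packet_filter(reply))               # allow deny
    print("stateful: ", fw.inspect(out), fw.inspect(reply), fw.inspect(stray))  # allow allow deny
```

The stateless filter drops the web server's reply to the LAN host because no rule matches it; the only stateless fix is a rule allowing inbound TCP from anywhere to high ports, which also lets in unsolicited traffic. The stateful firewall admits the reply because it remembers the outbound SYN, and still drops the stray segment on a port it never saw opened.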
Application-Level Gateway (Proxy Firewall)
Intermediary for application-level traffic; can monitor and filter content.
Firewall Design Goals
All traffic must pass through the firewall. Only authorized traffic is allowed. The firewall itself must be secure and immune to penetration.
Firewall Policies
Defines which types of traffic are allowed or denied. Can filter based on IP addresses, protocols, applications, or user identity.
Limitations of Firewalls
Cannot protect against internal threats or attacks that bypass the firewall. May be vulnerable to misconfigurations or specific application vulnerabilities.
Intrusion Prevention System (IPS)
An extension of IDS that can block detected threats in real time.
Buffer Overflow
Occurs when a program writes more data to a fixed-length buffer than it can hold, overwriting adjacent memory, leading to data corruption, unexpected control flow changes, and execution of attacker-supplied code.
Morris Internet Worm
Exploited a buffer overflow in the 'fingerd' service in 1988.
Stack-based overflow techniques
Detailed in Aleph One's article 'Smashing the Stack for Fun and Profit', published in Phrack issue 49 in 1996.
Code Red, Slammer, and Sasser
Worms that exploited buffer overflows in Microsoft products: Code Red (IIS, 2001), Slammer (SQL Server, 2003), and Sasser (LSASS, 2004).
Buffer Overflow
Occurs when data exceeds a buffer's storage limits, affecting the stack, heap, or global data regions.
Stack Overflow
Overwrites critical control data such as return addresses in a function's stack frame, allowing attackers to redirect execution.
Heap Overflow
Targets dynamically allocated memory (heap), potentially modifying function pointers or management structures.
Global Data Overflow
Overflows a buffer in the global or static data region, potentially overwriting adjacent global variables, function pointers, or other control data stored there.
Unsafe programming practices
Using functions like gets(), strcpy(), and similar routines without bounds checking in languages like C.
Shellcode
Attacker-supplied machine code that typically launches a command shell or performs another malicious action.
Metasploit Project
Tools and frameworks that automate parts of the exploit development process.
Language Safety
Using memory-safe languages that enforce type rules and array bounds, at compile time where possible and with run-time checks otherwise, so an out-of-bounds write is caught rather than silently corrupting memory.
Safe Coding Techniques
Code audits and rewriting insecure routines to mitigate risks.
Stack Canaries
Compiler extensions that place a random value (the canary) between a function's local buffers and its saved return address; the value is checked before the function returns, and the program aborts if it has been altered.