CIA Triad
Confidentiality, Integrity, Availability
AAA of Security
Authentication, Authorization, and Accounting
AAA of Security - Authentication
When a person's identity is established with proof and confirmed by a system:
- Something you know
- Something you are
- Something you have
- Something you do
AAA of Security - Authorization
Occurs when a user is given access to a certain piece of data or certain areas of a building
AAA of Security - Accounting
Tracking of data, computer usage, and network resources
Non-repudiation occurs when you have proof that someone has taken an action
Security Threats
Things like malware, unauthorized access, system failure, and social engineering
What is Malware
Short-hand term for malicious software
Unauthorized Access
Occurs when computer resources and data are accessed without the consent of the owner
System Failure
Occurs when a computer crashes or an individual application fails
Social Engineering
Act of manipulating users into revealing confidential information or performing other detrimental actions
Mitigating Threats
Physical Controls, Technical Controls, Administrative Controls
Physical Controls
Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it
Alarm systems, locks, surveillance cameras, identification cards, and security guards
Technical Controls
Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information
Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication
Administrative Controls
Focused on changing the behavior of people instead of removing the actual risk involved
Policies, procedures, security awareness training, contingency planning, and disaster recovery plans
User training is the most cost-effective security control in use
Types of Hackers
White Hats, Black Hats, Gray Hats, Blue Hats, and Elite
White Hat Hackers
Non-malicious hackers who attempt to break into a company's systems at their request
Black Hat Hackers
Malicious hackers who break into computer systems and networks without authorization or permission
Gray Hat Hackers
Hackers without any affiliation to a company who attempt to break into a company's network but risk the law by doing so
Blue Hat Hackers
Hackers who attempt to hack into a network with permission of the company but are not employed by the company
Elite Hackers
Hackers who find and exploit vulnerabilities before anyone else does
Threat Actor Types
Script kiddies, hacktivists, organized crime, advanced persistent threats
Threat Hunting
A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring
Threat Hunting - Establishing a hypothesis
A hypothesis is derived from the threat modeling and is based on potential events with higher likelihood and higher impact
Threat Hunting - Profiling threat actors and activities
Involves the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be
Attack Framework - Kill Chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion
Steps:
Reconnaissance - The attacker determines what methods to use to complete the phases of the attack
Weaponization - The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system
Delivery - The attacker identifies a vector by which to transmit the weaponized code to the target environment
Exploitation - The weaponized code is executed on the target system by this mechanism
Installation - This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system
Command & Control (C2) - The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
Actions on Objectives - The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
Attack Framework - MITRE ATT&CK Framework
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)
The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization phases of the kill chain
Attack Framework - Diamond Model of Intrusion Analysis
A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim
Malware
Software designed to infiltrate a computer system and possibly damage it without the user's knowledge or consent.
Viruses
Malicious code that runs on a machine without the user's knowledge and infects the computer when executed
Boot sector virus
Boot sector viruses are stored in the first sector of a hard drive and are loaded into memory upon boot up
Macro virus
Virus embedded into a document and is executed when the document is opened by the user
Program virus
Program viruses infect an executable or application
Multipartite virus
Virus that combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer
Polymorphic virus
Advanced version of an encrypted virus that changes itself every time it is executed by altering the decryption module to avoid detection
Metamorphic virus
Virus that is able to rewrite itself entirely before it attempts to infect a file (advanced version of polymorphic virus)
Armored virus
Armored viruses have a layer of protection to confuse a program or person analyzing it
Worm
Malicious software, like a virus, but is able to replicate itself without user interaction
Worms self-replicate and spread without a user's consent or action
Worms can cause disruption to normal network traffic and computing activities
Trojan horse
Malicious software that is disguised as a piece of harmless or desirable software
Remote Access Trojan (RAT)
Provides the attacker with remote control of a victim computer and is the most commonly used type of Trojan
Ransomware
Malware that restricts access to a victim's computer system until a ransom is received
Ransomware uses a vulnerability in your software to gain access and then encrypts your files
Hoax Virus
Fake notification that tells a user they have a virus, with the aim of leading the user to infect themselves
Spyware
Malware that secretly gathers information about the user without their consent
Captures keystrokes made by the victim and takes screenshots that are sent to the attacker
Adware
Displays advertisements based on what it has observed about the user by spying on them
Grayware
Software that is neither benign nor malicious and tends to behave improperly without serious consequences
Rootkit
Software designed to gain administrative level control over a system without detection
DLL Injection
Malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime
Driver Manipulation
An attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level
A shim is placed between two components to intercept calls and redirect them
Spam
Activity that abuses electronic messaging systems, most commonly through email
Spammers often exploit a company's open mail relays to send their messages
Botnet
A collection of compromised computers under the control of a master node
Active Interception
Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them
Privilege Escalation
Occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn't able to access
Logic Bomb
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met
Easter Egg
Non-malicious code that when invoked, displays an insider joke, hidden message, or secret feature
Dropper
Malware designed to install or run other types of malware embedded in a payload on an infected host
Downloader
A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper
Shellcode
Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
Code Injection
Exploit technique that runs malicious code with the identification number of a legitimate process
Living Off the Land
Exploit techniques that use standard system tools and packages to perform intrusions
Detection of an adversary is more difficult when they are executing malware code within standard tools and processes
Personal Firewalls
Software application that protects a single computer from unwanted Internet traffic
Basic Input Output System
Firmware that provides the computer instructions for how to accept input and send output
Self-Encrypting Drive (SED)
Storage device that performs whole disk encryption by using embedded hardware
Content Filters
Blocking of external files containing JavaScript, images, or web pages from loading in a browser
Data Loss Prevention (DLP)
Monitors the data of a system while in use, in transit, or at rest to detect attempts to steal the data
Network DLP System
Software or hardware-based solution that is installed on the perimeter of the network to detect data in transit
Storage DLP System
Software installed on servers in the datacenter to inspect the data at rest
Cloud DLP System
Cloud software as a service that protects data being stored in cloud services
Removable media controls
Technical limitations placed on a system in regards to the utilization of USB storage devices and other removable media
Network Attached Storage (NAS)
Storage devices that connect directly to your organization's network
Storage Area Network (SAN)
Network designed specifically to perform block storage functions that may consist of NAS devices
Trusted Platform Module (TPM)
Chip residing on the motherboard that contains an encryption key
Advanced Encryption Standard
Symmetric key encryption that supports 128-bit and 256-bit keys
Hardware Security Module (HSM)
Physical devices that act as a secure cryptoprocessor during the encryption process
Anti-virus (AV)
Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and others
Host-based IDS/IPS (HIDS/HIPS)
A type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the system's state on an endpoint
Endpoint Protection Platform (EPP)
A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption
Endpoint Detection and Response (EDR)
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats
User and Entity Behavior Analytics (UEBA)
A system that can provide automated identification of suspicious activity by user accounts and computer hosts
Subscriber Identity Module (SIM)
Integrated circuit that securely stores the international mobile subscriber identity (IMSI) number and its related key
SIM Cloning
Allows two phones to utilize the same service and allows an attacker to gain access to the phone's data
Bluejacking
Sending of unsolicited messages to Bluetooth-enabled devices
Bluesnarfing
Unauthorized access of information from a wireless device over a Bluetooth connection
Remote Lock
Requires a PIN or password before someone can use the device
Remote Wipe
Remotely erases the contents of the device to ensure the information is not recovered by the thief
Mobile Device Management
Centralized software solution that allows system administrators to create and enforce policies across the organization's mobile devices
Geotagging
Embedding of the geolocation coordinates into a piece of data (e.g., a photo)
Storage Segmentation
Creating a clear separation between personal and company data on a single device
Security Groups
A compute security group profile is allocated by using a security group template that also states the cloud account, the location of the resource, and the security rules.
Dynamic Resource Allocation
This uses virtualization technology to upgrade and downscale the cloud resources as the demand grows or falls.
Instance Awareness
We must monitor VM instances so that an attacker cannot place an unmanaged VM that would lead to VM sprawl and then ultimately VM escape. We must use tools like a Network Intrusion
VPC Endpoint
This allows you to create a private connection between your VPC and another cloud service without crossing over the internet.
Container Security
This is the implementation of security tools and policies that ensures that your container is working as it was intended.
Cloud Access Security Broker (CASB)
Enterprise management software designed to mediate access to cloud services by users across all types of devices
The CASB enforces the company's policies between the on-premises situation and the cloud. There is no group policy in the cloud.
Application Security
This uses products such as a Cloud WAF and Runtime Application Self-Protection (RASP) to protect against zero-day attacks.
Next Generation Secure Web Gateway
An SWG acts like a reverse proxy, content filter, and an inline NIPS. An example of this is Netskope, which provides advanced web security with advanced data and threat protection with the following features: Cloud Security, Remote Data Access, Managed Cloud Applications, Monitor and Assess, Control Cloud Applications, Acceptable Use, Protect Against Threats, and Protect Data Everywhere.
Type 1 Hypervisor
Installed on a computer without an operating system, called bare metal. Examples are VMware ESX, Microsoft's Hyper-V, or Xen, which is used by AWS
Type 2 Hypervisor
Installed on an operating system, such as Windows Server 2016 or Windows 10, and then the hypervisor is installed like an application. An example of a Type 2 hypervisor is Oracle's VM VirtualBox or Microsoft's virtual machine product
System Sprawl
When a virtual host is running out of resources or is overutilizing resources. This could end up with the host crashing and taking out the virtual network.
VM Sprawl
This is where an unmanaged VM has been placed on your network. Because the IT administrator doesn't know it is there, it will not be patched and, therefore, over a period of time it will become vulnerable and could be used for a VM escape attack.
Black Box
Black box pen testers work in an unknown environment and are given no information on the company. They will carry out an initial exploitation looking for vulnerabilities.
Gray Box
Gray box pen testers work in a partially known environment as they are given limited information.