What is a threat agent?
Internal or external attacker that could negatively impact data security through theft, manipulation, or control of sensitive information or systems
What is an adversary threat agent?
Actors with interests in conflict with an organization
What is a government-sponsored/state-sponsored threat agent?
Actors funded, directed, or sponsored by nations for espionage causes
What is a hacktivist threat agent?
Group of hackers that operate to promote certain social causes or political agendas
What is an insider threat agent?
Employees that either organically developed into a person with malicious intentions or intentionally infiltrated an organization to achieve nefarious objectives
What is an external threat agent?
Actors outside of the organization, entity, or individual that is the target of the cyberattack
What is a network-based attack?
Attacks that target the infrastructure of a network (switches, routers, servers, and cabling) with the intent to gain unauthorized access or disrupt operations for users
What is a backdoor/trapdoor network-based attack?
Method to bypass security access procedures by creating an entry and exit point to a network that is undocumented
What is a covert channel network-based attack?
Mechanisms used to transmit data using methods not originally intended for data transmission by system designers
What is a buffer overflow network-based attack?
Overload a program’s buffer with more input than it is designed to hold
What is a denial-of-service network-based attack?
Floods a system’s network by congesting it with large volumes of traffic that are greater than the bandwidth it was designed to handle
What is a distributed denial-of-service network-based attack?
Multiple attackers or compromised devices are working in unison to flood an organization’s network with traffic
What is a man-in-the-middle network-based attack?
Attacker acts as an intermediary between two parties intercepting communications, acting as a legitimate entity with a typical secure session
What is a port scanning network-based attack?
Scanning networks for open and unsecured ports
What is a ransomware network-based attack?
Malware that locks a user or a company’s operating systems, applications, and the ability to access data unless a ransom is paid
What is a reverse shell network-based attack?
Victim initiates communication with an attacker from behind a company’s firewall so that the attacker can bypass the firewall and any other network safeguards and remotely control the victim’s machine
What is a replay network-based attack?
Cybercriminal eavesdrops on a secure network communication, intercepts it, and then replays the message at a later time to the intended target to gain access to the network and the data that is behind the firewall
What is a return-oriented network-based attack?
Technique that utilizes pieces of legitimate original system code in a sequence to perform operations useful to the attacker
What is a spoofing network-based attack?
Act of impersonating someone or something to obtain unauthorized access by using falsified credentials or imitating a legitimate person or entity by using fake IP addresses, domains, or email addresses
What are application-based attacks?
Specific software or applications such as databases or websites that are attacked to gain unauthorized access or disrupt functionality
What is a SQL injection application-based attack?
Injection of malicious SQL code into existing SQL code on a company’s website to gain unauthorized access to the company’s data
What is a cross-site scripting application-based attack?
Attacks that inject code to a company’s website that attacks users visiting the company’s website
What is a race condition application-based attack?
Exploit a system or application that relies on a specific sequence of operations
What is a mobile code application-based attack?
Software program designed to move from computer to computer to infect other applications by altering them in some way to include a version of the code
What is a host-based attack?
Attacks that target a single host such as a laptop, mobile device, or a server to disrupt functionality or obtain unauthorized access
What is a brute force host-based attack?
Password-cracking schemes in which attackers use an automated program that attempts to guess a password
What is a keystroke logging host-based attack?
Tracking the sequence of keys pressed by a user on a keyboard to collect confidential data such as usernames, passwords, and personal information
What is a malware host-based attack?
Software or firmware intended to perform an unauthorized process that has an adverse impact on the confidentiality, integrity, or availability of an information system
What is a rogue mobile app host-based attack?
Use of a malicious app that appears legitimate
What is a social engineering attack?
Use of psychological manipulation or deception to get employees to divulge sensitive information, provide unauthorized access, or assist an attacker in committing fraud
What is the social engineering attack phishing?
Use of authentic-looking but bogus emails that request information from users or direct them to a fake website that requests information
What is the social engineering attack spear phishing?
Targets employees in a corporate entity by posing as a legitimate department or employee
What is the social engineering attack business email compromise?
Targets executives and other high-ranking individuals
What is the social engineering attack pretexting?
Creating a fake identity or scenario so that the employee has a sense of urgency to act
What is the social engineering attack catfishing?
Creation of a fake online persona that is used to lure a victim into a personal relationship with a fraudster
What is the social engineering attack pharming?
Victim entering personal information into a website or portal that imitates a legitimate website
What is the social engineering attack vishing?
Fraudulent schemes using a telephonic system (Voice over Internet Protocol)
What is a physical (on-premises) attack?
Security breach carried out on an organization’s premises or performed in some way that physically involves a bad actor gaining control of sensitive data, hardware, and/or software
What is the physical attack intercepting discarded equipment?
Obtaining access to outdated or discarded equipment in the trash or through companies that accept discarded equipment
What is the physical attack piggybacking?
Attacker using an authorized person’s access to gain entrance to a physical location or electronic access
What is the physical attack targeted by attackers?
Attackers knowingly look for targets that lack sophisticated cybersecurity defenses or have a lack of awareness of potential cyber threats
What is the physical attack tampering?
Gaining physical access to a company’s IT infrastructure and modifying the way its network collects, stores, processes, or transmits data
What is the physical attack theft?
Physically stealing data, hardware, or software
What are supply chain attacks?
Target the production and distribution of goods within a supply chain
What is the supply chain attack embedded software code?
Inserting code into prepackaged software or firmware
What is the supply chain attack foreign-sourced attack?
Governments may use products sold to other countries to conduct surveillance or deliver malicious code
What is the supply chain attack pre-installed malware or hardware?
Installing malware on devices that will be used by companies in a supply chain, such as USB drives, cameras, or phones
What is the supply chain attack vendor attacks?
Attack is perpetrated upon key vendors
What is the supply chain attack watering hole attack?
Identify websites of suppliers, customers, or regulatory entities that are known to be used by several companies or even entire industries
What are the stages in a cyberattack?
Reconnaissance
Gaining access
Escalation of privileges
Maintaining access
Network exploitation and exfiltration
Covering tracks
What are some risks specific to cloud computing?
Additional industry exposure
Cloud malware injection attacks
Compliance violations
Loss of control
Loss of data
Loss of visibility
Multi-cloud and hybrid management issues
Theft or loss of intellectual property
What are some of the risks specific to mobile devices?
Application malware
Lack of updates
Lack of encryption
Physical threats
Unsecured Wi-Fi networks
Location tracking
What are some of the risks specific to IoT technology?
Device management
Device spoofing
Escalated cyberattacks
Expanded footprint
Information theft
Outdated firmware
Malware
Network attacks
What are the phases of threat modeling?
Identifying assets
Identifying threats
Perform reduction analysis
Analyze impact of an attack
Develop countermeasures and controls
Review and evaluate
What is the Process for Attack Simulation and Threat Analysis threat model?
Seven stages that focus on risks and countermeasures that are prioritized by the value of the assets being protected
What is the Visual, Agile, and Simple Threat model?
Based on the Agile project management methodology to integrate threat management into a programming environment on a scalable basis
What is the Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-service attack, and Elevation of privilege threat model?
Used for assessing threats related to applications and operating systems
What is an acceptable use policy?
Control document created by an organization to regulate and protect technology resources by assigning varying levels of responsibilities to job roles, listing acceptable behavior by employees and vendors, and specifying consequences of those who violate the AUP
Bring-your-own-device policies should address:
Monitoring and enforcement actions on personal devices
Ownership of the data on the device
Personal liability and indemnification
Restricted activities and application downloads on personal devices
What is system hardening?
Multipronged comprehensive security approach that reduces risk by minimizing the number of access points through which a company can be attacked
What is the concept of zero trust?
Assumes that a company’s network is always at risk, even after a user has been authenticated, and it shifts a company’s cybersecurity focus away from one-time authentication to continuous authentication at every point of a user’s interaction with a network
What is the concept of least privilege?
Users and systems are granted the minimum authorization and system resources needed to perform a function
What is the concept of need-to-know?
Employees are only given what they must know to perform their job
What is a defense-in-depth cybersecurity strategy?
Multilayered security approach that does not rely on technology alone but rather it combines people, policies, technology, as well as both physical and logical access controls
What is the concept of layering?
Adds redundancy by breaking up an operation into smaller chunks that can be managed by different people, performed by a machine or computer, or completely isolated from other parts of the process
What is the concept of isolation?
Use of a machine or computer involving segmenting processes using logical controls to isolate different processes in a system to prevent them from influencing one another
What is hardware segmentation?
Divides a network into smaller units each governed by its own security policies and controls
What is discretionary access control?
Decentralized control that allows data owners, custodians, or creators to manage their own access to the data or object they own or created
What is mandatory access control?
Nondiscretionary controls that allow administrators to centrally manage and enforce rules consistently across an environment
What is role-based access control?
Administer access based on a user’s job role instead of individually assigning permissions
What is rule-based access control?
Manage access to areas, devices, or databases according to a predetermined set of rules or access permissions independent of the user’s role or position within the organization
What is policy-based access control?
Uses a combination of user roles and policies consisting of rules to maintain and evaluate user access dynamically
What is risk-based access control?
Apply controls based on the risk level of the asset being accessed, the identity of the user, the intentions of accessing the asset, and the security risk that exists between the user and the system or asset being accessed
What is an access control list?
List of rules that outlines which users have permission to access certain resources such as a file, folder, directory, or other IT resource
What is the concept of privacy?
Protects the rights of an individual and gives the individual control over what information they are willing to share
What is the concept of confidentiality?
Preservation of authorized restrictions on access and disclosure of data
What is the concept of obfuscation?
Process of replacing production data or sensitive information with data that is less valuable to unauthorized users
What is the obfuscation application encryption?
Scrambles unencrypted data using cryptography so that it can generally only be deciphered with a key
What is the obfuscation application tokenization?
Removes production data and replaces it with a surrogate value or token
What is the obfuscation application masking?
Swaps data with other like data so that the original identifying characteristics are disguised or masked while maintaining a similar structure to the unmodified data set
What is symmetric encryption?
Involves a single shared or private key for encryption and decryption of data within a group
What is asymmetric encryption?
Use of two keys, a public and private key, where one is used to encrypt the message and the other to decrypt it
What is a cipher?
Technique of applying encryption algorithms that encode unencrypted messages into an encrypted form, resulting in a combination of numbers and letters that are meaningless and illegible to those without a key
What is a data loss prevention system?
Enable organizations to detect and prevent attempts by employees or unauthorized users to transfer sensitive information out of the organization electronically across multiple protocols, ports, and communication methods
What is a network-based DLP?
Scans outgoing data that meets specific criteria and is transmitted using means such as email, file transfer protocols, and direct messaging
What is a cloud-based DLP?
Apply the same protection as a network-based DLP but to a cloud environment
What is an endpoint-based DLP?
Scan files stored or sent to devices that might be outside of a network, such as a printer, USB drive, or any other device to which data can be transferred
What is an incident response plan?
Documentation of a set of procedures, people, and information to detect, respond to, and limit consequences of a cyberattack against an organization
What is an incident response timeline?
Delineates the point at which the incident starts, when it is detected, contained, and eradicated, and when normal business operations are restored
What is a centralized incident response team?
Single incident response team tasked with managing incidents across the organization
What is a distributed incident response team?
Multiple incident response teams responsible for specific logical or physical segments of a company’s network
What is a coordinating team?
Coordinates with other departments without having authority over those teams
What is an event?
An observable occurrence in a system or network that is either benign or a possible threat
What is a cybersecurity event?
A cybersecurity change that may have an impact on organizational operations
What is an adverse event?
Any event with a negative consequence
What is an incident?
An occurrence that actually or potentially jeopardizes the integrity of an information system or the information that the system processes
What is a computer security incident?
An adverse event that is computer security-related and caused by malicious human intent
What is a cybersecurity incident?
A cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery
What are the 7 steps in responding to incidents in an incident response plan?
Preparation
Detection
Containment
Eradication
Reporting
Recovery
Learning