CIA Triad
Confidentiality, Integrity, Availability
Confidentiality
only authorized individuals may access information
Confidentiality attacks
Phishing, password attacks
Integrity
Ensures information is correct and unaltered
Integrity attacks
SQL injection (alter data once you are in the system)
Availability
Ensures information is accessible to authorized users
Availability attacks
Denial of Service (server unresponsive)
Nonrepudiation
user can't deny that they performed the action
Cybercriminal: competitors
Launch attacks against an opponent's system to steal classified information.
Cybercriminal: Criminal syndicates
Move from traditional criminal activities to more rewarding and less risky online attacks
Cybercriminal: shadow IT
Employees become frustrated with the slow pace of acquiring technology, so they purchase and install their own equipment or resources in violation of company policies
Cybercriminal: brokers
Sell their knowledge of a weakness to other attackers or governments.
Cybercriminal: cyberterrorists
Attack a nation's network and computer infrastructure to cause disruption and panic among citizens
White hat hacker
ethical attackers, they attempt to probe a system (with an organization's permission) for weaknesses and then privately provide that information back to the organization.
Black hat hacker
violate computer security for personal gain (such as to steal credit card numbers) or to inflict malicious damage (corrupt a hard drive).
Gray hat hacker
attempt to break into a computer system without the organization's permission (an illegal activity) but not for their own advantage; instead, they publicly disclose the attack in order to shame the organization into taking action.
Legacy platforms
Limited or non-existent vendor support
On-premises platforms
System sprawl and poor configuration
Cloud platforms
Poor visibility; global availability
Patching challenges
Difficulty patching firmware; few patches for applications by non-major vendors; delays in patching OSs
Configuration vulnerabilities
Default settings, open ports and services, unsecured root accounts, open permissions, insecure protocols, weak encryption
Third-party vulnerabilities
System integration can cause the need for workarounds for incompatible systems. Lack of vendor support.
Zero-day attacks
Vulnerabilities can be exploited by attackers before anyone else even knows it exists
Attack vectors
Pathway or avenue used by a threat actor to penetrate a system
Attack vector examples
Email, wireless, removable media, direct access, social media, supply chain, cloud
Social engineering: authority
impersonate an authority figure or falsely cite their authority
Social engineering: intimidation
frighten and coerce by threat
Social engineering: consensus
To influence by what others do
Social engineering: scarcity
To refer to something in short supply
Social engineering: urgency
demand immediate action
Social engineering: familiarity
give the impression the victim is well known and well received
Social engineering: trust
inspire confidence
Phishing: spear phishing
a very small number of people targeted (the attacker knows more about these)
Phishing: whaling
targeting high profile individual (CEOs, celebrities, politicians)
Phishing: vishing
voice phishing
Phishing: smishing
message service (SMS) text messages and callback recorded phone messages
Phishing: watering hole
executives all tend to visit a common website, such as that of a parts supplier to the manufacturer
Redirection: typosquatting
One character missing from an email or website address
Redirection: pharming
IP resolution. Exploits how a URL such as www.cengage.com is converted into its corresponding IP address 69.32.308.75. A threat actor may install malware on a user's computer that redirects traffic away from its intended target to a fake website instead
Physical social engineering examples
Dumpster diving, tailgating, shoulder surfing
Red team
Attackers. Scans for vulnerabilities and then exploits them
Blue team
Defenders. Monitors for Red Team attacks and shores up defenses as necessary
White team
Referees. Enforces the rules of the penetration testing
Purple team
Bridge. Provides real-time feedback between the Red and Blue Teams to enhance the testing
War driving
Deliberately searching for Wi-Fi signals while driving by in a vehicle
War driving: mobile computing device
wireless NIC. Portable computer, pad computer, smartphone
War driving: wireless NIC adapter
external wireless NIC adapter that connects into a USB or other port and has an external antenna jack
War driving: global position system (GPS) receiver
Pinpoints location
Rules of engagement (pen testing)
Timing, scope, authorization, exploitation, communication, cleanup, and reporting
Vulnerability scanning: credentialed scan
valid authentication credentials are supplied to the vulnerability scanner
Vulnerability scanning: non-credentialed scan
provides no authentication information
Vulnerability scanning: intrusive scan
may impair network functions (automatically closes a port)
Vulnerability scanning: non-intrusive scan
does not attempt to exploit the vulnerabilities but only records them
Security Information and Event Management (SIEM)
Collects and consolidates data and logs from a wide range of network appliances and applications. Aggregation, correlation, time synchronization, event deduplication, logs
Security Orchestration, Automation, and Response (SOAR)
designed to help security teams manage and respond to security warnings and alarms. Combines more comprehensive data gathering and analytics to automate incident response.
Standard frameworks
NIST RMF, NIST CSF, ISO 27000
Imprison
Ransomware, cryptomalware
Launch
Computer virus (file virus, fileless virus (loaded into RAM)), worm, bot
Snoop
Spyware (keylogger)
Deceive
Trojan, Remote Access Trojan (RAT)
Evade
Backdoor, logic bomb, rootkits
File-based: appender infection
Attacker injects virus code to bottom of the code
File-based: split infection
Spreads virus code in broken pieces across the program's code
File-based: Metamorphic structure
Constantly changes structure of virus code
Computer worms
Enters through the network. Doesn't modify program code. Exploits vulnerabilities in software or the OS and searches for a different endpoint in the network with the same vulnerabilities. Deletes files, slows networks, allows remote control
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
Crypto-malware
Steals your computing power to mine cryptocurrency. Asks for cryptocurrency to reduce traceability
Trojan
executable program that masquerades as performing a benign activity but also does something malicious
Remote Access Trojan (RAT)
basic functionality of a Trojan but also gives the threat agent unauthorized remote access to the victim's
Potentially Unwanted Programs (PUPs)
Software that users do not want on their computer. They become installed along with other programs and are the result of the user overlooking the default installation options on software downloads
Bots/zombie
Allows the infected computer to be under the remote control of an attacker
Bot herder
The controller of hundreds, thousands, or even millions of bot computers that are gathered into a logical computer network (botnet)
Backdoor
Negates normal authentication procedures to access a system. Used by developers for easier access during development
Logic bomb
Lies dormant and evades detection until a specific logical event triggers it. Manually triggered, time triggered, event triggered
Rootkits
Hides its presence on the computer by accessing "lower layers" of the OS to make alterations. Infects your computer with malware before the OS is loaded
Cross-site scripting (XSS)
Vulnerability: a website that accepts user input without validation. Exploit: the attacker injects malicious scripts into the target website. Infection: the website sends the malicious script to the victim's browser.
Cross-Site Request Forgery (CSRF)
Victim unknowingly submits a maliciously crafted web request while authenticated to a certain account. The new page inherits the identity of the victim to perform an undesired function on the attacker's behalf
Server-Side Request Forgery (SSRF)
uses a payload like a URL to force the server to make unauthorized requests to other servers
Buffer overflow
A technique for crashing a program by sending too much data to a buffer in a computer's memory
Integer overflow
the result of an arithmetic operation—such as addition or multiplication—exceeds the maximum size of the integer type used to store it
Driver manipulation
A shim can be created to allow a driver to run on an OS that the driver had compatibility issues with. Adding a shim could introduce a flaw by accident or on purpose if the hacker created the shim. Example: tricking a device driver to work with an older version of Windows (compatibility mode) to bypass some security controls
Open-Source Intelligence (OSINT)
Information that is readily available to the public and doesn't require any type of malicious activity to obtain.
Cyber Information sharing and collaboration program (CISCP)
Analyst-to-analyst technical exchanges, CISCP analytical products, cross-industry orchestration, digital malware analysis. Open-source
Concerns of open-source sources
Privacy and Speed (automated indicator sharing (AIS) can help)
Closed source information
Proprietary. Restrict both access to data and participation
Secure coding techniques: Confirming
Secure booting
Secure coding techniques: Protecting
Different types of malware-scanning
Secure coding techniques: hardening
Disabling unnecessary ports and services; disabling default accounts/passwords; employing least functionality
Secure coding techniques: proper input validation
Accounting for errors, such as incorrect user input. Can mitigate XSS and CSRF attacks
Secure coding techniques: obfuscation
Making the inner functionality of code hard for outsiders to understand. Adding purposefully incorrect code that will never be executed. Using fake or misleading variable names. Encrypting part of the code
Secure coding techniques: dead code
Section of the code that executes but performs no meaningful functions. Creates an unnecessary attack surface
Secure coding techniques: SDK
Code reuse of third-party libraries. Vetted to detect and eliminate vulnerabilities.
Mobile device: physical security
lost or stolen
Mobile device: limited updates
closed or proprietary
Mobile device: location tracking
vulnerable to targeted physical attacks. Privacy issues
Mobile device: unauthorized recording
spying through malware
Mobile management tools
Mobile Device Management (MDM). Passcodes, PINs, screen lock, on-body detection, trusted places, trusted devices, trusted face, trusted voice
Internet of Things (IoT)
connecting any device to the Internet for the purpose of sending and receiving data to be acted upon
IoT Power constraint
To prolong battery life, devices and systems are optimized to draw very low levels of power and thus lack the ability to perform strong security measures
IoT Compute constraint
Due to their size, small devices typically possess low processing capabilities, which restricts complex and comprehensive security measures.