Study guide for Sec+. It is still being updated daily.
Information Systems Security
Act of protecting the systems that hold and process our critical data
CIA Triad
Confidentiality, Integrity, Availability
What is confidentiality?
Information not disclosed to unauthorized people.
What is integrity?
Information not modified without proper authorization.
Example of CIA Triad
Bank
password - confidentiality (only the account holder can see the account)
bank can't just make numbers up - integrity (balances change only through authorized transactions)
access the bank's website - availability (the service is reachable when the customer needs it)
Three A's (AAA) of Security
Authentication, Authorization, and Accounting
Authentication
A person's identity is established with proof and confirmed by a system. Authentication factors:
something you know
something you are
something you have
something you do
somewhere you are
Authorization
A user is given access to a piece of data or areas of a building
Accounting
Tracking of data, computer usage, and network resources
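Added example (not from the study guide or any product) showing the three A's together in one small Python module: authentication with a salted PBKDF2 password hash, authorization with a per-user permission set, and accounting with an append-only audit list. The user names, passwords and permission strings are constructed for the demo.

```python
"""AAA demo: authentication, authorization and accounting in one place.
Added example for this study guide; users and permissions below are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster
USERS = {}             # username -> {"salt", "hash", "perms"}
AUDIT_LOG = []         # accounting: every auth/authz decision is recorded here


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt makes identical passwords hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def add_user(username, password, permissions):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "perms": set(permissions)}


def account(event, **fields):
    """Accounting: append a timestamped record; never overwrite or delete."""
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "event": event, **fields})


def authenticate(username, password):
    """Authentication with a single factor (something you know)."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    salt = user["salt"] if user else b"\x00" * 16
    _, digest = hash_password(password, salt)
    ok = user is not None and hmac.compare_digest(digest, user["hash"])
    account("authenticate", user=username, success=ok)
    return ok


def authorize(username, permission):
    """Authorization: the identity is already trusted; only check what it may do."""
    granted = permission in USERS.get(username, {}).get("perms", set())
    account("authorize", user=username, permission=permission, granted=granted)
    return granted


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple", ["read:balance"])
    print(authenticate("alice", "correct horse battery staple"))   # True
    print(authorize("alice", "transfer:funds"))                     # False
    for record in AUDIT_LOG:
        print(record)
```

Note that authorization never re-checks the password: once a session is authenticated, the permission table alone decides what it may do, and the audit log is what lets you reconstruct afterwards who did what and when.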
What is Weaponization?
Coupling payload code (which gives the attacker access) with exploit code (which triggers a vulnerability).
What is Installation?
Enabling weaponized code to run a remote access tool and achieve persistence on the target system.
What is the Diamond Model of Intrusion Analysis?
A framework for analyzing cybersecurity incidents and intrusions by relating four core features of each event: adversary, capability, infrastructure, and victim.
Information Security
Act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, corruption, and destruction
What is availability?
Information can be stored and accessed by authorized users whenever it is needed.
When you hear encryption what comes to mind?
confidentiality
What are administrative (managerial) controls?
Policies, procedures, security awareness training, contingency planning, and disaster recovery plans.
What are White Hats?
Non-malicious hackers who attempt to break into a company's systems at their request.
What are Black Hats?
Malicious hackers who break into computer systems and networks without authorization or permission.
What are Threat Actors? What types are there?
Individuals or groups who engage in malicious activities.
from most skilled to least
APTs > Organized Crime > Hacktivists > Script Kiddies
What are Advanced Persistent Threats (APTs)?
Highly trained and funded hacker groups, often backed by nation states, with access to covert and open-source intelligence.
What is the purpose of the pre-ATT&CK tactics matrix?
To align with the reconnaissance and weaponization phases of the kill chain. (PRE-ATT&CK was retired in 2020; its content now lives in the Reconnaissance and Resource Development tactics of Enterprise ATT&CK.)
What is malware?
Software designed to infiltrate and damage computer systems without user consent.
What is a multipartite virus?
Virus that combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer
What is a polymorphic virus?
Virus that changes its own code (its encryption key and decryptor) with each infection to avoid signature detection (an advanced encrypted virus).
What can worms cause?
Disruption to network traffic and computing activities.
What is the most commonly used type of Trojan?
Remote Access Trojan (RAT).
Can you provide an example of ransomware attack?
SamSam cost the City of Atlanta $17 million.
What is DLL injection?
Malicious code is inserted into a running process on a Windows machine by forcing it to load an attacker-supplied Dynamic Link Library; because DLLs are loaded at runtime, the injected code runs with the privileges of the host process.
What is driver manipulation?
An attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level.
Non-repudiation
The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place.
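Added example (not from the study guide) that ties together the bank integrity point from the CIA Triad example and the non-repudiation definition: a small tamper-evident ledger in Python, where each transaction carries an HMAC chained to the previous entry's MAC, so changing, reordering or deleting an entry is detected. The key and the transactions are constructed for the demo.

```python
"""Tamper-evident ledger: integrity via a chained HMAC over each transaction.
Added example for this study guide; the key and the transactions are constructed."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # MAC "before" the first entry; anchors the chain


def canonical(entry):
    """Serialize deterministically so the same entry always MACs the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def mac_entry(key, entry, prev_mac):
    """HMAC over this entry AND the previous MAC, so reordering or deleting an
    entry breaks every MAC after it, not just its own."""
    return hmac.new(key, prev_mac.encode() + b"|" + canonical(entry), hashlib.sha256).hexdigest()


def append_entry(key, ledger, entry):
    prev = ledger[-1]["mac"] if ledger else GENESIS
    ledger.append({"entry": entry, "mac": mac_entry(key, entry, prev)})


def verify_ledger(key, ledger):
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, record in enumerate(ledger):
        expected = mac_entry(key, record["entry"], prev)
        if not hmac.compare_digest(record["mac"], expected):
            return i
        prev = record["mac"]
    return -1


def balance(ledger, account):
    return sum(r["entry"]["amount"] for r in ledger if r["entry"]["account"] == account)


if __name__ == "__main__":
    key = b"demo-ledger-key"   # constructed; a real system keeps this in an HSM or KMS
    ledger = []
    append_entry(key, ledger, {"account": "alice", "amount": 100})
    append_entry(key, ledger, {"account": "alice", "amount": -30})
    append_entry(key, ledger, {"account": "bob", "amount": 50})
    print(verify_ledger(key, ledger), balance(ledger, "alice"))   # -1 70
    ledger[1]["entry"]["amount"] = 30   # "make numbers up"
    print(verify_ledger(key, ledger))   # 1
```

The caveat a practitioner should keep in mind: an HMAC proves integrity, not non-repudiation. Everyone who holds the key (the bank, and anyone who steals it) can produce valid MACs, so the bank cannot prove to a third party that a customer authorized a transaction. Non-repudiation requires a digital signature made with a private key only the customer controls.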
Define unauthorized access.
Accessing computer resources and data without consent
What is system failure?
Computer crash or application failure
What is social engineering?
Manipulating users into revealing confidential information or performing other detrimental actions.
What are physical controls?
Alarm systems, locks, surveillance cameras, identification cards, and security guards.
What are technical controls?
Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication.
What is the most cost-effective security control?
User training.
5 types of hackers
White Hat, Black Hat, Gray Hat, Blue Hat, Elite
What are Gray Hats?
Hackers with no affiliation to or permission from a company who attempt to break into its network, often without malicious intent but still breaking the law by doing so.
What are Blue Hats?
Hackers who attempt to hack into a network with permission but are not employed by the company.
What are Elite hackers?
Hackers who find and exploit vulnerabilities before anyone else; roughly 1 in 10,000 hackers.
What are Script Kiddies?
Hackers with limited skills who use other people's exploits and tools.
Who are Hacktivists?
Hackers driven by causes like social change, political agendas, or terrorism.
Who are Organized Crime hackers?
Hackers who are part of well-funded and sophisticated crime groups.
What is timeliness?
Property of an intelligence source that ensures it is up-to-date.
What is relevancy?
Property of an intelligence source that ensures it matches the use cases intended for it.
What is accuracy?
Property of an intelligence source that ensures it produces effective results (is the information valid and true?).
What are confidence levels?
Property of an intelligence source that ensures it produces qualified statements about reliability.
What is proprietary?
Threat intelligence provided as a commercial service with a subscription fee.
What is closed-source?
Data derived from the provider's own research and analysis efforts. (Think honeypots)
What is open-source?
Data available without subscription, including threat feeds and reputation lists.
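Added example (not from the study guide, and not the schema of MISP, OTX or any real feed) showing how the four source properties above are applied in practice when several feeds are merged: stale indicators are dropped (timeliness), indicators for platforms you do not run are dropped (relevancy), the confidence floor is applied (accuracy / confidence level), and corroborating sources are recorded. The feed records and the proprietary/open-source/closed-source labels are constructed.

```python
"""Merge threat-intel feeds, applying timeliness, relevancy and confidence.
Added example for this study guide; the feed records and their format are constructed
(not MISP, OTX or any real feed schema)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" so the example is reproducible

# Constructed feed records: indicator, type, source, source kind, confidence 0-100,
# last_seen date, and the platforms the indicator is relevant to.
FEEDS = [
    {"indicator": "203.0.113.10", "type": "ipv4", "source": "vendor-paid", "kind": "proprietary",
     "confidence": 90, "last_seen": "2024-05-30", "platforms": ["windows", "linux"]},
    {"indicator": "203.0.113.10", "type": "ipv4", "source": "community-list", "kind": "open-source",
     "confidence": 60, "last_seen": "2024-05-28", "platforms": ["windows"]},
    {"indicator": "198.51.100.7", "type": "ipv4", "source": "community-list", "kind": "open-source",
     "confidence": 70, "last_seen": "2023-11-01", "platforms": ["linux"]},       # stale
    {"indicator": "bad.example", "type": "domain", "source": "honeypot", "kind": "closed-source",
     "confidence": 40, "last_seen": "2024-05-31", "platforms": ["windows"]},    # low confidence
    {"indicator": "c2.example", "type": "domain", "source": "vendor-paid", "kind": "proprietary",
     "confidence": 85, "last_seen": "2024-05-25", "platforms": ["ios"]},        # not our platform
]


def merge_indicators(records, now=NOW, max_age_days=30, min_confidence=50,
                     platforms=("windows", "linux")):
    """Keep indicators that are timely, relevant to our platforms, and confident enough;
    when several sources agree, keep the highest confidence and list every source."""
    cutoff = now - timedelta(days=max_age_days)
    merged = {}
    for rec in records:
        last_seen = datetime.strptime(rec["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if last_seen < cutoff:                            # timeliness
            continue
        if not set(rec["platforms"]) & set(platforms):    # relevancy
            continue
        entry = merged.setdefault(rec["indicator"],
                                  {"type": rec["type"], "confidence": 0, "sources": []})
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
        entry["sources"].append(rec["source"])
    # Apply the confidence floor after merging so a corroborating source can lift an indicator.
    return {ioc: e for ioc, e in merged.items() if e["confidence"] >= min_confidence}


def to_blocklist(merged, ioc_type):
    """Indicators of one type, sorted, ready to push to a firewall or DNS sinkhole."""
    return sorted(ioc for ioc, e in merged.items() if e["type"] == ioc_type)


if __name__ == "__main__":
    result = merge_indicators(FEEDS)
    for ioc, e in result.items():
        print(ioc, e)
    print(to_blocklist(result, "ipv4"))   # ['203.0.113.10']
```

In this run only 203.0.113.10 survives: the open-source record alone would have been below the confidence floor used by some teams, but the paid feed corroborates it, while the honeypot domain is too low-confidence on its own and the other two fail the timeliness and relevancy checks.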
What is US-CERT?
United States Computer Emergency Readiness Team (its functions now sit within CISA, the Cybersecurity and Infrastructure Security Agency).
What is UK's NCSC?
United Kingdom's National Cyber Security Centre.
What is AT&T Security (OTX)?
AT&T Cybersecurity's Open Threat Exchange (formerly AlienVault OTX), a free community platform for sharing indicators of compromise.
What is MISP?
Malware Information Sharing Platform, an open-source platform for storing, sharing, and correlating indicators of compromise.
What is VirusTotal?
Online service for analyzing files and URLs for potential threats.
What is Spamhaus?
Organization that tracks and lists spam sources and provides real-time threat intelligence.
What is SANS ISC Suspicious Domains?
List of suspicious domains maintained by the SANS Internet Storm Center.
What is open-source intelligence (OSINT)?
Methods of obtaining information through public records, websites, and social media.
What is threat hunting?
A proactive technique for finding threats that existing detection has not caught.
How is threat hunting different from penetration testing?
Threat hunting looks for evidence of attackers already inside the network rather than simulating attacks, so it is potentially less disruptive.
What is the first step in threat hunting?
Establishing a hypothesis based on threat modeling, based on potential events with higher likelihood and higher impact.
What is involved in profiling threat actors and activities?
Creating scenarios of potential intrusion attempts and objectives.
What tools are used in threat hunting?
Network traffic analysis, executable process list analysis, analysis of other infected hosts, identification of malicious process execution.
What are the benefits of threat hunting?
Improved detection capabilities, integration of intelligence, reduced attack surface, blocked attack vectors, identification of critical assets.
What does threat hunting rely on?
The usage of the tools developed for regular security monitoring and incident response.
What do you need to assume while threat hunting?
Existing rules have failed.
Threat hunting consumes
A lot of resources and time to conduct, but it can yield a lot of benefits.
What is Kill Chain?
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion
What is Reconnaissance?
The stage where the attacker gathers information about the target and determines attack methods.
What is Delivery?
Identifying a vector to transmit weaponized code to the target.
What is Exploitation?
Executing weaponized code on the target system.
What is Command & Control (C2)?
The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.
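Added example (not from the study guide) that joins the threat-hunting material above with the C2 stage: a hunt starts from a hypothesis, here "a host is beaconing to a C2 server on a timer", and the network traffic analysis that tests it measures how regular the connection intervals are per (source, destination, port). The connection records, hosts and addresses are constructed; a real hunt would read Zeek conn logs or firewall logs instead.

```python
"""Threat hunt: test the hypothesis "a host is beaconing to a C2 server on a timer"
by measuring the regularity of connection intervals per (src, dst, port).
Added example for this study guide; the connection records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_000   # epoch seconds; constructed

# Constructed Zeek-style connection records: (ts, src, dst, dport).
# 10.0.0.5 beacons to 203.0.113.10 every ~60 s with a little jitter;
# 10.0.0.7 browses 198.51.100.20 irregularly; 10.0.0.9 connects only twice.
_JITTER = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1]
SAMPLE_CONNS = (
    [(BASE + 60 * i + j, "10.0.0.5", "203.0.113.10", 443) for i, j in enumerate(_JITTER)]
    + [(BASE + t, "10.0.0.7", "198.51.100.20", 443)
       for t in (0, 5, 300, 302, 1800, 1803, 1804, 4000)]
    + [(BASE + t, "10.0.0.9", "203.0.113.10", 443) for t in (0, 60)]
)


def find_beacons(conns, min_conns=6, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose inter-connection times are nearly constant.
    cv = stddev / mean of the intervals: human-driven traffic is bursty (high cv),
    a timer-driven implant is regular (low cv). min_conns avoids flagging tiny samples."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in conns:
        by_pair[(src, dst, dport)].append(ts)
    candidates = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            candidates.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                               "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return candidates


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNS):
        print(hit)
```

Expect false positives from legitimate timers (NTP, update checks, monitoring agents) and false negatives from implants that add large random sleep jitter, which is why the hit list is a lead, not a verdict: the next step in the hunt is the executable process list on the flagged host to see what owns the connection.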
What are Actions on Objectives?
Covertly collecting information, exfiltrating data, or achieving other goals, and possibly starting a new kill chain against another target.
How can Kill Chain analysis be used?
To identify defensive actions at each stage of an attack.
What is Data Exfiltration?
Covertly transferring information to a remote system.
Who developed the Kill Chain model?
Lockheed Martin.
What is the MITRE ATT&CK Framework?
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)
What does the MITRE ATT&CK Framework list and explain?
Specific adversary tactics, techniques, and common knowledge or procedures.
What are the four core features of the Diamond Model?
Adversary, capability, infrastructure, and victim.
Steps of Kill Chain
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives
Types of Malware
Viruses, Worms, Trojan horses, Ransomware, Spyware, Rootkits, Spam
What is a virus?
Malicious code that infects a computer.
How do viruses reproduce and spread?
They require user action.
What is a boot sector virus?
Virus stored in the first sector of a hard drive that is loaded into memory at boot, before the operating system.
What is a macro virus?
Virus embedded in a document that executes when the user opens the document (e.g., Excel or Word macros).
What do program viruses infect?
Executables or applications.
What is an encrypted virus?
Virus that is encrypted to avoid detection.
What is a metamorphic virus?
Virus that rewrites itself entirely before infecting a file. (advanced polymorphic virus)
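Added example (not from the study guide) illustrating the encrypted, polymorphic and metamorphic virus definitions from the defender's side: each generation of an encrypted virus has a different whole-file hash, yet all of them carry the same decryptor stub, which is what a signature has to target. The "body" is a harmless text stand-in and the "decryptor stub" is a fixed marker, not executable code; the XOR cipher, key length and signatures are constructed for the demo.

```python
"""Why an encrypted virus defeats whole-file hash signatures but not a stub signature.
Added example for this study guide; the body is harmless text and the stub is a
fixed marker, not executable code."""
import hashlib
import os

BODY = b"DEMO BODY: harmless text standing in for the virus routine"
# Every generation of a simple encrypted virus ships the same decryptor, because
# something must be in the clear to undo the encryption at run time.
DECRYPTOR_STUB = b"<STUB:xor-decrypt-loop>"
KEY_LEN = 8


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_generation(key=None):
    """One infection's copy: clear stub + clear key + body XOR-encrypted under that key."""
    key = key if key is not None else os.urandom(KEY_LEN)
    assert len(key) == KEY_LEN
    return DECRYPTOR_STUB + key + xor(BODY, key)


def run_decryptor(sample):
    """What the stub does at run time: read the key and recover the body."""
    start = len(DECRYPTOR_STUB)
    key = sample[start:start + KEY_LEN]
    return xor(sample[start + KEY_LEN:], key)


def fingerprint(sample):
    return hashlib.sha256(sample).hexdigest()


def hash_signature_hits(sample, known_sha256):
    """Naive AV: match the hash of a previously seen sample."""
    return fingerprint(sample) == known_sha256


def stub_signature_hits(sample):
    """Better AV: match the constant decryptor an encrypted virus cannot hide."""
    return DECRYPTOR_STUB in sample


if __name__ == "__main__":
    gen1, gen2 = make_generation(), make_generation()
    sig = fingerprint(gen1)
    print(gen1 != gen2, run_decryptor(gen1) == run_decryptor(gen2) == BODY)   # True True
    print(hash_signature_hits(gen1, sig), hash_signature_hits(gen2, sig))     # True False
    print(stub_signature_hits(gen1), stub_signature_hits(gen2))               # True True
```

This is exactly the gap the other two virus types close from the attacker's side: a polymorphic virus also mutates the decryptor stub on each infection (different registers, instruction order, junk instructions), so the stub signature stops working and detection has to fall back on emulating the sample until it decrypts itself; a metamorphic virus rewrites the whole body, so there is no constant ciphertext to decrypt either.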
What is a stealth virus?
Virus that hides itself from detection.
What is an armored virus?
Virus with a layer of protection to confuse analysis.
What is a hoax virus?
A false virus warning or threat; not a virus itself, but the warning tries to get the user to install "removal" software or call a number.
Name all virus forms
Hoax, Armored, Stealth, Metamorphic, Polymorphic, Encrypted, Multipartite, Program, Macro, Boot Sector
What is a worm?
Malicious software that replicates without user interaction.
How do worms spread?
Worms self-replicate and spread without user consent or action.
Can you provide an example of a worm?
Conficker infected 9-15 million computers in 2009.
What is a Trojan Horse?
Malicious software disguised as harmless software.
What are the functions of a Trojan?
Perform the function the user expects while also performing a hidden malicious function.
What is a Remote Access Trojan (RAT)?
Trojan that provides remote control of a victim computer.
What is ransomware?
Malware that restricts access until ransom is paid.