414 Midterm Study Guide

Information Risk, Assets, Threats, Vulnerabilities, And Risk Response

• What is Risk?

  • Risk is the potential for loss, damage, or destruction of an asset due to a threat exploiting a vulnerability. In cybersecurity, risk involves balancing security measures against the likelihood and impact of threats.

• What are the Risk Formulas?

  • Risk = Impact * Likelihood

  • Risk = Asset Vulnerability  

• Assets

  • Identification – How is this done?

    • Asset inventories (hardware/software lists)

    • Data classification (sensitive, public, internal use)

    • Includes valuation (cost to replace, value provided to organization, value to hacker, cost of non-compliance with laws or regulations)

  • Losses – How do we estimate? What factors are involved?

    • Forms of loss

      • Decreased Productivity (spending time/resources solving the problem instead of on projects)

      • Replacement Cost (fixing hardware/software, etc.)

      • Expenses Incurred Handling Loss (paying to fix it, etc.)

      • Fines or Legal Judgments (fines, lawsuits)

      • Diminished Competitive Advantage

      • Reputation (loss of customer trust)

    • Types of Loss

      • Primary loss (related to asset itself, eg replacement cost)

      • Secondary Loss (related to org. and external factors, eg. fines, reputation)

    • Determining Asset value

      • Criticality

      • Cost

      • Sensitivity

        • Reputation

        • Competitive advantage

        • legal/regulatory

        • other

• Threats

  • Where can we find out about them?

    • Threat intelligence feeds (e.g., MITRE ATT&CK, FireEye)

    • Security blogs/reports (Krebs on Security, US-CERT)

    • Vendor advisories (Microsoft, Cisco, etc.)

  • Know the sources of threats from the slides and any threats discussed in class.

    • Natural threats (earthquakes, floods)

    • Human threats (hackers, insiders)

    • Technological threats (malware, zero-day exploits)

    • Supply chain threats (compromised vendors)

• Controls

  • Effective controls decrease threats and/or decrease likelihood

  • Process Controls

  • Security Controls

    • Physical

    • Network

    • Host

• Vulnerabilities

  • Where do we find vulnerabilities (e.g., NIST or MITRE database)

    • NIST National Vulnerability Database (NVD)

    • MITRE CVE database

    • Bug bounty programs (HackerOne, Bugcrowd)

  • CVSS Score – What is this? How is it calculated? What dimensions make up the calculation? What are the limitations?

    • The Common Vulnerability Scoring System (CVSS) is a standardized method for assessing the severity of vulnerabilities.

    • How is it calculated?

      • Base score: Intrinsic characteristics (e.g., exploitability, impact)

      • Temporal score: Changes over time (e.g., exploit code availability)

      • Environmental score: Organization-specific impact

    • Dimensions of Calculation

      • Exploitability Metrics: Attack vector, complexity, privileges required

      • Impact Metrics: Confidentiality, Integrity, Availability

      • Scope Metrics: Whether an exploit impacts multiple systems

    • Limitations

      • Does not account for real-world exploitability

      • Static scoring (may not reflect new attack methods)

• Risk Assessment and Estimation of Risk

  • Qualitative vs. Quantitative

    • Qualitative: Uses expert opinions and ordinal scales (low, medium, high)

    • Quantitative: Uses numerical values (monetary impact, probability)

  • OWASP factors for estimating likelihood and impact

    • Threat agent factors

      • Skill level, motive, opportunity, size

    • Vulnerability factors

      • Ease of discovery, ease of exploit, awareness, intrusion detection

    • Technical Impact Factors

      • Loss of confidentiality, loss of integrity, loss of availability, loss of accountability

    • Business Impact Factors

      • Financial damage, reputation damage, non-compliance, privacy violation

  • Four types of Risk Response

    • Avoidance – Eliminate the risk (e.g., discontinue product/service)

    • Mitigation (Reduction) – Retention, avoidance, transfer

    • Transfer – Shift risk (e.g., cyber insurance, outsourcing)

    • Acceptance (Retention) – Take no action if risk is low

  • Cost-Benefit Analysis of Controls

    • Compare control cost vs. expected loss reduction

    • Justify security spending with return on investment (ROI)

Sample Exam Questions

Which of the following Privileges Required (PR) metric (as part of the CVSS Score) is the worst (meaning leads to a higher CVSS Score)?

a) None

b) Low

c) High

d) Moderate

A company decides that the likelihood of an adverse event happening is so small that they choose not to add any controls or make any plans to prepare for the event. What type of risk response are they choosing to use?

a) Reduction

b) Retention

c) Avoidance

d) Transfer

Fraud

• What is fraud? What are the legal requirements?

  • Gaining an unfair advantage over another person; “white collar”

  • Fraud is intentional deception for financial or personal gain. Legal requirements:

    • A false statement, representation, or disclosure

    • A material fact that induces a person to act

    • An intent to deceive

    • A justifiable reliance; the person relies on the misrepresentation to take an action

    • An injury or loss suffered by the victim

• Fraud triangle

  • Opportunity – Commit, conceal, convert

  • Rationalization – Attitude, Justification, Lack of Personal Integrity

  • Pressure - Employee Financial – Lifestyle, Emotional; Financial Statement – Industry conditions, management characteristics

• Fraud Methods – Methods discussed in class (e.g., Triangulation Fraud, Skimming, Nigerian Prince, etc.)

  • Phreaking – Hacking phone networks (Example: Free calls hack)

  • Pretexting – Impersonating to get info (Example: Fake bank call)

  • Ransomware – Locking files for ransom (Example: WannaCry virus)

  • Scareware – Fake virus warnings (Example: Fake antivirus pop-up)

  • Salami Slicing – Stealing small amounts (Example: Extra cent fraud)

  • Skimming – Stealing card data (Example: ATM skimmer)

  • Smishing – SMS phishing scam (Example: Fake delivery text)

  • Structuring (Smurfing) – Breaking transactions to avoid detection (Example: Money laundering deposits)

  • Triangulation Fraud – Fake sellers using stolen cards (Example: E-commerce scam)

  • Vishing – Voice phishing calls (Example: IRS phone scam)

  • Blackmail – Threatening for money/info (Example: Extortion emails)

  • Cramming – Unauthorized charges on bills (Example: Hidden phone fees)

  • Credit Card Fraud – Unauthorized card use (Example: ATM skimming)

  • Cryptocurrency Scams – Fraud involving crypto (Example: Fake Bitcoin investment)

  • Friendly Fraud – False chargeback claims (Example: Refund abuse)

  • Identity Theft – Stealing personal info (Example: Fake credit application)

  • Impersonation – Posing as someone else (Example: Fake police officer)

  • Nigerian Letter (419) Fraud – Fake inheritance scams (Example: "Prince" email scam)

  • Phishing – Tricking users into giving data (Example: Fake login page)

• Fraud Examples – What method? What Happened? What do we learn? Why were they caught (or not)? What’s interesting about these examples?

  • Diann Cattani: Expense fraud, caught due to audit, didn’t plan to fraud

  • OneCoin: Ponzi scheme pretending to be a cryptocurrency (ingatova)

Sample Exam Question

OneCoin primarily committed fraud by …?

1. Convincing victims that profits are coming from sales where instead they are coming from new investors (i.e., a Ponzi scheme)

2. Using the Triangulation Technique

3. Overstating revenue and physical assets

4. Underreporting sales to avoid taxes

5. Keeping two sets of “books” to hide from lenders, investors, and auditors

Vulnerability Management & System Hardening

• Steps of Managing Vulnerabilities

  • Discovery (vulnerability scanning, e.g., Nmap, Nessus)

  • Analysis (risk prioritization)

  • Prioritization (based on CVSS, business impact)

  • Mitigation/Remediation (patching, compensating controls)

• Cyber Kill Chain - What is it? Why is it useful? What are the steps? We didn't really get to discussing steps 2-7, so they are not on the exam, but useful to know in the future.

  • Reconnaissance – Gathering target info

  • Weaponization – Creating an exploit

  • Delivery – Sending malicious payload

  • Exploitation – Running the exploit

  • Installation – Establishing persistence

  • Command & Control (C2) – Remote control of system

  • Actions on Objectives – Exfiltration, damage

• Hardening

  • All about reducing the attack surface

  • Patch Management – Regular updates to software

  • Firewalls – Block unauthorized network access

  • Anti-virus/Malware – Detect and remove threats

  • Sandboxing – Isolate untrusted applications

  • Encryption – Protect data in transit and at rest

  • Passwords – Enforce strong authentication

SAMPLE QUESTIONS

• What part of the cyber kill chain corresponds to vulnerability scanning?

• What is an example of sandboxing?

• What are the benefits / drawbacks of full-drive encryption?

• What does a stateful firewall do that a traditional packet filtering firewall does not? What does an application-level firewall (or next gen firewall) do that a traditional packet filtering firewall does not?

Network security

• TAP/SPAN

  • Network monitoring techniques

  • Terminal Access Points (TAPs, eg modem)

  • Switched Port Analyzer (SPAN, switches)

• Defensible Networks

  • Can be watched (audited, inventoried)

  • Can be kept current (patch management)

  • Limit an Intruder’s Freedom to Maneuver

  • Offer a minimum number of services

• Denial-of-Service (DoS) attacks

  •  Overloading a system with traffic

    • SYN floods, Pings, UDP, HTTP, Slowlorsis, NTP, DNS

• Intrusion Prevention Systems / Intrusion Detection Systems

  • Detect and prevent intrusions

• Man-in-the-Middle (aka person-in-the-middle or "on path" attack)

  • Intercepting communications

• Heartbleed

• Honeypots

  • Fake systems to attract hackers

• Session Hijacking (the concept is fair game on this exam, the remedies are out of scope for the midterm)

  • Stealing session cookies (gets ACK back from another user’s valid SYN)

• Wireless security

  • KRACK Attack: Exploits WPA2 encryption weakness

  • Evil Twins: Fake Wi-Fi networks for credential theft

  • Rogue APs: Unauthorized access points

  • ARP/DNS Spoofing: Redirecting network traffic

• ARP/DNS spoofing

• Cloud Security

  • Shared responsibility model (cloud provider vs. customer security)

  • Encryption and access controls for cloud storage

• Secure Access Service Edge (SASE)

  • Network architecture that combines several existing components into a unified architecture

    • Soft-ware-defined wide area networks

    • Zero trust network access (verify explicitly, use least privilege access, assume breach)

    • Next generation firewalls

    • Cloud access security brokers (CASB, sets policy, monitors behavior, and manages risk between the user and the cloud)

    • Secure web gateways (URL/content filtering, malware detection, policy/application enforcement)

SAMPLE QUESTIONS

• Some security professionals will deploy an unneeded server into their production environments that purposely includes security vulnerabilities so they can monitor potential attacks. This practice is know as implementing ...?

• The KRACK (Key Reinstallation Attack) vulnerability exploits an issue with the key exchange in which security standard? Which newer standard is not vulnerable (by design) to KRACK?

Virtualization

• What is virtualization? What are the benefits?

  • Creating virtual versions of OS, storage, and networks

  • Benefits

    • Better resource utilization

    • Isolation of environments

    • Easier disaster recovery

• What is a hypervisor? What is the difference between a type-1 and a type-2 hypervisor?

  • Type-1 (bare metal): Runs directly on hardware (e.g., VMware ESXi)

  • Type-2: Runs on a host OS (e.g., VirtualBox)

Social Engineering

• Definition:

  • The act of manipulating a person to take an action that may or may not be in the “target’s” best interest. This may include obtaining information, gaining access, or getting the target to take certain action.

• Elicitation

  • Extracting information through the course of a regular conversation

  • Requires being natural, knowledgeable, generous

• Preloading

  • Influencing someone’s perception by exposing them to certain information beforehand, making them more likely to comply or believe a false narrative.

• Persuasion Principles

  • Psychological techniques used to convince or manipulate people, such as authority, reciprocity, scarcity, or social proof.

  • Cialdini Principles of Persuasion:

    • Reciprocation: If someone gives you something, you are more likely to feel you owe them something in return

    • Social Validation: People will be more inclined to do something if they notice more others doing it too. 

    • Consistency: People are more likely to keep their commitment to you if they think they’ll be judged for being inconsistent.

    • Authority: People trust those of status, or even those who appear to be of status.

    • Liking: People are more likely to say yes to those they like.

    • Scarcity: Items and opportunities always become more desirable as they become less available. 

• Rapport Principles

  • Building trust and connection with a target to make them more likely to share information or comply with requests.

  • Robin Dreeke’s 10 Principles of Rapport: 

    • Using artificial time constraints

    • Accommodating nonverbals

    • Using a slower rate of speech

    • Employing sympathy or assistance themes

    • Suspending your ego

    • Validating others

    • Asking how, why, and when questions

    • Making use of quid pro quo (i’ll give you this if you give me that)

    • Employing reciprocal altruism

    • Managing expectations

• Pretexting

  • Creating a fabricated scenario to obtain sensitive information from a target by pretending to be someone trustworthy.

• Impersonation

  • Pretending to be a legitimate person (e.g., an authority figure, coworker, or service provider) to deceive a target.

• Phishing/Spearphishing/Vishing

  • Phishing – Sending mass fraudulent emails to steal sensitive information.

  • Spearphishing – Targeting specific individuals or organizations with tailored phishing attacks.

  • Vishing – Using phone calls to trick people into giving up confidential information.

• Password profiling

  • Gathering information about a target (e.g., birthdays, pet names, favorite sports teams) to guess or crack their passwords.

SAMPLE QUESTIONS

• True/False. Using a slower rate of speech tends to decrease rapport with a target.

• Asking individuals to sign a pledge to perform an action (e.g., donating, voting, not cheating on an exam, etc.) prior to the time the action is performed increases the likelihood that an individual performs the action. This is an example of which principle of persuasion?

Target Case

• Target

  • Stakeholders

    • Target CEO (Gregg SteinHafel)

    • Target CFO (John J. Mulligan)

    • Target CIO (Beth Jacob)

    • Fazio CEO (Ross E. Fazio)

    • Fazio Mechanical Services

    • FireEye

    • Security Blogger (Brian Krebbs)

    • The Hackers

  • How did the initial attack occur?

    • Probably Phishing of Fazio 

  • What happened after the initial "entry" to target's systems?

    • FireEye was notified, but ignored. The attackers discovered they could access the credit card information of all registers.

  • Why wasn't the attack discovered earlier?

    • It was ignored. 

  • How did Target handle the response?

    • They eventually made a statement after waiting almost a month. 

  • What are the lessons learned?

  • Compare/Contrast with Home Depot data breach