Cybersecurity Final Exam


Why stress test your BCP?

"Even just a few moments of downtime can be costly, so it is essential that firms implement sound business continuity procedures." You don't know what works and what doesn't if you don't test; testing verifies the effectiveness of your plan, trains plan participants on what to do in a real scenario, and identifies areas where the plan needs to be strengthened.

Privileged Access Management (PAM)

"Trust but verify". Relied on well-defined boundaries.

DNS Spoofing

(1) Injects fake DNS entry, (2) Issues request to real website, and (3) Request resolves to a fake website

Microsoft's Address of Government Stockpiling of Vulnerabilities

(1) No targeting of tech companies, private sector, or critical infrastructure, (2) Assist private sector efforts to detect, contain, respond to, and recover from events, (3) Report vulnerabilities to vendors rather than stockpile, sell, or exploit them, (4) Exercise restraint in developing cyber weapons and ensure that any developed are limited, precise, and not reusable, (5) Commit to nonproliferation activities for cyberweapons, and (6) Limit offensive operations to avoid a mass event

Risk Acceptance

Accept the potential risk, continue operating with no controls, and absorb any damages that occur.

Backdoor

Access to a computer system or encrypted data that bypasses the system's normal security or operation.

Blacklisting

Allows EVERYTHING to run (app permissions) and pass through UNLESS it is on the FORBIDDEN list.

Whitelisting

Allows NOTHING to run (app permissions) or pass through (online traffic) UNLESS it is on an APPROVED list.

Verify Explicitly

Always authenticate and authorize based on all available data points, including user identity, location, device health, data classification, and anomalies.

Federal Information Security Management Act (FISMA) (2002)

An act that requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.

Man-In-The-Middle Attack

An attack that intercepts a communication between two systems without detection.

Whaling Attack

An attack that targets high-ranking people in an organization (e.g. CEO, CFO).

Spear Phishing

An attack that targets large groups of people. The perpetrators find out as much information about an individual as possible to improve their chances that phishing techniques will obtain sensitive, personal information.

Distributed Denial-of-Service Attack (DDOS)

An attacker first takes over many computers, usually by malicious software. These computers are called zombies or bots. The attacker uses these bots—which form a botnet—to deliver a coordinated stream of information requests to a target computer, causing it to crash.

Denial-of-Service Attack (DOS)

An attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function).

SSL (Secure Socket Layer)

An encryption standard used for secure transactions such as credit card purchases and online banking.

Social Sign-In

An existing social media or digital account (Facebook, Google)

Sandbox

An isolated virtual emulation of an end-user operating environment, used to safely test and execute suspicious code without risking harm to the host device or network. Virtual Machines can be used as these. If the test goes wrong, the VM operating system can be deleted without affecting the rest of the computer or network.

ToR (The Onion) Browser

An open source web browser that anonymizes your web traffic using the Tor network, thereby protecting identity online. It began as a worldwide network of servers developed with the U.S. Navy that enabled people to browse the internet anonymously.

OSI Model Layers

Application, Presentation, Session, Transport, Network, Data Link, Physical

Three Steps of Risk Analysis

Assessing the value of each asset being protected, estimating the probability that each asset will be compromised, and comparing the probable costs of the assets being compromised with the costs of protecting that asset.

Phishing Attack

Attacks that use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.

Cloud Access Security Broker (CASB)

Cloud-hosted software, or on-premises software or hardware, that acts as an intermediary between users and cloud service providers. Their ability to address gaps in security extends across software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) environments. In addition to providing visibility, they also allow organizations to extend the reach of their security policies from their existing on-premises infrastructure to the cloud and create new policies for cloud-specific context.

Platform-as-a-Service (PaaS)

A complete development & deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications.

Shadow Brokers

A group that allegedly stole and leaked "EternalBlue" from "The Equation Group", a hacking team associated with the NSA.

Gartner Inc.

A leading information technology research and advisory company. It delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, it is a valuable partner to clients in over 9,100 distinct enterprises worldwide.

Penetration Test (Pen Test)

A legal hack to find and exploit vulnerabilities in a computer or system performed with the organization's permission.

Honeypot

A lure that appears to be a legitimate target or device, but is instead a decoy. In an enterprise environment, it is isolated and closely monitored. Since there is no reason for legitimate users to access a honeypot, any attempts to communicate with it are considered to be hostile.

Recovery Point Objective (RPO)

A measure of the maximum tolerable amount of data that the business can afford to lose during a disaster. It also helps measure how long it can take between the last data backup and a disaster without seriously damaging your business. (It is useful for determining how often to perform data backups).

Wi-Fi Pineapple

A modified router used for Wi-Fi hacking/auditing primarily on public networks. The device acts as a man in the middle (MiM). It is transparent to the user's device which shows it connecting to a previously used and trusted Wi-Fi network.

Firewall

A network security device that monitors incoming and outgoing network traffic and permits only authorized data packets based on a set of security rules.

Incident Response

A plan that describes the process by which an organization handles a data breach or cyberattack, including the way the organization attempts to manage the consequences of the attack or breach (the "incident"). Ultimately, the goal is to effectively manage the incident so that the damage is limited and both recovery time and costs, as well as collateral damage such as brand reputation, are kept at a minimum.

Business Impact Analysis (BIA)

A prediction of the consequences of disruption of a business function and process (financial, life/safety, regulatory, legal, reputational; whether natural or man-made) that gathers the information needed to develop recovery strategies.

TLS (Transport Layer Security)

A protocol that encrypts and decrypts data between a Web server and a browser end to end. It is indicated by a URL that begins with "https" rather than "http," and it often displays a small padlock icon in the browser's status bar.

Forward Proxy

A proxy that is utilized by users to connect to a web server.

WannaCry

A ransomware worm that spread rapidly across a number of computer networks in May 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making it impossible for users to access them, then demands a ransom payment in Bitcoin in order to decrypt them. It first appeared in the U.K. (NHS) and Spain, but ultimately affected 200 million computers in 150 countries.

Virtual Private Network (VPN)

A secure and encrypted tunnel that sends your web traffic through a server controlled by a provider, and from there, onto the web. These mask your internet protocol (IP) address so your online actions are virtually untraceable, as long as your provider doesn't retain logs of user traffic.

Logic Bomb

A segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time or date.

EternalBlue

A series of Microsoft software vulnerabilities and the exploit created by the NSA (U.S. National Security Agency) as a cyber attack tool. Before it leaked, it was one of the most useful exploits in the NSA's cyber arsenal and was used in countless intelligence-gathering and counterterrorism missions.

Single Sign-On (SSO)

A single set of login credentials (login ID & password)

Firewalls

A system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company's network. They prevent unauthorized Internet users from accessing private networks. All requests entering or leaving your company's network pass through this. It examines each request and blocks those that do not meet specified security rules.

Software-As-A-Service (SaaS)

A way of delivering applications over the Internet, as a service. Instead of installing and maintaining software, you simply access it online, freeing yourself from complex software and hardware management. (Example: Office 365, WordPress)

What are the differences between BIA and Risk Assessment?

BIA does not directly focus on the likelihood of events (Risk Assessment does); rather, BIA assumes worst-case scenarios. BIA can be done without Risk Assessment, but Risk Assessment can't be done without BIA: Risk Assessment should use BIA to quantify and prioritize the risks it finds.

Marshall Forces

Businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combatting cases of suspected insider threat, include human resources, supervisors, upper management, security, legal and your IT crew in developing a company-wide plan.

Infrastructure-as-a-Service (IaaS)

Cloud-based, pay-as-you-go services such as storage, networking, and virtualization. Using a dashboard or an API (application programming interface), customers have complete control over the entire infrastructure. In effect, it provides identical technologies and capabilities as a conventional on-premises data center without having to physically manage it.

Data at Rest Protection

DAR Encryption

Data in Use

Data currently being accessed by users or one or more applications. This includes the files used by the applications themselves (Ex. Data created or modified by local apps such as Adobe Reader, MS Office, or the operating system).

Data in Transit

Data in motion, travelling from one location to another (Ex. Data travelling through an email, web, collaborative work app, or any public or private communication channel. Includes Gmail, LMU Mail, Zoom, Teams, Slack, WordPress, Remote Desktop).

Data in Use Protection

Data in use must be accessed only on systems that are authorized for the classification level of the data and only by users and applications that have appropriate permissions (clearance) and purpose (need-to-know). Track and report data access to detect suspicious activity and potential threats. For example, monitoring login attempts to platforms with sensitive information. Encryption? No.

Data at Rest

Data not currently being accessed that is stored in a physical or logical medium (Ex. Files stored on hard disks, USB drives, cloud storage, servers, databases).

Preparation

Developing policies and procedures to follow in the event of a cyber breach. This will include determining the exact composition of the response team and the triggers to alert internal partners. Key to this process is effective training to respond to a breach and documentation to record actions taken for later review.

GLBA - Gramm-Leach-Bliley Act

Directed toward financial institutions, where organizations are fined up to $100,000 for each violation of this law, and the officers and directors of the organization may be fined up to $10,000 personally. Individuals may also face up to 5 years in prison.

HIPAA - Health Insurance Portability and Accountability Act (HIPAA)

Directed toward healthcare providers, health insurers, doctors' offices and any entity that handles patient information. The fine for breaking this act is calculated based on the number of medical records exposed, with fines ranging from $50-$50,000 per record. Fines are capped at $1.5 million per year, but organizations may receive the maximum fine for multiple years. Violators may even face prison time ranging from 1-10 years.

Timeliness

Does the user need to know now?

How to protect against phishing, spear phishing, and whaling?

Employee awareness, Multifactor authentication, Data protection policies, Social media education, Anti-phishing tools and organizations

Data in Transit Protection

Encryption, network security measures like firewalls and network access control to protect from malware attacks or intrusions. Choose data protection solutions with policies that enable user prompting, blocking, or automatic encryption for sensitive data in transit, such as when files are attached to an email message or moved to cloud storage, removable drives, or transferred elsewhere.

Risk Analyses

Ensures IS security programs are cost effective.

Covering Tracks

Escaping the security personnel. They do this by clearing the cache and cookies, tampering with the log files, and closing all the open ports. This step is important because it clears the system information, making the hacking a great deal harder to track.

What tips can be used for stress-testing?

Expect things to fail, put someone in charge and accountable for testing & ongoing BCM, assign a budget for BC and stress-testing, make sure top management understands the importance of BCP, and plan stress-tests strategically.

Biometric

Fingerprint, retinal scan, facial recognition.

Vulnerabilities

Flaws in software, firmware, or hardware that can be exploited by an attacker to perform unauthorized actions in a system. They can be caused by software programming errors. Attackers take advantage of these to infect computers with malware or perform other malicious activity.

Business Continuity Planning (BCP)

How a business will continue operating during an unplanned disruption in service. It may provide detailed strategies on how business operations can be maintained for both short-term and long-term outages.

Risk Management

Identifies, controls, and minimizes the impact of threats. In other words, it seeks to reduce risk to acceptable levels.

Multi-Factor Authentication (MFA)

In addition to a username and password, an additional piece of data is required from the user, such as a one-time code sent to a mobile phone, or email, or a DUO System "push" or phone call.

Active Reconnaissance

Interacting with the company (phone calls, website)

Passive Reconnaissance

Internet & public searching.

Zero Trust Architecture

John Kindervag's model, which applies a "never trust, always verify, enforce least privilege" approach to privileged access, whether from inside or outside the network.

Risk Limitation

Limit the risk by implementing controls that minimize the impact of the threat.

USB Rubber Ducky

Looking like a standard drive, it registers itself as a USB keyboard (to avoid triggering any user access prompts), then initiates keystroke payloads (such as installing backdoors, exfiltrating documents, or capturing credentials).

Assume Compromise

Minimize scope of breach damage and prevent lateral movement by segmenting access via network, user, devices and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility and drive threat detection.

Least Privilege

Minimize user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection which protects data and productivity.

Containment

One of the first steps after identification is to contain the damage and prevent further penetration. This can be accomplished by taking specific sub-networks offline and relying on system backups to maintain operations. Your company will likely remain in a state of emergency until the breach is contained.

Lessons Learned

One of the most important and often overlooked stages. During this stage, the incident response team and partners meet to determine how to improve future efforts. This can involve evaluating current policies and procedures, as well as specific decisions the team made during the incident. Final analysis should be condensed into a report and used for future training.

Authorization

Permitting an authenticated user the proper permissions: "What am I allowed to do?"

Inheritance

Physical characteristic unique to the individual - fingerprint, retinal scan, facial recognition

Reverse Proxies

Proxies that are deployed on the web server's side rather than by a user or client; they are typically used to enhance performance, security, and reliability of the web server.

Firewall-as-a-Service (FWaaS)

Refers to a cloud firewall that delivers advanced Layer 7/next-generation firewall (NGFW) capabilities, including access controls, such as URL filtering, advanced threat prevention, intrusion prevention systems (IPS) and DNS security.

Ramifications of Data Breaches

Revenue loss, damage to brand reputation, loss of intellectual property, hidden costs (legal fees, PR, investigations), fines, online vandalism.

Employee Protections

Route all offsite access through a VPN, test your disaster recovery plan, block unapproved software, disable ex-employee accounts and passwords, block root access to everything, make suspect behavior cause for concern, beware resignations and terminations, marshall forces

Encryption

Scrambling data so people without a key cannot read it

Recovery

Security teams need to validate that all affected systems are no longer compromised and can be returned to working condition. This also requires setting timelines to fully restore operations and continued monitoring for any abnormal network activity. At this stage, it becomes possible to calculate the cost of the breach and subsequent damage.

Worm

Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program).

Virus

Segment of computer code that performs malicious actions by attaching to another computer program.

General Data Protection Regulation (GDPR)

A set of regulations designed to protect the personal information of all citizens in the European Union. International businesses that work with the European Union must comply with GDPR. Unlike most other cybersecurity laws, this one mandates the use of encryption. Under this act, the EU's data protection authorities can impose fines of up to €20 million (roughly $20,372,000), or 4 percent of worldwide turnover for the preceding financial year, whichever is higher.

Ransomware

Software program that encrypts a victim's files until a sum of money is paid.

Trojan Horse

Software program that hides in other computer programs and reveals its designed behavior only when it is activated.

Virtual Machine

Software, generally called an image, which behaves like an actual computer. Demonstrated in class were Oracle's open source Virtual Box and LMU's Virtual Desktop.

Possession

Something the user has (physical or virtual token, key card, digital asset like an email account, a mobile phone, a social media account).

Knowledge

Something the user knows (all password-based login systems use this). Least secure. How to hack?

Vulnerability Management Systems

Systems that manage software vulnerabilities. These days this includes Pen (Penetration) Testing and (BAS) Breach and Attack Simulation, which both take the position of a hacker in order to find vulnerabilities.

Computer Fraud and Abuse Act (CFAA)

The act that prohibits intentionally accessing a computer without authorization, and was drafted to combat various forms of "computer crime." At that time, this was largely understood to cover "hacking or trespassing into computer systems or data." It came about after President Reagan had watched "War Games" and had asked if someone could break into their most sensitive computers.

Cybersecurity

The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.

Secure Access Service Edge (SASE)

The cloud-based convergence of existing security technologies, specifically software-defined wide-area networking (SD-WAN) and network security services like CASB, FWaaS and Zero Trust, into a single, comprehensive service model. Its capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.

Gaining Access

The hacker gains access to the system, applications, and network, and escalates their user privileges to control the systems connected to it.

Scanning

The hacker identifies a quick way to gain access to the network and looks for information. This information extraction phase is where the attackers collect information about ports, live machines and OS details to launch an attack. There are generally three methods: pre-attack, port scanning/sniffing, and information extraction.

Maintaining Access

The hacker secures access to the organization and launches additional attacks on the network.

Marcus Hutchins

The man responsible for finding the WannaCry kill switch and disabling the malware.

Maximum Tolerable Downtime (MTD)

The maximum amount of time an application or data can be unavailable to users, as specified by management. This is based on the impact on business functions, and analysis of anticipated lost revenue and other costs that are incurred for every hour, day, or week a given application or database might be unavailable. It is an operational determination because following restoration of applications or data after a crash, the system will not be considered fully operational until the users catch up on any work they missed during the outage (with its clock still ticking). In that regard, it serves as a metric by which to compute a more granular threshold. It is equal to RTO + WRT

Work Recovery Time (WRT)

The maximum tolerable amount of time that is needed to verify the system and/or data integrity. AKA Catch-up time.

Risk Mitigation

The organization takes concrete actions against risks; this has two functions: (1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery if the threat becomes a reality.

Risk

The probability that a threat will impact an information resource.

Identification

The process of detecting a breach and enabling a quick, focused response. IT security teams identify breaches using various threat intelligence streams, intrusion detection systems, and firewalls. Some people don't understand what threat intelligence is but it's critical to protecting your company. Threat intelligence professionals analyze current cyberthreat trends, common tactics used by specific groups, and keep your company one step ahead.

Recovery Time Objective (RTO)

The time to recover your IT infrastructure and services following a disaster to ensure business continuity (continue normal business operations). It will generally be a technical consideration, to be determined by the IT department.

Data Breach

The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.

Need to Know

The user is cleared, but does this user need this info?

Corporate Firewall

These typically consist of an external firewall and an internal firewall, each implemented as software running on a computer dedicated to the task. A demilitarized zone (DMZ) is located between the two. Messages from the Internet must first pass through the external one. If they conform to the defined security rules, they are then sent to company servers located in the DMZ. These servers typically handle Web page requests and e-mail. Any messages designated for the company's internal network, for example its intranet, must pass through the internal one, again with its own defined security rules, to gain access to the company's private network.

Why do employees take data with them?

They simply forgot, they don't feel it's wrong, or they do so with malicious

Patriot Act

This act grants law enforcement new powers to detect and prevent terrorism. Compliance with the Act is now an essential aspect of doing business. All businesses should have mechanisms in place to identify and properly report "suspicious transactions," currency transactions in excess of $10,000, and people or entities listed on any of the "watch lists."

Federal Information Security Management Act (FISMA) (2014)

This act modernizes federal security practices to address evolving security concerns: strengthening the use of continuous monitoring in systems and increasing focus on issues caused by security incidents. It also required the Office of Management and Budget (OMB) to eliminate inefficient and wasteful reporting and to reflect changes in law and advances in technology. Penalties: Organizations may be stripped of federal funding, be barred from receiving future federal contracts, and may be called to Washington D.C. for a government hearing to testify on what went wrong.

Eradication

This stage involves neutralizing the threat and restoring internal systems to as close to their previous state as possible. This can involve secondary monitoring to ensure that affected systems are no longer vulnerable to subsequent attack.

Risk Transference

Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.

Back Door (Trap Door)

Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures.

Malicious Code (aka Malware)

Unwanted programs that can harm a computer or compromise stored data. Various classifications of malicious code include viruses, worms, and Trojan horses. Can deploy if you open an email attachment or visit a particular webpage. Can spread without user intervention and typically starts by exploiting a software vulnerability. Once the targeted computer has been infected, they may attempt to locate and infect other computers, propagating via email, websites, or network-based software.

Authentication

Validating the identity of authorized users. Prove to a digitized system: "I am who I say I am;" it acts as a precursor to Authorization

Reconnaissance

Where the hacker gathers information about a target before launching an attack and is completed in phases prior to exploiting system vulnerabilities.

