TestOut Chapter 2: Security Basics:2.1 Understanding Attacks


Internal vs. External

-Internal threats are authorized individuals who exploit their inherent privileges to carry out an attack. This category includes employees (both current and former), janitors, security guards, and even customers.
-External threats are any individuals or groups that attack a network from the outside and seek to gain unauthorized access to data.

Persistent vs. Non-Persistent

-Persistent threats seek to gain access to a network and remain there undetected. With this type of threat, the attacker will go to great lengths to hide their tracks and presence in the network.
-Non-persistent threats are only concerned with getting into a system and stealing information. The attack is usually a one-time event, and the attacker typically doesn't care if their presence is noticed.

What protections can you implement against organized crime threat actors?

-Proper user security training
-Implementing email filtering systems
-Proper securing and storing of data backups

Which five methodologies can be used to defend your network?

1. Layering
2. Principle of least privilege
3. Variety
4. Randomness
5. Simplicity

What is the general attack strategy for attackers?

1. Reconnaissance
2. Breaching
3. Escalating privileges
4. Staging
5. Exploitation

How do persistent and non-persistent threats differ?

A persistent threat seeks to gain access and remain undetected. A non-persistent threat is one where the attacker's only concern is getting into a system and stealing information in a one-time event. They are not concerned with remaining undetected.

Breach

A breach is the penetration of system defenses, achieved by using information gathered during reconnaissance to get past those defenses and gain unauthorized access.

Competitor

A competitor threat actor carries out attacks on behalf of an organization and targets competing companies. For example, a payment processing company could hire someone to carry out a DDoS attack on a competing payment processing company to force users to choose the attacker's product. The motive behind such attacks could be financial gain, competitor defamation, or even stealing industry secrets.

Hacktivist

A hacktivist is any individual whose attacks are politically motivated. Instead of seeking financial gain, hacktivists are looking to defame, shed light on, or cripple an organization or government. Oftentimes, hacktivists work alone. Occasionally, they will create unified groups with like-minded hackers. For example, the website wikileaks.org is a repository of leaked government secrets, some of which have been obtained by hacktivists.

Nation State

A nation state is the most organized, well-funded, and dangerous type of threat actor. There are two primary motives for nation state attacks (also called state-sponsored attacks).
-Obtaining information - Some attacks seek to obtain sensitive information, such as government secrets. These attacks usually target organizations that have government contracts or the government systems themselves. Attacks motivated by information gathering are considered a type of APT, as the goal is to remain in the system undetected.
-Crippling systems - Some attacks seek to cripple their target's network or infrastructure. For example, an attack could target a city's power grid or water system.

Script Kiddie

A script kiddie is an individual who carries out an attack by using scripts or programs written by more advanced hackers. Script kiddies typically lack the skills and sophistication of legitimate hackers. Script kiddies are usually motivated by the chance to impress their friends or garner attention in the hacking community. Because script kiddies lack knowledge and sophistication, their attacks often seek to exploit well-known vulnerabilities in systems. As such, defending against script kiddies involves keeping systems up-to-date and using standard security practices.

Cybercriminal

A subcategory of hacker threat agents that are willing to take more risks and use more extreme tactics for financial gain.

Technical

A technical approach is using software or utilities to find vulnerabilities in a system. Examples include:
-Port scan
-Ping sweep

Competitor

A threat agent that carries out attacks on behalf of an organization and targets competing companies.

Nation State

A threat agent that is a sovereign state who may wage an all-out war on a target and have significant resources and money at their disposal.

Insider

A threat agent who has authorized access to an organization and either intentionally or unintentionally carries out an attack.

Internal Threat

A threat from authorized individuals (insiders) that exploit their inherent privileges to carry out an attack.

External Threat

A threat from individuals or groups that attack a network from the outside and seek to gain unauthorized access to data.

Persistent Threat

A threat that seeks to gain access to a network and remain there undetected.

Non-Persistent Threat

A threat where the only concern is getting into a system and stealing information and is usually a one-time event where the attacker is not concerned if their presence is noticed.

Targeted Attack

A type of threat in which threat actors actively pursue and compromise a target entity's infrastructure while maintaining anonymity.

Opportunistic Attack

An attack where the threat actor is almost always trying to make money as fast as possible and with minimal effort.

Exploit

An exploitation takes advantage of known vulnerabilities in software and systems. Types of exploitation include:
-Stealing information
-Denying services
-Crashing systems
-Modifying/altering information

Insider

An insider is any individual who has authorized access to an organization and either intentionally or unintentionally carries out an attack. The most common type of insider is a full-time employee; however, other inside actors include customers, janitors, security guards, and even former employees. Possible motives for an insider threat actor can include:
-Becoming disgruntled with an employer
-Being bribed by a competitor
-Seeking personal financial gain
Because insiders are one of the most dangerous and overlooked threats to an organization, you need to take the appropriate steps to protect against them:
-Require mandatory vacations
-Create and follow onboarding and off-boarding procedures
-Employ the principle of least privilege
-Have appropriate physical security controls in place
-Require security awareness training, which should be tailored to the role of the employee (role-based awareness training). Roles include:
  -Data owner
  -System administrator
  -System owner
  -User
  -Privileged user
  -Executive user

Organized Crime

An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last several months and are very well-funded and extremely sophisticated. A common tactic used by organized crime is a targeted phishing campaign. Once access is gained, the group will either steal data and threaten to release it or use ransomware to hold data hostage. Due to the level of sophistication and amount of funding, attacks from organized crime groups are extremely hard to protect against. In a lot of cases, it's simply a matter of time until a data breach occurs or ransomware takes hold. Because of this, many companies that need immediate access to their data (such as hospitals and financial institutions) stockpile digital currency in case of an attack. Specific protections against organized crime threat actors include:
-Proper user security training
-Implementing email filtering systems
-Proper securing and storing of data backups

Hacker

Any threat agent who uses their technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information.

Vulnerable Business Processes

Attacks on business processes have recently come into focus. Attackers target a business's unique processes and machines and manipulate them for personal benefit. When they identify a weakness, they can alter a process to help them achieve their aims. For example, shipping companies working in the Belgian port of Antwerp were hacked by drug traffickers. They were able to modify the movement and location of containers, making it possible to move and retrieve illegal drugs.

Open-Source Intelligence (OSINT)

Before carrying out an attack, a threat actor will typically gather open-source intelligence (OSINT) about their target. OSINT is information that is readily available to the public and doesn't require any type of malicious activity to obtain. Sources of OSINT include the following:
-Media (newspapers, magazines, advertisements)
-Internet (websites, blogs, social media)
-Public government data (public reports, hearings, press conferences, speeches)
-Professional and academic publications (journals, academic papers, dissertations)

Which method is used to access an application or operating system for troubleshooting?

Creating a backdoor

Create a Backdoor

Creating a backdoor is an alternative method of accessing an application or operating system for troubleshooting. Hackers often create backdoors to exploit a system without being detected.

Variety

Defensive layers should have variety and be diverse; implementing multiple layers of the exact same defense does not provide adequate strength against attacks.

Improper Certificate and Key Management

Due to the proliferation and complexity of digital certificates used for identity and encryption, many organizations find it difficult to manage their certificates and cipher keys. Expiring certificates are a leading cause of system downtime. To better manage their certificates, organizations should track when certificates expire, their issuing CA, and their encryption key strengths.

Escalate Privileges

Escalating privileges is one of the primary objectives of an attacker. After breaching the system, the attacker configures additional (escalated) rights so they can do more than the initial breach alone allowed.

Improper Error Handling

Improper handling of errors, especially by a website, can lead to other security problems. If an error message displays stack traces, database dumps, and error codes, an attacker can use this information to form a more customized offensive. Even error messages that give limited details can reveal important clues to the inner workings of a website. For example, a message that says Access Denied lets an attacker know that a file exists, while a message that reads File Not Found does not.

Improper Input Handling

Improper input handling may be the chief security vulnerability in today's software applications and web pages. It involves the improper validation, sanitization, and filtering, as well as encoding and decoding of input data. During application development, all inputs should be considered untrusted, especially external inputs that can be transferred in various formats.

Open-Source Intelligence (OSINT)

Information that is readily available to the public and doesn't require any type of malicious activity to obtain.

Layering

Layering involves implementing multiple security strategies to protect the same asset. Defense in depth or security in depth is the premise that no single layer is completely effective in securing the assets. The most secure system/network has many layers of security and eliminates single points of failure.

Improperly Configured Accounts

Password length and complexity policies help prevent attackers from gaining unauthorized access. But there are other account configurations that can increase security. Attackers know the default domain, service, and device accounts, their default passwords, and the default privileges assigned to them. If these accounts are left enabled and unchanged, they can be an entry point for adversaries. Also, accounts should be configured with the least amount of permissions and privileges needed to perform their duties. It is better to give privileges later than to remove privileges after a security problem has occurred.

Randomness

Randomness in security is the constant change in personal habits and passwords to prevent anticipated events and exploitation.

Reconnaissance

Reconnaissance is the process of gathering information about an organization, including:
-System hardware information
-Network configuration
-Individual user information

Simplicity

Security measures should provide protection, but not be so complex that you do not understand and use them.

Social Engineering

Social engineering is the process of manipulating others into giving you sensitive information, using tactics such as:
-Intimidation
-Sympathy

Stage

Staging a computer involves preparing it to perform additional tasks in the attack, such as installing software designed to attack other systems. This is an optional step.

Principle of Least Privilege

The principle of least privilege states that users or groups are given only the access they need to do their job and nothing more. When assigning privileges, be aware that it is often easier to give a user more access when they need it than to take away privileges that have already been granted.

Weak Cipher Suites and Implementations

To secure data that is transferred across external paths, TLS/SSL makes use of one or more cipher suites. Old and outdated cipher suites, especially those with documented vulnerabilities, can allow attackers access to secret data. Weak encryption keys are more likely to fail against brute-force attacks.
