CEH Bullet Points
Functionality
features of the system
Misconfiguration Attacks
A hacker gains access to a system whose security is poorly configured. Can affect networks, databases, web servers, etc.
zero-day attack
Exploits previously unknown vulnerabilities in software applications, hardware, and operating system code, for which no patch exists yet.
Psychological warfare
"Capture their minds and their hearts and souls will follow" E.g. propaganda or terror
Technical Controls
(Logical) Security tokens
Functionality, usability, security triangle
Increasing any one component directly decreases the other two.
Business continuity and disaster recovery (BCDR)
1. Risk assessment - includes the Business Impact Analysis (BIA)
2. Business Continuity Plan (BCP) - includes the Disaster Recovery Plan
Shrink-wrap code vulnerabilities
A bug is fixed in a library but the application still ships the older version; or the application uses libraries in debug mode or with their default configuration.
ALE equation
ARO (Annual rate of occurrence) x SLE (Single loss expectancy)
SLE Equation
AV (Asset Value) x EF (Exposure Factor)
Hacker warfare
Acquire information about subject A, sell it to subject B
Corrective controls
Applied after an incident, once preventative and detective controls have failed, to restore normal operation. E.g. backups, restore from backup
Information Security Management Program
All activities the organization takes to protect sensitive information E.g. security policies, rules, standards, business resilience, training and awareness, security metrics and reporting.
Risk Mitigation
Also known as risk reduction. Taking action to reduce the organization's exposure to a risk, lowering the likelihood that it occurs or the impact if it does.
Return on Investment (ROI)
Amount of money saved by implementing a safeguard.
Residual Risk
Amount of risk that remains after controls are accounted for
Daisy chaining
An attack in which hackers gain access to one network or device and then use it as a foothold to reach the next network or device.
Annualized Loss Expectancy (ALE)
Expected annual cost of a loss due to a risk (ARO x SLE)
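Worked example of the SLE, ALE and ROI entries above. This is added illustration, not part of the CEH notes; the asset value, exposure factor, occurrence rates and safeguard cost are constructed, and safeguard_value is the ROI definition above expressed as (ALE before - ALE after) - annual cost of the safeguard.

```python
# Added example (not from the CEH notes): quantitative risk figures using the
# SLE = AV x EF, ALE = ARO x SLE and ROI definitions. All asset values, rates
# and costs below are constructed for illustration.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO x SLE. ARO is the expected number of occurrences per year
    (0.2 means once every five years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual saving from a safeguard: (ALE before - ALE after) - annual cost.
    A positive result means the control pays for itself (the ROI entry above)."""
    return (ale_before - ale_after) - annual_cost


def evaluate_scenario() -> dict:
    """Constructed scenario: customer database worth 500,000; a breach exposes
    40% of its value; breaches expected once every five years (ARO 0.2)."""
    av, ef, aro = 500_000.0, 0.4, 0.2
    sle = single_loss_expectancy(av, ef)
    ale_before = annualized_loss_expectancy(sle, aro)
    # Proposed safeguard (assumption): encryption at rest plus monitoring at
    # 25,000 per year, assumed to cut the ARO to once every twenty years.
    safeguard_cost = 25_000.0
    ale_after = annualized_loss_expectancy(sle, 0.05)
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "roi": safeguard_value(ale_before, ale_after, safeguard_cost),
    }


if __name__ == "__main__":
    for name, value in evaluate_scenario().items():
        print(f"{name:>10}: {value:,.2f}")
```

With these numbers SLE is 200,000, ALE drops from 40,000 to 10,000, and the safeguard returns 5,000 per year after its own cost, so it is worth deploying; a negative result would argue for accepting or transferring the risk instead.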
Guideline Documentation
Flexible, recommended actions users are to take in the event there is no standard to follow
Motives
Attack = Motive + Vulnerability + Method (exploit). (The common goal behind most motives is access to valuable information.)
Host Threats
Attack that tries to gain access to information on a system (E.g. • password attacks • unauthorized access • profiling • malware attacks • footprinting • denial of service attacks (DoS) • arbitrary code execution • privilege escalation • backdoor attacks • physical security threats)
Shrink-wrap code Attacks
Attacks on the libraries and frameworks the software depends on. A vulnerability found in one library lets the same exploit be reused against every application that bundles it. (Countermeasure: prefer libraries that are mature, actively maintained and updated, and have a proven track record; keep them patched.)
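The shrink-wrap code entries above describe an application that keeps shipping a library version in which a bug has already been fixed. The check below is an added example, not code from the CEH notes: it parses a requirements-style manifest and reports every pinned dependency older than the version that carries the fix. The advisory table (FIXED_IN), the package names and the sample manifest are constructed for illustration.

```python
# Added example (not from the CEH notes): flag pinned dependencies that are
# older than the version in which a known bug was fixed. The FIXED_IN table,
# package names and the manifest text are constructed for illustration.
import re

# Constructed advisory data: package name -> first version containing the fix.
FIXED_IN = {
    "examplelib": "2.4.1",
    "fastparse": "1.0.9",
}


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically.
    Non-numeric suffixes such as 'rc1' are ignored (assumption for this example)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_requirements(text: str) -> dict:
    """Parse 'name==version' lines from a requirements-style manifest.
    Comments and blank lines are skipped; entries that are not pinned with
    '==' cannot be checked and are returned separately."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return {"pinned": pinned, "unpinned": unpinned}


def find_vulnerable(manifest_text: str) -> list:
    """Return (package, pinned_version, fixed_version) for every pinned
    dependency that is older than the version fixing the known bug."""
    parsed = parse_requirements(manifest_text)
    findings = []
    for name, version in parsed["pinned"].items():
        fixed = FIXED_IN.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((name, version, fixed))
    return findings


# Constructed manifest: one outdated pin, one current pin, one unpinned entry.
SAMPLE_REQUIREMENTS = """
examplelib==2.3.0     # bug fixed upstream in 2.4.1, application still on 2.3.0
fastparse==1.1.0
requests>=2.0         # unpinned: the deployed version cannot be verified
"""

if __name__ == "__main__":
    for name, have, fixed in find_vulnerable(SAMPLE_REQUIREMENTS):
        print(f"{name}: pinned {have}, fix available in {fixed}")
    for entry in parse_requirements(SAMPLE_REQUIREMENTS)["unpinned"]:
        print(f"unpinned dependency, cannot verify: {entry}")
```

Unpinned entries are reported rather than silently passed: an unpinned dependency is exactly the case where the deployed version drifts from what was tested, which is how an old, buggy library ends up shipped.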
Security Attacks
Attempt to gain unauthorized access to a system or network. Actualization of a threat
Preventative controls
Authentication, Encryption
Risk Responses
Avoid, Mitigate, Transfer, Accept, Share
Exploit
Breach through vulnerabilities
OS Vulnerabilities
Bugs (a large codebase), buffer overflows, unpatched operating systems (known vulnerabilities stay exploitable until the patch is applied; zero-day vulnerabilities have no patch yet in any case)
Application-level vulnerabilities
Caused by lack of testing as developers rush application development and miss something. E.g. • sensitive information disclosure • buffer overflow attack • SQL injection • cross-site scripting • session hijacking • denial of service • man in the middle • phishing
Risk Avoidance
Change the strategy/plan to avoid the risk
Economic information warfare
Channeling or blocking information to pursue economic dominance
Attack Vector Types
Cloud computing threats such as data breach and data loss. IoT threats, usually caused by insecure devices and hardware constraints (battery, memory, CPU, etc.). Ransomware: restricts access to your files and demands payment to regain access. Mobile threats.
CIA triad
Confidentiality: no unauthorized party can see the contents. Integrity: no one tampers with the data (in transit or at rest). Availability: data is accessible on demand.
Level of risk equation
Consequence x Likelihood
Risk Acceptance
Decide to take the risk, as without risk there's no movement/rewards.
Risk Level
Determined by an event's possible consequences combined with its likelihood (the level of risk equation above)
Procedure Documentation
Detailed step-by-step instructions for accomplishing a task or goal
Risk Sharing
Distribution of risk
Usability
GUI of the system and how user friendly it is
Non-repudiation
Guarantee that the sender of a message cannot deny having sent it and the recipient cannot deny having received it.
Electronic warfare
Enhance, degrade, or intercept the flow of information
Confidentiality
Ensures that information is available only to people who are authorized to access it.
Integrity
Ensures the accuracy of the information
Authenticity
Ensures the quality of being genuine or uncorrupted (Users are who they claim, a document is uncorrupted)
Availability
Ensuring resources are available whenever the authorized user needs them
Impact
Estimate of the harm that could be caused by an event
Application Threats
Exploitation of vulnerabilities that exist in the application itself. Caused by e.g. bad coding practices; rushed programs contain mistakes such as missing validation of input data. E.g. • SQL injection • cross-site scripting • session hijacking • identity spoofing • improper input validation • security misconfiguration • information disclosure • hidden-field manipulation • broken session management • cryptography attacks • buffer overflow attacks • phishing
OS attacks
Exploiting network protocol implementations, authentication attacks, cracking passwords, breaking filesystem security
Physical controls
Fences, Mantrap, locks, security badges
Doxing
Finding and publishing someone's personally identifiable information for malicious reasons
Security
How the processes of the system are used and who is using them
Risk Management Phases
Identification, Assessment, Treatment, Tracking and Review
Risk Management Objectives
Identify the potential risks; identify the impacts of those risks; create a risk management strategy and plan; assign priorities to risks; analyze the risks; control the risks; develop strategies and plans for long-lasting risks
Pure insider
Inside employee with normal access rights
Elevated pure insider
Insider with elevated access
Insider associate
Insider with limited authorized access (e.g. guard, cleaning person)
Hack Value
It is the notion among hackers that something is worth doing or is interesting
Standard Documentation
Mandatory rules used to achieve consistency
Attack Vectors
Means by which hackers deliver a payload to systems and networks
Risk Management
Ongoing process of identifying, assessing and acting on potential risks. (Reduce risks but can never fully eliminate)
Insider attacks
Performed by a person from within the organization who has authorized access. Presents one of the greatest potential risks and is among the most difficult attacks to defend against.
Risk Transfer
Place the burden elsewhere, e.g. outsourcing or purchasing insurance
Administrative controls
Policies and continuity of operations plans
Defense in Depth Layers
Policies, Procedures, Awareness: data classification, risk management, code reviews, education...
Physical security: ID cards, CCTV, fences... (the maintenance board should be protected inside the server room; hard to achieve in schools, universities, etc.)
Perimeter: encryption, identities... sits in front of the internal network, where traffic in and out is filtered.
Internal network: network zoning, firewalls...
Host: antivirus, patches, security updates... individual devices with networking capability, e.g. servers / PCs.
Services: audit logs, authentication, authorization, coding practices... applications running on hosts.
Data: backups, encryption...
Risk Assessment
Prioritizes risks based on severity and likelihood of occurrence Includes an analysis of threats based on the impact to the business
Baseline Documentation
Provide the minimum security level necessary
Enterprise Information Security Architecture (EISA)
Regulates the organization's structure and behavior in terms of security, processes and employees. Includes requirements, processes, principles and models.
Worm
Replicates itself; infects quickly; can spread independently without user action
Virus
Replicates itself; infects quickly; requires user action to be activated
Inherent Risk
Represents the amount of risk that exists before any controls are taken. Raw and untreated risk
Insider attack countermeasures
Restricting access. Logging, to know who accessed what and when. Active monitoring of employees with elevated privileges. Trying not to have disgruntled employees. Separation of duties (also known as segregation of duties): requiring more than one person to complete a task.
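Two of the countermeasures above, logging and separation of duties, only help if someone actually checks the log. The script below is an added example, not code from the CEH notes: it runs over a constructed access log and flags (1) the same user both submitting and approving the same transaction, and (2) privileged roles touching sensitive records outside business hours. The log format, user names, role set and the business-hours window are assumptions made for this example.

```python
# Added example (not from the CEH notes): separation-of-duties and after-hours
# privileged-access checks over a constructed access log. The log format,
# names, privileged roles and business-hours window are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed log lines: timestamp | user | role | action | object
ACCESS_LOG = """
2024-03-04T09:12:00 | alice | clerk   | submit  | payment:1001
2024-03-04T09:40:00 | bob   | manager | approve | payment:1001
2024-03-04T10:05:00 | carol | clerk   | submit  | payment:1002
2024-03-04T10:06:00 | carol | clerk   | approve | payment:1002
2024-03-04T23:15:00 | dave  | dba     | read    | hr:salaries
2024-03-04T14:30:00 | dave  | dba     | read    | hr:salaries
"""

PRIVILEGED_ROLES = {"dba", "manager", "admin"}
SENSITIVE_PREFIXES = ("hr:", "payment:")
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local time (assumption)


def parse_log(text: str) -> list:
    """Parse each well-formed line into a dict; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue
        ts, user, role, action, obj = fields
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "object": obj})
    return events


def separation_of_duties_violations(events: list) -> list:
    """(object, user) pairs where one user performed both 'submit' and 'approve'
    on the same object: a single person completed a two-person task."""
    actions_by_obj_user = defaultdict(lambda: defaultdict(set))
    for e in events:
        actions_by_obj_user[e["object"]][e["user"]].add(e["action"])
    return sorted((obj, user)
                  for obj, by_user in actions_by_obj_user.items()
                  for user, acts in by_user.items()
                  if {"submit", "approve"} <= acts)


def after_hours_privileged_access(events: list) -> list:
    """Privileged-role access to sensitive objects outside business hours,
    the cases an elevated-privilege monitoring review would look at first."""
    hits = []
    for e in events:
        if (e["role"] in PRIVILEGED_ROLES
                and e["object"].startswith(SENSITIVE_PREFIXES)
                and e["ts"].hour not in BUSINESS_HOURS):
            hits.append((e["ts"].isoformat(), e["user"], e["object"]))
    return hits


if __name__ == "__main__":
    evts = parse_log(ACCESS_LOG)
    print("SoD violations:", separation_of_duties_violations(evts))
    print("After-hours privileged access:", after_hours_privileged_access(evts))
```

In the constructed log, carol both submits and approves payment 1002 (a separation-of-duties failure), and dave's 23:15 read of the salary table is flagged while his 14:30 read is not; the daytime read is authorized activity and only stands out in context, which is why the log needs the who, what and when recorded in the first place.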
Audit risk
Risk of error while performing an audit. Three types: Control risk, detection risk, inherent risk
Control Risks
Risks that occur due to weaknesses in internal controls
Processes to achieve IA
Security policies; network and user authentication strategy; identification of vulnerabilities and threats, e.g. pen-testing; identification of problems in the system and resource requirements; plan design for the identified requirements; certification and accreditation to find vulnerabilities and remove them; training for employees
Intelligence-based warfare
Sensor-based technology to disrupt systems
Application-level Attacks
Similar to OS attacks but usually less damaging, as their scope is narrower (a single application rather than the whole host)
Risk Mitigation Response
Take action to reduce the risk to a low enough level to be acceptable.
Web application threats
Takes advantage of poorly written code and lack of proper validation of input and output data. (E.g. buffer overflows, SQL injections, cross-site scripting)
Command and control (C2) warfare
Taking down the command center may protect the headquarters but may interfere with their mobility
Outsider affiliate
Unknown and untrusted person from outside the organization. Uses an open access channel or stolen credentials to gain unauthorized access.
Insider affiliate
Spouse, friend, or client of an employee that uses employee's credentials.
APT
Stealthy threat actor with continuous attacks targeting a specific entity (EX: Red Apollo, Equation Group, Cozy Bear)
Information Assurance
The affirmation or guarantee of the confidentiality, integrity, and availability of information in storage, processing, and transmission.
Payload
The part of malware performing malicious action.
Attack Vector
The path or means by which an attacker gains access to a computer.
Risk
Threat of damage or loss
Network Threats
Threat to the set of devices connected through communication channels over which data is exchanged (E.g. • denial of service attacks (DoS) • password-based attacks • compromised-key attacks • firewall and IDS attacks • DNS and ARP poisoning • man in the middle (MITM) attack • spoofing • session hijacking • information gathering • sniffing...)
Risk equation
Threat x Vulnerability x Asset (E.g. network very vulnerable (no firewall) and asset critical: high risk. Network well protected and asset critical: medium risk)
Security Management Framework
To reduce the risks of any system. Risk is never zero, but it should be reduced as much as you can. A combination of policies, procedures, guidelines and standards.
Total cost of ownership (TCO)
Total cost of a mitigating safeguard
Detective controls
Used to detect an event while or after it occurs. Audits, alarm bells, alerts
Botnet
Used by hackers to control infected machines (phones, PCs, IoT devices). Used in DDoS attacks. Typically the result of poor security or missing updates on the infected devices.
Risk Matrix
Used to visualize the probability of each risk against its consequences, so risks can be banded (e.g. low / medium / high) and prioritized
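The level of risk equation (Consequence x Likelihood), the risk equation (Threat x Vulnerability x Asset) and the risk matrix entry above can all be expressed as one small scoring model. The code below is an added example, not part of the CEH notes: the 1-5 rating scales, the band thresholds and the two sample scenarios are constructed assumptions; the scenarios mirror the "no firewall" and "well protected" cases given in the risk equation entry.

```python
# Added example (not from the CEH notes): a qualitative risk matrix in code.
# Level of risk = Consequence x Likelihood on 1..5 scales, and
# Risk = Threat x Vulnerability x Asset on 1..5 scales. The scales, band
# thresholds and sample scenarios are constructed assumptions.

CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def risk_level(consequence: str, likelihood: str) -> str:
    """Band the product Consequence x Likelihood (1..25) into Low/Medium/High."""
    score = CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Every (consequence, likelihood) cell with its band; the data behind the matrix."""
    return {(c, l): risk_level(c, l) for c in CONSEQUENCE for l in LIKELIHOOD}


def risk_from_factors(threat: int, vulnerability: int, asset: int) -> str:
    """Risk = Threat x Vulnerability x Asset, each factor rated 1..5 (product 1..125).
    Thresholds are assumptions chosen so that the page's two examples band as
    described: unprotected + critical asset -> High, protected + critical -> Medium."""
    for value in (threat, vulnerability, asset):
        if not 1 <= value <= 5:
            raise ValueError("each factor must be rated 1..5")
    score = threat * vulnerability * asset
    if score >= 60:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def render_matrix() -> str:
    """Text rendering: rows are likelihood (highest first), columns are consequence."""
    cells = risk_matrix()
    cols = list(CONSEQUENCE)
    lines = ["likelihood".ljust(16) + "".join(c.ljust(12) for c in cols)]
    for l in reversed(list(LIKELIHOOD)):
        lines.append(l.ljust(16) + "".join(cells[(c, l)].ljust(12) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix())
    # Scenarios from the risk equation entry: an active threat (4) against a
    # critical asset (5), with no firewall (vulnerability 5) vs well protected (2).
    print("no firewall, critical asset:   ", risk_from_factors(4, 5, 5))
    print("well protected, critical asset:", risk_from_factors(4, 2, 5))
```

The band thresholds are the part a practitioner has to agree with the business rather than derive: the arithmetic is trivial, the argument is always about where "Medium" ends.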
Defense in Depth
Using multiple layers for protection Provides redundancy in the event a security control fails or a vulnerability is exploited
Detection risk
The verifier (auditor) fails to detect a material misstatement
Vulnerability
Weakness which can compromise the system and be used for a possible attack
Bitsquatting
A form of cybersquatting that relies on bit-flip errors (e.g. from faulty memory) occurring while a DNS request is made, so that a single flipped bit turns the intended domain name into a look-alike name the attacker has registered
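The defensive side of bitsquatting is knowing which names a single bit flip can turn your domain into, so they can be registered or monitored. The function below is an added example, not code from the CEH notes: it enumerates every one-bit variant of each label character that is still a valid hostname character. The target domain is a constructed example.

```python
# Added example (not from the CEH notes): enumerate the bitsquat candidates of
# a domain name, i.e. every single-bit flip of one label character that still
# yields a valid hostname character. The target name is constructed.
import string

# Characters allowed in a DNS label (letters, digits, hyphen); names are
# case-insensitive, so only lowercase results are kept.
VALID = set(string.ascii_lowercase + string.digits + "-")


def bitsquat_candidates(domain: str) -> list:
    """Sorted, unique domains reachable from `domain` by flipping one bit in
    one character of one label. Dots are never flipped, the result must stay
    in the valid set, and a label may not start or end with '-'."""
    domain = domain.lower()
    labels = domain.split(".")
    out = set()
    for li, label in enumerate(labels):
        for ci, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit))
                if flipped not in VALID:
                    continue
                new_label = label[:ci] + flipped + label[ci + 1:]
                if new_label.startswith("-") or new_label.endswith("-"):
                    continue
                out.add(".".join(labels[:li] + [new_label] + labels[li + 1:]))
    return sorted(out)


def registrable_candidates(domain: str) -> list:
    """Only the variants that keep the original top-level domain: a flipped TLD
    (e.g. .cnm) is normally not something an attacker can register."""
    tld = domain.lower().split(".")[-1]
    return [d for d in bitsquat_candidates(domain) if d.endswith("." + tld)]


if __name__ == "__main__":
    # Constructed target name.
    for candidate in registrable_candidates("example.com"):
        print(candidate)
```

Because a flip changes exactly one bit, every candidate has the same length as the original; a name that differs by one whole character but is several bits away (a classic typosquat) is deliberately not produced here.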
Security Threats
Anything that has the potential to cause damage to the system
Likelihood
How probable it is that an event will occur
Cyber warfare
Use of information systems against virtual personas
Misconfiguration Vulnerabilities
Using default accounts (passwords) • leaving an Apache server online configured to accept forward proxy requests (an open proxy), which lets attackers relay traffic through it, e.g. as part of DDoS attacks
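Both misconfigurations named above (in this entry and under Misconfiguration Attacks) can be caught by a review of the configuration before it goes live. The checker below is an added example, not code from the CEH notes. The directives it looks for (ProxyRequests, the <Proxy> container and Require) are real Apache httpd directives; the two config fragments, the default-credential list and the account list format are constructed assumptions.

```python
# Added example (not from the CEH notes): lint an Apache httpd configuration
# for the open-proxy misconfiguration, and check an account list against
# common vendor defaults. Config fragments, the default-credential table and
# the account list format are constructed for illustration.
import re

# Weak: forward proxying enabled with no access control on who may use it.
WEAK_CONF = """
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests On
"""

# Corrected: forward proxying off; only an explicit reverse-proxy mapping,
# and the <Proxy> container restricts any proxy use to local requests.
FIXED_CONF = """
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests Off
ProxyPass "/app/" "http://127.0.0.1:8080/app/"
<Proxy "*">
    Require local
</Proxy>
"""

# Constructed list of vendor default credentials to compare against.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


def open_proxy_risk(conf: str) -> bool:
    """True when 'ProxyRequests On' is set and no <Proxy> container restricts
    who may use the proxy. Directive names are case-insensitive in httpd."""
    forward_on = bool(re.search(r"^\s*ProxyRequests\s+On\b", conf, re.I | re.M))
    if not forward_on:
        return False
    block = re.search(r"<Proxy\b[^>]*>(.*?)</Proxy>", conf, re.I | re.S)
    # Any Require other than 'Require all granted' counts as a restriction.
    restricted = bool(block and re.search(
        r"^\s*Require\s+(?!all\s+granted\b)\S+", block.group(1), re.I | re.M))
    return not restricted


def default_account_findings(accounts: list) -> list:
    """Return the (user, password) pairs from `accounts` that match a default."""
    return [(user, pw) for user, pw in accounts if (user, pw) in DEFAULT_CREDENTIALS]


if __name__ == "__main__":
    print("weak config is an open proxy: ", open_proxy_risk(WEAK_CONF))
    print("fixed config is an open proxy:", open_proxy_risk(FIXED_CONF))
    # Constructed account list as (username, password).
    accounts = [("admin", "admin"), ("ops", "S3cr3t-long-passphrase")]
    print("default accounts found:", default_account_findings(accounts))
```

A forward proxy that is genuinely needed can keep ProxyRequests On provided the <Proxy> container limits it to trusted source addresses; the checker therefore only reports the combination of forward proxying and no restriction, not ProxyRequests On by itself.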