Principles of Information Security | TestOut
General defense methodologies include the following items:
- Layering - Principle of least privilege - Variety - Randomness - Simplicity
Specific protections against organized crime threat actors include:
- Proper user security training - Implementing email filtering systems - Properly secured and stored data backups
Additional Preventive Measures
In addition, implement the following measures:
- Train users not to download files from unknown sources or open files attached to suspicious emails. Spyware, adware, crimeware, and Trojans all rely on downloads.
- Disable or remove removable drives to prevent unauthorized software from being installed on a system.
- Show full file extensions on all files. Viruses, worms, and Trojans often use double file extensions to make an executable look like a file type normally deemed harmless. For example, a file whose name ends in .TXT.EXE appears as a text file in an attachment when extensions are hidden, but in reality it is an executable.
- Enable antivirus scanning for all email attachments.
- Enable antivirus scanning for all removable storage, such as USB flash drives and CD-ROMs.
- Block executable files that have been copied from another computer. Require that they be manually unblocked before they can run.
- Enable privacy controls in Windows Internet Explorer: delete browsing history, and configure AutoComplete settings so that usernames, passwords, web addresses, and form entries are not stored.
- Use third-party tools to scan for issues and clean up problems.
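Two of the measures above, the double-extension check and the block-until-unblocked rule for executables copied from another computer, can be checked mechanically. The following Go program is an added example, not TestOut's material: it flags names whose final extension is executable and whose preceding extension looks like a document, and it parses the Zone.Identifier alternate data stream that Windows writes to a downloaded or copied file (the "mark of the web" that drives the unblock prompt). The extension lists and the ShouldBlock policy are assumptions chosen for the demonstration.

```go
// Added example, not TestOut's material. Extension lists and the blocking
// policy below are assumptions for the demonstration.
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Extensions Windows will execute or script directly (assumed, non-exhaustive).
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".vbs": true, ".js": true, ".jse": true, ".wsf": true,
	".ps1": true, ".hta": true, ".msi": true,
}

// Extensions users treat as harmless documents or media (assumed list).
var benignExts = map[string]bool{
	".txt": true, ".pdf": true, ".doc": true, ".docx": true, ".xls": true,
	".xlsx": true, ".jpg": true, ".jpeg": true, ".png": true, ".gif": true,
}

// IsDisguisedExecutable reports whether name ends in an executable extension
// preceded by a benign-looking one, e.g. "invoice.txt.exe".
func IsDisguisedExecutable(name string) bool {
	last := strings.ToLower(filepath.Ext(name))
	if !executableExts[last] {
		return false
	}
	inner := strings.ToLower(filepath.Ext(strings.TrimSuffix(name, filepath.Ext(name))))
	return benignExts[inner]
}

// Windows URL security zone IDs as recorded in the Zone.Identifier stream.
const (
	ZoneLocalMachine = 0
	ZoneIntranet     = 1
	ZoneTrusted      = 2
	ZoneInternet     = 3
	ZoneRestricted   = 4
)

// ParseZoneID extracts ZoneId from the INI-like text of a Zone.Identifier
// stream ("[ZoneTransfer]" section, "ZoneId=3", optional HostUrl/ReferrerUrl).
// It returns -1 when no ZoneId is present, i.e. the file carries no mark.
func ParseZoneID(stream string) int {
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(stream))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "["):
			inSection = strings.EqualFold(line, "[ZoneTransfer]")
		case inSection && strings.HasPrefix(strings.ToLower(line), "zoneid="):
			if id, err := strconv.Atoi(strings.TrimSpace(line[len("zoneid="):])); err == nil {
				return id
			}
		}
	}
	return -1
}

// ShouldBlock applies the policy "executables that arrived from the Internet
// or Restricted zones stay blocked until someone deliberately unblocks them".
func ShouldBlock(name string, zone int) bool {
	return executableExts[strings.ToLower(filepath.Ext(name))] && zone >= ZoneInternet
}

// ReadZoneStream opens the alternate data stream on NTFS. On other file
// systems or operating systems the open fails and "" is returned.
func ReadZoneStream(path string) string {
	b, err := os.ReadFile(path + ":Zone.Identifier")
	if err != nil {
		return ""
	}
	return string(b)
}

func main() {
	// Constructed sample inputs for the demonstration.
	stream := "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/invoice.txt.exe\r\n"
	name := "invoice.txt.exe"
	zone := ParseZoneID(stream)
	fmt.Printf("%s: disguised=%v zone=%d block=%v\n", name, IsDisguisedExecutable(name), zone, ShouldBlock(name, zone))
	// Real files given on the command line (only meaningful on Windows/NTFS).
	for _, p := range os.Args[1:] {
		z := ParseZoneID(ReadZoneStream(p))
		fmt.Printf("%s: disguised=%v zone=%d block=%v\n", p, IsDisguisedExecutable(p), z, ShouldBlock(p, z))
	}
}
```

The Zone.Identifier stream is only present on NTFS and is dropped when a file is copied to FAT or to a non-Windows system, which is why the card pairs the blocking rule with antivirus scanning of removable media rather than relying on the mark alone.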
Regardless of the type of malware, there are some common things you can do to prevent malware infection:
- Use the latest version and patch level for your web browser.
- Install the latest patches for the operating system.
- Install antivirus, anti-spyware, anti-rootkit, and personal firewall software.
- Keep definition files up to date.
- Use a pop-up blocker to prevent adware.
- Use software to control cookies on the system.
- Perform regular scheduled scans to look for malware.
- Choose anti-malware software from a reputable company. Don't let scareware fool you into purchasing a product that may not work.
Malware can permanently damage your system. Recovery from malware can include the following steps:
- You may have to reinstall applications, features, or even the entire operating system from scratch.
- If your organization uses imaging solutions, you can quickly re-image a machine that is infected with malware.
- Re-imaging or installing from scratch is often faster and more effective than malware removal and cleanup.
- Remediation is the process of correcting problems. Most antivirus software remediates problems automatically or semi-automatically by prompting you to choose the action to take. Possible actions are:
  - Repair the infection. Repair is possible for true viruses that have attached themselves to valid files. During the repair, the virus is removed and the file is returned to its original state, if possible.
  - Quarantine the file. Quarantine moves the infected file to a secure folder where it cannot open or run normally. You might quarantine an infected file that cannot be repaired in case another tool or utility can recover it later.
  - Delete the file. Delete malicious files such as worms, Trojan horse programs, spyware, or adware programs.
- Periodically review the quarantine folder and delete any files you do not want to recover.
Authentication and authorization, user management, group policies, and web application security.
Application
The __________________________ of an attack can grow to millions of computers in a matter of minutes or days because of the attack's ability to proliferate over the internet. Modern attacks are not limited to user interaction, such as carrying a floppy disk from machine to machine, so they often affect very large numbers of computers in a relatively short time.
Attack Scale and Velocity
______________________ rely on power to get a target to comply without questioning the attacker.
Authority techniques
__________ ensures the uptime of the system so that data is available when needed.
Availability
__________________ and _____________ work because sharing a hobby, life experience, or problem instantly builds a connection and starts forming trust between two parties.
Common ground and shared interest
____________ ensures that data is not disclosed to unintended persons. This is provided through encryption, which converts the data into a form that cannot be read by an unintended recipient who does not hold the key.
Confidentiality
__________ is designed to perpetrate identity theft to allow access to online accounts at financial services, such as banks and online retailers.
Crimeware. Crimeware can:
- Use keystroke loggers to capture keystrokes, mouse operations, or screenshots and transmit them back to the attacker to obtain passwords.
- Redirect users to fake sites.
- Steal cached passwords.
- Conduct transactions in the background after logon.
Some attacks seek to cripple the target's network or infrastructure. For example, an attack could target a city's power grid or water system.
Crippling systems
______________ is ransomware that encrypts files until a ransom is paid.
Crypto-malware
_____________________, who generally use the Internet to carry out terrorist activities, such as disrupting network-dependent institutions.
Cyber terrorists
_____________, who usually seek to exploit security vulnerabilities for some kind of financial reward or revenge.
Cybercriminals
Storing data properly, destroying data, classifying data, cryptography, and data transmission security.
Data
Once a target is selected, the attacker will start forming a relationship with the target through conversations, emails, shared interests, and so on. The relationship helps build the target's trust in the attacker, allowing the targets to be comfortable, relaxed, and more willing to help.
Development Phase
The ______________ phase involves two parts: selecting individual targets within the organization being attacked and forming a relationship with the selected targets.
Development Phase
Possible motives for an insider threat actor can include:
- Disgruntlement with an employer
- Bribery by a competitor
- Personal financial gain
_________________ is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.
Eavesdropping
________ can be the most overlooked yet most dangerous threat agent because they have greater access to information assets than anyone on the outside trying to break in.
Employees
___________________ is a primary objective of an attacker. Once an attacker has breached the system, obtaining higher privileges allows the attacker to access more information and gain greater control within the system.
Escalating privileges
In the _____________ phase, the attacker takes advantage of the relationship with the target and uses the target to extract information, obtain access, or accomplish the attacker's purposes in some way.
Exploitation Phase
Most attackers tie up loose ends, such as erasing digital footprints and ensuring no items or information are left behind that would let the target determine that an attack has taken place or identify the attacker. A well-planned and smooth exit strategy is the attacker's goal and final act in the ________________ phase.
Exploitation Phase
_______________ agents are individuals or groups that attack a network from the outside and seek to gain unauthorized access to data.
External threat
Attackers use social engineering schemes to get users to click a link in a phishing email. When the webpage opens, the malicious code runs inside a trusted application already on the system, such as PowerShell or the Windows Script Host executables.
Fileless malware
______________ works in a similar way to a traditional virus, but it operates in memory. It is never written to disk as an executable file of its own.
Fileless malware
Stoned, Michelangelo, CIH/Chernobyl Virus, Melissa, ILOVEYOU, Code Red, Nimda, and Klez
Historic Malware Events
Log management, OS hardening, patch implementation, patch management, auditing, anti-malware, and password attack prevention on each workstation, laptop, and mobile device.
Host
__________ means the target is not educated in social engineering tactics and prevention, so the target doesn't recognize social engineering when it is happening. The attacker knows this and exploits the ignorance.
Ignorance
Attackers often exploit a target's natural tendency to trust others. The attacker wears the right clothes, has the right demeanor, and speaks words and terms the target is familiar with so that the target will comply with requests out of trust.
Innate human trust
____________ ensures that data is not modified or tampered with. This is verified through hashing: if the recomputed hash of the data no longer matches the original, the data has been changed.
Integrity
________________ agents are authorized individuals that carry out an attack by exploiting their inherent privileges. This category includes employees (both current and former), janitors, security guards, and even customers.
Internal threat
Employees are also known as _____________ ____________
Internal threats. Employees can:
- Become disgruntled with their employer
- Be bribed by a competitor
- Be an unintentional participant in an attack
- Accidentally delete or corrupt data
____________ involves implementing multiple security strategies to protect the same asset.
Layering
___________ works well because humans tend to do more to please a person they like as opposed to a person they don't like.
Likeability
An attacker uses _________________ and a sense of responsibility to exploit the target's willingness to be helpful.
Moral obligation
______________ use many attack vectors and unknown exploits. Defending against them involves building a comprehensive security approach that uses all aspects of threat prevention and protection.
Nation states
Attacks from _______________ have several key components that make them especially powerful. Typically, ____________________ attacks: ...
Nation states. Typically, nation state attacks:
- Are highly targeted.
- Identify a target and wage an all-out war.
- Are extremely motivated.
- Use the most sophisticated attack techniques of all the attackers. This often includes developing completely new applications and viruses in order to carry out an attack.
- Are well financed.
The installation and configuration of switches and routers; implementation of VLANs; penetration testing; and virtualization use.
Network
___________________ provides validation of a message's origin. For example, if a user sends a digitally signed email, they cannot claim later that the email was not sent. _____________________ is enforced by digital signatures.
Non-repudiation
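The confidentiality, integrity, and non-repudiation cards each name a mechanism (encryption, hashing, digital signatures) without showing it. The following Go program is an added example, not TestOut's material, that demonstrates all three with the standard library: AES-256-GCM for confidentiality, SHA-256 for an integrity check, and Ed25519 signatures for non-repudiation, and in each case shows the check failing when the data is altered. The sample message and the in-memory keys are constructed for the demonstration.

```go
// Added example, not TestOut's material. Keys and message are constructed
// in memory purely for the demonstration.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Encrypt provides confidentiality with AES-256-GCM. The random nonce is
// prepended to the output; GCM also authenticates the ciphertext, so a
// modified message fails to decrypt instead of producing silent garbage.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and reports any tampering as an error.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// Digest is the integrity primitive: any change to data changes the hash.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// IntegrityOK recomputes the digest and compares it with the one recorded
// earlier. The recorded digest must be kept where an attacker cannot rewrite
// it (or be signed), otherwise the check proves nothing.
func IntegrityOK(data []byte, recorded string) bool {
	return Digest(data) == recorded
}

// Sign provides non-repudiation: only the holder of the Ed25519 private key
// can produce a signature that verifies under the matching public key, so
// the signer cannot later deny having sent the message.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify checks a signature against the claimed sender's public key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	msg := []byte("Transfer $500 to account 12345") // constructed sample
	altered := []byte("Transfer $5000 to account 12345")
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	ct, _ := Encrypt(key, msg)
	pt, _ := Decrypt(key, ct)
	fmt.Printf("confidentiality: decrypted=%q\n", pt)
	ct[len(ct)-1] ^= 0x01 // flip one bit of the ciphertext
	_, err := Decrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	d := Digest(msg)
	fmt.Println("integrity intact:", IntegrityOK(msg, d))
	fmt.Println("integrity after edit:", IntegrityOK(altered, d))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := Sign(priv, msg)
	fmt.Println("signature valid:", Verify(pub, msg, sig))
	fmt.Println("signature on altered message:", Verify(pub, altered, sig))
}
```

Note the difference between the last two checks: a hash tells you the data changed but not who produced it, because anyone can recompute a hash; a signature binds the message to a private key that only the sender holds, which is what makes non-repudiation possible.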
Some attacks seek to obtain sensitive information, such as government secrets. These attacks usually target organizations that have government contracts or the government systems themselves. Attacks motivated by information gathering are typically carried out as advanced persistent threats (APTs), because the goal is to remain in the system undetected.
Obtaining information
Offering something for very little to nothing refers to an attacker promising huge rewards if the target is willing to do a very small favor. The small favor can include sharing what the target thinks is a very trivial piece of information for something the attacker offers.
Offering something for very little to nothing
Because ransomware attacks by these groups are so hard to prevent, many companies that need immediate access to their data (such as hospitals and financial institutions) stockpile digital currency in case of an attack.
Organized Crime
___ is software that contains adware, installs toolbars, or has other unclear objectives. A ___ is different from malware because the user gives consent to download it.
PUP (potentially unwanted program)
Firewalls using ACLs and securing the wireless network.
Perimeter
Fences, door locks, mantraps, turnstiles, device locks, server cages, cameras, motion detectors, and environmental controls.
Physical
________________ includes all hardware and software necessary to secure data, such as firewalls and antivirus software.
Physical security
________ are the rules an organization implements to protect information.
Policies
User education; manageable network plans; and employee onboarding and off-boarding procedures.
Policies, procedures, and awareness
Research may provide information for _____________. ___________ is using a fictitious scenario to persuade someone to perform an unauthorized action such as providing server names and login information.
Pretexting
A wide variety of attack tools are available on the internet, allowing anyone with a moderate level of technical knowledge to download the tools and run an attack.
Proliferation of Attack Software
A ___ is a malware program that includes a back door that allows administrative control over the target computer. ____ are usually downloaded invisibly along with a user-requested program, such as a game or an email attachment.
RAT (remote access Trojan), RATs. A RAT can:
- Use keystroke loggers that capture keystrokes, mouse operations, or screenshots and transmit them back to the attacker to obtain passwords.
- Access confidential information, like credit card and social security numbers.
- Format drives.
- Activate a system's webcam and record video.
- Delete, download, or alter files and file systems.
- Distribute viruses and other malware.
__________ in security is the constant change in personal habits and passwords to prevent predictable behavior.
Randomness
_____________ denies access to a computer system until the user pays a ransom.
Ransomware
_______________ is the process of gathering information about an organization.
Reconnaissance. This includes:
- System hardware information
- Network configuration
- Individual user information
Because insiders are one of the most dangerous and overlooked threats to an organization, you need to take the appropriate steps to protect against them.
- Require mandatory vacations.
- Create and follow onboarding and off-boarding procedures.
- Employ the principle of least privilege.
- Have appropriate physical security controls in place.
- Require security awareness training that is tailored to the role of the employee (role-based awareness training). Typical roles include: data owner, system administrator, system owner, user, privileged user, and executive user.
______ appeals to the target's greed.
Scarcity. If something is in short supply and will not be available, the target is more likely to fall for it.
___________ is a scam to fool users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have.
Scareware
_______________ who download and run attacks available on the internet, but generally are not technically savvy enough to create their own attacking code or script.
Script kiddies
How many levels does layered security have?
Seven
___________________ involves looking over someone's shoulder while that person works on a computer or reviews documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.
Shoulder surfing
Security measures should provide protection, but not be so complex that it is difficult to understand and use them.
Simplicity
____________________ is the process of manipulating others into providing sensitive information.
Social engineering. Social engineering tactics include:
- Intimidation
- Sympathy
___________ attacks are complex, making them difficult to detect and thwart.
Sophisticated attacks:
- Use common internet tools and protocols, making it difficult to distinguish an attack from legitimate traffic.
- Vary their behavior, making the same attack appear different each time.
When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it.
Spam
_____ can be employed in corporate espionage to obtain information about competitors for commercial purposes.
Spies. Spies are typically deployed in the following scenarios:
- A spy applies for a job with a commercial competitor and then exploits internal vulnerabilities to steal information and return it to their client.
- A spy attacks an organization from the outside by exploiting external vulnerabilities and then returns the information to their client.
_____ is similar to spam, but the malicious link is sent to the target using instant messaging instead of email.
Spim
__________ is software that is installed without the user's consent or knowledge. It is designed to intercept or take partial control over the user's interaction with the computer.
Spyware. Spyware:
- Is installed on a machine when the user visits a particular web page or runs a particular application.
- Collects various types of personal information, such as internet surfing habits and passwords, and sends the information back to its originating source.
- Uses tracking cookies to collect and report a user's activities.
- Can interfere with user control of the computer, for example by installing additional software, changing computer settings, and redirecting web browser activity.
_____________________ involves preparing a compromised computer to perform additional tasks in the attack, such as installing software designed to attack other systems.
Staging a computer. This is an optional step.
__________________________ states that users or groups are given only the access they need to do their jobs and nothing more. When assigning privileges, be aware that it is often easier to give a user more access when it is needed than to take away privileges that have already been granted.
The principle of least privilege
A _________ ___________ (sometimes known as an attacker) is an entity that can carry out a threat, such as a disgruntled employee who copies a database to a thumb drive and sells it to a competitor.
Threat agent
An attacker may try to intimidate a target with threats to make the target comply with a request. This is especially the case when moral obligation and innate human trust tactics are not effective.
Threatening
A ______________ is a malicious program that is disguised as legitimate or desirable software.
Trojan horse. A Trojan horse:
- Cannot replicate itself.
- Does not need to be attached to a host file.
- Often contains spying functions, such as a packet sniffer, or backdoor functions that allow a computer to be remotely controlled from the network.
- Often is hidden in useful software, such as screen savers or games. A wrapper is a program that is used legitimately but has a Trojan attached to it. The Trojan infiltrates the computer that runs the wrapper software.
- Relies on user decisions and actions to spread.
Sometimes, an employee can become a threat actor without even realizing it. This is known as an unintentional threat actor. T/F?
True
When on site, a social engineer also has the ability to steal data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.
USB and keyloggers
_____________ and ________________ are the people who use the software and the people who manage the software, respectively.
Users and Administrators
Defensive layers should incorporate a variety of methods. Implementing multiple layers of the same defense does not provide adequate protection against attacks.
Variety
A skilled hacker who uses knowledge and skills only for defensive purposes. A _______ hacker obtains explicit permission to interact with a system or systems. These are the ethical hackers.
White hat
An _______ is something that has value to the person or organization, such as sensitive information in a database.
asset
Creating a ____________ is an alternative method of accessing an application or operating system for troubleshooting. Hackers often create these to exploit a system without being detected
backdoor
This hacker is also very skilled, but uses knowledge and skills for illegal or malicious purposes. A ________ is also known as a cracker. They are highly unethical.
black hat
A ________ refers to a group of zombie computers that are commanded from a central control infrastructure.
botnet. A botnet:
- Operates under a command and control infrastructure where the zombie master (also known as the bot herder) can send remote commands to order the bots to perform actions.
- Is detected through the use of firewall logs, which can show whether a computer is acting as a zombie participating in external attacks.
A ________ is the penetration of system defenses. It is often achieved by using information gathered through reconnaissance.
breach.
A __________ threat actor carries out attacks on behalf of an organization and targets competing companies.
competitor
A ___________ is a way to mitigate a potential risk. ____________________ reduce the risk of a threat agent exploiting a vulnerability.
countermeasure, Countermeasures. An appropriate countermeasure:
- Provides a security solution to an identified problem.
- Is not dependent on secrecy.
- Is testable and verifiable.
- Provides uniform or consistent protection for all assets and users.
- Is independent of other safeguards.
- Requires minimal human intervention.
- Is tamper-proof.
- Has overrides and fail-safe defaults.
An ________ is a procedure or product that takes advantage of a vulnerability to carry out a threat, such as when a disgruntled employee waits for the server room door to be left ajar, copies the database to a thumb drive, and then sells it.
exploit
An _____________ takes advantage of known vulnerabilities in software and systems. Once a vulnerability has been _________, an attacker can often:
exploitation, exploited. Once a vulnerability has been exploited, an attacker can often:
- Steal information
- Deny services
- Crash systems
- Modify or alter information
Authority is often combined with ____?
fear.
A _______________ uses legitimate programs already on the system to infect a computer. Because it doesn't rely on files written to disk, it leaves little footprint, so signature-based antivirus, application whitelisting, and other traditional endpoint security solutions often fail to detect it.
fileless virus
In the research phase, the attacker gathers information about the target organization. Attackers use a process called _________, which takes advantage of all resources available to gain information.
footprinting
The most common type of insider is a full-time _________; however, other inside actors include:
full-time employee. Other inside actors include customers, janitors, security guards, and even former employees.
The ______ hacker falls in the middle of the white hat and black hat hackers. The gray hat may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.
gray hat
A _______ is any threat actor who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information.
hacker
In general, a ______ is any threat agent who uses their technical knowledge to bypass security mechanisms to exploit a vulnerability to access information. Hacker subcategories include the following:
hacker. Hacker subcategories include the following:
- Script kiddies
- Cybercriminals
- Cyber terrorists
A _________ is any individual whose attacks are politically motivated. Instead of seeking financial gain, __________ are looking to defame, shed light on, or cripple an organization or government. Often they work alone; occasionally, they form unified groups of like-minded hackers.
hacktivist
Email ________ are often easy to spot because of the bad spelling and terrible grammar. However, _____ emails use a variety of tactics to convince the target they're real.
hoaxes
An ______ could be a customer, a janitor, or even a security guard; but most of the time, it's an employee.
insider
An _______ is any individual who has authorized access to an organization and either intentionally or unintentionally carries out an attack.
insider
Defense in depth or security in depth is based on the premise that no single ________ is completely effective in securing assets.
layer
The most secure system/network has many _________ of security and eliminates single points of failure.
layers
A ______________ is designed to execute only under predefined conditions. It lies dormant until the predefined condition is met.
logic bomb. A logic bomb:
- Uses a trigger activity such as a specific date and time, the launching of a specific program, or the processing of a specific type of activity.
- Does not self-replicate.
- Is also known as an asynchronous attack.
Layered security is not about specific mechanisms, but the ___________________ by employing various techniques at one time.
method of protecting a network
A _____________ is the most organized, well-funded, and dangerous type of threat actor.
nation state
There are two primary motives for ____________ attacks (also called state-sponsored attacks).
nation state
The goal of _______________ threats is to get into a system and steal information. The attack is usually a one-time event. The attacker typically doesn't care if the attack is noticed.
non-persistent
Before carrying out an attack, a threat actor typically gathers _________________________ (OSINT) about the target. OSINT is information that is readily available to the public and doesn't require any type of malicious activity to obtain.
open-source intelligence. Sources of OSINT include the following:
- Media (newspapers, magazines, advertisements)
- Internet (websites, blogs, social media)
- Public government data (public reports, hearings, press conferences, speeches)
- Professional and academic publications (journals, academic papers, dissertations)
A common tactic used by ______________ is a targeted phishing campaign. Once access is gained, the group will either steal data and threaten to release it, or use ransomware to hold data hostage.
organized crime
An ___________________ threat actor consists of a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last several months, are well-funded, and are extremely sophisticated.
organized crime
Due to the level of sophistication and amount of funding, attacks from _______________ groups are extremely hard to protect against. In many cases, it's simply a matter of time until a data breach occurs or ransomware takes hold.
organized crime
The goal of __________ threats is to gain access to a network and retain access undetected. With this type of threat, attackers go to great lengths to hide their tracks and presence in the network.
persistent
A _______ is a set of programs that allows attackers to maintain permanent administrator-level, hidden access to a computer.
rootkit. A rootkit:
- Is almost invisible software.
- Resides below the level at which regular antivirus software detects threats.
- Requires administrator privileges to install and maintains those privileges to allow subsequent access.
- Is not always malicious.
- Often replaces operating system files with alternate versions that allow hidden access.
A _______________ is an individual who carries out an attack by using scripts or programs written by more advanced hackers. __________________ typically lack the skills and sophistication of experienced hackers. Script kiddies are usually motivated by the chance to impress their friends or garner attention in the hacking community.
script kiddie
Because __________________ lack knowledge and sophistication, their attacks often seek to exploit well-known vulnerabilities in systems. As such, defending against __________ involves keeping systems up-to-date and using standard security practices.
script kiddies
It is important to know that each layer does not require its own _______________ or ____________
security appliance or software.
With a ____________________ technique, the attacker uses social pressure to convince the target that it's okay to share or do something.
social proof
A ___________________ to obtaining information includes using software or utilities to find vulnerabilities in a system.
technical approach. Methods often used by hackers are:
- Port scan
- Ping sweep
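As an added example (not part of the TestOut material), here is a minimal TCP connect port scanner in Go showing what the "port scan" of the technical approach looks like in practice. It dials each port with a timeout from a pool of goroutines and returns the ports that accepted a connection. A ping sweep (an ICMP echo to every address in a range) needs raw sockets and is not shown. The default target, worker count and timeout are assumptions; scan only hosts you are authorized to test.

```go
// Added example, not TestOut's material. Defaults are assumptions chosen for
// the demonstration. Only scan systems you have permission to test.
package main

import (
	"fmt"
	"net"
	"os"
	"sort"
	"strconv"
	"sync"
	"time"
)

// ScanPorts performs a TCP connect scan of host over ports, using up to
// workers concurrent dials and a per-connection timeout, and returns the
// open ports in ascending order. A connect scan completes the TCP handshake,
// so it is reliable but noisy: every probe appears in the target's logs.
func ScanPorts(host string, ports []int, workers int, timeout time.Duration) []int {
	if workers < 1 {
		workers = 1
	}
	jobs := make(chan int)
	var (
		mu   sync.Mutex
		open []int
		wg   sync.WaitGroup
	)
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for p := range jobs {
				addr := net.JoinHostPort(host, strconv.Itoa(p))
				conn, err := net.DialTimeout("tcp", addr, timeout)
				if err != nil {
					continue // refused, filtered, or timed out: treat as not open
				}
				conn.Close()
				mu.Lock()
				open = append(open, p)
				mu.Unlock()
			}
		}()
	}
	for _, p := range ports {
		jobs <- p
	}
	close(jobs)
	wg.Wait()
	sort.Ints(open)
	return open
}

// PortRange expands an inclusive lo-hi range into a slice of ports.
func PortRange(lo, hi int) []int {
	ports := make([]int, 0, hi-lo+1)
	for p := lo; p <= hi; p++ {
		ports = append(ports, p)
	}
	return ports
}

func main() {
	host := "127.0.0.1" // assumed default target
	if len(os.Args) > 1 {
		host = os.Args[1]
	}
	open := ScanPorts(host, PortRange(1, 1024), 100, 300*time.Millisecond)
	fmt.Printf("%s open ports: %v\n", host, open)
}
```

Because each probe completes the handshake, a connect scan is easy to spot in firewall or IDS logs; that is the flip side of the detection cards elsewhere on this page, which rely on exactly such logs.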
A _______ is an entity that can cause the loss of an asset or any potential danger to the confidentiality, integrity, or availability of information or systems, such as a data breach that results in a database being stolen.
threat
To create a sense of __________, an attacker fabricates a scenario of distress to convince an individual that action is immediately necessary.
urgency
Employees are the single greatest threat to network security. Therefore, ______________ is very important.
user education. Look for ways to take the following actions:
- Make employees aware that they are the primary targets in most attacks.
- Ensure employees understand that phishing attacks are one of the most common attacks directed at employees.
- Train employees to identify email, instant messaging, download, and website attacks.
- Enforce effective password policies, including a policy that prohibits writing down passwords.
- Train employees to identify both internal and external threats.
- Ensure that employees are aware of the company's security policies.
A _____________ is a weakness that allows a threat to be carried out, such as a USB port that is enabled on the server hosting the database or a server room door that is frequently left ajar. ____ devices pose the greatest threat to the confidentiality of data in most secure organizations. There are so many devices that can support file storage that stealing data has become easy, and preventing it is difficult.
vulnerability, USB
A _____ is a self-replicating program.
worm. A worm:
- Does not require a host file to propagate.
- Automatically replicates itself without an activation mechanism.
- Can travel across computer networks without any user assistance.
- Infects one system and spreads to other systems on the network.
A _____ is a malware infected computer that allows remote software updates and control by a command and control center called a zombie master.
zombie. A zombie:
- Is also known as a bot, short for robot.
- Commonly uses Internet Relay Chat (IRC) channels (also known as chat rooms) to communicate with the zombie master.
- Is frequently used to aid spammers.
- Is used to commit click fraud. The internet uses a form of advertising called pay-per-click, in which a website developer places clickable links for advertisers on the website. Each time a link is clicked, a charge is generated. Zombie computers commit click fraud by imitating a legitimate user clicking an ad.
- Is used to perform denial-of-service attacks.
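The botnet card says zombies are detected through firewall logs, and the zombie card says they commonly talk to their master over IRC and take part in spam and denial-of-service campaigns. The following Go program is an added example, not TestOut's material, that turns those two cards into detection logic: it parses a constructed firewall log (the line format, the 10.0.0.0/8 internal range, the IRC port list and the fan-out threshold are all assumptions) and flags internal hosts that connect outbound to IRC ports or to an unusually large number of distinct external peers.

```go
// Added example, not TestOut's material. The log format, internal address
// range, IRC ports and thresholds are assumptions for the demonstration.
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Conn is one connection parsed from a firewall log line.
type Conn struct {
	Src, Dst string
	DstPort  int
}

// Assumed log format: <timestamp> ALLOW|DENY TCP|UDP <src>:<sport> -> <dst>:<dport>
// Denied attempts are kept: a host that keeps trying is still evidence.
var lineRe = regexp.MustCompile(
	`^(\S+) (ALLOW|DENY) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$`)

// ParseLine returns the connection on a log line, or false if it does not parse.
func ParseLine(line string) (Conn, bool) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Conn{}, false
	}
	port, _ := strconv.Atoi(m[6])
	return Conn{Src: m[4], Dst: m[5], DstPort: port}, true
}

// isInternal assumes the LAN is 10.0.0.0/8.
func isInternal(ip string) bool { return strings.HasPrefix(ip, "10.") }

// Common IRC ports (assumed list): the C2 channel the zombie card describes.
var ircPorts = map[int]bool{6667: true, 6697: true}

// Finding describes why an internal host looks like a zombie.
type Finding struct {
	Host   string
	Reason string
}

// Detect applies two rules to outbound traffic from internal hosts:
//  1. any connection to an IRC port (possible command-and-control channel)
//  2. connections to more than maxPeers distinct external hosts (the fan-out
//     pattern of a spam run or a denial-of-service attack)
func Detect(lines []string, maxPeers int) []Finding {
	irc := map[string]bool{}
	peers := map[string]map[string]bool{}
	for _, l := range lines {
		c, ok := ParseLine(l)
		if !ok || !isInternal(c.Src) || isInternal(c.Dst) {
			continue // unparseable, inbound, or LAN-internal traffic
		}
		if ircPorts[c.DstPort] {
			irc[c.Src] = true
		}
		if peers[c.Src] == nil {
			peers[c.Src] = map[string]bool{}
		}
		peers[c.Src][c.Dst] = true
	}
	var out []Finding
	for h := range irc {
		out = append(out, Finding{h, "outbound IRC (possible C2 channel)"})
	}
	for h, p := range peers {
		if len(p) > maxPeers {
			out = append(out, Finding{h, fmt.Sprintf("%d distinct external peers (fan-out)", len(p))})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host+out[i].Reason < out[j].Host+out[j].Reason })
	return out
}

// SampleLog is constructed for the demonstration; it is not a real capture.
var SampleLog = []string{
	"2024-03-01T10:00:01Z ALLOW TCP 10.0.0.5:51234 -> 203.0.113.7:6667",
	"2024-03-01T10:00:02Z ALLOW TCP 10.0.0.8:51235 -> 203.0.113.20:443",
	"2024-03-01T10:00:03Z ALLOW TCP 10.0.0.9:51236 -> 198.51.100.1:25",
	"2024-03-01T10:00:03Z ALLOW TCP 10.0.0.9:51237 -> 198.51.100.2:25",
	"2024-03-01T10:00:04Z ALLOW TCP 10.0.0.9:51238 -> 198.51.100.3:25",
	"2024-03-01T10:00:04Z ALLOW TCP 10.0.0.9:51239 -> 198.51.100.4:25",
	"2024-03-01T10:00:05Z DENY TCP 10.0.0.9:51240 -> 198.51.100.5:25",
	"garbage line that does not parse",
}

func main() {
	for _, f := range Detect(SampleLog, 3) {
		fmt.Printf("%s: %s\n", f.Host, f.Reason)
	}
}
```

The fan-out threshold needs tuning per network: a mail relay legitimately talks to many peers on port 25, so in practice the rule is scoped to hosts that should not be doing so, which is exactly the kind of baseline a firewall log review builds up.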