Basic Cybersecurity
What is Mapping?
This is the computer version of "casing the joint" before you launch an attack on a system. You find out what services, devices, and protocols are implemented on a network.
What are the 2 types of VPN?
1. Site-to-Site VPN: Used to connect two office locations. 2. Remote VPN: Used by users to connect to corporate network.
What is RFC 2828?
A processing or communication service provided by a system to give a specific kind of protection to system resources.
What was the Solar Sunrise Operation?
A series of attacks on DoD computer networks in 1998 that exploited a known OS vulnerability and attempted to dump sensitive information. Launched by two teenagers from California and Israel.
What is X.800?
A service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of the data transfers. Published by the International Telecommunication Union.
Define an incident
An event that negatively affects any part of the CIA triad at an organization in a way that impacts business (the negative part of an event).
What is a keylogger?
Any hardware or software that records keystrokes
What is Authentication (X.800 Style)?
Assurance that a communicating entity is the one claimed (covers both peer-entity and data-origin authentication).
What is Step 1 of the "Prepare" phase of the Incident Response Process?
Conduct a criticality assessment for your organization
Who are the major hacking organizations operating worldwide?
Fancy Bear (Russia, presidential election hack), Lizard Group, Anonymous, Syrian Electronic Army, Guardians of the Peace (North Korea, Sony hack), Chaos Computer Club
Self-directing teams unleash _________
Innovation
What two factors do Human Factors break down to?
Internal Factors and External Factors
Describe Reverse Engineering skills
Needed for malware analysis and vulnerability research. Examples: IDA Pro (disassembler), WinHex (hex editor), OllyDbg (debugger).
What is Access Control (X.800 Style)?
Prevention of the unauthorized use of a resource
Describe Intrusion Detection skills
Reactive security: identifying and mitigating malicious activity. May be network-based or host-based. Examples: Snort, Suricata, Bro
What is Step 4 of the "Respond" phase of the Incident Response Process?
Recover systems, data, and connectivity
What is Availability (X.800 Style)?
Resource is accessible/usable
True or False, the appropriate strategy should be devised at all levels of the organization?
True
Describe the different levels of Organizational Threats
1. Accidental threats do not involve malicious intent. 2. Intentional threats require a human with intent to violate security. 3. If an intentional threat results in action (some change in the state of a security ecosystem), it becomes an attack. 4. Passive threats do not involve any (non-trivial) change to a system. 5. Active threats involve some significant change to a system.
What are some countermeasures to packet sniffing?
1. All hosts in an organization run software that periodically checks whether the host's interface is in promiscuous mode. 2. Limit to one host per segment of broadcast media (switched Ethernet rather than a hub).
How do you evaluate data?
1. Ask, "Does the data fit my hypothesis?" This is the crux of the scientific method. 2. Know your data: what does normal data look like? Establish a baseline. 3. Be on the lookout for inconsistent data. 4. Cyber data is notoriously difficult to get (policy/privacy/collection issues), so be proactive.
How do you consider alternatives?
1. Brainstorm the full range of possibilities, going from negative to positive. 2. Break into components: the 6 W's, who/what/when/where/why/how? 3. Null hypothesis: establish the opposite of your main hypothesis; this is useful for anomalous data (outliers). 4. Avoid letting yourself become entrenched in one explanation.
Describe the Policy Hierarchy
1. Business Policy: What we're going to do 2. Security Policy: How we're going to do it 3. Security Mechanisms: The technical implementation of that Security Policy.
What are the 5 key skills of critical thinking?
1. Challenge assumptions 2. Consider alternatives 3. Evaluate data 4. Identify key drivers 5. Understand context
What is security with regards to sending a message? What are the different aspects of keeping a message secure?
1. Confidentiality: Only sender and intended receiver should "understand" message contents. Sender encrypts message and receiver decrypts message. 2. Authentication: Sender, receiver want to confirm identity of each other. 3. Message Integrity: Sender, receiver want to ensure message has not been altered (in transit, or afterwards) without detection. 4. Access and Availability: Services must be accessible and available to users.
Why is critical thinking important in cybersecurity?
1. Cybersecurity is a diverse, multifaceted field: a constantly changing, fast-paced environment with multiple stakeholders and an adversarial presence. 2. Critical thinking helps us to think and act in situations where there are no clear answers. 3. Cybersecurity is part art, part science. 4. Pushing back against the idea of just "Googling it": more data can overwhelm our reasoning abilities.
What are the 4 things that a general model for network security requires us to do?
1. Design a suitable algorithm for the security transformation (it's encryption most times). 2. Generate the secret information (keys) used by the algorithm. 3. Develop methods to distribute and share the secret information. 4. Specify a protocol enabling the principals to use the transformation and secret information for a security service.
Identify the threats to a data communication system
1. Destruction of information and/or other resources 2. Corruption or Modification of information 3. Theft, Removal, or Loss of information and/or other resources 4. Disclosure of information 5. Interruption of services
What are the defensive courses of action that can be taken against these phases?
1. Detect: Determine whether an intruder is present 2. Deny: Prevent information disclosure and unauthorized access 3. Disrupt: Stop or change outbound traffic (to attacker) 4. Degrade: Counter-attack command and control 5. Deceive: Interfere with command and control 6. Contain: Network Segmentation Changes
What are the two forms of passive attack that Stallings describes?
1. Disclosure: the content of a message is revealed to unauthorized parties. Violates the confidentiality of the message. Note: A disclosure is the interception PLUS the reveal of information. Just intercepting the information without the ability to decrypt and read it does not constitute a disclosure attack. 2. Traffic (flow) analysis: an opponent cannot read the content of the intercepted messages, but can still gather useful information about the sender and their traffic (frequency, size, timing, etc.). Also an attack on confidentiality.
What is the purpose of a security service?
1. Enhance security of data processing systems and information transfers of an organization. 2. Counter security attacks using one or more security mechanisms. 3. Often replicates functions normally associated with physical documents (which have signatures and dates; need protection from tampering or destruction; have to be notarized or witnessed; must be recorded and licensed).
What are some countermeasures for DOS attacks?
1. Filter out the flooded packets (e.g. SYN) before they reach the host. Unfortunately you're throwing out all of the specified packets, good and bad. 2. Trace back to the source of the floods (most likely an innocent compromised machine).
With regards to Security Architecture, What needs to be protected?
1. Information and data 2. Communication and data processing services 3. Equipment and facilities
What are the 4 types of actors and their motives?
1. Internal Users: Most likely to cause security problems. Loss and sale of information is most common, along with installation of malware. 2. Hackers (paid or not): Attackers paid by private or public organizations, or simply someone with enough time and knowledge to bother. 3. "Hacktivism": Similar to governments but with much less financial power. Normally look to reveal sensitive or confidential information to the public and carry out DDoS campaigns. 4. Governments: They have enough power to cause very large financial and operational losses; it is normal for them to attack infrastructure, spy, and monitor important politicians, and they are the most common users of APTs (Advanced Persistent Threats).
Describe a passive attack
1. It is essentially an attack that involves eavesdropping. A benefit of this kind of attack is that it could go unnoticed for a long time while the attacker reads the content of messages sent back and forth. 2. A second kind of passive attack is traffic analysis, which doesn't look so much at the content of the messages but at the frequency and the size of messages being sent. 3. Passive attacks are hard to detect because, while the confidentiality aspect of the CIA triad has been violated, the availability and integrity aspects remain intact.
What are some motivation factors?
1. Just play and demonstrate their abilities. 2. Political actions and movements: making a statement. 3. Gain money in conjunction with government or criminal organizations. 4. Hire me! Demonstrate capabilities to someone so they'll hire them.
What are some countermeasures to implement against host insertions?
1. Maintain an accurate inventory of computer hosts by MAC address. 2. Use a host scanning capability to match discoverable hosts against the known inventory. Note: Missing hosts are okay (they can be turned off for maintenance or just be a laptop or something); new hosts are NOT okay (red flags).
Describe the 4 basic categories of active attacks
1. Masquerade: The masking of an entity and appearing as another. Darth pretending to be Bob, or Darth setting up a fake service pretending to be Google. An attack on authentication and identity. 2. Replay: A copy of a legitimate message is captured by an opponent and re-transmitted. Oftentimes a Person-In-The-Middle: Darth intercepts a message from Bob and then sends it to Alice an hour later with the correct time stamp. An attack on the integrity of the system's data. 3. Modification: Changing the contents. Darth intercepts an email from Bob, changes it, and then sends it to Alice. 4. Denial of Service: An opponent prevents authorized users from accessing a system. Ex. Stops an email from going from Bob to Alice. An attack on the availability of the system.
What are three changes made by the US government involving cybersecurity post 9/11?
1. New Freedom Act 2. "Start" of massive surveillance programs 3. Putting a cyber component in future ground wars
What are the 3 phases of the Incident Response Process?
1. Prepare 2. Respond 3. Follow Up
How do you understand context?
1. Put yourself in others' shoes and reframe the problem. This is the MOST IMPORTANT. 2. What is needed from me? How can I frame the issue? Do I need to place their questions in a broader context? Think above your pay grade. 3. Who or what are the key components of this issue? 4. What are the driving forces? 5. What patterns and relationships exist among the components and factors? 6. Are there historical analogies? Have I seen this before somewhere? 7. Can I reframe this problem somehow? What do I know, and what don't I know? Rephrase and paraphrase the issue: what is the root cause?
What are the Phases of the Intrusion of the Cyber Kill Chain?
1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network. 2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities. 3. Delivery: Intruder transmits weapon to target (e.g. email attachments, websites, or USB drives). 4. Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerabilities. 5. Installation: Malware weapon installs access point (e.g. "backdoor") usable by intruder. 6. Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to target network. 7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.
What are some countermeasures against mapping?
1. Record traffic entering the network. 2. Look for suspicious activity (IP addresses, ports being scanned sequentially). 3. Use a host scanner and keep a good inventory of hosts on the network; it should be a big red flag when an unexpected 'computer' appears on the network.
What are some tools and attacks used in major cyberattacks?
1. SeaDaddy and SeaDuke (CyberBears, US election) 2. BlackEnergy 3.0 (Russian hackers) 3. Shamoon (Iranian hackers) 4. Duqu and Flame (Olympic Games, US and Israel) 5. DarkSeoul (Lazarus and North Korea) 6. WannaCry (Lazarus and North Korea)
What are some high-level security challenges?
1. Security architectures require constant efforts, balancing strategic vs tactical perspectives. 2. Security is often a decision afterthought and is often iced on rather than baked in. 3. Security is often viewed as in the way.
What is the motivation for security in open systems according to X.800?
1. Society's increasing dependence on computers that are accessed by, or linked by, data communications and which require protection against various threats. 2. The appearance in several countries of "data protection" legislation which obliges suppliers to demonstrate system integrity and privacy. 3. The wish of various organizations to use OSI recommendations, enhanced as needed, for existing and future secure systems.
Describe the major different types of cyber attacks and the impacts they've had.
1. Sony Hack (2011): PlayStation hack by a hacktivist group called LulzSec 2. Singapore Cyberattacks (2013): Hacker group Anonymous attacked multiple websites in Singapore as a protest against web censorship regulations. 3. Multiple Attacks in 2014: eBay, Home Depot, Ubisoft, LinkedIn, governments 4. Target (2015): More than 100 million credit cards leaked. 5. Year of Hacks (2016): Dyn, CNN, US, FB, Netflix, Twitter, Tesco. 6. Hacks of 2017: NSA, Emotet, WCry, Jaff, Shadow Brokers, EternalRocks
How do you challenge assumptions?
1. Systematically and explicitly list your assumptions. 2. Ask, "Why do I think this is correct? When could this be untrue? What are the consequences if it isn't?" 3. Categorize: solid and well-supported, correct with caveats, and unsupported/questionable (uncertainties). 4. Remove assumptions that don't hold up and add new ones that emerge. 5. Identify additional research required: unsupported doesn't mean invalid, so turn those topics into research projects and consider whether additional data needs to be collected.
What are some ways we can protect against threats?
1. Technical Controls: Such as antivirus, IPS/IDS, Unified Threat Management systems (UTM), and software updates that apply security patches 2. Administrative Controls: Policies, training, revisions, and tracking
Why can comprehensive cybersecurity architecture be very complex to implement in reality?
1. Translation of simple business requirements into technical specifications and deployment decisions can be very difficult (Easy requirements, tough solutions). 2. The protection mechanism itself is subject to attack, and protection of the enforcement structure will complicate solutions. 3. Protectors have to be right all the time while attackers only have to be right once.
What are some of the tools you can use in Mapping?
1. Use "ping" to determine what hosts have addresses on the network 2. Port scanning: Try to establish a TCP connection to each port in sequence and see what happens 3. Use nmap as a network exploration tool
How do you identify key drivers?
1. What are the driving forces at play? This can help you anticipate the future. 2. Society, supply chain, employees, threat actors, technology, and regulatory bodies are all examples.
What are the 3 factors that authentication is based on?
1. What you know 2. What you have 3. What you are
What are some security challenges?
1. You can know what security architectural decisions to make, but it can be tough to know where to apply them. 2. Key management is really hard. 3. Protectors have to be right all the time. 4. Seat belt philosophy: no one likes security until it's needed.
Describe the second major factor that contributed to the rise of cybersecurity attention in the US.
9/11 made government officials wary of incidents similar to the World Trade Center attacks but in the cybersecurity sphere, for example the destruction of a power network.
What is the difference between a Business Continuity Plan (BCP) and Disaster Recovery?
A BCP focuses on keeping business operational during a disaster, while disaster recovery focuses on restoring data access and IT infrastructure after a disaster.
What is a RAT?
RAT stands for "Remote Access Tool" or "Remote Access Trojan". RATs allow an attacker to gain unauthorized access to and control of a computer.
What is setoolkit?
The Social-Engineer Toolkit (SET) is an open source, free Python cybersecurity tool that offers multiple options to perform social engineering attacks. Runs easily on Kali Linux.
What can an audit trail be compared to in the criminal justice world?
A chain of custody
What was a Clipper Chip?
A chipset developed by the NSA as an encryption device that secured voice and data messages with a built-in backdoor intended to give government officials the ability to decode intercepted transmissions. Introduced in 1993 and defunct by 1996.
What is the SANS Institute?
A cooperative research and education institution comprising many security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community.
What is the role of a Chief Information Security Officer (CISO)?
A high-level management position responsible for the entire computer security department and staff.
What is pentesting?
A method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats
What is a virus?
A piece of malicious code that spreads from one machine to another by attaching itself to files and using self-replication. Note: Viruses require human interaction to self-replicate. Due to its self-replicating nature, a virus can be very difficult to remove, and viruses also use different tactics to hide on a system from antivirus, like polymorphic code which encrypts and duplicates itself (known as a polymorphic virus).
What is a rootkit?
A piece of software that intends to take full control of a system at the lowest level.
What is a rogue software process?
Software that has been inserted maliciously on the internal network; can be an internal or external threat. Can be used to monitor network traffic and/or exfiltrate sensitive data (crypto keys, plaintext documents, etc.).
What is the OWASP Top 10?
A standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications
What is a (CSIRT) Computer Security Incident Response Team?
A team that receives reports of security breaches, conducts analyses of the reports and responds to the senders. May be an established group or an ad hoc assembly.
What is a worm?
A worm is a self-replicating piece of malware that does not require human interaction. Its main goal is just to spread, crippling resources and turning computers into zombies or bots.
What is an APT?
An APT is an advanced persistent threat whose main goal is to gain access to and monitor the network, stealing information while remaining undetected for a long period of time. Usually targets companies or organizations that hold high volumes of information: think military installations, governments, financial corporations.
Define an action
An action is some change in the state of a security ecosystem.
Describe an active attack
An active attack is an explicit interception and modification of data; it is easier to detect than a passive attack.
Define an attack
An attack is an action by a human with intent to violate security. It does not matter whether the attack succeeds; it is still considered an attack even if it fails.
What is Multi-Factor Authentication?
An electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is)
Define an event
An observed change to the normal behavior of a system, environment, process, workflow, or person. Example: ACLs were updated, firewall policy was pushed.
What is Data Integrity (X.800 Style)?
Assurance that data received is as sent by an authorized entity
What is a botnet?
Botnets are groups of compromised hosts that enable attackers to exploit their resources to mount attacks; used to run large spam, DDoS, phishing, spyware, and malware campaigns.
What will Agile highlight but not improve?
Capability
What's Step 2 of the "Prepare" phase of the Incident Response Process?
Carry out a cyber security threat analysis, supported by realistic scenarios and rehearsals.
What is Step 3 of the "Follow Up" phase of the Incident Response Process?
Carry out a post incident review
What are the aspects of Asset Management?
Classification, implementation steps, asset control, and documents
What is adware?
Code that automatically displays or downloads unsolicited advertisements- usually seen on a browser popup.
What is a logic bomb?
Code that remains dormant on a system until it is triggered by a specific event, such as a specific date and time. When the condition is met, the logic bomb detonates and performs whatever task it is designed to do, usually erasing data or corrupting systems.
Describe Virtualization Skills
Common across IT organizations: used for research, lab development, and reverse engineering. Examples: VMware, VirtualBox.
What is Step 4 of the "Follow Up" phase of the Incident Response Process?
Communicate and build on lessons
What's Step 3 of the "Prepare" phase of the Incident Response Process?
Consider the implications of people, process, technology and information.
What's Step 4 of the "Prepare" phase of the Incident Response Process?
Create an appropriate control framework.
What are CIS Controls?
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks.
Define critical thinking
Critical thinking is controlled, purposeful thinking directed toward a goal
What are the main specific security mechanisms mentioned in the X.800?
Cryptography, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
Where can you get information on cybercrime?
Cybercrime reports can be found in the X-Force report, and personalized reports can be obtained at X-Force Exchange (information about certain IP addresses, hash values, etc.).
What is Cybersecurity Ventures?
Cybersecurity Ventures is the home of the Cybercrime Magazine which will give you some of the latest information about what is happening in cybersecurity today.
What is Electronically Stored Information (ESI)?
Data inventory: helps to understand the current tech status, data classification, and data management. Automated systems can be used.
What is Step 2 of the "Respond" phase of the Incident Response Process?
Define objectives and investigate situation
What are some technical implementations that ensure Non-repudiation?
Digital Signatures and Logs.
What are the two stages for Project type work?
Discover and Deliver
What are the aspects of a Security Program?
Evaluating, creating teams, baselines, identifying and modeling threats, use cases, risk, and monitoring and control
Agile means little or no documentation: true or false?
False
True or False, leaders only need to focus on "doing the right work"?
False
True or False- Agile is only suitable for software work?
False
What is FIRST?
Forum of Incident Response and Security Teams (FIRST) is a group of security incident response teams who assist a defined constituency in preventing and handling security-related incidents.
Describe the Front end and Back end responsibilities of the Risk Based Approach
Front end needs to assess the risk, back end needs to activate workflow based on risk
In order to do more, you have to throttle the _________
Funnel
What is the Gramm-Leach-Bliley Act (GLBA)?
GLBA compliance requires that companies develop privacy practices and policies that detail how they collect, sell, share and otherwise reuse consumer information.
What is a host insertion?
Generally an insider threat: a computer 'host' with malicious intent is inserted in sleeper mode on the network.
Getting a shared understanding of a common _________, is the leader's first task
Goal
What is Gophish?
Gophish is an open source phishing platform that gives you a lot of information and lets you build and run a phishing campaign. A good way to test your company's security training and awareness by hitting employees with a fake phishing campaign.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA compliance is what health care organizations must implement within their business in order to protect the privacy, security, and integrity of protected health information.
What is a trojan horse?
Hidden malware that causes damage to a system or gives an attacker access to the host. Usually gains access by posing as a package to be downloaded, like a game or wallpaper.
What is Step 1 of the "Respond" phase of the Incident Response Process?
Identify cyber security incident
What was the Moonlight Maze Operation?
In 1999, the Russians hacked numerous American government agencies, including NASA, the Pentagon, military contractors, civilian academies, and the Department of Energy, and used proxies to hide their true identity, making it very difficult for the US to determine who was doing it.
Describe the normal flow of information
Information flows directly from the source to the destination
What are some countermeasures to IP spoofing?
Ingress filtering: routers should not forward outgoing packets with invalid source addresses (e.g. a datagram source address not in the router's network). This is great, but ingress filtering cannot be mandated for all networks.
What are the biggest technical skills that Cybersecurity companies are looking for?
Intrusion Detection, Reverse Engineering, Programming, Virtualization, Cryptography, Networking, Operating Systems, Database Modeling
What is Step 1 of the "Follow Up" phase of the Incident Response Process?
Investigate incident more thoroughly
Define Incident Response/Management
Involves the monitoring and detection of security events on a computer or a computer network and the application of the proper resources to those events. The information security or incident management team will regularly check and monitor the security events occurring on a computer or in the network.
What is social engineering?
It is the use of humans for cyber purposes: tricking someone into giving you something that is private.
Listen, ______, learn and course _______ are the basics of principle two
Iterate, Correct
Iterations help us ______, _________, and ________
Iterate, Time Box, and Focus
Teams should be _________ coupled and __________ aligned
Loosely coupled and tightly aligned
What is ransomware?
Malware that affects the host by restricting access to the computer and/or the data on it. The attacker then demands that a ransom be paid within a certain amount of time in order to get the data back, or else the data will be destroyed.
What is spyware?
Malware whose main goal is to track and report the usage of a host or collect data: web browsing history, personal information, marketing information.
Name any 3 Agile Practices
Mood Marbles, Social Contract, Stand-Ups
What is NSDD-145?
National Security Decision Directive 145 (NSDD-145) established a high-level interagency group to guide federal activities toward safeguarding systems which process or communicate sensitive information from hostile exploitation.
What are the aspects of Tech Controls?
Network infra, endpoints, servers, identity management, vulnerability management, and monitoring and logging.
Describe the Critical Thinking model
Originally developed for healthcare, the critical thinking model is the intersection of critical thinking characteristics (attitudes and behaviors), technical skills, interpersonal skills, theoretical and experimental knowledge, and intellectual skills.
The first principle is to begin with clarity of the ______ and let it guide every step of the way
Outcomes
What is the Payment Card Industry Data Security Standard (PCI/DSS) Act?
PCI/DSS compliance is adherence to the set of policies and procedures developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders' personal information.
What is packet sniffing?
Packet sniffers are applications or utilities that detect and read packet data flowing across the network. A promiscuous NIC (Network Interface Card) reads all the packets passing by and can read all unencrypted data.
What are the two major attack classifications?
Passive attacks and active attacks
What is Step 6 of the "Follow Up" phase of the Incident Response Process?
Perform trend analysis
What are the aspects of Admin Controls?
Policies, procedures, standards, user education, incident response, disaster recovery, compliance, and physical security.
What are the two classes of users?
Privileged users and general users
What is Non-Repudiation (X.800 Style)?
Protection against denial by one of the parties in a communication. Basically, valid proof of the identity of the data sender or receiver.
What is Data Confidentiality (X.800 Style)?
Protection of data from unauthorized disclosure
What is the function of Access Management?
Provides secure access for authenticated users inside and outside of your enterprise with proactive policies
What is Step 2 of the "Follow Up" phase of the Incident Response Process?
Report incident to relevant stakeholders
Name 3 of the key Agile Values
Respect, Trust, and Courage
What is a Post-Incident Review (PIR)?
A review to perform root-cause analysis and understand the difference between an error, a problem, and an isolated incident. Also identifies lessons learned and generates reports.
What's Step 5 of the "Prepare" phase of the Incident Response Process?
Review your state of readiness in cyber security incident response.
Describe some facets of Automated Systems used in Incident Response?
SIEMs, SOARs, UBAs. They use big data analysis and honeypots/honeytokens. AI or other technologies can also be used to enhance detection mechanisms and control incidents that could compromise the tech environment.
What is the Sarbanes-Oxley Act (SOX)?
SOX compliance is designed to protect shareholders in public companies by ensuring the accuracy of these companies' financial reports (Created in response to 2002 Enron Scandal).
Define an investigation
Seeks to determine the circumstances of an incident. Every incident will warrant or require an investigation. Collects evidence; chain of custody is important for this.
What is malware?
Short for malicious software, malware is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Before the term "malware" was coined by Yisrael Radai in 1990, malicious software was referred to as "computer viruses".
____________, cross-functional teams, aligned to ___________ value are the best way to structure teams.
Small, Customer
What are the three types of work Agile can be used for?
Strategy, Project, and Operations
Describe Operating System skills
System architecture, application execution, logging details, configurations and settings.
Who are the major government hacking organizations?
Tailored Access Operations (US, NSA), Unit 61398 (China), Unit 8200 (Israel), GCHQ (UK), GRU (Russia), etc.
What is Step 3 of the "Respond" phase of the Incident Response Process?
Take appropriate action
What is ISSA?
The Information Systems Security Association (ISSA) is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.
What is OWASP?
The Open Web Application Security Project (OWASP) is a not-for-profit organization with a mission to make security visible to everyone and to focus on improving the security of software.
What could you reference for a yearly report on cybersecurity attacks and vulnerabilities?
The X-Force Intelligence Index
Define Security Mechanisms
The combination of hardware, software, and processes that implement a specific security policy; protocol suppression, ID and authentication, for example.
What is E-Discovery?
The electronic aspect of identifying, collecting, and producing electronically stored information (ESI) in response to a request for production in a lawsuit or investigation.
What was the Buckshot Yankee Operation?
The most significant breach of US military computers ever: a series of compromises beginning in 2008 that stemmed from the insertion of a USB drive and used a Trojan worm called "agent.btz", which stayed on the network for 14 months. Led to the creation of US Cyber Command.
What is the cyber kill chain?
The phases in which a computer intrusion and attack take place, presented in a step-by-step "chain" format.
What is Step-up authentication?
The practice of requiring additional levels of authentication to ensure that high-risk actions involving sensitive information and transactions are not accessed by unauthorized people
Describe the Elevator problem solution
The problem wasn't that the elevator was too old and slow; the problem was that people felt that waiting was boring. Instead of installing a faster elevator, they installed mirrors and played music so people were distracted while they rode, and the complaints stopped. Instead of "making the elevator faster", they shortened the perceived wait time.
Describe Security Architecture in the context of X.800
The term "security" is used in the sense of minimizing the vulnerabilities of assets and resources. An asset is anything of value. A vulnerability is any weakness that could be exploited to violate a system or the information it contains. A threat is a potential violation of security.
Describe what is meant by cyberwar
The use of computer technology to disrupt activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes.
What are Security Services?
A processing or communication service that is provided by a system to give a specific kind of protection to a system resource. Security services implement security policies and are themselves implemented by security mechanisms (the technical implementation of a security policy).
What is the role of an Information Security Analyst?
This position conducts information security assessments for organizations and analyzes the events, alerts, alarms and any information that could be useful to identify any threats that could compromise the organization. Often works with a SIEM.
What is the role of an Information Security Auditor?
This position is in charge of testing the effectiveness of computer information systems, including the security of those systems, and reporting its findings.
What are the main pervasive security mechanisms mentioned in X.800?
Trusted functionality, security labels, event detection, security audit trails, security recovery.
What is the significance of Desert Storm and Bosnia with regards to cyber war?
Two of the first instances of cyber warfare being used in conflict. In Desert Storm, radar and communications were tampered with, through destruction or misinformation. In Bosnia, a lot of misinformation was directed at enemy soldiers in the field.
Describe Cryptography skills
Understand and develop algorithms, ciphers, and security systems. Examples: Encryption, digital signatures, hash functions, etc.
Describe Networking skills
Understand networking protocols, packet sniffing, firewalls, routers, etc. Examples: TCP/IP, ICMP, Wireshark.
What is Step 5 of the "Follow Up" phase of the Incident Response Process?
Update key information, controls and processes
Describe Programming Skills
Useful for scripting, tools development, security research, and reverse engineering. Examples: Python, C/C++, Java, Assembly.
Describe Database Modeling skills
Useful for threat modeling and incident investigation. Examples: Maltego, Synapse.
Agile is a way of working based on a set of _____ and ______?
Values and Principles
The practices of Agile make the _______ and ______ come alive by changing _________
Values, Principles, Behavior
What is the first step in using Agile for Operations?
Visualize
What is Vishing?
Voice phishing: a kind of social engineering attack that does not use email but the attacker's voice, for example over the phone.
What movie did Ronald Reagan see that made him worry about cybersecurity threats to the US government?
War Games (1983)
What is IP Spoofing?
When someone uses an application that can generate "raw" IP packets and put any value into the IP source address field. The receiver can't tell whether the source is spoofed.
What is WiCyS?
Women in Cybersecurity- started in 2013 by Dr Ambareen Siraj through a National Science Foundation grant awarded to Tennessee Tech University. In less than ten years, it has grown into an organization representing a leading alliance between trailblazers from academia, government, and industry.
Total cycle time can be improved if you reduce the ________ in ________
Work in Progress
What is the difference between privileged users and general users?
General users are "you and me", while privileged users can change security policy.
What are the elements of Cybersecurity?
- Information Security
- Network Security
- Operational Security
- Application Security
- End-User Security
- Business Continuity Planning
If you had to both compress and encrypt data during a transmission, which would you do first?
Compress first; compressing before encrypting is more space efficient. If you encrypt the data first, it turns into a stream of random bits, and random bits are incompressible.
Describe 5 ways to make sure you have a strong password?
1. Don't use personal information in passwords: no birthday, name, or email addresses.
2. Never recycle passwords for your accounts; always use a unique password for each of your online accounts.
3. Use long passphrases that contain spaces and unique characters: numbers, symbols, upper and lowercase letters.
4. Make sure it's longer than 6 characters; 15 characters or longer is best.
5. Don't use dictionary words from any language; random character strings are better.
Explain what the following ports are used for: 80, 22, 443, 53
80: HTTP; 22: Secure Shell (SSH); 443: HTTPS; 53: TCP/UDP
What is a cluster?
A group of servers and other resources that act like a single system and enable high availability, load balancing, and parallel processing.
Explain a brute force attack
A hacking method that uses trial and error to crack passwords, login credentials, and encryption keys.
What is a Distributed Denial-of-Service (DDOS) attack?
A malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target with traffic from multiple connected online devices, collectively known as a botnet.
Explain Packet Structure
A packet has three main sections:
1. IP Header
2. TCP Header
3. Payload
A few important fields in the packet:
- Source IP
- Destination IP
- Source Port
- Destination Port
- TCP Flags
- Data
What is a Vulnerability Assessment?
A vulnerability assessment is a search for weaknesses/exposures in order to apply a patch or fix to prevent a compromise.
What technical controls can you use to maintain integrity?
Algorithms and Hashes (MD5, SHA1, etc.)
What is an exploit?
An exploit is a defined way to breach the security of an IT system through a vulnerability.
What does data leakage mean?
An unauthorized transfer of data to the outside world and can occur via email, optical media, laptops, USB keys, etc.
What two factors do Security Threats break down to?
Human factors and Natural factors
What does a filtered port response indicate?
It indicates that a request packet was sent, but the host did not respond and is not listening. Usually this means that the request packet was filtered out and/or blocked by a firewall. Such hosts often respond with error messages reading "destination unreachable" or "communication prohibited". Attackers cannot use these to find out more information.
What is a risk?
It is the likelihood or probability of exposure to danger. It is also whatever the qualified exposure is to a security incident.
What port does ping work over?
No ports. A ping test uses ICMP, so no ports are being used; it just sits on top of IP.
What is the CIA triad?
Stands for confidentiality, integrity, and availability
Why is DNS monitoring important?
The Domain Name System is a popular target for hackers
What is a CAPTCHA?
Stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". Basically, these are challenges that are difficult for automated computer programs to perform but easy for humans, such as spotting patterns or clicking in a specific area on a webpage. Used by websites to restrict usage by bots and spam.
Describe a Web Application Firewall (WAF)
Usually enforces a maximum number of requests to a URL space from a source during a specific time interval. WAFs can prevent denial-of-service (DOS) attacks and brute force attacks.
What is a VPN?
A Virtual Private Network (VPN) extends a private network across a public network, and enables users to send and receive data across public networks as if they were directly connected to the private network.
What is Password Spraying?
A brute force attack where an attacker will use one password against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
What is a vulnerability?
A flaw, loophole, oversight, or error that can be exploited to violate a system security policy.
What is a SSL/TLS Handshake?
A protocol for establishing trust and negotiating which secret key is used to encrypt and decrypt the conversation.
1. "Client Hello": Client sends a hello message to the server, including which TLS version the client supports, the cipher suites supported, and the "client random".
2. "Server Hello": Reply to the client hello message; contains the server's SSL certificate, the server's chosen cipher suite, and the "server random".
3. Authentication: Client verifies the server's SSL certificate.
4. Premaster Secret: Client sends the premaster secret, encrypted with the server's public key (which the client gets from the server's SSL certificate) so it can only be decrypted with the server's private key.
5. Private Key Used: Server decrypts the premaster secret.
6. Session Keys Created: Both client and server generate session keys from the client random, server random, and premaster secret.
7. Client is Ready: Client sends a finished message that is encrypted with a session key.
8. Server is Ready: Server responds in kind.
Secure Symmetric Encryption Achieved: The handshake is completed and communication continues using the session keys.
What is an Intrusion Detection System (IDS)?
A system designed to provide an alert about a potential incident, which enables a security operations center (SOC) analyst to investigate the event and determine whether it requires further action.
Define Cryptography
A technique that is used to protect information by using protocols that disallow third parties from reading private data.
What is the Secure Sockets Layer (SSL)?
A technology creating encrypted connections between a web server and a web browser.
What is a Host Intrusion Detection System (HIDS)?
An IDS that is only concerned with threats related to the host system/computer.
What is a Network Intrusion Detection System (NIDS)?
An IDS that monitors network traffic for unusual activity.
Where do you place an IPS?
An IPS is usually placed after the firewall. The firewall does the heavy lifting of blocking all the unwanted traffic based on the TCP/IP header, and on the traffic that is allowed, the IPS performs deep packet inspection, because an IPS needs more processing power than a firewall.
What are some Technical Implementations that we can use to maintain availability?
RAIDs, Clusters, ISP Redundancy, Backups
What is Availability?
The assurance that data is accessible and usable upon demand by an authorized entity. Often involves routine maintenance and upgrading of hardware, software, and operating system environments. Backups are a huge part of availability.
What is Integrity?
The assurance that data is accurate and protected against unauthorized modification or destruction of information.
What is a SYN Flood?
The attacker sends a request to connect to the target server but does not complete the "3-way handshake"- a method used in Transmission Control Protocol (TCP)/IP network to create a connection between a local host/client and server. This incomplete handshake leaves the connected port in an occupied status and unavailable for further requests. The attacker will continue to send requests, saturating all open ports, so the legitimate users cannot connect.
What is Cybersecurity?
The protection of hardware, software, and data from attackers trying to access, change, or destroy sensitive information.
Describe the NIST definition of Cybersecurity
The protection of information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
What are Redundant Array of Inexpensive Disks (RAID)?
These work by placing data on multiple disks and allowing input/output (I/O) operations to overlap in a balanced way, thus improving performance, providing fault tolerance, and increasing storage capacity in the system.
What information can you gather from closed ports?
They are still accessible and can be used to show a host is on that IP address.
What are some things a HIDS is concerned with?
What apps are utilized, what files are accessed, and what information is stored in the kernel logs.
What is a Rainbow Table Attack?
When an attacker uses a rainbow hash table to crack passwords stored in a database. A rainbow table is a precomputed lookup table used to reverse cryptographic hash functions.
What is ISP Redundancy?
When you install a secondary connection to the internet that runs on a different backbone than the primary connection. If there's an outage in the primary connection, the secondary one will kick in.
Should closed ports be monitored?
Yes, they should be monitored by the network admin to make sure they don't change to open status and create potential vulnerabilities.
What is a Hybrid Attack?
Combines a simple brute force attack and a dictionary attack to guess mixed login combinations, meaning numbers and letters.
What is Credential Stuffing?
Exploits the fact that people use the same username and password across various systems. Attackers use known username-password combinations to log into user accounts across many websites until they find one that works.
Describe the hierarchy of external factors in the Security Threats Hierarchy
External threats break down into malicious events, which break down into hackers or crackers, which break down finally into viruses, trojans, and worms.
What is FTPS?
File Transfer Protocol Secure (FTPS) is a secure transfer protocol where FTP data travels through the network using either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols.
What is a Denial-of-Service (DOS) attack?
This attack is accomplished by flooding the targeted host or network with packets until the target cannot respond or simply crashes, preventing access to legitimate users.
What is a dictionary attack?
This brute force attack happens when a hacker attempts to crack a target's passwords by trying all the words in a designated list as possible passwords.
What does it mean to use Unique Login URLs?
This entails creating unique login URLs for various user groups- this may not necessarily stop a brute force attack, but it can be a time consuming deterrent for an attacker.
What is a Smurf Attack?
This is a DOS attack where the attacker sends ICMP broadcast packets to a number of hosts with a spoofed IP address that belongs to the target machine. The recipients of these spoofed packets will then respond, and the targeted host will be flooded with the responses.
What is a Half-open or SYN Scan used for?
This is a tactic that attackers use to determine the status of a port (open or not?) without establishing a full connection.
What is a simple brute force attack?
This is when hackers attempt to decode your password without the assistance of scripts or automation.
What are the advantages of cybersecurity
- It protects businesses against ransomware, malware, social engineering, and phishing.
- It protects end-users.
- It gives protection for both data and networks.
- Increase recovery time after a breach.
- Prevents unauthorized users from accessing systems.
What is the difference between Firewall deny and drop?
- When the firewall is set to Deny a connection, it blocks the connection and sends a Reset (RST) packet to the requester (source).
- When the firewall is set to Drop a connection, it just drops the request without giving any message to the requester.
- It is good practice to deny outbound traffic and drop inbound traffic, so an attacker will not know the firewall is present.
What are the 3 Private IP ranges?
1. 10.0.0.0 - 10.255.255.255 2. 172.16.0.0 - 172.31.255.255 3. 192.168.0.0 - 192.168.255.255
How do you prevent data loss and server interruptions?
1. Always backup your data 2. Encrypt Sensitive Data 3. Address Data Security 4. Use anti-virus and email security
What is the difference between encoding, encrypting, and hashing?
1. Encoding: Modifies data from one format to another using a scheme (encoding algorithm) that is publicly available. Doesn't require a key, just a decoder to decode.
2. Encrypting: Used for confidentiality; converts clear text (readable) into ciphertext (unreadable). Encrypted data can only be decrypted by those who have the correct key.
3. Hashing: Used for integrity; converts the data into a string of letters and numbers by applying a hashing algorithm (mathematical formula). Hashes are not reversible to the original input string, but you can crack them using things like dictionary and brute force attacks to try to find the original input data.
What is the difference between HTTPS, SSL, and TLS?
1. HTTPS: Hypertext Transfer Protocol Secure is used for secure communication over a computer network, and is widely used on the internet.
2. SSL: Secure Sockets Layer is the now-deprecated specification that TLS builds on.
3. TLS: Transport Layer Security is a cryptographic protocol designed to provide communications security over a computer network; it secures HTTPS.
What are the two most common ways that vulnerabilities are introduced into a system?
1. Many systems are shipped with known and unknown security holes and bugs, and insecure default settings (passwords, etc.).
2. Many vulnerabilities occur as a result of misconfiguration by system administrators.
Name the different layers of the OSI Model?
1. Physical Layer
2. Data Link Layer
3. Network Layer
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Application Layer
What are some ways you can prevent a brute force attack?
1. Set a limit on login attempts (and monitor attempts from the same IP address)
2. Use strong passwords
3. Use Two-Factor Authentication (2FA)
4. Use CAPTCHAs
5. Use Unique Login URLs
6. Disable Root SSH Logins
7. Use Web Application Firewalls (WAFs)
What are 2 common Denial-of-Service (DOS) attacks?
1. Smurf Attack 2. SYN Flood
What are three DNS vulnerabilities?
1. Subdomain Takeover 2. Anti-Spoofing Mail Records 3. Exposed Origin Servers
What is the difference between a threat, vulnerability, and a risk?
1. Threat: A new incident with the potential to harm a system.
2. Vulnerability: A known weakness that hackers could exploit.
3. Risk: The potential for damage when a threat exploits a vulnerability.
How do I improve the security of my home network?
1. Update your software regularly
2. Remove unnecessary services and software
3. Adjust factory-default configurations on software and hardware
4. Change default log-in passwords and usernames
5. Use strong unique passwords
6. Run up-to-date antivirus software
7. Install a network firewall
8. Install firewalls on network devices
9. Regularly back up your data
10. Increase wireless security
11. Mitigate email threats
How do you go about securing a server?
1. Use SSH to establish a protected connection to the server.
2. Use SSH key authentication.
3. Use FTPS (File Transfer Protocol Secure) to encrypt data files and your authentication information.
What are some ways to increase wireless security?
1. Use the strongest encryption protocol available
2. Change the router's default administrator password
3. Change the default service set identifier (SSID)
4. Disable Wi-Fi Protected Setup (WPS)
5. Reduce wireless signal strength
6. Turn the network off when not in use
7. Disable Universal Plug and Play (UPnP) when not needed
8. Upgrade firmware
9. Disable remote management
10. Monitor for unknown device connections
What is a firewall?
A network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies.
What is an Intrusion Protection System (IPS)?
A system that takes action to block the attempted intrusion or otherwise remediate an incident.
What is Port Scanning?
A technique for identifying open ports and services available on a specific host.
What is a threat?
A threat is an event, natural or man-made, that is able to cause a negative impact on an organization.
Explain Traceroute
A tool that shows the packet path by listing all the points a packet passes through. Commonly used when a packet does not reach its destination- can be used to see where a connection breaks or stops to identify a failure.
What elements are normally used to enforce confidentiality?
Authentication, encryption, access controls, physical security, and permissions.
When you download a new OS from the internet, what's one of the first things you should do?
Compare the hash value provided by the author of the operating system with the hash value of the downloaded file. They must match to confirm the file's integrity.
What is DNS?
Domain Name System (DNS) is the phonebook of the internet. It translates domain names to IP addresses so browsers can load internet resources.
How do you disable Root SSH logins?
Edit the sshd_config file and set the "DenyUsers root" and "PermitRootLogin no" options to ensure that the root user cannot log in via SSH.
What are the two internal human factors?
Former Employees and Current Employees
How do the results of a XMAS scan indicate if a port is open or closed?
If this scan gets no response back, the port is open. If the port is closed, it will get a RST response back.
What is Implicit Deny?
If traffic is not explicitly allowed within an access list then by default it is denied.
What does a closed port indicate?
Indicates that a server or network received the request, but there is no service "listening" on that port.
What does an open port indicate?
Indicates that a target server or network is actively accepting connections or datagrams and, when connected to, will respond with a packet that indicates it is listening
What makes a XMAS scan sneaky?
It oftentimes goes unnoticed by firewalls, which are primarily looking for SYN packets.
Where do most detected attacks that are critical to an organization come from?
Internal Factors- current or former employees
What is Hashing?
It is the practice of taking a string or input key (a variable created for storing narrative data) and representing it with a hash value, which is typically determined by an algorithm and constitutes a much shorter string than the original.
How does a Half-Open/SYN Scan work?
It sends only a SYN message and, after getting a response from the target, doesn't complete the connection.
What is SSL used for?
It's used to protect the information in online transactions and digital payments to maintain data privacy.
What is a Hub?
Layer 1 device that connects multiple ethernet devices together.
What is a Switch?
Layer 2 device that connects devices on a network using packet switching to receive and forward data to the destination device.
What is a Router?
Layer 3 device that forwards data packets between computer networks.
What are some examples of natural factors?
Lightning, Hurricanes, Tornadoes, Tsunamis
What 3 kinds of general results can you get from a port scan?
Open ports, closed ports, and filtered ports
What is confidentiality?
Synonymous with privacy. Ensures that sensitive data is accessed only by authorized persons, processes, or devices. Used to prevent any disclosure of data without prior authorization by owner.
What is a ping scan?
The simplest port scan- this is an automated blast of several internet control message protocol (ICMP) requests to different servers to bait responses.
What is a XMAS scan?
This scan is one of the sneakiest port scans- it sends PSH, URG, and FIN flags to the target.
What is TCP?
Transmission Control Protocol (TCP) is a reliable and connection-oriented transport protocol. With TCP, data can be delivered successfully and accurately. Before TCP transmits data, it uses a three-way handshake to establish a connection.
What applications use TCP?
Web, Email, and FTP to name a few
Explain ARP and how it works
Stands for Address Resolution Protocol. It helps to resolve an IP address to a physical address (MAC). ARP broadcasts a packet to all the machines on the LAN and asks if any of the machines are using that particular IP. When a machine recognizes the IP address as its own, it sends a reply so ARP can update the cache for future reference and proceed with the communication.
What is a DMZ?
Stands for Demilitarized Zone. It is a network segment used to host public-facing servers. The DMZ isolates the public-facing servers from internal servers, so if the DMZ servers are compromised, the attack doesn't spread to the internal servers.