BIS 300 chapter 9
APT attack steps
1. Reconnaissance: the intruder begins by conducting reconnaissance on the network to gain useful information about the target.
2. Incursion: the attacker next gains incursion to the network at a low level to avoid setting off any alarms or suspicion. Some form of spear phishing may be employed in this phase. Once incursion to the target has been gained, the attacker establishes a back door, a means of accessing a computer program that bypasses security mechanisms.
3. Discovery: the intruder now begins a discovery process to gather valid user credentials and move laterally across the network, installing more back doors. These back doors enable the attacker to install bogus utilities for distributing malware that remains hidden in plain sight.
4. Capture: the attacker is now ready to access unprotected or compromised systems and capture information over a long period of time.
5. Export: captured data is then exported back to the attacker's home base for analysis and/or used to commit fraud and other crimes.
Bring Your Own Device (BYOD)
A business policy that permits, and in some cases encourages, employees to use their own mobile devices (smartphones, tablets, or laptops) to access company computing resources and applications, including email, corporate databases, the corporate intranet, and the Internet. It is highly likely that such devices are also used for non-work activity that exposes them to malware far more frequently than a device used strictly for business purposes, and that malware could spread through the company. BYOD makes it extremely difficult for IT organizations to adequately safeguard additional portable devices with various operating systems and a myriad of applications.
security audit
A careful and thorough analysis that evaluates whether an organization has a well-considered security policy in place and if it is being followed.
zombie
A computer that is controlled by a hacker who uses it to launch attacks on other computer systems.
computer forensics
A discipline that combines elements of law and computer science to identify, collect, examine, and preserve data from computer systems, networks, and storage devices in a manner that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law.
logic bomb
A form of Trojan horse malware that executes when it is triggered by a specific event. EX: it can be triggered by a change in a particular file, by typing a series of keystrokes, or at a specific time or date.
Department of Homeland Security (DHS)
A large federal agency with more than 240,000 employees and a budget of almost $65 billion whose goal is to provide for a "safer, more secure America, which is resilient against terrorism and other potential threats."
viruses
A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.
trojan horse
A seemingly harmless program in which malicious code is hidden. A user is tricked into opening it because it appears to be useful software from a legitimate source, such as an update for software the computer is currently using.
rootkit
A set of programs that enables its user to gain administrator level access to a computer without the end user's consent or knowledge.
blended threat
A sophisticated threat that combines the features of a virus, worm, Trojan horse, and other malicious code into a single payload.
security policy
A statement that defines an organization's security requirements, as well as the controls and sanctions needed to meet those requirements.
botnet
A term used to describe a large group of computers that are controlled from one or more remote locations by hackers, without the knowledge or consent of their owners.
spear phishing
A variation of phishing in which the phisher sends fraudulent emails to a certain organization's employees. The difference between this and phishing is that this is more narrow, like the tip of a spear. The phony emails direct employees to a fake site that asks them to enter their personal information. Botnets are the primary means for distributing these scams.
distributed denial-of-service (DDoS) attack
An attack in which a malicious hacker takes over computers via the Internet and causes them to flood a target site with demands for data and other small tasks.
zero-day attack
An attack that takes place before the security community or software developer knows about the vulnerability or has been able to repair it. Any delay in installing a patch exposes the user to a potential security breach. The need to install a fix to prevent a hacker from taking advantage of a known system vulnerability can create a time-management dilemma for system support personnel trying to balance a busy work schedule.
smishing
Another variation of phishing that involves the use of Short Message Service (SMS) texting. EX: a text claims there is something wrong with a person's bank account and that they should call a number belonging to a "fake" organization to fix it, leading the person to give out their personal information.
botnet
Based on a command by the attacker or at a preset time, the ________ computers, called zombies, go into action, each sending a simple request for access to the target site again and again, dozens of times per second, so that legitimate users are unable to get through to the target computer. They are frequently used to distribute spam and malicious code.
security dashboard
Its purpose is to reduce the effort required to monitor and identify threats in time to take action.
ransomware
Malware that prevents a user's device from properly operating until a fee is paid.
vishing
Similar to smishing except that the victims receive a voice mail message telling them to call a phone number or access a Web site.
cyber-espionage
The deployment of malware that secretly steals data from the computer systems of organizations, such as government agencies, military contractors, political organizations, and manufacturing firms. Many times this data is a patent or copyright that gives a competitive advantage to the perpetrator.
Cyberterrorism
The intimidation of government or civilian population by using information technology to disable critical national infrastructure (e.g., energy, transportation, financial, law enforcement, emergency response) to achieve political, religious, or ideological goals.
spam
The use of email systems to send unsolicited email to large numbers of people. Most of these messages are a form of low-cost commercial advertising, and it is an inexpensive marketing method used by many legitimate organizations. It can also be used, however, to deliver harmful worms and other malware.
risk assessment
The process of assessing security-related risks to an organization's computers and networks from both internal and external threats.
Step 1. Identify the set of IS assets about which the organization is most concerned. Priority is typically given to those assets that support the organization's mission and the meeting of its primary business goals.
Step 2. Identify the loss events, or the risks or threats, that could occur, such as a distributed denial-of-service attack or insider fraud.
Step 3. Assess the frequency of events, or the likelihood of each potential threat; some threats, such as insider fraud, are more likely to occur than others.
Step 4. Determine the impact of each threat occurring. Would the threat have a minor impact on the organization, or could it keep the organization from carrying out its mission for a lengthy period of time?
Step 5. Determine how each threat can be mitigated so that it becomes much less likely to occur or, if it does occur, has less of an impact on the organization.
Step 6. Assess the feasibility of implementing the mitigation options.
Step 7. Perform a cost-benefit analysis to ensure that your efforts will be cost effective.
Step 8. Make the decision on whether or not to implement a particular countermeasure.
data breach
The unintended release of sensitive data or the access of sensitive data by unauthorized individuals.
identity theft
Theft of personal information (Social Security number, driver's license, or credit card numbers) to impersonate someone else.
worms
____ differ from viruses in that they can propagate without human intervention, often sending copies of themselves to other computers by email. The negative impact of this attack on an organization is lost data and programs, and lost productivity due to workers being unable to use their computers.
rootkits deletes compromised
_______ are one part of a type of blended threat that consists of a dropper, a loader, and a rootkit. The dropper code gets the rootkit installation started and can be activated by clicking on a link to a malicious Web site in an email or opening an infected PDF file. The dropper launches the loader program and then ________ itself. The loader loads the rootkit into memory; at that point, the computer has been ____________.
knowledge-based intrusion detection system; behavior-based intrusion detection system
A __________-based intrusion detection system contains information about specific attacks and system vulnerabilities and watches for attempts to exploit these vulnerabilities, such as repeated failed login attempts or recurring attempts to download a program to a server. When such an attempt is detected, an alarm is triggered. A _______________-based intrusion detection system models normal behavior of a system and its users from reference information collected by various means. The intrusion detection system compares current activity to this model and generates an alarm if it finds a deviation. EX: unusual traffic at odd hours, or a user in the human resources department who accesses an accounting program that she has never used before.
managed security service provider (MSSP)
A company that monitors, manages, and maintains computer and network security for other organizations. For most small and mid-sized organizations, the level of in-house network security expertise needed to protect their business operations can be too costly to acquire and maintain. As a result, many organizations outsource their network security operations to an MSSP.
next-generation firewall (NGFW)
A hardware- or software-based network security system that is able to detect and block sophisticated attacks by filtering network traffic based on the packet contents. Compared to first-generation and second-generation firewalls, an NGFW goes deeper to inspect the payload of packets and match sequences of bytes against harmful activity, such as known vulnerabilities, exploit attacks, viruses, and malware.
worm
A harmful program that resides in the active memory of the computer and duplicates itself.
Advanced Persistent Threat (APT)
A network attack in which an intruder gains access to a network and stays there, undetected, with the intention of stealing data over a long period of time. Attackers in an APT must continuously rewrite code and employ sophisticated evasion techniques to avoid discovery. The goal is to steal data rather than disrupt services.
US Computer Emergency Readiness Team (US-CERT)
A partnership between the Department of Homeland Security and the public and private sectors, established to provide timely handling of security incidents as well as improved analysis of such incidents. It serves as a clearinghouse for information on new viruses, worms, and other computer security topics.
virus signature
A sequence of bytes that indicates the presence of a specific virus.
firewall
A system of software, hardware, or a combination of both that stands guard between an organization's internal network and the Internet and limits network access based on the organization's access policy.
backdoor email
A Trojan horse often creates a "________" on a computer that enables attackers to gain future access to the system and compromise confidential or private information. It can be delivered through an _____ attachment, DVD, USB drive, and common host programs including screen savers, greeting card systems, and games.
attachment infected macro
A virus is spread to other machines when a computer user shares an infected file or sends an email with a virus-infected _____________. In other words, viruses spread by the action of the "__________" computer user. _____ viruses have become a common and easily created form of virus. Attackers use an application macro language to create programs that infect documents and templates.
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act
An act that states that it is legal to spam, provided the messages meet a few basic requirements: spammers cannot disguise their identity by using a false return address, the email must include a label specifying that it is an ad or a solicitation, and the email must include a way for recipients to indicate that they do not want future mass mailings.
exploit
An attack on an information system that takes advantage of a particular system vulnerability.
identity
Computer help desks are under intense pressure to respond very quickly to users' questions. Under duress, help desk personnel sometimes forget to verify users' ______________.
regain control
In a security incident, the primary goal must be to ______ control and limit damage, not to attempt to monitor or catch an intruder.
Why computer incidents are so prevalent
Increasing computing complexity, higher computer user expectations, expanding and changing systems, an increase in the prevalence of bring-your-own-device policies, a growing reliance on software with known vulnerabilities, and the increasing sophistication of those who would do harm have caused a dramatic increase in the number, variety, and severity of security incidents.
DDoS Attack
Instead of infiltrating a system, a ______ attack keeps the target so busy responding to a stream of automated requests that legitimate users cannot get in, the Internet equivalent of dialing a telephone number repeatedly so that all other callers hear a busy signal. The targeted machine essentially holds the line open while waiting for a reply that never comes; eventually, the requests exhaust all resources of the target.
change risks
It is increasingly difficult for IT organizations to keep up with the pace of technological _______, successfully perform an ongoing assessment of new security _____, and implement approaches for dealing with them.
transaction risk scoring software
Keeps track of a customer's historical shopping patterns and notes deviations from the norm.
investigation
Proper handling of a computer forensics _________ is the key to fighting computer crime successfully in a court of law.
intrusion detection system (IDS)
Software and/or hardware that monitors system and network resources and activities and notifies network security personnel when it detects network traffic that attempts to circumvent the security measures of a networked computer environment.
CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)
Software that generates and grades tests that humans can pass but all but the most sophisticated computer programs cannot.
antivirus software
Software that scans a computer's memory, disk drives, and USB ports regularly for viruses.
bot
Spammers can defeat the registration process of free email services by launching a coordinated ___ attack that can sign up for thousands of email accounts. These accounts are then used by the spammers to send thousands of untraceable email messages for free.
phishing
The act of fraudulently using email to try to get the recipient to reveal personal data. Con artists send legitimate-looking emails urging the recipient to take action to avoid negative consequences or to receive a reward. Sometimes just accessing the Web site can trigger an automatic and unnoticeable download of malicious software to a computer.
reasonable assurance
The concept that recognizes that the costs of control activities should not exceed the benefits that are expected from the control activities.
expands
The number of possible entry points to a network _________ continually as more devices are added, increasing the possibility of security breaches.
Encryption
To reduce the potential for online credit card fraud, most e-commerce Web sites use some form of __________ technology to protect information as it comes in from the consumer. Some Web sites verify the address submitted online against the one the issuing bank has on file. EX: asking for the card verification value (CVV).