TestOut Chapter 2


Internal vs. External

- Internal threats are authorized individuals who exploit their inherent privileges to carry out an attack. This category includes employees (both current and former), janitors, security guards, and even customers.
- External threats are any individuals or groups that attack a network from the outside and seek to gain unauthorized access to data.

Persistent vs. Non-Persistent

- Persistent threats seek to gain access to a network and remain there undetected. With this type of threat, the attacker will go to great lengths to hide their tracks and presence in the network.
- Non-Persistent threats are only concerned with getting into a system and stealing information. The attack is usually a one-time event, and the attacker typically doesn't care if their presence is noticed.

An Advanced Persistent Threat (APT) is a type of persistent threat carried out by a nation state. An APT has the goal of continually stealing information without being detected, and the tactics they use are much more advanced than a traditional persistent threat.

Breach

A Breach is the penetration of system defenses, achieved using information gathered during reconnaissance to gain unauthorized access.

Competitor

A Competitor threat actor carries out attacks on behalf of an organization and targets competing companies. The motive behind such attacks could be financial gain, competitor defamation, or even stealing industry secrets.

Hacktivist

A Hacktivist is any individual whose attacks are politically motivated. Instead of seeking financial gain, Hacktivists are looking to defame, shed light on, or cripple an organization or government. Hacktivists often work alone; occasionally, they form unified groups with like-minded hackers.

Script Kiddie

A Script Kiddie is an individual who carries out an attack by using scripts or programs written by more advanced hackers. Script Kiddies typically lack the skills and sophistication of legitimate hackers. Script Kiddies are usually motivated by the chance to impress their friends or garner attention in the hacking community. Because Script Kiddies lack knowledge and sophistication, their attacks often seek to exploit well-known vulnerabilities in systems. As such, defending against script kiddies involves keeping systems up-to-date and using standard security practices.

Technical

A Technical approach is using software or utilities to find vulnerabilities in a system.

Transitive Trust

A hierarchical two-way trust relationship between parent and child entities.

Nation State

A nation state is the most organized, well-funded, and dangerous type of threat actor. There are two primary motives for nation state attacks (also called state-sponsored attacks):
- Obtaining Information - Some attacks seek to obtain sensitive information, such as government secrets. These attacks usually target organizations that have government contracts or the government systems themselves. Attacks motivated by information gathering are considered a type of APT, as the goal is to remain in the system undetected.
- Crippling Systems - Some attacks seek to cripple their target's network or infrastructure.

Because nation states use so many different attack vectors and unknown exploits, defending against them involves building a comprehensive security approach that uses all aspects of threat prevention and protection.

Multifactor Authentication

A requirement of more than one method of authentication from independent categories of credentials to verify the user's identity.

Layered Security

A security approach that combines multiple security controls and defenses to create a cumulative effect.

Layered Security Model

A security approach that defines seven layers of security.

Cybercriminal

A subcategory of hacker threat agents that are willing to take more risks and use more extreme tactics for financial gain.

Job Rotation

A technique where users are cross-trained in multiple access control methods instead of relying on a single method.

Competitor

A threat agent that carries out attacks on behalf of an organization and targets competing companies.

Nation State

A threat agent that is a sovereign state, which wages an all-out war on a target and has significant resources and money at its disposal.

Insider

A threat agent who has authorized access to an organization and either intentionally or unintentionally carries out an attack.

Internal Threat

A threat from authorized individuals (insiders) who exploit their inherent privileges to carry out an attack.

External Threat

A threat from individuals or groups that attack a network from the outside and seek to gain unauthorized access to data.

Persistent Threat

A threat that seeks to gain access to a network and remain there undetected.

Non-Persistent Threat

A threat where the only concern is getting into a system and stealing information. It is usually a one-time event, and the attacker is not concerned if their presence is noticed.

Advanced Persistent Threat (APT)

A type of persistent threat carried out by a nation state. An APT has the goal of continually stealing information without being detected, and the tactics they use are much more advanced than a traditional persistent threat.

Targeted Attack

A type of threat in which threat actors actively pursue and compromise a target entity's infrastructure while maintaining anonymity.

Insider

An Insider is any individual who has authorized access to an organization and either intentionally or unintentionally carries out an attack. The most common type of insider is a full-time employee; however, other inside actors include customers, janitors, security guards, and even former employees. Possible motives for an insider threat actor can include:
- Becoming disgruntled with an employer
- Being bribed by a competitor
- Seeking personal financial gain

Because insiders are one of the most dangerous and overlooked threats to an organization, you need to take the appropriate steps to protect against them:
- Require mandatory vacations
- Create and follow on-boarding and off-boarding procedures
- Employ the principle of least privilege
- Have appropriate physical security controls in place
- Require security awareness training, tailored to the role of the employee (role-based awareness training)

Organized Crime

An Organized Crime Threat Actor is a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last several months and are very well-funded and extremely sophisticated. A common tactic used by Organized Crime is a targeted phishing campaign. Once access is gained, the group will either steal data and threaten to release it or use ransomware to hold data hostage. Due to the level of sophistication and amount of funding, attacks from Organized Crime groups are extremely hard to protect against. In a lot of cases, it's simply a matter of time until a data breach occurs or ransomware takes hold. Because of this, many companies that need immediate access to their data (such as hospitals and financial institutions) stockpile digital currency in case of an attack. Specific protections against organized crime threat actors include:
- Proper user security training
- Implementing email filtering systems
- Proper securing and storage of data backups

Defense-in-Depth

An access control principle that implements multiple access control methods instead of relying on a single method.

Opportunistic Attack

An attack where the threat actor is almost always trying to make money as fast as possible and with minimal effort.

Exploit

An exploit takes advantage of known vulnerabilities in software and systems. Types of exploitation include:
- Stealing information
- Denying services
- Crashing systems
- Modifying/altering information

Hacker

Any threat agent who uses their technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information.

Vulnerable Business Processes

Attacks on business processes have recently come into focus. Attackers target a business's unique processes and machines and manipulate them for personal benefit. When they identify a weakness, they can alter a process to help them achieve their aims.

Open-Source Intelligence (OSINT)

Before carrying out an attack, a threat actor will typically gather Open-Source Intelligence (OSINT) about their target. OSINT is information that is readily available to the public and doesn't require any type of malicious activity to obtain. Sources of OSINT include the following:
- Media (newspapers, magazines, advertisements)
- Internet (websites, blogs, social media)
- Public government data (public reports, hearings, press conferences, speeches)
- Professional and academic publications (journals, academic papers, dissertations)

Create a Backdoor

A Backdoor is an alternative method of accessing an application or operating system, originally intended for troubleshooting. Hackers often create backdoors to exploit a system without being detected.

Variety

Defensive layers should have variety and be diverse; implementing multiple layers of the exact same defense does not provide adequate strength against attacks.

Improper Certificate and Key Management

Due to the proliferation and complexity of digital certificates used for identity and encryption, many organizations find it difficult to manage their certificates and cipher keys. Expiring certificates are a leading cause of system downtime. To better manage their certificates, organizations should track when certificates expire, their issuing CA, and their encryption key strengths.

Escalate Privileges

Escalating Privileges is one of the primary objectives of an attacker and can be achieved by configuring additional (escalated) rights to do more than just breach a system.

Improper Input Handling

Improper Input Handling may be the chief security vulnerability in today's software applications and web pages. It involves the improper validation, sanitization, and filtering, as well as encoding and decoding, of input data. During application development, all inputs should be considered untrusted, especially external inputs that can arrive in various formats.

Application

Includes authentication and authorization, user management, group policies, and web application security.

Host

Includes each individual workstation, laptop, and mobile device. The Host layer includes log management, OS hardening, patch management and implementation, auditing, malware, and password attacks.

Physical

Includes fences, door locks, mantraps, turnstiles, device locks, server cages, cameras, motion detectors, and environment controls.

Perimeter

Includes firewalls using ACLs and securing the wireless network.

Data

Includes storing data properly, destroying data, classifying data, cryptography, and data transmission security.

Network

Includes the installation and configuration of switches and routers, implementation of VLANs, penetration testing, and virtualization.

Policies, Procedures, and Awareness

Includes user education, manageable network plans, and employee on-boarding and off-boarding procedures.

Layering

Layering involves implementing multiple security strategies to protect the same asset. Defense in Depth or Security in Depth is the premise that no single layer is completely effective in securing the assets. The most secure system/network has many layers of security and eliminates single points of failure (SPOF).

Need-to-Know

Need-to-Know describes the restriction of data that is highly sensitive and is usually referenced in government and military contexts. Important facts to know:
- Even if an individual is fully cleared, information is still not divulged to persons who simply don't need to know.
- Need to know discourages casual browsing of sensitive materials.
- In a classified environment, a clearance into a Top Secret compartment only allows access to certain information within that compartment. This is a form of mandatory access control (MAC).

Improperly Configured Accounts

Password length and complexity policies can help prevent attackers from gaining unauthorized access. But there are other account configurations that can increase security. Attackers know the default domain, service, and device accounts, their default passwords, and the default privileges assigned to them. If these accounts are left enabled and unchanged, they can be an entry point for adversaries. Also, accounts should be configured with the least amount of permissions and privileges needed to perform their duties. It is better to grant privileges later than to remove privileges after a security problem has occurred.

Randomness

Randomness in security is the constant change in personal habits and passwords to prevent anticipated events and exploitation.

Reconnaissance

Reconnaissance is the process of gathering information about an organization, including:
- System hardware information
- Network configuration
- Individual user information

Simplicity

Security measures should provide protection, but not be so complex that you do not understand and use them.

Separation of Duties

Separation of Duties is the concept of having more than one person required to complete a task. This is a preventive principle primarily designed to reduce conflicts of interest. It also prevents insider attacks because no one person has end-to-end control and no one person is irreplaceable. Important facts to know:
- System users should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest length of time possible.
- To achieve separation of duties, a business can use the principle of split knowledge. This means that no single person has total control of a system's security mechanisms.
- In cases of sensitive or high-risk transactions, a business can use two-man controls. This means that two operators must review and approve each other's work.

Social Engineering

Social Engineering is the process of manipulating others into giving you sensitive information, using tactics such as:
- Intimidation
- Sympathy

Stage

Staging a computer involves preparing it to perform additional tasks in the attack, such as installing software designed to attack other systems. This is an optional step.

AAA

The abbreviation for Authentication, Authorization, and Accounting.

Identification

The act of claiming an identity.

Separation of Duties

The concept of dividing a single task's responsibilities so that it cannot be completed without multiple people, thereby reducing conflicts of interest and insider attacks.

Principle of Least Privilege

The principle of least privilege states that users or groups are given only the access they need to do their job (and nothing more). Common methods of controlling access include:
- Implicit Deny - Users or groups who are not specifically given access to a resource are denied access. Weakest form of privilege control.
- Explicit Allow - Specifies the users or groups who have access. Moderate form of access control.
- Explicit Deny - Identifies users or groups who are not allowed access. Strongest form of access control; overrules all other privileges granted.

It is often easier to give a user access than to take away privileges that have already been granted. Access Recertification is the process of continually reviewing a user's permissions and privileges to make sure they have the correct level of access.

Authorization

The process of determining whether or not an authenticated user has permission to carry out a specific task or access a system resource.

Authentication

The process of proving an identity.

Accounting

The process of tracking the actions of an authenticated user.

Mutual Authentication

The process whereby two communicating entities authenticate with each other.

Need-to-Know

The restriction of data that is highly sensitive and is usually referenced in government and military contexts.

Weak Cipher Suites and Implementations

To secure data that is transferred across external paths, TLS/SSL makes use of one or more cipher suites. Old and outdated cipher suites, especially those with documented vulnerabilities, can allow attackers access to secret data. Weak encryption keys are more likely to fall to brute-force attacks.
