Computer Security: Vulnerabilities, Threats & Cyber Attacks
29 Questions

Questions and Answers

In the context of an attack lifecycle, what is the primary goal of the 'Establish Foothold' stage?

  • To escalate privileges to domain administrator level.
  • To perform internal reconnaissance and map network shares.
  • To gain initial access to a system within the network.
  • To ensure persistent remote access to a compromised system. (correct)

An attacker successfully uses a SQL injection attack. According to the text, which stage of the attack lifecycle does this correspond to?

  • Maintain Presence
  • Initial Compromise (correct)
  • Complete Mission
  • Escalate Privileges

During an investigation, analysts discover multiple backdoor variants from different families on a compromised system. Which attack lifecycle stage were the attackers most likely focusing on?

  • Escalate Privileges
  • Maintain Presence (correct)
  • Internal Reconnaissance
  • Move Laterally

An attacker pivots from JMPSRV to MAIL to gain internet access. What attack lifecycle stage leverages compromised systems to access other restricted assets in a network?

Answer: Move Laterally

An attacker dumps password hashes and cracks domain administrator credentials. What attack lifecycle stage do these actions represent?

Answer: Escalate Privileges

Which type of control is exemplified by the use of security policies that dictate how employees handle sensitive data?

Answer: Procedural controls

A company decides to implement a system that automatically redirects network traffic away from a server experiencing a denial-of-service attack. This measure is an example of which type of control?

Answer: Deflection control

A security team discovers that an attacker has been attempting to exploit a vulnerability in their web application. They immediately deploy a patch to fix the vulnerability. Which type of harm management are they employing?

Answer: Prevention

In 'Case Study #1', what initial vulnerability did the attacker exploit to gain access to the small business unit's systems?

Answer: A Structured Query Language (SQL) injection vulnerability on WEB1

Using multiple layers of security controls to protect against a single threat is known as what?

Answer: Defense in depth

Following the initial SQL injection in 'Case Study #1', what action did the attacker take to ensure continued access to the corporate environment?

Answer: Implanted a backdoor

Which of the following is an example of a technical control?

Answer: Using encryption to protect sensitive data at rest

In 'Case Study #1', what was the primary purpose of the keystroke-logging malware installed by the attacker?

Answer: To capture user credentials and sensitive information

Which capability was NOT attributed to the BKDOOR malware?

Answer: Directly exfiltrating stolen data via FTP

What security measure did the attacker bypass to access sensitive financial data?

Answer: Network segmentation enforced by firewalls

What information did the attacker target in order to extend their access within the network?

Answer: Usernames and passwords

What was the significance of the jump server (JMPSRV) in the attacker's strategy?

Answer: It was the only system authorized to access the restricted segment of the network containing sensitive financial data

Which encryption algorithm did the BKDOOR malware use to protect its command-and-control communications?

Answer: RC4

What type of data was the attacker primarily interested in stealing from the financial environment?

Answer: Credit and debit card information (PCI data)

Which of the following scenarios represents a compromise of integrity in a computer system?

Answer: A disgruntled employee intentionally modifies financial records to misrepresent the company's financial status

How did the attacker configure the BKDOOR malware instances to communicate with the PROXY malware?

Answer: By directly connecting to the PROXY malware listening on TCP port 88 on JMPSRV

What is the relationship between vulnerability, threat, and attack?

Answer: A threat exploits a vulnerability to execute an attack

What technique did the BKDOOR malware employ to maintain persistence on compromised systems?

Answer: DLL search order hijacking

An attacker requires method, opportunity, and motive to launch a successful attack. Which of the following scenarios demonstrates the removal of opportunity as a factor?

Answer: Applying security patches to eliminate known software vulnerabilities

Which of the following best describes the purpose of risk management in computer security?

Answer: To determine which threats to mitigate and allocate resources for protection

Which of the following scenarios primarily demonstrates a violation of confidentiality?

Answer: An employee accidentally sends a spreadsheet containing sensitive salary information to an unauthorized recipient

Consider a scenario where a company's database is encrypted to protect sensitive information. Which security goal is most directly addressed by this measure?

Answer: Confidentiality

A hospital uses a complex authentication system to allow doctors access to patient records from remote locations. Despite this, a doctor's account is compromised, and patient data is leaked. Which security principle was most likely poorly implemented or circumvented?

Answer: Confidentiality

A company implements redundant servers and backup power systems to ensure that its critical applications remain accessible even during outages. Which security goal is being primarily addressed?

Answer: Availability

Flashcards

Computer Security

Protection of computer assets (hardware, software, data) that you value.

Vulnerability

A weakness in a system's design, implementation, or procedures that can be exploited.

Threat

Circumstances that COULD cause loss or harm to a computing system/asset.

Harm

The negative consequence of a threat being realized.

Attack

Exploiting a vulnerability to cause harm to a system/asset.

Confidentiality

Ensuring data is viewed only by authorized parties.

Integrity

Ensuring data is modified only by authorized parties and methods.

Availability

Ensuring authorized parties can use an asset when needed.

Control (Countermeasure)

A protection measure that prevents threats from exploiting vulnerabilities.

Preventative Control

Blocking an attack or fixing a vulnerability to stop harm from occurring.

Deterrent Control

Discouraging an attack by making it more difficult, but not impossible.

Deflective Control

Redirecting an attack to a less valuable target.

Mitigative Control

Reducing the severity of an attack's impact after it occurs.

Detective Control

Discovering an attack as it happens or after it has occurred.

Physical Controls

Using tangible objects to stop or block an attack.

Procedural/Administrative Controls

Using commands or agreements that instruct people how to act for security.

Initial Compromise

Gaining initial access to a target system or network.

Establish Foothold

Establishing a persistent remote access to a compromised system.

Escalate Privileges

Obtaining higher-level privileges on a compromised system.

Internal Reconnaissance

Exploring the internal network and gathering information about systems and resources.

Move Laterally

Moving from one compromised system to other systems within the network.

BKDOOR Malware

Malware that allowed attackers to modify the binary, control the victim system, upload/download files, tunnel traffic, and proxy network traffic.

RC4 Algorithm

An encryption algorithm used by BKDOOR to encrypt its command-and-control communications.

C2 Server

Servers controlled by attackers, typically outside the victim environment, used to send commands to and receive data from malware.

DLL Search Order Hijacking

A technique used by BKDOOR malware to maintain persistence on a system.

PROXY Malware

Malware used to proxy connections to specified destinations.

Jump Server (JMPSRV)

A tightly controlled system that is the only one allowed to access sensitive resources.

PCI Data

Data containing credit and debit card information.

Attacker's Strategy

Used BKDOOR malware on systems to communicate with PROXY malware listening on TCP port 88 on JMPSRV.

Study Notes

Introduction to Computer Security

  • Computer security protects computer assets or systems that are valued.
  • Security protection is required for hardware, software, and data contained in computer systems because they have value.

Key Concepts: Vulnerabilities, Threats, and Controls

  • A vulnerability is a weakness that can be exploited to cause loss or harm in a system's procedures, design, or implementation.
  • A threat is a set of circumstances with the potential to cause loss or harm to a computing system.
  • Potential harm to assets can be assessed by examining possible negative events and their causes.
  • Risk management involves choosing threats to control and allocating resources for protection.
  • Harm is the negative consequence of a threat becoming real and being actualized.

Cyber Attackers

  • An attack on a system is perpetrated by a human exploiting a vulnerability.
  • An attack can also be launched by another system.
  • To be successful, a malicious attacker requires a method, an opportunity, and a motive.
  • An attack can be prevented by denying the attacker any one of the three: the method, the opportunity, or the motive.
  • Attackers include terrorists, hackers, organized crime members, and individuals.

Security Goals

  • Confidentiality ensures only authorized parties can view an asset.
  • Integrity ensures an asset is modified only by authorized parties.
  • Availability ensures authorized parties can use an asset.

Controls

  • A control, or countermeasure, is a protective measure applied to a vulnerability so that a threat cannot exploit it.
  • Harm can be dealt with by preventing, deterring, deflecting, mitigating, detecting, or recovering from its effects.

Types of Security Controls

  • Physical controls: use tangible means to stop or block an attack, such as fences, locks, guards, sprinklers, and fire extinguishers.
  • Procedural or administrative controls: use commands or agreements to influence behavior, like laws, regulations, policies, procedures, guidelines, copyrights, patents, and contracts.
  • Technical controls: counter threats with technology such as hardware and software, including passwords, access controls, network protocols, firewalls, intrusion detection systems, encryption, and network traffic flow regulators.
  • Overlapping controls, usually drawn from more than one class, provide defense in depth: a single threat has to get past several layers of protection rather than one.

Attack Lifecycle

  • Common phases: initial compromise, establish foothold, escalate privileges, internal reconnaissance, move laterally, maintain presence, and complete mission.

Case Study #1: Show Me the Money

  • In early January, the attacker exploited a SQL injection vulnerability in a web page hosted on WEB1.
  • WEB1 sat in a demilitarized zone (DMZ) belonging to a small business unit.
  • Exploiting the vulnerability let the attacker execute commands on the backend database system, DB1.
  • Within a week of gaining internal access, the attacker implanted a backdoor.
  • The backdoor gave access to the corporate environment without the need to repeat the SQL injection.
  • The attacker extracted and cracked the password hash of DB1's local administrator account, which gave local administrative access to the majority of systems in the environment (the same local administrator password was evidently in use across those systems).
  • After a period of reconnaissance, the attacker installed keystroke-logging malware.
  • By mid-February the attacker had 20 or more backdoors in place.
  • The BKDOOR malware family could be modified to evade antivirus detection, and supported file upload and download, Remote Desktop Protocol (RDP) tunneling, and network traffic proxying.
  • BKDOOR encrypted its command-and-control (C2) traffic with the RC4 algorithm; the C2 server sat outside the victim's environment, under the attacker's control.
  • BKDOOR maintained persistence via DLL search order hijacking.
  • A second malware family, PROXY, proxied connections to a specified destination.
  • The attacker targeted usernames, passwords, network architecture data, and other IT data.
  • The attacker gathered information on how the company managed financial data in order to plan the next course of action.
  • The attacker exfiltrated data over outbound FTP and also transferred data to the backdoor's C2 server.
  • In June the attacker discovered JMPSRV, a jump server: a tightly restricted system that was the only path by which system administrators could reach the network segment handling all of the financial information.
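The RC4-protected C2 channel is the part of the case study an analyst can do something with once the sample is in hand. The block below is an added example, not code from the page or from BKDOOR: it implements RC4 (KSA and PRGA), decrypts a constructed beacon with an assumed key standing in for one recovered from the binary, and shows the caveat a practitioner cares about. A backdoor that uses one static key with no per-message nonce reuses the same keystream for every message, so a single known plaintext exposes the others without the key at all. The key, beacon format and hostnames below are assumptions; the page gives none of BKDOOR's real protocol.

```python
# Added example (not the page's or BKDOOR's code): RC4 as a backdoor C2 cipher,
# and what a recovered key or a reused keystream lets an analyst do with
# captured traffic. Key and beacon format are assumptions for illustration.

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is its own inverse (output = data XOR keystream)."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Two ciphertexts under the same key share one keystream, so
    c1 XOR c2 == p1 XOR p2 and p2 = c1 XOR c2 XOR p1. No key needed."""
    return xor_bytes(xor_bytes(c1, c2), p1)


ASSUMED_C2_KEY = b"example-c2-key"   # hypothetical; stands in for a key pulled from the sample

# Constructed beacons, standing in for check-ins from two infected hosts.
BEACON_1 = b"BEACON host=DB1 user=Administrator"
BEACON_2 = b"BEACON host=JMPSRV user=svc_backup"


def demo():
    c1 = rc4(ASSUMED_C2_KEY, BEACON_1)
    c2 = rc4(ASSUMED_C2_KEY, BEACON_2)
    return {
        # With the key recovered from the binary, captured C2 traffic decrypts directly.
        "decrypted_1": rc4(ASSUMED_C2_KEY, c1),
        # Without the key: one static key and no nonce means one keystream for
        # every message, so knowing one beacon reveals the other.
        "recovered_2": recover_second_plaintext(c1, c2, BEACON_1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The second result is the reason detection engineers like static-key RC4 malware: once one beacon's plaintext is known (a fixed banner, a hostname seen in the logs), the rest of the stream under that key falls out with XOR arithmetic, and the encryption offers the attacker no real protection against a defender who captured the traffic.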

Initial Compromise

  • The attacker exploited a SQL injection vulnerability in a web page on WEB1 to execute commands on the backend database server, DB1.
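The initial compromise in miniature, as an added example that is not the page's code and not the real query from WEB1. A lookup that pastes user input into the SQL text is shown beside the parameterized form that closes the hole; two constructed attacker inputs turn the first into a tautology and into a UNION that reads the password column (the usernames and passwords the case-study attacker went after). The table, rows and inputs are constructed for the example and run against an in-memory SQLite database.

```python
# Added example (not the page's code): a SQL-injectable lookup next to its
# parameterized fix, exercised with constructed attacker inputs.
import sqlite3

# Constructed sample data standing in for a table behind the vulnerable page.
SAMPLE_USERS = [
    ("alice", "s3cret-A", "staff"),
    ("bob", "s3cret-B", "staff"),
    ("dbadmin", "s3cret-C", "admin"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    # Vulnerable: `name` becomes part of the SQL text, so a quote inside it
    # ends the string literal and whatever follows is parsed as SQL.
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    # Hardened: the SQL text is fixed; the value is bound as a parameter and
    # is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker inputs. The first makes the WHERE clause always true;
# the second appends a UNION that returns the password column, and `--`
# comments out the trailing quote the application adds.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, password FROM users --"


def demo():
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "union_vuln": lookup_vulnerable(conn, UNION_DUMP),
        "union_safe": lookup_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} {rows}")
```

The vulnerable lookup returns every row for the tautology and every credential pair for the UNION; the parameterized lookup returns nothing for either, because no row is literally named `x' OR '1'='1`. On the real DB1 the injection went further, to command execution, which is a reminder that the database account the web page uses is a second layer: parameterize the query, and also give that account no more than the rights the page needs.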

Establish Foothold

  • The attacker ensures remote access to a recently compromised system.
  • Backdoor malware was established on a system within the internal environment.

Escalate Privileges

  • The attacker dumped password hashes and cracked them to obtain domain administrator access.

Internal Reconnaissance

  • The attackers manually explored local user directories.

Move Laterally

  • The attacker leveraged RDP connections, mapped network shares, and interacted with backdoors.
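The pivot through JMPSRV leaves a distinctive shape in connection logs: PROXY listened on TCP port 88, a port that legitimately only domain controllers answer (Kerberos), so several internal hosts talking to port 88 on a jump server is a cheap, high-signal hunt. The block below is an added example, not the page's code or any product's rule: it parses constructed flow-log lines, skips malformed ones, and reports every non-DC host receiving port-88 connections together with the sources converging on it. The log format, the timestamps, the DC list and the hostnames other than DB1 and JMPSRV are assumptions.

```python
# Added example (not the page's code): hunting the case study's PROXY-on-a-jump-server
# pattern, "TCP/88 to a host that is not a domain controller", in flow logs.
# Log format, timestamps, the DC list and most hostnames are constructed.
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)$"
)

KERBEROS_PORT = 88
DOMAIN_CONTROLLERS = {"DC1"}   # assumed: the only hosts that should ever answer on 88

# Constructed sample: legitimate Kerberos to DC1, an admin's RDP session into the
# jump server, three BKDOOR implants calling PROXY on JMPSRV:88, and one bad line.
SAMPLE_LOG = """\
2015-06-12T03:14:07Z FIN-POS1 -> DC1:88 tcp
2015-06-12T03:14:09Z FIN-POS1 -> JMPSRV:88 tcp
2015-06-12T03:15:30Z FIN-DB2 -> JMPSRV:88 tcp
2015-06-12T03:16:02Z ADMIN-WS -> JMPSRV:3389 tcp
2015-06-12T03:16:40Z DB1 -> DC1:88 udp
2015-06-12T03:17:11Z DB1 -> JMPSRV:88 tcp
this line is malformed and must be skipped rather than abort the hunt
""".splitlines()


def parse_flow(line: str) -> Optional[Flow]:
    """Return a Flow, or None for lines that do not match the expected format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def rogue_kerberos_listeners(lines, dcs=DOMAIN_CONTROLLERS) -> Dict[str, List[str]]:
    """Map each non-DC host that receives port-88 connections to the sorted list
    of distinct sources talking to it. Fan-in from several hosts onto one
    non-DC on 88 is the proxy/pivot shape from the case study."""
    hits = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None or f.dport != KERBEROS_PORT:
            continue
        if f.dst not in dcs:
            hits[f.dst].add(f.src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    for dst, srcs in rogue_kerberos_listeners(SAMPLE_LOG).items():
        print(f"port 88 open on non-DC host {dst}; sources: {', '.join(srcs)}")
```

The rule is deliberately narrow. A jump server is supposed to see inbound RDP from administrator workstations, so that traffic is left alone; what it should never see is internal hosts, least of all ones in the financial segment, opening connections to it on a port that belongs to the domain controllers.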

Maintain Presence

  • The attacker implanted backdoors from different malware families.
  • Each family operates differently, so detecting and removing one of them does not cost the attacker access.

Complete Mission

  • The attacker stole the cardholder data.

Related Documents

Cybersecurity Principles (PDF)

Description

Explore computer security fundamentals including vulnerabilities, threats, and controls. Learn how vulnerabilities can be exploited, threats can cause harm, and the role of risk management in protection. Understand the nature and actors involved in cyber attacks on computer systems.
