10 Questions
What type of person might have restricted access to grounds, network, or system?
Service technician, pizza delivery driver, or security guard
What is the primary goal of dumpster diving?
To find medical records, resumes, and personal information
What is the main purpose of shoulder surfing?
To steal sensitive data by watching over the shoulder
What is the main difference between phishing attacks and baiting?
Baiting offers free items, while phishing attacks ask for login credentials
How often should users receive social engineering attack training?
Bi-annually
Why should users avoid opening emails in the spam folder?
They may contain malware
What is the goal of malicious emails with password-protected archives?
To encourage users to open malicious attachments
What is the weakest link in social engineering attacks?
Humans
What is the purpose of training users about social engineering attacks?
To make users aware of the latest attacks
What is the goal of baiters who offer free music or movie downloads?
To compromise users' security
Study Notes
Privilege Escalation
- Begins by stealing one user's account, then attempting to gain elevated access to other resources
- Can use transitive attacks to gain additional access, exploiting permissions on one system to access another
- Insider threats, such as members of an organization's staff, can also use privilege escalation attacks
Zero-Day Attacks
- Occur before a vulnerability is announced or fixed
- No patch is available for a zero-day exploit when it occurs
- Can quickly compromise hundreds or thousands of systems
- Examples of zero-day libraries include the Zero-Day Vulnerability Database (zero-day.cz)
Identifying Types of Cyber Attacks
- Types of cyber attacks include:
  - Client-side Attacks
  - Web Attacks
  - Network Attacks
  - Wireless Attacks
  - Social Engineering Attacks
Web Attacks
- Common attacks include:
  - Cross-Site Scripting (XSS)
  - SQL Injection
- XSS exploits web application vulnerabilities, injecting scripts into webpages served to visitors
- SQL Injection is a common attack against web applications, injecting Structured Query Language (SQL) instructions into an application's input
Network Attacks
- Attacks that occur on the network during transmission of data
- Types of attacks include:
  - Spoofing
  - Packet Sniffing
  - Man-in-the-middle (MITM)
  - Denial of Service Attacks
Spoofing
- Providing false information on a network, such as email spoofing
- Can be used to gain restricted access to a system or network
Social Engineering
- Includes attacks such as:
  - Dumpster Diving (looking for sensitive information in trash)
  - Shoulder Surfing (watching someone enter sensitive data)
  - Baiting (offering free items or goods in exchange for login credentials)
Dealing with Social Engineering Attacks
- Do not open emails from unknown sources or attachments from unknown origin
- Train humans to be aware of the latest attacks through bi-annual training sessions
- Recognize and avoid malicious emails with password-protected archives
Learn about privilege escalation attacks, where an attacker gains elevated access to resources by exploiting existing privileges. This includes transitive attacks, where access to one system is used to gain access to another trusted system.