Selective text from CompTIA Security+ (all book)
92 Questions


Questions and Answers

    Which type of control is primarily designed to stop a security issue before it occurs?

      • Deterrent controls
      • Preventive controls (correct)
      • Corrective controls
      • Detective controls

    What is an example of a technical security control?

      • Burglar alarms
      • User access reviews
      • Firewalls (correct)
      • Periodic risk assessments

    Which of the following controls focuses on managing technology securely through processes?

      • Physical controls
      • Corrective controls
      • Operational controls (correct)
      • Preventive controls

    What is the purpose of deterrent controls?

    Answer: To prevent attackers from attempting violations

    Which type of control includes mechanisms like fences and locks?

    Answer: Physical controls

    Which control refers to remediation steps taken after a security issue has occurred?

    Answer: Corrective controls

    What is the primary purpose of compensating controls?

    Answer: To mitigate risks associated with exceptions to security policies

    Which of the following is NOT one of the criteria for a satisfactory compensating control according to PCI DSS?

    Answer: It must provide a unique technical solution

    What role do data loss prevention (DLP) systems play in an organization?

    Answer: They prevent data loss and breach by enforcing information handling policies

    How does agent-based DLP operate?

    Answer: It installs software agents on systems to search for sensitive information

    What is an example of a compensating control for an organization running an outdated operating system?

    Answer: Isolating the machine on a restricted network

    Which pair identifies the two environments in which DLP systems operate?

    Answer: Agent-based and agentless (network-based) DLP

    What is the primary purpose of data loss prevention (DLP) systems?

    Answer: To block and protect sensitive information transmissions

    Which technique is commonly used by DLP systems to identify sensitive information?

    Answer: Pattern matching

    What does the process of data obfuscation involve?

    Answer: Transforming data so the original information can't be retrieved

    What is a key vulnerability of using hashing for sensitive data?

    Answer: Rainbow table attacks can determine original values based on hashed values

    What is one potential limitation of using tokenization for sensitive data?

    Answer: The lookup table must be kept secure to prevent data breaches

    Which of the following best describes watermarking in the context of DLP systems?

    Answer: Applying electronic tags to sensitive documents for monitoring

    What is a primary goal of data minimization techniques?

    Answer: To reduce the amount of sensitive information retained

    Geographic access restrictions in data security are meant to:

    Answer: Limit data access based on user location

    What is one of the best methods for detecting a rootkit?

    Answer: Testing the suspected system from a trusted device

    Which technique is commonly used alongside signature detection for rootkit identification?

    Answer: Data validation against expected responses

    What is the most common recommendation for removing a rootkit when possible?

    Answer: Restore the system from a known good backup

    Which of the following is an example of behavior-based identification for rootkits?

    Answer: Creation of unauthorized executable files

    What aspect of modern computing has simplified the restoration process from rootkit infections?

    Answer: Widespread use of virtual machines and containers

    Which of the following is a common indicator of compromise (IoC) for rootkits?

    Answer: File hashes and signatures

    What distinguishes worms from Trojans in their method of spreading?

    Answer: Worms can spread automatically without user interaction.

    Which feature is commonly associated with remote access Trojans (RATs)?

    Answer: They provide attackers with remote access to systems.

    Which of the following indicates a common method through which botnets communicate with their command and control servers?

    Answer: Encrypted HTTP connections and IRC.

    What is a common indicator of compromise (IoC) for worms?

    Answer: Command and control contact with remote systems.

    Which of the following best describes spyware?

    Answer: Software designed to monitor user activity and report it.

    Why might false positives occur when using antimalware tools for remote access tools (RATs)?

    Answer: Legitimate tools can resemble malicious RAT behavior.

    What is a unique characteristic of Trojans compared to other types of malware?

    Answer: They mimic legitimate software to deceive users.

    What kind of information can spyware potentially target?

    Answer: Sensitive personal information and browsing habits.

    What is one of the primary ways that worms can spread across devices?

    Answer: By exploiting vulnerabilities in services without user action.

    Which term refers to the collection of compromised devices controlled by a central command?

    Answer: Botnet

    What is the main purpose of ransomware?

    Answer: To encrypt files and demand a ransom

    Which of the following is a common method of delivering ransomware?

    Answer: Phishing emails and links

    Which indicator is considered a sign of a ransomware attack?

    Answer: Command and control traffic

    What technique do malicious actors frequently use alongside ransomware attacks?

    Answer: Using legitimate tools unusually

    What action can ransomware take if a victim does not comply with the ransom demand?

    Answer: Report the victim to authorities

    Which behavior is NOT commonly associated with ransomware indicators of compromise?

    Answer: Telemetry data collection

    What type of malware specifically requires a ransom to restore access to encrypted files?

    Answer: Ransomware

    What is an example of ransomware that encrypts files?

    Answer: Crypto malware

    What primary method does malicious software use to spread and gain access to systems?

    Answer: Exploiting flaws in software and web browsers

    What is the main purpose of a keylogger?

    Answer: To capture user input for malicious purposes

    Which characteristic distinguishes logic bombs from other types of malware?

    Answer: Condition-based activation

    Which technique is NOT commonly used to analyze malware?

    Answer: Network behavior analysis

    What is one common keylogger IoC (indicator of compromise)?

    Answer: Unusual file hash signatures

    What method can help mitigate the impact of a keylogger?

    Answer: Using multifactor authentication

    How do rootkits typically conceal themselves from detection?

    Answer: By infecting the Master Boot Record

    What type of malware collects user input through various methods including keyboard strokes?

    Answer: Keyloggers

    In the context of malware, what does IoC stand for?

    Answer: Indicators of Compromise

    What is the typical goal of a logic bomb embedded in software?

    Answer: To invoke a function when certain conditions are met

    What is the main goal of spyware despite its various propagation methods?

    Answer: To gather information about a user or system

    What is a characteristic of bloatware compared to other types of malicious software?

    Answer: It is usually poorly written but not malicious.

    Which of the following best describes how computer viruses spread?

    Answer: By requiring specific activation mechanisms to spread

    What distinguishes a memory-resident virus from a non-memory-resident virus?

    Answer: Non-memory-resident viruses execute, spread, and terminate.

    What type of software installation may include spyware disguised as a useful tool?

    Answer: Installer packages for applications

    Which of the following is a common practice to combat spyware in organizations?

    Answer: Implementation of user awareness and control measures

    What might be a potential consequence of having bloatware installed on a system?

    Answer: Increased risk of system vulnerabilities

    Which type of virus resides specifically in the boot sector of a drive?

    Answer: Boot sector virus

    What is a primary focus of mitigation techniques for spyware?

    Answer: Awareness and control of software on devices

    Which type of virus uses macros or code within software like word processors to propagate?

    Answer: Macro virus

    What is spear phishing primarily designed to target?

    Answer: Specific individuals or groups in an organization

    Which technique is commonly used to detect phishing emails?

    Answer: Keyword and text pattern matching

    What is the primary method used in vishing to deceive victims?

    Answer: Voice or voicemail messages

    Which form of phishing targets high-level executives specifically?

    Answer: Whaling

    What is a key strategy to reduce the risk of successful phishing attacks?

    Answer: Raising awareness and education among staff

    What is the primary intention behind vishing scams that ask for funds?

    Answer: Executing wire fraud

    What type of phishing uses SMS messages to deceive victims?

    Answer: Smishing

    What is commonly employed as a preventive measure against phishing attacks?

    Answer: Filtering tools with reputation systems

    What is a common characteristic of vishing attacks?

    Answer: They often present themselves as authorities to extract information.

    Which technique is primarily used in smishing attacks?

    Answer: Utilizing text messages to prompt users to click on links.

    How does misinformation differ from disinformation?

    Answer: Misinformation is often based on mistakes, while disinformation is fabricated to influence public opinion.

    In the context of social engineering, what does impersonation involve?

    Answer: Pretending to be another person to achieve goals.

    What is a common method used for business email compromise (BEC)?

    Answer: Employing similar-sounding domain names to mislead victims.

    What is the primary goal of pretexting in social engineering?

    Answer: To create a convincing narrative that justifies an approach.

    Which of the following is NOT a method used in smishing attacks?

    Answer: Sending infected file attachments via text.

    What might be a motive behind disinformation campaigns conducted by organizations?

    Answer: To influence public opinion for political or financial gain.

    Which tactic can enhance the effectiveness of impersonation in social engineering?

    Answer: Leveraging a sense of urgency to prompt quick action.

    What is a potential consequence of identity fraud?

    Answer: Loss of personal reputation and financial resources.

    What is the main objective of pretexting in impersonation attacks?

    Answer: To make the impersonator appear more believable.

    How do attackers typically conduct a watering hole attack?

    Answer: By compromising frequently visited websites.

    In brand impersonation attacks, what is a common tactic used to deceive targets?

    Answer: Sending emails that appear to come from a trusted brand.

    What distinguishes a typosquatting attack from pharming?

    Answer: Typosquatting exploits mistyped URLs, while pharming changes DNS settings.

    What defines a password spraying attack?

    Answer: Employing a single or few common passwords across many accounts.

    Which method is NOT typically associated with brute-force password attacks?

    Answer: Sending phishing emails to gather passwords directly.

    What is the primary characteristic of dictionary attacks in password cracking?

    Answer: They rely on a predefined list of common words.

    Which attack exploits the tendency of users to mistype URLs?

    Answer: Typosquatting

    What role does malware often play in brand impersonation attacks?

    Answer: To attach itself to phishing emails for malicious actions.

    What is a primary goal of pretexting in social engineering attacks?

    Answer: To establish a false sense of trust.

    Study Notes

    Security Control Categories

    • Security controls are categorized by their mechanism of action: technical, operational, managerial, and physical.
    • Technical Controls: Enforce confidentiality, integrity, and availability using tools like firewalls, access control lists, intrusion prevention systems, and encryption.
    • Operational Controls: Focus on processes for secure technology management, including user access reviews, log monitoring, and vulnerability management.
    • Managerial Controls: Procedural mechanisms for risk management, involving periodic risk assessments, security planning, and integrating security into organizational practices.
    • Physical Controls: Protect the physical environment through measures such as fences, locks, perimeter lighting, fire suppression systems, and burglar alarms.

    Security Control Types

    • Preventive Controls: Aim to prevent security issues before they occur, e.g., firewalls and encryption.
    • Deterrent Controls: Discourage attempts to violate security policies, such as guard dogs and barbed wire fences.
    • Detective Controls: Identify events that have already occurred, like intrusion detection systems.
    • Corrective Controls: Remediate issues post-occurrence, e.g., restoring backups after ransomware attacks.
    • Compensating Controls: Mitigate risks from exceptions to security policies, providing alternative means to achieve security objectives.
    • Directive Controls: Inform individuals of their responsibilities in achieving security, such as documented policies and procedures.

    Exploring Compensating Controls

    • PCI DSS outlines criteria for satisfactory compensating controls: align with original requirements, provide equivalent defense, and exceed other PCI DSS requirements.
    • Organizations may isolate outdated systems on separate networks to fulfill compensating controls while managing security risks.
    • Compensating controls are often used as a temporary measure until compliance with original controls can be restored.

    Data Loss Prevention (DLP)

    • DLP systems enforce information handling policies to prevent unauthorized data access and theft.
    • Agent-Based DLP: Utilizes installed software agents to search for sensitive information, monitor user actions, and block unauthorized data removal.
    • Agentless DLP: Monitors network traffic for sensitive data transmissions and can block or encrypt outgoing information.
    • Mechanisms of action include Pattern Matching to identify sensitive data formats and Watermarking to track documents containing sensitive tags.

    Data Minimization Techniques

    • Aim to reduce risk by minimizing sensitive information retained by organizations.
    • Destroy data when it is no longer required, or deidentify it to reduce sensitivity.
    • Data Obfuscation Methods:
      • Hashing: Converts data to a hash value using a secure function, though hash vulnerabilities exist (rainbow table attacks).
      • Tokenization: Replaces sensitive data with a unique identifier linked to a secure lookup table.
      • Masking: Partially redacts sensitive information for confidentiality.

    Access Restrictions

    • Limit individuals' access to sensitive information and resources through geographic and permission restrictions.
    • Geographic Restrictions: Control access based on users' physical location, preventing unauthorized external access.
    • Permission Restrictions: Regulate access based on user roles, ensuring only trained and vetted personnel access sensitive data.

    Malware Overview

    • Malware refers to harmful software intended to damage, disrupt, or gain unauthorized access to systems, networks, or users.
    • Includes various types, each with distinct characteristics and behaviors.
    • The Security+ exam objectives cover how to identify and combat common malware types.

    Ransomware

    • Ransomware demands payment to restore access to compromised files.
    • Types include crypto malware, which encrypts data; ransomware campaigns may also threaten victims with law enforcement action or exposure of their data.
    • Phishing is a common delivery method, alongside direct attacks on services like Remote Desktop Protocol.
    • Indicators of compromise (IoCs) include:
      • Command and control traffic to malicious IPs.
      • Unusual use of legitimate tools for maintaining system control.
      • File encryption notifications demanding ransom.

    Trojans

    • Trojans disguise themselves as legitimate software to trick users into installation.
    • Examples include Remote Access Trojans (RATs), which provide unauthorized remote control.
    • IoCs often seen with Trojans include:
      • Malware signatures and suspicious hostnames.
      • Creation of unauthorized files on devices.
    • Combating Trojans involves user training and the use of antimalware and endpoint detection tools.

    Bots, Botnets, and Command and Control

    • Botnets consist of multiple infected systems controlled remotely.
    • Command and control servers issue directives to bots, often using encrypted communications.
    • Identifying C&C communications is crucial to prevent network compromise.

    Worms

    • Worms self-replicate and spread without user interaction, exploiting vulnerabilities in networks or services.
    • Distribution methods include email attachments and network shares.
    • Common IoCs include:
      • Known malicious files or additional component downloads.
      • Unusual system command behaviors and unauthorized user activities.

    Spyware

    • Spyware collects personal or organizational data, often targeting sensitive information.
    • Can monitor browsing habits or provide unauthorized access to devices.
    • Common indicators include:
      • Unusual processes disguised as legitimate applications.
      • Remote-access indicators and injection attacks on browsers.
    • Mitigation focuses on awareness and the use of antimalware tools.

    Bloatware

    • Bloatware describes pre-installed, unwanted applications on new devices, which may not be harmful but can slow performance.
    • Removal strategies involve uninstalling or using clean OS images.
    • Not typically associated with IoCs but can contribute to security vulnerabilities.

    Viruses

    • Viruses replicate by attaching to legitimate programs and require user actions to spread.
    • Types include memory-resident, macro, and boot sector viruses.
    • Fileless viruses operate through memory and exploit system flaws.
    • Effective detection requires attention to specific behavior patterns.

    Keyloggers

    • Keyloggers capture user input data, including keystrokes and other interactions.
    • They can work through various methods, such as capturing data from memory or using scripts.
    • Mitigation strategies include standard security practices and multi-factor authentication.

    Logic Bombs

    • Logic bombs are hidden within other software and activate upon meeting specific conditions.
    • They are rare and often require thorough code analysis for detection.

    Analyzing Malware

    • Techniques for malware analysis include online tools like VirusTotal, sandbox environments, and manual code inspection.
    • Tools can extract artifacts from malware to aid in understanding its purpose and functionality.

    Rootkits

    • Rootkits provide backdoor access to compromised systems and hide their presence through various techniques.
    • Detection is difficult because a compromised system cannot be trusted to report on itself, so scans should be run from a trusted device.
    • Common IoCs include suspicious file behavior, command invocations, and unusual network traffic.
    • Removal often necessitates system rebuilding or restoring from backups due to complexity.

    Conclusion

    • Understanding various malware types and their indicators is crucial for cybersecurity.
    • Proactive measures, awareness training, and robust detection tools play key roles in defending against malware threats.

    Phishing

    • Phishing involves fraudulent attempts to acquire sensitive information such as usernames, passwords, and credit card details, primarily through email.
    • Smishing refers to phishing conducted through SMS (text messages), while vishing is carried out via phone calls.
    • Spear phishing targets specific individuals or groups, aiming to gather sensitive information, whereas whaling focuses on senior executives like CEOs or CFOs.

    Defense Mechanisms

    • Awareness training for employees plays a crucial role in mitigating phishing risks.
    • Periodic exercises can enhance recognition and response to phishing attacks.
    • Technical defenses include reputation tools, keyword matching, and techniques to detect phishing emails, calls, or texts.

    Vishing

    • Vishing uses voice or voicemail messages to trick individuals into revealing personal or financial information.
    • Common vishing scams include requests for help from relatives, tax-related frauds, and threats involving law enforcement.
    • Urgency is often emphasized to manipulate victims into compliance.

    Smishing

    • Smishing relies on enticing recipients to click on malicious links in text messages.
    • Links may lead to fake websites for credential harvesting, malware downloads, or phishing for multifactor authentication (MFA) input.

    Misinformation and Disinformation

    • Online campaigns for manipulating public opinion have increased, particularly during significant political events like the 2016 and 2020 U.S. elections.
    • Misinformation is inaccurate information resulting from mistakes, while disinformation is intentionally false information designed to mislead.

    Impersonation

    • Impersonation is a tactic used in social engineering, allowing attackers to gain trust and access information.
    • Identity fraud involves the unauthorized use of someone's identity, often for financial gain, but may also be used in penetration testing scenarios.

    Business Email Compromise (BEC)

    • BEC involves scams using legitimate-looking email addresses for fraud, including invoice scams and account compromise.
    • Techniques include using compromised accounts, spoofing emails, and fake domain creation.

    Pretexting

    • Pretexting entails creating a fictitious scenario to justify communication with a target, often enhancing impersonation credibility.
    • Verification steps by aware users can thwart such attempts.

    Watering Hole Attacks

    • Attackers compromise frequently visited websites to target specific victims, leveraging high traffic to deploy attacks.

    Brand Impersonation

    • Brand spoofing uses emails that mimic legitimate brands to deceive users into revealing passwords or making payments.
    • Common tactics include utilizing familiar logos and email templates.

    Typosquatting and Pharming

    • Typosquatters exploit common misspellings in URLs to trap users, potentially redirecting them to malicious sites.
    • Pharming manipulates DNS settings to reroute users to lookalike sites, similar to typosquatting but using more sophisticated methods.

    Password Attacks

    • Various methods exist for attacking passwords, including brute-force and dictionary attacks.
    • Brute-force attacks attempt all password combinations, while password spraying uses a small set of common passwords across multiple accounts.
    • Dictionary attacks employ lists of common words, with tools like John the Ripper assisting in password cracking.

    Description

    Test your knowledge on the different categories of security controls, including technical and operational controls. This quiz will help you understand the mechanisms behind enforcing confidentiality, integrity, and availability in cybersecurity. Explore examples to solidify your understanding of security mechanisms.
