2.1 to 2.5  objectives
65 Questions
Questions and Answers

Which motivation is primarily driven by the desire to take revenge on a perceived wrongdoing?

  • Financial Gain
  • Espionage
  • Ethical Reasons
  • Revenge (correct)

What term describes attacks conducted due to attackers' philosophical or political beliefs?

  • Ransomware
  • Espionage
  • Hacktivism (correct)
  • Data Exfiltration

Which motivation involves the unauthorized transfer of sensitive information from a computer?

  • Data Exfiltration (correct)
  • War
  • Service Disruption
  • Financial Gain

Service disruption can serve several fundamental purposes; which of the following is NOT one of them?

Answer: Improving security

What motivation involves using cyber attacks for strategic military objectives?

Answer: War

What is the primary goal of blackmail attacks?

Answer: To extort money or concessions from victims

Which of the following methods is commonly used in blackmail attacks?

Answer: Threats to release sensitive information

Which type of information is typically at risk during a blackmail attack?

Answer: Sensitive personal information

What is the term for phishing campaigns that use impersonation via messages to extract sensitive information from victims?

Answer: Smishing

Which method involves embedding malicious code within an image file to execute an attack?

Answer: Image-based threat vector

Which threat vector is characterized by malware being disguised as legitimate files sent through various channels?

Answer: File-based threats

What method involves leaving a malware-infected device in a location for a target to find and use?

Answer: Baiting

What attack technique exploits vulnerabilities in Bluetooth technology to take control of devices?

Answer: BlueBorne

Which of the following describes the type of attack that can send a specially crafted packet to deny service to a Bluetooth device?

Answer: BlueSmack

What is a significant risk associated with unsecure wireless networks?

Answer: Unauthorized interception of communications

Which type of threat is NOT typically associated with removable devices?

Answer: Email phishing

What is the primary concern associated with third-party vendor risks?

Answer: Impact on integrity and data security

Which type of vulnerability involves the absence of cybersecurity protocols?

Answer: Operational Vulnerabilities

What is a critical step in the vendor assessment process?

Answer: Pre-partnership assessment

What is a significant risk posed by secondary or aftermarket sources for hardware acquisition?

Answer: Potential for counterfeit or tampered devices

Which of the following considerations is essential when evaluating managed service providers (MSPs)?

Answer: Historical performance and commitment to security

What type of attack focuses on exploiting vulnerabilities in suppliers or service providers to compromise more secure systems?

Answer: Supply Chain Attacks

Which of the following should be assessed to ensure data security when working with software providers?

Answer: Correct licensing and known vulnerabilities

What kind of agreements can provide specific safeguards between businesses and vendors?

Answer: Non-disclosure Agreements (NDAs)

What is the primary aim of the federal statute related to semiconductor research and manufacturing?

Answer: To enhance the domestic supply chain and reduce reliance on foreign semiconductors

Which of the following best describes the purpose of vendor due diligence?

Answer: To evaluate vendor cybersecurity and supply chain practices

How does penetration testing contribute to cybersecurity practices in supply chains?

Answer: It simulates cyberattacks to identify vulnerabilities in supplier systems

What is the significance of incorporating a right-to-audit clause in contracts with vendors?

Answer: It ensures organizations can evaluate the vendor's compliance with standards

What role do independent assessments play in vendor evaluation?

Answer: They are assessments without any stakeholder interests, providing unbiased evaluations

What is the primary focus of supply chain analysis in the context of cybersecurity?

Answer: To assess the entire vendor supply chain for security and reliability

What is the purpose of regular monitoring and audits in the supply chain?

Answer: To detect suspicious activities and ensure compliance

What benefit does education and collaboration provide within the industry regarding cybersecurity?

Answer: Facilitates the sharing of threat information and best practices

What distinguishes misinformation from disinformation?

Answer: Misinformation is shared without harmful intent.

Which term describes the moment when a system checks access permissions?

Answer: Time-of-Check (TOC)

What is a Time-of-Check-to-Time-of-Use (TOCTTOU) issue linked to?

Answer: Revoking permissions too late.

What is the primary risk associated with race conditions?

Answer: Unauthorized data access due to event sequence.

What can buffer overflow vulnerabilities allow an attacker to do?

Answer: Insert their own content into memory locations.

How can developers prevent Time-of-Check-to-Time-of-Use vulnerabilities?

Answer: By evaluating permissions on each request.

What does the Target of Evaluation (TOE) refer to?

Answer: The specific component or system being evaluated.

Which consequence can arise from both misinformation and disinformation?

Answer: Public trust in institutions may be undermined.

What is the main goal of a cross-site scripting (XSS) attack?

Answer: To manipulate user interactions on trusted websites

How does an amplified denial-of-service attack function?

Answer: By sending small queries that return large responses

What role does a spoofed IP address play in a reflected denial-of-service attack?

Answer: It ensures the attack remains anonymous by masking the attacker's identity

What is a significant threat posed by combining reflected and amplified denial-of-service attacks?

Answer: They can cause extensive service disruption with less identifiable attackers

What is an important characteristic of the traffic generated by a DNS server in an amplified denial-of-service attack?

Answer: The traffic is usually small requests resulting in large amounts of data

What is the primary outcome of domain hijacking?

Answer: Alteration of domain's settings and configurations

What common method can lead to a domain being acquired maliciously?

Answer: Failure to renew the domain

Which of the following techniques is commonly associated with DNS poisoning?

Answer: Pretending to be an authoritative DNS server

How can users detect domain hijacking effectively?

Answer: Implementing security tools from domain registrars

What is a potential long-term effect of a successful DNS cache poisoning attack?

Answer: Retaining malicious entries until cache is purged

What describes a password spraying attack?

Answer: Attempting one password against many accounts.

What is a characteristic of dictionary attacks?

Answer: Employing a predefined list of words or phrases.

Which tool is known for its built-in capabilities for brute-force attacks?

Answer: John the Ripper

What is a common approach used in brute-force attacks?

Answer: Utilizing modification rules to generate variations.

What are custom dictionaries typically built for in penetration testing?

Answer: To enhance intelligence gathering and reconnaissance.

What function does a host-based intrusion prevention system (HIPS) perform on incoming traffic?

Answer: It analyzes traffic and can actively block malicious content.

What is the primary disadvantage of host-based firewalls compared to more advanced security measures?

Answer: They only block traffic based on application and port settings.

In what way does network segmentation enhance security for sensitive systems?

Answer: It isolates sensitive systems from other networks, limiting potential attack vectors.

What potential issue might arise from misconfiguration of a host-based intrusion prevention system?

Answer: It could inadvertently block legitimate traffic, causing outages.

What distinguishes isolation from segmentation in network security?

Answer: Isolation completely separates a system from any form of communication outside its network.

What characterizes attribute-based access control (ABAC)?

Answer: It is flexible and driven by user attributes.

Which of the following is a benefit of least privilege access control?

Answer: It minimizes potential damage from unauthorized access.

What is a potential downside of applying attribute-based access control (ABAC)?

Answer: It can be complex to manage and configure.

What function do time-of-day restrictions serve in access control?

Answer: They limit access to certain hours to prevent abuse.

What is an example of rule-based access control?

Answer: Firewalls that check rules before granting access.

    Study Notes

    Threat Actor Motivation

    • Intent refers to the specific goal of an attack, while motivation is the underlying reason for the attack.
    • Data Exfiltration involves the unauthorized transfer of data from a computer system.
    • Financial Gain can be achieved through methods such as ransomware attacks or by using banking trojans to steal financial information.
    • Blackmail involves a threat actor obtaining sensitive information and demanding payment to prevent its release.
    • Service Disruption aims to disrupt an organization's services for various reasons, including causing chaos, making a political statement, or demanding a ransom.
    • Philosophical or Political Beliefs drive attacks known as hacktivism, a common motivation for hacktivists.
    • Ethical Reasons motivate ethical hackers or authorized hackers, who aim to improve security.
    • Revenge can be a motivation for targeting entities perceived to have wronged the threat actor.
    • Disruption or Chaos involves actions like spreading malware or launching cyberattacks against critical infrastructure to cause widespread disruption.
    • Espionage involves spying to gather sensitive or classified information from individuals, organizations, or nations.
    • War encompasses cyber warfare activities aimed at disrupting infrastructure, compromising national security, and causing economic damage.

    Motivation: Revenge

    • Driven by the desire to retaliate for perceived wrongdoing.

    Motivation: Ideological

    • Attacks driven by attackers' political or philosophical beliefs.

    Motivation: Espionage

    • Unauthorized transfer of sensitive information from a computer.

    Service Disruption: Purpose

    • Service disruption does not primarily serve the purpose of testing security defenses.

    Motivation: Cyberwarfare

    • Utilizing cyberattacks for strategic military objectives.

    Motivation: Blackmail

    • The primary goal is to extort money or other valuable assets from victims.

    Blackmail: Common Methods

    • DDoS attacks: Overwhelming a target's network with traffic, causing service disruption.
    • Data extortion: Stealing sensitive information and threatening to release it unless a ransom is paid.
    • Website defacement: Altering the content of a website to display a message demanding payment.

    Blackmail: Victim Coercion

    • Victims might be coerced into providing sensitive information, financial resources, or cooperation with attacker demands.

    Blackmail: Information at Risk

    • Financial information, personal data, confidential documents, intellectual property.

    Blackmail: Non-Compliance Consequences

    • Further attacks, public disclosure of sensitive information, reputational damage.

    Blackmail: Compliance Outcome

    • Temporary relief from immediate threats, but potential for ongoing extortion or future attacks.

    Message-based Threat Vectors

    • Attackers can use email, SMS, or instant messaging to deliver threats
    • Phishing campaigns are a common tactic, with attackers impersonating trusted entities to steal sensitive information

    Image-based Threat Vectors

    • Malicious code can be embedded within image files

    File-based Threat Vectors

    • Files disguised as legitimate documents or software can be delivered as email attachments, through file-sharing services, or hosted on malicious websites

    Voice Calls

    • Vishing involves attackers using voice calls to trick victims into revealing sensitive information

    Removable Devices

    • Baiting is a technique where attackers leave malware-infected USB drives in public locations to entice victims

    Unsecure Networks

    • Wireless, wired, and Bluetooth networks can be vulnerable if not adequately secured
    • Wireless networks lacking proper security measures can be intercepted or accessed by unauthorized individuals
    • Wired networks, while generally more secure, are still susceptible to attacks, especially if physical access to the network infrastructure is gained

    MAC Address Cloning

    • Attackers can mimic legitimate devices by copying their MAC addresses

    VLAN Hopping

    • Attackers can bypass network security measures by exploiting vulnerabilities in VLAN configurations

    Bluetooth Vulnerabilities

    • BlueBorne is a set of vulnerabilities allowing takeover of devices, malware spread, and communication interception
    • BlueSmack is a Denial of Service (DoS) attack targeting Bluetooth devices by sending malicious packets

    Third-Party Vendor Risks

    • Definition: Potential security and operational challenges from external collaborators (vendors, suppliers, or service providers).
    • Impact: Can affect integrity, data security, and overall business continuity.

    Common Threat Vectors and Attack Surfaces

    • Threat Vectors: Paths attackers use to gain access.
    • Attack Surfaces: Points where unauthorized users can try to enter.

    Various Types of Vulnerabilities

    • Hardware Vulnerabilities: Components with vulnerabilities.
    • Software Vulnerabilities: Applications with hidden backdoors.
    • Operational Vulnerabilities: Lack of cybersecurity protocols.

    Vendor Assessments

    • Evaluation: Pre-partnership assessment of a vendor's security.
    • Penetration Testing: Testing vendor security by simulating cyberattacks.
    • Audit Rights: Organizations' right to audit vendors.
    • Evidence Collection: Gathering internal and external audit evidence.

    Vendor Selection and Monitoring

    • Importance: Meticulous vendor selection process.
    • Vigilance: Ongoing monitoring of vendor performance.
    • Contracts and Agreements: Basic contracts for forming relationships, and nuanced agreements like SLAs, MOUs, and NDAs for specific safeguards.

    Supply Chain Risks

    • Hardware Manufacturers: Products like routers and switches have many components from various suppliers. Component tampering or untrustworthy vendors can introduce vulnerabilities.
      • Trusted Foundry Programs: Ensure secure manufacturing.
    • Secondary/Aftermarket Sources: Risk of acquiring counterfeit or tampered devices with malware or vulnerabilities.
    • Software Developers/Providers: Software can introduce vulnerabilities.
      • Open-Source Software: Allows source code review.
      • Proprietary Software: Can be scanned for vulnerabilities.
    • Service Providers/MSPs: Organizations providing technology services and support to businesses.
      • Security challenges with Software-as-a-Service (SaaS) providers: Concerns about data confidentiality and integrity.
      • Vendor Selection: Consider due diligence, historical performance, and commitment to security.

    Supply Chain Attacks

    • Definition: An attack that targets a weaker link in the supply chain to gain access to a primary target. Exploits vulnerabilities in suppliers or service providers to access more secure systems.
    • CHIPS Act of 2022: U.S. federal statute providing funding to boost semiconductor research and manufacturing. Aims to reduce reliance on foreign-made semiconductors, strengthen the domestic supply chain, and enhance security.
      • Semiconductors: Essential components in a wide range of products.
    • Safeguarding Against Supply Chain Attacks:
      • Vendor Due Diligence: Rigorous evaluation of vendor cybersecurity and supply chain practices.
      • Regular Monitoring & Audits: Continuous monitoring and periodic audits of supply chains to detect suspicious activities.
      • Education and Collaboration: Sharing threat information and best practices. Collaborating with organizations and industry groups for joint defense.
      • Incorporating Contractual Safeguards: Embedding cybersecurity clauses in contracts with suppliers or service providers.

    Vendor Assessments

    • Definition: Process to evaluate the security, reliability, and performance of external entities (vendors, suppliers, and MSPs).
    • Penetration Testing of Suppliers: Simulated cyberattacks to identify vulnerabilities in supplier systems.
    • Right-to-Audit Clause: Contract provision allowing organizations to evaluate vendor's internal processes for compliance.
    • Internal Audits: Vendor's self-assessment of practices against industry or organizational requirements.
    • Independent Assessments: Evaluations conducted by third-party entities without a stake in the organization or vendor.
    • Supply Chain Analysis: Assessment of an entire vendor supply chain for security and reliability.

    Misinformation and Disinformation

    • Misinformation is false or inaccurate information shared unintentionally.
    • Disinformation is the deliberate creation and sharing of false information with the intent to deceive or mislead.
    • Both misinformation and disinformation can have serious consequences:
      • Undermining public trust in institutions.
      • Fueling social divisions.
      • Influencing election outcomes.

    Race Conditions

    • Race conditions occur when the security of a code segment depends on the sequence of events occurring within the system.
    • Key terms related to race conditions:
      • Time-of-Check (TOC): The moment when a system verifies access permissions or other security controls.
      • Time-of-Use (TOU): The moment when the system accesses the resource or uses the permission granted.
      • Target of Evaluation (TOE): The specific component, system, or mechanism being evaluated for potential vulnerabilities, such as managing and validating access permissions.

    Time-of-Check-to-Time-of-Use (TOCTTOU) Issue

    • A type of race condition where a program checks access permissions too far ahead of a resource request.
    • Example: If an operating system builds a list of access permissions for a user upon logon and refers to that list throughout the session, a vulnerability exists.
      • If an administrator revokes permissions, the user won't be affected until their next logon, allowing access to the resource indefinitely if the session remains open.
    • Prevention: Evaluate access permissions at the time of each request instead of caching a list of permissions.
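The logon-time permission cache described above, side by side with the per-request check that prevents it, as an added illustration in Python (not code from the original notes). The grant store, user names and resource names are constructed for the example; the point is that the cached session keeps granting access after an administrator revokes the permission, while the live session denies it.

```python
"""TOCTTOU in permission handling: a permission list copied at logon (time of
check) versus a check made at each access (time of use). Added example with a
constructed in-memory grant store; not the original notes' code."""
from dataclasses import dataclass, field

# Constructed authoritative store: user -> set of resources the user may read.
GRANTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}


def revoke(user: str, resource: str) -> None:
    """Administrator removes a grant from the authoritative store."""
    GRANTS.get(user, set()).discard(resource)


@dataclass
class CachedSession:
    """Vulnerable pattern: permissions are snapshotted once at logon and the
    snapshot is consulted for every later access, so revocation only takes
    effect at the next logon."""
    user: str
    perms: set = field(default_factory=set)

    def __post_init__(self) -> None:
        self.perms = set(GRANTS.get(self.user, set()))   # time of check

    def can_read(self, resource: str) -> bool:
        return resource in self.perms                    # time of use, stale


@dataclass
class LiveSession:
    """Prevention: consult the authoritative store on every request so the
    check and the use happen together."""
    user: str

    def can_read(self, resource: str) -> bool:
        return resource in GRANTS.get(self.user, set())


def demonstrate() -> dict:
    """Log on, revoke a grant, then read: returns (cached, live) verdicts."""
    GRANTS["alice"] = {"payroll", "wiki"}          # reset constructed state
    cached = CachedSession("alice")
    live = LiveSession("alice")
    before = (cached.can_read("payroll"), live.can_read("payroll"))
    revoke("alice", "payroll")                     # admin acts mid-session
    after = (cached.can_read("payroll"), live.can_read("payroll"))
    return {"before_revoke": before, "after_revoke": after}


if __name__ == "__main__":
    print(demonstrate())
```

Real systems rarely drop caching entirely; the practical middle ground is a short cache lifetime plus an explicit invalidation when an administrator changes a grant, which keeps the window between check and use small and bounded.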

    Buffer Overflow Vulnerabilities

    • Attempt to use more space than allocated, allowing attackers to inject their own content into sensitive memory locations.
    • Race conditions are a factor when the security of a code segment depends on the order of events in the system.

    Cross-Site Scripting (XSS) Attacks

    • An attacker embeds scripting commands on a website to be executed by unsuspecting visitors.
    • The goal is to trick users into executing malicious code from an untrusted third party on a trusted website.

    Amplified Denial-of-Service (DoS) Attacks

    • Take advantage of protocols that allow small queries to return large results (e.g., DNS queries).
    • An attacker spoofs a system's IP address to cause a DNS server to send more traffic to the spoofed IP address than originally received.
    • This amplifies a small amount of traffic into a large response.
    • This type of attack leverages reflected DoS attacks, where a legitimate service carries out the attack due to the spoofed IP address, making attacker identification challenging.
    • The combination of reflected and amplified DoS attacks creates a powerful and difficult-to-stop attack.

    Domain Hijacking

    • Domain hijacking involves changing the registration of a domain, either through technical means (like exploiting vulnerabilities or gaining unauthorized control) or non-technical means (like social engineering).
    • Attackers can hijack domains to change settings and configurations, allowing them to intercept traffic, send and receive emails, or perform other actions while pretending to be legitimate owners.
    • Domain hijacking is not the only way domains can be acquired for malicious purposes. Many domains are lost due to non-renewal.
    • Domain owners can use security tools and features provided by domain registrars to protect and monitor their domains.

    DNS Poisoning

    • DNS poisoning is a type of attack where an attacker provides a false DNS response, pretending to be an authoritative DNS server.
    • Vulnerabilities in DNS protocols or implementations can also lead to DNS poisoning, though this is less common.
    • DNS poisoning can also involve modifying the DNS cache on systems, impacting them until the cache is purged or updated.
    • This makes it difficult to detect and can have lasting effects.
    • DNS cache poisoning may be noticed by users or detected by network defenses, but it is difficult to spot if executed effectively.

    Brute-Force Attacks

    • Brute-force attacks are used to gain access to a system by trying different password combinations
    • Brute-force methods involve trying commonly used passwords, words specifically designed for the target, and modifications to account for security rules
    • Brute-force attacks can be complex and involve sophisticated techniques to find the correct password

    Password Spraying Attacks

    • Password spraying attacks are a specific type of brute-force attack that attempts to use a single password or a small set of passwords against many accounts
    • This attack can be effective against targets that use known default passwords
    • This attack can also be used by targeting specific groups with commonly known or related terms, such as a sports team's fan website
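Brute force and password spraying leave different shapes in authentication logs: one account hammered from one source, versus many accounts each failing once or twice from one source. The detector below is an added example (not part of the original notes) that runs over a few constructed log lines in an assumed `auth failed user=... src=...` format and classifies each source as one pattern or the other; the threshold values are illustrative assumptions.

```python
"""Classify failed-logon bursts per source IP as brute force or password
spraying. Added example; log format, thresholds and sample lines are
constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (constructed, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth failed user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one source brute-forcing 'alice', one source trying six
# accounts once each (spraying), one user mistyping a password twice.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 auth failed user=alice src=203.0.113.7",
    "2024-05-01T09:00:03 auth failed user=alice src=203.0.113.7",
    "2024-05-01T09:00:05 auth failed user=alice src=203.0.113.7",
    "2024-05-01T09:00:07 auth failed user=alice src=203.0.113.7",
    "2024-05-01T09:00:09 auth failed user=alice src=203.0.113.7",
    "2024-05-01T09:00:11 auth failed user=alice src=203.0.113.7",
    "2024-05-01T09:10:00 auth failed user=alice src=198.51.100.9",
    "2024-05-01T09:10:02 auth failed user=bob src=198.51.100.9",
    "2024-05-01T09:10:04 auth failed user=carol src=198.51.100.9",
    "2024-05-01T09:10:06 auth failed user=dave src=198.51.100.9",
    "2024-05-01T09:10:08 auth failed user=erin src=198.51.100.9",
    "2024-05-01T09:10:10 auth failed user=frank src=198.51.100.9",
    "2024-05-01T09:20:00 auth failed user=carol src=192.0.2.5",
    "2024-05-01T09:20:30 auth failed user=carol src=192.0.2.5",
    "garbage line that does not parse",
]


def parse(lines):
    """Return (timestamp, user, src) tuples, skipping lines that don't match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def classify_sources(lines, window=timedelta(minutes=10),
                     many_accounts=5, per_account=5):
    """Map src -> 'brute_force' | 'password_spraying' for bursts within window.

    brute_force: one account fails >= per_account times from the source.
    password_spraying: >= many_accounts distinct accounts fail, each fewer
    than per_account times.  Sources matching neither are not reported.
    """
    by_src = defaultdict(list)
    for ts, user, src in parse(lines):
        by_src[src].append((ts, user))
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()
        if evs[-1][0] - evs[0][0] > window:   # only flag a single burst
            continue
        per_user = defaultdict(int)
        for _, user in evs:
            per_user[user] += 1
        worst = max(per_user.values())
        if worst >= per_account:
            verdicts[src] = "brute_force"
        elif len(per_user) >= many_accounts:
            verdicts[src] = "password_spraying"
    return verdicts


if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

Keying on the source address is the simplest view; a spraying campaign spread across many sources shows up instead as an unusual number of distinct accounts failing in one window regardless of origin, so production detections usually compute that aggregate as well.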

    Dictionary Attacks

    • Dictionary attacks use a list of words to try to find the correct password
    • Popular open-source password cracking tools, like John the Ripper, come with built-in word lists
    • Penetration testers often create custom dictionaries as part of their intelligence gathering and reconnaissance processes

    Host-Based Firewalls

    • Most modern operating systems come with built-in host-based firewalls.
    • Host-based firewalls are typically enabled by default and can block unwanted network traffic.
    • These firewalls are often limited in their ability to provide insight into the traffic they are filtering.
    • They typically block or allow specific applications, services, ports, or protocols.

    Host Intrusion Prevention and Detection Systems (HIPS)

    • A host intrusion prevention system (HIPS) analyzes network traffic before it reaches services or applications on the host.
    • It can take action on the traffic by filtering out malicious traffic or blocking specific elements of the data.
    • HIPS can examine traffic across multiple packets or throughout entire communications, allowing it to detect complex or spread-out malicious activity.
    • As HIPS can actively block traffic, it's important to consider the potential risks of misidentification or misconfiguration which could lead to blocking legitimate traffic and potential outages.

    Segmentation and Isolation

    • Organisations can limit access to sensitive systems by segmenting them on separate networks.
    • Segmentation allows for communication between sensitive systems within the same network but restricts communication with systems on other networks.
    • Isolation goes further by completely cutting off a system from communicating with any outside networks.

    Rule-Based Access Control (RBAC)

    • Rules or Access Control Lists (ACLs) determine access to objects or resources.
    • When an attempt is made to access an object, the rule is checked to see if the access is allowed.
    • A common example is a firewall ruleset.

    Attribute-Based Access Control (ABAC)

    • Policies are driven by attributes of the users, allowing complex rules based on attribute combinations.
    • Users have specific rights tailored to their attributes.
    • ABAC schemes are flexible due to context-specific attribute settings.
    • Difficult to manage due to their flexibility.
    • Useful for enterprise systems with complex user roles and varying rights.
    • Used with databases, content management systems, microservices, and APIs.

    Time-of-Day Restrictions

    • Limit access to specific times.
    • Example: Configurable logon hours in Windows Active Directory.
    • Prevent account or system abuse by restricting access to defined work hours.

    Least Privilege

    • Accounts and users should only have the minimum permissions and capabilities necessary.
    • A common concept in information security practices.
    • Should be designed into any permission or access scheme.
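The four access-control ideas above (rule-based ACLs, ABAC, time-of-day restrictions and least privilege) combined into one small policy evaluator, as an added example that is not from the original notes. The ACL entries, attribute names, clearance levels and logon-hour values are constructed assumptions; the default-deny fallback in both evaluators is where least privilege shows up in code.

```python
"""Rule-based (firewall-style) and attribute-based access decisions with a
time-of-day restriction and default deny. Added example; rules, attribute
names and sample subjects are constructed for illustration."""
import ipaddress
from datetime import datetime

# Rule-based: ordered ACL, first match wins, nothing matched means deny.
ACL = [
    {"src": "10.0.0.0/8", "port": 443, "action": "allow"},
    {"src": "10.1.2.0/24", "port": 22, "action": "allow"},
    {"src": "0.0.0.0/0", "port": 22, "action": "deny"},
]


def acl_decision(src_ip: str, port: int, acl=ACL) -> str:
    """Walk the ACL like a firewall ruleset and return 'allow' or 'deny'."""
    ip = ipaddress.ip_address(src_ip)
    for rule in acl:
        if ip in ipaddress.ip_network(rule["src"]) and port == rule["port"]:
            return rule["action"]
    return "deny"   # least privilege: no rule grants it, so it is refused


def abac_decision(subject: dict, resource: dict, env: dict) -> str:
    """Decide from subject, resource and environment attributes.

    subject: department, clearance (int), logon_hours (start, end) or None
    resource: owner_dept, classification ('public' | 'confidential')
    env: now (datetime)  -- the time-of-day attribute
    """
    if subject["department"] != resource["owner_dept"]:
        return "deny"
    if resource["classification"] == "confidential" and subject["clearance"] < 2:
        return "deny"
    hours = subject.get("logon_hours")          # like AD logon hours
    if hours is not None:
        start, end = hours
        if not (start <= env["now"].hour < end):
            return "deny"
    return "allow"


# Constructed subjects and resources for the demonstration.
ANALYST = {"department": "finance", "clearance": 2, "logon_hours": (8, 18)}
INTERN = {"department": "finance", "clearance": 1, "logon_hours": (9, 17)}
LEDGER = {"owner_dept": "finance", "classification": "confidential"}
NEWSLETTER = {"owner_dept": "marketing", "classification": "public"}
BUSINESS_HOURS = {"now": datetime(2024, 5, 1, 10, 0)}
NIGHT = {"now": datetime(2024, 5, 1, 23, 0)}


def demonstrate() -> dict:
    """Return a handful of labelled decisions for inspection."""
    return {
        "acl_https_from_lan": acl_decision("10.5.5.5", 443),
        "acl_ssh_from_admin_net": acl_decision("10.1.2.9", 22),
        "acl_ssh_from_internet": acl_decision("203.0.113.4", 22),
        "acl_unlisted_port": acl_decision("10.5.5.5", 8080),
        "analyst_ledger_day": abac_decision(ANALYST, LEDGER, BUSINESS_HOURS),
        "analyst_ledger_night": abac_decision(ANALYST, LEDGER, NIGHT),
        "intern_ledger_day": abac_decision(INTERN, LEDGER, BUSINESS_HOURS),
        "analyst_other_dept": abac_decision(ANALYST, NEWSLETTER, BUSINESS_HOURS),
    }


if __name__ == "__main__":
    for name, verdict in demonstrate().items():
        print(f"{name}: {verdict}")
```

The ABAC function is deliberately a few `if` statements: the flexibility the notes mention comes from adding attributes and conditions, and the management burden they mention comes from the same place, since every new attribute is another combination to reason about and test.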

    Description

    Exam objectives.
