Cyber Security Study Guide PDF

🔐 Cyber Security 2 Study Guide 📌 1. 20 Most Common Cyber Security Attacks (With Definitions) 1. Phishing – Fraudulent emails or messages trick users into revealing sensitive data (e.g., passwords, credit cards). 2. Spear Phishing – Targeted phishing aimed at a specific individual or organization, often personalized. 3. Malware – Malicious software designed to damage, disrupt, or gain unauthorized access. Includes: ○ Viruses: Self-replicating code that attaches to clean files. ○ Worms: Spread without human interaction. ○ Trojans: Disguise as legitimate software. 4. Ransomware – Locks or encrypts user data and demands payment for release. 5. Denial of Service (DoS) – Overwhelms systems to make services unavailable. 6. Distributed DoS (DDoS) – DoS attack using multiple systems (often botnets). 7. Man-in-the-Middle (MitM) – Attacker secretly intercepts and possibly alters communication between two parties. 8. SQL Injection – Malicious SQL statements are inserted into an input field to manipulate a database. 9. Cross-Site Scripting (XSS) – Attacker injects malicious scripts into trusted websites. 10.Credential Stuffing – Use of stolen usernames/passwords from one breach to access other accounts. 11.Zero-Day Exploit – Attack on a vulnerability before developers have a fix. 12.Brute Force Attack – Attempts all possible combinations to guess passwords. 13.Session Hijacking – Stealing a session token to impersonate a user. 14.Drive-by Download – Malware is automatically downloaded when visiting a compromised website. 15.Insider Threat – A trusted user misuses their access (malicious or accidental). 16.Password Attack – Includes brute force, dictionary attacks, and password spraying. 17.Keylogging – Tracks keystrokes to capture passwords and sensitive info. 18.DNS Spoofing – Redirects traffic to malicious websites by corrupting DNS records. 19.Privilege Escalation – Attacker gains higher access rights than intended. 20.Watering Hole Attack – Compromises a site likely visited by the target, infecting their systems. 1. DNS Poisoning (a.k.a. DNS Spoofing) Definition: DNS poisoning is a type of cyberattack in which a malicious actor inserts false information into a DNS resolver’s cache, causing it to return an incorrect IP address. This misdirects users to fake websites (often for phishing or malware delivery). How it Works: The attacker exploits a vulnerability in the DNS system to replace the legitimate IP address with a fake one. When a user tries to visit a website (e.g., www.bank.com), their browser contacts a DNS server to resolve the domain name. If that DNS server has been poisoned, it returns the attacker's IP instead of the real one. The user is unknowingly redirected to a malicious website that looks identical to the real one. Consequences: Phishing attacks Malware installation Credential theft Traffic redirection for surveillance or DoS attacks Defenses: Use DNSSEC (Domain Name System Security Extensions) to verify the integrity of DNS data. Regularly flush DNS caches. Configure DNS servers to only accept responses from queries it has made (to prevent unsolicited replies). Monitor for abnormal DNS behavior using IDS/IPS systems. 2. MAC Spoofing Definition: MAC spoofing is the act of changing the Media Access Control (MAC) address of a network interface to impersonate another device on the network. How it Works: Every network card has a unique MAC address. Attackers use tools to change the MAC address of their network card to match another device’s address. This can allow attackers to: ○ Bypass MAC address filters. ○ Impersonate a trusted device to gain network access. ○ Hijack a session or intercept traffic. Consequences: Unauthorized network access Data interception or session hijacking Confusion in network logs or monitoring systems Defenses: Enable Port Security on switches to limit the number of MAC addresses per port. Use 802.1X authentication (network access control). Monitor for duplicate MAC addresses on the network. Use intrusion detection systems (IDS) to detect anomalies. 3. ARP Poisoning (a.k.a. ARP Spoofing) Definition: ARP poisoning is a technique used by attackers to associate their MAC address with the IP address of another host (like the default gateway) in the ARP cache of a target device. How it Works: ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on local networks. Attackers send forged ARP replies to a victim’s device, tricking it into sending traffic meant for another host (usually the gateway) to the attacker instead. The attacker can now perform a Man-in-the-Middle (MitM) attack. Consequences: Eavesdropping on sensitive data Session hijacking Traffic manipulation or disruption Denial of Service (DoS) Defenses: Use static ARP entries for critical devices (though not scalable for large networks). Implement dynamic ARP inspection (DAI) on switches. Use encrypted protocols (e.g., HTTPS, SSH) to protect data even if intercepted. Monitor network traffic for unexpected ARP replies. 4. MAC Flooding Definition: MAC flooding is a type of DoS attack in which an attacker sends a large number of frames with fake source MAC addresses to a switch, overwhelming its MAC address table. How it Works: Switches store MAC-to-port mappings in a CAM (Content Addressable Memory) table. If the table is full, the switch enters fail-open mode and starts broadcasting traffic to all ports (like a hub). The attacker can now sniff traffic that would normally not be visible. Consequences: Network slowdowns Loss of confidentiality (due to broadcast mode) Platform for further attacks (e.g., ARP poisoning) Defenses: Enable Port Security: limit the number of MAC addresses per port. Use Dynamic ARP Inspection (DAI) and DHCP Snooping. Use switches with MAC address table overflow protection. Monitor and alert for abnormal traffic volumes. 🧠 2. Developing a Threat Model Definition: A structured approach to identifying and addressing potential security threats. Steps: ○ Assets: What needs protection (e.g., data, systems)? ○ Threat Actors: Who might attack (e.g., hackers, insiders)? ○ Entry Points: How could they get in? ○ Vulnerabilities: Weaknesses they could exploit. ○ Countermeasures: How to block or mitigate the attack. ⚠️ 3. Risk Assessments Definition: Evaluating the likelihood and impact of threats to prioritize security efforts. Key Components: ○ Asset Identification ○ Threat Identification ○ Vulnerability Analysis ○ Impact & Likelihood Ratings ○ Risk Rating: High/Medium/Low ○ Controls/Mitigations 🛡️ 4. Defense in Depth Definition: A layered approach to cybersecurity, using multiple defenses at different levels. Layers: ○ Physical: Doors, locks, guards ○ Network: Firewalls, segmentation ○ Host: Antivirus, endpoint detection ○ Application: Secure coding, patching ○ Data: Encryption, backups ○ Procedural: Policies and training A layered approach to security, ensuring that multiple controls are in place in case one fails. Physical Controls – Locks, guards Technical Controls – Firewalls, encryption Administrative Controls – Policies, training 🔐 5. Access Control Definition: Rules and technologies used to restrict access to data and systems. Types: ○ DAC – Data owner controls access. ○ MAC – Access based on classification levels. ○ RBAC – Roles assigned to users determine access. ○ ABAC – Policies based on user, action, resource, environment. Principles: ○ Least Privilege: Users get the minimum access needed. ○ Separation of Duties: No single user controls all aspects. ○ Need to Know: Only access necessary info. 🧟‍♂️ 6. Types of Adversaries Script Kiddies – Inexperienced attackers using pre-made tools. Hacktivists – Attack for political or social reasons. Insiders – Employees or contractors misusing access. Cyber Criminals – Motivated by financial gain. Nation-State Actors – Highly skilled attackers with political motives. APTs – Stealthy, persistent attackers, often linked to nations. Competitors – Corporate espionage. 🏢 7. Physical and Administrative Controls 🔐 Physical Controls Purpose: Prevent physical access to systems. Examples: Locks, biometrics, motion sensors, surveillance, ID badges. 🗂️ Administrative Controls Purpose: Guide and manage people and processes. Examples: Security policies, background checks, awareness training, disciplinary actions, security policies, employee training, incident response plans Acceptable Use Policies (AUPs) 🌐 8. Technical Controls for Network Security Firewalls – Block or allow traffic based on rules. IDS/IPS – Detects (IDS) or blocks (IPS) malicious traffic. VPNs – Encrypts internet connections for secure remote access. NAC – Controls device access based on compliance. Segmentation – Divides networks to contain breaches. Proxies – Intermediaries between users and internet, can block threats. 🖥️ 9. Computer Security and Access Controls Antivirus/Anti-malware – Detects and removes malicious software. OS Hardening – Disabling unnecessary services and enforcing secure settings. Patch Management – Applying updates to fix vulnerabilities. EDR Tools – Monitors endpoints for suspicious behavior. Application Control – Restricts what software can run. MFA – Requires two or more authentication methods (e.g., password + code). 🔒 10. Encrypting Data (Cryptography) Encryption – Scrambles data so only authorized users can read it. Symmetric Key – Same key for encryption and decryption (e.g., AES). Asymmetric Key – Uses public/private key pair (e.g., RSA). Hashing – One-way function for integrity checking (e.g., SHA-256). Digital Signature – Ensures authenticity and integrity. TLS/SSL – Encrypts web communications. 🕵️ 11. Detecting Attacks Intrusion Detection System (IDS) – Monitors for known threats and alerts. Intrusion Prevention System (IPS) – Actively blocks suspicious traffic. SIEM – Aggregates and analyzes log data for signs of threats. Log Monitoring – Review logs for anomalies or indicators of compromise (IOCs). Behavioral Analysis – Flags unusual activity (e.g., user logging in at odd hours). Honeypots – Decoy systems to attract and analyze attackers. 🚨 12. Responding to Attacks Incident Response Plan (IRP): 1. Preparation – Set up policies, tools, and training. 2. Identification – Recognize signs of an attack. 3. Containment – Limit the damage. 4. Eradication – Remove the threat. 5. Recovery – Restore systems and validate. 6. Lessons Learned – Analyze and update processes. Forensics – Analyzing data to understand the attack. Reporting – Internal and external communication (may include law enforcement or regulatory bodies). 🛠️ 13. Tools & Techniques Used to Respond to Attacks These tools, models, and techniques help cybersecurity professionals identify, analyze, mitigate, and recover from attacks. 📊 Frameworks & Models 🔺 CIA Triad Confidentiality – Prevent unauthorized access to information. Integrity – Ensure data isn’t altered or tampered with. Availability – Ensure systems and data are accessible when needed. 🛡️ OWASP (Open Web Application Security Project) A non-profit focused on web application security. Provides the OWASP Top 10: The 10 most critical web security risks (e.g., Injection, Broken Authentication, XSS). Tools: ZAP Proxy, OWASP Dependency-Check, Threat Dragon (for modeling). 🧠 NIST Cybersecurity Framework Identify, Protect, Detect, Respond, Recover Provides guidelines for managing and reducing cybersecurity risk. 🧰 MITRE ATT&CK Framework A knowledge base of adversary tactics and techniques based on real-world observations. Helps understand attacker behavior and design defense strategies. 📌 Kill Chain Model (Lockheed Martin) Describes stages of a cyber attack: 1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command & Control 7. Actions on Objectives 🧪 Security Tools (Open Source & Commercial) 🔍 John the Ripper Password cracking tool used to detect weak passwords by simulating brute force or dictionary attacks. 🔧 Metasploit Penetration testing framework used to test vulnerabilities and deliver payloads. Helps simulate attacks for testing defenses. 🦠 Wireshark Network protocol analyzer that inspects network traffic in real-time. Useful for detecting suspicious patterns or traffic. 🔐 Burp Suite Web vulnerability scanner used to test and exploit web apps (e.g., SQL injection, XSS). ⚠️ Snort Open-source intrusion detection and prevention system (IDS/IPS). Monitors traffic and generates alerts for suspicious activity. 📈 Splunk / ELK Stack (Elasticsearch, Logstash, Kibana) Log management and analysis platforms used for threat detection and incident response. 🧲 ZAP (Zed Attack Proxy) OWASP tool for finding vulnerabilities in web apps during development or testing. 🛠️ Autopsy / FTK / EnCase Digital forensics tools used to examine devices post-incident for evidence and trace of attacks. 🧲 Sysinternals Suite Windows utilities (by Microsoft) used to investigate system processes, registry, and memory during or after an attack. 🧷 Techniques & Best Practices Threat Hunting – Proactively searching for signs of compromise. Security Audits – Systematic reviews of security controls. Penetration Testing – Simulated attacks to find vulnerabilities. Vulnerability Scanning – Using tools (e.g., Nessus, OpenVAS) to detect flaws. Patch Management – Regularly updating software to fix known vulnerabilities. Incident Response Playbooks – Step-by-step guides for specific types of attacks.

Cyber Security Study Guide PDF

Document Details

Tags

Related

Summary

Full Transcript