CYB1100-UI CH1.4
Foundations of Information Security: Attacks
| Question | Answer |
|---|---|
| True or False: You may face attacks from a wide variety of approaches and angles | True |
| how do you categorize attacks | the type of attack, the risk the attack represents, and the controls you might use to mitigate it. |
| what are the types of attacks | You can generally place attacks into one of four categories: interception, interruption, modification, and fabrication |
| what are the type of attacks (categories) that affect confidentiality | interception |
| what are the type of attacks (categories) that affect integrity | Interruption, modification and fabrication |
| what are the type of attacks (categories) that affect availability | Interruption, Modification, and Fabrication |
| True or false: Depending on the type of attack in question, you may include it in more than one category or have more than one type of effect | True |
| Interception attacks | allow unauthorized users to access your data, applications, or environments |
| Interception attacks are | primarily attacks against confidentiality. |
| what forms might interception attacks take | take the form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading someone else’s email |
| what sort of data can interception attacks use | interception attacks can be conducted on data at rest or in motion |
| When interception attacks are properly executed, interception attacks can be | difficult to detect. |
| Interruption attacks | make your assets unusable or unavailable to you on a temporary or permanent basis |
| what do interruption attacks affect | These attacks often affect availability but can affect integrity, as well |
| how would you classify a DoS attack on a mail server | as an availability attack. |
| if an attacker manipulated the processes on which a database runs to prevent access to the data it contains, what kind of attack might you consider this, and why | You might consider this an integrity attack because of the possible loss or corruption of data, or a combination of an integrity attack and an availability attack. You might also consider such an attack to be a modification attack. |
| Modification attacks | involve tampering with an asset. |
| attacks involving tampering with an asset might primarily be considered attacks on | integrity but could also represent attacks on availability |
| If you access a file in an unauthorized manner and alter the data it contains, you’ve affected the | integrity of the file’s data |
| Suppose you access a configuration file that manages how a service behaves (perhaps a web server) in an unauthorized manner and alter the data it contains. How could this be an availability attack? | Changing the contents of the file might affect the availability of that service. |
| Suppose the unauthorized change to that web server's configuration file alters how the server deals with encrypted connections. What sort of attack is this? | You could even call this a confidentiality attack. |
| Fabrication attacks | involve generating data, processes, communications, or other similar material with a system |
| fabrication attacks primarily affect | integrity |
| fabrication attacks can also affect | availability |
| Generating fake information in a database would be a kind of | fabrication attack |
| generating email would be a kind of | fabrication attack |
| what is generating email a common method for | propagating malware |
| If you generated enough additional processes, network traffic, email, web traffic, or nearly anything else that consumes resources, what kind of attack might you be conducting, and why | an availability attack, because you render the service that handles such traffic unavailable to legitimate users. |
| how can you describe how an attack might affect you | you can speak of it in terms of threats, vulnerabilities, and the associated risk. |
| an example of an attack that could harm your assets | the unauthorized modification of data |
| a threat is | something that has the potential to cause harm |
| Threats tend to be specific to | certain environments (particularly in the world of information security) |
| what is an example that demonstrates that threats tend to be specific to certain environments | A virus might be problematic on a Windows operating system, but the same virus is unlikely to have any effect on a Linux operating system. |
| Vulnerabilities are | weaknesses, or holes, that threats can exploit to cause you harm. |
| A vulnerability might involve | a specific operating system or application that you're running, the physical location of your office building, a data center that is overpopulated with servers producing more heat than its air-conditioning system can handle, a lack of backup generators, or other factors |
| Risk is | the likelihood that something bad will happen |
| you need to have both a threat and a vulnerability that the threat could exploit for you to have | a risk in an environment |
| an example of risk. | if you have a structure that is made from wood and you light a fire nearby, you have both a threat (the fire) and a matching vulnerability (the wood structure). |
| what is an example of a threat with no matching vulnerability (and therefore no risk) | If you have the same threat of fire but your structure is made of concrete, you no longer have a credible risk because your threat doesn't have a vulnerability to exploit. You could argue that a sufficiently hot flame could damage concrete, but that is a much less likely event. |
| what sort of attacks do we often talk about in computing environments | potential, but unlikely, attacks |
| what is the best strategy when deciding which attacks on your computing environment to defend against | The best strategy is to spend your time mitigating the most likely attacks. |
| what is the downside of sinking your resources into trying to plan for every possible attack, however unlikely? | you’ll spread yourself thin and lack protection where you need it the most. |
| Some organizations (such as the US National Security Agency (NSA)) add a factor to the threat/vulnerability/risk equation called | impact |
| Impact | takes into account the value of the asset being threatened and uses it to calculate risk |
| what does impact show in this scenario: In the backup tape example (where you lost the physical tapes) , if you consider that the unencrypted tapes contain only your collection of chocolate chip cookie recipes. | you may not actually have a risk because the data exposed contains nothing sensitive and you can make additional backups from the source data. In this case, you might safely say that you have no risk. |
| Risk management processes compensate for | risks in your environment |
| risk management process | 1. identify assets 2. identify threats 3. assess vulnerabilities 4. assess risks 5. mitigate risk 6. repeat |
| what is the general flow of the risk management process | you need to identify your important assets, figure out the potential threats against them, assess your vulnerabilities, and then take steps to mitigate these risks. |
| what is the first part of the risk management process | identifying the assets you’re protecting |
| what is arguably one of the most important parts of the risk management process | identifying the assets you’re protecting |
| what can make protecting assets a difficult task | If you can’t enumerate your assets and evaluate the importance of each |
| what may sound like an exceedingly simple task, but can be a more complex problem than it might seem on the surface (particularly larger enterprises) | identifying the assets you're protecting |
| why can identifying the assets you're protecting be a complex problem particularly for larger enterprises | an organization might have various generations of hardware, assets from acquisitions of other companies lurking in unknown areas, and scores of unrecorded virtual hosts in use, any which may be critical to the continued functionality of the business. |
| what happens after identifying the assets in use | deciding which of them are critical business assets |
| Making an accurate determination of which assets are truly critical to conducting business will generally require | the input of functions that make use of the asset, those that support the asset itself, and potentially other involved parties as well. |
| what is the second part of the risk management process | identifying threats |
| what happens after enumerating your critical assets | you can then begin to identify the threats that might affect them |
| what is often useful to have for discussing the nature of a given threat | a framework, such as the CIA triad or the Parkerian hexad |
| apply the Parkerian hexad to examine the threats you might face against an application that processes credit card payments : Confidentiality | If you expose data inappropriately, you could potentially have a breach. |
| apply the Parkerian hexad to examine the threats you might face against an application that processes credit card payments: Integrity | If data becomes corrupt, you may incorrectly process payments. |
| apply the Parkerian hexad to examine the threats you might face against an application that processes credit card payments: Availability | If the system or application goes down, you won’t be able to process payments. |
| apply the Parkerian hexad to examine the threats you might face against an application that processes credit card payments: Possession | If you lose backup media, you could potentially have a breach. |
| apply the Parkerian hexad to examine the threats you might face against an application that processes credit card payments: Authenticity | If you don’t have authentic customer information, you may process a fraudulent transaction. |
| apply the Parkerian hexad to examine the threats you might face against an application that processes credit card payments: Utility | If you collect invalid or incorrect data, that data will have limited utility. |
| what does the Parkerian hexad model allow you to do | gives a high-level pass at assessing threats for this system |
| what are the advantages of doing a high-level pass at assessing threats for a system | it points out a few problem areas immediately |
| what are some common problem areas | You need to be concerned with losing control of data, maintaining accurate data, and keeping the system up and running. |
| what can you do once you know the problem areas when assessing threats for a system | you can begin to look at areas of vulnerability and potential risk. |
| what is the third step of the risk management process | assessing vulnerabilities |
| When assessing vulnerabilities, you need to do so in the context of | potential threats |
| Any given asset may have thousands or millions of threats that could impact it, but | only a small fraction of these will be relevant |
| Let’s look at the issues that were identified and attempt to determine whether vulnerabilities exist in any of them: Confidentiality If you expose data inappropriately, you could have a breach. | Your sensitive data is encrypted at rest and in motion. Your systems are regularly tested by an external penetration testing company. This is not a risk. |
| Let’s look at the issues that were identified and attempt to determine whether vulnerabilities exist in any of them: Integrity If data becomes corrupt, you may incorrectly process payments. | You carefully validate that payment data is correct as part of the processing workflow. Invalid data results in a rejected transaction. This is not a risk. |
| Let’s look at the issues that were identified and attempt to determine whether vulnerabilities exist in any of them: Availability If the system or application goes down, you can’t process payments. | You do not have redundancy for the database on the back end of the payment processing system. If the database goes down, you can’t process payments. This is a risk. |
| Let’s look at the issues that were identified and attempt to determine whether vulnerabilities exist in any of them: Possession If you lose backup media, you could have a breach. | Your backup media is encrypted and hand-carried by a courier. This is not a risk. |
| Let’s look at the issues that were identified and attempt to determine whether vulnerabilities exist in any of them: Authenticity If you don’t have authentic customer information, you may process a fraudulent transaction. | Ensuring that valid payment and customer information belongs to the individual conducting the transaction is difficult. You do not have a good way of doing this. This is a risk. |
| Let’s look at the issues that were identified and attempt to determine whether vulnerabilities exist in any of them: Utility If you collect invalid or incorrect data, that data will have limited utility. | To protect the utility of your data, you checksum credit card numbers, make sure that the billing address and email address are valid, and perform other measures to ensure that your data is correct. This is not a risk. |
| once you have assessed vulnerabilities if you see a few areas of concern, you can | you can begin to evaluate the areas in which you may have risks. |
| what is the fourth step of the risk management process | assess risk |
| when can you assess the overall risk | Once you’ve identified the threats and vulnerabilities for a given asset |
| risk is the conjunction of | a threat and a vulnerability. |
| A vulnerability with no matching threat or a threat with no matching vulnerability does | not constitute a risk. |
| what do you risk with this scenario: following item was both a potential threat and an area of vulnerability: Availability If the system or application goes down, you can’t process payments. | In this case, you have both a threat and a corresponding vulnerability, meaning you risk losing ability to process credit card payments because of a single point of failure on your database back end. |
| what is the potential threat and area of vulnerability for: Availability If the system or application goes down, you can’t process payments. | You don’t have redundancy for the database on the back end of your payment processing system, so if the database goes down, you won’t be able to process payments. |
| what happens after analyzing through your threats and vulnerabilities to assess risk | you can mitigate these risks |
| what is the fifth step of the risk management process | Mitigate Risks |
| how do you mitigate risks | You put measures, called controls, in place to account for each threat. |
| Controls are divided into | three categories |
| the categories that controls are divided into are | three categories: physical, logical, and administrative. |
| Physical controls | protect the physical environment in which your systems sit, or where your data is stored. |
| what do physical controls control | Such controls also control access in and out of such environments. |
| Physical controls include | fences, gates, locks, bollards, guards, and cameras, but also systems that maintain the physical environment, such as heating and air-conditioning systems, fire suppression systems, and backup power generators. |
| what is one of the most critical types of control in information security | Physical controls |
| why are physical controls one of the most critical controls to information security | if you’re not able to physically protect your systems and data, any other controls that you put in place become irrelevant. |
| in the best case, what happens if attackers can physically access your systems | they can steal or destroy them, rendering them unavailable for your use |
| in the worst case, what happens if attackers can physically access your systems | attackers will be able to access your applications and data directly and steal your information and resources or subvert them for their own use |
| what is another term for logical controls | sometimes called technical controls |
| what do logical controls do | protect the systems, networks, and environments that process, transmit, and store your data. |
| what are examples of logical controls | Logical controls can include items such as passwords, encryption, access controls, firewalls, and intrusion detection systems |
| what does having logical controls enable | Logical controls enable you to prevent unauthorized activities |
| what happens if your logical controls are implemented properly and are successful | an attacker or unauthorized user can’t access your applications and data without subverting the controls. |
| Administrative controls | are based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature |
| Administrative controls dictate | how the users of your environment should behave |
| Depending on the environment and control in question, administrative controls can represent | differing levels of authority |
| Example of administrative control with low level of authority | You may have a simple rule such as “turn the coffee pot off at the end of the day,” aimed at avoiding a physical security problem (burning your building down at night) |
| Example of administrative control with high level of authority | You may also have a more stringent administrative control, such as one that requires you to change your password every 90 days |
| One important part of administrative controls is | the ability to enforce them. |
| If you don’t have the authority or the ability to ensure that people comply with your controls, they are | worse than useless because they create a false sense of security. |
| give an example of an administrative control that may be hard to enforce | If you create a policy that says employees can't use business resources for personal use, you'll need to be able to enforce this. |
| why would the administrative control in this scenario be hard to enforce: you create a policy that says employees can't use business resources for personal use | Outside of highly secure environments, this can be a difficult task. You'd need to monitor telephone and mobile usage, web access, email, instant messaging, software, and other areas for abuse. Unless you devote a large number of resources to monitoring these and handling violations of the policy, you'd quickly have a policy that you wouldn't be able to enforce. |
| why is having a scenario in which the administrative controls wouldn't be able to be enforced a problem | The next time you’re audited and asked to produce evidence of policy enforcement, you’ll face issues. |
| If your risk management efforts are not as thorough as you hoped, or you're blindsided by something entirely unexpected, you can react with ___ | incident response |
| what should you direct your incident response to | You should direct your incident response at the items that you feel are most likely to cause your organization pain. |
| before incident response what should be already identified | You should have already identified the items that are most likely to cause your organization pain as part of your risk management efforts. |
| As much as possible, you should base your reaction to incidents on | documented incident response plans |
| how should incident response plans be handled | should be regularly reviewed, tested, and practiced by those who will be expected to enact them in the case of an actual incident. |
| why should incident response plans be regularly reviewed, tested, and practiced by those who will be expected to enact them in the case of an actual incident. | You don’t want to wait until an actual emergency to find out documentation that has been languishing on a shelf is outdated and refers to processes or systems that have changed heavily or no longer exist. |
| what is the incident response process at a high level | Preparation Detection and analysis Containment Eradication Recovery Post-incident activity |
| preparation phase of incident response | consists of all the activities you can perform ahead of time to better handle an incident. |
| what is typically involved in the preparation phase of incident response | This typically involves creating policies and procedures that govern incident response and handling, conducting training and education for both incident handlers and those who are expected to report incidents, and developing and maintaining documentation |
| what phase of incident responses shouldn't be underestimated in its importance | preparation phase |
| why should the preparation phase of incident response not be underestimated in its importance | Without adequate preparation, it's extremely unlikely that the response to an incident will go well or according to your unpracticed plans. The time to determine what needs to be done, who needs to do it, and how to do it is not when you're faced with an emergency. |
| detection and analysis phase of incident response is | where the action begins |
| what happens in the detection and analysis phase of incident response | In this phase, you detect an issue, decide whether it’s actually an incident, and respond to it appropriately. |
| what will you most often detect an issue with | with a security tool or service |
| security tool or service examples | an intrusion detection system (IDS), antivirus (AV) software, firewall logs, proxy logs, or alerts from a security information and event management (SIEM) tool or managed security service provider (MSSP). |
| how is the analysis portion of the detection/analysis phase of incident response done | is often a combination of automation from a tool or service, usually a SIEM tool, and human judgment. |
| what is wanted from an automation from a tool or service (SIEM tool) in the detection/analysis phase of incident response | you can often use some sort of thresholding to say that a certain number of events in a given amount of time is normal or that a certain combination of events is not normal |
| what is an example of a certain combination of events that is not normal found when in the detection/analysis phase of incident response | two failed logins, followed by a success, a password change, and the creation of a new account, for instance |
| besides automation from tools or service what else will be needed/wanted in detection and analysis phase of incident response | you’ll often want human intervention at some point. |
| Human intervention might include | a review of logs output by various security, network, and infrastructure devices; contact with the party who reported the incident; and general evaluation of the situation. |
| what happens when an incident handler evaluates a situation | that person will decide whether the issue constitutes an incident, evaluate the criticality of the incident, and contact any additional resources needed to proceed to the next phase. |
| containment, eradication, and recovery phase of incident response | is where most of the work to solve the incident takes place, at least in the short term. |
| Containment | involves taking steps to ensure that the situation doesn’t cause any more damage than it already has—or at least lessen any ongoing harm |
| what is an example of containment for this scenario: If the problem involves a malware-infected server actively being controlled by a remote attacker | this might mean disconnecting the server from the network, putting firewall rules in place to block the attacker, and updating signatures or rules on an intrusion prevention system (IPS) to halt the traffic from the malware. |
| what happens during eradication | you’ll attempt to remove the effects of the issue from your environment. |
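The cards on risk (risk is the conjunction of a threat and a vulnerability, impact weights it by the value of the asset, and you should spend effort on the most likely attacks) and the card-payment walkthrough through the Parkerian hexad can be worked as a small scoring pass. The following is an added example, not code from the textbook or course; the six findings and the lost-tapes case are the chapter's, while the numeric likelihood and impact estimates, the 0..1 scale, and the `Finding`/`assess` names are assumptions made for illustration.

```python
"""Risk = threat AND vulnerability, weighted by impact (added example).

Scores the chapter's payment-processing findings. Likelihood and impact
values are assumed estimates on a 0..1 scale, not figures from the text.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    attribute: str                 # Parkerian hexad attribute
    threat: str                    # what could go wrong
    vulnerability: Optional[str]   # weakness the threat could exploit; None if none was found
    likelihood: float = 0.0        # assumed estimate, 0..1
    impact: float = 0.0            # value of the asset at stake, 0..1 (the NSA-style "impact" factor)

    def is_risk(self) -> bool:
        # A threat with no matching vulnerability, or with nothing of value
        # at stake, does not constitute a risk.
        return self.vulnerability is not None and self.likelihood > 0 and self.impact > 0

    def score(self) -> float:
        return self.likelihood * self.impact if self.is_risk() else 0.0


def assess(findings: List[Finding]) -> List[Finding]:
    """Return only the real risks, highest score first, so mitigation effort
    goes to the most likely and most damaging items rather than to every
    conceivable attack."""
    return sorted((f for f in findings if f.is_risk()), key=Finding.score, reverse=True)


# Constructed from the chapter's card-payment walkthrough (vulnerability None
# where the chapter concluded "this is not a risk").
PAYMENT_APP = [
    Finding("Confidentiality", "data exposed inappropriately", None, 0.2, 0.9),
    Finding("Integrity", "corrupt data mis-processes payments", None, 0.2, 0.7),
    Finding("Availability", "system or application goes down",
            "no redundancy for the back-end database (single point of failure)", 0.3, 0.8),
    Finding("Possession", "backup media lost", None, 0.1, 0.9),
    Finding("Authenticity", "fraudulent transaction processed",
            "no good way to tie payment data to the person transacting", 0.5, 0.6),
    Finding("Utility", "invalid or incorrect data collected", None, 0.2, 0.3),
]

# The chapter's lost-tapes example: a vulnerability exists (unencrypted tapes),
# but the data is cookie recipes, so impact is zero and there is no risk.
COOKIE_TAPES = Finding("Confidentiality", "lost unencrypted backup tapes",
                       "tapes are unencrypted", 0.4, 0.0)


if __name__ == "__main__":
    for f in assess(PAYMENT_APP + [COOKIE_TAPES]):
        print(f"{f.attribute:15} score={f.score():.2f}  because: {f.vulnerability}")
```

Running it lists only Authenticity and Availability, in that order; the four items the chapter judged "not a risk" and the cookie-recipe tapes are filtered out by `is_risk`, which is exactly the threat-plus-vulnerability-plus-impact test the cards describe.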
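The detection and analysis cards describe two kinds of automated SIEM logic: a threshold (a certain number of events in a given time is normal, more is not) and a sequence that is "not normal" (two failed logins, then a success, a password change, and a new account). The following is an added example, not code from the textbook or any SIEM product, that runs both rules over a few constructed log lines; the log format, the event names, the limits and windows, and the function names are all assumptions made for this example.

```python
"""Threshold and sequence detection over constructed auth events (added example).

Implements the two SIEM-style checks the chapter describes. The log
format "<ISO time> <actor> <event> [extra]", the event names and the
limits are assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real log data.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice LOGIN_FAILED
2024-05-01T09:00:07 alice LOGIN_FAILED
2024-05-01T09:00:15 alice LOGIN_OK
2024-05-01T09:01:00 alice PASSWORD_CHANGED
2024-05-01T09:02:30 alice ACCOUNT_CREATED user=svc-backup2
2024-05-01T09:05:00 bob LOGIN_FAILED
2024-05-01T09:05:02 bob LOGIN_FAILED
2024-05-01T09:05:03 bob LOGIN_FAILED
2024-05-01T09:05:04 bob LOGIN_FAILED
2024-05-01T09:05:05 bob LOGIN_FAILED
2024-05-01T09:05:06 bob LOGIN_FAILED
2024-05-01T10:00:00 carol LOGIN_FAILED
2024-05-01T10:00:20 carol LOGIN_OK
2024-05-01T10:30:00 carol PASSWORD_CHANGED
"""

# The "not normal" combination from the chapter, in order.
SUSPICIOUS_SEQUENCE = ["LOGIN_FAILED", "LOGIN_FAILED", "LOGIN_OK",
                       "PASSWORD_CHANGED", "ACCOUNT_CREATED"]


def parse(log):
    """Turn log text into (timestamp, actor, event) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, actor, event, *_ = line.split()
        events.append((datetime.fromisoformat(ts), actor, event))
    events.sort(key=lambda e: e[0])
    return events


def threshold_alerts(events, limit=5, window=timedelta(seconds=60)):
    """Fire when one actor has more than `limit` failed logins inside a
    sliding `window`; fires once per actor, on the first breach."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, actor, event in events:
        if event != "LOGIN_FAILED" or actor in alerted:
            continue
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) > limit:
            alerts.append((actor, "threshold", ts))
            alerted.add(actor)
    return alerts


def sequence_alerts(events, pattern=SUSPICIOUS_SEQUENCE, window=timedelta(minutes=10)):
    """Fire when an actor's events contain `pattern` as an ordered subsequence
    (other events may be interleaved) that completes within `window`."""
    per_actor = defaultdict(list)
    for ts, actor, event in events:
        per_actor[actor].append((ts, event))
    alerts = []
    for actor, evs in per_actor.items():
        for start in range(len(evs)):
            if evs[start][1] != pattern[0]:
                continue
            idx, matched_at = 0, None
            for ts, event in evs[start:]:
                if ts - evs[start][0] > window:
                    break
                if event == pattern[idx]:
                    idx += 1
                    if idx == len(pattern):
                        matched_at = ts
                        break
            if matched_at is not None:
                alerts.append((actor, "sequence", matched_at))
                break   # one alert per actor; a human reviews the rest
    return alerts


def analyze(log=SAMPLE_LOG):
    """Run both rules; returns (actor, rule, time) tuples for human review."""
    events = parse(log)
    return threshold_alerts(events) + sequence_alerts(events)


if __name__ == "__main__":
    for actor, rule, ts in analyze():
        print(f"{ts.isoformat()} {actor}: {rule} rule fired; needs handler review")
```

On the sample data the threshold rule fires for bob (six failures in six seconds) and the sequence rule for alice; carol's single failure followed by a success and a later password change is the normal case and produces nothing. As the cards note, the automation only decides what is worth looking at: an incident handler still has to review the surrounding logs and decide whether either alert is an incident.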