CYB1UofI_FISCH1.4
Attacks
| Question | Answer |
|---|---|
| what sort of attacks will you face as a security analyst | a wide variety of approaches and angles of attacks |
| what can you do to classify attacks | you can break these down according to the type of attack, the risk the attack represents and the controls you might use to mitigate it |
| what are the types of attacks | interception, interruption, modification and fabrication |
| how many categories can you generally place attacks into | four |
| what are the four categories you can generally place attacks into | interception, interruption, modification and fabrication |
| each of the attack categories can affect ___ | one or more of the principles of the CIA triad |
| what principle of the CIA triad does an interception attack affect | confidentiality |
| what principle of the CIA triad does an interruption, modification or fabrication attack affect p1 | integrity |
| what principle of the CIA triad does an interruption, modification or fabrication attack affect p2 | availability |
| what should be considered when classifying an attack and the effects it can have | the line between the categories of attack and the effects they have is subject to interpretation. Depending on the attack in question, you might include it in more than one category or have more than one type of effect. |
| what is an Interception attack? | attacks allow unauthorized users to access your data, applications or environments |
| what are interception attacks primarily attacks against | confidentiality |
| what forms can interception attacks take | unauthorized file viewing or copying, eavesdropping on phone conversations or reading someone else's mail |
| what sort of data do you conduct interception attacks on | you can conduct an interception attack against data at rest or in motion |
| when properly executed what sort of attacks can be difficult to detect | interception attacks |
| what does data at rest mean | is stored data that is not in the process of being moved from one place to another |
| what are examples of data at rest | it may be on a hard drive or flash drive, or it may be stored in a database |
| data at rest is generally protected with | some sort of encryption |
| describe the general encryption protections of data at rest | encrypted often at the level of the file or entire storage device |
| what does data in motion mean | is data that is moving from one place to another |
| what is an example of data in motion in a bank scenario | when you are using your online banking session, the sensitive data flowing between your web browser and your bank is data in motion |
| how is data in motion protected | with encryption |
| what encryption is used to protect data in motion | the encryption protects the network protocol or path used to move the data from one place to another |
| what is an optional third category of data | data in use |
| what is data in use | would be data that an application or individual was actively accessing or modifying |
| what sort of protections are used on data in use | include permissions and authentication of users |
| what is the concept of data in use conflated with | data in motion |
| conflated definition | describes two or more distinct ideas, texts, or elements that have been mistakenly or intentionally blended together into a single whole, often leading to confusion |
| describe whether we should treat data in use as its own category | sound arguments can be made on both sides of the argument |
| according to google the key arguments in support of treating data in use as its own category are | it has a distinct vulnerability profile; it has unique security requirements; it addresses the unprotected middle; operational visibility |
| according to google the key arguments for including data in use with data in motion are | active state vulnerability, non-persistent processing, high-speed security requirements, dynamic data context |
| what are interruption attacks | make your assets unusable or unavailable to you on a temporary or permanent basis |
| what do interruption attacks often affect | availability |
| what can interruption attacks affect besides availability | integrity |
| how would you classify a DoS attack on a mail server | as an availability attack (interruption attack) |
| how would you classify an attack where the attacker manipulated the processes on which a database runs to prevent access to the data it contains | you might consider this an integrity attack because of the possible loss or corruption of data, or you might consider it a combination of an integrity attack and an availability attack (interruption attack) |
| how else could you classify a database attack where the attacker manipulated the process on which a database runs to prevent access to the data it contains | might consider such an attack to be a modification attack rather than an interruption attack |
| what is a modification attack | involve tampering with an asset |
| modification attacks might primarily be considered attacks on | integrity |
| what else can modification attacks be considered attacks on besides integrity | availability |
| what have you affected if you access a file in an unauthorized manner and alter the data it contains | the integrity of the files data |
| what might be affected if you access a configuration file acting as a web server, that manages how a service behaves, in an unauthorized manner and alter the data it contains by changing the contents of the file | might affect the availability of that service |
| what else can be affected if you access a configuration file (for a web server) that manages how a service behaves, in an unauthorized manner, and alter the data it contains by changing the contents of the file, where the changes affect how the server deals with encrypted connections | confidentiality (you could even call this a confidentiality attack) |
| what are fabrication attacks | involve generating data, processes, communications, or other similar material with a system |
| fabrication attacks primarily affect | integrity |
| fabrication attacks can also affect | availability |
| what are some examples of fabrication attacks | generating fake information in a database; generating email; generating additional processes, network traffic, email, web traffic or nearly anything else that consumes resources |
| how can a fabrication attack be used as a common method for propagating malware | by generating a bad email |
| how can a fabrication attack conduct an availability attack | by generating enough additional processes, network traffic, email, web traffic or nearly anything else that consumes resources you can render the service that handles such traffic unavailable to legitimate users |
| what can you use to describe attacks and how they might affect you | threats, vulnerabilities and the associated risk |
| what is an example of a type of attack that could harm your assets | unauthorized modification of data |
| what is a threat | is something that has the potential to cause harm |
| what are threats specific to | certain environments (particularly in the world of information security) |
| give an example of how threats are specific to certain environments: regarding viruses and operating systems | although a virus might be problematic on a Windows operating system, the same virus will be unlikely to have any effect on a Linux operating system |
| what are vulnerabilities | are weaknesses or holes that threats can exploit to cause you harm |
| what are some examples of vulnerabilities | might involve a specific operating system or app that you're running; the physical location of your office building; a data center that is overpopulated with servers producing more heat than its air conditioning system can handle; a lack of backup generators |
| what is risk | the likelihood that something bad will happen |
| what is needed to have a risk in an environment | you need to have both a threat and a vulnerability that the threat could exploit |
| determine if this scenario has risk: you have a structure that is made from wood and you light a fire nearby | you have both a threat (the fire) and a matching vulnerability (the wood structure) so you definitely have risk |
| determine if this scenario has risk: you have a structure that is made from concrete and you light a fire nearby | you don't have a credible risk because your threat (fire) doesn't have a vulnerability (the concrete structure) to exploit. Note: you could argue that a sufficiently hot flame could damage the concrete but this is a less likely event |
| what sort of attacks are often talked about in computing environments | potential but unlikely attacks |
| what is the best strategy to prevent attacks | to spend your time mitigating the most likely attacks |
| what happens if you sink your resources into trying to plan for every possible attack | you'll spread yourself thin and lack protection where you need it most |
| what organization adds impact to the threat/vulnerability/risk equation | the US National Security Agency |
| what does NSA stand for | National Security Agency |
| what is a factor that is often added to the threat/vulnerability/risk equation | impact |
| what is impact | takes into account the value of the asset being threatened and uses it to calculate risk |
| determine if this scenario has risk using the factor of impact: consider that you lost unencrypted tapes containing only your collection of chocolate chip cookie recipes | You can safely say that you have no risk. You may not actually have a risk because the data exposed contains nothing sensitive and you can make additional backups from the source data. |
| what does the risk management process do | compensate for risks in your environment |
| what is a typical risk management process at a high level | 1. Identify Assets 2. Identify Threats 3. Assess Vulnerabilities 4. Assess Risks 5. Mitigate Risks 6. Repeat 1-5 |
| what do you need to do in the risk management process | identify your important assets, figure out the potential threats against them, assess your vulnerabilities and then take steps to mitigate these risks |
| what is the first part of the risk management process | identifying the assets you're protecting |
| what is arguably the most important part of the risk management process | identifying the assets you're protecting |
| what happens if you can't enumerate your assets and evaluate the importance of each | protecting them can become a difficult task |
| is enumerating your assets and evaluating the importance of each a simple task | no, it can be a more complex problem than it might seem |
| what environments can enumerating your assets and evaluating the importance of each be a complex problem | in larger enterprises. |
| why is enumerating your assets and evaluating the importance of each a complex problem in larger enterprises | an organization might have various generations of hardware, assets from acquisitions of other companies lurking in unknown areas, and scores of unrecorded virtual hosts in use, any of which may be critical to the continued functionality of the business |
| what happens once you have identified the assets in use when identifying assets | you have to decide which of them are critical business assets |
| what is required to make an accurate determination of which assets are truly critical to conducting business | will generally require the input of functions that make use of the assets, those that support the asset itself and potentially other involved parties as well |
| what is the step after enumerating your critical assets | you begin to identify the threats that might affect them |
| what is often useful to have for discussing the nature of a given threat | a framework such as the CIA triad or Parkerian Hexad |
| Apply the Parkerian Hexad to Examine the threats you might face against an application that processes credit card payments: Confidentiality | If you expose data inappropriately you could potentially have a breach |
| Apply the Parkerian Hexad to Examine the threats you might face against an application that processes credit card payments: Integrity | If data becomes corrupt, you may incorrectly process payments |
| Apply the Parkerian Hexad to Examine the threats you might face against an application that processes credit card payments: Availability | If the system or application goes down, you won't be able to process payments |
| Apply the Parkerian Hexad to Examine the threats you might face against an application that processes credit card payments: Possession | If you lose backup media, you could potentially have a breach |
| Apply the Parkerian Hexad to Examine the threats you might face against an application that processes credit card payments: Authenticity | If you don't have authentic customer information, you may process a fraudulent transaction |
| Apply the Parkerian Hexad to Examine the threats you might face against an application that processes credit card payments: Utility | If you collect invalid or incorrect data, that data will have limited utility |
| what type of threat assessment does the Parkerian hexad examination provide | a high level pass at assessing threats for the system |
| what does the Parkerian Hexad examination threat assessment point out | a few problem areas immediately: you need to be concerned with losing control of data, maintaining accurate data, and keeping the system up and running |
| once you have done threat assessment using a model what can you begin to do | look at areas of vulnerability and potential risk |
| how do you assess vulnerabilities | you need to do so in the context of potential threats |
| describe the number of threats any given asset might have that could impact it | thousands or millions |
| describe the relevancy of the thousands or millions of threats any given asset might have | only a small fraction of these will be relevant |
| Determine whether vulnerabilities exist given the potential threats against a system that processes credit card transactions : Confidentiality Threat : If you expose data inappropriately, you could have a breach | Your sensitive data is encrypted at rest and in motion. Your systems are regularly tested by an external penetration testing company. This is not a risk |
| Determine whether vulnerabilities exist given the potential threats against a system that processes credit card transactions : Integrity Threat : If data becomes corrupt, you may incorrectly process payments | You carefully validate that payment data is correct as part of the processing workflow. Invalid data results in a rejected transaction. This is not a risk. |
| Determine whether vulnerabilities exist given the potential threats against a system that processes credit card transactions : Availability Threat : If the system or application goes down, you can’t process payments. | You do not have redundancy for the database on the back end of the payment processing system. If the database goes down, you can’t process payments. This is a risk. |
| Determine whether vulnerabilities exist given the potential threats against a system that processes credit card transactions : Possession Threat : If you lose backup media, you could have a breach. | Your backup media is encrypted and hand-carried by a courier. This is not a risk. |
| Determine whether vulnerabilities exist given the potential threats against a system that processes credit card transactions : Authenticity Threat : If you don’t have authentic customer information, you may process a fraudulent transaction. | Ensuring that valid payment and customer information belongs to the individual conducting the transaction is difficult. You do not have a good way of doing this. This is a risk. |
| Determine whether vulnerabilities exist given the potential threats against a system that processes credit card transactions : Utility Threat : If you collect invalid or incorrect data, that data will have limited utility. | To protect the utility of your data, you checksum credit card numbers, make sure that the billing address and email address are valid, and perform other measures to ensure that your data is correct. This is not a risk. |
| Given the vulnerability analysis about a system that processes credit card transactions what are the areas of concern | the areas of authenticity and availability |
| what happens after the vulnerability analysis | you can begin to evaluate the areas in which you may have risks |
| what happens after you've identified the threats and vulnerabilities for a given asset | you can assess the overall risk |
| what is risk | the conjunction of a threat and a vulnerability |
| what does not constitute a risk | a vulnerability with no matching threat OR a threat with no matching vulnerability |
| Assess the risk for the potential threat and area of vulnerability: Availability. If the system or application goes down, you can't process payments. You don't have redundancy for the database on the back end of your payment processing system; if the database goes down, you won't be able to process payments | in this case you have both a threat and a corresponding vulnerability, meaning you risk losing the ability to process credit card payments because of a single point of failure on your database back end. |
| what happens once you've worked through your threats and vulnerabilities analysis | you can mitigate the risks |
| how do you mitigate risks | can put measures in place to account for each threat |
| what are the measures put in place to account for each threat called | controls |
| what categories are controls divided into | physical, logical and administrative |
| what are the number of categories controls are divided into | 3 |
| what are physical controls | protect the physical environment in which your systems sit, or where your data is stored. They control access in and out of such environments |
| what are some examples of physical controls | fences, gates, locks, bollards, guards, and cameras. systems that can maintain the physical environment: heating and air conditioning systems, fire suppression systems and backup power generators |
| what is one of the most critical controls | physical controls |
| why are physical controls one of the most critical controls | if you're not able to physically protect your systems and data, any other controls that you put in place become irrelevant |
| what happens in the best case scenario if your physical controls are compromised | if attackers can physically access your systems, they can steal or destroy them, rendering them unavailable for your use |
| what happens in the worst case scenario if your physical controls are compromised | attackers will be able to access your applications and data directly and steal your information and resources or subvert them for their own use |
| what is another term for logical controls | technical controls |
| what are logical controls | protect the systems, networks, and environments that process, transmit and store your data |
| what are technical controls | protect the systems, networks and environments that process, transmit and store your data |
| what are examples of logical controls | passwords, encryption, access controls, firewalls and intrusion detection systems |
| what are examples of technical controls | passwords, encryption, access controls, firewalls, and intrusion detection systems |
| what do logical controls do | enable you to prevent unauthorized activities |
| what do technical controls do | enable you to prevent unauthorized activities |
| what is the result of properly implemented and successful logical controls | an attacker or unauthorized user can't access your applications and data without subverting the controls |
| what is the result of properly implemented and successful technical controls | an attacker or unauthorized user can't access your applications and data without subverting the controls |
| what are administrative controls | based on rules, laws, policies, procedures, guidelines and other items that are paper in nature |
| what do administrative controls do | dictate how the users of your environment should behave |
| Depending on the environment and control in question, administrative controls can represent __ | differing levels of authority |
| what is an example of a simple administrative control aimed at avoiding a physical security problem (burning your building down at night) | turn the coffee pot off at the end of the day |
| what is an example of a stringent administrative control | one that requires you to change your password every 90 days |
| what is an important part of administrative controls | the ability to enforce them |
| why are administrative controls that you don't have the authority or ability to make people comply with worse than useless? | they create a false sense of security |
| what is an example of an administrative control that would need to be enforced | a policy that says employees can't use business resources for personal use |
| why is enforcing an administrative control policy that says employees can't use business resources for personal use a difficult task P1 | outside of a highly secure environment this can be difficult: you'd need to monitor telephone and mobile usage, web access, email use, instant message conversations, installed software, and other potential areas of abuse. |
| why is enforcing an administrative control policy that says employees can't use business resources for personal use a difficult task P2 | you'd have to devote a great deal of resources to monitoring and handling violations of the policy |
| what happens when you have an administrative policy that you wouldn't be able to enforce | the next time you're audited and asked to produce evidence of policy enforcement, you'll face issues |
| what is incident response | if your risk management efforts are not as thorough as you hoped or you're blindsided by something entirely unexpected, you can react with this |
| what should incident response be directed to | at the items that you feel are most likely to cause your organization pain |
| what should be already identified as part of your risk management efforts by the time you get to incident response | items that you feel are most likely to cause your organization pain |
| what should you base your incident response action on | documented incident response plans |
| how should incident response plans be maintained | they should be regularly reviewed, tested and practiced by those who will be expected to enact them |
| why should you maintain incident response documentation | you don't want to wait until an actual emergency to find out documentation that has been languishing on a shelf is outdated and refers to processes or systems that have changed heavily or no longer exist |
| what is the incident response process at a high level | 1. Preparation 2. Detection and Analysis 3. Containment 4. Eradication 5. Recovery 6. Post Incident Activity |
| what is the preparation phase of incident response | consists of all the activities you can perform ahead of time to better handle an incident |
| what does the preparation phase of incident response consist of | typically involves creating policies and procedures that govern incident response and handling, conducting training and education for both incident handlers and those who are expected to report incidents & developing and maintaining documentation |
| how should you handle the preparation phase of incident response | shouldn't underestimate the importance of this phase |
| why shouldn't you underestimate the importance of the preparation phase of incident response | without adequate preparation, it is extremely unlikely that the response to an incident will go well or according to your unpracticed plans |
| when is the time to determine what needs to be done, who needs to do it, and how to do it | during the preparation phase of incident response not when you're faced with an emergency |
| what is the detection and analysis phase of incident response | where the action begins. In this phase you detect an issue, decide whether it's actually an incident and respond to it appropriately |
| what is the most often way you'll detect an issue | you'll detect the issue with a security tool/service |
| what is a security tool or service that is used to detect an issue | intrusion detection system, antivirus software, firewall logs, proxy logs, or alerts from a security information and event monitoring tool or managed security service provider |
| IDS stands for | intrusion detection system |
| AV stands for | antivirus |
| SIEM stands for | security information and event monitoring tool |
| MSSP stands for | managed security service provider |
| what is the analysis portion of the detection and analysis phase of incident response a combination of | automation from a tool or service (usually a SIEM tool) and human judgement |
| what can be used in the analysis portion of the detection and analysis phase of incident response to say that a certain number of events in a given amount of time is normal or that a certain combination of events is not normal | some sort of thresholding |
| what else is needed in the analysis portion of the detection and analysis phase of incident response besides thresholding | human intervention at some point in the process |
| what are examples of human intervention in the analysis portion of the detection and analysis phase of incident response | a review of logs output by various security, network and infrastructure devices; contact with the party who reported the incident; general evaluation of the situation |
| what is an example of a combination of events that is not normal | two failed logins, followed by a success, a password change, and the creation of a new account |
| when can the detection and analysis phase of incident response happen | these situations often occur at 4 pm on a Friday or 2 am on a Sunday |
| who handles the detection and analysis phase of incident response | the incident handler |
| what happens when an incident handler evaluates a situation | that person will decide whether the issue constitutes an incident, evaluate the criticality of the incident and contact any additional resources needed to proceed to the next phase |
| what is the containment, eradication and recovery phase of incident response | where most of the work to solve the incident takes place (at least in the short term) |
| what happens during containment | involves taking steps to ensure the situation doesn't cause any more damage than it already has or at least lessen any ongoing harm |
| what is an example of a containment if the problem involves a malware infected server actively being controlled by a remote attacker | might mean disconnecting the server from the network, putting firewall rules in place to block the attacker and updating signatures or rules on an intrusion prevention system to halt the traffic from the malware |
| what does IPS stand for | intrusion prevention system |
| what happens during eradication | you'll attempt to remove the effects of the issue from your environment |
| how do you use eradication in the case of a malware infected server | after isolating the system and cutting it off from its command and control network, now you'll need to clean the malware from the server and ensure that it doesn't exist elsewhere in your environment |
| in the eradication phase what might be involved in cleaning malware from a server and ensuring it doesn't exist elsewhere in the environment | might involve additional scanning of other hosts in the environment to ensure that the malware is not present and perhaps examining logs on the server and network to determine what other systems the infected server has communicated with |
| describe the level of complexity in the eradication phase for cleaning malware (particularly new malware or variants) from a server and ensuring it doesn't exist elsewhere in your environment | it can be a tricky task |
| what should you do if you're in doubt about whether you've truly evicted malware or attackers from your environment | you should err on the side of caution |
| what happens during recovery | you need to recover the state you were in prior to the incident |
| when does recovery happen | after eradication and containment |
| what does recovery involve | restoring devices or data from backup media, rebuilding systems, reloading applications |
| describe the level of complexity in the recovery phase for recovering from a malware server attack | this can be a painful task |
| why can it be a painful task to accomplish the recovery phase | your knowledge of the situation might be incomplete or unclear. You might find that you are unable to verify that backup media is clean and free of infection, or that backup media is entirely bad; application install bits may be missing, config files might not be available... |
| what happens during post incident activity | you attempt to determine specifically what happened, why it happened, and what you can do to keep it from happening again |
| what phase of incident response is easy to overlook but should not be neglected | post incident activity |
| what is another name for the post incident activity phase in incident response | post mortem |
| what is Latin for "after death" | post mortem |
| what is the purpose of post incident activity | not to point fingers or place blame but to ultimately prevent or lessen the impact of future such incidents |
| what sometimes happens in post incident activity | pointing fingers or placing blame |