Previously, you learned about the eight Certified Information Systems Security Professional (CISSP) security domains. The domains can help you better understand how a security analyst’s job duties can be organized into categories. Additionally, the domains can help establish an understanding of how to manage risk. In this reading, you will learn about additional methods of attack. You’ll also be able to recognize the types of risk these attacks present.

Graphic of the eight icons that represent the CISSP security domains.

Attack types

Password attack

A password attack is an attempt to access password-secured devices, systems, networks, or data without legitimately knowing the password. Some forms of password attacks that you'll learn about later in the certificate program are:

  • Brute force: systematically trying candidate passwords (every combination of an alphabet, or every entry of a wordlist) until one matches

  • Rainbow table: looking up a stolen password hash in a precomputed table that maps hashes back to passwords, which only works when the stored hashes are unsalted

Password attacks fall under the communication and network security domain.
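The difference between the two password attacks above, and why salting defeats one of them, is easiest to see in code. The following is an added example written for this reading, not code from the course: it brute-forces a constructed four-digit password against both an unsalted SHA-256 hash and a salted PBKDF2 hash, and shows that a precomputed lookup table (the idea behind a rainbow table; real ones compress the table with hash chains) hits the unsalted hash instantly but finds nothing for the salted one. The salt value, the tiny numeric alphabet and the low iteration count are demo assumptions chosen so every search finishes in seconds.

```python
import hashlib
import itertools
import string
from typing import Callable, Dict, Iterator, Optional, Tuple

# Constructed demo parameters: 1- to 4-digit numeric passwords, 11,110 candidates in total.
ALPHABET = string.digits
MAX_LEN = 4
PBKDF2_ITERATIONS = 1_000  # deliberately low for the demo; production settings are far higher


def unsalted_hash(password: str) -> str:
    """Legacy storage: a bare SHA-256 of the password, identical for every user who picks it."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated storage (PBKDF2-HMAC-SHA256): the same password hashes differently per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def candidates(alphabet: str = ALPHABET, max_len: int = MAX_LEN) -> Iterator[str]:
    """Every password over the alphabet, shortest first: the brute-force search space."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def brute_force(target: str, hash_fn: Callable[[str], str]) -> Tuple[Optional[str], int]:
    """Hash each candidate with hash_fn until one equals target; returns (password, attempts).
    Works against salted hashes too, but every guess now costs a full PBKDF2 computation."""
    attempts = 0
    for candidate in candidates():
        attempts += 1
        if hash_fn(candidate) == target:
            return candidate, attempts
    return None, attempts


def build_rainbow_table() -> Dict[str, str]:
    """Precompute unsalted-hash -> password once, then reuse it against any stolen hash."""
    return {unsalted_hash(pw): pw for pw in candidates()}


def table_lookup(table: Dict[str, str], target: str) -> Optional[str]:
    """One dictionary lookup instead of a search, which is why precomputed tables are fast."""
    return table.get(target)


if __name__ == "__main__":
    # Constructed victim record: password "0042", stored both ways.
    salt = bytes.fromhex("a3f1c9d25e0b4e77")  # constructed per-user salt; real code uses os.urandom(16)
    stored_unsalted = unsalted_hash("0042")
    stored_salted = salted_hash("0042", salt)

    table = build_rainbow_table()
    print("table lookup vs unsalted:", table_lookup(table, stored_unsalted))  # immediate hit
    print("table lookup vs salted:  ", table_lookup(table, stored_salted))    # None: salt defeats precomputation
    print("brute force vs unsalted: ", brute_force(stored_unsalted, unsalted_hash))
    print("brute force vs salted:   ", brute_force(stored_salted, lambda pw: salted_hash(pw, salt)))
```

Both brute-force runs find the password after the same 1,153 attempts; the salt does not shrink the search, it only removes the attacker's ability to precompute it and makes each guess as expensive as the iteration count allows. That is the check to make when reviewing a password store: per-user random salt plus a slow, iterated hash.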

Social engineering attack

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Some forms of social engineering attacks that you will continue to learn about throughout the program are:

  • Phishing

  • Smishing

  • Vishing

  • Spear phishing

  • Whaling

  • Social media phishing

  • Business Email Compromise (BEC)

  • Watering hole attack

  • USB (Universal Serial Bus) baiting

  • Physical social engineering 

Social engineering attacks are related to the security and risk management domain.

Physical attack

A physical attack is a security incident in which the attacker uses physical access or a physical device to compromise a system, so it affects the physical environment where it is carried out as well as the digital one. Some forms of physical attacks are:

  • Malicious USB cable

  • Malicious flash drive

  • Card cloning and skimming

Physical attacks fall under the asset security domain.

Adversarial artificial intelligence

Adversarial artificial intelligence manipulates artificial intelligence and machine learning systems, for example by crafting inputs that a model misclassifies or by poisoning the data it is trained on, or uses those technologies to conduct attacks more efficiently. Adversarial artificial intelligence falls under both the communication and network security and the identity and access management domains.

Supply-chain attack

A supply-chain attack compromises a system, application, hardware component, or software package at some point in its production or distribution, so that malware or a backdoor reaches the organizations that trust and install it. Because every product passes through a chain of third parties (component manufacturers, software dependencies, build systems, distributors), the breach can occur at any link in that chain, and a single compromised supplier can reach every downstream customer. These attacks are costly because they can affect multiple organizations and the individuals who work for them. Supply-chain attacks can fall under several domains, including but not limited to the security and risk management, security architecture and engineering, and security operations domains.

Cryptographic attack

A cryptographic attack targets the cryptography that protects communication between a sender and intended recipient, either by breaking or bypassing a primitive or by tricking the parties into using a weaker one. Some forms of cryptographic attacks are:

  • Birthday: exploits the birthday paradox to find two inputs with the same hash in roughly the square root of the work needed to match one specific hash value

  • Collision: produces two different inputs with the same hash, so one can be substituted for the other wherever only the hash is checked

  • Downgrade: forces the parties to negotiate an older or weaker protocol version or cipher than both actually support

Cryptographic attacks fall under the communication and network security domain. 
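The birthday and collision attacks above are two views of the same arithmetic. The following is an added example written for this reading, not course code: it treats the top 32 bits of SHA-256 as a stand-in for a weak 32-bit hash, finds a collision by hashing random messages until a digest repeats, and compares the cost with the 2^32 expected guesses needed to hit one specific value. The 32-bit truncation and the fixed random seed are demo assumptions; the same reasoning is why short hash truncations and short MAC tags are dangerous.

```python
import hashlib
import math
import random
from typing import Dict, Tuple


def truncated_hash(data: bytes, bits: int) -> int:
    """The top `bits` bits of SHA-256, used here to model a hash with a small output."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_birthday_trials(bits: int) -> float:
    """Expected random inputs before any two share a `bits`-bit hash: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def expected_preimage_trials(bits: int) -> float:
    """Expected random inputs needed to hit one specific `bits`-bit value: about 2^bits."""
    return float(2 ** bits)


def birthday_collision(bits: int, seed: int = 0) -> Tuple[bytes, bytes, int]:
    """Birthday attack by random sampling: hash random messages, remember every digest seen, and
    stop at the first repeat. Returns the two colliding messages and the number of hashes computed."""
    rng = random.Random(seed)  # seeded so the demo is reproducible (an attacker would not bother)
    seen: Dict[int, bytes] = {}
    trials = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")  # constructed random 8-byte message
        trials += 1
        h = truncated_hash(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, trials
        seen[h] = msg


if __name__ == "__main__":
    bits = 32
    m1, m2, trials = birthday_collision(bits)
    print(f"collision on {bits}-bit hash: {m1.hex()} and {m2.hex()} "
          f"both hash to {truncated_hash(m1, bits):08x} after {trials} hashes")
    print(f"expected for a collision : ~{expected_birthday_trials(bits):,.0f}")
    print(f"expected for a preimage  : ~{expected_preimage_trials(bits):,.0f}")
```

With a 32-bit hash the collision arrives after tens of thousands of hashes, while a preimage would take billions. Doubling the digest size only quadruples the collision cost in the square-root regime, which is why collision resistance needs twice the bits that preimage resistance does.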
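A downgrade attack is a protocol-level trick rather than a break of any cipher, so it is best shown as the exchange itself. The following is an added example written for this reading, not course code: a client offers a list of cipher suites, the server picks the strongest one in common, and an on-path attacker rewrites the client's offer in transit so only the weakest suite survives. The defence modelled here is the transcript check used by TLS's Finished messages: both sides MAC the handshake they saw with a key the attacker does not have, and the client rejects the session when the server's view of the offer differs from its own. The suite names, the strength ranking and the pre-shared session key are constructed for the demo (in TLS the key comes from the key exchange).

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Constructed cipher-suite ranking for the demo (higher is stronger); names are illustrative.
STRENGTH = {"AES256-GCM": 3, "AES128-GCM": 2, "3DES-CBC": 1, "RC4-MD5": 0}


def negotiate(client_offer: List[str], server_supported: List[str]) -> str:
    """Server side: choose the strongest suite present in both lists, or refuse."""
    common = [s for s in server_supported if s in client_offer]
    if not common:
        raise ValueError("no cipher suite in common")
    return max(common, key=STRENGTH.__getitem__)


def transcript_mac(key: bytes, client_offer: List[str], chosen: str) -> bytes:
    """Keyed MAC over the handshake transcript. An attacker who altered the offer cannot
    recompute this for the altered transcript without the session key."""
    transcript = ("|".join(client_offer) + "=>" + chosen).encode()
    return hmac.new(key, transcript, hashlib.sha256).digest()


def handshake(client_offer: List[str], server_supported: List[str], session_key: bytes,
              tamper: Optional[Callable[[List[str]], List[str]]] = None,
              verify_transcript: bool = True) -> Tuple[str, bool]:
    """Run one negotiation. `tamper` models an on-path attacker rewriting the client's offer in
    transit; verify_transcript=False models a legacy protocol with no transcript check.
    Returns (chosen_suite, accepted_by_client)."""
    offer_seen_by_server = tamper(client_offer) if tamper else list(client_offer)
    chosen = negotiate(offer_seen_by_server, server_supported)          # server's choice
    if not verify_transcript:
        return chosen, True  # client accepts whatever came back: the downgrade goes unnoticed
    server_finished = transcript_mac(session_key, offer_seen_by_server, chosen)  # server's view
    client_expected = transcript_mac(session_key, client_offer, chosen)          # client's view
    return chosen, hmac.compare_digest(server_finished, client_expected)


def strip_to_weakest(offer: List[str]) -> List[str]:
    """Attacker's rewrite: keep only the weakest suite(s) the client still accepts."""
    weakest = min(STRENGTH[s] for s in offer)
    return [s for s in offer if STRENGTH[s] == weakest]


if __name__ == "__main__":
    client = ["AES256-GCM", "AES128-GCM", "3DES-CBC", "RC4-MD5"]
    server = ["AES128-GCM", "AES256-GCM", "RC4-MD5"]
    key = b"constructed-session-key"  # demo assumption: shared by client and server, unknown to attacker
    print("honest network:            ", handshake(client, server, key))
    print("attacker strips, legacy:   ", handshake(client, server, key, strip_to_weakest, False))
    print("attacker strips, checked:  ", handshake(client, server, key, strip_to_weakest))
```

The transcript check makes the downgrade detectable, but the attacker only had something to downgrade to because the server still offered a weak suite. Removing weak suites from the server list is the complementary fix: with the constructed server list reduced to the two AES-GCM suites, a stripped offer has nothing in common and `negotiate` refuses instead of agreeing to RC4.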

Key takeaways

The eight CISSP security domains can help an organization and its security team fortify against and prepare for a data breach. Data breaches range from simple to complex and fall under one or more domains. Note that the methods of attack discussed are only a few of many. These and other types of attacks will be discussed throughout the certificate program.
