WEBVTT

1
00:00:00.000 --> 00:00:01.180
[Music]

2
00:00:23.040 --> 00:00:26.280
involves indicators of compromise

3
00:00:27.300 --> 00:00:34.380
all of the following are examples of indicators of compromise except for what

4
00:00:37.440 --> 00:00:43.500
please take a moment look at the answers and let's see what you're thinking

5
00:00:47.040 --> 00:00:49.380
okay so far

6
00:00:51.900 --> 00:00:54.540
it looks like everybody is saying that A

7
00:00:55.800 --> 00:01:01.080
an incorrect login attempt is not an indicator of compromise

8
00:01:01.740 --> 00:01:10.560
and another vote for A so the correct answer here is an incorrect login attempt

9
00:01:11.460 --> 00:01:23.700
and basically an indicator of compromise is some kind of element or artifact

10
00:01:24.240 --> 00:01:34.380
that indicates there's been a security breach so excessive bandwidth usage could be one of those

11
00:01:35.160 --> 00:01:45.240
certainly suspicious emails or rogue hardware but an incorrect login attempt is not a breach okay so

12
00:01:45.240 --> 00:01:53.340
that is the one that is not like the others and A is the correct answer for this question okay

13
00:02:05.340 --> 00:02:12.420
an employee suspects that their work email account has been compromised because they

14
00:02:12.420 --> 00:02:19.260
keep getting suspicious email advertisements from companies that they did not subscribe to

15
00:02:20.220 --> 00:02:27.660
what reconnaissance tool should the employee use to further investigate this situation

16
00:02:28.440 --> 00:02:32.460
take a moment look at your choices and let's see what you're thinking

17
00:02:40.560 --> 00:02:41.280
okay

18
00:02:43.740 --> 00:02:48.360
anybody have any suggestions as to which is the correct answer

19
00:02:54.120 --> 00:02:55.800
okay we have one response

20
00:03:00.060 --> 00:03:00.560
two

21
00:03:03.600 --> 00:03:04.200
okay

22
00:03:09.900 --> 00:03:16.320
so the two responses um both are for choice C

23
00:03:18.480 --> 00:03:23.340
open source intelligence does anybody else have a suggestion

24
00:03:33.660 --> 00:03:39.420
okay and we have another response in the chat D no

25
00:03:41.040 --> 00:03:48.300
um C is the correct choice open source intelligence so in the question

26
00:03:50.160 --> 00:03:56.760
you're asked what reconnaissance tool should the employee use to further investigate

27
00:03:57.600 --> 00:04:05.880
and I I'm thinking and hoping that it's pretty obvious that choices A and B are the ones that

28
00:04:05.880 --> 00:04:12.840
can be the most easily eliminated um I've really never heard of academic journals being

29
00:04:12.840 --> 00:04:21.900
a reconnaissance tool or requests for comments RFCs that does leave us with open source intelligence

30
00:04:22.560 --> 00:04:31.200
and private internet information sharing and analysis centers private information

31
00:04:33.000 --> 00:04:39.900
sharing and analysis centers so with open source intelligence

32
00:04:41.220 --> 00:04:51.240
um we can get all kinds of information fairly easily um uh using open source resources and

33
00:04:51.240 --> 00:04:57.180
tools you can easily retrieve information about a company that is available publicly

34
00:04:58.620 --> 00:05:04.080
um so information sharing and analysis centers

35
00:05:05.520 --> 00:05:11.580
um basically we're talking about organizations that provide a central resource for gathering

36
00:05:11.580 --> 00:05:18.360
information on cyber threats and in many cases that are the information that is critical to

37
00:05:18.360 --> 00:05:25.200
infrastructure as well as allow two-way sharing of information between the private and public sector

38
00:05:26.100 --> 00:05:34.920
about root causes incidents threats as well as sharing experience and knowledge and analysis

39
00:05:35.640 --> 00:05:43.140
okay so private ISACs were created to address U.S. critical infrastructure vulnerabilities

40
00:05:43.860 --> 00:05:50.340
and facilitated the sharing of actionable cyber security intelligence among trusted organizations

41
00:05:51.060 --> 00:05:55.680
within an industry and between sectors private sector and public sector

42
00:05:56.400 --> 00:06:03.240
okay so open source intelligence is the best answer for this question

43
00:06:05.640 --> 00:06:08.280
right let's go on to the next one

44
00:06:15.780 --> 00:06:20.160
okay I believe this is mint

45
00:06:22.860 --> 00:06:31.980
okay threat actor types when someone is worried about malicious users potentially compromising

46
00:06:31.980 --> 00:06:41.280
their servers while remaining undetected for a period of time this is known as a blank threat

47
00:06:42.480 --> 00:06:46.740
okay what do you think is the correct answer here

48
00:06:53.760 --> 00:07:02.220
all right let's see what we have in chat okay votes for APT which is choice C

49
00:07:02.880 --> 00:07:10.980
vote for D vote for C vote for C okay so yeah advanced persistent threat is correct

50
00:07:12.720 --> 00:07:19.380
um we're worried about server compromise and remaining undetected for a period of time

51
00:07:20.280 --> 00:07:31.500
the first choice um may not be the most obvious denial of service would probably be the most

52
00:07:31.500 --> 00:07:41.340
easily eliminated and denial of service is of course just that um there is no really

53
00:07:42.120 --> 00:07:49.500
um attempt for basic denial of service to remain undetected it happens service is denied

54
00:07:50.580 --> 00:07:57.420
so man in the middle or also known as an on-path attack

55
00:07:58.440 --> 00:08:08.700
and this occurs when the attacker sort of sits in the middle between two stations and is able

56
00:08:08.700 --> 00:08:17.160
to intercept information and sometimes they cannot just over not only intercept and read

57
00:08:18.180 --> 00:08:24.180
um or just intercept and have it to work with but they can change the information as well

58
00:08:25.680 --> 00:08:33.060
um so this type of attack can occur without anyone knowing uh that someone is sitting for

59
00:08:33.060 --> 00:08:40.800
example in the middle of a conversation um and again that's that's why the classic name that I

60
00:08:40.800 --> 00:08:50.820
think of uh for this type of attack is man in the middle um cyber espionage is the act of gathering

61
00:08:50.820 --> 00:08:59.040
secret or sensitive information for personal gain technological purposes or political reasons it's

62
00:08:59.040 --> 00:09:09.540
not military interaction by intent um so really we are left with advanced persistent threat or APTs

63
00:09:10.800 --> 00:09:22.800
and here the goal is very clearly to remain undetected um there have been many such attacks

64
00:09:24.000 --> 00:09:30.060
um these some of these have gone undetected for months and months okay

65
00:09:30.780 --> 00:09:36.720
so the key in this question is remaining undetected for a period of time

66
00:09:37.320 --> 00:09:42.960
and advanced persistent threat is the correct answer all right let's move on

67
00:09:49.500 --> 00:09:54.780
okay which best describes the term hacktivist

68
00:09:57.720 --> 00:10:00.720
take a moment and let's see what your responses are

69
00:10:07.200 --> 00:10:16.380
good we have lots of responses coming in fairly quickly I think this one is is uh fairly obvious

70
00:10:17.160 --> 00:10:26.940
okay so the correct answer is A a malicious user attempts to promote a political or ideological

71
00:10:26.940 --> 00:10:36.840
stance okay a hacker engaged in authorized pen testing or other security consultancy

72
00:10:37.500 --> 00:10:45.600
that is not a hacktivist an inexperienced unskilled attacker that typically uses tools or scripts

73
00:10:45.600 --> 00:10:56.460
created by others what kind of threat actor is that a script kiddie very good a script kiddie

74
00:10:58.080 --> 00:11:02.160
um an unauthorized hacker operating with malicious intent

75
00:11:04.440 --> 00:11:07.260
what name might we give to that type of threat actor

76
00:11:21.540 --> 00:11:24.540
okay nobody has a suggestion for that

77
00:11:26.640 --> 00:11:34.860
an unauthorized hacker operating with malicious intent okay we have a response a cracker okay

78
00:11:36.360 --> 00:11:45.540
um a black hat hacker that is the the typical um moniker given to this type of threat actor

79
00:11:47.100 --> 00:11:52.980
um a hacker engaged in authorized penetration testing I mean the the key there is

80
00:11:52.980 --> 00:12:01.380
authorized so we're probably almost certainly talking about a white hat okay um all right

81
00:12:02.340 --> 00:12:07.560
so hacktivist political or ideological stance

82
00:12:10.860 --> 00:12:12.240
okay next question

83
00:12:14.100 --> 00:12:18.480
one of your organization's employees doesn't think they are getting paid enough

84
00:12:19.320 --> 00:12:25.440
when they notice that the salary database file is available on the network they try to guess the

85
00:12:25.440 --> 00:12:32.160
password a couple of times which of the following choices best describes this type of threat

86
00:12:38.520 --> 00:12:48.720
okay lots of responses good okay and it looks like they're B this is the insider threat okay it's

87
00:12:48.720 --> 00:12:56.520
not an external threat that's I would think pretty obvious an external threat would not be one of

88
00:12:56.520 --> 00:13:04.740
the organization's employees uh state actor this is not a state actor and it is not a hacktivist

89
00:13:05.580 --> 00:13:16.680
okay so this is um again if we're thinking about you know um

90
00:13:18.120 --> 00:13:26.340
how do you classify threat actors and you know we have a set of nomenclature for doing this of

91
00:13:26.340 --> 00:13:34.860
course examples again are useful um insider threats of course are dangerous because they

92
00:13:34.860 --> 00:13:42.120
can be hard to detect especially if they are designed to go undetected for some time

93
00:13:43.380 --> 00:13:53.460
um the the common scenario here might be the disgruntled employee or or uh for for whatever

94
00:13:53.460 --> 00:14:00.840
reason so they're not getting paid as much as someone else or you know maybe they suspect that

95
00:14:00.840 --> 00:14:10.500
they're going to be uh released from employment for for some reason um uh one common scenario with

96
00:14:11.880 --> 00:14:17.040
um programmers or software engineers was that if they thought something like this would

97
00:14:17.040 --> 00:14:25.680
happen they might plant something like a logic bomb inside the company's application uh product

98
00:14:25.680 --> 00:14:38.220
for sale to customers and um if the software wasn't contacted or given some type of code or

99
00:14:39.000 --> 00:14:46.140
validating access for a period of time then that would set off the logic bomb and cause

100
00:14:46.140 --> 00:14:56.760
whatever damage the disgruntled employee intended so there's an example of an insider threat right

101
00:15:04.140 --> 00:15:08.820
okay Janice has just graduated from college

102
00:15:09.540 --> 00:15:17.820
and her first job has her conducting penetration tests which type of hacker best describes Janice

103
00:15:21.540 --> 00:15:22.200
okay

104
00:15:25.200 --> 00:15:33.480
this is what I expect okay lots of votes for D white hat and that is the correct answer

105
00:15:34.740 --> 00:15:46.140
um obviously not a script kiddie um let's see conducting penetration tests it does say her

106
00:15:46.140 --> 00:15:57.120
first job so we can fairly safely assume it's not a black hat threat actor type nor is it a gray hat

107
00:15:58.440 --> 00:16:10.860
okay that was pretty obvious um on the subject of gray hats there is a

108
00:16:12.600 --> 00:16:21.720
they are a type of in between sort of threat actor and what I mean by that is that a gray hat could

109
00:16:21.720 --> 00:16:32.400
be someone who violates um ethical standards or principles but may not have the same malicious

110
00:16:32.400 --> 00:16:40.560
intent that a black hat hacker would have okay or that that we would ascribe to a black hat hacker

111
00:16:41.700 --> 00:16:49.620
um they can engage in practices that are you know not exactly above board

112
00:16:50.400 --> 00:16:55.500
but sometimes they do these things and operate for the common good

113
00:16:57.480 --> 00:17:08.940
so if we try to uh classify gray hat hackers um there are those that gray hats that hack

114
00:17:08.940 --> 00:17:18.180
for personal gain and then those who hack for personal gain but also to improve security which

115
00:17:19.080 --> 00:17:25.740
you know it's it's hard to say exactly what um those motivations are

116
00:17:27.060 --> 00:17:37.140
um so as far as um classifying threat actor types so sometimes we refer to

117
00:17:38.160 --> 00:17:48.540
a white hat with a black heart okay so wrong very um figurative speech

118
00:17:49.740 --> 00:17:58.140
um but um you know again you've kind of got this this individual who is you know

119
00:17:58.140 --> 00:18:06.480
part white hat and part black hat you know and and um and that's really what it boils down to

120
00:18:07.500 --> 00:18:16.740
um it is a controversial practice that sort of fits in between somewhere in between illegal and

121
00:18:16.740 --> 00:18:26.700
legal activity okay so a little unusual um again you know I'm sure that there are many reasons uh

122
00:18:26.700 --> 00:18:34.860
why someone would exploit a vulnerability and then after receiving some type of gain for it

123
00:18:34.860 --> 00:18:43.380
make it widely known or publicly known okay all right let's go on to the next question

124
00:18:48.780 --> 00:18:58.380
okay a blank is the type of malicious actor that is most likely to have the

125
00:18:58.380 --> 00:19:05.100
most resources and funding since they work with their country's military and security services

126
00:19:06.180 --> 00:19:08.700
okay this one should be really easy

127
00:19:12.960 --> 00:19:25.440
okay I'm judging by the number of responses yeah we are talking about the state actor here um and

128
00:19:25.440 --> 00:19:35.400
I I would like to point out that this even though the question is talking about a malicious actor

129
00:19:37.020 --> 00:19:45.960
the real threat here comes from the fact that we aren't talking about just one but a multitude

130
00:19:46.740 --> 00:19:54.900
of threat actors and then of course when you know you have the funding and the backing of the state

131
00:19:55.500 --> 00:20:03.660
of some country's military or security services or other governmental service

132
00:20:05.280 --> 00:20:10.980
um you have typically a formidable force to deal with

133
00:20:12.300 --> 00:20:19.620
um resources and funding typically not a problem um think about it in the uh

134
00:20:20.160 --> 00:20:29.940
sense that you can have hundreds of people who you know go to a job and their job is to sit there and

135
00:20:29.940 --> 00:20:38.820
poke at us or some other country or organization and to seek out vulnerabilities and exploit them

136
00:20:39.360 --> 00:20:49.680
and that really is a danger here um not just that it's one malicious actor okay

137
00:20:51.720 --> 00:20:54.240
all right and let's go on to the next question

138
00:20:58.320 --> 00:21:04.320
which of the following is not considered a potential insider threat

139
00:21:06.360 --> 00:21:09.420
okay take a moment and let's see what you think about this one

140
00:21:12.660 --> 00:21:20.160
okay so we have several responses um for D and that is the correct choice

141
00:21:21.060 --> 00:21:26.460
uh as I I've pointed out before and I will point this out again

142
00:21:27.660 --> 00:21:37.740
when you are asked a question but it is not which of the following is not this or that

143
00:21:39.300 --> 00:21:48.420
um these questions can sometimes be a little confusing or not as obvious you just have to

144
00:21:48.420 --> 00:21:55.200
think about it and as always good practice is to read the question twice make sure you understand

145
00:21:55.200 --> 00:22:03.300
what you're being asked for so which of the following is not considered a potential insider

146
00:22:03.300 --> 00:22:14.220
threat contractors business partners all would be involved with an organization at or by request

147
00:22:15.180 --> 00:22:22.020
infected email file attachments not an insider threat it comes

148
00:22:22.020 --> 00:22:29.400
from an external source so all of these answers are correct all right let's go on

149
00:22:39.600 --> 00:22:46.800
okay which of the following is not true about a TTP

150
00:22:49.200 --> 00:22:56.040
okay take a moment read the answer choices carefully and let's see what you're thinking

151
00:22:58.680 --> 00:22:59.940
okay

152
00:23:01.740 --> 00:23:08.280
so we have a response in the chat for D choice D

153
00:23:10.320 --> 00:23:20.040
any other suggestions which of the following is not true about a TTP clearly one of the

154
00:23:21.000 --> 00:23:27.600
things this question hinges on is understanding the acronym TTP and what does it mean

155
00:23:29.760 --> 00:23:37.380
okay so a couple more choices uh one for C and one for I'm confused about this one understandable

156
00:23:37.380 --> 00:23:47.340
okay so again when faced with questions that are asking you what something is not

157
00:23:48.180 --> 00:23:55.980
it helps to pinpoint what the question is talking about okay and the question is talking about

158
00:23:55.980 --> 00:24:05.040
TTP which does stand for tactics techniques and procedures so which of the following is not true

159
00:24:06.060 --> 00:24:16.800
TTP stands for tactics techniques and procedures well that is a true statement okay all right TTP

160
00:24:16.800 --> 00:24:27.660
encompasses the mapping out of specific malicious user activity okay and that is a true statement

161
00:24:29.760 --> 00:24:35.220
TTP is evidence of an indicator of compromise

162
00:24:39.360 --> 00:24:49.800
that is not a true statement answer choice C is the correct answer TTP is a generalized

163
00:24:49.800 --> 00:25:00.600
statement of adversary behavior and it can be so the tactic is a high level description

164
00:25:01.920 --> 00:25:16.200
of an action a threat actor takes a technique is a more detailed description of a tactic and the

165
00:25:16.200 --> 00:25:25.740
procedure provides step-by-step details on how the threat actor would accomplish the behavior

166
00:25:26.640 --> 00:25:34.740
okay so again the question hinges on understanding what TTP means

167
00:25:34.740 --> 00:25:40.560
tactics techniques and procedures are what it's an acronym for but then understanding

168
00:25:41.400 --> 00:25:49.800
the meanings of the terms tactics techniques and procedures and by what I've just told you

169
00:25:49.800 --> 00:25:59.220
tactics being sort of the high level description techniques being a more detailed explanation of a

170
00:25:59.220 --> 00:26:07.980
tactic okay or description and then the procedures finally are the step-by-step breakdown okay so you

171
00:26:07.980 --> 00:26:18.600
can see that they sort of follow from one another okay and so when you get this or you understand

172
00:26:18.600 --> 00:26:26.220
that you can see why it is a generalized statement of adversary behavior and encompasses mapping out

173
00:26:26.220 --> 00:26:32.520
of specific malicious activity and of course stands for tactics techniques and procedures

174
00:26:33.240 --> 00:26:41.700
leaving us with only evidence of an indicator of compromise okay all right

175
00:26:44.280 --> 00:26:54.060
so again C is the correct answer TTP is evidence of an IOC that is not true okay

176
00:26:58.680 --> 00:27:03.000
and again uh and I just want to add this as well that

177
00:27:03.960 --> 00:27:09.540
um when we talk about indicators of compromise we are talking about

178
00:27:10.800 --> 00:27:20.340
um elements found on or in a system that indicate that there has been a security breach

179
00:27:20.340 --> 00:27:27.540
okay that's what an indicator of compromise is okay all right let's move on to the next question

180
00:27:33.780 --> 00:27:44.340
okay which of the following is true regarding gray hat hackers and white hat hackers okay so

181
00:27:44.340 --> 00:27:50.640
please take a moment read through the answer choices and cast your vote for the correct one

182
00:27:55.260 --> 00:27:58.080
okay we got responses in the chat

183
00:28:00.240 --> 00:28:17.100
and let's see so D votes for D a vote for B and A and D and A okay so most of the votes choice D

184
00:28:17.100 --> 00:28:29.880
a gray hat hacker and a white hat hacker both do not have malicious intent okay so this question

185
00:28:30.960 --> 00:28:37.800
sort of again shows us how you really have to read the choices carefully and

186
00:28:37.800 --> 00:28:43.260
if we start with say the first answer a gray hat hacker has malicious intent

187
00:28:43.800 --> 00:28:50.760
as soon as we read that if you you understand how gray hats work and perhaps what their motivation

188
00:28:50.760 --> 00:29:00.900
is that is not necessarily true okay so we can eliminate that choice um a white hat hacker does

189
00:29:00.900 --> 00:29:08.700
not have malicious intent that we know but the gray hat has malicious intent not guaranteed

190
00:29:09.960 --> 00:29:17.460
a gray hat hacker and a white hat hacker both have authorization well we can say that a

191
00:29:17.460 --> 00:29:24.840
white hat does and and be confident in that a gray hat again may not have authorization

192
00:29:26.280 --> 00:29:31.800
a gray hat hacker and by the way typically does not have authorization

193
00:29:33.060 --> 00:29:41.040
a gray hat hacker does not have malicious intent while a white hat hacker has malicious intent in

194
00:29:41.040 --> 00:29:49.260
that second phrase clearly rules out answer choice C so the correct answer a gray hat hacker and a

195
00:29:49.260 --> 00:29:57.180
white hat both do not have malicious intent is the best answer for this question the best answer

196
00:29:58.740 --> 00:30:05.100
okay let's see what we have here that one is confusing

197
00:30:05.760 --> 00:30:18.120
um confusing because neither I feel like neither A or D are are um definite because

198
00:30:19.860 --> 00:30:29.520
yeah go ahead is it not possible for gray hat hackers to um have a malicious intent okay is it

199
00:30:29.520 --> 00:30:35.580
is that impossible to rule out is that an absolute that a gray hat does not have malicious intent

200
00:30:37.380 --> 00:30:43.740
I'm asking could could it be that they do have malicious intent it could be

201
00:30:43.740 --> 00:30:53.040
I mean and again it kind of sort of depends on your your interpretation of malicious intent

202
00:30:53.040 --> 00:31:02.340
so if a gray hat compromises the system and for some personal gain

203
00:31:03.360 --> 00:31:10.620
and it stops right there so the the system the network the resources compromised the gray hat

204
00:31:11.460 --> 00:31:17.580
gets something out of it and that's the end of it I mean do you think that's malicious

205
00:31:24.300 --> 00:31:30.720
because I mean I would consider that somewhat malicious I would too okay

206
00:31:31.740 --> 00:31:43.440
if a gray hat compromises some resource that they clearly are not authorized to access

207
00:31:44.700 --> 00:31:55.560
and they do it anyway but then they publicize the vulnerability that they were to exploit or that

208
00:31:55.560 --> 00:32:06.000
they did exploit and made it available here again you have to ask okay so they found a vulnerability

209
00:32:06.720 --> 00:32:14.760
exploited but then they made it available the real sort of balance point here or the point

210
00:32:14.760 --> 00:32:19.860
that's going to throw it out of balance is who did they make it available to you

211
00:32:19.860 --> 00:32:30.420
for example if you compromise you know maybe Acme bank for example right and then you know

212
00:32:30.420 --> 00:32:34.920
you called up Acme headquarters and go hey guess what I was able to get in your system

213
00:32:37.260 --> 00:32:45.360
that's different than I compromised you and then I made it publicly available

214
00:32:46.380 --> 00:32:56.940
if you make it publicly available who's to say that another bad actor would not read about your

215
00:32:57.660 --> 00:33:02.760
your information about a vulnerability found and exploited and then go in and do the same thing

216
00:33:06.000 --> 00:33:11.400
do you see what I'm saying yes that's what that's what makes it confusing it does make

217
00:33:11.400 --> 00:33:17.760
it confusing because because the answers are the are the answers are written as absolutes

218
00:33:17.760 --> 00:33:28.440
sorry go ahead I was just saying trying to do deductive reasoning just from even this this

219
00:33:28.440 --> 00:33:33.900
uh tonight's training because you you spoke about this just a little while ago and about

220
00:33:33.900 --> 00:33:43.140
how sometimes gray hat hackers may have a malicious intent mm-hmm yeah so so going

221
00:33:43.140 --> 00:33:47.820
with that reasoning and then trying to answer this question it's just confusing a little bit

222
00:33:49.020 --> 00:33:55.380
okay so so it's safe to assume when we see a question like this that

223
00:33:56.220 --> 00:34:00.300
we're not going to think that the gray hat hacker has malicious intent

224
00:34:01.980 --> 00:34:10.380
okay so I'm not sure I would say that or make that statement um let's let's take the other

225
00:34:10.380 --> 00:34:16.260
comment and then come come back around with us so someone else was saying something yeah I was

226
00:34:16.260 --> 00:34:21.720
going to say that this question seemed it's like it's based off a probability and if that a gray

227
00:34:21.720 --> 00:34:32.340
hat hacker goes one way A is the answer and the other way D is the answer so here again this is

228
00:34:32.340 --> 00:34:44.040
the problem with this so-called gray area right I mean you know so a white hat hacker is one

229
00:34:44.040 --> 00:34:52.320
extreme and a black hat hacker is another extreme and then there's this gray area the problem can

230
00:34:52.320 --> 00:35:01.140
easily be your definition or their definition the test creator's definition of malicious intent okay

231
00:35:02.460 --> 00:35:10.200
um the other sort of bit of information that I want to throw out at you is that these questions

232
00:35:11.880 --> 00:35:19.440
were developed based on the text that I believe you will have access to

233
00:35:21.120 --> 00:35:29.580
and um so in order to avoid any kind of problems with copyright

234
00:35:31.200 --> 00:35:40.380
um for lack of a better way to put it these questions are paraphrases of the information okay

235
00:35:40.920 --> 00:35:54.480
so I'm not sure that it would be this confusing okay um based on what I've seen um

236
00:35:56.580 --> 00:36:03.300
certification testing not just you know Sec Plus or CompTIA or whatever agency you want to choose

237
00:36:03.300 --> 00:36:12.360
Cisco for example um they do tend to have some anchorable information that is some information

238
00:36:12.360 --> 00:36:23.040
that when you discover it and if you understand it that you know it would take some of the

239
00:36:23.760 --> 00:36:32.100
either confusion out or give you a basis to reason on to choose or to then choose a correct answer

240
00:36:32.760 --> 00:36:41.520
but the way this is worded it's it's a little confusing okay um and again it really does

241
00:36:41.520 --> 00:36:48.360
hinge on this whole phrase about malicious intent let's see we have some more comments in the chat

242
00:36:50.460 --> 00:36:57.360
okay gray hat is a computer hacker computer security expert who may sometimes violate the

243
00:36:57.360 --> 00:37:03.780
law or typical ethical standards but usually does not have malicious intent typical of black hat

244
00:37:04.440 --> 00:37:11.580
black hat hackers' sole focus is to sow chaos gray hats may do it but as a byproduct of

245
00:37:11.580 --> 00:37:16.680
their actions motivated by personal gain okay and this is someone's interpretation

246
00:37:18.660 --> 00:37:27.180
gray hat might not have had and the white hat has no malicious intent okay again so

247
00:37:27.180 --> 00:37:37.200
it's the use of the phrase malicious intent and your interpretation because again and even if

248
00:37:38.400 --> 00:37:46.200
well let's go back again to the example of the Acme bank okay this this fictional bank that

249
00:37:46.200 --> 00:37:55.560
we're making up and if you are doing whatever maybe you're a student and a researcher or

250
00:37:55.560 --> 00:38:03.420
or some some situation such as that and you find the vulnerability and exploit it

251
00:38:05.820 --> 00:38:13.980
you do so without permission so right away that takes you out of the realm

252
00:38:13.980 --> 00:38:24.480
of the quote white hat hacker or pen tester okay because you never do something like this without

253
00:38:24.480 --> 00:38:31.200
full knowledge and disclosure and permission okay and and that's that's just how it is

254
00:38:31.980 --> 00:38:42.900
so again the question becomes is that malicious intent and you cannot say necessarily that it is

255
00:38:43.740 --> 00:38:49.740
you know maybe uh someone does this and who knows maybe it's their bank

256
00:38:51.240 --> 00:38:56.820
right and they feel like they have a stake in it because they have a mortgage

257
00:38:56.820 --> 00:39:01.020
with this bank and checking accounts and savings accounts and they're like

258
00:39:01.620 --> 00:39:07.260
and I just found a vulnerability and when I was trying to exploit it I was able to do so

259
00:39:07.800 --> 00:39:14.760
so now I'm going to contact this bank and make it known to them is that malicious intent

260
00:39:16.980 --> 00:39:26.340
no no I don't think it is but it's certainly illegal yeah right I mean so

261
00:39:27.360 --> 00:39:32.760
again interpretation of malicious intent but that's like also what certain people do for

262
00:39:32.760 --> 00:39:37.680
like work they go around and exploit vulnerability not vulnerabilities and try to get paid from it

263
00:39:37.680 --> 00:39:41.040
they're not necessarily trying to do anything bad to the companies but they're trying to show them

264
00:39:41.040 --> 00:39:47.100
that they're vulnerable and then hopefully also get paid in the process and and this is why though

265
00:39:47.100 --> 00:39:55.020
we have codes and laws that we follow and and procedures and and things such as you know full

266
00:39:55.020 --> 00:40:03.360
disclosure and and not even trying to do something like this um because you know it's it's not

267
00:40:04.620 --> 00:40:14.040
your property it is not a system or a resource that is under your authority or direct control

268
00:40:14.040 --> 00:40:25.140
so therefore if you've found a vulnerability that does not give you the right to exploit it and if

269
00:40:25.140 --> 00:40:36.480
you found a vulnerability you must be poking at this system or resource so having rules procedures

270
00:40:37.860 --> 00:40:46.560
um what we would call legal action versus illegal action is how we stay out of this

271
00:40:46.560 --> 00:40:54.240
mess how we keep it from being what it is okay could be depends on the individuals

272
00:40:56.340 --> 00:40:58.800
and default otherwise they would be a black hat

273
00:41:00.600 --> 00:41:06.900
that is still different this is really interesting so the argument here is that gray hat does not

274
00:41:06.900 --> 00:41:14.100
have malicious intent by default otherwise we would classify them as a black hat hacker

275
00:41:15.060 --> 00:41:18.780
if they change their intent after the fact that's different

276
00:41:19.500 --> 00:41:26.160
that's a very interesting point of view yes sir I guess I could unmute my mic for that that's how I

277
00:41:26.160 --> 00:41:32.160
look at it like if you initially have malicious intent you're a black hat hacker but if you go

278
00:41:32.160 --> 00:41:37.560
into something without trying to have personal gain but then change your mind in the process and

279
00:41:37.560 --> 00:41:44.760
decide that you could get away with it it might be worth it then you're the gray hat hacker okay so

280
00:41:45.720 --> 00:41:56.580
if we don't have um the intention of let's say uh exfiltrating information okay

281
00:41:59.040 --> 00:42:02.100
the question still has to be asked

282
00:42:02.880 --> 00:42:08.640
why are you poking and looking for vulnerabilities without permission

283
00:42:11.220 --> 00:42:18.240
I think by the very nature of the action right that the default

284
00:42:19.080 --> 00:42:24.360
sort of response is going to be you're you're doing something that is illegal

285
00:42:25.080 --> 00:42:32.820
and I guess then the question becomes do we associate any illegal action with malicious intent

286
00:42:36.540 --> 00:42:40.680
this this is starting to sound like a very circular conversation

287
00:42:41.820 --> 00:42:49.320
it's the way the question is worded it's asking what is true of both of them in my opinion only

288
00:42:49.320 --> 00:42:55.560
two options address that and only one is correct I think there's also an organization not to like

289
00:42:55.560 --> 00:43:01.200
drag this topic out but isn't there also an organization that is like built and kind of

290
00:43:01.200 --> 00:43:05.280
helps out people who do hack into systems and get in trouble legally like they kind of help

291
00:43:05.940 --> 00:43:10.320
hackers who might kind of get caught up in a mess when their intentions initially weren't to

292
00:43:10.320 --> 00:43:13.440
do something bad they were just curious and wanted to see how far they could get

293
00:43:15.240 --> 00:43:21.840
um I I mean what do you mean by help like someone who comes to their aid or provides legal yeah

294
00:43:21.840 --> 00:43:25.680
there's like a group of I remember their name but they provide like legal aid for people who

295
00:43:25.680 --> 00:43:31.200
especially like majorities like younger people who are like hacking might not know the legal

296
00:43:31.200 --> 00:43:35.760
precautions of what they're doing but they're just doing it or they can get there's like groups that

297
00:43:35.760 --> 00:43:43.740
are there for that as well and and there may very well be um I think if it gets to that point for

298
00:43:43.740 --> 00:43:50.760
example if we're talking about the high school student and they get caught you know poking at

299
00:43:50.760 --> 00:44:00.360
Bank of America okay for example um you know where that ends up and who makes that decision

300
00:44:01.200 --> 00:44:06.720
I think is going to determine what happens after that point so if it goes to

301
00:44:07.320 --> 00:44:14.460
some type of court or legal procedure um as far as getting help for that

302
00:44:15.960 --> 00:44:24.120
there may very well be organizations that do that um I will say that I am not aware of them

303
00:44:26.760 --> 00:44:34.380
so I think the best advice is to follow what we what we that means what we generally

304
00:44:35.340 --> 00:44:40.860
think of as legal action is to follow those procedures and

305
00:44:41.700 --> 00:44:47.400
you know not poke at something that doesn't belong to you and that you have no business poking at

306
00:44:49.980 --> 00:44:56.880
um it's a very interesting conversation and I'm glad that we had this time to discuss it a bit

307
00:44:57.780 --> 00:45:00.720
all right let's go on to the next question

308
00:45:06.480 --> 00:45:13.080
what type of hacker has unauthorized access and malicious intent

309
00:45:16.200 --> 00:45:16.860
okay

310
00:45:19.380 --> 00:45:25.800
yeah all right so this is a description of a black hat hacker

311
00:45:27.240 --> 00:45:32.940
uh all right and then finally the last question

312
00:45:37.260 --> 00:45:47.220
when using a Tor web browser the user can be confident of which of the following and

313
00:45:47.220 --> 00:45:53.820
you're directed to choose two everybody take a moment and look at the choices

314
00:45:56.640 --> 00:46:08.400
okay you know choices selections in the chat A and C A and C A C A and C okay

315
00:46:09.660 --> 00:46:21.180
so choice A and C are the correct choices um I would point out something and

316
00:46:22.320 --> 00:46:27.840
you know obvious or not when you come across a question like this

317
00:46:29.580 --> 00:46:38.100
and especially when the answer choices are displayed in this fashion my eye goes right

318
00:46:38.100 --> 00:46:48.960
to that first phrase because each answer choice starts with they remain anonymous okay so to me

319
00:46:49.680 --> 00:46:55.200
you know it's it might be a little bit of noise I ignore it because

320
00:46:56.640 --> 00:47:02.280
if you're just looking from the point of view of I've got to determine which answer is correct and

321
00:47:02.280 --> 00:47:08.340
maybe I have to do this through the process of elimination this phrase they remain anonymous

322
00:47:08.340 --> 00:47:14.640
does not figure into it so is it because there are multiple layers of encryption

323
00:47:16.320 --> 00:47:22.560
is it because their network is using IPv6 is it because they don't

324
00:47:23.820 --> 00:47:28.800
authenticate to use Tor or because there's one layer of encryption

325
00:47:29.760 --> 00:47:38.760
so what it boils down to is looking at the second phrase of all the answers and in this situation

326
00:47:40.440 --> 00:47:49.380
the correct choices correctly describe what's happening when using the Tor web browser in other

327
00:47:49.380 --> 00:47:58.260
words yes there are multiple layers of encryption because their network is using IPv6 not necessarily

328
00:47:59.700 --> 00:48:05.460
because they don't authenticate no you don't authenticate you are anonymous and you don't

329
00:48:05.460 --> 00:48:13.500
have to authenticate kind of you know would sort of not work right for remaining anonymous
00:48:14.040 --> 00:48:19.560 and then because there is one layer of encryption well that's just not true there are multiple 331 00:48:19.560 --> 00:48:26.820 layers okay so again you're looking at the second half and you're really looking at which 332 00:48:26.820 --> 00:48:35.940 of these statements are true concerning to our web browsing okay and that's the last question 333 00:48:35.940 --> 00:48:43.380 for this evening session and I'd like to thank you all for joining us for this review session