1.0 - Threats, Attacks, & Vulnerabilities Flashcards

1
Q

Define

Typosquatting

A

A type of URL hijacking: registering a misspelled version of a legitimate website's domain name (a dropped, doubled, or transposed letter, a look-alike character, or a typo in the TLD) so that users who mistype the address land on the attacker's site
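
Added example, not from the original flashcards: enumerating the look-alike domains an attacker might register for a brand, so a defender can pre-register or monitor them. The four typo heuristics and the homoglyph table are this example's own assumptions.

```python
# Added example: generate typosquat candidates for a legitimate domain.
# The heuristics below (omission, repetition, transposition, homoglyph,
# TLD typo) and the HOMOGLYPHS table are assumptions of this example.

HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn"}

def typo_variants(domain: str) -> set:
    """Return candidate typosquat domains for e.g. 'example.com'."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                # omission:      exmple
        names.add(name[:i + 1] + name[i] + name[i + 1:])  # repetition:    exaample
        if name[i] in HOMOGLYPHS:                         # homoglyph:     examp1e
            names.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
        if i + 1 < len(name):                             # transposition: exampel
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    names.discard(name)
    out = {f"{n}.{tld}" for n in names if n}
    for i in range(len(tld)):                             # TLD typo: .cm / .om / .co
        out.add(f"{name}.{tld[:i] + tld[i + 1:]}")
    return out

def is_lookalike(candidate: str, legit: str) -> bool:
    """True if candidate is a typosquat of legit (and not legit itself).
    Useful as a check on sender domains in mail logs or on newly seen DNS names."""
    c = candidate.lower()
    return c != legit.lower() and c in typo_variants(legit)
```

The candidate set is what you would feed to a domain-monitoring or certificate-transparency watch; it is deliberately small (single edits only) because multi-edit typos are far less likely to be typed by a real user.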

2
Q

Define

Pharming

A

• Like phishing, but redirects large groups of users at once to a fraudulent copy of a legitimate site, rather than luring victims one at a time

• Often relies on a poisoned DNS server or a client-side compromise (such as a modified hosts file) so that the legitimate address resolves to the attacker's server

• Relatively rare, but they do occur

3
Q

Define

Vishing

A

• Voice phishing, done over phone or voicemail

• Caller ID spoofing is common

4
Q

Define

Smishing

A

• SMS phishing, performed via text message

• Spoofing of the sending number (sender ID) is common

5
Q

Define

Spear phishing

A

• Targeted phishing attacks, going after a very specific person or group

• Utilize inside information, or public information gathered through reconnaissance, to make the attack more believable

6
Q

Define

Whaling

A

• A spear phishing attack against a high-value target such as a CEO or CFO

• Typically aims to obtain funds from someone with authority over a large bank account

7
Q

Define

Dumpster Diving

A

• Gather personal details by going through trash, to use for phishing attacks and impersonation

8
Q

How to Protect against Dumpster Diving?

A

• Shred or burn your documents

• Secure your garbage

9
Q

Define

Shoulder Surfing

A

• Looking over someone’s shoulder to view private information, passwords, etc.

• Can be done from a distance using binoculars, telescopes, webcam monitoring

10
Q

How to protect against Shoulder Surfing?

A

• Be aware of surroundings

• Use privacy filter (screen that blocks view from angles)

• Keep monitor facing away from windows, hallways

• Don’t do sensitive work in public area

11
Q

Define

Watering Hole Attack

A

• When you can’t attack an organization directly, you can attack a third-party that is associated with them.

• The third party is termed the “watering hole.”

• Ex., compromise a website that the victim is known to visit, so that the victim is infected when they next go there

• The attack is looking for specific victims, but often all visitors of the watering hole are infected / attacked.

12
Q

How to protect against a Watering Hole Attack?

A

• Make sure your own defenses are very good

• Use a multi-layered defense

13
Q

Define

SPIM

A

Spam over Instant Messaging

14
Q

Define

Spam

A

• Unsolicited messages, typically over email or on forums, etc.

• Can be malicious, but not necessarily so.

• Includes commercial advertising, non-commercial proselytizing, as well as malicious attacks like phishing

15
Q

What are the problems caused by spam?

A

• Security concerns (phishing, malware delivery)

• Resource utilization

• Storage costs

• Management of spam

16
Q

How to protect against spam?

A

• It is necessary to combine multiple approaches.

• Mail gateways / filters

• Utilize Allow lists

• SMTP standards checking (blocking anything not following RFC standards)

• rDNS check

• Tarpitting

• Recipient filtering

17
Q

Define

Recipient Filtering

A

Blocking all email not addressed to a valid recipient

18
Q

Define

rDNS

A

• Reverse DNS

• Checks that the sending IP address has a PTR record whose hostname is consistent with the domain the sender claims; a missing or mismatched record is a strong spam indicator

19
Q

Define

Tarpitting

A

• Intentionally slowing down the mail server's responses to a sender in order to slow down / mitigate an attack

• Ex. delaying the delivery of e-mail so that mass mailing becomes uneconomical and the spammers move on from you

20
Q

Define

Tailgating

A

• Following an authorized person through a secured door to gain unauthorized access to a building

• May involve social engineering such as walking with your hands full, posing as a 3rd party vendor, etc.

21
Q

How to protect against tailgating?

A

• A no-tailgating policy

• Policy that all visitors must wear badges

• Mechanically prevent more than one person from entering at a time, such as a turnstile, a mantrap vestibule, or an airlock-style double door

22
Q

What are some principles of social engineering?

A

• Authority

• Intimidation

• Scarcity

• Urgency

• Consensus / social proof

• Familiarity / Liking

• Trust

23
Q

Define

Virus

A

• Malware that can reproduce itself

• Requires human interaction to execute

24
Q

Define

Worm

A

Self-replicating malware that spreads from machine to machine over the network without requiring any human interaction

25
Q

Describe some virus types

A

• Program virus: part of an application

• Boot sector virus: runs when booting system

• Script virus: can be operating-system or browser-based

• Macro virus: common in Microsoft Office

26
Q

How to protect against ransomware?

A

• Always have a backup, ideally offline and disconnected

• Keep the OS and applications up-to-date

• Keep anti-virus / anti-malware signatures up-to-date

27
Q

Difference between ransomware and crypto-malware?

A

• Ransomware does not necessarily encrypt your files; it is any malware that demands payment to undo its effect (e.g., lock-screen malware that only blocks access to the desktop)

• Crypto-malware, which encrypts your files and demands payment for the key, is the most common form of ransomware today

• Therefore, in practice the term ransomware is usually used to refer to crypto-malware

28
Q

Define

Trojan horse

A

• Software that pretends to be something else (a legitimate or useful program) so that the victim runs it

• Typically does not self-replicate; its purpose is to get executed and deliver its payload

29
Q

Define

Fileless Virus

A

• Runs only in memory and writes no executable file to disk

• That makes it difficult for file-based anti-virus scanning to detect

• May still modify the registry (for example an autorun key) so that it is relaunched after a reboot

30
Q

Examples of a PUP?

A

• Browser toolbar

• Backup utility that displays ads

• Browser search engine hijacker

31
Q

Define

RAT

A

• Remote Access Trojan

• aka Remote Administration Tool

• A tool that gives administrative access to a remote user

32
Q

How to protect against RATs?

A

• Don’t run unknown software

• Don’t follow unknown links

• Keep anti-virus/OS/applications up-to-date

• Always have a backup

33
Q

Define

Rootkit

A

• Modifies core system files, becomes part of the kernel

• Can therefore be invisible to the OS; won’t be seen in task manager

• Thus invisible to traditional anti-virus utilities

• Very difficult to remove even if discovered, because it is now part of the operating system

34
Q

How to protect against Rootkits?

A

• Use a remover that is specific to the rootkit; these are usually developed after a rootkit is discovered

• Use UEFI Secure Boot so that a modified boot loader or kernel will not be loaded

35
Q

Define

Secure Boot

A

• A feature of UEFI firmware

• Verifies the digital signature of the boot loader and kernel before loading them, and will not boot a system whose boot components have been modified or are not signed by a trusted key (or a system that does not support the Secure Boot feature)

36
Q

Define

Bot

A

• Malware that infects a machine for purposes of automation.

• Receives instructions from a Command and Control server.

• May make your machine participate in attacks, etc.

37
Q

Define

C&C

A

• Command and Control

• The server that controls bots / botnets

38
Q

Define

Botnet

A

• A system of Bots working together

39
Q

What are botnets often used for?

A

• DDoS attacks

• Relay spam

• Proxy network traffic

• Various distributed computing tasks

• That computing power may be rented out to others (DDoS as a Service)

40
Q

How to protect against bots?

A

• Prevent initial infection by keeping up-to-date, don’t download unknown things, etc.

• Network monitoring

• Use firewall to block C&C communications

41
Q

Define

Logic Bomb

A

• Something left on a system that waits for a predefined event

• Can be triggered by a date/time, or by a user action, or system event, etc.

• Often destroys itself, making it difficult to gather evidence after attack

42
Q

How to protect against Logic Bombs?

A

• Each is unique, so there are no predefined signatures; difficult to detect

• Process and procedures are a good strategy

• Formal change control; all modifications must be documented; undocumented changes trigger an investigation

• Monitoring that alerts on changes

• Host-based intrusion detection

• Applications like Tripwire

• Constant auditing

43
Q

Define

Spraying Attack

A

• Trying a small number of very common passwords against a multitude of accounts

• Avoids locking any account by trying only a few passwords per account (below the lockout threshold) before moving on to the next account

• Often produces no lockouts, no alarms, no alerts, because per-account thresholds are never reached

44
Q

Define

Brute Force Attack

A

• Try every possible password combination until the right one is matched

• Can take a very long time if a strong, deliberately slow hashing algorithm is used

• Requires a large amount of processing power

• When performed online against the login system, it usually results in account lockouts
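
Added example, not from the original flashcards, covering cards 43 and 44: telling password spraying apart from a classic online brute force in authentication logs. A per-account lockout counter never fires on spraying, so the detection has to pivot on the source across accounts. The log lines are constructed for this example, in a simplified "<time> FAILED user=<u> src=<ip>" form; the thresholds are assumptions.

```python
# Added example: classify failed-login sources as spraying, brute force, or benign.
# SAMPLE_LOG is constructed for this example; LINE_RE matches its simplified format.
import re
from collections import defaultdict

SAMPLE_LOG = """\
09:00:01 FAILED user=alice src=203.0.113.9
09:00:02 FAILED user=bob src=203.0.113.9
09:00:03 FAILED user=carol src=203.0.113.9
09:00:04 FAILED user=dave src=203.0.113.9
09:00:05 FAILED user=erin src=203.0.113.9
09:00:06 FAILED user=frank src=203.0.113.9
09:01:00 FAILED user=carol src=198.51.100.7
09:01:01 FAILED user=carol src=198.51.100.7
09:01:02 FAILED user=carol src=198.51.100.7
09:01:03 FAILED user=carol src=198.51.100.7
09:01:04 FAILED user=carol src=198.51.100.7
09:01:05 FAILED user=carol src=198.51.100.7
09:01:06 FAILED user=carol src=198.51.100.7
09:01:07 FAILED user=carol src=198.51.100.7
09:01:08 FAILED user=carol src=198.51.100.7
09:01:09 FAILED user=carol src=198.51.100.7
09:02:00 FAILED user=dave src=192.0.2.5
09:02:30 FAILED user=dave src=192.0.2.5
09:02:45 ACCEPTED user=dave src=192.0.2.5
"""

LINE_RE = re.compile(r"^\S+ FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(log_text: str) -> list:
    """Return (src_ip, username) pairs for every failed-login line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["src"], m["user"]))
    return events

def classify_sources(events, lockout_threshold: int = 5, spray_min_users: int = 5) -> dict:
    """Map each source IP to 'brute_force', 'spray', or 'benign'.
    brute_force: one account hit at least lockout_threshold times (a lockout/alert fires)
    spray:       many distinct accounts, each tried fewer times than the lockout
                 threshold, so a per-account view sees nothing unusual
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for src, user in events:
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        worst_single_account = max(users.values())
        if worst_single_account >= lockout_threshold:
            verdicts[src] = "brute_force"
        elif len(users) >= spray_min_users:
            verdicts[src] = "spray"
        else:
            verdicts[src] = "benign"
    return verdicts
```

Real attackers also spread a spray across many source IPs and over days; the same idea still applies, keyed on a wider window or on a shared fingerprint (user agent, ASN) instead of a single IP.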

45
Q

Define

Offline Brute Force Attack

A

• When an attacker has obtained a hashed password, they can create hashes of guessed passwords and see if the hashes match. If they match, the attacker has guessed the password.

• Does not result in an account lockout or any alerts because the attack is not performed against the login system.

46
Q

Define

Dictionary Attack

A

• Similar to brute force, but tries common words and known passwords rather than every possible combination of characters

• Password crackers may also apply common letter substitutions, e.g., as in p@$$w0rd

• Much faster than a full brute force, but can still take a long time with a large word list and a slow hash

47
Q

Define

Rainbow Table

A

• An optimized, pre-built set of hashes for a given hash algorithm

• Contains pre-calculated hash chains, trading disk space for computation time

• Allows you to look up a stolen password hash without hashing every guess at crack time

48
Q

Define

Salt

A

• Random data added to a password when hashing

• Every user gets their own unique salt, so hashes are unique even if passwords are the same

• A type of cryptographic nonce

49
Q

Where is a password’s Salt information stored?

A

• It is commonly stored alongside the password hash, in the clear

50
Q

What does the use of Salt protect against?

A

• It defeats rainbow tables: a pre-computed table would have to be built for every possible salt value

• Does not stop a brute force, but slows it down, because each user's hash must be attacked separately even when two users share the same password

• The salt is stored with the hash, so an attacker who steals the password database has the salt too; its value lies in uniqueness, not secrecy

51
Q

Define:

Malicious USB Cable

A

• Looks like a normal USB cable / charger, but has additional electronics inside

• When a victim inserts it into a computer, it runs malicious software

52
Q

Define:

Malicious USB flash drive

A

• Looks like a normal USB thumb drive / flash drive, but has additional electronics inside

• When a victim inserts it into a computer, it runs malicious software

• Attackers may leave flash drives on tables or on the ground, knowing curious people will plug them in to see what’s on them.

53
Q

How do malicious USB cables / drives initiate malicious software?

A
  1. Auto-Run: Older operating systems would automatically run files on USB devices, but in modern systems, this is now disabled or removed by default.
  2. HID: The device can still act as an HID (Human Interface Device) and behave as a keyboard and/or mouse, allowing it to type pre-programmed input on your system, such as launching a command prompt and running commands.
  3. Files: The flash drive may simply contain malicious files and malware that, once interacted with by the user, will infect the system.
  4. Boot Device: If configured as a boot device, and a victim leaves it inserted when they reboot their computer, it may boot to the malicious USB which can then infect the computer.
  5. Wireless network adapter: Can connect the device to another network, redirect or modify internet traffic requests, act as a wireless gateway for other devices, etc.
54
Q

Define

HID

A

• Human Interface Device

• Examples: Keyboard, Mouse

55
Q

Define

Skimming

A

• Stealing credit card information, usually during a normal transaction

• Can either be skimmed from the card itself (the magnetic stripe) or from the payment terminal / computer that it interacts with

56
Q

Define

ATM Skimming

A

• An additional step of a Skimming attack, a small camera is added to the environment to record your PIN entry

57
Q

Define:

Card Cloning

A

• Creating a duplicate of a credit card using information obtained from a skimmer.

• The cloned card can only be used for magnetic stripe transactions, as the EMV chip cannot practically be cloned

• Common for gift cards, which don’t utilize a chip.

58
Q

Define

“Poisoning the training data”

A

• An attack on machine learning / AI

• Attackers feed modified or mislabeled training data to the model to confuse it / cause it to behave incorrectly

• AI is only as good as its training process

59
Q

Define

Evasion Attack

A

• Finding limitations in an AI system in order to circumvent it

• Since AI is trained by specific criteria, it can be fooled if attackers change up their approach

60
Q

How to protect against attacks on AI / machine learning?

A

• Check the training data to verify contents

• Constantly retrain with new data, more data, better data

• Train the AI to recognize potential poison data and evasion attacks

61
Q

Define

Supply Chain

A

• All steps in the process from raw materials to end-user

• Includes raw materials, suppliers, manufacturers, distributors, customers, consumers

62
Q

Define

Supply Chain Attack

A

• Attacking a target by going after another vendor in their supply chain

• Ex., if an HVAC vendor has VPN access to a target’s network, you attack the vendor to exploit that access

• Ex., you put malicious code or hardware into a device that is being sold down the supply chain

• One exploit can infect the entire chain

63
Q

On-Premises vs. In-Cloud Security:

List PROS of ON PREM

A

• Full control of security

• Local on-site IT can manage more attentively

• System checks can occur at any time

• Don’t need to call outside team for support

64
Q

On-Premises vs. In-Cloud Security:

List CONS of ON PREM

A

• A local team can be expensive and difficult to staff

• Security changes can take time. New equipment, configurations, and additional costs.

65
Q

On-Premises vs. In-Cloud Security:

List PROS of IN-CLOUD

A

• Data is in a secure environment

• Strict physical access controls

• Automated security updates

• Fault-tolerance and redundancy lead to limited downtime, higher availability

• One-click deployments

66
Q

On-Premises vs. In-Cloud Security:

List CONS of IN-CLOUD

A

• Third-parties may have access to your data

• Users must still be trained to follow security best-practices

• May not be as customizable

67
Q

Define

Birthday Attack

A

• A type of Cryptographic Attack

• The attacker generates many variants of two plaintexts (for example a benign and a malicious document) looking for any pair that produces the same hash value

• i.e., find a collision by brute force; because any two of the candidates may collide, this takes roughly 2^(n/2) attempts for an n-bit hash rather than the 2^n needed to match one specific hash

• Once a collision is found, the attacker can have a signature or certificate issued for the benign version and substitute the malicious one

68
Q

Define

Collision

A

• In Cryptography, a collision is when two different plaintexts have the same hash value

69
Q

How to protect against a Birthday Attack?

A

Use a hash with a long output size: collision resistance is only about half the output length in bits, so a 256-bit hash such as SHA-256 gives roughly 2^128 work against collisions, while a 128-bit hash such as MD5 would give at best 2^64 even without its known weaknesses
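
Added example, not from the original flashcards, covering cards 67 to 69: a birthday attack carried out against a hash deliberately truncated to 32 bits so that it finishes in seconds. The document wording, the "revision marker" trick for producing variants, and the truncation are this example's assumptions; the square-root work factor is the general fact the cards describe.

```python
# Added example: birthday attack against a toy 32-bit hash (truncated SHA-256).
# Document texts and the variant scheme are assumptions of this example.
import hashlib
import itertools

HASH_BITS = 32  # toy size: a 2^16 table plus ~2^16 tries, instead of 2^32 for a targeted match

def short_hash(data: bytes, nbits: int = HASH_BITS) -> int:
    """A deliberately weak hash: the first nbits (a multiple of 8) of SHA-256."""
    return int.from_bytes(hashlib.sha256(data).digest()[: nbits // 8], "big")

def variants(text: str):
    """Yield unlimited semantically identical versions of a document. A revision
    marker inside a comment is the kind of invisible change a forger can make freely."""
    for i in itertools.count():
        yield f"{text} <!-- rev {i} -->".encode()

def birthday_collision(benign: str, malicious: str, nbits: int = HASH_BITS) -> tuple:
    """Return (benign_doc, malicious_doc, hashes_computed) with equal short hashes.
    Build a table of 2^(nbits/2) benign variants, then hash malicious variants until
    one lands in the table: expected cost ~2^(nbits/2) per side."""
    table_size = 1 << (nbits // 2)
    table = {}
    for doc in itertools.islice(variants(benign), table_size):
        table.setdefault(short_hash(doc, nbits), doc)
    for tries, doc in enumerate(variants(malicious), start=1):
        h = short_hash(doc, nbits)
        if h in table:
            return table[h], doc, table_size + tries

def birthday_bound(nbits: int) -> float:
    """Expected work for a collision, about the square root of the output space.
    This is why output length matters: SHA-256 gives ~2^128, not 2^256, against collisions."""
    return 2.0 ** (nbits / 2)
```

If a signer would sign the benign variant, the signature is equally valid for the malicious one, because the signature covers only the hash. Doubling the hash length (the defense on this card) squares the attacker's work.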

70
Q

What is a Downgrade Attack?

A

• An attacker forces systems to downgrade their security to an older or weaker form of encryption that is more vulnerable

• May be performed by influencing / intercepting the initial negotiation in which the protocol version and cipher suites are determined

71
Q

How to protect against Downgrade Attacks?

A

Do not allow a fallback to lower levels of encryption that are known to be vulnerable.

72
Q

Define

Privilege Escalation

A

• Gaining higher level access to a system

• Typically achieved by exploiting a vulnerability, bug, or design flaw

• Typically used to access the root or admin account

73
Q

Define

Horizontal Privilege Escalation

A

• Gaining access through one account to a different account

• Unlike normal privilege escalation, the access is not necessarily higher, just different

74
Q

How to protect against Privilege Escalation?

A

• Ensure all systems are patched

• Keep AV software updated

• Utilize Data Execution Prevention

• Utilize Address space layout randomization

75
Q

Define

Data Execution Prevention

A

• A safeguard in an operating system, backed by the CPU (the NX / XD bit)

• Marks memory regions as either executable or non-executable; code may only run from regions marked executable

• If an attacker tries to execute code placed in a data area of memory (such as the stack or heap after a buffer overflow), it is blocked

76
Q

Define

Address Space Layout Randomization

A

• A safeguard on an operating system

• Randomizes where code, libraries, the stack, and the heap are placed in memory each time a program runs

• If an attacker finds a way to take advantage of a memory address on one system, they will not be able to duplicate that on another system (or even on the next run)

• Makes a buffer overflow much harder to exploit, because the attacker cannot rely on a known memory address to jump to

77
Q

What are the legalities around Dumpster Diving?

A

• Varies in different countries

• In the US, it is generally LEGAL, not illegal, to go through trash that has been put out for collection; nobody owns discarded trash

• However, you cannot break the law in order to gain access to the trash (i.e. if it is on private property with No Trespassing signs)

78
Q

Define

XSS

A

• Cross Site Scripting

• Name comes from its original association with browser security flaws.

• Info from one site could be shared with another.

• A common vulnerability with web-based applications.

• (Not to be confused with Cascading Styles Sheets / CSS)

79
Q

Define

Non-Persistent XSS Attack

A

• If a website reflects user input (such as a search term) back into the page without encoding it, it is vulnerable to this type of attack

• An attacker e-mails a link to the site, containing embedded input that carries a script

• Once clicked, the script executes in the victim's browser in the context of the site, as if it came from the server

• The script typically sends data to the attacker, such as session IDs or credentials

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
80
Q

“Reflected XSS Attack” is also known as?

A

Another name for a Non-Persistent XSS Attack.

81
Q

Define

Persistent XSS Attack

A

• An XSS attack where the embedded code is permanently stored on the server, such as in a social media post

• Everyone who views the page receives the payload and runs the script, without requiring a special link

82
Q

“Stored XSS Attack” is also known as?

A

Another name for a Persistent XSS Attack

83
Q

How to protect against XSS?

A

• Never click an untrusted link

• Consider disabling JavaScript, or control when it is enabled

• Keep browsers and applications updated

• Developers: validate input and encode output; never render user-supplied text as HTML or script

84
Q

Define

Code Injection

A

• Adding your own information or commands to a data stream so that it is interpreted as code or a query rather than as data

• Should never be allowed to happen, but applications may be vulnerable due to bad programming (unvalidated input concatenated into code)

85
Q

What are common data types used in Code Injection?

A

• HTML injection

• SQL injection

• XML injection

• LDAP injection

• DLL injection

86
Q

Define

Buffer Overflow

A

• When writing to one section of memory overwrites an adjacent section of memory

• Writing more data to a buffer than it can hold, so that the excess spills over into other memory areas

• This grants an attacker the ability to modify memory they should not have access to (return addresses, variables, pointers)

• This should never happen, but an attacker can take advantage of poor programming (missing bounds checks)

• Finding an exploitable overflow, particularly one that is repeatable and useful to the attacker, takes effort

87
Q

How to avoid a Buffer Overflow

A

• Developers need to perform bounds checking (or use memory-safe languages and functions) to ensure that this cannot happen

88
Q

Define

Replay Attack

A

• An attacker gains a copy of information transmitted over the network

• May be done via Network tap, ARP poisoning, Malware on the victim’s computer.

• This information can be replayed by the attacker to pose as the victim.

89
Q

Define

Pass the Hash

A

• A type of replay attack

• In some authentication schemes, when a user logs into a server a hash of the password is sent rather than the password itself

• The attacker captures that traffic to obtain the hashed password

• They can then send that same hash to the server to authenticate, without ever knowing the password

90
Q

How to protect against a Pass the Hash attack?

A

• Always use a secured connection to the server so that intercepted traffic is encrypted (TLS; SSL is deprecated)

• Servers should use a challenge-response scheme: the client combines the password hash with a server-supplied nonce or session ID, so the authentication value is different every time and a captured one cannot be replayed
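
Added example, not from the original flashcards, covering cards 88 to 90: a login that accepts a bare password hash is replayable by anyone who captured it, while a nonce-based challenge-response rejects the captured value on the next attempt. The class names, the SHA-256 "hash as credential" model, and the HMAC response construction are this example's assumptions.

```python
# Added example: replayable static-hash login versus HMAC challenge-response.
# Class names and message formats are assumptions of this example.
import hashlib
import hmac
import secrets

def password_hash(password: str) -> str:
    """The credential as stored on the server and held by the client (the card's model)."""
    return hashlib.sha256(password.encode()).hexdigest()

def client_response(pw_hash: str, nonce: bytes) -> str:
    """Proof of possession of pw_hash over a fresh server nonce."""
    return hmac.new(bytes.fromhex(pw_hash), nonce, hashlib.sha256).hexdigest()

class StaticHashServer:
    """Vulnerable: whatever is captured on the wire can simply be sent again."""
    def __init__(self, users: dict):
        self.users = users
    def login(self, username: str, sent_hash: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, sent_hash)

class ChallengeResponseServer:
    """Hardened: the client must answer a one-time nonce, so a captured answer is stale."""
    def __init__(self, users: dict):
        self.users = users
        self.pending = {}
    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce
    def login(self, username: str, response: str) -> bool:
        nonce = self.pending.pop(username, None)    # each nonce is usable once
        stored = self.users.get(username)
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(client_response(stored, nonce), response)

def run_scenario() -> dict:
    """Attacker sniffs one login against each server, then replays it."""
    users = {"alice": password_hash("correct horse battery staple")}
    static, cr = StaticHashServer(users), ChallengeResponseServer(users)
    results = {}

    captured_hash = users["alice"]                       # seen on the wire
    results["static_first"] = static.login("alice", captured_hash)
    results["static_replay"] = static.login("alice", captured_hash)   # still accepted

    nonce = cr.challenge("alice")
    captured_resp = client_response(users["alice"], nonce)            # seen on the wire
    results["cr_first"] = cr.login("alice", captured_resp)
    cr.challenge("alice")                                             # fresh nonce issued
    results["cr_replay"] = cr.login("alice", captured_resp)           # stale, rejected
    return results
```

The caveat a practitioner should keep in mind: the nonce only stops replay of what was sniffed on the wire. The password hash is still the long-term secret, so an attacker who steals it from the server's database (or from a client's memory) can compute valid responses; that is what makes pass-the-hash against Windows NTLM work even though NTLM is itself a challenge-response protocol.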

91
Q

Define

Sidejacking

A

• A name for session hijacking

• If an attacker can know your Session ID, they can use it to hijack / pose as your session, even from a different location and system

• With the session ID, the attacker does not need to authenticate the username and password

92
Q

Define

Cross-Site Request

A

• When one website requests information from another web server

• Common and usually perfectly legitimate

• Ex. embedding a YouTube video or Instagram Photos on another webpage

93
Q

What does this stand for?

XSRF

A

Cross-Site Request Forgery

94
Q

What does this stand for?

CSRF

A

Cross-Site Request Forgery

(pronounced “Sea-Surf”)

95
Q

Define

One-Click Attack

A

Another term for a Cross-Site Request Forgery

96
Q

Session Riding

is also known as?

A

Another term for a Cross-Site Request Forgery

97
Q

Define

Cross-Site Request Forgery

A

• An attacker causes a victim's own browser to send a request to a web server where the victim is logged in. Since the web server trusts the victim's browser (its session cookies are attached automatically), it accepts the attacker's request

• The attack requires the victim's browser to be induced to send the request (e.g., by loading a page or image the attacker controls), but it may be invisible to the victim.

98
Q

How to protect against Cross-Site Request Forgery?

A

• Developers should add anti-forgery techniques

• Usually a cryptographic token tied to the user's session that must accompany every state-changing request; a third-party site cannot read or forge it, so the forged request fails
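
Added example, not from the original flashcards, covering cards 92 to 98: a session-bound anti-forgery token checked on a state-changing request. Function names, the request dictionary shape, and the server-side key handling are this example's assumptions, not any framework's API.

```python
# Added example: HMAC-based anti-forgery token bound to the session.
# handle_transfer, the request dict shape and SERVER_KEY are assumptions of this example.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: server-side secret, never sent to clients

def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Embedded in the legitimate form. A forging site cannot produce it: it does not
    know the key, and the same-origin policy keeps it from reading the victim's page."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, token, key: bytes = SERVER_KEY) -> bool:
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def handle_transfer(request: dict, session_id: str) -> tuple:
    """request = {"method": ..., "form": {...}}. session_id comes from the cookie the
    browser attaches automatically, which is exactly what the forger relies on; the
    token does not travel automatically, so it is what separates real from forged."""
    if request["method"] != "POST":
        return 405, "state changes must not be triggered by GET"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"
```

A token issued for one session is rejected for another, which is the property that matters: an attacker can obtain a token for their own session and still cannot spend it inside the victim's. SameSite cookie attributes add a second, browser-enforced layer, but the server-side check is the one you control.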

99
Q

Define

SSRF

A

• Server-Side Request Forgery

• An attack on a vulnerable web application

• The attacker supplies a URL or address that the web server itself fetches; the server makes the request on the attacker's behalf

• Allows the attacker to reach whatever the web server can reach, such as internal network services or cloud metadata endpoints that are not reachable from the outside

100
Q

How to protect against SSRF?

A

• It is caused by bad programming. Ensure your application does not have these vulnerabilities.

• The server should always validate user-supplied URLs (allowed schemes and hosts, no internal or link-local addresses) and the responses it relays back.

101
Q

Define

Driver Manipulation

A

• Drivers control the interaction between the hardware and your OS, and are trusted by the OS

• If an attacker can exploit a vulnerability in a driver, they can perform trusted actions

• Hardware interactions often contain very sensitive information (webcam video, microphone audio, everything you type in)

102
Q

Define

Application Compatibility Shim Cache

A

• Used by Windows for applications running in Compatibility Mode

• The Shim Cache records which compatibility fixes (shims) are applied between an application and the current operating system so that the application behaves as it did on the previous OS version.

• (A “shim” is something that fills the space between two objects)

103
Q

Define

Shimming

A

• Malicious code written as an application compatibility shim, so that it is loaded into a legitimate application's process and bypasses security controls.

104
Q

Define

Refactoring

A

• Malware that is made to appear as a different program every time it is downloaded

• Can be done by reordering functions, adding random code strings and pointless instructions

• This helps it avoid signature-based anti-virus / anti-malware detection

105
Q

What is this also known as?

Metamorphic Malware

A

Another term for Refactoring

106
Q

How to protect against Refactoring?

A

• Signature-based security will not be effective.

• Use a layered approach to security that looks at behavior.

107
Q

What versions of SSL/TLS are deprecated, and what are current standards?

A

• SSL 3.0 and prior (i.e. all versions of SSL) are deprecated

• TLS 1.0 and 1.1 are deprecated

• TLS 1.2 and 1.3 are both current standards

108
Q

Define

SSL Stripping

A

• An on-path attack combined with a downgrade attack.

• The attacker sits between victim and server and modifies the data sent between them.

• If the server requires encryption, the attacker communicates with the server over HTTPS but relays the pages to and from the victim over plain HTTP, so that they can see and modify all data.

109
Q

Define

HTTP Downgrade

A

Another name for SSL Stripping

110
Q

How can an on-path attack be achieved?

A

Attack may utilize a proxy server, ARP Spoofing, Rogue Wi-Fi hotspot, etc.

111
Q

How to protect against SSL Striping?

A

• Both clients and servers must be updated

• Require from the client side (such as in the browser) that all communication be in HTTPS, not allowing HTTP to even be requested; HTTP Strict Transport Security (HSTS) lets a server instruct browsers to do this for its domain

• Require from the server side not to serve content over HTTP, only redirecting to or requiring HTTPS

112
Q

Define

Race Condition

A

• A programming flaw

• Can occur when more than one thing is happening at the same time, especially when unexpected, and the order in which they complete causes unintended results

113
Q

Define

TOCTOU

A

• Time-of-Check to Time-of-Use

• An attack that takes advantage of a race condition

• The attack occurs between when a victim checks the result of something, and when they actually use those results, not being aware that the data has been altered since it was checked.

114
Q

How to protect against Race Conditions?

A

Very careful programming. The check and the use must be a single atomic step (e.g., open the file and then inspect the handle you hold, rather than checking a path and then opening it), and the program must account for every situation and circumstance in which it may be used.
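
Added example, not from the original flashcards, covering cards 112 to 114: a check-then-open file read that loses a race against an attacker swapping the path for a symlink, beside an open-then-check version that binds the check to the descriptor it actually uses. The race is simulated with an injected hook that runs between the check and the use; the file names are this example's own.

```python
# Added example: TOCTOU on a file path, vulnerable and hardened versions.
# between_check_and_use is a hook that stands in for an attacker winning the race.
import os
import stat
import tempfile

def read_if_regular_unsafe(path: str, between_check_and_use=None):
    """TOCTOU: the check and the open both go through the *name*."""
    if os.path.islink(path) or not os.path.isfile(path):
        return None
    if between_check_and_use:
        between_check_and_use()           # attacker swaps the name here
    with open(path, "rb") as f:           # follows whatever the name points to now
        return f.read()

def read_if_regular_safe(path: str, between_check_and_use=None):
    """Open first (refusing to follow a symlink), then check the object the
    descriptor actually refers to. Nothing done to the name afterwards matters."""
    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    except OSError:
        return None                        # includes ELOOP when path is a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        if between_check_and_use:
            between_check_and_use()       # fd is bound to the inode, not the name
        return os.read(fd, 1 << 20)
    finally:
        os.close(fd)

def simulate_race(reader):
    """Create a public file and a secret file, then replace the public name with a
    symlink to the secret between the reader's check and its use."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "report.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"public data")
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        def attacker_swaps():
            os.remove(public)
            os.symlink(secret, public)
        return reader(public, between_check_and_use=attacker_swaps)
```

The unsafe reader returns the secret file's contents; the safe one still returns the public data, because the descriptor it validated is the descriptor it reads. The same pattern (operate on the handle, not the name) applies to permission checks, ownership checks, and temporary files.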

115
Q

Define

Rogue Access Point

A

• An unauthorized wireless access point

• May or may not be malicious, but a security concern either way

116
Q

Define

802.1X

A

• A form of Network Access Control

• Requires you to authenticate when accessing the network, regardless of type of connection (wireless, ethernet, etc.)

117
Q

How to protect against Rogue Access Points?

A

• Schedule periodic site surveys

• Evaluate wireless spectrum

• Use network access controls so that even if an attacker did get access to the network, they would still need to authenticate

118
Q

Define

Wireless Evil Twin

A

• An attacker configures a rogue wireless access point to use the same (or similar) SSID and security settings as the legitimate network

• If well-placed with strong signal, they can even overpower existing access points

119
Q

How to protect against Wireless Evil Twins?

A

• Do not do sensitive work on open wireless networks

• Use HTTPS

• Use a VPN

120
Q

Define

Bluejacking

A

• Sending unsolicited messages to another device via Bluetooth

• Not typically a serious threat, since it’s just a message, and requires close physical proximity

• Some devices and software may allow the message to include an image, contact card, or video

121
Q

Define

Bluesnarfing

A

• Accessing data on a device using the Bluetooth communications channel without needing to authenticate

• May include Contacts list, calendar, e-mail, photos, and any files on the device.

• Patched in 2003, modern devices are not susceptible.

• If using an older Bluetooth device, it is a serious security concern.

122
Q

Wireless Deauthentication is also known as?

A

• Another name for Wireless Disassociation Attack

123
Q

Define

Wireless Disassociation Attack

A

• A DoS attack that causes wireless devices to be unable to communicate with the access point

• Performed by sending deauthentication or disassociation management frames to the AP

• A flaw of the original 802.11 standard, which sent management frames unauthenticated and unencrypted, so anyone could forge them

• Addressed by protected management frames (802.11w); now some of the important management frames are authenticated and encrypted

124
Q

Define

Wireless Jamming

A

• A form of radio frequency interference

• A type of DoS attack to prevent wireless communication

• Interference may not be intentional, such as microwave ovens or fluorescent lights, but jamming is intentional.

• May be constant, or intermittent, data sent over the network to overwhelm the signal

• Requires close physical proximity to be effective

125
Q

Define

Reactive Jamming

A

• A type of wireless jamming

• The attacker only creates interference when someone else tries to communicate

• May be targeting a specific individual device

126
Q

Define

Fox Hunting

A

• Using a directional antenna and headphones to try to locate the source of a signal

• Can be used in locating the source of wireless jamming or interference

127
Q

Define

RFID

A

• Radio Frequency Identification

• Uses RADAR technology: radio energy is transmitted to the tag; the RF powers the tag, and an ID is transmitted back.

• Usually unidirectional, but can actually be bi-directional

• Some tag formats can be active/powered

• Used everywhere: in access badges, pet identification, inventory, anything that needs to be tracked

128
Q

What are some RFID security concerns?

A

• Data capture: view communication if sent in the clear

• Decrypt communication: many default keys of common devices are publicly available.

• Replay attack

• Spoof the reader

• DoS by signal jamming

129
Q

Define

NFC

A

• Near-Field Communication

• A type of enhanced RFID

• Bidirectional communication

130
Q

What are some common applications of NFC?

A

• In-store payment systems to pay via mobile phone

• Bluetooth can use NFC to bootstrap pairing process

• Authentication card / access token

131
Q

What are some NFC security concerns?

A

• Remote capture of data (NFC is its own wireless network)

• Frequency jamming, DoS

• Relay / Replay attack, on-path attack

• Loss of device control (such as a lost/stolen phone)

132
Q

Define

Nonce

A

• In cryptography, a nonce is an arbitrary number used only once

• From the term “for the nonce” meaning “for the time being”

• A random or pseudo-random number, though it may also be a counter

133
Q

Define

IV

A

• Initialization Vector

• A type of cryptographic nonce, added to the front of a cryptographic key

• Often used in WEP, and some SSL implementations

134
Q

What are examples of nonces?

A

• Initialization Vector

• Salt

135
Q

Define

On-Path Attack

A

• Formerly known as man-in-the-middle

• An attacker (for example, perhaps, a “man”) might sit in-between (that is to say, in “the middle”) of two communicating devices. (But we won’t use those words, because that would be patriarchal)

• The attacker intercepts and redirects your traffic without your knowledge.

• They may merely read all the communication, or may modify it for malicious purposes.

136
Q

Define

ARP Poisoning

A

• Address Resolution Protocol Poisoning

• A type of on-path attack

• An attacker sends false ARP response messages to devices that it wants to poison. This may allow it to impersonate various devices.

• The attacker must be on the LAN to perform it

137
Q

Define

ARP

A

• Address Resolution Protocol

• Protocol used for devices to track and match IP addresses to MAC addresses in their ARP Cache.

• ARP as a protocol has no security built into it. Devices make and receive modifications to ARP tables without any authentication or encryption.

138
Q

Define

On-Path Browser Attack

A

• A type of on-path attack where the “man in the middle” is on the victim’s own device

• Malware runs in the browser to perform the interception and redirection.

139
Q

Define

MAC Flooding

A

• An attack that sends traffic with so many different source MAC addresses that it fills a switch’s MAC table and overwrites all legitimate MAC addresses on the network.

• Every switch has a limit to how many addresses it can store in its MAC table, and when it gets full, it will recognize that and start flooding traffic to all interfaces since it can no longer track destinations

• Effectively turning a switch into a hub - all traffic is transmitted to all interfaces

• This gives an attacker the opportunity to capture all network traffic

140
Q

How to protect against MAC Flooding?

A

• Most switches have security features to detect MAC flooding.

• The switch can restrict how many MAC addresses can come in from a single interface

141
Q

Define

MAC Cloning

A

• An attacker changes their MAC address to match that of an existing device

• May be used to circumvent MAC filters

• Or, may be used to create a DoS, as traffic for the legitimate MAC address will be disrupted

142
Q

Another name for MAC Cloning?

A

MAC Spoofing

143
Q

How to protect against MAC Cloning?

A

• Most modern switches have security features that look out for it and prevent it from disrupting the network.

144
Q

Define

DNS Poisoning

A

• Modify DNS records so that traffic is redirected

Can be achieved by:

• modifying a device’s hosts file

• sending a fake response to a valid DNS request

• gaining access to the DNS server and modifying records

145
Q

Define

Domain Hijacking

A

• Gaining access to domain registration, allowing you to control traffic flows for the domain

• May be achieved by brute force, social engineering, gaining access to the e-mail address of the account manager, etc.

146
Q

Define

URL Hijacking

A

• Registering domains that are slight variations or common misspellings of legitimate domain names

Could be used for purposes of:

• Showing Ads

• A phishing site, made to appear as the legitimate site

• Redirecting to a competitor’s site

• Selling the hijacked domain to the legitimate domain’s owner

• Infecting computers with a drive-by download

147
Q

Define

Brandjacking

A

• Another term for typosquatting

• A type of URL hijack, taking advantage of a common misspelling

148
Q

Define

Domain Reputation

A

• ISPs, search engines, and e-mail providers track reputations of domains

• If a domain receives too many reports of spam or malicious activity, it may get added to a blacklist

• The blacklist may result in all e-mail from that domain being marked as spam or rejected, or in a browser warning the user, or preventing them, before they visit the site.

149
Q

List examples of “Unintentional DoS”

A

• Accidentally creating a network loop (without STP enabled)

• Using more bandwidth than the network can handle

• A waterline breaking and damaging equipment

• Power outage

150
Q

Define

OT

A

• Operational Technology

• The hardware and software used for industrial equipment

• Ex. electric grids, traffic control, manufacturing plants

151
Q

What is unique about security for OT?

A

• It requires a much more critical security posture

• Must be extremely segmented and protected

• Failures can result in catastrophic events

152
Q

Define

Amplified DDoS

A

• Uses reflection and spoofing techniques to turn a smaller attack into a larger one

• For example, the attacker may spoof the victim web server’s IP address and send a small request to a third-party server that results in a response much larger than the request. That response goes to the victim, since their IP was spoofed.

• Thus the attacker only sent small amounts of traffic but used a third party to send much larger traffic to the victim.

153
Q

What is a malicious PowerShell script best-suited to attack?

A

• Windows systems

• Active Directory Administration

• File Share Access

154
Q

What is a malicious Python script best-suited to attack?

A

• Cloud-based systems

• infrastructure such as routers, servers, switches

• When a single script needs to target a variety of OS types (works with Windows, MacOS, and Linux)

155
Q

What is a malicious Shell script best-suited to attack?

A

• Linux/Unix environments

• Web servers, databases, hypervisors

156
Q

What is a malicious Macro script best-suited to attack?

A

• Users who can be fooled into opening the file that contains it and running the Macro

• Since the Macro may run in a familiar program, such as Word or Excel, it may be easier to fool a user

• Since Microsoft Office Macros use VBA, they have access to run commands on the Windows OS

157
Q

Define

Semi-Authorized Hacker

A

• A hacker that is not formally authorized, but finds a vulnerability and does not use it.

• May be working for research purposes or to help expose the vulnerability so it can be patched.

158
Q

Define

OSINT

A

• Open-Source Intelligence

• Publicly available sources such as discussion groups on the Internet, or Government hearings and reports

159
Q

Define

CVE

A

• “Common Vulnerabilities and Exposures”

• a publicly available vulnerability database

• a community-managed list of vulnerabilities

• sponsored by DHS and CISA

160
Q

Define

DHS

A

U.S. Department of Homeland Security

161
Q

Define

CISA

A

Cybersecurity and Infrastructure Security Agency

162
Q

Define

NVD

A

• “US National Vulnerability Database”

• A summary of CVEs

• Provides additional details over the CVE list, such as patch availability and severity scoring

• Sponsored by DHS and CISA

163
Q

Define

AIS

A

• “Automated Indicator Sharing”

• An industry standard for automated sharing of important threat data freely and efficiently

164
Q

Define

STIX

A

• “Structured Threat Information Expression”

• Part of the standards for AIS

• Standardized format for describing cyber threat information

• Includes motivations, abilities, capabilities, and response information

165
Q

Define

TAXII

A

• “Trusted Automated Exchange of Indicator Information”

• Part of the standards for AIS

• Standard format for communication / transfer of STIX data

• Securely shares STIX data

166
Q

Define

IOC

A

• Indicator(s) of Compromise

• An event that indicates an intrusion

167
Q

List six examples of IOCs

A

• Unusual amount of network activity

• Change to file hash values

• Irregular international traffic

• Changes to DNS data

• Uncommon login patterns, such as time of day

• Spikes of read requests to certain files

168
Q

What does this stand for:

NIST

A

• “National Institute of Standards and Technology”

169
Q

Define

Vulnerability Feed

A

• Various sources that publish information on vulnerabilities

Includes:

• National Vulnerability Database

• CVE Data Feeds

• Third-party feeds

170
Q

Define

RFC

A

• “Request for Comments”

• A type of online document, usually containing standards or methods for doing a particular task, but may technically contain any number of things

• A way to track and formalize standards that anyone on the Internet can use

• Published by the ISOC, and often written by the IETF

171
Q

Define

ISOC

A

• “Internet Society”

• Publishes RFCs

172
Q

Define

IETF

A

• “Internet Engineering Task Force”

• One of the most common authors of RFCs

173
Q

Define:

TTP

A

• “Tactics, techniques, and procedures”

• The methods that attackers use to gain access, and what they do once they have access

• Having more information on a TTP will aid in preventing and recognizing the attack

174
Q

Define

Zero-Day Attack

A

• An attack that leverages a vulnerability that has never before been detected, published, or exploited

• Due to this, there is usually no patch or prevention immediately available for the attack.

• Becoming increasingly common

175
Q

Define

Open Permissions

A

• Technical name for a vulnerability caused by not applying proper access controls on data or systems

• Increasingly common with cloud storage

176
Q

Define

Intelligence Fusion

A

• Process of gathering large volumes of data of different sources and types, across multiple teams, and combining it into a massive database so that big data analytics can be used to analyze it

177
Q

Define

Non-Intrusive Scan

A

• A type of vulnerability scan

• The scan gathers information but does not try to exploit any vulnerability

178
Q

Define

Intrusive Scan

A

• A type of vulnerability scan

• Attempts to exploit vulnerabilities to see whether they actually work

• Penetration Testing

179
Q

Define

Non-credentialed Scan

A

• A type of vulnerability scan

• The scanner does not have login info, simulating an attacker without credentials

180
Q

Define

Credentialed Scan

A

• A type of vulnerability scan

• The scanner emulates an insider attack, using credentials of a user

181
Q

Define

CVSS

A

• “Common Vulnerability Scoring System”

• Scoring of a vulnerability from 0 to 10

• Scoring standards change over time; there are different versions

• Scores assigned by NVD

182
Q

Define

SIEM

A

• “Security Information and Event Management”

• Aggregates logs and alerts from multiple systems

• Stores them long-term, which can require an extremely high amount of storage space

• Usually includes advanced reporting features and data correlation

183
Q

Define

Syslog

A

• A standard format for message logging

• Allows for a variety of systems to have consolidated logs

• Used with SIEMs

184
Q

Define

UEBA

A

• “User and Entity Behavior Analytics”

• Analyzes actual behavior to look for problematic patterns

185
Q

Define

Sentiment Analysis

A

• Analyzes public opinion and discourse to determine potential threats

• A well-known and much disliked organization is more likely to get attacked

186
Q

Define

SOAR

A

• Security Orchestration, Automation, and Response

• Automates routine security tasks, eliminating tedious work and human error and speeding up response time

• “Orchestrated” by connecting everything together, then automation takes it from there

187
Q

Define

Lateral Movement

A

• Once an attacker has gained access through one vulnerable point in a network, lateral movement is when they move from one internal system to another.

• Most networks have strong security on the perimeter, but not as much security inside, making lateral movement much easier than the initial penetration.

188
Q

Define

Persistence

A

• Something left behind by an attacker who has penetrated a system so they can easily regain / continue access

• Ex. leaving a backdoor, creating a user account, changing the password of an existing user

• Even if the initial vulnerability / exploit has been closed, “persistence” allows the attacker to continue accessing the system.

189
Q

Define

Pivot

A

• The “pivot” is the point or device which is used to gain access to systems that are normally not accessible

• Serves as a jumping-off point to other systems. Could act as a relay or a proxy.

190
Q

List the Steps of a Pentest

A

• Define “Rules of Engagement” in official document

• Determine working knowledge (how much will the testers know about the environment)

• Perform reconnaissance

• Exploit vulnerabilities / try to break into the system

• Attain initial exploitation, attain lateral movement, establish persistence, and pivot

• Cleanup - leave the network in its original state

191
Q

Define and Provide Five Examples of

Passive Footprinting

A

• Reconnaissance using open sources, without detection

Sources could include:

• Social media

• Corporate website

• Online forums

• Social engineering

• Dumpster diving

192
Q

Define

Warflying

A

• Same as wardriving, but performed with a drone flying over buildings/areas

193
Q

Define

Wardriving

A

• Scan Wi-Fi across an area to collect SSIDs, type of encryption used, etc.

• Can be combined with GPS info to generate a map

194
Q

Define and Provide Examples of:

Active Footprinting

A

• Reconnaissance by actively sending information into the network or devices.

• Can gain a lot of information, but activity would be detectable on the network and in logs.

Could include:

• Ping scans

• Port scans

• DNS queries

• OS scans, OS fingerprinting

• Service scans

• etc.

195
Q

What teams exist in exercises?

A

• Red team

• Blue team

• Purple team

• White team

196
Q

Define

Red team

A

• Offensive security team

• Hired to attack for exercise purposes

197
Q

Define

Blue team

A

• Defensive security team in an exercise

• Operational security

• Incident response

• Threat hunting

• Digital forensics

198
Q

Define

Purple team

A

• Red team and blue team combined together for an exercise, to work cooperatively rather than competitively

199
Q

Define

White team

A

• Manages the interactions between red teams and blue teams

• Enforces rules of security exercise, resolves any issues

• Manages post-event assessments and results.