1.6 Explain the impact associated with types of vulnerabilities Flashcards

1
Q

Which of the following are reasons why many medical devices with embedded systems are vulnerable to malicious exploits? (Select two)

A

Their control systems use outdated operating systems.

They use unsecure communication protocols.

Many of the control systems for medical device embedded systems run on unsecure protocols, since the costs of updating the software are high and disruptive to patient services.

Many of the control systems for medical device embedded systems run on unsupported versions of operating systems, since the costs of updating the software are high and disruptive to patient services.

Some vehicles are fitted with a “black box,” or event data recorder, that can log the car’s telemetry (acceleration, braking, and position).

SCADA systems run as software on ordinary computers, gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. They are used in fabrication and manufacturing, controlling automated assembly lines.

2
Q

Which of the following is true about default configurations of devices from vendors?

A

Security on them is minimal.

In the last few years, vendors have started shipping devices and software in secure default configurations. This means that the default installation is (theoretically) secure, but minimal.

Default configurations may leave administrative access protected with a default password that is publicly available, and therefore not secure.

Historically, devices with default configurations were shipped with all the "bells and whistles" activated to make setup easier, and many still are. When installing any new device or software, owners must use a security policy to determine the strongest possible configuration, and not just leave it at the default.

Any service or interface that is enabled through the default installation or default configuration and left unconfigured should be considered a vulnerability.

3
Q

Which of the following results from improperly configured accounts? (Select two)

A

Data breach events

Increased risk of infection

An impact from vulnerabilities arising from improperly configured accounts is an increased risk of malware infection.

An impact from vulnerabilities arising from improperly configured accounts is data breach type of events from over-privileged accounts.

Usage auditing means configuring the security log to record key indicators and then reviewing the logs for suspicious activity.

Single points of failure are “pinch points” that rely on a single hardware server or appliance or network channel. A single point of failure is a component or system that would cause a complete interruption of a service if it failed.

4
Q

Which of the following is most likely NOT a potential major threat for motor vehicle embedded systems?

A

The ability to remotely control the air conditioning inside the vehicle.

Modern motor vehicles use a substantial amount of electronics that have potential vulnerabilities that could be exploitable. However, remotely controlling the air conditioning is not a major threat.

Modern motor vehicles use a substantial amount of electronics that have potential vulnerabilities that could be exploitable, such as compromising the computer system that controls the vehicle’s steering.

In 2010, researchers demonstrated a way to remotely activate the brakes of a car using Wi-Fi and a laptop hooked up to the car’s diagnostic port.

Modern motor vehicles use a substantial amount of electronics that have potential vulnerabilities that could be exploitable, such as compromising the "black box" or event data recorder.

5
Q

An attacker wants to crash a process by setting a pointer to a null value through a malicious process. Which of the following did the attacker perform?

A

A pointer dereference

Dereferencing a pointer means accessing the object it refers to (the pointee). A pointer dereference vulnerability occurs when code dereferences a pointer that no longer refers to a valid object, for example because a malicious process has set it to null. A null pointer dereference raises an exception that crashes the application, and dereferencing a pointer into freed or attacker-controlled memory can corrupt memory.

To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data.

A race condition vulnerability is found where multiple threads are attempting to write at the same memory location. Race conditions have been used as an anti-virus evasion technique.

An integer overflow attack causes the target software to calculate a value that exceeds the upper or lower bound of the integer type. The value wraps around, which may cause a positive number to become negative.

6
Q

Which of the following is a sign of a malicious or corrupted process, and is particularly serious within service applications and in the operating system kernel?

A

A memory leak

Memory leaks in the OS kernel are extremely serious, because leaked memory is never returned and the system eventually exhausts RAM. A memory leak may itself be a sign of a malicious or corrupted process.

DLL injection is not a vulnerability as such, but an abuse of the way the operating system allows one process to attach to another and then force it to load a malicious link library.

If the pointer that references an object at a memory location was set to a null value by a malicious process, then this can create a null pointer exception, causing instability and crashes.

Race conditions occur when the outcome from execution processes is dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended.

7
Q

After obtaining local administrator privileges on a machine, a hacker evaded antivirus detection using code refactoring, and was then able to get the Windows machine to load a malicious binary package in memory. What type of attack is this?

A

Dynamic Link Library (DLL) injection

DLL injection is an attack technique in which a Windows process forces another running process to load a dynamic-link library (DLL) into its memory. The injected code runs with the victim process's privileges and can cause the victim application to become unstable or to leak sensitive information.

SQL injection is an attack that embeds database query syntax in the input data sent from the client side of an application to the server, so that the back-end database executes it.

Directory traversal is an application attack that allows access to content that is outside the web document root directory.

XML injection is fundamentally the same thing, but targeted against web servers using XML applications rather than SQL.

8
Q

An attacker caused a software program to calculate a value that exceeded the fixed lower and upper bounds, and caused a positive number to become a negative number. What vulnerability did the attacker exploit?

A

An integer overflow

An integer overflow attack causes the target software to calculate a value that exceeds the upper or lower bound of the integer type. The value wraps around, which may cause a positive number to become negative.

To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data.

A race condition is a software vulnerability that occurs when the outcome from execution processes is directly dependent on the order and timing of certain events, and events fail to execute in the order and timing intended.

Pointer dereference is a software vulnerability that occurs when code accesses the object a pointer refers to (the pointee) after the pointer has been set to null or otherwise no longer refers to a valid object.
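The integer overflow described in this card and in card 5, as an added example rather than text from the flashcards: a server computes count * elem_size from an untrusted message and checks the result against a fixed buffer. The identifiers and input values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the flashcards): a server parses an untrusted
 * record count and element size, computes count * elem_size, and only then
 * copies that many bytes into a fixed BUF_LEN buffer. All names are
 * hypothetical; the input values in main() are constructed. */

#define BUF_LEN 1024

/* The product computed in 32-bit arithmetic. 0x40000000 * 2 = 0x80000000,
 * which does not fit in int32_t and reads back as INT32_MIN: a positive
 * size has become negative. 0x80000000 * 4 wraps all the way to 0. */
int32_t wrapped_total(uint32_t count, uint32_t elem_size)
{
    uint32_t product = count * elem_size;   /* unsigned arithmetic wraps mod 2^32 */
    return (int32_t)product;                /* two's complement reinterpretation */
}

/* Vulnerable bounds check: a negative or wrapped-to-small "total" is
 * trivially <= BUF_LEN, so the oversize request is accepted. The copy that
 * follows would use the real (huge) length and overrun the buffer.
 * Returns 1 if the request is accepted. */
int vulnerable_check(uint32_t count, uint32_t elem_size)
{
    int32_t total = wrapped_total(count, elem_size);
    return total <= BUF_LEN;
}

/* Hardened version: refuse the multiplication if it would overflow, then
 * compare the true size as an unsigned quantity. Returns the byte count to
 * copy, or -1 if the request must be rejected. */
int64_t hardened_total(uint32_t count, uint32_t elem_size)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size) {
        return -1;   /* product would not fit in 32 bits */
    }
    uint32_t total = count * elem_size;   /* now known not to wrap */
    if (total > BUF_LEN) {
        return -1;   /* honest size is too large for the buffer */
    }
    return (int64_t)total;
}

int main(void)
{
    uint32_t count = 0x40000000u, elem_size = 2u;   /* constructed attacker input */
    printf("wrapped total   : %d\n", wrapped_total(count, elem_size));
    printf("vulnerable check: %s\n", vulnerable_check(count, elem_size) ? "ACCEPTED" : "rejected");
    printf("hardened total  : %lld\n", (long long)hardened_total(count, elem_size));
    return 0;
}
```

The hardened check does two separate things: it detects the wrap before trusting the product, and it compares sizes as unsigned values so a sign-bit flip cannot satisfy the comparison. Either check alone leaves one of the two constructed inputs accepted.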

9
Q

When upgrading an application at regular intervals, and before releasing newly developed applications, why is it important for application vulnerability scanners to test for vulnerabilities and unsecure coding practices, as well as to analyze uses of the application that the developer may not have anticipated?

A

To ensure the application is not vulnerable to new threats

Application vulnerability scans should take place when the application is first commissioned and when it is upgraded or at regular intervals thereafter, to ensure that the application is not vulnerable to new threats.

Code can be made difficult to analyze by using an obfuscator. This type of technique might be used to make reverse engineering an application more difficult and as a way of disguising malware code.

Data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the appropriate access controls.

Unreachable and dead code should be removed from the application to forestall the possibility that it could be misused in some way.

11
Q

An attacker evaded antivirus detection on a Linux system by having multiple threads attempt to write an object at the same memory location. What type of vulnerability did the attacker use?

A

A race condition

A race condition vulnerability is found where multiple threads are attempting to write at the same memory location. Race conditions have been used as an anti-virus evasion technique.

An integer is a positive or negative whole number. An integer overflow attack causes the target software to calculate a value that exceeds the upper and lower bounds.

A buffer overflow is an application attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for the buffer.

Pointer dereference is a software vulnerability that occurs when code accesses the object a pointer refers to (the pointee) after the pointer has been set to null or otherwise no longer refers to a valid object. Such a dereference may crash the application or corrupt memory.

12
Q

Which of the following is an example of improper input handling? (Select two)

A

Overflow

Injection

Many improper input handling attacks can be described as an overflow type, where the attacker submits input that is larger than the variable the application allocated to store it.

Many improper input handling attacks can be described as an injection type, where the attacker embeds code within the input or appends code to it that executes when the server processes the submission.

Social engineering is an activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.

An Advanced Persistent Threat (APT) refers to the ongoing ability of an adversary to compromise network security (to obtain and maintain access) using a variety of tools and techniques.

13
Q

A software developer created a new application and the software company pressured the developer to release it to the public. Which of the following helps ensure the application is secure before the release? (Select more than one)

A

Error handling

Input validation

Proper authentication and authorization

The challenges of application development include the pressure to release a solution ahead of schedule, neglecting secure development practices like error handling.

Another secure development practice that should not be neglected is input validation.

Proper authentication and authorization is an important part of secure coding practices.

Application audits should occur after the application is first commissioned and when it is upgraded, or at regular intervals thereafter, to ensure the application is not vulnerable to new threats.

14
Q

Which of the following does NOT correlate with vulnerable business processes?

A

Bypassing a Mission Essential Function (MEF)

A mission essential function (MEF) is one that cannot be deferred. This means that the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first.

An MTD (maximum tolerable downtime) is the longest period for which a business function can be unavailable without causing irrecoverable business failure.

An RTO is the period following a disaster that an individual IT system may remain offline. This represents the amount of time it takes to identify that there is a problem and then perform recovery.

An RPO is the longest period of time that an organization can tolerate lost data being unrecoverable.

15
Q

An administrator wants to use virtualization when deploying new systems. Which of the following can be the root of the administrator’s security issues when using virtualization? (Select two)

A

Undocumented assets

System sprawl

Although one of the primary benefits of virtualization is the ease of deploying new systems, system sprawl can also be the root of security issues: for example, a system deployed for temporary use is left running indefinitely without being patched or managed.

Although one of the primary benefits of virtualization is the ease of deploying new systems, deployment of undocumented assets can also be the root of security issues.

Virtual machines (VMs) can be deployed and removed on demand at ease. VMs can be deployed across one or more virtualization farms, developer laptops, and online cloud services.

Virtual Machine Lifecycle Management (VMLM) solutions provide you with a centralized dashboard for maintaining and monitoring all the virtual environments in your organization.

16
Q

What are the main issues with dedicated firewalls implemented on device firmware for embedded systems? (Select two)

A

A lack of processing power

A lack of memory space

One of the main issues with firewalls implemented on the device firmware is the lack of processing power.

One of the main issues with firewalls implemented on the device firmware is the memory space available to run functions.

Network access should only be required for applying firmware updates and management controls and should be segmented from the corporate network using firewalls and VLANs.

One way of increasing the security of data in transit for embedded systems is using wrappers. A wrapper usually includes a header, which precedes the encapsulated data, and a trailer, which follows it.

17
Q

An administrator purchased an operating system with a policy that had five years of mainstream support and five years of extended support. Once the ten years of support are complete, what type of operating system is this?

A

An end-of-life system

An end of life system is one that is no longer supported by its developer or vendor. End of life systems no longer receive security updates, and therefore, represent a critical vulnerability if any remain in active use.

It is possible for both open source and commercial projects to be abandoned. If a company continues to rely on such abandonware, then it will have to assume development responsibility for it.

A hotfix is a patch that is often issued on an emergency basis to address a specific security flaw.

Service packs and update rollups form a collection of updates and hotfixes that can be applied in one package.

18
Q

Which of the following does NOT make a network more susceptible to undetected intrusions and catastrophic service failures?

A

Places In the Network (PIN)

Cisco’s SAFE architecture is a good starting point for understanding the complex topic of network architecture design. The SAFE guidance refers to Places In the Network (PIN).

A single point of failure (a "pinch point") relies on a single hardware server, appliance, or network channel.

Often it is tempting to take “shortcuts” to get a service up and running. Compromising security might represent a quick fix, but creates long term risks if the network architecture emphasizes availability over confidentiality and integrity.

Network segments, appliances, and services might be added without proper change control documentation and procedures, leading to a lack of visibility into how the network is constituted.

19
Q

An attacker gained remote access to a user’s computer by exploiting a vulnerability in a piece of software on the device. The attacker sent data that was too large for an area of memory that the application reserved to store expected data. What type of vulnerability did the attacker exploit?

A

A buffer overflow
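The overflow described in this card, as an added example that is not part of the flashcards: a fixed 8-byte name field sits directly in front of an authorization flag, and an unchecked copy of a 12-byte input overwrites the flag. The struct, function names and the constructed input are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the flashcards. A login handler stores the
 * supplied user name in a fixed 8-byte field that sits directly in front of
 * an authorization flag. Names are hypothetical; the input is constructed. */

struct session {
    char name[8];      /* fixed-size buffer reserved for the expected data */
    int  is_admin;     /* adjacent memory: 0 for a normal user */
};

/* Constructed 12-byte input: 8 filler bytes, then the bytes 01 00 00 00,
 * which land on is_admin and make it non-zero. */
static const unsigned char ATTACK[12] = {
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 1, 0, 0, 0
};
static const unsigned char BENIGN[5] = { 'a', 'l', 'i', 'c', 'e' };

/* Vulnerable: the copy is bounded by the attacker's length, not by the size
 * of name[]. Input longer than 8 bytes runs past name[] into is_admin.
 * The cap at sizeof *s exists only so this demo stays inside the object; a
 * real bug has no cap at all. Returns the resulting is_admin value. */
int set_name_vulnerable(struct session *s, const unsigned char *input, size_t len)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    memset(s, 0, sizeof *s);
    for (size_t i = 0; i < len && i < sizeof *s; i++) {
        dst[i] = input[i];             /* no check against sizeof s->name */
    }
    return s->is_admin;
}

/* Hardened: the copy is bounded by the destination, and oversize input is
 * rejected rather than silently truncated. Returns 0 on success, -1 when
 * the name does not fit. */
int set_name_hardened(struct session *s, const unsigned char *input, size_t len)
{
    memset(s, 0, sizeof *s);
    if (len > sizeof s->name - 1) {    /* leave room for the terminator */
        return -1;
    }
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

/* Helpers that run each scenario on a fresh session. */
int demo_vulnerable(void)
{
    struct session s;
    return set_name_vulnerable(&s, ATTACK, sizeof ATTACK);   /* non-zero: flag overwritten */
}

int demo_hardened_rejects(void)
{
    struct session s;
    int rc = set_name_hardened(&s, ATTACK, sizeof ATTACK);
    return rc == -1 && s.is_admin == 0;
}

int demo_hardened_accepts(void)
{
    struct session s;
    int rc = set_name_hardened(&s, BENIGN, sizeof BENIGN);
    return rc == 0 && s.is_admin == 0 && strcmp(s.name, "alice") == 0;
}

int main(void)
{
    printf("vulnerable: is_admin after overflow = %d\n", demo_vulnerable());
    printf("hardened  : oversize rejected = %d, benign accepted = %d\n",
           demo_hardened_rejects(), demo_hardened_accepts());
    return 0;
}
```

The lesson is in the loop bound: a copy must be limited by the destination's size, never by a length the sender supplied. Rejecting, rather than truncating, also avoids a second class of bugs where a silently shortened value is later compared or logged as if it were complete.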

20
Q

During a SYN (synchronize) flood attack, which of the following can occur that would pose a problem to the exploited device? (Select more than one)

A

Denial of service (DoS)

Amplification

Resource exhaustion

SYN attacks cause resource exhaustion on the hosts processing requests, consuming CPU cycles and memory. This delays the processing of legitimate traffic and could potentially crash the host system completely.

A DoS attack causes a service at a given host to fail or to become unavailable to legitimate users. DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion).

A more powerful variant of the TCP SYN flood is a DRDoS or amplification attack, where the adversary spoofs the victim's IP address and attempts to open connections with multiple servers, so that all of the servers' SYN/ACK replies are directed at the victim.

Packet filtering is a Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.

21
Q

Many potential threats face medical devices that have embedded systems installed within them. Which of the following is NOT one of these vulnerabilities?

A

Stealing data from a “black box” event data recorder.

Some vehicles are fitted with computers to control the engine, steering, brakes, and GPS. Some vehicles also have a “black box,” or event data recorder, that can log the car’s telemetry (acceleration, braking, and position).

One goal of attack on medical device embedded systems is pivoting to networks storing medical data to steal Protected Health Information (PHI).

One goal of attack on medical device embedded systems is holding medical units ransom by threatening to disrupt services.

One goal of attack on medical device embedded systems is killing or injuring patients by tampering with dosage levels or device settings.

22
Q

Why are many smart devices vulnerable to standard web application and network attacks? (Select more than one)

A

Poor documentation of security features

Inadequate vendor patch management

Inadequate vendor security response processes


23
Q

Which of the following does NOT help prevent the misuse of a private key but can help prevent impersonation of a user’s digital certificate?

A

Identity and Access Management (IAM)

An asymmetric private key or symmetric secret key must be stored somewhere safe (a repository). If these keys are not appropriately secured, the PKI might appear to be functional, but there is a risk of information exposure, or of the PKI inaccurately attesting to the identity of a particular person.

An HSM is an appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software based storage.

A TPM is a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.

IAM is a security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets.

24
Q

Many potential threats face the security of smart devices, such as web application and network attacks. Which of the following explains why the devices can have these types of vulnerabilities? (Select more than one)

A

Inadequate vendor patch management

Poor documentation of security features

Inadequate vendor security response processes

Home automation products often use vendor-specific software and networking protocols. As with embedded devices, security features can be poorly documented.

Home automation products often use vendor-specific software and networking protocols, and patch management processes of vendors can be inadequate.

Home automation products often use vendor-specific software and networking protocols, and security response processes of vendors can be inadequate.

Many embedded systems operate devices that perform acutely time-sensitive tasks, so the kernels or operating systems that run on embedded system devices must be much more stable and reliable than the OS that runs a desktop computer or server.

25
Q

How can an administrator mitigate a race condition vulnerability?

A

By ensuring that a memory object is locked while one thread is manipulating it

A race condition vulnerability is found when multiple threads are attempting to write a variable or object at the same memory location. This vulnerability is mitigated by ensuring that a memory object is locked when one thread is manipulating it.

The risk of false negatives can be mitigated somewhat by running repeat scans periodically and by using scanners from more than one vendor.

Perfect Forward Secrecy (PFS) is a characteristic of session encryption in which each session uses an ephemeral key, so that compromise of the long-term key at a later date does not allow previously recorded sessions to be decrypted.

Online password attacks can be mitigated by restricting the number or rate of logon attempts, and by shunning logon attempts from known bad IP addresses.
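The lost-update race from this card and card 11, with the mitigation the answer describes, as an added example that is not from the flashcards: several threads increment a shared counter, once with no synchronization and once with a mutex held for the duration of each read-modify-write. Names are hypothetical; the program needs a POSIX threads implementation (on older glibc, link with -lpthread).

```c
#include <pthread.h>
#include <stdio.h>

/* Added example, not from the flashcards. THREADS workers each add 1 to a
 * shared counter ITERATIONS times. Without a lock the load/add/store
 * sequences of different threads interleave and updates are lost; with the
 * mutex held across the update, the object is locked while one thread
 * manipulates it. Names are hypothetical. */

#define THREADS    4
#define ITERATIONS 200000

/* volatile only forces the compiler to emit every load and store so the
 * race is visible; it is NOT a synchronization mechanism. */
static volatile long unsafe_counter;
static long safe_counter;
static pthread_mutex_t counter_lock = PTHREAD_MUTEX_INITIALIZER;

static void *unsafe_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) {
        unsafe_counter = unsafe_counter + 1;   /* another thread may run between load and store */
    }
    return NULL;
}

static void *safe_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) {
        pthread_mutex_lock(&counter_lock);     /* object locked for this thread only */
        safe_counter = safe_counter + 1;
        pthread_mutex_unlock(&counter_lock);
    }
    return NULL;
}

/* Starts THREADS copies of worker and waits for all of them. */
static void run_workers(void *(*worker)(void *))
{
    pthread_t tids[THREADS];
    for (int i = 0; i < THREADS; i++) {
        pthread_create(&tids[i], NULL, worker, NULL);
    }
    for (int i = 0; i < THREADS; i++) {
        pthread_join(tids[i], NULL);
    }
}

/* Returns the final unsynchronized count. On a multi-core machine this is
 * usually below THREADS * ITERATIONS; the exact value differs every run. */
long run_unsafe(void)
{
    unsafe_counter = 0;
    run_workers(unsafe_worker);
    return unsafe_counter;
}

/* Returns the final locked count, which is always THREADS * ITERATIONS. */
long run_safe(void)
{
    safe_counter = 0;
    run_workers(safe_worker);
    return safe_counter;
}

int main(void)
{
    long expected = (long)THREADS * ITERATIONS;
    long unsafe = run_unsafe();
    long safe = run_safe();
    printf("expected          : %ld\n", expected);
    printf("without lock      : %ld (lost updates: %ld)\n", unsafe, expected - unsafe);
    printf("with mutex        : %ld\n", safe);
    return 0;
}
```

The unsynchronized result depends on scheduling, which is exactly the "order and timing" dependence the card defines; the locked version is deterministic because no thread can observe the counter between another thread's load and store. For a plain counter a C11 atomic would do the same job with less overhead, but the mutex generalizes to objects that need several fields updated together.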

27
Q

An end-user at a company logs in daily, to multiple web portals, each with its own separate password. The user has too many passwords to remember and therefore recycles them, which is against the company’s password policy. Which of the following can help mitigate this unsecure behavior? (Select more than one)

A

Discipline the user if the user violates policy.

Educate the user about security risks.

Monitor the user on the network.

A security system cannot be too inflexible, or users will complain or adopt unsecure behavior. It is much better to educate users about security risks.

A security system cannot be too inflexible, or users will complain or adopt unsecure behavior. It is much better to monitor behavior.

Users should be educated about security risks and their behavior monitored, to ensure that users are following best practices. This needs to be backed up by a strong disciplinary procedure to sanction users who continue to act carelessly.

It is necessary to educate users about policy violations. However, this needs to be stated in language that the users understand, and phrased in terms that are relevant to what they do daily at work.

28
Q

Which of the following represents a critical vulnerability in the use of weak cipher suites and implementations? (Select two)

A

Storing and processing data may not be secure.

An attacker masquerades as the server using its private key.

Use of weak cipher suites and implementations can represent a critical vulnerability for an organization. It means the storing and processing of data may not be secure.

Use of weak cipher suites and implementations can represent a critical vulnerability for an organization. It may allow a malicious attacker to masquerade as the organization, causing huge reputational damage.

Non-malicious cryptanalysis is undertaken on encryption systems with the purpose of detecting weaknesses in the technology; cipher suites and implementations found weak in this way are deprecated.

If weaknesses discovered in a particular cipher or the implementation of a cipher “in the lab” lead to the deprecation of that algorithm, then that does not necessarily mean that the system is immediately vulnerable in practice.

31
Q

Which of the following allows an attacker to exploit a misconfigured device and obtain a bridged connection to the corporate network?

A

Tethering

Tethering allows a mobile device to share its cellular data or Wi-Fi connection with other devices. If the tethering device is also attached to the corporate network, it bridges that network to an untrusted connection that bypasses the perimeter controls. A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities.

NFC (Near Field Communication) is the standard for peer-to-peer radio communications over short distances, facilitating contactless payment and similar technologies.

Some Android USB (Universal Serial Bus) ports support USB OTG (On The Go) and adapters exist for iOS devices. USB OTG allows a port to function either as a host or as a device.

Some Android and Windows devices support removable storage using external media, such as a Micro SecureDigital (SD) card slot; others support the connection of USB based storage devices.