2.0 Threats, Vulnerabilities, and Mitigations Flashcards
What distinguishes a nation-state threat actor from an organized crime group?
Nation-state actors are typically government-sponsored with political motives, while organized crime groups focus on financial gain.
How can shadow IT pose a risk to an organization?
Shadow IT can introduce vulnerabilities by bypassing official security protocols.
What is a common motivation for hacktivists?
Promoting political or ideological beliefs through cyber activities.
Why is it important to consider both internal and external threat actors?
Internal actors have legitimate access that can be exploited, while external actors may use different attack vectors.
What mitigation strategy can help prevent insider threats?
Implementing strict access controls and monitoring user activity.
How does data exfiltration differ from espionage?
Data exfiltration focuses on stealing data for any purpose, while espionage specifically involves gathering intelligence.
What role does encryption play in mitigating threats?
Encryption protects data integrity and confidentiality against unauthorized access.
How can an organization detect potential insider threats?
By monitoring unusual behavior patterns and access logs.
What is a key characteristic of an unskilled attacker?
Limited technical skills relying on pre-made hacking tools.
Why might a nation-state engage in cyber warfare?
To disrupt another nation’s infrastructure or gather intelligence.
How can service disruption be a motivation for attackers?
To damage a competitor’s reputation or operations.
What is a common misconception about hacktivists?
That they lack technical skills; many are highly skilled in exploiting vulnerabilities.
How does financial gain motivate organized crime in cyber activities?
By conducting fraud, theft, or extortion online for profit.
What is an effective way to mitigate risks from shadow IT?
Enforcing strict IT governance policies and regular audits.
How does ethical hacking differ from other forms of hacking?
It is authorized and aims to improve security by identifying vulnerabilities.
How do philosophical beliefs motivate certain threat actors?
They may conduct attacks to support causes they believe in strongly.
What can be a direct consequence of ignoring insider threats?
Loss of sensitive data due to unauthorized access by trusted individuals.
Why is continuous monitoring important in cybersecurity?
To detect and respond promptly to emerging threats or attacks.
What distinguishes revenge-motivated attacks from other types?
They are personal and aim at causing harm due to perceived grievances.
How can organizations prepare for potential cyber warfare scenarios?
By strengthening defenses and collaborating with government agencies for intelligence sharing.
What type of attack involves sending fraudulent emails designed to trick recipients into revealing personal information?
Phishing
Which threat vector involves hiding malicious code within an image file?
Image-based attack
What is the term for registering domain names similar to legitimate ones in hopes of catching users who mistype URLs?
Typosquatting
How does vishing differ from phishing?
Vishing uses voice calls, while phishing typically uses email.
What is the risk associated with using default credentials on devices?
Attackers can easily guess default credentials, gaining unauthorized access.
What type of attack targets frequently visited websites by specific groups?
Watering hole attack
What is smishing?
SMS-based phishing attack
Why are unsupported systems considered high-risk?
They no longer receive security updates, leaving known vulnerabilities unpatched.
What is the difference between client-based and agentless software?
Client-based requires installation on endpoints; agentless operates without local installation but still may expose vulnerabilities
Which type of network is more vulnerable if left unencrypted?
Wireless networks
What kind of social engineering technique involves creating a fake scenario to obtain sensitive information from someone?
Pretexting
How do supply chain attacks typically work?
Attackers compromise third-party vendors or suppliers to gain access to their customers’ systems.
What is business email compromise (BEC)?
An attack where cybercriminals spoof executive emails to trick employees into transferring money or sharing sensitive data
Which Bluetooth exploit allows attackers unauthorized access?
Bluesnarfing
What is one way attackers exploit open service ports?
By performing port scanning and exploiting services running on those ports
What is an Indicator of Compromise (IOC)?
A: Forensic evidence suggesting a potential intrusion or malicious activity, such as unusual traffic patterns or suspicious account activities
Describe a scenario where anomalous outbound traffic could indicate a security breach.
A: A sudden spike in outbound data could indicate data exfiltration by malware or a compromised system sending sensitive information to an external server.
How does a DDoS attack differ from a credential replay attack?
A: A DDoS attack overwhelms a target with excessive traffic, while a credential replay attack uses stolen credentials to gain unauthorized access.
What role do Intrusion Detection Systems play in identifying malicious activity?
A: IDS monitor network traffic for known threat signatures and unusual behavior patterns to detect potential security breaches.
Explain the difference between static and dynamic malware analysis.
A: Static analysis examines malware without execution, focusing on file signatures, while dynamic analysis runs malware in a controlled environment to observe behavior.
What are common indicators of a ransomware attack?
A: Encrypted files with ransom notes, unusual file extensions, and unexpected system performance degradation.
How can establishing a baseline for network traffic help in detecting threats?
A baseline helps identify deviations from normal traffic patterns, making it easier to spot anomalies that may indicate malicious activity.
What is the significance of account lockout as an indicator?
A: Account lockout can indicate attempted unauthorized access or brute force attacks due to repeated failed login attempts.
Describe how RFID cloning can be used in physical attacks.
A: RFID cloning copies data from an RFID card/device to create duplicates for unauthorized access to secure areas or systems.
What are the potential impacts of a buffer overflow attack?
A: Buffer overflow attacks can lead to arbitrary code execution, allowing attackers to take control of systems or cause them to crash.
How can privilege escalation be detected within an application?
A: By monitoring for unauthorized changes in user permissions or access levels within applications.
Why is it important to monitor for impossible travel scenarios?
A: Impossible travel involves login attempts from geographically distant locations in short time frames, indicating potential credential misuse.
What are the differences between spraying and brute force password attacks?
A: Password spraying tries common passwords across many accounts, while brute force attacks try many passwords on one account until successful.
How do cryptographic collision attacks work?
A: Collision attacks exploit weaknesses in hash functions by producing two different inputs that result in the same hash output, compromising data integrity
Explain the importance of monitoring concurrent session usage as an indicator.
A: Monitoring concurrent sessions helps detect unauthorized access when multiple sessions are active simultaneously from different locations for the same user account.
What steps should be taken when suspicious registry changes are detected?
A: Investigate changes for legitimacy, restore the registry from backups if necessary, and monitor for further unauthorized modifications.
Describe how directory traversal can be exploited by attackers.
A: Directory traversal exploits vulnerabilities allowing attackers to access files outside the intended web root folder by manipulating file paths.
How does analyzing DNS requests help in identifying potential threats?
Analyzing DNS requests can reveal attempts to connect to malicious domains or unusual patterns suggesting command-and-control communications.
What are the challenges associated with detecting logic bombs?
A: Logic bombs are difficult to detect because they remain dormant until triggered by specific conditions, making them hard to identify until activation.
In what ways can rootkits evade detection by traditional security measures?
What is the primary purpose of network segmentation?
To isolate parts of a network and reduce the attack surface.
What does an Access Control List (ACL) specify?
It specifies which users or systems are granted access to resources and what actions they are allowed to perform
How does least privilege contribute to enterprise security
It limits user permissions to only what is necessary for their role, reducing potential misuse
What is the difference between a DACL and an SACL?
A DACL specifies who is allowed or denied access, while an SACL logs access attempts for auditing purposes
Why is patching important in securing an enterprise?
Patching fixes known vulnerabilities in software that could be exploited by attackers.
What is an application allow list used for?
It restricts which applications are allowed to run on a system, preventing unauthorized software from executing
How does encryption protect data?
Encryption converts data into an unreadable format unless decrypted with the correct key.
What is configuration enforcement?
Ensuring that all systems adhere strictly to predefined security settings.
Why should ports/protocols be disabled when not in use?
To reduce potential entry points for attackers by limiting unnecessary services
What is involved in decommissioning hardware securely?
Securely wiping all data from devices before disposal or repurposing them
How does monitoring help in enterprise security?
It allows real-time detection of suspicious activities and potential breaches
What is host-based intrusion prevention (HIPS)?
A system that monitors and prevents malicious activities on individual hosts by analyzing behavior patterns
Why should default passwords be changed immediately after installation?
Default passwords are well-known and could be easily exploited by attackers if not changed promptly
How does isolation contribute to securing critical systems?
It prevents unauthorized communication with sensitive systems by separating them from less secure networks.
What role does encryption play in endpoint protection?
It ensures that data stored on endpoints remains confidential even if the device is compromised
