2.4 Flashcards

An overview of malware, viruses and worms, spyware and bloatware, other malware types, physical attacks, denial of service, DNS attacks, wireless attacks, on-path attacks, replay attacks, malicious code, application attacks, cryptographic attacks, password attacks, indicators of compromise

1
Q

Software doing bad things to your system

A

Malware

2
Q

A download that happens automatically without the user clicking on or opening anything

A

Drive-by download

3
Q

A type of malware that encrypts or exfiltrates your computer’s data, and then asks for a sum of money to return or not expose the data

A

Ransomware

4
Q

If you log into your computer and find that your files are encrypted, what type of malware is your computer infected with? Besides the encryption, your computer works normally.

A

Ransomware

5
Q

True/False

Keep your backups online so that you can quickly restore them.

A

False

Keep your backups offline so that attackers can’t access them

6
Q

4 ways to protect against ransomware

A

Have an offline backup
Keep your OS updated
Keep your applications patched
Keep your antimalware signatures up-to-date

7
Q

A type of malware that replicates itself via user intervention (ex. clicking a link, running an executable)

A

Virus

8
Q

A type of virus that runs as part of an application

A

Program virus

9
Q

A type of virus that automatically runs as the system boots

A

Boot sector virus

10
Q

A type of virus that runs as part of a script on a browser

A

Script virus

11
Q

A type of virus commonly found in Microsoft Office files as part of a small application embedded within the file

A

Macro virus

12
Q

A type of virus that never writes its malicious code to your storage drives as a file. It operates in memory and is never installed as a file or application, though it may keep an autostart entry (for example in the registry) that re-downloads and relaunches it after a reboot.

A

Fileless virus

13
Q

A type of malware that self-replicates without human intervention. This malware can attack at any time and move freely within your network once it gets in.

A

Worm

14
Q

What are the 2 main technologies that stop worm infections?

A

Firewalls and IPS/IDS

15
Q

A type of malware that monitors your browsing, takes screen captures, and may log your keystrokes. This data is sometimes used for advertising, identity theft, or affiliate fraud.

A

Spyware

16
Q

4 ways to protect against spyware

A

Maintain your antimalware signatures
Research what you’re installing
Keep a backup!
Run antimalware scans

17
Q

A type of malware that might be benign other than the fact it takes up storage and memory, and reduces performance. It’s something that you don’t need and don’t expect, often forcibly bundled with other apps.

This malware can open your system to exploits, even if it doesn’t damage your device on its own.

A

Bloatware

18
Q

3 ways to remove bloatware

A

Manually remove it
Use the built-in uninstaller
Third-party uninstallers and cleaners (always have a backup!)

19
Q

A type of spyware that logs your keystrokes and sends them to the attacker

Often includes clipboard logging, screen logging, instant messaging, and search engine queries

A

Keylogger

20
Q

A type of malware that performs an action after a predefined event has happened (ex. date and time or user event)

This malware is usually left by someone with a grudge (often an insider). Because each one is custom code written for a specific target, there is no generic antimalware signature for it: there are NO KNOWN SIGNATURES.

A

Logic bomb

21
Q

3 ways to prevent a logic bomb

A

Processes and procedures to protect configurations from being changed (formal change control)

Electronic monitoring (alert on changes, HIDS)

Constant auditing

22
Q

A type of malware that modifies core system files or the kernel itself so that its presence is hidden from the OS. Essentially, it becomes part of the kernel/OS of the machine. Because antivirus running on that OS relies on the OS to list files and processes, the rootkit can be invisible to it.

It has full run of your computer.

A

Rootkit

23
Q

3 ways to find and remove rootkits

A

Look for unusual symptoms and scan with antimalware that has rootkit detection (scanning from trusted boot media helps, since a kernel rootkit can hide from a scanner running on the infected OS)

Use a remover specific to the type of rootkit

Secure Boot with UEFI (stops rootkits that tamper with the boot chain from loading)

24
Q

How can a secure boot help identify and remove a rootkit?

A

UEFI Secure Boot checks the digital signature of the bootloader, and through it the OS kernel, against trusted keys before any of it is executed. If a rootkit has modified the boot chain, the signature no longer verifies and the firmware refuses to run the modified code, so even an installed rootkit is stopped from running when the computer boots. It does not detect a rootkit that only runs as a user-mode process after the OS has started.

25
Q

A type of physical attack where the attacker gains physical access to the device that they want to break into. They do this by forcing doors open or breaking windows.

A

Brute force

26
Q

A type of physical attack where attackers make copies of access badges or key fobs of authorized personnel. They can read one card/fob and then immediately copy it to another in a matter of seconds, without the authorized individual knowing.

A

RFID cloning

27
Q

How is RFID cloning mitigated?

A

MFA

The attacker might have a copy of the badge, but they likely don’t have the other factor (a PIN or a biometric)

28
Q

A type of physical attack where the attacker attacks everything supporting the technology. Cutting off power, interfering with HVAC (Heating, Ventilation, AC) or humidity controls, taking down fire suppression, etc.

A

Environmental attack

29
Q

A type of attack where the attacker causes a service or device to fail, preventing authorized users from accessing it

A

DoS

30
Q

A DoS attack where the cause is unintentional, often performed by legitimate individuals. This can happen through a programming error, accidentally downloading something too large/complex for a device to handle, or by a piece of equipment breaking (ex. a water line breaking in the IT dept)

A

“Friendly” DoS

31
Q

A type of attack where the attacker causes a service or device to fail by enlisting a large number of computers to take up the resources of that device.

A

DDoS

32
Q

A type of threat where the attacker has comparatively fewer resources than the victim

A

Asymmetric threat

33
Q

What kind of attack is often called an asymmetric threat?

A

DDoS

The attacker by themself often has fewer resources than the network they attempt to bring down. But with the help of a botnet, they can be successful.

34
Q

A method of carrying out a DDoS attack in which the attacker sends a query to a server, and spoofs their IP address so the response of that query will be sent to the victim.

Both the query and response are relatively the same size and are of the same protocol.

A

DDoS reflection

35
Q

A method of carrying out a DDoS attack in which the attacker sends a query to a server, and spoofs their IP address so the response of that query will be sent to the victim.

The response is much larger than the original query, meaning that the attacker doesn’t have to expend many resources in exchange for a large attack.

A

DDoS amplification

36
Q

Which 3 protocols can be abused to perform DDoS amplification?

A

NTP, DNS, ICMP (a small request such as an NTP monlist query or a DNS ANY lookup returns a response many times larger than the request)

37
Q

3 methods to perform DNS poisoning

A

Modify the DNS server (poison its cache or alter its records)

Modify the device’s hosts file (entries there take precedence over DNS queries)

Via an on-path (MITM) attack, intercept the legitimate DNS response and send a forged one instead (real-time redirection)

38
Q

A type of attack where the attacker causes the victim to resolve a valid domain name into an IP address that the attacker controls

A

DNS poisoning

39
Q

A type of attack where the attacker gets access to the domain registration of a legitimate website

That way, the attacker has control over where the traffic flows

A

Domain hijacking

40
Q

3 ways an attacker can get into the account used for the domain registration for a website

A

Brute force

Social engineer the password

Gain access to the email address that manages the account

41
Q

A type of attack where the attacker registers a domain that is a misspelling or look-alike of a legitimate one. A victim who mistypes or misreads the address is taken to an advertising site, a competitor site, a phishing site, or a site that performs drive-by downloads instead of the legitimate website.

A

URL hijacking

AKA typosquatting
AKA brandjacking

42
Q

2 other names for URL hijacking

A

Typosquatting
Brandjacking

43
Q

A type of wireless attack where the attacker disconnects the victim from their network connection. A type of DoS attack.

A

Wireless deauthentication attack

44
Q

What type of frames does the wireless deauthentication attack take advantage of?

A

802.11 management frames

45
Q

Frames used for the management of network connections. They are exchanged between the AP and clients, and are used to connect to the network, manage the connection, and then disconnect from the network. They are also used to associate with and disassociate from an AP. In the original standard they are sent unauthenticated, so anyone in radio range can forge them.

A

802.11 management frames
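Added example (not part of the original deck): a Python parser for the 802.11 frame-control field that classifies constructed frames and flags a burst of deauthentication or disassociation frames from a single transmitter, which is what the deauthentication attack in the cards above looks like in a capture. The sample frames, MAC addresses and the flood threshold are assumptions made for the demo.

```python
import struct
from collections import Counter

# Frame Control field (2 bytes, little endian, IEEE 802.11):
#   bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype; byte 1 holds flags.
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
DEAUTH_FLOOD_THRESHOLD = 10   # assumption: this many deauths from one sender in a sample is a flood


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b""):
    """Construct a minimal frame: FC, duration, three addresses, sequence control, body."""
    fc = (ftype << 2) | (subtype << 4)
    return (struct.pack("<HH", fc, 0) + mac_to_bytes(addr1) + mac_to_bytes(addr2)
            + mac_to_bytes(addr3) + b"\x00\x00" + body)


def parse_frame(raw):
    """Decode the 24-byte MAC header; deauth/disassoc frames also carry a 2-byte reason code."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 MAC header")
    fc = struct.unpack_from("<H", raw, 0)[0]
    frame = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": bytes_to_mac(raw[4:10]),    # receiver
        "addr2": bytes_to_mac(raw[10:16]),   # transmitter: the field an attacker spoofs
        "addr3": bytes_to_mac(raw[16:22]),   # BSSID
        "reason": None,
    }
    if is_deauth_or_disassoc(frame):
        if len(raw) < 26:
            raise ValueError("deauth/disassoc frame without reason code")
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def is_deauth_or_disassoc(frame):
    return frame["type"] == TYPE_MGMT and frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)


def detect_deauth_flood(frames, threshold=DEAUTH_FLOOD_THRESHOLD):
    """Return {transmitter MAC: count} for senders whose deauth/disassoc count reaches the threshold."""
    counts = Counter(f["addr2"] for f in map(parse_frame, frames) if is_deauth_or_disassoc(f))
    return {mac: n for mac, n in counts.items() if n >= threshold}


# Constructed sample capture (not real traffic): one beacon, three data frames, then a burst of
# broadcast deauthentication frames whose transmitter address is spoofed to look like the AP.
AP = "00:11:22:33:44:55"
CLIENT = "66:77:88:99:aa:bb"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = (
    [build_frame(TYPE_MGMT, SUBTYPE_BEACON, BROADCAST, AP, AP)]
    + [build_frame(TYPE_DATA, 0, AP, CLIENT, AP, b"payload")] * 3
    + [build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7))] * 12
)

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_FRAMES))   # {'00:11:22:33:44:55': 12}
```

On a real network the frames come from an interface in monitor mode, and the counter should run over a sliding time window rather than a whole capture. With 802.11w in use, forged frames fail the integrity check and the client simply drops them, which is why the same attack stops working.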

46
Q

RF stands for

A

Radio frequency

47
Q

A type of wireless attack where the attacker transmits interfering wireless signals (noise) until the victim cannot discern the legitimate traffic from the noise. It prevents any nearby victims from being able to receive signals from the AP.

A

RF jamming

AKA wireless jamming

48
Q

Which IEEE amendment addressed the problem enabling wireless deauthentication attacks by protecting management frames?

A

802.11w (Protected Management Frames, now required by WPA3)

It adds an integrity check (and encryption for unicast frames) to deauthentication, disassociation and similar management frames, so a forged frame is rejected. Both the AP and the client must support it.

49
Q

What equipment can inadvertently cause RF jamming?

A

Microwave
Fluorescent lights

50
Q

RF jamming is AKA

A

Wireless jamming

51
Q

3 different ways to carry out wireless/RF jamming

A

Constant, random bits/frames

Random intervals of noise

Reactive jamming - only happens when someone else tries to communicate

52
Q

True/False

Wireless/RF jamming can be carried out across the globe

A

False

Wireless/RF jamming needs to be performed close-by

53
Q

The method of finding the source of RF jamming

A

Fox hunting

54
Q

What 2 types of tools are useful during fox hunting?

A

Directional antenna - locates the direction of the signal

Attenuator - lowers the signal strength to make it easier to tell where it’s coming from (it gets louder as you get closer)

55
Q

A type of attack where the attacker sits between two devices and watches all the traffic occurring between them

A

On-path attack

AKA MITM attack

56
Q

MITM stands for

A

Man-in-the-middle

57
Q

A type of on-path attack where the attacker gets onto the same subnet as the victim devices.

The attacker then sends forged ARP replies claiming that a trusted IP address (typically the default gateway) is at the attacker’s MAC address. The victims update their ARP caches with that IP/MAC pair and send their traffic to the attacker instead of the legitimate device; the attacker forwards it on so that nobody notices.

A

ARP poisoning

58
Q

What enables ARP poisoning?

A

No security in ARP: there is no authentication, any host can answer for any IP address, and devices accept replies they never asked for
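Added example (not part of the original deck): a small Python detector that walks a constructed sequence of ARP replies and raises the two symptoms of the poisoning described in the two cards above, an IP address (especially the gateway) that suddenly answers from a different MAC, and one MAC that claims several IP addresses. The addresses and timing are assumptions made for the demo.

```python
from collections import defaultdict

# Constructed ARP replies (not a real capture): (seconds, sender_ip, sender_mac, target_ip).
# Each reply asserts "sender_ip is at sender_mac"; hosts cache it even if they never asked.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "00:50:56:aa:00:01", "10.0.0.20"),   # real gateway answers the client
    (0.1, "10.0.0.20", "00:0c:29:bb:00:20", "10.0.0.1"),   # client answers the gateway
    (4.0, "10.0.0.99", "00:0c:29:cc:00:99", "10.0.0.1"),   # attacker's own host, legitimately
    (6.0, "10.0.0.1", "00:0c:29:cc:00:99", "10.0.0.20"),   # attacker: "the gateway is at my MAC"
    (6.0, "10.0.0.20", "00:0c:29:cc:00:99", "10.0.0.1"),   # attacker: "the client is at my MAC"
]


def detect_arp_poisoning(replies, gateway_ip):
    """Track ip->mac and mac->ips; alert when an IP changes MAC or one MAC claims several IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, sender_ip, sender_mac, _target_ip in replies:
        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            kind = "gateway-mac-changed" if sender_ip == gateway_ip else "mac-changed"
            alerts.append({"t": t, "kind": kind, "ip": sender_ip, "old": previous, "new": sender_mac})
        ip_to_mac[sender_ip] = sender_mac
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1:
            alerts.append({"t": t, "kind": "mac-claims-multiple-ips", "mac": sender_mac,
                           "ips": sorted(mac_to_ips[sender_mac])})
    return alerts


def suspected_attackers(alerts):
    """The MAC that now answers for the gateway is the host sitting on the path."""
    return sorted({a["new"] for a in alerts if a["kind"] == "gateway-mac-changed"})


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, gateway_ip="10.0.0.1"):
        print(alert)
    print(suspected_attackers(detect_arp_poisoning(SAMPLE_REPLIES, "10.0.0.1")))
```

A MAC legitimately answering for several IPs does occur (a router with secondary addresses, a VRRP pair, a hypervisor), so the multiple-IP alert is a hint and the gateway MAC change is the strong signal. On the prevention side, a static ARP entry for the gateway on sensitive hosts and Dynamic ARP Inspection on the switch both stop the forged reply from taking effect.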

59
Q

A type of on-path attack in which the attacker’s malware resides between the user and the network, acting as a proxy. In fact, the attacker resides on the same system as the victim, inside the browser.

Even if the network traffic is encrypted, because the attacker is inside the browser they see the data before it is encrypted and after it is decrypted

Once the victim logs into their bank account, the attacker can capture those credentials for later use. They can then start other sessions behind the scenes that the victim will not see. Online shopping, money transfers, etc.

A

On-path browser attack

AKA man-in-the-browser attack

60
Q

A type of attack where the attacker captures legitimate authentication information (a password hash, a session cookie, a token) and reuses it later in order to authenticate to a service

A

Replay attack

61
Q

Why do attackers want your cookies?

A

Cookies contain session IDs; the attacker could gain access to a server without any authentication credentials by using the session ID

61
Q

2 ways to avoid replay attacks

A

Encrypt the authentication exchange (TLS) so the credentials can’t be captured in the first place

Bind each authentication to the session with a value that changes every time (a random nonce, challenge, or timestamp) so a captured response is worthless later. A fixed hash of the password sent over the wire is just as replayable as the password itself.
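Added example (not part of the original deck): a Python challenge-response login next to a static-hash login, showing why the per-session value in the card above matters. The server issues a random single-use nonce, the client answers with HMAC(key, nonce), and a sniffed answer fails on replay; the static scheme accepts the sniffed value every time. The user name, password and the PBKDF2 parameters are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets


# Assumption for the demo: the server stores a key derived from the password with PBKDF2.
# A fixed salt and low iteration count are used here only to keep the example fast.
def derive_key(password, salt=b"demo-salt", iterations=10_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class ChallengeResponseServer:
    """Login = HMAC(key, nonce). The nonce is random, single-use and never reissued."""

    def __init__(self, users):
        self.keys = {user: derive_key(pw) for user, pw in users.items()}
        self.pending = {}   # user -> nonce that is awaiting a response

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        expected_nonce = self.pending.pop(user, None)   # consumed whether or not this succeeds
        key = self.keys.get(user)
        if key is None or expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


class StaticHashServer:
    """Contrast: the client just sends a hash of the password. The value on the wire is
    identical in every session, so capturing it once is as good as knowing the password."""

    def __init__(self, users):
        self.keys = {user: derive_key(pw) for user, pw in users.items()}

    def verify(self, user, sent):
        key = self.keys.get(user)
        return key is not None and hmac.compare_digest(key, sent)


def run_demo():
    users = {"alice": "correct horse battery staple"}

    cr = ChallengeResponseServer(users)
    nonce = cr.challenge("alice")
    captured = client_response(users["alice"], nonce)        # attacker sniffs nonce + response
    legit_ok = cr.verify("alice", nonce, captured)
    replay_same_nonce = cr.verify("alice", nonce, captured)   # nonce already consumed
    fresh = cr.challenge("alice")
    replay_new_nonce = cr.verify("alice", fresh, captured)    # response was bound to the old nonce

    sh = StaticHashServer(users)
    captured_hash = derive_key(users["alice"])                # attacker sniffs the static value
    static_replay = sh.verify("alice", captured_hash)
    return legit_ok, replay_same_nonce, replay_new_nonce, static_replay


if __name__ == "__main__":
    print(run_demo())   # (True, False, False, True)
```

The nonce is what makes the captured data single-use; TLS on top of this stops the attacker from capturing it at all. A timestamp can play the same role as the nonce if clocks are synchronised and the server rejects anything older than a short window.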

62
Q

A type of attack where the attacker gains access to a session ID, and then uses it in order to authenticate to the server

A

Session hijacking

AKA sidejacking (the term usually refers to capturing the session cookie from an unencrypted network)

63
Q

2 ways to prevent session hijacking

A

End-to-end encryption (HTTPS)

End-to-somewhere encryption (VPN concentrator; if you can’t encrypt the whole journey, you can at least encrypt part of it. It’s best to avoid cleartext over a local network)

64
Q

Session hijacking is AKA

A

Sidejacking

65
Q

An attack where the attacker inserts their own code or commands into data that an application will process, so that it is executed or interpreted (SQL, LDAP, XML, or HTML/script injection)

A

Code injection

66
Q

What enables code injection?

A

Bad programming: the application mixes untrusted input into a query or command without validating, escaping, or parameterizing it

67
Q

A really useful buffer overflow is ____

A

Repeatable

Buffer overflows are often unpredictable: most overwrite attempts just crash the program. If the attacker can find a way to consistently get their desired outcome, it is a very useful exploit.

68
Q

In order to perform a replay attack, the attacker needs what kind of data?

A

Raw network data (through a network tap, ARP poisoning)

69
Q

True/False

A replay attack is an on-path attack

A

False

While the attacker may gather the data to perform the replay attack through an on-path attack, the actual replay attack is not on-path

70
Q

An application attack where an attacker gains elevated permissions on a system

A

Privilege escalation

71
Q

4 ways to mitigate privilege escalation

A

Keep applications patched

Update anti-malware signatures

Data Execution Prevention (marks memory regions such as the stack as non-executable, so injected code can’t run)

Use address space layout randomization (this changes the locations in memory where the program’s code, libraries, stack and heap are placed each time it’s launched, so an exploit can’t rely on known addresses; it makes buffer overflow exploitation much harder but does not prevent the overflow itself)

72
Q

What is it called when a legitimate website uses the user’s browser to make legitimate requests for other web pages to display content on the original website?

For example, when you go on one page, a video from YouTube and pictures from Instagram are also present.

A

Cross-site requests

73
Q

CSRF takes advantage of what?

A

CSRF takes advantage of the trust that a web application has for the user

The web site trusts your browser

Requests are made without your consent or your knowledge

Attacker’s page makes your browser post a Facebook status on your account

74
Q

An attack that takes advantage of the trust that a web application has for the user

A

CSRF / XSRF

75
Q

What anti-forgery solution has been implemented to prevent CSRF?

A

Anti-forgery (CSRF) token

A random value that the server generates, ties to the user’s session, and embeds in each form or request. The request is accepted only if the token it carries matches the one stored for that session; an attacker’s page cannot read the token, so it cannot forge a valid request.
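Added example (not part of the original deck): a Python sketch of the "post a status" handler from the cards above in two versions. The vulnerable one trusts the session cookie alone, which the browser attaches to a request triggered by any site; the hardened one also demands the per-session anti-forgery token, which only the legitimate page can embed. The session store, route and the attacker's page are assumptions made for the demo.

```python
import hmac
import secrets

SESSIONS = {}   # session id -> {"user": ..., "csrf": per-session token}
STATUSES = []   # constructed stand-in for the "posted statuses" table


def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """The legitimate page embeds the token; a cross-origin attacker page cannot read it."""
    return (f'<form method="post" action="/status">'
            f'<input type="hidden" name="csrf" value="{SESSIONS[sid]["csrf"]}">'
            f'<input name="status"><button>Post</button></form>')


def post_status_vulnerable(cookies, form):
    """Trusts the session cookie alone: any site can make the browser send it."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    STATUSES.append((session["user"], form["status"]))
    return 200


def post_status_hardened(cookies, form):
    """Also requires the per-session anti-forgery token, compared in constant time."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403
    STATUSES.append((session["user"], form["status"]))
    return 200


def run_demo():
    sid = new_session("victim")
    cookies = {"sid": sid}   # the browser attaches this cookie to every request to the site
    # 1. Submission from the real form: token included.
    legit = {"csrf": SESSIONS[sid]["csrf"], "status": "hello"}
    # 2. Request auto-submitted by a page on evil.example: the cookie still rides along,
    #    but the attacker does not know the token and can only guess.
    forged = {"csrf": "guess", "status": "I love evil.example"}
    return {
        "vulnerable_legit": post_status_vulnerable(cookies, legit),
        "vulnerable_forged": post_status_vulnerable(cookies, forged),
        "hardened_legit": post_status_hardened(cookies, legit),
        "hardened_forged": post_status_hardened(cookies, forged),
    }


if __name__ == "__main__":
    print(run_demo())   # {'vulnerable_legit': 200, 'vulnerable_forged': 200, 'hardened_legit': 200, 'hardened_forged': 403}
```

Marking the session cookie SameSite=Lax or Strict and checking the Origin header on state-changing requests are worthwhile additional layers; the token remains the check that works regardless of browser behaviour.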

76
Q

An attack that lets an attacker read files on the web server that are outside of the directory the site is meant to serve (the web root), typically by including ../ sequences in the requested path

A

Directory traversal

77
Q

What enables directory traversal attacks?

A

Web server misconfiguration
OR
Web application software vulnerability
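Added example (not part of the original deck): a Python file handler in the two forms the cards above describe. The vulnerable version joins the decoded request path onto the web root with no containment check; the hardened one decodes exactly once, strips a leading slash, resolves `..` and symlinks with `realpath`, and refuses anything that lands outside the root. The temporary directory layout and file contents are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


def make_demo_tree():
    """Constructed layout: <tmp>/www is the web root; <tmp>/secret.txt lives outside it."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "www")
    os.makedirs(os.path.join(webroot, "img"))
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>welcome</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return webroot


def serve_vulnerable(webroot, requested_path):
    """Decodes the URL and joins it to the web root with no check that it stays inside."""
    target = os.path.join(webroot, unquote(requested_path))
    with open(target) as f:
        return f.read()


def serve_hardened(webroot, requested_path):
    """Decode once, drop a leading '/', resolve '..' and symlinks, then confirm containment."""
    root = os.path.realpath(webroot)
    relative = unquote(requested_path).lstrip("/")   # a leading '/' would make join() discard root
    target = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, target]) != root or target == root:
        raise PermissionError(f"path escapes web root: {requested_path}")
    with open(target) as f:
        return f.read()


def run_demo():
    webroot = make_demo_tree()
    requests = ["index.html", "../secret.txt", "..%2Fsecret.txt", "img/../../secret.txt"]
    outcome = {}
    for req in requests:
        row = {}
        for name, handler in (("vulnerable", serve_vulnerable), ("hardened", serve_hardened)):
            try:
                row[name] = handler(webroot, req)
            except (PermissionError, FileNotFoundError):
                row[name] = "denied"
        outcome[req] = row
    return outcome


if __name__ == "__main__":
    for req, row in run_demo().items():
        print(f"{req:22} vulnerable={row['vulnerable']!r:24} hardened={row['hardened']!r}")
```

The check has to run on the fully resolved path: normalising before decoding, or decoding twice, reopens the hole (`..%252F` survives one decode as `..%2F`). Running the server as a low-privilege user with no read access outside the web root is the second line of defence if the application check is ever bypassed.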

78
Q

A cryptographic attack that exploits the birthday paradox: for an n-bit hash, a collision (two different inputs with the same hash) turns up after roughly 2^(n/2) random attempts, far fewer than the 2^n needed to hit one specific value. It is still a form of brute force, but a much more efficient one.

Applied to stored passwords (where any input that hashes to the stored value is accepted):

1) The attacker obtains a list of password hashes

2) Offline, they hash candidate inputs with the same algorithm until one matches a stored hash

3) They then log in with that input as the credential

Note that matching one specific stored hash is really a preimage search, which the birthday paradox does not speed up; the 2^(n/2) bound applies where any two inputs colliding is enough, such as forging a signed document or certificate.

A

Birthday attack

79
Q

What mitigates a birthday attack?

A

Large hash output sizes

The larger the hash, the more difficult it will be for the attacker to find a collision: the effort grows as 2^(n/2), so a 256-bit hash needs about 2^128 attempts
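Added example (not part of the original deck): Python code that makes the birthday bound from the two cards above observable by truncating SHA-256 to 32 bits. A collision search finds two different inputs with the same truncated hash after on the order of sqrt(pi/2 * 2^32), about 82,000 attempts, while a search for one specific hash value (the preimage case that matters for a single stolen password hash) gets no such shortcut and is expected to need about 2^32. The candidate strings and the 32-bit truncation are assumptions made for the demo.

```python
import hashlib
import math


def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256, so the birthday bound becomes observable in seconds."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def expected_collision_attempts(bits):
    """Birthday bound: about sqrt(pi/2 * 2^bits) random inputs before two share a hash."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits, limit=2_000_000):
    """Hash distinct candidates, remember each value, stop at the first repeated hash."""
    seen = {}
    for i in range(limit):
        msg = f"candidate-{i}".encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1   # two different inputs, same hash, attempts used
        seen[h] = msg
    return None


def find_preimage(target_msg, bits, limit):
    """Search for one specific hash: no birthday speed-up, about 2^bits tries expected."""
    target = truncated_hash(target_msg, bits)
    for i in range(limit):
        msg = f"guess-{i}".encode()
        if truncated_hash(msg, bits) == target:
            return msg, i + 1
    return None


if __name__ == "__main__":
    bits = 32
    print(f"expected collision attempts: {expected_collision_attempts(bits):.0f}")
    m1, m2, attempts = find_collision(bits)
    print(f"collision after {attempts} attempts: {m1!r} and {m2!r} both hash to "
          f"{truncated_hash(m1, bits):#010x}")
    print(f"preimage of one specific value in 20000 tries: {find_preimage(b'the real password', bits, 20_000)}")
```

Scaling the same arithmetic up is the mitigation in the card: at 128 bits (MD5's output size) the collision bound is about 2^64, which is within reach of a large budget even before the algorithm's structural weaknesses are considered; at 256 bits it is about 2^128, which is not.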

80
Q

Which cryptographic algorithm has a problem with hash collisions?

A

MD5 (practical collisions since 2004); SHA-1 has had them since 2017 as well

81
Q

A cryptographic attack where the attacker forces a system to revert its security to an older (less secure) model

Usually affects the encryption algorithm

A

Downgrade attack

82
Q

SSL stripping is a form of what 2 kinds of attack?

A

On-path attack and downgrade attack

The attacker sits in the middle of the conversation, keeps an HTTPS connection to the server, and strips the S from HTTPS toward the victim by rewriting links and redirects to plain HTTP. HSTS (HTTP Strict Transport Security) tells the browser to refuse plain HTTP for that site, which defeats this.

83
Q

A password attack in which the attacker attempts to use the top most common passwords on every account they can get their hands on.

NOTE

They try only a few passwords per account before moving on, staying below the lockout threshold so as not to raise any alarms or account lockouts.

A

Spraying attack

84
Q

A password attack in which the attacker tries every possible password, either against the live login, or offline by hashing each guess until a stolen hash is matched.

A

Brute force attack

85
Q

True/False

A strong hashing algorithm can slow down a brute force attack

A

True

A deliberately slow, salted algorithm (bcrypt, scrypt, PBKDF2, Argon2) makes every guess expensive; the salt also prevents precomputed (rainbow) tables

86
Q

Online brute force attacks involve

A

Passwords, tried against the live login; rate limiting and account lockout slow these down

87
Q

Offline brute force attacks involve

A

Hashes

They take the stored hash offline and attempt all passwords until it matches the hash

This sidesteps account lockout procedures
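Added example (not part of the original deck): a Python model of the password-attack cards above. An online login with lockout shows why spraying a few common passwords across every account succeeds where brute-forcing one account trips the lock; an offline cracker run against the same accounts shows that no lockout applies to stolen hashes, that an unsalted fast hash lets one computation test every user at once, and that a salted slow hash makes each guess cost a measurable amount more. The accounts, passwords, lockout threshold and PBKDF2 iteration count are assumptions made for the demo.

```python
import hashlib
import os
import time
from collections import Counter, defaultdict

TOP_PASSWORDS = ["123456", "password", "Winter2024!", "qwerty", "letmein"]
ACCOUNTS = {"alice": "Winter2024!", "bob": "gX7#pLm2!vRq9$wz", "carol": "123456"}   # constructed
SLOW_ITERATIONS = 50_000   # kept low for the demo; production values are higher


def fast_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt, iterations=SLOW_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_store(accounts, salted):
    """Return {user: (salt or None, hash)}: unsalted SHA-256 vs salted PBKDF2."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16) if salted else None
        store[user] = (salt, slow_hash(pw, salt) if salted else fast_hash(pw))
    return store


def crack_offline(store, wordlist):
    """No lockout here. Unsalted: one hash per guess tests every user. Salted: one per guess per user."""
    by_fast_hash = defaultdict(list)
    for user, (salt, h) in store.items():
        if salt is None:
            by_fast_hash[h].append(user)
    cracked = {}
    for guess in wordlist:
        for user in by_fast_hash.get(fast_hash(guess), []):
            cracked[user] = guess
        for user, (salt, h) in store.items():
            if salt is not None and user not in cracked and slow_hash(guess, salt) == h:
                cracked[user] = guess
    return cracked


class OnlineLogin:
    """Login endpoint that locks an account after N consecutive failures."""

    def __init__(self, accounts, lockout_threshold=5):
        self.accounts, self.threshold = accounts, lockout_threshold
        self.failures, self.locked = Counter(), set()

    def attempt(self, user, password):
        if user in self.locked:
            return "locked"
        if self.accounts.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "fail"


def password_spray(login, users, passwords):
    """A few common passwords across every account: stays under each account's lockout count."""
    hits = {}
    for pw in passwords:
        for user in users:
            if login.attempt(user, pw) == "ok":
                hits[user] = pw
    return hits


def brute_force_online(login, user, wordlist):
    """Many guesses against one account: trips lockout long before the list is exhausted."""
    for pw in wordlist:
        result = login.attempt(user, pw)
        if result == "ok":
            return pw
        if result == "locked":
            return None
    return None


def guess_cost_ratio():
    """How much slower one PBKDF2 guess is than one raw SHA-256 guess (varies by machine)."""
    t0 = time.perf_counter()
    for _ in range(100):
        fast_hash("x")
    t1 = time.perf_counter()
    slow_hash("x", os.urandom(16))
    t2 = time.perf_counter()
    return (t2 - t1) / ((t1 - t0) / 100)


def run_demo():
    spray_login, bf_login = OnlineLogin(ACCOUNTS), OnlineLogin(ACCOUNTS)
    return {
        "sprayed": password_spray(spray_login, list(ACCOUNTS), TOP_PASSWORDS[:3]),
        "spray_locked": sorted(spray_login.locked),
        "brute_result": brute_force_online(bf_login, "bob", TOP_PASSWORDS + ["dragon", "monkey", "iloveyou"]),
        "brute_locked": sorted(bf_login.locked),
        "cracked_fast": crack_offline(make_store(ACCOUNTS, salted=False), TOP_PASSWORDS),
        "cracked_slow": crack_offline(make_store(ACCOUNTS, salted=True), TOP_PASSWORDS),
    }


if __name__ == "__main__":
    print(run_demo())
    print(f"one PBKDF2 guess costs about {guess_cost_ratio():.0f}x one SHA-256 guess")
```

The spray finds the two accounts with top-five passwords without locking anything, which is why detecting it means correlating failures across accounts rather than per account. Offline, the salted slow hash cracks the same weak passwords, only more slowly per guess; the slow algorithm buys time, it does not rescue a password that is on the list.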

88
Q

IOC stands for

A

Indicators of Compromise

89
Q

An event that happens at an unusual time, documented by a log, is called:

A

Out-of-cycle logging

90
Q

True/False

Out-of-cycle logging typically reflects a configuration error

A

False

Out-of-cycle logging can be an IOC

91
Q

True/False

Since logs record everything, you don’t have to worry that attackers can hide from them

A

False

Attackers can delete or alter logs on a compromised system. Forward logs to a separate collector (a SIEM) so the attacker cannot erase the record.