2.4

Question 1

Software doing bad things to your system

Answer 1

Malware

Question 2

A download that happens automatically without the user clicking on or opening anything

Answer 2

Drive-by download

Question 3

A type of malware that encrypts or exfiltrates your computer’s data, and then asks for a sum of money to return or not expose the data

Answer 3

Ransomware

Question 4

If you log into your computer and find that your files are encrypted, what type of malware is your computer infected with? Besides the encryption, your computer works normally.

Answer 4

Ransomware

Question 5

True/False

Keep your backups online so that you can quickly restore them.

Answer 5

False

Keep your backups offline so that attackers can’t access them

Question 6

4 ways to protect against ransomware

Answer 6

Have an offline backup
Keep your OS updated
Keep your applications patched
Keep your antimalware signatures up-to-date

Question 7

A type of malware that replicates itself via user intervention (ex. clicking a link, running an executable)

Answer 7

Virus

Question 8

A type of virus that runs as part of an application

Answer 8

Program virus

Question 9

A type of virus that automatically runs as the system boots

Answer 9

Boot sector virus

Question 10

A type of virus that runs as part of a script on a browser

Answer 10

Script virus

Question 11

A type of virus commonly found in Microsoft Office files as part of a small application embedded within the file

Answer 11

Macro virus

Question 12

A type of virus that never writes any software or malicious code to your storage drives. It operates in memory, but is never installed in a file or application.

Answer 12

Fileless virus

Question 13

A type of malware that self-replicates without human intervention. This malware can attack at any time and move freely within your network once it gets in.

Answer 13

Worm

Question 14

What are the 2 main technologies that stop worm infections?

Answer 14

Firewalls and IPS/IDS

Question 15

A type of malware that monitors your browsing, takes screen captures, and may log your keystrokes. This data is sometimes used for advertising, identity theft, or affiliate fraud.

Answer 15

Spyware

Question 16

4 ways to protect against spyware

Answer 16

Maintain your antimalware signatures
Research what you’re installing
Keep a backup!
Run antimalware scans

Question 17

A type of malware that might be benign other than the fact it takes up storage and memory, and reduces performance. It’s something that you don’t need and don’t expect, often forcibly bundled with other apps.

This malware can open your system to exploits, even if it doesn’t damage your device on its own.

Answer 17

Bloatware

Question 18

3 ways to remove bloatware

Answer 18

Manually remove it
Use the built-in uninstaller
Third-party uninstallers and cleaners (always have a backup!)

Question 19

A type of spyware that logs your keystrokes and sends them to the attacker

Often includes clipboard logging, screen logging, instant messaging, and search engine queries

Answer 19

Keylogger

Question 20

A type of malware that performs an action after a predefined event has happened (ex. date and time or user event)

This malware is usually left by someone with a grudge. Because they are created by a person, they are very difficult to identify with malware signatures. There are NO KNOWN SIGNATURES.

Answer 20

Logic bomb

Question 21

3 ways to prevent a logic bomb

Answer 21

Processes and procedures to protect configurations from being changed (formal change control)

Electronic monitoring (alert on changes, HIDS)

Constant auditing

Question 22

A type of malware that modifies the core system files in a way that is invisible to the OS. Essentially, to becomes a part of the kernel/OS of the machine. Because of this, it’s invisible to antivirus.

It has full run of your computer.

Answer 22

Rootkit

Question 23

3 ways to find and remove rootkits

Answer 23

Look for unusual symptoms (identify with antimalware software)

Use a remover specific to the type of rootkit

Secure boot with UEFI

Question 24

How can a secure boot help identify and remove a rootkit?

Answer 24

The secure boot will search for a OS signature, and verify that the kernel of the OS hasn’t changed before the system is booted. Even if the rootkit has been installed, the secure boot will stop the rootkit from running once the computer boots up for real.

Question 25

A type of physical attack where the attacker gains physical access to the device that they want to break into. They do this by forcing doors open or breaking windows.

Answer 25

Brute force

Question 26

A type of physical attack where attackers make copies of access badges or key fobs of authorized personnel. They can read one card/fob and then immediately copy it to another in a matter of seconds, without the authorized individual knowing.

Answer 26

RFID cloning

Question 27

How is RFID cloning mitigated?

Answer 27

MFA

The attacker might have the badge, but they likely don’t have other information

Question 28

A type of physical attack where the attacker attacks everything supporting the technology. Cutting off power, interfering with HVAC (Heating, Ventilation, AC) or humidity controls, taking down fire suppression, etc.

Answer 28

Environmental attack

Question 29

A type of attack where the attacker causes a service or device to fail, preventing authorized users from accessing it

Answer 29

DoS

Question 30

A DoS attack where the cause is unintentional, often performed by legitimate individuals. This can happen through a programming error, accidentally downloading something too large/complex for a device to handle, or by a piece of equipment breaking (ex. a water line breaking in the IT dept)

Answer 30

“Friendly” DoS

Question 31

A type of attack where the attacker causes a service or device to fail by enlisting a large number of computers to take up the resources of that device.

Answer 31

DDoS

Question 32

A type of threat where the attacker has comparatively fewer resources than the victim

Answer 32

Asymmetric threat

Question 33

What kind of attack is often called an asymmetric threat?

Answer 33

DDoS

The attacker by themself often has fewer resources than the network they attempt to bring down. But with the help of a botnet, they can be successful.

Question 34

A method of carrying out a DDoS attack in which the attacker sends a query to a server, and spoofs their IP address so the response of that query will be sent to the victim.

Both the query and response are relatively the same size and are of the same protocol.

Answer 34

DDoS reflection

Question 35

A method of carrying out a DDoS attack in which the attacker sends a query to a server, and spoofs their IP address so the response of that query will be sent to the victim.

The response is much larger than the original query, meaning that the attacker doesn’t have to expend many resources in exchange for a large attack.

Answer 35

DDoS amplification

Question 36

Which 3 protocols can be abused to perform DDoS amplification?

Answer 36

NTP, DNS, ICMP

Question 37

3 methods to perform DNS poisoning

Answer 37

Modify the DNS server

Modify the device’s host files (they take precedent over DNS queries)

Via MITM, intercept the legitimate DNS server response, and instead send one of your own (real-time redirection)

Question 38

A type of attack where the attacker causes the victim to resolve a valid domain name into a malicious IP address or vice versa

Answer 38

DNS poisoning

Question 39

A type of attack where the attacker gets access to the domain registration of a legitimate website

That way, the attacker has control over where the traffic flows

Answer 39

Domain hijacking

Question 40

3 ways an attacker can get into the account used for the domain registration for a website

Answer 40

Brute force

Social engineer the password

Gain access to the email address that manages the account

Question 41

A type of attack where the victim is redirected to an advertising site, a competitor site, a phishing site, or a site that performs drive-by downloads when attempting to access a legitimate website.

Answer 41

URL hijacking

AKA typosquatting
AKA brandjacking

Question 42

2 other names for URL hijacking

Answer 42

Typosquatting
Brandjacking

Question 43

A type of wireless attack where the attacker disconnects the victim from their network connection. A type of DoS attack.

Answer 43

Wireless deauthentication attack

Question 44

What type of frames does the wireless deauthentication attack take advantage of?

Answer 44

802.11 management frames

Question 45

Frames used for the management of network connections. They are sent/received by the AP, and are used to connect to the network, manage the connection, and then disconnect from the network. They are also used to associate to and dissociate from an AP.

Answer 45

802.11 management frames

Question 46

RF stands for

Answer 46

Radio frequency

Question 47

A type of wireless attack where the attacker transmits interfering wireless signals (noise) until the victim cannot discern the legitimate traffic from the noise. It prevents any nearby victims from being able to receive signals from the AP.

Answer 47

RF jamming

AKA wireless jamming

Question 48

Which IEEE update addressed the problem enabling wireless deauthentication attacks by encrypting management frames?

Answer 48

802.11ac

Question 49

What equipment can inadvertently cause RF jamming?

Answer 49

Microwave
Fluorescent lights

Question 50

RF jamming is AKA

Answer 50

Wireless jamming

Question 51

3 different ways to carry out wireless/RF jamming

Answer 51

Constant, random bits/frames

Random intervals of noise

Reactive jamming - only happens when someone else tries to communicate

Question 52

True/False

Wireless/RF jamming can be carried out across the globe

Answer 52

False

Wireless/RF jamming needs to be performed close-by

Question 53

The method of finding the source of RF jamming

Answer 53

Fox hunting

Question 54

What 2 types of tools are useful during fox hunting?

Answer 54

Directional antenna - locates the direction of the signal

Attenuator - lowers the signal strength to make it easier to tell where it’s coming from (it gets louder as you get closer)

Question 55

A type of attack where the attacker sits between two devices and watches all the traffic occurring between them

Answer 55

On-path attack

AKA MITM attack

Question 56

MITM stands for

Answer 56

Man-in-the-middle

Question 57

A type of on-path attack where the attacker gets on the same subnet as the victim devices.

The attacker then spoofs their IP address to one of a trusted device, and then advertises their IP/MAC pair to legitimate devices. That way, the legitimate devices will then send their traffic to the malicious device instead of the legitimate device.

Answer 57

ARP poisoning

Question 58

What enables ARP poisoning?

Answer 58

No security in ARP

Question 59

A type of on-path attack in which the attacker resides between the device and the network, acting as a proxy. In fact, the attacker resides in the same system as the victim.

Even if the network traffic is encrypted, because the attacker is on the same system, they would be able to see the data

Once the victim logs into their bank account, the attacker can get those credentials for later use. They can then start other sessions behind the scenes that the victim will not see. Online shopping, money transfers, etc.

Answer 59

On-path browser attack

AKA man-in-the-browser attack

Question 60

A type of attack where the attacker reuses legitimate information in order to authenticate to a service

Answer 60

Replay attack

Question 61

Why do attackers want your cookies?

Answer 61

Cookies contain session IDs; the attacker could gain access to a server without any authentication credentials by using the session ID

Question 61

2 ways to avoid replay attacks

Answer 61

Encrypt the authentication credentials

Use a salt that changes for every session

Question 62

A type of attack where the attacker gains access to a session ID, and then uses it in order to authenticate to the server

Answer 62

Session hijacking

AKA sidejacking

Question 63

2 ways to prevent session hijacking

Answer 63

End-to-end encryption (HTTPS)

End-to-somewhere encryption (VPN concentrator; if you can’t encrypt the whole journey, you can at least encrypt part of it. It’s best to avoid cleartext over a local network)

Question 64

Session hijacking is AKA

Answer 64

Sidejacking

Question 65

An attack where the attacker inserts their own information into a data stream

Answer 65

Code injection

Question 66

What enables code injection?

Answer 66

Bad programming

Question 67

A really useful buffer overflow is ____

Answer 67

Repeatable

Buffer overflows can often be unpredictable. If the attacker can find a way to consistently get their desired outcome, it is very a very useful exploit.

Question 68

In order to perform a replay attack, the attacker needs what kind of data?

Answer 68

Raw network data (through a network tap, ARP poisoning)

Question 69

True/False

A replay attack is an on-path attack

Answer 69

False

While the attacker may gather the data to perform the replay attack through an on-path attack, the actual replay attack is not on-path

Question 70

An application attack where an attacker gains elevated permissions on a system

Answer 70

Privilege escalation

Question 71

4 ways to mitigate privilege escalation

Answer 71

Keep applications patched

Update anti-malware signatures

Data Execution Prevention

Use address space layout randomization (This changes the location in memory that an application runs each time it’s launched; prevents buffer overflow attacks)

Question 72

What is it called when a legitimate website uses the user’s browser to make legitimate requests for other web pages to display content on the original website?

For example, when you go on one page, a video from YouTube and pictures from Instagram are also present.

Answer 72

Cross-site requests

Question 73

CSRF takes advantage of what?

Answer 73

CSRF takes advantage of the trust that a web application has for the user

The web site trusts your browser

Requests are made without your consent or your knowledge

Attacker posts a Facebook status on your account

Question 74

An attack that takes advantage of the trust that a web application has for the user

Answer 74

CSRF / XSRF

Question 75

What anti-forgery solution has been implemented to prevent CSRF?

Answer 75

Cryptographic token

It verifies that the user has authenticated properly, and that the token is the correct one for that specific session

Question 76

An attack that allows an attacker to read files on a website that are outside of the website’s file directory

Answer 76

Directory traversal

Question 77

What enables directory traversal attacks?

Answer 77

Web server misconfiguration
OR
Web application software vulnerability

Question 78

A cryptographic attack that takes advantage of the chances of a hash collision occurring. They check for this collision by brute force.

This method is much more efficient than brute force attacks, though it is a type of brute force.

1) The attacker gains a list of password hashes

2) Using a cryptographic algorithm, they generate hashes of would-be passwords until they find a collision. This process happens offline.

3) They then attempt to input the credentials

Answer 78

Birthday attack

Question 79

What mitigates a birthday attack?

Answer 79

Large hash output sizes

The larger the hash, the more difficult it will be for the attacker to duplicate it

Question 80

Which cryptographic algorithm has a problem with hash collisions?

Answer 80

MD5

Question 81

A cryptographic attack where the attacker forces a system to revert its security to an older (less secure) model

Usually affects the encryption algorithm

Answer 81

Downgrade attack

Question 82

SSL stripping is a form of what 2 kinds of attack?

Answer 82

On-path attack and downgrade attack

The attacker sits in the middle of the conversation and strips the S from HTTPS by rewriting URLs

Question 83

A password attack in which the attacker attempts to use the top most common passwords on every account they can get their hands on.

NOTE

They stop short of raising any alarms or account lockouts.

Answer 83

Spraying attack

Question 84

A password attack in which the attacker tries every password combination until the hash is matched.

Answer 84

Brute force attack

Question 85

True/False

A strong hashing algorithm can slow down a brute force attack

Answer 85

True

Question 86

Online brute force attacks involve

Answer 86

Passwords

Question 87

Offline brute force attacks involve

Answer 87

Hashes

They take the stored hash offline and attempt all passwords until it matches the hash

This sidesteps account lockout procedures

Question 88

IOC stands for

Answer 88

Indicators of Compromise

Question 89

An event that happens at an unusual time, documented by a log, is called:

Answer 89

Out-of-cycle logging

Question 90

True/False

Out-of-cycle logging typically reflects a configuration error

Answer 90

False

Out-of-cycle logging can be an IOC

Question 91

True/False

Since logs record everything, you don’t have to worry that attackers can hide from them

Answer 91

False

Attackers can delete logs from the system