2.4 Threats and Vulnerabilites

Question 1

Phishing

Answer 1

Fake emails/texts sent by an attacker attempting to obtain confidential information from victims

Question 2

Vishing

Answer 2

Fraudulent phonecalls used to trick victims into providing sensitive information

Question 3

Shoulder surfing

Answer 3

Attacker observing another person’s computer or mobile device screen and/or keyboard to obtain sensitive information

Question 4

Whaling

Answer 4

Spear-fishing attack aimed exclusively at a high-level executive or official

Question 5

Tailgating

Answer 5

An unauthorised actor gains access to a controlled area by closely following someone with legitimate access credentials

Question 6

Impersonation

Answer 6

A criminal poses as a known person or organisation to steal confidential data or money

Question 7

Dumpster diving

Answer 7

Extracting sensitive information and potential vulnerabilities from discarded physical or digital assets

Question 8

Evil twin

Answer 8

Spoofing cyberattack that tricks users into connecting to a fake Wi-Fi AP mimicking a legitimate network

Question 9

What information can attackers gather from deploying an evil twin attack?

Answer 9

Network traffic, private login credentials, financial data and credit card transactions

Question 10

DDoS attack

Answer 10

Forcing a website, PC, or online service offline by flooding the target with requests from different IP addresses so it cannot respond to legitimate requests

Question 11

DoS attack

Answer 11

Flooding a target with traffic (more TCP/UDP packets than it can process) from a single system

Question 12

Zero-day attack

Answer 12

Where an unknown or unaddressed security flaw in software, hardware, or firmware is exploited

Question 13

Spoofing

Answer 13

Attempting to obtain personal information by pretending to be a known, trusted, and/or legitimate source

Question 14

On-path attack

Answer 14

An attacker places themselves between two devices and can intercept or modify communications (including impersonating as either agent)

Question 15

Brute-force attack

Answer 15

Using many attempts to try and crack passwords, login credentials, and encryption keys

Question 16

Dictionary attack

Answer 16

Attempting to crack a password with a “dictionary list” of common words and phrases

Question 17

Insider threat

Answer 17

Any person with authorised access that causes harm (wittingly or unwittingly) to an organisation and/or it’s resources

Question 18

SQL injection

Answer 18

A web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database

Question 19

Cross-site scripting

Answer 19

Malicious executable scripts are injected into the code of
otherwise benign and trusted websites

Question 20

Non-compliant system

Answer 20

A system that does not comply with the required security criteria

Question 21

Name three security vulnerabilities caused by BYOD.

Answer 21

• Devices can easily go missing (loss/theft)
• Shadow IT: Employees can download apps to improperly access company data or exploit/introduce security vulnerabilities
• Unsecured Wi-Fi access in public places

Question 22

Name three security vulnerabilities caused by EOL OSs.

Answer 22

• Lacking latest security patches so increased vulnerability to cyberattacks
• May be non-compliant with regulatory standards
• Software incompatibility

Question 23

Name three security vulnerabilities caused by unprotected systems

Answer 23

• Viruses and malware can be transmitted much easier
• Websites are unsecure and are easier to be compromised
• Attackers can gain access to the network and therefore sensitive information

Question 24

Define what constitutes an unprotected system

Answer 24

Missing antivirus and/or a firewall