2.4 Threats and Vulnerabilites

Question 1

Phishing

Answer 1

Fake emails/texts sent by an attacker attempting to obtain confidential information from victims

Question 2

Vishing

Answer 2

Fraudulent phonecalls used to trick victims into providing sensitive information

Question 3

Shoulder surfing

Answer 3

Attacker observing another person’s computer or mobile device screen and/or keyboard to obtain sensitive information

Question 4

Whaling

Answer 4

Spear-fishing attack aimed exclusively at a high-level executive or official

Question 5

Tailgating

Answer 5

An unauthorised actor gains access to a controlled area by closely following someone with legitimate access credentials

Question 6

Impersonation

Answer 6

A criminal poses as a known person or organisation to steal confidential data or money

Question 7

Dumpster diving

Answer 7

Extracting sensitive information and potential vulnerabilities from discarded physical or digital assets

Question 8

Evil twin

Answer 8

Spoofing cyberattack that tricks users into connecting to a fake Wi-Fi AP mimicking a legitimate network

Question 9

What information can attackers gather from deploying an evil twin attack?

Answer 9

Network traffic, private login credentials, financial data and credit card transactions

Question 10

DDoS attack

Answer 10

Forcing a website, PC, or online service offline by flooding the target with requests from different IP addresses so it cannot respond to legitimate requests

Question 11

DoS attack

Answer 11

Flooding a target with traffic (more TCP/UDP packets than it can process) from a single system

Question 12

Zero-day attack

Answer 12

Where an unknown or unaddressed security flaw in software, hardware, or firmware is exploited

Question 13

Spoofing

Answer 13

Attempting to obtain personal information by pretending to be a known, trusted, and/or legitimate source

Question 14

On-path attack

Answer 14

An attacker places themselves between two devices and can intercept or modify communications (including impersonating as either agent)

Question 15

Brute-force attack

Answer 15

Using many attempts to try and crack passwords, login credentials, and encryption keys

Question 16

Dictionary attack

Answer 16

Attempting to crack a password with a “dictionary list” of common words and phrases

Question 17

Insider threat

Answer 17

Any person with authorised access that causes harm (wittingly or unwittingly) to an organisation and/or it’s resources

Question 18

SQL injection

Answer 18

A web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database

Question 19

Cross-site scripting

Answer 19

Malicious executable scripts are injected into the code of
otherwise benign and trusted websites

Question 20

Non-compliant system

Answer 20

A system that does not comply with the required security criteria

Question 21

Name three security vulnerabilities caused by BYOD.

Answer 21

• Devices can easily go missing (loss/theft)
• Shadow IT: Employees can download apps to improperly access company data or exploit/introduce security vulnerabilities
• Unsecured Wi-Fi access in public places

Question 22

Name three security vulnerabilities caused by EOL OSs.

Answer 22

• Lacking latest security patches so increased vulnerability to cyberattacks
• May be non-compliant with regulatory standards
• Software incompatibility

Question 23

Name three security vulnerabilities caused by unprotected systems

Answer 23

• Viruses and malware can be transmitted much easier
• Websites are unsecure and are easier to be compromised
• Attackers can gain access to the network and therefore sensitive information

Question 24

Define what constitutes an unprotected system

Answer 24

Missing antivirus and/or a firewall

Question 25

What is the weakest link in an organisation’s security?

Answer 25

End users

Question 26

What is the response rate for phishing?

Answer 26

60-70%

Question 27

Business Email Compromise (BEC)

Answer 27

When an attacker takes over a high-level executive’s account and orders employees to conduct tasks

Question 28

Pharming

Answer 28

A two-step process:
- Attacker installs malicious code on victim’s computer/server
- Victim is sent to a spoofed website where they may be tricked into revealing personal or sensitive information

Question 29

Spam

Answer 29

Abuse of electronic messaging systems, most commonly through email

Question 30

Open mail relay

Answer 30

SMTP server configured to allow anyone on the internet to send email through

Question 31

Social engineering

Answer 31

Any attempt to manipulate users into revealing confidential information or performing other actions detrimental to the user or security of the systems

Question 32

Tailgating

Answer 32

Attempting to enter a secure portion of a building by following an authorised person into that area without their knowledge

Question 33

Piggybacking

Answer 33

Gaining access to a secure area by following an authorised person with their knowledge and consent

Question 34

Shoulder surfing

Answer 34

Using direct observation to obtain information from an employee

Question 35

Dumpster diving

Answer 35

Looking in garbage or recycling bins for personal or confidential information

Question 36

Evil twin

Answer 36

A fraudulent WiFi access point that appears legitimate but collects data that victims send through wireless communications

Question 37

Karma attack

Answer 37

Exploits the behaviour of WiFi devices due to a lack of access point authentication protocols being implemented

Question 38

Preferred Network List

Answer 38

A list of the SSIDs (and their original settings) of any access point the device has previously
connected to and will automatically connect to when those
networks are in range

Question 39

Captive portal

Answer 39

A web page that the user of a public network is required to view and interact with before accessing the network

Question 40

Clean desk policy

Answer 40

Employees leave nothing on their desks at the end of the day that could be taken as a password or PIN