467_Flashcards

1
Q

What is malware as defined by NIST 800-83?

A

A program inserted into a system, usually covertly, to compromise confidentiality, integrity, or availability of data, applications, or operating systems.

2
Q

What is an Advanced Persistent Threat (APT)?

A

A well-resourced, persistent attack using various technologies and malware, often state-sponsored, targeting specific businesses or political entities.

3
Q

What are the main classifications of malware propagation mechanisms?

A

Infected content (viruses), vulnerability exploit (worms), and social engineering (spam emails, Trojans).

4
Q

What is a virus?

A

Malware that replicates itself into executable code and propagates when the infected code is executed.

5
Q

What is a worm?

A

A program that spreads independently by exploiting vulnerabilities and often carries a payload.

6
Q

What is a Trojan horse?

A

Malware that appears legitimate but contains harmful hidden functionality, such as spyware or keyloggers.

7
Q

What are botnets used for?

A

Activities such as DDoS attacks, spamming, sniffing sensitive data, and installing additional malware.

8
Q

What is ransomware?

A

Malware that encrypts user data and demands payment for the decryption key.

9
Q

What is a logic bomb?

A

Code that triggers a payload when specific conditions are met.

10
Q

What is the difference between a rootkit and a backdoor?

A

A rootkit hides its presence and provides admin access, while a backdoor is an entry point bypassing security checks.

11
Q

What is a phishing attack?

A

A social engineering attack where victims are tricked into revealing sensitive information by mimicking trusted sources.

12
Q

What is a macro virus?

A

A virus that uses macro or scripting code in documents to execute and spread.

13
Q

What is a drive-by download attack?

A

Malware installation through a compromised website without user consent.

14
Q

What are the four generations of anti-virus software?

A

1) Signature-based scanners, 2) Heuristic scanners, 3) Activity traps, 4) Full-featured protection.

15
Q

What is sandbox analysis?

A

Executing potentially malicious code in a controlled environment to analyze its behavior.

16
Q

What is a hash function?

A

A function that converts a variable-length input into a fixed-size output called a hash value.

17
Q

What are the key properties of a cryptographic hash function?

A

Preimage resistance, second preimage resistance, and collision resistance.

18
Q

What is preimage resistance?

A

The property that makes it computationally infeasible to find an input x given its hash value h.

19
Q

What is collision resistance?

A

The property that makes it computationally infeasible to find two distinct inputs x and y such that H(x) = H(y).

20
Q

What is the main application of a message digest?

A

To provide message authentication by verifying data integrity.

21
Q

What is a digital signature?

A

A mechanism where the hash value of a message is encrypted with a private key to ensure authenticity and integrity.

22
Q

What are simple hash functions, and why are they insecure?

A

Functions like XOR-based hashing are prone to collisions and insufficient for secure applications.

23
Q

What is the birthday paradox in the context of hash functions?

A

The probability of finding a collision is significant after approximately √(2^m) = 2^(m/2) inputs for an m-bit hash value.

24
Q

What is the Secure Hash Algorithm (SHA)?

A

A family of cryptographic hash functions designed by NIST, including SHA-1, SHA-2, and SHA-3.

25
Why was SHA-3 developed?
To provide a secure alternative to SHA-2 due to concerns about its structural similarity to SHA-1, which has vulnerabilities.
26
What is the structure of SHA-3?
Based on a sponge construction, allowing flexibility in output size and security.
27
What are brute-force attacks on hash functions?
Efforts to find preimages, second preimages, or collisions by testing large numbers of inputs.
28
What is a hash-based pseudorandom function (PRF)?
A function using a hash to generate pseudorandom values, often for key generation.
29
What is the significance of the S-box in SHA-2 and SHA-3?
Provides nonlinearity to resist cryptanalytic attacks.
30
How is a hash function used in password storage?
Passwords are hashed, and the hash is stored. Verification is done by comparing the stored hash with the hash of the entered password.
31
What does RSA stand for?
Rivest-Shamir-Adleman, the developers of the algorithm.
32
What is the purpose of public-key cryptography?
To provide secure communication and digital signatures without relying on a trusted key distribution center.
33
What are the six components of a public-key cryptosystem?
Plaintext, encryption algorithm, public key, private key, ciphertext, decryption algorithm.
34
What is a trap-door one-way function?
A function that is easy to compute but infeasible to invert without special knowledge (the trap-door).
35
What are the basic requirements for a public-key algorithm?
Easy to generate key pairs, encrypt with the public key, decrypt with the private key, and infeasible to derive private key from public key.
36
What is the mathematical basis of RSA encryption?
C = M^e mod n, where C is ciphertext, M is plaintext, e is the public exponent, and n is the modulus.
37
What are the prime factors of n in RSA used for?
They are used to compute the private key through the totient function φ(n).
38
What are the common attacks on RSA?
Brute force, mathematical attacks, timing attacks, hardware fault-based attacks, chosen ciphertext attacks.
39
How does RSA use the Chinese Remainder Theorem (CRT)?
To speed up decryption by breaking calculations into smaller moduli.
40
What is a common public exponent used in RSA?
e = 65537, because it has only two 1 bits, minimizing computational overhead.
41
What is the countermeasure for timing attacks on RSA?
Using constant exponentiation time, adding random delays, or blinding ciphertexts.
42
What is Optimal Asymmetric Encryption Padding (OAEP)?
A procedure to add random padding to plaintext to prevent chosen ciphertext attacks on RSA.
43
What are the applications of public-key cryptosystems?
Encryption/decryption, digital signatures, and key exchange.
44
What is the main advantage of public-key cryptography over symmetric encryption?
Key distribution is simpler as the public key can be shared openly.
45
What does AES stand for?
Advanced Encryption Standard.
46
What are the block and key sizes for AES?
Block size: 128 bits. Key sizes: 128, 192, or 256 bits.
47
What is the structure of AES?
Processes data as a 4x4 matrix (State array) through multiple rounds of substitution and permutation.
48
What are the four main transformation functions of AES?
SubBytes, ShiftRows, MixColumns, AddRoundKey.
49
What is the purpose of the SubBytes transformation?
It substitutes each byte in the State using an S-box designed for cryptographic strength.
50
What does the ShiftRows transformation do?
Performs a cyclic shift of the rows in the State matrix to ensure diffusion.
51
What is the MixColumns transformation?
A column-wise mixing operation that combines the bytes in each column of the State matrix.
52
What is the AddRoundKey transformation?
Performs a bitwise XOR between the State matrix and a round key.
53
How does AES decryption differ from encryption?
Decryption uses inverse transformations and applies the round keys in reverse order.
54
What is the S-box used for in AES?
A 16x16 matrix designed to provide nonlinearity and resistance to cryptanalytic attacks.
55
What is the role of the Key Expansion in AES?
Generates round keys from the initial key using transformations like RotWord and SubWord.
56
What is the Avalanche Effect in AES?
A small change in plaintext or key results in a significant change in ciphertext.
57
Why was AES selected as a standard?
Efficiency, security, and its ability to be implemented on various hardware and software platforms.
58
What is the equivalent inverse cipher in AES?
A decryption cipher that mirrors the encryption structure with inverse transformations.
59
What is a block cipher?
A cipher that processes a fixed-size block of plaintext to produce a ciphertext block of the same size.
60
What are the advantages of larger block sizes in block ciphers?
Greater security but reduced encryption/decryption speed.
61
What is a Feistel cipher?
A cipher that alternates substitutions and permutations to achieve confusion and diffusion.
62
What is the Data Encryption Standard (DES)?
A symmetric encryption algorithm that encrypts data in 64-bit blocks using a 56-bit key.
63
What are the main phases of DES encryption?
1) Initial permutation, 2) 16 rounds of substitution and permutation, 3) Final permutation.
64
How is decryption performed in DES?
Using the same algorithm as encryption but with the subkeys applied in reverse order.
65
What is the Avalanche Effect in DES?
A small change in plaintext or key results in significant changes in ciphertext.
66
What is the Strict Avalanche Criterion (SAC)?
Every output bit should change with a 50% probability when a single input bit is inverted.
67
What is the Bit Independence Criterion (BIC)?
Output bits should change independently when any single input bit is inverted.
68
What are timing attacks?
Attacks that attempt to determine keys by observing the time taken to perform cryptographic operations.
69
What is the purpose of the subkey generation algorithm in block ciphers?
To make deducing individual subkeys and working back to the main key difficult.
70
What is the main limitation of DES?
Its 56-bit key size makes it vulnerable to brute-force attacks.
71
What replaced DES as the standard encryption algorithm?
The Advanced Encryption Standard (AES) in 2001.
72
What is the key design feature of the Feistel cipher structure?
Alternating substitution and permutation functions to create secure encryption.
73
What is plaintext?
The original, unencrypted message.
74
What is ciphertext?
The coded version of the original message after encryption.
75
What are the three main types of cryptographic systems?
Substitution, transposition, and symmetric/asymmetric key encryption.
76
What is the Caesar cipher?
A substitution cipher that shifts each letter a fixed number of places in the alphabet.
77
What is the main weakness of the Caesar cipher?
It is easily broken by brute force, as there are only 25 possible keys.
78
What is a polyalphabetic cipher?
A cipher that uses multiple substitution alphabets for encryption.
79
What is the Vigenère cipher?
A polyalphabetic substitution cipher using multiple Caesar ciphers determined by a keyword.
80
What is the one-time pad?
An unbreakable cipher that uses a random key as long as the message and is used only once.
81
What is the main limitation of the one-time pad?
The difficulty of generating and securely distributing large quantities of random keys.
82
What is the Playfair cipher?
A cipher that encrypts pairs of letters using a 5x5 matrix constructed with a keyword.
83
What is a transposition cipher?
A cipher that rearranges the order of letters in plaintext to create ciphertext.
84
What is the Rail Fence cipher?
A simple transposition cipher where plaintext is written diagonally and then read row by row.
85
What is the Row Transposition cipher?
A cipher that writes plaintext in a grid and reads it column by column in a permuted order.
86
What is steganography?
The practice of hiding information within other non-secret text or data.
87
What is the difference between encryption and steganography?
Encryption disguises the content of a message; steganography hides the existence of a message.
88
What is the definition of an intrusion detection system (IDS)?
A system that gathers and analyzes information to identify possible security intrusions in a network or computer.
89
What are the three components of an IDS?
Sensors to collect data, analyzers to determine intrusions, and user interfaces to view outputs or control behavior.
90
What is the difference between HIDS and NIDS?
HIDS monitors host-specific activities like system calls; NIDS monitors network traffic for suspicious activity.
91
What is the purpose of a honeypot?
To lure attackers away from critical systems, collect information on their activities, and give administrators time to respond.
92
What is anomaly detection in IDS?
Analyzing current behavior against a model of legitimate user behavior to classify it as normal or anomalous.
93
What is signature detection in IDS?
Matching known malicious patterns or attack rules with current behavior to identify threats.
94
What is a distributed or hybrid IDS?
An IDS combining host-based and network-based sensors to analyze data centrally for better intrusion detection.
95
What are the classes of intruders?
Cyber criminals, activists, state-sponsored organizations, and others like hobby hackers.
96
What is a low-interaction honeypot?
A simulated environment emulating IT services well enough to detect and warn of imminent attacks.
97
What is a high-interaction honeypot?
A real system with full operating environments that occupy attackers for extended periods.
98
What are the advantages of machine learning in anomaly detection?
Flexibility, adaptability, and ability to capture interdependencies between observed metrics.
99
What is the Snort tool used for?
An open-source IDS for real-time packet capture, protocol analysis, and intrusion detection.
100
What are examples of intruder behaviors during an attack?
Target acquisition, initial access, privilege escalation, maintaining access, and covering tracks.
101
What are the three types of IDS analysis approaches?
Anomaly detection, signature detection, and heuristic detection.
102
What is the role of Stateful Protocol Analysis (SPA) in IDS?
Comparing observed network traffic against vendor-supplied profiles of benign protocol traffic.
103
What are the challenges of implementing IDS?
High resource use, high false positive rates, and difficulty adapting to dynamic network environments.
104
What is the definition of a Denial-of-Service (DoS) attack according to NIST?
An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth, or disk space.
105
What is a Distributed Denial-of-Service (DDoS) attack?
A DoS attack that uses multiple systems, often forming a botnet, to generate attacks on a target system or network.
106
What are the three main categories of resources that could be attacked in a DoS attack?
Network bandwidth, system resources, and application resources.
107
What is source address spoofing in the context of DoS attacks?
Using forged source addresses to make attacking systems harder to identify and trace.
108
What is a TCP SYN flood attack?
A DoS attack that sends a large number of SYN packets to fill the table of known TCP connections on the server, preventing legitimate users from accessing it.
109
What is an ICMP flood?
A ping flood attack using ICMP echo request packets to overwhelm network capacity.
110
What is a DNS amplification attack?
A reflection-based attack that uses small DNS requests to generate large responses, overwhelming the target system.
111
What are the four lines of defense against DDoS attacks?
1) Attack prevention and preemption, 2) Attack detection and filtering, 3) Attack source traceback and identification, 4) Attack reaction.
112
What are reflection and amplification attacks?
Attacks where responses to spoofed requests are directed at the target, often using intermediaries to amplify the traffic volume.
113
What is the Tribe Flood Network (TFN)?
An early DDoS tool capable of ICMP flood, SYN flood, UDP flood, and ICMP amplification attacks, used to obscure the path back to the attacker.
114
What is an HTTP-based attack like Slowloris?
An attack that monopolizes server request handling threads by sending incomplete HTTP requests, eventually consuming all connection capacity.
115
What are good practices to prevent DoS attacks?
Blocking spoofed addresses, managing application attacks with CAPTCHAs, using mirrored servers, and employing good system security practices.
116
How should organizations respond to ongoing DoS attacks?
Identify the attack type, analyze packets, filter traffic upstream, and, if necessary, switch to backup servers or new addresses.
117
What does NIST 800-83 define as malware?
A program inserted into a system, usually covertly, with intent to compromise data, applications, or OS integrity, confidentiality, or availability.
118
What is an Advanced Persistent Threat (APT)?
Cybercrime targeting business/political entities using persistent intrusion technologies, often state-sponsored.
119
What are the characteristics of an APT?
Advanced: custom malware; Persistent: sustained attacks over time; Threats: organized, well-funded attackers.
120
Name two examples of early computer viruses.
Brain virus (1986) targeting MS-DOS, and Chernobyl virus (1998), which overwrites hard drive data.
121
What is the difference between a worm and a bot?
A worm propagates and activates itself; a bot requires remote control for activation and coordination.
122
Describe the function of a rootkit.
Hides presence on a system by subverting monitoring mechanisms, giving attackers admin privileges.
123
What is ransomware?
Malware encrypting user data, demanding payment for decryption keys.
124
What are the four main elements of malware prevention?
Policy, Awareness, Vulnerability Mitigation, Threat Mitigation.
125
What is clickjacking?
UI redress attack tricking users into clicking unintended actions, often using invisible frames.
126
What is a watering-hole attack?
Highly targeted drive-by download where attackers compromise sites likely visited by their victims.
127
What are the phases of a virus?
Dormant, Triggering, Propagation, Execution.
128
What is a logic bomb?
Malware code triggered by specific conditions to execute its payload.
129
How does sandbox analysis help in malware detection?
Runs potentially malicious code in an isolated environment to monitor behavior safely.
130
Name two types of phishing attacks.
General phishing (mass emails) and spear-phishing (targeted emails crafted for specific recipients).
131
What are the main types of malware propagation mechanisms?
Infected content (viruses), vulnerability exploit (worms), and social engineering (spam emails, Trojans).
132
What is malvertising?
Using malicious ads to distribute malware without compromising the hosting site.