467_Flashcards

Question 1

What is malware as defined by NIST 800-83?

Answer 1

A program inserted into a system, usually covertly, to compromise confidentiality, integrity, or availability of data, applications, or operating systems.

Question 2

What is an Advanced Persistent Threat (APT)?

Answer 2

A well-resourced, persistent attack using various technologies and malware, often state-sponsored, targeting specific businesses or political entities.

Question 3

What are the main classifications of malware propagation mechanisms?

Answer 3

Infected content (viruses), vulnerability exploit (worms), and social engineering (spam emails, Trojans).

Question 4

What is a virus?

Answer 4

Malware that replicates itself into executable code and propagates when the infected code is executed.

Question 5

What is a worm?

Answer 5

A program that spreads independently by exploiting vulnerabilities and often carries a payload.

Question 6

What is a Trojan horse?

Answer 6

Malware that appears legitimate but contains harmful hidden functionality, such as spyware or keyloggers.

Question 7

What are botnets used for?

Answer 7

Activities such as DDoS attacks, spamming, sniffing sensitive data, and installing additional malware.

Question 8

What is ransomware?

Answer 8

Malware that encrypts user data and demands payment for the decryption key.

Question 9

What is a logic bomb?

Answer 9

Code that triggers a payload when specific conditions are met.

Question 10

What is the difference between a rootkit and a backdoor?

Answer 10

A rootkit hides its presence and provides admin access, while a backdoor is an entry point bypassing security checks.

Question 11

What is a phishing attack?

Answer 11

A social engineering attack where victims are tricked into revealing sensitive information by mimicking trusted sources.

Question 12

What is a macro virus?

Answer 12

A virus that uses macro or scripting code in documents to execute and spread.

Question 13

What is a drive-by-download attack?

Answer 13

Malware installation through a compromised website without user consent.

Question 14

What are the four generations of anti-virus software?

Answer 14

1) Signature-based scanners, 2) Heuristic scanners, 3) Activity traps, 4) Full-featured protection.

Question 15

What is sandbox analysis?

Answer 15

Executing potentially malicious code in a controlled environment to analyze its behavior.

Question 16

What is a hash function?

Answer 16

A function that converts a variable-length input into a fixed-size output called a hash value.

Question 17

What are the key properties of a cryptographic hash function?

Answer 17

Preimage resistance, second preimage resistance, and collision resistance.

Question 18

What is preimage resistance?

Answer 18

The property that makes it computationally infeasible to find an input x given its hash value h.

Question 19

What is collision resistance?

Answer 19

The property that makes it computationally infeasible to find two distinct inputs x and y such that H(x) = H(y).

Question 20

What is the main application of a message digest?

Answer 20

To provide message authentication by verifying data integrity.

Question 21

What is a digital signature?

Answer 21

A mechanism where the hash value of a message is encrypted with a private key to ensure authenticity and integrity.

Question 22

What are simple hash functions, and why are they insecure?

Answer 22

Functions like XOR-based hashing are prone to collisions and insufficient for secure applications.

Question 23

What is the birthday paradox in the context of hash functions?

Answer 23

The probability of finding a collision is significant after approximately √2^m inputs for an m-bit hash value.

Question 24

What is the Secure Hash Algorithm (SHA)?

Answer 24

A family of cryptographic hash functions designed by NIST, including SHA-1, SHA-2, and SHA-3.

Question 25

Why was SHA-3 developed?

Answer 25

To provide a secure alternative to SHA-2 due to concerns about its structural similarity to SHA-1, which has vulnerabilities.

Question 26

What is the structure of SHA-3?

Answer 26

Based on a sponge construction, allowing flexibility in output size and security.

Question 27

What are brute-force attacks on hash functions?

Answer 27

Efforts to find preimages, second preimages, or collisions by testing large numbers of inputs.

Question 28

What is a hash-based pseudorandom function (PRF)?

Answer 28

A function using a hash to generate pseudorandom values, often for key generation.

Question 29

What is the significance of the S-box in SHA-2 and SHA-3?

Answer 29

Provides nonlinearity to resist cryptanalytic attacks.

Question 30

How is a hash function used in password storage?

Answer 30

Passwords are hashed, and the hash is stored. Verification is done by comparing the stored hash with the hash of the entered password.

Question 31

What does RSA stand for?

Answer 31

Rivest-Shamir-Adleman, the developers of the algorithm.

Question 32

What is the purpose of public-key cryptography?

Answer 32

To provide secure communication and digital signatures without relying on a trusted key distribution center.

Question 33

What are the six components of a public-key cryptosystem?

Answer 33

Plaintext, encryption algorithm, public key, private key, ciphertext, decryption algorithm.

Question 34

What is a trap-door one-way function?

Answer 34

A function that is easy to compute but infeasible to invert without special knowledge (the trap-door).

Question 35

What are the basic requirements for a public-key algorithm?

Answer 35

Easy to generate key pairs, encrypt with the public key, decrypt with the private key, and infeasible to derive private key from public key.

Question 36

What is the mathematical basis of RSA encryption?

Answer 36

C = M^e mod n, where C is ciphertext, M is plaintext, e is the public exponent, and n is the modulus.

Question 37

What are the prime factors of n in RSA used for?

Answer 37

They are used to compute the private key through the totient function ø(n).

Question 38

What are the common attacks on RSA?

Answer 38

Brute force, mathematical attacks, timing attacks, hardware fault-based attacks, chosen ciphertext attacks.

Question 39

How does RSA use the Chinese Remainder Theorem (CRT)?

Answer 39

To speed up decryption by breaking calculations into smaller moduli.

Question 40

What is a common public exponent used in RSA?

Answer 40

e = 65537, because it has only two 1 bits, minimizing computational overhead.

Question 41

What is the countermeasure for timing attacks on RSA?

Answer 41

Using constant exponentiation time, adding random delays, or blinding ciphertexts.

Question 42

What is Optimal Asymmetric Encryption Padding (OAEP)?

Answer 42

A procedure to add random padding to plaintext to prevent chosen ciphertext attacks on RSA.

Question 43

What are the applications of public-key cryptosystems?

Answer 43

Encryption/decryption, digital signatures, and key exchange.

Question 44

What is the main advantage of public-key cryptography over symmetric encryption?

Answer 44

Key distribution is simpler as the public key can be shared openly.

Question 45

What does AES stand for?

Answer 45

Advanced Encryption Standard.

Question 46

What are the block and key sizes for AES?

Answer 46

Block size: 128 bits. Key sizes: 128, 192, or 256 bits.

Question 47

What is the structure of AES?

Answer 47

Processes data as a 4x4 matrix (State array) through multiple rounds of substitution and permutation.

Question 48

What are the four main transformation functions of AES?

Answer 48

SubBytes, ShiftRows, MixColumns, AddRoundKey.

Question 49

What is the purpose of the SubBytes transformation?

Answer 49

It substitutes each byte in the State using an S-box designed for cryptographic strength.

Question 50

What does the ShiftRows transformation do?

Answer 50

Performs a cyclic shift of the rows in the State matrix to ensure diffusion.

Question 51

What is the MixColumns transformation?

Answer 51

A column-wise mixing operation that combines the bytes in each column of the State matrix.

Question 52

What is the AddRoundKey transformation?

Answer 52

Performs a bitwise XOR between the State matrix and a round key.

Question 53

How does AES decryption differ from encryption?

Answer 53

Decryption uses inverse transformations and applies the round keys in reverse order.

Question 54

What is the S-box used for in AES?

Answer 54

A 16x16 matrix designed to provide nonlinearity and resistance to cryptanalytic attacks.

Question 55

What is the role of the Key Expansion in AES?

Answer 55

Generates round keys from the initial key using transformations like RotWord and SubWord.

Question 56

What is the Avalanche Effect in AES?

Answer 56

A small change in plaintext or key results in a significant change in ciphertext.

Question 57

Why was AES selected as a standard?

Answer 57

Efficiency, security, and its ability to be implemented on various hardware and software platforms.

Question 58

What is the equivalent inverse cipher in AES?

Answer 58

A decryption cipher that mirrors the encryption structure with inverse transformations.

Question 59

What is a block cipher?

Answer 59

A cipher that processes a fixed-size block of plaintext to produce a ciphertext block of the same size.

Question 60

What are the advantages of larger block sizes in block ciphers?

Answer 60

Greater security but reduced encryption/decryption speed.

Question 61

What is a Feistel cipher?

Answer 61

A cipher that alternates substitutions and permutations to achieve confusion and diffusion.

Question 62

What is the Data Encryption Standard (DES)?

Answer 62

A symmetric encryption algorithm that encrypts data in 64-bit blocks using a 56-bit key.

Question 63

What are the main phases of DES encryption?

Answer 63

1) Initial permutation, 2) 16 rounds of substitution and permutation, 3) Final permutation.

Question 64

How is decryption performed in DES?

Answer 64

Using the same algorithm as encryption but with the subkeys applied in reverse order.

Question 65

What is the Avalanche Effect in DES?

Answer 65

A small change in plaintext or key results in significant changes in ciphertext.

Question 66

What is the Strict Avalanche Criterion (SAC)?

Answer 66

Every output bit should change with a 50% probability when a single input bit is inverted.

Question 67

What is the Bit Independence Criterion (BIC)?

Answer 67

Output bits should change independently when any single input bit is inverted.

Question 68

What are timing attacks?

Answer 68

Attacks that attempt to determine keys by observing the time taken to perform cryptographic operations.

Question 69

What is the purpose of the subkey generation algorithm in block ciphers?

Answer 69

To make deducing individual subkeys and working back to the main key difficult.

Question 70

What is the main limitation of DES?

Answer 70

Its 56-bit key size makes it vulnerable to brute-force attacks.

Question 71

What replaced DES as the standard encryption algorithm?

Answer 71

The Advanced Encryption Standard (AES) in 2001.

Question 72

What is the key design feature of the Feistel cipher structure?

Answer 72

Alternating substitution and permutation functions to create secure encryption.

Question 73

What is plaintext?

Answer 73

The original, unencrypted message.

Question 74

What is ciphertext?

Answer 74

The coded version of the original message after encryption.

Question 75

What are the three main types of cryptographic systems?

Answer 75

Substitution, transposition, and symmetric/asymmetric key encryption.

Question 76

What is the Caesar cipher?

Answer 76

A substitution cipher that shifts each letter a fixed number of places in the alphabet.

Question 77

What is the main weakness of the Caesar cipher?

Answer 77

It is easily broken with brute-force as there are only 25 possible keys.

Question 78

What is a polyalphabetic cipher?

Answer 78

A cipher that uses multiple substitution alphabets for encryption.

Question 79

What is the Vigenère cipher?

Answer 79

A polyalphabetic substitution cipher using multiple Caesar ciphers determined by a keyword.

Question 80

What is the one-time pad?

Answer 80

An unbreakable cipher that uses a random key as long as the message and is used only once.

Question 81

What is the main limitation of the one-time pad?

Answer 81

The difficulty of generating and securely distributing large quantities of random keys.

Question 82

What is the Playfair cipher?

Answer 82

A cipher that encrypts pairs of letters using a 5x5 matrix constructed with a keyword.

Question 83

What is a transposition cipher?

Answer 83

A cipher that rearranges the order of letters in plaintext to create ciphertext.

Question 84

What is the Rail Fence cipher?

Answer 84

A simple transposition cipher where plaintext is written diagonally and then read row by row.

Question 85

What is the Row Transposition cipher?

Answer 85

A cipher that writes plaintext in a grid and reads it column by column in a permuted order.

Question 86

What is steganography?

Answer 86

The practice of hiding information within other non-secret text or data.

Question 87

What is the difference between encryption and steganography?

Answer 87

Encryption disguises the content of a message; steganography hides the existence of a message.

Question 88

What is the definition of an intrusion detection system (IDS)?

Answer 88

A system that gathers and analyzes information to identify possible security intrusions in a network or computer.

Question 89

What are the three components of an IDS?

Answer 89

Sensors to collect data, analyzers to determine intrusions, and user interfaces to view outputs or control behavior.

Question 90

What is the difference between HIDS and NIDS?

Answer 90

HIDS monitors host-specific activities like system calls; NIDS monitors network traffic for suspicious activity.

Question 91

What is the purpose of a honeypot?

Answer 91

To lure attackers away from critical systems, collect information on their activities, and give administrators time to respond.

Question 92

What is anomaly detection in IDS?

Answer 92

Analyzing current behavior against a model of legitimate user behavior to classify it as normal or anomalous.

Question 93

What is signature detection in IDS?

Answer 93

Matching known malicious patterns or attack rules with current behavior to identify threats.

Question 94

What is a distributed or hybrid IDS?

Answer 94

An IDS combining host-based and network-based sensors to analyze data centrally for better intrusion detection.

Question 95

What are the classes of intruders?

Answer 95

Cyber criminals, activists, state-sponsored organizations, and others like hobby hackers.

Question 96

What is a low-interaction honeypot?

Answer 96

A simulated environment emulating IT services well enough to detect and warn of imminent attacks.

Question 97

What is a high-interaction honeypot?

Answer 97

A real system with full operating environments that occupy attackers for extended periods.

Question 98

What are the advantages of machine-learning in anomaly detection?

Answer 98

Flexibility, adaptability, and ability to capture interdependencies between observed metrics.

Question 99

What is the Snort tool used for?

Answer 99

An open-source IDS for real-time packet capture, protocol analysis, and intrusion detection.

Question 100

What are examples of intruder behaviors during an attack?

Answer 100

Target acquisition, initial access, privilege escalation, maintaining access, and covering tracks.

Question 101

What are the three types of IDS analysis approaches?

Answer 101

Anomaly detection, signature detection, and heuristic detection.

Question 102

What is the role of Stateful Protocol Analysis (SPA) in IDS?

Answer 102

Comparing observed network traffic against vendor-supplied profiles of benign protocol traffic.

Question 103

What are the challenges of implementing IDS?

Answer 103

High resource use, high false positive rates, and difficulty adapting to dynamic network environments.

Question 104

What is the definition of a Denial-of-Service (DoS) attack according to NIST?

Answer 104

An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth, or disk space.

Question 105

What is a Distributed Denial-of-Service (DDoS) attack?

Answer 105

A DoS attack that uses multiple systems, often forming a botnet, to generate attacks on a target system or network.

Question 106

What are the three main categories of resources that could be attacked in a DoS attack?

Answer 106

Network bandwidth, system resources, and application resources.

Question 107

What is source address spoofing in the context of DoS attacks?

Answer 107

Using forged source addresses to make attacking systems harder to identify and trace.

Question 108

What is a TCP SYN flood attack?

Answer 108

A DoS attack that sends a large number of SYN packets to fill the table of known TCP connections on the server, preventing legitimate users from accessing it.

Question 109

What is an ICMP flood?

Answer 109

A ping flood attack using ICMP echo request packets to overwhelm network capacity.

Question 110

What is a DNS amplification attack?

Answer 110

A reflection-based attack that uses small DNS requests to generate large responses, overwhelming the target system.

Question 111

What are the four lines of defense against DDoS attacks?

Answer 111

1) Attack prevention and preemption, 2) Attack detection and filtering, 3) Attack source traceback and identification, 4) Attack reaction.

Question 112

What are reflection and amplification attacks?

Answer 112

Attacks where responses to spoofed requests are directed at the target, often using intermediaries to amplify the traffic volume.

Question 113

What is the Tribe Flood Network (TFN)?

Answer 113

An early DDoS tool capable of ICMP flood, SYN flood, UDP flood, and ICMP amplification attacks, used to obscure the path back to the attacker.

Question 114

What is an HTTP-based attack like Slowloris?

Answer 114

An attack that monopolizes server request handling threads by sending incomplete HTTP requests, eventually consuming all connection capacity.

Question 115

What are good practices to prevent DoS attacks?

Answer 115

Blocking spoofed addresses, managing application attacks with CAPTCHAs, using mirrored servers, and employing good system security practices.

Question 116

How should organizations respond to ongoing DoS attacks?

Answer 116

Identify the attack type, analyze packets, filter traffic upstream, and, if necessary, switch to backup servers or new addresses.

Question 117

What does NIST 800-83 define as malware?

Answer 117

A program inserted into a system, usually covertly, with intent to compromise data, applications, or OS integrity, confidentiality, or availability.

Question 118

What is an Advanced Persistent Threat (APT)?

Answer 118

Cybercrime targeting business/political entities using persistent intrusion technologies, often state-sponsored.

Question 119

What are the characteristics of an APT?

Answer 119

Advanced: custom malware; Persistent: sustained attacks over time; Threats: organized, well-funded attackers.

Question 120

Name two examples of early computer viruses.

Answer 120

Brain virus (1986) targeting MSDOS, and Chernobyl virus (1998), which overwrites hard drive data.

Question 121

What is the difference between a worm and a bot?

Answer 121

A worm propagates and activates itself; a bot requires remote control for activation and coordination.

Question 122

Describe the function of a rootkit.

Answer 122

Hides presence on a system by subverting monitoring mechanisms, giving attackers admin privileges.

Question 123

What is ransomware?

Answer 123

Malware encrypting user data, demanding payment for decryption keys.

Question 124

What are the four main elements of malware prevention?

Answer 124

Policy, Awareness, Vulnerability Mitigation, Threat Mitigation.

Question 125

What is clickjacking?

Answer 125

UI redress attack tricking users into clicking unintended actions, often using invisible frames.

Question 126

What is a watering-hole attack?

Answer 126

Highly targeted drive-by download where attackers compromise sites likely visited by their victims.

Question 127

What are the phases of a virus?

Answer 127

Dormant, Triggering, Propagation, Execution.

Question 128

What is a logic bomb?

Answer 128

Malware code triggered by specific conditions to execute its payload.

Question 129

How does sandbox analysis help in malware detection?

Answer 129

Runs potentially malicious code in an isolated environment to monitor behavior safely.

Question 130

Name two types of phishing attacks.

Answer 130

General phishing (mass emails) and spear-phishing (targeted emails crafted for specific recipients).

Question 131

What are the main types of malware propagation mechanisms?

Answer 131

Infected content (viruses), vulnerability exploit (worms), and social engineering (spam emails, Trojans).

Question 132

What is malvertising?

Answer 132

Using malicious ads to distribute malware without compromising the hosting site.