701 - Section 2

Question 1

What is the entity responsible for an event that has an impact on the safety of another entity called?

Answer 1

Threat actor or a malicious actor

Question 2

What are the three attributes of threat actors?

Answer 2

Internal or external, resources or funding, level of sophistication or capability

Question 3

Why is it important to find the motivation of a threat actor?

Answer 3

Because it identifies the purpose of the attack

Question 4

Name five or more motivations for attackers?

Answer 4

Data exfiltration, espionage, service disruption, blackmail, financial gain, philosophical or political beliefs, ethical, revenge, disruption or chaos, war

Question 5

Constant nation state attacks with massive resources are also known as

Answer 5

An advanced persistent threat

Question 6

What are the location, resources, sophistication attributes of a nation state threat actor?

Answer 6

External, extensive, very high

Question 7

What are the location, resources, sophistication attributes for an unskilled threat actor?

Answer 7

External, limited, very low

Question 8

What are the location, resources, sophistication attributes for a Hacktivist threat actor?

Answer 8

External, some funding, can be high

Question 9

What are the location, resources, sophistication attributes for an insider threat threat actor?

Answer 9

Internal, many resources, medium

Question 10

What are the location, resources, sophistication attributes for an organized crime thread actor?

Answer 10

External, often extensive, very high

Question 11

What are the location, resources, sophistication attributes for a shadow IT threat actor?

Answer 11

Internal, many resources, limited

Question 12

What are the possible motivations for a nation state thread actor?

Answer 12

Data filtration, philosophical, revenge, disruption, war

Question 13

What are the possible motivations for an unskilled threat actor?

Answer 13

Disruption, data, exfiltration, philosophical beliefs

Question 14

What are the possible motivation for a Hacktivist thread actor?

Answer 14

Philosophical beliefs, revenge, disruption chaos

Question 15

What are the possible motivations for an insider threat threat actor?

Answer 15

Revenge and financial gain

Question 16

What are the possible motivations for an organized crime thread actor?

Answer 16

Financial

Question 17

What are the possible motivations for shadow IT thread actor?

Answer 17

Philosophical beliefs and revenge

Question 18

What is the method used by an attacker to gain access or to infect a target?

Answer 18

A threat vector or an attack vector

Question 19

What are three types of message based attack vectors?

Answer 19

Fishing attacks for example, providing a link in an email or a text, delivering malware to a user for example and attachment within an email, social engineering attacks for example, invoice or cryptocurrency scams

Question 20

What image format is known as a threat?

Answer 20

The scalable vector graphic format, SVG

Question 21

What are two attack types of an image based attack?

Answer 21

HTML injection and JavaScript attack

Question 22

What can defend against an image based attack?

Answer 22

A web browser providing input validation

Question 23

What are three file based threat vectors?

Answer 23

Adobe PDF, zip or RAR files, Microsoft Office files

Question 24

What are the four types of voice call attack vectors?

Answer 24

Vishing which is fishing over the phone spam over IP, war dialing, call tampering

Question 25

What does an attacker use for a removable device attack vector?

Answer 25

A USB drive

Question 26

Which attack vector can infect an air gapped network?

Answer 26

A removable device attack vector

Question 27

What are two types of software used for a vulnerable software attack vector?

Answer 27

Client and agentless

Question 28

What are the differences between a client based vulnerability and an agent less software vector vulnerability?

Answer 28

For a client based, it is an infected executable that requires installation whereas agentless is not an installed executable, and the impact would affect all users using the service

Question 29

What are two examples of unsupported system vectors?

Answer 29

A system that isn’t regularly patched and an outdated operating system

Question 30

What is the best way to prevent an unsupported system attack vector?

Answer 30

Making sure every system is patched and has all the latest updates, as a single system could represent an entry point

Question 31

What is the best way to prevent an open service port attack vector?

Answer 31

Adding firewall rules for every open port as each one represents a potential entry point for an attacker

Question 32

What is the best way to prevent a default, credential attack vector?

Answer 32

Changing all default username and passwords, as it’s very easy to find the default credentials for every device.

Question 33

Why is a supply chain attack vector difficult to defend against?

Answer 33

Because they provide many points of entry and some or most are out of an organizations control

Question 34

What are two methods to defeat a fishing attack vector?

Answer 34

Check the URL of all links by hovering over them and usually there’s something not quite right with the spelling, the fonts or the graphics

Question 35

What is at the root of a business email compromise attack vector?

Answer 35

Because we trust the email source and the attacker takes advantage of this trust

Question 36

Why are tricks and misdirection attack vectors difficult to defend against?

Answer 36

Because of how realistic that they are. There may be a slight typo in the URL known as typosquatting or they use a highly believable character in a realistic situation also known as pre-texting

Question 37

What are two types of fishing that use voice and SMS messages?

Answer 37

Vishing known as voice phishing and Smishing known as SMS phishing

Question 38

Why are impersonation attacks so successful?

Answer 38

Because they include a realistic pretext or story

Question 39

What are some of the methods used in an impersonation attack?

Answer 39

They use pieces of information that they know about you, they will act as if they are higher in rank, they will throw many technical details around, they will act as if they are your friend

Question 40

What is the result of a successful impersonation attack against a person?

Answer 40

They have enough information regarding your identity to commit fraud such as credit card for fraud, bank fraud, loan fraud, government benefits fraud

Question 41

What are ways you can protect against impersonation?

Answer 41

Never volunteer any personal information or personal details and always verify through third parties

Question 42

How does a watering hole attack work?

Answer 42

By infecting a website or system, which an organization is known to use.. these infections can impact just those in the organization or they can infect all visitors

Question 43

How do you defend against a watering hole attack?

Answer 43

Using a lay defense known as defense in depth, firewalls, update to date antivirus and anti-malware software

Question 44

How does a misinformation or disinformation attack work?

Answer 44

Attackers create fake users and fake content, they post on social media and amplify the message, real users begin to share the message, then the mass media picks up the story

Question 45

What are the different types of processes that a memory injection attack can infect?

Answer 45

Malware can be hidden in all of these… DLLs, threads, buffers, memory management functions

Question 46

What are the two types of memory injections?

Answer 46

Memory and DLL

Question 47

How does a memory injection attack work?

Answer 47

By adding the malicious code into the memory of an existing process, which allows access and system privileges to the data in that process

Question 48

How does a DLL injection attack work?

Answer 48

An attacker injects a path to the malicious DLL, which then runs as part of the target process

Question 49

How does a buffer overflow attack work and what does it need to be successful?

Answer 49

By overwriting a buffer of memory which spills into other memory areas. This is not a simple exploit, and the buffer overflow needs to be repeatable.

Question 50

How do you defend against a buffer overflow attack?

Answer 50

By having the developers perform bounds checking within their code

Question 51

How does a race condition work?

Answer 51

It is a result of two conditions happening at the same time that can produce a vulnerability

Question 52

What is another name for a race condition attack?

Answer 52

Time of check to time of use attack TOCTOU

Question 53

What is the best defense against malicious updates?

Answer 53

Keeping your operating system and applications up-to-date

Question 54

How do you prevent against a malicious update when downloading an update?

Answer 54

By having a good known backup , By confirming the source visiting the trusted download site directly and not disabling operating system security controls

Question 55

How do you defend against an operating system vulnerability?

Answer 55

By having a good back up in case of an issue and always keeping the system up-to-date

Question 56

How does a SQL injection attack work?

Answer 56

The attacker will add their own malicious bits of SQL code into a form field that is submitted to the server and executed within the DB

Question 57

What is the best defense against a SQL injection attack?

Answer 57

Having the application properly validate and properly escape (using escape keys) all input and output

Question 58

How does a cross site scripting attack work?

Answer 58

Attacker sends a link containing malicious script to a victim, the victim clicks the link and visits the legitimate site, the legitimate site loads in the victims browser and the malicious script is executed. the malicious script sends the victims information to the attacker. This includes credentials session IDs, and cookies.

Question 59

What are the two types of cross scripting attacks?

Answer 59

A non-persistent or reflected attack and a persistent or stored attack

Question 60

How does a non-persistent (aka reflected) cross scripting attack work?

Answer 60

An attacker emails a link that execute the script that sends credentials, session, IDs, cookies to the attacker…this script is embedded within a URL…

Question 61

What is a common source of a cross site scripting attack? And why?

Answer 61

A website search box…Search boxes accept user input, which can be manipulated by attackers to inject malicious code. If the input is not properly sanitized or validated, it opens up the possibility for attacks like SQL injection or cross-site scripting (XSS).

Question 62

What is a persistent or stored scripting attack?

Answer 62

When the attacker post a message to a social network that includes the malicious payload. It’s called persistent because everyone who views the page will get this malicious code.

Question 63

How do you protect against a cross site scripting attack?

Answer 63

By avoiding clicking on untrusted links, disabling JavaScript in your browser, keeping your browser and applications properly updated and validating input fields

Question 64

Why are hardware vulnerabilities so dangerous?

Answer 64

Because we are surrounded by intelligent hardware devices, many of which do not have an accessible operating system. Each of these pose an entry point for an attack

Question 65

What are main security risks with hardware vulnerabilities?

Answer 65

The vendors are the only ones who can fix their issues, assuming they know about the problem, or care about fixing it… The end of life or the technological end of service life, which is the time when the product stops being sold and or stops being supported.

Question 66

What is a legacy platform?

Answer 66

A device that has been running for a length of time and no longer is receiving updates to its software

Question 67

What does a virtualization vulnerability pertain to?

Answer 67

A virtual machine

Question 68

What are the different vulnerabilities associated with a virtualization vulnerability?

Answer 68

Local privilege escalations, command injection, information disclosure

Question 69

What is VM escape mean?

Answer 69

An issue where an attacker is able to break out of the VM and interact with the host operating system or hardware… this will allow an attacker to potentially gain full control of the virtual environment…

Question 70

Why does a VM escape happen?

Answer 70

Because the hyper visor manages the VM‘s on a server, and those resources can be reused between VMs allowing data to be in advertently shared between the VM’s

Question 71

What is the best way to mitigate the risk of a virtualization vulnerability?

Answer 71

By properly updating your VM software

Question 72

What are some of the reasons why we have cloud specific vulnerabilities?

Answer 72

Cloud adoption has been nearly universal, much sensitive data is in the cloud, the right protections are not being utilized by organizations including simple, best practices

Question 73

What are some of the ways that a cloud service can be attacked?

Answer 73

Denial of service, taking advantage of week or faulty authentication, faulty directory traversal
configurations, remote code execution and taking advantage of unpatched cloud systems

Question 74

What are some of the ways to mitigate a supply chain vulnerability?

Answer 74

Contractual ongoing security audits of all providers, using a small trusted supplier base, confirming digital signatures from updates provided by software vendors

Question 75

What makes a supply chain so vulnerable to attack?

Answer 75

The chain contains many moving parts and an attacker can affect any step along the way which can infect the entire chain

Question 76

What are the different types of misconfiguration vulnerabilities?

Answer 76

Open permissions which are easy for a hacker to find, unsecured administrator accounts, using insecure protocols vice their encrypted counterparts, using default settings, and ports opened by services that are not configured properly

Question 77

What does MDM stand for?

Answer 77

Mobile device manager

Question 78

What does jailbreaking or rooting mean?

Answer 78

When a mobile devices operating system is replaced by a different operating system

Question 79

What makes jailbreaking or rooting dangerous?

Answer 79

Uncontrolled access to the device that circumvent security features and the MDM becoming relatively useless with a jailbreak or rooted device

Question 80

What is sideloading?

Answer 80

Apps that are loaded onto a mobile device that do not come from an approved App Store

Question 81

What is a zero day vulnerability?

Answer 81

It is a vulnerability that the vendor has no awareness of… applications have vulnerabilities, they just have not yet been identified…

Question 82

What is a zero day attack?

Answer 82

An attack on an unknown vulnerability for which the vendor has no fix for this unknown problem…

Question 83

What is an IDS?

Answer 83

Intrusion detection system

Question 84

What is an IPS?

Answer 84

Intrusion prevention system

Question 85

What is an SIEM?

Answer 85

Security information and event manager system, think SPLUNK

Question 86

What is another name for malicious software?

Answer 86

Malware

Question 87

Name three things that malware can do to your system

Answer 87

Gather information such as your keystrokes, show you advertising, encrypt your system

Question 88

Name five malware types and methods?

Answer 88

Viruses, worms, ransomware, Trojan horse, root kit, key logger, spyware, bloatware, logic bomb

Question 89

What are the ways your system get malware?

Answer 89

A link in an email, a webpage pop-up, a drive-by download, a worm

Question 90

What is the name of malware that makes your data unavailable until you provide cash? And how does it work?

Answer 90

RansomWare… With malware, your system will run, but because everything is encrypted it will effectively not work upon payment. A description key will be provided to you.

Question 91

How do you protect against ransomware?

Answer 91

Always have a good off-line backup, keep your system up-to-date with security patches, keep your antivirus anti-malware signature up-to-date

Question 92

What type of malware can reproduce itself?

Answer 92

A virus

Question 93

What are the four types of viruses?

Answer 93

A program virus which is part of an application, a boot sector virus, a script virus, a macro virus which are common in Microsoft Office

Question 94

What type of virus is good at avoiding detection, is never installed in any file or application and operates in memory?

Answer 94

A file less virus

Question 95

What type of virus self replicates, spreads quickly and uses a network as a transmission medium

Answer 95

A worm

Question 96

What can mitigate many worm infestations?

Answer 96

A firewall, an IDS, and IPS

Question 97

What does a fireless virus use to be restarted?

Answer 97

It adds an auto start to the registry

Question 98

What is malware that spies on you by monitoring your browser, and capturing your key strokes?

Answer 98

Spyware

Question 99

How do you protect against spyware?

Answer 99

Keeping your antivirus and anti-malware software up-to-date, watch additional options during installation of software, having an offsite back up

Question 100

What do you call applications that are preinstalled on a system but are not needed and can cause a system to run slower?

Answer 100

Bloatware

Question 101

To remove bloatware, what do you need to do?

Answer 101

Identify and remove it

Question 102

To remove bloatware, what do you need to do?

Answer 102

Identify and remove it

Question 103

What is the malware that captures your key strokes, including such things as login, IDs, passwords, etc.?

Answer 103

Keyloggers

Question 104

What is the type of malware that waits for a predefined event whether it be a date or time, or a user event?

Answer 104

A logic bomb

Question 105

How do you prevent against a logic bomb even though it is difficult to recognize?

Answer 105

Have a formal change control procedure and process, electronic monitoring of the system that alerts on any changes, constant auditing by the administrator

Question 106

What is a root kit? And why is it difficult to deal with?

Answer 106

Malware that modifies core system files in other words, part of the kernel… It is not a separate task so it won’t be seen in task manager, and it is also invisible to traditional antivirus utilities

Question 107

How do you find and remove a root kit?

Answer 107

Look for anything unusual with anti-malware, scans, use a remover specific to the root kit, which are usually built after the root kit is discovered

Question 108

What does secure boot with UEFI provide

Answer 108

It provides security in the bios, which helps protect against a root kit

Question 109

Name four types of physical attacks?

Answer 109

Brute force to gain access to the server, RFID cloning, environmental attacks.

Question 110

Which type of physical attack would use a counterfeit badge or fob?

Answer 110

RFID Cloning

Question 111

Which type of physical attack would attack everything supporting the technology, the power, HVAC or any other structure/device supporting the system

Answer 111

An environmental attack

Question 112

What kind of attack forces a service to fail by overloading it?

Answer 112

Denial of service

Question 113

What are the different types of denial of service?

Answer 113

A friendly one, a DDOS, a DDOS reflection and amplification

Question 114

Which denial of service will turn a small attack into a big one by reflecting off of another device or service?

Answer 114

DDOS reflection and amplification

Question 115

What does a DDOS reflection and amplification attack use?

Answer 115

It uses protocols with Lil if any authentication or checks… NTS, DNS, ICMP are examples

Question 116

Which denial of service relies on an army of computers using all the bandwidth or sources? And what is the name given to this army of computers?

Answer 116

A distributed denial of service attack… a botnet

Question 117

How can a friendly denial of service attack happen?

Answer 117

By performing network intensive operations or by using a lot of bandwidth, for example, by downloading a large file

Question 118

What are three ways that DNS poisoning can occur?

Answer 118

By modifying the DNS server, modifying the client host file or by sending a fake response to a valid request (on path attack)

Question 119

What is it called when an attacker gets access to the domain registration, which controls where all of the traffic flows?

Answer 119

Domain hijacking

Question 120

What kind of attack relies on a slight change to a URL to confuse users?

Answer 120

URL hijacking

Question 121

Using typo, squatting/brand jacking, outright misspellings or using different top level domains are all examples of what?

Answer 121

Types of URL hijacking

Question 122

What wireless standard includes a number of management features that protect against attackers?

Answer 122

802.11

Question 123

Which standard protects against wireless deauth attacks? And how does it protect?

Answer 123

802.11W… By encrypting certain important management frames that are used in a deauth attack…

Question 124

What kind of wireless attack prevents wireless communication by transmitting, interfering wireless signals?

Answer 124

Radio, frequency, RF jamming, it is effectively a denial of service attack

Question 125

What type of wireless attack is similar to RF jamming but instead is sending #DATA to jam the communications?

Answer 125

Wireless jamming

Question 126

What does ARP stand for?

Answer 126

Address resolution protocol

Question 127

Which attack passes the communication through the attacker who redirects the traffic and then passes it to the destination?

Answer 127

And on path network attack formally known as a man in the middle attack

Question 128

Which attack is similar to an on path network attack, but the attacker, using malware, proxies all of the network traffic from the same computer as the victim

Answer 128

On path, browser attack, formally known as man in the browser

Question 129

Which attack takes advantage of the useful information from a user that is transferred over the network, including things such as cookies and session IDs?

Answer 129

A replay attack

Question 130

Which type of replay attack is where the attacker captures the username and password hash and uses it to send their own request from the captured credentials?

Answer 130

Pass the hash

Question 131

Which type of replay attack is where the attacker intercepts the session ID and uses it to access the server with the victims credentials

Answer 131

Session hijacking also known as side jacking

Question 132

Which type of replay attack modifies the headers and or the cookies?

Answer 132

Header manipulation

Question 133

What are two ways to prevent session hijacking?

Answer 133

Encrypt end to end using HTTPS and encrypt end to somewhere using a VPN

Question 134

What might a layered defense use to protect against malicious code attacks?

Answer 134

Firewall, anti-malware and anti-virus, continuous updates and patches, using secure computing habits

Question 135

Which type of attack allows an attacker to gain a higher access level to a system by exploiting a vulnerability within an application?

Answer 135

Privilege escalation

Question 136

Which attack takes advantage of the trust that a web application has for a user? And what can be used to prevent such an attack?

Answer 136

Cross site request forgery, aka XSRF or CSRF… anti-CSRF tokens

Question 137

How does a cross site request forgery attack work?

Answer 137

An attacker creates a funds transfer request, that request is sent as a hyperlink to a user who may be already logged into the website, the user click the link which unknowingly sends the transfer request to the bank website, the bank validates the transfer and sends the funds to the attacker

Question 138

Which type of cryptographic attack Requires an attacker to generate many versions of plain text in an attempt to find a collision? And how do you protect yourself against a birthday attack?

Answer 138

A birthday attack By using a large hash output size

Question 139

What is the type of an on path attack, which rewrites the URL by removing the S on the request? And why is it dangerous?

Answer 139

SSL stripping because the attacker reverts the original HTTPS request to HTTP and the user unknowingly communicates via HTTP and all of their subsequent requests are sent clear text

Question 140

What form of a password attack is when the attacker might use a few common passwords against each account?

Answer 140

A spraying attack

Question 141

What type of password attack would attempt to match every password or password against a users password?

Answer 141

A brute force attack

Question 142

What is an event that indicates an intrusion?

Answer 142

An indicator of compromise

Question 143

What are five indicators of compromise?

Answer 143

Unusual amount of network activity, changes to file hash values, irregular international traffic, uncommon login patterns, spikes of read request to certain files, DNS data changes

Question 144

This indicator of compromise locks a users account from a brute force attack?

Answer 144

Account lockout

Question 145

This indicator of compromise shows up as an account logging in from multiple locations at the same time?

Answer 145

Concurrent session usage

Question 146

This indicator of compromise shows up as a user logging into system from two locations that is not physically possible within the timeframe of each login?

Answer 146

Impossible travel

Question 147

This indicator of compromise may show up as activity at an unusual time?

Answer 147

Resource consumption

Question 148

This indicator of compromise shows up when these are no where to be found?

Answer 148

System logs

Question 149

What are the two lists that are used by an operating system to limit usage? And what are they also known as? And which one is more restrictive?

Answer 149

Allow or Whitelist, Deny or Blacklist…the allow list is more restrictive

Question 150

What is another name for separating the physical logical or virtual devices on a network?

Answer 150

Segmenting the network

Question 151

What is a mitigation technique that requires prompt updating of systems?

Answer 151

Regular Patching or updating

Question 152

Name five mitigation techniques?

Answer 152

Patching, encryption, monitoring, least privilege, configuration enforcement, decommissioning

Question 153

Which medical mitigation technique requires a physical device to be formatted or destroyed after initial usage?

Answer 153

Decommissioning

Question 154

Which mitigation technique performs a security posture assessment upon each device connection?

Answer 154

Configuration enforcement

Question 155

Which mitigation technique, assigns rights, and permissions to the bare minimum of what’s needed to execute the system?

Answer 155

Least privilege

Question 156

Which mitigation technique aggregates logging information from all the sensors (IPS, firewall logs, web servers logs, DB logs, email logs, etc?

Answer 156

Monitoring

Question 157

What does an SIEM do?

Answer 157

It aggregates and collects all types of sensor/logging data and provides an engine in which a user can compare and query the data… Think spunk

Question 158

What mitigation technique prevents easy viewing of system data? And what are some of the types?

Answer 158

Encryption… file system, full disk (bit locker or FileVault), file level (Windows EFS) , application data

Question 159

What is it when you apply best practices to a system across all defense layers?

Answer 159

Hardening techniques

Question 160

What does EDR stand for and what is it?

Answer 160

Endpoint detection and response…it is software that continuously monitors for threats and provides the ability to detect, investigate and respond to threats

Question 161

What is software that allows or disallows, incoming or outgoing application traffic and can identify and block unknown processes?

Answer 161

Host based firewall

Question 162

What is a prevention system that recognizes and blocks known attacks and validates incoming service request?

Answer 162

Host based intrusion and prevention system a.k.a. HIPS

Question 163

Name three other best practice hardening techniques?

Answer 163

Closing of all ports except for those that are required, require default password changes, removal of unnecessary software

Question 164

What is another name for a layered defense?

Answer 164

Defense in depth