Advanced Attacks Flashcards
An attacker enters a string of data in a web application’s input form and crashes it. What type of attack is this?
A. DoS
B. DDoS
C. Man-in-the-middle
D. Header manipulation
A. The question describes a buffer overflow attack, which can be used as a denial-of-service (DoS) attack. A DDoS attack comes from multiple computers. A man-in-the-middle attack intercepts network traffic and can insert malicious code into a session, but it isn't launched through an application's input form. Header manipulation modifies flags and other data in packet headers, not application input.
What will protect against a SYN attack?
A. Input validation
B. Error handling
C. Flood guard
D. Cross-site scripting
C. Flood guards help protect against SYN flood attacks. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks. Error handling routines work together with input validation and can prevent application failures and many application attacks. Cross-site scripting is an attack that injects HTML or JavaScript into a web page viewed by other users.
What can an administrator use to detect a DDoS attack?
A. Privilege escalation
B. Performance baseline
C. Web form sanitization
D. Antivirus software
B. A performance baseline can help detect a distributed denial-of-service (DDoS) by showing differences in performance. Malware uses privilege escalation to gain more rights and permissions after compromising a system. Web form sanitization (or input validation) can prevent injection attacks, but won’t detect a DDoS attack. Antivirus software can detect viruses, worms, and Trojan horses, but not DDoS attacks.
A user browsing the Internet notices erratic behavior right before the user’s system crashes. After rebooting, the system is slow, and the user detects hundreds of outbound connections. What likely occurred?
A. The system has become a botnet
B. The system is hosting a botnet
C. The system is spamming other users
D. The system has joined a botnet
D. This describes a drive-by download, which installs malware on a user's system after the user visits a malicious or compromised website, and then joins the system to a botnet (indicated by the hundreds of outbound connections). A botnet is composed of multiple systems, not a single system, and criminals (known as bot herders) control the systems in the botnet. Botnet members can spam (and attack) others, but the symptoms don't indicate that this is what is happening.
A computer is regularly communicating with an unknown IRC server and sending traffic without user interaction. What is likely causing this?
A. Buffer overflow
B. Cross-site scripting
C. Botnet
D. Rootkit
C. Botnets control the computers in the botnet, and bot herders often send commands over Internet Relay Chat (IRC) channels. A buffer overflow occurs when an application receives more data than it allocated for a buffer; exploits often pad the input with a string of NOP (no-operation) instructions. Cross-site scripting allows an attacker to inject malicious code into a website's HTML pages. Rootkits provide attackers with system-level access and can modify file system operations, but they don't use IRC on their own.
Of the following choices, what uses a command and control server?
A. DoS attacks
B. Trojans
C. Man-in-the-middle attacks
D. Botnet
D. Criminals control botnets through command and control software running on Internet servers. Botnets launch DDoS attacks from many compromised systems at once; a DoS attack from a single system doesn't need a command and control server. A Trojan is malware that appears to be something useful but instead includes something malicious. A man-in-the-middle attack can intercept traffic and insert malicious code, but it doesn't use a command and control server.
Of the following choices, what type of attack can intercept traffic and insert malicious code into a network conversation?
A. Spim
B. Xmas attack
C. LDAP injection
D. Man-in-the-middle
D. A man-in-the-middle attack can intercept traffic and insert malicious code, but Kerberos helps prevent man-in-the-middle attacks with mutual authentication. Spim attacks send unsolicited messages over instant messaging channels but can't intercept traffic. An Xmas attack is a port scan that sets unusual TCP flags, and an attacker can use the responses to detect open ports and guess the operating system of the scanned system. LDAP injection is an attack against applications that build LDAP queries from user input, commonly used against Active Directory based systems.
What can a header manipulation attack modify?
A. Flags
B. Buffers
C. Databases
D. Signature definitions
A. A header manipulation modifies flags and data in a packet and can launch a session hijacking attack. Buffer overflow attacks can modify memory buffers. SQL injection attacks can modify databases. Antivirus software requires up-to-date signature definitions, but header manipulation does not modify these.
An attacker is sending false hardware address updates to a system, causing the system to redirect traffic to an attacker. What type of attack is this?
A. IRC
B. ARP poisoning
C. Xmas attack
D. DNS poisoning
B. Hardware addresses are MAC addresses, and an ARP poisoning attack misleads computers or switches about the actual MAC address of a system and can redirect traffic. Botnets sometimes communicate via IRC channels, but IRC channels don’t send false updates to a switch. An Xmas attack is a port scan where an attacker attempts to detect the operating system of the scanned system. DNS poisoning attacks corrupt name resolution data used to resolve names to IP addresses.
What can mitigate ARP poisoning attacks in a network?
A. Disable unused ports on a switch
B. Man-in-the-middle
C. DMZ
D. VLAN segregation
D. Address Resolution Protocol (ARP) poisoning attacks modify the hardware addresses in a system's ARP cache to redirect traffic, and virtual local area network (VLAN) segregation can limit the scope of these attacks, because ARP only works within a broadcast domain. Disabling unused physical ports on a switch is a good security practice, but it doesn't prevent ARP poisoning attacks from a host that is already connected. A man-in-the-middle attack can intercept traffic and insert malicious code, and ARP poisoning is one way to launch a man-in-the-middle attack. A DMZ provides access to services from Internet clients while segmenting access to an internal network. In practice, switch features such as Dynamic ARP Inspection, which drops ARP replies that don't match a trusted IP-to-MAC binding, block the spoofed replies themselves.
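The two ARP poisoning cards above describe the symptom (false hardware address updates that redirect traffic) and a mitigation that limits scope. As an added example that is not part of the original flashcards, the following detector applies the same idea a switch's Dynamic ARP Inspection uses, in software, to a stream of observed ARP replies: it alerts when an IP address's MAC changes from the first or trusted binding, and when one MAC starts claiming several IP addresses, which is the pattern of an attacker impersonating both the gateway and a victim. The reply records and the `trusted` table are constructed sample data; the function names are hypothetical.

```python
"""Detect ARP cache poisoning from a sequence of observed ARP replies.

Added example, not from the flashcards. The replies below are constructed
sample data; 'trusted' stands in for a known-good IP-to-MAC table that an
administrator would seed from a clean state (hypothetical).
"""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) taken from ARP replies on the wire.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),    # default gateway, legitimate
    ("192.168.1.10", "00:11:22:33:44:0a"),   # victim workstation, legitimate
    ("192.168.1.20", "00:11:22:33:44:14"),   # another host, legitimate
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),    # attacker claims the gateway IP
    ("192.168.1.10", "de:ad:be:ef:00:01"),   # attacker also claims the victim IP
]

# Hypothetical trusted binding for the gateway, the address most worth protecting.
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert tuples for suspicious ARP replies.

    Alerts:
      ("mac-change", ip, old_mac, new_mac)  an IP's MAC differs from the
                                            trusted or first-seen binding
      ("multi-ip", mac, [ip, ...])          one MAC now claims several IPs

    MAC comparison is case-insensitive because different tools print MACs in
    different cases. A MAC legitimately claiming several IPs (a router with
    virtual addresses) will also trip the second check, so tune the trusted
    table rather than ignoring that alert outright.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []

    for ip, mac in replies:
        mac = mac.lower()

        # Check 1: a different MAC than the one we already trust for this IP.
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac            # first sighting becomes the baseline
        elif known != mac:
            alerts.append(("mac-change", ip, known, mac))

        # Check 2: the same MAC answering for more than one IP address.
        before = len(ips_per_mac[mac])
        ips_per_mac[mac].add(ip)
        if before >= 1 and len(ips_per_mac[mac]) > before:
            alerts.append(("multi-ip", mac, sorted(ips_per_mac[mac])))

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

On the constructed sample the first three replies produce no alerts; the fourth triggers a MAC change for the gateway, and the fifth triggers both a MAC change for the victim and a multi-IP alert for the attacker's MAC. Feeding the function replies captured on a real segment (for example, parsed from a packet capture) gives the same three-way classification.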
You manage a server hosting a third-party database application. You want to ensure that the application is secure and all unnecessary services are disabled. What should you perform?
A. Secure code review
B. Application hardening
C. White box testing
D. Black box testing
B. Application hardening ensures that a system is secure and includes basics such as disabling unnecessary services and checking vendor documentation. The developer should perform secure code reviews and test the application before releasing it, but these aren't steps for the customer of the application. In other words, the developer should have already performed these steps. Secure code reviews apply to applications developed in-house (not to purchased third-party applications, whose source the customer normally doesn't have), and black box testing by an independent third party is a common way to test an application without access to its source.
Of the following choices, what is a step used to harden a database application?
A. Enabling all services
B. Disabling default accounts and changing default passwords
C. Disabling SQL
D. Disabling stored procedures
B. Application hardening (including hardening database applications) includes disabling default accounts and changing default passwords. Application hardening includes disabling unnecessary services, not enabling all of them. SQL is the language used to communicate with most databases, so it shouldn't be disabled in a database application. Stored procedures increase performance and can help prevent SQL injection attacks when they take user input as parameters rather than concatenating it into dynamic SQL, so they shouldn't be disabled.
An organization develops its own software. Of the following choices, what is a security practice that should be included in the process?
A. Check vendor documentation
B. SDLC Waterfall model
C. Code review
D. Enabling command injection
C. Secure software development includes security at each stage of development, including code reviews for security. Vendor documentation for purchased software is an important application-hardening step, but in-house developed software wouldn’t have vendor documentation during development. Using an SDLC model helps an organization manage the development process, but there is nothing in the question to indicate that the Waterfall model should be used. Attacks use command injection, and applications should block command injection.
An attacker is entering incorrect data into a form on a web page. The result shows the attacker the type of database used by the website and provides hints on what SQL statements the database accepts. What can prevent this?
A. Error handling
B. Antivirus software
C. Anti-spam software
D. Flood guards
A. Error handling will return a generic error web page rather than a detailed error that can provide an attacker with valuable information to launch a SQL injection attack. Antivirus software can detect malware, such as viruses and worms, and prevent it from running on a computer. Anti-spam software can filter out unwanted or unsolicited e-mail (also called spam). Flood guards can prevent SYN flood attacks.
Your organization hosts several websites accessible on the Internet and is conducting a security review of these sites. Of the following choices, what is the most common security issue for web-based applications?
A. Input validation
B. Phishing
C. Whaling
D. Social engineering
A. Input validation checks input data, but because so many sites do not use it, they are vulnerable to buffer overflow, SQL injection, and cross-site scripting attacks. Phishing is the practice of sending e-mail to users with the purpose of tricking them into revealing personal information (such as bank account information). Whaling is a phishing attack that targets high-level executives. Social engineering is the practice of using social tactics to encourage a person to do something or reveal some piece of information.
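Three of the cards above describe the same web application weakness from different angles: concatenating user input into SQL (the stored procedure card), returning detailed database errors that reveal the engine and the accepted SQL (the error handling card), and missing input validation (the last card). As an added example that is not part of the original flashcards, the following code shows a lookup written the vulnerable way beside two hardened versions, against an in-memory SQLite database with constructed rows. The table, column, function and user names are hypothetical; SQLite stands in for whatever database a real site uses.

```python
"""Vulnerable vs. hardened user lookup: SQL injection, error handling, input validation.

Added example, not from the flashcards. Uses an in-memory SQLite database seeded
with constructed rows; table, column and function names are hypothetical.
"""
import re
import sqlite3


def make_db():
    """Create a throwaway database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 0), ("bob", "bob@example.com", 1)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string formatting and echoes the raw exception.

    Both mistakes the flashcards describe: an injectable query, and a detailed
    error that tells the attacker which engine and syntax the site uses.
    """
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    try:
        return {"ok": True, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def lookup_parameterized(conn, username):
    """Parameterized query only: the input is bound as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return {"ok": True, "rows": rows}


# Allow-list for usernames: lowercase letters, digits, underscore, 1 to 32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn, username):
    """Input validation, parameterized query, and a generic error message.

    The details of any database failure belong in a server-side log, not in
    the response the attacker reads.
    """
    if not USERNAME_RE.fullmatch(username):
        return {"ok": False, "error": "invalid username"}
    try:
        rows = conn.execute(
            "SELECT email FROM users WHERE username = ?", (username,)
        ).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error:
        # A real application would log repr(exc) here for the operators.
        return {"ok": False, "error": "request failed"}


INJECTION = "' OR '1'='1"   # constructed payload: turns the WHERE clause always-true
PROBE = "'"                 # constructed probe: a lone quote to provoke an error


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, probe:     ", lookup_vulnerable(db, PROBE))
    print("vulnerable, injection: ", lookup_vulnerable(db, INJECTION))
    print("parameterized, inject: ", lookup_parameterized(db, INJECTION))
    print("hardened, injection:   ", lookup_hardened(db, INJECTION))
    print("hardened, normal:      ", lookup_hardened(db, "alice"))
```

The probe shows the error handling problem: the vulnerable function hands back the exception class and SQLite's parser message, which is exactly the hint the card describes. The injection payload shows the query construction problem: the vulnerable function returns every row, while the parameterized version returns none because the payload is compared literally against the username column. The hardened version rejects the payload before it reaches the database at all, and if something does fail it returns a message that reveals nothing about the engine.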