All Types of Attacks and Defenses Flashcards

1
Q

filename=../../../../../etc/passwd

what is this attack and what is the best defense for the attack

A

A directory traversal attack, also known as path traversal attack, occurs when an attacker exploits a vulnerability in a web application to access files and directories outside of the intended directory.

–best defense is proper input validation

2
Q

Application attack that is freely available on the internet and exploits vulnerabilities in various operating systems, enabling attackers to elevate privilege.

A

Rootkit (escalation of privilege)

–keep security patches up to date
–anti malware software
–edr/xdr

3
Q

Undocumented command sequences that allow individuals with knowledge of the ____ to bypass normal access restrictions.
–often used in development and debugging

A

Backdoor

–countermeasures: firewalls, anti-malware, network monitoring, code review

4
Q

type of virus-ransomware that encrypts files stored on a computer or mobile device in order to extort money

-back up computer
-store backups separately
-file auto versioning

A

Ransomware

5
Q

Type of virus that is a nuisance and results in wasted resources. Used to “spread through email from a friend” but has changed with social media.

A

Virus Hoaxes

6
Q

malicious code objects that infect a system and lie dormant until triggered by the occurrence of one or more conditions, such as a time, a program launch, or a website login

A

logic bomb

7
Q

Type of virus that is a software program that appears good and harmless but carries a malicious, hidden payload that has the potential to wreak havoc on a system or network

A

Trojan horse

–best defenses: only allow software from trusted sources
–don't let users install software

8
Q

a type of malware that spreads copies of itself from computer to computer, replicating itself without human interaction.

A

Worm

9
Q

a program that may be an unwanted app, often delivered alongside a program the user wants. PUPs include spyware, adware, and dialers

A

Potentially Unwanted Program (PUP)

10
Q

type of malware designed to log keystrokes, creating records of everything you type on a computer or mobile keyboard.

A

Keylogger

11
Q

Malware designed to obtain information about an individual, system, or organization.

A

spyware

12
Q

a type of malicious software that does not rely on virus-laden files to infect a host. Instead, it exploits applications that are commonly used for legitimate and justified activity to execute malicious code in resident memory.

A

Fileless Virus

13
Q

a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.

A

Command and Control

14
Q

a malware program that gives an intruder administrative control over a target computer.

A

Remote Access Trojan (RAT)

15
Q

Use programs with built-in dictionaries. They attempt all dictionary words to try and find the correct password, in the hope that a user would have used a standard dictionary word.

A

Dictionary Attacks

–countermeasures:
MFA, biometrics, limit number of attempts, force reset after too many attempts

16
Q

Attacker tries a password against many different accounts to avoid the lockouts that typically come when brute forcing a single account. Succeeds when an admin or application sets a default password for new users.

A

Password Spraying (brute force)

–countermeasures:
MFA, CAPTCHA, password change on first login

17
Q

Attempts to find the correct cryptographic key by attempting all possible combinations (trial and error). Password complexity and attacker resources determine the effectiveness of this attack.

A

Brute Force Attack

—Countermeasures:
cryptographic salts, CAPTCHA, throttling rate of repeated logins, IP blocklists

18
Q

Tables that contain precomputed values of cryptographic hash functions, used to identify commonly used passwords

A

Rainbow Tables

19
Q

Random data that is used as an additional input to a one-way function that hashes data, a password, or a passphrase.

A

Salt

–adding salts to passwords before hashing them reduces the effectiveness of rainbow table attacks

20
Q

MFA (something you know, have, are) prevents these attacks

A

-Phishing
-Spear Phishing
-Keyloggers
-Credential Stuffing
-Brute and reverse brute force attacks
-MITM attacks

21
Q

a collection of compromised computing devices (often called bots or zombies).

A

Botnet

22
Q

criminal who uses a command and control server to remotely control the zombies; often uses the botnet to launch attacks on other systems, or to send spam or phishing emails

A

Bot Herder

23
Q

Focuses on accomplishing “smart” tasks, combining machine learning and deep learning to emulate human intelligence

A

Artificial Intelligence

24
Q

A subset of AI: computer algorithms that improve automatically through experience and the use of data.

A

Machine Learning (ML)

25
Q

a subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks

A

Deep Learning

26
Q

Cloud Based Attacks vs On premise Attacks

A

—fewer attacks to worry about with the cloud model because the data center is more secure and less vulnerable

27
Q

attack on a cryptographic hash to find two inputs that produce the same hash value

A

Collision Attack

–defeat with collision-resistant hashes

28
Q

cryptographic attack in which a protocol is downgraded from a higher mode or version to a low-quality mode or lower version.

A

Downgrade attack

–commonly targets TLS

29
Q

an attempt to reuse authentication requests.

–targets authentication (Kerberos)
—defeat with date/time stamps

A

Replay Attack

30
Q

attempt to find collisions in hash functions

–targets digital signatures
–defeat with long hash output

A

Birthday Attack

31
Q

A type of injection attack in which malicious scripts are injected into otherwise benign and trusted websites. Occurs when an attacker uses a web application to send malicious code to a different end user.

–JavaScript and HTML
—uses malicious scripts

–identified by looking for the var command and HTML script tags, e.g.:
var money

A

Cross-Site Scripting (XSS)

–input validation and filtering
–validate data length and data type

32
Q

Similar to cross-site scripting attacks but exploits a different trust relationship: it exploits the trust a website has for your browser to execute code on the user’s computer.

–exploits website trust to execute code

A

Cross-Site Request Forgery (CSRF or XSRF)

–create web apps that use secure tokens, and sites that check the referring URL in requests to ensure it came from a local site

—example: changing a bank transfer from 100 to 100,000 by exploiting the URL

http://bank.com/transfer.do?acct=George&amount=1000000

33
Q

A situation in which the malware tries to inject code into the memory process space of a library using a vulnerable/compromised ____

A

Dynamic Link Library (DLL)

34
Q

when users enter values that query XML (known as XPath) with values that take advantage of exploits, it is known as an _____

A

XML Injection Attack

35
Q

Use unexpected input to a web application to gain unauthorized access to an underlying database.

A

SQL Injection Attacks

—countermeasures:
input validation, use prepared statements, limit account privileges

36
Q

exists when a developer does not validate user input to ensure that it is of an appropriate size (input that is too large can “overflow” the memory buffer).

A

Buffer Overflow

–strcpy could create one

–example (the unchecked strcpy copies up to 256 bytes of data into a 64-byte buffer):
#include <string.h>
void fun(char data[256]) {
    char tmp[64];
    strcpy(tmp, data); /* no length check: data longer than 63 characters overflows tmp */
}

–prevent with input validation

37
Q

a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.

A

Time of Check to Time of Use (TOCTOU)

—countermeasures: file locking, transactions in the file system or OS kernel

38
Q

Related to input validation is _______.
Every function that has any meaningful functionality should have appropriate _______.
Properly done, the user simply sees an error message box.

A

Error Handling

–element of good coding practices

39
Q

an attacker steals a valid session ID of a user and reuses it to impersonate an authorized user and perform fraudulent transactions or activities.

A

Session Replay

–disallow session ID reuse in web apps

40
Q

Putting too much information into too small a space that has been set aside for numbers.

–arithmetic overflow error: the result does not fit in the allocated memory space

A

Integer Overflow

–countermeasures:
good coding practices, appropriate typing of variables

41
Q

When an application continuously allocates additional resources, exhausting machine resources and leading the system to hang or crash.

When exploited, ________ vulnerabilities in apps, software, or system security cause them to hang, crash, or interfere with external programs performing their designated tasks properly. Memory leaks can lead to resource exhaustion (see “memory leaks” in this session).
However, these attacks can also be executed by exhausting other resource subsystems, such as CPU, disk, or network.

A

Resource Exhaustion (form of DoS attack when intentional)

42
Q

Many modern programming languages (such as C# and Java) don’t allow the programmer to directly allocate or deallocate memory.
Therefore, those programming languages are not prone to memory leaks.
However, certain older languages, most notably C and C++, give the programmer a great deal of control over memory management.

A

Memory Leak (most common issue in memory management)

–static code analyzer can check if all memory allocation commands

43
Q

Involves creating a library (or modifying an existing one) to bypass a driver and perform a function other than the one for which the API was created.

A

Shimming

44
Q

The name given to a set of techniques used to identify the flow and then modify the internal structure of code without changing the code’s visible behavior. In legitimate scenarios, this is done in order to improve the design, to remove unnecessary steps, and to create better code.

A

Refactoring

–malware takes advantage of weak code

45
Q

a technique whereby an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access

–Kerberos TGT tickets expire after 10 hours, whereas NTLM hashes only change when the user changes their password

A

Pass the Hash (targets NTLM)

—prevent by enforcing least-privilege access and analyzing applications to determine which require admin privileges

46
Q

Attacker sits in the middle between two endpoints and is able to intercept traffic, capturing (and potentially changing) information.

–fools parties into communicating with attacker instead of directly with each other

A

Man-in-the-middle attack (MITM)

–countermeasures:
use secured WiFi, VPN, HTTPS, and MFA

47
Q

pranksters push unsolicited messages to engage or annoy other nearby Bluetooth users through a loophole in Bluetooth messaging options

A

Bluejacking

-prevent with a long PIN, 2FA, and disabling discovery mode

48
Q

data theft using Bluetooth. Vulnerable devices are those using Bluetooth in public places with the device in discoverable mode.

A

Bluesnarfing

–prevent with a long PIN, 2FA

49
Q

developed a year after bluejacking; creates a backdoor attack before returning control of the phone to its owner.

A

Bluebugging

50
Q

A malicious fake wireless access point set up to appear as a legitimate, trusted network.

A

Evil Twin

–common in airports and coffee shops

51
Q

A type of DoS attack in which the attacker breaks the wireless connection between the victim device and the access point.

A

Disassociation

52
Q

A DoS attack that prevents other nodes from using the channel to communicate by occupying the channel that they are communicating on.

A

Jamming (often unintentional)

53
Q

attacker alters the domain name to IP address mappings in a DNS system; may redirect traffic to a rogue system OR perform denial of service against the system.

A

DNS Poisoning

–countermeasures: allow only authorized changes to DNS, restrict zone transfers

54
Q

attacker sends false replies to a requesting system, beating the real reply from the valid DNS server.

A

DNS Spoofing

55
Q

Similar to DNS spoofing; can take the form of DNS spoofing or can simply be an alteration of the hyperlink URLs.

A

Hyperlink Spoofing

56
Q

A resource consumption attack intended to prevent legitimate activity on a victimized system.

A

Denial of Service (DoS)

countermeasures:
firewalls, routers, intrusion detection (IDS), SIEM,
disable broadcast packets entering/leaving, disable echo replies, patching

57
Q

a DoS attack utilizing multiple compromised computer systems as sources of attack traffic.

A

Distributed Denial of Service (DDoS)

–firewalls, routers, intrusion detection (IDS), SIEM,
disable broadcast packets entering/leaving, disable echo replies, patching

58
Q

Types of DDoS Attacks

A

—Network: volume-based attacks targeting flaws in network protocols, often using botnets, using techniques such as UDP flooding, ICMP flooding, or SYN flooding (TCP-based).

—Application: exploits weaknesses in the application layer (Layer 7) by opening connections and initiating process and transaction requests that consume finite resources like disk space and available memory.

–Operational Technology (OT): targets the weaknesses of software and hardware devices that control systems in factories, power plants, and other industries, such as IoT devices.

59
Q

Three way handshake order

A
  1. SYN
  2. SYN-ACK
  3. ACK

TCP/IP

60
Q

a vulnerability which allows an attacker to force users of your application to an untrusted external site.

A

URL Redirection

61
Q

services and tools that provide info as to whether a domain is a trusted email sender or is a source of spam email.

A

Domain Reputation

62
Q

involves an individual changing the domain registration information for a site without the original registrant’s permission.

A

Domain Hijacking

–countermeasures:
domain registration auto-renewal, privacy protection (blocking your name from WHOIS), a trusted domain provider

63
Q

forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior; potentially sends sensitive info to areas of the network where it is not normally intended to go.

A

MAC Flooding

64
Q

sending ARP packets across the LAN that contain the attacker’s MAC address and the target’s IP address.

A

ARP poisoning (spoofing)

65
Q

Duplicates the MAC address (hardware address) of a device, allowing the attacker to appear as a trusted device.

A

MAC Cloning

—Countermeasures: network access control (NAC) to provide a validation gate to network access.

66
Q

attack that looks for open ports

A

Xmas

67
Q

an exploit in which the attacker runs code on a VM that allows an OS running within it to break out and interact directly with the hypervisor

A

VM Escape