Attacks, Threats, and Vulnerabilities Flashcards

1
Q

Cross-site Request Forgery (XSRF)

A

is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.

2
Q

Cross-site scripting (XSS)

A

is a malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.

It exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit.

3
Q

Shimming

A

is the process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.

4
Q

How serious are memory leaks in the OS kernel? What could one mean?

A

They are extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.

5
Q

If the pointer that references an object at a memory location was set to a null value by a malicious process,

A

then this can create a null pointer exception, causing instability and crashes.

6
Q

When does a memory leak vulnerability occur?

What does it lead to?

A

A memory leak vulnerability occurs when software does not release allocated memory when it has finished using it, potentially leading to system instability.

7
Q

If the pointer is set to a null value by a malicious process

A

this creates a null pointer exception, and the process will crash. Programmers can use logic statements to test that a pointer is not null before trying to use it.

8
Q

Document Object Model (DOM) Cross-Site Scripting (XSS) exploits vulnerabilities in …

A

client-side scripts to modify the content and layout of a web page.

9
Q

What is Stored (or persistent) Cross-Site Scripting (XSS)?

A

is a server-side script attack that inserts code into a back-end database used by the trusted site.

10
Q

Reflected Cross-Site Scripting (XSS)

A

is a server-side input validation exploit that injects a script into a website. Once the victim visits the infected website, the malicious code executes in the user’s browser.

11
Q

Clickjacking

A

occurs when the attacker inserts an invisible layer into a trusted web page that can intercept or redirect input without the user realizing it.

12
Q

What is error or exception handling?

A

It is the process of responding to the occurrence of an error in the form of an outputted message. This can provide insight into issues in the code which are not necessarily related to security.

13
Q

What is a client-side (or cross-site) request forgery?

A

is an attack that forces a user to execute unwanted actions on a web server to which the user is currently authenticated.

14
Q

What does a “server-side request forgery” do?

A

abuses the functionality and services of backend servers to read and update internal resources. This can expose, for example, database information, even without an authenticated session.

15
Q

What does a command injection attack do?

What does it allow?

A

runs OS shell commands from the browser, and allows commands to operate outside of the server’s directory root, allowing commands to run as the web “guest” user.

16
Q

Describe DLL injection.

A

It is not a vulnerability of an application, but of the way the operating system allows one process to attach to another and then force it to load a malicious dynamic link library (DLL).

17
Q

Improper input handling exposes …

A

software to input validation attacks. When an attacker exploits improper input handling, it crashes the process hosting the code, performs

18
Q

What is “refactoring” (coding, programming)?

A

means the code performs the same function by using different methods. Refactoring means that the antivirus software may no longer identify the malware by its signature.

19
Q

Pointer dereference: what is it and what can it do?

A

is a software vulnerability that can occur when the code attempts to remove the relationship between a pointer and the thing it points to (pointee). Dereferencing may crash the application and corrupt memory.

20
Q

An integer overflow attack

A

causes the target software to calculate a value that exceeds its upper or lower bounds.

21
Q

To exploit a buffer overflow vulnerability, …

A

the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data.

22
Q

Default application settings may expose more information than necessary when errors occur.

A

Exposing such information over an HTTP connection may give the attacker insight into the environment.

23
Q

An application programming interface (API) intrusion occurs when

A

an attacker takes advantage of insecure communication with application services to perform denial of service attacks using multiple API calls, for example.

25
Q

What are API keys, made up of alphanumeric characters, used for?

A

To authorize requests to the web application. If these keys are exposed over an insecure connection such as HTTP, an attacker can use the key to perform other API calls.

26
Q

A “time of check to time of use” (TOCTTOU) vulnerability

A

takes advantage of the gap between checking a condition and using the result to modify data before it is finally used. It is a race condition.

27
Q

Describe a race condition
(software vulnerability).

When does it occur?

What have attackers used it as?

A

It occurs when execution processes depend on the timing of certain events, and those events fail to execute in the order and timing intended.

It occurs when multiple threads are attempting to write to the same memory location.

Attackers have used race conditions as an anti-virus evasion technique.

29
Q

A pointer is a reference to …

A

An object in memory.

Attempting to access that memory address is called dereferencing. An integer is a positive or negative whole number.

30
Q

A shim is a …

A

Code library that intercepts and redirects calls to enable legacy mode on a system.

The shim database represents a way that malware with local administrator privileges can run on reboot (persistence).

31
Q

Transitive access describes…

A

the problem of authorizing a request for a service that depends on an intermediate service.

32
Q

Directory traversal occurs when…

A

The attacker gets access to a file outside the web server’s root directory.

The attack uses specific code to request information from a web server’s root directory by submitting the directory path.

33
Q

An SQL injection attack inserts…

A

An SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code.

34
Q

A replay attack consists of…

A

Intercepting a key or password hash, then reusing it to gain access to a resource. Using once-only session tokens or timestamping sessions prevents this type of attack. (Related: cookie stealing.)

An attacker with system access is able to obtain keys from system memory or pagefiles/scratch disks. Privilege escalation is the practice of exploiting flaws in an operating system or other application to gain a greater level of access than intended for the user or application.

35
Q

Pass-the-hash occurs when…

A

The attacker steals hashed credentials and uses them to authenticate to the network. Using once-only session tokens or timestamping sessions prevents this type of attack.

36
Q

In what layer does packet filtering operate?

What does it do?

A

Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.

37
Q

A DoS attack causes …

A

A service at a given host to fail or to become unavailable to legitimate users. DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion). Reconfiguring default web settings to throttle or limit calls can prevent this. Also known as resource exhaustion.

38
Q

A DRDoS or amplification attack is …

A

A more powerful TCP SYN flood attack where the adversary spoofs the victim’s IP address and attempts to open connections with multiple servers.

39
Q

SYN attacks cause …

A

resource exhaustion on the host processing the requests, consuming CPU cycles and memory. This delays the processing of legitimate traffic and could potentially crash the host system completely.

40
Q

What is a mine? (cyber security)

Is it easily detectable?

A

A scripted trap that runs in the event an account gets deleted or disabled. Anti-virus software is unlikely to detect this kind of malicious script or program, so the security specialist would not be able to discover the script during an investigation. The security specialist would uncover the mine once it gets executed and causes damage.

41
Q

Fileless malicious software (malware)

A

It does not write code to disk. The malware uses memory-resident techniques to run in its own process.

It can be classified as using low observable characteristics (LOC) attacks, which can make it less intrusive than other malware.

It uses “live off the land” techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate scripting tools like Windows PowerShell.

42
Q

What is a rootkit?

A

Backdoor malware that changes core system files and programming interfaces so that local shell processes no longer reveal their presence.

43
Q

Man-in-the-Middle (MitM) attack is a …

A

form of eavesdropping in which the attacker makes an independent connection between two victims and steals information to use fraudulently.

44
Q

Pass-the-Hash attacks

A

If an attacker obtains the hash of a user’s password, it is possible to authenticate with the hash without cracking it.

45
Q

Describe a birthday attack.

Describe a collision.

What can this attack do?

A

A type of brute-force attack aimed at exploiting collisions in hash functions.

A collision is where a function produces the same hash value for two different plaintexts. This type of attack can forge a digital signature.

46
Q

A macro virus uses …

A

The programming features available in Microsoft Office files.

47
Q

Program Virus

A

Sequences of code insert themselves into another executable program. When executing the application, the virus code becomes active.

48
Q

Worm

A

Memory-resident viruses that replicate over network resources.

The primary effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates. A worm may also be able to perform a Denial of Service attack by crashing operating systems and servers.

49
Q

What is a RAT? (vulnerability)

A

Remote Access Trojan

50
Q

PUP

A

Potentially unwanted program

51
Q

Skimming

A

Like credit card skimming.

An RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.

52
Q

The intimidation tactic

A

Compared to using a familiarity/liking approach, it is riskier, as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

53
Q

The authority tactic

How risky is it compared to other tactics?

A

Compared to using a familiarity/liking approach, it is riskier, as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

54
Q

Describe the liking approach. How risky is it?

A

It is low risk. If the victim refuses the request, it is unlikely to cause suspicion and the social engineer can move to a different target without being detected.

55
Q

Familiarity approach

A

Is low risk. If the victim refuses the request, it is unlikely to cause suspicion and the social engineer can move to a different target without being detected.

56
Q

Rogueware

A

is a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker’s Trojan.

57
Q

Phishing

A

is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one.

58
Q

Spyware

A

is a program that monitors user activity and sends the information to someone else. This can occur with or without the user’s knowledge.

59
Q

In a hoax attack …

A

an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.

60
Q

SPIM

A

Spam in Instant Messengers

61
Q

SoC

A

System on Chip

62
Q

What is Domain Name System (DNS) poisoning?

A

is an attack that compromises the process by which clients query name servers to locate the IP address for a Fully Qualified Domain Name (FQDN).

63
Q

Domain hijacking

A

An attack where an adversary acquires a domain such as the full .com address for a company’s trading name or trademark.

64
Q

A disassociation attack

A

uses disassociation packets to remove a known wireless access point (WAP) from a client’s list of available networks. This is a type of DoS on wireless networks.

65
Q

Describe a deauthentication attack.

What kind of attack is it?

A

It sends a stream of spoofed frames to cause a client to deauthenticate.

This is a type of DoS attack on wireless networks.

66
Q

What does an amplification attack target?

A

targets vulnerabilities in the headers and payloads of specific application protocols.

For example, one type of amplification attack targets DNS services with bogus queries.

67
Q

An operational technology attack is …

A

a network attack that involves connections between embedded system devices.

The term is “operational” because these systems monitor and control physical electromechanical components.

68
Q

Media Access Control (MAC) cloning or address spoofing …

A

changes the hardware address configured on an adapter interface or asserts the use of an arbitrary MAC address.

69
Q

Domain hijacking

A

is a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Brandjacking is another term for domain hijacking.

70
Q

Kiting

A

is the act of continually registering, deleting, and reregistering a name within the five-day grace period without having to pay for it.

71
Q

Describe tasting (exploit).

A

A Domain Name System (DNS) exploit that involves registering a domain temporarily to see how many hits it generates within the five-day grace period.

72
Q

An On-path attack

A

Is a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

73
Q

A replay attack

A

consists of intercepting a key or password hash, then reusing it to gain access to a resource, such as the pass-the-hash attack.

74
Q

Bluesnarfing

A

refers to using an exploit in Bluetooth to steal information from someone else’s phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.

75
Q

What is Bluejacking?

A

An attack on a Bluetooth-discoverable device, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details).

This can be a vector for Trojan malware.

76
Q

An evil twin (sometimes called WiPhishing) is …

A

a rogue Access Point (AP) masquerading as a legitimate one.

77
Q

A Man-in-the-Browser (MitB) attack

A

occurs when the attacker compromises the web browser by installing malicious plug-ins, scripts, or intercepting API calls. Attackers can install vulnerability exploit kits on a website and will actively try to exploit vulnerabilities in clients browsing the site.

78
Q

When does HTTP Response Splitting happen?

A

Occurs when the attacker crafts a malicious URL and convinces the victim to submit it to the web server.

79
Q

What are LSOs, or Flash cookies?

What can be done with them?

A

They are data stored on a user’s computer by websites that use Adobe Flash Player. A site may be able to track a user’s browsing behavior through LSOs.

80
Q

Personal Area Network (PAN)

A

Is a network that connects two to three devices with cables.

81
Q

Jamming attack

A

Interference from other radio sources can disrupt a wireless network.

One way to defeat a jamming attack is to locate the offending radio source and disable it.
Another way to defeat a jamming attack is to boost the signal of the legitimate equipment.

82
Q

What does using a spectrum analyzer do?

A

It will only detect the source of interference; it does not defeat or prevent it.

83
Q

What are weaknesses of NFC (Near Field Communications)?

A

NFC does not provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and other software services are not encrypting the data.

84
Q

What is DNS Server Cache poisoning?

A

A redirection attack that aims to corrupt the records held by the DNS server itself.

The intention is to redirect traffic for a legitimate domain to a malicious IP address.

85
Q

With a SPAN port …

A

The sensor attaches to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports).

86
Q

DNS harvesting

A

Uses Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on).

87
Q

What does an attacker do when performing host discovery?

A

On an internetwork (a network of routed IP subnets), the attacker will want to discover how the routers connect the subnets, and whether any misconfigured gateways between subnets exist.

88
Q

Ping sweep

A

The ping command can detect the presence of a host on a particular IP address or one that responds to a particular host name. Users can apply a simple script to perform a ping sweep.

89
Q

What is SIEM?

A

Security Information and Event Management (SIEM)

90
Q

What is DLP System?

A

Data Loss Protection system. It can log policy violations, like the use of a USB thumb drive from a client computer. The DLP system can forward that data to a SIEM for further analysis and reporting.

It can also examine mail gateways and determine whether email content can be sent.

91
Q

What is SCAP?

A

Security Content Automation Protocol (SCAP) determines whether a computer meets a configuration baseline. It is used to perform configuration reviews to ensure the system is secure and ready for production.

92
Q

What is Nikto?

A

A web application scanner that searches for known web vulnerabilities, such as SQL injection and cross-site scripting (XSS).

93
Q

What does Tenable Nessus do?

A

A network vulnerability scanner that tests network hosts, including client computers, and compares them against known vulnerabilities.

94
Q

What should the chief information officer (CIO) be concerned with reviewing in regard to a SIEM?

A

The overall analysis report which may showcase a number of incidents in the past week, or how many systems are currently on an old version of Windows.

95
Q

What are security engineers concerned with in regard to a SIEM?

A

Configuring appropriate data inputs, so they analyze and report an accurate account of the security of the network.

96
Q

What is Sentiment analysis?

A

A machine learning technique of log analysis to identify intent. This can be used, for example, to monitor social media for brand “incidents,” such as a customer complaining on Twitter about poor service.

97
Q

What is Security Orchestration, Automation, and Response (SOAR)?

A

A solution to the volume of alerts overwhelming an analyst’s ability to respond.

It analyzes an organization’s store of security intelligence and uses deep learning techniques to:

• automate and provide data enrichment;
• improve incident response;
• improve threat hunting workflows.

98
Q

What is Syslog?

A

A collector tool that allows for centralized collection of events from multiple sources. It is an open format for event logging messages.

99
Q

What is Security content automation protocol (SCAP)?

A

Determines whether a computer meets a configuration baseline. It is used to perform configuration reviews to ensure the system is secure and ready for production.

100
Q

What is the Common Vulnerability Scoring System (CVSS)?

A

A metric score from 0 to 10 based on the characteristics of the vulnerability, such as whether it can be triggered remotely or whether it requires user intervention.

101
Q

What is intelligence fusion?

A

Techniques applied with security information and event management (SIEM) and threat analytics platforms.

Analysts can develop queries and filters to correlate threat data from these systems.

102
Q

What is maneuvering (military doctrine)?

Describe a defensive maneuver.

A

A military doctrine term relating to obtaining positional advantage.

In a defensive maneuver, an analyst can perform passive discovery techniques so that threat actors have no hint that the analyst has discovered an intrusion.

103
Q

What could threat feeds or notifications of current and new threats initiate?

A

They may initiate updates to security policies and even signatures, to ensure security administrators can monitor those threats.

104
Q

What is Footprinting?

A

Using the Network Mapper (Nmap) tool to obtain information about a host or the network topology. Non-intrusive footprinting is limited to packet sniffing.

105
Q

Describe a white box pen test.

A

The consultant has complete access to information about the network. Sometimes the consultant will conduct this type of test as a follow-up to a black box test, to fully evaluate flaws discovered during the black box test. No recon needed!

106
Q

What does the White Team do?

A

The white team is responsible for setting the rules of engagement and monitoring the penetration testing exercise.

107
Q

What does the purple team do?

A

The purple team members act as facilitators during a purple team exercise. This type of exercise involves collaboration between red and blue teams during breaks throughout the exercise.

108
Q

What is war flying?

A

War flying is war driving, but in the air with a drone or unmanned aerial vehicle (UAV).

This maps the location and type of wireless networks operated by the target.

109
Q

Which penetration test step should a tester perform before internal reconnaissance?

A

Persistence.

Persistence, followed by further reconnaissance, occurs when the pen tester attempts to map out the internal network and discover the services running on it and the accounts configured to access it.

110
Q

What is Black Box Pen Testing?

A

During a black box pen test, the consultant has no privileged information about the network, its security systems, and its configuration. Black box tests are useful for simulating the behavior of an external threat.

111
Q

What step is “action on objectives” in a penetration test?

How can you describe it?

A

Action on objectives is the very last step of a penetration test after establishing a pivot point and escalating privileges.

This step is basically data exfiltration.

112
Q

What does log aggregation refer to?

A

Log aggregation refers to normalizing data from different sources so that it is consistent and searchable. This makes it easier to integrate with dynamic reporting engines.

113
Q

What are logic statements used for in program development?

A

If the pointer is set to a null value by a malicious process, this creates a null pointer exception, and the process will crash.

Programmers can use logic statements to test that a pointer is not null before trying to use it.