Chapter 1 Missed Questions Flashcards

1
Q

Which protocol is a common Command-and-Control mechanism for botnets?

A

IRC Protocol

2
Q

Where do file-less viruses store themselves in order to maintain persistence?

A

Windows Registry

3
Q

What security technology best assists with automation of security workflows?

  • IPS
  • SIEM
  • SOAR
  • CASB
A

SOAR

4
Q

What type of approach to threat identification begins with a listing of all resources owned by the organization?

A

An Asset Focused approach

5
Q

What type of artificial intelligence technique is most commonly associated with optimization?

A

Prescriptive analytics

6
Q

What CVSS value is the threshold at which PCI DSS requires remediation to achieve a passing scan?

A

4

7
Q

This is a layer 2 attack where the attacker sends messages to corrupt the ARP table and causes packets to be misrouted. (This is done to set up a MitM attack)

A

ARP Poisoning

8
Q

This attack floods the table with addresses, making the switch unable to find the correct address for a packet

A

MAC Flooding

9
Q

This is a layer 3 attack where the attacker sends a large number of connection requests to open network services

A

SYN Flooding

10
Q

This is a layer 3 attack where the attacker attempts to manipulate the source or destination IP address of network traffic

A

IP Spoofing

11
Q

What is an IV (Initialization Vector) used for in a wireless communication protocol?

A

The IV is used in wireless systems as the randomization element at the beginning of a connection

12
Q

What is considered the most secure current encryption protocol used in securing HTTPS sessions?

A

TLS 1.3

13
Q

What is the condensed penetration process?

A

Planning, Discovery, Attack, Reporting

14
Q

What is the dark web?

A

The dark web uses obfuscation methods to restrict access, requires TOR, and uses onion routing (.onion instead of .com, etc.)

15
Q

What is the deep web?

A

Websites that are not indexed by traditional search engines and require additional methods of access or authentication are considered to be part of the ‘deep web’

16
Q

What type of attack method did Morris finger worm, Code Red, and Slammer use to compromise systems?

A

Buffer Overflow

17
Q

What is an SQL injection?

A

Code injection attacks that can be used to bypass login forms by tricking a web application into evaluating a statement that is always true. ‘password is correct OR 1=1’ can be used to log in without credentials

18
Q

What can be used to stop SQL injections?

A

Input Filtering

19
Q

What is Sentiment Analysis?

A

A technique used to identify and track patterns in human emotions, opinions, or attitudes that may be present in data

20
Q

Difference between Phishing, Vishing, Smishing, Spim, and Spam?

A

Phishing - Scam E-Mails
Vishing - Scam Phone Calls
Smishing - Scam Text Messages (SMS)
Spim - Spam Instant Messaging
Spam - Unsolicited communication sent in bulk

21
Q

What is an Evil Twin?

A

A wireless access point that looks and acts like a legitimate access point, but with a stronger signal to trick users into connecting to it

22
Q

What is a Rogue Access Point?

A

An unauthorized access point connected to an organization's network that does not try to impersonate a legitimate AP

23
Q

What is a worm?

A

A self-propagating program that attempts to penetrate networks and computer systems through vulnerable network services. It installs itself and attempts to spread to additional systems. (They don’t need to attach to pieces of software or files to spread)

24
Q

What is a virus?

A

A virus is a program that attaches to a piece of software, code or file

25
Q

What is a bot?

A

Functioning piece of software that performs some task or tasks under the control of another program

26
Q

What is a botnet?

A

A series of bots controlled across the network in a group

27
Q

What is the packet sequence for a TCP 3-way handshake?

A

SYN -> SYN/ACK -> ACK

28
Q

What happens during a TCP 3-way handshake?

A

The sender system sends a SYN packet to the target system it wants to communicate with. The target system responds with a SYN/ACK packet if it is able to accept the request. When the sender system receives the SYN/ACK packet, it responds with an ACK packet and the communication can proceed.

29
Q

What is the difference between shimming and refactoring in driver manipulation?

A

Shimming is the process of putting a layer of code between the driver and the OS to change behavior without modifying original code. Refactoring is the process of restructuring existing computer code to add functions to an existing driver.

30
Q

What are some common application protocols, along with their descriptions, ports, and whether they are secure?

A

FTP - Ports 20/21 - File Transfer Protocol (Unsecure)
SSH - Port 22 - Secure Shell (Secure)
Telnet - Port 23 - (Unsecure)
SMTP - Port 25/587 - Simple Mail Transfer Protocol (Secure)
DNS - Port 53 - Domain Name Services (Secure)
HTTP - Port 80 - Hyper Text Transfer Protocol (Unsecure)
HTTPS - Port 443 - Hyper Text Transfer Protocol Secure (Secure)

31
Q

What is intelligence fusion?

A

Process involving the collecting and analyzing of threat feeds from both internal and external sources on a large scale

32
Q

What are XSS (Cross Site Scripting) attacks?

A

Adding scripts to the input and rendering the script as part of the web process

33
Q

What is the difference between persistent, non-persistent and DOM-based XSS (Cross Site Scripting) attacks?

A

Persistent XSS attacks permanently store the injected scripts on the web server or back-end storage, allowing the script to be used against others who log into the system. Non-persistent XSS attacks are not stored and are immediately executed. DOM-based XSS attacks are executed in the browser via the Document Object Model (DOM) process instead of the web server

34
Q

What is a DLL injection?

A

A Dynamic Link Library injection adds functionality to a program, at runtime, that has a specific function vulnerability that can be capitalized on by the attacker

35
Q

What is an LDAP injection?

A

The Lightweight Directory Access Protocol (LDAP) constructs user input to validate requests. An LDAP injection adds code to an input to execute code on the system's directory.

36
Q

What is XML injection?

A

An Extensible Markup Language (XML) injection is an attack on XML systems to alter configurations, change data streams or change outputs.

37
Q

What is the difference between XSS attacks and SQL injections?

A

SQL injections are server-side vulnerabilities that attack the application's database, whereas XSS attacks are client-side vulnerabilities that target other users of the application

38
Q

What are the differences between DLL, LDAP and XML injections?

A

The difference is where and how the code is being executed and written. DLL, LDAP and XML are all different types of data that can be used on a website. LDAP code can’t be injected into an XML data stream.

39
Q

What is SSL stripping?

A

Secure Socket Layer stripping is a MitM attack against all SSL and TLS 1.0 & 1.1 connections that intercepts the initial connection request for HTTPS, redirects it to an HTTP site and captures all information sent to the website.

40
Q

What can TLS 1.3 connections prevent (compared to earlier versions)?

A

SSL stripping, Man-in-the-Middle attack

41
Q

Explain the DNS record types?

A

The MX DNS record identifies the mail server for a domain. The A DNS record identifies domain names associated with IPs. The CNAME DNS record is used to create aliases. The SOA (Start of Authority) DNS records contain information about the authoritative servers for a DNS zone.

42
Q

What is ASLR?

A

Address Space Layout Randomization (ASLR) is a security technique that randomizes the locations of objects in memory, causing buffer overflow attacks to be less likely to succeed

43
Q

What is SOAR?

A

Security Orchestration, Automation, and Response. SOAR platforms are designed to react to security information and perform workflows across various systems.

44
Q

What are rainbow tables and how are they used in attacks?

A

Rainbow tables are pre-computed hash values for common passwords. Attackers can use these values to search password files that aren’t salted.

45
Q

How do you find collisions in a hash function?

A

Birthday attack

46
Q

What is URL spoofing and what are other names for it?

A

Hyperlink spoofing and web spoofing. It is a type of attack where a user is redirected to a fake website that appears as a valid session. Takes advantage of hyperlinks instead of DNS addresses.

47
Q

What is a land attack?

A

An attack where a spoofed TCP SYN packet is sent with the target's IP address and an open port in both the source and destination headers. This makes the machine continuously reply to itself, causing a system crash or freeze.

48
Q

What are other names for XSRF? What is XSRF?

A

Other names for XSRF, cross-site request forgery, are session riding, CSRF, sea surf, and hostile linking. XSRF is an application issue that involves unauthorized commands coming from a trusted user to a trusted user or website.

49
Q

What are war driving attacks?

A

A method of discovering 802.11 wireless networks by driving around with a laptop and looking for open wireless networks.

50
Q

What is an armored virus?

A

A virus including protected code that prevents examination of critical elements, such as anti-virus.