CHAPTER 21 Questions Flashcards
Dylan is reviewing the security controls currently used by his organization and realizes that he lacks a tool that might identify abnormal actions taken by an end user. What type of tool would best meet this need?
A. EDR
B. Integrity monitoring
C. Signature detection
D. UEBA
D. UEBA
User and entity behavior analytics (UEBA) tools develop profiles of individual behavior and then monitor users for deviations from those profiles that may indicate malicious activity and/or compromised accounts. This type of tool would meet Dylan’s requirements. Endpoint detection and response (EDR) tools watch for unusual endpoint behavior but do not analyze user activity. Integrity monitoring is used to identify unauthorized system/file changes. Signature detection is a malware detection technique.
Tim is working to improve his organization’s antimalware defenses and would also like to reduce the operational burden on his security team. Which one of the following solutions would best meet his needs?
A. UEBA
B. MDR
C. EDR
D. NGEP
B. MDR
All of these technologies are able to play important roles in defending against malware and other endpoint threats. User and entity behavior analysis (UEBA) looks for behavioral anomalies. Endpoint detection and response (EDR) and next-generation endpoint protection (NGEP) identify and respond to malware infections. However, only managed detection and response (MDR) combines antimalware capabilities with a managed service that reduces the burden on the IT team.
Carl works for a government agency that has suffered a ransomware attack and has lost access to critical data but does have access to backups. Which one of the following actions would best restore this access while minimizing the risk facing the organization?
A. Pay the ransom
B. Rebuild systems from scratch
C. Restore backups
D. Install antivirus software
C. Restore backups
If Carl has backups available, that would be his best option to recover operations. He could also pay the ransom, but this would expose his organization to legal risks and incur unnecessary costs. Rebuilding the systems from scratch would not restore his data. Installing antivirus software would be helpful in preventing future compromises, but these packages would not likely be able to decrypt the missing data.
What attack technique is often leveraged by advanced persistent threat groups but not commonly available to other attackers, such as script kiddies and hacktivists?
A. Zero-day exploit
B. Social engineering
C. Trojan horse
D. SQL injection
A. Zero-day exploit
Although an advanced persistent threat (APT) may leverage any of these attacks, they are most closely associated with zero-day attacks due to the cost and complexity of the research required to discover or purchase them. Social engineering, Trojans (and other malware), and SQL injection attacks are often attempted by many different types of attackers.
John found a vulnerability in his code where an attacker can enter too much input and then force the system running the code to execute targeted commands. What type of vulnerability has John discovered?
A. TOCTTOU
B. Buffer overflow
C. XSS
D. XSRF
B. Buffer overflow
Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. Time-of-check to time-of-use (TOCTTOU) attacks exploit timing differences that lead to race conditions. Cross-site scripting (XSS) attacks force the execution of malicious scripts in the user’s browser. Cross-site request forgery (XSRF) attacks exploit authentication trust between browser tabs.
Mary identified a vulnerability in her code where it fails to check during a session to determine whether a user’s permission has been revoked. What type of vulnerability is this?
A. Backdoor
B. TOC/TOU
C. Buffer overflow
D. SQL injection
B. TOC/TOU
TOC/TOU is a type of timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. Backdoors are code that allows those with knowledge of the backdoor to bypass authentication mechanisms. Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. SQL injection attacks include SQL code in user input in the hopes that it will be passed to and executed by the backend database.
What programming language construct is commonly used to perform error handling?
A. If…then
B. Case…when
C. Do…while
D. Try…catch
D. Try…catch
The try…catch clause is used to attempt to evaluate code contained in the try clause and then handle errors with the code located in the catch clause. The other constructs listed here (if…then, case…when, and do…while) are all used for control flow.
Fred is reviewing the logs from his web server for malicious activity and finds this request: http://www.mycompany.com/../../../etc/passwd. What type of attack was most likely attempted?
A. SQL injection
B. Session hijacking
C. Directory traversal
D. File upload
C. Directory traversal
In this case, the .. operators are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. SQL injection attacks would contain SQL code. File upload attacks seek to upload a file to the server. Session hijacking attacks require the theft of authentication tokens or other credentials.
A developer added a subroutine to a web application that checks to see whether the date is April 1 and, if it is, randomly changes user account balances. What type of malicious code is this?
A. Logic bomb
B. Worm
C. Trojan horse
D. Virus
A. Logic bomb
Logic bombs wait until certain conditions are met before delivering their malicious payloads. Worms are malicious code objects that move between systems under their own power, whereas viruses require some type of human intervention. Trojan horses masquerade as useful software but then carry out malicious functions after installation.
Francis is reviewing the source code for a database-driven web application that his company is planning to deploy. He is paying particular attention to the use of input validation within that application. Of the characters listed here, which is most commonly used in SQL injection attacks?
A. !
B. &
C. *
D. ‘
D. ‘
The single quote character (‘) is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.
Katie is concerned about the potential for SQL injection attacks against her organization. She has already put a web application firewall in place and conducted a review of the organization’s web application source code. She would like to add an additional control at the database level. What database technology could further limit the potential for SQL injection attacks?
A. Triggers
B. Parameterized queries
C. Column encryption
D. Concurrency control
B. Parameterized queries
Developers of web applications should leverage parameterized queries to limit the application’s ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database developers or administrators. With parameterized queries, the SQL statement is defined within the application and variables are bound to that statement in a safe manner.
What type of malicious software is specifically used to leverage stolen computing power for the attacker’s financial gain?
A. RAT
B. PUP
C. Cryptomalware
D. Worm
C. Cryptomalware
Although any malware may be leveraged for financial gain, depending on its payload, cryptomalware is specifically designed for this purpose. It steals computing power and uses it to mine cryptocurrency. Remote access Trojans (RATs) are designed to grant attackers remote administrative access to systems. Potentially unwanted programs (PUPs) are any type of software that is initially approved by the user but then performs undesirable actions. Worms are malicious code objects that move between systems under their own power.
David is responsible for reviewing a series of web applications for vulnerabilities to cross-site scripting attacks. What characteristic should he watch out for that would indicate a high susceptibility to this type of attack?
A. Reflected input
B. Database-driven content
C. .NET technology
D. CGI scripts
A. Reflected input
Cross-site scripting attacks are often successful against web applications that include reflected input. This is one of the two main categories of XSS attack. In a reflected attack, the attacker can embed the attack within the URL so that it is reflected to users who follow a link.
You are the IT security manager for a retail merchant organization that is just going online with an ecommerce website. You hired several programmers to craft the code that is the backbone of your new web sales system. However, you are concerned that although the new code functions well, it might not be secure. You begin to review the code to track down issues and concerns. Which of the following do you hope to find in order to prevent or protect against XSS? (Choose all that apply.)
A. Input validation
B. Defensive coding
C. Allowing script input
D. Escaping metacharacters
A. Input validation
B. Defensive coding
D. Escaping metacharacters
A programmer can implement the most effective way to prevent XSS by validating input, coding defensively, escaping metacharacters, and rejecting all script-like input.
Sharon believes that a web application developed by her organization contains a cross-site scripting vulnerability, and she would like to correct the issue. Which of the following is the most effective defense that Sharon can use against cross-site scripting attacks?
A. Limiting account privileges
B. Input validation
C. User authentication
D. Encryption
B. Input validation
Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML
tag in the input.