Chapter 4

Question 1

Advanced Persistent Threat (APT)

Answer 1

A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The purpose of such an attack is to steal data, not to damage the network or organization. Sectors with high-value information, such as national defense, manufacturing, and the financial industry, are commonly the target of such attacks.

Question 2

Adware

Answer 2

Unwanted software that displays advertisements. Often linked with spyware.

Question 3

Alternate Data Stream (ADS)

Answer 3

A feature added to the NTFS file system to support files from POSIX, OS/2, and Macintosh. ADS supports multiple resource forks for file objects. Hackers use ADS to hide files.

Question 4

Arbitrary Code Execution

Answer 4

An exploit that allows a hacker to run any command line function on a compromised system. Buffer overflow attacks and SQL injection attacks can often allow arbitrary code execution.

Question 5

ARP Spoofing

Answer 5

The falsification of ARP replies to trick the requestor into sending frames to a system other than its intended destination.

Question 6

Banner

Answer 6

A message sent by a service in response to a valid or invalid query. A banner can confirm communication is functioning properly or announce an error. Some banners disclose the product name and version number of the service.

Question 7

Banner Grabbing

Answer 7

The act of capturing or extracting banners from services. Hackers often perform banner grabbing after port scanning to learn what service is active on a port.

Question 8

Botnet army

Answer 8

A network of zombie/bot/agent– compromised systems controlled by a hacker. The network consists of the bots, agents, or zombies that intercommunicate over the Internet. Another term for zombie.

Question 9

Buffer Overflow

Answer 9

A condition in which a memory buffer exceeds its capacity and extends its contents into adjacent memory. Often used as an attack against poor programming techniques or poor soft-ware quality control. Hackers can inject more data into a memory buffer than it can hold, which may result in the additional data overflowing into the next area of memory. If the overflow extends to the next memory segment designated for code execution, a skilled attacker can insert arbitrary code that will execute with the same privileges as the current program. Improperly formatted overflow data may also result in a system crash.

Question 10

Chip Creep

Answer 10

The slow movement of a chip out of its socket or solder points because of expansion and contraction caused by extreme temperature fluctuations.

Question 11

Cluster

Answer 11

A logical division of data composed of one or more sectors on a hard drive. A cluster is the smallest addressable unit of drive storage, usually 512, 1,024, 2,048, or 4,096 bytes, depending on the logical volume size.

Question 12

Cold Calling

Answer 12

A tactic of pursuing and extracting information for the purpose of making a sale or performing a social engineering attack. A cold call presupposes little or no knowledge of the person answering the phone. It requires the caller to be able to pick up on vocal and word clues, be knowledge-able about human nature, and adapt quickly to changes in conversation.

Question 13

Command Shell

Answer 13

A software interface with a system that allows code execution. A command shell is often the focus of an attack. If a hacker gains access to a command shell, he or she can perform arbitrary code execution. Also known as a terminal window or a command prompt. For example, in Windows, the command shell prompt is usually “C:>”.

Question 14

Contract Worker

Answer 14

An outsider brought into an organization to work on a temporary basis. Contracted workers can be consultants, temporary workers, seasonal workers, contractors, or even day-laborers. Contracted workers potentially represent a greater risk than regular, full-time regular employees because they might lack loyalty, not see the company as worthy of protection, might not be accountable after a project ends, and so on.

Question 15

Covert Channel

Answer 15

An unknown, secret pathway of communication. Covert channels can be timing or storage-based.

Question 16

Cross-site scripting (XSS)

Answer 16

The malicious insertion of scripting code onto a vulnerable Web site. The results of an XSS attack can include the corruption of the data on the Web site or identity theft of the site’s visitors.

Question 17

Deterrent

Answer 17

A form of security defense that focuses on discouraging a perpetrator with disincentives such as physical harm, social disgrace, or legal consequences. A deterrent can also be a defense that is complex or difficult to overcome, such as strong encryption, multifactor authentication, or stateful inspection filtering.

Question 18

Dialer

Answer 18

A rogue program that automatically dials a modem to a pre-defined number. Sometimes this is to auto-download additional malware to the victim or to upload stolen data from the victim. In other cases, the dialer calls premium rate telephone numbers to rack up massive long distance charges.

Question 19

Disgruntled Employee

Answer 19

A worker who feels wronged by his or her employer and who may take malicious, unethical, potentially illegal actions to exact revenge on the organization.

Question 20

Distributed denial of service (DdoS) Attack

Answer 20

An attack that uses multiple remotely controlled software agents disseminated across the Internet. Because the denial of service attack comes from multiple machines simultaneously, it is “distributed.” DDoS attacks can include flooding, spam, eavesdropping, interception, MitM, session hijacking, spoofing, packet manipulation, distribution of malware, hosting phishing sites, stealing passwords, cracking encryption, and more.

Question 21

DNS Poisoning

Answer 21

A form of exploitation in which the data on a DNS server are falsified so subsequent responses to DNS resolution queries are incorrect. DNS poisoning can wage man-in-the-middle attacks.

Question 22

DNS Spoofing

Answer 22

A form of exploitation in which unauthorized or rogue DNS server responds to DNS queries with false, spoofed resolutions. DNS poisoning can wage man-in-the-middle attacks.

Question 23

Domain registration

Answer 23

The information related to the owners and managers of a domain name accessed through domain registrar’s Web sites and whois lookups. A domain registration might include a physical address, people’s names, e-mail addresses, and phone numbers. This information is useful in waging social engineering attacks.

Question 24

Dumpster diving

Answer 24

A type of reconnaissance in which an attacker examines an organization’s trash or other discarded items to learn internal or private information. The results of dumpster diving are often used to wage social engineering attacks.

Question 25

Enumeration

Answer 25

The process of discovering sufficient details about a potential target to learn about network or system vulnerabilities. Enumeration often starts with operating system identification, followed by application identification, then extraction of information from discovered services.

Question 26

Flaw Exploitation Attack

Answer 26

A form of DoS that uses a software specific exploit to cause the interruption of availability. Once you apply the appropriate patch, the system is no longer vulnerable to this particular exploit.

Question 27

Flooding

Answer 27

An attack, usually resulting in a DoS, in which hackers direct massive amounts of traffic toward a target to fully consume available band-width or processing capabilities.

Question 28

Footprinting

Answer 28

The act of researching and uncovering information about a potential attack target. Also known as reconnaissance.

Question 29

Hacktivism

Answer 29

Politically or socially motivated hacking, seen by activists as a form of civil disobedience in the interest of free speech and human rights, but seen by its opponents as a form of cyberterrorism.

Question 30

Hierarchical File System (HFS)

Answer 30

A storage device file system developed by Apple Inc. for use on Macintosh computers. HFS supports multiple resource forks for file objects.

Question 31

ICMP Redirect

Answer 31

An announcement message sent to hosts to adjust the routing table. ICMP type 5 messages are known as redirects. Hackers can use ICMP redirects to perform man-in-the-middle or session hijacking attacks.

Question 32

IDS Insertion

Answer 32

An attack that exploits the nature of a network-focused IDS to collect and analyze every packet to trick the IDS into thinking an attack took place when it actually hasn’t. The common purpose of IDS injection attacks is to trick signature or pattern matching detection of malicious network events.

Question 33

Insertion attack

Answer 33

An exploit-based on the introduction of unauthorized content or devices to an otherwise secured infrastructure. Three common insertion-based attacks include SQL injection, IDS insertion, and rogue devices.

Question 34

Instant messaging

Answer 34

A form of near real-time text communication. Also known as chat, IRC, and SMS messaging.

Question 35

Intentional Electromagnetic Interference (IEMI)

Answer 35

The result of an intentional discharge made to damage or destroy electronic equipment ranging from cell phones to computers and servers.

Question 36

Interception Attack

Answer 36

Any attack that positions the attacker inline with a session between a client and server. Such attacks typically allow the hacker to eavesdrop and manipulate the contents of the session. Also known as a man-in-the-middle attack.

Question 37

Internet Relay Chat (IRC)

Answer 37

A real-time text communication system. Hackers commonly use IRC as a way to communicate anonymously and control botnets.

Question 38

Keystroke Logger

Answer 38

Malware that records all keyboard input and transmits the keystroke log to a hacker.

Question 39

Leetspeak

Answer 39

A somewhat secret form of communication or language hackers use based on replacing letters with numbers, symbols, or other letters that somewhat resemble the original characters. For example, “elite” becomes “eleet,” and then becomes “31337.”

Question 40

Logic Bomb

Answer 40

Malware that acts like an electronic land mine. Once a hacker places a logic bomb in a system, it remains dormant until a triggering event takes place. The trigger can be a specific time and date, the launching of a program, the typing of a specific keyword, or accessing a specific URL. Once the trigger occurs, the logic bomb springs its malicious event on the unsuspecting use.

Question 41

MAC Spoofing

Answer 41

The act of a hacker changing the MAC address of their network interface. Commonly used to bypass MAC filtering on a wireless access point by impersonating a valid client.

Question 42

Maximum transmission unit (MTU)q

Answer 42

The largest amount of data that a datagram can hold based on the limitations of the networking devices managing a given segment. As an MTU changes across a communication path, a datagram may be fragmented to comply with the MTU restriction.

Question 43

Mean time between failures (MTBF)

Answer 43

A rating on some hardware devices expressing the average length of time between significant failures.

Question 44

Mean time to failure (MTF)

Answer 44

A rating on some hard-ware devices expressing the average length of time until the first significant failure is likely to happen.

Question 45

Metacharacter

Answer 45

A character that has a special meaning assigned to it and recognized as part of a scripting or programming language. Metacharacters should be filtered, escaped, or blocked to prevent script injection attacks. Escaping metacharacters is a programmatic tactic to treat all characters as basic ASCII rather than as some-thing with special meaning or purpose.

Question 46

MITRE

Answer 46

The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. It sponsors a vulnerability research, cataloging, and information organization: http://cve.mitre.org/.

Question 47

Mobile Code

Answer 47

A form of software transmitted to and executed on a client. Hackers can use mobile code for malicious purposes.

Question 48

Monkey-in-the-middle attack

Answer 48

Another term for man-in-the-middle attack.

Question 49

National Institute of Standards and Technology (NIST)

Answer 49

NIST is a non-regulatory federal agency within the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. As part of its mission, the NIST performs vulnerability research, cataloging, and information distribution: http://nvd.nist.gov/.

Question 50

New technology file system (NTFS)

Answer 50

A file format developed by Microsoft commonly used on Windows systems. NTFS offers file security, large volume size, large file size, and alternate data streams (ADS).

Question 51

Nmap

Answer 51

A network mapping tool that performs network scanning, port scanning, OS identification, and other types of network probing. Nmap is avail-able at http://www.insecure.org/.

Question 52

Non-authenticating query service

Answer 52

Any communication exchange that does not verify the identity of the endpoints of a communication and accepts any properly formed response as valid. DNS and ARP are common examples. Hackers can easily spoof such a service.

Question 53

Opportunistic Hacker

Answer 53

A person who takes advantages of unique or abnormal situations to perform malicious actions, but who would not initiate such actions otherwise.

Question 54

OS/2

Answer 54

A multi-tasking operating system developed jointly by Microsoft and IBM. First released in 1987, it lost nearly its entire market share to Windows after the two companies ceased collaboration in 1990. IBM discontinued support in 2006.

Question 55

Partition

Answer 55

A logical division of a hard drive that can be formatted with a file system.

Question 56

Phishing

Answer 56

An attack that seeks to obtain information from a victim by presenting false credentials or luring victims to an attack site. Phishing can occur face to face, over the phone, via e-mail, on a Web site, or through IM.

Question 57

Ping Sweep

Answer 57

A network scan that sends ICMP type 8 echo requests to a range of IP addresses to obtain ICMP type 0 echo responses. A ping sweep can discover active systems and identify the IP addresses in use.

Question 58

Playback attack

Answer 58

See also Replay attack.

Question 59

Port Scanning

Answer 59

A network scan that sends various constructions of TCP or UDP packets to determine the open or closed state of a port. Tools such as nmap are used to perform port scanning.

Question 60

POSIX

Answer 60

A variant of the UNIX operating system. Supported by Windows NT 4.0, but not in any subsequent version of Windows. POSIX used the ADS feature of NTFS.

Question 61

Privilege escalation

Answer 61

The act of obtaining a higher level of privilege or access for a user account or a session. A tactic employed by hackers once they intrude into a network through the compromise of a normal user account.

Question 62

Professional hacker

Answer 62

A criminal whose objective is to compromise IT infrastructures. Whether operating as individuals, offering mercenary hacking services, or functioning as members of a criminal ring, professional hackers focus time and energy on becoming effective cyber attackers. A professional hacker is someone who contracts out his or her hacking skills to others.

Question 63

Proxy Attack

Answer 63

See also Man-in-the-middle (MinM) attack.

Question 64

Proxy Manipulation

Answer 64

An attack in which a hacker modifies the proxy settings on a client to redirect traffic to another system, such as the hacker’s own machine. The hacker may host a proxy server in addition to eavesdropping and manipulating the redirected traffic.

Question 65

Pwned

Answer 65

A leetspeak word derived from a common IRC typo of “owned.” Used to mean hacking and taking over control of a computer or network.

Question 66

reconnaissance

Answer 66

The act of learning as much as possible about a target before attempting attacks. Reconnaissance consists of collecting data about the target from multiple sources online and offline. Effective reconnaissance is done covertly, without tipping off the target about the research. Reconnaissance can also be called footprinting, discovery, research, and information gathering.

Question 67

Recreational hacker

Answer 67

Someone who enjoys exploring and learning about computer technology but may put an organization’s network at risk by bringing in unapproved software, experimenting on the network, or just trying an exploit to “see if it works.”

Question 68

redundant array of inexpensive disks (RAID)

Answer 68

A disk set management technology that gains speed and fault tolerance. RAID can provide some protection against hard drive failure, but does not protect against software or data compromises, such as virus infection.

Question 69

Return on investment (ROI)

Answer 69

A business evaluation technique to determine whether an investment will earn back equivalent or greater benefit within a specific time.

Question 70

Rogue access point

Answer 70

An access point set up and configured by a hacker to fool users into connecting with it. The hacker may then use the connection to carry out an attack such as a man-in-the-middle attack.

Question 71

Rogue DHCP

Question 72

Rootkit

Answer 72

A form of malware that hackers can upload and deploy on a target system. It often replaces multiple components of the host operating system with altered code.

Question 73

Scanning

Answer 73

The act of probing a network using custom crafted packets. Scanning can determine the IP addresses in use and whether ports are open or closed. The tool nmap can be used to perform scanning.

Question 74

Script Kiddie

Answer 74

A new, inexperienced, or ignorant hacker who uses pre-built attack tools and scripts instead of writing his or her own or customizing existing ones. Even though a derogatory term in the hacker community, “script kiddie” still describes a serious threat to network security.

Question 75

Sector

Answer 75

A subdivision of computer storage medium that represents a fixed size of user-accessible data. Magnetic disks typically have 512-byte sectors; optical disks have 2,048-byte sectors. When a device is formatted, sectors are grouped into clusters.

Question 76

Session hijacking

Answer 76

When a hacker is able to take over a connection after a client has authenticated with a server. To perform this attack, a hacker must eavesdrop on the session to learn details, such as the addresses of the session endpoints and the sequencing numbers. With this information, the hacker can desynchronize the client, take on the client’s addresses, and then inject crafted packets into the data stream. If the server accepts the initial false packets as valid, then the session has been hijacked.

Question 77

Shell code

Answer 77

The content of an exploit to be executed on or against a target system.

Question 78

Slack space

Answer 78

The unused portion of the last cluster allocated to a stored file. It may contain remnants of prior files stored in that location. Hackers can hijack slack space to create hidden storage compartments.

Question 79

Social engineering

Answer 79

The craft of manipulating people into performing tasks or releasing information that violates security. Social engineering relies on telling convincing lies to manipulate people or take advantage of the victim’s desire to be helpful.

Question 80

Spam

Answer 80

Unwanted and often unsolicited messages. Spam is not technically malicious software, but spam can have a serious negative effect on IT infrastructures through sheer volume. Estimates vary, but spam may represents up to 95 percent of all e-mail (which implies for every legitimate e-mail there are up to 19 unrelated spam e-mails.)

Question 81

Spyware

Answer 81

An advancement of keystroke logging to monitor and record many other user activities. Spyware varies greatly, but it can collect a list of applications launched, URLs visited, e-mail sent and received, chats sent and received, and names of all files opened. It can also record network activity, gather periodic screen captures, and even recording from a microphone or Web cam. Can be linked with adware.

Question 82

SQL Injection

Answer 82

A form of Web site/application attack in which a hacker submits SQL expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell.

Question 83

Static electricity discharge (SED)

Answer 83

A sudden and momentary electric current, usually of high voltage and low amperage, that flows between two objects. Commonly caused by low humidity environments. Humans, polyester, and plastics are prone to static build-up. SED can damage most computer components.

Question 84

Trapdoor

Answer 84

A form of unauthorized access to a system. A trapdoor is any access method or pathway that circumvents access or authentication mechanisms. Also known as a backdoor.

Question 85

Trojan horse

Answer 85

A mechanism of distribution or delivery more than a specific type of malware. The Trojan horse embeds a malicious payload within a seemingly benign carrier or host program. When the host program is executed or otherwise accessed, the malware is delivered. The gimmick of a Trojan horse is the act of fooling someone (a type of social engineering attack) into accepting the Trojan program as safe.

Question 86

Unpartitioned space

Answer 86

The area on a storage device not contained within a partition. Unpartitioned space is not directly accessible by the OS.

Question 87

Upstream filtering

Answer 87

The management of traffic by a firewall or other filtering device located one or more hops away (upstream) from a private network.

Question 88

URL injector

Answer 88

Malware that replaces URLs in HTTP GET requests for alternative addresses. These injected URLs cause a different Web page to appear in the browser than the one requested by the user’s request. These replaced Web pages could be adver-tisement sites, generate traffic to falsify search engine optimization (SEO), or lead to fake or spoofed sites.

Question 89

USENET newsgroups

Answer 89

Persistent public messaging forums accessed over the NNTP (Network News Transfer Protocol). USENET has existed since 1980. Although the Web, e-mail, and BitTorrent are more widely known, USENET is still in use today.

Question 90

Virus

Answer 90

Malware that needs a host object to infect. Most viruses infect files, such as executables, device drivers, DDLs, system files, and sometimes even document, audio, video, and image files. Some viruses infect the boot sector of a storage device, including hard drives, floppies, optical discs, and USB drives. Viruses are spread through the actions of users, and spread file-to-file (compare to worms).

Question 91

Wardialing

Answer 91

A method of discovering active modems by dialing a range of phone numbers.

Question 92

Wardriving

Answer 92

A method of discovering wireless networks by moving around a geographic area with a detection device.

Question 93

Whois

Answer 93

A tool used to view domain registration information. Whois is a command line function of Linux and Unix, but is also a tool on most domain registrar Web sites.

Question 94

Worm

Answer 94

Malware that does not need a host object; instead, a worm is a self-sustaining program in its own right. Worms are designed around specific system flaws. The worm scans other systems for this flaw and exploits the flaw to gain access to another victim. Once hosted on another system, the worm seeks to spread itself by repeating the process. Worms can act as carriers to deposit other forms of malicious code as they multiply and spread across networked hosts.

Question 95

Wrapper

Answer 95

A tool used to create Trojan horses by embedding malware inside of a host file or program.

Question 96

Zombie army

Answer 96

A network of zombie/bot/agent-compromised systems controlled by a hacker. The network consists of the bots, agents, or zombies that intercommunicate over the Internet. Another term for botnet.