Chapter 5 Securing Individual Systems Flashcards

1
Q

Malware

A

Software that is detrimental to the operation of a host or system, causing harm or disruption.

2
Q

Virus

A

A type of malware that replicates itself by attaching to other executable files or programs and activates to perform malicious actions.

3
Q

Ransomware

A

A form of malware that encrypts a victim’s files or system, demanding a ransom payment to restore access or decrypt the data.

4
Q

Worm

A

Self-replicating malware that spreads across networks or the internet on its own, without user interaction, typically by exploiting vulnerable network services or abusing channels such as email. Unlike a virus, a worm does not need a host file to attach itself to.

5
Q

Trojan

A

A type of malware that disguises itself as legitimate software or files, tricking users into executing them, allowing unauthorized access or control of the system.

6
Q

Remote Access Trojan (RAT)

A

A type of Trojan that enables remote control and administration of a victim’s computer or system, providing unauthorized access to the attacker.

7
Q

Backdoor

A

A hidden entry point or vulnerability intentionally created by a developer or attacker to bypass security measures and gain unauthorized access to a system.

8
Q

Keylogger

A

A type of malware that records and captures keystrokes made by a user, allowing an attacker to monitor and collect sensitive information such as passwords or credit card details.

9
Q

Rootkit

A

Malware that hides its own presence (and that of related processes, files and network connections) from the operating system and security tools, usually by hooking or patching OS or kernel functions, in order to keep privileged (“root”) access. Kernel-mode and firmware rootkits are the hardest to detect because they run beneath the tools that look for them.

10
Q

Logic Bomb

A

A type of malware that remains dormant until triggered by a specific event or condition, such as a certain date, time, or action. Upon activation, it executes a malicious action, potentially causing damage or disruption to the system or data.

11
Q

Botnet

A

A network of computers or devices that have been infected with malware, allowing a remote attacker to control and commandeer them for malicious activities, such as distributed denial-of-service (DDoS) attacks or sending spam emails.

12
Q

Potentially Unwanted Programs (PUP)

A

Software programs that are typically installed without the user’s full knowledge or consent and may exhibit behaviors that users find undesirable or annoying, such as displaying intrusive advertisements or changing browser settings. While not necessarily malicious, PUPs are often considered unwanted and can impact system performance or user experience.

13
Q

What are some examples of weak configurations?

A

Open Wi-Fi networks, default configurations, guest user accounts, inadequate intruder lockout settings, excessive permissions, improper use of the root account, insecure cryptographic solutions, unnecessary open ports, default installation locations, failure to change default admin credentials.

14
Q

Why are open Wi-Fi networks a security concern?

A

Open Wi-Fi networks lack authentication and encryption, making them vulnerable to unauthorized access and data interception.

15
Q

What is the risk associated with default configurations?

A

Default configurations in devices like routers or baby monitors prioritize convenience over security, potentially allowing unauthorized access if default settings are not changed.

16
Q

Why should guest user accounts be disabled if not necessary?

A

Disabling guest accounts reduces the risk of unauthorized access and helps maintain tighter control over user privileges.

17
Q

How can inadequate intruder lockout settings pose a security risk?

A

Without monitoring of failed logins and a limit on them (account lockout or progressive delays after a number of failures), attackers can run brute force or dictionary attacks against the live login service at full speed, potentially compromising user accounts.

18
Q

What is the principle of least privilege and why is it important?

A

The principle of least privilege advocates for granting users only the minimum access privileges required to perform their tasks, reducing the risk of unauthorized access or accidental data breaches.

19
Q

Why is the improper use of the root account a security concern?

A

The root account in Linux provides full administrative privileges, but its unrestricted use increases the likelihood of mistakes, accidental file deletions, and potential compromise if the account is targeted.

20
Q

Why are insecure cryptographic solutions a problem?

A

Outdated or insecure cryptographic algorithms can compromise the security of network communications, potentially leading to unauthorized access or data breaches.

21
Q

What is the risk associated with unnecessary open ports?

A

Unnecessary open ports provide potential entry points for attackers, increasing the surface area for potential attacks. Closing or disabling such ports reduces the attack surface and mitigates the risk.

22
Q

Why should default installation locations be avoided?

A

Installing software or web servers in their default locations makes it easier for attackers and automated scanners to guess where files, configuration and admin interfaces live. Changing the path is a minor obscurity measure: it complements, but never replaces, patching and hardening the software itself.

23
Q

Why is it important to change default admin credentials?

A

Failure to change default admin usernames and passwords on devices like IoT devices or wireless routers increases the risk of unauthorized access, as default credentials are widely known and easily exploited.

24
Q

What is a zero day attack?

A

A zero day attack is an exploit that takes advantage of a vulnerability in software or hardware that is unknown to, or not yet patched by, the vendor or manufacturer. The name reflects that the vendor has had zero days to fix the issue before it is exploited.

25
Q

What is the Zero Day Initiative (ZDI)?

A

The Zero Day Initiative (run by Trend Micro) is a vendor-agnostic bug bounty program that promotes responsible (coordinated) disclosure: it pays security researchers for discovered vulnerabilities, reports them to the affected vendor, and publishes details only after the vendor has had time to fix them.

26
Q

What are bug bounty programs?

A

Bug bounty programs are initiatives offered by companies, such as Intel, Yahoo!, Snapchat, Cisco, Dropbox, Apple, and Facebook, where individuals can receive financial rewards for responsibly disclosing vulnerabilities in their software or systems.

27
Q

What is a DNS sinkhole attack?

A

Strictly, a DNS sinkhole is a defensive control: a resolver answers queries for known-malicious domains with a harmless or non-routable address, so infected hosts cannot reach their command-and-control servers and the attempts are logged. The attacker’s version, altering DNS answers so that users are sent to malicious websites or servers, is DNS poisoning or hijacking: the same mechanism turned against the victim, leading to credential theft and data compromise.

28
Q

What is privilege escalation?

A

Privilege escalation refers to the process of gaining higher levels of access or privileges on a compromised system or network, often achieved through cracking passwords or exploiting vulnerabilities.

29
Q

What are replay attacks?

A

A replay attack captures valid network traffic, such as an authentication exchange or a session cookie, and re-sends it later to impersonate the original user or repeat a transaction, without needing to decrypt or understand it. Defences bind each message to a nonce, timestamp or session-specific value so that a copy presented later is rejected.
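The exchange described above, as an added example that is not part of the flashcards: a server that checks only a MAC over the request body accepts a captured request as often as it is re-sent, while a server that binds each request to a fresh nonce and a timestamp accepts it exactly once. The message format, the shared key and the client request are constructed for the demonstration.

```python
"""Replay attack against a MAC-only protocol, next to a nonce/timestamp-bound version.

Added example, not from the flashcards: the message format, the shared key and the
client request below are all constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-secret-do-not-reuse"


def mac(*parts: bytes) -> bytes:
    """HMAC-SHA256 over the parts, each length-prefixed so field boundaries are unambiguous."""
    h = hmac.new(SHARED_KEY, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


class NaiveServer:
    """Checks only that the MAC matches the body: a captured (body, tag) pair stays valid forever."""

    def verify(self, body: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(mac(body), tag)


class ReplaySafeServer:
    """Binds each request to a fresh nonce and a timestamp, and remembers nonces seen in the window."""

    def __init__(self, clock, window_seconds: int = 30):
        self.clock = clock                  # injectable clock so the example is deterministic
        self.window = window_seconds
        self.seen = {}                      # nonce -> timestamp at which it was accepted

    def verify(self, body: bytes, nonce: bytes, ts: int, tag: bytes) -> bool:
        # 1. integrity: the MAC must cover body, nonce and timestamp so none can be swapped
        if not hmac.compare_digest(mac(body, nonce, ts.to_bytes(8, "big")), tag):
            return False
        now = self.clock()
        # 2. freshness: reject anything outside the acceptance window
        if abs(now - ts) > self.window:
            return False
        # 3. uniqueness: reject a nonce seen before; drop nonces older than the window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False
        self.seen[nonce] = ts
        return True


def client_request_naive(body: bytes):
    return body, mac(body)


def client_request_safe(body: bytes, ts: int):
    nonce = secrets.token_bytes(16)
    return body, nonce, ts, mac(body, nonce, ts.to_bytes(8, "big"))


def demo():
    """Eve captures one legitimate transfer request and re-sends it to both kinds of server."""
    body = b"POST /transfer amount=100 to=eve"
    naive = NaiveServer()
    captured = client_request_naive(body)
    naive_results = (naive.verify(*captured), naive.verify(*captured))   # original, then replay

    clock = {"t": 1_700_000_000}
    safe = ReplaySafeServer(clock=lambda: clock["t"])
    captured = client_request_safe(body, clock["t"])
    first = safe.verify(*captured)                 # fresh nonce, inside the window
    replay = safe.verify(*captured)                # same nonce again: rejected
    clock["t"] += 3600
    stale = safe.verify(*client_request_safe(body, clock["t"] - 3600))  # valid MAC, but too old
    return naive_results, (first, replay, stale)
```

The nonce cache is what makes the scheme work within the window; the timestamp bounds how long that cache has to be kept. Without the timestamp the server would have to remember every nonce forever; without the nonce an attacker could replay inside the window.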

30
Q

How can pointer and object referencing be exploited?

A

Attackers can corrupt or control pointer values, or trigger dereferences of invalid pointers (null or already freed), so that a program reads from or writes to memory it should not. The result ranges from a crash (denial of service) to disclosure of sensitive memory contents to arbitrary code execution.

31
Q

What are some risks associated with error handling in software development?

A

Verbose error messages, stack traces and debug output can disclose internal details such as file paths, database structure, software versions, or even usernames and credentials, giving attackers valuable insight for further attacks. Errors should be logged in full on the server but reported to the user only in generic terms.

32
Q

What is DLL injection?

A

DLL injection forces a running process to load an attacker-supplied dynamic link library into its address space (for example via a remote thread, registry-based injection, or DLL search-order hijacking), so the malicious code executes with that process’s privileges and can read its data or hide behind its trusted name.

33
Q

What is resource exhaustion in a DDoS attack?

A

Resource exhaustion occurs in distributed denial-of-service (DDoS) attacks, where multiple hosts flood a network or target website with excessive traffic, overwhelming its resources and causing disruption.

34
Q

What is a race condition in multithreaded applications?

A

A race condition is a programming issue that arises in multithreaded applications when multiple threads access shared resources or variables at the same time and the outcome depends on the order in which they run. The classic security form is time-of-check to time-of-use (TOCTOU): a thread checks a condition, another thread changes the state, and the first thread acts on its now-stale check. Consequences range from crashes and data corruption to bypassed security checks.
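The check-then-act race, as an added example that is not part of the flashcards. A race normally shows up once in thousands of runs, so the example forces the losing interleaving with an `after_check` hook that holds one thread between its check and its update; the account, the balances and that hook are constructed for the demonstration. The unlocked version lets two withdrawals of 80 succeed against a balance of 100; the version that holds a lock across check and update lets exactly one through.

```python
"""Check-then-act race in a multithreaded withdrawal, with the interleaving forced so it reproduces.

Added example, not from the flashcards. The account, the amounts and the `after_check`
hook (used only to hold one thread between its check and its action) are constructed.
"""
import threading


class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int, after_check=None) -> bool:
    """Time-of-check to time-of-use bug: nothing stops another thread running between the two."""
    if acct.balance >= amount:          # check
        if after_check:
            after_check()               # window in which another thread may change the balance
        acct.balance -= amount          # act on a stale check
        return True
    return False


def withdraw_safe(acct: Account, amount: int, after_check=None) -> bool:
    """Fix: hold the lock across both the check and the update so together they are atomic."""
    with acct.lock:
        if acct.balance >= amount:
            if after_check:
                after_check()
            acct.balance -= amount
            return True
        return False


def run_race(withdraw, balance=100, amount=80):
    """Two threads withdraw `amount` from `balance`. Correct result: exactly one succeeds.

    Thread 1 pauses right after its check; thread 2 starts its withdrawal only once that has
    happened, so the interleaving that exposes the bug occurs every run instead of rarely."""
    acct = Account(balance)
    t1_checked = threading.Event()
    t2_done = threading.Event()
    results = []

    def pause():
        t1_checked.set()
        # In the locked version thread 2 is blocked on the lock and never sets t2_done, so this
        # wait simply times out and thread 1 completes its own withdrawal before thread 2 gets in.
        t2_done.wait(timeout=0.5)

    def thread1():
        results.append(("t1", withdraw(acct, amount, pause)))

    def thread2():
        t1_checked.wait(timeout=2)
        results.append(("t2", withdraw(acct, amount)))
        t2_done.set()

    threads = [threading.Thread(target=thread1), threading.Thread(target=thread2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, dict(results)
```

`run_race(withdraw_racy)` ends with a balance of -60 and both withdrawals reported as successful; `run_race(withdraw_safe)` ends at 20 with the second withdrawal refused. The same pattern applies to file permission checks followed by an open, or a privilege check followed by the privileged action: the check and the use must happen under the same lock or as one atomic operation.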

35
Q

What is a driver shimming attack?

A

A driver shimming attack installs a malicious shim or driver that sits between an application and the real driver or API, intercepting calls so that malicious code runs transparently. Shims are a legitimate compatibility mechanism (Windows uses them to run older software); the attack abuses that trust.

36
Q

What is driver refactoring?

A

Driver refactoring refers to the modification of the internal code of a trusted driver to evade malware detection by using replacement parameters and hiding malicious code within the program.

37
Q

Can free antivirus software be as effective as paid subscriptions?

A

While opinions may vary, some believe that free antivirus software, such as Windows Defender, can provide comparable protection to paid subscriptions. However, research and careful consideration of features and capabilities are advised.

38
Q

What are overflow attacks?

A

Overflow attacks, such as integer overflows and buffer overflows, occur when a program accepts more data than the buffer it allocated can hold, or when arithmetic on a length or size exceeds the range of its integer type, because input sizes were not validated. Depending on what is overwritten, the result can be disclosure of sensitive information, remote code execution, privilege escalation, or an application crash.

39
Q

How does the Heartbleed bug exploit a buffer overflow?

A

Heartbleed (CVE-2014-0160) was a bounds-checking flaw in the TLS heartbeat extension of older OpenSSL versions. The server trusted the payload length claimed in a client’s heartbeat message without checking it against the length actually received, and echoed back that many bytes. Strictly it was a buffer over-read rather than an overflow: nothing was overwritten, but up to 64 KB of adjacent server memory (session cookies, credentials, even private keys) was returned to the attacker per request.
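The unchecked length, as an added example that is not OpenSSL’s code and not part of the flashcards. Server memory is modelled as a bytearray holding the received heartbeat record followed by unrelated (constructed) server data, so the effect of trusting the client’s length field is visible without real memory corruption. The record layout follows RFC 6520 (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding); the check in `patched_handler` is the one the fix added.

```python
"""Heartbleed-style over-read: the server trusts the client's payload length field.

Added example, not from the flashcards and not OpenSSL's code: memory is modelled as a
bytearray holding the received heartbeat record followed by unrelated server data, so the
effect of an unchecked length is visible without any real memory corruption. Field layout
follows RFC 6520 (1-byte type, 2-byte payload_length, payload, >= 16 bytes padding).
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3          # type (1) + payload_length (2)
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """The client builds the record. An honest client passes len(payload); an attacker lies."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytearray, record_offset: int, record_len: int) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes from the payload start, whatever was received.

    record_len is available but never consulted, which is the whole bug."""
    _hbtype, claimed = struct.unpack_from("!BH", memory, record_offset)
    start = record_offset + HEADER_LEN
    payload = bytes(memory[start:start + claimed])     # runs past the record into neighbouring data
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload


def patched_handler(memory: bytearray, record_offset: int, record_len: int):
    """Post-fix behaviour: header + claimed length + minimum padding must fit inside the record."""
    _hbtype, claimed = struct.unpack_from("!BH", memory, record_offset)
    if HEADER_LEN + claimed + MIN_PADDING > record_len:
        return None                                     # silently discard, as the fix does
    start = record_offset + HEADER_LEN
    payload = bytes(memory[start:start + claimed])
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload


def demo(claimed_length: int = 4000):
    """Returns (bytes leaked by the vulnerable handler, patched handler's result, honest echo)."""
    payload = b"hello"
    record = build_heartbeat(payload, claimed_length)
    # Constructed neighbouring heap contents standing in for whatever sat next to the request buffer
    neighbour = b"...cookie=SESSIONID=8f3a...;  -----BEGIN RSA PRIVATE KEY-----MIIEow..."
    memory = bytearray(record + neighbour)

    leaked = vulnerable_handler(memory, 0, len(record))[HEADER_LEN:]
    blocked = patched_handler(memory, 0, len(record))
    honest = build_heartbeat(payload, len(payload))
    echo = patched_handler(bytearray(honest + neighbour), 0, len(honest))[HEADER_LEN:]
    return leaked, blocked, echo
```

With a five-byte payload and a claimed length of 4000, the vulnerable handler returns "hello", the padding, and everything after it up to the end of the buffer; the patched handler returns nothing for the lying request and echoes exactly "hello" for an honest one. In Python the slice stops at the end of the bytearray, which is the one place the model is kinder than C.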

40
Q

What can be done to mitigate driver-related and buffer overflow attacks?

A

Mitigation strategies include applying patches and updates promptly, subscribing to threat intelligence feeds, training developers in secure coding practices, and ensuring code undergoes rigorous testing and review to identify and rectify programmatic errors.

41
Q

What are online and offline password attacks?

A

Online password attacks send guesses to the live authentication service and are limited by its rate limits, lockout policy and logging. Offline attacks work on captured password hashes (from a stolen database or a sniffed exchange) and are limited only by the attacker’s hardware and how slow the hashing algorithm is, so they can try billions of guesses unobserved.

42
Q

What is a dictionary password attack?

A

A dictionary password attack involves using a dictionary file containing a list of common passwords or phrases and systematically trying each entry against user accounts to find a match.
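The offline form of the attack, as an added example that is not part of the flashcards. The same three users are stored twice, once with a single salted SHA-256 and once with PBKDF2, and the same wordlist is run against both. The “captured” records and the wordlist are constructed in memory so that the script runs offline; the PBKDF2 iteration count is an assumption.

```python
"""Offline dictionary attack against captured password hashes, fast hash versus slow KDF.

Added example, not from the flashcards. The 'captured' records and the wordlist are
constructed in memory so the script runs offline; no real breach data is used.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a dictionary file such as rockyou.txt
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2023", "dragon"]


def fast_hash(password: str, salt: bytes) -> bytes:
    """Single salted SHA-256: the salt defeats precomputed tables, but each guess is still cheap."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs the attacker `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(user: str, password: str, hasher) -> dict:
    """What a password database row looks like: a per-user random salt and the derived hash."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": hasher(password, salt)}


def dictionary_attack(records, wordlist, hasher):
    """Try each wordlist entry against each record until the hashes match.

    Returns ({user: recovered_password}, number_of_hash_computations); the second value is
    the attacker's real cost, and a slow KDF multiplies it by its iteration count."""
    cracked, work = {}, 0
    for rec in records:
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(hasher(guess, rec["salt"]), rec["hash"]):
                cracked[rec["user"]] = guess
                break                # per-user salt: nothing learned here transfers to the next user
    return cracked, work


def demo():
    """Same users and passwords stored both ways; returns the crack results and the time each took."""
    creds = [("alice", "Summer2023"), ("bob", "correct horse battery staple"), ("carol", "password")]
    out = {}
    for name, hasher in (("fast", fast_hash), ("slow", slow_hash)):
        records = [make_record(u, p, hasher) for u, p in creds]
        t0 = time.perf_counter()
        cracked, work = dictionary_attack(records, WORDLIST, hasher)
        out[name] = {"cracked": cracked, "work": work, "seconds": time.perf_counter() - t0}
    return out
```

Both stores give up alice and carol (their passwords are in the list) and neither gives up bob, after the same 13 hash computations; the difference is that the PBKDF2 run takes orders of magnitude longer for the same 13 guesses, which is the only lever the defender has once the hashes are gone. The per-user salt is why the attacker has to start over for each record instead of hashing the wordlist once.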

43
Q

How does a brute force attack differ from a dictionary attack?

A

A brute force attack involves trying all possible combinations of characters, numbers, and symbols until the correct password is discovered. It does not rely on pre-existing password lists like a dictionary attack.

44
Q

What is password spraying?

A

Password spraying tries a small number of common passwords against many user accounts, one password per round, so that no single account accumulates enough failures to trigger lockout. It is slower than brute-forcing one account but effective precisely because lockout thresholds count failures per account, not per attacker.
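The interaction between lockout settings (card 17) and spraying, as an added example that is not part of the flashcards. A toy login service locks an account after five consecutive failures; a brute-force run against one account trips it after five guesses, while a spray of three passwords across nine accounts locks nobody and still finds the one weak password. The same log the service writes is then checked for the spray signature: one source failing against many distinct accounts. The service, the directory, the passwords, the source addresses and the threshold are all constructed.

```python
"""Account lockout versus password spraying, from both the attacker's and the defender's side.

Added example, not from the flashcards. The login service, user list, passwords and
source addresses are constructed; the lockout threshold (5 failures) is an assumption.
"""
import collections


class LoginService:
    """Toy authentication endpoint that locks an account after `threshold` consecutive failures."""

    def __init__(self, users: dict, threshold: int = 5):
        self.users = users
        self.threshold = threshold
        self.failures = collections.Counter()
        self.locked = set()
        self.log = []                     # (src_ip, user, result): what the SIEM would receive

    def login(self, src_ip: str, user: str, password: str) -> str:
        if user in self.locked:
            result = "locked"
        elif self.users.get(user) == password:
            result = "ok"
            self.failures[user] = 0
        else:
            result = "fail"
            self.failures[user] += 1      # counted per account, not per attacker
            if self.failures[user] >= self.threshold:
                self.locked.add(user)
        self.log.append((src_ip, user, result))
        return result


def brute_force(svc: LoginService, src_ip: str, user: str, guesses):
    """Many passwords against one account: trips the lockout long before the list is exhausted."""
    for guess in guesses:
        result = svc.login(src_ip, user, guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None
    return None


def password_spray(svc: LoginService, src_ip: str, users, passwords):
    """A few passwords against every account, one password per round, staying under the threshold."""
    hits = {}
    for pw in passwords:                  # a real attacker also waits out the lockout window between rounds
        for user in users:
            if svc.login(src_ip, user, pw) == "ok":
                hits[user] = pw
    return hits


def detect_spray(log, min_distinct_users: int = 5):
    """Defender's check: one source failing against many different accounts is the spray signature."""
    failed_users = collections.defaultdict(set)
    for src_ip, user, result in log:
        if result == "fail":
            failed_users[src_ip].add(user)
    return {ip: len(users) for ip, users in failed_users.items() if len(users) >= min_distinct_users}


def demo():
    users = {f"user{i}": f"Un1que-{i}!" for i in range(8)}
    users["dave"] = "Summer2023"          # the one weak password in the directory
    svc = LoginService(users)

    bf = brute_force(svc, "198.51.100.7", "user0",
                     ["123456", "password", "letmein", "qwerty", "Summer2023", "dragon"])
    sprayed = password_spray(svc, "203.0.113.9", list(users), ["Summer2023", "Welcome1", "Password1"])
    return {
        "brute_force_result": bf,
        "brute_force_locked": "user0" in svc.locked,
        "spray_hits": sprayed,
        "spray_locked_anyone": bool(svc.locked - {"user0"}),
        "alerts": detect_spray(svc.log),
    }
```

The brute force returns nothing and leaves user0 locked after five failures; the spray recovers dave’s password with at most three failures per account, so the lockout policy never fires. `detect_spray` flags the spraying address (eight distinct accounts failed from it) and ignores the brute-force address (one account), which is why per-source and per-account counting both belong in the lockout design.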

45
Q

What are some tools used for password attacks?

A

Tools such as John the Ripper, Cain and Abel, and Hydra are commonly used for password attacks: Hydra performs online attacks against network login services, while John the Ripper (and the now-unmaintained Cain and Abel) work mainly offline against captured hashes. They automate the guessing and combine dictionaries, mangling rules and brute-force methods.

46
Q

How can organizations mitigate password-based attacks?

A

Organizations can implement measures like complex passwords, multi-factor authentication, account lockout policies, and regular password policy enforcement to mitigate the risk of password attacks. Additionally, user education and awareness can help promote strong password practices.

47
Q

What is a botnet?

A

A botnet is a network of infected machines (bots) that are under the control of a malicious actor. The bots communicate with a command and control (C&C) server, which allows the attacker to issue instructions and control the bots collectively.

48
Q

How can intrusion detection systems help mitigate botnet attacks?

A

Intrusion detection systems can detect suspicious outbound traffic from infected machines to a command and control server. Unusual patterns of outbound connections, such as multiple bots communicating with the same destination, can trigger alerts, allowing organizations to take action and mitigate the threat.

49
Q

How can DNS text records be used in botnet communication?

A

Malicious actors can store instructions for bots in DNS text records. The infected bots query the DNS server to retrieve these instructions, creating a communication channel between the botnet and the attacker. Detecting excessive DNS queries for text records can be an indicator of botnet activity.

50
Q

How does the Tor network help hide the origin of botnet communications?

A

The Tor network anonymizes network traffic by routing it through a series of volunteer-operated nodes. By using the Tor network, botnet communications can be routed through multiple nodes, making it difficult to trace the origin of the communication back to the attacker.

51
Q

How can packet capture analysis help detect botnet activity?

A

Analyzing packet captures or resolver logs can reveal suspicious DNS queries, such as repeated TXT lookups for random-looking subdomains of one domain, which ordinary clients rarely make. Unusual DNS traffic patterns, especially the same odd domain being queried by several hosts at regular intervals, can indicate that those machines are part of a botnet and communicating with a command and control server.
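The detection described in cards 48, 49 and 51, as an added example that is not part of the flashcards. It runs over constructed resolver query log lines (an assumed `timestamp client qname qtype` layout; a real log or a pcap export would need its own parser) and reports two things: clients whose DNS traffic is dominated by TXT queries for high-entropy labels, and domains whose TXT records several clients fetch. The thresholds are assumptions to tune per network.

```python
"""Spotting DNS TXT beaconing in resolver query logs.

Added example, not from the flashcards. The log lines are constructed and use an assumed
'timestamp client qname qtype' layout; the thresholds are assumptions to tune per network.
"""
import collections
import math

QUERY_LOG = """\
2024-05-01T10:00:01 10.0.0.7  www.example.com                A
2024-05-01T10:00:02 10.0.0.7  mail.example.com               AAAA
2024-05-01T10:00:03 10.0.0.7  _dmarc.partner.example         TXT
2024-05-01T10:00:04 10.0.0.7  cdn.example.net                A
2024-05-01T10:00:05 10.0.0.7  login.example.com              A
2024-05-01T10:00:06 10.0.0.12 www.example.com                A
2024-05-01T10:00:07 10.0.0.12 k3j9x2pq.cmd.badc2.example     TXT
2024-05-01T10:00:37 10.0.0.12 v8m1zr4t.cmd.badc2.example     TXT
2024-05-01T10:01:07 10.0.0.12 q0w7e5ry.cmd.badc2.example     TXT
2024-05-01T10:01:37 10.0.0.12 b6n2c8xa.cmd.badc2.example     TXT
2024-05-01T10:00:09 10.0.0.33 update.example.org             A
2024-05-01T10:00:10 10.0.0.33 z1x4c7vb.cmd.badc2.example     TXT
2024-05-01T10:00:40 10.0.0.33 p9o3i6uy.cmd.badc2.example     TXT
2024-05-01T10:01:10 10.0.0.33 m5n8b2vc.cmd.badc2.example     TXT
"""


def parse(log: str):
    for line in log.splitlines():
        ts, client, qname, qtype = line.split()
        yield ts, client, qname.lower().rstrip("."), qtype


def base_domain(qname: str) -> str:
    """Registrable-ish domain: last two labels (a real tool would use the public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; machine-generated labels score higher than words."""
    counts = collections.Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def analyse(log: str, min_txt: int = 3, min_txt_ratio: float = 0.5, min_clients: int = 2):
    """Two views: suspicious clients (TXT-heavy, random-looking names) and shared destinations."""
    total = collections.Counter()
    txt = collections.Counter()
    txt_labels = collections.defaultdict(list)
    clients_per_domain = collections.defaultdict(set)

    for _ts, client, qname, qtype in parse(log):
        total[client] += 1
        if qtype == "TXT":
            txt[client] += 1
            txt_labels[client].append(qname.split(".")[0])
            clients_per_domain[base_domain(qname)].add(client)

    suspicious_clients = {}
    for client, n in txt.items():
        ratio = n / total[client]
        avg_entropy = sum(label_entropy(lab) for lab in txt_labels[client]) / n
        if n >= min_txt and ratio >= min_txt_ratio:
            suspicious_clients[client] = {"txt": n, "ratio": round(ratio, 2),
                                          "avg_entropy": round(avg_entropy, 2)}

    # Several hosts fetching TXT records from the same unfamiliar domain: a shared command channel
    shared_c2 = {d: sorted(c) for d, c in clients_per_domain.items() if len(c) >= min_clients}
    return suspicious_clients, shared_c2
```

On the constructed log, 10.0.0.7 (one legitimate `_dmarc` TXT lookup among five queries) is not flagged, 10.0.0.12 and 10.0.0.33 are, and `badc2.example` is reported as a domain two hosts share. A mail server or a monitoring box will legitimately make many TXT queries, so the client view needs an allow list of expected domains; the shared-destination view is the more robust of the two because it does not depend on any one host’s ratio.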

52
Q

How can online services like VirusTotal assist in analyzing packet captures for botnet activity?

A

Online services like VirusTotal allow users to upload packet captures for analysis. These services utilize various detection mechanisms, including antivirus solutions and intrusion detection systems, to identify potential malware or suspicious activities in the captured traffic. This can help identify and mitigate botnet-related threats.

53
Q

What does RAID stand for

A

Redundant Array of Independent Disks.

54
Q

What is the purpose of RAID?

A

RAID is used to improve performance, increase storage capacity, and provide fault tolerance.

55
Q

What is the difference between hardware RAID and software RAID?

A

Hardware RAID uses a dedicated RAID controller, while software RAID relies on the operating system to manage the configuration.

56
Q

What is RAID 0?

A

RAID 0, or disk striping, improves performance by striping data across multiple disks but offers no fault tolerance.

57
Q

What is RAID 1?

A

RAID 1, or disk mirroring, creates an exact copy of data on multiple disks, providing high availability and data redundancy.

58
Q

What is RAID 5?

A

RAID 5 combines disk striping with distributed parity across at least three disks, offering both performance and fault tolerance: any single disk can fail and its contents are rebuilt by XOR-ing the remaining blocks of each stripe. A second failure before the rebuild completes loses the array.
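The parity mechanism, as an added example that is not part of the flashcards: disks are lists of fixed-size blocks in memory, each stripe holds one XOR parity block whose position rotates across the disks, and a lost disk is rebuilt from the survivors. The layout and block size are assumptions for illustration; RAID 6 adds a second, independently computed parity block (not shown) so that two disks can be lost.

```python
"""RAID 5 in miniature: striping with rotating XOR parity, and rebuilding a failed disk.

Added example, not from the flashcards. Disks are lists of fixed-size blocks in memory; the
layout (parity rotates one disk per stripe) and block size are assumptions for illustration.
"""
from functools import reduce


def xor_blocks(blocks):
    """Bitwise XOR of equal-length blocks; XOR-ing all-but-one recovers the missing one."""
    return bytes(reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks))


def raid5_write(data: bytes, n_disks: int, block_size: int):
    """Split data into stripes of (n_disks - 1) data blocks plus one parity block.

    Returns (disks, original_length); disks[d][s] is stripe s on disk d."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % data_per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // data_per_stripe):
        chunk = padded[s * data_per_stripe:(s + 1) * data_per_stripe]
        blocks = [chunk[i:i + block_size] for i in range(0, data_per_stripe, block_size)]
        parity_disk = s % n_disks                       # rotate parity so no single disk is a hotspot
        stripe = list(blocks)
        stripe.insert(parity_disk, xor_blocks(blocks))
        for d in range(n_disks):
            disks[d].append(stripe[d])
    return disks, len(data)


def raid5_rebuild(disks, failed: int):
    """Recreate every block of the `failed` disk from the other disks' blocks in the same stripe."""
    others = [d for d in range(len(disks)) if d != failed and disks[d] is not None]
    if len(others) != len(disks) - 1:
        raise RuntimeError("RAID 5 survives exactly one failure; a second lost disk is unrecoverable")
    disks[failed] = [xor_blocks([disks[d][s] for d in others]) for s in range(len(disks[others[0]]))]
    return disks


def raid5_read(disks, length: int) -> bytes:
    """Reassemble the data blocks in order, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(n_disks):
            if d != s % n_disks:
                out += disks[d][s]
    return bytes(out[:length])


def demo(data: bytes = b"The quick brown fox jumps over the lazy dog. " * 3, failed_disk: int = 2):
    """Write, kill one disk, rebuild it, and confirm the data reads back intact."""
    disks, length = raid5_write(data, n_disks=4, block_size=8)
    disks[failed_disk] = None                           # simulate the disk dying
    raid5_rebuild(disks, failed_disk)
    return raid5_read(disks, length) == data
```

Because parity is plain XOR, the rebuild cost is one read of every surviving disk for every stripe, which is why large arrays spend hours in a degraded state after a failure, and why that window is the risk RAID 6’s second parity exists to cover. RAID of any level is an availability control, not a backup: a ransomware encryption or an accidental delete is faithfully written to all disks.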

59
Q

What is RAID 6?

A

RAID 6 is similar to RAID 5 but uses double distributed parity, allowing for the simultaneous failure of two disks without data loss.

60
Q

What is RAID 10?

A

RAID 10, or RAID 1+0, combines disk mirroring and striping for both performance and high availability.

61
Q

Why is physical access to hardware a concern for cybersecurity professionals?

A

Physical access to hardware can bypass logical security controls (booting from external media, removing disks, attaching devices), making it easier for malicious actors to compromise systems.

62
Q

How can the use of removable media be limited in a Windows environment?

A

Group Policy settings can be configured to deny read and write access to removable disks, restricting their usage.

63
Q

What is the purpose of using diverse vendor equipment in network security?

A

Mixing different vendor equipment makes it harder for attackers to exploit vulnerabilities across the network.

64
Q

What is a USB data blocker?

A

A USB data blocker is a hardware device that allows only power charging through a USB connection, preventing data transfer.

65
Q

What is TPM (Trusted Platform Module)?

A

A TPM is a dedicated security chip (or firmware equivalent) that records measurements of each stage of the boot process in its platform configuration registers, generates and stores cryptographic keys that cannot be exported, and releases a disk encryption key (for example to BitLocker) only when the measured boot state matches the one the key was sealed to.

66
Q

Why is firmware update management important for hardware security?

A

Applying firmware updates ensures that security vulnerabilities in devices are patched, enhancing overall security.

67
Q

Why is disk encryption beneficial for hardware security?

A

Encrypting disks protects data at rest: if a disk or laptop is stolen, the data cannot be read without the decryption key. It does not protect a running, unlocked system, where the key is in memory and the OS decrypts transparently for any process that can read the files.

68
Q

How can uninterruptible power supplies (UPS) contribute to hardware availability?

A

UPS devices provide backup power during outages, allowing servers and critical equipment to continue operating and shut down gracefully.

69
Q

What is an endpoint in the context of cybersecurity?

A

An endpoint is any device at the end of a network connection where users or workloads run, such as a laptop, desktop, phone or server. Endpoints are where most malware executes, so endpoint protection (antivirus, host firewall, EDR) watches for suspicious activity there rather than only at the network edge.

70
Q

Why is it important to have both a host-based firewall and an antivirus scanner?

A

A host-based firewall limits incoming traffic, while an antivirus scanner detects and removes malware already present on the device.

71
Q

What is the significance of real-time virus monitoring?

A

Real-time virus monitoring detects and prevents malware infections by continuously scanning and removing threats as they are encountered.

72
Q

How can administrators prevent malware incidents caused by disabling the virus scanner?

A

Administrators should ensure that the virus scanner is re-enabled after temporary disabling, preventing potential security gaps.

73
Q

What is ransomware, and how does it typically operate?

A

Ransomware encrypts data files and demands a ransom payment in exchange for decrypting the files, often using anonymous payment methods like Bitcoin.

74
Q

What is a host intrusion detection system (HIDS)?

A

A host intrusion detection system monitors and detects suspicious activity on a host device, such as analyzing log files or monitoring network traffic.

75
Q

How does a next-generation firewall (NGFW) differ from a traditional firewall?

A

A next-generation firewall goes beyond port- and address-based packet filtering to inspect traffic at the application layer (deep packet inspection), identify applications and users regardless of port, and integrate intrusion prevention, so it can make more granular decisions on allowing or denying traffic.

76
Q

What is an allow list (whitelist) and a deny list (blacklist) in the context of firewall configuration?

A

An allow list specifies exactly which activities or applications are permitted and blocks everything else (default deny); a deny list blocks known-bad activities or applications and permits everything else. Allow lists are the stronger control but need more maintenance; a deny list can never be complete.