Chapter 5 Securing Individual Systems

Question 1

Malware

Answer 1

Software that is detrimental to the operation of a host or system, causing harm or disruption.

Question 2

Virus

Answer 2

A type of malware that replicates itself by attaching to other executable files or programs and activates to perform malicious actions.

Question 3

Ransomware

Answer 3

A form of malware that encrypts a victim’s files or system, demanding a ransom payment to restore access or decrypt the data.

Question 4

Worm

Answer 4

A self-replicating type of malware that spreads through networks or the internet without requiring user interaction, often utilizing email or other communication channels.

Question 5

Trojan

Answer 5

A type of malware that disguises itself as legitimate software or files, tricking users into executing them, allowing unauthorized access or control of the system.

Question 6

Remote Access Trojan (RAT)

Answer 6

A type of Trojan that enables remote control and administration of a victim’s computer or system, providing unauthorized access to the attacker.

Question 7

Backdoor

Answer 7

A hidden entry point or vulnerability intentionally created by a developer or attacker to bypass security measures and gain unauthorized access to a system.

Question 8

Keylogger

Answer 8

A type of malware that records and captures keystrokes made by a user, allowing an attacker to monitor and collect sensitive information such as passwords or credit card details.

Question 9

Rootkit

Answer 9

A type of malware designed to gain privileged access and control over a computer or system by concealing its presence and evading detection, often installed at the root level of the operating system.

Question 10

Logic Bomb

Answer 10

A type of malware that remains dormant until triggered by a specific event or condition, such as a certain date, time, or action. Upon activation, it executes a malicious action, potentially causing damage or disruption to the system or data.

Question 11

Botnet

Answer 11

A network of computers or devices that have been infected with malware, allowing a remote attacker to control and commandeer them for malicious activities, such as distributed denial-of-service (DDoS) attacks or sending spam emails.

Question 12

Potentially Unwanted Programs (PUP)

Answer 12

Software programs that are typically installed without the user’s full knowledge or consent and may exhibit behaviors that users find undesirable or annoying, such as displaying intrusive advertisements or changing browser settings. While not necessarily malicious, PUPs are often considered unwanted and can impact system performance or user experience.

Question 13

What are some examples of weak configurations?

Answer 13

Open Wi-Fi networks, default configurations, guest user accounts, inadequate intruder lockout settings, excessive permissions, improper use of the root account, insecure cryptographic solutions, unnecessary open ports, default installation locations, failure to change default admin credentials.

Question 14

Why are open Wi-Fi networks a security concern?

Answer 14

Open Wi-Fi networks lack authentication and encryption, making them vulnerable to unauthorized access and data interception.

Question 15

What is the risk associated with default configurations?

Answer 15

Default configurations in devices like routers or baby monitors prioritize convenience over security, potentially allowing unauthorized access if default settings are not changed.

Question 16

Why should guest user accounts be disabled if not necessary?

Answer 16

Disabling guest accounts reduces the risk of unauthorized access and helps maintain tighter control over user privileges.

Question 17

: How can inadequate intruder lockout settings pose a security risk?

Answer 17

Without proper monitoring and limits on failed login attempts, attackers can launch brute force or dictionary-based attacks more easily, potentially compromising user accounts.

Question 18

What is the principle of least privilege and why is it important?

Answer 18

The principle of least privilege advocates for granting users only the minimum access privileges required to perform their tasks, reducing the risk of unauthorized access or accidental data breaches.

Question 19

Why is the improper use of the root account a security concern?

Answer 19

The root account in Linux provides full administrative privileges, but its unrestricted use increases the likelihood of mistakes, accidental file deletions, and potential compromise if the account is targeted.

Question 20

Why are insecure cryptographic solutions a problem?

Answer 20

Outdated or insecure cryptographic algorithms can compromise the security of network communications, potentially leading to unauthorized access or data breaches.

Question 21

What is the risk associated with unnecessary open ports?

Answer 21

Unnecessary open ports provide potential entry points for attackers, increasing the surface area for potential attacks. Closing or disabling such ports reduces the attack surface and mitigates the risk.

Question 22

Why should default installation locations be avoided?

Answer 22

Installing software or web servers in default locations can make it easier for attackers to locate and exploit vulnerabilities, potentially leading to unauthorized access or data compromise.

Question 23

Why is it important to change default admin credentials?

Answer 23

Failure to change default admin usernames and passwords on devices like IoT devices or wireless routers increases the risk of unauthorized access, as default credentials are widely known and easily exploited.

Question 24

What is a zero day attack?

Answer 24

A zero day attack is an exploit that takes advantage of a vulnerability in software or hardware that is unknown to the vendor or manufacturer, giving them zero days to fix the issue before it is exploited.

Question 25

What is the Zero Day Initiative (ZDI)?

Answer 25

The Zero Day Initiative is a program that promotes the responsible disclosure of discovered vulnerabilities to benefit the internet community. It also offers monetary rewards to security researchers for disclosing such vulnerabilities.

Question 26

What are bug bounty programs?

Answer 26

Bug bounty programs are initiatives offered by companies, such as Intel, Yahoo!, Snapchat, Cisco, Dropbox, Apple, and Facebook, where individuals can receive financial rewards for responsibly disclosing vulnerabilities in their software or systems.

Question 27

What is a DNS sinkhole attack?

Answer 27

A DNS sinkhole attack involves modifying DNS results to redirect users to malicious websites or servers, leading to potential security risks and data compromise.

Question 28

What is privilege escalation?

Answer 28

Privilege escalation refers to the process of gaining higher levels of access or privileges on a compromised system or network, often achieved through cracking passwords or exploiting vulnerabilities.

Question 29

What are replay attacks?

Answer 29

Replay attacks involve capturing and manipulating network conversations or secure cookies to deceive systems or gain unauthorized access to secure networks or websites.

Question 30

How can pointer and object referencing be exploited?

Answer 30

Attackers can manipulate memory pointer locations, potentially leading to the disclosure of sensitive information or causing denial of service attacks by writing to improper memory locations.

Question 31

What are some risks associated with error handling in software development?

Answer 31

Improper error handling can result in the disclosure of sensitive information, such as usernames or passwords, providing attackers with valuable insights for further attacks.

Question 32

What is DLL injection?

Answer 32

DLL injection involves the unauthorized insertion of malicious dynamic link libraries (DLLs) into a host system, allowing execution of malicious code and potential data theft.

Question 33

What is resource exhaustion in a DDoS attack?

Answer 33

Resource exhaustion occurs in distributed denial-of-service (DDoS) attacks, where multiple hosts flood a network or target website with excessive traffic, overwhelming its resources and causing disruption.

Question 34

What is a race condition in multithreaded applications?

Answer 34

A race condition is a programming issue that arises in multithreaded applications when multiple threads access shared resources or variables simultaneously, potentially leading to crashes, data corruption, or security vulnerabilities.

Question 35

What is a driver shimming attack?

Answer 35

A driver shimming attack involves installing a malicious driver that intercepts API calls from other components, allowing the execution of malicious code.

Question 36

What is driver refactoring?

Answer 36

Driver refactoring refers to the modification of the internal code of a trusted driver to evade malware detection by using replacement parameters and hiding malicious code within the program.

Question 37

Can free antivirus software be as effective as paid subscriptions?

Answer 37

While opinions may vary, some believe that free antivirus software, such as Windows Defender, can provide comparable protection to paid subscriptions. However, research and careful consideration of features and capabilities are advised.

Question 38

What are overflow attacks?

Answer 38

Overflow attacks, such as integer overflows and buffer overflows, occur when software developers fail to allocate sufficient memory to store data, leading to potential disclosure of sensitive information, remote exploits, privilege escalation, or application crashes.

Question 39

How does the Heartbleed bug exploit a buffer overflow?

Answer 39

The Heartbleed bug exploited a buffer overflow vulnerability in an older implementation of OpenSSL, where a server trusted the length of a heartbeat message sent by the client without proper validation. This allowed an attacker to obtain sensitive information from the server’s memory.

Question 40

What can be done to mitigate driver-related and buffer overflow attacks?

Answer 40

Mitigation strategies include applying patches and updates promptly, subscribing to threat intelligence feeds, training developers in secure coding practices, and ensuring code undergoes rigorous testing and review to identify and rectify programmatic errors.

Question 41

What are online and offline password attacks?

Answer 41

Online password attacks refer to attempts to crack passwords in real-time, while offline attacks involve using captured password hashes to perform attacks offline using various tools and dictionaries.

Question 42

What is a dictionary password attack?

Answer 42

A dictionary password attack involves using a dictionary file containing a list of common passwords or phrases and systematically trying each entry against user accounts to find a match.

Question 43

How does a brute force attack differ from a dictionary attack?

Answer 43

A brute force attack involves trying all possible combinations of characters, numbers, and symbols until the correct password is discovered. It does not rely on pre-existing password lists like a dictionary attack.

Question 44

What is password spraying?

Answer 44

Password spraying is a technique where a limited number of common passwords are tried against multiple user accounts to avoid triggering account lockouts. It is a slower attack method that can be effective when account lockout settings are enabled.

Question 45

What are some tools used for password attacks?

Answer 45

Tools such as John the Ripper, Cain and Abel, and Hydra are commonly used for online and offline password attacks. These tools can automate password cracking attempts and leverage dictionaries and brute force methods.

Question 46

How can organizations mitigate password-based attacks?

Answer 46

Organizations can implement measures like complex passwords, multi-factor authentication, account lockout policies, and regular password policy enforcement to mitigate the risk of password attacks. Additionally, user education and awareness can help promote strong password practices.

Question 47

What is a botnet?

Answer 47

A botnet is a network of infected machines (bots) that are under the control of a malicious actor. The bots communicate with a command and control (C&C) server, which allows the attacker to issue instructions and control the bots collectively.

Question 48

How can intrusion detection systems help mitigate botnet attacks?

Answer 48

Intrusion detection systems can detect suspicious outbound traffic from infected machines to a command and control server. Unusual patterns of outbound connections, such as multiple bots communicating with the same destination, can trigger alerts, allowing organizations to take action and mitigate the threat.

Question 49

How can DNS text records be used in botnet communication?

Answer 49

Malicious actors can store instructions for bots in DNS text records. The infected bots query the DNS server to retrieve these instructions, creating a communication channel between the botnet and the attacker. Detecting excessive DNS queries for text records can be an indicator of botnet activity.

Question 50

How does the Tor network help hide the origin of botnet communications?

Answer 50

The Tor network anonymizes network traffic by routing it through a series of volunteer-operated nodes. By using the Tor network, botnet communications can be routed through multiple nodes, making it difficult to trace the origin of the communication back to the attacker.

Question 51

How can packet capture analysis help detect botnet activity?

Answer 51

Analyzing packet captures can reveal suspicious DNS queries, such as queries for text records, which are not typical for regular client behavior. Unusual DNS traffic patterns can indicate that a machine is part of a botnet and communicating with a command and control server.

Question 52

How can online services like VirusTotal assist in analyzing packet captures for botnet activity?

Answer 52

Online services like VirusTotal allow users to upload packet captures for analysis. These services utilize various detection mechanisms, including antivirus solutions and intrusion detection systems, to identify potential malware or suspicious activities in the captured traffic. This can help identify and mitigate botnet-related threats.

Question 53

What does RAID stand for

Answer 53

Redundant Array of Independent Disks.

Question 54

What is the purpose of RAID?

Answer 54

RAID is used to improve performance, increase storage capacity, and provide fault tolerance.

Question 55

What is the difference between hardware RAID and software RAID?

Answer 55

Hardware RAID uses a dedicated RAID controller, while software RAID relies on the operating system to manage the configuration.

Question 56

What is RAID 0?

Answer 56

RAID 0, or disk striping, improves performance by striping data across multiple disks but offers no fault tolerance.

Question 57

What is RAID 1?

Answer 57

RAID 1, or disk mirroring, creates an exact copy of data on multiple disks, providing high availability and data redundancy.

Question 58

What is RAID 5?

Answer 58

RAID 5 combines disk striping with distributed parity, offering both performance and fault tolerance.

Question 59

What is RAID 6?

Answer 59

RAID 6 is similar to RAID 5 but uses double distributed parity, allowing for the simultaneous failure of two disks without data loss.

Question 60

What is RAID 10?

Answer 60

RAID 10, or RAID 1+0, combines disk mirroring and striping for both performance and high availability.

Question 61

Why is physical access to hardware a concern for cybersecurity professionals?

Answer 61

A: Physical access to hardware can bypass security controls, making it easier for malicious actors to compromise systems.

Question 62

How can the use of removable media be limited in a Windows environment?

Answer 62

Group Policy settings can be configured to deny read and write access to removable disks, restricting their usage.

Question 63

What is the purpose of using diverse vendor equipment in network security?

Answer 63

Mixing different vendor equipment makes it harder for attackers to exploit vulnerabilities across the network.

Question 64

What is a USB data blocker?

Answer 64

A USB data blocker is a hardware device that allows only power charging through a USB connection, preventing data transfer.

Question 65

What is TPM (Trusted Platform Module)?

Answer 65

TPM is a hardware chip that checks the integrity of a computer’s boot process, stores cryptographic keys, and aids in disk encryption.

Question 66

Why is firmware update management important for hardware security?

Answer 66

Applying firmware updates ensures that security vulnerabilities in devices are patched, enhancing overall security.

Question 67

Why is disk encryption beneficial for hardware security?

Answer 67

Encrypting disks protects data even if physical disks are stolen, as the encrypted data cannot be accessed without the decryption key.

Question 68

How can uninterruptible power supplies (UPS) contribute to hardware availability?

Answer 68

UPS devices provide backup power during outages, allowing servers and critical equipment to continue operating and shut down gracefully.

Question 69

What is an endpoint in the context of cybersecurity?

Answer 69

An endpoint refers to a user device or a firewall on the network’s edge where suspicious activity, including malware, can be detected.

Question 70

Why is it important to have both a host-based firewall and an antivirus scanner?

Answer 70

A host-based firewall limits incoming traffic, while an antivirus scanner detects and removes malware already present on the device.

Question 71

What is the significance of real-time virus monitoring?

Answer 71

Real-time virus monitoring detects and prevents malware infections by continuously scanning and removing threats as they are encountered.

Question 72

How can administrators prevent malware incidents caused by disabling the virus scanner?

Answer 72

Administrators should ensure that the virus scanner is re-enabled after temporary disabling, preventing potential security gaps.

Question 73

What is ransomware, and how does it typically operate?

Answer 73

Ransomware encrypts data files and demands a ransom payment in exchange for decrypting the files, often using anonymous payment methods like Bitcoin.

Question 74

What is a host intrusion detection system (HIDS)?

Answer 74

A host intrusion detection system monitors and detects suspicious activity on a host device, such as analyzing log files or monitoring network traffic.

Question 75

How does a next-generation firewall (NGFW) differ from a traditional firewall?

Answer 75

A next-generation firewall combines multiple security features, including packet filtering and deep packet inspection, to make more advanced decisions on allowing or denying traffic.

Question 76

What is an allow list (whitelist) and a deny list (blacklist) in the context of firewall configuration?

Answer 76

An allow list specifies what activities or applications are permitted, while a deny list identifies activities or applications that are not allowed, regulating network traffic and system access.