Chapter 6 Securing individual systems Flashcards
What is malware?
Software that is detrimental to the operation of a host, causing harm or unwanted behavior.
What are the two main functions of a virus?
To replicate and to activate, causing harm or performing some action once triggered.
What is a fileless malware or fileless virus?
Malware that resides in memory and does not rely on files to spread or execute.
What is ransomware (crypto malware)?
Malware that encrypts a user’s data and demands a ransom for the decryption key.
How does a worm differ from a virus?
A worm can replicate itself and spread over networks without user intervention.
What is a Trojan horse?
A program that appears legitimate but performs malicious actions in the background.
What is a Remote Access Trojan (RAT)?
A type of Trojan that allows an attacker to remotely control an infected computer.
What is a backdoor in the context of malware?
A hidden way to bypass normal authentication and gain access to a system.
What are Potentially Unwanted Programs (PUPs)?
Software that may be unwanted by the user, often bundled with other software.
What is a botnet?
A network of infected computers (zombies) controlled by an attacker for malicious activities like DDoS attacks.
What is a keylogger?
Malware that records keystrokes to capture sensitive information like passwords.
What is a rootkit?
Malware designed to gain root access and hide its presence on a system, often installed in the boot sector.
What is a logic bomb?
Malware that triggers a malicious action when certain conditions are met, such as a specific date or number of logins.
What type of attack typically uses botnets?
Distributed Denial of Service (DDoS) attacks.
How can hardware keyloggers be detected?
: They are difficult to detect with software, often requiring physical inspection of the device.
Why are rootkits particularly dangerous?
Because they operate with high-level privileges and can be difficult to detect and remove.
What is the main characteristic of a logic bomb?
It activates based on specific conditions or a timer, causing harm when triggered.
How can Trojans be spread?
Through seemingly legitimate software or files that users download and execute.
Why are PUPs considered a threat?
They can slow down systems, introduce unwanted changes, and potentially lead to further security issues.
What is a weak configuration in cybersecurity?
A setup that presents security risks due to default settings, lack of hardening, or other vulnerabilities.
Why are open Wi-Fi networks considered weak configurations?
Because they allow anyone to connect without authentication, posing security risks, especially in non-public environments.
Why should guest user accounts be disabled if not needed?
They can provide unauthorized access and should be turned off if not required to reduce security risks.
What is the purpose of intruder lockout settings?
To lock out user accounts after multiple failed login attempts, preventing brute force or dictionary attacks.
What is a common issue with permissions that can lead to weak configurations?
Assigning too many permissions, violating the principle of least privilege, and giving users more access than needed.
Why is using the root account directly in Linux considered a weak configuration?
Because it provides unrestricted access and increases the risk of accidental or malicious changes; using sudo is recommended instead.
What is the risk of insecure cryptographic solutions like WEP, DES, and SSL?
These outdated encryption methods are vulnerable to attacks and should be replaced with more secure alternatives like WPA3, AES, and TLS 1.2+.
Why is it important to change default settings on devices?
Default settings, including IP addresses and port numbers, are widely known and can be exploited by attackers.
What is a common weak configuration found in older Wi-Fi routers and multifunction network printers?
Having Universal Plug and Play (UPnP) enabled, which can expose devices to attacks.
Why should default usernames and passwords be changed on devices?
They are often easily found in online lists and can be exploited by attackers to gain unauthorized access.
What is a directory traversal attack and why is it a risk with default installation locations?
It’s an attack that gains unauthorized access to files and directories, made easier if the attacker knows the default file paths.
How can default passwords left unchanged impact security?
They can provide easy access for attackers, especially on internet-facing devices.
What tool can be used to find devices with default passwords on the internet?
Shodan.io, a search engine that identifies devices with default settings and other security vulnerabilities.
What is the principle of least privilege?
A security concept that users should be granted the minimum levels of access – or permissions – necessary to perform their job functions.
What is a common consequence of weak configurations in IoT devices?
Increased vulnerability to attacks, leading to potential unauthorized control or data breaches.
Why should older encryption standards like SSL and TLS versions below 1.2 be avoided?
They have known vulnerabilities and are no longer considered secure for protecting network communications.
What is a zero day attack?
An attack that exploits a vulnerability not yet known to the software vendor or hardware manufacturer, making it unpatched and unknown to the target.
What is the Zero Day Initiative (ZDI)?
A program promoting the responsible disclosure of discovered vulnerabilities, often with financial rewards for security researchers.
What are bug bounty programs?
Programs where companies pay security researchers to find and report vulnerabilities in their software or systems.
What is a DNS sinkhole?
A security measure where DNS responses are manipulated to redirect malicious traffic or block access to malicious domains.
What is privilege escalation?
Gaining higher access rights than initially granted, often through exploiting vulnerabilities or misconfigurations.
What is a replay attack?
An attack where valid data transmission is maliciously repeated or delayed, often to gain unauthorized access.
What is pointer and object dereferencing?
An attack that manipulates memory pointers to access unauthorized memory locations, potentially exposing sensitive data or crashing systems.
What are common issues with error handling in software?
Poor error handling can disclose too much information, aiding attackers in understanding the system’s vulnerabilities.
What is DLL injection?
A technique where malicious code is inserted into a running process by exploiting dynamic link libraries (DLLs).
What is resource exhaustion?
An attack that depletes system resources, such as memory or CPU, causing denial of service (DoS).
What is a race condition?
A flaw in multi-threaded applications where the timing of threads can lead to unpredictable behavior and potential security issues.
How can error messages contribute to security vulnerabilities?
Detailed error messages can provide attackers with insights into the system, revealing potential attack vectors.
What is a man-in-the-middle attack?
An attack where a malicious actor intercepts and potentially alters communication between two parties without their knowledge.
What is a dynamic link library (DLL)?
A collection of small programs that can be called upon by larger programs to perform specific functions.
How can you mitigate the risk of zero day attacks?
Employing strong security practices, such as regular updates, using intrusion detection/prevention systems (IDS/IPS), and participating in or supporting bug bounty programs.
What is memory injection in cybersecurity?
Memory injection is when unauthorized code is placed into a program’s running memory, causing it to act in unexpected and potentially harmful ways.
How is memory injection similar to adding unwanted ingredients in a kitchen?
Just as adding unwanted ingredients can change the flavor of a dish, memory injection changes the behavior of a program, making it do things it wasn’t supposed to.
What is a buffer overflow?
A buffer overflow occurs when a program receives more data than it can handle, causing the excess data to overflow into other parts of memory, potentially causing a system crash or allowing an attacker to exploit the system.
How is a buffer overflow similar to overfilling a glass with water?
Just like overfilling a glass causes water to spill everywhere, a buffer overflow causes excess data to spill into other parts of the program, potentially causing damage.
What is a race condition in cybersecurity?
A race condition occurs when the outcome of a program depends on the sequence or timing of uncontrollable events, leading to unpredictable behavior.
How can a race condition be compared to two people trying to unlock the same door?
Just as two people trying to unlock the same door at the same time might cause confusion, a race condition causes unpredictable behavior in a program when multiple operations attempt to access the same resource simultaneously.
What is the “Time of Check” and “Time of Use” (TOCTOU) vulnerability?
TOCTOU is a type of race condition where a system checks a condition and then acts on it, but the condition changes between the check and the action, leading to potential security issues.
How is TOCTOU similar to reserving a book at the library and finding it checked out when you arrive?
Just as a book might be checked out by someone else after you reserve it but before you pick it up, TOCTOU vulnerabilities exploit the gap between checking a condition and using the result of that check.
How can attackers exploit TOCTOU vulnerabilities?
Attackers can exploit TOCTOU vulnerabilities by changing the condition after it is checked but before it is used, leading to unauthorized actions like privilege escalation.
What is the Meltdown attack?
Meltdown is a race condition-oriented exploit that allows attackers to bypass the barrier between user applications and the operating system, enabling access to sensitive data like passwords and personal information.
How does the Meltdown attack exploit race conditions?
Meltdown exploits the timing gap between checking user permissions and executing privileged instructions, allowing attackers to access restricted memory.
What are the consequences of TOCTOU vulnerabilities?
TOCTOU vulnerabilities can lead to unexpected system behaviors, unauthorized access, or data breaches by exploiting the timing gap between condition checks and their usage.
What is an online password attack?
An online password attack is performed live against a user account over the network, trying various passwords to gain access.
What is an offline password attack?
An offline password attack involves obtaining a database of hashed passwords and attempting to crack them without interacting with the live system.
Name some common tools used for password attacks.
Common tools include John the Ripper, Cain and Abel, Hydra, and tools available in Kali Linux.
What is a dictionary password attack?
: A dictionary attack uses a precompiled list of potential passwords, like common passwords or phrases, and tries each one against a user account.
How does a brute force attack differ from a dictionary attack?
A brute force attack tries all possible combinations of characters until it finds the correct password, while a dictionary attack uses a predefined list of common passwords.
What is password spraying?
Password spraying involves using a single password against multiple user accounts to avoid triggering account lockouts and then cycling through a list of passwords.
What is the purpose of enabling account lockout settings?
Account lockout settings disable an account after a certain number of failed login attempts to prevent unauthorized access through brute force or dictionary attacks.
What is the command to perform a dictionary attack using Hydra against an RDP server in Kali Linux?
The command is hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://<target_IP>.</target_IP>
Why is it important to avoid exposing services like RDP directly to the internet?
Exposing services like RDP to the internet makes them easy targets for automated attacks and unauthorized access attempts.
How can multi-factor authentication (MFA) help mitigate password attacks?
MFA adds an additional layer of security, requiring not only the password but also a second form of verification, making it harder for attackers to gain access.
What is a bot in cybersecurity?
A bot is an infected machine under the control of a malicious user, often referred to as a zombie.
What is a botnet?
A botnet is a network of infected machines (bots or zombies) under the control of a single malicious actor.
What is a command and control (C2) server?
A C2 server is a central server used by an attacker to send commands and control infected machines (bots) within a botnet.
How do infected bots usually communicate with a command and control server?
Infected bots often reach out to the C2 server themselves, bypassing firewall restrictions that might prevent the attacker from directly connecting to the bots.
What is a DNS TXT record and how can it be misused by attackers?
A DNS TXT record is normally used for storing text information to verify domain ownership. Attackers can misuse it to store and retrieve commands for infected bots.
What is the Tor network, and how do attackers use it?
The Tor network anonymizes internet traffic, making it difficult to trace. Attackers use it to hide the origin of their communications with C2 servers.
How can intrusion detection systems (IDS) help detect botnet activity?
IDS can detect unusual outbound traffic patterns, such as multiple bots reaching out to the same C2 server, and raise alerts.
In Wireshark, what would a suspicious DNS query for a TXT record indicate?
It may indicate that a bot is retrieving commands from a DNS TXT record, which is not typical behavior for most clients.
What is the significance of filtering DNS traffic in Wireshark?
Filtering DNS traffic helps identify unusual queries, such as those for TXT records, which can be indicative of botnet activity.
What tool can be used to analyze packet captures for suspicious activity?
VirusTotal can be used to upload and analyze packet captures for suspicious activity, using various antivirus and intrusion detection engines.
What is Snort and how does it help in intrusion detection?
Snort is an open-source intrusion detection system (IDS) that analyzes network traffic and raises alerts for suspicious activity.
What might Snort alerts indicating commands being sent over DNS TXT record queries suggest?
These alerts suggest that a botnet might be using DNS TXT records to receive commands from a C2 server, indicating a potential botnet communication.
What is RAID in the context of IT?
RAID (Redundant Array of Inexpensive Disks) is a technology that combines multiple physical disks into one logical unit for improved performance and/or redundancy.
Why is RAID important for security and availability?
RAID enhances data availability, a key component of the CIA triad in cybersecurity, by ensuring data remains accessible even in the event of disk failures.
What is the difference between hardware RAID and software RAID?
Hardware RAID uses dedicated controllers for better performance and reliability, while software RAID relies on the operating system to manage the RAID configuration.
What is RAID 0, and what are its benefits and drawbacks?
RAID 0, or disk striping, improves performance by spreading data across multiple disks, but offers no redundancy; if one disk fails, all data is lost.
What is RAID 1, and how does it ensure data availability?
RAID 1, or disk mirroring, duplicates data on two disks, providing high availability because if one disk fails, the other can still provide all the data.
Describe RAID 5 and its advantages.
RAID 5 uses disk striping with distributed parity, offering both improved performance and fault tolerance. It can survive a single disk failure by using parity information to rebuild data.
How does RAID 6 differ from RAID 5?
RAID 6 is similar to RAID 5 but with an additional parity block, allowing it to tolerate the failure of two disks, enhancing data redundancy and availability.
Explain the concept of RAID 10.
RAID 10 combines RAID 1 and RAID 0 by mirroring data for redundancy and then striping it for performance. It requires a minimum of four disks and provides both high availability and performance benefits.
What is a storage area network (SAN), and how does it relate to RAID?
A SAN is a dedicated network that provides access to consolidated storage. RAID can be configured within a SAN to enhance performance and ensure data availability.
How does a host bus adapter (HBA) function in a SAN?
An HBA is a card installed in a server that connects it to a SAN, enabling the server to communicate with storage arrays over high-speed networks like Fibre Channel.
What is the purpose of a Fibre Channel switch in a SAN?
A Fibre Channel switch connects servers and storage devices within a SAN, allowing for high-speed data transfer and redundancy in the storage network.
Describe the process of setting up a software RAID 1 in Windows Server.
In Windows Server, use the Disk Management tool to select two unallocated disks, create a new mirrored volume, assign a drive letter, and format the disks. This configures a RAID 1 array, ensuring data is mirrored for redundancy.
Why is limiting physical access to hardware crucial for security?
Physical access to hardware allows a malicious user to bypass many security controls and directly manipulate or steal data from the system.
What are some physical security measures to protect hardware?
: Measures include alarms, sensors, secure door locks, non-forgeable access cards, and limiting the use of removable media.
How does encryption help protect physical hardware from malicious actors?
Encrypting disks ensures that even if a physical disk is stolen, the data remains inaccessible without the decryption key.
What is the role of group policy in securing removable storage media in Windows?
Group policy can be used to deny read and write access to removable storage media, preventing unauthorized use of USB drives and other devices.
What is firmware, and why is updating it important for security?
Firmware is the software that provides low-level control for a device’s hardware. Updating firmware is crucial to patch security vulnerabilities and improve functionality.
What is a USB data blocker?
: A USB data blocker allows only power to be transmitted through a USB connection, preventing data transfer and protecting devices from potential malware infections.
What is TPM and how does it enhance hardware security?
Trusted Platform Module (TPM) is a hardware-based security feature that ensures the integrity of the boot process and can store cryptographic keys, enhancing overall system security.
How can a denial of service (DoS) attack affect hardware?
A DoS attack can make hardware unusable by overwhelming it with traffic or exploiting vulnerabilities to crash the system, affecting availability.
What is Nic teaming and how does it improve hardware availability?
Nic teaming involves using multiple network interface cards in a host to ensure network connectivity even if one card fails, thus improving network reliability and availability.
Why are uninterruptible power supplies (UPS) important for hardware security?
UPS devices provide backup power to hardware during outages, ensuring systems stay up long enough to shut down gracefully, thus preventing data loss and hardware damage.
What is a power distribution unit (PDU), and how does it help in securing hardware?
A PDU distributes electrical power to multiple devices within a rack, often with redundancy to ensure continued operation if one power source fails.
How does load balancing contribute to hardware availability in a network?
Load balancing distributes network or application traffic across multiple servers or resources, ensuring no single device is overwhelmed and enhancing overall system reliability.
What security measures can be taken to secure data in cloud computing?
Measures include using multiple network connections for redundancy, load balancing for high availability, and replicating data across regions for data redundancy.
What is EDR in cybersecurity?
Endpoint Detection and Response (EDR) is a system that monitors endpoints (user devices, firewalls) for suspicious activity, including malware, and triggers alarms or notifications to users and administrators.
What is the primary purpose of a host-based firewall?
A host-based firewall limits incoming and outgoing traffic on an individual device, providing an additional layer of protection by controlling network communications.
Why is real-time protection important in antivirus software?
Real-time protection continuously monitors the system for malware and other threats, detecting and blocking them as they occur, preventing infections from spreading.
Flashcard 4:
What is the role of centralized management in enterprise malware solutions?
Centralized management allows administrators to monitor and manage security incidents across all endpoints from a single console, improving response times and coordination.
What is a dictionary attack?
A dictionary attack involves using a precompiled list of common passwords to attempt to gain unauthorized access to user accounts.
How does a brute force attack differ from a dictionary attack?
A brute force attack tries all possible combinations of characters until it finds the correct password, while a dictionary attack uses a specific list of potential passwords.
What is a password spraying attack?
Password spraying involves using a single password attempt against many different user accounts before trying a second password, to avoid account lockout mechanisms.
What is a Host Intrusion Detection System (HIDS)?
HIDS monitors a host for suspicious activity, such as unusual log file entries or network traffic, and can alert administrators of potential security incidents.
How does Host Intrusion Prevention System (HIPS) enhance security compared to HIDS?
HIPS not only detects suspicious activity but also takes active steps to block or stop the activity, such as blocking IP addresses or preventing certain actions on the host.
What is a next-generation firewall (NGF)?
NGF is an advanced firewall that includes traditional packet filtering, deep packet inspection, intrusion detection and prevention, and other security features in one appliance.
What is the difference between an allow list and a block list in security configurations?
An allow list (whitelist) specifies what is permitted (e.g., apps, traffic), while a block list (blacklist) specifies what is denied or blocked.
Why is it important to use both virus scanners and host-based firewalls?
Virus scanners detect and remove malware within the system, while host-based firewalls control network traffic to and from the device, providing comprehensive protection.
What are the risks of disabling real-time protection in antivirus software?
Disabling real-time protection can allow malware to be downloaded and executed on the system without immediate detection, increasing the risk of infection.
What is a USB data blocker, and why is it useful?
A USB data blocker allows only power to be transmitted through a USB connection, preventing data transfer and protecting devices from potential malware infections when charging.
What does TPM stand for, and what is its role in security?
TPM stands for Trusted Platform Module, a hardware component that ensures the integrity of the boot process and can store cryptographic keys, enhancing system security.
What does Full Disk Encryption (FDE) ensure?
FDE ensures that all data on a hard drive, including files and the operating system, is encrypted, preventing access without the right decryption key.
How does Partition Encryption differ from Full Disk Encryption?
Partition Encryption encrypts individual partitions or sections of a hard drive, allowing some sections to be encrypted while others remain unencrypted.
What is File Encryption used for?
File Encryption is used to encrypt individual files, ensuring that even if someone gains access to the computer, they cannot read the files without the decryption key.
What is Volume Encryption?
Volume Encryption encrypts an entire volume or logical data unit, such as a section of a hard drive, an external hard drive, or a virtual drive.
How does Database Encryption secure data?
Database Encryption involves encrypting the entire database, making all information stored within it unreadable without the appropriate decryption key.
What is Record Encryption?
Record Encryption refers to encrypting individual entries or records within a database, protecting specific sets of related data even if the database is accessed
What analogy can be used to describe Full Disk Encryption?
Full Disk Encryption is like putting a big lock on an entire library building, so no one can access any book inside without the proper key.
How is Partition Encryption similar to securing sections in a library?
Partition Encryption is like putting a lock on specific sections of a library (e.g., fiction, nonfiction), allowing access to some sections while keeping others locked.
Describe File Encryption using a library analogy.
File Encryption is like putting a lock on a single book inside a library; even if someone can access the section, they can’t read the locked book without the key.
Using a library analogy, explain Volume Encryption.
Volume Encryption is like locking an entire shelf or rack in the library; only those with the right key can access the books on that shelf.
Explain Database Encryption using a library analogy.
Database Encryption is like locking a special room in the library containing rare manuscripts, ensuring that the entire collection is secure and unreadable without the key.
How does Record Encryption function within a database?
Record Encryption ensures that even if someone accesses the database, individual records remain protected and unreadable without the proper key.
Why is endpoint encryption crucial for organizations?
Endpoint encryption ensures that sensitive data is protected from unauthorized access, even if the device is stolen or accessed physically.
What are the benefits of encrypting data at various levels (disk, partition, file, volume, database, record)?
Encrypting data at various levels provides multiple layers of security, protecting against unauthorized access to different types of data and ensuring privacy.