Chapter 6 Securing individual systems

Question 1

What is malware?

Answer 1

Software that is detrimental to the operation of a host, causing harm or unwanted behavior.

Question 2

What are the two main functions of a virus?

Answer 2

To replicate and to activate, causing harm or performing some action once triggered.

Question 3

What is a fileless malware or fileless virus?

Answer 3

Malware that resides in memory and does not rely on files to spread or execute.

Question 4

What is ransomware (crypto malware)?

Answer 4

Malware that encrypts a user’s data and demands a ransom for the decryption key.

Question 5

How does a worm differ from a virus?

Answer 5

A worm can replicate itself and spread over networks without user intervention.

Question 6

What is a Trojan horse?

Answer 6

A program that appears legitimate but performs malicious actions in the background.

Question 7

What is a Remote Access Trojan (RAT)?

Answer 7

A type of Trojan that allows an attacker to remotely control an infected computer.

Question 8

What is a backdoor in the context of malware?

Answer 8

A hidden way to bypass normal authentication and gain access to a system.

Question 9

What are Potentially Unwanted Programs (PUPs)?

Answer 9

Software that may be unwanted by the user, often bundled with other software.

Question 10

What is a botnet?

Answer 10

A network of infected computers (zombies) controlled by an attacker for malicious activities like DDoS attacks.

Question 11

What is a keylogger?

Answer 11

Malware that records keystrokes to capture sensitive information like passwords.

Question 12

What is a rootkit?

Answer 12

Malware designed to gain root access and hide its presence on a system, often installed in the boot sector.

Question 13

What is a logic bomb?

Answer 13

Malware that triggers a malicious action when certain conditions are met, such as a specific date or number of logins.

Question 14

What type of attack typically uses botnets?

Answer 14

Distributed Denial of Service (DDoS) attacks.

Question 15

How can hardware keyloggers be detected?

Answer 15

: They are difficult to detect with software, often requiring physical inspection of the device.

Question 16

Why are rootkits particularly dangerous?

Answer 16

Because they operate with high-level privileges and can be difficult to detect and remove.

Question 17

What is the main characteristic of a logic bomb?

Answer 17

It activates based on specific conditions or a timer, causing harm when triggered.

Question 18

How can Trojans be spread?

Answer 18

Through seemingly legitimate software or files that users download and execute.

Question 19

Why are PUPs considered a threat?

Answer 19

They can slow down systems, introduce unwanted changes, and potentially lead to further security issues.

Question 20

What is a weak configuration in cybersecurity?

Answer 20

A setup that presents security risks due to default settings, lack of hardening, or other vulnerabilities.

Question 21

Why are open Wi-Fi networks considered weak configurations?

Answer 21

Because they allow anyone to connect without authentication, posing security risks, especially in non-public environments.

Question 22

Why should guest user accounts be disabled if not needed?

Answer 22

They can provide unauthorized access and should be turned off if not required to reduce security risks.

Question 23

What is the purpose of intruder lockout settings?

Answer 23

To lock out user accounts after multiple failed login attempts, preventing brute force or dictionary attacks.

Question 24

What is a common issue with permissions that can lead to weak configurations?

Answer 24

Assigning too many permissions, violating the principle of least privilege, and giving users more access than needed.

Question 25

Why is using the root account directly in Linux considered a weak configuration?

Answer 25

Because it provides unrestricted access and increases the risk of accidental or malicious changes; using sudo is recommended instead.

Question 26

What is the risk of insecure cryptographic solutions like WEP, DES, and SSL?

Answer 26

These outdated encryption methods are vulnerable to attacks and should be replaced with more secure alternatives like WPA3, AES, and TLS 1.2+.

Question 27

Why is it important to change default settings on devices?

Answer 27

Default settings, including IP addresses and port numbers, are widely known and can be exploited by attackers.

Question 28

What is a common weak configuration found in older Wi-Fi routers and multifunction network printers?

Answer 28

Having Universal Plug and Play (UPnP) enabled, which can expose devices to attacks.

Question 29

Why should default usernames and passwords be changed on devices?

Answer 29

They are often easily found in online lists and can be exploited by attackers to gain unauthorized access.

Question 30

What is a directory traversal attack and why is it a risk with default installation locations?

Answer 30

It’s an attack that gains unauthorized access to files and directories, made easier if the attacker knows the default file paths.

Question 31

How can default passwords left unchanged impact security?

Answer 31

They can provide easy access for attackers, especially on internet-facing devices.

Question 32

What tool can be used to find devices with default passwords on the internet?

Answer 32

Shodan.io, a search engine that identifies devices with default settings and other security vulnerabilities.

Question 33

What is the principle of least privilege?

Answer 33

A security concept that users should be granted the minimum levels of access – or permissions – necessary to perform their job functions.

Question 34

What is a common consequence of weak configurations in IoT devices?

Answer 34

Increased vulnerability to attacks, leading to potential unauthorized control or data breaches.

Question 35

Why should older encryption standards like SSL and TLS versions below 1.2 be avoided?

Answer 35

They have known vulnerabilities and are no longer considered secure for protecting network communications.

Question 36

What is a zero day attack?

Answer 36

An attack that exploits a vulnerability not yet known to the software vendor or hardware manufacturer, making it unpatched and unknown to the target.

Question 37

What is the Zero Day Initiative (ZDI)?

Answer 37

A program promoting the responsible disclosure of discovered vulnerabilities, often with financial rewards for security researchers.

Question 38

What are bug bounty programs?

Answer 38

Programs where companies pay security researchers to find and report vulnerabilities in their software or systems.

Question 39

What is a DNS sinkhole?

Answer 39

A security measure where DNS responses are manipulated to redirect malicious traffic or block access to malicious domains.

Question 40

What is privilege escalation?

Answer 40

Gaining higher access rights than initially granted, often through exploiting vulnerabilities or misconfigurations.

Question 41

What is a replay attack?

Answer 41

An attack where valid data transmission is maliciously repeated or delayed, often to gain unauthorized access.

Question 42

What is pointer and object dereferencing?

Answer 42

An attack that manipulates memory pointers to access unauthorized memory locations, potentially exposing sensitive data or crashing systems.

Question 43

What are common issues with error handling in software?

Answer 43

Poor error handling can disclose too much information, aiding attackers in understanding the system’s vulnerabilities.

Question 44

What is DLL injection?

Answer 44

A technique where malicious code is inserted into a running process by exploiting dynamic link libraries (DLLs).

Question 45

What is resource exhaustion?

Answer 45

An attack that depletes system resources, such as memory or CPU, causing denial of service (DoS).

Question 46

What is a race condition?

Answer 46

A flaw in multi-threaded applications where the timing of threads can lead to unpredictable behavior and potential security issues.

Question 47

How can error messages contribute to security vulnerabilities?

Answer 47

Detailed error messages can provide attackers with insights into the system, revealing potential attack vectors.

Question 48

What is a man-in-the-middle attack?

Answer 48

An attack where a malicious actor intercepts and potentially alters communication between two parties without their knowledge.

Question 49

What is a dynamic link library (DLL)?

Answer 49

A collection of small programs that can be called upon by larger programs to perform specific functions.

Question 50

How can you mitigate the risk of zero day attacks?

Answer 50

Employing strong security practices, such as regular updates, using intrusion detection/prevention systems (IDS/IPS), and participating in or supporting bug bounty programs.

Question 51

What is memory injection in cybersecurity?

Answer 51

Memory injection is when unauthorized code is placed into a program’s running memory, causing it to act in unexpected and potentially harmful ways.

Question 52

How is memory injection similar to adding unwanted ingredients in a kitchen?

Answer 52

Just as adding unwanted ingredients can change the flavor of a dish, memory injection changes the behavior of a program, making it do things it wasn’t supposed to.

Question 53

What is a buffer overflow?

Answer 53

A buffer overflow occurs when a program receives more data than it can handle, causing the excess data to overflow into other parts of memory, potentially causing a system crash or allowing an attacker to exploit the system.

Question 54

How is a buffer overflow similar to overfilling a glass with water?

Answer 54

Just like overfilling a glass causes water to spill everywhere, a buffer overflow causes excess data to spill into other parts of the program, potentially causing damage.

Question 55

What is a race condition in cybersecurity?

Answer 55

A race condition occurs when the outcome of a program depends on the sequence or timing of uncontrollable events, leading to unpredictable behavior.

Question 56

How can a race condition be compared to two people trying to unlock the same door?

Answer 56

Just as two people trying to unlock the same door at the same time might cause confusion, a race condition causes unpredictable behavior in a program when multiple operations attempt to access the same resource simultaneously.

Question 57

What is the “Time of Check” and “Time of Use” (TOCTOU) vulnerability?

Answer 57

TOCTOU is a type of race condition where a system checks a condition and then acts on it, but the condition changes between the check and the action, leading to potential security issues.

Question 58

How is TOCTOU similar to reserving a book at the library and finding it checked out when you arrive?

Answer 58

Just as a book might be checked out by someone else after you reserve it but before you pick it up, TOCTOU vulnerabilities exploit the gap between checking a condition and using the result of that check.

Question 59

How can attackers exploit TOCTOU vulnerabilities?

Answer 59

Attackers can exploit TOCTOU vulnerabilities by changing the condition after it is checked but before it is used, leading to unauthorized actions like privilege escalation.

Question 60

What is the Meltdown attack?

Answer 60

Meltdown is a race condition-oriented exploit that allows attackers to bypass the barrier between user applications and the operating system, enabling access to sensitive data like passwords and personal information.

Question 61

How does the Meltdown attack exploit race conditions?

Answer 61

Meltdown exploits the timing gap between checking user permissions and executing privileged instructions, allowing attackers to access restricted memory.

Question 62

What are the consequences of TOCTOU vulnerabilities?

Answer 62

TOCTOU vulnerabilities can lead to unexpected system behaviors, unauthorized access, or data breaches by exploiting the timing gap between condition checks and their usage.

Question 63

What is an online password attack?

Answer 63

An online password attack is performed live against a user account over the network, trying various passwords to gain access.

Question 64

What is an offline password attack?

Answer 64

An offline password attack involves obtaining a database of hashed passwords and attempting to crack them without interacting with the live system.

Question 65

Name some common tools used for password attacks.

Answer 65

Common tools include John the Ripper, Cain and Abel, Hydra, and tools available in Kali Linux.

Question 66

What is a dictionary password attack?

Answer 66

: A dictionary attack uses a precompiled list of potential passwords, like common passwords or phrases, and tries each one against a user account.

Question 67

How does a brute force attack differ from a dictionary attack?

Answer 67

A brute force attack tries all possible combinations of characters until it finds the correct password, while a dictionary attack uses a predefined list of common passwords.

Question 68

What is password spraying?

Answer 68

Password spraying involves using a single password against multiple user accounts to avoid triggering account lockouts and then cycling through a list of passwords.

Question 69

What is the purpose of enabling account lockout settings?

Answer 69

Account lockout settings disable an account after a certain number of failed login attempts to prevent unauthorized access through brute force or dictionary attacks.

Question 70

What is the command to perform a dictionary attack using Hydra against an RDP server in Kali Linux?

Answer 70

The command is hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://<target_IP>.</target_IP>

Question 71

Why is it important to avoid exposing services like RDP directly to the internet?

Answer 71

Exposing services like RDP to the internet makes them easy targets for automated attacks and unauthorized access attempts.

Question 72

How can multi-factor authentication (MFA) help mitigate password attacks?

Answer 72

MFA adds an additional layer of security, requiring not only the password but also a second form of verification, making it harder for attackers to gain access.

Question 73

What is a bot in cybersecurity?

Answer 73

A bot is an infected machine under the control of a malicious user, often referred to as a zombie.

Question 74

What is a botnet?

Answer 74

A botnet is a network of infected machines (bots or zombies) under the control of a single malicious actor.

Question 75

What is a command and control (C2) server?

Answer 75

A C2 server is a central server used by an attacker to send commands and control infected machines (bots) within a botnet.

Question 76

How do infected bots usually communicate with a command and control server?

Answer 76

Infected bots often reach out to the C2 server themselves, bypassing firewall restrictions that might prevent the attacker from directly connecting to the bots.

Question 77

What is a DNS TXT record and how can it be misused by attackers?

Answer 77

A DNS TXT record is normally used for storing text information to verify domain ownership. Attackers can misuse it to store and retrieve commands for infected bots.

Question 78

What is the Tor network, and how do attackers use it?

Answer 78

The Tor network anonymizes internet traffic, making it difficult to trace. Attackers use it to hide the origin of their communications with C2 servers.

Question 79

How can intrusion detection systems (IDS) help detect botnet activity?

Answer 79

IDS can detect unusual outbound traffic patterns, such as multiple bots reaching out to the same C2 server, and raise alerts.

Question 80

In Wireshark, what would a suspicious DNS query for a TXT record indicate?

Answer 80

It may indicate that a bot is retrieving commands from a DNS TXT record, which is not typical behavior for most clients.

Question 80

What is the significance of filtering DNS traffic in Wireshark?

Answer 80

Filtering DNS traffic helps identify unusual queries, such as those for TXT records, which can be indicative of botnet activity.

Question 80

What tool can be used to analyze packet captures for suspicious activity?

Answer 80

VirusTotal can be used to upload and analyze packet captures for suspicious activity, using various antivirus and intrusion detection engines.

Question 81

What is Snort and how does it help in intrusion detection?

Answer 81

Snort is an open-source intrusion detection system (IDS) that analyzes network traffic and raises alerts for suspicious activity.

Question 82

What might Snort alerts indicating commands being sent over DNS TXT record queries suggest?

Answer 82

These alerts suggest that a botnet might be using DNS TXT records to receive commands from a C2 server, indicating a potential botnet communication.

Question 83

What is RAID in the context of IT?

Answer 83

RAID (Redundant Array of Inexpensive Disks) is a technology that combines multiple physical disks into one logical unit for improved performance and/or redundancy.

Question 84

Why is RAID important for security and availability?

Answer 84

RAID enhances data availability, a key component of the CIA triad in cybersecurity, by ensuring data remains accessible even in the event of disk failures.

Question 85

What is the difference between hardware RAID and software RAID?

Answer 85

Hardware RAID uses dedicated controllers for better performance and reliability, while software RAID relies on the operating system to manage the RAID configuration.

Question 86

What is RAID 0, and what are its benefits and drawbacks?

Answer 86

RAID 0, or disk striping, improves performance by spreading data across multiple disks, but offers no redundancy; if one disk fails, all data is lost.

Question 87

What is RAID 1, and how does it ensure data availability?

Answer 87

RAID 1, or disk mirroring, duplicates data on two disks, providing high availability because if one disk fails, the other can still provide all the data.

Question 88

Describe RAID 5 and its advantages.

Answer 88

RAID 5 uses disk striping with distributed parity, offering both improved performance and fault tolerance. It can survive a single disk failure by using parity information to rebuild data.

Question 89

How does RAID 6 differ from RAID 5?

Answer 89

RAID 6 is similar to RAID 5 but with an additional parity block, allowing it to tolerate the failure of two disks, enhancing data redundancy and availability.

Question 90

Explain the concept of RAID 10.

Answer 90

RAID 10 combines RAID 1 and RAID 0 by mirroring data for redundancy and then striping it for performance. It requires a minimum of four disks and provides both high availability and performance benefits.

Question 91

What is a storage area network (SAN), and how does it relate to RAID?

Answer 91

A SAN is a dedicated network that provides access to consolidated storage. RAID can be configured within a SAN to enhance performance and ensure data availability.

Question 92

How does a host bus adapter (HBA) function in a SAN?

Answer 92

An HBA is a card installed in a server that connects it to a SAN, enabling the server to communicate with storage arrays over high-speed networks like Fibre Channel.

Question 93

What is the purpose of a Fibre Channel switch in a SAN?

Answer 93

A Fibre Channel switch connects servers and storage devices within a SAN, allowing for high-speed data transfer and redundancy in the storage network.

Question 94

Describe the process of setting up a software RAID 1 in Windows Server.

Answer 94

In Windows Server, use the Disk Management tool to select two unallocated disks, create a new mirrored volume, assign a drive letter, and format the disks. This configures a RAID 1 array, ensuring data is mirrored for redundancy.

Question 95

Why is limiting physical access to hardware crucial for security?

Answer 95

Physical access to hardware allows a malicious user to bypass many security controls and directly manipulate or steal data from the system.

Question 96

What are some physical security measures to protect hardware?

Answer 96

: Measures include alarms, sensors, secure door locks, non-forgeable access cards, and limiting the use of removable media.

Question 97

How does encryption help protect physical hardware from malicious actors?

Answer 97

Encrypting disks ensures that even if a physical disk is stolen, the data remains inaccessible without the decryption key.

Question 98

What is the role of group policy in securing removable storage media in Windows?

Answer 98

Group policy can be used to deny read and write access to removable storage media, preventing unauthorized use of USB drives and other devices.

Question 99

What is firmware, and why is updating it important for security?

Answer 99

Firmware is the software that provides low-level control for a device’s hardware. Updating firmware is crucial to patch security vulnerabilities and improve functionality.

Question 100

What is a USB data blocker?

Answer 100

: A USB data blocker allows only power to be transmitted through a USB connection, preventing data transfer and protecting devices from potential malware infections.

Question 101

What is TPM and how does it enhance hardware security?

Answer 101

Trusted Platform Module (TPM) is a hardware-based security feature that ensures the integrity of the boot process and can store cryptographic keys, enhancing overall system security.

Question 102

How can a denial of service (DoS) attack affect hardware?

Answer 102

A DoS attack can make hardware unusable by overwhelming it with traffic or exploiting vulnerabilities to crash the system, affecting availability.

Question 103

What is Nic teaming and how does it improve hardware availability?

Answer 103

Nic teaming involves using multiple network interface cards in a host to ensure network connectivity even if one card fails, thus improving network reliability and availability.

Question 104

Why are uninterruptible power supplies (UPS) important for hardware security?

Answer 104

UPS devices provide backup power to hardware during outages, ensuring systems stay up long enough to shut down gracefully, thus preventing data loss and hardware damage.

Question 105

What is a power distribution unit (PDU), and how does it help in securing hardware?

Answer 105

A PDU distributes electrical power to multiple devices within a rack, often with redundancy to ensure continued operation if one power source fails.

Question 106

How does load balancing contribute to hardware availability in a network?

Answer 106

Load balancing distributes network or application traffic across multiple servers or resources, ensuring no single device is overwhelmed and enhancing overall system reliability.

Question 107

What security measures can be taken to secure data in cloud computing?

Answer 107

Measures include using multiple network connections for redundancy, load balancing for high availability, and replicating data across regions for data redundancy.

Question 108

What is EDR in cybersecurity?

Answer 108

Endpoint Detection and Response (EDR) is a system that monitors endpoints (user devices, firewalls) for suspicious activity, including malware, and triggers alarms or notifications to users and administrators.

Question 109

What is the primary purpose of a host-based firewall?

Answer 109

A host-based firewall limits incoming and outgoing traffic on an individual device, providing an additional layer of protection by controlling network communications.

Question 110

Why is real-time protection important in antivirus software?

Answer 110

Real-time protection continuously monitors the system for malware and other threats, detecting and blocking them as they occur, preventing infections from spreading.
Flashcard 4:

Question 111

What is the role of centralized management in enterprise malware solutions?

Answer 111

Centralized management allows administrators to monitor and manage security incidents across all endpoints from a single console, improving response times and coordination.

Question 112

What is a dictionary attack?

Answer 112

A dictionary attack involves using a precompiled list of common passwords to attempt to gain unauthorized access to user accounts.

Question 113

How does a brute force attack differ from a dictionary attack?

Answer 113

A brute force attack tries all possible combinations of characters until it finds the correct password, while a dictionary attack uses a specific list of potential passwords.

Question 114

What is a password spraying attack?

Answer 114

Password spraying involves using a single password attempt against many different user accounts before trying a second password, to avoid account lockout mechanisms.

Question 115

What is a Host Intrusion Detection System (HIDS)?

Answer 115

HIDS monitors a host for suspicious activity, such as unusual log file entries or network traffic, and can alert administrators of potential security incidents.

Question 116

How does Host Intrusion Prevention System (HIPS) enhance security compared to HIDS?

Answer 116

HIPS not only detects suspicious activity but also takes active steps to block or stop the activity, such as blocking IP addresses or preventing certain actions on the host.

Question 117

What is a next-generation firewall (NGF)?

Answer 117

NGF is an advanced firewall that includes traditional packet filtering, deep packet inspection, intrusion detection and prevention, and other security features in one appliance.

Question 118

What is the difference between an allow list and a block list in security configurations?

Answer 118

An allow list (whitelist) specifies what is permitted (e.g., apps, traffic), while a block list (blacklist) specifies what is denied or blocked.

Question 119

Why is it important to use both virus scanners and host-based firewalls?

Answer 119

Virus scanners detect and remove malware within the system, while host-based firewalls control network traffic to and from the device, providing comprehensive protection.

Question 120

What are the risks of disabling real-time protection in antivirus software?

Answer 120

Disabling real-time protection can allow malware to be downloaded and executed on the system without immediate detection, increasing the risk of infection.

Question 121

What is a USB data blocker, and why is it useful?

Answer 121

A USB data blocker allows only power to be transmitted through a USB connection, preventing data transfer and protecting devices from potential malware infections when charging.

Question 122

What does TPM stand for, and what is its role in security?

Answer 122

TPM stands for Trusted Platform Module, a hardware component that ensures the integrity of the boot process and can store cryptographic keys, enhancing system security.

Question 123

What does Full Disk Encryption (FDE) ensure?

Answer 123

FDE ensures that all data on a hard drive, including files and the operating system, is encrypted, preventing access without the right decryption key.

Question 124

How does Partition Encryption differ from Full Disk Encryption?

Answer 124

Partition Encryption encrypts individual partitions or sections of a hard drive, allowing some sections to be encrypted while others remain unencrypted.

Question 125

What is File Encryption used for?

Answer 125

File Encryption is used to encrypt individual files, ensuring that even if someone gains access to the computer, they cannot read the files without the decryption key.

Question 126

What is Volume Encryption?

Answer 126

Volume Encryption encrypts an entire volume or logical data unit, such as a section of a hard drive, an external hard drive, or a virtual drive.

Question 127

How does Database Encryption secure data?

Answer 127

Database Encryption involves encrypting the entire database, making all information stored within it unreadable without the appropriate decryption key.

Question 128

What is Record Encryption?

Answer 128

Record Encryption refers to encrypting individual entries or records within a database, protecting specific sets of related data even if the database is accessed

Question 129

What analogy can be used to describe Full Disk Encryption?

Answer 129

Full Disk Encryption is like putting a big lock on an entire library building, so no one can access any book inside without the proper key.

Question 130

How is Partition Encryption similar to securing sections in a library?

Answer 130

Partition Encryption is like putting a lock on specific sections of a library (e.g., fiction, nonfiction), allowing access to some sections while keeping others locked.

Question 131

Describe File Encryption using a library analogy.

Answer 131

File Encryption is like putting a lock on a single book inside a library; even if someone can access the section, they can’t read the locked book without the key.

Question 132

Using a library analogy, explain Volume Encryption.

Answer 132

Volume Encryption is like locking an entire shelf or rack in the library; only those with the right key can access the books on that shelf.

Question 133

Explain Database Encryption using a library analogy.

Answer 133

Database Encryption is like locking a special room in the library containing rare manuscripts, ensuring that the entire collection is secure and unreadable without the key.

Question 134

How does Record Encryption function within a database?

Answer 134

Record Encryption ensures that even if someone accesses the database, individual records remain protected and unreadable without the proper key.

Question 135

Why is endpoint encryption crucial for organizations?

Answer 135

Endpoint encryption ensures that sensitive data is protected from unauthorized access, even if the device is stolen or accessed physically.

Question 136

What are the benefits of encrypting data at various levels (disk, partition, file, volume, database, record)?

Answer 136

Encrypting data at various levels provides multiple layers of security, protecting against unauthorized access to different types of data and ensuring privacy.