Chapter 7 Protecting Against Advanced Attacks

Question 1

A DoS attack is an attack launched from a single system and attempts to disrupt services.

Answer 1

DDoS attacks are DoS attacks from multiple computers. DDoS attacks typically include sustained, abnormally high network traffic.

Question 2

Spoofing attacks attempt to impersonate another system. MAC address spoofing changes the source MAC address and IP spoofing changes the source IP address.

Answer 2

ARP poisoning attacks attempt to mislead computers or switches about the actual MAC address of a system. They can be used to launch a man-in-the-middle attack.

Question 3

DNS poisoning attacks modify DNS data and can redirect users to malicious sites. Many DNS servers use DNSSEC to protect DNS records and prevent DNS poisoning attacks.

Answer 3

Amplification attacks send increased traffic to, or request additional traffic from, a victim.

Question 4

Password attacks attempt to discover passwords. A brute force attack attempts to guess all possible character combinations and a dictionary attack uses all the words and character combinations stored in a file. Account lockout policies thwart online brute force attacks and complex passwords thwart offline password attacks.

Answer 4

Passwords are often stored as a hash. Weak hashing algorithms are susceptible to collisions, which allow different passwords to create the same hash.

Question 5

In a pass the hash attack, the attacker discovers the hash of the user’s password and then uses it to log on to the system as the user.

Answer 5

In a birthday attack, an attacker is able to create a password that produces the same hash as the user’s actual password. This is also known as a hash collision.

Question 6

A hash collision occurs when the hashing algorithm creates the same hash from different passwords.

Answer 6

Password salting adds additional characters to passwords before hashing them and prevents many types of attacks, including dictionary, brute force, and rainbow table attacks.

Question 7

Replay attacks capture data in a session with the intent of using information to impersonate one of the parties. Timestamps and sequence numbers thwart replay attacks.

Answer 7

A known plaintext attack is possible if an attacker has both the plaintext and the ciphertext created by encrypting the plaintext. It makes it easier to decrypt other data using a similar method.

Question 8

Attackers buy domain names with minor typographical errors in typo squatting (also called URL hijacking) attacks. The goal is to attract traffic when users enter incorrect URLs. Attackers can configure the sites with malware to infect visitors or configure the site to generate ad revenue for the attacker.

Answer 8

Clickjacking tricks users into clicking something other than what they think they’re clicking.

Question 9

Attackers utilize the user’s session ID to impersonate the user in a session ID attack.

Answer 9

Domain hijacking attacks allow an attacker to change the registration of a domain name without permission from the owner.

Question 10

A man-in-the-browser is a proxy Trojan horse that exploits vulnerable web browsers. When successful, it allows attacks to capture keystrokes and all data sent to and from the browser.

Answer 10

A driver shim is additional code that can be run instead of the original driver.

Question 11

Attackers exploiting unknown or undocumented vulnerabilities are taking advantage of zero-day vulnerabilities. The vulnerability is no longer a zero-day vulnerability after the vendor releases a patch to fix it.

Answer 11

Buffer overflows occur when an application receives more data, or unexpected data, than it can handle and exposes access to system memory. Integer overflow attacks attempt to use or create a numeric value bigger than the application can handle.

Question 12

Buffer overflow attacks exploit buffer overflow vulnerabilities. A common method uses NOP instructions or NOP sleds such as a string of x90 commands. Two primary protection methods against buffer overflow attacks are input validation and keeping a system up to date.

Answer 12

Compiled code has been optimized by an application and converted into an executable file. Runtime code is code that is evaluated, interpreted, and executed when the code is run.

Question 13

A common coding error in web-based applications is the lack of input validation.

Answer 13

Input validation checks the data before passing it to the application and prevents many types of attacks, including buffer overflow, SQL injection, command injection, and cross-site scripting attacks.

Question 14

Server-side input validation is the most secure. Attackers can bypass client-side input validation, but not server-side input validation.

Answer 14

Race conditions allow two processes to access the same data at the same time, causing inconsistent results. Problems can be avoided by locking data before accessing it.

Question 15

Error-handling routines within applications can prevent application failures and protect the integrity of the operating systems. Error messages shown to users should be generic, but the application should log detailed information on the error.

Answer 15

Code signing uses a digital signature within a certificate to authenticate and validate software code.

Question 16

Code quality and testing techniques include static code analysis, dynamic analysis (such as fuzzing), stress testing, sandboxing, and model verification.

Answer 16

Software development life cycle (SDLC) models provide structure for software development projects. Waterfall uses multiple stages with each stage feeding the next stage. Agile is a more flexible model and it emphasizes interaction with all players in a project.

Question 17

Secure DevOps is an agile-aligned methodology. It stresses security throughout the lifetime of the project.

Answer 17

Common web servers are Apache (running on Linux) and Internet Information Services (running on Microsoft servers).

Question 18

Databases are optimized using a process called normalization. A database is considered normalized when it conforms to the first three normal forms.

Answer 18

SQL injection attacks provide information about a database and can allow an attacker to read and modify data within a database. Input validation and stored procedures provide the best protection against SQL injection attacks.

Question 19

Cross-site scripting (XSS) allows an attacker to redirect users to malicious web sites and steal cookies. It uses HTML and JavaScript tags with < and > characters.

Answer 19

Cross-site request forgery (XSRF) causes users to perform actions on web sites without their knowledge and allows attackers to steal cookies and harvest passwords.

Question 20

XSS and XSRF attacks are mitigated with input validation techniques.

Answer 20

Frameworks are references that provide a foundation. Cybersecurity frameworks typically use a structure of basic concepts and provide guidance on how to implement security.

Question 21

Regulatory frameworks are based on relevant laws and regulations. A non-regulatory framework is not required by any law.

Answer 21

Some frameworks are used within a single country (and referred to as national frameworks), while others are used internationally.

Question 22

Some frameworks only apply to certain industries. As an example, organizations that handle credit cards typically comply with the Payment Card Industry Data Security Standard (PCI DSS).

Answer 22

Vendor-specific guides should be used when configuring specific systems.