Chapter 7 Protecting Against Advanced Attacks

Question 1

____ attacks typically include sustained, abnormally high network traffic

Answer 1

DDoS

Question 2

_______ occurs when one person or entity impersonates or masquerades as someone or something else.

Answer 2

Spoofing

Question 3

____ flood attacks disrupt the TCP handshake process and can prevent legitimate clients from connecting.

Answer 3

SYN

Question 4

True or False: In a SYN attack, the attacker never finishes the handshake sequence

Answer 4

True

The attacker floods the server with SYN packets but never sends the final ACK packets

Question 5

True or False: Attackers often spoof the source IP address when conducting SYN flood DoS attacks

Answer 5

True

Question 6

A ________ attack is a form of active interception or active eavesdropping. It uses a separate computer that accepts traffic from each party in a conversation and forwards the traffic between the two.

Answer 6

man-in-the-middle(MITM)

Question 7

_____ ______ is one way that an attacker can launch an MITM attack.

Answer 7

Address Resolution Protocol (ARP) poisoning

Question 8

Kerberos helps prevent man-in-the-middle attacks with ______ ______.

Answer 8

mutual authentication

Question 9

______ ______ is an attack that misleads computers or switches about the actual MAC address of a system.

Answer 9

ARP poisoning

Question 10

_____ resolves the IP addresses of systems to their hardware address and stores the result in an area of memory known as the ARP cache.

Answer 10

ARP

Question 11

True or False : The ARP request broadcasts the MAC address and essentially asks, “Who has this MAC address?”

Answer 11

False

It broadcasts the IP address

Question 12

True or False : The computer with the IP address in the ARP request responds with its MAC address. The computer that sent the ARP request caches the MAC address for the IP.

Answer 12

True

Question 13

True or False : In a man-in-the-middle attack, an attacker can redirect network traffic and, in some cases, insert malicious code.

Answer 13

True

Question 14

An attacker can also use ARP poisoning in a ____attack.

Answer 14

DoS

Question 15

The ____ ____ is the IP address of a router connection that provides a path out of the network.

Answer 15

default gateway

Question 16

True or False : If all the computers cache a bogus MAC address for the default gateway, a few of them can reach it.

Answer 16

False

None of them can reach the default gateway and it stops all traffic out of the network.

Question 17

A ___ ____ attack attempts to modify or corrupt DNS results.

Answer 17

DNS poisoning

Question 18

True or False : Many current DNS servers use Domain Name System Security Extensions(DNSSEC) to protect the DNS records and prevent DNS poisoning attacks.

Answer 18

True

Question 19

A ______ attack is another type of attack that manipulates the DNS name resolution process.

Answer 19

pharming

Question 20

True or False : Pharming attacks on the client computer modify the hosts file used on Windows systems.

Answer 20

True

Question 21

An _____ _____ is a type of DDoS attack which typically uses a method that significantly increases the amount of traffic sent to, or requested from, a victim.

Answer 21

amplification attack

Question 22

A _____ attack spoofs the source address of a directed broadcast ping packet to flood a victim with ping replies.

Answer 22

smurf

Question 23

__ amplification attacks send DNS requests to DNS servers spoofing the IP address of the victim.

Answer 23

DNS

Question 24

True or False : DNS poisoning attacks attempt to corrupt DNS data.

Answer 24

True

Question 25

True or False : Amplification attacks increase the amount of traffic sent to or requested from a victim and can be used against a wide variety of systems, including individual hosts, DNS servers, and NTP servers.

Answer 25

True

Question 26

A ____ ____ attack attempts to guess all possible character combinations.

Answer 26

brute force

Question 27

List the two types of brute force attacks

Answer 27

1. Online

2. Offline

Question 28

An ______ password attack attempts to discover a password from an _____ system.

Answer 28

online

Question 29

______ password attacks attempt to discover passwords from a captured database or captured packet scan.

Answer 29

Offline

Question 30

True or False : One of the first steps to thwart offline brute force attacks is to use complex passwords and to store the passwords in an encrypted or hashed format.

Answer 30

True

Question 31

A ______ attack is one of the original password attacks which uses a ______ of words and attempts every word in the _____ to see if it works.

Answer 31

dictionary

Question 32

_____ attacks attack the ____ of a password instead of the password.

Answer 32

Hash

Question 33

True or False : Most authentication protocols encrypt the password or the hash before sending it across the network.

Answer 33

True

Question 34

In a _______ attack, the attacker discovers the hash of the user’s password and then uses it to log on to the system as the user.

Answer 34

pass the hash

Question 35

True or False : Any authentication protocol that passes the hash over the network in an unencrypted format is susceptible to a pass the hash attack

Answer 35

True

Mostly associated with MS LAN Manager (LM) and NT LAN Manager (NTLM). Two older MS security protocols used to authenticate MS clients

Question 36

______ uses a number used once (nonce) on both the client and the authenticating server.

Answer 36

NTLMv2

Question 37

What is a better alternative to NTLM?

Answer 37

NTLMv2 or Kerberos

Question 38

In a ______ attack, an attacker is able to create a password that produces the same hash as the user’s actual password.

Answer 38

birthday

Question 39

A hash _____ occurs when the hashing algorithm creates the same hash from different passwords.

Answer 39

collision

Question 40

True or False : Birthday attacks on hashes are thwarted by decreasing the number of bits used in the hash to decrease the number of possible hashes.

Answer 40

False

Birthday attacks on hashes are thwarted by increasing the number of bits used in the hash to increase the number of possible hashes

Question 41

______ attacks are a type of attack that attempts to discover the password from the hash. It is a huge database of precomputed hashes.

Answer 41

Rainbow table

Question 42

______ passwords is a common method of preventing rainbow table attacks, along with other password attacks such as dictionary attacks.

Answer 42

Salting

Question 43

A ____ is a set of random data such as two additional characters.

Answer 43

salt

Question 44

True or False : Using additional characters add complexity to the password, and also result in a different hash than the system would create using only the original password. This causes password attacks that compare hashes to fail.

Answer 44

True

Question 45

A _____ attack is one where an attacker _____ data that was already part of a communication session. In this scenario, a third party attempts to impersonate a client that is involved in the original session.

Answer 45

replay

Question 46

True or False : Many protocols use timestamps and sequence numbers to thwart replay attacks.

Answer 46

True

Question 47

True or False : An attacker can launch a known plaintext attack if he has samples of both the plaintext and the ciphertext.

Answer 47

True

Question 48

A ____ plaintext attack uses targeted parts of a message to encrypt and match against entire ciphertext to determine the encryption algorithm being used.

Answer 48

chosen

Question 49

In a _______ only attack, the attacker doesn’t have any information on the plaintext.

Answer 49

ciphertext

Question 50

_____/______ occurs when someone buys a domain name that is close to a legitimate domain name.

Answer 50

Typo squatting/URL hijacking

Question 51

List a few reasons why attackers might buy a similar domain i.e. comptai.org vs original comptia.org

Answer 51

Hosting a malicious web site.
Earning ad revenue.
Reselling the domain.

Question 52

______ tricks users into clicking something other than what they think they’re clicking.

Answer 52

Clickjacking

Question 53

_____ hijacking takes advantage of ____ IDs stored in cookies.

Answer 53

Session

Question 54

True or False : Attackers can read cookies installed on systems through several methods, such as through cross-site scripting attacks (described later in this chapter). Once they have the session ID, they can insert it into the HTTP header and send it to the web site. If the web server uses this session ID to log the user on automatically, it gives the attacker access to the user’s account.

Answer 54

True

Question 55

A _______ is a type of proxy Trojan horse that infects vulnerable web browsers.

Answer 55

man-in-the-browser

Question 56

_____ provides the solution that makes it appear that the older drivers are compatible. A driver ____ is additional code that can be run instead of the original driver.

Answer 56

Shimming, shim

Question 57

______ code is the process of rewriting the internal processing of the code, without changing its external behavior.

Answer 57

Refactoring

Question 58

A _____ vulnerability is a weakness or bug that is unknown to trusted sources

Answer 58

zero-day

Question 59

A ________ is a bug in a computer application that causes the application to consume more and more memory the longer it runs.

Answer 59

memory leak

Question 60

An _______ attack attempts to use or create a numeric value that is too big for an application to handle.

Answer 60

integer overflow

Question 61

A _______ occurs when an application receives more input, or different input, than it expects. The result is an error that exposes system memory that would otherwise be protected and inaccessible.

Answer 61

buffer overflow

Question 62

True or False : If the attacker uses the buffer overflow to crash the system or disrupt its services, it is a DoS attack.

Answer 62

True

Question 63

True or False : A buffer overflow attack includes several different elements, but they happen all at once. The attacker sends a single string of data to the application. The first part of the string causes the buffer overflow. The next part of the string is a long string of NOPs followed by the attacker’s malicious code, stored in the attacked system’s memory. Last, the malicious code goes to work.

Answer 63

True

Question 64

True or False : Buffer overflows occur when an application receives more data than it can handle, or receives unexpected data that exposes system memory. Buffer overflow attacks often include NOP instructions (such as x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation helps prevent buffer overflow attacks.

Answer 64

True

Question 65

____ ____ is an attack that injects a DLL into a system’s memory and causes it to run.

Answer 65

DLL injection

Question 66

True or False : In a successful DLL injection attack, the attacker attaches to a running process, allocates memory within the running process, connects the malicious DLL within the allocated memory, and then executes functions within the DLL.

Answer 66

True

Question 67

____ ___ has been optimized by an application (called a compiler) and converted into an executable file..

Answer 67

Compiled code

Question 68

____ ___ is evaluated, interpreted, and executed when the code is run.

Answer 68

Runtime code i.e. HTML
Note: Python is a hybrid of compiled and runtime code. Code is initially compiled then accessed each time during runtime. If interpreter detects change in source code it recompiles it.

Question 69

____ ___ is the practice of checking data for validity before using it and is one of the most important security steps that developers should take.

Answer 69

Input validation

Question 70

_____ ____ prevents an attacker from sending malicious code that an application will use by either sanitizing the input to remove malicious code or rejecting the input.

Answer 70

Input validation

Question 71

True or False : Improper input handling (or the lack of input validation) is one of the most common security issues on web-based applications. It allows many different types of attacks, such as buffer overflow attacks, SQL injection, command injection, and cross-site scripting attacks.

Answer 71

True

Question 72

Preventing the use of specific characters (, = -) can be used to prevent _____ attacks

Answer 72

SQL injection attacks

Question 73

Preventing the use of special characters (< >) can be used to block _____ code

Answer 73

HTML

Question 74

True or False : Other input validation techniques attempt to sanitize HTML code before sending it to a web browser also referred to as escaping the HTML code or encoding the HTML code.

Answer 74

True

Question 75

True or False : Improper error handling can often give attackers information about an application.

Answer 75

True

Question 76

List two factors about error handling

Answer 76

1. Errors to users should be general.

2. Detailed information should be logged.

Question 77

True or False : Error and exception handling helps protect the integrity of the operating system and controls the errors shown to users. Applications should show generic error messages to users but log detailed information.

Answer 77

True

Question 78

True or False : Certificates can be used to authenticate and validate software code

Answer 78

True

Question 79

What are two benefits with code signing?

Answer 79

1. The certificate identifies the author

2. The hash verifies the code has not been modified

Question 80

___ ___ is code that is never executed or used

Answer 80

Dead code

Question 81

____ code analyzers examines the code without executing it

Answer 81

Static

Question 82

____ analysis checks the code as it is running

Answer 82

Dynamic

Question 83

____ uses a computer program to send random data to an application.

Answer 83

Fuzzing

Question 84

____ testing attempts to simulate a live environment and determine how effective or efficient an application operates with a load

Answer 84

Stress

Question 85

______ is an isolated area used for testing programs

Answer 85

Sandbox

Question 86

_____ _____ is the process of ensuring that software meets specifications and fulfills its intended purpose.

Answer 86

Model verification

Question 87

_____ models attempt to give structure to software development projects

Answer 87

Software development life cycle (SDLC)

Question 88

List two popular SDLC models

Answer 88

1. Waterfall

2. Agile

Question 89

______ model includes multiple stages going from top to bottom.

Answer 89

Waterfall

Question 90

List typical stages used with the waterfall model

Answer 90

1. Requirements
2. Design
3. Implementation
4. Verification
5. Maintenance

Question 91

True or False : A challenge with the waterfall method is that it is overly flexible

Answer 91

False

The waterfall method is said to lack flexibility

Question 92

_____ model uses a set of principles shared by cross-functional teams.

Answer 92

Agile

Question 93

True or False : Instead of strict phases, the agile model uses iterative cycles

Answer 93

True

Question 94

True or False : A key difference of the waterfall model is that emphasizes interaction between customers, developers, and testers during each cycle.

Answer 94

False

It is the agile model that does this.

Question 95

True or False : The agile model can be very effective if the customer has a clear idea of the requirements

Answer 95

True

Question 96

___ ____ is an agile-aligned methodology that stresses security throughout the lifetime of the project.

Answer 96

Secure DevOps

Question 97

_____ _____ helps ensure that developers do not make unauthorized changes.

Answer 97

Change management

Question 98

_____ ____ tracks the versions of software as it is updated, including who made the update and when.

Answer 98

Version control

Question 99

______ an application refers to preparing and configuring the application to launch on different devices and to use different application services.

Answer 99

Provisioning

Question 100

_______ an app refers to removing it from a device.

Answer 100

Deprovisioning

Question 101

List the two primary applications used for web servers

Answer 101

1. Apache is free and can run on UNIX, LINUX, and Windows systems
2. Internet Information Services (IIS) is a Microsoft product and is included free with any Windows Server product

Question 102

______ of a database refers to organizing the tables and columns to reduce redundant data and improve overall database performance.

Answer 102

Normalization

Question 103

True or False : A database is in First Normal Form 1NF if it meets the following criteria:

1. Each row within a table is unique and identified with a primary key
2. Related data is contained in a separate table
3. None of the columns include repeating groups

Answer 103

True

Question 104

True or False : A database is in Second Normal Form 2NF only applies to tables that have a composite key where two or more columns make up the full primary key.

Answer 104

True

Question 105

True or False : A database is in Second Normal Form 2NF if it meets the following criteria:

1. It is in 1NF
2. Non-primary key attributes are completely dependent on the composite primary key

Answer 105

True

Question 106

True or False : A database is in Third Normal Form 3NF if it meets the following criteria:

1. It is in 2NF and 1NF
2. All columns that aren’t primary keys are only dependent on the primary key.

Answer 106

True

Question 107

True or False : In many cases, a SQL injection attack starts by sending improperly formatted SQL statements to the system to generate errors.

Answer 107

True

Question 108

True or False : Attackers use SQL injection attacks to pass queries to back-end databases through web servers. Many SQL injection attacks use the phrase ‘ or ‘1’=’1’ – to trick the database server into providing information.

Answer 108

True

Question 109

_____ ____ is a specific type of command injection attack that attempts to access a file by including the full directory path, or traversing the directory structure.

Answer 109

Directory traversal

Question 110

_____ ____ ___ is another web application vulnerability that can be prevented with input validation techniques. Attackers embed malicious HTML or JavaScript code into a web site’s code. The code executes when the user visits the site.

Answer 110

Cross-site scripting (XSS)

Question 111

True or False : Cross-site scripting (XSS) attacks allow attackers to capture user information such as cookies. Input validation techniques at the server help prevent XSS attacks.

Answer 111

True

Question 112

______ is an attack where an attacker tricks a user into performing an action on a web site.

Answer 112

Cross-site request forgery (XSRF or CSRF)

Question 113

True or False : Cross-site request forgery (XSRF) scripting causes users to perform actions on web sites, such as making purchases, without their knowledge. In some cases, it allows an attacker to steal cookies and harvest passwords.

Answer 113

True

Question 114

A ______ is a structure used to provide a foundation.

Answer 114

Framework

Question 115

_____ ____ typically use a structure of basic concepts and they provide guidance to professionals on how to implement security in various systems.

Answer 115

Cybersecurity frameworks

Question 116

List some categories of frameworks

Answer 116

1. Regulatory frameworks based on relevant laws and regulations
2. Non-regulatory framework typically identifies common standards and best practices that organizations can follow. i.e. COBIT
3. Industry-specific i.e. PCI DSS for credit cards