CompTIA Security+

Question 1

Each piece of Malware has 2 steps

Answer 1

Propagation and Payload

Question 2

What is the propagation method of a Virus?

Answer 2

Spreads by human action. User education can prevent this.

Question 3

What is the propagation method of a worm?

Answer 3

Spread by themselves. Best way to defend is to update and patch.

Question 4

What is the propagation method of a Trojan horse?

Answer 4

Disguise themselves as good programs. Act as advertised when run. Deliver a payload behind the scenes. App control provides a good defence.

Question 5

What is a RAT?

Answer 5

A remote access trojan. It allows attackers to control systems.

Question 6

What are the kinds of payloads that can be delivered?

Answer 6

Adware, Spyware, Ransomware

Question 7

What are the characteristics and mechanisms of Adware?

Answer 7

Malware that displays advertisements.

• Changing the default search engine
• Displays pop up advertisements
• Replacing legitimate ads with other ads

Question 8

What are the characteristics and mechanisms of Spyware?

Answer 8

Gathers information without the user knowing.

• Logging keystrokes
• Monitoring Web Browsing
• Searches hard drives and cloud storage

Question 9

What are the characteristics and ways to prevent Ransomware?

Answer 9

Blocks access until the ransom is paid

• Anti Malware Software
• Security patches
• User Education

Question 10

What types of malicious code are there?

Answer 10

Backdoors, Logic bomb, Advanced Malware, Rootkits (User Mode and Kernal mode), Polymorphic viruses, Armoured Viruses, Botnets, Advanced persistent threats.

Question 11

What are advanced persistent threats?

Answer 11

Well funded, highly skilled groups that are typically government sponsored. They have access to zero days and sophisticated weapons

Question 12

What is ethical disclosure

Answer 12

Disclosing to the vendor when you have discovered a vulnerability.

Question 13

How would you differentiate between adversaries?

Answer 13

Internal and External attackers, Level of sophistication, access to resources, motivation, intent

Question 14

What kind of hackers are there?

Answer 14

Script Kiddies, Hactivists, organised crime, competitors, Nation states

Question 15

How to you prevent against insider threats?

Answer 15

Implement HR practices: Background checks, principal of least privilege, Separation of duties, Mandatory holidays.
Behavioural indicatiors: Taking work materials home, interest in issues outside of responsibility, duplication of materials, strange network access patterns, using personal hardware.

Question 16

What is a denial of service attack?

Answer 16

Making a resource unavailable for long periods of time, sends huge numbers of requests to a server, hard to distinguish between legit requests.

Question 17

What are the limitations of DOS attacks?

Answer 17

Require a substantial amount of bandwidth, easy to block.

Question 18

What is a DDOS attack?

Answer 18

Distribution denial of service (DDOS) is a DOS attack that leverages a botnet to overwhelm a target.

Question 19

What is a smurf attack?

Answer 19

Where the attacker sends echo requests to the broadcast address of a 3rd party server using a fake source address. The fake address is actually the real IP of the victim.

Question 20

What is am amplified DDOS attack?

Answer 20

The attacker choses requests that have very large responses so they can send in lots of very small requests and generate a lot of noise on the other side.

Question 21

What is the amplification factor?

Answer 21

The degree to which the attack increases in size - Reply/Request=Amplification.

Question 22

What is an eavesdropping attack?

Answer 22

There is where the attacker relies on a compromised communications path (which is done with Network device tapping, ARP poisoning or DNS poisoning) to listen in.

Question 23

What is a man in the middle attack?

Answer 23

The attacker tricks the system during the initial communication using DNS or ARP poisoning to force the user to connect directly with the attacker, then the legitimate server. The user however connects with a fake server and the attacker acts as the relay. MITM browser attacks exploit flaws in browsers and plugins.

Question 24

What is a replay attack?

Answer 24

Uses previously captured data such as encrypted authentication tokens to create a separate connection to the server which is authenticated but doesn’t involve the end user.

Question 25

How do you prevent eavesdropping attacks?

Answer 25

Use tokens and timestamps

Question 26

What is a Christmas tree attack?

Answer 26

Where all the flags in a network packets headers are set to 1111111- some systems crash and cant handle the fact that all flags have been set

Question 27

Domain name service (DNS)

Answer 27

A service that translates common domain name into an IP Address for the purpose of network routing

Question 28

What is DNS poisoning?

Answer 28

Disrupting normal DNS operations by providing false results. Attacker inserts incorrect DNS records at any point along the hierarchy. They can then redirect traffic to the attackers system. The attackers system includes a web server designed to closely resemble the legit server.

Question 29

Address resolution protocol (ARP)

Answer 29

A protocol that translates logical IP addresses into the hardware MAC address on LANs

Question 30

What is ARP poisoning?

Answer 30

Disrupting normal ARP operations by providing false results. Attacker inserts false ARP records so they can redirect traffic back to their server. Only works on LANs

Question 31

What is TypoSquatting (URL Hijacking)?

Answer 31

An attack that relies on people making simple typing mistakes. Consists of registering similar domain names in hopes that the user will make a typo.

Question 32

What is a MAC spoofing attack?

Answer 32

It alters hardware addresses. Anyone with Admin access to a system can change its MAC address

Question 33

What is an IP spoofing attack?

Answer 33

Alters the IP address. Anyone with system admin privileges can alter an IP address.

Question 34

Ingress filtering

Answer 34

Blocks incoming traffic from external networks bearing an internal source IP address.

Question 35

Egress filtering

Answer 35

Blocks outbound traffic from internal network bearing a source IP address you don’t control.

Question 36

/etc/password: Removed passwords

Answer 36

Can remove publicly accessible EXE > Passwords are stored in shadow files. They can be locked down and are highly restricted.

Question 37

Hash function

Answer 37

• Must produce a completely different output for each input
• Must be computationally difficult to retrieve the input from the output
• Must be computationally difficult to find 2 different inputs that generate the same output.

Question 38

The Birthday problem

Answer 38

An occurrence where the collisions become rather common with large samples.

Question 39

Brute force attacks

Answer 39

Attacker guesses all possibilities for the password and keeps battering the system.

Question 40

Dictionary attacks

Answer 40

Try all English words first

Question 41

Hybrid password attacks

Answer 41

Adds variations to the tries EG: Year, Day, Season etc

Question 42

Rainbow table attacks

Answer 42

Precomputes hashes to try and crack the password

Question 43

Brute force cryptographic attacks

Answer 43

Attacker separately guesses the keys that are being used. Also known as Ciphertext attacks.

Question 44

Simple shift cipher

Answer 44

With a shift of 1, A’s become B’s, B’s become C’s etc.

Question 45

What is a keyspace?

Answer 45

The set of all possible encryption keys usable with an algorithm.
EG: 56 bit DES = 72 quadrillion keys

Flawed algorithms may still be susceptible to brute force attacks.

Question 46

Frequency analysis

Answer 46

Detects patterns in Cypher text - studies the patterns of letters in cypher text.

Question 47

Known Plaintext attack

Answer 47

Attacker has access to an unencrypted message

Question 48

Chosen Plaintext attack

Answer 48

Attacker can create an encrypted message of his/her choice.

Question 49

Downgrade attack

Answer 49

Attacker forces 2 systems to use weak cryptographic implementations.

Question 50

Watering hole attacks

Answer 50

Websites spread malware effectively.

• Users trust websites they frequently visit
• Browsers and addons have vulnerabilities
• Users are conditioned to just click “OK”

Limits:

• Attackers can’t just build their own websites
• Why would users visit the attackers sites
• Content filtering can block known malware sites

How a watering hole attack works:

1) Identify and compromise a highly used site
2) Chose a client exploit and bundle in a botnet
3) Place the malware on the compromised site
4) Sit back and wait for infected systems to phone home.

Question 51

Wireless networking

Answer 51

Governed by IEEE 802.11 standard.
Uses plaintext service set identifies (SSID)
Uses beaconing to advertise to other devices.

Question 52

Security concerns over wireless networking

Answer 52

Wireless networking uses radio signals that anyone can pluck out of the air

Question 53

Wireless encryption

Answer 53

Protects confidentiality of communication.
Prevents eavesdropping.
Allows use of insecure transmission methods.

Question 54

Wi-Fi encryption options

Answer 54

1) Use no Encryption
2) Wired equivalent privacy (WEP) - uses a static key
3) Wi-Fi protected access (WPA) - Uses temportal jet integrity protocol (TKIP)
4) WPA2 uses advanced encryption standard (AES) via CCMP

WEP attacks depend on capturing initialisation vectors (IVs)

Question 55

Is WPA Secure?

Answer 55

• Known attacks allow injection of packets and some limited decryption
• These attacks work against TKIP principals
• Play it safe and use WPA2

Question 56

Wi-Fi protected Setup (WPS)

Answer 56

• WPS allows quick set up of devices
• 2 methods for establishing connections:
  - Pressing the button on devices
  - Use 8 WPS pin

Question 57

WPS attacks

Answer 57

Flaws in WPS make it trivial to guess the pin.
Though there are 10,000,000 possibilities, a flaw requires only 11000 guesses.
Got the pin? You can now get WEP/WPA/WPA2 key
Pin can’t be changed.

Question 58

Jamming and interface attacks

Answer 58

• Denial of service attacks are easy on wireless
• The radio spectrum is open, but in a limited account
• The loudest signal always wins, so it doesn’t take much to interfere with signals.

Question 59

War driving attacks

Answer 59

Attackers cruise neighbourhoods and commercial areas, using tools that capture Wi-Fi networks.

Question 60

Rogue access points

Answer 60

Can bypass other wireless authentication methods.

Question 61

Rogue access points detection

Answer 61

Enterprise grade wireless has built in intrusion detection capabilities.
Unknown radios on the network can be identified.
Handheld tools can pinpoint these.

Question 62

Evil twins

Answer 62

Easy victims: Linksys, Homes

Question 63

Karma Toolkit

Answer 63

• Automates the evil twin process
• Searches for adjacent networks
• Creates a matching fake network
• Redirects traffic to phony sites and captures credentials

Question 64

DE Authentication frame

Answer 64

Immediately disconnects clients
Source: Wireless AP
Destination: Laptop
Process Deauthenticate

Question 65

Dissassociation attack goals

Answer 65

• Gather authentication information for cryptographic attacks
• Conduct denial of service attacks on wireless networks

Question 66

Near field communications (NFC) attacks

Answer 66

It is used for very short range links between devices (30-50 feet).
Most common attack is on bluetooth

Question 67

What is Bluejacking?

Answer 67

• An attacker sends bluetooth spam to users devices
• The attacker tries to entice the user into taking some action
• This is essentially Bluetooth spam and phishing

Question 68

What is Bluesnarfing?

Answer 68

Attacker exploits firmware flaw in older bluetooth devices.
Attacker forces pairing between devices.
The connection grants access to the device.

Question 69

NFC Security

Answer 69

Turn off discoverable mode when not in use.
Apply firmware updates
Watch out for suspicious activity

Question 70

Security concerns

Answer 70

Business wants strong authentication and encryption to protect to protect the integrity of the RFID system.
Consumers want privacy safeguards to protect their personal info.

Question 71

Application Security hardening

Answer 71

Use proper authentication
Encrypt sensitive data
Validate user input
Avoid and remediate known issues

Question 72

Application configuration

Answer 72

• Type and scope of encryption
• Users with access to the application
• Access granted to authorised users
• Security of underlying infrastructure

Configurnig baselines allows quick identification and remediation of security gaps

Question 73

How to prevent against SQL injection attacks?

Answer 73

Validate all user input

Question 74

Other injection attacks

Answer 74

LDAP injection
XML injection
Command injection (Arbitrary code execution)

Question 75

Cross site scripting (XSS)

Answer 75

This attack occurs when an attacker embeds malicious scripts into 3rd party websites that are later run by visitors to that site.

Question 76

Imbedding scripts into a website

Answer 76

the tag allows devs to embed code into a page
EG:

Alert (“This site is under construction”) ;

Question 77

Cross site request forgery (CSRF, XSRF and “Sea Surf”)

Answer 77

XSRF attacks leverage the fact that users are often logged into multiple sites at the same time and use one site to trick the browser into sending malicious requests to another site without the user knowing.

Question 78

Defending against XSRF

Answer 78

Re-architect web applications
Prevent the use of HTTP GET requests
Advise users to log out of sites
Automatically log out users after an idle period

Question 79

What is clickjacking?

Answer 79

An attack where the attacker hides elements of a web page behind other elements so that a user cannot see what he or she is actually clicking.

Question 80

What is cursorjacking?

Answer 80

A specialised form of clickjacking that tricks the user about the cursors location on the screen

Question 81

Defending against Directory Traversal attacks

Answer 81

• Use input validation to prevent the inclusion of periods in user requests
• Implement strict file access controls to limit the web servers ability to read files

Question 82

Buffer overflow attacks

Answer 82

Occurs when develops dont put limits of what can be selected in a field within a web application. An attacker could enter a number with 10000000 digits in which is far beyond the limits of a web server and could cause it to show sensitive information.

Question 83

What are cookies?

Answer 83

Small pieces of content that can track users between sites. They are essentially data stored by websites in browsers.
They are useful to recognise users.
They are used to remember information.

Question 84

Privacy risks with using cookies

Answer 84

Cookies can be used across different websites.
Can track user activity
If you log into a site, everything is de-anonymised.

Question 85

Session hijacking

Answer 85

Cookie values are weak if guessable.
We can figure out users authentication cookies by looking at trends and similarities between cookies.
Once you have worked out the authentication cookie, you can login to the account using header manipulation - You can change the JSESSIONID to include the authentication cookie at the end.

Question 86

What are add-ons?

Answer 86

Also known as extensions
Add new functionality to browsers and other software
Are written and developed by 3rd parties

Question 87

Security risks with Add ons

Answer 87

You may not know who wrote the code
Trojans may perform malicious secondary activity
Permissions may be overly broad

Question 88

What are code execution attacks?

Answer 88

They occur when an attacker exploits a vulnerability in a system that allows the attacker to run commands on that system

EG: A public facing web server must open port 80 and 443 to work, which could open the opportunity for attackers to exploit vulnerabilities in unpatched servers

Question 89

Arbitrary code execution

Answer 89

Code execution attacks where the attacker runs commands of his/her choice.

Question 90

Remote code execution

Answer 90

Code execution attacks that take place over a network connection

Question 91

Code execution objectives

Answer 91

• Install malicious code
• Join a system to a botnet
• Steal sensitive information
• Create accounts for later access

Question 92

Defending against code execution attacks

Answer 92

Limit admin access

Patch systems and applications

Question 93

What is a device driver

Answer 93

Serves as the software interface between hardware devices and the operating system
Device drivers require low level access to the operating system

Question 94

What is refactoring a device driver?

Answer 94

Modifying a driver to carry out malicious activities

This requires access to the drivers source code

Question 95

What is shimming a Device driver?

Answer 95

Wrapping a legitimate driver with a malicious shim

Does not require access to the source code of the driver.

Question 96

How to protect against malicious drivers?

Answer 96

Code signing protects against malicious drivers

Question 97

What is error handling in code?

Answer 97

Avoids unpredictable states by providing the computer with explicit instructions if something unpredictable were to happen

Question 98

Social engineering

Answer 98

Use psychological tricks to manipulate people into divulging information or performing an action that undermines security

Question 99

Main reasons social engineering attacks are successful

Answer 99

1) Authority - People defer to authority
2) Intimidation - Scaring people into doing what you want
3) Consensus - The herd mentality
4) Scarcity - Getting the last one
5) Urgency - Time is running out
6) Familiarity - We say yes to people we like

Question 100

What is Spam?

Answer 100

Unsolicited commercial Emails

Question 101

What is phishing?

Answer 101

Targeting users to steal credentials

Question 102

What is Spear phishing?

Answer 102

a Very targeted Phish

Question 103

What is Whaling?

Answer 103

Targeting executives with phishing emails

Question 104

What is Pharming?

Answer 104

Using Fake websites and going to great lengths to make it look legitimate

Question 105

Which is Vishing?

Answer 105

Voice Phishing

Question 106

What is Spim?

Answer 106

Instant Messaging spam

Question 107

What is spoofing?

Answer 107

Faking an identity

Question 108

Shoulder surfing

Answer 108

Attacker simply looks over the shoulder of the victim

Question 109

Trash

Answer 109

Social engineers love going through peoples trash to see what they can find

Question 110

Tailgating

Answer 110

This can be as simple as holding doors open to let attackers gain access to areas

Question 111

Vulnerability assessment tools

Answer 111

• Passive tools
  - Obscure activity
• Active tools
  - Interact with machines

Question 112

Honeypots

Answer 112

Attractive decoy machines put in by administrators

Question 113

Honeynets

Answer 113

Decoy networks, similar to honeypots

Question 114

Protocol analysers

Answer 114

Peek into network traffic (EG: wireshark)

Question 115

Scanning for vulnerabilities

Answer 115

1. Port Scanners
2. Vulnerability scanners
3. Application scanners