CompTIA Security+ Flashcards 2

1
Q

Pass the Hash Attack

A

The attacker replays a captured password hash (for example a Windows NTLM hash) to authenticate as that user. The plaintext password is never needed, so password complexity does not help, and the hash stays valid until the password is changed.

2
Q

Internal vs. External

A

We most often think about the threat actors who exist outside our organizations: competitors, criminals, and the curious. However, some of the most dangerous threats come from within our own environments.

3
Q

Level of Sophistication/Capability

A

ranges from the unsophisticated/unskilled attacker simply running code borrowed from others to the advanced persistent threat (APT) actor exploiting vulnerabilities discovered in their own research labs and unknown to the security community.

4
Q

Resources/Funding

A

Just as threat actors vary in their sophistication, they also vary in the resources available to them. Highly organized attackers sponsored by organized crime or national governments often have virtually limitless resources, whereas less organized attackers may simply be hobbyists working in their spare time.

5
Q

Intent/Motivation

A

Attackers also vary in their motivation and intent. The unskilled attacker may be simply out for the thrill of the attack whereas competitors may be engaged in highly targeted corporate espionage.

6
Q

Nation-states

A

are government-sponsored actors who seek to achieve political, military, or economic objectives (by contrast, organized crime usually focuses on direct financial gain). Nation-state attackers typically hack into foreign governments or corporations and are among the best-resourced and most capable threat actors.

7
Q

Unskilled Attackers

A

The term script kiddie is a derogatory term for unskilled attackers who use hacking tools and techniques written by others but have limited skills of their own.

8
Q

Hacktivists

A

Hacktivists use hacking techniques to accomplish some activist goal, such as publicizing a cause or embarrassing an organization they oppose.

9
Q

Organized crime

A

appears in any case where there is money to be made, and cybercrime is no exception.

10
Q

Advanced persistent threats (APTs)

A

are highly skilled, well-resourced attackers, typically nation-state sponsored, who gain access to a target and then persist there quietly for a long period. The term originally described a series of attacks that investigators first traced to sources connected to the Chinese military.

11
Q

Zero-day attacks

A

Attacks that exploit vulnerabilities not yet known to the product vendor or the security community. Zero-day attacks are particularly dangerous because no patch or detection signature exists to correct them; until the vendor learns of the flaw, defenders can rely only on compensating controls such as least privilege, segmentation, and behavioral detection.

12
Q

Insider attacks

A

occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization.

13
Q

Shadow IT

A

occurs when individuals and groups inside an organization seek out their own technology solutions (cloud services, SaaS applications, devices, scripts) without the knowledge or approval of IT, leaving those systems unmanaged, unpatched, and outside normal security monitoring.

14
Q

Attacker Motivations:

A

-Data exfiltration
-Espionage
-Service disruption
-Blackmail
-Financial gain
-Philosophical/political belief
-Ethical attacks
-Revenge attacks
-Disruption/chaos
-War

15
Q

Data exfiltration

A

attacks are motivated by the desire to obtain sensitive or proprietary information, such as customer data or intellectual property.

16
Q

Espionage

A

attacks are motivated by organizations seeking to steal secret information from other organizations. This may come in the form of nation-states attacking each other or corporate espionage.

17
Q

Service disruption

A

attacks seek to take down or interrupt critical systems or networks, such as banking systems or health-care networks.

18
Q

Blackmail

A

attacks seek to extort money or other concessions from victims by threatening to release sensitive information or launch further attacks.

19
Q

Financial gain

A

attacks are motivated by the desire to make money through theft or fraud. Organized crime is generally motivated by financial gain, as are many other types of attackers.

20
Q

Philosophical/political belief

A

attacks are motivated by ideological or political reasons such as promoting a particular cause or ideology. Hacktivists are generally motivated by philosophical or political beliefs.

21
Q

Ethical attacks

A

or white-hat hacking are motivated by a desire to expose vulnerabilities and improve security. These attacks are often carried out by security researchers or ethical hackers with the permission of the organization being tested.

22
Q

Revenge attacks

A

are motivated by a desire to get even with an individual or organization by embarrassing them or exacting some other form of retribution against them.

23
Q

Disruption/chaos

A

attacks are motivated by a desire to cause chaos and disrupt normal operations.

24
Q

War

A

may also be a motivation for cyberattacks. Military units and civilian groups may use hacking in an attempt to disrupt military operations and change the outcome of an armed conflict.

25
Q

Threat actors

A

targeting an organization need some means to gain access to that organization’s information or systems.

26
Q

Attack Surfaces

A

The set of systems, applications, services, and interfaces exposed to an attacker, any of which may contain a vulnerability the attacker could exploit. Reducing the attack surface (disabling unneeded services and ports, removing unused software) is a core hardening goal.

27
Q

Threat vectors

A

are the means that threat actors use to obtain access to a target, such as email and other messages, wireless networks, individual systems, files, removable media, cloud services, and the supply chain.

28
Q

Message-based

A

attacks are carried out not only through email but through other communications mechanisms, such as text messages sent through Short Message Service (SMS) or instant messaging (IM) applications. Voice calls may also be used to conduct vishing (voice phishing) attacks.

29
Q

Message-Based Threat Vectors Examples

A

Email is one of the most commonly exploited threat vectors. Phishing messages, spam messages, and other email-borne attacks are simple ways to gain access to an organization’s network. Social media may be used as a threat vector in similar ways

30
Q

Wireless Networks

A

offer an even easier path onto an organization’s network, because an attacker within radio range needs no physical connection. Weak or shared pre-shared keys, open guest networks, and rogue access points all widen this path.

31
Q

Systems

A

individual systems may also serve as threat vectors depending on how they are configured and the software installed on them

32
Q

Files and Images

A

Individual files, including images, may also be threat vectors. An attacker may create a file that contains embedded malicious code and then trick a user into opening that file, activating the malware infection. These malicious files may be sent by email, stored on a file server, or placed in any other location where an unsuspecting user might be tempted to open it.

33
Q

Removable Devices

A

Attackers also commonly use removable media, such as USB drives, to spread malware and launch their attacks. An attacker might distribute inexpensive USB sticks in parking lots, airports, or other public areas, hoping that someone will find the device and plug it into their computer, curious to see what it contains. As soon as that happens, the device triggers a malware infection that silently compromises the finder’s computer and places it under the control of the attacker.

34
Q

Cloud

A

Cloud services can also be used as an attack vector. Attackers routinely scan popular cloud services for files with improper access controls, systems that have security flaws, or accidentally published API keys and passwords.

35
Q

Supply Chain

A

Sophisticated attackers may attempt to interfere with an organization’s IT supply chain, including hardware providers, software providers, and service providers. Attacking an organization’s vendors and suppliers provides an indirect mechanism to attack the organization itself.

36
Q

Indicators of compromise (IOCs)

A

These are the telltale signs that an attack has taken place and may include file signatures, log patterns, and other evidence left behind by attackers. IoCs may also be found in file and code repositories that offer threat intelligence information.

37
Q

Malware

A

describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.

38
Q

Ransomware

A

is malware that takes over a computer and then demands a ransom.

39
Q

Indicators of compromise (IoCs) for ransomware include, but are not limited to:

A

-Command and control (C&C) traffic and/or contact to known malicious IP addresses

-Use of legitimate tools in abnormal ways to retain control of the compromised system

-Lateral movement processes that seek to attack or gain information about other systems or devices inside the same trust boundaries

-Encryption of files

-Notices to end users of the encryption process with demands for ransom

-Data exfiltration behaviors, including large file transfers

40
Q

Trojan

A

or Trojan horses are a type of malware that is typically disguised as legitimate software

41
Q

Bots

A

connect to command and control (C&C) systems, allowing them to be updated, controlled, and managed remotely.

42
Q

Bots, Botnets, and Command and Control

A

Many types of malware use command and control (C&C) techniques and systems to allow attackers to tell them what to do. These groups of systems that are under central command are called botnets, and individual systems are called bots.

43
Q

Worms & Indicators of Compromise

A

are malware that spread themselves across networks via vulnerable services, email, or file shares, without requiring any user action.

Indicators of compromise:

-Known malicious files

-Downloads of additional components from remote systems

-Command and control contact to remote systems

-Malicious behaviors using system commands for injection and other activities, including use of cmd.exe, msiexec.exe, and others

-Hands-on-keyboard attacker activity

44
Q

Spyware & Indicators of Compromise

A

is malware that is designed to obtain information about an individual, organization, or system and send it back to the attacker.

Indicators of compromise:

-Remote-access and remote-control-related indicators

-Known software file fingerprints

-Malicious processes, often disguised as system processes

-Injection attacks against browsers

45
Q

Bloatware

A

describes unwanted applications preinstalled on systems by manufacturers or bundled with other software. It consumes resources and widens the attack surface, and is typically removed as part of hardening.

46
Q

Viruses & Examples

A

are malicious programs that self-copy and self-replicate once they are activated.

Examples:

Memory-resident viruses
Non-memory-resident viruses
Boot sector viruses
Macro viruses
Fileless viruses

47
Q

Memory-resident viruses

A

which remain resident in memory while the device’s operating system is running, rather than executing once and exiting

48
Q

Non-memory-resident viruses

A

which execute, spread, and then shut down

49
Q

Boot sector viruses

A

which reside inside the boot sector of a drive or storage media

50
Q

Macro viruses

A

which use macros or code inside word processing software or other tools to spread

51
Q

Email viruses

A

that spread via email either as email attachments or as part of the email itself using flaws inside email clients

52
Q

Fileless virus

A

They spread via methods like spam email and malicious websites and exploit flaws in browser plug-ins and web browsers themselves. Once they successfully find a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system via the same process at reboot through a Registry entry or other technique. At no point do they require local file storage, as they remain memory resident throughout their entire active life.

53
Q

Keyloggers

A

are programs that capture keystrokes from a keyboard, although keylogger applications may also capture other input such as mouse movement, touchscreen inputs, or credit card swipes from attached devices.

54
Q

Logic Bombs

A

unlike the other types of malware described here, are not independent malicious programs. They are malicious code embedded inside otherwise legitimate software that lies dormant until a trigger condition is met, such as a specific date or an event like the author’s account being removed from the payroll system.

55
Q

Rootkits

A

are malware specifically designed to maintain privileged (root-level) access to a system while hiding their own presence, typically by concealing processes, files, and network connections from the operating system and security tools, and by providing the attacker with a backdoor.

56
Q

Phishing

A

is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data.

57
Q

Smishing

A

phishing via SMS (text) messages. Relies on text messages as part of the phishing scam

58
Q

Vishing

A

phishing via telephone or phishing accomplished via voice or voicemail messages.

59
Q

Impersonation

A

Pretending to be someone else. It is a key tool in a social engineer’s toolkit and can be used for malicious purposes.

60
Q

Identity fraud

A

or identity theft is the use of someone else’s identity without authorization, typically to commit fraud.

61
Q

Business email compromise (BEC)

A

often called BEC, relies on using apparently legitimate email addresses to conduct scams and other attacks.

Methods:

-Using compromised accounts
-Sending spoofed emails
-Using common fake but similar domain techniques
-Using malware or other tools

62
Q

Pretexting

A

process of using a made-up scenario to justify why you are approaching an individual. _________ is often used as part of impersonation efforts to make the impersonator more believable.

63
Q

Watering Hole Attack

A

use websites that targets frequently visit in order to attack them. These frequently visited sites act like a watering hole for animals and allow the attackers to stage an attack, knowing that the victims will visit the site. Once they know what site their targets will use, attackers can focus on compromising it, either by targeting the site directly or by deploying malware through other means such as an advertising network.

64
Q

Brand Impersonation Attack (brand spoofing)

A

This common form of attack uses emails that are intended to appear to be from a legitimate brand relying on name recognition and even using email templates used by the brand itself.

65
Q

Typosquatting

A

use URLs that are misspelled or slightly off but similar to a legitimate site’s URL to conduct __________ attacks. __________ relies on the fact that people will mistype URLs and end up on the attacker’s site, thus driving ad traffic or even sometimes using the typo-based website to drive sales of similar but not legitimate products.

66
Q

Password Related Attack

A

-Brute-force attacks, which iterate through passwords until they find one that works.

-Password spraying attacks are a form of brute-force attack that attempts to use a single password or small set of passwords against many accounts.

-Dictionary attacks are yet another form of brute-force attack that uses a list of words for their attempts.

67
Q

SQL Injection Attack

A

attacker-supplied input is inserted into strings that are later passed to a SQL database server as part of a query, allowing the attacker to change the query’s logic, read or modify data, or bypass authentication. The standard defense is parameterized queries (prepared statements) rather than string concatenation.
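
The contrast between a string-built query and a parameterized one, as an added example that is not part of the flashcard set or any product, using Python’s standard-library sqlite3 module. The users table, the accounts in it, and the two payloads are constructed for the demonstration; passwords are stored in plaintext only to keep the example short, since a real application stores salted hashes.

```python
import sqlite3


def make_db():
    """Constructed sample database (hypothetical schema, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled strings are spliced straight into the SQL text, so
    quote characters and comment markers in the input rewrite the query."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameter binding: the query structure and the values travel separately,
    so the input is only ever treated as data, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Classic payloads (constructed). The first closes the string literal and
# appends a tautology that matches every row; the second terminates the
# statement with a SQL comment so the password clause is never evaluated.
TAUTOLOGY = "' OR '1'='1"
COMMENT_BYPASS = "alice'--"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology:", login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, comment:  ", login_vulnerable(conn, COMMENT_BYPASS, "wrong"))
    print("safe, tautology:      ", login_safe(conn, TAUTOLOGY, TAUTOLOGY))
    print("safe, comment:        ", login_safe(conn, COMMENT_BYPASS, "wrong"))
```

The tautology returns every account from the vulnerable function, and the comment payload logs in as alice without a password; the parameterized version returns nothing for either, because the driver never lets the quote or the `--` reach the SQL parser.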

68
Q

Legacy Platforms

A

Software vendors eventually discontinue support for every product they make. Platforms that stay in use after that point no longer receive security patches, so any newly discovered vulnerability in them remains exploitable indefinitely.

69
Q

Weak Configurations

A

Default settings that pose a security risk, such as administrative setup pages that are meant to be disabled before moving a system to production.

-default credentials or unsecured accounts, including both normal user accounts and unsecured root accounts with administrative privileges. Accounts may be considered unsecured when they either lack strong authentication or use default passwords.

-Open service ports that are not necessary to support normal system operations.

-Open permissions that allow users access that violates the principle of least privilege.

70
Q

Privilege escalation

A

uses hacking techniques to shift from the initial access gained by the attacker to more advanced privileges such as root access on the same system.

71
Q

Code Injection Attacks

A

These attacks seek to insert attacker-written code into the legitimate code created by a web application developer.

72
Q

Dynamically Linked Libraries (DLLs)

A

In a DLL injection attack, the attacker forces a running process to load a dynamically linked library containing malicious code, so that the code executes inside that process and with its privileges.

73
Q

Session Hijacking Attack

A

take a different approach by stealing an existing authenticated session. These attacks don’t require that the attacker gain access to the authentication mechanism; instead, they take over an already authenticated session with a website.

74
Q

Cookies

A

Most websites that require authentication manage user sessions using ______ managed in the user’s browser and transmitted as part of the HTTP header information provided by a website.

Ways an attacker might obtain a cookie:

-Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the user and the website.

-Installing malware on the user’s browser that retrieves cookies and transmits them back to the attacker.

-Engaging in an on-path attack, where the attacker fools the user into thinking that the attacker is actually the target website and presents a fake authentication form. The attacker may then authenticate to the real website on the user’s behalf and obtain the cookie.

75
Q

Pass the Hash Attack

A

is another form of replay attack that takes place against the operating system rather than a web application.

76
Q

Directory Traversal Attack

A

occurs when web servers allow the inclusion of operators that navigate directory paths (such as ../) in requested file names and filesystem access controls don’t properly restrict access to files stored elsewhere on the server, letting an attacker read files outside the web root.
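
A containment check for requested file paths, as an added example that is not from the flashcard set. It assumes a POSIX filesystem, a web root directory passed in as base_dir, and a request path that may arrive URL-encoded; the web root and its files are constructed in a temporary directory for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_base(base_dir, requested):
    """Map a client-supplied path to a file inside base_dir, or return None.

    Both sides are canonicalized with realpath so that '..' segments, redundant
    separators and symlinks are resolved *before* the containment test.
    """
    base = os.path.realpath(base_dir)
    # Decode exactly once: a double-encoded '%252e%252e' becomes the literal
    # directory name '%2e%2e', which is harmless rather than a traversal.
    rel = unquote(requested)
    # os.path.join discards base_dir when the second argument is absolute,
    # so strip leading separators before joining.
    rel = rel.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolved outside the web root
    return candidate


def serve_file(base_dir, requested):
    """Return the file's bytes, or None if the path escapes base_dir or is missing."""
    path = resolve_under_base(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def make_web_root():
    """Constructed layout: <tmp>/www/index.html is public, <tmp>/secret.txt is
    one level above the web root and must never be served."""
    top = tempfile.mkdtemp()
    root = os.path.join(top, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(top, "secret.txt"), "wb") as f:
        f.write(b"not for you")
    return root


if __name__ == "__main__":
    root = make_web_root()
    for req in ["index.html", "../secret.txt", "..%2Fsecret.txt", "/../secret.txt"]:
        print(repr(req), "->", serve_file(root, req))
```

The check compares canonical paths rather than looking for the literal string "..", so encoded, mixed-separator and symlink variants are all handled by the same test; rejecting on the pattern alone is the mistake that keeps traversal bugs alive.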

77
Q

Privilege Escalation Attack

A

seek to increase the level of access that an attacker has to a target system.

78
Q

Cross-Site Scripting (XSS) Attacks

A

occur when web applications allow an attacker to perform HTML injection, inserting their own HTML and script code into a web page that is then rendered in other users’ browsers.

79
Q

Reflected XSS (Input)

A

Reflected XSS occurs when an application echoes user-supplied input (for example a search term or URL parameter) back into the page without encoding it, so a crafted link delivers the attacker’s script to whoever clicks it.

80
Q

Stored/Persistent XSS

A

Stored XSS saves the cross-site scripting code on the web server itself, for example in a comment or profile field. These attacks are described as persistent because the payload remains on the server and fires for every visitor, even when the attacker isn’t actively waging an attack.

81
Q

Cross-Site Request Forgery (CSRF/XSRF) Attack

A

are similar to cross-site scripting attacks but exploit a different trust relationship. XSRF attacks exploit the trust that remote sites have in a user’s system to execute commands on the user’s behalf.
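
One standard defense, a per-session anti-forgery token, as an added example that is not from the flashcard set. It assumes a server-side secret, an unguessable session identifier carried in the session cookie, and a hypothetical handle_transfer endpoint; the session IDs and timestamps are constructed.

```python
import hashlib
import hmac
import secrets

# Per-deployment server secret (assumed; in practice loaded from a secrets store).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id, issued_at):
    """Mint a token bound to this session and stamped with its issue time.
    The token is embedded in the HTML form; an attacker's page cannot read it."""
    msg = f"{session_id}:{issued_at}".encode()
    return f"{issued_at}.{hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()}"


def verify_csrf_token(session_id, token, now, max_age=3600):
    """True only if the token was minted for this session and is not stale."""
    if not token or "." not in token:
        return False
    issued_at, mac = token.split(".", 1)
    if not issued_at.isdigit():
        return False
    msg = f"{session_id}:{issued_at}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False
    return 0 <= now - int(issued_at) <= max_age


def handle_transfer(session_cookie, form_fields, now):
    """A state-changing endpoint. The browser attaches the session cookie to
    *every* request, including ones an attacker's page triggers, so the token
    is what proves the request originated from our own form."""
    if not verify_csrf_token(session_cookie, form_fields.get("csrf_token"), now):
        return "403 forbidden: missing or invalid CSRF token"
    return f"200 transferred {form_fields['amount']} to {form_fields['to']}"


if __name__ == "__main__":
    victim, t0 = "sess-victim-8f2a", 1_700_000_000
    token = issue_csrf_token(victim, t0)
    print(handle_transfer(victim, {"to": "alice", "amount": "10", "csrf_token": token}, t0 + 60))
    # Cross-site form: the cookie rides along, but the attacker never saw the token.
    print(handle_transfer(victim, {"to": "attacker", "amount": "9999"}, t0 + 60))
```

Binding the token to the session (not just to the secret) means a token the attacker obtained for their own session is useless against the victim’s; the age check limits replay of a leaked token. SameSite cookies are a complementary control, not a replacement.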

82
Q

Buffer Overflows Attack

A

occur when an attacker supplies more data to a program than the memory area (buffer) allocated for it can hold, so the excess overwrites adjacent memory. By overwriting control data such as a return address or function pointer, the attacker can make the vulnerable program execute attacker-supplied instructions.

83
Q

Memory Injection

A

technique of maliciously inserting information into memory.

84
Q

Race Conditions

A

the security of a code segment depends upon the sequence of events occurring within the system

85
Q

Time-of-Check-to-Time-of-Use (TOCTTOU or TOC/TOU)

A

is a type of race condition that occurs when a program checks access permissions too far ahead of a resource request.
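
A check-then-use race beside its fix, as an added example that is not from the flashcard set. It assumes a POSIX system (O_NOFOLLOW) and simulates the attacker winning the race with a callback, since a real race depends on timing; the files and directory are constructed in a temporary location.

```python
import os
import stat
import tempfile


def read_regular_file_racy(path, race_hook=None):
    """Check-then-use: lstat the *name*, then open the *name* again.
    Whatever changes on the filesystem between the two calls (simulated here
    by race_hook) is invisible to the check that already passed."""
    if not stat.S_ISREG(os.lstat(path).st_mode):
        return None
    if race_hook:
        race_hook()  # the attacker wins the race in this window
    with open(path, "rb") as f:
        return f.read()


def read_regular_file_safe(path, race_hook=None):
    """Open first with O_NOFOLLOW, then validate the object actually opened via
    fstat on the descriptor. Check and use refer to the same open file, not to
    a name that can be swapped underneath us."""
    if race_hook:
        race_hook()  # attacker acts before the open; it no longer helps them
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:  # ELOOP when the path is a symlink, ENOENT, EACCES, ...
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        return os.read(fd, 1 << 20)
    finally:
        os.close(fd)


def run_scenario(reader, attack=True):
    """Constructed layout: 'public' is a harmless regular file the program may
    read; 'secret' is not. With attack=True the attacker replaces 'public' with
    a symlink to 'secret' inside the check/use window."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "secret")
    public = os.path.join(d, "public")
    with open(secret, "wb") as f:
        f.write(b"TOP SECRET")
    with open(public, "wb") as f:
        f.write(b"harmless")

    def attacker_swaps_file_for_symlink():
        os.remove(public)
        os.symlink(secret, public)

    hook = attacker_swaps_file_for_symlink if attack else None
    return reader(public, race_hook=hook)


if __name__ == "__main__":
    print("racy reader under attack:", run_scenario(read_regular_file_racy))
    print("safe reader under attack:", run_scenario(read_regular_file_safe))
```

The racy version leaks the secret because the permission decision was made about a name, and names are not stable; the safe version decides about a file descriptor, which is. The same pattern (open or lock first, then inspect what you actually got) applies to temp files, privilege drops and any other check-then-act sequence.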

86
Q

Collisions

A

Cases where a hash function produces the same output value for two different inputs.

87
Q

Birthday attacks-This is an attack on cryptographic hashes

A

based on the birthday paradox: finding any two inputs that share a hash value (a collision) takes only about 2^(n/2) attempts for an n-bit hash, far fewer than the roughly 2^n attempts needed to match one specific hash value. This is why a hash’s output length must be about twice the security level it is meant to provide.
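
The birthday bound made concrete, as an added example that is not from the flashcard set: SHA-256 truncated to a small number of bits stands in for a weak hash, and the search is the generic birthday attack, not any published attack on a real hash function. The message format is an assumption.

```python
import hashlib
import math


def truncated_sha256(data, bits):
    """The top `bits` bits of SHA-256, standing in for a short hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def expected_birthday_tries(bits):
    """Expected number of inputs before the first collision: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits, max_tries=1 << 24):
    """Hash distinct inputs, remember every value seen, stop at the first repeat.
    Returns (input_a, input_b, tries) or None. Inputs are deterministic so the
    run is reproducible; memory is the price of the attack (one entry per try)."""
    seen = {}
    for i in range(max_tries):
        msg = b"message-%d" % i
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def find_second_preimage(target, bits, max_tries):
    """For contrast: matching one *fixed* hash value has no birthday shortcut
    and needs on the order of 2^bits tries."""
    for i in range(max_tries):
        msg = b"other-%d" % i
        if truncated_sha256(msg, bits) == target:
            return msg, i + 1
    return None


if __name__ == "__main__":
    bits = 24
    a, b, tries = find_collision(bits)
    print(f"{bits}-bit collision after {tries} tries "
          f"(expected ~{expected_birthday_tries(bits):.0f}, brute force ~{2 ** bits})")
    print(a, b, hex(truncated_sha256(a, bits)))
```

At 24 bits the collision turns up after a few thousand hashes, against 16.7 million for a targeted search; at 256 bits the same ratio is 2^128 versus 2^256, which is the margin a full-length hash buys you.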

88
Q

Downgrade Attack

A

is sometimes used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes.

89
Q

Sensors

A

are another way to provide security monitoring. Physical sensors such as infrared, pressure, microwave, and ultrasonic sensors detect motion or presence in a protected area and alert security staff.

90
Q

Detecting Physical Attacks

A

-Brute-force attacks, which include breaking down doors, cutting off locks, or other examples of the simple application of force or determination to gain physical entry.

-Radio frequency identification (RFID) cloning attacks work by cloning an RFID tag or card.

-Environmental attacks include attacks like targeting an organization’s heating and cooling systems, maliciously activating a sprinkler system, and similar actions.

91
Q

Virtual machines

A

are the basic building block of compute capacity in the cloud.

92
Q

Virtual machine (VM) escape

A

vulnerabilities allow code running inside a guest virtual machine to break out and access the hypervisor or other guests. They are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels.

93
Q

Resource reuse

A

occurs when cloud providers take hardware resources that were originally assigned to one customer and reassign them to another customer. If the data was not properly removed from that hardware, the new customer may inadvertently gain access to data belonging to another customer.

94
Q

Firmware

A

is the embedded software that allows devices to function.

95
Q

End-of-life or legacy

A

hardware drives concerns around lack of support. Once a device or system has reached end-of-life, it will typically also reach the end of its support from the manufacturer.

96
Q

End of sales

A

The last date on which a specific model or device will be sold, although devices often remain in the supply chain through resellers for a period of time.

97
Q

End of life

A

While the equipment or device is no longer sold, it remains supported. End-of-life equipment should typically be on a path to retirement, but it has some usable lifespan left.

98
Q

End of support

A

the last date on which the vendor will provide support and/or updates.

99
Q

Legacy

A

This term is less well defined but typically is used to describe hardware, software, or devices that are unsupported.

100
Q

Allow Lists

A

_____ list tools allow you to build a list of software, applications, and other system components that are allowed to exist and run on a system. If they are not on the list, they will be removed or disabled, or they will not be able to be installed. (sometimes referred to as whitelisting)

101
Q

Endpoint Detection and Response (EDR)

A

systems provide monitoring, detection, and response capabilities for systems. EDR systems capture data from endpoints and send it to a central repository, where it can be analyzed for issues and indicators of compromise or used for incident response activities.

102
Q

Deny Lists

A

Block lists, or _____ lists, are lists of software or applications that cannot be installed or run, rather than a list of what is allowed. (sometimes referred to as blacklists)

103
Q

Host-based intrusion prevention system (HIPS)

A

analyzes traffic before services or applications on the host process it.

104
Q

Hardening A System

A

or application involves changing settings on the system to increase its overall level of security and reduce its vulnerability to attack.

105
Q

Open ports and services

A

One of the fastest ways to decrease the attack surface of a system is to reduce the number of _________ that it provides by disabling ports and protocols. After all, if attackers cannot connect to the system remotely, they’ll have a much harder time exploiting the system directly.

106
Q

Removing Unnecessary Software

A

removing software that isn’t needed removes the potential for a disabled tool to be reenabled. It also reduces the amount of patching and monitoring that will be required for the system.

107
Q

Default Passwords

A

Changing default passwords is a common hardening practice and should be a default practice for any organization.

108
Q

Configuration Enforcement

A

a process that not only monitors for changes but makes changes to system configurations as needed to ensure that the configuration remains in its desired state.

109
Q

Patching

A

Ensuring that systems and software are up to date helps ensure endpoint security by removing known vulnerabilities.

110
Q

Full-disk encryption (FDE)

A

encrypts the disk and requires that the bootloader or a hardware device provide a decryption key and software or hardware to decrypt the drive for use.

111
Q

Decommissioning

A

is the process of removing systems and devices from service when they reach the end of their useful life cycle, including securely wiping or destroying storage media so that sensitive data does not leave with the hardware.

112
Q

Defense in Depth

A

Security designs built in layers, with multiple overlapping controls, so that a failure in a single control, or even in multiple controls, is unlikely to cause a security breach.

113
Q

Access control lists (ACLs)

A

are rules that either permit or deny actions.

114
Q

On-path Attack (or Man-in-the-middle (MitM))

A

attack occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls.

115
Q

SSL Stripping

A

an on-path attack that downgrades a connection from HTTPS to plain HTTP: the attacker keeps an encrypted session with the server while serving the victim unencrypted pages, so the attacker can read and modify traffic that was intended for a trusted endpoint. The name predates TLS; modern implementations strip TLS rather than SSL.

116
Q

Browser-Based On-Path attack (or man-in-the-browser MitB or MiB)

A

This attack relies on a Trojan (often a malicious browser extension or code injected into the browser process) that sits inside the user’s browser, where it can read and alter pages and transactions after TLS decryption and before the user sees them.

117
Q

Domain hijacking

A

changes the registration of a domain, either through technical means like a vulnerability with a domain registrar or control of a system belonging to an authorized user, or through nontechnical means such as social engineering.

118
Q

DNS poisoning

A

Ways:

-One form is a variant of the on-path attack, where an attacker provides a DNS response while pretending to be an authoritative DNS server. Vulnerabilities in DNS protocols or implementations can also permit DNS poisoning, but they are rarer.

-DNS poisoning can also involve poisoning the DNS cache on systems.

119
Q

URL redirection

A

When domain hijacking isn’t possible and DNS cannot be poisoned, another option for attackers is ________. ________ can take many forms, depending on the vulnerability that attackers leverage, but one of the most common is to insert alternate IP addresses into a system’s hosts file.

120
Q

Distributed Denial of Service (DDoS)

A

A denial-of-service attack conducted from multiple locations, networks, or systems (commonly a botnet), making it difficult to stop and hard to trace. Denial-of-service attacks either consume resources such as bandwidth, CPU, memory, or connection tables, or target specific services to cause them to fail.

121
Q

Sideloading

A

is the process of transferring files to a mobile device, typically via a USB connection, a MicroSD card, or via Bluetooth in order to install applications outside of the official application store.

122
Q

Jailbreaking

A

takes advantage of vulnerabilities or other weaknesses in a mobile device’s operating system to conduct a privilege escalation attack and root the system, providing the user with more access than is typically allowed.

123
Q

Account lockout

A

As an indicator of compromise, account lockouts are often due to brute-force login attempts or repeated incorrect passwords used by attackers.

124
Q

Concurrent session usage

A

is an indicator when users aren’t likely to use concurrent sessions. If a user is connected from more than one system or device, particularly when the second device is in an unexpected or uncommon location or the application is one that isn’t typically used on multiple devices at once, this can be a strong indicator that something is not right.

125
Q

Blocked content

A

is content that the organization has blocked, often via a DNS filter or other tool that prohibits domains, IP addresses, or types of content from being viewed or accessed. If this occurs, it may be because a malicious actor or malware is attempting to access the resource.

126
Q

Impossible travel

A

which involves a user connecting from two locations that are far enough apart that the time between the connections makes the travel impossible to have occurred, typically indicates that someone else has access to the user’s credentials or devices.
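
Detection logic for these indicators over a constructed authentication log, as an added example that is not part of the flashcard set; it serves both the password spraying entry on the password attack card (#66) and the concurrent-session and impossible-travel cards here. The log format, the geo-IP coordinates attached to each login, and the thresholds are assumptions; the IP addresses are RFC 5737 documentation ranges.

```python
import csv
import io
import math
from collections import defaultdict
from datetime import datetime

# Constructed authentication log. Geo-IP enrichment (lat/lon) is assumed to
# have been added upstream; failures carry 0,0 because it is not needed there.
SAMPLE_LOG = """\
timestamp,user,src_ip,result,lat,lon
2024-05-01T08:00:00Z,alice,203.0.113.10,success,51.5074,-0.1278
2024-05-01T08:30:00Z,alice,198.51.100.7,success,40.7128,-74.0060
2024-05-01T09:00:00Z,bob,203.0.113.22,success,51.5074,-0.1278
2024-05-01T13:00:00Z,bob,203.0.113.23,success,48.8566,2.3522
2024-05-01T09:01:00Z,bob,192.0.2.5,failure,0,0
2024-05-01T09:01:10Z,carol,192.0.2.5,failure,0,0
2024-05-01T09:01:20Z,dave,192.0.2.5,failure,0,0
2024-05-01T09:01:30Z,erin,192.0.2.5,failure,0,0
2024-05-01T09:01:40Z,frank,192.0.2.5,failure,0,0
2024-05-01T09:05:00Z,carol,203.0.113.40,failure,0,0
2024-05-01T09:05:20Z,carol,203.0.113.40,failure,0,0
2024-05-01T09:05:40Z,carol,203.0.113.40,success,51.5074,-0.1278
"""


def parse_log(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
        r["lat"], r["lon"] = float(r["lat"]), float(r["lon"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])  # logs rarely arrive in order


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of Earth's radius."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_password_spraying(rows, window_s=600, min_accounts=5):
    """Spray signature: one source failing against many *distinct* accounts in a
    short window. A brute force against a single account looks different (many
    failures, one user) and is what lockout policies already catch."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["result"] == "failure":
            by_ip[r["src_ip"]].append(r)
    flagged = set()
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):
            in_window = [f for f in fails[i:] if (f["ts"] - start["ts"]).total_seconds() <= window_s]
            if len({f["user"] for f in in_window}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def detect_impossible_travel(rows, max_kmh=900.0, min_km=50.0):
    """Consecutive successful logins by one user whose implied speed exceeds
    max_kmh. min_km absorbs geo-IP jitter inside a single city; a zero time
    gap between distant logins is treated as infinite speed."""
    last = {}
    flagged = set()
    for r in rows:
        if r["result"] != "success":
            continue
        prev = last.get(r["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
            hours = (r["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > min_km and speed > max_kmh:
                flagged.add((r["user"], prev["src_ip"], r["src_ip"]))
        last[r["user"]] = r
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_password_spraying(rows))
    print("impossible travel:", detect_impossible_travel(rows))
```

In the sample, 192.0.2.5 fails against five accounts in forty seconds (a spray), while carol’s two failures from one address are a user mistyping; alice logging in from London and then New York thirty minutes later implies about 11,000 km/h and is flagged, while bob’s London-to-Paris pair four hours apart is ordinary travel. The same pair of successful sessions is also what the concurrent-session card describes.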

127
Q

Resource consumption

A

like filling up a disk or using more bandwidth than usual for uploads or downloads, can be an indicator of compromise. Unlike some of the other IoCs here, this one often requires other actions to become concerning unless it is much higher than usual.

128
Q

Resource inaccessibility

A

can indicate that something unexpected is happening. If a resource like a system, file, or service isn’t available, identifying the underlying cause and ensuring that the cause isn’t malicious can be important.

129
Q

Missing logs

A

may indicate that an attacker has wiped the logs to attempt to hide their actions. This is one reason that many organizations centralize their log collection so that a protected system will retain logs even if they are wiped on a server or workstation.

130
Q

Published/Documented

A

describes indicators that have been discovered and published or documented.

131
Q

Least Privilege

A

individuals should be granted only the minimum set of permissions necessary to carry out their job functions.

132
Q

Out-of-cycle logging

A

occurs when an event that normally happens at a set time or on a set cycle occurs at an unusual time. This might be a worker who normally works 9 to 5 logging in at 2 a.m., or a cleanup process that normally runs once a week being activated on an unscheduled day.