Definitions Flashcards

1
Q

Phishing

A

Social engineering with a touch of spoofing, used to collect access credentials.

2
Q

Prepending

A

The error is at the beginning of the URL, e.g. theverge.com vs. ttheverge.com.

3
Q

Pharming

A

Redirecting a legitimate site to a bogus site, via a poisoned DNS server or client vulnerabilities. Harvests large groups of people. RARE, and hard for anti-malware to stop.

4
Q

SPIM

A

SPAM via instant messaging

5
Q

watering hole

A

Infect a third-party website that the employees you want to target visit, so you can collect their information from that hacked third-party site. Used against well-trained employees who won’t click on phishing emails or open attachments.

6
Q

tarpitting

A

Slowing down a server on purpose to make it harder and more annoying for spammers to send messages. It also slows their servers down, so they would rather just go bother someone else.

7
Q

viruses

A
  1. Malware that can reproduce itself.
  2. It requires you to execute a program.
  3. Reproduces through file system or the network.
  4. May or may not cause problems.
8
Q

Program virus

A
  1. Part of an application
9
Q

Boot sector virus

A
  1. Lives in the boot sector of the drive. When you start the OS, the virus is activated.
10
Q

Script virus

A

OS and browser-based

11
Q

Macro virus

A

Common in MS Office

12
Q

Fileless virus

A

Operates in RAM, can avoid antivirus software since it is not written to the storage drive. Can auto-start each time you boot your computer.

13
Q

Worm

A
  1. Type of virus that doesn’t need any user intervention.
  2. Moves from system to system without user intervention.
  3. Once ID’d and a signature created, it can be stopped at the firewall or the IPS.
14
Q

Trojan

A
  1. Pretends to be something else and looks like normal software.
  2. Can disable your security tools.
  3. Can configure backdoors or download additional malware to install on your system.
15
Q

PUP

A

Potentially Unwanted Program - may not be malicious, but could be undesirable and may cause performance problems on your computer. (toolbar, backup utility with tons of ads, etc)

16
Q

Remote Access Trojan (RAT)

A

Also called a Remote Administration Tool. The ultimate backdoor: can take pretty much full control of your system.

17
Q

Rootkits

A

Modify core system files; you won’t see it in Task Manager. Invisible to traditional anti-virus utilities.

18
Q

Spyware

A

Can have keyloggers

19
Q

Bots (Botnet)

A

Usually get on your computer through an OS or application vulnerability. Relay spam, proxy network traffic, distributed computing tasks. Can be for sale creating DDoS as a service in itself!

20
Q

Logic bomb

A

Occurs when a separate event is triggered (usually a time bomb), but could be from placing something in a folder, or even just turning off the computer.

21
Q

Logic bombs follow a particular signature so it’s easy to identify

A

FALSE

22
Q

How to prevent logic bombs

A
  1. Have formal change control processes and procedures
  2. Electronic monitoring that scans for specific changes. (tripwire)
23
Q

hashed passwords

A

The cryptographic algorithm cannot be reversed. Best way to store passwords. The hash algorithm is different across OSes and applications.

24
Q

spraying attack

A

When someone uses the top common passwords to try to break into an account. If they don’t succeed after 3 tries, they just move on to the next potential victim. This avoids any alerts, lockouts, etc.

25
Q

Dictionary attacks

A

Discovers passwords by trying common words.

26
Q

Rainbow tables

A

Contains a massive number of hashes. Pre-calculated hash chains. Much faster, especially with longer password lengths. Specific to an app or OS.

27
Q

Salt

A

Little bit of extra random data added to the password before it is hashed. If two users happen to be using exactly the same password, the hash that’s stored in the password table is going to be different.

28
Q

Rainbow tables will not work on _______ passwords

A

salted

29
Q

Card cloning

A

Can only be done with magnetic stripe cards. The chip can’t be cloned!

30
Q

downgrade attack

A

if you can sit in the middle and influence that conversation, you could have the two sides downgrade to a type of encryption that might be very easy to break.

31
Q

Data execution prevention

A

only data in executable areas can run.

32
Q

address space layout randomization (ASLR)

A

A technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

33
Q

XSS Cross site scripting

A

Information from 1 site could be shared with another.

34
Q

Non-persistent (reflected) XSS attack

A

The website allows scripts to run in user input (search boxes). The script is embedded in a URL, usually delivered through a phishing email targeting a single person.

35
Q

Persistent (stored) XSS attack

A

Attacker posts a message on a forum with malicious payload. Not a specific target, everyone who visits gets it.

36
Q

Injection attack types

A
  1. SQL injection
  2. XML injection - XML is a set of rules for data transfer and storage between 2 kinds of devices.
  3. LDAP injection - LDAP used for storing info about authentication such as usernames, passwords, and other info about devices/users.
  4. DLL injection - a way to execute some code into an application to have that application execute the code for us.
37
Q

Buffer overflow

A

Overwriting a buffer of memory so that it spills over into other memory areas. Can be exploited to make a program behave in a particular way. Could also crash the program. “EXCESSIVE” example in notes.

38
Q

Cross-site request forgery

A

XSRF, CSRF - takes advantage of the trust that a web app has for the user. Requests are made without your consent or your knowledge. The application should have anti-forgery techniques added.

39
Q

Server side request forgery (SSRF)

A

SSRF: a vulnerable web server performs a request on behalf of the attacker.

40
Q

Shimming

A

filling the space between 2 objects (wood shim for a door and a wall). Windows has its own shim for backwards compatibility with previous versions of Windows for apps that need to run on a previous version. Malware authors write their own shims.

41
Q

Refactoring

A

Metamorphic malware acts like a different program each time it’s downloaded. NOP (no-op, does nothing) instructions, loops, or pointless code strings make it look different and prevent antivirus/antimalware signatures from catching it.

42
Q

POODLE attack

A

Forces a downgrade in encryption: forces the client to fall back to SSL 3.0.

43
Q

Race conditions (TOCTOU)

A

When a program checks access permissions too far in advance of a resource request. (Ex: a person might have permissions cached in his active session until logged out, so if a permission is removed while he is still logged in, he keeps those permissions until he logs out.)

44
Q

What are some memory vulnerabilities?

A
  1. Memory leak - unused memory not properly released. Can lead to DoS.
  2. NULL pointer dereference - the program references a portion of memory that points to nothing instead of the proper data. Can crash the application.
  3. Integer overflow - larger number into a smaller space.
45
Q

What is directory traversal?

A

Read files from a web server that are outside of the website’s file directory. Shouldn’t be able to browse the WINDOWS folder. Could be a software vulnerability.

46
Q

API attacks

A

Similar to an HTTP request: an application programming interface call goes to the web server and might reach the database.

47
Q

What are 3 types of Resource exhaustion?

A
  1. Special DoS attack - 1 device on low bandwidth might be all that is needed.
  2. ZIP bomb - a 42kb .zip file might be uncompressed to 4,500 terabytes! Easy for anti-virus to find these.
  3. DHCP starvation - a single device cycles through lots of MAC addresses to try and assign IPs. Can be slowed down or stopped with switch configurations to limit the rate of DHCP requests.
48
Q

802.1X (Network Access Control)

A

You must authenticate to log in, regardless of connection type (like at work).

49
Q

Bluejacking

A

sending unsolicited messages to another device via Bluetooth

50
Q

Bluesnarfing

A

access a bluetooth-enabled device and transfer data - serious security issue.

51
Q

What is protected against disassociation attacks with 802.11w?

A

Disassociate, deauthenticate, channel switch announcements, etc.

52
Q

What is NOT protected against disassociation attacks with 802.11w? In other words, what data is still sent in the clear?

A

beacons, probes, authentication, association

53
Q

cryptographic nonce

A

A random number that can’t be easily guessed. Initialization vectors are a type of nonce.

54
Q

ON-path network attack

A

have to be on same network as the victim. Much harder to do. Data transfers still encrypted so attacker can’t see login credentials.

55
Q

On path browser attack

A

You are on the same computer as the victim. All data can be seen in the clear.

56
Q

MAC flooding

A

The MAC table is only so big
  • Attacker starts sending traffic with different source MAC addresses
    – Force out the legitimate MAC addresses
  • The table fills up
    – Switch begins flooding traffic to all interfaces
  • This effectively turns the switch into a hub
    – All traffic is transmitted to all interfaces
    – No interruption in traffic flows
  • Attacker can easily capture all network traffic!

57
Q

MAC cloning

A

An attacker changes their MAC address to match the MAC address of an existing device
  – A clone / a spoof
  • Circumvent filters
    – Wireless or wired MAC filters
    – Identify a valid MAC address and copy it
  • Create a DoS
    – Disrupt communication to the legitimate MAC

58
Q

DNS poisoning

A
  • Modify the DNS server
    – Requires some crafty hacking
  • Modify the client hosts file
    – The hosts file takes precedence over DNS queries
  • Send a fake response to a valid DNS request
    – Requires a redirection of the original request or the resulting response
59
Q

Domain hijacking

A
  • Get access to the domain registration, and you have control where the traffic flows
    – You don’t need to touch the actual servers
    – Determines the DNS names and DNS IP addresses
  • Many ways to get into the account
    – Brute force
    – Social engineer the password
    – Gain access to the email address that manages the account
    – The usual things
60
Q

URL hijacking

A

  • Sell the badly spelled domain to the actual owner
    – Sell a mistake
  • Redirect to a competitor
    – Not as common, legal issues
  • Phishing site
    – Looks like the real site, please login
  • Infect with a drive-by download
    – You’ve got malware!

61
Q

DDoS amplification

A
  • Turn your small attack into a big attack
    – Often reflected off another device or service
  • An increasingly common DDoS technique
    – Turn Internet services against the victim
  • Uses protocols with little (if any) authentication or checks
    – NTP, DNS, ICMP
    – A common example of protocol abuse
62
Q

Application DoS

A
  • Make the application break or work harder
    – Increase downtime and costs
  • Fill the disk space
    – A 42 kilobyte .zip compressed file
    – Uncompresses to 4.5 petabytes (4,500 terabytes)
    – Anti-virus will identify these
  • Overuse a measured cloud resource
    – More CPU/memory/network is more money
  • Increase the cloud server response time
    – Victim deploys a new application instance - repeat
63
Q

Operational Technology (OT) DoS

A
  • The hardware and software for industrial equipment
    – Electric grids, traffic control, manufacturing plants, etc.
  • This is more than a web server failing
    – Power grid drops offline
    – All traffic lights are green
    – Manufacturing plant shuts down
  • Requires a different approach
    – A much more critical security posture
64
Q

Windows PowerShell

A
  • Command line for system administrators
    – .ps1 file extension
    – Included with Windows 8/8.1 and 10
  • Extend command-line functions
    – Uses cmdlets (command-lets)
    – PowerShell scripts and functions
    – Standalone executables
  • Attack Windows systems
    – System administration
    – Active Directory administration
    – File share access
65
Q

Python

A
  • General-purpose scripting language
    – .py file extension
  • Popular in many technologies
    – Broad appeal and support
  • Commonly used for cloud orchestration
    – Create and tear down application instances
  • Attack the infrastructure
    – Routers, servers, switches
66
Q

Shell script

A
  • Scripting the Unix/Linux shell
    – Automate and extend the command line
    – Bash, Bourne, Korn, C
  • Starts with a shebang or hash-bang #!
    – Often has a .sh file extension
  • Attack the Linux/Unix environment
    – Web, database, virtualization servers
  • Control the OS from the command line
    – Malware has a lot of options
67
Q

Visual Basic for Applications (VBA)

A
  • Automates processes within Windows applications
    – Common in Microsoft Office
  • A powerful programming language
    – Interacts with the operating system
  • CVE-2010-0815 / MS10-031
    – VBA does not properly search for ActiveX controls in a document
    – Run arbitrary code embedded in a document
    – Easy to infect a computer
68
Q

Shadow IT

A

Going rogue
– Working around the internal IT organization
* Information Technology can put up roadblocks
– Shadow IT is unencumbered
– Use the cloud
– Might also be able to innovate
* Not always a good thing
– Wasted time and money
– Security risks
– Compliance issues
– Dysfunctional organization

70
Q

Direct access attack vectors

A
  • There’s a reason we lock the data center
    – Physical access to a system is a significant attack vector
  • Modify the operating system
    – Reset the administrator password in a few minutes
  • Attach a keylogger
    – Collect usernames and passwords
  • Transfer files
    – Take it with you
  • Denial of service
    – This power cable is in the way
71
Q

Wireless attack vectors

A
  • Default login credentials
  • Modify the access point configuration
  • Rogue access point
  • A less-secure entry point to the network
  • Evil twin
  • Attacker collects authentication details
  • On-path attacks
  • Protocol vulnerabilities
  • 2017 - WPA2 Key Reinstallation Attack (KRACK)
  • Older encryption protocols (WEP, WPA)
    – WPA-2 or later on wireless networks is the standard.
72
Q

Supply chain attack vectors

A
  • Tamper with the underlying infrastructure
    – Or manufacturing process
  • Gain access to a network using a vendor
    – 2013 Target credit card breach
  • Malware can modify the manufacturing process
    – 2010 - Stuxnet disrupts Iran’s uranium enrichment program
  • Counterfeit networking equipment
    – Install backdoors, substandard performance and availability
    – 2020 - Fake Cisco Catalyst 2960-X and WS-2960X-48TS-L
73
Q

Vulnerability databases

A
  • Common Vulnerabilities and Exposures (CVE)
    – A community managed list of vulnerabilities
    – Sponsored by the U.S. Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA)
  • U.S. National Vulnerability Database (NVD)
    – A summary of CVEs
    – Also sponsored by DHS and CISA
  • NVD provides additional details over the CVE list
    – Patch availability and severity scoring
74
Q

Cyber Threat Alliance (CTA)

A

  – Members upload specifically formatted threat intelligence
  – CTA scores each submission and validates across other submissions
  – Other members can extract the validated data

75
Q

Automated indicator sharing (AIS)

A
  • Intelligence industry needs a standard way to share important threat data
    – Share information freely
  • Structured Threat Information eXpression (STIX)
    – Describes cyber threat information
    – Includes motivations, abilities, capabilities, and response information
  • Trusted Automated eXchange of Indicator Information (TAXII)
76
Q

Indicators of compromise (IOC)

A
  • An event that indicates an intrusion
    – Confidence is high
    – He’s calling from inside the house
  • Indicators
    – Unusual amount of network activity
    – Change to file hash values
    – Irregular international traffic
    – Changes to DNS data
    – Uncommon login patterns
    – Spikes of read requests to certain files
77
Q

Vulnerability feeds

A
  • Automated vulnerability notifications
  • National Vulnerability Database (https://nvd.nist.gov)
  • CVE Data Feeds (https://cve.mitre.org)
  • Third-party feeds
  • Additional vulnerability coverage
  • Roll-up to a vulnerability management system
  • Coverage across teams
  • Consolidated view of security issues
78
Q

Request for comments (RFC)

A
  • Published by the Internet Society (ISOC)
    – Often written by the Internet Engineering Task Force (IETF)
    – Internet Society description is RFC 1602
  • Not all RFCs are standards documents
    – Experimental, Best Current Practice, Standards Track, and Historic
  • Many informational RFCs analyze threats
    – RFC 3833 - Threat Analysis of the Domain Name System
    – RFC 7624 - Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement
79
Q

TTP

A
  • Tactics, techniques, and procedures
    – What are adversaries doing and how are they doing it?
  • Search through data and networks
    – Proactively look for threats
    – Signatures and firewall rules can’t catch everything
80
Q

Unsecured root accounts

A
  • The Linux root account
    – The Administrator or superuser account
  • Can be a misconfiguration
    – Intentionally configuring an easy-to-hack password
    – 123456, ninja, football
  • Disable direct login to the root account
    – Use the su or sudo option
  • Protect accounts with root or administrator access
    – There should not be a lot of these
81
Q

Weak encryption

A
  • Encryption protocol (AES, 3DES, etc.)
    – Length of the encryption key (40 bits, 128 bits, 256 bits, etc.)
    – Hash used for the integrity check (SHA, MD5, etc.)
    – Wireless encryption (WEP, WPA)
  • Some cipher suites are easier to break than others
    – Stay updated with the latest best practices
  • TLS is one of the most common issues: over 300 cipher suites
  • Which are good and which are bad?
    – Weak or null encryption (less than 128 bit key sizes), outdated hashes (MD5)
82
Q

Insecure protocols

A
  • Some protocols aren’t encrypted
    – All traffic sent in the clear - Telnet, FTP, SMTP, IMAP
  • Verify with a packet capture
    – View everything sent over the network
  • Use the encrypted versions - SSH, SFTP, IMAPS, etc.
83
Q

Outsourced code development

A
  • Accessing the code base
    – Internal access over a VPN
    – Cloud-based access
  • Verify security to other systems
    – The development systems should be isolated: production services should be on a separate, isolated part of the network, and the development team should not have access to production
  • Test the code security
    – Check for backdoors
    – Validate data protection and encryption
84
Q

Non-intrusive scans

A

Gather information, don’t try to exploit a vulnerability

85
Q

Non-credentialed scans
  – The scanner can’t log in to the remote device

Credentialed scan
  – You’re a normal user, emulates an insider attack

A

Think of this as someone who is out on the internet, who doesn’t have any access to your network, & this would be a scan run from their perspective. But of course, there is the perspective of someone who is on the inside of your network & trying to exploit a system. So you might want to run these types of vulnerability scans as a user who has rights & permissions to log in. This is a credential scan & it’s a way to tell how much of a vulnerability might exist if you were someone who had a little bit of access to these systems.

86
Q

SIEM

A

Security Information and Event Management
  – Logging of security events and information
  • Log collection of security alerts
    – Real-time information
  • Log aggregation and long-term storage
    – Usually includes advanced reporting features
  • Data correlation
    – Link diverse data types
  • Forensic analysis
    – Gather details after an event

87
Q

Syslog

A

Standard for message logging
  – Diverse systems, consolidated log
  • Usually a central log collector
    – Integrated into the SIEM
  • You’re going to need a lot of disk space
    – No, more. More than that.
    – Data storage from many devices over an extended timeframe

88
Q

What is collected in SIEM data?

A

Data inputs
  – Server authentication attempts
  – VPN connections
  – Firewall session logs
  – Denied outbound traffic flows
  – Network utilizations

Packet captures
  – Network packets
  – Often associated with a critical alert
  – Some organizations capture everything

89
Q

User and entity behavior analytics (UEBA)

A

– Detect insider threats
– Identify targeted attacks
– Catches what the SIEM and DLP systems might miss

90
Q

Sentiment analysis

A

  – Public discourse correlates to real-world behavior
  – If they hate you, they hack you
  – Social media can be a barometer

91
Q

SOAR (Security orchestration, automation, and response)

A

Security orchestration, automation, and response
– Automate routine, tedious, and time intensive activities

Orchestration
– Connect many different tools together
– Firewalls, account management, email filters

Automation - Handle security tasks automatically

Response - Make changes immediately

92
Q

Penetration testing

A

Similar to vulnerability scanning
  – Except we actually try to exploit the vulnerabilities

Often a compliance mandate
  – Regular penetration testing by a 3rd party

National Institute of Standards and Technology, Technical Guide to Information Security Testing and Assessment

93
Q

Pen test process

A

Initial exploitation - Get into the network

Lateral movement
– Move from system to system
– The inside of the network is relatively unprotected

Persistence
– Once you’re there, you need to make sure there’s a way back in
– Set up a backdoor, build user accounts, change or
verify default passwords

The pivot
– Gain access to systems that would normally not
be accessible
– Use a vulnerable system as a proxy or relay

94
Q

Wardriving or warflying

A

Combine WiFi monitoring and a GPS to know where a wireless network might be.
  – Search from your car or plane
  – Search from a drone

Huge amount of intel in a short period of time
  – And often some surprising results

All of this is free
  – Kismet, inSSIDer
  – Wireless Geographic Logging Engine
  – http://wigle.net

95
Q

Active footprinting

A

Trying the doors
  – Maybe one is unlocked
  – Don’t open it yet
  – Relatively easy to be seen

Visible on network traffic and logs

Ping scans, port scans, DNS queries, OS scans, OS fingerprinting, service scans, version scans

Active footprinting actively sends information into the network or the devices on it in order to gain more information about what might be there. If someone is monitoring network communication or capturing packets on the network, they will see us perform these active footprinting tasks.

96
Q

Red Team

A
  • Offensive security team - The hired attackers
  • Ethical hacking - Find security holes
  • Exploit vulnerabilities -Gain access
  • Social engineering - Constant vigilance
  • Web application scanning - Test and test again
97
Q

Blue Team

A
  • Defensive security - Protecting the data
  • Operational security - Daily security tasks
  • Incident response - Damage control
  • Threat hunting - Find and fix the holes
  • Digital forensics - Find data everywhere
98
Q

White Team

A
  • Not on a side
    – Manages the interactions between red teams and blue teams
  • The referees in a security exercise
    – Enforces the rules
    – Resolves any issues
    – Determines the score
  • Manages the post-event assessments
    – Lessons learned
    – Results
99
Q

Data sovereignty

A
  • Data sovereignty
    – Data that resides in a country is subject to the laws of that country
    – Legal monitoring, court orders, etc.
  • Laws may prohibit where data is stored
    – GDPR (General Data Protection Regulation)
    – Data collected on EU citizens must be stored in the EU
    – A complex mesh of technology and legalities
  • Where is your data stored?
    – Your compliance laws may prohibit moving data out of the country
100
Q

Data masking

A
  • Data obfuscation
    – Hide some of the original data
  • Protects PII
    – And other sensitive data
  • May only be hidden from view
    – The data may still be intact in storage
    – Control the view based on permissions
  • Many different techniques
    – Substituting, shuffling, encrypting, masking out, etc.
101
Q

Data encryption

A
  • Encode information into unreadable data
    – Original information is plaintext, encrypted form is ciphertext
  • This is a two-way street
    – Convert between one and the other
    – If you have the proper key
  • Confusion
    – The encrypted data is drastically different than the plaintext
  • Diffusion
    – Change one character of the input, and many characters of the output change. The ciphertexts for “hello world” and “hello world!” are drastically different.
102
Q

start at tokenization (Messer page 35)

A