Domain 1 Flashcards
A social engineer used vishing and polite behavior to persuade a target to visit a fake website with fake reviews. The attacker then persuaded the victim to enter personally identifiable information (PII) in a web form. Which of the following did the attacker use to make the site appear more legitimate? (Select all that apply.)
Consensus/social proof and Familiarity/liking
With consensus/social proof impersonation, an attacker fools users into believing that a malicious website is legitimate by posting fake reviews. The victims believe the reviews and place their trust in the website.
One of the tools of social engineers is to be likable, and to present the requests they make as completely reasonable.
A social engineer intercepted an end-user’s phone call to an internet service provider (ISP) about a home internet outage. Pretending to be the caller reporting the outage, the attacker immediately contacted the ISP to cancel the service call, dressed up as an internet tech, and then proceeded to enter the end-user’s home with permission. What type of social engineering attack did the ISP and end-user fall victim to?
Impersonation
Impersonation is a social engineering attack in which the attacker pretends to be someone else.
Which of the following situations describes identity fraud? (Select all that apply.)
Using a stolen credit card and using another person's name
A hacker is using a password spraying attack to gain access to a remote computer connected to the company network. Which of the following attack characteristics describes the actions of the hacker in this case?
Using multiple usernames and passwords
Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords and tries to use them in conjunction with multiple usernames.
What can an attacker do to acquire a duplicate of another user’s smart card?
Clone it.
Card cloning refers to making one or more copies of an existing card. An attacker can physically duplicate a lost or stolen card with no cryptographic protections.
Wrong answer: Skimming refers to using a counterfeit card reader to capture card details, which the attacker then uses to program a duplicate.
A few end-users contacted the cybersecurity department about browser pop-ups on their computer and explained that some websites they visit redirect them to other sites they did not intend to navigate. The security team confirmed the pop-ups and noted modified DNS (Domain Name System) queries that go to nefarious websites hosting malware. What most likely happened to the users’ computers?
Spyware infected the computers.
One spyware technique is to spawn browser pop-up windows, as well as modify DNS queries attempting to direct the user to other websites, often of dubious provenance.
An attacker can exploit a weakness in a password protocol to calculate the hash of a password. Which of the following can the attacker match the hash to, as a means to obtain the password? (Select all that apply.)
Dictionary word and a rainbow table
Password crackers can exploit weaknesses in a protocol to calculate the hash and match it to a dictionary word or brute force it.
Rainbow tables are associated with attacks where an attacker uses a set of related plaintext passwords and their hashes to crack passwords.
Which of the following conditions correlate with the process of a SYN (synchronize) flood attack? (Select all that apply.)
Denial of Service, Amplification, and Resource exhaustion
SYN flood attacks cause resource exhaustion on the host processing the requests, consuming CPU cycles and memory. This delays the processing of legitimate traffic and could potentially crash the host system completely.
A DoS attack causes a service at a given host to fail or to become unavailable to legitimate users. DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion).
A more powerful TCP SYN flood attack is a DRDoS or amplification attack, where the adversary spoofs the victim’s IP address and attempts to open connections with multiple servers.
By compromising a Windows XP application that ran on a Windows 10 machine, an attacker installed persistent malware on a victim computer with local administrator privileges. What should the attacker add to the registry, along with its files added to the system folder, to execute this malware?
A shim
A shim is a code library that intercepts and redirects calls to enable legacy mode on a system. The shim database represents a way that malware with local administrator privileges can run on reboot (persistence).
A security engineer implemented once-only tokens and timestamping sessions. What type of attacks can this type of security prevent? (Select all that apply.)
A replay attack and a pass the hash attack
Pass-the-hash occurs when the attacker steals hashed credentials and uses them to authenticate to the network. Using once-only session tokens or timestamping sessions prevents this type of attack.
A replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource. Using once-only session tokens or timestamping sessions prevents this type of attack.
An attacker discovered an input validation vulnerability on a website, crafted a URL that performed code injection against it, and then emailed the link to the victim. Once the user clicked the link, the web site returned the page containing the malicious code. What type of attack does this describe?
Cross-site scripting (XSS)
Cross-site scripting (XSS) is a malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.
An attacker sent a victim an email with a link to a malicious website. The victim then clicked the link, which opened a malicious payload in the browser, and changed the user’s password to a legitimate website. The legitimate site is vulnerable to what type of attack?
Cross-site Request Forgery (XSRF)
A Cross-site Request Forgery (XSRF) is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser. This is successful if the server does not check if the user actually made the request.
The latest web application, using default settings, is currently accepting application programming interface (API) calls over HyperText Transfer Protocol (HTTP). The environment has a moderate key management system. Even with basic server security, the API connection is vulnerable to which of the following? (Select all that apply.)
Key discovery and improper error handling
API calls use keys, made up of alphanumeric characters, to authorize requests to the web application. Over an insecure connection such as HTTP, these keys are exposed in transit, and an attacker who captures a key can use it to perform other API calls.
Default application settings may expose more information than necessary when errors occur. Exposing such information over an HTTP connection may give the attacker insight into the environment.
Which of the following is a sign of a malicious or corrupted process, and is particularly serious within service applications and in the operating system kernel?
Memory leak
Memory leaks in the OS kernel are extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.
An attacker hosted an exploit script on a malicious website and injected it into a trusted website. The attacker then sent the link to the victim and used open source information gathering (OSINT) and social engineering tactics, such as spear phishing, to convince the victim to click the link, which compromised the user browsing to the site. Which of the following best describes this type of attack?
Cross-site scripting (XSS)
Cross-site scripting (XSS) is a malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.
Which of the following does NOT provide encryption and is, therefore, vulnerable to eavesdropping and Man-in-the-Middle attacks?
NFC
NFC (Near Field Communication) does not provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and other software services are not encrypting the data.
External hackers gained some access to a company’s website and made some changes. Customers have submitted multiple complaints via email about wrong orders and inappropriate images on the website. The Chief Information Officer (CIO) is now worried about the distribution of malware. The company should prepare for which of the following other issues or concerns? (Select all that apply.)
URL redirection and domain reputation
Domain reputation refers to the beliefs or opinions of the public. If the company does not quickly resolve their website issues, they may lose their current and even future customers, destroying the website’s credibility.
URL redirection refers to sending users to other web pages. An attacker with access to the site may modify its links so that they point to fake or malicious web pages.
Which of the following can perform a Denial of Service (DoS) attack against a wireless network? (Select all that apply.)
Deauthentication and disassociation attacks
A disassociation attack uses disassociation packets to remove a known wireless access point (WAP) from a client’s list of available networks. This is a type of DoS on wireless networks.
A deauthentication attack sends a stream of spoofed frames to cause a client to deauthenticate. This is a type of DoS attack on wireless networks.
A Linux systems admin reported a suspicious .py file that ran on a daily schedule after business hours. The file included shellcode that would automate Application Programming Interface (API) calls to a web application to get information. What type of script is this shellcode most likely running?
Python script
Python is a popular language for development projects. Code with multiple logic and looping statements found in a .py file can indicate a Python scripting attempt.
By modifying query traffic, an attacker compromised a legitimate site’s web server via a Denial of Service (DoS) attack and redirected traffic intended for the legitimate domain to the attacker’s malicious IP address instead. What type of attack did the hacker perform?
Domain Name System server cache poisoning
DNS server cache poisoning is a redirection attack that aims to corrupt the records held by the DNS server itself. The intention is to redirect traffic for a legitimate domain to a malicious IP address.
A hacker corrupted the name:IP records held on the HOSTS file on a server, to divert traffic for a legitimate domain to a malicious IP address. What type of attack did the hacker perform?
ARP poisoning
Which of the following defeats a jamming attack and prevents disruption of a wireless network when a hacker uses an illegal access point (AP) with a very strong signal in close proximity? (Select all that apply.)
Boost the signal of the legitimate device, and locate the offending radio source and disable it.
Interference can disrupt a wireless network from other radio sources. One way to defeat a jamming attack is to locate the offending radio source and disable it.
Interference can disrupt a wireless network from other radio sources. One way to defeat a jamming attack is to boost the signal of the legitimate equipment.
Which of the following attacks do security professionals expose themselves to if they turn the power output down on a wireless access point (AP)?
Evil Twin attacks
Security professionals expose themselves to “evil twin” attacks, as users may expect to find the network at a given location and assume that the rogue AP is legitimate.
A group of people lost their jobs after their company filed for bankruptcy. These employees formed a closed hacktivist group to fashion a zero-day exploit that will target specific Windows operating systems (OS) on the company network. They will use internal influences to get the exploit onto the network. Which of the following factors will greatly influence the success of this attack? (Select all that apply.)
Former colleague assistance and revenge for hardship
Performing an act of revenge for personal hardship after being fired is a great motivation for carrying out an attack and seeing it through to the end. Revenge is a common motivator for insider threats.
Former colleagues, who are still working for the company, are a good resource to influence and insert a zero-day exploit onto the network. These colleagues (or insider threats) may want to help because they are sympathetic towards those employees who lost their jobs.