General Knowledge Flashcards
What is GRC?
Governance, Risk Management, and Compliance
What tool should businesses use to track risks?
Risk Register
What role does Governance play in the approach to Cybersecurity?
Responsible for creating and maintaining organizational policies. Defines the organizations expectations of its employees and approach to cybersecurity.
What are SLO’s within cybersecurity and a Secure Operations Center
Serice Level Object which are the standards that organizations and their leadership must meet to ensure the security of their network.
What is MTTD and MTTR
Mean Time to Detect
Mean Time to Recover
What are the 4 Risk Responses
Avoid
Accept
Mitigate
Transfer
Briefly Describe Threat Modeling
Designed to identify the principal risks and tactics, Techniques and procedures (TPP) that a given system may be subject to by evaluating the system both from an attacker’s point of view and from the defender’s point of view.
Name some standard frameworks to help practitioners with controls
NIST 800-171 Protecting Controlled Unclassified Information in NonFederal Systems and Orgs
NIST 800-53 Security and Privacy Controls for Federal Systems
ISO27001 and CIS Top 18 ver 4
Name the 3 different classes of Control Types
Technical - Systems
Operational - People
Managerial - Oversight
Modern approach to security controls includes preventative but name the 4 additional ones.
Detective
Corrective
Compensating
Corrective
This control acts to eliminate or reduce the likelihood of an attack. ACL’s , File System object, AV, etc
Preventative
This control does not prevent but will identify and record any attempted our successful intrusion
Detective
This control acts to eliminate or reduce the impact of an intrusion attempt.
Corrective
This control serves as as substitute for a principal or control.
Compensating
Using a standard and afford better protection than existing control.
This control serves to direct corrective action.
Responsive
SOC response with well-defined procedures
The term for adopting a functional approach to security controls that maps to known adversary tools and tactics.
Course of Action Matrix (CoA)
Name two of the most popular hardening Guides
CIS Benchmarks - 1000 pages
Department of Defense Security Technical Guides (STIGs)
What is the attack surface analysis tools that uses MITRE ATT&CK Framework
Adversary Emulation - Red Team Engagement
Comparing Adversary vs Penetration Testing
Goal of the penetration test is to simulate an attack to identify the vulnerabilities and weakness. Prioritize based on findings.
Adversary emulation simulates a real-world cyber-attack by a red team to assess an organizations defense. Much more comprehensive than a pen test.
What is the attack surface analysis that offers rewards based on certain elements?
Bug Bounty
What is the difference between Threat Intelligence and Threat Hunting
They both encompass the strategies used to detect and protect against active threats.
Threat Intelligence describes gathering and analyzing data to help identify potential threats and determine most cost-effective way to mitigate them.
Threat Hunting is the active search for signs of malicious activity on a network. It uses tools and techniques to search for potential threats such as logs
Who published the Common Vulnerabilities and Exposures
MITRE.org
What is the common term for Command and Control
C&C or C2
Name a defining characteristic of an ATP
Adversary removes evidence of the attack.
What is OSINT
Open-Source Intelligence - using publicly available information such as web sites, blogs, chat forums, etc.
What are the two broad types of categories for Threat Intelligence
Strategic - High level of view of the threat landscape- trends, tactics, and techniques that threat actors use.
Operational - more granular about specific threats such as malware analysis and network forensics
What is an ISAC?
Information and Sharing Analytics Center - required by Government in 1990 to form private/public partnerships and industry associations to disseminate information sector-specific threat intelligence
What alliance do cybersecurity vendors openly share threat information with?
Cyber Threat Alliance (CTA)
What is CISA
US Cybersecurity and Infrastructure Security Agency
What are IoC’s and IoAs and describe
Indicators of a compromise
Indicators of an attack
Based on confidence levels provided by threat information
What is the attack data that describes TTP’s of current, active cyberattacks?
Crowdsourced attacks
What techniques plays a crucial role in identifying and analyzing IOC’s
Digital Forensics
What is the term of using offensive actions to outmaneuver an adversary to make an attack harder to execute?
Active Defense
Honeypots
Honeynets
Active Decoys
What are the key differences between Serverless platforms
hardware abstraction. Based on time not hours
What are the 3 “planes” of Software Defined Networking
Control Plane - traffic prioritization and where it should be switched
Data Plane - handles the actual switching and routing including any ACL’s
Management Plane - monitoring of traffic conditions and network status
What is a networking and security architecture that provides secure access to cloud applications and services while reducing complexity
SASE
Secure Access Service Edge
SASE plays a key role in Zero Trust Architecture
The act or cooperation between multiple systems or companies to enable access via trusted accounts is called ___________
a Federation
What is the standard method companies use to authenticate between systems such as Google and Amazon and what protocol is involved?
OpenID and Oauth 2.0
What is the XML-Based language used to Exchange authentication information between a client and service provider
Security Assertion Markup Language (SAML)
What is the XML-Based web services protocol that is used to exchange messages between
Simple Object Access Protocol (SOAP)
In relationship to Transitive Trust if resource A trusts resource B and Resource B trust Resource C then T or F Resource A trust Resource C
True
trust models avoid single point of failure
What is the Enterprise Management software designed to mediate access to cloud services by users across all types of devices?
Cloud Access Security Broker (CASB)
What are the 3 CASB implementations
Forward Proxy - Appliance at client network edge. Can be bypassed and perf concerns
Reverse Proxy - At cloud network edge and does require cloud application support of this proxy
API - built into the Cloud app itself
What is SOAR and what function does it serve
Security, Orchestration, Automation and Response
a class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
What is a SIEM and how does SOAR work with this type of system
Security Incident and Event Management
SOARS can bolt onto a SIEM and trigger after an alert is generated
Describe relationship between Regulations and Standards
regulations describe legal requirements and ramifications; the details of compliance are oftentimes provided in prescriptive form within a standard.
OWASP is _________
Open Web Application Security Project - Internationa non-profit providing unbiased about app security
Publishes top 10
Publishes ModSecurity Tool
What is Static Analysis in regard to Vulnerability Scanning?
Manual inspection of source code to identify vulnerabilities and weaknesses.
True of False - Fingerprinting in Vulnerability Analysis is the same as Mapping
False - fingerprinting is at the device level while Mapping is looking at the network as a whole
What is Dynamic Analysis in Vulnerability
A more rigorous approach typically using vulnerability scanning software and even Pen Testing
What is Fuzzing?
Formerly Black Box Testing using specialty software tools to identify problems and issues with an application by purposely inputting or injecting malformed data to it.
What is Operations Technology (OT)
Systems that operate separate from Corp IT and typically are comprised of PLC’s and SCADA Networks.
What type of system provides mechanisms for workflow and process automation in Industries
Industrial Control Systems (ICSs)
plant devices and equipment with embedded PLC’s
What is SCADA
A supervisory control and data acquisition (SCADA) . A system that takes the place of a control server in a multi-site ICS.
What type of control language does PLC’s utilize
Special Sequential Control Language called Ladder Logic
What is the command to change File and Folder Permissions in Linux
CHMOD
Owner, Group, Other
4 = Read
2 = Write
1 = Excecute
CHMOD
What is the most common scan type for NMAP
SYN Scan
T or F UDP scans in NMAP is the most unreliable
True
What is the numerical score assigned to a computer vulnerability called?
CVSS
Who developed the Cyber Kill Chain
Lockheed Martin
A NIST Framework that outlines various accepted practices for automating vulnerability scanning.
Security Content Automated Protocol (SCAP)
An XML Schema, maintained by Mitre, for describing system security state and querying vulnerability reports and information
Open Vulnerability and Assessment Language (OVAL)
Part of SCAP
Scheme for identifying hardware devices, operating systems, and applications developed by Mitre
Common Platform Enumeration (CPE)
Standardized naming format used to identify systems and software
Scheme for identifying vulnerabilities developed my Mitre and adopted by NIST
Common Vulnerability and Exposure (CVE)
a list of records where each contains a unique identifier used to describe public known vulnerabilities
Scheme for provisioning secure configuration checks across multiple sources developed by Mitre and adopted by NIST
Common Configuration Enumeration (CCE)
similar to CVE except focused on configuration issues which may result in an vulnerability.
What are two key elements on how CVSS is scored
CVSS Score Calculation - formula based
CVSS Vector String - more context including identifiers, environmental and additional information
T or F CVSS is a measure of exploitablity
False
does not indicate where or not a vulnerability can be exploited.
When a Vulnerability Scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not is called a
False Positive
When a vulnerability scan incorrectly identifies that a vulnerability does not exist
False negative
Most concerning since it points to issues with scanning engine or database
What are the 3 Categories of CVSS Scoring
Impact
Exploitability
Remediation
What are the Metrics of the CVSS Scoring
Scope—The number of systems and people affected by the vulnerability.
Confidentiality—The extent to which data is disclosed.
Integrity—The extent to which the system’s functionality is changed or impaired.
Availability—The extent to which a system is unavailable.
Privacy—The extent to which the system’s privacy is impacted.
Operations—The extent to which the system’s security is affected.
Other—Any other relevant or important factors.
What are the Payloads in a Wirehark Packet Capture that indicate which server OS
Windows - 32 bytes or string of letters in ASCII
Linux/Unix - 48 bytes or stings of letters and numbers in ASCII.
This term describes how many organizations’ networks no longer have a clearly defined “inside” and “outside” boundary.
Depermeterization
Data _______________ combines and analyzes data from disparate sources to gain a greater understanding of it
Enrichment
Physical (P), Local (L), Adjacent Network (A), or Network (N) are all values for which base metric
Attack Surface
When a vulnerability scan correctly identifies a vulnerability.
True Positive
For example, a true positive would be when a scan correctly identifies the presence of default credentials on network equipment.
A vulnerability scan that correctly indicates that a system or device does not have a vulnerability.
True Negative
What is the term for the type of control when systems do not support modern security features, or these features break business critical functions?
Compensating Controls
this control can provide protection when circumstances prevent the use of the primary security measure.
A legal document that outlines the terms and conditions of an agreement between two or more parties.
Memorandum of Understanding (MoU)
It might outline uptime, data access, response times and other performance characteristics that conflict with tasks identified in response to mitigating vulnerabilities.
Legally binding contract between two parties that defines the level of services to be provided?
Service Level Agreement
What is the system of rules, practices and processes an organization uses to control its operation and the strategic direction it pursues
Organizational Governance
can conflict with security measures.
Name the 3 CVSS Temporal Metrics Sub Components
Exploit Code
Maturation
Remediation Level
Report Confidence
What are the Rating Levels of CVSS and their corresponding Score Ranges
Rating CVSS Score
Critical 9.0 - 10.0
High 7.0 - 8.9
Medium 4.0 - 6.9
Low 0.1 - 3.9
None 0.0
What site holds the CVSS for a CVE Record
nvd.nist.gov
Which option in NMAP disables Port Scanning
-sn
Uses a ping sweep which is not an ideal option since many systems will not reply. Port scans would necessary
By Default scans how many ports
Top 1000
use -p option to select more ports such as -p 10000-16000
What does the -sV option enable during a NMAP Scan
Known as the version scan but is also a banner grabbing, server identification, and enumeration.
List the DoD STIGs vulnerability categories.
Category I—Any vulnerabilities that will immediately cause a breach of confidentiality, availability, or integrity. These exposures can grant unapproved access to confidential information, causing a disruption of service. These threats are the most dangerous and may result in death, damage to facilities, or a failure of a mission.
Category II—Any vulnerabilities resulting in loss of confidentiality, availability, or integrity and can lead to a Category I vulnerability, injury, damage to equipment, or degrade a mission.
Category III—Any vulnerabilities that degrade controls implemented to protect against the loss of confidentiality, availability, or integrity and can lead to a Category II vulnerability, delay recovering from an outage, or negatively affect the accuracy of data.
_______ are the actions and guidelines for dealing with security events.
Incident Response Plans
What are the NIST 800-61r2 stages of incident response life cycle
- Preparation - hardening, policies and procedures
- Detection and Analysis - triage
- Containment - limit impact
- Eradication and Recovery - multiple phases
- Post-Incident Activity - Analyze and update procedures and policies
Name some of the typical components of an IRP
Incident Response Policies - statements of the organizations expectations and procedures
Incident Response Procedures - Ransomware, Data Exfiltration, Social Engineering Playbook
Incident Tools and Resources - SIEM, IDS, Vuln Scanners, Netflow, Monitoring, FW and Gateways
Identification of Potential Threats and Incident. - Threat modeling, risk Analisys and other threat identification
Assessment of Potential Impacts - using risk analysis and impact assessment to measure the scope of identified incidents.
Creation of Response Plans - detailed, concise and direct
What Technical Controls or Tools form the foundation of Incident Detection Capabilities
SIEM and IDS
T or F Incident Response Playbooks should be digitally stored as a best practice
Fales - they should be actual playbooks and not accessible digitally to keep malicious intent from getting this
Following an incident during Post Review what is the name of the report that should be compiled.
Lessons Learned Report (LLR) or After-Action Report (AAR)
The conclusion of the lessons learned is to continue to update the Incident Response Plan
T or F identifying IoC’s is the first step in incident response
True
this is a reactive process and the earlier the detection the better
Defacto method for sharing and matching threat intelligence against network traffice
Suricata Rules
passive and used within IDS
Data Acquisition as it related to evidence prioritizes collection based on the following
Evidence capture prioritizes collection activities based on order of volatility.
CPU Registers and Cache Memory
Contents of System RAM
Data on HDD
Remove Logging
Physical config data
Archive Data
Describe the requierments of the Legal Process
Evidence Preservation - labeled, tagged and bagged.
Ensure Chain of Custody is recorded for each piece of evidence
Apply Legal Holds when applicable. Preserving the data and ensuring no changes are made
e-Discovery to be applied of identifying, collecting and providing the information by a legal hold
What are the two classification Frameworks for an Impact Analysis (Triage)
Impact Based
Taxonomy Based - defines incident categories by types such as worm outbreaks. Phishing attempts. DDoS… Includes Sub Categories such as attack vectors, threat type, etc.
The process of assessing what costs are associated with an incident such as a data breach is ________
Impact Analysis
Describe the key difference between recovery and remediation.
Remediation describes the corrective actions to address a problem permanently vs recovery that would fix the issue but not get to the root cause.
Name the Forensic Tools and their functions
Fdisk - List Partitions
testdisk - detailed partitions and hidden
fiwalk - analyze drive image
Fsstat - more information on partitions - especially hidden partitions
fls to pull info from hidden partitions
istat - to pull inode information from hidden partitions
Incident Response Report (IRR) should have ________ words also know as the 5?
Interrogative Words
Who, What, When, Where and Why
Must have a timeline to support the 5W’s
What is the process called that gets to a foundational understanding of the event
Root Cause Analyss (RCA)
What is the site that I can go to for Digitial Forensics Tools Testing
dftt_sourceforge.net
What is the name of the command in Kali that hashes the file and adds that hash to the expected file
md5sum
What is the name of the Kali utility forensic tools set
Autopsy Forensics Browser
Name of Microsoft site and utiliteis to manage and diagnose troubleshoot a windows environment
SysInternals
T or F a playbook is designed to automate some the routine tasks ordinarily performed by security personnel in response to a security incident
False
What is the name of the command that extracts and displays viewable characters stored within a Binary
Strings Command
Wireshark can filter the output using the same expression syntax as _________. Which is a command line packet capture utility for Linux
tcpdump for Linuz
windump for Windows
tcdump -i eth (where eth represents the inerfact to listen on
tcpdump -i eth0 -w capture.pcap
This tool is invaluable for scripting scenarios.
Note - PCAP file format has limitations and has been replaced with PCAPNG by default
When a playbook utilizes a high degree of Automation from a SOAR systems then it can be referred to as a Runbook - T or F
True
What is the free service designed to inspect files and URLs using over 70 antimalware scanners and domain blocklisting services
VirusTotal
What are two common Cloud Based Sandbox
Joe Sandbox
CrowdStrike’s Hybrid Analysis
2 of the big 3 threat frameworks are Mitre Attack and Lockheed Martin Kill chain. what is the 3rd one called
Diamond Model Framework
good for teaching and less technical than MITRE
used to develop automated threat intelligence analysis engines which are often integrated with various SIEM Platforms
Developed by the Institute for Security and Open Methodologies (ISECOM) this manual outlines every area an organization needs testing with detailed is called __________
Open-Source Security Testing Methodology (OSSTMM)
Operational, physical and Wireless security testing
Describe in technical terms the anatomy of SMTP
Mail User Agent (MUA) creates an initial header during email creation. Sent to Message Delivery Agent (MDA) which validates and if not locally sent appends its own header and then transmits message to Message Transfer Agent (MTA). MTA via DNS routes to the recipients MTA. Each MTA it passes through it gets another header.
Which email security framework uses DNS Text records that identifies the hosts authorized to send email for that domain?
Sender Policy Framework (SPF)
What email security provides a cryptographic authentication method for DNS records and supplements the other framework?
DomainKeys Identified Mail (DKIM)
Uses a public key uploaded as a text record in DNS Server. when outgoing email is processed the domain MTA calculates a hash value on selected message and signs it using its private key. Hash value is added to the message as a DKIM Signature .
How does DMARC (Domain-Based Messaging Authentication, Reporting and Conformance apply to email security
DMARC Framework ensures that SPF and DKIM are being utilized effectively.
DMARC policy is published as a DNS Record and specifies an alignment method using one or both SPF and DKIM.
What is another name for Doppelganger Domains
Cousin Domains
What is the type of system utility that makes the victim system connect back to the attackers’ machines to establish shell access
Reverse Shells
netcat Listener
Bash Shells
Python
These would not be considered normal activity and should be heavily scrutinized.
This security product offering scans indicators from multiple intrusion detection and log sources to identify anomalies and are often integrated in SIEM Platforms
User and Entity Behavior Analytics (UEBA).
Tracks user account behavior across different devices and cloud services.
A ________ _________ attack allows a small DNS request with a spoofed source IP to generate a very large response.
DNS Reflection
reflection or amplification attack uses spoofing
What type of devices does Worm Activity typically saturate
Switches and Routers
What is the command that Network Time Protocol can be used to abuse that generates vast amounts of traffic
MonList
T or F Beaconing is always associated with an intrusion?
False.
Beaconing is a legitimate process where nodes such as AP’s advertise their presence. But it can also be associated with Remote Access Trojans communicating with C&C.
What is the name of the technique used by C&C to avoid being pinned down
Domain Name Generation Algorithm (DGA)
and
Fast Flux DNS
What are the common Channels that C&C communicate over
Internet Relay Chat (IRC)
HTTP/HTTPS
DNS - common since it does not require internet and DNS Server can forward requests.
Social Media Website
Media and Doc files - using their metadata which is no inspected typically.
What tool from Sysinternals is the reliable method that hackers will use to move laterally through your network
PsExec
Uses a simple pattern
1. Establish a SMB connection to target system
2. Pushes a copy of a receiver process PSEXESVC.exe to target systems ADMIN$ share
3. Launces PSEXESVC.exe which sends an output to a named pipeline
What is the name of the attack when an attacker redirects an IP Address to a MAC Address not associated with its proper destination
ARP Spoofing or ARP Poisoning
Malware can use any port to communicate but what is the term when it initiates over a standard port then communicates over a different port
Mismatched Port/Application Traffic
Describe Shell and Reverse Shell
Shell - opening up a command windows on a remote host
Reverse Shell - opens a listening port on remote host and cause the infected host to connect to it
Which open source tool native to Linux that is used by hackers to perform a Reverse Shell
Netcat
produced by Nmap
What are the Linux commands that output a summary of memory and processes
Free and Top
htop utility is similar with mouse support and more easily readable output
what is the Linux command that can aid in analyzing the file sysem
lsof - retrieves a list of all files currently open.
df and du
What are the Windows Scheduled Task Event ID for Creation and Modification and Event ID for enabling or disabling scheduled tasks
4698 - New or modified
4700- enabled or disabled
What are the core Process in Windows
Windows Kernel (systems.exe)
Session Manager Subsystem (smss.exe)
Client Server Runtime Subsystem (csrss.exe)
Windows Initialization Process (wininit.exe)
Service Control Manager
(services.exe)
Local Security Authority Subsystem Services (Isass.exe)
What is the practice of exploiting flaws in an OS or other App to gain a greater level of access than was intended for the user of the application
Privilege Escalation
What are the common types of NMAP Scanning and their flags
TCP SYN (-sS)
TCP Connect (-sT)
TCP Flags (-sN, -sF, -sX)
UPD Scan (-sU)
Port Range (-p)
NMAP can also be used for Fingerprinting on hosts?
True
Using -sV or -A NMAP can get
Protocol
App Name and Version
OS Type and Version
Host Name
Device Type
Which free tool can be used for quickly scanning a network to identify connected devices and services
Angry IP Scanner
What is the name of the sophisticated visualization tool that helps investigators quickly identify relationships among entity types
Maltego
_________ is a very powerful collection of tools designed to exploit vulnerabilities in a wide range of systems and software
Metasploit Framework
_________ has a syntax and use that parallels Metasploit but focused on performing web based reconnaissance.
Recon-ng
best for reconnaissance in the information gathering phase of exploitation.
What is the open-source security platform built on OSSEC providing a range of features for monitoring threat detection and compliance management
Wazuh
Can be integrated with Elastic Stack and is highly scaleable
Name of the password guessing/stuffing attack in Linux
Hydra
Wazuh Level scales are
Info - 0-3
Low - 4-7
Medium - 8-11
High - 12-15
Emergency 16
What is the type of attack that requires a theft of a token from a valid client which is then used from a different system to fool the authentication services
Pass the Hash
What is the primary reason to avoid the use of MD5
Propensity for collisions
What European Org was setup in 90’s for Computer Antivirus Research
EICAR
European Institute for Computer Antivirus Research
What is the project of NIST for software library called
National Software Reference Library.
What is the very popular tool for analyzing and exploiting web applications and what category is it.
Burp Suite
Intercepting Proxy
Zed Attack Proxy (ZAP) is another similar tool to Burp Suite and what organization produced it.
OWASP
Open World Application Security Project
Name a popular web app scanner that uses the command line.
Nikto
Name some of the common Debuggers and Reverse Engineering Tools
Immunity Debugger - Open source and very popular
GNU Debugger - open source and focuses on programs wrriten in C, C++ and Fortran
Name the poplular tools for App and Cloud Penetration Testing
ScoutSuite - open source and works with all 3 of the major public clouds
Prowler - same but only AWS
PACU - AWS only and would require permission for CSP’s acceptable use policy
______ is a CLI web vulnerability scanner that can detect over 6700 potentially dangerous files and CGI Scripts
Nikto
________ is a CLI Web vulnerability scanner that focuses on problematic web scripts
Wapiti
Who owns SSL Labs and what does this service prform
Qualys
website/web and web browsing testing service
What is a name of a excellent online web vulnerability scanner
PentTest Tools
What tool can automatically perform reconnaissance and scanning of website using NMPA, Shodan, Whatweb, Nikto, Vulners, Hydra and more
Legion
what service scans sites and provides in HTML format findings into different service categories such as Good, Warning, Danger
ScoutSuite
Command Line Cloud Security Auditing Tool that generates a report summarizing the security posture of a company’s cloud architecture.
Prowler
What is a common password cracking tool that performs dictionary attacks?
John the Ripper (JrT or John)
T or F a Dictionary attack and Brute Force is a form of offline password cracking.
True
Uses stolen password hashes and does not interact with a live authentication system
Name of the command line utility for cracking Wireless Networks
Aircrack
What is the widely used tool for LInux Apps for debugging, inspecting runtime status, and modifying the programs execution flow.
GNU Debugger
What is the open source, feature rich modular web application security testing framework
Arachni
Windows Powershell uses what type of extension and what type of command syntax
.PS1
easily reconnizable by using cmdlets that use a Verb-Noun such as a Invoke-Command
Get-Content
Add-Content
What is the command language that is part of Windows WMI and what is it used for
Windows Management Instrumentation Command-Line
Performing administrative tasks and well suited to scripting and automation
What is the interpreted , high level, general purpose programming language used for a wide variety of purposes and what is its extension
read pointer position
Python
.py
print(‘The current pointer position is {0}.format(mouse.position))
What is the object orientated, event driven programming language that enables website interaction.
JavaScript Object Notation (JSON)
as opposed to HMTL which simply display’s information.
Similar to XML
uses curly bracket syntax and allows for the use of arrays (lists)
{ “product info” :
{
“product name” : “adjustable race”, “product number” : “AR-5381”,
{
What is the primary difference between HML and XML
HMTL displays data and XML transfer it
note the syntax
<Prodcuts> and /
</Prodcuts>
What is the name of the web security flaw that enables an attacker to read various files on the web server when an application is running.
Directory or File Path Traversal
What is the attack that takes advantage of a website’s weakness in allowing submitted code and commands to execute
Cross-site Scripting (XSS)
It also uses hex coding to obfuscate characters:
Common ones are:
%20 space
%2F /
%3c <
Predecessor to Bourne Shell
BASH (Bourne-again shell)
an improved version of sh and very common.
Supports full programatic structure and looks like
Tux@ubuntu:~$ cat boolean_loop.sh
#/bin/bash
mynum=100
While :
Do
Echo “enter a number or CTRL-C to quit”
Read num1
If [ $num1 -gt $mynum]; then
echo “your number is smaller”
echo
Else
echo “We picked the same number!”
Echo
fi
done
To redirect output data to other locations such as a file or program what are is the redirection characters
> for basic redirection
> for appending to existing
What is the method of system development that incorporates security controls in every phase of the systems lifecycle
Secure Software Development Life Cycle (SSDLC)
What is a comprehensive guide for testing the security of web applications
OWASP Testing Guide
provides a structured approach to web app security testing
- Info Gathering
2, Config and Deployment management testing
3, Identity management testing - Input validate……
This password attack describes when an attacker chooses predetermined passwords and tries them for multiple accounts
Password Spraying
a brute force attack which multiple user account are tested with a dictionary of common passwords
This password attack describes the use of credentials stolen from one source and trying them agains multiple sources
Credential Stuffing
a brute force attack in which stolen user account names and passwords are tested against multiple websites
A software vulnerability where the authentication mechanism allows an attacker to gain entry
Broken Authentication
eg. cleartext credentials, weak session tokens, or permit brute force login requests
__________ is a software vulnerability where a program attempts to write more data to a temporary storage area in memory than it can hold. causing data to overflow into adjacent memory. What is a widely used vulnerability discovered called
Buffer Overflow
Heartbleed - OpenSSL Implementations of TLS. In vulnerable versions of OpenSSL an attacker can send a malformed heartbeat request that causes the server to leak up to 64 KB of memory data.
What is the area of memory allocated by the application during execution to store a variable called _______. _______ _______ can overwrite those variables and possibly allow arbitrary code excecution
Heap
Heap Overflow -
_______ type of software vulnerability that occurs when a program tries to store an integer value larger than the maximum value that the data type can hold. this causes the value to wrap around to a lower value or overflow into adjacent memory space.
Integer Overflow - can cause a buffer overflow
Fun Fact: Famous Integer Overflow occurred during NASA’s Mars Climate Orbiter in 1999 - force of thrusters exceeded max value and it went negative resulting incorrect trajectory.
What is the name of the region of memory that hold temporary data created by a program during runtime. What is the vulnerability when a program tries to store more data in the _____
Stack
Stack Overflow
some programming language such as C and C++ contain built in function such as strcpy
What is the technique that randomize where components in a running application are placed in memory to protect against buffer overflows
Address Space Layout Randomization (ASLR)
Which exploit is more difficult versus Local File Inclusion or Remote File Inclusion
Remote File Inclusion is easier to perform but less likely to be exploitable.
T or F HTTP is a stateless Protocol
True
It uses Cookies to preserve info on users
Nonpersistent Cookies or session cookies which are stored in memory and deleted when browsers are closed.
Persistent Cookies are stored in browser cache until deleted by user or expire on its own.
Local cookies if not encrypted can hold confidential information.
What are the ways you can protect against Session Hijacking that exploit Cookies
Deliver a new cookie upon each connection.
Session tokens must use a non-predictable algorithm
What is the attack that uses a malicious script on the Attackers site that can exploit a session started on another site in the same browser called
Cross-Site Request Forgery (XSRF)/(CSRF)
Prevention is difficult since requests tend to look similar to those made by a user of a web application performing normal actions.
Use of user-specific tokens in all form submissions to prevent this
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
SQL Injection
most common method is to submit a single apostrophe and then look for errors.
common to use a true statement to illicit a response. This allows hacker to start to inject queries for malicious intent
Which vulnerability can pose signficant risks to chat bots and language Model
Prompt Injection
exampe of MS Tay Chatbot and racial input caused a stir
The vulnerability where a hacker using SQL Injection to reference an actual name of a system Object
Insecure Object Reference
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory
Directory Traversal
A malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser’s security model of trusted zones.
Cross-Site Scripting (XSS)
Reflected and Persistent
A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.
File Inclusion
Broken Access Controls is defined as when ______
User Controls are not seutp correctly and have access they should not
An attack where an attacker takes advantage of the trust established between the server and the resources it can access, including itself.
Server-Side Request Forgery (SSRF)
reference Capital One Attack via AWS improper configured firewall
_____ _____is an attack that involves deliberately manipulating or corrupting data used in machine learning (ML) models or artificial intelligence (AI) systems
Data Poisoning
Discovering errors messages when attempting SQL Injection is known as ________
error-based SQLi
Note - most sql injection statements start with a single quote
A method used by malware to evade block lists by dynamically generating domain names for C2 networks
Domain Generation Algorithm (DGA)
Fast Flux Network - continually changing the host IP address in domain records using DGA
if you get a high rate of NXDOMAIN errors while resolving the DNS it could be an indicator of a DGA
Which MAC, Linux or Unix command is the same as Windows NSLooksup
Dig
Used for DNS Harvesting
What is the condition that occurs when a firewall is under-resources and cannot log data fast enough and there some data is missed
Blinding Attack
What is one method of stopping DDoS using routers
Blackholing which sends traffic to null interface
or
SinkHole - instead of dropping it sends to separate network for analysis
uses less resources than ACL.
CloudFlare and Akamaia
Name the two types of Proxies
Non-Transparent -
Transparent - forced and not known to client
Reverse - protects server from client. Great source of logs
Open Sources IDS _______
Zeek Monitoring Tool
What tool for Security Analyst for Defenders
Security Onion
What is the name of Malware that is designed to install or run other types of maloware embedded in a payload on an infected hosts
Dropper is at Stage 1
Downloader is stage 2
Any lightweight code designed to run an exploit on an target
Shell Code
What is the Windows Services that Hosts nonboot drivers and should only have one instance but is commonly used for Malware infections
Services.exe
child of Winnit.exe
What is the multi-platform program that runs on Windows, Linux and Mac OS X for identifying, classifying and describing malware samples
Yara
