Module 3: Network Security Concepts Flashcards

1
Q

Describe the Attack Type

Eavesdropping Attack

Also called sniffing or snooping

A

This is when a threat actor captures and “listens” to network traffic.

2
Q

Describe the Attack Type

Data Modification Attack

A

If threat actors have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.

3
Q

Describe the Attack Type

IP Address Spoofing Attack

A

A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.

4
Q

Describe the Attack Type

Password-based Attacks

Specifically what can be done with a valid user account password

A

Using the password of a valid user account to obtain lists of other users and network information, change server and network configurations, and modify, reroute, or delete data.

5
Q

Describe the Attack Type

Denial of Service Attack

(DoS)

A

Prevents normal use of a computer or network by flooding traffic to either slow down or shut down systems and networks.

6
Q

Describe the Attack Type

Man-in-the-Middle Attack

(MitM)

A

When a threat actor positions themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.

7
Q

Describe the Attack Type

Compromised-key Attack

A

If a threat actor obtains a secret key, it becomes compromised. It can be used to gain access to secure communications without the sender or receiver being aware of the attack.

8
Q

Describe the Penetration Testing Tool

Password Crackers

List some tools

A

Used to find or ‘recover’ a password, either by removing the original password or by discovering it through repeated guesses (Brute Force Attack) or lists of commonly used passwords (Dictionary Attack).

e.g. John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, Medusa

9
Q

Describe the Penetration Testing Tool

Wireless Hacking Tools

List some tools

A

Used to discover and hack wireless networks.

Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, NetStumbler

10
Q

Describe the Penetration Testing Tool

Network Scanning and Hacking Tools

List some tools

A

Used to probe network devices, servers, and hosts for open TCP or UDP ports.

Nmap, SuperScan, Angry IP Scanner, NetScan Tools

11
Q

Describe the Penetration Testing Tool

Packet Crafting Tools

List some tools

A

Used to probe and test a firewall’s robustness using specifically crafted forged packets.

Hping, Scapy, Socat, Yersinia, Netcat, Nping, Nemesis

12
Q

Describe the Penetration Testing Tool

Packet Sniffers

List some tools

A

Used to capture and analyse packets within traditional Ethernet LANs or WLANs.

Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, SSLstrip

13
Q

Describe the Penetration Testing Tool

Rootkit Detectors

List some tools

A

Directory and file integrity checkers used to detect rootkits.

AIDE, Netfilter, PF (OpenBSD Packet Filter)

14
Q

Describe the Penetration Testing Tool

Fuzzers

List some tools

A

Used by threat actors to discover a computer’s security vulnerabilities.

Skipfish, Wapiti, W3af

15
Q

Describe the Penetration Testing Tool

Forensic Tools

List some tools

A

Used to discover evidence existing on a computer.

Sleuth Kit, Helix, Maltego, Encase

16
Q

Describe the Penetration Testing Tool

Debuggers

List some tools

A

Used to reverse engineer binary files when writing exploits.

GDB, WinDbg, IDA Pro, Immunity Debugger

17
Q

Describe the Penetration Testing Tool

Hacking Operating Systems

List some tools

A

Specially designed operating systems preloaded with tools optimised for hacking.

Kali Linux, Knoppix, BackBox Linux

18
Q

Describe the Penetration Testing Tool

Encryption Tools

List some tools

A

Used to encode data to prevent unauthorised access, whether for legitimate or malicious means.

VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, Stunnel

19
Q

Describe the Penetration Testing Tool

Vulnerability Exploitation Tools

List some tools

A

Used to identify whether a remote host is vulnerable to a security attack.

Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, Netsparker

20
Q

Describe the Penetration Testing Tool

Vulnerability Scanners

List some tools

A

Used to scan a network or system to identify open ports or other weaknesses.

Nipper, Secunia PSI, Core Impact, Nessus, SAINT, Open VAS

21
Q

Question

Which penetration testing tool uses algorithm schemes to encode data, which then prevents access to the data?

Name the tool, not the attack type!

List some tools

A

Encryption Tools

VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, Stunnel

22
Q

Question

Which penetration testing tool is used by black hats to reverse engineer binary files when writing exploits? They are also used by white hats when analysing malware.

List some tools

A

Debuggers

GDB, WinDbg, IDA Pro, Immunity Debugger

23
Q

Question

Which penetration testing tool is used to probe and test a firewall’s robustness?

List some tools

A

Packet Crafting Tools

Hping, Scapy, Socat, Yersinia, Netcat, Nping, Nemesis

24
Q

Question

Which penetration testing tool is used by white hats to sniff out any trace of evidence existing on a computer?

List some tools

A

Forensic Tools

Sleuth Kit, Helix, Maltego, Encase

25
Q

Question

Which penetration testing tool exploits a remote host susceptible to a security attack?

List some tools

A

Vulnerability Exploitation Tools

Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, Netsparker

26
Q

Question

What are the three most common types of malware?

A
  • Virus
  • Worm
  • Trojan Horse
27
Q

Question

Describe a virus:
How does it infect a device?
What does it do?

A

A virus is a type of malware attached to a file, such as a piece of software. When the file is opened, the virus executes and infects the device.

A virus can:
* Alter, corrupt, or delete files, applications or drives.
* Cause boot issues.
* Capture and send sensitive information to threat actors.
* Access and use email or communication accounts to spread.
* Lay dormant until summoned by the threat actor.

28
Q

Question

Describe a Trojan horse:
How does it infect a device?
What does it do?

A

A Trojan is a program that looks useful, such as free software or a game, but carries malicious code. Unsuspecting users download and install the program and are infected by the Trojan horse.

A Trojan can:
* Provide remote-access to threat actors.
* Send sensitive data to threat actors, like passwords or credit card information.
* Destroy files or drives.
* Act as a proxy to launch attacks or illegal activities.
* Enable unauthorised file transfers via FTP.
* Disable security software or firewalls.
* Launch a Denial of Service attack against the device, the network or a remote network.
* Keylog to steal confidential information.

Remote-access, Data-sending, Destructive, Proxy, FTP, Security Disabler, DoS, Key Logger

29
Q

Question

Describe a worm:
How does it infect a device?
What does it do?

A

A worm is a self-replicating program that propagates automatically. It does so without user action, typically by exploiting vulnerabilities in legitimate software.
A worm can:
* Use networks to find other victims and propagate.
* Slow or disrupt networks.

30
Q

Question

Which malware executes arbitrary code and installs copies of itself in the memory of the infected computer? The main purpose of this malware is to automatically replicate from system to system across the network.

A

Worm

31
Q

Question

Which malware is a non-self-replicating type of malware? It often contains malicious code that is designed to look like something else, such as a legitimate application or file. It attacks the device from within.

A

Trojan Horse

32
Q

Question

Which malware is used to gather information about a user and then, without the user’s consent, sends the information to another entity?

A

Spyware

33
Q

Question

Which malware typically displays annoying pop-ups to generate revenue for its author?

A

Adware

34
Q

Question

Which malware is installed on a compromised system and provides privileged access to the threat actor?

A

Rootkit

35
Q

Question

Which malware denies access to the infected computer system and demands payment before the restriction is removed?

A

Ransomware

36
Q

Question

What three types of attacks are networks susceptible to?

A
  • Reconnaissance Attacks
  • Access Attacks
  • Denial of Service (DoS) Attacks
37
Q

Question

What is a Reconnaissance Attack?
What may be gained by carrying it out?

A

An attack designed to gather information.

Carried out to gain:
* Details on an organisation and its employees.
* Active IP addresses.
* Available ports.
* Vulnerable services.
* Vulnerabilities in the applications and operating systems in use.

38
Q

Question

What is an Access Attack?
What may be gained by carrying it out?

A

An attack designed to gain entry to accounts, databases and sensitive information.
Carried out to gain:
* Data that can be exfiltrated.
* Further access to ensure a foothold.
* Escalated access privileges, up to administrator accounts.

39
Q

Describe the Access Attack

Password Attack

A

Attempting to discover passwords using methods like Brute Force Attack (BFA) or Dictionary Attack.

40
Q

Describe the Access Attack

Spoofing Attack

A

Attempting to pose as another device by falsifying data, such as MAC spoofing or DHCP spoofing.

41
Q

Describe the Access Attack

Trust Exploitation

A

Using unauthorised privileges on one system to gain access to a different system:
* System A trusts System B.
* Attack System B to gain access to it.
* Use System B to gain access to System A.

Exploits permissions, rather than bypassing firewalls as Port Redirection does.

42
Q

Describe the Access Attack

Port Redirection

A

Using a compromised system’s ports to redirect data, often to bypass firewall restrictions.
* The attacker sets up SSH (port 22) to Server A so that it directs traffic arriving on an external web traffic port (port 8080) to a sensitive port (port 80) on internal Server B.
* Normally any traffic sent from an external source to Server B on port 80 would be blocked by the firewall, but because it arrives on port 8080 of a trusted server, it is permitted.

Bypasses the firewall, rather than exploiting permissions as Trust Exploitation does.

43
Q

Describe the Access Attack

Man-in-the-Middle Attack

(MitM)

A

Positioning yourself between two legitimate entities to read or modify data that passes between them.

44
Q

Describe the Access Attack

Buffer Overflow Attack

A

Exploiting buffer memory by overwhelming it with unexpected values or quantities of data. Usually renders the system inoperable (DoS).

45
Q

Question

What is a Social Engineering Attack?
What may be gained by carrying it out?

A

A type of access attack, designed to manipulate individuals into performing actions or divulging confidential information.
May gain:
* Personal data on an individual
* Account information
* Security system information
* A foothold for further attacks

46
Q

Describe the Social Engineering Attack

Pretexting

A

Pretending to need personal or financial information to confirm the identity of a target.

47
Q

Describe the Social Engineering Attack

Phishing

A

Sending fraudulent emails designed to appear legitimate from a trusted source. Designed to trick recipients into clicking links, opening attachments, or replying with confidential information.

48
Q

Describe the Social Engineering Attack

Spear Phishing

A

Phishing that targets specific individuals or organisations.

49
Q

Describe the Social Engineering Attack

Spam

A

Unsolicited junk mail, sent either to advertise or to carry harmful links or malware.

50
Q

Describe the Social Engineering Attack

Something for Something

“Quid pro quo”

A

Requesting confidential information in exchange for a gift.

51
Q

Describe the Social Engineering Attack

Baiting

A

Leaving a malware-infected device, such as a USB drive, in a public location. Victims who find the drive may then insert it into their device and infect their computer.

52
Q

Describe the Social Engineering Attack

Impersonation

A

Pretending to be someone you are not in order to gain the trust of a victim.

53
Q

Describe the Social Engineering Attack

Tailgating

A

Following an authorised person into a secure location, to avoid authorisation checks.

54
Q

Describe the Social Engineering Attack

Shoulder surfing

A

Looking over someone’s shoulder to steal their password or confidential information as it is entered or displayed.

55
Q

Describe the Social Engineering Attack

Dumpster diving

A

Rummaging through bins or waste to discover confidential information, often to carry out identity theft or to steal financial information.

56
Q

Question

Name some Social Engineering Protection Practices

8 listed

A
  1. Never give your login details to anyone.
  2. Never leave your login details where they can easily be found.
  3. Never open email links or attachments from untrusted sources.
  4. Never release confidential work related information on social media sites.
  5. Never re-use work related passwords.
  6. Always lock or sign out of your unattended computer.
  7. Always report suspicious individuals and activity.
  8. Always destroy confidential information, according to your organisations policies.
57
Q

Question

What is a Denial of Service Attack?
What is different about a Distributed Denial of Service attack?
What may be gained by carrying it out?

DoS and DDoS

A

An attack that creates interruption in network services. Typically achieved by sending an overwhelming quantity of traffic, but can also be achieved by using maliciously formatted packets.

DDoS attacks are similar, but are carried out from multiple, coordinated sources.

May gain:
* Interruption of services to users, devices or applications.
* Social prestige / fame.
* Bring attention to political issues (hacktivism).

58
Q

Describe the DDoS term

Zombie

A

An infected host that is part of a network controlled by a threat actor. Often self-propagating, zombies are used to coordinate a Distributed Denial of Service (DDoS) attack.

59
Q

Describe the DDoS term

Command and Control System

CnC

A

A system that sends control messages to zombies.

60
Q

Describe the DDoS term

Botnet

A

A collection of zombies.

61
Q

Question

What type of attack is tailgating?

A

Social Engineering Attack

62
Q

Question

What type of attack is a password attack?

A

Access Attack

63
Q

Question

What type of attack is port scanning?

A

Reconnaissance Attack

64
Q

Question

What type of attack is man-in-the-middle?

A

Access Attack

65
Q

Question

What type of attack is address spoofing?

A

Access Attack

66
Q

Describe the IP Attack

ICMP Attack

A

Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a network, generate a DoS flood attack, or alter host routing tables.

67
Q

Describe the IP Attack

Amplification and Reflection Attacks

A

Threat actors attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks.

68
Q

Describe the IP Attack

Address Spoofing Attacks

A

Threat actors spoof the source IP address in an IP packet to perform blind or non-blind spoofing.

69
Q

Describe the IP Attack

Man-in-the-Middle Attack

(MitM)

A

Threat actors position themselves between a source and a destination to transparently monitor, capture, and control the communication. They could eavesdrop by inspecting captured packets, or alter packets and forward them on to their original destination.

70
Q

Describe the IP Attack

Session hijacking

A

Threat actors gain access to the physical network, and then use a MITM attack to hijack a session.

71
Q

Question

What do IPv4 and IPv6 not do that can be exploited by threat actors?

A

Validate that the source address of the sender is legitimate.

72
Q

Question

What should be put in place to reduce the effectiveness of ICMP attacks?
What can be put in place to detect them?

A

Strict ICMP ACLs should filter traffic at the network edge to avoid ICMP probing from the internet or untrusted devices.

Security logging can be used to identify ICMP attacks, and security devices like firewalls and Intrusion Detection Systems (IDS) can detect them and generate alerts.

73
Q

Describe the ICMP Message type

ICMP Echo Request / Echo Reply

A

Used to perform host verification and DoS attacks.

74
Q

Describe the ICMP Message type

ICMP Unreachable

A

Used to perform network reconnaissance and scanning attacks.

75
Q

Describe the ICMP Message type

ICMP Mask Reply

A

Used to map an internal IP network by sending a broadcast that other devices answer with the network’s subnet mask. Largely superseded by DHCP, which provides the same information.

76
Q

Describe the ICMP Message type

ICMP Redirects

A

Used to lure a target host into sending all traffic through a compromised device and create a MITM attack.

77
Q

Describe the ICMP Message type

ICMP Router Discovery

A

Responds with information about routers in use on the network. May be used by threat actors to inject bogus route entries into the routing table of a target host.

78
Q

Question

What is an Amplification and Reflection Attack?
What may be gained by carrying it out?

A

The threat actor forwards ICMP echo request messages to many hosts. These messages have a modified source IP address matching the victim’s.
May gain:
* All the hosts reply to the victim, unwittingly carrying out a DDoS attack.

Newer amplification attacks may use DNS- or Network Time Protocol (NTP)-based techniques.

79
Q

Question

What is a Non-Blind Address Spoofing Attack?
What may be gained by carrying it out?

A

Changing the Source IP Address of packets, when the threat actor CAN see the traffic sent between the host and the target.
May gain:
* Authorisation to a session
* Firewall state
* Sequence-number prediction

80
Q

Question

What is a Blind Address Spoofing Attack?
What may be gained by carrying it out?

A

Changing the Source IP Address of packets, when the threat actor CAN NOT see the traffic sent between the host and the target.
May gain:
* Denial of Service attack (DoS)

81
Q

Question

What is MAC Address Spoofing?
What may be gained by carrying it out?

A

Changing your device’s MAC address to match a target’s.
May gain:
* An updated CAM table entry on a switch, so that the switch treats the threat actor’s port as the new port for the target.

82
Q

Question

Which attack is being used when threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication?

A

Man-in-the-Middle Attack

MITM

83
Q

Question

Which attack is being used when threat actors gain access to the physical network, and then use a MITM attack to capture and manipulate a legitimate user’s traffic?

A

Session Hijacking

84
Q

Question

Which attack is being used when threat actors initiate a simultaneous, coordinated attack from multiple source machines?

It results in a DDoS but this is the specific attack technique name…

A

Amplification and Reflection Attack

85
Q

Question

Which attack is being used when threat actors use pings to discover subnets and hosts on a protected network, to generate flood attacks, and to alter host routing tables?

A

ICMP Attack

86
Q

Question

Which attack is being used when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user?

A

Address Spoofing Attack

87
Q

Question

What are the six control bits of the TCP segment?

URG, ACK, PSH, RST, SYN and FIN

A
  1. URG - Urgent pointer field significant
  2. ACK - Acknowledgement field significant
  3. PSH - Push function
  4. RST - Reset the connection
  5. SYN - Synchronise sequence numbers
  6. FIN - No more data from sender
88
Q

What is a UDP Flood Attack?

Name some tools that can cause UDP Flood Attacks

A

A threat actor uses a tool that sweeps through a network trying to find closed ports. It sends UDP packets to them, which makes the host reply with an “ICMP Port Unreachable” message, creating a lot of traffic on the segment and a DoS attack.

UDP Unicorn, Low Orbit Ion Cannon (LOIC)

89
Q

Question

Which attack exploits the three-way handshake?

A

TCP SYN Flood Attack

90
Q

Question

Two hosts have established a TCP connection and are exchanging data. A threat actor sends a TCP segment with the RST bit set to both hosts informing them to immediately stop using the TCP connection. Which attack is this?

A

TCP Reset Attack

91
Q

Question

Which attack is being used when the threat actor spoofs the IP address of one host, predicts the next sequence number, and sends an ACK to the other host?

A

TCP Session Hijacking

92
Q

Question

A program sends a flood of UDP packets from a spoofed host to a server on the subnet sweeping through all the known UDP ports looking for closed ports. This will cause the server to reply with an ICMP port unreachable message. Which attack is this?

A

UDP Flood Attack

93
Q

Describe the IP Service attack

What is ARP Cache Poisoning?
What may be gained by carrying it out?

A

ARP is used to identify devices on the subnet and associate them with an IP address. By sending ‘spoofed gratuitous ARP replies’ a threat actor can pretend to be the default gateway.
May gain:
* Implement a Man-in-the-Middle attack.
* Steal confidential information.
* Modify data in transit.
* Inject malicious data.

94
Q

Question

Name 4 different types of DNS Attacks

A
  1. DNS Open Resolver Attacks
  2. DNS Stealth Attacks
  3. DNS Domain Shadowing Attacks
  4. DNS Tunneling Attacks
95
Q

Describe the DNS Attack type

DNS Open Resolver Attack

Name some techniques

A

Public DNS servers like Google DNS 8.8.8.8 respond to any queries.
This can be manipulated via the following techniques:
* DNS Cache Poisoning - To spoof Resource Record (RR) information to redirect users from legitimate sites to malicious ones.
* DNS Amplification and Redirection Attacks - Threat actors send messages to an open resolver using the IP address of a target host, flooding it with responses.
* DNS Resource Utilisation Attacks - DoS attacking the open resolver to consume its resources and impact any device that relies upon it.

96
Q

Describe the DNS Attack type

DNS Stealth Attacks

A

Changing your DNS information or rapidly generating domains to hide a threat actor’s identity for malicious use.

97
Q

Describe the DNS Attack type

DNS Domain Shadowing Attacks

A

Gathering domain account credentials to silently create multiple sub-domains to be used during attacks, without alerting the domain owner.

For example, if access is gained to cisco.com and the threat actor creates subdomains like emails.microsoft.com and recovery.cisco.com, they legitimise malicious uses of those domains.

98
Q

Name 3 different types of DHCP Attack

Think about what information DHCP provides

A
  1. Wrong default gateway
  2. Wrong DNS server
  3. Wrong IP address
99
Q

Describe the DHCP Attack type

Wrong Default Gateway
What might be gained by carrying it out?

A

Either redirects external network traffic to a non-existent IP, or to the IP address of the threat actor’s host.
* A non-existent gateway leads to a DoS attack.
* The threat actor’s host as gateway leads to a MITM attack.

100
Q

Describe the DHCP Attack type

Wrong DNS Server
What might be gained by carrying it out?

A

The threat actor points clients at their own DNS server.
* They can redirect traffic to their own malicious copies of websites.

101
Q

Describe the DHCP Attack type

Wrong IP Address
What might be gained by carrying it out?

A

The threat actor serves clients with incorrect IP addresses.
* Creates a Denial of Service (DoS) attack.

102
Q

Question

What are the 3 parts of the CIA Triad?

A
  • Confidentiality
  • Integrity
  • Availability
103
Q

Describe

What is Confidentiality?
How may it be achieved?

A

Ensuring that only authorised individuals, entities, or processes can access sensitive information.
* Typically achieved by permissions and encryption.

104
Q

Describe

What is Integrity?
How may it be achieved?

A

Integrity is ensuring that data is protected from unauthorised alterations.
* Typically achieved by hashing algorithms, such as SHA.

105
Q

Describe

What is Availability?
How may it be achieved?

A

Authorised users have uninterrupted access to resources.
* Typically achieved by implementing redundancy - redundant internet lines, routers, switches, servers and so forth.

106
Q

Describe

What is the Defence-in-Depth Approach?
What sort of systems are used to implement it?

A

A layered approach to security, requiring a combination of networking devices and services working together. These devices must be ‘hardened’ against access and tampering.
* VPN - To provide remote access via secure encrypted tunnels.
* Firewall - Stateful awareness of traffic, to direct and block traffic.
* IDS/IPS - Intrusion Detection/Prevention Systems monitor traffic looking for malware, attack signatures etc., often raising alerts or automatically blocking them.
* Email Security Appliance - Checking and blocking of malicious emails.
* Web Security Appliance - Checking and blocking of malicious websites.
* AAA Servers - Servers that ensure Authentication, Authorisation and Accounting. RADIUS, Network Policy Server, Active Directory etc.
* Secure network links - Ensuring that data in transit is also secure, especially to external sources.

107
Q

Describe the Network Security device

What is a Firewall?
What are the benefits of a firewall?
What are some limitations of firewalls?

A

A firewall is a network security device that permits certain traffic while denying others.

Benefits:
* Resistant to network attacks.
* Protect the flow of traffic between internal networks and other internal or external networks.
* Enforce access control policy.

Limitations:
* May become a single point of failure for the network.
* Complex to configure, often leading to insecure configurations for convenience.
* Can slow network performance.
* Users might take riskier behaviours to avoid the firewall’s restrictions.
* Unauthorised traffic may still be hidden or tunnelled, appearing legitimate.

108
Q

Describe the Network Security device

What are an IDS and an IPS?
How do they differ?

A

Intrusion Detection Systems and Intrusion Prevention Systems use sensors to inspect network traffic and match it against known malicious packet signatures, to stop threats.

  • IDS are passive and simply detect and alert on threats.
  • IPS are active and alter network traffic to respond to threats, such as dropping packets or blocking hosts.
109
Q

Describe the Network Security device

What are Content Security Appliances?

List some examples

A

Network security devices that give fine-grained control over specific network activities.
* ESA - Email Security Appliance that monitors for email-based threats.
* WSA - Web Security Appliance that monitors for web-based threats.

110
Q

Question

Which network security device ensures that internal traffic can go out and come back, but external traffic cannot initiate connections to inside hosts?

A

Firewall

111
Q

Question

Which network security device contains a secure database of who is authorized to access and manage network devices?

A

AAA Server

Authorisation, Authentication, and Auditing

112
Q

Question

Which network security device filters known and suspicious internet malware sites?

A

WSA, a type of CSA

Web Security Appliance, a type of Content Security Appliance

113
Q

Question

Which network security device is used to provide secure services with corporate sites and remote access support for remote users using secure encrypted tunnels?

A

VPN

Virtual Private Network

114
Q

Question

Which network security device monitors incoming and outgoing traffic looking for malware, network attack signatures, and if it recognizes a threat, it can immediately stop it?

A

IPS

Intrusion Prevention System

115
Q

Question

What are the 4 elements of secure communications?

A
  1. Data Integrity
  2. Origin Authentication
  3. Data Confidentiality
  4. Data Non-Repudiation
116
Q

Describe the element of Secure Communications

What is Data Integrity?

Name some methods

A

Guarantees that the message was not altered. Any change to the data changes its hash value compared with that of a ‘known good’ copy.

SHA, MD5

117
Q

Describe the element of Secure Communications

Origin Authentication

Name some methods

A

Guarantees that the message is not a forgery and comes from whom it states.

HMAC, Digital Signatures, TLS/SSL certificates, Kerberos, IPSec, DMARC

118
Q

Describe the element of Secure Communications

Data Confidentiality

Name some methods

A

Guarantees that only authorised parties can read the message; without the key, an intercepted ciphertext cannot be deciphered in any practical amount of time.

AES (symmetric encryption algorithm), RSA (asymmetric encryption algorithm)

119
Q

Describe the element of Secure Communications

Data Non-Repudiation

Name some methods

A

Guarantees that the sender cannot repudiate (refute) the validity of the sent message.

Digital Signatures, PKI, Timestamping, Audit trails

120
Q

Question

Why is Data Hashing vulnerable to MITM attacks?

(Man-in-the-Middle)

A

Because without Origin Authentication a threat actor can intercept the data, change it and generate a new hash which matches the changes.

121
Q

How does HMAC provide Origin Authentication?

(Keyed-Hash Message Authentication Code)

A

It adds a secret key, known only to the authorised entities, to the hashing process. Without that key a threat actor cannot produce a MAC that will verify, so a modified message is detected. The key should be a random value shared securely in advance (not a user password), and the receiver should compare tags with a constant-time comparison.
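A worked example of cards 120 and 121, added here and not taken from the course: a plain SHA-256 integrity check that a man-in-the-middle defeats by re-hashing, beside an HMAC-SHA256 check the attacker cannot forge without the key. The message bytes, the key and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample traffic: a transfer instruction crossing an untrusted network.
ORIGINAL_MESSAGE = b"transfer 100 GBP to account 12345"
TAMPERED_MESSAGE = b"transfer 100 GBP to account 99999"


def sha256_hex(data: bytes) -> str:
    """Plain, unkeyed hash: anyone, including the attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def attacker_rehash(tampered: bytes):
    """MITM step: change the data, then compute a fresh hash that matches the
    change. No secret is needed, so the receiver's hash comparison passes."""
    return tampered, sha256_hex(tampered)


def receiver_checks_plain_hash(message: bytes, digest: str) -> bool:
    """Integrity only: recompute the hash and compare."""
    return hmac.compare_digest(sha256_hex(message), digest)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC): only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_checks_hmac(key: bytes, message: bytes, tag: str) -> bool:
    """Integrity plus origin authentication. compare_digest runs in constant
    time so the comparison does not leak the tag through timing."""
    return hmac.compare_digest(hmac_sha256_hex(key, message), tag)


def demo_plain_hash_attack() -> bool:
    """True if the receiver accepts the tampered message (attack succeeds)."""
    sent_digest = sha256_hex(ORIGINAL_MESSAGE)            # sender's check
    msg, sent_digest = attacker_rehash(TAMPERED_MESSAGE)  # MITM rewrites both
    return receiver_checks_plain_hash(msg, sent_digest)


def demo_hmac_attack(key: bytes) -> bool:
    """True if the receiver accepts the tampered message (attack succeeds)."""
    genuine_tag = hmac_sha256_hex(key, ORIGINAL_MESSAGE)
    # The attacker can rewrite the message but does not hold `key`, so the best
    # it can do is replay the genuine tag or attach an unkeyed hash.
    forged_tag = sha256_hex(TAMPERED_MESSAGE)
    return (receiver_checks_hmac(key, TAMPERED_MESSAGE, genuine_tag)
            or receiver_checks_hmac(key, TAMPERED_MESSAGE, forged_tag))


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # random key agreed out of band
    print("plain hash accepts tampered message:", demo_plain_hash_attack())
    print("HMAC accepts tampered message:", demo_hmac_attack(shared_key))
```

The plain-hash receiver accepts the altered transfer because the attacker replaced the hash along with the data; the HMAC receiver rejects it because neither the replayed tag nor a freshly computed hash verifies under the key.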

122
Q

Question

What are some differences between Symmetric Encryption and Asymmetric Encryption?

Why might you use one over the other?

A

Symmetric encryption uses the same key to both encrypt and decrypt data.
Asymmetric encryption uses a different key to encrypt the data (public key) than it does to decrypt it (private key).

Symmetric encryption is much faster, so it is used for bulk data such as VPN tunnels. Asymmetric encryption is slower and needs much longer keys for comparable strength (a 2048-bit RSA key is roughly equivalent to a 112-bit symmetric key), but its public key can be shared with anyone, which solves the key-distribution problem. In practice the two are combined: asymmetric methods (RSA, DH) establish a symmetric session key, and AES protects the traffic.

123
Q

Describe the Symmetric Encryption method

Block Ciphers

List some Block Ciphers

A

Encrypt data in fixed-size blocks, usually 64-bit or 128-bit.

AES, 3DES

123
Q

Describe the Symmetric Encryption method

Stream Ciphers

List some Stream Ciphers

A

Encrypts data one bit or byte at a time in a continuous string.

ChaCha20, RC4 (deprecated)

124
Q

Describe the Asymmetric Encryption method

Diffie-Hellman

(DH)

Where is DH commonly used?

A

Allows two parties to derive an identical shared key without having communicated before, and without ever sending the key itself over the channel.

  1. Alice and Bob publicly declare an ‘Agreed Number = 10’
  2. Alice adds her own secret number 3 to it and gets ‘Public Number = 13’
  3. Bob adds his own secret number 8 to it and gets ‘Public Number = 18’
  4. Both share their public numbers.
  5. Alice adds her secret number to Bob’s Public Number ‘3 + 18 = 21’
  6. Bob adds his secret number to Alice’s Public Number ‘8 + 13 = 21’
  7. Both have the same Shared Secret number of 21.

In reality the maths is way more complicated! Real DH uses modular exponentiation, where combining the values is easy but recovering a secret exponent from a public value is not.

IPsec VPN, TLS VPN, SSH
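An added example, not from the course, of the actual Diffie-Hellman exchange behind card 124 using modular exponentiation, with a one-line check of why the card's additive illustration would not survive an eavesdropper. The prime 2**127 - 1 and generator 5 are toy parameters chosen for readability, and all function names are assumed for this example.

```python
import hashlib
import secrets

# Toy group: 2**127 - 1 is prime, which is enough to show the mechanics.
# Real deployments use a standardised group (RFC 7919 ffdhe2048 or larger)
# or elliptic-curve DH such as X25519; never invent your own small prime.
P = 2**127 - 1
G = 5


def dh_private_key(p: int = P) -> int:
    """Random secret exponent in [2, p-2]; never leaves the host."""
    return 2 + secrets.randbelow(p - 3)


def dh_public_key(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p; safe to send in the clear."""
    return pow(g, private, p)


def dh_shared_secret(private: int, peer_public: int, p: int = P) -> int:
    """peer_public^private mod p; both sides arrive at the same number."""
    if not 1 < peer_public < p - 1:      # reject degenerate values 0, 1, p-1
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def derive_key(shared: int) -> bytes:
    """Hash the shared secret down to a 256-bit symmetric key (e.g. for AES)."""
    length = (shared.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(length, "big")).digest()


def dh_exchange():
    """Runs one exchange; returns (alice_key, bob_key, what_eve_sees)."""
    a = dh_private_key()
    b = dh_private_key()
    A = dh_public_key(a)   # Alice -> Bob over the network
    B = dh_public_key(b)   # Bob -> Alice over the network
    alice_key = derive_key(dh_shared_secret(a, B))
    bob_key = derive_key(dh_shared_secret(b, A))
    eve_sees = {"p": P, "g": G, "A": A, "B": B}   # the secrets a, b are never sent
    return alice_key, bob_key, eve_sees


def toy_additive_is_broken(agreed: int, alice_public: int) -> int:
    """The card's 'add your secret number' picture fails: from the two public
    values alone Eve recovers Alice's secret with a single subtraction."""
    return alice_public - agreed


if __name__ == "__main__":
    ka, kb, seen = dh_exchange()
    print("keys match:", ka == kb, "key bytes:", len(ka))
    print("Eve recovers the toy secret 3 from 10 and 13:",
          toy_additive_is_broken(10, 13))
```

DH gives key agreement, not origin authentication: if the public values A and B are not authenticated (certificates in TLS, host keys in SSH, PSKs or certificates in IPsec), an attacker in the path can run a separate exchange with each side, which is the man-in-the-middle attack of card 6.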

125
Q

Question

Which encryption method repeats an algorithm process three times and is considered very trustworthy when implemented using very short key lifetimes?

A

Triple DES (3DES)

3DES is now deprecated: NIST has retired it for new use, and its 64-bit block size makes long sessions vulnerable to birthday attacks (Sweet32). AES is the replacement.

126
Q

Question

Which encryption method encrypts plaintext one byte or one bit at a time?

A

Stream Cipher

127
Q

Question

Which encryption method uses the same key to encrypt and decrypt data?

A

Symmetric Encryption

128
Q

Question

Which encryption method is a stream cipher and is used to secure web traffic in SSL and TLS?

A

Rivest Cipher 4 (RC4)

RC4 is deprecated (RFC 7465 prohibits it in TLS) and has been replaced by AEAD cipher suites such as AES-GCM and ChaCha20-Poly1305.

129
Q

Question

The IT department is reporting that a company web server is receiving an abnormally high number of web page requests from different locations simultaneously. Which type of security attack is occurring?

A

DDoS Attack

Distributed Denial of Service

130
Q

Question

What causes a buffer overflow?

A

Attempting to write more data to a memory location than it can hold.

131
Q

Question

Which objective of secure communications is achieved by encrypting data?

A

Confidentiality

132
Q

Question

What type of malware has the primary objective of spreading across the network?

A

Worm

133
Q

Question

What three items are components of the CIA triad?

A
  1. Confidentiality
  2. Integrity
  3. Availability
134
Q

Question

Which cyber attack involves a coordinated attack from a botnet of zombie computers?

A

DDoS Attack

135
Q

Question

What specialized network device is responsible for enforcing access control policies between networks?

A

Firewall

136
Q

Question

To which category of security attacks does man-in-the-middle belong?

A

Access Attack

137
Q

Question

What is the role of an IPS?

A

To detect patterns of malicious traffic by the use of signature files.

138
Q

Question

Which type of DNS attack involves the cybercriminal compromising a parent domain and creating multiple subdomains to be used during the attacks?

A

DNS Shadowing Attack

139
Q

Question

Which two types of hackers are typically classified as grey hat hackers?

A
  1. Hacktivists
  2. Vulnerability brokers
140
Q

Question

What is a significant characteristic of virus malware?

A

A virus is triggered by an event on the host system

141
Q

Question

A cleaner attempts to enter a computer lab but is denied entry by the receptionist because there is no scheduled cleaning for that day. What type of attack was just prevented?

A

Social Engineering Attack