Quiz Questions from Lessons Flashcards
Subnet Spoofing
Generate random addresses within
a given address space.
Random Spoofing
Generate 32-bit numbers and stamp
packets with them.
Fixed Spoofing
The spoofed address is the address
of the target (as used in reflector attacks).
Server Application DOS attack
The attack targets a specific
application on a server.
Network Access DOS attack
The attack is used to overload or
crash the communication mechanism of a
network.
Infrastructure DOS attack
The target of this attack is a
crucial service of global Internet
operation, for example a core router.
Random Scanning
Each compromised computer probes
random addresses
Permutation Scanning
All compromised computers share a
common pseudo-random permutation of the
IP address space.
Signpost Scanning
Uses the communication patterns of the
compromised computer to find new targets.
Hitlist Scanning
A portion of a list of targets is supplied to
a compromised computer.
Which of these are reasons why the UDP-based NTP
protocol is particularly vulnerable to amplification attacks?
A small command can generate a large response.
Vulnerable to source IP spoofing.
It is difficult to ensure computers communicate only with legitimate NTP servers.
With SYN cookies, the server must reject all TCP options because the server discards the SYN queue entry (the only place those options could have been kept). T or F?
True
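Why the options are lost becomes obvious once the cookie layout is written out. The following is an added example (not code from the lesson or from any real TCP stack) of a SYN cookie built in the Linux style: 5 bits of time counter, 3 bits of MSS index and a 24-bit keyed hash over the connection 4-tuple, all packed into the 32-bit initial sequence number. The secret key, the MSS table, the 64-second time granularity and the addresses in the demo are assumptions for illustration.

```python
import hashlib
import hmac

# Assumed server-side secret; a real implementation rotates it periodically.
SECRET = b"syn-cookie-server-secret"

# Only a few MSS values can be encoded (3 bits). Every other option the client
# offered (SACK, window scaling, timestamps) has nowhere to live once the SYN
# queue entry is discarded, which is why those options must be rejected.
MSS_TABLE = [536, 1300, 1440, 1460]


def _mac(src_ip, dst_ip, src_port, dst_port, t):
    """24-bit keyed hash over the 4-tuple and the 5-bit time counter."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_mss, now):
    """Build the 32-bit ISN sent in the SYN-ACK; nothing is stored server-side.
    Layout: 5 bits time counter | 3 bits MSS index | 24 bits MAC."""
    t = (now // 64) % 32
    m = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= client_mss:
            m = i  # largest table entry not above the MSS the client offered
    return (t << 27) | (m << 24) | _mac(src_ip, dst_ip, src_port, dst_port, t)


def check_syn_cookie(src_ip, dst_ip, src_port, dst_port, ack, now):
    """Validate the client's ACK (cookie + 1). Returns the recovered MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    m = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    cur = (now // 64) % 32
    if (cur - t) % 32 > 1:  # accept only the current or the previous 64 s window
        return None
    expected = _mac(src_ip, dst_ip, src_port, dst_port, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    if m >= len(MSS_TABLE):
        return None
    return MSS_TABLE[m]


if __name__ == "__main__":
    # Constructed demo: a client offering MSS 1400 gets 1300 back, the nearest
    # encodable value; nothing else it negotiated survives the round trip.
    c = make_syn_cookie("203.0.113.5", "198.51.100.9", 40000, 80, 1400, now=1000)
    print(check_syn_cookie("203.0.113.5", "198.51.100.9", 40000, 80, c + 1, now=1000))
```

The server never keeps a queue entry: everything it needs to finish the handshake is recomputed from the ACK, the 4-tuple and the secret. That is also the cost of the scheme: a cookie from a different client port, a stale time window, or a replayed ACK with a modified MSS field is simply rejected, and a client whose MSS is not in the table silently gets a smaller one.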
With regards to a UDP flood attack, which of the
following statements are true:
Attackers can spoof the IP address of their UDP packets
Firewalls cannot stop a flood because the firewall is
susceptible to flooding.
Client puzzles should be stateless
True
Puzzle complexity should increase as the strength of the
attack increases.
True
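Both client-puzzle properties above (stateless, difficulty that scales with the attack) can be shown in one small protocol. This is an added example in Python, not code from the lesson; the hash-puzzle construction (find x such that SHA-256(nonce, x) has k leading zero bits, with the nonce derived by HMAC from the client address, a time slot and k) is a standard one, and the server key, 30-second slot length, and the load-to-difficulty policy are assumptions.

```python
import hashlib
import hmac

SECRET = b"puzzle-server-secret"  # assumed server-side key; never sent to clients
SLOT_SECONDS = 30                 # a puzzle is valid in the slot it was issued and the next


def difficulty_for_load(load):
    """Map observed load (requests relative to capacity, 1.0 = saturated) to the
    number of leading zero bits a solution must have. Assumed policy: one extra
    bit per doubling of excess load, capped so honest clients are not locked out."""
    k = 0
    while load > 1 and k < 20:
        load /= 2
        k += 1
    return k


def _nonce(client_ip, slot, k):
    msg = f"{client_ip}|{slot}|{k}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def issue_puzzle(client_ip, now, load):
    """Server side: returns (nonce, k). Nothing is stored; the nonce can be
    recomputed later from the client's IP, the time slot and the difficulty."""
    k = difficulty_for_load(load)
    return _nonce(client_ip, now // SLOT_SECONDS, k), k


def _solves(nonce, k, x):
    digest = hashlib.sha256(f"{nonce}|{x}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - k) == 0  # k == 0: anything solves


def solve_puzzle(nonce, k):
    """Client side: brute-force search, about 2**k hash evaluations on average."""
    x = 0
    while not _solves(nonce, k, x):
        x += 1
    return x


def verify_solution(client_ip, now, nonce, k, x):
    """Server side: recompute the nonce for the current or previous slot instead
    of looking it up in a table, then check the solution. Because k is bound into
    the nonce, a client cannot present a solution for a lower difficulty."""
    slot = now // SLOT_SECONDS
    for s in (slot, slot - 1):
        if hmac.compare_digest(_nonce(client_ip, s, k), nonce):
            return _solves(nonce, k, x)
    return False


if __name__ == "__main__":
    # Constructed exchange: a server under 8x its capacity hands out 3-bit puzzles.
    nonce, k = issue_puzzle("203.0.113.7", now=90_000, load=8)
    x = solve_puzzle(nonce, k)
    print(k, x, verify_solution("203.0.113.7", 90_000, nonce, k, x))
```

The one thing statelessness does not buy is replay protection: within a slot the same (nonce, x) pair verifies repeatedly, so a deployment still needs a short-lived cache of accepted solutions, sized to the slot length rather than to the number of clients.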
Which of the following are assumptions that can be
made about Traceback?
Attackers may work alone or in groups
Select all the statements that are true for edge
sampling:
Multiple attackers can be identified since edge identifies splits in reverse path
Requires space in the IP packet header
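The marking and reconstruction behind the two edge-sampling statements above, as an added Python simulation (not material from the lesson). It follows the edge-sampling scheme of Savage et al. in simplified form: routers are named strings and the (start, end, distance) mark is carried whole, whereas the real scheme compresses it into the 16-bit IP identification field, which is the "space in the IP packet header" the card refers to. Router names, attack paths, the sampling probability and packet counts are constructed.

```python
import random


def forward_packet(path, p, rng, forged=None):
    """Simulate one packet through `path` (router ids, attacker side first).
    With probability p a router starts a new edge (writes itself as start and
    resets the distance); otherwise it completes an edge whose distance is still
    0 and always increments the distance. `forged` is whatever mark the attacker
    put in the packet before sending it, if any."""
    start, end, dist = forged if forged else (None, None, 0)
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        else:
            if dist == 0:
                end = router
            dist += 1
    return start, end, dist


def reconstruct(marks, victim="V"):
    """Victim side: grow the attack tree outward from itself one hop at a time,
    accepting an edge start->end at distance d only if `end` is already in the
    tree at distance d-1. A split in the reverse path (two different `start`
    routers for one `end`) is how multiple attackers show up."""
    by_dist = {}
    for start, end, d in marks:
        if start is None:
            continue  # packet was never marked: carries no information
        by_dist.setdefault(d, set()).add((start, end if end is not None else victim))
    tree = {victim: set()}
    frontier = {victim}
    d = 0
    while d in by_dist and frontier:
        nxt = set()
        for start, end in by_dist[d]:
            if end in frontier:
                tree.setdefault(end, set()).add(start)
                tree.setdefault(start, set())
                nxt.add(start)
        frontier = nxt
        d += 1
    return tree


def simulate(attack_paths, packets_per_attacker=500, p=0.2, seed=1, forged=None):
    """Run every attacker's packets through its path and reconstruct at the victim."""
    rng = random.Random(seed)
    marks = []
    for path in attack_paths:
        for _ in range(packets_per_attacker):
            marks.append(forward_packet(path, p, rng, forged))
    return reconstruct(marks)


if __name__ == "__main__":
    # Constructed topology: two attackers whose paths merge at R3 -> R6 -> V.
    paths = [["R1", "R2", "R3", "R6"], ["R4", "R5", "R3", "R6"]]
    print(simulate(paths))
    print(simulate(paths, forged=("Z", "Q", 0)))
```

Two details worth noticing in the output: an edge d hops from the victim is sampled with probability p(1-p)^d per packet, so far edges need many packets, which is fine for a flood; and a mark forged by the attacker is overwritten or pushed to a distance beyond every real router, because each router increments the distance whether or not it marks. The attacker can therefore only add fake nodes behind its own first hop, never inside the genuine path.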
Self defense against reflector attacks should
incorporate:
Server redundancy - servers should be located in multiple networks and locations.
Traffic limiting - traffic from a name server should be limited
to reasonable thresholds.
Deep web
It is not indexed by standard search
engines
Dark web
Web content that exists on darknets
Surface web
Readily available to the public, and
searchable with standard search engines
Doorway pages
A webpage that lists many keywords, in
hopes of increasing search engine
ranking. Scripts on the page redirect to
the attackers page.
Crypters
A program that hides malicious code
from anti-virus software
Blackhat Search Engine Optimizer
It increases traffic to the attacker’s site
by manipulating search engines.
Trojan Download Manager
Software that allows an attacker to
update or install malware on a victim’s
computer.
What are the two defining characteristics of internet spam?
Inappropriate or irrelevant
Large number of recipients
Name the top three countries where spam-directed visitors
added items to their shopping cart:
United States
Canada
Philippines
Which events should trigger a penetration test?
Applications are added or modified
End user policies are changed
Security patches are installed
Infrastructure is added or modified
List the steps attackers used to breach RSA by way of a vulnerability in Adobe Flash:
Identify employees that are vulnerable
Craft an email subject line that entices an employee to open it
Hide an executable file in the email that will install onto the victim's computer when the email is opened
Flash or CD Autoplay Attack
A flash drive (or CD) is created that carries a program
that opens a connection to the exploit server.
Reverse Shell Applet Attack
A signed Java applet is sent to the user, if they
accept it, a shell is sent back to the exploit
server.
Click Logger Attack
Used to determine which users click on links in
emails
Download Connection Attack
An email contains an attachment. When the
attachment is downloaded a connection is made
to the exploit server.
In the pie chart from the lesson, what are the top three industries that were targets
of cyber attacks in 2016?
Defense contractor
Restaurant
Software
Tier One
A network that can reach every other network
through peering alone, buying no transit.
Tier Two
A network that peers for some of its network
access and purchases transit for the rest.
Tier Three
A network that purchases all of its transit from
other networks.
IP provides only best effort delivery, it is not
guaranteed.
True
Due to the connectionless nature of IP, data
corruption, packet loss, duplication, and
out-of-order delivery can occur.
True
Network layer controls can protect the data within the
packets as well as the IP information for each packet.
True
IP information cannot be protected by transport layer controls.
True
Address Resolution Protocol (ARP)
protocol designed to map IP network
addresses to the hardware addresses
used by a data link protocol
Open Shortest Path First (OSPF)
protocol uses a link state routing
algorithm and falls into the group of
interior routing protocols
Border Gateway Protocol (BGP)
protocol designed to exchange routing and reachability information among autonomous systems (AS)
Denial of Service
Create a false route or kill a legitimate one.
Sniffing
The attacker must control a device along
the victim’s communication path.
Routing to Endpoints in Malicious
Networks
The first step is to hijack traffic from a
legitimate host
Creating Route Instabilities
Not yet used by attackers because the damage
cannot be contained: it can blow back on the
attacker.
Revelation of Network Topologies
Unmasking the AS relationships by hacking
the routing table
Domain name
A name in the DNS format
DNS zone
A set of names under the same
authority (e.g., ".com")
Delegation
Transfer of authority for/to a subdomain
Changing a domain name into an IP address involves a large
number of steps. To save time, the records are <>
on a local server for reuse later
cached
Each record has a <> that states how long a record
can be kept for future use.
TTL
All domain names and IP addresses are stored at the
Central Registry.
True
It can take several days for information to propagate
to all DNS servers.
True
DNS rebinding: the attacker's server responds with a short-TTL
record. The attacker needs to register a domain and
delegate it to a server under his control. The attacker exploits the same-origin policy.
True
Using Components with Known Vulnerabilities
Uses unpatched third party components.
Missing Function Level Access Control
Privileged functionality is hidden rather than
enforced through access controls
Sensitive Data Exposure
Abuses lack of data encryption
Security Misconfiguration
Exploits misconfigured servers.
Insecure Direct Object References
Attackers modify an exposed reference (e.g., a file name)
to reach objects they should not be able to access.
Cross Site Scripting
Inserts JavaScript into trusted sites.
Broken Authentication and Session Management
Program flaws allow bypass of authentication
methods.
Injection
Modifies back-end statement through user input
Given the list of iframe sandbox attributes, which 2 should not be combined?
Put a check next to the 2 attributes that should not be combined in sandbox:
allow-same-origin
allow-scripts
(Together they let a same-origin framed page run script that removes its own sandbox attribute.)
CSP will allow third party widgets (e.g. Google
+1 button) to be embedded on your site.
True
If you have third party forum software that has
inline script, CSP cannot be used
false
CORS allows cross-domain communication from the browser
CORS requires coordination between the server and client
true
CORS is not widely supported by browsers
The CORS header can be used to secure resources on a
website
false
The token must be stored somewhere
Tokens expire, but there should still be mechanisms to
revoke them if necessary
true
Active session hijacking involves disconnecting the
user from the server once that user is logged on.
Social engineering is required to perform this
type of hijacking.
true
Select all of the items that can be encrypted by HTTPS
Request URL
Query parameters
Headers
Cookies
Which of the following are real disadvantages
to using HTTPS
You need to buy an SSL certificate
Mixed-content issue: loading insecure content on a
secure site
Proxy caching problems- public caching cannot occur
According to Wikipedia, which of these devices is a mobile device?
Smart phone held by person
Self Driving car
Robot
List the four areas of the C based toolchain where hardening
can occur
Configuration
Preprocessor
Compiler
Linker
A Botnet is a <> of bots controlled by a
<>.
It is a key platform for <> and other <>
exploits.
network
Bot Master
fraud
for-profit
More precisely, a coordinated group of malware
instances that are controlled via command and
control (C&C) channels. C&C architectures:
centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
attacker
true
Which of these behaviors are indicative of botnets?
Linking to an established C&C server
Generating Internet Relay Chat (IRC) traffic using a specific range of ports
Generating SMTP emails/traffic
Generating simultaneous identical DNS requests (this is suspicious)
What can botnets do to evade C-plane clustering?
Manipulate communication patterns.
Introduce noise (in the form of random packets) to reduce similarity
between C&C flows
What can botnets do to evade A-plane monitoring?
Perform slow spamming
Use undetectable activities (spam sent with Gmail, download exe
from HTTPS server)
Which of the information should be considered in order to identify the
source (perpetrator) of an APT attack?
Source IP address of TCP-based attack packets
Coding style of malware
Inclusion of special libraries with known authors
Motives of the attack
Language encoding
Footprinting (FP)
The attacker gathers information about a target.
The kind of information gathered is: DNS, email
servers, and the IP address range.
Scanning (S)
The attacker uses the internet to obtain information
on specific IP addresses. The kind of information
gathered is: O.S., services, and architecture of the
target system
Enumeration (E)
The attacker gathers information on network user
and group names, routing tables, and Simple
Network Management Protocol (SNMP) data.
Which protocol is used to break data into packets?
Which protocol reassembles the data packets?
TCP
Which protocol is used to move packets from router to
router?
IP
Why does ZMap find more hosts than Nmap?
Statelessness leads to both
higher performance and
increased coverage
With regards to computing, what is entropy?
Randomness for use in cryptography or other applications that
require random data.
What are the two sources of entropy?
Hardware sources and randomness generators
A lack of entropy will have a negative impact on performance
and security.
True
NoBL DNSBL level
This IP address does not send spam, and should not
be blacklisted. But it is not fully trustworthy.
Grey DNSBL level
This IP address is not directly involved in spamming
but is associated with spam-like behaviors
Yellow DNSBL level
This IP address is known to produce spam and nonspam
Match each threat with the kind of domain it typically relies on:
Botnets (B): C. Short-lived domains
Spyware (S): A. Anonymously registered domains
Adware (A): B. Disposable domains
List the types of characters a malicious domain name detection
program should look for in a domain name.
Number of characters
Number of hyphens
Number of digits
Match each feature family with its description:
Network-based features (N): C. Quantities such as the total number of
IPs historically associated with the domain, the diversity of their
geographical locations, the number of distinct autonomous systems, etc.
Zone-based features (Z): B. The average length of domain names,
the occurrence frequency of different characters, etc.
Evidence-based features (E): A. The number of distinct malware samples
that connected to any of the IPs.
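The lexical checks listed above (number of characters, hyphens, digits) and the zone-based features (average name length, character frequencies) are straightforward to compute; the following is an added Python example, not code from the lesson or from any detection system. The sample domain names are constructed (the `.example` TLD is reserved and never resolves), and the `suspicion_score` weighting is a toy heuristic stated as an assumption, not a trained model.

```python
import math
from collections import Counter


def shannon_entropy(s):
    """Bits of entropy per character of s; random-looking labels score higher."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def lexical_features(domain):
    """Per-domain lexical features: length, hyphens, digits, label count and the
    entropy of the second-level label."""
    name = domain.lower().rstrip(".")
    labels = name.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return {
        "length": len(name),
        "hyphens": name.count("-"),
        "digits": sum(ch.isdigit() for ch in name),
        "labels": len(labels),
        "sld_entropy": shannon_entropy(sld),
    }


def zone_features(domains):
    """Zone-based features over a set of names (e.g. all names seen resolving to
    one IP, or all names under one zone): average length and character frequencies."""
    names = [d.lower().rstrip(".") for d in domains]
    chars = Counter("".join(names))
    total = sum(chars.values())
    return {
        "avg_length": sum(len(n) for n in names) / len(names),
        "char_freq": {c: chars[c] / total for c in sorted(chars)},
    }


def suspicion_score(domain):
    """Toy heuristic (an assumption for this example): digits and hyphens in the
    name and a high-entropy second-level label each push the score up."""
    f = lexical_features(domain)
    return f["digits"] + 2 * f["hyphens"] + max(0.0, f["sld_entropy"] - 3.0) * 2


def rank(domains):
    """Most suspicious first."""
    return sorted(domains, key=suspicion_score, reverse=True)


# Constructed sample names; not observations from any dataset.
SAMPLE = ["www.example.com", "mail.example.com",
          "x7-q9-k2.example", "a9f3k2zq8w1l.example"]

if __name__ == "__main__":
    for d in rank(SAMPLE):
        print(f"{suspicion_score(d):5.2f}  {d}  {lexical_features(d)}")
    print(zone_features(SAMPLE)["avg_length"])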
A dynamic malware-related domain
detection system should
Have global visibility into DNS request and response
messages
Not require data from other networks
Be able to detect malware-related domains even if there is
no reputation data
A proven method to stop botnets requires isolating the C&C
domain from the botnet
true
Hash functions do not have a key
Hash functions are also called one-way encryption
Hash functions are primarily used for message integrity
True
The security of crypto currency ledgers depends on
a majority of its miners being honest.
True
With regards to Bitcoin, which of the following statements
are true?
Proof of work is costly and time consuming to
produce
Changing a block requires regenerating all
successors and redoing the work they contain.
With regards to Sybil attacks, check all true statements
The attacker creates a lot of fake identities and
uses them to change voting outcomes or control the
network
A Sybil attack is designed to attack reputation
systems in a peer-to-peer network
Sybil attack can be stopped if users are willing to
give up anonymity.
Two Merkle trees can be compared if they have the same
<>.
If two Merkle trees have the same root hashes, then their
data blocks can be considered to be <>.
In a bitcoin block, the <> is stored in the block
header.
hash depth
the same
Merkle root
True
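The three Merkle-tree facts above (equal depth is needed to compare, equal roots mean equal data, the root alone goes in the header) in working form, as an added Python example that is not from the lesson or from Bitcoin's code. It uses single SHA-256 where Bitcoin uses double SHA-256, keeps Bitcoin's convention of duplicating the last node of an odd level, and adds the inclusion proof a light client checks against the root in the header. The block contents are constructed.

```python
import hashlib


def _h(data: bytes) -> bytes:
    # Bitcoin applies SHA-256 twice here; single SHA-256 keeps the example short.
    return hashlib.sha256(data).digest()


def build_levels(blocks):
    """Return the tree as a list of levels, leaves first, root last. An odd level
    has its last node duplicated before pairing (Bitcoin's convention)."""
    level = [_h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(blocks) -> bytes:
    """The only value that needs to go into the block header."""
    return build_levels(blocks)[-1][0]


def depth(blocks) -> int:
    return len(build_levels(blocks)) - 1


def merkle_proof(blocks, index):
    """Sibling hashes from leaf `index` up to the root: what a light client needs
    to check one transaction against the header without the other blocks."""
    proof = []
    for level in build_levels(blocks)[:-1]:
        sibling = index ^ 1
        proof.append(level[sibling] if sibling < len(level) else level[index])
        index //= 2
    return proof


def verify_proof(block, index, proof, root) -> bool:
    cur = _h(block)
    for sibling in proof:
        cur = _h(cur + sibling) if index % 2 == 0 else _h(sibling + cur)
        index //= 2
    return cur == root


def differing_leaves(blocks_a, blocks_b):
    """Compare two trees of equal depth top-down, descending only into subtrees
    whose hashes differ. Equal roots mean no differences, without reading data."""
    la, lb = build_levels(blocks_a), build_levels(blocks_b)
    if len(la) != len(lb):
        raise ValueError("trees of different depth cannot be compared node by node")
    if la[-1][0] == lb[-1][0]:
        return []
    suspects = {0}
    for lvl in range(len(la) - 2, -1, -1):
        nxt = set()
        for i in suspects:
            for child in (2 * i, 2 * i + 1):
                ha = la[lvl][child] if child < len(la[lvl]) else None
                hb = lb[lvl][child] if child < len(lb[lvl]) else None
                if ha != hb:
                    nxt.add(child)
        suspects = nxt
    return sorted(suspects)


if __name__ == "__main__":
    # Constructed block contents standing in for transactions.
    txs = [b"tx0", b"tx1", b"tx2", b"tx3"]
    root = merkle_root(txs)
    print(root.hex(), depth(txs))
    print(verify_proof(b"tx2", 2, merkle_proof(txs, 2), root))
    print(differing_leaves(txs, [b"tx0", b"tx1", b"tampered", b"tx3"]))
```

The duplicate-last-node rule is worth remembering when validating: a leaf list and the same list with its last element repeated produce the same root, so a verifier must also check the transaction count rather than trust the root alone.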
A time-stamping service prevents people from
double spending Bitcoins
True
the main task is to find patterns, structures, or knowledge in
unlabeled data
Unsupervised
the task is to find a function or model that explains the data
Supervised
some of the data is labeled during acquisition
Semi-supervised
Select the true statements with regards to decision tree based
detection models:
Can supplement honeypot analysis
Can supplement penetration testing
Can detect previously unknown network anomalies
A polymorphic attack can change its appearance with
every instance.
A polymorphic attack has no predictable signature for
the attack.
True
Each instance of polymorphic code has different, but
normal, appearance.
false
Which of the following are true statements with regards to a
polymorphic blending attack?
The process should not result in an abnormally large
attack size
The blending needs to be economical in time and space
List the goals of a successful poison attack:
Is undetected
Continues for a period of time
Causes damage to data
If we can completely control the process of generating or
collecting the training data and ascertain the authenticity
and integrity of the dataset, we don’t have to worry
about data poisoning attacks
true
If the training data is obtained in an open environment,
e.g., the Web, there is always the potential of poisoning
attacks (i.e., such attacks can’t be eliminated)
true
List some of the characteristics that all four cloud models share:
Massive scale
Homogeneity
Virtualization
Resilient computing
Low cost software
Geographic distribution
Service orientation
Advanced security technologies
Broad network access
Rapid elasticity
Measured service
On-demand self-service
Resource pooling
True for cloud
Most data in transit is encrypted
true
Disconnect the VM from the internet when opening
questionable files.
true
Select the statements that are true with regards to ORAM
Client must have a private source of randomness
Each access to the remote storage must have a read
and a write
What is a major weakness of the Naive Secret Sharing scheme?
The major weakness of naive secret sharing is that the more shares
of the secret you hold, the less work you have to do to guess the
secret: each share leaks part of it.
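The weakness can be measured rather than stated. Below is an added Python example (not code from the lesson) that implements the naive scheme, where share i is simply byte i of the secret, next to n-of-n XOR sharing, where any n-1 shares are statistically independent of the secret. An attacker who can test a guess (here modelled as comparing against a hash of the secret, an assumption for the demo) needs only 256 guesses per missing byte under the naive scheme, but the full 256^len(secret) search under XOR sharing until the last share is in hand. The secret value is constructed.

```python
import hashlib
import secrets


def fingerprint(secret: bytes) -> bytes:
    """Stand-in for whatever lets the attacker recognise the right guess."""
    return hashlib.sha256(secret).digest()


def naive_split(secret: bytes):
    """Naive scheme: share i is just byte i of the secret."""
    return [bytes([b]) for b in secret]


def naive_join(shares):
    return b"".join(shares)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_join(shares):
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


def xor_split(secret: bytes, n: int):
    """n-of-n XOR sharing: n-1 uniformly random shares, the last one chosen so
    that all n XOR back to the secret. Any n-1 of them are just random bytes."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    shares.append(xor_join([secret] + shares))
    return shares


def guesses_naive(known, n_bytes, target):
    """Attacker holds some naive shares (index -> byte value). Only the missing
    bytes need enumerating. Returns (recovered secret, number of guesses)."""
    unknown = [i for i in range(n_bytes) if i not in known]
    attempts = 0
    for v in range(256 ** len(unknown)):
        buf = bytearray(n_bytes)
        for idx, b in known.items():
            buf[idx] = b
        for j, idx in enumerate(unknown):
            buf[idx] = (v >> (8 * (len(unknown) - 1 - j))) & 0xFF
        attempts += 1
        if fingerprint(bytes(buf)) == target:
            return bytes(buf), attempts
    return None, attempts


def guesses_xor(known_shares, n, target):
    """Same attacker against XOR sharing. With all n shares the secret is one XOR
    away; with fewer, every candidate is equally consistent with what is known,
    so nothing beats exhaustive search over the whole space."""
    n_bytes = len(known_shares[0])
    if len(known_shares) == n:
        return xor_join(known_shares), 1
    attempts = 0
    for v in range(256 ** n_bytes):
        attempts += 1
        cand = v.to_bytes(n_bytes, "big")
        if fingerprint(cand) == target:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    secret = bytes([0x2A, 0x7C])  # constructed 2-byte secret so the search is fast
    target = fingerprint(secret)
    print("naive, 1 of 2 shares known:", guesses_naive({0: 0x2A}, 2, target)[1])
    xs = xor_split(secret, 2)
    print("xor, 1 of 2 shares known:  ", guesses_xor(xs[:1], 2, target)[1])
```

With a 2-byte secret the gap is 125 guesses versus 10,877; with a realistic 16-byte secret it is 2^8 per known share versus 2^128 regardless of how many shares short of the threshold the attacker is. XOR sharing is all-or-nothing (no subset smaller than n reconstructs), which is the property a threshold scheme such as Shamir's extends to any k of n.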