Security

Question 1

CIA triad

Answer 1

Confidentiality like encryption
Integrity like hashing
Availability like uptime or redundancy

Question 2

Non-compliant System

Answer 2

System that is not compliant with the configuration baseline of what is approved by the organization

Question 3

Configuration baseline

Answer 3

set of recommendations for deploying a computer in a hardened configuration

Question 4

Unprotected System

Answer 4

system not protected by any antivirus or firewall

Question 5

Unpatched System

Answer 5

system without patches or updates applied even though they are available

Question 6

What are some Windows releases that are EOL as of 2023?

Answer 6

Windows XP
Windows Vista
Windows 7

Question 7

Bring Your Own Device (BYOD)

Answer 7

Use of personal devices in an office environment

Question 8

Zero-day Exploit

Answer 8

unknown exploit that exposes previously unknown vulnerabilities

Question 9

Denial of Service (DOS)

Answer 9

attack that attempts to make a computer or server’s resources unavailable

Question 10

Flood Attack

Answer 10

type of DoS that attempts to send more packets to a server or host than it can handle

Question 11

Ping Flood

Answer 11

Flood attack that happens when too many pings (ICMP echo) are being sent

Question 12

SYN Flood

Answer 12

Attacker initiates multiple TCP sessions but never completes the three-way handshake

Question 13

Permanent Denial of Service (PDoS)

Answer 13

attack that exploits a security flaw to permanently break a networking device by reflashing its firmware

Question 14

Fork Bomb

Answer 14

attack that creates a large number of processes to use up the available processing power of a computer. It is not considered a “worm” because it does not infect the programs.

Question 15

Distributed Denial of Service (DDoS)

Answer 15

uses lots of machines to attack a server to create a DoS

Question 16

DNS Amplification

Answer 16

the attacker typically uses a botnet or a group of compromised computers to send a large number of DNS queries to open DNS resolvers. The source IP address of these queries is spoofed on the hackers machine to make it look like they are coming from the victim’s IP address. When the open DNS resolvers respond to these queries, the response is sent to the spoofed source IP address, which is the victim’s IP address. Because the response is typically much larger than the original query, this can overwhelm the victim’s network and cause a denial of service.

Question 17

Blackhole/Sinkhole

Answer 17

identifies attacking IP addresses and routes them to a non-existent server through the null interface

Question 18

Spoofing

Answer 18

occurs when an attacker masquerades as another person by falsifying their identity

Question 19

ARP Spoofing/”Poisoning”

Answer 19

sending fake ARP messages to a local netowkr in order to associate a fake MAC address with a legitimate IP address, thereby intercepting network traffic intended for the legitimate device.

Question 20

On-Path Attack

Answer 20

occurs when an attacker puts themself between the victim and the intended destination

Question 21

Replay

Answer 21

occurs when valid data is captured by the attacker and is then repeated immediately, or delayed, and then repeated. an example is capturing someone’s log-in credentials and storing it, and then logging into their account later on in the day.

Question 22

Relay attack

Answer 22

when the attacker inserts themself in between the two hosts and intercepts legitimate communication but relaying the information to a C2 or 3rd party.

Question 23

SSL Stripping

Answer 23

when an attacker tricks the encryption application into presenting the user with an HTTP connection instead of an HTTPS connection

Question 24

Downgrade Attack

Answer 24

when an attacker attempts to have a client or server abandon a higher security mode in favor of a lower security mode by intercepting the communication between two systems that are negotiating the protocol version to be used, and then modifying the negotiation messages to suggest an older and less secure protocol version.

Question 25

SQL injection

Answer 25

attack consisting of the insertion or injection of an SQL query via input data from the client to a web application

Question 26

Injection Attack

Answer 26

insertion of additional information or code through data input from a client to an application. Common types are SQL, HTML, XML, LDAP

Question 27

Cross-Site Scripting (XSS)

Answer 27

when an attacker embeds malicious scripting commands on a trusted website

Question 28

Stored/Persistent - XSS attack

Answer 28

attacker injects malicious code into a web application that is then stored on the server and served to all users who access the page. Like adding a comment with XSS injection of a JS alert that whenever someone else loads the page, it shows them that alert. Blind XSS is the same but you cannot see it, like adding XSS into a private report comment to an admin.

Question 29

Reflected - XSS attack

Answer 29

when an attacker injects malicious code into a website that is then reflected back to the user in a dynamic response, such as a search query or a form submission. The victim’s browser then executes the malicious code, allowing the attacker to steal sensitive information or perform other malicious actions on behalf of the victim.

Question 30

Document Object Model (DOM) - XSS attack

Answer 30

attempt to exploit the victim’s web browser

Question 31

How to prevent SQL injections?

Answer 31

ensure your website has data validation and sanitizing user inputs

Question 32

How to prevent XSS attacks?

Answer 32

with output encoding and proper input validation

Question 33

Cross-Site Request Forgery (XSRF/CSRF)

Answer 33

when an attacker tricks a user into performing an action on a website that they did not intend to perform while they are already authenticated on the website. An example is an attacker sending a malicious link that when clicked, will have the victim go to their online banking app and transfer funds to the attackers account.

Question 34

How to prevent XSRF/CSRF?

Answer 34

with tokens, encryption, XML file scanning, and cookie verification

Question 35

Password Analysis Tool

Answer 35

Used to test the strength of passwords to ensure password policies are being followed

Question 36

Password Cracker

Answer 36

uses comparative analysis to break passwords and systematically continues guessing until the password is determined

Question 37

What are the different types of password cracking methods?

Answer 37

password guessing, dictionary attack, brute-force attack, cryptanalysis attack

Question 38

Password Guessing

Answer 38

occurs when a weak password is simply figured out by a person

Question 39

Dictionary Attack

Answer 39

method where a program attempts to guess the password by using a list of possible passwords

Question 40

Brute-Force Attack

Answer 40

method where a program attempts to try every possible combination until it cracks the password

Question 41

Cryptanalysis Attack

Answer 41

comparing a precomputed encrypted password to a value in a lookup table. Example is a rainbow attack - breaching the target machines password storage of hashes, and using a rainbow table to compare.

Question 42

Insider Threat

Answer 42

An employee or other trusted insider who uses their authorized network access in unauthorized ways to harm the company

Question 43

Logic Bomb

Answer 43

specific type of malware that is tied to either a logical event or a specific time

Question 44

Boot sector - Virus

Answer 44

virus that is stored in the first sector of a hard drive and is loaded into memory upon boot. Only targets MBR and is installed via removable media

Question 45

Macro - Virus

Answer 45

virus embedded into a document and is executed when the document is opened by the user

Question 46

Program - Virus

Answer 46

seeks out executables or application files to infect

Question 47

Multipartite - Virus

Answer 47

combines boot and program viruses to first attach itself to the boot sector and system files before attacking other files on the computer

Question 48

Encryption - Virus

Answer 48

uses a cipher to encrypt its contents to avoid any antivirus software

Question 49

Polymorphic - Virus

Answer 49

will encrypt its own code in a unique way so that is appears different each time it infects a new file or system in order to evade antivirus software

Question 50

Metamorphic - Virus

Answer 50

has the ability to rewrite itself entirely before attempting to infect a file

Question 51

Armored - Virus

Answer 51

has a layer of protection to confuse a program or a person who’s trying to analyze it

Question 52

Hoax Viruses

Answer 52

tries to trick a user to infect its own machine

Question 53

Worm

Answer 53

malicious software that can replicate itself without any user interaction

Question 54

Trojan

Answer 54

a piece of malicious software that is disguised as a piece of harmless or desirable software

Question 55

Remote Access Trojan (RAT)

Answer 55

provides the attacker with remote control of a victim computer

Question 56

Stealth Viruses

Answer 56

a category for any virus protecting itself

Question 57

Virus

Answer 57

malicious code that runs on a machine without the user’s knowledge and infects the computer when executed

Question 58

Ransomware

Answer 58

malware that restricts access to a victim’s computer system until a ransom is received

Question 59

Spyware

Answer 59

malware that secretly gather information about the user without their consent

Question 60

Adware

Answer 60

displays advertisements based on your activity. falls into the category of spyware

Question 61

Grayware

Answer 61

software that isn’t benign nor malicious and tends to behave improperly without serious consequences

Question 62

Rootkit

Answer 62

software designed to gain administrative level control over a system without detection. commonly installed thru a DLL injection or shim

Question 63

DLL injection

Answer 63

malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime

Question 64

Driver Manipulation

Answer 64

attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level

Question 65

Botnet

Answer 65

a collection of compromised computers under the control of a master node

Question 66

7 steps of removing malware

Answer 66

1. Identify the symptoms of a malware infection
2. Quarantine/isolate the infected systems
3. Disable System Restore
4. Remediate the infected system
5. Schedule automatic updates and scans
6. Enable System Restore and create a new restore point
7. Provide end user security awareness training

Question 67

Phishing

Answer 67

a social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source to lure the victim into divulging sensitive information

Question 68

Spearphishing

Answer 68

uses the same technology and techniques but is a more targeted version of phishing

Question 69

Whaling - Phishing

Answer 69

focused on key executives within an organization or other key leaders, executives, and managers in the company

Question 70

Vishing

Answer 70

Occurs when the message is being communicated to the target using the voice functions of a telephone

Question 71

Business Email Compromise (BEC)

Answer 71

occurs when an attacker takes over a high-level executive’s email account and orders employees to conduct tasks

Question 72

Pharming

Answer 72

tricks users into divulging private information by redirecting a victim to a website controlled by the attacker or penetration tester

Question 73

Tailgating

Answer 73

when an attacker attempts to enter a secure portion of a building by following an authorized person into that area, without their knowledge

Question 74

Piggybacking

Answer 74

Similar to tailgating, but happens with the knowledge or consent of the employee

Question 75

Shoulder Surfing

Answer 75

using direct observation to obtain info from an employee

Question 76

Dumpster Diving

Answer 76

actually looking in garbage or recycling bins for personal or confidential information

Question 77

Evil Twin

Answer 77

a fraudulent Wi-Fi access point or web server that appears to be legitimate but is set up to eavesdrop on wireless communications

Question 78

Karma Attack

Answer 78

exploits the behavior of Wi-Fi devices due to a lack of access point authentication protocols being implemented

Question 79

Preferred Network List (PNL)

Answer 79

a list of the SSIDs of any access points the device has previously connected to and will automatically connect to when those networks are in range

Question 80

Captive Portal

Answer 80

a web page that the user of a public-access network is obligated to view and interact with before access is granted (sign in with google to access wifi)

Question 81

Personal Firewall

Answer 81

software application that protects a single computer form unwanted internet traffic

Question 82

Clean Desk Policy

Answer 82

by the end of the day, employees clean their desks and leave nothing out that may be takes as a password or a PIN

Question 83

Physical Controls

Answer 83

implemented to increase physical security posture

Question 84

Logical Controls

Answer 84

implemented through hardware or software to prevent or restrict access

Question 85

Managerial Controls

Answer 85

implemented to manage the organization’s personnel and assets

Question 86

Principle of Least Privilege

Answer 86

uses the lowest level of permissions needed to complete a job function

Question 87

Discretionary Access Control (DAC)

Answer 87

access control method where access is determined by the owner of the resource

Question 88

Mandatory Access Control (MAC)

Answer 88

access control policy where the computer system and administrator decides who gets access

Question 89

Role-based Access Control (RBAC)

Answer 89

access method that is combined by the system that focuses on a set of permissions versus an individual’s permissions. Based on roles such as a loan processor group who is allowed to view and modify certain documents.

Question 90

Power User

Answer 90

user who is not a normal user and also not a normal administrator

Question 91

Zero-Trust

Answer 91

security framework that requires the users to be authenticated, authorized, and validated

Question 92

Time-Based One-Time Password (TOTP)

Answer 92

generated by combining a secret key, known only to the user and the authentication system, with the current time. The result is a unique, one-time code that is valid for only a short period of time, typically 30 seconds

Question 93

HMAC-Based One-Time Password (HOTP)

Answer 93

2FA authentication mechanism that generates a one-time password based on a secret key and a counter value.

Question 94

In-Band Authentication

Answer 94

relies on an identity signal from the same system requesting the user authentication

Question 95

Out-of-Band Authentication

Answer 95

uses a separate communication channel to send the OTP or PIN

Question 96

Enterprise Mobility Management (EMM)

Answer 96

enables centralized management and control of corporate mobile devices. manages not only mobile devices, but also applications, content, and data in an enterprise environment.

Question 97

Remote Wipe

Answer 97

used to send remote commands to a mobile device from a MDM solution to delete its data settings

Question 98

Active Directory (AD)

Answer 98

allows to get information from the network about all of your systems, users, and computers

Question 99

Security Group

Answer 99

allows to easily assign permissions to a set of users or workstations

Question 100

Organizational Unit (OU)

Answer 100

way of dividing the domain into different administrative realms

Question 101

Folder Redirection

Answer 101

allows to change the target of a personal folder

Question 102

Pre-Shared Key

Answer 102

same encryption key is used by the access point and the client. Only used in symmetric encryption algorithms

Question 103

Wired Equivalent Privacy (WEP)

Answer 103

original 802.11 wireless security standard that claims to be as secure as a wired network. Uses IV

Question 104

Wi-Fi Protected Access (WPA)

Answer 104

replacement for WEP, which uses TKIP, Message Integrity Check (MIC), and RC4 encryption

Question 105

Wi-Fi Protected Access version 2 (WPA2)

Answer 105

802.11i standard to provide better wireless security featuring AES with a 128-bit key, CCMP, and integrity checking

Question 106

Wi-Fi Protected Setup (WPS)

Answer 106

automated encryption setup for wireless networks at a push of a button, but is severely flawed and vulnerable. Always disable it

Question 107

Wi-Fi Protected Access 3 (WPA3)

Answer 107

Latest and most secure version of wireless network encryption currently available. 192-bit or 128-bit key. Uses AES with GCMP

Question 108

Simultaneous Authentication of Equals (SAE)

Answer 108

a secure password-based authentication and password authenticated key agreement that relies on forward secrecy

Question 109

Forward Secrecy

Answer 109

assures the session keys will not be compromised even if the long-term secrets used in the session key exchange have been compromised. Generates a new session key for each connection.

Question 110

Remote Authentication Dial-In User Service (RADIUS)

Answer 110

cross-platform protocol that authenticates and authorizes users to services, and accounts for their usage

Question 111

Terminal Access Controller Access Control System Plus (TACACS+)

Answer 111

Cisco-proprietary protocol that provides separate authentication, authorization, and accounting services

Question 112

Diameter

Answer 112

peer-to-peer (meaning Diameter node can communicate with each-other without a central controller) protocol created as a next-generation version of RADIUS

Question 113

Lightweight Directory Access Protocol (LDAP)

Answer 113

cross-platform protocol that centralizes info about clients and objects on the network

Question 114

Single Sign-On (SSO)

Answer 114

enables users to authenticate once and receive authorizations for multiple services across the network. In an Active Directory environment, Kerberos is used as the authentication protocol for SSO.

Question 115

Kerberos

Answer 115

uses symmetric encryption and the Key Distribution Center to conduct authentication and authorization functions

Question 116

What are the steps for Kerberos authentication?

Answer 116

1. The user sends a request to the Authentication Server (AS) for a Ticket-Granting Ticket (TGT).
2. The AS verifies the user’s identity and sends back a TGT encrypted with a secret key shared between the client and the Kerberos server.
3. The user sends a request to the Ticket-Granting Server (TGS) with the TGT for a service ticket for a specific resource.
4. The TGS verifies the TGT’s authenticity and checks the user’s authorization to access the requested resource.
   5 If the TGT is valid and the user is authorized, the TGS creates a service ticket encrypted with a secret key shared between the TGS and the resource server and sends it back to the user.
5. The user sends the service ticket to the resource server.
6. The resource server verifies the service ticket by decrypting it with its secret key, and grants access to the requested resource if the ticket is valid.

Question 117

802.1x framework

Answer 117

used for port-based authentication on both wired and wireless networks. uses RADIUS or TACACS+

Question 118

Extensible Authentication Protocol (EAP) and what are the different types?

Answer 118

allows for numerous different mechanisms of authentication. EAP-MD5, EAP-TLS, EAP-TTLS, EAP-FAST, PEAP.

Question 119

EAP-MD5

Answer 119

utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication

Question 120

EAP-TLS

Answer 120

during authentication, the client and server exchange digital certificates without the need for a username and password but instead the client needs to provide a private key that matches the public key in the digital certificate. TLS is used to establish a secure channel before authentication.

Question 121

EAP-TTLS

Answer 121

requires a digital certificate on the server and a password on the client for its authentication. TLS tunnel is established before username and password are provided to prevent eavesdropping.

Question 122

EAP Flexible Authentication via Secure Tunneling (EAP-FAST)

Answer 122

uses certificates, credentials, and a TLS tunnel to encrypt traffic between client and server. first client and server exchange credentials, then a TLS tunnel is established, then the client provides credentials and is authenticated. the TLS tunnel remains until the end of the connection.

Question 123

Protected EAP (PEAP)

Answer 123

uses server certificates and Microsoft’s Active Directory databases to authenticate a client’s password. also sets up a TLS tunnel for encryption. first establishes a TLS tunnel, then the client verifies the server certificate, then the client gives username and password.

Question 124

Lightweight EAP (LEAP)

Answer 124

a proprietary protocol that only works on Cisco-based devices

Question 125

Corporate Owned/Business Only (COBO) - Devices

Answer 125

purchased by the company and only used by the employee for work-related purposes

Question 126

Corporate Owned/Personally Enabled (COPE) - Devices

Answer 126

company provides a device used for work and/or personal use by employees

Question 127

Choose Your Own Device (CYOD)

Answer 127

allows employees to choose a device from an approved list of vendors or devices

Question 128

Storage Segmentation - Devices

Answer 128

creates a clear separation between work and personal data on a device into separate partitions.

Question 129

Mobile Device Hardening

Answer 129

1. Update your device to the latest software
2. Install Antivirus
3. Train users on proper security and use of their device
4. Only install apps from the official app stores
5. Do not jailbreak or root your device
6. Only use version 2 SIM cards for your devices
7. Turn off all unnecessary features on your device
8. Turn on encryption for voice and data
9. Use strong passwords or biometrics
10. Don’t allow BYOD

Question 130

What are some vulnerabilities of IoT devices?

Answer 130

1. Insecure Defaults
2. Hard-coded configurations
3. Cleartext communication
4. Data leakage

Question 131

Local Sign-in

Answer 131

uses Local Security Authority (LSA) to compare the submitted credentials to the SAM database

Question 132

Network Sign-in

Answer 132

uses Kerberos to perform network authentication

Question 133

Remote Sign-in

Answer 133

allows users to access the local network by using a VPN or a web portal (SSL/TLS)

Question 134

Account Management

Answer 134

set of policies that determine what rights and privileges each user has on a given computer or network

Question 135

What are some encryption methods for data in motion?

Answer 135

TLS or SSL, IPSec or L2TP, WPA2 with AES

Question 136

What are some encryption methods for data at rest?

Answer 136

Full disk encryption, folder encryption, file encryption, database encryption

Question 137

Degaussing - data destruction

Answer 137

exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive

Question 138

Purging (Sanitizing) - data destruction

Answer 138

act of removing data in such a way that it cannot be reconstructed using any know forensic techniques. Typically involves overwriting the entire drive with zeros multiple times.

Question 139

Erasing or Wiping data - data destruction

Answer 139

the process of destroying old data by writing over the location on the hard drive or solid state device with new data

Question 140

Low-level Format - data destruction

Answer 140

procedure provided by the manufacturer which will reset the data back to its factory condition

Question 141

Self-Encrypting Drive - data destruction

Answer 141

a particular type of hardware that will encrypt the entire disk. getting rid of the key after.

Question 142

Incident Response

Answer 142

a set of procedures an investigator follows when examining a computer security incident

Question 143

Incident Management Program

Answer 143

consists of monitoring and detection of security events on a computer network and the use of proper responses to those security events

Question 144

Chain of Custody

Answer 144

the record of evidence history from collection to court presentation and disposal

Question 145

Faraday Bag

Answer 145

shields devices from outside signals to prevent data from being altered, deleted, or added to a new device.

Question 146

Legal Hold

Answer 146

preserves all relevant information when litigation is reasonably expected to occur

Question 147

.bat file

Answer 147

text-based file containing Windows commands and is interpreted from the command line environment

Question 148

.ps1 file

Answer 148

used within windows inside the PowerShell environment. more complex scripts than a batch file

Question 149

.vbs file

Answer 149

scripting language based on the Visual Basic programming language

Question 150

.sh file

Answer 150

bash script used within linux

Question 151

.py file

Answer 151

python language file used in Windows, Linux, and Mac

Question 152

Pseudocode

Answer 152

generic language used to teach new learners how to program a computer

Question 153

.js file

Answer 153

JavaScript used for automations in webpages and macOS systems

Question 154

What is a dropper?

Answer 154

type of malware that is designed to deliver and install other malicious programs. Stage 1 dropper, delivers the Stage 2 payload.