Threat, Vulnerabilities and Mitigations: Quiz Revision Flashcards

Question

Is Antivirus products a one stop shop against threat?

Answer 1

Antivirus products (and the antimalware products that encompass them) provide notifications when a threat has been detected, and what action was taken. On many occasions, the software will identify a potential threat, and prompt you for what action to take. Antivirus is not a centralized solution for security; it is only one part of the solution.

Answer 2

Patch management tools assist with the installation of patches, which can present a significant challenge to an enterprise environment. Their logs will contain successful and failed updates, incompatible patches, and unsuccessful patch installations, but no other security logging information.

Answer 3

Host-based firewalls include products that are installed as an application, or included in the OS, such as the Windows Firewall. In the case of Windows Firewall, it is possible to have the firewall activated, but not generating log entries. You can activate logging by going into the console, choosing Actions, then Properties. The logging can be set as seen below. It is important to review the documentation that accompanies the application to interpret the results. Firewall logs display traffic that has been allowed and denied passage through the firewall, but not logs from other security systems, such as antimalware tools.

Answer 4

For the Security+ exam, you also need to understand other security technologies and their output, including file integrity checks, application allow listing, removable media control, DEP, WAFs, DLP, UTM, and advanced malware tools.

Answer 5

File integrity checks examine selected files to see if there have been any changes, or attempted changes. It is important to review the logs to know when attempts have been made, even if the file integrity product returned the file to the original state.

Answer 6

Application allow list is the practice of denying all applications except for those that are approved. Those approved applications are designated as on the allow list. Several products are available that check for applications that are not on the allow list, including attempts to install those applications. The logs the allow list product generates would tell you if someone had attempted (for example) to install a keylogger. Removable media control (RMC) is important in many environments. USB drives, SD cards, CDs, DVDs and BluRay devices can all present dangers to the system. As an example, someone can use a USB drive to copy sensitive information and deliver it to someone outside the organization. Another example could be a CD that appears to be a music CD but is actually installation media for unauthorized software. Examine the RMC logs to determine attempts to violate removable media policies.

Answer 7

Advanced malware tools check for malicious code that would otherwise slip by standard antivirus and antimalware tools.

Answer 8

Data Loss Prevention (DLP) examines outbound traffic for sensitive data, keywords, and specific files leaving the organization.

Answer 9

Data execution prevention (DEP) forces the user to approve an application before it executes or launches. Logs will record execution attempts, including failed attempts. Notification of failed attempts is important, as it could tell you that your antimalware application successfully blocked an attempt to install malware.

Answer 10

A web application firewall uses a set of defined rules to manage incoming and outgoing web server traffic, as well as attack prevention. Organizations can define their own rules, based on their particular vulnerability.

Answer 11

An escalation of privileges attack occurs when an attacker has used a design flaw in an application to obtain unauthorized access to the application. Privilege escalation includes incidents where a user logs in with valid credentials and then takes over the privileges of another user, or where a user logs in with a standard account and uses a system flaw to obtain administrative privileges. There are two types of privilege escalation: vertical and horizontal. With vertical privilege escalation, the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code. With horizontal privilege escalation, the attacker obtains the same level of permissions as he already has but uses a different user account to do so.

Answer 12

A backdoor is a term for lines of code that are inserted into an application to allow developers to enter the application and bypass the security mechanisms. Backdoors are also referred to as maintenance hooks.

Answer 13

A buffer overflow occurs when an application erroneously allows an invalid amount of input in the buffer. It can be used to perform a denial-of-service (DoS) attack or a Distributed Denial-of-Service (DDoS) attack.

Answer 14

Race condition – typically targets timing, mainly the delay between time of check (TOC) and time of use (TOU). To eliminate race conditions, application developers should create code that processes exclusive-lock resources in a certain sequence and unlocks them in reverse order.

Answer 15

Insecure direct object references – occurs when a developer exposes a reference to an internal object, such as a file, directory, database record, or key, as a URL or form parameter without implementing the appropriate security control. An attacker can manipulate direct object references to access other objects without authorization. Implementing an access control check helps to protect against these attacks.

Answer 16

Cross-site request forgery (CSRF) – occurs when a malicious site executes unauthorized commands from a user on a web site that trusts the user. It is also referred to as a one-click attack or session riding. Implementing anti-forgery tokens protect against this attack.

Answer 17

Improper storage of sensitive data – occurs when sensitive data is not properly secured when it is stored. Sensitive data should be encrypted and protected with the appropriate access control list. Also, when sensitive data is in memory, it should be locked.

Answer 18

Improper error and exception handling – occurs when developers do not design appropriate error or exception messages in an application. The most common problem because of this issue is the fail-open security check, which occurs when access is granted (instead of denied) by default. Other issues include system crashes and resource consumption. Error handling mechanisms should be properly designed, implemented, and logged for future reference and troubleshooting.

Answer 19

Secure cookie storage and transmission – Cookies store a user's web site data, often including confidential data, such as usernames, passwords, and financial information. A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted during transmission.

Answer 20

Memory leaks – occur when an application does not release memory after it is finished working with it. Reviewing coding and designing best practices helps to prevent memory leaks.

Answer 21

Integer overflows – occurs when an operation attempts to input an integer that is too large for the register or variable. The best solution is to use a safe integer class that has been built to avoid these problems.

Answer 22

Geo-tagging – occurs when media, such as photos or videos, are tagged with geographical information. Turning off the geo-tagging feature on your device protects against releasing this type of information. It is also possible to remove geo-tagging information from media before using it in an application or web site.

Answer 23

Data remnants – occurs when applications are removed but data remnants, including registry entries, are left behind. Specialty tools and apps are available to ensure that applications have been completely removed from a device.

Answer 24

The purpose of MAC filtering is to restrict the clients that can access a wireless network. Access is restricted based on the client's media access control (MAC) address, which is the unique identifier that is encoded on the network interface card (NIC).MAC filtering is not used to restrict the clients that can access a Web site. This is most often done using access control lists (ACLs). 802.1X (or WPA2-Enterprise) provides port authentication for a wireless network using Extensible Authentication protocol (EAP). 802.1X can use Protected EAP (PEAP) or Lightweight EAP (LEAP). PEAP is the more secure of the two. Both of these implementations require a server certificate on the RADIUS server. If the RADIUS server certificate expires, then clients will be unable to connect until the RADIUS server obtains a new certificate. To ensure that unused ports are not accessible by clients, you should disable all unused ports.

Answer 25

To increase network security, you should use the following mitigation and deterrent techniques: MAC limiting and filtering 802.1X Disable unused interfaces, applications, and services. Rogue machine detection You should always monitor system logs, including the audit logs, event logs, security logs, and access logs. Often by monitoring these logs, a security professional can discover issues or attacks and can take measures to prevent the issues. Security professionals should understand an organization's security posture. Security professionals should perform certain mitigation and deterrent activities including recording an initial baseline configuration, continually monitoring security, and performing remediation as necessary. You should also ensure that a good reporting system is set up to notify appropriate personnel if certain actions occur. This reporting system should include alarms and alerts. Security professionals should also perform periodic trending analysis to identify any new organizational trends. Mitigation controls help to mitigate security issues. Deterrent controls help to deter attacks. Prevention controls help to prevent attacks. Detective controls help to detect any attack when it occurs. Any security policy should employ all of these types of controls to be most effective. Cameras and intrusion detection systems (IDSs) are detective controls. Intrusion prevention systems (IPSs) and guards are preventive controls.

Answer 26

Out-of-cycle logging is when an event that normally occurs and is recorded at a regular time or interval shows up in the log as having occurred at an odd time or off-cycle. While it’s normal to see the event, it appears at a strange time, signaling that an attack may be underway.

Answer 27

Resource inaccessibility is an indicator of malicious activity. For example, if a web server goes down and is suddenly inaccessible, it might be the victim of a Denial of Service (DoS) attack.

Answer 28

Published/documented indicators are those that have been recently discovered and subsequently published by threat feed organizations such as the Cybersecurity and Infrastructure Security Agency (CISA). These indicators may include things like IP addresses, file hashes like MD5, and domain names. By knowing what to look for, this information can be used to uncover and respond to attacks.

Answer 29

Missing logs may be a sign that an attack has been attempted or has occurred, and the attacker has erased the log to cover up their tracks. Log files are a critical tool in monitoring activities, investigating problems, storing information about the health of the system and the network. Consequently, many organizations will store the log files on a separate device or server in a protected area of the network.

Answer 30

Configuration enforcement includes establishing, deploying, and then maintaining a standard configuration, such as a naming convention or even a system image. You could have an image based on a device/OS pair, an image for each of several user groups, or images for departments throughout the organization. Once the proper configuration has been established and preserved as a system image, configuration enforcement looks for changes to that configuration and, in some cases, even reverts the system to the proper configuration.

Answer 31

Decommissioning is a mitigation technique that is used when a system or device is no longer of use to the organization. Contrary to what many users feel as adequate, deleting files into the recycle bin is not a secure process. When a system or device has reached the end of its service life, storage media and drives must be sanitized, either through destruction or using tools to erase all traces of data on the device. Such as degaussing

Answer 32

Removal of unnecessary software is associated with system hardening. System hardening increases the security of a server or a computer system by reducing vulnerabilities and the attack surface. Other examples of system hardening activities include closing down ports and adjusting permissions.

Answer 33

Endpoint security is the practice of protecting the endpoints (workstations, printers, etc.) in the network. Endpoint protection includes protecting them from other endpoints that spend at least some of the time outside the LAN. This is done by verifying patches and updates before the device is allowed access to the network. Endpoint security also includes the hardening process of endpoints. It cannot route traffic from a device being flooded to a location where the traffic can be studied

Answer 34

Trusted Platform Module (TPM) is not a supply chain vulnerability. TPM and Hardware Security Module (HSM) are both chips that implement hardware-based encryption. The main difference between the two is that a TPM chip is usually mounted on the motherboard and HSM chips are PCI adapter cards. Supply chain vulnerabilities include the service provider, the hardware provider, and the software provider. Hardware provider vulnerabilities occur in device manufacturers and suppliers. A classic example is the Target breach in 2013. Target’s HVAC hardware provider was compromised, and through the HVAC provider, attackers accessed Target’s payment system and stole millions of credit card numbers from Target’s customers. Software provider vulnerabilities occur in third-party companies that provide software to other companies (customers). Attackers will look for a vulnerability within the software that the attacker can exploit. Then, when the customer installs the software, the customer Service provider vulnerabilities can occur with a company that provides you with services, such as when you outsource your payroll processing or billing. If the service provider is compromised, the attacker can access and exploit the customer data.

Answer 35

Unskilled attackers (sometimes referred to as script kiddies) typically rely on tools that are widely available on the Internet. These unskilled attackers are often motivated by the thrill of the chase and by the need to prove that they can do it. For the most part, they have limited time and financial resources.

Answer 36

Shadow IT are IT applications, systems, and resources (such as cloud services) that are installed or used by internal staff without the knowledge or consent of the IT department. Shadow IT is neither authorized nor approved, and therefore poses a risk to the organization's security posture, risk management, data integrity, and regulatory compliance.

Answer 37

Hacktivists are activists who use hacking techniques to promote their own political or social agenda. Their activities can cause DoS and DDoS attacks, or place embarrassing posts on the web sites or social media sites of an organization with opposing views. They often believe they are engaging in a righteous and morally correct cause, even if their activities are illegal. As with unskilled attackers, hacktivists often have limited time and financial resources. However, a hacktivist within a sophisticated or large organization may have access to significant resources.

Answer 38

Insider attacks are perpetrated by people within the organization. Insider threats have many possible motives, including promotion of an activist agenda, monetary reward, retaliation for not being selected for a promotion, or some other situation that caused the insider to become disgruntled with the organization. They typically have limited resources but given that they may already have substantial knowledge of the organization and network, they are particularly dangerous.

Answer 39

Competition attacks are the modern version of industrial espionage. Theft of intellectual property, marketing plans, and customer lists are all examples that can have devastating effects on the targeted organization. Even stealing the victim company's credit card list can have a severe economic impact on that company. Often, the attacking company will find a disgruntled individual in the subject company to carry out the attack.

Answer 40

Organized crime attacks are carried out by criminal groups for the sole purpose of monetary gain. Organizations like the Mafia, Russian organized crime, and drug cartels have significant resources in terms of time and money to recruit hackers to carry out their agenda.

Answer 41

Nation-state / Advanced Persistent Threat (APT) attacks are conducted by one nation upon another or upon a significant entity within the target country with large coordinated attacks. APTs have attackers who have very significant time and financial resources. Motives could be financial, political, disruption of the economy, or theft of intellectual property, such as military secrets.

Answer 42

Malicious update is when an attacker first creates a fake software update, containing malware, that appears to be legitimate, and then gets users to download and install the update. Upon installation, the malware is activated on the system.

Answer 43

Memory injection is the primary goal of buffer overflow attacks. Buffer overflows attempt to put more information than can fit into an allocated area of memory. With memory injection, the attacker inserts malicious code into program memory. The computer then executes that malicious code as part of the program.

Answer 44

An SQL injection is an example of improper input handling, and the impact can include data destruction or unfettered access to the database. Inputs should be checked for common SQL injection symbols. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges.

Answer 45

A cross-site scripting (XSS) attack occurs when an attacker locates a vulnerability on a website that allows the attacker to inject malicious code into a web application. A persistent XSS attack occurs when data provided to the web application is first stored persistently on the server and later displayed to users without being encoded using HTML on the web client. A non-persistent XSS attack occurs when data provided by a web client is used immediately by server-side scripts to generate results for that user. XSS flaws occur every time an application takes user-supplied data and sends it to a web browser without first confirming or encoding the data.

Answer 46

Cloud access security brokers would alleviate your concern because they enforce security policies, whether on-premises or cloud-based. They often sit between the cloud service users and providers, merging the security policies of the user and the provider. Virtual desktop infrastructure (VDI) creates a user desktop on a virtual machine that is hosted on a data center server. Desktops can be personalized while still having centralized management and security.

Answer 47

The virtual desktop environment (VDE) maintains everything related to the user desktop and deploys them to the host. Virtual desktop infrastructure can make your desktops either more secure or less so. Storing data on VDI servers in the data center is more secure than storing it locally on the user's machine. Also, administrators have greater control over desktop and app distribution in a VDI environment. VM escape protection can be accomplished by sandboxing. If the virtual application crashes, sandboxing allows you to contain the data and not allow the information to "escape" into another application. VM escape occurs when a vulnerability in the operating system running in the virtual machine is exploited. When this occurs, it allows an attacker to run malicious code and escape the boundaries of the VM.

Answer 48

Stress testing puts a load on the system much higher than what is normally expected. For example, testing a website with 100x the normal amount of traffic would identify how the system will respond to the stress. Stress testing does not reveal security weaknesses between the interactions of your security policies with those of the hosting provider.

Answer 49

Choosing between an on-premises solution versus a hosted solution versus a cloud solution are all virtualization decisions. On-premises virtual machines (VMs) are stored at your physical location. The hosted model allows you to contract with a third party for virtual access, and the responsibilities of the third party are detailed in a service level agreement (SLA). Cloud systems, while closely related to hosted models, have requirements such as on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service, as defined by NIST.

Answer 50

Geotagging is the process of attaching location information in the form of geographical metadata to digital media like web sites, videos, and photographs. Geotagging is a security concern because it can reveal location information. This feature embeds unseen code into a picture that records the longitude/latitude information of where the picture was taken. Geotags may also be applied to digital output and communications such as tweets or status updates on social media. The information included in a geotag may include place coordinates (latitude and longitude), bearings, altitude, distances, or even place names. This feature becomes a serious concern when it comes to protecting your privacy and data. Geotagging can give enough information about your current whereabouts (and where you’re not) which can allow thieves to target your home or workplace in your absence.

Answer 51

When considering applications that can be installed on mobile devices, you need to understand the following concepts for the Security+ exam: Key management – You should take measures to ensure that all keys are protected. Measures that you can use include implementing device encryption to protect the keys while stored and using IPSec to protect the keys during transmission. Credential management – You should implement solutions that allow you to manage credentials for users to ensure that mobile devices are only accessed by valid users. In addition, you should ensure that the protocols that you use do not transmit credential information in plaintext. Authentication – If possible, you should require your mobile applications to authenticate users before allowing access. This ensures that applications are only accessed by valid users. Encryption – Applications often request personally identifiable information (PII) that should be protected. In addition, they often transmit PII and other confidential information. Therefore, you should employ encryption to protect the data in storage and in transmission. Transitive trust/authentication – Transitive trust occurs when federated user identities allow users to access multiple applications, devices, and resources using a single authentication. A trusted computing base is established as the basis of federated user identity. Enterprises should ensure that any entities allowed into the trusted computing base are fully protected. When deploying mobile devices securely, security professionals need to set policies and enforce them through monitoring all of the following features or practices: Third-party app stores, rooting/jailbreaking, sideloading, custom firmware, carrier unlocking, firmware over-the-air (OTA) updates, camera use, SMS/MMS, external media, USB on-the-go (OTG), recording microphones, GPS tagging, Wi-Fi direct/ad hoc, tethering, and payment methods. Management should set the policy for each of these mobile device components. Policies are only effective if a plan for enforcement and monitoring is also established.

Answer 52

The malware types should be matched with the descriptions in the following manner: Backdoor – a developer hook in a system or application that allows developers to circumvent normal authentication Logic bomb – a program that executes when a certain predefined event occurs Spyware – a program that monitors and tracks user activities Trojan horse – a program that infects a system under the guise of another legitimate program

Answer 53

NIST defines cybersecurity risks throughout the supply chain as “the potential for harm or compromise that may arise from suppliers, their supply chains, their products, or their services” (NIST SP 800-161r1). Among the recommended techniques for minimizing adversarial threats from hardware purchases, you should: Only purchase hardware from authorized vendors or resellers Integrate supply chain management into the overall risk management framework Inspect hardware for signs of tampering Request proof of equipment certification from hardware vendors Conduct a supply chain analysis and audit the existing supply chain Have an inventory management system that includes asset tracking and secure disposal Natural disasters are a threat to the supply chain, but they are not an adversarial threat. Adversarial threats arise from a human vector, such as malicious insiders, organized crime, and nation-states. A legally enforceable purchase order with a hardware vendor will not protect your organization from hardware that has been tampered with once it left the vendor’s direct control. Hardware should be inspected for missing or broken seals, opened boxes, refurbished components, or counterfeit components.

Answer 54

Impossible travel is when a user logs in from one location, and then moments later logs in from another location, but it would have been impossible for the user to have traveled between the two locations in that time frame. An example would be a user who logs on in New York, then 20 seconds later the same user logs on in Tokyo. Blocked content can be an IoC. If, for example, a filter on a firewall could result from a filter on a firewall finding malicious code, or it could be Resource consumption occurs with events like filling all the space on a drive or using all the bandwidth on a network.

Answer 55

Concurrent session usage happens when you have two or more instances of a user account logged in at the same time, when there should be only one instance of that user login. This could happen with the same system or different systems. The key factor here is that it would be unexpected for the user to login multiple times. A user with a Gmail account open on several devices simultaneously would not be a concurrent session usage IoC.

Answer 56

Your organization experienced a cross-site scripting (XSS) attack. An XSS attack occurs when an attacker locates a vulnerability on a website that allows the attacker to inject malicious code into a web application. A persistent XSS attack occurs when data provided to the web application is first stored persistently on the server and later displayed to users without being encoded using HTML on the web client. A non-persistent XSS attack occurs when data provided by a web client is used immediately by server-side scripts to generate results for that user. XSS flaws occur every time an application takes user-supplied data and sends it to a web browser without first confirming or encoding the data. To locate XSS attacks, you should look for lines in the web server log that contain JavaScript or other scripting languages that forward a user's session cookie to an external location or web page.

Answer 57

A buffer overflow occurs when an invalid amount of input is written to the buffer area.

Answer 58

A SQL injection occurs when an attacker inputs actual database commands into the database input fields instead of the valid input. You should include input validation to prevent SQL injection attacks.

Answer 59

Path traversal occurs when the ../ characters are entered into the URL to traverse directories that are not supposed to be available from the web.

Answer 60

Some possible countermeasures to input validation attacks include the following: Filter out all known malicious requests. Validate all information coming from the client, both at the client level and at the server level. Implement a security policy that includes parameter checking in all web applications.

Answer 61

Another application issue that you need to understand is click-jacking. Click-jacking is a technique that is used to trick users into revealing confidential information or taking over the user's computer when clicking links.

Answer 62

Often you will need to determine the attack vector used. Reverse engineering is the best way to do this.

Answer 63

When designing a web application, security should be one of the facets that you should always keep in mind. An application should be secure by design, by default, and by deployment. Secure by design means that the application is designed with security in mind. Secure by default means that the application defaults to being secure without changing application settings. Secure by deployment means that the environment into which the application is deployed is taken into consideration from a security standpoint.

Answer 64

You also need to understand exploits that will cause security issues with identity and access management: Impersonation – Attackers may try to impersonate a legitimate user to obtain access credentials. Identity proofing is mitigation for this type of attack. Man-in-the-middle (MITM) – This attack occurs when an attacker intercepts messages between two devices and eavesdrops on the communication. The attacker attempts to impersonate each party. Using one-time-passwords and mutual authentication are mitigations for this attack. Session hijack – This attack occurs when an attacker attempts to take over a session that is already occurring. Encryption is a mitigation for this attack. Rootkit – A rootkit is a set of software tools that allow an attacker to gain control of a device. The best mitigation is to remove all rootkits.

Answer 65

Vishing is a special type of phishing that uses VoIP. Often these types of attacks involve receiving telephone calls that appear to come from a trusted source, such as your financial institution. The telephone call asks you to disclose confidential information that can be used to access your account. An Xmas attack is an attack that looks for open ports. Nmap is the most popular application that is used to carry out this type of attack. Spear phishing is a special type of phishing that appears to come from a trusted individual. Digital Signatures can help protect against spear phishing attacks, and improve the overall security posture, by assuring employees that an email originated from the CEO. Whaling is a special type of phishing that targets a single power user, such as a Chief Executive Officer (CEO). Whaling is used to gain confidential information about the company, and usually occurs via email.

Answer 66

Some threat actors simply want to cause disruption and chaos. A threat actor might be motivated by this technique to gain notoriety by claiming responsibility for the event. Whatever the event, their goal is to upset normal operations in an attention-getting way.

Answer 67

Service disruption is meant to damage an organization’s reputation, or cause loss of public confidence in the organization. If an airline had a disruption where you could not access their services, such as booking a flight, that person would likely do business with another airline. It may have any motivation, including revenge or financial gain. The purpose of service disruption is to harm a specific organization, while attackers who are motivated to create disruption and chaos will choose any random, vulnerable target.

Answer 68

Ethical hackers want to prevent an event, not cause one and take credit for it. Ethical hackers (sometimes called white-hat hackers or penetration testers) are individuals hired by the company to test the company’s security infrastructure. Their purpose is to conduct activities to find weaknesses and “break in”. The ethical hacker will prepare a report detailing the weaknesses so that the client company can address those issues and make corrections.

Answer 69

Militaries and civilians can be motivated by war. Civilians and nation-states can use cyberspace to advance wartime agendas. Each may be engaged in activities that disrupt a target’s communications, services, and infrastructure, or to spread propaganda, misinformation, and fear. Nation-states want cyber-attacks that advance wartime agendas to remain secret so that the target states are unaware of their actions.

Answer 70

Espionage – Competition attacks are the modern version of industrial espionage. Theft of intellectual property, marketing plans, and customer lists are all examples that can have devastating effects on the targeted organization. Even stealing the victim company's credit card list can have a severe economic impact on that company. Often, the attacking company will find a disgruntled individual in the subject company to carry out the attack. Blackmail – Blackmail is the threat to release sensitive PII or incriminating evidence regarding an individual who has access to certain company assets, such as data, systems, or processes. The cyber-criminal threatens to expose the individual unless they take some action against a company asset on the criminal’s behalf. Data exfiltration – Data exfiltration is the act of sending sensitive or proprietary information to unauthorized recipients external to the organization. Data loss prevention is designed to detect and stop data exfiltration behavior by users. If DLP software is not present, data exfiltration might only be discovered after the event. When it occurs, the best course of action is to identify the source of the disclosure, if possible, and then take disciplinary action. Philosophical or political beliefs – Philosophical beliefs and political beliefs are used by extremist groups to recruit members to their cause. One nation might attempt to convince citizens of another nation to perform cyberterrorist activities. Hacktivists are the typical actor here. Revenge – threat actors can be motivated by revenge. Revenge and retaliation result from the perception that the threat actor has been slighted by a person or organization. The threat actor wants to “teach them a lesson” or extract revenge.

Answer 71

Organized crime most commonly conducts cyber-attacks for their personal financial gain. This is exemplified by activities such as fraud, ransom attacks, and theft of credit card data. Once the threat actor has your information, they can sell it or use it for fraudulent purposes.

Answer 72

A smurf attack is a combination of Internet Protocol (IP) spoofing and the saturation of a network with Internet Control Message Protocol (ICMP) messages. To initiate a smurf attack, a hacker sends ICMP messages from a computer outside a network with a spoofed IP address of a computer inside the network. The ICMP message is broadcast on the network, and the hosts on the network attempt to reply to the spurious ICMP message. A smurf attack causes a denial-of-service (DoS) on a network because computers are busy responding to the ICMP messages. The IP spoofing part of a smurf attack can be countered by configuring a router to ensure that messages with IP addresses inside the network originate on the private network side of the router.

Answer 73

A SYN flood attack occurs when an attacker exploits the three-packet Transmission Control Protocol (TCP) handshake. A SYN flood attack is a type of denial-of-service (DoS) attack.

Answer 74

A rootkit is a collection of programs that grants a hacker administrative access to a computer or network. The hacker first gains access to a single system, and then uploads the rootkit to the hacked system. An example of a rootkit is a system-level kernel module that modifies file system operations. If a server dedicated to the storage and processing of sensitive information is compromised with a rootkit and sensitive data was exfiltrated, you should wipe the storage, reinstall the OS from original media, and restore the data from the last known good backup.

Answer 75

Authentication refers to the process of verifying the identity of users. Authentication technologies that you need to understand include the following: Tokens – a small device that generates time-sensitive passwords Common access cards – similar to smart cards and are used by the U.S. federal government for active-duty military personnel Smart cards – small plastic cards that contains authentication information Multifactor authentication – when multiple authentication factors are used to authenticate a user.

Answer 76

For the Security+ exam, you must understand the following authentication factors: something you are, something you have, and something you know. You also need to understand two additional authentication attributes: somewhere you are and something you do.

Answer 77

TOTP – A time-based one-time password is an extension of the HOTP that is modified to support a time-based moving factor. If an organization introduces token-based authentication to system administrators due to risk of password compromise, and the tokens have a set of numbers that automatically change every 30 seconds, TOTP is being used.

Answer 78

HOTP – An HMAC one-time password is an algorithm that is used to generate a password that is used once. HOTP stands for HMAC-based One-Time Password. It is a one-time password (OTP) algorithm based on HMAC (Hash-based Message Authentication Code). HOTP is used for generating a short-lived password that is valid for only one authentication session or transaction, enhancing security by ensuring that passwords cannot be reused or intercepted for future use.

Answer 79

CHAP – Challenge Handshake Authentication protocol is an authentication protocol that validates the identity of the remote user.

Answer 80

PAP – Password Authentication protocol is an authentication protocol that uses a password.

Answer 81

Single sign-on – an authentication technology that allows a user to log in once and be granted access to different systems configured as part of the network

Answer 82

Implicit deny – when a user inherits a deny permission based on his membership is a group or role

Answer 83

Authorization allows users to access resources. Authorization is typically applied to a user account after a user is authenticated on a network.

Answer 84

Trusted OS – an operating system that provides support for multilevel security

Answer 85

Least privilege – This principle ensures that users are granted only those permissions they need to do their work

Answer 86

Separation of duties – This principle ensures that tasks are divided between users to ensure that one user cannot commit fraud.

Answer 87

Access Control List (ACL) – Access control lists are configured to control permissions to resources.

Answer 88

Time of day restrictions – This method configures the time(s) and day(s) that users are allowed to access resources. In some cases, this policy also allows administrators to configure the location from which the user can log in.

Answer 89

Authentication, authorization, and accounting (AAA) is a term for controlling access to computer resources using authentication, enforcing policies using authorization, and auditing usage and providing the information necessary to bill for services using accounting.

Answer 90

Resource reuse vulnerability is often associated with cloud computing. In cloud computing, a resource such as memory, a file or an application may be used by multiple customers. When the customer is finished with the item they are using, such as memory, the cloud provider should sanitize it by writing all zeroes to the memory. Doing so ensures that when the next customer uses the memory, that memory does not have any trace data from the previous customer. Failure to sanitize the memory during the transition from one customer to another introduces the possibility of a resource reuse vulnerability.

Answer 91

Email is estimated to be responsible for more than 90% of all attacks. All it takes is one unsuspecting user to open the wrong attachment, or click on a bogus link, to compromise the organization. There are several varieties of email attacks, such as phishing, spear phishing, whaling, and others. Spear phishing targets a specific individual, while whaling targets a high-level person (typically C-level) in the organization. Some methods of preventing email attacks include blocking messages from senders with bad domain reputations, throttling or blocking messages from known bad IP addresses, using email authentication to ensure that senders are authorized, and bulk filtering of user mailboxes.

Answer 92

Typo-squatting, also known as URL hijacking, relies on mistakes made by users when they input web addresses. Another type of URL hijacking involves replacing the source behind a link in a search engine index and redirecting to a false URL.

Answer 93

A URL hijacking, or typo-squatting, attack relies on mistakes made by users when they input Web addresses. Another type of URL hijacking involves replacing the source behind a link in a search engine index and redirecting to a false URL.

Answer 94

A watering hole attack occurs when an attacker profiles victims to discover the sites they visit. The attacker then accesses the most commonly accessed sites for vulnerabilities. Once a vulnerability is discovered, the attacker then compromises the site and redirects users to an alternative site that will infect the computers of users who access this alternative site. This attack may also be called a waterhole attack.

Answer 95

You should deploy a virtual local area network (VLAN). This type of network can be used to ensure that Internal access to other parts of the network is controlled and restricted. A VLAN is usually created using a switch. VLAN segregation protects each individual segment by isolating the segments. VLAN segregation is best used to prevent ARP poisoning attacks across a network. VLANs provide a layer of protection against sniffers and can decrease broadcast traffic. Creating a VLAN is much simpler than using firewalls or implementing a virtual private network (VPN). A VLAN is a good solution if you need to separate two departments into separate networks. VLAN management is implemented at the switch to configure the VLANs and the nodes that are allowed to participate in a particular VLAN. You can configure a switch to allow only traffic from computers based upon their physical (MAC) address.

Answer 96

Intranet – a network connection within an organization that is designed for business-to-employee communication. Wireless – a network connection that allows personnel and guests to connect without using wires. Guest – a network that is set aside for guest usage that is usually isolated from the Internal network and given limited connection capabilities. Honeynet – a set of honeypots that appear to be attractive targets but are actually traps for attackers. Network address translation (NAT) – a technology that allows resources that are using private IP addresses to communicate with the Internet through the NAT device and using a single public IP address. Ad hoc – a network that consists of a group of devices communicating wirelessly without a wireless access point.

Answer 97

Physical – a type of segmentation whereby different segments of the network are separated by physical devices, such as routers and firewalls. Logical (VLAN) – a type of segmentation whereby different segments of the network are virtually separated using a switch. Virtualization – a type of isolation whereby multiple guest machines reside on a single physical computer. Air gaps – an isolation technique whereby a computer is not connected to any network to prevent security issues, or an IoT device is prevented from connecting to external networks.

Answer 98

Nation-state / Advanced Persistent Threat (APT) attacks would most likely have the most resources available. These attacks are conducted by one nation upon another, or upon a significant entity within the target country, with large sophisticated attacks. APTs have attackers who have very significant amounts of time and funding resources. Motives could be financial, political, disruption of the economy, or theft of intellectual property, such as military secrets. They are a highly skilled group of attackers that keep their presence hidden so that they can continually exploit their targets and launch layered attacks, known as establishing a foothold.

Answer 99

Unskilled attackers (sometimes referred to as script kiddies) typically rely on tools that are widely available on the Internet. They are often motivated by the thrill of the chase and by the need to prove that they can do it. For the most part, they have limited time and financial resources.

Answer 100

Another way to detect a threat actor attribute is to use open-source intelligence. There are several websites and tools available to assist you. One is ThreatCrowd (www.threatcrowd.org), which allows you to examine several types of attacks. Another website is https://openphish.com, which gives you the most current information on phishing attacks. To summarize the attributes of the various threat actors that you should know for the SY0-701 exam: Internal or external – Attackers can come from within a target organization, making the threat actor Internal. Nation/states, by contrast, would be external threat actors. Level of sophistication – Script kiddies are typically the least sophisticated, whereas nation/states would be the most sophisticated. Resources and funding – Nation/states would have the most time, resources, and funding, followed by organized crime. Script kiddies would have the least resources available. Intent and motivation – The intent of a script kiddie might be to simply prove that they can do it, whereas the intent and motivation of a hacktivist could be a moral or political issue.

Answer 101

A terrorist attack is most likely a politically motivated threat. A terrorist attack is usually an attack against a particular country’s view from a group that opposes the philosophical or political beliefs of that country. Often, a particular group takes credit for a terrorist attack. Politically motivated threats include strikes, riots, civil disobedience, and terrorist attacks.

Answer 102

Supply system threats include power outages, communications interruptions, and water and gas interruption.

Answer 103

Buffer overflow – an attack that occurs when an application receives more data than it is programmed to accept Cross-site scripting (XSS) – an attack that allows code injection by hackers into the Web pages viewed by other users Session hijacking – an attack that occurs when user validation information is stolen and used to establish a connection Zero-day attack – an attack that occurs on the day when an application vulnerability has been discovered

Answer 104

The attacker used pretexting and impersonation to commit physical social engineering. Pretexting (when referring to social engineering) is inventing a scenario that will engage the victim and provide the attacker with an excuse to be in the area. Impersonation is pretending to be an employee, vendor, IT help desk staff, delivery driver, or other individual with some level of legitimate access. Impersonation can occur on the phone or in person. In this scenario, the guard should have asked an employee inside the building to verify that an authorized work crew was on the grounds. While this was an impersonation, it was not identity fraud. Identity fraud is stealing a specific individual’s PII or credentials to commit financial fraud, elicit information, gain access to confidential records, or penetrate a network. Impersonation is generic, while identity fraud is specific. The attacker did not elicit information. Eliciting information is tricking the victim into revealing sensitive information, like shift times and manned desk hours, through friendly conversation. An influence campaign is a multi-actor attack that uses social media accounts to post inflammatory rhetoric and unsubstantiated or fake news stories. The goal of the disinformation is to cause political, social, and economic instability in the target. Influence campaigns are usually conducted by APTs and hostile nation-states. Physical social engineering uses in-person techniques to gather confidential information or gain access. Other human vector or physical social engineering tricks are dumpster diving, shoulder surfing, tailgating / piggybacking, and reconnaissance. Remember that in the CompTIA objectives, reconnaissance can mean visiting a target to observe security controls in person, but it can also refer to digital and remote intelligence gathering techniques using OSINT and automated tools.

Answer 105

The file server has become the victim of a denial-of-service (DoS) attack. Because multiple routers and servers are involved in the attack, a distributed DoS (DDoS) attack has actually occurred. A DDoS attack usually involves the hijacking of several computers and routers to use as agents of the attack. Multiple servers and routers involved in the attack often overwhelm the bandwidth of the attack victim. For example, if a server has intermittent connection issues, the logs show repeated connection attempts from the same IP addresses, and the attempts are overloading the server to the point it cannot respond to traffic, then the server is experiencing a DDoS attack.

Answer 106

Privilege escalation usually occurs by logging in to a system using your valid user account and then finding a way to access files that you do not have permission to access. This often involves invoking a program that can change your permissions, such as Set User ID (SUID) or Set Group ID (SGID) or invoking a program that runs in an administrative context. There are several methods of dealing with privilege escalation, including using least privilege accounts, privilege separation, and so on. Privilege escalation can lead to denial-of-service (DoS) attacks. An example of privilege escalation is gaining access to a file you should not access by changing the permissions of your valid account. Privilege escalation is also a concern for users with administrative-level accounts. If a user needs administrative-level access, the user should be given two user accounts: one administrative-level account and one regular user account. The user should use the regular user account for most activities and use the administrative-level account only to perform administrative duties.

Answer 107

Backdoors are hidden applications that vendors create to ensure that they are able to access their devices. After installing new devices or operating systems, you need to ensure that all backdoors and default passwords are either disabled or reset. Often, hackers first attempt to use such backdoors and default passwords to access new devices.

Answer 108

A man-in-the-middle attack occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver.

Answer 109

An evil twin is an access point with the same SSID as the legitimate access point. It is a special type of unauthorized access point.

Answer 110

A rogue access point is an unauthorized access point that allows access to a secure network. Performing a site survey is the best way to discover rogue access points. Discovering a large number of unauthorized wireless connections in a particular area is a sign of a rogue access point.

Answer 111

An IV attack is cracking the WEP secret key using the initialization vector (IV). An IV attack involves interception of authentication traffic in an attempt to gain unauthorized access to a wireless network.

Answer 112

Another consideration in wireless networks is interference or jamming. If an organization implements multiple wireless access points, the organization must ensure that the access points do not interfere with each other. This can be accomplished in one of two ways: deploy the access points on different channels within the frequency or decrease the power level of the access point. Also, some electronic devices can cause interference with access points. Often, just moving the wireless access point can fix the issue.

Answer 113

Business email compromise is an attack that exploits the name and/or position of a high-ranking executive within the organization. The attacker will impersonate the executive in an email to the victim, typically an employee in the organization, asking them to perform tasks. One of the most common examples asks an employee to purchase dozens of gift cards.

Answer 114

Brand impersonation, also known as brand spoofing, is a type of phishing attack. Attackers will use a legitimate company’s assets, such as logos, banners, and images, to make it appear as though the email is coming from the legitimate company. The attackers may also create a fake website that mimics the legitimate website. As an example, the attacker creates a fake website that looks like a legitimate banking website. The attacker then sends an email to users asking them to log in to their account by clicking on the link to the fraudulent website. When the user enters their login credentials, the attacker can steal their information and use it for fraudulent purposes.

Answer 115

Misinformation and disinformation are types of influence campaigns designed to swing public opinion in a certain direction. Misinformation is the spread of incorrect information, usually because the initial facts were incorrect or misunderstood, without the intent to deceive. Disinformation is crafting and spreading deliberately inaccurate or false information with the intent to deceive.

Answer 116

Competition attacks are the modern version of industrial espionage. Theft of intellectual property, marketing plans, and customer lists are all examples that can have devastating effects on the targeted organization. Even stealing the victim company's credit card list can have a severe economic impact on that company. Often, the attacking company will find a disgruntled individual in the subject company to carry out the attack.

Answer 117

A cloud access security broker (CASB) enforces proper security measures between a cloud solution and a customer organization. A CASB monitors user activities, notifies administrators about significant events, performs malware prevention and detection, and enforces compliance with security policies.

Answer 118

A secure web gateway (SWG) is a cloud-based web gateway that combines features of a Next-generation Firewall (NGFW) and a Web Application Firewall (WAF). SWG provides an ongoing update to filters and detection databases and is designed to provide filtering services between cloud-based resources and on-premises resources. SWG uses standard WAF functions, TLS decryption, CASB functions, sandboxing features, and threat detection functions to protect enterprises from the ever-evolving cloud-based risks and attacks.

Answer 119

Pharming – Web browser Phishing – Email Spimming – Social networks Vishing, Smishing – Mobile phone

Answer 120

A spraying attack is not a cryptographic attack, but rather a type of brute-force password attack. A spraying attack has a couple of different forms. It may use a common or default password for an organization and test that against multiple accounts. “P@$$w0rd” is often used as a secure password, and in a larger organization, you are likely to find an account that uses this password. Another form would be to use a variation of a company’s slogan against a user list.

Answer 121

A collision attack is a cryptographic attack that combines brute force attacks, each with a different input, to produce the same hash value.

Answer 122

A downgrade attack is a cryptographic attack that causes the system to use less-stringent security controls. When these less-stringent (downgraded) security controls, typically insecure protocols, are activated, the attacker takes advantage of those less-than-secure settings. An example would be an attack that disables HTTPS port 443. In order for web traffic to go through, HTTP port 80 is enabled. HTTP is less secure protocol than HTTPS, and the attacker exploits HTTP.

Answer 123

A birthday attack is a type of cryptographic attack. A birthday attack is named after the mathematical probability that two people in the same network have the same birthday.

Answer 124

RFID cloning is the process of creating a copy of an RFID card or key fob that grants access to a facility. RFID cards contain a small chip that contains data about the holder of the card, such as their name, company role, and authorization to enter facilities. These cards use short-range radio waves to send this data to readers, which then use the card as a “key” to open doors. Hackers can clone these cards by using a card reader within reading distance of a card, and they can snag the data that is loaded on the chip remotely. This data can then be copied over to a blank card, and the hacker can essentially pose as a legitimate actor and use their RFID copy to go anywhere the real employee can. A practical example of RFID cloning is when a hacker gains access to a facility by cloning an employee's RFID card. The hacker can then move around the facility undetected and access sensitive areas. To prevent such attacks, businesses can leverage other forms of security hardware to fully protect their premises and maintain authorized access control. For example, a CCTV camera pointed at the card reader can detect and record any tampering by a hacker trying to install a skimmer. Likewise, cameras that have a field of vision over the approach to the front door reader can pick up on suspicious behavior, like a person with a bag trying to get within RFID-reading distance of employees and linger there.

Answer 125

The attacks and their mitigations should be matched in the following manner: Cross-site request forgery (CSRF) – Validate both the client and server side. Cross-site scripting (XSS) – Implement input validation. Session hijacking – Encrypt communications between the two parties. Malicious add-ons – Implement application allow lists. It is important that you understand application attacks and how to prevent them.

Answer 126

DNS poisoning is the practice of dispensing IP addresses and host names with the goal of traffic diversion. Properly configured DNS security (DNSSEC) on the DNS server can provide message validation, which, in turn, would prevent DNS poisoning.

Answer 127

ARP poisoning is similar to DNS poisoning. In this attack, a malicious actor sends falsified ARP messages over a local area network. In a domain hijacking attack, the registration of a domain name is changed without the permission of the original registrant.

Answer 128

A collision attack or a birthday attack combines brute force attacks, each with a different input, to produce the same hash value. When two separate inputs create the same hash value, it is called a collision. A birthday attack is named after the mathematical probability that two people in the same network have the same birthday.

Answer 129

In a replay attack, the attacker sends the victim a previously accepted frame, such as one that includes a cryptographic key that has been sniffed by the attacker. The victim believes he is still in a valid communication, but the communication has been intercepted and exploited.

Answer 130

Memory injection is the primary goal of buffer overflow attacks. Buffer overflows attempt to put more information than can fit into an allocated area of memory. With memory injection, the attacker inserts malicious code into program memory. The computer then executes that malicious code as part of the program.

Answer 131

An SQL injection is an example of improper input handling, and the impact can include data destruction or unfettered access to the database. Inputs should be checked for common SQL injection symbols. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges.

Answer 132

A cross-site scripting (XSS) attack occurs when an attacker locates a vulnerability on a website that allows the attacker to inject malicious code into a web application. A persistent XSS attack occurs when data provided to the web application is first stored persistently on the server and later displayed to users without being encoded using HTML on the web client. A non-persistent XSS attack occurs when data provided by a web client is used immediately by server-side scripts to generate results for that user. XSS flaws occur every time an application takes user-supplied data and sends it to a web browser without first confirming or encoding the data.

Answer 133

You could use a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.

Answer 134

In a directory or path traversal attack, an attacker uses the application to access the file system below. Usually, this means figuring out where the application has access and then jumping out of that folder into other folders on the system using commands. ../

Answer 135

Steganography is typically used in image-based attacks, but can also be used with audio and video files. Steganography works by embedding messages or malicious code within images. The large size of these files makes it difficult to find the embedded data, unless you know exactly where to look and what to look for. This allows the attacker to transmit while “hiding in plain sight.”

Answer 136

A file-based threat vector is a type of cyberattack conducted via executable files on a computer or network. Attackers can use this method to gain unauthorized access to sensitive data, install malware, or cause other types of damage. For example, an attacker might send an email with an attachment that contains malicious code. When the user opens the attachment, the code executes and infects the computer with malware. Other examples of file-based threat vectors include downloading files from untrusted sources, using outdated software, and opening files from unknown sources. File-based threat vectors inject malicious code into what would seem to be a harmless file. Typical targets are spreadsheets and document files. One example of this type of malicious code is a macro.

Answer 137

Removable device exploitation can occur with USB drives or external hard drives. Attackers can use this method to load malware onto systems to launch cyber-attacks, with the aim of stealing sensitive information and causing system failures. For example, an attacker might leave a USB drive in an organization’s parking lot or send it as a gift to a target. Once the user inserts the device into their computer, the malware on the device can spread to other removable media or network drives, infecting the entire system.

Answer 138

Client-based attacks and agentless attacks are used against vulnerable software. Client-based attacks exploit vulnerabilities within software running on a computer or mobile device. An example could be a vulnerability within a web browser that allows an attacker to install malware on the computer. Agentless attacks use web applications and services to acquire information from a computer or mobile device. The acquisition can occur without the need of a software installation on the device.

Answer 139

Default credentials are a common threat vector, but it primarily targets hardware devices like routers and wireless access points. Someone will configure a device, such as a new router, and forget to change the default credentials used for setup. These credentials rarely change by brand, and a list of default credentials for many devices can be found at https://www.softwaretestinghelp.com/default-router-username-and-password-list/.

Answer 140

A SQL injection affects a database. In this type of attack, the interface is expecting a user to enter data, but the interface is not properly designed to only allow a specific data type. A malicious user can enter SQL code.

Answer 141

Command injection allows users to gain access to restricted directories. If an operating system command, such as rm -rf /etc/password, is submitted in an HTML string, a command injection (or directory traversal) attack has occurred. Command injection is also referred to as directory traversal.

Answer 142

XML injection occurs when a user enters values in an XML query that takes advantage of security loopholes.

Answer 143

LDAP injection occurs when a user enters values in an LDAP query that takes advantage of security loopholes.

Answer 144

Header manipulation – This attack occurs when a hacker is able to manipulate a packet header to deface, hijack, or poison the packet.

Answer 145

Malicious add-ons – This is an application add-on that a user adds for a particular functionality, but in reality serves as a way for a hacker to create a security breach.

Answer 146

Clickjacking involves putting a transparent button over an existing button (or image) on a web page. When the victim clicks the button, instead of going to the website they intended, they are routed to a different site where the attacker captures personal information. Amplification attacks are often part of a DDoS attack, usually associated with UDP protocols. The goal of this attack is to turn a simple query, such as DNS or NTP, into a flood of responses that overwhelms the victim's network resources.

Answer 147

Pass the hash attacks exploit authentication protocol weaknesses, where the password hash remains the same between sessions until the password value changes.

Answer 148

Driver manipulation attacks change the information provided to a device driver. This results in the driver not being used at all or performing with unexpected results.

Answer 149

Shimming is a form of driver manipulation. An API library is created that changes the arguments (parameters) passed to the driver, bypasses the driver, or has the API deal with the driver operation.

Answer 150

Refactoring identifies the flow within an application's code and changes the code without changing how the code appears to function. This is often used to identify exploitation opportunities in a weak area of an application's code.

Answer 151

An SQL injection is an example of improper input handling, and the impact can include data destruction or unfettered access to the database. Inputs should be checked for common SQL injection symbols. Other examples of improper input handling include failure to validate the type of data in an input field, the length of the data, and proper date ranges. Improper error handling could allow an attacker to crash a program. Error checking should be built into every module or code function. An error should not result in a crashed application, but rather generate an error message. Misconfiguration or weak configuration can have a severe impact. For example, a user who (for convenience) selects weak or minimal security settings on a browser may impact the security of the entire organization. Misconfiguration, such as not changing the administrative username or password, can also have a significant impact. Systems and components, such as routers, should never be deployed with the default configuration enabled. As an example, many SOHO users are thrilled that they got their new wireless network to finally communicate "out of the box." As a result, they do not change the default administrator information, leaving their network wide open for attack.

Answer 152

Wearable technology transmits data via Wi-Fi or Bluetooth to a host device, and as such is subject to data interception and attack. In addition to being subject to attack, wearable devices such as voice recorders, video recorders, and hidden cameras can also be used by an attacker to gain information. UAVs operate far beyond the range of Wi-Fi and Bluetooth. Unmanned Aerial Vehicles (UAVs) or drones are controlled remotely, which is an inherent security risk. Aircraft/UAVs have multiple embedded systems, ranging from navigation to fuel control and ordnance delivery. Significant security systems must be incorporated to prevent these airborne vehicles from being compromised. Medical devices transmit via wired connections, Wi-Fi, Bluetooth, or radio frequency (RF) signals established by the Wireless Medical Telemetry Service (WMTS) within the specific frequency bands allocated to medical devices. Medical devices can be manipulated to report false data, resulting in harm to the patient. They can also be manipulated to provide the wrong level of service to a patient, such as the flaw that was announced by the FDA with pacemakers whereby unauthorized users could manipulate the heartbeat rate or cause the battery to drain at a faster rate. Automobiles with embedded technology are susceptible to hackers, but they usually use satellite or cellular communication. As an example, an air pressure sensor on a tire can be manipulated to show a low-pressure alert. When the consumer fills the tire sufficiently so that the alert stops, the tire is now overinflated. This can cause the tire to explode at highway speeds. Recently, security professionals have even demonstrated hacking into an automobile and driving it.

Answer 153

System processes provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness, to name a few. A Security Operations Center (SOC) operates 24x7 to maintain the organization’s security posture. The abovementioned system processes provide the guidelines that the SOC uses for its operations. The Windows registry is a database that contains all the application settings and current configuration parameters for the hardware and software on a Windows system. Each machine running a Windows OS has a registry that contains keys (which identify applications, processes, hardware) and values (specific configuration data related to the key). For example, if a key was related to a printer, values associated with the key could include printing orientation, print history, default paper tray, and default paper size. Logging levels are classifications that indicate the severity or urgency of the logged event. Common logging levels include Emergency, Alert, Critical, Error, Warning, Notice, and Debug. System hardening increases the security of a server or a computer system by reducing vulnerabilities and the attack surface. Examples of system hardening activities include removing unnecessary software, closing down ports, and adjusting permissions. Other important operating system (OS) concepts include the location of configuration files and hardware architecture in Windows and Linux. The Windows OS uses the registry database for storing all configuration settings. In Linux, each application and process have its own configuration file. The Linux file structure uses the /etc/ directory for configuration file locations. Hardware architecture is also an important concept. If the hardware is not secure, it would be very difficult to build secure applications and databases and to have high availability. Physical access to critical hardware, such as servers, routers, wireless access points, and network switches, is often overlooked. It is not uncommon that administrative passwords are set to the default, firmware does not get updated, and encryption is not adequate for the device.