Threats, Attacks, and Vulnerabilities (3) Flashcards
You are performing a penetration test of your company’s network. As part of the test, you will be given a login with minimal access and will attempt to gain administrative access with this account. What is this called?
Privilege escalation
Session hijacking
Root grabbing
Privilege escalation
The term for attempting to gain any privileges beyond what you have is privilege escalation
Mary has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Mary discovered?
Buffer overflow
Logic bomb
Race conditions
Race conditions
This is a classic definition of a race condition: when multiple threads in an application are using the same variable and the situation is not properly handled
An attacker is trying to get access to your network. He is sending users on your network a link to a freeware stock-monitoring program. However, that stock-monitoring program has attached to it software that will give the attacker access to any machine that it is installed on. What type of attack is this?
Rootkit
Trojan horse
Spyware
Trojan horse
This is a classic example of a Trojan horse
Acme Company uses its own internal certificate server for all internal encryption. However, their certificate authority only publishes a CRL once per week. Does this pose a danger, and if so what?
Yes, this means a revoked certificate could be used for up to seven days.
No, this is standard for all certificate authorities.
Yes, this means it would be easy to fake a certificate.
Yes, this means a revoked certificate could be used for up to seven days.
If a certificate is revoked, it can be used until the new certificate revocation list is published
When a program has variables, especially arrays, and does not check the boundary values before inputting data, what attack is the program vulnerable to?
XSS
CSRF
Buffer overflow
Buffer overflow
A buffer overflow is possible when boundaries are not checked and the attacker tries to put in more data than the variable can hold
Which of the following best describes malware that will execute some malicious activity when a particular condition is met (i.e., if condition is met, then execute)?
Boot sector virus
Logic bomb
Buffer overflow
Logic bomb
This is the definition of a logic bomb
Gerald is a network administrator for Acme Company. Users are reporting odd behavior on their computers. He believes this may be due to malware, but the behavior is different on different computers. What might best explain this?
It is a boot sector virus.
It is a macro virus.
It is a polymorphic virus.
It is a polymorphic virus.
A polymorphic virus changes from time to time, and that would explain the different behavior on different computers
Teresa is a security officer at ACME Inc. She has discovered an attack where the attacker sent multiple broadcast messages to the network routers, spoofing an IP address of one of the network servers. This caused the network to send a flood of packets to that server and it is no longer responding. What is this attack called?
Smurf attack
DDoS attack
TCP hijacking attack
Smurf attack
This is the definition of a Smurf attack
Which type of virus is able to alter its own code to avoid being detected by antivirus software?
Boot sector
Hoax
Polymorphic
Polymorphic
Polymorphic viruses periodically change their signature or even their code
Gerald is a network administrator for a small financial services company. Users are reporting odd behavior that appears to be caused by a virus on their machines. After isolating the machines that he believes are infected, Gerald analyzes them. He finds that all the infected machines received an email purporting to be from accounting, with an Excel spreadsheet, and the users opened the spreadsheet. What is the most likely issue on these machines?
A macro virus
A boot sector virus
A Trojan horse
A macro virus
This is the definition of a macro virus
Fred is on the incident response team for a major insurance company. His specialty is malware analysis. He is studying a file that is suspected of being a virus that infected the company network last month. The file seems to intermittently have bursts of malicious activity, interspersed with periods of being dormant. What best describes this malware?
A macro virus
A logic bomb
A sparse infector virus
A sparse infector virus
The intermittent burst of malicious activity is the definition of a sparse infector virus
What is the term used to describe a virus that can infect both program files and boot sectors?
Polymorphic
Multipartite
Stealth
Multipartite
Multipartite viruses combine boot sector with file infection
Your company has hired an outside security firm to perform various tests of your network. During the vulnerability scan you will provide that company with logins for various systems (i.e., database server, application server, web server, etc.) to aid in their scan. What best describes this?
A white-box test
A privileged scan
An authenticated user scan
A privileged scan
By giving the tester logins, you are allowing him to conduct a privileged scan (i.e., a scan with some privileges)
Which of the following is commonly used in a distributed denial of service (DDoS) attack?
Phishing
Adware
Botnet
Botnet
Botnets are often used to launch DDoS attacks, with the attack coming from all the computers in the botnet simultaneously
You are investigating a recent breach at Acme Company. You discover that the attacker used an old account of someone no longer at the company. The account was still active. Which of the following best describes what caused this vulnerability to exist?
Improperly configured accounts
Untrained users
Using default configuration
Improperly configured accounts
Accounts should be configured to expire. If this had occurred, then the account would no longer be active
Juan is responsible for incident response at a large financial institution. He discovers that the company WiFi has been breached. The attacker used the same login credentials that ship with the wireless access point (WAP). The attacker was able to use those credentials to access the WAP administrative console and make changes. Which of the following best describes what caused this vulnerability to exist?
Improperly configured accounts
Untrained users
Using default configuration
Using default configuration
This is a classic example of the problem with default configurations.
Elizabeth is investigating a network breach at her company. She discovers a program that was able to execute code within the address space of another process by using the target process to load a specific library. What best describes this attack?
Logic bomb
Buffer overflow
DLL injection
DLL injection
In a DLL injection, the malware forces the target process to load a library of the attacker's choosing, so that the attacker's code executes within that process's address space. This is a rather advanced attack
Zackary is a malware investigator with a cybersecurity firm. He is investigating malware that is able to compromise a target program by finding null references in the target program and dereferencing them, causing an exception to be generated. What best describes this type of attack?
Buffer overflow
Memory leak
Pointer dereference
Pointer dereference
This is the definition of pointer dereferencing. It is a somewhat obscure and sophisticated attack on a target program
Frank has just taken over as CIO of a mid-sized insurance company. One of the first things he does is order a thorough inventory of all network equipment. He discovers two routers that are not documented. He is concerned that if they are not documented, they might not be securely configured, tested, and safe. What best describes this situation?
Poor user training
System sprawl
Failure to patch systems
System sprawl
System sprawl occurs when a system grows and there are devices on the system that are not documented
What is the primary difference between an intrusive and a nonintrusive vulnerability scan?
An intrusive scan is a penetration test.
A nonintrusive scan is just a document check.
An intrusive scan could potentially disrupt operations.
An intrusive scan could potentially disrupt operations.
An intrusive scan could possibly cause some disruption of operations. For this reason, it should be conducted outside normal business hours
Daryl is investigating a recent breach of his company’s web server. The attacker used sophisticated techniques and then defaced the website, leaving messages that were denouncing the company’s public policies. He and his team are trying to determine the type of actor who most likely committed the breach. Based on the information provided, who was the most likely threat actor?
A nation-state
Organized crime
Hacktivists
Hacktivists
The fact that the website is defaced in a manner related to the company’s public policies is the definition of hacktivism
When investigating breaches and attempting to attribute them to specific threat actors, which of the following is not one of the indicators of an APT?
Long-term access to the target
Sophisticated attacks
The attack comes from a foreign IP address.
The attack comes from a foreign IP address.
While you might suppose that a nation-state attacker (the usual attacker behind an advanced persistent threat) would attack from a foreign IP address, they often use a compromised address in the target country as a base for attacks
What type of attack uses a second wireless access point (WAP) that broadcasts the same SSID as a legitimate access point, in an attempt to get users to connect to the attacker’s WAP?
Evil twin
IP spoofing
Trojan horse
Evil twin
The terms evil twin and rogue access point both refer to fake access points that broadcast what appear to be legitimate SSIDs
You are investigating a breach of a large technical company. You discover that there have been several different attacks over a period of a year. The attacks were sustained, each lasting several weeks of continuous attack. The attacks were somewhat sophisticated and originated from a variety of IP addresses, but all the IP addresses are within your country. Which threat actor would you most suspect of being involved in this attack?
Nation-state
Hacktivist
Script kiddie
Nation-state
The fact that the IP addresses are within your country might make you discard the nation-state attacker, but it is common for nation-state attackers to use compromised IP addresses in the target country from which to attack. The other symptoms—a sophisticated attack, over time—are hallmarks of nation-state attackers
Which of the following best describes a zero-day vulnerability?
A vulnerability that has been known to the vendor for zero days
A vulnerability that has not yet been breached
A vulnerability that can be quickly exploited (i.e., in zero days)
A vulnerability that has been known to the vendor for zero days
This is the definition of a zero-day attack
You have discovered that there are entries in your network’s domain name server that point legitimate domains to unknown and potentially harmful IP addresses. What best describes this type of attack?
A backdoor
An APT
DNS poisoning
DNS poisoning
This is the definition of DNS poisoning
What best describes an attack that attaches some malware to a legitimate program so that when the user installs the legitimate program, they inadvertently install the malware?
Backdoor
Trojan horse
RAT
Trojan horse
This is, in fact, the definition of a Trojan horse
Which of the following best describes software that will provide the attacker with remote access to the victim’s machine, but that is wrapped with a legitimate program in an attempt to trick the victim into installing it?
RAT
Backdoor
Trojan horse
RAT
A remote access Trojan (RAT) is malware that gives the attacker remote access to the victim machine
Which of the following is an attack that seeks to attack a website, based on the website’s trust of an authenticated user?
XSS
CSRF
Buffer overflow
CSRF
Cross-site request forgery sends forged requests to a website, supposedly from a trusted user
John is analyzing what he believes is a malware outbreak on his network. Many users report their machines are behaving strangely. The anomalous behavior seems to occur sporadically and John cannot find a pattern. What is the most likely cause?
APT
Boot sector virus
Sparse infector virus
Sparse infector virus
Sparse infector viruses perform their malicious activity sporadically