Threats, Attacks, and Vulnerabilities (4) Flashcards
Farès is the CISO of a bank. He has received an email that is encouraging him to click on a link and fill out a survey. Being security conscious, he normally does not click on links. However, this email calls him by name and claims to be a follow-up to a recent conference he attended. Which of the following best describes this attack?
Clickjacking
Spear phishing
Whaling
Whaling
This is a classic example of whaling, phishing that targets a specific individual
You are responsible for technical support at your company. Users are all complaining of very slow Internet connectivity. When you examine the firewall, you find a large number of incoming connections that are not completed, all packets coming from a single IP address. What best describes this attack?
DDoS
SYN flood
Buffer overflow
SYN flood
Large numbers of half-open connections are the hallmark of a SYN flood
An attacker is trying to get malformed queries sent to the backend database to circumvent the web page’s security. What type of attack depends on the attacker entering text into text boxes on a web page that is not normal text, but rather odd-looking commands that are designed to be inserted into database queries?
SQL injection
Clickjacking
Cross-site scripting
SQL injection
SQL injection places malformed SQL into text boxes
Tyrell is responsible for selecting cryptographic products for his company. The company wants to encrypt the drives of all laptops. The product they have selected uses 128-bit AES encryption for full disk encryption, and users select a password to decrypt the drive. What, if any, would be the major weakness in this system?
None; this is a good system.
The 128-bit AES key is too short.
The passwords users select are the weak link.
The passwords users select are the weak link.
The user-selected password is always a weak link in hard drive encryption
Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What type of attack would this leave the application vulnerable to?
DoS
Backdoor
SQL injection
DoS
If an attacker can induce the web application to generate the memory leak, then eventually the web application will consume all memory on the web server, and the web server will freeze up
When a multithreaded application does not properly handle various threads accessing a common value, what flaw is this?
Memory leak
Integer overflow
Race condition
Race condition
This is the definition of a race condition
Acme Company is using smart cards that use near-field communication (NFC) rather than needing to be swiped. This is meant to make physical access to secure areas more secure. What vulnerability might this also create?
Tailgating
Eavesdropping
IP spoofing
Eavesdropping
Near-field communication (NFC) is susceptible to an attacker eavesdropping on the signal
John is responsible for physical security at a large manufacturing plant. Employees all use a smart card in order to open the front door and enter the facility. Which of the following is a common way attackers would circumvent this system?
Phishing
Tailgating
Spoofing the smart card
Tailgating
Tailgating involves simply following a legitimate user through the door once he or she has opened it
Which of the following is the term for an attack wherein malware inserts itself as a library, such as a DLL, between an application and the real system library the application is attempting to communicate with?
Jamming
Evil twin
Shimming
Shimming
This is the definition of shimming
You are responsible for incident response at Acme Corporation. You have discovered that someone has been able to circumvent the Windows authentication process for a specific network application. It appears that the attacker took the stored hash of the password and sent it directly to the backend authentication service, bypassing the application. What type of attack is this?
Hash spoofing
Shimming
Pass the hash
Pass the hash
This scenario is the definition of passing the hash
A user in your company reports that she received a call from someone claiming to be from the company technical support team. The caller stated that there was a virus spreading through the company and he needed immediate access to the employee’s computer to stop it from being infected. What social-engineering principles did the caller use to try to trick the employee?
Urgency and intimidation
Urgency and authority
Authority and trust
Urgency and authority
Claiming to be from tech support is claiming authority, and the story the caller gave indicates urgency
Ahmed has discovered that someone has manipulated tables in one of the company’s switches. The manipulation has changed the tables so that data destined for one specific MAC address will now be routed elsewhere. What type of attack is this?
ARP poisoning
DNS poisoning
Man-in-the-middle
ARP poisoning
This is the definition of ARP poisoning
You are investigating incidents at Acme Corporation and have discovered malware on several machines. It appears that this malware infects system files in the Windows/System32/ directory and also affects the boot sector. What type of malware is this?
Multipartite
Boot sector
Macro virus
Multipartite
This is a classic multipartite virus. It infects the boot sector, as well as an operating system file
What type of attack uses Bluetooth to access the data from a cell phone when in range?
Phonejacking
Bluejacking
Bluesnarfing
Bluesnarfing
Bluesnarfing accesses data on the cell phone
An attacker is using a table of precomputed hashes in order to try to get a Windows password. What type of technique is being used?
Dictionary
Brute force
Rainbow table
Rainbow table
A rainbow table is a table of precomputed hashes
Carlos works in incident response for a mid-sized bank. Users inform him that internal network connections are fine, but connecting to the outside world is very slow. Carlos reviews logs on the external firewall and discovers tens of thousands of ICMP packets coming from a wide range of different IP addresses. What type of attack is occurring?
Smurf
DoS
DDoS
DDoS
The fact that the attack is coming from multiple sources makes this a distributed denial of service
What type of attack is it when the attacker attempts to get the victim’s communication to abandon a high-quality/secure mode in favor of a lower-quality/less secure mode?
Downgrade
Brute force
Rainbow table
Downgrade
A downgrade attack is often used against secure communications such as TLS in an attempt to get the user to shift to less secure modes
What type of penetration test is being done when the tester is given extensive knowledge of the target network?
White-box
Full disclosure
Black-box
White-box
In a white-box test, the tester is given extensive knowledge of the target network
Your company is instituting a new security awareness program. You are responsible for educating end users on a variety of threats, including social engineering. Which of the following best defines social engineering?
Illegal copying of software
Gathering information from discarded manuals and printouts
Using people skills to obtain proprietary information
Using people skills to obtain proprietary information
Social engineering is about using people skills to get information you would not otherwise have access to
Which of the following attacks can be caused by a user being unaware of their physical surroundings?
ARP poisoning
Phishing
Shoulder surfing
Shoulder surfing
Shoulder surfing involves literally looking over someone’s shoulder in a public place and gathering information, perhaps login passwords
Francine is a network administrator for Acme Corporation. She has noticed that one of the servers is now unreachable. After carefully reviewing various logs, she discovers that a large number of broadcast packets were sent to the network router, spoofing the server’s IP address. What type of attack is this?
SYN flood
Buffer overflow
Smurf attack
Smurf attack
The sending of spoofed broadcast messages to the target network router is a Smurf attack
An attacker enters code into a text box on a website. That text box is used for product reviews. The attacker wants his code to execute the next time a visitor visits that page. What is this attack called?
SQL injection
Logic bomb
Cross-site scripting
Cross-site scripting
Cross-site scripting involves entering code (script) into a text field that will be displayed to other users
A user is redirected to a different website when the user requests the DNS record www.xyz.com. Which of the following is this an example of?
DNS poisoning
DoS
DNS caching
DNS poisoning
Putting false entries into the DNS records of a DNS server is DNS poisoning
Tom is the network administrator for a small accounting firm. As soon as he comes in to work, users report to him that they cannot connect to the network. After investigating, Tom discovers that none of the workstations can connect to the network and all have an IP address in the form of 169.254.x.x. What has occurred?
Man-in-the-middle attack
DDoS
DHCP starvation
DHCP starvation
IP addresses in the range of 169.254 are automatic private IP addresses (APIPA) and indicate the system could not get a dynamic IP address from the DHCP server. This is a typical symptom of DHCP starvation
Which of the following would most likely use a group of bots to stop a web server from accepting new requests?
DoS
DDoS
Buffer overflow
DDoS
Distributed denial-of-service (DDoS) attacks often use bots in a botnet to perform the attack
Which of the following would a former employee most likely plant on a server before leaving to cause disruption to the network?
Worm
Logic bomb
Trojan
Logic bomb
A logic bomb will perform its malicious activity when some condition is met, often a date or time. This is commonly done by disgruntled exiting employees
A SYN flood is a DoS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of a SYN flood attack is:
The source and destination port numbers having the same value
A large number of SYN packets appearing on a network without the corresponding ACK packets
A large number of SYN packets appearing on a network with the corresponding reply RST
A large number of SYN packets appearing on a network without the corresponding ACK packets
A correct three-way handshake involves the client sending a SYN packet, the server responding with SYN and ACK, and the client completing the handshake with an ACK. If you see a large number of SYN packets without the corresponding ACK, that is likely to be a SYN flood
What does white-box testing mean?
The tester has full knowledge of the environment.
The tester has no knowledge of the environment.
The tester has permission to access the system.
The tester has full knowledge of the environment.
In a white-box test, the tester has full or very nearly full knowledge of the system
Ahmed has been hired to perform a penetration test of Acme Corporation. He begins by looking at IP address ranges owned by the company and details of domain name registration. He also visits social media and newsgroups to see if they contain any sensitive information or have any technical details online. Within the context of penetration-testing methodology, what phase is Ahmed conducting?
Passive information gathering
Active information gathering
Initial exploitation
Passive information gathering
Passive information gathering involves using methods other than directly accessing the network to gather information. Social media and newsgroups are commonly used
Mary works for a large insurance company, on their cybersecurity team. She is investigating a recent incident and discovers that a server was breached using an authorized user’s account. After investigating the incident further, Mary believes that the authorized user logged on, and then someone else took over their session. What best describes this attack?
Man-in-the-middle
Session hijacking
Backdoor
Session hijacking
This is the definition of session hijacking