Threats, Attacks and Vulnerabilities Flashcards

1
Q

Malware

A

is a general term for malicious code of many kinds, including viruses, worms, Trojans, ransomware, and more.

2
Q

Logic Bomb

A

a string of code embedded in an application or script that executes in response to an event, such as when a specific application is launched or a specific date or time arrives

3
Q

Trojan

A

appears to be something useful but includes a malicious component, such as installing a backdoor on the user’s system. Trojans are disguised as something that entices the user to download them, such as a game, a utility, or free antivirus software.

4
Q

Ransomware

A

is a type of malware that takes control of a user’s system or data. Criminals then attempt to extort payment from the victim

5
Q

Rootkits

A

have system-level or kernel access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes.

6
Q

Watering Hole Attack

A

attempts to discover which web sites a group of people are likely to visit and then infects those web sites with malware that can infect the visitors. The attacker’s goal is to infect a web site that users trust already, making them more likely to download infected files

7
Q

Spear Phishing

A

attack targets specific groups of users. It could target employees within a company or customers of a company

8
Q

Whaling

A

phishing attempts that target high-level executives.

9
Q

Vishing

A

a form of phishing that uses the phone system or VoIP. Some vishing attempts are fully automated. Others start automated but an attacker takes over at some point during the call

10
Q

Privilege Escalation

A

after an initial compromise, attackers use various privilege escalation techniques to gain more and more privileges, for example moving from a standard user account to administrator or root access.

11
Q

IP Spoofing

A

the attacker changes the source address so that it looks like the IP packet originated from a different source.

12
Q

ARP poisoning

A

attacks send forged ARP replies to mislead systems about which MAC address belongs to an IP address. ARP poisoning is sometimes used in man-in-the-middle attacks.

13
Q

SYN flood attack

A

is a common attack used against servers on the Internet. They are easy for attackers to launch, difficult to stop, and can cause significant problems. The SYN flood attack disrupts the TCP handshake process and can prevent legitimate clients from connecting.

TCP sessions use a three-way handshake when establishing a session. As a reminder, two systems normally start a TCP session by exchanging three packets in a TCP handshake. For example, when a client establishes a session with a server, it takes the following steps: 1. The client sends a SYN (synchronize) packet to the server. 2. The server responds with a SYN/ ACK (synchronize/ acknowledge) packet. 3. The client completes the handshake by sending an ACK (acknowledge) packet. After establishing the session, the two systems exchange data.

However, in a SYN flood attack, the attacker never completes the handshake by sending the ACK packet. Additionally, the attacker sends a barrage of SYN packets, leaving the server with multiple half-open connections. Figure 7.1 compares a normal TCP handshake with the start of a SYN flood attack
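The following is an added example, not code from the flashcard set. It models the two handshake outcomes described above: a listener that stores every half-open connection in a fixed backlog, and a stateless variant that encodes the half-open state in its initial sequence number (a simplified SYN cookie). Addresses are from the RFC 5737 documentation ranges, the backlog size, the attacker/client roles, and the cookie construction are assumptions for the example, and real implementations add timers and extra cookie bits this model leaves out.

```python
import hashlib
import secrets

# Constructed addresses from the RFC 5737 documentation ranges; the trace the
# functions below generate is invented for this example, not captured traffic.
ATTACKER_NET = "203.0.113."
CLIENT = ("198.51.100.7", 40000)
MASK32 = 0xFFFFFFFF


class StatefulListener:
    """A TCP listener that stores every SYN_RECEIVED (half-open) connection in
    a fixed-size backlog until the client's ACK arrives.
    Simplification: one slot per (source IP, source port) and no retransmit
    timers, so half-open entries never age out."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}        # (ip, port) -> server ISN awaiting the final ACK
        self.established = set()
        self.dropped = 0

    def receive(self, src, flags, ack=None):
        if flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped += 1  # backlog exhausted: legitimate SYNs are lost too
                return "DROP", None
            isn = secrets.randbits(32)
            self.half_open[src] = isn
            return "SYN/ACK", isn
        if flags == "ACK" and src in self.half_open:
            isn = self.half_open.pop(src)
            if ack == (isn + 1) & MASK32:
                self.established.add(src)
                return "ESTABLISHED", None
        return "RST", None


class SynCookieListener:
    """Stateless alternative: nothing is stored per half-open connection; the
    server encodes the state in its ISN (a SYN cookie) and recomputes it when
    the ACK arrives. Simplification (assumed for the example): the cookie
    covers only the source address/port and a server secret, without the time
    slice and MSS bits a real implementation adds."""

    def __init__(self):
        self.secret = secrets.token_bytes(16)
        self.established = set()
        self.dropped = 0

    def _cookie(self, src):
        data = self.secret + f"{src[0]}:{src[1]}".encode()
        return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

    def receive(self, src, flags, ack=None):
        if flags == "SYN":
            return "SYN/ACK", self._cookie(src)   # reply, store nothing
        if flags == "ACK" and ack == (self._cookie(src) + 1) & MASK32:
            self.established.add(src)
            return "ESTABLISHED", None
        return "RST", None


def run_flood(listener, flood_size):
    """Send flood_size SYNs from spoofed sources that never complete the
    handshake, then let one legitimate client try. Returns True if the
    legitimate client reached ESTABLISHED."""
    for i in range(flood_size):
        spoofed = (ATTACKER_NET + str(i % 254 + 1), 1024 + i)
        listener.receive(spoofed, "SYN")          # the ACK never comes
    status, isn = listener.receive(CLIENT, "SYN")
    if status != "SYN/ACK":
        return False
    status, _ = listener.receive(CLIENT, "ACK", ack=(isn + 1) & MASK32)
    return status == "ESTABLISHED"


if __name__ == "__main__":
    for name, lst in (("stateful", StatefulListener(backlog=8)),
                      ("syn-cookie", SynCookieListener())):
        ok = run_flood(lst, flood_size=20)
        print(f"{name}: client connected={ok}, SYNs dropped={lst.dropped}")
```

With a backlog of 8 and 20 spoofed SYNs, the stateful listener fills up and refuses the legitimate client, while the cookie-based listener never stores anything and still completes the client's handshake; the attacker cannot forge the final ACK because it does not know the server secret.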

14
Q

DNS Poisoning

A

attack attempts to modify or corrupt DNS results. For example, a successful DNS poisoning attack can modify the IP address associated with google.com and replace it with the IP address of a malicious web site. Each time a user queries DNS for the IP address of google.com, the DNS server responds with the IP address of the malicious web site.

15
Q

Smurf Attack

A

A ping is normally unicast—one computer to one computer. A ping sends ICMP echo requests to one computer, and the receiving computer responds with ICMP echo responses.

  • The smurf attack sends the ping out as a broadcast. In a broadcast, one computer sends the packet to all other computers in the subnet.
  • The smurf attack spoofs the source IP. If the source IP address isn’t changed, the computer sending out the broadcast ping will get flooded with the ICMP replies. Instead, the smurf attack substitutes the source IP with the IP address of the victim, and the victim gets flooded with these ICMP replies.

16
Q

Replay Attacks

A

capture data in a session with the intent of later impersonating one of the parties in the session. Timestamps and sequence numbers are effective countermeasures against replay attacks.
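As an added example (not part of the flashcard set), the countermeasures named above applied to a small message protocol: every message carries a sequence number and a timestamp, and both are covered by an HMAC so a replaying attacker cannot simply rewrite them. The shared key, the 30-second window, and the message format are assumptions for this example.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example; a real protocol would derive one per session.
KEY = b"constructed-example-key-do-not-reuse"
WINDOW_SECONDS = 30   # tolerated clock skew plus transit delay (assumed value)


def sign(payload, seq, now):
    """Sender side: attach a monotonically increasing sequence number and a
    timestamp, then authenticate the whole message with an HMAC so a replayer
    cannot edit those fields to make an old message look fresh."""
    msg = dict(payload, seq=seq, ts=int(now))
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Receiver:
    """Receiver side: remembers the highest sequence number accepted so far."""

    def __init__(self):
        self.last_seq = -1

    def accept(self, wire, now):
        body, _, tag = wire.rpartition(b".")   # the hex tag never contains a dot
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"                    # tampered fields
        msg = json.loads(body)
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return "reject: stale timestamp"            # too old to be live traffic
        if msg["seq"] <= self.last_seq:
            return "reject: replayed sequence number"   # already seen
        self.last_seq = msg["seq"]
        return "accept"


if __name__ == "__main__":
    r = Receiver()
    m = sign({"op": "transfer", "amount": 100}, seq=1, now=1000)
    print(r.accept(m, now=1002))   # accept
    print(r.accept(m, now=1003))   # reject: replayed sequence number
```

Each check closes a different gap: the sequence number stops a verbatim replay, the timestamp bounds how long a captured message stays usable (for example after the receiver restarts and loses its counter), and the MAC is what prevents the attacker from bumping the sequence number or refreshing the timestamp on a captured message.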

17
Q

Typo Squatting

A

Users land on the typo-squatting domain when they enter a URL incorrectly with a common typo, such as a missing or transposed letter.

18
Q

Domain Hijacking Attack

A

an attacker changes the registration of a domain name without permission from the owner

19
Q

Zero-day exploits

A

are undocumented and unknown to the public. The vendor might know about the vulnerability but has not yet released a patch to address it.

20
Q

Buffer overflows

A

occur when an application receives more data than it can handle, or receives unexpected data that exposes system memory. Buffer overflow attacks often include NOP instructions (such as 0x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation helps prevent buffer overflow attacks.
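An added example, not from the flashcard set, of the two defensive checks the card implies: validate an input's length against the buffer it will be copied into, and flag the long run of 0x90 bytes that the card describes as a typical sign of an overflow payload. The 64-byte field size, the sled threshold, and the sample inputs are constructed for the example.

```python
NOP = 0x90          # x86 single-byte NOP
MIN_SLED = 16       # runs shorter than this are treated as noise (assumed threshold)


def find_nop_sleds(payload, min_len=MIN_SLED):
    """Return (offset, length) for every run of at least min_len consecutive
    0x90 bytes in payload."""
    sleds = []
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and payload[j] == NOP:
            j += 1
        if j - i >= min_len:
            sleds.append((i, j - i))
        i = j
    return sleds


def validate_field(field, max_len):
    """Input validation as the card recommends: check the data against the
    buffer it will be copied into before the copy happens. Returns a list of
    problems; an empty list means the field may be accepted."""
    problems = []
    if len(field) > max_len:
        problems.append(f"length {len(field)} exceeds buffer size {max_len}")
    for offset, length in find_nop_sleds(field):
        problems.append(f"NOP sled of {length} bytes at offset {offset}")
    return problems


# Constructed sample inputs for a hypothetical 64-byte username field.
BUFFER_SIZE = 64
SAMPLES = {
    "benign": b"homer",
    "oversized": b"A" * 300,
    # 40 bytes of filler, a 64-byte NOP sled, then 0xCC (int3) standing in for shellcode
    "sled": b"A" * 40 + b"\x90" * 64 + b"\xcc" * 8,
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, validate_field(data, BUFFER_SIZE) or "ok")
```

The length check is the one that actually prevents the overflow; the sled scan is a detection heuristic of the kind an IDS signature uses, and it only catches the plain 0x90 sled the card mentions, not sleds built from other one-byte instructions or encoded payloads.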

21
Q

Disassociation Attack

A

effectively removes a wireless client from a wireless network. To understand the attack, it’s valuable to first understand the normal operation

22
Q

Rogue Access Points

A

access points attached to a company’s network without authorization, used to capture and exfiltrate data.

23
Q

Evil Twin

A

is a rogue access point using the same SSID as a legitimate access point

24
Q

Bluejacking

A

is the practice of sending unsolicited messages to nearby Bluetooth devices. Bluejacking messages are typically text, but can also be images or sounds

25
Q

Bluesnarfing

A

refers to the unauthorized access to, or theft of information from, a Bluetooth device. A bluesnarfing attack can access information, such as email, contact lists, calendars, and text messages. Attackers use tools such as hcitool and obexftp

26
Q

Script Kiddie

A

is an attacker who uses existing computer scripts or code to launch attacks. Script kiddies typically have very little expertise, sophistication, and funding.

27
Q

Hacktivist

A

launches attacks as part of an activist movement or to further a cause. Hacktivists typically aren’t launching these attacks for their own benefit, but instead to increase awareness about a cause

28
Q

Organized crime elements

A

are typically motivated by greed and money but often use sophisticated techniques

29
Q

Passive Reconnaissance

A

uses open-source intelligence methods, such as reviewing social media and an organization’s web site, without sending traffic to the target’s systems

30
Q

Active reconnaissance

A

includes using tools to send data to systems and analyzing the responses. It typically starts by using various scanning tools such as network scanners and vulnerability scanners

31
Q

Pivoting

A

is the process of using a compromised system to reach or gather information about other systems. For example, imagine a tester gains access to Homer’s computer within a company’s network. The tester can then pivot and use Homer’s computer to gather information on other computers

32
Q

Black Box Testing

A

Testers have zero knowledge of the environment prior to starting a black box test. Instead, they approach the test with the same knowledge as an attacker

33
Q

White Box Testing

A

Testers have full knowledge of the environment before starting a white box test. For example, they would have access to product documentation, source code, and possibly even logon details

34
Q

Gray Box testing

A

Testers have some knowledge of the environment prior to starting a gray box test. For example, they might have access to some network documentation, but not know the full network layout.

35
Q

Salting

A

adds random data (a salt) to each password before hashing it, which thwarts many password attacks, including rainbow table attacks
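An added example, not from the flashcard set, showing why the salt matters: a precomputed table (a stand-in for a rainbow table, built here from a four-word list) reverses an unsalted SHA-256 digest instantly, but cannot match a digest computed over a per-user random salt. The hashing is done with PBKDF2-HMAC-SHA256, a slow key-derivation function, rather than plain SHA-256; the wordlist, salt length, and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: a precomputed map from unsalted
# SHA-256 digests back to the passwords in a tiny wordlist.
WORDLIST = ["password", "letmein", "Spring2024!", "hunter2"]
RAINBOW = {hashlib.sha256(w.encode()).hexdigest(): w for w in WORDLIST}
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)


def unsalted_hash(password):
    """The weak scheme: hash(password) alone, identical for every user who
    picks that password, so one precomputed table cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def rainbow_lookup(digest_hex):
    """Attacker side: the precomputed table turns a digest straight back into
    a password, or returns None when the digest was never precomputed."""
    return RAINBOW.get(digest_hex)


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """The recommended scheme: a fresh random salt per password, fed together
    with the password into a slow key-derivation function.
    Returns (salt, digest); both are stored, the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    print("unsalted:", rainbow_lookup(unsalted_hash("letmein")))   # letmein
    salt, digest = salted_hash("letmein")
    print("salted:  ", rainbow_lookup(digest.hex()))              # None
    print("verify:  ", verify("letmein", salt, digest))           # True
```

Two users with the same password get different salts and therefore different stored digests, so the attacker must attack each one separately and cannot reuse a table built in advance; the slow KDF then makes each of those per-user attempts expensive.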

36
Q

Pass the Hash

A

attempts to use an intercepted password hash to authenticate as the account owner without knowing the plaintext password. Passwords are typically stored as hashes, and some authentication protocols accept the hash itself as the credential.

37
Q

Session Hijacking

A

the attacker uses a captured or guessed session ID to impersonate the user.