Threats, Vulnerabilities, and Mitigations Flashcards

1
Q

Threat Actors

A
  • entity responsible for an event that has an impact on the safety of another entity
  • also called a malicious actor
2
Q

Attributes of Threat Actors

Internal / External

A
  • Internal threat is inside the target network
    -disgruntled employee, third-party vendor, contractor
  • External threat is outside the network
3
Q

Attributes of Threat Actors

Resources / Funding

A
  • The financial backing behind the threat actor
    -varies from minimal (script kiddie) to high (APT and criminal syndicates)
4
Q

Attributes of Threat Actors

Level of Sophistication / Capability

A
  • skill level, technical knowledge, and technology available
    -blindly running scripts / automated vulnerability scans
    -can write their own attacks, malware, and scripts
5
Q

Motivations of Threat Actors

Data Exfiltration

A
  • Seek to acquire sensitive or proprietary data from target, commonly for personal or monetary gain.
6
Q

Motivations of Threat Actors

Espionage

A
  • acquire secret or confidential data from the target, commonly for enemy nation-states or business competitors.
7
Q

Motivations of Threat Actors

Service Disruptions

A
  • interrupt or stop the availability of the target.
  • disrupt the connection to a business, website, or entire network, such as an emergency response network.
8
Q

Motivations of Threat Actors

Blackmail

A
  • seek to acquire data/info that can be used to force a target to complete a specified action, such as paying a monetary sum.
9
Q

Motivations of Threat Actors

Financial Gain

A
  • benefit monetarily by exploiting an attack surface
  • Organized crime is often motivated by financial gain.
10
Q

Motivations of Threat Actors

Philosophical / Political Beliefs

A
  • Act to forward an ideological belief or promote awareness of perceived issues.
  • Hacktivists are often motivated by philosophical/political beliefs.
11
Q

Motivations of Threat Actors

Ethical

A
  • Expose a vulnerability in a system with the aim of improving its security.
  • White hat hackers are commonly ethically motivated.
12
Q

Motivations of Threat Actors

Revenge

A
  • Seek retribution for a perceived threat, embarrassment, or injustice.
  • may target an individual or an entire organization.
13
Q

Motivations of Threat Actors

Disruption / Chaos

A
  • Can be a goal in itself.
  • cause problems for the target and disrupt normal operations.
14
Q

Motivations of Threat Actors

War

A
  • usually attempts to disrupt military operations or affect the outcome of a conflict.
15
Q

Types of Threat Actors

Nation-State

A
  • External entity
  • Government funded, constant attacks, massive resources
  • APTs (Advanced Persistent Threats) that target government targets
  • Many motivations: data exfiltration, philosophical, revenge, disruption, war
  • Example: Stuxnet worm - created by US/Israel to destroy 1k nuclear centrifuges
16
Q

Types of Threat Actors

Unskilled Attacker

A
  • script kiddie - runs premade scripts without any knowledge of what’s happening
  • Usually external but can be either
  • Limited resources, not very sophisticated
  • No formal funding; motivated by a desire to prove their skill set or by simple curiosity
17
Q

Types of Threat Actors

Hacktivist

A
  • Hacker with a purpose
    -motivated by philosophy, revenge, disruption, etc. (ACTIVIST GOALS)
  • Often an external entity
  • could potentially infiltrate to also become an insider threat
  • Can be remarkably sophisticated
    -very specific hacks, interrupting or drawing attention to a perceived wrong
  • DoS, website defacing, private document release
  • Funding may be limited
    -some orgs may have fundraising
18
Q

Types of Threat Actors

Insider Threat

A
  • originates within the target network
    -motivated by revenge, financial gain
  • Extensive resources
    -using the org’s resources against itself
  • Medium level of sophistication
  • has institutional knowledge
  • attacks can be directed at vulnerable systems; the insider knows what to hit
  • Limited financial resources
19
Q

Types of Threat Actors

Organized Crime

A
  • Professional criminals / criminal syndicate
  • motivated by money
    -almost always external
  • Very sophisticated
    -best hacking money can buy
  • One person hacks, one manages the exploit, another sells the data, another handles customer support
  • Lots of capital to fund hacking efforts
20
Q

Types of Threat Actors

Shadow IT

A
  • INTERNAL - going rogue - authorized users using unauthorized technological solutions
    -working around the internal IT org
    -builds their own infrastructure
  • IT can put up roadblocks
    -shadow IT is unencumbered
    -uses the cloud / might also be able to innovate
  • Limited resources
    -because of the company budget
  • Medium sophistication
  • May not have as much IT knowledge or training
21
Q

Threat Vectors / Attack Vectors

A
  • THE method used to exploit the attack surface (the attack surface being the vulnerability in the system that was exploited)
22
Q

Types of Threat Vectors

Message-Based Vectors

A
  • the communication used to exploit the attack surface, such as phishing messages
  • Email
    -malicious links in an email
    -links to a malicious site
  • SMS (Short Message Service)
    -attacks in a text message
  • Social engineering attacks
23
Q

Types of Threat Vectors

Image-Based Vectors

A
  • malicious code can be embedded within image files
    -when the image is accessed, code may be installed on the target system
  • SVG (Scalable Vector Graphics) format - an image and an XML file - info WITH the image - can inject HTML or JavaScript
24
Q

Types of Threat Vectors

File-Based Vectors

A
  • includes files from all access methods: internal/external storage and communication, such as email or text-based messaging
  • malicious code can be embedded within these files: Adobe PDF, ZIP/RAR, Microsoft Office documents with macros or add-in files
25
# Types of Threat Vectors: Voice Call Vectors
* Vishing: phishing, but over the phone.
* Spam over IP: large-scale unsolicited phone calls.
26
# Types of Threat Vectors: Removable Device Vectors
* USB device to get around the firewall
* Malicious software on USB flash drives
  - infect air-gapped networks, industrial systems, high-security services
* USB devices can act as keyboards
* Data exfiltration
27
# Types of Threat Vectors: Vulnerable Software Vectors
* Client-based
  - infected executable
  - known (or unknown) vulnerabilities; may require constant updates
* Agentless
  - no installed executable
  - compromised software on the server would affect all users
  - client runs a new instance each time
28
# Types of Threat Vectors: Unsupported Systems Vectors
* Patching is an important prevention tool
  - ongoing security fixes
* Unsupported systems aren't patched
  - there may not even be an option
* Outdated OS
  - eventually even the manufacturer won't help
* A single system could be an entry point
  - keep your inventory and records current
29
# Types of Threat Vectors: Unsecure Network Vector
* Network connects everything
  - ease of access for attackers
  - view all (non-encrypted) data
* Wireless
  - outdated security protocols (WEP, WPA, WPA2)
  - open or rogue wireless networks
  - NFC (Near Field Communication): short-range connections
* Wired
  - unsecure interfaces
  - no 802.1X (authentication protocol: provide credentials)
* Bluetooth
  - reconnaissance (see where it might be)
  - implementation vulnerabilities
30
Open Service Ports
* Allow threat actors to gain easy access to a network
  - most network-based services connect over a TCP or UDP port (open port)
  - every application has its own open port
  - more services expand the attack surface
31
Default Credentials
* Most devices have default credentials
  - the right credentials provide admin access
32
Supply Chain Vector
* Involves all entities and protocols related to a company's supply chain or the products the company uses.
* Risks occur when the chain is insecure, such as when the host receives switches from a third party; while in transit, the switches can be intercepted and injected with malware.
* Tamper with the underlying infrastructure
* Example: Managed Service Providers (MSPs)
  - access many different customer networks from one location
33
Social Engineering
* Technique in which someone takes advantage of human nature (the human vector) to manipulate a person into revealing info or performing a task they would normally not do.
* Leverages human emotion to elicit a response by preying on human weaknesses: authority, intimidation, consensus, scarcity, familiarity, trust, and/or urgency.
* Can be technological in nature or involve physical interactions.
34
# Social Engineering Techniques: Phishing
* Social engineering technique by email, SMS, or text.
* Manipulates the target into revealing info or completing a desired task by fraudulent means.
* NEEDS user interaction to be successful, which can involve clicking an embedded link.
* Targeted info can include: credentials, credit card/bank info, PII.
35
# Social Engineering Techniques: Business Email Compromise
* A compromised business email account can be used in social engineering to elicit a response.
* The target may be tricked into trusting the email because of its relationship with the business.
* Spoofed email address
  - looks like the real email address / spelled similarly
36
# Social Engineering Techniques: Typosquatting
* Taking advantage of common spelling mistakes.
* Misspelling a legitimate URL to redirect a target to a malicious site.
37
# Social Engineering Techniques: Pretexting
* Lying to get info
* Using false info or a pretense to justify interaction with the target
* Often used with impersonation
  - "Hi, we are calling from Visa regarding an automated payment..."
38
# Social Engineering Techniques: Vishing
* Voice phishing is done over the phone or voicemail.
* Often uses VoIP (Voice over Internet Protocol) services to bypass or spoof caller ID data.
39
# Social Engineering Techniques: Smishing
* SMS phishing is done by text
* Forwards links or asks for personal info
* Spoofing is a problem here as well.
40
# Social Engineering Techniques: Variations on a Theme
* Fake check scam, phone verification code scam, boss/CEO scam, advance fee scam
41
# Social Engineering Techniques: Impersonation
* Attackers pretend to be someone they aren't
* Extracting info from the victim / hacking the human
* Often seen with vishing
* Identity fraud, credit card fraud, bank fraud, loan fraud, government benefits fraud
42
# Social Engineering Techniques: Watering Hole Attack
* The threat actor seeks out a specific website known to be frequented by the target and attacks vulnerabilities within that website to gain access to the target.
43
# Social Engineering Techniques: Misinformation / Disinformation
* Disseminate (spread widely) factually incorrect information.
* Used to elicit a response from the target to gain information or access.
44
# Social Engineering Techniques: Brand Impersonation
* The threat actor pretends to be a well-known, reputable brand.
* Malware infection is almost guaranteed.
45
# Application Attack: Memory Injection
* This attack adds malicious code into the memory of an existing process.
  - hides malware inside the process
* The malicious code gets access to the data in that process
  - and the same rights and permissions
  - can perform privilege escalation, gaining higher rights and permissions than it would normally have on that system
46
# Application Attack: DLL Injection (Data-Link Library)
* Most popular form of memory injection.
* DLL
  - Windows library containing code and data; many apps use this library
* Attackers inject a path to a malicious DLL
  - runs as part of the target process
47
# Application Attack: Buffer Overflow Attack
* Overwrite a buffer of memory
  - spills over into other memory areas
* Developers need to perform bounds checking
48
Race Conditions
* Programming conundrum
  - two events happen at nearly the same time within an application, and the application doesn't take into account that these two conditions may be happening simultaneously
49
# Race Condition: TOC (Time-of-Check)
* Process of verifying a system's state/condition before performing an action/function.
50
# Race Condition: TOU (Time-of-Use)
* When the results of the TOC are actually used to perform the action/function requested in the TOC.
51
# Race Condition: TOCTOU (Time-of-Check to Time-of-Use)
* When the resource check occurs before the resource is actually used, resulting in a time lag between check and use during which the resource can be altered.
* Example: a user is logged in, an admin revokes their credentials, but the user is not logged out of the system. The user still has access to the system for the remainder of that session.
52
Malicious Updates
* A malicious update is made to look like a legitimate software update.
53
# Code Injection Attack: Code Injection
* Adding your own information into a data stream.
* Enabled because of bad programming
  - the app should properly handle input and output
* Different types of code injection attacks
  - HTML, SQL, XML, LDAP, etc.
54
# Web Based Vulnerability: SQL Injection (Structured Query Language)
* Structured Query Language
  - most common relational database management system language
* SQLi
  - put your own SQL request into an existing application
  - your app should not allow this
* Can often be executed in a web browser
* **Can be achieved by adding a second query to a valid query**
* Often indicated by the "or 1=1" structure
55
# Web Based Vulnerability: XSS (Cross-Site Scripting)
* Called cross-site because of browser security flaws
  - info from one site could be shared with another
* One of the most common web app vulnerabilities
  - takes advantage of the trust a user has for a site
  - complex and varied
* XSS commonly uses JavaScript
* **The threat actor inserts their own HTML code into a website**
56
# Web Based Vulnerability / XSS Attack: Non-Persistent / Reflected Attack
* The threat actor inserts a reflected value into the HTML field to create a modified/reflected version of the authentic page.
* Example: fake checkout page, reflected back to the threat actor with credit card details.
57
# Web Based Vulnerability / XSS Attack: Persistent / Stored Attack
* No specific target.
* This attack attempts to store the modified HTML code on the remote web server hosting the attacked site (social media, for example) so the attack remains active even when the threat actor is not actively attacking.
* The appearance of a script tag is a common indicator of an XSS attack.
* Example: social media, sharing an HTML link; someone else can view it and propagate it further.
58
# Hardware Vulnerabilities: Firmware
* The software inside the hardware
  - the operating system of the hardware device
* Vendors are the only ones who can fix their hardware
  - assuming they know about the problem and care about fixing it
59
# Hardware Vulnerabilities: EOL (End-of-Life)
* Manufacturer stops selling a product
  - may continue supporting the product
  - important for security patches and updates
60
# Hardware Vulnerabilities: EOSL (End-of-Service-Life)
* Manufacturer stops selling a product
  - support is no longer available for the product
  - no ongoing security patches or updates
  - may have a premium-cost support option
61
# Hardware Vulnerabilities: Legacy Platform
* Some devices remain installed for a long time
* **Legacy platforms are older OS, apps, middleware**
* May be running EOL software
* May require additional security protections
  - additional firewall rules
  - IPS signatures for older OS
62
Virtualization
* Allows one or many hosts on a physical machine.
* Created using a hypervisor, which creates, controls, and allocates resources to the different VMs on the hypervisor.
63
# Virtualization: VM Escape
* The threat actor is able to infiltrate one VM and find their way to connect to other VMs on that same hypervisor.
* Huge exploit: full control of the virtual world.
64
# Virtualization: Resource Reuse
* The hypervisor manages the relationship between physical and virtual resources
  - available RAM, storage space, CPU availability, etc.
* The resources can be reused between VMs
  - hypervisor host with 4 GB RAM
  - supports three VMs with 2 GB of RAM each
  - RAM is allocated and shared between VMs
* Data can inadvertently be shared between VMs
* **A misconfiguration / vulnerability could allow one VM to access data belonging to another**
65
# Cloud-Specific Vulnerabilities: Authentication Bypass
* Take advantage of weak or faulty authentication
66
# Cloud-Specific Vulnerabilities: Directory Traversal
* Faulty configurations put data at risk
  - ability for people to move around folders and subfolders
67
# Cloud-Specific Vulnerabilities: Remote Code Execution
* Take advantage of unpatched systems
  - execute code remotely and run any app they like
68
# Cloud-Specific Vulnerabilities: Out of Bounds Write
* Write to unauthorized memory areas
  - data corruption, crashing, or code execution
69
# Supply Chain Vulnerabilities: Service Provider
* Provides a third-party service to other entities
  - network, utilities, office cleaning, payroll/accounting, cloud services, system admin, etc.
70
# Cloud-Specific Vulnerabilities: Hardware Provider
* Entity that supplies physical components required in the supply chain
  - server, router, switch, firewall
71
# Cloud-Specific Vulnerabilities: Software Provider
* Entity that supplies software required in the supply chain
  - apps, OS, programs
* Initial installation
  - the digital signature should be confirmed during installation
72
Misconfiguration Vulnerability
* Weak configurations or misconfigurations of apps, devices, or settings are the most common security vulnerabilities that allow access to a system.
73
# Misconfiguration Vulnerability: Open Permissions
* Leaving info sitting in an open area of the internet.
* Increasingly common with cloud storage.
74
# Misconfiguration Vulnerability: Unsecured Admin Accounts
* In the Linux world this is the root account.
* In Windows it's the admin account
  - referred to as the superuser in both
* Methods built into the OS prevent creating a superuser account without a password.
* Best method is to disable direct login to the root account
  - use su or sudo after logging in to elevate to admin privileges
* Ideally have very few root/admin accounts
75
# Misconfiguration Vulnerability: Insecure Protocols
* Some protocols aren't encrypted
  - Telnet, FTP, SMTP, IMAP
  - all traffic sent in the clear
* Use packet capturing
  - to tell if data sent across the network is secure or insecure
* Encrypted versions
  - SSH, SFTP, IMAPS, HTTPS
76
Wall of Sheep
* List of unsecured protocols being used
  - lists emails, part of passwords, IP addresses, and the unsecured app that was used
77
# Misconfiguration Vulnerability: Default Settings
* Every app and network device has a default login
* Mirai botnet
  - takes advantage of default configs
  - can gain access to devices and provide info to the attacker
78
# Misconfiguration Vulnerability: Open Ports / Services
* Each time you enable an inbound service on a server you are opening a port
  - gives a little bit of access into a section of your server
* Limit the number of open ports accessible by others
  - often managed with a firewall, which manages traffic flow, allowing or denying based on port number or app
* Firewall rulesets can be complex; it's easy to make mistakes
  - always test and audit the firewall rulebase
79
Mobile Device Security
* Challenging to secure
  - often needs additional security policies and systems
* Relatively small
* Almost always in motion
* Packed with sensitive data
  - personal and organizational
* Constantly connected to the internet
80
# Mobile Device Security: Jailbreaking / Rooting
* Mobile devices are purpose-built systems
  - you do not have access to the OS
* Gaining access to the OS would be
  - Rooting: Android
  - Jailbreaking: Apple iOS
* Install custom firmware
  - replaces the existing OS
* Uncontrolled access
  - MDM (Mobile Device Manager) becomes useless
  - circumvent (find a way around an obstacle or difficulty in an illegal way) security features
81
# Mobile Device Security: Sideloading
* Malicious apps can be a significant security concern
  - one trojan horse can create a breach
* Manage installation sources
  - global or app store
* Installing apps from outside the app store is referred to as sideloading
  - sideloading circumvents security
82
Vulnerabilities
* Many apps have vulnerabilities
  - we just haven't found them yet
* Someone is working hard to find the next big vulnerability
  - the good guys share these with the developers
* Attackers keep these yet-to-be-discovered holes to themselves
  - they use the vulnerabilities for personal gain
83
# Vulnerabilities: Zero-Day
* The attacker exploits a vulnerability with no patch or method of mitigation
* Difficult to defend against the unknown
* The vendor has no idea the vulnerability exists; they don't have a fix for an unknown problem
* Until a patch is created, the attacker can continue to take advantage of this vulnerability
* CVE (Common Vulnerabilities and Exposures)
84
# Malware: Malware
* Any type of software that is doing bad things to your system
* Malicious software
  - gather info: keystrokes
  - show you advertising: big money for them if you view the advertisement
  - viruses and worms: encrypt your data, infect your systems
85
# Malware: How do you get Malware?
* The computer must run a program
  - can come from a malicious email link
  - web page pop-up
  - drive-by download
  - self-installing worm
* The computer is vulnerable
  - keep the OS and all software up to date
86
# Malware: Ransomware
* Very nasty malware: infects the machine and encrypts ALL data, then requests money to reverse it
* Must pay the attackers to obtain the decryption key
  - untraceable payment system
  - unfortunate use of public-key cryptography
87
# Malware / Ransomware: Protecting Against Ransomware
* Always have an offline backup
* Keep the OS up to date; patch all vulnerabilities
* Keep apps up to date with security patches
* Keep anti-virus/anti-malware signatures up to date
  - signatures identify malicious code
88
# Malware / Viruses: Viruses
* Malware that can reproduce itself
  - needs you to execute a program / needs user intervention
* Once running, it reproduces itself through file systems or the network
* May or may not cause problems
  - some viruses are invisible
* Anti-virus is very common
  - thousands of viruses every week
89
# Malware / Viruses / Virus Types: Program Virus
* Program virus
  - part of the application; clicking a link or executable
90
# Malware / Viruses / Virus Types: Boot Sector Virus
* Boot sector virus
  - sits in the boot sector of the computer; when the system is booted, the virus starts automatically. Who needs an OS?
91
# Malware / Viruses / Virus Types: Script Virus
* Script virus
  - OS- and browser-based
  - browsers, the OS, and many apps run scripts, which can contain malicious software
92
# Malware / Viruses / Virus Types: Macro Virus
* Macro virus
  - common in Microsoft Office
  - viruses written in a macro language to take advantage of vulnerabilities in that software
93
# Malware / Viruses / Virus Types: Fileless Virus
* Stealth attack
  - does a good job of avoiding anti-virus detection
* Does not use any files stored on your storage system; does not write any software or malicious code to storage drives
* Operates in memory
  - runs scripts and executables in memory, exfiltrates data, and damages files
  - adds an auto-start entry to the registry: since a fileless virus is not saving any malicious software to the file system, it needs some way to restart if the system is rebooted
94
# Malware / Worms: Worms
* Malware that self-replicates
  - runs without any user intervention
  - uses the network as a transmission medium
  - self-propagates and spreads quickly
* Can attack at any time and move freely about the network
* Firewalls and IDS/IPS can mitigate many worm infestations
95
# Malware / Worms / Types of Worms: WannaCry Worm
* Propagates automatically
* Installs ransomware: encrypts user files and makes them unavailable
* Starts with a computer that is infected; that computer looks across the network and infects other systems that are vulnerable
* Once infected, the vulnerable computer is exploited with EternalBlue
  - EternalBlue installs a backdoor, pulls down the ransomware code, and infects the machine with the ransomware software
  - the worm continues to propagate itself, finding all vulnerable systems on the network and infecting them with the same ransomware
96
# Malware / Spyware: Spyware
* Malware that spies on you
  - can put advertising on your screen, identity theft, affiliate fraud (earns money from purchases you make online)
* Similar to a virus: spyware needs to be installed on your system
  - peer-to-peer software, fake security software, links in email
* Browser monitoring
  - capture surfing habits
* Keyloggers
  - capture every keystroke and send it back to the attacker: usernames, passwords, etc.
97
# Malware / Spyware: Protecting Against Spyware
* Maintain anti-virus / anti-malware
  - always have the latest signatures
* Always know what you are installing
  - and watch the options during installation
* Keep a known good backup
* Run some scans
98
# Malware / Bloatware: Bloatware
* Unwanted apps that come pre-installed on a device or OS
* Uses valuable storage space
  - may also add to overall resource usage
  - the system may be slower than expected
  - any of these apps could be susceptible to a known or unknown vulnerability, making this a security concern
99
# Malware / Bloatware: Removing Bloatware
* Identify and remove manually
* Use the built-in uninstaller
  - works with most apps
* Some apps have their own uninstaller
* Third-party uninstallers and cleaners
  - not the first option
  - always have a backup
100
# Malware / Keyloggers: Keyloggers
* Keystrokes contain valuable info
  - website login URLs, passwords, email messages, etc.
* Stays resident on your system, captures all keystrokes to a file, and once or more a day the file is sent to the attackers
* Circumvents encryption protections
  - attackers know that whatever you type on the keyboard is not encrypted
* Other data logging
  - capture info stored in the clipboard, take and store screenshots of your screen, store IMs and messages, record anything you search in a search engine query
101
# Malware / Logic Bomb: Logic Bomb
* Malicious software that waits for a particular event to occur; when it occurs, the bomb is detonated on that system
  - often left by someone with a grudge
* Time bomb
  - might be waiting for a date/time; can reboot the system, erase data, or make changes to that system
* User event
  - waits for a particular user to log in, and then the bomb executes
* Difficult to identify
  - usually created with a particular goal in mind
  - difficult to recover if it goes off
102
# Malware / Logic Bomb: Preventing a Logic Bomb
* Difficult to recognize
  - each is unique; no predefined signatures
* Process and procedures
  - formal change control; limit changes to any core system operating files
* Electronic monitoring
  - alert on any changes or if something has been modified
  - host-based intrusion detection, Tripwire, etc.
* Constant auditing
  - an admin can circumvent existing systems
103
# Malware / Rootkit: Rootkit
* Root comes from the Unix superuser, root, similar to admin in Windows
* Hides itself in the kernel of the OS
  - this makes it a part of the OS itself, making it difficult to identify with traditional anti-virus / anti-malware software
* Aims to create a backdoor for the threat actor
  - the backdoor can be used to access the target device without the target's knowledge
* Can be invisible to the OS; often hidden in the MBR (Master Boot Record) to maintain privilege and avoid detection
  - you won't see it in Task Manager; it's running as part of the OS, so anything the OS is doing will include the malicious code that's part of this rootkit
  - has full run of your computer since it's invisible to anti-virus / anti-malware
104
# Malware / Rootkit: Finding and Removing Rootkits
* Look for unusual activity
  - anti-malware scans
* Use a remover specific to the rootkit
  - usually built after the rootkit is discovered
* Secure Boot with UEFI
  - security in the BIOS
105
# Physical Attacks: Physical Attacks
* Old-school security
  - no keyboard, mouse, or command line
* Many different ways to circumvent digital security
  - the physical approach must be considered
* If you have physical access to a server, you have full control
  - the OS can't stop an in-person attack
* Door locks keep out the honest people
  - there's always a way in
106
# Physical Attacks / Brute Force: Brute Force
* Physical version
  - no password required
* Push through the obstruction
  - brute force through a locked door or window
* Check your physical security
* Attackers will try anything
107
# Physical Attacks / RFID Cloning: RFID Cloning
* RFID is everywhere
  - access badges, key fobs
* Duplicators are on Amazon
  - less than $50
* Happens very quickly
  - read one card and copy it to another in seconds
* Another reason why we have MFA
  - use another factor with the card
108
# Physical Attacks / Environmental Attacks: Environmental Attacks
* Attack everything supporting the technology
  - the operating environment
* Common attack: turn off all power in the data center
  - can be done from outside the building
* HVAC systems have lower priority for security
  - if access is gained, cooling can be turned off; systems heat up and automatically shut down. Large data centers must be properly cooled.
* Fire suppression system
  - if access is gained, the attacker would be able to cause a DoS (denial of service)
109
Network Attacks
* Take advantage of vulnerabilities in a network
* Can target the network directly or through access points within the network
110
# Network Attacks / DoS: DoS (Denial of Service)
* The attack forces a service to fail
  - overload the service
* The attacker takes advantage of a known vulnerability or design failure in that particular system
  - keep systems up to date with the latest patches
* Cause a system to be unavailable
  - competitive advantage
* Create a smokescreen (distraction) for some other exploit
  - precursor to a DNS spoofing attack
* DoS attacks do not have to be complicated
  - can be as simple as turning off the power
111
# Network Attacks / Friendly DoS: Friendly DoS
* Unintentional DoS
  - can be done by ourselves, to ourselves
* Network DoS
  - connecting two switches to each other, then connecting them to each other again, creating a loop: a Layer 2 loop without STP
* Bandwidth DoS
  - downloading a multi-gigabyte Linux distribution over a DSL line uses all of the bandwidth that would normally be associated with productive apps
* A water line break above the ceiling of the data center
112
# Network Attacks / DDoS: DDoS (Distributed Denial of Service)
* Attackers use multiple devices all around the world
  - use all the bandwidth or resources associated with a web server to cause a denial of service
* Attackers are not physically at these computers; they have put malware on these devices and created a botnet
  - botnets are robot networks under the control of the attacker, which can be told in a single command to attack a web server
* Asymmetric threat
  - the attacker has few resources and can easily bring down organizations that have many more systems and much more bandwidth than they do
113
# Network Attacks / DDoS / Reflection Attack DDoS / Reflection Attack
* Reflected DDoS attack uses a single protocol on both the sending and receiving sides to disrupt a system
* These attacks commonly use the target's spoofed IP address to create excessive traffic
114
# Network Attacks / DDoS / Amplified Attacks DDoS / Amplified Attack
* Volume-based attack that leverages protocols that return large volumes of results to small queries
  * request information from an NTP server and you receive more data than you requested
  * NTP, DNS, ICMP, etc.
* Common example of protocol abuse
115
# Network Attacks / DNS Attack DNS Attack (Domain Name System)
* DNS is an internet protocol that translates domain names into their corresponding IP addresses
* A DNS attack targets the DNS system to send traffic to an alternate IP address
116
# Network Attacks / DNS Attack / DNS Poisoning-Spoofing DNS Poisoning / Spoofing
* Manipulates the domain name system to redirect users to a malicious website
* Hackers insert false information into a DNS server's cache
  * when a user tries to visit a legitimate website, the DNS server provides the wrong IP address, sending them to a fake malicious website instead
  * this fake website can steal sensitive information such as passwords or credit card details, or infect the user's computer with malware
117
# Network Attacks / DNS Attack / DNS Poisoning-Spoofing / On-Path Attack On-Path Attack (Man-in-the-Middle Attack)
* Intercepts traffic as it is sent from one host to another
* Intercepted traffic packets can be altered, delayed, or blocked by the interceptor
* Also known as a man-in-the-middle attack
* Real-time redirection of the original request; the attacker sits in the middle
118
# Network Attacks / DNS Attack / DNS Poisoning-Spoofing / Replay Attack Replay Attack
* Occurs when a data packet is intercepted by a threat actor, who delays or misdirects the packet
* Attacker needs access to the raw network data
  * network tap, ARP poisoning, malware on the victim's computer
* Information gathered can be used for an on-path attack
119
# Network Attacks / DNS Attack / DNS Poisoning-Spoofing / Replay Attack / Pass the Hash Attack
* Form of replay attack
* Attacker intercepts the hashed password and username, copies that information and sends it to the server, gaining access while posing as the victim
* Pass the hash can be avoided with salted or encrypted passwords (each time authentication occurs, a unique hash is created)
120
# Network Attacks / DNS Attack / DNS Poisoning-Spoofing / On-Path Attack / Credential Replay Attack
* Occurs when a data packet containing authentication data is intercepted and used in an attempt to impersonate the credentialed user
* This is a type of replay attack
121
# Network Attacks / DNS Attack / DNS Poisoning-Spoofing / On-Path Attack / ARP Poisoning/Spoofing
* When the ARP cache is intercepted by an attacker
* Instead of the PC communicating directly with the network, it communicates with the attacker in the middle, who then passes traffic on to the network
  * attacker is then able to modify information sent to the user, shut off the connection, and monitor traffic
* ARP has no form of authentication or identification
122
# Network Attacks / DNS Attack / DNS Poisoning-Spoofing / On-Path Attack / On-Path Browser Attack (Man-in-the-Browser Attack)
* The attacker, or middleman, is on the same computer as the victim
* Malware/trojan does all of the proxy work; it redirects traffic before and after it is sent to the network
* Even if network traffic is encrypted, the attacker can see everything, since the malware is running on the same device as the victim
* Malware waits for you to log in to something important, then steals the information
123
# Network Attacks / DNS Attack / Session Hijacking Session Hijacking / Sidejacking
* Attacker gets hold of your session ID and poses as you for subsequent web sessions to the server
* Attacker then has access to everything the victim machine would have access to on that web server
* To prevent: encrypt everything
124
# Network Attacks / DNS Attack / Domain Hijacking Domain Hijacking
* Get access to the domain registration and you control where the traffic flows
  * don't need to touch the actual servers
  * determines the DNS names and DNS IP addresses
* Many ways to get into the account
  * brute force, social engineering the password, gaining access to the email address that manages the account, etc.
125
# Network Attacks / DNS Attack / URL Hijacking-Redirection URL Hijacking / Redirection
* Another way attackers redirect users to a malicious site
  * redirect users to a site with advertising, which creates a revenue stream for the attacker
* Attacker may hold a domain name very similar to the legitimate domain and sell it to the actual owner
  * could be misspelled
* Redirect to a competitor
  * use a similar domain name to redirect traffic from the legitimate site to that site's competitor
* Create a phishing website
  * looks exactly like the legitimate website and asks for login credentials
* Infect with a drive-by download
  * can install ransomware or turn your computer into part of a botnet
* **Typosquatting / Brandjacking**
126
# Network Attacks / Wireless Attacks Wireless Attacks
* Wireless deauthentication
  * significant wireless DoS attack
* Wireless network attacks attempt to take advantage of vulnerabilities in the wireless protocols, interfere with the wireless network, or create false wireless access points to gain entry to a network or steal information
127
# Network Attacks / Wireless Attacks / 802.11 Management Frames 802.11 Management Frames
* Main vulnerability to wireless DoS attacks is the management frames sent and received by the access point
* Frames you don't see; they all pass between your device and the access point behind the scenes
  * used to connect your device to the network, manage its connection, and disconnect from the network when you're done
* Each time you bring up a list of access points to connect to, or authenticate and deauthenticate from an access point, these management frames provide that functionality
* Earlier versions of the 802.11 specifications did not provide any security for these management frames
  * sent across the network in the clear, with no encryption, so an attacker can manipulate these frames to cause problems for people on that network
128
# Network Attacks / Wireless Attacks / RF Jamming RF Jamming (Radio Frequency)
* DoS attack that affects everyone trying to communicate over wireless frequencies
* RF jamming decreases the signal-to-noise ratio at the receiving device; the receiver can't hear the signal well and is unable to send or receive traffic over that network
* Sometimes it's not intentional
  * interference, not jamming
  * microwave ovens, fluorescent lights
* Jamming is intentional
  * someone wants your network not to work
129
# Network Attacks / Wireless Attacks / RF Jamming / Diff Types Different Types of Wireless Jamming
* There are many different ways for an attacker to cause this type of jamming
  * send a constant stream of information
  * send random data
  * send a large amount of legitimate frames over the network
* All of these cause noise and problems for people trying to communicate with this access point
* Attacker may also send data at random times to make troubleshooting the problem more difficult
* Needs to be somewhere close
  * difficult to be effective from a distance
130
# Network Attacks / Wireless Attacks / RF Jamming / Reactive Jamming Reactive Jamming
* **Reactive Jamming** - normally when the network is quiet, there's no jam signal to see, but as soon as someone tries to communicate with the access point, attacker turns up the volume and makes it impossible to communicate on this wireless network.
131
# Network Attacks / Wireless Attacks / RF Jamming / Fox Hunt Fox Hunt
* **Fox hunt**: hunting down the attacker causing the jamming signal
  * uses a directional antenna to narrow down the location
  * uses an attenuator to lower the signal strength, making it easier to tell which direction a signal is coming from
132
# Network Attacks / Malicious Code Malicious Code
* Code that can be inserted or used for malicious means
* Many different methods can be used to gain access to a system
  * executables, scripts, macro viruses, worms, trojan horses, etc.
* Because so many different methods can be used, a strong defense is needed
  * anti-malware, firewall, continuous updates/patches, secure computing habits
133
# Application Attacks Application Attacks
* an attack aimed at Layer 7, or the application layer of the OSI model
134
# Application Attack / Injection Attack Injection Attack
* Code injection: adding your own information into a data stream
* Enabled because of bad programming; an application should properly handle input and output
* SQL injection, command injection, LDAP injection, HTML, XML
135
# Application Attacks / Buffer Overflow Attack Buffer Overflow Attack
* Occurs when more data is written into a memory area than is allowed
* Results in overwriting data in memory with new data that can be used to execute malicious processes on the target network
* Very difficult exploit; it takes time to avoid crashing the program and make it do what you want
136
# Application Attacks / Replay Attack Replay Attack - Application Layer
* Hacker takes advantage of useful information that is transmitted over the network
* Needs access to the raw network data
  * network tap, ARP poisoning, malware on the victim's computer
* Gathered information may help the attacker; they replay the data to appear as someone else
* Not an on-path attack; the actual replay does not require the original workstation
137
# Application Attack / Privilege Escalation Attack Privilege Escalation Attack
* Gain higher-level access to systems
  * exploit a vulnerability, which might be a bug or a design flaw
* Attacker attempts to find vulnerabilities in the system to increase their privilege level to a higher status, such as root user or admin
138
# Application Attack / Privilege Escalation Attack / Mitigating Privilege Escalation Attacks
* Patch quickly
  * fix the vulnerability
* Updated anti-virus / anti-malware software
  * block known vulnerabilities
* Data Execution Prevention: only data in executable areas can run
* Address space layout randomization
  * prevents a buffer overrun at a known memory address
139
# Application Attacks / Cross-Site Request Attacks Cross-Site Request
* Cross-site requests are common and legitimate
  * visiting a website and having text, pictures, or videos load on it from other sites
140
# Application Attacks / Cross-Site Request Attacks / Forgery
* is an attack that attempts to exploit the relationship between a user and a server to get the user to execute commands against the server or vice versa.
141
# Application Attacks / Cross-Site Request Attacks / Cross-Site Request Forgery (CSRF / XSRF)
* Sometimes referred to as a one-click attack or session riding
  * usually written as XSRF or CSRF ("sea surf")
* Takes advantage of the trust that a web application has for the user
  * the website trusts your browser
  * requests are made without your consent or knowledge
* With a CSRF/XSRF, the server has a malicious URL embedded in a website that executes when the user visits the infected URL
* Application should have anti-forgery techniques added, usually a cryptographic token, to prevent forgery
* Originates on the server side
142
# Application Attacks / Cross-Site Request Attacks / Server-Side Request Forgery (SSRF)
* With this attack, the client tricks the server into visiting a malicious URL by entering the malicious URL into a user-input value
* Originates on the client side