types of attacks Flashcards

1
Q

Social Engineering

A

Social engineering involves a hacker attempting to trick an employee into compromising security through social contact such as an email.

2
Q

Impersonation

A

A social engineering attack in which a hacker attempts to impersonate another employee in the organisation. For example, when a hacker impersonates a network administrator.

3
Q

Phishing

A

A social engineering attack in which a hacker typically sends e-mails to users pretending to be a representative from legitimate companies (banks, Amazon). The email includes falsified information in an attempt to lure the user into clicking a link that redirects them to a false website in order to obtain/steal personal information.

4
Q

Whaling and Vishing

A

Two types of phishing attacks. Whaling is a targeted phishing attack aimed at executive level employees. Vishing utilises phone calls as opposed to e-mails.

5
Q

Smishing

A

A type of phishing attack in which the hacker sends text messages to victims, often impersonating official companies, to steal sensitive information.

6
Q

SPIM

A

‘Spam over instant messaging’ is a type of social engineering attack in which bots are utilised to send users instant messages in an attempt to steal user data.

7
Q

Spear Phishing

A

A type of phishing attack in which the email sent is spoofed and looks like it comes from a trusted source such as a fellow employee.

8
Q

SPAM

A

A type of social engineering attack in which unsolicited emails are sent to a number of people.

9
Q

Eliciting information

A

A social engineering technique to obtain information from a user that could be used in a future attack.

10
Q

Prepending

A

A social engineering technique in which information is added to the beginning of malicious data. For example, the attacker may get you to click a link such as www.banksite.com@192.168.2.1, where the browser would ignore everything to the left of the @ sign.

11
Q

Invoice Scams

A

A type of social engineering attack in which an attacker sends out an email message notifying the victim that payment is overdue and immediate payment is required.

12
Q

Credential Harvesting

A

A type of social engineering attack in which a hacker collects logon information and then uses that information later to access accounts.

13
Q

Influence campaigns

A

A social engineering attack that utilises social media to create fake accounts as well as fake posts that are designed to sway opinion.

14
Q

Shoulder Surfing

A

A type of social engineering attack in which a hacker tries to view confidential information that will assist in compromising security by looking over the shoulder of victims to see their computer screens.

15
Q

Tailgating

A

A type of social engineering attack in which a hacker walks into a secure area by closely following an authorised person who has unlocked the door using their swipe card or passcode (someone slips through the door behind you after you unlock it).

16
Q

Physical Attacks

A

Attacks that involve gaining physical access to a system or device and then accessing the device or performing malicious actions against it.

17
Q

Malicious USB cable

A

A type of physical attack that utilises a malicious cable connected to the system, which can then receive commands from the hacker wirelessly.

18
Q

Malicious flash drive

A

A physical attack that uses a malicious USB drive containing malware which executes on the victim system once the flash drive is connected to the USB port of the system.

19
Q

Card cloning

A

A physical attack in which a hacker copies the card information from a magnetic strip.

20
Q

Skimming

A

A physical attack in which a hacker extracts information from the magnetic strip on the card when you swipe your card.

21
Q

Principles of Social Engineering

A

Authority, Intimidation, Consensus, Scarcity, Urgency, Familiarity, Trust

22
Q

DoS

A

Denial of Service is a network attack that involves a hacker overloading a system with requests so much that it is too busy and cannot service legitimate requests from other clients.

23
Q

DDoS

A

Distributed Denial of Service is a network attack that uses a number of systems to perform a larger scale DoS attack. With a DDoS attack, the hacker first compromises and takes control of a number of systems and then uses those systems to help with the attack. The compromised systems are known as zombie systems because they have no mind of their own and will do whatever the hacker tells them to do.

24
Q

Different Types of DDoS attacks

A

Network:
- Involves using up network bandwidth or consuming the processing power of network devices so that the network becomes unresponsive or performs poorly.

Application:
- Involves flooding a specific software application or service with requests to cause it to crash or become unresponsive.

Operational technology:
- A DDoS attack against hardware or software that is required to run industrial equipment.

25
Q

Spoofing

A

A type of network attack where the hacker alters the source address of information to make it look like it is coming from a different person. Spoofing is sometimes referred to as refactoring.

26
Q

IP Spoofing

A

When the source IP address of a packet is altered so that it appears as if the packet comes from a different source.

26
Q

MAC Spoofing

A

When the source MAC address of a frame is altered so that it appears to have come from a different system or device.

27
Q

Email Spoofing

A

When the ‘From’ address of an email message has been altered so that the email looks like it comes from someone else.

27
Q

Eavesdropping/Sniffing

A

A type of network attack in which the hacker captures network traffic and is able to view the contents of the packets traveling along the network.

28
Q

Replay

A

A network attack that starts as a sniffing attack in order to capture traffic. Then the hacker resubmits the traffic onto the network later. The hacker may alter the traffic first and then replay it, or the hacker may simply be replaying traffic to generate more traffic.

29
Q

On-Path Attack (MitM attack)

A

A type of network attack in which a hacker inserts himself in the middle of two systems that are communicating. The hacker can then pass information between the two.

30
Q

MITB attack

A

A man-in-the-browser attack is a network attack where the browser contains a Trojan that was inserted via an add-in being loaded or a script executing within the browser. The Trojan at this point can intercept any data the user inputs into the browser and alter it before sending it to the destination server. Examples are Zeus and SpyEye.

31
Q

Layer 2 attacks

A

Layer-2 networking attacks affect layer-2 networking devices, such as switches, or layer-2 components and protocols, such as MAC addresses and ARP.

32
Q

ARP Poisoning

A

A Layer 2 attack that involves the hacker altering the ARP cache on a system, or group of systems, so that all systems have the wrong MAC address stored in the ARP cache for a specific IP address, such as the address of the default gateway. Typically, the hacker will poison the ARP cache so that the default gateway IP address (your router’s IP address) points to the hacker’s MAC address. This will ensure that every time a system tries to send data to the router, it will retrieve the hacker’s MAC address from the local ARP cache and then send the data to the hacker’s system instead of to the router.

33
Q

MAC Flooding

A

A Layer 2 attack in which the attacker sends a large number of frames to the switch, causing it to fill the MAC address table and, as a result, remove old, valid MAC addresses while adding the new fake MAC addresses.

34
Q

MAC cloning

A

A Layer 2 attack in which the attacker copies the MAC address of another system and uses it for network communication. This could be used to bypass access control lists, where only traffic from specific MAC addresses is allowed on the network.

35
Q

DNS Poisoning

A

An attack against DNS in which the hacker compromises a DNS server and poisons the DNS entries by having DNS names point to incorrect IP addresses. Often, the hacker will modify the DNS records to point to the hacker’s system; this will force all traffic for that DNS name to the hacker’s system. DNS poisoning is also the altering of the DNS cache that is located on your company’s local DNS servers.

36
Q

Domain Hijacking

A

Domain hijacking is a type of attack that involves the hacker taking over a domain name from the original registrant. The hacker may hijack the domain by using social engineering techniques to gain access to the domain name and then switch ownership, or the hacker could exploit a vulnerability on the systems that host the domain name to gain unauthorized access to the domain registration.

37
Q

Uniform Resource Locator Redirection

A

Uniform Resource Locator (URL) redirection is a DNS attack that involves the attacker sending a request for a DNS name to a different location, such as a malicious web site that the attacker is running.

38
Q

Domain Reputation

A

Domain reputation is a rating on your domain name of whether or not the domain is known to send spam messages. If an employee in your company sends a lot of spam messages, your domain may be flagged as having a poor reputation due to the sending of those spam messages. Spam-filtering systems will block e-mail messages from systems with a poor domain reputation.

39
Q

Pass the Hash

A

Pass the hash is a hacking technique used to access networks that use Microsoft NT LAN Manager (NTLM) as their authentication protocol. With pass the hash, the hacker first compromises a Windows system and then performs a hashdump of the SAM database. The hashdump contains all of the password hashes for each of the user accounts on that system. The hacker can then use those hashes in a pass-the-hash attack to move laterally throughout the network and authenticate to the next system.

40
Q

Amplification

A

Amplification is the process of increasing the strength of a signal so that communication can occur. A hacker may amplify the signal on their wireless card so that they can reach greater distances with wireless.

41
Q

Privilege Escalation

A

Privilege escalation is a popular attack that involves someone who has user-level access to a system being able to elevate their privileges to gain administrative access to the system. Privilege escalation normally occurs due to a vulnerability within software running on the system or within the operating system itself.

42
Q

Port Scanning Attacks

A

A popular network attack is known as port scanning or a port scanning attack. With a port scanning attack, the hacker runs software on the network that does a port scan against the system, which indicates to the hacker what ports are open. Once the hacker finds out what ports are open, they can then try to exploit the ports to gain access to the system.

43
Q

TCP connect scan

A

With a TCP connect scan, shown in Figure 4-9, the hacker performs a TCP three-way handshake with each port on the system. The concept is that if the hacker can do a three-way handshake with a port, then the port must be open.

44
Q

SYN scan (half-open scan)

A

With the SYN scan, the hacker sends a SYN message but doesn’t send the ACK as the third phase of the three-way handshake after receiving an ACK/SYN from the victim’s system. The goal here is to avoid detection by creating less traffic. This scan is also known as a half-open scan or a stealth scan.

45
Q

XMAS scan

A

In an XMAS scan, a packet is sent to each port with the PSH, URG, and FIN flags set in the packet. The term XMAS scan comes from the fact that you have three of six flags enabled, which is like turning on a bunch of lights on a Christmas tree. Note that this is also called an XMAS attack.

46
Q

Pharming

A

Pharming is a term some people use for an attack on DNS or the hosts file that leads an individual to the wrong web site.

47
Q

Antiquated protocols

A

Antiquated protocols are protocols that were developed without security in mind and that typically now have a secure version to replace them. Examples of antiquated protocols are most of the protocols in the TCP/IP protocol suite, such as HTTP, FTP, SMTP, and POP3.

48
Q

Session hijacking

A

Session hijacking is when the hacker kicks one of the parties out of the communication and impersonates that person in the conversation. The hacker typically disconnects one of the parties via a denial of service attack.

49
Q

Null sessions

A

A null session is when someone connects to a Windows system without providing any credentials. Once the person connects to the system, they can enumerate the system if it has not been secured. Through enumeration, the hacker may be able to collect the users, groups, and shared folder list. The following command is used to create a null session with a Windows system:

50
Q

Domain name kiting

A

In domain name kiting, the hacker obtains a domain name for free by using the five-day grace period that is allowed. At the end of the five-day grace period, they cancel the name and then get it free again for another five days. They continue doing this to get the name for free.

51
Q

Malicious insider threat

A

A malicious insider threat is when someone inside the company purposely destroys or discloses company data. The malicious insider threat could also be someone who performs fraudulent activities (deterrents against which include leveraging the concepts of rotation of duties and least privilege).

52
Q

Transitive access (attack)

A

A transitive attack occurs when a user receives a hyperlink to another Windows shared folder and clicks the hyperlink. This forces the user’s system to pass the Windows user account credentials to the remote system to try to authenticate. The problem is that if the hacker is using a sniffer and password cracker, they can then try to crack the account password.

53
Q

Client-side attacks

A

Client-side attacks are attacks on a system through vulnerabilities within the software on a client system. Many client-side attacks come from Internet applications such as web browsers and messenger applications.

54
Q

Watering hole attack

A

A watering hole attack is when the hacker determines sites you may want to visit and then compromises those sites by planting viruses or malicious code on them. When you visit the site (which you trust), you are then infected with the virus.

55
Q

Typo squatting/URL hijacking

A

Typo squatting is also known as URL hijacking and takes advantage of the fact that some users will make typos when typing a URL into the browser. The hacker sets up a web site with a URL that is very similar to the URL of a popular web site but includes an anticipated typo, leading unwary misspellers to the hacker’s web site.

56
Q

Dictionary Attack

A

A dictionary attack involves the hacker using a program that has a list of popular usernames in one text file and a list of words from a language dictionary, to be tried as passwords, in another file. The dictionary file normally contains all of the words in a language and can be downloaded from the Internet.

57
Q

Brute-Force Attack

A

A brute-force attack is a password attack that involves using password-cracking software to mathematically calculate every possible password. Normally, the hacker would configure the password-cracking software with requirements such as the number of characters and whether to use letters, numbers, and symbols.

The benefit of a brute-force attack from the hacker’s point of view is that it is very effective: it will crack the passwords on a system if it has enough time to do so. The disadvantage of a brute-force attack is the time it takes to complete it. Due to the large number of possible passwords, it could take years for the password crack to complete!

58
Q

Hybrid Attack

A

Another type of password attack is known as a hybrid attack. A hybrid attack involves the password-cracking software using a dictionary file, but after the software tries a word from the dictionary file, it then tries to modify the word. Examples of modifications that the cracking software will use are to place numbers after the word and possibly to replace characters.

59
Q

Birthday

A

A birthday attack is a type of attack performed on hashing functions. It has been found that if you try enough data, you will find two different data inputs that generate the same hash value.

60
Q

Collision and Downgrade Attacks

A

Hashing protocols are known to create collisions, which is when two different pieces of data create the same hash value. The more bits the hash value has, the less chance there is that two different pieces of data create the same hash value.

61
Q

online vs offline password attacks

A

Online attack:
- The hacker is trying to crack the password against the live system. There is a risk of detection.

Offline attack:
- The hacker is able to attempt to crack the password offline if they can get a copy of the user account database.

62
Q

SQL injection attacks

A

In SQL injection attacks, the hacker uses the SQL commands that are executing behind the scenes in order to manipulate the data in the database, so the hacker actually inserts some SQL code into the application, knowing the application will pass it to the database. The hacker inserts the SQL commands where you wouldn’t expect them, such as in the password field in the logon screen of the application.

To protect against an SQL injection attack, the developers of the application must validate the input before processing it.

63
Q

Buffer Overflow Attacks

A

A buffer is an area of memory used to store information sent to an application. A buffer overflow is when a hacker sends too much information to the application, causing the information to fill both the buffer and memory outside the buffer. If the hacker can store information in memory beyond the buffer area, the hacker can run whatever code they want with administrative privileges. The software that is susceptible to this attack could be an application or a background service loaded in the operating system.

64
Q

SSL Stripping

A

An SSL stripping attack is when the hacker is able to place themselves between the victim and a secure HTTPS site that the victim uses. When the user sends a request to the secure site, the hacker intercepts the request and essentially creates their own secure connection with the target web site. The communication between the victim and the hacker is downgraded to unsecure HTTP communication (allowing the hacker to view all of the data), but the victim traffic is then sent to the secure site by the hacker using HTTPS.

65
Q

Race conditions

A

A race condition is a software programming issue where code executed by a thread (a thread is a unit of work) must complete in a specific order before another thread can execute that same logic.

66
Q

Application programming interface (API) attacks

A

An API is a library of functions that a programmer creates that provides some form of functionality. An API attack is when a hacker tries to use that API for malicious purposes, typically by making calls to the functions and performing injection attacks on those functions.

67
Q

Why application vulnerabilities exist

A
  • improper input handling
  • improper error handling
  • default configuration
  • misconfiguration
  • weak cipher suites and implementations
  • zero day threats/exploits

68
Q

Software Development Life Cycle (SDLC)

A

Requirement gathering and analysis
Design
Implementation
Testing
Deployment
Maintenance

69
Q

Input Validation

A

Validating input means that the developer checks to ensure that the information typed by the user into the application is appropriate for the type of input that is expected. Any input that does not pass the validation test should be discarded and not processed.

70
Q

Elasticity and Scalability

A

Elasticity means that the cloud environment can adjust the resources allocated to the application dynamically based on the workload. If there is a heavy load, the cloud environment can allocate more RAM or processing power, and then lower those resources when they are not needed. Scalability means that the cloud provider can manually supply more servers in the background as demand increases over longer periods of time.

71
Q

Host Security and application security

A

Host:
Allow list
Block list
secure coding practices

Application:
input validation
secure cookies
HTTP headers
code signing

72
Q

Fuzzing

A

The term for software testing that enters invalid or random data into input fields of an application is fuzzing.

73
Q

Types of Monitoring Systems

A

A signature-based system detects suspicious activity based on the signatures in a file.

An anomaly-based system knows the normal activity (the baseline) and considers anything outside of the norm to be suspicious.

A heuristic-based system identifies suspicious activity based on the manufacturer programming the device for the types of activity that have caused security problems in the past. Heuristic-based IDSs are great for monitoring for zero-day exploits.

74
Q

windows commands

A

netstat:
- Used to show any protocol connection information. The following are useful:
netstat -n
netstat -na -o

net session:
- The Windows net session command can be used to display the computers connected to your system through Windows file sharing. The list of sessions presents you with the IP address of clients connected to your system and the username they used to authenticate to the system.

tasklist:
- Monitors the processes running on the system.

taskkill:
- When monitoring a system, if you notice a process running in memory that may be the cause of a performance or security issue, you can use the taskkill command to end the process.

whoami:
- If you ever need to know who you are logged in to the system as, you can use the whoami command. This command will display the current username logged on.

net statistics:
- This command will display information such as the number of sessions accepted, the number of password violations (failed login attempts), the number of permission violations (access failed due to no permissions), and print jobs spooled to the system.

75
Q

Linux commands

A

ps command:
- Used to view a list of processes running on the system. It is the Linux equivalent to the tasklist command in Windows.

ls command:
- To see a list of files that exist in a directory in Linux, use the ls command for “list.” A good switch to use with the ls command

76
Q

SNMP

A

The Simple Network Management Protocol (SNMP) has been the standard management and monitoring protocol for devices for many years. It can be used to collect detailed information about a device’s running status, such as memory utilization, processor utilization, and the number of users connected.

77
Q

Syslog

A

Syslog is an industry-standard protocol that allows you to have any systems, devices, and applications that support syslog send log messages to a central syslog server so that you can centrally review and manage your logs. Syslog can be configured on your switches, routers, servers, firewalls, and intrusion detection systems (IDSs) to send logged events to the syslog server.

78
Q

Consideration for Monitoring Tools

A

Review reports
packet capture
data inputs
user behavior analysis
sentiment analysis
security monitoring
log aggregation
log collectors

79
Q

Implementing Logging and Auditing

A

Auditing:
- Typically refers to actions that you wish to monitor on a system or application for security purposes. For example, you may wish to audit the management of user accounts on a system or the deletion of a customer record in an application.

Logging:
- Typically refers to logging all activity that occurs in an application or on a system. For example, you can log all requests to a web site and review the logs later.

80
Q

popular areas to audit

A

security applications
DNS
performance
access
firewall
antivirus
wireless access point

81
Q

Assessment types

A
  • Risk assessment
  • Threat assessment
  • Vulnerability Assessment (passive assessments)
  • Penetration testing
    (verifying a threat exists, bypassing security controls, actively testing security controls, exploiting vulnerabilities)
  • Baseline reporting
  • Code review
  • Determining the attack surface
  • Ring architecture
  • Design reviews

82
Q

Security assessment standard methodologies

A

OVAL:
- Open Vulnerability and Assessment Language is an international standard for assessing vulnerabilities to a system. OVAL has three stages to the assessment: represent system information, assess vulnerabilities, and report on the vulnerabilities.

OCTAVE:
- Operationally Critical Threat, Asset, and Vulnerability Evaluation is a self-directed security assessment methodology.

OWASP:
- Open Web Application Security Project is a project that standardizes web application security testing procedures.

83
Q

CVE and CVSS

A

Common Vulnerabilities and Exposures (CVE):
- Is a listing of publicly disclosed vulnerabilities for different operating systems and products. Each vulnerability is assigned a CVE ID, a description, date, and any related comments for the vulnerability.

Common Vulnerability Scoring System (CVSS):
- Is a standard scoring system used to report the severity level of a vulnerability. For example, a vulnerability with a CVSS score of 1 or 2 is not considered severe, but a CVSS score of 9 is considered a severe vulnerability that should be fixed or patched right away.

84
Q

Types of testing (pen-testing)

A

Unknown environment test:
- Formerly known as a black box test. When an unknown environment test is being performed, or a pentester (penetration tester) is hired to perform the test, the goal is for the tester to have no information on the organization or its network configuration.

Known environment test:
- Formerly known as a white box test. With a known environment test, you (or the consultants you hire to do the test) are given all the details about the organization’s assets and configuration.

Partially known environment test:
- Formerly known as a gray box test. A partially known environment test is in the middle: the tester gets some details about the organization and its configuration, but only limited details.

85
Q

Hacking Process

A

Profiling:
- (web site, Google, whois database, DNS profiling)

Scanning and Enumeration:
- (enumerate = collect more information on the system)

Gaining access/initial exploitation
Maintaining access/persistence
Covering tracks/cleanup

86
Q

steps to perform pentest

A

initial meeting
draft legal document
create a plan
test plan
perform pentest
create report on findings
present results
destroy any copies of report

87
Q

File manipulation in Linux

A

head:
- A Linux command used to report back the beginning content of a file (by default the first ten lines).

tail:
- Similar to the head command, but this Linux command is used to print the last ten lines on the screen.

cat:
- Used to display the contents of one or more text files in Linux.

grep:
- Used to search for a specific string within a file.

chmod:
- Used to change the permissions on a file.

logger:
- Allows you to add log entries to the /var/log/syslog file.
