1-Threats, Attacks and Vulnerabilities

Question 1

What is an Indicator of Compromise (IOC)?

Answer 1

Artifacts observed that indicate (with a high degree of confidence) a computer intrusion.

Question 2

What is a virus?

Answer 2

Malicious code that requires user interaction to install and replicate.

Question 3

What is Crypto-malware/Ransomware?

Answer 3

Malicious applications that scare or scam users into taking some type of action (i.e. paying for removal/decryption).

Question 4

What is a worm?

Answer 4

Self-replicating program that is usually self-contained and can execute and spread without user interaction.

Question 5

What are the two main types of worms?

Answer 5

Network Service Worm and Mass Mailing worms.

Question 6

What does a Network Service Worm exploit?

Answer 6

Network vulnerabilities.

Question 7

What is a Trojan?

Answer 7

Seemingly friendly software that contains hidden malicious software.

Question 8

What is a Rootkit?

Answer 8

Malicious code that installs itself at the OS or Kernel level to avoid detection.

Question 9

Why are Rootkits difficult to remove?

Answer 9

They load before the OS loads and can disable anti-virus and anti-malware software.

Question 10

What is a Keylogger?

Answer 10

Malicious application that once installed on a host can capture all keystrokes such as passwords.

Question 11

What is Adware?

Answer 11

Malware that is installed on an infected machine to deliver ads.

Question 12

What is Spyware?

Answer 12

Malicious software that captures user activity and reports back.

Question 13

What are Botnets?

Answer 13

Malicious code that infects large numbers of hosts for the purpose of launching large scale attacks on specific targets.

Question 14

What are the components of a Botnet?

Answer 14

Command & Control Servers

Bots (zombie) computers

Question 15

What is a Logic Bomb?

Answer 15

Malicious code that triggers after a period of time based on some date or specific activity.

Question 16

What is a Backdoor?

Answer 16

Software that installs for the purpose of opening ports and installing additional software.

Question 17

What is Social Engineering?

Answer 17

Taking advantage of people with the goal of collecting useful information i.e. preying on people’s natural willingness to be helpful.

Question 18

What is Vishing?

Answer 18

Social Engineering techniques designed to get the victim to divulge personal or sensitive information over the phone i.e. posing as a legitimate company or an employee.

Question 19

What is Tailgating?

Answer 19

Following someone into a building through a gated or badged access area.

Question 20

What is Impersonation?

Answer 20

Impersonating people or sniffing network packets and putting them back on the wire to execute a replay attack.

Question 21

What helps mitigate the effectiveness of replay attacks?

Answer 21

Packet sequencing.

Question 22

What is Dumpster Diving?

Answer 22

Removing trash from dumpsters that could reveal sensitive information.

Question 23

How do you mitigate dumpster diving?

Answer 23

Shred documents, lock waste cans, etc.

Question 24

What is Shoulder Surfing?

Answer 24

Watching over someone as they enter credentials into a site.

Question 25

What is a Hoax?

Answer 25

Social engineering technique using the phone and/or voicemail to trick the target into providing sensitive information.

Question 26

What is Phishing?

Answer 26

Attack usually via email where the attacker poses as someone else with the hopes that you will click a link, etc.

Question 27

What is Spear Phishing?

Answer 27

Phishing attack targeted at a specific target.

Question 28

What is Whale Phishing?

Answer 28

Phishing attack targeted at Execs.

Question 29

What is a Watering Hole attack?

Answer 29

Sophisticated attack that identifies less secure websites users in a particular company or organization are likely to visit.
Attackers then plant malware on the sites that infect users once they visit
May download additional software onto the computer, scan for other exploits, etc.

Question 30

What are Social Engineers good at?

Answer 30

Asking non-invasive or unimportant questions to gather info over time.

Question 31

What are the 6 Principles (Reasons for Effectiveness) behind Social Engineer?

Answer 31

Authority
Intimidation
Consensus/Social Proof
Familiarity/Liking
Trust
Scarcity/Urgency

Question 32

How is Authority used in Social Engineering?

Answer 32

Bad actor appears to know what they’re talking about or has special knowledge of the company, name drops, technical jargon, etc.

Question 33

How do Social Engineers use Intimidation?

Answer 33

Threaten negative action, threaten to release sensitive information, etc.

Question 34

What does Consensus/Social Proof mean with regards to Social Engineer?

Answer 34

People are more likely to act when they believe they are in alignment with the larger group.

Question 35

How is Familiarity/Liking abused by Social Engineers?

Answer 35

Attacker will establish a common contact or friend to gain more trust.

Question 36

How is Trust abused by Social Engineers?

Answer 36

Try to name drop, use authority, etc. to make themselves appear more trustworthy.

Question 37

How do Social Engineers use Scarcity/Urgency?

Answer 37

Make the target think they have to act quickly to take advantage or something or respond to a situation.

Question 38

What id a DDoS attack?

Answer 38

Distributed Denial of Service

Larger scale than typical DoS attack.

Question 39

What is a Replay Attack?

Answer 39

Attacker sniffs network to capture packets, modifies the packets, and re transmits them to look like legitimate packets.

Question 40

What is a DDoSmurf attack?

Answer 40

Type of DDos attack where the victim’s IP is spoofed and ICMP messages are broadcast to a computer network. Recipients will respond with reply to victim’s IP, resulting in flooding.

Question 41

How can you mitigate Smurf attacks?

Answer 41

Configure routers not to forward broadcast packets

Don’t allow computers to respond to ICMP or broadcasts

Question 42

What is a Man in the Middle attack?

Answer 42

Attacker captures packets on the network between user and application/website, etc.
Attacker can use the packets to obtain information if not encrypted or use it in a replay attack

Question 43

What is a Buffer Overflow attack?

Answer 43

Attack that causes a system or app to crash or behave unexpectedly by writing more data than the buffer can handle

Question 44

What is SQL Injection?

Answer 44

Modifying input to include SQL language that is then passed to the server which can cause the site to crash and open up remote access.

Question 45

What is LDAP Injection?

Answer 45

Similar to SQL Injection but is passed to a web server running LDAP.

Question 46

What is XML Injection?

Answer 46

Attack technique that manipulates the logic of an XML application or service
Could be used to inject XML into a statement that alters a path to a file to disclose sensitive info

Question 47

What is Cross-Site Scripting (XSS)?

Answer 47

Technique used to hijack sessions
Can be non-persistent (emails, blog posts)
Persistent (server based) where attacker doesn’t need to actively target users

Question 48

What is Cross Site Request Forgery (XSRF)?

Answer 48

Exploiting a website’s trust in a user (application, IP address, etc.)
Often referred to as a one-click attack or session riding
CSRF or “See-Surf”
Requires victim to have recently visited the target website and have a valid cookie (not expired)
Complicated and more targeted type of attack

Question 49

What is Privilege Escalation?

Answer 49

Obtaining elevated privileges i.e. admin/root on the target system.

Question 50

What is ARP poisoning?

Answer 50

Also known as ARP cache poisoning
Attacker sends spoofed ARP message onto LAN to associate their machine with another host IP
Allows attacker to intercept data intended for another recipient
Can be used for DoS, MiTM, or session hijacking

Question 51

What is DNS poisoning?

Answer 51

Manipulating data in DNS server’s cache to point to a different IP address
Attacker can direct traffic from legit site to malicious site
Malicious site looks like the real one to avoid detection

Question 52

What is a Zero-day?

Answer 52

Vulnerability that is discovered and exploited before the developer has a chance to issue a patch or fix
Hackers, private companies, and even government agencies buy (and horde) zero-day exploits
One of many tools in cyber army’s arsenal

Question 53

What is a Pass the Hash attack?

Answer 53

Harvesting a user’s password hash to authenticate to a remote server or a remote service
Hacker enters username and stolen hash value when responding to server’s auth challenge

Question 54

What is Clickjacking?

Answer 54

Tricks a user into performing undesired/unintended actions by clicking on a concealed link
Attacker loads another page on top of the website in a transparent layer
Action is performed on hidden page

Question 55

What is Session Hijacking?

Answer 55

Items used to validate a user’s session are compromised and reused by a malicious person
MiTM type of attack
Mitigated by logging out of sessions, using encryption on public wifi

Question 56

What is Typo Squatting/URL Hijacking?

Answer 56

Setting up domain names to capitalize on the fact that users make typos
Make it look like the legitimate site and can be used to capture credentials, etc.
Could also be an Ad Portal hoping to create ad revenue

Question 57

What is Shimming?

Answer 57

Shim databases are part of MS Window’s application compatibility infrastructure
Used to maintain compatibility with legacy applications
Can be used for malicious purposes by custom shim databases to install code, patches, etc.

Question 58

What is Refactoring?

Answer 58

Modifying an application’s source code without changing the underlying functionality.

Question 59

What is a Replay attack?

Answer 59

Sniff and capture packets, putting them back on the wire to impersonate
Packets can be modified

Question 60

What is an IV attack?

Answer 60

Initialization Vector attack
Weaker encryption had short IVs that would repeat fairly quickly
Attacker could flood the network, sniff the packets, and see the IVs being sent

Question 61

What is a Rogue Access Point?

Answer 61

○ Unauthorized access points put in place to steal data by having people connect to it instead of legit AP
○ Can jam/interfere with legit AP
Evil Twin is rogue AP that impersonates real one with same SSID

Question 62

What is a WPS attack?

Answer 62

Brute forcing WPS PIN as it only uses 7 digits and 9,999,999 possible combinations.

Question 63

What is Bluejacking?

Answer 63

Sending of unauthorized messages or data to a victim’s device via Bluetooth technology.

Question 64

What is Bluesnarfing?

Answer 64

Opposite of Bluejacking in that data is pulled from the victim device such as contact lists, pictures, etc.

Question 65

What is Dissociation?

Answer 65

Attacker creates DOS scenario on wireless network by sending a spoofed disassociation frame with source mac address as that of the AP

Question 66

What is a Birthday attack?

Answer 66

Brute-force attack that works on the cryptographic phenomenon of hash collissions.

Question 67

Which encryption standard is not vulnerable to known plain text/cipher text attacks?

Answer 67

AES

Question 68

What is a Collision attack?

Answer 68

Attack tries to find two hash inputs that have the same output which could be used to bypass security.

Question 69

What is a downgrade attack?

Answer 69

Attack that forces a system to negotiate down to a lower quality method of communication.

Question 70

What are the types of Actors?

Answer 70

Script Kiddies
Hacktivists
Organized Crime
Nation States/APT
Insiders
Competitors

Question 71

Which type of Actor is motivated by financial gain/competitive advantage?

Answer 71

Competitors

Question 72

Which threat Actor is motivated by curiousity?

Answer 72

Script Kiddie

Question 73

Which threat Actor(s) is motivated by Financial gain?

Answer 73

Organized crime, insiders, competitors.

Question 74

What is Penetration Testing?

Answer 74

Practice of testing a computer system, network or web app to find vulnerabilities that an attacker could exploit.

Question 75

What are the steps to Pentesting?

Answer 75

Establish Goal/Set Parameters
Reconnaissance/Discovery
Exploitation/Brute Force
Take Control/Escalate Privilege
Pivoting
Data Collection/Reporting

Question 76

What is Passive Reconnaissance?

Answer 76

No direct contact with target

use public records, google search, company website, etc.

Question 77

What is Active Reconnaissance?

Answer 77

Direct access to target company
Asking questions of employees, management, etc.
Entering facilities and walking the site.
Active scanning/fingerprinting of network.

Question 78

What is Pivoting?

Answer 78

Technique that allows lateral movement from a compromised host after gaining foothold on target system.

Question 79

What is Persistence?

Answer 79

Installing backdoors or methods to maintain access to a host or network.

Question 80

What is the primary goal when access a host?

Answer 80

Escalating privilege

Question 81

What methods can be used to escalate privilege?

Answer 81

Hack local admin/root account
Exploit a vulnerability
Social engineering
Use tools/brute force

Question 82

What is Black Box testing?

Answer 82

Tester has little to no info about the target

More like real world but more time consuming and expensive

Question 83

What is White Box Testing

Answer 83

Tester is given full disclosure about the target

Question 84

What is grey box testing?

Answer 84

Combo of black and white box in that tester is given partial information about the target.

Question 85

What is the difference between Pentesting and Vulnerability scanning?

Answer 85

Vulnerability scanning looks for security vulnerabilities within the network while Pentesting assesses the potential damages that can result and the actual likelihood the vulnerabilities can be exploited.

Question 86

What is a Red Team?

Answer 86

Pentesting team (aggressor) with limited access to target. May launch exploits with/without notice.

Question 87

What is a Blue team?

Answer 87

(Defensive team) access to all internal/external resources with goal being to defend against red team.

Question 88

What should you always obtain prior to performing a vulnerability scan?

Answer 88

Consent

Question 89

What should vulnerability scanning be performed in tandem with?

Answer 89

Pentesting

Question 90

What types of weakness can vulnerability scans identify?

Answer 90

Missing security controls
Missing patches
Security misconfigurations
Known exploits

Question 91

What is the difference between credentialed and non-credentialed vulnerability scanning?

Answer 91

Credentialed has easier access and less impact on tested systems as well as more accurate results
Non-credentialed access requires more resources as a system may try to brute-force access