1.0 - Threats, Attacks and Vulnerabilities Flashcards by Jim Young

Code is changing after each use, so that signature-based scanning does not always work.

Type of threat?

Polymorphic Malware

How well did you know this?

Not at all

Perfectly

Code is encrypted so that it cannot be decomplied or reverse engineered.

Type of threat?

Armored Virus

How well did you know this?

Not at all

Perfectly

Files are encrypted, either permanently or until a ransom is paid.

Type of threat?

Crypto-Malware

How well did you know this?

Not at all

Perfectly

Files are encrypted, and request for ransom is received.

Type of threat?

Ransomware

How well did you know this?

Not at all

Perfectly

Malicious code that attaches itself to another piece of executable code. It only runs when the executable it is attached to is run.

Type of threat?

Virus

How well did you know this?

Not at all

Perfectly

Malicious code that spreads across a network without being attached to another executable. Can also move via email, open network shares, IIS, SQL. Type of threat?

Worm

How well did you know this?

Not at all

Perfectly

Software that appears to do one thing, such as a game, but also has embedded malicious code.

Type of threat?

Trojan

How well did you know this?

Not at all

Perfectly

Threat that modifies the OS, often by re-writing the kernel.

Type of threat?

Rootkit

How well did you know this?

Not at all

Perfectly

Malicious code that records keystrokes.

Type of threat?

Keylogger

How well did you know this?

Not at all

Perfectly

Software that makes ads appear. Can be malicious or legitimate.

Type of software?

Adware

How well did you know this?

Not at all

Perfectly

Software that monitors a user’s activities, including: keylogging, browsing, cheating on games, software usage.

Type of software?

Spyware

How well did you know this?

Not at all

Perfectly

A large number of infected PCs that can be controlled by one malicious user.

Type of threat?

Botnet

How well did you know this?

Not at all

Perfectly

A hacker installs a toolkit on a remote PC that lets them record keystrokes, take screenshots, install software, see and change system settings.

What is this toolkit called?

RAT (Remote-Access Trojan)

How well did you know this?

Not at all

Perfectly

An administrator installs a piece of code that will delete files or do other damage if they are fired.

What is this called?

Logic Bomb (or Time Bomb if it will go off a specific number of days later)

How well did you know this?

Not at all

Perfectly

A developer is able to get back into a system even after new layers of security have been added.

What method did they use.

Backdoor / Trapdoor. Often a hard-coded password, which is difficult to remove.

How well did you know this?

Not at all

Perfectly

List common Indicators of Compromise (IOC)

Common IOCs are:

Network:

Unusual outbound network traffic
Geographical irregularities in network traffic
HTML response sizes
Mismatched port-application traffic
Unusual DNS requests
Signs of DDoS activity
Web traffic with nonhuman behavior

Accounts:

Anomalies in privileged user account activity
Account login red flags

OS & Applications:

Increase in database read volumes
Large number of requests for the same file
Suspicious registry or system file changes
Unexpected patching of systems
Mobile device profile changes
Bundles of data in the wrong place

How well did you know this?

Not at all

Perfectly

A threat returns even after the OS is wiped and reloaded while the system is air-gapped.

Likely type of threat?

Firmware Rootkit, possibly in a video card or expansion card firmware.

How well did you know this?

Not at all

Perfectly

This threat loads before the OS, as a virtualization layer for the OS. This allows it to intercept hardware calls to the OS.

Virtual Rootkit or Vitual Machine-Based Rootkit (VMBR).

How well did you know this?

Not at all

Perfectly

This type of threat operates at the OS level, giving it priviledged access to the system.

Kernal Rootkit

How well did you know this?

Not at all

Perfectly

This type of threat infects libraries, such as .DLL files, so they can execute inside a target process to spoof it, or overwrite the memory of the target application.

Library Rootkit

How well did you know this?

Not at all

Perfectly

Any threat will attack at least one of the three security requirements (the CIA of security). These are?

Confidentiality

Integrity

Availability

How well did you know this?

Not at all

Perfectly

A user receives an email indicating that they need to login to resolve an account issue at a website.

What type of threat is this?

Phishing

How well did you know this?

Not at all

Perfectly

Members of just the accounting team receive emails asking them to login to the corporate bank account, with an invalid link.

What type of attack is this?

Spear Phishing

How well did you know this?

Not at all

Perfectly

The CEO receives a ficticious email or phone call, which was tailored just for her. What type of attack is this?

Whaling

How well did you know this?

Not at all

Perfectly

A threat actor spoofs the company's HR phone number and calls users asking them for personal information. What kind of attack is this?

Vishing

How can users protect against phishing and vishing attacks?

Never use the link or phone number provided in the incoming message. Educate users about these threats.

Someone sparks up a conversation with an employee as they are heading into work, then follows them though the door without authenicating. What just happened and how can it be avoided?

The treat actor was Tailgating to gain entry to the building. Educating employees about proper entry procedures or a mantrap are possible solutions.

How might a threat actor avoid third-party authorization?

They may: 1. Arrive with knowledge of an existing project or issue 2. Use the guise of trouble to create a sense of urgency 3. Name drop someone important who is currently unavailable

What types of parties might a threat actor impersonate?

Help Desk / Support Contractors / Outside Parties

What is the best defense against impersonation attacks?

A standard process for verifying identity and user education.

An attacker goes through the organization trash looking for sensitive information. What is this technique called?

Dumpster Diving

An attacker watches the keypad on an ATM machine to get users' PIN numbers, possibily from afar with a telephoto lens. What type of attack is this?

Shoulder Surfing

What are some methods to prevent shoulder surfing?

Blinders around PIN keypads Keypads the move the numbers around User education

Users receive a viral email telling them to delete an important system file in order to prevent future attacks. What is this?

A Hoax, but a damaging one.

A website is altered to distribute malware, often just to users in a certain geographical area. What is this attack called?

Watering Hole These are difficult and time-consuming to setup, so they tend to use zero-day attacks, and are often backed by nation states.

A threat actor pretends to be calling from from the IRS. What social engineering principal are they using?

Authority

A threat actor implies that a user's job may be on the line if they do not cooperate. What social engineering principal are they using?

Intimidation

A threat actor works within a group to push the decision making process in a particular direction. What social engineering principal are they using?

Consensus

A phishing email says that user only has a few minutes to reset their account. What social engineering principal is being used?

Urgency

An advertisment says that only a few items are left for sale. What social engineering principal is being used?

Scarcity

A threat actor talks to a user about how they have been in similar situations or had similar feelings. What social engineering principal is being used?

Familiarity

A social engineer's goal is not to force someone to do something they don't want to do, but to create a perception in their mind that they are doing the right thing. What social engineering principal is this?

Trust

Describe a social engineer's primary goal and technique.

Their goal is to manipulate a person's perception in order to change their actions. They do this by preying on a person's beliefs, biases and stereotypes.

A system if flooded with TCP SYN requests that return back to a non-existent IP address. This causes the system to lock up. What type of attack is this?

DoS (Denial of Service)

A threat actor is able to send commands to a few master systems, which control hundreds or thousands of zombie PCs, which are infected with the correct malware. When the order is received these systems all flood one target with requests, bringing it down. What type of attack is this?

DDoS (Distributed Denial of Service)

What precautions can be taken against DDoS attacks?

Precautions against DDoS attacks include: 1. Consistent patching 2. Shorter timeouts for TCP connections 3. Distributed workloads 4. Block ICMP packets at the border 5. Scan your network for zombie systems (helps others more than you)

An attacker steals a cookie from a user and is able to hijack their session, by rerouting all communication through another PC. This allows the attacker to see the data being moved (if not encrypted) and see who the target is communicating with. What type of attack is this?

Man-in-the-Middle (session hijacking specifically)

Lack of input error-checking in programs is the root cause of this common attack where new commands are injected into a program through the input fields.

Buffer Overflow

Describe the 2014 Heartbleed attack.

It took advantage of a buffer overflow vulnerability in the OpenSSL library.

Describe some types of Injection attacks.

SQL injection - allows unauthorized SQL commands to run XML injection - allows access to data LDAP injection - allows access to data Command injection - gives privledged command-line access

What is the difference between XSS and SQL injection?

XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application's database.

Lack of input validation on a web site allows attackers to include a script and have it rendered. What is this method called?

Cross-Site Scripting (XSS)

How can Cross-Site Scripting (XSS) be migated?

Cross-Site Scripting (XSS) mitigation: * Use anti-XSS libraries to strip scripts from the input strings * Limit types of uploads, screen or whitelist uploads * Testing with encoded and unencoded inputs to find vulnerabilities

A user is logged into a banking site. Meanwhile code is executed in a separate browser tab to perform a transaction at the site without the user's knowledge. What type of attack is this?

Cross-Site Request Forgery (XSRF)

What methods can migate against Cross-Site Request Forgeries (XSRF)?

* Re-validate the user on important transactions * Limit authentication time * Cookie expiration * Use anti-CSRF tokens in form submissions. These are sent to the user at authentication, then included in subsequent HTTP requests. This the most effective method.

An attacker gets standard access to a system, then duplicates an elevated token to run processes as an elevated user. What type of attack is this?

Privilege Escalation

What methods can mitigate privilege escalation attacks?

* Follow the least-privilege model * Regularly review administrative accounts * Monitor privileged accounts for unusual behavior * Reduce processes and services that run in elevated mode

An attacker sends incorrect ARP and RARP requests to a network, feeding incorrect data into system ARP tables. They then use this corruption to setup a man-in-the-middle attack. What is this method?

ARP Poisoning

An attacker sends ICMP Ping commands to a network address, with the reply aimed at a specific PC. This floods the target PC with ping requests. When an attacker is able to create a greater effect than would be possible with a single client, what is it called?

Amplification

Running nslookup shows that a system's local DNS cache is pointing certain DNS names to the wrong IP addresses. What type of attack has occurred?

DNS Poisoning

You login to GoDaddy to discover that you no longer own and control one of you domain names. What has occurred?

Domain Hijacking

A trojan element is added to a user's browser that intercepts and changes data as they browse certain websites. What is this attack called?

Man-in-the-Browser (MitB)

An attacker uses a vulnerability that is unknown to the developer, so even the latest patches will not protect systems. What is this called?

Zero Day attack

An attacker captures communication between two parties and retransmits them at a later time. What is this called?

Replay

What best defends against replay attacks?

Defenses against replay attacks: * Encryption * Short time frames for transactions

An attacker captures a hash file and injects it into a system. This allows them to authenticate without knowing the password. What is this called?

Pass the Hash. This is technically demanding attack, but tools have been developed to make it easier.

When a user clicks on a certain design element, their click is altered by a transparent overlay, causing them to click elsewhere and executing the attacker's code. What is this type of attack?

Clickjacking

A user receives a DoS attack, taking down their system. At the same time, the attacker takes over a Telnet or web session that the user was running. What is this called?

Session Hijacking

A peice of malware alters the URL a user is attempting to browse to, causing them to go to a fake website. What is this called?

URL Hijacking

A user receives an email from the bank asking them to login. The URL in the mail looks similar to their bank's, but the actual domain is different. What is this called?

URL Hijacking, Fake URL, Brandjacking, Typo Squatting

An attack puts a layer of code between a driver and the OS, changing hardware responses without altering the driver itself. What is this form of driver manipulation called?

Shimming

An attacker modifies internal code to add functionality without changing other external behavior of the code or driver. What is this called?

Refactoring

An attacker puts the IP of the target system into certain web traffic to facilitate an attack. What is this called?

IP Spoofing

A target system is flooded with ICMP requests after the attacker sent the ICMP request to the network address. What technique was used?

IP Spoofing - in the initial request to the network address. This called a Smurf attack.

What can mitigate IP spoofing attacks?

* Limit trust relationships between hosts * Configure firewalls to reject packets from outside that have an inside IP in the From address

Why are IP spoofing SYN/ACK attacks more difficult from outside the network?

The attacker will have to guess the sequence numbers for the SYN/ACK transaction.

Wireless networks are especially succeptible to this attack where conversations are recorded and sent later on.

Replay attacks

WEP wireless encryption was suseptible to this exploit where an initial key sequence was send in the plaintext part of the message.

Initialization Vector (IV). Software such as AirSnort can intercept each packet with weak IV and eventually crack the WEP encryption key for a WAP.

You discover a wireless access point hidden in a cupboard. It is configured to emulate a company WAP and intercept user data. What is this called?

Evil Twin

A non-company owned AP is allowing clients to authenticate to a real company AP. The attacker uses this to collect user credentials.

Rogue AP

A certain radio spectrum is targed by a rogue wireless device. What is this called?

Jamming

This easy to use wireless authentication system has the user enter an 8-digit code to authenticate and is susceptible to brute-force attacks.

WPS (Wi-Fi Protected Setup)

A user is in a crowded airport when they receive a text message or image via Bluetooth from an unknown and unauthorized user. What type of attack is this?

Bluejacking

What can be done to avoid bluejacking?

* Disable Bluetooth * Set Bluetooth devices to nondiscoverable

An attacker copies data from a target phone via Bluetooth. This can include emails, contacts, calendar, and media files. What is this attack called?

Bluesnarfing

What is the key difference between bluejacking and bluesnarfing?

Bluejacking sends unauthorized data. Bluesnaring uses an authorized connection to steal data.

What types of attacks are RFID readers succeptible to?

* Replay - the attacker intercepts signals and replays them later to authenticate. * Cloning - a dupilcate RFID card can be created using eavesdropping data.

An attacker sends deauthentication frames to a WAP to remove it from the network. What is this called?

Disassociation

Why would an attacker disassociate a WAP?

* To sniff the reconnect, including the WPA four-way handshake. This provides initial information needed in a brute-force or dictionary-based WPA attack. * It forces users to reconnect, which is a chance to mount a man-in-the-middle attack.

This brute-force cryptographic attack looks for collisions within hash functions, or duplicate hash functions.

Birthday attack

An attacker gathers the original plaintext and the ciphertext for that message, then uses them to key through brute-force attemptes. What is this attack called?

Known Plaintext/Ciphertext

What can be done to mitigate Known Plaintext/Ciphertext attacks?

Large keyspace, so that a brute-force attack is no longer feasible.

These lists of hash values associated with passwords make password cracking easier.

Rainbow tables

What method makes rainbow tables useless?

Salted Hashes, where an additional salt value makes the precomputing process not replicable.

A list of common words is used to crack a password.

Dictionary attack

Every possible password is attemted against a system or hash file, in this computing-intensive attack.

Brute Force

Which type of brute force attack is easy to notice?

Online Brute Force attacks are often detected as the system sees many authentication attempts on the same account.

This type of brute force attack requries that the attacker first steal the hash file.

Offline Brute Force attack

What types of methods are often part of a hybrid password attack?

Hybrid password attack may start with a dictionary attack, the move on to brute force methods.

When two different inputs produce the same output of a hash function, what type of attack is possible?

Collision attack. Many versions of the hash file are produced, then a birthday attack is used to find collisions between them.

An attacker take acvantage of a backword compatibility feature in the protocol and forces a TSL/SSL conversation to use a lesser form of encryption. What is this method?

Downgrade

If developers do not follow best practices, attackers can record and use conversations to break even encrypted systems with this relatively simple technique.

Replay

This common web security protocol has been hacked in all of its version but is still commonly used. What is it, and what should it be replaced with.

SSL has been cracked. It should be replace with TLS. Unfortunately, weak implementations are one of the main issues in IT security.

This type of threat actor has little technical knowledge and relies on pre-fab tools.

Script Kiddies

When hackers work collectively, usually on the behalf if a cause, they are what?

Hacktivists

These type of hackers work to monetize their efforts and work in large, organized units.

Organized Crime. Criminal cybersecurity is now larger in dollar terms and the international drug trade.

Often the most skilled of hackers work for these organizations, useing highly structured attacks and defenses.

Nation States. They often use Advanced Persistent Threats (APT) against other nation states or economic interests.

With this method, hackers achieve a presense on a target network over a long period of time to gather as much data as possible.

Advanced Persistent Threat (APT)

This group of intruders are especially difficult to protect against since they already have some access and understanding of the systems.

Insiders

This type of attack is used sparingly - only when other methods are not available - because it usually cannot be used more than once.

Zero Day

List the common attributes of threat actors.

Attributes of threat actors include: * Resources * Level of sophistication * Location * Motivation

A cooperative group of government and non-government, sharing and analyzing threat data is an example of what?

Open Source Intelligence

Would a penetration test use a zero day attack? Why or why not?

Pen Tests look for common and known vulnerabilities, so they can be mitigated.

What goals would a pen tester set?

To hack the system with the same objectives as a likely threat actor. Try to get to the data or system that is most valued to a hacker.

Pen testers use tools to directly interract with the target network and learn about it. What is this called?

Active Reconnaissance

Pen testers may use publicly-available sources to gather information about a target network. What is this called?

Passive Reconnaissance

Pen testers use passive and active tools. What is the difference?

Passive tools scan a network without detection. Active tools can be detected.

An attacker establishes a presence on a PC, uploads tools to it, and uses it to scan that portion of the network. They repeat this process to gain information about larger portions of the network. What is the process called?

Pivoting or network traversal

This step in the pen testing process shows that a network vulnerability exists, but stops short of damaging any systems.

Initial Exploitation

List some common techinques used by pen testers.

Common pen testing techniques include: * Initial exploitation * Pivoting / network traversal * Escalation of privilege * Perstence

This testing technique exposes the program, system or network to malformed input data and looks for flaws in the output data. The tester has no knowledge of how the syhstem works.

Black Box Testing. This is a common testing technique for web-based applications.

This testing technique looks at the internal structures and data processing of an application. The tester has detailed knowledge of the application.

White Box Testing

This testing technique is efficient becuase the testers have some knowledge of the software, network or system they are testing. This is efficient becuase entire paths can be eliminated from the test.

Grey Box Testing

What is the difference between Pen Testing and Vulnerablility Scanning?

Vulnerability Scanning will find vulnerabilities, whether they can be exploited or not. Pen Testing will determine which vulnerabilities can be exploitated.

What is the difference between credential and non-credentialed vulnerability scans? Why are both scans important?

The difference is whether the vulnerability scan tool was given valid account credentials to use. Both tests should be run, as a real attacker may not have credentials initially, but might later on in the process.

List the common steps in a vulnerability scan.

Common steps in the vulnerability scan are: * Identify vulnerability * Identify missing or ineffective security contols * Identify common misconfigurations

What is the difference between intrusive and non-intrusive vulnerability tests?

Intrusive tests will make a change to the system state. This is more accurate at detecting vulnerabilities but it can cause system disruption.

An attacker sends similar commands in fast sequence. The data is not received in the expected order, allowing the attacker to gain access. This is an example of what?

Race Conditions

What methods can be used to prevent race conditions?

Race conditions can be prevented by: * Reference counters * Kernal locks * Thread syncronization

An organization chooses to continue using a server that is running and older OS, which no longer receives updates. What type of vulnerability is this?

End of Life System

The primary software on a server receives patches from the vendor, but some of the lesser components from a third party are not patched. What are these vulnerable components called?

Embedded Systems

Your organization is using a software that is many versions old, so the vendor support contract has run out. What vulnerability is this?

Lack of Vendor Support

This is the most common general type of software vulnerabilty, and can be mitigated with input validation.

Improper Input Handling

List types of Improper Input Handling

Types of Improper Input Handing include: * Buffer Overflows * Cross-Site Scripting (XSS) * Cross-Site Request Forgery (XSRF) * Injection attacks * Canonical Structure Errors

Which is a better error handling method? Report error to user, or write it to a log file.

Writing errors to a log file is safer, if it is stored where access can be limited by an ACL.

A hacker forces errors in a system and records each error message to learn more about the system. What vulnerability is this?

Improper Error Handling

A new system is configured with older, less secure, protocols enabled even though they are not needed. What vulnerability is this?

Misconfiguration or Weak Configuration

New access points are installed without changing the factory-set admin password. What vulnerability is this?

Default Configuration

An attacker floods a target sytem with requests until it runs out of memory or bandwidth and it crashes. What is this technique?

Resource Exhaustion

Someone in marketing clicks on the URL in a phishing email, causing a system failure. What would have best prevented this event?

User training

A user is able to get into an advanced system because IT Security didn't realize that one of his group memberships also grants the extra access. What type of vulnerability is this?

Improperly Configured Account

The accounting software is confgured to pay on invoices without matching them to purchase orders. What type of vulnerabilty is this?

Vulnerable Business Process

The security team would like to build their own custom cryptographic algorithm and implementation. Is this a good idea?

No. Custom cipher suites are not considered secure because they are very difficult to create and implement effectively. It is better to choose an existing cypher system that has been proven to be effective.

SSL or TLS?

SSL bad TLS good

A program crashes after a certain amount of time, after mis-written memory overwrites parts of the program's memory space. What is this called?

Memory Leak

An attacker crashes a system by sending it numerical values that are larger than the programmers intended. What is this technique called?

Integer Overflow

An attacker enters 150 digits into the phone number field of a form, causing the program to crash or execute an unintended command. What is this called?

Buffer Overflow

An attacker inputs invalid data designed to prompt the program to reference the wrong area a memory. What is this called?

Pointer Dereference

You discover that a copy of MS Office now has extra functions, including dangerous tools that could be used by a hacker. What is the likely type of attack?

DLL Injection

Your organization has acquired numerous smaller companies. As a result, some of the system are not documented or accounted for. This is an example of what?

System Sprawl and Undocumented Assets

Your large network has no subnets or VLANs. This is what type of vulnerability?

Architecture / Design Weakness

Your organization receives a successful targeted attack, despite all of the latest patches being applied. What is the likely type of attack?

Zero Day

Compensating Controls can block the path of an attack without directly addressing the underlying vulnerability. What type of attack are they especially effective against?

Zero Day

The employee who updates the certificate server got a job in Florida last year and has not been replaced. What vulnerabilty does your network likely have now?

Improper Certificate and Key Management