701 - Section 2 Flashcards

1
What is the entity responsible for an event that has an impact on the safety of another entity called?
Threat actor or a malicious actor
2
What are the three attributes of threat actors?
Internal or external, resources or funding, level of sophistication or capability
3
Why is it important to find the motivation of a threat actor?
Because it identifies the purpose of the attack
4
Name five or more motivations for attackers?
Data exfiltration, espionage, service disruption, blackmail, financial gain, philosophical or political beliefs, ethical, revenge, disruption or chaos, war
5
Constant nation state attacks with massive resources are also known as?
An advanced persistent threat
6
What are the location, resources, sophistication attributes of a nation state threat actor?
External, extensive, very high
7
What are the location, resources, sophistication attributes for an unskilled threat actor?
External, limited, very low
8
What are the location, resources, sophistication attributes for a Hacktivist threat actor?
External, some funding, can be high
9
What are the location, resources, sophistication attributes for an insider threat threat actor?
Internal, many resources, medium
10
What are the location, resources, sophistication attributes for an organized crime threat actor?
External, often extensive, very high
11
What are the location, resources, sophistication attributes for a shadow IT threat actor?
Internal, many resources, limited
12
What are the possible motivations for a nation state threat actor?
Data exfiltration, philosophical, revenge, disruption, war
13
What are the possible motivations for an unskilled threat actor?
Disruption, data exfiltration, philosophical beliefs
14
What are the possible motivations for a Hacktivist threat actor?
Philosophical beliefs, revenge, disruption or chaos
15
What are the possible motivations for an insider threat threat actor?
Revenge and financial gain
16
What are the possible motivations for an organized crime threat actor?
Financial
17
What are the possible motivations for a shadow IT threat actor?
Philosophical beliefs and revenge
18
What is the method used by an attacker to gain access or to infect a target?
A threat vector or an attack vector
19
What are three types of message based attack vectors?
Phishing attacks (for example, providing a link in an email or a text), delivering malware to a user (for example, an attachment within an email), social engineering attacks (for example, invoice or cryptocurrency scams)
20
What image format is known as a threat?
The Scalable Vector Graphics format, SVG
21
What are two attack types of an image based attack?
HTML injection and JavaScript attack
22
What can defend against an image based attack?
A web browser providing input validation
23
What are three file based threat vectors?
Adobe PDF, zip or RAR files, Microsoft Office files
24
What are the four types of voice call attack vectors?
Vishing (phishing over the phone), spam over IP, war dialing, call tampering
25
What does an attacker use for a removable device attack vector?
A USB drive
26
Which attack vector can infect an air gapped network?
A removable device attack vector
27
What are two types of software used for a vulnerable software attack vector?
Client and agentless
28
What are the differences between a client based vulnerability and an agentless software vector vulnerability?
For client based, it is an infected executable that requires installation, whereas agentless is not an installed executable and the impact would affect all users using the service
29
What are two examples of unsupported system vectors?
A system that isn’t regularly patched and an outdated operating system
30
What is the best way to prevent an unsupported system attack vector?
Making sure every system is patched and has all the latest updates, as a single system could represent an entry point
31
What is the best way to prevent an open service port attack vector?
Adding firewall rules for every open port as each one represents a potential entry point for an attacker
32
What is the best way to prevent a default credential attack vector?
Changing all default usernames and passwords, as it's very easy to find the default credentials for every device.
33
Why is a supply chain attack vector difficult to defend against?
Because they provide many points of entry and some or most are out of an organization's control
34
What are two methods to defeat a phishing attack vector?
Check the URL of all links by hovering over them, and look for something not quite right with the spelling, the fonts or the graphics
35
What is at the root of a business email compromise attack vector?
Because we trust the email source and the attacker takes advantage of this trust
36
Why are tricks and misdirection attack vectors difficult to defend against?
Because of how realistic they are. There may be a slight typo in the URL (known as typosquatting), or they use a highly believable character in a realistic situation (also known as pretexting)
37
What are two types of phishing that use voice and SMS messages?
Vishing known as voice phishing and Smishing known as SMS phishing
38
Why are impersonation attacks so successful?
Because they include a realistic pretext or story
39
What are some of the methods used in an impersonation attack?
They use pieces of information that they know about you, they will act as if they are higher in rank, they will throw many technical details around, they will act as if they are your friend
40
What is the result of a successful impersonation attack against a person?
They have enough information regarding your identity to commit fraud such as credit card fraud, bank fraud, loan fraud, government benefits fraud
41
What are ways you can protect against impersonation?
Never volunteer any personal information or personal details and always verify through third parties
42
How does a watering hole attack work?
By infecting a website or system which an organization is known to use. These infections can impact just those in the organization or they can infect all visitors
43
How do you defend against a watering hole attack?
Using a layered defense, known as defense in depth: firewalls, up-to-date antivirus and anti-malware software
44
How does a misinformation or disinformation attack work?
Attackers create fake users and fake content, they post on social media and amplify the message, real users begin to share the message, then the mass media picks up the story
45
What are the different types of processes that a memory injection attack can infect?
Malware can be hidden in all of these… DLLs, threads, buffers, memory management functions
46
What are the two types of memory injections?
Memory and DLL
47
How does a memory injection attack work?
By adding the malicious code into the memory of an existing process, which allows access and system privileges to the data in that process
48
How does a DLL injection attack work?
An attacker injects a path to the malicious DLL, which then runs as part of the target process
49
How does a buffer overflow attack work and what does it need to be successful?
By overwriting a buffer of memory which spills into other memory areas. This is not a simple exploit, and the buffer overflow needs to be repeatable.
50
How do you defend against a buffer overflow attack?
By having the developers perform bounds checking within their code
51
How does a race condition work?
It is a result of two conditions happening at the same time that can produce a vulnerability
52
What is another name for a race condition attack?
Time-of-check to time-of-use attack (TOCTOU)
53
What is the best defense against malicious updates?
Keeping your operating system and applications up-to-date
54
How do you prevent against a malicious update when downloading an update?
By having a known good backup, by confirming the source (visiting the trusted download site directly) and by not disabling operating system security controls
55
How do you defend against an operating system vulnerability?
By having a good backup in case of an issue and always keeping the system up-to-date
56
How does a SQL injection attack work?
The attacker will add their own malicious bits of SQL code into a form field that is submitted to the server and executed within the DB
57
What is the best defense against a SQL injection attack?
Having the application properly validate and properly escape (using escape keys) all input and output
58
How does a cross site scripting attack work?
The attacker sends a link containing a malicious script to a victim; the victim clicks the link and visits the legitimate site; the legitimate site loads in the victim's browser and the malicious script is executed; the malicious script sends the victim's information to the attacker. This includes credentials, session IDs, and cookies.
59
What are the two types of cross-site scripting attacks?
A non-persistent or reflected attack and a persistent or stored attack
60
How does a non-persistent (aka reflected) cross-site scripting attack work?
An attacker emails a link that executes a script that sends credentials, session IDs and cookies to the attacker; this script is embedded within the URL.
61
What is a common source of a cross site scripting attack? And why?
A website search box…Search boxes accept user input, which can be manipulated by attackers to inject malicious code. If the input is not properly sanitized or validated, it opens up the possibility for attacks like SQL injection or cross-site scripting (XSS).
62
What is a persistent or stored cross-site scripting attack?
When the attacker posts a message to a social network that includes the malicious payload. It's called persistent because everyone who views the page will get this malicious code.
63
How do you protect against a cross site scripting attack?
By avoiding clicking on untrusted links, disabling JavaScript in your browser, keeping your browser and applications properly updated and validating input fields
64
Why are hardware vulnerabilities so dangerous?
Because we are surrounded by intelligent hardware devices, many of which do not have an accessible operating system. Each of these poses an entry point for an attack
65
What are the main security risks with hardware vulnerabilities?
The vendors are the only ones who can fix their issues, assuming they know about the problem or care about fixing it. The end of life, or the technological end of service life, which is the time when the product stops being sold and/or stops being supported.
66
What is a legacy platform?
A device that has been running for a length of time and is no longer receiving updates to its software
67
What does a virtualization vulnerability pertain to?
A virtual machine
68
What are the different vulnerabilities associated with a virtualization vulnerability?
Local privilege escalations, command injection, information disclosure
69
What does VM escape mean?
An issue where an attacker is able to break out of the VM and interact with the host operating system or hardware… this will allow an attacker to potentially gain full control of the virtual environment…
70
Why does a VM escape happen?
Because the hypervisor manages the VMs on a server, and those resources can be reused between VMs, allowing data to be inadvertently shared between the VMs
71
What is the best way to mitigate the risk of a virtualization vulnerability?
By properly updating your VM software
72
What are some of the reasons why we have cloud specific vulnerabilities?
Cloud adoption has been nearly universal, much sensitive data is in the cloud, and the right protections are not being utilized by organizations, including simple best practices
73
What are some of the ways that a cloud service can be attacked?
Denial of service, taking advantage of weak or faulty authentication, faulty directory traversal configurations, remote code execution and taking advantage of unpatched cloud systems
74
What are some of the ways to mitigate a supply chain vulnerability?
Contractual ongoing security audits of all providers, using a small trusted supplier base, confirming digital signatures from updates provided by software vendors
75
What makes a supply chain so vulnerable to attack?
The chain contains many moving parts and an attacker can affect any step along the way which can infect the entire chain
76
What are the different types of misconfiguration vulnerabilities?
Open permissions which are easy for a hacker to find, unsecured administrator accounts, using insecure protocols instead of their encrypted counterparts, using default settings, and ports opened by services that are not configured properly
77
What does MDM stand for?
Mobile device manager
78
What does jailbreaking or rooting mean?
When a mobile device's operating system is replaced by a different operating system
79
What makes jailbreaking or rooting dangerous?
Uncontrolled access to the device that circumvents security features, and the MDM becoming relatively useless on a jailbroken or rooted device
80
What is sideloading?
Apps that are loaded onto a mobile device that do not come from an approved App Store
81
What is a zero day vulnerability?
It is a vulnerability that the vendor has no awareness of… applications have vulnerabilities, they just have not yet been identified…
82
What is a zero day attack?
An attack on an unknown vulnerability for which the vendor has no fix for this unknown problem…
83
What is an IDS?
Intrusion detection system
84
What is an IPS?
Intrusion prevention system
85
What is a SIEM?
Security information and event manager system; think Splunk
86
What is another name for malicious software?
Malware
87
Name three things that malware can do to your system
Gather information such as your keystrokes, show you advertising, encrypt your system
88
Name five malware types and methods?
Viruses, worms, ransomware, Trojan horse, root kit, key logger, spyware, bloatware, logic bomb
89
What are the ways your system gets malware?
A link in an email, a webpage pop-up, a drive-by download, a worm
90
What is the name of malware that makes your data unavailable until you provide cash? And how does it work?
Ransomware. With this malware your system will run, but because everything is encrypted it will effectively not work. Upon payment, a decryption key will be provided to you.
91
How do you protect against ransomware?
Always have a good offline backup, keep your system up-to-date with security patches, keep your antivirus/anti-malware signatures up-to-date
92
What type of malware can reproduce itself?
A virus
93
What are the four types of viruses?
A program virus which is part of an application, a boot sector virus, a script virus, a macro virus which are common in Microsoft Office
94
What type of virus is good at avoiding detection, is never installed in any file or application and operates in memory?
A fileless virus
95
What type of virus self-replicates, spreads quickly and uses a network as a transmission medium?
A worm
96
What can mitigate many worm infestations?
A firewall, an IDS, and an IPS
97
What does a fileless virus use to be restarted?
It adds an autostart entry to the registry
98
What is malware that spies on you by monitoring your browser, and capturing your key strokes?
Spyware
99
How do you protect against spyware?
Keeping your antivirus and anti-malware software up-to-date, watching for additional options during software installation, having an offsite backup
100
What do you call applications that are preinstalled on a system but are not needed and can cause a system to run slower?
Bloatware
101
To remove bloatware, what do you need to do?
Identify and remove it
103
What is the malware that captures your key strokes, including such things as login IDs, passwords, etc.?
Keyloggers
104
What is the type of malware that waits for a predefined event whether it be a date or time, or a user event?
A logic bomb
105
How do you protect against a logic bomb even though it is difficult to recognize?
Have a formal change control procedure and process, electronic monitoring of the system that alerts on any changes, constant auditing by the administrator
106
What is a root kit? And why is it difficult to deal with?
Malware that modifies core system files, in other words part of the kernel. It is not a separate task, so it won't be seen in Task Manager, and it is also invisible to traditional antivirus utilities
107
How do you find and remove a root kit?
Look for anything unusual with anti-malware scans; use a remover specific to the rootkit, which is usually built after the rootkit is discovered
108
What does secure boot with UEFI provide?
It provides security in the BIOS, which helps protect against a rootkit
109
Name four types of physical attacks?
Brute force to gain access to the server, RFID cloning, environmental attacks.
110
Which type of physical attack would use a counterfeit badge or fob?
RFID Cloning
111
Which type of physical attack would attack everything supporting the technology, the power, HVAC or any other structure/device supporting the system?
An environmental attack
112
What kind of attack forces a service to fail by overloading it?
Denial of service
113
What are the different types of denial of service?
A friendly one, a DDoS, a DDoS reflection and amplification
114
Which denial of service will turn a small attack into a big one by reflecting off of another device or service?
DDoS reflection and amplification
115
What does a DDoS reflection and amplification attack use?
It uses protocols with little if any authentication or checks. NTS, DNS, ICMP are examples
116
Which denial of service relies on an army of computers using all the bandwidth or sources? And what is the name given to this army of computers?
A distributed denial of service attack… a botnet
117
How can a friendly denial of service attack happen?
By performing network intensive operations or by using a lot of bandwidth, for example, by downloading a large file
118
What are three ways that DNS poisoning can occur?
By modifying the DNS server, modifying the client host file or by sending a fake response to a valid request (on path attack)
119
What is it called when an attacker gets access to the domain registration, which controls where all of the traffic flows?
Domain hijacking
120
What kind of attack relies on a slight change to a URL to confuse users?
URL hijacking
121
Using typosquatting/brandjacking, outright misspellings or using different top level domains are all examples of what?
Types of URL hijacking
122
What wireless standard includes a number of management features that protect against attackers?
802.11
123
Which standard protects against wireless deauth attacks? And how does it protect?
802.11w. By encrypting certain important management frames that are used in a deauth attack.
124
What kind of wireless attack prevents wireless communication by transmitting interfering wireless signals?
Radio frequency (RF) jamming; it is effectively a denial of service attack
125
What type of wireless attack is similar to RF jamming but instead sends data to jam the communications?
Wireless jamming
126
What does ARP stand for?
Address resolution protocol
127
Which attack passes the communication through the attacker who redirects the traffic and then passes it to the destination?
An on-path network attack, formerly known as a man-in-the-middle attack
128
Which attack is similar to an on-path network attack, but the attacker, using malware, proxies all of the network traffic from the same computer as the victim?
An on-path browser attack, formerly known as man-in-the-browser
129
Which attack takes advantage of the useful information from a user that is transferred over the network, including things such as cookies and session IDs?
A replay attack
130
Which type of replay attack is where the attacker captures the username and password hash and uses it to send their own request from the captured credentials?
Pass the hash
131
Which type of replay attack is where the attacker intercepts the session ID and uses it to access the server with the victim's credentials?
Session hijacking, also known as sidejacking
132
Which type of replay attack modifies the headers and or the cookies?
Header manipulation
133
What are two ways to prevent session hijacking?
Encrypt end to end using HTTPS and encrypt end to somewhere using a VPN
134
What might a layered defense use to protect against malicious code attacks?
Firewall, anti-malware and anti-virus, continuous updates and patches, using secure computing habits
135
Which type of attack allows an attacker to gain a higher access level to a system by exploiting a vulnerability within an application?
Privilege escalation
136
Which attack takes advantage of the trust that a web application has for a user? And what can be used to prevent such an attack?
Cross site request forgery, aka XSRF or CSRF… anti-CSRF tokens
137
How does a cross site request forgery attack work?
An attacker creates a funds transfer request; that request is sent as a hyperlink to a user who may already be logged into the website; the user clicks the link, which unknowingly sends the transfer request to the bank website; the bank validates the transfer and sends the funds to the attacker
138
Which type of cryptographic attack requires an attacker to generate many versions of plain text in an attempt to find a collision? And how do you protect yourself against a birthday attack?
A birthday attack. By using a large hash output size
139
What type of on-path attack rewrites the URL by removing the S from the request? And why is it dangerous?
SSL stripping, because the attacker reverts the original HTTPS request to HTTP and the user unknowingly communicates via HTTP, so all of their subsequent requests are sent in clear text
140
What form of a password attack is when the attacker might use a few common passwords against each account?
A spraying attack
141
What type of password attack would attempt to match every possible password against a user's password?
A brute force attack
142
What is an event that indicates an intrusion?
An indicator of compromise
143
What are five indicators of compromise?
Unusual amount of network activity, changes to file hash values, irregular international traffic, uncommon login patterns, spikes of read requests to certain files, DNS data changes
144
This indicator of compromise locks a user's account from a brute force attack?
Account lockout
145
This indicator of compromise shows up as an account logging in from multiple locations at the same time?
Concurrent session usage
146
This indicator of compromise shows up as a user logging into a system from two locations that are not physically possible within the timeframe of each login?
Impossible travel
147
This indicator of compromise may show up as activity at an unusual time?
Resource consumption
148
This indicator of compromise shows up when these are nowhere to be found?
System logs
149
What are the two lists that are used by an operating system to limit usage? And what are they also known as? And which one is more restrictive?
Allow list or whitelist, deny list or blacklist. The allow list is more restrictive
150
What is another name for separating the physical, logical or virtual devices on a network?
Segmenting the network
151
What is a mitigation technique that requires prompt updating of systems?
Regular Patching or updating
152
Name five mitigation techniques?
Patching, encryption, monitoring, least privilege, configuration enforcement, decommissioning
153
Which mitigation technique requires a physical device to be formatted or destroyed after initial usage?
Decommissioning
154
Which mitigation technique performs a security posture assessment upon each device connection?
Configuration enforcement
155
Which mitigation technique assigns rights and permissions to the bare minimum of what's needed to execute the system?
Least privilege
156
Which mitigation technique aggregates logging information from all the sensors (IPS, firewall logs, web server logs, DB logs, email logs, etc.)?
Monitoring
157
What does a SIEM do?
It aggregates and collects all types of sensor/logging data and provides an engine in which a user can compare and query the data. Think Splunk
158
What mitigation technique prevents easy viewing of system data? And what are some of the types?
Encryption. File system, full disk (BitLocker or FileVault), file level (Windows EFS), application data
159
What is it when you apply best practices to a system across all defense layers?
Hardening techniques
160
What does EDR stand for and what is it?
Endpoint detection and response…it is software that continuously monitors for threats and provides the ability to detect, investigate and respond to threats
161
What is software that allows or disallows incoming or outgoing application traffic and can identify and block unknown processes?
Host based firewall
162
What is a prevention system that recognizes and blocks known attacks and validates incoming service requests?
Host-based intrusion prevention system, a.k.a. HIPS
163
Name three other best practice hardening techniques?
Closing of all ports except for those that are required, require default password changes, removal of unnecessary software
164
What is another name for a layered defense?
Defense in depth