Attacks, Threats, and Vulnerabilities Flashcards

Question

Why are API calls use keys, made up of alphanumeric characters, used for?

Answer 1

to authorize requests to the web application. These keys are exposed over an unsecure connection such as HTTP. An attacker can use the key to perform other API calls.

Answer 2

will take advantage of this timing to modify data before finally using it. - it's a race condition.

Answer 3

It's when the execution processes are dependent on the timing of certain events, and those events fail to execute in the order and timing intended. Occurs when multiple threads are attempting to write at the same memory location. Attackers have used race conditions as an anti-virus evasion technique

Answer 4

the target software to calculate a value that exceeds the upper and lower bounds.

Answer 5

An object in memory. Attempting to access that memory address is called dereferencing. An integer is a positive or negative whole number.

Answer 6

Code library that intercepts and redirects calls to enable legacy mode on a system. The shim database represents a way that malware with local administrator privileges can run on reboot (persistence).

Answer 7

the problem of authorizing a request for a service that depends on an intermediate service.

Answer 8

The attacker gets access to a file outside the web server's root directory. The attack uses specific code to request for information from a web server's root directory by submitting the directory path.

Answer 9

An SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code.

Answer 10

Intercepting a key or password hash, then reusing it to gain access to a resource. Using once-only session tokens or timestamping sessions prevents this type of attack. - Cookie Stealing An attacker with system access is able to obtain keys from system memory or pagefiles/scratch disks. Privilege escalation is the practice of exploiting flaws in an operating system or other application to gain a greater level of access than intended for the user or application.

Answer 11

The attacker steals hashed credentials and uses them to authenticate to the network. Using once-only session tokens or timestamping sessions prevents this type of attack.

Answer 12

Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.

Answer 13

A service at a given host to fail or to become unavailable to legitimate users. DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion). Reconfiguring default web settings to throttle or limit calls can prevent this. AKA resource exhaustion

Answer 14

A more powerful TCP SYN flood attack where the adversary spoofs the victim's IP address and attempts to open connections with multiple servers.

Answer 15

resource exhaustion on the host's processing requests, consuming CPU cycles, and memory. This delays the processing of legitimate traffic and could potentially crash the host system completely.

Answer 16

scripted trap that runs in the event an account gets deleted or disabled. Anti-virus software is unlikely to detect this kind of malicious script or program, so the security specialist would not be able to discover the script during an investigation. The security specialist would uncover the mine once it gets executed and causes damage.

Answer 17

does not write code to disk. The malware uses memory resident techniques to run in its own process. can be classified as using low observable characteristics (LOC) attacks which can make it less intrusive than other malware. uses "live off the land" techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate scripting tools like Windows PowerShell.

Answer 18

backdoor malware that changes core system files and programming interfaces so that local shell processes no longer reveal their presence.

Answer 19

form of eavesdropping in which the attacker makes an independent connection between two victims and steals information to use fraudulently

Answer 20

if an attacker obtains the hash of a user's password, it is possible to authenticate with the hash, without cracking it

Answer 21

Is a type of Brute force attack aimed at exploiting collisions in hash functions. A collision is where a function produces the same hash value for two different plaintexts. This type of attack can forge a digital signature.

Answer 22

The programming features available in Microsoft Office file

Answer 23

Sequences of code insert themselves into another executable program. When executing the application, the virus code becomes active.

Answer 24

memory-resident viruses that replicate over network resources. The primary effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates. A worm may also be able to perform a Denial of Service attack by crashing operating systems and servers.

Answer 25

Remote Access Trojan

Answer 26

Potentially unwanted program

Answer 27

like credit card skimming RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.

Answer 28

Compared to using a familiarity/liking is riskier as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

Answer 29

Compared to using a familiarity/liking approach is riskier as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

Answer 30

is low risk. If the victim refuses the request, it is unlikely to cause suspicion and the social engineer can move to a different target without being detected.

Answer 31

Is low risk. If the victim refuses the request, it is unlikely to cause suspicion and the social engineer can move to a different target without being detected.

Answer 32

is a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker's Trojan.

Answer 33

is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one.

Answer 34

is a program that monitors user activity and sends the information to someone else. This can occur with or without the user's knowledge.

Answer 35

an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.

Answer 36

Spam in Instant Messengers

Answer 37

System on Chip

Answer 38

is an attack that compromises the process by which clients query name servers to locate the IP address for a Fully Qualified Domain Name (FQDN).

Answer 39

Is an attack where an adversary acquires a domain such as the full.com address for a company's trading name or trademark.

Answer 40

uses disassociation packets to remove a known wireless access point (WAP) from a client’s list of available networks. This is a type of DoS on wireless networks.

Answer 41

sends a stream of spoofed frames to cause a client to deauthenticate. This is a type of DoS attack on wireless networks.

Answer 42

targets vulnerabilities in the headers and payloads of specific application protocols. For example, one type of amplification attack targets DNS services with bogus queries.

Answer 43

s a network attack that involves connections between embedded system devices. The term is "operational" because these systems monitor and control physical electromechanical components.

Answer 44

changes the hardware address configured on an adapter interface or asserts the use of an arbitrary MAC address.

Answer 45

is a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Brandjacking is another term for domain hijacking.

Answer 46

is the act of continually registering, deleting, and reregistering a name within the five-day grace period without having to pay for it.

Answer 47

is a Domain Name Server (DNS) exploit that involves registering a domain temporarily to see how many hits it generates within the five-day grace period.

Answer 48

Is a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

Answer 49

consists of intercepting a key or password hash, then reusing it to gain access to a resource, such as the pass-the-hash attack.

Answer 50

refers to using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.

Answer 51

Bluetooth-discoverable device is vulnerable, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can be a vector for Trojan malware.

Answer 52

a rogue Access Point (AP) masquerading as a legitimate one.

Answer 53

occurs when the attacker compromises the web browser by installing malicious plug-ins, scripts, or intercepting API calls. Attackers can install vulnerability exploit kits on a website and will actively try to exploit vulnerabilities in clients browsing the site.

Answer 54

Occurs when the attacker would craft a malicious URL and convince the victim to submit it to the web server.

Answer 55

are data stored on a user's computer by websites that use Adobe Flash Player. A site may be able to track a user's browsing behavior through LSOs.

Answer 56

Is a network that connects two to three devices with cables.

Answer 57

Interference can disrupt a wireless network from other radio sources. One way to defeat a jamming attack is to locate the offending radio source and disable it. Another way to defeat a jamming attack is to boost the signal of the legitimate equipment.

Answer 58

Will only detect the source of interference but does not defeat or prevent it.

Answer 59

Does not provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and other software services are not encrypting the data.

Answer 60

is a redirection attack, that aims to corrupt the records held by the DNS server itself. The intention is to redirect traffic for a legitimate domain to a malicious IP address.

Answer 61

The sensor attaches to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports).

Answer 62

Uses Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on).

Answer 63

on an internetwork (a network of routed IP subnets), the attacker will want to discover how the routers connect the subnets, and whether any misconfigured gateways between subnets exist.

Answer 64

The ping command can detect the presence of a host on a particular IP address or one that responds to a particular host name. Users can apply a simple script to perform a ping sweep.

Answer 65

Security Information and Event Management (SIEM)

Answer 66

Data Loss Protection System - They can log policy violations, like the use of a USB thumb drive from a client computer. The DLP system can forward that data to a SIEM for further analysis and reporting. I can also examine mail gateways and determine if email content can be sent.

Answer 67

Security content automation protocol (SCAP) determines whether a computer meets a configuration baseline. Perform configuration reviews to ensure the system is secure and ready for production

Answer 68

A web application scanner, searches for known web exploits, such as SQL injection and cross-site scripting (XSS).

Answer 69

It's a network vulnerability scanner, tests network hosts, including client computers, and compares them with known vulnerabilities.

Answer 70

The overall analysis report which may showcase a number of incidents in the past week, or how many systems are currently on an old version of Windows.

Answer 71

Configuring appropriate data inputs, so they analyze and report an accurate account of the security of the network.

Answer 72

Is a machine learning technique of log analysis to identity intent. This can be used, for example, to monitor social media for brand "incidents," such as a customer complaining on Twitter about poor service.

Answer 73

Is a solution to the volume of alerts overwhelming an analyst's ability to respond. It analyzes an organization's store of security intelligence and uses deep learning techniques to: • automate and provide data enrichment to • improve incident response. • improve threat hunting workflows.

Answer 74

is a collector tool that allows for a centralized collection of events from multiple sources. It is an open format for event logging messages.

Answer 75

Determines whether a computer meets a configuration baseline. Perform configuration reviews to ensure the system is secure and ready for production.

Answer 76

Is a metric score between 0 to 10 based on the characteristic of the vulnerability, such as whether it can be triggered remotely or if it requires user intervention.

Answer 77

Techniques applied with security information, event management (SIEM), and threat analytics platforms. Analysts can develop queries and filters to correlate threat data from these systems.

Answer 78

Is a military doctrine term relating to obtaining positional advantage. In a defensive maneuver, an analyst can perform passive discovery techniques so that threat actors have no hint that the analyst has discovered an intrusion.

Answer 79

may initiate updates to security policies and even signatures, to ensure security administrators can monitor those threats.

Answer 80

Using the network mapper (Nmap) tool to obtain information about a host or network topology - Non-intrusive footprinting is limited to packet sniffing.

Answer 81

the consultant has complete access to information about the network. Sometimes the consultant will conduct this type of test, as a follow-up to a black box test, to fully evaluate flaws discovered during the black box test. - No Recon Needed!!!

Answer 82

The white team is responsible for setting the rules of engagement and monitors the penetration testing exercise.

Answer 83

The purple team members act as facilitators during a purple team exercise. This type of exercise involves collaboration between red and blue teams during breaks throughout the exercise.

Answer 84

War flying is war driving, but in the air with a drone or unmanned aerial vehicle (UAV). This maps the location and type of wireless networks operated by the target.

Answer 85

Persistence followed by further reconnaissance, occurs when the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it.

Answer 86

During a black box pen test, the consultant has no privileged information about the network, its security systems, and its configuration. Black box tests are useful for simulating the behavior of an external threat.

Answer 87

Action on objectives is the very last step of a penetration test after establishing a pivot point and escalating privileges. This step is basically data exfiltration.

Answer 88

Log aggregation refers to normalizing data from different sources so that it is consistent and searchable. This makes it easier to integrate with dynamic reporting engines.

Answer 89

If the pointer is set to a null value by a malicious process, this creates a null pointer exception, and the process will crash. Programmers can use logic statements to test that a pointer is not null before trying to use it.

Attacks, Threats, and Vulnerabilities Flashcards

(113 cards)