Definitions Flashcards

Question

Dictionary attacks

Answer 1

Discover passwords for common words

Answer 2

Contains a massive number of hashes. Pre-calculated hash chains. Much faster especially with longe password lengths. Specific to an app or OS.

Answer 3

Little bit of extra random data added to the password before it is hashed. If two users happen to be using exactly the same password, the hash that’s stored in the password table is going to be different.

Answer 4

Can only be done with magnetic stripe cards. The chip can't be cloned!

Answer 5

if you can sit in the middle and influence that conversation, you could have the two sides downgrade to a type of encryption that might be very easy to break.

Answer 6

only data in executable areas can run.

Answer 7

involved in preventing exploitation of memory corruption vulnerabilities.[1] In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

Answer 8

Information from 1 site could be shared with another.

Answer 9

website allows scripts to run in user input (search boxes). Script embedded in a URL. Usually through a phishing email targeting a single person

Answer 10

Attacker posts a message on a forum with malicious payload. Not a specific target, everyone who visits gets it.

Answer 11

1. SQL injection 2. XML injection - XML is a set of rules for data transfer and storage between 2 kinds of devices. 3. LDAP injection - LDAP used for storing info about authentication such as usernames, passwords, and other info about devices/users. 4. DLL injection - a way to execute some code into an application to have that application execute the code for us.

Answer 12

overwriting a buffer of memory - spills over into other memory areas. Can cause a program to exploit in a particular way. Could also crash the program. "EXCESSIVE" example in notes.

Answer 13

XSRF, CSRF - takes advantage of the trust that a web app has for the user. Requests are made without your consent or your knowledge. The application should have anti-forgery techniques added.

Answer 14

SSRF - vulnerable server - web server performs request on behalf of attacker.

Answer 15

filling the space between 2 objects (wood shim for a door and a wall). Windows has its own shim for backwards compatibility with previous versions of Windows for apps that need to run on a previous version. Malware authors write their own shims.

Answer 16

metamorphic malware - acts like a different program each time its downloaded. NOP (no-op— does nothing) or loops, or pointless code strings that make it look different and prevent antivirus/antimalware signatures from catching it.

Answer 17

forces downgrade in encryption. Forces client to fall back to SSL 3.0

Answer 18

When a program checks access permissions too far in advance of a resource request. (Ex - a person might have permissions cached in his active session until logged out, but if a permission is removed while still logged in, he will have those permissions indefinitely until he logs out).

Answer 19

1. Memory leak - unused memory not properly released. Can lead to DoS. 2. NULL Pointer reference - programming technique that references a portion of memory to nothing instead of the proper data. Can crash application. 3. Integer overflow - larger number into a smaller space.

Answer 20

Read files from a web server that are outside of the website's file directory. Shouldn't be able to browse the WINDOWS folder. Could be a software vulnerability.

Answer 21

similar to HTTP request. An application programming interface that asks web server and might go into the database.

Answer 22

1. Special DoS attack - 1 device on low bandwidth might be all that is needed. 2. ZIP bomb - a 42kb .zip file might be uncompressed to 4,500 terabytes! Easy for anti-virus to find these. 3. DHCP starvation - a single device cycles through lots of MAC addresses to try and assign IPs. Can be slowed down or stopped with switch configurations to limit the rate of DHCP requests.

Answer 23

You must authenticate to login, regardless of connection type.(like at work)

Answer 24

sending unsolicited messages to another device via Bluetooth

Answer 25

access a bluetooth-enabled device and transfer data - serious security issue.

Answer 26

Dissociate, deauthenticate, channel switch announcements, etc.

Answer 27

beacons, probes, authentication, association

Answer 28

a random number that can't be easily guessed. Initiation vectors are a type of nonce.

Answer 29

have to be on same network as the victim. Much harder to do. Data transfers still encrypted so attacker can't see login credentials.

Answer 30

You are on the same computer as the victim. All data can be seen in the clear.

Answer 31

The MAC table is only so big * Attacker starts sending traffic with different source MAC addresses – Force out the legitimate MAC addresses * The table fills up – Switch begins flooding traffic to all interfaces * This effectively turns the switch into a hub – All traffic is transmitted to all interfaces – No interruption in traffic flows * Attacker can easily capture all network traffic!

Answer 32

An attacker changes their MAC address to match the MAC address of an existing device – A clone / a spoof * Circumvent filters – Wireless or wired MAC filters – Identify a valid MAC address and copy it * Create a DoS – Disrupt communication to the legitimate MAC

Answer 33

* Modify the DNS server – Requires some crafty hacking * Modify the client host file – The host file takes precedent over DNS queries * Send a fake response to a valid DNS request – Requires a redirection of the original request or the resulting response

Answer 34

* Get access to the domain registration, and you have control where the traffic flows – You don’t need to touch the actual servers – Determines the DNS names and DNS IP addresses * Many ways to get into the account – Brute force – Social engineer the password – Gain access to the email address that manages the account – The usual things

Answer 35

Sell the badly spelled domain to the actual owner – Sell a mistake * Redirect to a competitor – Not as common, legal issues * Phishing site – Looks like the real site, please login * Infect with a drive-by download – You’ve got malware!

Answer 36

* Turn your small attack into a big attack – Often reflected off another device or service * An increasingly common DDoS technique – Turn Internet services against the victim * Uses protocols with little (if any) authentication or checks – NTP, DNS, ICMP – A common example of protocol abuse

Answer 37

* Make the application break or work harder – Increase downtime and costs * Fill the disk space – A 42 kilobyte .zip compressed file – Uncompresses to 4.5 petabytes (4,500 terabytes) – Anti-virus will identify these * Overuse a measured cloud resource – More CPU/memory/network is more money * Increase the cloud server response time – Victim deploys a new application instance - repeat

Answer 38

* The hardware and software for industrial equipment – Electric grids, traffic control, manufacturing plants, etc. * This is more than a web server failing – Power grid drops offline – All traffic lights are green – Manufacturing plant shuts down * Requires a different approach – A much more critical security posture

Answer 39

* Command line for system administrators – .ps1 file extension – Included with Windows 8/8.1 and 10 * Extend command-line functions – Uses cmdlets (command-lets) – PowerShell scripts and functions – Standalone executables * Attack Windows systems – System administration – Active Domain administration – File share access

Answer 40

* General-purpose scripting language – .py file extension * Popular in many technologies – Broad appeal and support * Commonly used for cloud orchestration – Create and tear down application instances * Attack the infrastructure – Routers, servers, switches

Answer 41

* Scripting the Unix/Linux shell – Automate and extend the command line – Bash, Bourne, Korn, C * Starts with a shebang or hash-bang #! – Often has a .sh file extension * Attack the Linux/Unix environment – Web, database, virtualization servers * Control the OS from the command line – Malware has a lot of options

Answer 42

* Automates processes within Windows applications – Common in Microsoft Office * A powerful programming language – Interacts with the operating system * CVE-2010-0815 / MS10-031 – VBA does not properly search for ActiveX controls in a document – Run arbitrary code embedded in a document – Easy to infect a computer

Answer 43

Going rogue – Working around the internal IT organization * Information Technology can put up roadblocks – Shadow IT is unencumbered – Use the cloud – Might also be able to innovate * Not always a good thing – Wasted time and money – Security risks – Compliance issues – Dysfunctional organization

Answer 44

Going rogue – Working around the internal IT organization * Information Technology can put up roadblocks – Shadow IT is unencumbered – Use the cloud – Might also be able to innovate * Not always a good thing – Wasted time and money – Security risks – Compliance issues – Dysfunctional organization

Answer 45

* There’s a reason we lock the data center – Physical access to a system is a significant attack vector * Modify the operating system – Reset the administrator password in a few minutes * Attach a keylogger – Collect usernames and passwords * Transfer files – Take it with you * Denial of service – This power cable is in the way

Answer 46

* Default login credentials * Modify the access point configuration * Rogue access point * A less-secure entry point to the network * Evil twin * Attacker collects authentication details * On-path attacks * Protocol vulnerabilities * 2017 - WPA2 Key Reinstallation Attack (KRACK) * Older encryption protocols (WEP, WPA) *WPA-2 or later on wireless networks is the standard.

Answer 47

* Tamper with the underlying infrastructure – Or manufacturing process * Gain access to a network using a vendor – 2013 Target credit card breach * Malware can modify the manufacturing process – 2010 - Stuxnet disrupts Iran’s uranium enrichment program * Counterfeit networking equipment – Install backdoors, substandard performance and availability – 2020 - Fake Cisco Catalyst 2960-X and WS-2960X-48TS-L

Answer 48

* Common Vulnerabilities and Exposures (CVE) – A community managed list of vulnerabilities – Sponsored by the U.S. Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) * U.S. National Vulnerability Database (NVD) – A summary of CVEs – Also sponsored by DHS and CISA * NVD provides additional details over the CVE list – Patch availability and severity scoring

Answer 49

– Members upload specifically formatted threat intelligence – CTA scores each submission and validates across other submissions – Other members can extract the validated data

Answer 50

* Intelligence industry needs a standard way to share important threat data – Share information freely * Structured Threat Information eXpression (STIX) – Describes cyber threat information – Includes motivations, abilities, capabilities, and response information * Trusted Automated eXchange of Indicator Information (TAXII)

Answer 51

* An event that indicates an intrusion – Confidence is high – He’s calling from inside the house * Indicators – Unusual amount of network activity – Change to file hash values – Irregular international traffic – Changes to DNS data – Uncommon login patterns – Spikes of read requests to certain files

Answer 52

* Automated vulnerability notifications * National Vulnerability Database (https://nvd.nist.gov) * CVE Data Feeds (https://cve.mitre.org) * Third-party feeds * Additional vulnerability coverage * Roll-up to a vulnerability management system * Coverage across teams * Consolidated view of security issues

Answer 53

* Published by the Internet Society (ISOC) – Often written by the Internet Engineering Task Force (IETF) – Internet Society description is RFC 1602 * Not all RFCs are standards documents – Experimental, Best Current Practice, Standard Track, and Historic * Many informational RFCs analyze threats – RFC 3833 - Threat Analysis of the Domain Name System – RFC 7624 - Confidentiality in the Face of Pervasive Surveillance: – A Threat Model and Problem Statement

Answer 54

* Tactics, techniques, and procedures – What are adversaries doing and how are they doing it? * Search through data and networks – Proactively look for threats – Signatures and firewall rules can’t catch everything

Answer 55

* The Linux root account – The Administrator or superuser account * Can be a misconfiguration – Intentionally configuring an easy-to-hack password – 123456, ninja, football * Disable direct login to the root account – Use the su or sudo option * Protect accounts with root or administrator access – There should not be a lot of these

Answer 56

* Encryption protocol (AES, 3DES, etc.) – Length of the encryption key (40 bits, 128 bits, 256 bits, etc.) – Hash used for the integrity check (SHA, MD5, etc.) – Wireless encryption (WEP, WPA) * Some cipher suites are easier to break than others – Stay updated with the latest best practices * TLS is one of the most common issues: Over 300 cipher suites * Which are good and which are bad? – Weak or null encryption (less than 128 bit key sizes), outdated hashes (MD5)

Answer 57

* Some protocols aren’t encrypted – All traffic sent in the clear - Telnet, FTP, SMTP, IMAP * Verify with a packet capture – View everything sent over the network * Use the encrypted versions- SSH, SFTP, IMAPS, etc.

Answer 58

* Accessing the code base – Internal access over a VPN – Cloud-based access * Verify security to other systems – The development systems should be isolated : the production services should be on a separate, isolated part of the network, and the development team should not have access to the production * Test the code security – Check for backdoors – Validate data protection and encryption

Answer 59

Gather information, don’t try to exploit a vulnerability

Answer 60

Think of this as someone who is out on the internet, who doesn’t have any access to your network, & this would be a scan run from their perspective. But of course, there is the perspective of someone who is on the inside of your network & trying to exploit a system. So you might want to run these types of vulnerability scans as a user who has rights & permissions to log in. This is a credential scan & it’s a way to tell how much of a vulnerability might exist if you were someone who had a little bit of access to these systems.

Answer 61

Security Information and Event Management – Logging of security events and information * Log collection of security alerts – Real-time information * Log aggregation and long-term storage – Usually includes advanced reporting features * Data correlation - Link diverse data types * Forensic analysis - Gather details after an event

Answer 62

Standard for message logging – Diverse systems, consolidated log * Usually a central log collector – Integrated into the SIEM * You’re going to need a lot of disk space – No, more. More than that. – Data storage from many devices over an extended timeframe

Answer 63

Data inputs – Server authentication attempts – VPN connections – Firewall session logs – Denied outbound traffic flows – Network utilizations Packet captures – Network packets – Often associated with a critical alert – Some organizations capture everything

Answer 64

– Detect insider threats – Identify targeted attacks – Catches what the SIEM and DLP systems might miss

Answer 65

– Public discourse correlates to real-world behavior – If they hate you, they hack you – Social media can be a barometer

Answer 66

Security orchestration, automation, and response – Automate routine, tedious, and time intensive activities Orchestration – Connect many different tools together – Firewalls, account management, email filters Automation - Handle security tasks automatically Response - Make changes immediately

Answer 67

Similar to vulnerability scanning – Except we actually try to exploit the vulnerabilities Often a compliance mandate – Regular penetration testing by a 3rd-party National Institute of Standards and Technology Technical Guide to Information Security Testing and Assessment (PDF link)

Answer 68

Initial exploitation - Get into the network Lateral movement – Move from system to system – The inside of the network is relatively unprotected Persistence – Once you’re there, you need to make sure there’s a way back in – Set up a backdoor, build user accounts, change or verify default passwords The pivot – Gain access to systems that would normally not be accessible – Use a vulnerable system as a proxy or relay

Answer 69

Combine WiFi monitoring and a GPS to know where a wireless network might be. – Search from your car or plane – Search from a drone Huge amount of intel in a short period of time – And often some surprising results All of this is free – Kismet, inSSIDer – Wireless Geographic – Logging Engine – http://wigle.net

Answer 70

Trying the doors – Maybe one is unlocked – Don’t open it yet – Relatively easy to be seen Visible on network traffic and logs Ping scans, port scans, DNS queries, OS scans, OS fingerprinting, Service scans, version scans **actively send information into this network or the devices on this network in order to gain more information about what might be there. If someone is monitoring network communication or capturing the packets on this network they will see us perform these active footprinting tasks.**

Answer 71

* Offensive security team - The hired attackers * Ethical hacking - Find security holes * Exploit vulnerabilities -Gain access * Social engineering - Constant vigilance * Web application scanning - Test and test again

Answer 72

* Defensive security - Protecting the data * Operational security - Daily security tasks * Incident response - Damage control * Threat hunting - Find and fix the holes * Digital forensics - Find data everywhere

Answer 73

* Not on a side – Manages the interactions between red teams and blue teams * The referees in a security exercise – Enforces the rules – Resolves any issues – Determines the score * Manages the post-event assessments – Lessons learned – Results

Answer 74

* Data sovereignty – Data that resides in a country is subject to the laws of that country – Legal monitoring, court orders, etc. * Laws may prohibit where data is stored – GDPR (General Data Protection Regulation) – Data collected on EU citizens must be stored in the EU – A complex mesh of technology and legalities * Where is your data stored? – Your compliance laws may prohibit moving data out of the country

Answer 75

* Data obfuscation – Hide some of the original data * Protects PII – And other sensitive data * May only be hidden from view – The data may still be intact in storage – Control the view based on permissions * Many different techniques – Substituting, shuffling, encrypting, masking out, etc.

Answer 76

* Encode information into unreadable data – Original information is plaintext, encrypted form is ciphertext * This is a two-way street – Convert between one and the other – If you have the proper key * Confusion – The encrypted data is drastically different than the plaintext * Diffusion – Change one character of the input, and many characters change of the output. Cipher for "hello world" and "hello world!" are drastically different.

Definitions Flashcards

(102 cards)