Exam Prep Flashcards

The final iteration. Learn these, and hopefully you'll be fine! (47 cards)

1
Q

What does the term ‘Something you know’ mean in the context of Authentication in Security?

A

Something you know - A secret, memorised piece of information like a password or PIN

2
Q

What does the term ‘Something you have’ mean in the context of Authentication in Security?

A

Something you have - A material possession such as a device or physical object, which can be used to prove your identity

3
Q

What does ‘Something you are’ mean in the context of Authentication in Security?

A

Something you are - A biologically inherent feature unique to the individual, i.e. a biometric such as a fingerprint, face or iris pattern

4
Q

How does DNS Spoofing work?

A

A DNS resolver is tricked into caching a forged record, so that a domain name maps to an IP address chosen by the attacker (for example by racing a spoofed DNS reply against the resolver's outstanding query).
Future queries for that domain are then answered from the poisoned cache and redirected to a malicious server controlled by the attacker.

5
Q

What additional attacks can be performed after a successful DNS Spoofing attack?

A

Man-in-the-middle attack: The malicious server relays requests to the real server and returns its responses, so the session looks normal whilst the attacker intercepts (and can alter) data such as usernames and passwords

Phishing:
Users are redirected to a fake copy of the website, where they unknowingly enter sensitive credentials

6
Q

What is an example attack that could affect Confidentiality in terms of Security?

A

Brute-force password attacks attempting to guess user credentials so that the attacker may access private information

7
Q

What is an example attack that targets Integrity in terms of Security?

A

An attacker altering database entries to manipulate financial records

8
Q

What is an example attack that could affect Availability in terms of Security?

A

A Denial-of-Service attack which aims to make a service unavailable

9
Q

What is an issue that could occur regarding TOCTTOU (Time of Check to Time of Use)?

A

The issue occurs when a program checks a resource for a certain condition and later uses the resource on the strength of that check. If an attacker can change the resource (or what its name refers to) between the check and the use, they can exploit the timing window, a race condition, to bypass the security control.

10
Q

What is an example of a possible problem that could arise from the issue that occurs with TOCTTOU (Time of Check to Time of Use)?

A

A privileged (e.g. setuid) program checks that the requesting user owns myfile and may write to it, then opens it. If, between the check and the open, the attacker replaces myfile with a symbolic link to a sensitive file such as the password file, the open follows the link and the program writes to the sensitive file with its elevated privileges, inadvertently allowing unauthorised access or modification.
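
The race on card 10, simulated in Python as an added example (not from the original deck). It assumes a POSIX system with symlinks and O_NOFOLLOW (Linux or macOS), and the "attacker" is a callback invoked inside the race window, standing in for a concurrent process. The vulnerable version checks a name with os.access() and then opens the name again; the safe version opens first, refusing symlinks, and checks the object it actually opened through the file descriptor, which the attacker cannot re-point.

```python
import os
import stat
import tempfile

# Added illustration of card 10; not from the original page. The "attacker" is a callback
# that swaps a symlink inside the race window, standing in for a concurrent process.


def write_note_vulnerable(path, data, attacker=lambda: None):
    """Check-then-use on a *name*: os.access() and open() resolve the path separately."""
    if not os.access(path, os.W_OK):          # time of check: follows the symlink
        raise PermissionError(path)
    attacker()                                 # race window: the name is re-pointed
    with open(path, "w") as f:                 # time of use: follows the *new* target
        f.write(data)


def write_note_safe(path, data, expected_uid, attacker=lambda: None):
    """Open first, refusing symlinks, then check the object we actually opened via its fd."""
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)   # a symlink here fails with ELOOP
    try:
        st = os.fstat(fd)                      # properties of the opened object, not the name
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            raise PermissionError("not a regular file owned by the expected user")
        attacker()                             # too late: the fd is bound to the inode
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo():
    """Run both versions against a constructed directory; returns what each one did."""
    with tempfile.TemporaryDirectory() as d:
        sensitive = os.path.join(d, "passwd")  # stands in for the password file
        mine = os.path.join(d, "myfile")       # the file the user legitimately owns
        link = os.path.join(d, "victim_link")  # the name handed to the program

        def reset():
            with open(sensitive, "w") as f:
                f.write("root:x:0:0\n")
            with open(mine, "w") as f:
                f.write("")
            if os.path.lexists(link):
                os.unlink(link)
            os.symlink(mine, link)

        def swap():                            # attacker re-points the link at the sensitive file
            os.unlink(link)
            os.symlink(sensitive, link)

        result = {}
        reset()
        write_note_vulnerable(link, "pwned\n", swap)
        with open(sensitive) as f:
            result["vulnerable_sensitive"] = f.read()   # the sensitive file was overwritten

        reset()
        try:
            write_note_safe(link, "pwned\n", os.getuid(), swap)
            result["safe_blocked"] = False
        except OSError:
            result["safe_blocked"] = True                 # O_NOFOLLOW rejected the symlink
        with open(sensitive) as f:
            result["safe_sensitive"] = f.read()           # unchanged

        reset()
        write_note_safe(mine, "note\n", os.getuid(), swap)   # legitimate use still works
        with open(mine) as f:
            result["safe_note"] = f.read()
        return result


if __name__ == "__main__":
    print(demo())
```

The fix is not "check faster": it is to stop checking the name at all and to make every decision on the file descriptor, which refers to one fixed inode no matter what the directory entry does afterwards.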

11
Q

What is Controlled Invocation?

A

Used by Operating Systems to allow user-mode programs (Ring 3) to safely execute privileged operations that exist in kernel mode (Ring 0). This is done through system calls, which are pre-defined, tightly controlled entry points that switch the CPU into kernel mode temporarily.

12
Q

How does Controlled Invocation make it hard for attackers to circumvent?

A

- Direct access to kernel code and memory is blocked: the CPU enforces the privilege levels (rings)
- System call arguments are validated by the kernel before use (and calls can be audited)
- The transition is mediated by the hardware and the OS through a trap instruction, interrupt or exception that lands only on kernel-defined entry points; a standard user-mode process cannot forge a jump to an arbitrary kernel address

13
Q

What is an SQL Injection attack?

A

It occurs when a webpage constructs SQL queries by concatenating unsanitised user input directly into the query string. This allows attackers to inject malicious SQL code, potentially gaining unauthorised access, modifying data or deleting database content.

14
Q

How can you prevent an SQL Injection attack?

A
  • Parameterised (prepared) queries that bind input values rather than concatenate them; this is the primary defence
  • Sanitise user inputs to filter or escape special SQL characters (a secondary measure only, since escaping rules are database-specific and easy to get wrong)
  • Use established libraries (ORMs, query builders) that abstract query construction and enforce secure practices

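
The attack on card 13 and the primary defence on card 14 side by side, as an added example that is not part of the original deck. It uses the standard-library sqlite3 module with an in-memory users table and two payloads constructed for the demo; the table layout and the login function are assumptions for illustration.

```python
import sqlite3

# Added example for cards 13 and 14; not from the original page. The users table and its
# rows are constructed here so the snippet runs offline.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation: user input becomes part of the SQL syntax."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values; they can never alter the statement."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Two classic payloads, constructed for the demo.
COMMENT_OUT = "alice' --"      # closes the string literal and comments out the password check
TAUTOLOGY = "' OR '1'='1"      # makes the WHERE clause true for every row


def demo():
    conn = make_db()
    return {
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, ""),
        "safe_comment": login_safe(conn, COMMENT_OUT, ""),
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "safe_tautology": login_safe(conn, "nobody", TAUTOLOGY),
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15} -> {row}")
```

With the concatenated query, "alice' --" logs in as the admin with an empty password, and the tautology payload returns the first row of the table; the parameterised version returns no row for either, because the payload is compared as a literal username or password rather than parsed as SQL.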
15
Q

How does Signature-based Detection work in regards to viruses?

A

Signature-based Detection relies on maintaining a database of known malware signatures (byte patterns or hashes). When a file is scanned, its contents are compared against the database; a match identifies known malware, but malware with no signature yet (new or polymorphic) is missed.

16
Q

How does Heuristic-based Detection work in regards to viruses?

A

Heuristic-based detection will scan a program for suspicious patterns or behaviours that are indicative of malware, such as self-modifying code or attempts to access system areas.

17
Q

How are Digital Signatures defined?

A

Digital Signatures are cryptographic values created by hashing a message and then signing the hash with the sender's private key (in the textbook RSA description, "encrypting" the hash with the private key).

18
Q

How can you verify a digital signature?

A

To verify:
- Apply the sender's public key to the signature to recover the hash it was made over (in RSA terms, "decrypt" it with the public key)
- Re-hash the received message
- If the two hashes match, the signature is valid; otherwise the message was altered or was not signed by the holder of the private key

19
Q

How do you secure passwords stored in a password database?

A
  • Salt each password with a unique random value before hashing, and store the salt alongside the hash
  • Hash the passwords with a deliberately slow (computationally expensive) password hashing function such as bcrypt, scrypt, Argon2 or PBKDF2, in order to slow down brute-force and dictionary attacks until they are impractical

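
Both points on card 19 in working code, added here as an example rather than taken from the deck. It uses PBKDF2-HMAC-SHA256 from the standard library (bcrypt, scrypt or Argon2 would do equally well); the record format and the helper names are assumptions, and the iteration count is OWASP's recommendation for this algorithm, which you should tune to your own hardware.

```python
import hashlib
import hmac
import os

# Added example for card 19; not from the original page. PBKDF2-HMAC-SHA256 is used because
# it ships with the standard library; bcrypt, scrypt or Argon2 are equally good choices.
# 600,000 iterations is OWASP's recommendation for PBKDF2-HMAC-SHA256 (an assumption for
# this example; tune it so one verification takes tens of milliseconds on your servers).
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, cost, per-password salt and the hash."""
    salt = os.urandom(16)                     # fresh random salt every time
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported password hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record was made with a lower cost than current policy; rehash at next login."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```

Because the salt is random, hashing the same password twice yields two different records, so an attacker cannot precompute a table or crack many accounts with one guess; storing the iteration count in the record lets you raise the cost later and transparently upgrade old hashes when users next log in.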
20
Q

How could you defend a network from any outside threats? List as many as you can remember

A

DMZ - Increases the resilience of the internal network by placing external-facing services (web, mail, DNS) in a demilitarised zone between the Internet and the internal network, typically separated by two firewalls (or one multi-homed firewall), so that a compromise of a public service does not give direct access to internal hosts
Segmented Network - Divide the network into smaller segments with filtering between them, to limit lateral movement and stop malware spreading freely across the whole network
Anti-virus/anti-malware - Prevent malware from entering the network or being run on its hosts
Maintain regular back-ups - If malware does compromise the network, you can purge the affected systems and restore them to a previous known-good state

21
Q

What is a Denial of Service Amplification attack?

A

This type of attack sends a small request to a third-party server that generates a much larger response. The attacker spoofs the victim's IP address as the source of the request, so the server sends the large response to the victim instead of the attacker, overwhelming the victim's network with many times the traffic the attacker had to send.

22
Q

What is an example of a DoS Amplification attack scenario?

A

The attacker sends a small DNS query (for example for a large record type such as ANY) to an open DNS resolver, with the source address spoofed as the victim's IP. The resolver returns a response that is many times larger, which is delivered to the victim.

23
Q

What is the formal definition of a packet filter?

A

A packet filter makes decisions based on IP addresses, ports and protocol types. It specifies what types of packets are allowed or are dropped depending on these factors.

24
Q

What is the formal definition of an Application Gateway?

A

An application gateway operates at the application layer: it understands the protocol the application uses (e.g. HTTP, FTP, SMTP) and inspects the commands and content being exchanged. It blocks traffic when unexpected commands or abnormal protocol behaviour appear, rather than judging packets by addresses and ports alone.

25
Q

How does Transport Mode in IP Security affect packets?

A

Transport Mode (with ESP) encrypts only the payload of the IP packet and leaves the original IP header intact. Because the header is not encrypted, metadata such as the source and destination IP addresses remain visible on the wire. (AH, the other IPsec protocol, authenticates but does not encrypt.)

26
Q

How does Tunnel Mode affect packets in IP Security?

A

Tunnel Mode encrypts the entire original IP packet, header included, and wraps it in a new outer IP header. It is typically used between gateways that encrypt and forward packets on behalf of the networks behind them, so only the gateway addresses are exposed and the inner addresses and payload stay private.
27
Q

How does a client check the validity of a machine using a digital signature and a public key certificate?

A

- The client receives the server's certificate (containing its public key) together with a digital signature made by the server over the handshake data
- It verifies the Certificate Authority's signature on the certificate using the CA's public key from the local trust store, following the chain of any intermediate certificates up to a trusted root
- It checks that the certificate has not expired and that its subject matches the domain being contacted
- It then uses the public key in the certificate to verify the server's own signature, proving the server holds the matching private key
- If every check succeeds, the machine is who it claims to be; if any check fails, the connection is rejected
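
Cards 17, 18 and 27 worked through in one added example (not code from the original deck): hash-then-sign and verify with RSA, then a minimal certificate issued by a CA and the client-side checks in the order above. The primes, the JSON "certificate" format, the handshake transcript and the timestamps are all constructed for the demo; real systems use 2048-bit keys, X.509 and a vetted library, never hand-rolled RSA, and the hash is reduced modulo n only because the toy keys are small.

```python
import hashlib
import json

# Added example for cards 17, 18 and 27; not the page's own code. The RSA keys are built from
# small, fixed, publicly known primes so the example runs offline; that and reducing the hash
# modulo n are assumptions made only to keep the toy small. Real systems use 2048-bit keys and
# a vetted library, never hand-rolled RSA.
E = 65537
CA_PRIMES = (1_000_000_007, 998_244_353)
SERVER_PRIMES = (2_147_483_647, 1_000_000_009)


def make_keypair(primes):
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))         # private exponent
    return (n, E), (n, d)                      # (public key, private key)


def message_hash(message, n):
    """Hash the message, then reduce below the (toy-sized) modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Card 17: hash, then apply the private key ('encrypt the hash')."""
    n, d = private_key
    return pow(message_hash(message, n), d, n)


def verify(message, signature, public_key):
    """Card 18: apply the public key ('decrypt'), re-hash, compare."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(message, n)


def encode(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, subject, subject_public, not_after):
    """The CA signs (subject, public key, expiry): a minimal stand-in for an X.509 certificate."""
    body = {"subject": subject, "public_key": list(subject_public), "not_after": not_after}
    return {"body": body, "ca_signature": sign(encode(body), ca_private)}


def validate_server(cert, trusted_ca_public, expected_domain, handshake, handshake_sig, now):
    """Card 27: the client's checks, in order; returns 'trusted' or the reason for rejection."""
    if not verify(encode(cert["body"]), cert["ca_signature"], trusted_ca_public):
        return "reject: CA signature invalid"         # forged or tampered certificate
    if now > cert["body"]["not_after"]:
        return "reject: certificate expired"
    if cert["body"]["subject"] != expected_domain:
        return "reject: domain mismatch"
    server_public = tuple(cert["body"]["public_key"])
    if not verify(handshake, handshake_sig, server_public):
        return "reject: server signature invalid"      # server does not hold the private key
    return "trusted"


if __name__ == "__main__":
    ca_public, ca_private = make_keypair(CA_PRIMES)
    server_public, server_private = make_keypair(SERVER_PRIMES)
    cert = issue_certificate(ca_private, "example.test", server_public, not_after=2_000_000_000)
    handshake = b"client-random|server-random|key-share"   # constructed handshake transcript
    sig = sign(handshake, server_private)
    print(validate_server(cert, ca_public, "example.test", handshake, sig, now=1_700_000_000))
```

Note the two separate trust steps: the CA's signature vouches for the binding between the domain and the public key, and the server's own signature over the fresh handshake proves possession of the matching private key. Changing a single field of the certificate body breaks the CA signature, which is why the check on the chain comes before expiry and domain.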
28
Q

How does the OS elevate privileges in regards to executing software?

A

When user-mode code needs to perform a privileged operation, it invokes a system call. The system call is a controlled entry point from Ring 3 (user mode) into Ring 0 (kernel mode): the CPU switches to kernel-mode execution, the kernel validates the request and executes the requested function, and on completion the CPU returns to user mode and the program resumes.
29
Q

What kind of defensive software can be put in place to prevent/mitigate zero-day exploits?

A

Machine learning/anomaly-based anti-virus - Flags behaviour that deviates from a learned baseline of normal system activity, so it does not depend on having a signature for the specific exploit.
Behaviour-based Intrusion Detection Systems - Work in a similar way, but only detect and alert on the exploit; an Intrusion Prevention System (IPS) additionally blocks it.
30
Q

How are cookies used to track data regarding users across multiple websites?

A

When a user visits a website that embeds third-party content (adverts, scripts, images), that third party can set a cookie in the user's browser. If the user later visits another site that embeds content from the same third-party domain, the browser sends that cookie again, so the third party can link both visits and gradually build up a profile of the user's habits and browsing history.

31
Q

How can you avoid cookies tracking your data?

A

- Block third-party cookies in browser settings
- Use privacy-focused browsers
- Enable private browsing modes
- Use browser features that delete cookies automatically after each session
32
Q

What's an example service that affects availability? Also give an example of further security measures that could be implemented to this service that may inadvertently affect availability

A

SSH - Handles remote server administration. Adding rate limiting (capping the number of connection attempts per source in a time window) protects against brute-force logins, but if set too aggressively it may lock out legitimate administrators, inadvertently reducing availability.
33
Q

What is Discretionary Access Control?

A

Discretionary Access Control (DAC) means the owner of a resource decides who may access it: the owner of a file or resource sets its access permissions for everyone else, at their own discretion.

34
Q

How does Discretionary Access Control work in regards to the OS?

A

- Identify the user ID (and group IDs) of the requesting process
- Retrieve the owner, group and permission bits of the target file
- Compare the UID with the file owner: if they match, the owner permissions apply; otherwise, if one of the process's groups matches the file's group, the group permissions apply; otherwise the "other" permissions apply
- Grant or deny the operation based on whether that single permission class contains the requested right (read, write or execute)
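
The check on card 34 as an added example, not code from the deck. The inodes, user IDs and group IDs are constructed (group 42 standing in for "shadow" is an assumption); the algorithm is the classic Unix owner/group/other rule, including the superuser bypass and the detail the exam answer glosses over: exactly one class applies, so an owner with fewer bits than "other" still gets the owner bits.

```python
import stat
from dataclasses import dataclass

# Added example for cards 33 and 34; not from the original page. Inodes and user IDs below are
# constructed; the algorithm is the classic Unix owner/group/other check.
R, W, X = 4, 2, 1          # permission bits within one class


@dataclass(frozen=True)
class Inode:
    owner_uid: int
    group_gid: int
    mode: int              # permission bits, e.g. 0o640


def dac_allows(uid, gids, inode, wanted):
    """Return True if the process (uid, gids) may perform `wanted` (a mask of R/W/X) on `inode`."""
    if uid == 0:
        # The superuser bypasses DAC (Linux: CAP_DAC_OVERRIDE), except that executing a file
        # still requires at least one execute bit to be set.
        return not (wanted & X) or bool(inode.mode & 0o111)
    # Exactly one class applies: owner, else group, else other. There is no fall-through.
    if uid == inode.owner_uid:
        bits = (inode.mode >> 6) & 0o7
    elif inode.group_gid in gids:
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    return (bits & wanted) == wanted


def describe(inode):
    """Render the mode the way `ls -l` does, for readability."""
    return stat.filemode(stat.S_IFREG | inode.mode)


if __name__ == "__main__":
    passwd = Inode(owner_uid=0, group_gid=0, mode=0o644)
    shadow = Inode(owner_uid=0, group_gid=42, mode=0o640)   # group 42 = "shadow" (assumption)
    for name, inode in (("passwd", passwd), ("shadow", shadow)):
        print(name, describe(inode), "uid 1000 read:", dac_allows(1000, {1000}, inode, R))
```

A file with mode 0o075 owned by alice is the instructive case: every other user can read it, but alice herself cannot, because the owner class is selected first and consulted alone. This is also why DAC gives the owner no protection against their own compromised processes, the limitation card 39 points to.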
35
Q

What can be deployed to prevent a Buffer Overflow from causing issues by the OS?

A

- Stack canaries - a secret value placed before the saved return address; if a stack buffer overflow overwrites it, the mismatch is detected before the function returns
- Data Execution Prevention / non-executable stack - memory that holds data cannot be executed, so injected shellcode on the stack will not run
- Address Space Layout Randomisation (ASLR) - randomises where the stack, heap and libraries are mapped, so an attacker cannot rely on fixed addresses
36
Q

How can an attacker use persistent cookies to attack other websites?

A

If an attacker obtains a victim's session cookie (for example through XSS, by sniffing an unencrypted connection, or via malware on the victim's machine), they can present it to the website and be treated as that user without ever knowing their password. This is known as session hijacking, and a persistent cookie extends the window in which the stolen value remains valid.

37
Q

How do you protect against compromised persistent cookies?

A

- Mark cookies HttpOnly to prevent JavaScript (and therefore XSS) from reading them
- Set the Secure flag so they are only ever sent over HTTPS
- Use server-side mechanisms such as token rotation, short expiry and IP/session binding to detect and block suspicious reuse of session cookies (binding to a client IP can lock out legitimate users whose address changes, e.g. on mobile networks, so apply it with care)
38
Q

How does encryption affect the performance of a signature-based detection system?

A

It hinders it drastically: encrypted traffic (e.g. TLS) or encrypted/packed files hide the contents, so there is nothing for the signatures to pattern-match against unless the data is decrypted first (e.g. TLS inspection at a proxy, or unpacking the file before scanning).
39
Q

In Linux's version of DAC, what limitations are there in a high-security environment?

A

Because DAC leaves permissions at the owner's discretion, protection is only as strong as each owner's decisions: if the owner account (or any process running as the owner) is compromised, the attacker can change the access rights for every user of that object, or open it up entirely. High-security environments therefore add system-enforced policies that users cannot change even for files they own, i.e. Mandatory Access Control such as SELinux or AppArmor on Linux.
40
Q

What is the concept of least privilege?

A

It states that users and processes should have only the minimum access rights necessary to perform their tasks, and no more.

41
Q

What is an example of how the principle of least privilege protects the system?

A

If a user account has no administrative rights, then malware running under that account cannot install drivers or alter system files; the damage is confined to what that account could already reach.
42
Q

What is a stateless firewall?

A

A stateless firewall inspects each packet in isolation against a fixed rule set (addresses, ports, protocol), with no memory of previous packets.

43
Q

What is a stateful firewall?

A

A stateful firewall tracks the state of each connection (e.g. the TCP handshake) in a connection table and applies rules in the context of that session.

44
Q

What can stateful firewalls protect that stateless firewalls cannot?

A

- TCP connection hijacking - detects packets that are invalid for the connection's expected state
- Spoofed responses - verifies that an inbound packet matches an existing, locally initiated connection rather than accepting anything with a plausible source port
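
Cards 23 and 42 to 44 in one added example (not code from the deck): a stateless packet filter and a stateful firewall run over the same constructed packets. The rule set, the "inside" prefix, the 203.0.113.0/24 documentation addresses and the three-state TCP tracking are assumptions for illustration; a real stateful firewall tracks more states, sequence numbers and timeouts.

```python
from dataclasses import dataclass

# Added example for cards 23 and 42 to 44; not from the original page. Addresses, ports and
# the rule set are constructed (10.0.0.0/8 is the "inside"; 203.0.113.0/24 is documentation
# address space standing in for the Internet).
INSIDE_PREFIX = "10."
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str = ""        # TCP flags as letters: "S" SYN, "SA" SYN+ACK, "A" ACK, "R" RST


def is_inside(addr):
    return addr.startswith(INSIDE_PREFIX)


def stateless_allow(pkt):
    """Cards 23/42: each packet judged alone by address, port and protocol rules."""
    if pkt.proto != "tcp":
        return False
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport in WEB_PORTS:
        return True                                   # outbound web
    if is_inside(pkt.dst) and not is_inside(pkt.src) and pkt.sport in WEB_PORTS:
        return True                                   # "replies": anything from port 80/443
    return False


class StatefulFirewall:
    """Card 43: remembers connections the inside opened and admits only consistent replies."""

    def __init__(self):
        self.table = {}    # (client, cport, server, sport) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def allow(self, pkt):
        if pkt.proto != "tcp":
            return False
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.table:
                if pkt.flags == "S" and pkt.dport in WEB_PORTS:   # new outbound connection
                    self.table[key] = "SYN_SENT"
                    return True
                return False                                     # outbound without a SYN
            if self.table[key] == "SYN_RECV" and "A" in pkt.flags:
                self.table[key] = "ESTABLISHED"                  # handshake complete
            return True
        # Inbound: must match a connection the inside opened, in a state that expects it.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False                                         # unsolicited or spoofed
        if state == "SYN_SENT":
            if pkt.flags == "SA":
                self.table[key] = "SYN_RECV"
                return True
            return False                                         # data/ACK before the handshake
        return True

    def state(self, pkt):
        return self.table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))


if __name__ == "__main__":
    fw = StatefulFirewall()
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp", "S")
    spoof = Packet("203.0.113.99", 443, "10.0.0.5", 40000, "tcp", "A")
    print("stateless lets spoofed reply in:", stateless_allow(spoof))
    fw.allow(syn)
    print("stateful lets spoofed reply in:", fw.allow(spoof))
```

The stateless filter has to admit every packet with source port 443 so that real replies get through, which is exactly what a spoofed response exploits; the stateful firewall admits the reply only from the peer the inside host actually contacted, and only once the handshake has reached a state in which that packet makes sense.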
45
Q

What is a short definition of User Account Control in Windows?

A

UAC prompts users for confirmation (or for an administrator's credentials) before allowing a process to run with elevated privileges. It is inherently a privilege elevation mechanism: it limits silent elevation by malware, though Microsoft does not treat it as a hard security boundary.

46
Q

What are two other systems that Windows contains to protect Integrity?

A

BitLocker - Full-disk encryption that prevents data from being read or tampered with offline if the device is lost or stolen
Secure Boot - Ensures that only trusted, signed firmware components and boot loaders run during system start-up, preventing rootkits and boot-time malware
47