Quiz Questions from Lessons Flashcards

1
Subnet Spoofing
Generate random addresses within a given address space.
2
Random Spoofing
Generate 32-bit numbers and stamp packets with them.
3
Fixed Spoofing
The spoofed address is the address of the target.
4
Server Application DOS attack
The attack is targeted to a specific application on a server.
5
Network Access DOS attack
The attack is used to overload or crash the communication mechanism of a network.
6
Infrastructure DOS attack
The motivation of this attack is a crucial service of a global internet operation, for example a core router.
7
Random Scanning
Each compromised computer probes random addresses.
8
Permutation Scanning
All compromised computers share a common pseudo-random permutation of the IP address space.
9
Signpost Scanning
Uses the communication patterns of the compromised computer to find new targets.
10
Hitlist Scanning
A portion of a list of targets is supplied to a compromised computer.
11
Which of these are reasons why the UDP-based NTP protocol is particularly vulnerable to amplification attacks?
A small command can generate a large response.
Vulnerable to source IP spoofing.
It is difficult to ensure computers communicate only with legitimate NTP servers.
12
The server must reject all TCP options because the server discards the SYN queue entry. T or F?
True
13
With regards to a UDP flood attack, which of the following statements are true:
Attackers can spoof the IP address of their UDP packets
Firewalls cannot stop a flood because the firewall is susceptible to flooding.
14
Client puzzles should be stateless
True
15
Puzzle complexity should increase as the strength of the attack increases.
True
16
Which of the following are assumptions that can be made about Traceback?
Attackers may work alone or in groups
17
Select all the statements that are true for edge sampling:
Multiple attackers can be identified since edge identifies splits in reverse path
Requires space in the IP packet header
18
Self defense against reflector attacks should incorporate:
Server redundancy - servers should be located in multiple networks and locations.
Traffic limiting - traffic from a name server should be limited to reasonable thresholds.
19
Deep web
It is not indexed by standard search engines
20
Dark web
Web content that exists on darknets
21
Surface web
Readily available to the public, and searchable with standard search engines
22
Doorway pages
A webpage that lists many keywords, in hopes of increasing search engine ranking. Scripts on the page redirect to the attacker's page.
23
Crypters
A program that hides malicious code from anti-virus software
24
Blackhat Search Engine Optimizer
It increases traffic to the attacker's site by manipulating search engines.
25
Trojan Download Manager
Software that allows an attacker to update or install malware on a victim’s computer.
26
What are the two defining characteristics of internet spam?
Inappropriate or irrelevant
Large number of recipients
27
Name the top three countries where spam-directed visitors added items to their shopping cart:
United States
Canada
Philippines
28
Which events should trigger a penetration test?
Applications are added or modified
End user policies are changed
Security patches are installed
Infrastructure is added or modified
29
List the steps attackers used to access RSA’s Adobe Flash software:
Identify employees that are vulnerable
Craft an email subject line that entices an employee to open it
Hide an executable file in the email that will install onto the victim's computer when the email is opened
30
Flash or CD Autoplay Attack
A flash is created that has a program that creates a connection to the exploit server
31
Reverse Shell Applet Attack
A signed Java applet is sent to the user, if they accept it, a shell is sent back to the exploit server.
32
Click Logger Attack
Used to determine which users click on links in emails
33
Download Connection Attack
An email contains an attachment. When the attachment is downloaded a connection is made to the exploit server.
34
On this pie chart, what are the top three industries that were targets of cyber attacks in 2016?
Defense contractor
Restaurant
Software
35
Tier One
A network can reach every other network through peering.
36
Tier Two
A network that peers some of its network access and purchases some of it.
37
Tier Three
A network that purchases all transit from other networks
38
IP provides only best effort delivery, it is not guaranteed.
True
39
Due to the connectionless nature of IP, data corruption, packet loss, duplication, and out-of-order delivery can occur.
True
40
Network layer controls can protect the data within the packets as well as the IP information for each packet.
True
41
IP information cannot be protected by transport layer controls.
True
42
Address Resolution Protocol (ARP)
protocol designed to map IP network addresses to the hardware addresses used by a data link protocol
43
Open Shortest Path First (OSPF)
protocol uses a link state routing algorithm and falls into the group of interior routing protocols
44
Border Gateway Protocol (BGP)
protocol designed to exchange routing and reachability information among autonomous systems (AS)
45
Denial of Service
Create a false route or kill a legitimate one.
46
Sniffing
The attacker must control a device along the victim's communication path.
47
Routing to Endpoints in Malicious Networks
The first step is to hijack traffic from a legitimate host
48
Creating Route Instabilities
Not yet used by hackers because damage cannot be contained. It can blow back on the attacker.
49
Revelation of Network Topologies
Unmasking the AS relationships by hacking the routing table
50
Domain name
A name in the DNS format
51
DNS zone
A set of names under the same authority (i.e. ".com")
52
Delegation
Transfer of authority for/to a subdomain
53
Changing a domain name into an IP address involves a large number of steps. To save time, the records are <> on a local server for reuse later
cached
54
Each record has a <> that states how long a record can be kept for future use.
TTL
55
All domain names and IP addresses are stored at the Central Registry.
True
56
It can take several days for information to propagate to all DNS servers.
True
57
The attacker’s server responds with a short TTL record. The attacker needs to register a domain and delegate it to a server under his control. The attacker exploits the same origin policy
True
58
Using Components with Known Vulnerabilities
Uses unpatched third party components.
59
Missing Function Level Access Control
Privilege functionality is hidden rather than enforced through access controls
60
Sensitive Data Exposure
Abuses lack of data encryption
61
Security Misconfiguration
Exploits misconfigured servers.
62
Insecure Direct Object References
Attackers modify file names
63
Cross Site Scripting
Inserts JavaScript into trusted sites.
64
Broken Authentication and Session
Program flaws allow bypass of authentication methods.
65
Injection
Modifies back-end statement through user input
66
Given the list of attributes, which 2 should not be combined? Put a check next to the 2 attributes that should not be combined in sandbox
allow-same-origin
allow-scripts
67
CSP will allow third party widgets (e.g. Google +1 button) to be embedded on your site.
True
68
If you have third party forum software that has inline script, CSP cannot be used
false
69
CORS allows cross-domain communication from the browser
CORS requires coordination between the server and client
true
70
CORS is not widely supported by browsers
The CORS header can be used to secure resources on a website
false
71
The token must be stored somewhere
Tokens expire, but there should still be mechanisms to revoke them if necessary
true
72
Active session hijacking involves disconnecting the user from the server once that user is logged on.
Social engineering is required to perform this type of hijacking.
true
73
Select all of the items that can be encrypted by HTTPS
Request URL
Query parameters
Headers
Cookies
74
Which of the following are real disadvantages to using HTTPS
You need to buy an SSL certificate
Mixed modes issue - loading insecure content on a secure site
Proxy caching problems - public caching cannot occur
75
According to Wikipedia, which of these devices is a mobile device?
Smart phone held by person
Self Driving car
Robot
76
List the four areas of the C based toolchain where hardening can occur
Configuration
Preprocessor
Compiler
Linker
77
A Botnet is a <> of bots controlled by a <>. It is a key platform for <> and other <> exploits. More precisely, a coordinated group of malware instances that are controlled via command and control (C&C) channels. C&C architectures: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
network, Bot Master, fraud, for-profit, attacker
true
78
Which of these behaviors are indicative of botnets?
Linking to an established C&C server
Generating Internet Relay Chat (IRC) traffic using a specific range of ports
Generating SMTP emails/traffic
Reducing Generating SIMULTANEOUS IDENTICAL DNS requests is suspicious
79
What can botnets do to evade C-plane clustering?
Manipulate communication patterns.
Introduce noise (in the form of random packets) to reduce similarity between C&C flows
80
What can botnets do to evade A-plane monitoring?
Perform slow spamming
Use undetectable activities (spam sent with Gmail, download exe from HTTPS server)
81
Which of the information should be considered in order to identify the source (perpetrator) of an APT attack?
Source IP address of TCP-based attack packets
Coding style of malware
Inclusion of special libraries with known authors
Motives of the attack
Language encoding
82
Footprinting (FP)
The attacker gathers information about a target. The kind of information gathered is: DNS, email servers, and the IP address range.
83
Scanning (S)
The attacker uses the internet to obtain information on specific IP addresses. The kind of information gathered is: O.S., services, and architecture of the target system
84
Enumeration (E)
The attacker gathers information on network user and group names, routing tables, and simple network management protocol.
85
Which protocol is used to break data into packets? Which protocol reassembles the data packets?
TCP
86
Which protocol is used to move packets from router to router?
IP
87
Why does ZMap find more hosts than Nmap?
Statelessness leads to both higher performance and increased coverage
88
With regards to computing, what is entropy?
Randomness for use in cryptography or other applications that require random data.
What are the two sources of entropy?
Hardware sources and randomness generators
A lack of entropy will have a negative impact on performance and security.
True
89
NoBL DNSBL level
This IP address does not send spam, and should not be blacklisted. But it is not fully trustworthy.
90
Grey DNSBL level
This IP address is not directly involved in spamming but is associated with spam-like behaviors
91
Yellow DNSBL level
This IP address is known to produce spam and nonspam email
92
C Botnets (B), A Spyware (S), B Adware (A)
A. Anonymously registered domains
B. Disposable domains
C. Short lived domains
93
List the types of characters a malicious domain name detection program should look for in a domain name.
Number of characters
Number of hyphens
Number of digits
94
C Network-based features (N), B Zone-based features (Z), A Evidence-based features (E)
A. The number of distinct malware samples that connected to any of the IPs.
B. The average length of domain names, the occurrence frequency of different characters, etc.
C. Quantities such as the total number of IPs historically associated with the diversity of their geographical locations, the number of distinct autonomous systems, etc.
95
A dynamic malware-related domain detection system should
Have global visibility into DNS request and response messages
Not require data from other networks
Be able to detect malware-related domains even if there is no reputation data
96
A proven method to stop botnets requires isolating the C&C domain from the botnet
true
97
Hash functions do not have a key
Hash functions are also called one-way encryption
Hash functions are primarily used for message integrity
True
98
The security of cryptocurrency ledgers depends on the honesty of its miners.
True
99
With regards to Bitcoin, which of the following statements are true?
Proof of work is costly and time consuming to produce
Changing a block requires regenerating all successors and redoing the work they contain.
100
With regards to Sybil attacks, check all true statements
The attacker creates a lot of fake identities and uses them to change voting outcomes or control the network
A Sybil attack is designed to attack reputation systems in a peer-to-peer network
A Sybil attack can be stopped if users are willing to give up anonymity.
101
Two Merkle trees can be compared if they have the same <>. If two Merkle trees have the same root hashes, then their data blocks can be considered to be <>. In a bitcoin block, the <> is stored in the block header.
hash depth the same Merkle root
True
102
A time-stamping service prevents people from double spending Bitcoins
True
103
the main task is to find patterns, structures, or knowledge in unlabeled data
Unsupervised
104
the task is to find a function or model that explains the data
Supervised
105
some of the data is labeled during acquisition
Semi-supervised
106
Select the true statements with regards to decision tree based detection models:
Can supplement honeypot analysis
Can supplement penetration testing
Can detect previously unknown network anomalies
107
A polymorphic attack can change its appearance with every instance.
A polymorphic attack has no predictable signature for the attack.
True
108
Each instance of polymorphic code has different, but normal, appearance.
false
109
Which of the following are true statements with regards to a polymorphic blending attack?
The process should not result in an abnormally large attack size
The blending needs to be economical in time and space
110
List the goals of a successful poison attack:
Is undetected
Continues for a period of time
Cause damage to data
111
If we can completely control the process of generating or collecting the training data and ascertain the authenticity and integrity of the dataset, we don’t have to worry about data poisoning attacks
true
112
If the training data is obtained in an open environment, e.g., the Web, there is always the potential of poisoning attacks (i.e., such attacks can’t be eliminated)
true
113
List some of the characteristics that all four cloud models share:
Massive scale
Homogeneity
Virtualization
Resilient computing
Low cost software
Geographic distribution
Service orientation
Advanced security technologies
114
Broad Network Access
Rapid Elasticity
Measured Service
On Demand Self-Service
Resource Pooling
True for cloud
115
Most data in transit is encrypted
true
116
Disconnect the VM from the internet when opening questionable files.
true
117
Select the statements that are true with regards to ORAM
Client must have a private source of randomness
Each access to the remote storage must have a read and a write
118
What is a major weakness of the Naive Secret Sharing scheme?
The major weakness of naive secret sharing is the more shares you have of the secret, the less work you have to do to guess the secret.