Threats, Vulnerabilities And Mitigation (Chapter 2)

Question 1

Advanced Persistent Threats

Answer 1

Is a sophisticated, well funded group that uses multiple attack vectors to gain access to a network and remain undetected for as long as possible with the end goal of steal data/assets

Question 2

Shadow IT

Answer 2

The use of unauthorized or unapproved IT resources within an organisation, that can unintentionally introduce vulnerabilities

Question 3

Threat Vector

Answer 3

Is the path in which a cyber criminal uses to attack a vulnerability

Question 4

Attack surface

Answer 4

The total number of all possible entry point (threat Vector) for unauthorized access into the network

Question 5

Social engineering

Answer 5

Is the psychological manipulation of people into divulging confidential information or performing actions they shouldn’t do

Question 6

Phishing

Answer 6

Sending fake emails to a large group of people with the intention of one of the recipients opening a malicious attachment or opening a malicious link

Question 7

Spear phishing

Answer 7

Is a phishing attack that is targeted to a specific group

Question 8

Whaling

Answer 8

A phishing attack that is targeting to a high value individual such as a CEO

Question 9

Vishing

Answer 9

A phishing attack that uses pre-recorded voice messages to pressure a user

Question 10

Tailgating

Answer 10

Is when an authorised individual follows someone into an area they are not authorised to be in without the consent of the authorised individual

Question 11

Piggybacking

Answer 11

Is when an unauthorized individual follows someone into an area with the consent of the authorised person

Question 12

Email account compromised

Answer 12

An attacker sends a email messages that appears to come from a known source and making a legitimate request, but instead hold malicious links/attachments

Question 13

Smishing

Answer 13

Is a phishing attack that uses SMS or social media

Question 14

Water-holing

Answer 14

An attack that entices users with a common interest to visit a malicious website

Question 15

Pharming

Answer 15

Redirects a user to a bogus website that mimics the appearance of a legitimate one

Question 16

Misinformation/disinformation

Answer 16

The spread of false information to deceive people used for political, military or commercial goals

Question 17

Typosquatting

Answer 17

Is a fake domain name that is very similar to a legitimate websites domain name, the fake domain will direct the user to a malicious site

Question 18

Baiting

Answer 18

An online attack that promises the victim a reward

Question 19

Shoulder surfing

Answer 19

An unauthorized person spies over the user shoulder to see what they are typing

Question 20

Dumpster diving

Answer 20

Going through someone’s trash

Question 21

Password Cracking

Answer 21

A local it remote password cracking attack that uses dictionary/brute force/rainbow table or pass the hash to gain access to a users account
-it targets security misconfiguration for authentication

Question 22

Remote Code Execution

Answer 22

Any conditions in which an attacker can execute arbitrary code across a network
- generally made possible due to lack of input validation/sanitisation or bounds checking

Question 23

Buffer/ heap overflow

Answer 23

A programming error which allows attackers to overwrite allocated memory addresses with malicious code
- made possible via lack of bounds checking, the memory that is allocated for the user input is overloaded resulting in memory “leaking” into other addresses where malicious code can be injected and executed

Question 24

Memory Corruption

Answer 24

A programming error that allows attackers to access a programs memory space and hijack the normal execution flow.
- made possible by programming errors

Question 25

Privilege escalation

Answer 25

Any conditions which allows attackers to gain elevated access to a compromise system - made possible by programming error/misconfiguration/insufficient access control

Question 26

Information disclosure

Answer 26

Any conditions that allows attackers to gain access to protected information - made possible by misconfiguration/insufficient access control

Question 27

Security feature bypass

Answer 27

A software weakness that allows attackers to circumvent policies, filters, input validation or other security safeguarding - made possible by programming error or lack of compensation controls

Question 28

Directory traversal

Answer 28

Any condition that allows attackers to access restricted areas of a file system - made possible by insufficient access control particularly on the file system

Question 29

Denial of service

Answer 29

Any conditions that allows an attacker to consume system or network resources so that legitimate requests can't be served - made possible by insufficient network controls to block or divert malicious traffic or by unpatched/misconfigured systems

Question 30

Insider threats

Answer 30

Unintentional or malicious activity from users, administrator and advanced Persistent threats (APT) - made possible by insufficient administrative, technical or physical controls

Question 31

Physical attack

Answer 31

Booting the device from a different OS (such as on a usb drive) to access the targeted OS file system - made possible by insufficient physical controls protecting the device

Question 32

Windows unquoted service path

Answer 32

A form of privilege escalation attack that uses a vulnerability in the way windows searches for and starts application. It taking advantage of **windows file system paths that contain spaces** and **windows ability to launch executables without requiring file extensions** - a malicious executable would be created that uses the first word of a folders name that includes spaces. Windows would then go through the path to reach the end application but would end up running the malicious executable.

Question 33

Memory Injections

Answer 33

Is an attack that happens when unauthorized external code is executed within an authorized process by hijacking the memory that the authorized code is using, by **substituting a legitimate DLL with a malicious one, injecting shell code using a buffer overflow or process hollowing**

Question 34

Buffer

Answer 34

A temporary storage location in RAM allocated to an application.

Question 35

Buffer Overflow

Answer 35

A condition in which the incoming data exceeds the size of the space allocated for it in RAM (buffer) and the data is overflowed into buffers used for other apps. The overflow data can contain malicious code that could be run by other apps

Question 36

Buffer Overflow prevention

Answer 36

Programmers set an input limit (bounds checking) for functions that accepts incoming data

Question 37

Out of sequence Threads

Answer 37

Multiple CPU threads can be executed at the same time or scheduled to be executed after one another(thread scheduler), if a thread ends up finishing before the scheduler expected it to finish there is an opportunity for malicious code to hijack the remaining time and be executed

Question 38

Race conditions

Answer 38

A programming/application error that occurs when two or more processes/threads try to access and change shared data at the same time, typical caused by delays in Time-of-check (TOC) and Time-of-Use (TOU)

Question 39

Web Application

Answer 39

Is any executable that runs on the web server that dynamically builds, modified and populated web pages

Question 40

Unsanitized Input

Answer 40

Most common web app vulnerability that is caused due to not having an input filter for inappropriate user input. Not having an input filter can allow code to be slipped into the input field, which the interpreter would assume is just another line of code to be executed

Question 41

SQL Injections (SQLi)

Answer 41

Most common type of web app attack that takes advantage of insufficient input validation to enter malicious SQL commands for the database server Most common SQLi command: **' or 1=1--;**

Question 42

Cross-site Scripting (XSS)

Answer 42

An effective attack that exploits a client's trust in a server. Malicious code is injected into a webpage and is executed when the webpage is loaded. Occurs when we apps doesn't have sufficient user input validation, which would allow HTML code to be inputted and run

Question 43

Cross-site Request Forgery (CSRF)

Answer 43

Exploits a servers trust in a client by taking advantage of a browsers implicit authorization to perform tasks for an authenticated user. - The browser keeps a user authenticated to a website, an attacker sends a malicious link (via phishing) that the user opens, the link contains malicious code which accesses the users authenticated account for the webpage and executes unwanted action in the background

Question 44

Jailbreaking/Rooting

Answer 44

The process of removing restrictions imposed by the manufacturer on a mobile device to allow the user to sideload apps, modify system settings or access root privileges

Question 45

Man-in-the-Middle Attack

Answer 45

An attack that acts as a relay between the victim and the server that they are attempting to reach. Often stealing data. - ARP poisoning (multiple devices have same MAC address) - Poisoned MAC Address table on switch (making the switch forward data to the wrong device)

Question 46

Credentials Replay Attack

Answer 46

An attack that involves eavesdropping (Man in the middle) on a network to intercept data packets that contains cookie or session tokens, which would allow the attacker to start another session with the use of the stolen cookie or session token

Question 47

DNS attack (as a victim)

Answer 47

- **DNS Flood Attack** -- an attack that deploys valid DNS request at an extremely high packet rate from a massive group of IP address (DDoS) - **NXDOMAIN Attack** -- an attack that overwhelmed the DNS server by using large volume of request for invalid records

Question 48

DNS Amplification

Answer 48

- type of DDoS attack that request multiple DNS servers to send **all DNS records** to a target. A simple DNS request is about 60 Bytes a request for all records from a single DNS server can be 4000+ bytes (70:1 amplification)

Question 49

Reflection Attack

Answer 49

A type of DDoS attack that an attacker spoofs a victims IP address, using their IP address to send query or pings to multiple intermediary machines (DNS server) that all response at the same time to the victims machine, overwhelming it

Question 50

DNS Cache Poisoning

Answer 50

False DNS Records are inserted into a DNS servers Cache, thus clients get redirected to malicious sites. - DNS server share information with eachother to resolve host names which could result in multiple DNS servers recieving false records

Question 51

Evil Twin

Answer 51

Is a malicious wireless access point that is set up with the same BISS name as a legitimate access point with the intention of having users connect to the malicious access point that can then be used to eavesdrop on the sessions

Question 52

Bluetooth Attack types

Answer 52

**Bluesmacking** - denial of service against devices **Bluejacking** - sending unsolicited messages **Bluesniffing** - attempting to discover Bluetooth devices **Bluebugging** - Remotely using a devices features **Bluesnarfing** - theft of data from a devices **Blueprinting** - collecting device info over Bluetooth **HelloMoto** - attacker connects to headset of a Motorola device without authentication **Car whisperer** - connecting to Bluetooth radio of nearby car using default pins **BLUFFS** - exposes device to adversary-in-the-middle attack

Question 53

Birthday attack

Answer 53

A common implementation of a collision attack that is based on the 'birthday paradox' (in a room of 23 people there is a 50% chance that two share the same birthday), birthday attack takes advantage of the statistical property by trying to find two different input messages that produces the same hash value. MD5 takes about 10000 hashes to find a collision

Question 54

Hash Collision

Answer 54

Occurs when a hashing algorithm produces the same hash for different input values, which could allow an attacker to pass either of the hash inputs as the authorized one

Question 56

Physical Password Attack

Answer 56

Password cracking by having physical access to the device can be done by booting up an OS via a USB and accessing the password file of the original OS, or by overwriting the area that stores the passwords.

Question 57

Where are password store?

Answer 57

**windows** - Security Account Manager (SAM) C:\Windows\System32\config - BitLocker disk encryption **Active Directory** - C:\Windows\NTDS\ **Linux** -root\etc\shadow - contains only password hash - \etc\password file contains associated usernames

Question 58

Password Hash cracking

Answer 58

1) Obtain password hashes 2) Determine Hash algorithm 3) hash each expected password (password dictionary) with the same algorithm 4) compared results to the stored hash 5) if hashes match you found password

Question 59

Dictionary Attack

Answer 59

Is a password attack that uses a large list of words that are commonly used as passwords to attempt to brute force the password credentials of a user. - User name needs to be known - potential system lock out from multiple attempts

Question 60

Rainbow Table

Answer 60

A password attack that uses a list of pre-hashed common password in multiple algorithm.

Question 61

Password Spraying

Answer 61

A variant of brute forcing that uses the same password for multiple different user names. - used to circumvent account lockout

Question 62

Credentials Stuffing

Answer 62

A variant of brute forcing that uses known-good credentials to attempt login as the user across multiple sites

Question 63

Pass-the-hash

Answer 63

A network based attack that grabs the hash of a user by performing a hash dump on the network. Once the password hash and the user name is obtained then both can be passed to a tool to attempt login