Threat, Attacks, & Vulnerabilities: Comitias Security+ SY0-501 FedVTE Course 142 Questions with Answers
Rootkits - CORRECT ANSWER Programs that have
... [Show More] the ability to hide themselves and cover traces of a hacker's activities from the user and potentially the operating system.
Primary purpose of Rootkits - CORRECT ANSWER To provide repeated, undetected access to a system.
Allows hackers to continually use a system without the adminstrator's knowledge.
User Mode Rootkit - CORRECT ANSWER Runs with same permissions as user:
- If the user is administrator, rootkit is now running in a privileged mode
- If regular user, rootkit is limited in scope in what it can do
Kernel Mode Rootkit - CORRECT ANSWER Typically installs as a device driver...kernel-mode rootkits are usually more powerful and harder to detect and eradicate
Trojan Horse - CORRECT ANSWER A destructive program that presents itself to the user as a benign application (usually in conjunction with Social Engineering attack(
Unlike viruses/worms, Trojan Horses do not manually replicate themselves
RAT - CORRECT ANSWER Remote Administration Trojan
Remote Administration Trojan - CORRECT ANSWER - Allows an attacker to remotely control the victim host via GUI interface
- Victim host acts as the server
- Attacker accesses multiple victims via the "client" app
Botnets - CORRECT ANSWER networks of computers that have been appropriated by hackers without the knowledge of their owners
Bot - CORRECT ANSWER Zombie - Code that infects a host and forces it to act as a remote-controlled roBOT
Botherder / Botmaster - CORRECT ANSWER One who controls a botnet to perform malicious activities such as:
-Sending Spam
-Distributed Denial of Service
-Information Harvesting
-Bogus Advertising Calls
Spyware - CORRECT ANSWER Type of malware that collects personal information about users without their knowledge
Adware - CORRECT ANSWER Malware that generates "pop-ups" usually with advertising for sites or products
Scareware - CORRECT ANSWER Overarching class of scam software that uses malicious payloads to cause excessive "pop-ups" on a system replicating a virus and warns the user their system is infected, requiring them to pay for protection /cleaning.
Ransomware - CORRECT ANSWER Overt malware that restricts access to your data and demands a ransom be paid before the malware creator releases the restrictions on your data.
Hoaxes - CORRECT ANSWER Fraudulent threats/promises users receive via email asking them to perform a task to avoid consequence (i.e logic bomb, virus) or received reward (i.e. sweepstakes)
Can cause panic/damage if user is convinced they should install an application or delete file
Backdoors - CORRECT ANSWER Access mechanism deliberately planted in an application or system by the developer (or attacker) allowing them to circumvent security controls and lessen the burden on themselves during development.
Logic Bomb - CORRECT ANSWER Malicious code inserted into a legitimate application that will launch when specific conditions are met (i.e. event, date).
May be used to grant access, execute destructive code, disable functionality, or send alert back to code originator confirming execution.
Mobile Code - CORRECT ANSWER Generic Term
Code from one system that executes on another
- Active Web Content
-ActiveX, Javascript, Flash
Man in the middle attack (MITM) - CORRECT ANSWER Attacker intercepts traffic and has both originating parties believe they are communicating with each other.
May be software between client/server.
Common in Telnet, Wireless
MITM Tools - CORRECT ANSWER Juggernaut, T-Sight, Hunt
Denial of Service/Distributed Denial of Service (DoS/DDoS) - CORRECT ANSWER Disrupts legitimate use of services
Commonly accomplished by causing buffer overflow overwhelming the target system
May also block communications with TCP session overloads
DDoS intensifies the DoS activity by using multiple systems to launch attack.
Buffer Overflow - CORRECT ANSWER Sending more data than the buffer can handle
Ping Flood - CORRECT ANSWER Sending more ping requests than a target can manage
Ping of Death - CORRECT ANSWER Sending packets larger than a target can manage
SYN Flood - CORRECT ANSWER Takes advantage of 3-Way handshake
Teardrop - CORRECT ANSWER Attacks with fragmented UDP packets that cannot be reassembled
Smurf Attack - CORRECT ANSWER Ping request using victim's source address causing a flood with replies
Denial of Service (DoS) - CORRECT ANSWER An attack on the availability of a service
- Attempt to deny, degrade, disrupt, or otherwise interfere with the ability of a provider to keep services available
DoS Chokepoints - CORRECT ANSWER Bandwidth - by generating more traffic than routes can handle
Servers - either directly (e.g. OS) or indirectly through a supporting function (e.g. the power, A/C, etc)
Applications - attack the application's ability to process requests
End Users - attack the users to prevent them from accessing services
DoS Classifications - CORRECT ANSWER DoS - an attack that originates from a central point
Distributed DoS (DDoS) - attack originates from multiple points, usually geographically seperated
DoS Packet Flooding - CORRECT ANSWER Uses the network protocols against themselves and either saturates all the available bandwidth or overwhelms the operating system, device, or app that process all the incoming packets
Packet Flooding attack Vectors - CORRECT ANSWER Buffer Overflows
Ping of Death
Teardrop
DoS SYN-Flooding - CORRECT ANSWER Attacker generates SYN packets (the first part of the three way handshake) but never responds to the SYN-ACK sent by the recipient - leaving the victim with many "half-open" connections and unable to respond to new connections.
RST Injection - CORRECT ANSWER Sends RST packet to a client or server to reset connection
XMas Scan/Attack - CORRECT ANSWER Scan that uses Christmas Tree (XMas) Packets, or TCP packets with FIN, PSH, and URG flags set in the TCP header, to scan a fire wall for open ports while eluding detection.
Smurf Attack - CORRECT ANSWER generates a large amount of spoofed ICMP messages (appear to have come from victim), which the recipients to issue a ICMP echo reply to the victim
Fraggle Attack - CORRECT ANSWER Similar to the Smurf attack, uses UDP echo packets.
Generates spoofed packets to a host's chargen service, which in turn generates packets to the victim's ECHO service, which duplicates the packets and further amplifies the attack.
Amplification Attack - CORRECT ANSWER Attack that uses its unwitting hosts and victims to generate much more traffic than the original packets used to initiate the attack.
Back Door Attack Tools - CORRECT ANSWER Back Orifice, NetBus, SubSeven - allows an infected server to be remotely controlled by a client from the Internet
Privileged user creates "back door" user account with elevated privileges
Spoofing Attacks - CORRECT ANSWER Masquerading to appear to be something other than the true source by falsifying packet header information
- IP Address
- DNS
- User
- Data
- Mac Address
- Website
DNS Spoofing - CORRECT ANSWER the DNS server is given information about a name server that it thinks is legit when it isn't
Replay Attack - CORRECT ANSWER Info is extracted from packets captured over the network by attackers and "replayed" later.
Login information, banking transactions, Kerberos certs, and other sensitive data is susceptible.
Transitive Attack - CORRECT ANSWER An attack on the trust chain between machines: A trusts B, which trusts C, so C can attack A.
Client-Side Attack - CORRECT ANSWER Web-based attack that targets the user's browser such as cross-site scripting.
Brute Force Attack - CORRECT ANSWER Attacker uses every possible combination of characters for the password
Dictionary Attack - CORRECT ANSWER Attacker uses files containing common passwords (a "dictionary") and tries one password after the next until they find the password.
Faster than brute force, but still slow compared to other methods
Hybrid Attack - CORRECT ANSWER Combines dictionary and brute force attacks.
Takes dictionary words and add brute force elements onto them
Birthday Attack - CORRECT ANSWER Uses brute force attack with a hash function
If user's key is hashed, it is probable that another value can be created returning the same hash.
Tries to find two of the same cryptographic hash values
Defense: choose strong hashing algorithms (AES, SHA-256)
Rainbow Table - CORRECT ANSWER - An attacker uses a table that contains all possible passwords already in a hash format
-Sort by hash value to make searching by hash value incredibly fast
-Designed to crack hashed passwords files almost instantly
-Rainbow tables can be downloaded/generated
-Tables are specific to the cryptographic hash used on the password file (MD5, SHA-256)
-Processor and hard drive intensive
-Tools used: rcrack, Ophcrack
Crypto Attacks - CORRECT ANSWER Attack the Key
Attack the Algorithm
Gather in Transit
Weak Key Attack - CORRECT ANSWER Algorithm attack on weak choice in number of combinations during encryption
When used with a specific cypher, cypher may perform in an undesirable way
Typically in block cipher using 40 and 56 bit encryption
Mathematical Attack - CORRECT ANSWER Algorithm attack using the properties of that algorithm to run sophisticated computations in an attempt to break cryptographic scheme.
Brute force-like attack working through all possible keys to decrypt message.
Database Exploitation - CORRECT ANSWER Performed through advanced queries
-Attacker hijacks legitimate client to database server session
Application Exploit - CORRECT ANSWER An exploit that is designed to target an application as opposed to an operating system or hardware.
Application exploits have become increasingly popular, as client-side systems typically run a large number of applications, which makes them a potentially attractive target.
Macro is programming instructions (script) directing the app to perform some undesired action (used in Word, Excel, etc..)
Email Exploit - CORRECT ANSWER - Virus sent via email
- User features in email clients are what is usually exploited:
1) Access to users' address book
2) Ability to readily open attachments
-Once infected, virus will use users' address book to propagate to others
Typo Squatting - CORRECT ANSWER aka URL Hijacking
-Targets users by registering one-off domain names of recognized organizations
-Users who fat-finger entries will reach an unintended destination
Defense:
- Typo squatting is illegal
- Purchase common misspellings of your domain
Water Hole Attack - CORRECT ANSWER Attacker knows websites an organization visits often
Precision attack and not meant to infect as many people as possible (quality, not quantity)
Process:
- attack gains intel about your web patterns
- attacker infects common website victim visits often
- victim visits site, attacker attempts to exploit
Social engineering - CORRECT ANSWER techniques that trick a person into disclosing confidential information
Low cost, effective method of obtaining info from unsuspecting users
Principles of Social Engineering - CORRECT ANSWER Authority - perceived legitimacy, justification, right to exercise power
Intimidation - using implied authority and force of personality to gain access or achieve another outcome
Consensus/Social Proof - mirroring popular behavior in a social setting
Scarcity - sense of urgency is implied when people feel something is limited
Urgency - using time as a basis for performing an action
Familiarity/Liking - people draw closer to things they are familiar with and like
Trust - uniting principle of Social Engineering as the victim trusts what you are saying/conveying is accurate
Shoulder Surfing - CORRECT ANSWER Gaining compromising information through observation (as in looking over someone's shoulder).
Eavesdropping - CORRECT ANSWER listening secretly to a conversation, reading messages, or other info by audio, video, or read/written means
Dumpster Diving - CORRECT ANSWER Searching for sensitive information carelessly thrown out by the target.
Third Party Authorization - CORRECT ANSWER Using the name of a trusted third person, usually someone in authority, to add credibility to the social engineering attempt
Tailgating - CORRECT ANSWER Physically entering a secure area by following someone through a secure door
Piggybacking - CORRECT ANSWER Requesting an authorized person to provide access to a secure area
Reverse Social Engineering - CORRECT ANSWER Attacker appears to be in a position of authority, relying on his victims to give him the info he seeks instead of asking for it
Phishing - CORRECT ANSWER An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
Spear Phishing - CORRECT ANSWER Gathers detailed personal info to craft convincing emails that can trick people into opening tainted email attachments or visiting fake websites
-Narrowly focused variant of phishing
Whaling - CORRECT ANSWER Phishing attacks targeted towards senior executives
Pharming - CORRECT ANSWER Reroutes requests for legitimate websites to false websites
Vishing - CORRECT ANSWER Phishing attacks committed using telephone calls or VoIP systems.
Insider Threat - CORRECT ANSWER A malicious danger to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
Wireless Attack Methodology - CORRECT ANSWER 1) Find Networks to Attack
2) Choose Network to Attack
3) Analyze the Network
4) Crack the Security Key
5) Sniff the Network
War Walking - CORRECT ANSWER locating wireless networks by walking
War Driving - CORRECT ANSWER locating networks by driving
War Flying - CORRECT ANSWER locating wireless networks by airplane/helicopter
War Chalking - CORRECT ANSWER identifies location of wireless networks with chalk
Blue Jacking - CORRECT ANSWER The sending of unwanted messages to others over Bluetooth connections.
Blue Snarfing - CORRECT ANSWER of an attack against Bluetooth enabled devices where an unauthorized user can connect to an unprotected device and access any data stored on the device.
Rogue Access Point - CORRECT ANSWER unauthorized access point that allows easy access to underlying wired network
Default SSID - CORRECT ANSWER good indication that AP is not securely configured
MAC Spoofing - CORRECT ANSWER An attack that changes the source MAC address.
Replay Attack - CORRECT ANSWER A type of network attack where an attacker
captures network traffic and stores it for
retransmission at a later time to gain
unauthorized access to a network.
- Client A associates to a Server, however Client B is sniffing the communication
- Client B then sends the recorded association to the Server and obtains the same authentication as Client A
Evil Twin - CORRECT ANSWER A wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.
Eavesdropping Wireless Attack - CORRECT ANSWER attacker sniffs wireless network traffic looking for insecure protocols like HTTP, POP, IMAP, FTP, TELNET and compromises usernames and passwords that are sent in the clear
Manipulation Wireless Attack - CORRECT ANSWER attacker intercepts and modifies a victim's packets and replaces them for transmission
DoS Attacks (wireless) - CORRECT ANSWER Physical - use radio signals in the same frequency band as the AP to disrupt traffic
Data-Link - use disassociation frames and spoofed access points to disrupt traffic on the wireless network
Network - use regular network traffic to saturate the bandwidth of the AP, including its upstream bandwidth, to preclude normal network traffic
NFC Attack - CORRECT ANSWER Data Corruption - using antenna, attacker can inject packets into the transmission, corrupting the transfer
Spoofing - attacker makes malicious NFC tag appear legitimate and entices person to place phone near it
Cross Site Scripting (XSS) - CORRECT ANSWER An attack that leverages scripts, served by a malicious or compromised server or web application, to access the site visitor's computer
Javascript - CORRECT ANSWER Self-contained program that can be downloaded and executed to control or manipulate browser settings
Vulnerabilities include unauthorized file access, cache access, uploads, and potential for email exposure
ActiveX - CORRECT ANSWER Pre-compiled executables implemented by Microsoft to customize client usability
-Executes w/ permissions of logged user
Auto-accepting ActiveX components may cause malicious code to be executed or other system vulnerability exploitation
SQL Injection - CORRECT ANSWER Server side attack in which SQL statements are used to map out the entire database and possibly modify entries
XML Injection - CORRECT ANSWER An attack that injects XLM tags and data into a database.
LDAP Vulnerabilites - CORRECT ANSWER Buffer overflows may make LDAP server vulnerable to execution of malicious code
Unauthorized access may be achieved by exploiting format string vulnerabilities
DoS attacks may be initiated by illicitly formatted requests
Directory Traversal Attacks - CORRECT ANSWER Occurs when an attacker is able to browse directories and files outside the web application itself.
Attacks of this nature often expose the directory structure of the application, web server, and underlying operating system, providing the attacker access to potentially secure or restricted pages, files, source code, and information.
Arbitrary / Remote Code Execution - CORRECT ANSWER weakness in program or service allows the running of code not intended by the programmer
Allows the attacker to run their code locally or remotely, often with same permission as the exploited program
- Privilege escalation
Buffer Overflow - CORRECT ANSWER Causes system to crash by sending more data than memory buffer can handle
Integer Overflow - CORRECT ANSWER errors that occur when a number is too large to be stored in a variable
Zero Day Exploit - CORRECT ANSWER Target vulnerabilities in applications or OS for which the developer does not yet know about
Cookies - CORRECT ANSWER Tex file sent to a web browser from a server, and sent back to the server each time it is accessed
- "maintains state"
Used for tracking client history, authentication, tracking, and other user information
Allowing cookies may reveal personal info
Cookie Poisoning - CORRECT ANSWER An attack where an attacker modifies the contents of a cookie to exploit web app vulnerabilities.
Local Shared Object (LSO) - CORRECT ANSWER Flash Cookies
Similar to http cookies but associated with Adobe Flash
Associated with games, stores more than user info:
-Large amounts of data
-Applications
-User Files
Session Hijacking - CORRECT ANSWER An attack in which an attacker attempts to impersonate the user by using his session token.
Intruder takes control of a legitimate TCP/IP session by spoofing the source address
SMTP Relay - CORRECT ANSWER Simple Mail Transfer Protocol (SMTP) Relay
Feature that allows email servers to forward email to other email servers
Protects actual email servers from direct attacks
May be target of DoS caused by Spam
Advanced Persistent Threat (APT) - CORRECT ANSWER a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments.
APT adversaries have both ______ and ______, are skilled, organized and well funded. - CORRECT ANSWER Capability and Intent
Examples of APT adversaries - CORRECT ANSWER -Competitors, Hacktivsts
-State Sponsored/Commercial Espionage
-Organized Crime
-State Sponsored Entities
Hackers - CORRECT ANSWER People who try to get access to your computer without your permission in order to steal information which they could use for malicious or criminal purposes.
white hat hackers - CORRECT ANSWER ethical hackers that break into the systems for non malicious reasons such as to test the system security vulnerabilities or to expose undisclosed weaknesses.
Gray Hat Hackers - CORRECT ANSWER Use their skills for both offensive and defensive purposes that are not illegal or malicious and have approval to operate
Types of Gray Hat Hackers - CORRECT ANSWER Penetration Tester - Take a holistic look at an organization in identifying vulnerabilities to a network and systems
Red Teams - Team of experts acting as an adversary (hacker) to penetrate an organization just as a Black Hat would but with the intention of stressing and/or training the organizations security programs and processes.
Black Hat Hackers - CORRECT ANSWER use their technical skills to break into computer systems, without the owner's permission, to steal information or cause damage.
Types of Black Hats - CORRECT ANSWER Script Kiddies - individuals who download and use scripts/exploit tools with no real understanding of the concepts being employed
Hacktivissts - Non-violent use of illegal/legally ambiquous digital tools in pursuit of political ends.
Crackers - Reference for hackers who use their skills for malicious purposes.
Vulnerability Assessment - CORRECT ANSWER Scanning of a network/domain to identify and report on known vulnerabilities
Penetration Test - CORRECT ANSWER Scanning of a network/domain to identify and verify known vulnerabilities by actively exploiting each identified vulnerability
Risk Assessment - CORRECT ANSWER Analyzing the potential impact to an organization if a threat were to exploit a vulnerability to an Information System
3 Types of Assessment Approaches - CORRECT ANSWER Black Box
White Box
Grey Box
Black Box Assessment - CORRECT ANSWER No prior knowledge of the system or network to be assessed
White Box Assessment - CORRECT ANSWER Full knowledge of the system or network to be assessed
Grey Box Assessment - CORRECT ANSWER Assessment performed by the system or network administrator
Banner Grabbing - CORRECT ANSWER Connecting to an open port on a host, emulating the service to receive header information.
Port Scanner - CORRECT ANSWER Tool that probes system for open ports and reports back which ports are closed, filtered, and/or open.
Vulnerability Scanners - CORRECT ANSWER Program that probes hosts for weaknesses, misconfigurations, patch versions, etc.
intrusive vulnerability scan - CORRECT ANSWER Cause network/service disruptions
-Agressive port scans
-Non-credentialed
-Attempt to exploit a system
-Attemp to DoS a system
non-intrusive vulnerability scan - CORRECT ANSWER Do not cause service diruptions
-Slow/Non-aggressive port scans
-Credentialed - Uses privileged accounts to access and scan for missing patches (NESSUS)
Code Scanning Tools - CORRECT ANSWER Security Tools designed to find SECURITY bugs in the source code
Protocol Analyzer - CORRECT ANSWER Hardware or software that captures packets to decode and analyze their contents.
Network Enumerator - CORRECT ANSWER Tool that scans the network collecting information on users, groups, shares and services that are visible.
Useful for discovering how much network information is available to outsiders, and which systems and services need to be secured.
Single Loss Expectancy (SLE) - CORRECT ANSWER Cost due to the occurrence of a risk on an asset
SLE = AV x EF
Asset Value (AV) - CORRECT ANSWER Value of the asset in dollars
Exposure Factor (EF) - CORRECT ANSWER Percentage of asset lost due to the occurrence of a risk on an asset.
Annualized Rate of Occurrence (ARO) - CORRECT ANSWER An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year.
Annual Loss Expectancy (ALE) - CORRECT ANSWER Expected annual loss due to the occurrence of risk on an asset
SLE x ARO = ALE
Passive Reconnaissance - CORRECT ANSWER Gathering information on a target without their knowledge of your actions
Active Reconnaissance - CORRECT ANSWER Gathering information on a target where the potential exists that your actions will be seen by the target.
Information Gathering - CORRECT ANSWER Open-source intelligence
the action of searching for publicly available information via the Internet to build a map/understanding of the organization, its people/employees, and relationships to other organizations.
Footprinting - CORRECT ANSWER Process of gathering information to create a blueprint or map of an organization's network and systems
Security Testing - CORRECT ANSWER Process of exercising specific security objectives under specified conditions to compare actual and expected behavious
Internal Security Testing - CORRECT ANSWER Security testing conducted from inside the organization's security perimeter.
Conducted from the internal network and assumes the identity of a trusted insider or an attacker who has penetrated the perimeter defenses.
External Security Testing - CORRECT ANSWER Conducted from outside the organization's security perimeter.
Overt Security Testing - CORRECT ANSWER White hat testing
involves testing with the knowledge and consent of the organization's IT staff.
Covert Security Testing - CORRECT ANSWER Black hat testing
Testing without the knowledge of the organization's IT staff but with the full knowledge and permission of upper management.
Test technical security controls, IT staff response to perceived security incidents, and staff knowledge and implementation of the organization's security policies. [Show Less]