Alexandria works at a secure installation that requires a special ID card with her picture to gain access. An officer at the gate needs to scan the ID card before allowing employees to enter the installation. One day she forgets her card. However, since the officer recognizes her, the officer lets her pass through the gate. Which of the following elements, if any, did the officer violate (not enforce)?
A. Something you have
B. Something you present
C. Someone you know
D. Something you exhibit
E. The officer did not violate any of these.
A. Something you have
Divya logs in to her online bank account using a username and password, then proceeds to transfer money from one bank account to another. What likely safeguards has the bank implemented to secure her login credentials?
A digest of the current password Divya set is stored for comparison
Hash
Creates a unique "digital fingerprint" of a set of data with a process called hashing.
What is the fingerprint from the result of hashing called, which represents the contents?
A digest
Personal Identification Number (PIN)
A strong authentication credential that can be composed only of numbers.
Key
A mathematical value entered into the algorithm (cipher) to produce the ciphertext.
Symmetric Cryptographic Algorithm (Private Key Cryptography)
Uses the same key to encrypt and decrypt the data.
Data encrypted by Bob with a key can only be decrypted by Alice using that same key.
What are the steps in Symmetric (private key) Cryptography
Bob (Sender) writes the plaintext and encrypts it with the private key to transform it into ciphertext.
The ciphertext is transmitted to the remote user, who puts it through a decryption algorithm.
Alice (Receiver) gets the message in plaintext.
Asymmetric Cryptographic Algorithm (Public Key Cryptography)
Uses two keys instead of one; the keys are mathematically related and known as the public and private key.
The public key is known to everyone and can be freely distributed while the private key is known only to the individual to whom it belongs.
In Asymmetric Cryptographic Algorithm, when Bob wants to send a secure message to Alice, which key do they use to encrypt and decrypt the message?
He uses Alice's public key to encrypt the message
Alice uses her private key to decrypt it
What are the steps in Asymmetric (Public Key) Cryptography?
Bob (Sender) takes the plaintext to send and encrypts it with Alice's public key to turn it into ciphertext.
The ciphertext is transmitted to the remote user, where it is put through a decryption algorithm using Alice's private key.
Alice (Receiver) gets the plaintext message.
A calculating attacker manages to obtain the password digest from a department store. The attacker then proceeds to engage in a type of attack known as credential stuffing. How can you protect yourself against this type of attack?
Do not use the same password on multiple accounts
Credential Stuffing
The injection of stolen username and password credentials across multiple websites
This occurs when a threat actor knows which site the password digests were stolen from, which gives them the ability to log in to accounts on that site.
If the password came from a website, attackers could crack passwords to use on accounts on the website
Since most users repeat their passwords, an attacker could inject the username and password on any site.
Shivo's login credentials to log into work have been stolen. As a result, he is continuously receiving SMS text messages from the MFA app on his phone. Shivo thinks it might be an MFA fatigue attack but is not sure. What should he do?
Contact the help desk
MFA (Multifactor Authentication)
Combining more than one type of authentication
MFA Fatigue
An SMS attack where a threat actor runs a script that attempts to log in repeatedly with stolen credentials, which generates a seemingly endless stream of MFA push notifications sent to the user's smartphone.
Navana is responsible for implementing a cognitive biometric system to authenticate users at her company. Which one of the following elements will employees need to possess to log in successfully?
Something you have
Something you are
Something you know
Something you can do
Something you are
An experienced threat actor manages to steal a password digest with 4 million entries. Their plan is to use a methodical series of password attack tools to try to crack as many passwords as possible but none of the passwords are available in plaintext. Which of the following will most likely be the next attack tool they will use?
Dictionary Attack
Brute Force Attack
Every possible combination of letters, numbers, and characters is combined to attempt to determine the user's password.
Dictionary Attack
Uses common dictionary words and phrases as candidates and then compares them against those in a stolen digest file.
Successful when users often create passwords from simple dictionary words
Hybrid Attack
Performs a focused dictionary attack with a mask attack
Mask Attack
A targeted brute force attack that can bring the problem space down to specific patterns of characters.
A security engineer needs to implement password authentication on a highly specialized system. A requirement is that if two different users specify the same password, the stored digests will not be the same. How can this be accomplished?
Implement salting to make dictionary and brute-force attacks more difficult.
SHA (Secure Hash Algorithm) is a family of hashes with different variations. What are they?
SHA-1 - no longer considered suitable for use.
SHA-2 - Has six variations, most common SHA-256, SHA-384 and SHA-512 (numbers represent length in bits of the digest)
SHA-3 - made to be dissimilar to previous hash algorithms to prevent threat actors from building upon any earlier work of compromising algorithms.
RIPEMD (RACE Integrity Primitives Evaluation Message Digest)
Its primary design feature is two different and independent parallel chains of computation, the results of which are then combined at the end of the process.
Whirlpool
Uses a block cipher and takes a message of any length less than 2^256 bits and returns a 512-bit message digest.
True or False: MD5 is no longer considered suitable for use due to serious weaknesses that have been identified
True
Salting
Consists of a random string ("salt") that is used in hash algorithms.
Protects passwords when this is added to the user's plaintext password before it is hashed.
Makes dictionary attacks and brute force attacks for cracking a large number of passwords more difficult
Peppering
Creating the message digest as normal but then also encrypting it with a symmetric encryption key before storing it. (DOES NOT AFFECT PASSWORD HASHING FUNCTION)
Conrad stores multiple passwords in a user vault file that is protected by one strong password. Features include enhanced encryption and requiring a secret key file to be present when entering the master password to open the vault. Which of the following is Conrad using?
Password manager
Password crypt
Password key
Password vault
Password Vault
Password Vaulting
Stores user password credentials in a highly protected database (vault) that is stored on the organization's network
Password Manager
A software application or online website that stores user passwords along with login information
Users create and store multiple strong passwords in a single user "vault" file that is protected by one strong master password, and can retrieve individual passwords as needed from the vault.
Besides storing and retrieving passwords, what other roles do password managers have?
Drag-and-drop Capabilities
Enhanced Encryption
In-memory protection to prevent OS cache from being exposed to reveal retrieved passwords
Timed clipboard clearing
Password Key
More secure hardware-based solutions available to store passwords
Can be used as a separate storage facility for passwords.
A threat actor decides to engage in a type of attack that involves placing themself between two devices that have frequent communication. From the threat actor's perspective, what is an advantage of this type of attack?
The two devices are not aware an attacker is present.
Two online companies sell similar products and are competing for increased market share. One of the companies is less honorable so they hire an attacker who launches an attack to make the other company appear less trustworthy and thus a less favorable option from which to buy. What type of attack did the malicious actor most likely launch?
Domain Reputation Attack
Domain Reputation Attack
Where a competitor could hire an attacker to use a DNS attack to cause a competitor's domain to earn a low domain reputation score to impact sales
DNS (Domain Name System) Attack
DNS is the basis for the resolution of domain names to IP addresses used today.
A DNS attack substitutes a DNS address so the computer is silently redirected to a different device.
DNS Poisoning
Modifies the local hosts file on a device to point to a different domain.
The DNS server will contain all the attacker's malicious mappings.
DNS Hijacking
Intended to infect an external DNS server with IP addresses that point to malicious sites
DNS Replay Attack
Occurs when an attacker buys old IP addresses, sets up fake servers on those addresses, and forges DNS responses for a domain to point to those addresses
DNS Reflection Attack
A two-step process that involves:
1. The attacker sends a large number of requests to DNS servers using a spoofed IP address
2. The DNS server responds to the request, creating an attack on the target
DDoS (Distributed denial of service)
A DoS attack in which, instead of only one source making bogus requests, hundreds, thousands, or millions of sources produce a torrent of fake requests.
DoS (Denial of Service) Attack
bombards a system with an extremely high number of "bogus" (fake) requests so that the system is overwhelmed and cannot respond to legitimate requests.
Which of the following actions will help mitigate the effects of malicious code attacks?
A. Consider using PowerShell to invoke VBA apps because it uses a trusted framework.
B. Only download vetted Bash libraries to minimize potential exploits when they are invoked.
C. Disable support for macros across the Microsoft Office suite because they are a key attack vector.
D. Ensure Python programs are compiled in a controlled environment to prevent malware injections.
Disable support for macros across the Microsoft Office suite because they are a key attack vector.
PowerShell
A task automation and configuration management framework from Microsoft
The providers of this give access to data located in different data repositories.
Provides a hosting application program interface (API) so the PowerShell runtime can be embedded inside other applications.
How does the power and reach of PowerShell make it a prime target for threat actors?
It allows attackers to inject code from the PowerShell environment into processes without storing any malicious code on the hard drive.
VBA (Visual Basic for Applications)
An event-driven Microsoft programming language that allows both developers and users to automate processes that normally would take multiple steps or levels of steps.
Can be used to control many tasks of the host application.
What is VBA often used to create that is a series of instructions that can be grouped together as a single command?
Macros
What are Macros used for?
To automate a complex task or repeated series of tasks.
Bash
Command Interpreter for the Linux/UNIX OS
How have exploits taken advantage of vulnerabilities in Bash?
They have remotely attached a malicious executable file to a variable that gets executed when Bash is invoked.
A threat actor manages to spoof the MAC address in the cache of a computer with the goal of redirecting traffic. What type of attack is the threat actor launching?
ARP poisoning
What is a defense for ARP poisoning?
Use an ARP detection Appliance
The TCP/IP protocol suite requires that logical IP addresses be assigned to each device on a network, and these addresses can be changed as necessary. However, an Ethernet LAN uses the physical media access control (MAC) address that is permanently "burned" into a network interface card (NIC) to communicate. How can a physical MAC address be mapped to a logical and temporary IP address?
By using ARP (Address Resolution Protocol)
ARP (Address Resolution Protocol) Poisoning
Where a threat actor takes advantage of a MAC address stored in a software ARP cache, changing the data so that an IP address points to a different device.
Uses "spoofing", which deceives others by impersonating another's identity.
MAC (Media Access Control) Cloning Attack
Where a threat actor discovers a valid MAC address of a device connected to a switch.
They spoof the MAC address on their device and send a packet onto the network.
The switch changes its MAC address table to reflect this new association of that MAC address with the port to which the attacker's device is connected.
Cybersecurity asset management (CAM)
Identifies assets on a continuous and real-time basis.
Provides a potential security data listing of assets that can immediately be referenced.
MAC Flooding
A threat actor will overflow the switch with Ethernet packets that have been spoofed so every packet contains a different source MAC address, and each appears to come from a different endpoint.
MAC Flooding Security defense
Use a switch that can close ports with too many MAC addresses.
A MAC cloning attack is most likely to affect what type of device and how?
A switch with the purpose of redirecting traffic
Which of the following represents a disadvantage of signature-based monitoring?
A. It is effective at monitoring network traffic and activity but not transactions.
B. The corresponding database must be constantly updated.
C. It can take up to two weeks to generate a trustworthy baseline.
D. It generates more alerts than the other types of monitoring methodologies.
B. The corresponding database must be constantly updated.
A security consulting firm is recommending you implement a system that will help protect critical data within your organization. It will require you to create rules to determine what data should be examined, as well as specific items within the data such as Social Security and credit card numbers. What type of system should you implement?
DLP (Data Loss Prevention)
DLP
A system of security tools used to recognize and identify data that is critical to the organization and ensure it is protected.
Monitors who is using the data and how it is being accessed, sounds an alert, and blocks the export of restricted data.
SIEM (Security Information and Event Management)
Consolidated real-time security monitoring and management of security information with analysis and reporting of security events.
SOAR (Security Orchestration, Automation, and Response)
Designed to help security teams manage and respond to security warnings and alarms, and combines more comprehensive data gathering and analytics in order to automate incident response.
SCAP (Security Content Automation Protocol)
Made up of several security standards that are considered security benchmarks, i.e., a standard or point of reference against which systems may be compared or assessed.
Can help automate vulnerability management and determine whether the enterprise is compliant with required policies.
A rogue employee had been coordinating via email with an outside threat actor to compromise an internal system containing sensitive information. Fortunately, the company has a system in place that allowed them to identify the individual and their intentions and released the individual before they were able to launch the attack. What type of system does the company have in place?
SIEM
DMARC (Domain-Based Message Authentication, Reporting and Conformance)
Allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism is used when sending email from that domain.
An associate is hired by a close friend to learn information technology (IT) administration skills on the job. The associate finds a 24-port hub in a cabinet and is considering using it in a small network setting for a lab environment that will be accessed using Telnet. If the associate uses the hub, which mitigation principle would be violated?
Segmentation
Segmentation
First identifies the classification of data elements,
then tags those data elements with that classification,
and separates the most sensitive data from the rest of the data.
Its main purpose is to divide a network into multiple subnets or segments, with each acting as its own small network, to improve monitoring and enhance security.
Isolation
Keeps multiple instances of an attack surface separate so that each instance can only see and affect itself.
Device Placement
Physically locates important devices in secure locations
Selection of Effective Controls
Choosing productive safeguards or countermeasures to limit the exposure of an asset to a danger.
Budgetary constraints are preventing a small company from upgrading their faulty wireless access points until the following month. An employee needs to synchronize the password on their company-issued laptop, so they disconnect the Ethernet cable from the desktop computer and plug it into the laptop. However, no connectivity is established with the laptop. What is the most likely reason?
The switch port has port security enabled.
Switch
A device that connects network devices and has a degree of "intelligence"
Can learn which device is connected to each of its ports.
Port Mirroring
Where an attacker connects their devices to the switch's port
What is a security defense against port mirroring?
Secure the switch in a locked room
DHCP (Dynamic Host Configuration Protocol)
Its server logs can identify new systems that mysteriously appear and then disappear as part of the network.
Shows what hardware device had which IP address at a specific time
You are responsible for ensuring the company's servers are secure. Which of the following policies should you implement?
A. Apply patches.
B. All of these.
C. Remove unnecessary software.
D. Monitor the server.
E. Physically secure the server.
B. All of these
A network administrator specifies a statement that reads "Deny management traffic from untrusted networks to Network B." What type of firewall is the network administrator most likely configuring?
A rule-based firewall
Firewall
Limits the spread of malware by using bidirectional inspection, examining both outgoing and incoming network packets.
Allows approved packets through, but takes different approaches when a suspicious packet arrives.
Rule-based Firewall
Bases its actions on specific criteria to accept or deny packets; the rules contain parameters such as:
Source Address
Destination Address
Source Port
Destination Port
Protocol
Direction
Priority
Time
Context
Action
A rule can be expressed as a policy statement, e.g. "Allow management traffic from trusted networks".
What are the typical Firewall Rule Actions?
Allow - Allows traffic that matches rule
Bypass - Allows traffic to bypass firewall
Deny - Blocks all traffic that matches the rule
Force Allow - Allows traffic that would normally be denied by other rules
Log Only - Traffic is logged but no other action is taken
Policy-based Firewall
Allows a more generic statement to be used instead of specific rules.
e.g. 192.2.0.0/24 to TCP Port 22
NGFW (Next-generation firewall)
Can filter packets based on applications, has visibility of application by using deep packet inspection.
Layer 7 Firewall
Can investigate the contents of the packets to determine whether they contain malware.
WAF (Web Application Firewall)
Looks at the applications using HTTP
Can be a separate hardware appliance or a software plug-in; can block specific websites or attacks that attempt to exploit known vulnerabilities in specific client software, and can block cross-site scripting and SQL injection attacks.
Content/URL filtering
Where the firewall can be used to monitor websites accessed through HTTP to create custom filtering profiles
A security company deliberately creates an Internet-facing network containing some servers with a few vulnerabilities. Why would the company do this?
To study the methods used by attackers
A cyberthreat agency concludes traffic is being sent to an attacker's server based on the characteristics of the traffic. They notify the authorities who then orchestrate a plan to redirect the traffic away from the attacker's server for further analysis. Which of the following most likely represents the strategy the authorities implemented to redirect traffic?
Sinkhole
Sinkhole
Designed to steer unwanted traffic away from its intended destination to another device.
Deceives the threat actor into thinking the attack is successful when the sinkhole is actually providing information about the attack.
Lure
Serves as bait to attract threat actors.
Honeypot
A lure that is a computer located in an area with low security that serves as bait to threat actors.
Intentionally configured with security vulnerabilities so that it is open to attacks.
Honeyfiles
Data files that appear to be authentic but are imitations of real data files.
Reveals how threat actors exploit this data so that defenses can be created.
Honeynet
A network set up with intentional vulnerabilities where its purpose is to invite attacks so the attacker's methods can be studied.
What lure provides more specific information on threat actors?
Honeytoken
A company implements a web filtering solution. However, they notice that some websites contain suspicious pages that are not being blocked. As a result, they adopt a solution that blocks all the pages for a given website. What solution did the company most likely implement?
Website Filtering
Web Filtering
Monitors the websites that users are browsing so that organizations can allow or block web traffic to protect against potential threats and enforce corporate policies.
DNS filtering
Blocks harmful or inappropriate content
Blocks entire domains