Common Software Vulnerabilities Quiz
37 Questions

Created by
@RejoicingGlacier

Questions and Answers

What is one common method to mitigate buffer overflow vulnerabilities?

  • Increasing buffer size to accept more data
  • Using database encryption methods
  • Disabling user input altogether
  • Implementing input validation and boundary checks (correct)

Which coding practice is recommended to prevent SQL injection?

  • Allowing unrestricted access to the database
  • Directly including user input in SQL statements
  • Escaping all user input without validation
  • Using parameterized queries (prepared statements) (correct)

Which vulnerability allows attackers to inject malicious scripts into web pages?

  • Cross-Site Scripting (XSS) (correct)
  • Privilege Escalation
  • SQL Injection
  • Buffer Overflow

What security measure is utilized to combat Cross-Site Request Forgery (CSRF)?

  Answer: CSRF Tokens

In which scenario would privilege escalation likely occur?

  Answer: A user tries to increase their own access level

What does Remote Code Execution (RCE) specifically allow attackers to do?

  Answer: Execute arbitrary code on a remote system

What is a recommended practice for mitigating security vulnerabilities?

  Answer: Perform security testing regularly

Which of the following describes horizontal privilege escalation?

  Answer: An authenticated user attempts to access another user's account at the same privilege level

What is the primary purpose of web caching in browsers?

  Answer: To improve load times for repeat visits

Which type of malware is specifically designed to lock users out of their systems and demand payment for restoration?

  Answer: Ransomware

What is a common tactic used in phishing attacks to trick victims?

  Answer: Impersonating legitimate entities

Which of the following is NOT a typical characteristic of a phishing email?

  Answer: Personalized content

What is a primary weakness of the Caesar cipher?

  Answer: It can be easily broken using frequency analysis.

How do worms differ from viruses in their method of propagation?

  Answer: Worms can replicate without user intervention

How does data travel through fiber optic cables?

  Answer: As pulses of light transmitted through glass fibers.

What psychological technique is commonly used in social engineering attacks?

  Answer: Imposing deadlines for actions

What type of infrastructure allows users to access information instantly?

  Answer: Data centers

Which type of malware monitors user activity and gathers sensitive information without consent?

  Answer: Spyware

Which of the following actions is NOT effective in identifying a fake email?

  Answer: Reviewing attachment sizes

What is a characteristic of cloud computing services?

  Answer: They allow renting computing power and storage space.

Which statement is true regarding the Caesar cipher's decryption method?

  Answer: Decryption is performed by shifting letters in reverse.

What is a notable feature of submarine cables?

  Answer: They connect continents by being laid under oceans.

Which of the following best describes the role of fiber optic cables in the Internet?

  Answer: They are used for data transmission at high speeds.

What can an attacker do if they know a Caesar cipher is being used?

  Answer: Conduct a brute force attack on the cipher.

What is the primary purpose of authorization in computer security?

  Answer: To determine user access levels to resources

Which of the following is an important characteristic of a strong password?

  Answer: At least 12 characters long

How can users recognize secure websites?

  Answer: By looking for HTTPS in the URL and a padlock icon

What is the primary purpose of using the Windows Registry Editor (regedit)?

  Answer: To access and modify configuration settings of applications and services.

What role do password managers like LastPass or Bitwarden serve?

  Answer: To generate and store strong passwords securely

Which tool allows administrators to manage different user accounts on a Windows computer?

  Answer: Local Users and Groups (lusrmgr.msc)

Why is it crucial to regularly update software?

  Answer: To patch known security vulnerabilities

What is a significant risk when using public Wi-Fi?

  Answer: Data can be intercepted by attackers

Before editing the Windows Registry, what precaution should be taken?

  Answer: Create a backup of the Registry.

What is the purpose of Multifactor Authentication (MFA)?

  Answer: To enhance security by requiring additional verification

Which of the following tools would you use to recover deleted files on a Windows system?

  Answer: EaseUS Data Recovery Wizard

What is a common indicator of a phishing attempt?

  Answer: Spelling errors in legitimate emails

What is the functionality of the Task Scheduler in Windows?

  Answer: To schedule automated tasks and scripts.

    Study Notes

    Common Software Vulnerabilities

    • Buffer Overflow: When a program writes more data to a buffer than it can handle, an attacker can overwrite adjacent memory and execute malicious code.
    • Mitigation: Input validation, boundary checks, using safer programming languages with built-in safeguards, regular security audits, code reviews, and penetration testing.
    • SQL Injection: Exploits improper handling of user input in SQL queries, allowing attackers to manipulate databases and gain unauthorized access.
    • Coding Practices: Parameterized queries, input validation and sanitization, least privilege, escaping special characters, Web Application Firewalls (WAF), and regular security testing.
    • Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages viewed by others, often leading to data theft or session hijacking.
    • Coding Practices: Input validation and output encoding, HTTPS only, secure cookies, Content Security Policy (CSP), HTTP headers, avoiding inline scripts, and regular security testing.
    • Cross-Site Request Forgery (CSRF): Allows attackers to perform unauthorized actions on behalf of a victim user, tricking the browser into making unintended requests that the attacker can manipulate.
    • Security Measures: CSRF Tokens, SameSite Attribute, HTTP Referrer Header, Logout After Inactivity, HTTP Headers, and regular security testing.
    • Privilege Escalation: Vulnerabilities that allow attackers to gain higher access levels within a system than they should have, leading to increased control.
      • Vertical Privilege Escalation: When a standard user attempts to gain the privileges of a higher-level user.
      • Horizontal Privilege Escalation: An authenticated user (standard/privileged) attempts to gain access to another user’s account within the same privilege level.
    • Coding Practices: Principle of least privilege, regular updates and patching, secure configuration, strong authentication and authorization, auditing and monitoring, and regular security testing.
    • Remote Code Execution (RCE): Enables attackers to execute arbitrary code on a remote system, often through network services.
    • Best Practices: Input Validation and Sanitization, Secure Coding Practices, Least Privilege, Use Safe APIs, Patch Management, Web Application Firewall (WAF), and Security Testing.

    Internet Infrastructure

    • Internet: A vast, global network of computers and devices that communicate using standardized protocols.
    • Building Blocks:
      • Fiber Optic Cables: High-speed cables made of glass fibers that transmit data as light.
      • Submarine Cables: Fiber optic cables laid under oceans to connect continents.
      • Data Centers: Massive facilities filled with servers and networking equipment, hosting websites, applications, and user data.
      • Cloud Computing: Cloud services such as AWS, Google Cloud, and Microsoft Azure rent out computing power and storage space hosted in data centers.
    • Popular Web Servers: Apache, Nginx, Microsoft IIS (Internet Information Services).

    Search Engines

    • Search Engines: Help users find specific information on the web by indexing web pages and ranking them according to relevance.

    Caching and Cookies

    • Caching: Browsers store copies of web data (e.g., images, CSS files) in temporary storage to improve loading times for repeat visits.
    • Cookies: Small text files stored on the user's computer by websites to remember session information or user preferences.

    Cybersecurity

    • Cybersecurity: The practice of protecting systems, networks, and data from unauthorized access, attacks, or damage.

    Common Cyber Threats and Vulnerabilities

    • Malware: Malicious software designed to infiltrate, damage, or exploit a system without the user's consent.
      • Viruses: Attach themselves to legitimate software and replicate when the infected software is run.
      • Worms: Standalone programs that replicate themselves and spread through networks without needing a host program, causing extensive damage quickly.
      • Trojan Horses: Disguised as legitimate software, they trick users into installing them and then exploit or compromise the system.
      • Ransomware: Locks users out of their systems or encrypts their data, demanding payment for restoration or access.
      • Spyware: Secretly monitors user activity, gathering sensitive data like passwords and credit card details.
      • Adware: Unwanted software that displays intrusive ads on devices, sometimes leading to other types of malware.
    • Phishing: Attackers impersonate legitimate entities through deceptive emails, messages, or websites to trick users into revealing sensitive information.
    • Social Engineering: The manipulation of people into divulging confidential information or performing actions that compromise security, often using psychological techniques.

    Authorization and Encryption:

    • Authorization: Determines what users are allowed to do, specifying their level of access to resources (files, databases, etc.).
    • Encryption: The process of encoding data to prevent unauthorized access, ensuring that only authorized parties with the correct decryption key can read it.

    Security Best Practices:

    • Strong Password: Use a long, complex, and unique password for every account.
    • Password Managers: Tools like LastPass or Bitwarden store and manage complex passwords securely.
    • Multifactor Authentication (MFA): Requires additional verification (fingerprint, one-time code) beyond just a password.

    Safe Browsing Practices:

    • Secure Websites: Recognize secure websites by looking for HTTPS instead of HTTP and a padlock icon in the address bar.
    • Suspicious Links: Avoid downloading unknown files or clicking on unsolicited ads or links.

    Software Updates:

    • Importance of Updates: Outdated software often contains vulnerabilities that hackers can exploit. Keeping software up-to-date ensures known security flaws are patched.

    Phishing Awareness:

    • Recognizing Phishing Attempts: Phishing attacks often use fake emails or websites that appear legitimate but are designed to steal sensitive information.
    • Key Indicators of Phishing: Look for misspellings, unusual senders, urgent or threatening language, or suspicious URLs.

    Public Wi-Fi Safety:

    • Risks of Public Wi-Fi: Public Wi-Fi networks are often unencrypted, making it easier for attackers to intercept data.
    • VPNs (Virtual Private Networks): Encrypt internet traffic, providing a secure connection even on public Wi-Fi.

    Remote PC Access and Windows Administrative Tools:

    • Remote PC: Technology that allows you to access and control your computer from a different location using another device.
    • Windows Administrative Tools:
      • Task Scheduler
      • Event Viewer
      • Shared Folders
      • Performance
      • Device Manager
      • Disk Management
      • Services Manager

    Windows Registry Editor (regedit)

    • Enables administrators to keep the registry operational and make root-level and administrative-level changes.
    • A database of configurations used by applications, services, and all other aspects of Windows.

    Control Userpasswords2

    • Access user accounts, grant/deny access, change passwords, and manage advanced settings.

    Local Users and Groups (lusrmgr.msc)

    • Find all user accounts and groups configured on a Windows computer or device.

    Best Data Recovery Software:

    • Disk Drill Data Recovery
    • EaseUS Data Recovery Wizard
    • TestDisk Data Recovery
    • Recuva
    • R-Studio
    • Stellar Data Recovery Professional
    • DM Disk Editor and Data Recovery Software
    • DiskInternals Uneraser

    Caesar Cipher

    • A simple substitution cipher that shifts each letter of the alphabet a fixed number of positions.
    • Encryption formula: E_n(x) = (x + n) mod 26, where x is the letter's position in the alphabet (A = 0 to Z = 25) and n is the shift.
    • Decryption formula: D_n(x) = (x - n) mod 26

    Caesar Cipher Weaknesses

    • Can be easily broken even in a ciphertext-only scenario.
    • Techniques to Break: Frequency Analysis, Pattern Words, Brute Force Attack.
    • Solution to Weakness: Use multiple shift keys for encryption.
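Added example (not part of the quiz or its source notes) covering both the formulas E_n(x) = (x + n) mod 26 and D_n(x) = (x - n) mod 26 above and the breaking techniques just listed, in Python: brute force enumerates all 25 candidate decryptions, and a chi-squared frequency-analysis score picks the most English-looking one, recovering the key from ciphertext alone. The sample message and the approximate English letter frequencies are constructed/assumed inputs.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate relative letter frequencies (percent) of English text; assumed values.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.074,
}

def encrypt(plaintext, n):
    # E_n(x) = (x + n) mod 26 applied per letter; non-letters pass through unchanged.
    out = []
    for ch in plaintext.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26] if ch in ALPHABET else ch)
    return "".join(out)

def decrypt(ciphertext, n):
    # D_n(x) = (x - n) mod 26 is the same shift applied in reverse.
    return encrypt(ciphertext, -n)

def brute_force(ciphertext):
    # Only 25 non-trivial keys exist, so every candidate plaintext can simply be listed.
    return {n: decrypt(ciphertext, n) for n in range(1, 26)}

def frequency_score(text):
    # Chi-squared distance between the text's letter counts and English frequencies;
    # lower means the text looks more like English.
    letters = [c for c in text if c in ALPHABET]
    counts = Counter(letters)
    total = len(letters) or 1
    score = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100 * total
        score += (counts[letter] - expected) ** 2 / expected
    return score

def recover_key(ciphertext):
    # Frequency analysis: choose the shift whose candidate plaintext scores most English-like.
    candidates = brute_force(ciphertext)
    return min(candidates, key=lambda n: frequency_score(candidates[n]))

if __name__ == "__main__":
    msg = "MEET ME AT THE LIBRARY AFTER THE LECTURE AND BRING THE NOTES FROM LAST WEEK"  # constructed
    ct = encrypt(msg, 7)
    print(recover_key(ct), decrypt(ct, recover_key(ct)))
```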


    Related Documents

    prefinals.pdf

    Description

    Test your knowledge on common software vulnerabilities such as Buffer Overflow, SQL Injection, and Cross-Site Scripting (XSS). This quiz covers essential mitigation strategies and best coding practices to enhance application security. Understand how to protect against these threats effectively.
