Cybersecurity Fundamentals Quiz

Questions and Answers

What is the primary goal of state-sponsored attackers?

  • Promote social and political causes
  • Engage in espionage and sabotage (correct)
  • Perform research on security vulnerabilities
  • Commit data theft for financial gain

Which of the following best describes an apprentice hacker?

  • A hacker capable of sophisticated attacks
  • An intermediate hacker with manual attack skills
  • A beginner who relies on automated tools (correct)
  • An individual using advanced exploitation techniques

During which stage of the attack methodology would a hacker exploit network vulnerabilities to gain access?

  • Target Acquisition
  • Initial Access (correct)
  • Privilege Escalation
  • Reconnaissance

What type of attackers are primarily driven by social, political, or ideological causes?

Answer: Activists

What characterizes a journeyman hacker?

Answer: Intermediate, with a solid understanding of security

What is an example of privilege escalation in the context of a cyber attack?

Answer: Capturing admin passwords with sniffers

Which of the following activities is associated with the target acquisition stage of attack methodology?

Answer: Identifying the target using publicly available information

What can be a motive for 'other' intruders who do not fit into the common categories?

Answer: Gaining revenge, or testing security as a researcher

What type of intrusion involves an intruder pretending to be an authorized user?

Answer: Masquerader

What is a significant limitation of firewalls in network security?

Answer: They cannot inspect traffic that does not pass through them, such as traffic between hosts on the same internal network.

Which of the following best describes the function of an Intrusion Prevention System (IPS)?

Answer: Blocks unauthorized access by filtering network traffic

What motivates a cybercriminal to engage in illegal activities?

Answer: Financial gain

Which requirement is crucial for an effective Intrusion Detection System (IDS)?

Answer: It needs to adapt to changes in systems and users.

A misfeasor is typically characterized as which type of user?

Answer: An authorized user abusing their access

Which of the following is NOT a common method of network intrusion?

Answer: Creating redundant user accounts

What characteristic distinguishes a clandestine user from other intruders?

Answer: They seize supervisory (administrative) control and use it covertly, evading audit and access controls.

Which technique is primarily used to maintain access after an initial attack?

Answer: Installing backdoors

What is the primary purpose of using rootkits during an attack?

Answer: To hide installed files or malicious code

What is the main function of an analyzer in an Intrusion Detection System?

Answer: Determines whether an intrusion has occurred

Which attack methodology stage involves targeting other servers for compromise?

Answer: Information Gathering

Which of the following describes Network-based IDS (NIDS)?

Answer: Analyzes network traffic on specific segments

What is a common motivation behind data exfiltration attacks?

Answer: To steal sensitive information for financial gain

Which of these is NOT a characteristic targeted by Host-based IDS (HIDS)?

Answer: Network traffic patterns

What is a key difference between distributed IDS and traditional IDS?

Answer: A distributed IDS integrates information from multiple sensors across various systems

Flashcards

Cyber Attack Motivations

Reasons why attackers target computer systems, ranging from financial gain to political agendas.

Data Theft

Unauthorized acquisition of sensitive information from computer systems for financial gain.

State-sponsored Attack

Cyberattacks carried out by governments to gain intelligence or disrupt rival nations.

Apprentice Hacker

Beginner hackers who rely mostly on pre-made tools to perform attacks.

Initial Access

Stage of a cyberattack in which the attacker first breaches a system's security to gain entry, after the target has been identified and reconnoitred.

Information Gathering

Gathering information about a target system to identify vulnerabilities and plan an attack.

Privilege Escalation

Gaining higher access levels within a system—like from a user to an administrator.

Hacktivism

Hacking used to promote social or political causes.

System Intrusion

Unauthorized access or actions within a system, such as unauthorized logins, account creation, log deletion, or unexpected behavior.

Network Intrusion

Unauthorized access or actions on a network, such as repeated login attempts, packet sniffing, or excessive bandwidth usage.

File Intrusion

Unauthorized modifications or access to files, including unknown files, file permission changes, or missing files.

Firewall purpose

Acts as a gatekeeper, controlling incoming and outgoing network traffic based on predefined rules.

IDS purpose

Monitors network activity and analyzes system and user behavior to detect suspicious activity.

IDS vs IPS

IDS passively detects threats and alerts, while IPS actively blocks or mitigates threats by manipulating network traffic.

Masquerader

An external attacker who pretends to be a legitimate user by falsifying credentials or exploiting vulnerabilities.

Misfeasor

An authorized user who abuses their access privileges for unauthorized purposes, often internally within a network.

Data Exfiltration

The act of stealing sensitive data from a compromised system or network.

Maintaining Access

Ensuring continued access to a compromised system after the initial attack, often by installing backdoors or disabling security software.

Covering Tracks

Removing evidence of an attack to avoid detection, often involving manipulating logs and hiding malicious code.

Intrusion Detection System (IDS)

A security system that monitors for suspicious activity and alerts administrators to potential threats.

IDS: Sensors

Components that collect data like network packets, logs, and system calls for analysis.

IDS: Analyzers

Components that analyze collected data to determine if an intrusion has occurred and provide recommendations for action.

IDS: User Interface

Allows viewing output and controlling the behavior of the IDS, providing an interface for human interaction.

Host-based IDS (HIDS)

Monitors a single host for suspicious activity by analyzing its logs, file integrity, and behavior.

Study Notes

Local DNS Attack

  • DNS cache poisoning injects a forged record into a resolver's cache, so that lookups for a legitimate name return an attacker-chosen IP address and traffic is redirected to a malicious host
  • In the local variant the attacker is on the same network as the victim or the local DNS resolver, so the resolver's queries can be observed
  • Steps of execution:
    • Compromise: Attacker gains a foothold on the local network (or on the local DNS server itself) and sniffs the resolver's outgoing DNS queries
    • Cache Poisoning: Attacker answers a query with a spoofed reply carrying a false record, using the transaction ID and port seen in the sniffed query; the false record is cached
    • Redirection: User's legitimate request triggers a DNS lookup that is now served from the poisoned cache
    • Traffic Diversion: User receives the malicious IP and the traffic goes to the attacker's host instead of the real site
    • Attack Execution: The attacker's site is used for data theft, malware distribution, phishing, etc.

Remote DNS Attack

  • Similar end goal to local DNS attacks, but the process differs significantly.
  • Attacker is outside the internal network.
  • DNS queries and other traffic packets cannot be sniffed by the attacker.
  • This makes the attack much more difficult.
  • Challenges: Spoofing DNS replies is more complex for attackers who are not on the same network as the local DNS server.

Why DNS Attacks Are Difficult

  • Attackers off the local network cannot see the resolver's DNS queries
  • To have a spoofed reply accepted they must guess two values carried in the query:
    • Source Port Number (16 bits, random on a modern resolver)
    • Transaction ID (16 bits, random)
  • The probability of guessing both correctly is 1 in 2³² per spoofed packet.
  • At 1000 spoofed packets per second a single attacker needs about 50 days to exhaust all 2³² combinations (2³² / 1000 per second ≈ 49.7 days).
  • A botnet of 1000 hosts reduces that to about 1.2 hours.
  • Before 2008 many resolvers used a fixed source port, leaving only the 2¹⁶ transaction IDs to guess; the same attacker exhausts those in just over a minute.
  • Key obstacles are timing and the cache effect: the spoofed reply must arrive before the real one, and once the real answer is cached the attacker must wait for its TTL to expire before the resolver will ask for that name again.

Kaminsky Attack

  • Dan Kaminsky's 2008 attack removes the cache-effect obstacle: a failed guess no longer forces the attacker to wait for the cached answer to expire.
  • Instead of asking the victim resolver for the real hostname (e.g. www.example.com), the attacker asks for a random, non-existent name in the target zone (e.g. r4nd0m1.example.com). The resolver has nothing cached for it and must send a fresh query every time.
  • While that query is outstanding the attacker floods spoofed replies. If the guess fails, the attacker picks another random name and repeats immediately; nothing useful has been cached, so there is no timeout to wait for.
  • The forged reply does not poison the answer section for the random name. It places a forged NS record for the whole zone in the authority section, pointing the zone at a name server name the attacker chooses (e.g. ns.example.com), together with an A "glue" record for that name server in the additional section carrying the attacker's IP address.
  • Once accepted, every later lookup in the zone is sent to the attacker's name server, so the attacker controls all responses for the zone, not just one hostname.
  • The fix deployed in 2008 was UDP source-port randomisation in resolvers, raising the guessing space from 2¹⁶ to roughly 2³²; DNSSEC removes the problem by authenticating the data itself.
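The sections "Why DNS Attacks Are Difficult" and "Kaminsky Attack" together describe one forged reply and the odds of a resolver accepting it. The block below is an added example, not part of the original study notes: a minimal DNS wire-format builder and a toy resolver acceptance check in Python. Everything in it is constructed: the zone example.com, the name server name ns.example.com, the attacker address 203.0.113.66, and the toy resolver's checks (transaction ID, destination UDP port, question name, bailiwick filtering). It shows that a correct guess of the two 16-bit values is all a spoofed reply needs, that the forged NS and glue records pass the bailiwick filter because they sit inside the queried zone, and how a fixed source port collapses the search space.

```python
"""Added example (not from the original study notes): the wire format of a
Kaminsky-style forged DNS reply and a toy resolver's acceptance check.
Zone, names and the attacker address 203.0.113.66 are constructed."""
import random
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
ATTACKER_IP = "203.0.113.66"   # constructed, RFC 5737 documentation range


def encode_name(name):
    """Dotted name -> DNS label sequence (no compression pointers)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def rr(name, rtype, rdata, ttl=86400):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(x) for x in ip.split("."))


def build_response(txid, qname, answer=(), authority=(), additional=()):
    # 0x8400: QR=1 (response), AA=1 (authoritative answer), RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8400, 1,
                         len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(answer) + b"".join(authority) + b"".join(additional)


def parse_response(buf):
    txid, _flags, _qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    qname, off = decode_name(buf, 12)
    off += 4                                   # skip QTYPE and QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            name, off = decode_name(buf, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            recs.append((name, rtype, buf[off:off + rdlen]))
            off += rdlen
        sections[key] = recs
    return txid, qname, sections


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


def resolver_accept(pending, dst_port, packet):
    """Toy resolver. `pending` is the outstanding query {"txid", "port",
    "qname", "zone"}. Returns the records it would cache, or None if the
    reply is discarded. Records outside the queried zone are dropped
    (bailiwick rule), which does nothing against names inside the zone."""
    if dst_port != pending["port"]:
        return None                            # wrong source-port guess
    txid, qname, sections = parse_response(packet)
    if txid != pending["txid"] or qname != pending["qname"]:
        return None                            # wrong transaction ID guess
    return {k: [r for r in recs if in_bailiwick(r[0], pending["zone"])]
            for k, recs in sections.items()}


def forge_kaminsky_reply(txid, qname, zone, ns_name):
    """No answer for the random name; instead an NS record for the whole zone
    plus an A 'glue' record sending that name server to the attacker."""
    return build_response(
        txid, qname,
        authority=[rr(zone, TYPE_NS, encode_name(ns_name))],
        additional=[rr(ns_name, TYPE_A, a_rdata(ATTACKER_IP))])


def search_space(port_randomized):
    """Guesses needed to cover every (txid, port) pair the resolver may use."""
    return (1 << 32) if port_randomized else (1 << 16)


if __name__ == "__main__":
    zone = "example.com"
    qname = "r%d.%s" % (random.randrange(10**9), zone)       # never cached before
    pending = {"txid": random.randrange(1 << 16), "port": 53,  # pre-2008: fixed port
               "qname": qname, "zone": zone}
    for guess in range(1 << 16):                               # brute-force the txid only
        got = resolver_accept(pending, 53, forge_kaminsky_reply(guess, qname, zone, "ns.example.com"))
        if got:
            print("poisoned after %d guesses: %r" % (guess + 1, got["authority"]))
            break
```

Run directly, the loop poisons the fixed-port resolver within 2¹⁶ guesses; against a randomised port the attacker would also have to guess the port, which is the 2³² space computed in the notes and the reason source-port randomisation was the 2008 fix. Note that the resolver accepts the NS record for example.com and the glue for ns.example.com on a correct guess even though the question was for an unrelated random name; only a glue record for a name outside the zone (e.g. ns.attacker.test) is dropped by the bailiwick filter.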

DNSSEC

  • A set of extensions to DNS that adds origin authentication and data integrity to DNS responses using digital signatures (DNSSEC does not encrypt queries or answers).
  • Digital signatures: each zone's records are signed with the zone's private key; the signatures (RRSIG records) and the zone's public keys (DNSKEY records) are published in the zone itself, so every DNSSEC-protected zone returns signed answers.
  • Chain of Trust: a parent zone publishes a DS record, a hash of the child zone's public key, so a resolver can start from a configured trust anchor (the root zone key) and walk down through each delegation, checking each zone's key against the DS record in the zone above it.
  • Example: to validate "example.com", the resolver fetches the zone's DNSKEY, checks it against the DS record in the "com" zone (itself checked against the root key), verifies the RRSIG over the returned records with that key, and only then treats the response as authentic.
  • Benefits: a validating resolver rejects forged or tampered records, so spoofed replies of the kind used in cache poisoning fail validation. This protects only zones that are signed and only clients behind resolvers that validate.
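The link between a child zone's DNSKEY and the DS record in its parent is the step the chain-of-trust bullet relies on, and the one an operator gets wrong most often when publishing a DS at a registrar. The block below is an added example, not part of the original notes: it computes the key tag and DS digest the way RFC 4034 specifies (Appendix B for the key tag; digest type 2, SHA-256 over the canonical owner name and DNSKEY RDATA) and walks a constructed root → com → example.com chain, reporting where it breaks when a key is swapped. The RRSIG verification over the records themselves needs an asymmetric-crypto library and is not part of this block. All key bytes and zone contents are constructed, not real DNS data.

```python
"""Added example (not from the original study notes): the DNSSEC chain-of-trust
link check between a child zone's DNSKEY and the DS record in its parent,
per RFC 4034. Keys and zone contents are constructed; RRSIG checking over
the records themselves is outside this block."""
import hashlib
import struct


def wire_name(name):
    """Canonical (lower-case) wire form of an owner name; "" is the root."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (257 = zone key + SEP), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata):
    """DS record content a parent zone publishes for a child's DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2,
            "digest": hashlib.sha256(wire_name(owner) + rdata).digest()}


def ds_matches(owner, rdata, ds):
    return (ds["digest_type"] == 2 and ds["key_tag"] == key_tag(rdata)
            and ds["digest"] == hashlib.sha256(wire_name(owner) + rdata).digest())


def validate_chain(chain, trust_anchor):
    """chain: zones from the root down, each {"name", "dnskey", "ds_in_parent"}
    (ds_in_parent is None for the root). trust_anchor: the root DNSKEY RDATA
    configured in the resolver. Returns ("secure", leaf) or ("bogus", zone, why)."""
    for i, zone in enumerate(chain):
        if i == 0:
            if zone["dnskey"] != trust_anchor:
                return ("bogus", zone["name"], "root key differs from trust anchor")
        elif not ds_matches(zone["name"], zone["dnskey"], zone["ds_in_parent"]):
            return ("bogus", zone["name"], "DNSKEY does not match DS in parent zone")
    return ("secure", chain[-1]["name"])


def build_demo_chain(example_pubkey=b"\x10" * 32):
    """Constructed root -> com -> example.com chain. The DS for example.com is
    always computed from the legitimate key, so passing a different
    example_pubkey models an attacker substituting the zone's key."""
    root_key = dnskey_rdata(257, 13, b"\x01" * 32)
    com_key = dnskey_rdata(257, 13, b"\x02" * 32)
    legit_example_key = dnskey_rdata(257, 13, b"\x10" * 32)
    chain = [
        {"name": "", "dnskey": root_key, "ds_in_parent": None},
        {"name": "com", "dnskey": com_key, "ds_in_parent": make_ds("com", com_key)},
        {"name": "example.com", "dnskey": dnskey_rdata(257, 13, example_pubkey),
         "ds_in_parent": make_ds("example.com", legit_example_key)},
    ]
    return chain, root_key


if __name__ == "__main__":
    chain, anchor = build_demo_chain()
    print(validate_chain(chain, anchor))                              # secure
    forged, anchor = build_demo_chain(example_pubkey=b"\xff" * 32)    # substituted key
    print(validate_chain(forged, anchor))                             # bogus at example.com
```

The point of the walk is that a forged example.com key cannot be made to match the DS record that "com" publishes and signs, so a validating resolver marks the zone bogus instead of trusting whatever the spoofed reply contained.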

TLS/SSL

  • Used for secure communication between a client and a server (HTTPS is HTTP carried over TLS)
  • Encrypts and integrity-protects data in transit
  • Prevents man-in-the-middle attacks, provided the client actually validates the server's certificate chain and hostname
  • Uses public-key cryptography in the handshake to authenticate the server and agree on session keys; the data itself is then encrypted with symmetric keys derived from that exchange
  • Establishes a connection with a handshake: the client opens with a ClientHello listing the versions and cipher suites it supports
  • The server provides its certificate, signed by a trusted CA
  • The client verifies the certificate chain and hostname, both sides derive the session keys, and the encrypted session is established
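The "prevents man-in-the-middle attacks" bullet holds only when the client performs the verification step, and the most common way it is broken in practice is client code that switches verification off to silence a certificate error. As an added example (not from the original notes), the block below builds the weak configuration beside the hardened one with Python's standard ssl module and checks the settings a reviewer looks for. No network connection is made; the contexts are only built and inspected.

```python
"""Added example (not from the original study notes): client-side TLS
certificate checks, weak configuration beside hardened one, using the
standard library ssl module. Nothing here connects to a network."""
import ssl


def weak_client_context():
    """The 'make the error go away' configuration: certificate and hostname
    validation disabled. Any certificate, including one the attacker made up
    on the spot, completes the handshake; the session is encrypted but not
    authenticated, so it is not protected against an active attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """System CA store, certificate required, hostname matching, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_mitm_resistant(ctx):
    """The three settings to check in any client TLS code under review."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def open_tls(sock, host, ctx):
    """server_hostname is the name compared against the certificate (and sent
    as SNI); passing the right name matters as much as the context itself."""
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, "context resists MITM:", is_mitm_resistant(ctx))
```

When reviewing code, grep for `CERT_NONE`, `check_hostname = False` and for equivalents in other stacks (`verify=False`, `InsecureSkipVerify`, `rejectUnauthorized: false`); each one turns the handshake described above into encryption to an unauthenticated peer.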

Firewalls

  • Security systems that monitor incoming and outgoing traffic and enforce a policy on it to prevent unauthorized access.
  • Decisions are based on rules (the firewall policy or ruleset) that match packet attributes and specify an action, such as accept or discard.
  • Source and destination IP address, ports, and protocol are typical attributes matched.
  • Actions depend on the matching rule: accept, deny/drop (silently discard), or reject (discard and send an error back to the sender).
  • Types of firewalls
    • Network-based: a dedicated device placed in-path on the network, protecting many hosts at once independently of the hosts themselves.
    • Host-based: software running on an individual device, filtering traffic before it reaches the applications on that host.
    • Demilitarized Zone (DMZ): a small, isolated network between the internet and the private network that holds the publicly reachable services (web, mail, and FTP servers), so that a compromise there does not give direct access to the internal network.

Stateful vs. Stateless Firewalls

  • Stateless firewalls inspect each packet independently without considering the context of previous packets.
  • Stateful firewalls track the state of network connections to analyze each packet based on the connection.
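The practical consequence of the stateless/stateful distinction is how each can express the policy "internal hosts may connect out, and only replies may come back in". The block below is an added example, not from the original notes: a stateless and a stateful filter enforcing that intended policy, run over one constructed packet sequence. Addresses and ports are constructed (10.0.0.5 is an internal client, 203.0.113.10 an external web server, 198.51.100.7 an attacker).

```python
"""Added example (not from the original study notes): stateless vs stateful
packet filtering of the same intended policy over a constructed packet
sequence. All addresses and ports are constructed."""

INTERNAL_PREFIX = "10.0.0."


def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


def internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(p):
    """Judges every packet on its own header. With no memory of who opened
    what, 'reply' can only be approximated as 'inbound with ACK set', a bit
    the attacker sets at will (this is exactly what an ACK scan sends)."""
    if internal(p["src"]) and not internal(p["dst"]):
        return "accept"
    if not internal(p["src"]) and internal(p["dst"]) and "ACK" in p["flags"]:
        return "accept"
    return "drop"


class StatefulFilter:
    """Tracks connections opened from the inside; inbound packets are accepted
    only if they belong to one of them."""

    def __init__(self):
        self.table = set()        # (int_ip, int_port, ext_ip, ext_port)

    def filter(self, p):
        if internal(p["src"]) and not internal(p["dst"]):
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if p["flags"] == {"SYN"}:
                self.table.add(key)              # new outbound connection
            elif key not in self.table:
                return "drop"                    # mid-stream packet of an unknown flow
            if "RST" in p["flags"] or "FIN" in p["flags"]:
                self.table.discard(key)
            return "accept"
        key = (p["dst"], p["dport"], p["src"], p["sport"])
        if key in self.table:
            if "RST" in p["flags"]:
                self.table.discard(key)
            return "accept"
        return "drop"                            # unsolicited inbound, ACK bit or not


def run(packets):
    """Returns (stateless verdict, stateful verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in packets]


TRAFFIC = [  # constructed sequence
    pkt("10.0.0.5", 51000, "203.0.113.10", 80, "SYN"),          # client opens a connection
    pkt("203.0.113.10", 80, "10.0.0.5", 51000, "SYN", "ACK"),   # genuine reply
    pkt("10.0.0.5", 51000, "203.0.113.10", 80, "ACK"),          # handshake completes
    pkt("198.51.100.7", 80, "10.0.0.5", 22, "ACK"),             # attacker's ACK probe at SSH
    pkt("198.51.100.7", 4444, "10.0.0.5", 51000, "ACK"),        # spoof attempt, wrong 4-tuple
]

if __name__ == "__main__":
    for p, (a, b) in zip(TRAFFIC, run(TRAFFIC)):
        print("%-14s:%-5d -> %-14s:%-5d %-8s stateless=%-6s stateful=%s"
              % (p["src"], p["sport"], p["dst"], p["dport"], "/".join(sorted(p["flags"])), a, b))
```

The last two packets are the point: the stateless filter lets both through because they carry ACK, while the stateful filter drops them because no internal host opened those connections. The price of state is the connection table itself, which an attacker can try to exhaust with floods of SYNs, so real implementations age entries out and cap table size.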

Application/Proxy Firewalls

  • Inspect packet headers and application data for malicious content to block or allow traffic based on security criteria.

Next-Generation Firewalls (NGFWs)

  • Combine multiple security features in a single device.
  • Functions:
    • Deep packet inspection (DPI): Analyzes the content of network traffic to identify malicious payloads and suspicious activity.
    • Application awareness: Identifies and controls specific applications.
    • Intrusion prevention system (IPS): Analyzes network traffic for malicious patterns and prevents attacks.
    • VPN functionality: Enables secure remote access to the network.
    • URL Filtering: Blocks access to malicious websites and unwanted content.

Network Address Translation (NAT)

  • Technique to map one IP address space to another, conserving public IP addresses.
  • NAT devices map internal IP addresses to a single public IP address.
  • Basic NAT maps one-to-one, while NAPT maps multiple internal addresses to a single public address using different port numbers.
  • Address pairing: NAT assigns the same public IP address to multiple connections initiated by the same internal host.

Intrusion Detection Systems (IDS)

  • System which monitors and analyzes system/network events to detect suspicious activity.
  • Can be used to monitor
    • Network traffic, system logs, file integrity, and system behavior
  • Types
    • Host-based (HIDS): Monitors host activities
    • Network-based (NIDS): Monitors network traffic
  • Approaches
    • Anomaly detection: Detect deviations from normal activity patterns
    • Signature detection: Matches patterns to database of known malicious activities.
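The two approaches behave differently on the same data, which is easier to see by running both. The block below is an added example, not from the original notes: a signature matcher and a simple anomaly detector applied to constructed sshd and web log lines. The anomaly detector learns a per-source failed-login baseline from a quiet period and flags sources that exceed it; the signature rules, log lines, hosts and addresses are all constructed for this example.

```python
"""Added example (not from the original study notes): signature detection and
anomaly detection run over the same constructed log lines."""
import re
from collections import Counter

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")

SIGNATURES = [  # constructed rules: known-bad patterns
    ("ssh-root-password-attempt", re.compile(r"Failed password for root from")),
    ("web-path-traversal", re.compile(r"\.\./\.\./")),
    ("web-sqli-tautology", re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1|union\s+select")),
]

BASELINE = """\
Mar  3 09:00:01 gw sshd[910]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Mar  3 09:00:09 gw sshd[910]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Mar  3 09:14:02 gw sshd[944]: Failed password for bob from 10.0.0.6 port 51322 ssh2
Mar  3 09:14:05 gw sshd[944]: Failed password for bob from 10.0.0.6 port 51322 ssh2
Mar  3 09:14:11 gw sshd[944]: Accepted password for bob from 10.0.0.6 port 51322 ssh2
""".splitlines()   # constructed quiet period

LIVE = """\
Mar  3 10:00:01 gw sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:02 gw sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:02 gw sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Mar  3 10:00:03 gw sshd[1204]: Failed password for bob from 198.51.100.7 port 40004 ssh2
Mar  3 10:00:03 gw sshd[1205]: Failed password for carol from 198.51.100.7 port 40005 ssh2
Mar  3 10:00:04 gw sshd[1206]: Failed password for dave from 198.51.100.7 port 40006 ssh2
Mar  3 10:01:10 web httpd: 203.0.113.44 GET /static/../../../../etc/passwd 404
Mar  3 10:02:30 gw sshd[1240]: Failed password for alice from 10.0.0.5 port 51100 ssh2
Mar  3 10:02:36 gw sshd[1240]: Accepted password for alice from 10.0.0.5 port 51100 ssh2
""".splitlines()   # constructed: a brute force, one traversal probe, one user typo


def signature_detect(lines):
    """Known-bad patterns: precise and explainable, blind to anything not yet written down."""
    return [(name, line) for line in lines for name, rx in SIGNATURES if rx.search(line)]


def failures_per_source(lines):
    return Counter(m.group(2) for m in map(FAILED.search, lines) if m)


def learn_baseline(lines, factor=2, floor=3):
    """Threshold = factor x the worst source in the quiet period, never below
    `floor`, so ordinary mistyped passwords do not alert."""
    worst = max(failures_per_source(lines).values(), default=0)
    return max(floor, factor * worst)


def anomaly_detect(lines, threshold):
    """Sources whose failed-login count exceeds the learned normal. This catches
    the password spray even though only one of its lines matches a signature."""
    return {src: n for src, n in failures_per_source(lines).items() if n > threshold}


if __name__ == "__main__":
    for name, line in signature_detect(LIVE):
        print("SIG ", name, "|", line)
    thr = learn_baseline(BASELINE)
    for src, n in anomaly_detect(LIVE, thr).items():
        print("ANOM %s: %d failed logins (threshold %d)" % (src, n, thr))
```

Signature detection fires on two lines (the root attempt and the traversal probe) and says nothing about the other five failures from 198.51.100.7; anomaly detection flags that source as a whole but could not name the traversal probe. Most deployments run both for this reason, and the anomaly threshold is the usual source of false positives when the baseline period was not representative.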

Intrusion Prevention Systems (IPS) and Host-Based IPS

  • Proactive security technology that identifies, blocks, and prevents malicious activity in real time, either inline on the network (network IPS) or on the protected host itself (host-based IPS).

Honeypots

  • Decoy systems, or an entire decoy network, built to attract attackers
  • Used to gather intelligence on attacker activity and to divert attackers from production infrastructure; because no legitimate user has reason to touch a honeypot, any interaction with it is suspicious and false positives are rare
  • Types
    • Host traps
    • Network traps
    • Malware honeypots

Snort

  • Open-source network intrusion detection system (IDS) and prevention system (IPS).
  • Uses rules to detect and classify malicious activities.
  • Offers options for capturing and logging data.

Port Forwarding

  • Technique that makes a specific internal server reachable from outside: the NAT device is configured with a static rule mapping a public port to that server's private IP address and port, and inbound traffic arriving at the public port is translated and routed to it.
  • Unlike the dynamic NAPT mappings created by outbound connections, a forwarded port is reachable by any external host, so the exposed service must be hardened and firewalled in its own right.
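The NAT and Port Forwarding notes above describe one translation table seen from two directions. The block below is an added example, not from the original notes: a NAPT table with a single static port-forward, exercised with constructed addresses (203.0.113.1 is the NAT device's public address, 10.0.0.x are internal hosts, 203.0.113.10 an external web server, 198.51.100.7 an attacker). It shows how two internal hosts share one public address through distinct public ports, why an unsolicited inbound packet is dropped, and what a port-forward rule gives up.

```python
"""Added example (not from the original study notes): a NAPT translation
table with one static port-forward. All addresses and ports are constructed."""


class Napt:
    def __init__(self, public_ip, forwards=None, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}        # (int_ip, int_port, ext_ip, ext_port) -> public port
        self.back = {}       # (public port, ext_ip, ext_port) -> (int_ip, int_port)
        self.forwards = dict(forwards or {})   # public port -> (int_ip, int_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an internal host's packet: same public IP for every host
        (address pairing), a fresh public port per new flow, the same mapping
        reused for later packets of a known flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            while self.next_port in self.forwards:    # never collide with a static forward
                self.next_port += 1
            self.out[key] = self.next_port
            self.back[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.out[key], dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_port):
        """Where a packet arriving at (public_ip, dst_port) is delivered, or
        None if it is dropped. Dynamic mappings require the external peer to
        match; a static forward accepts any source."""
        hit = self.back.get((dst_port, src_ip, src_port))
        if hit:
            return hit                        # reply to a flow an inside host opened
        return self.forwards.get(dst_port)    # static forward: reachable by anyone outside


if __name__ == "__main__":
    nat = Napt("203.0.113.1", forwards={443: ("10.0.0.80", 443)})
    print(nat.outbound("10.0.0.5", 50000, "203.0.113.10", 80))   # public port 40000
    print(nat.outbound("10.0.0.6", 50000, "203.0.113.10", 80))   # same inside port, public port 40001
    print(nat.inbound("203.0.113.10", 80, 40001))                 # ('10.0.0.6', 50000)
    print(nat.inbound("198.51.100.7", 4444, 40000))               # None: not the peer of that mapping
    print(nat.inbound("198.51.100.7", 4444, 443))                 # ('10.0.0.80', 443): forward exposes host
```

The dropped packet to port 40000 is the incidental protection NAT gives internal hosts, and the accepted packet to port 443 is what a port-forward trades away: the forwarded server is as exposed as if it sat on the public address.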

VPN

  • Virtual private network: an encrypted tunnel that carries a computer's traffic across an untrusted network (for example the internet) into a remote private network, so the remote host behaves as if it were inside that network.
  • Because the tunnel payload is encrypted, firewalls along the path cannot inspect or filter what is inside it; filtering has to happen at the tunnel endpoints, where the traffic is in the clear.

Related Documents

Unit 3 - DNS Attacks PDF
