38 Questions
What type of attack involves a hacker entering a company by impersonating a legitimate customer support executive?
Impersonation
What information security standard is most relevant to a penetration tester and cyber security auditor working for a credit card company?
PCI-DSS
What is the primary purpose of a cloud technology that provides PaaS through OS-level virtualization and promotes fast software delivery?
Docker
What is the goal of isolating applications from the underlying infrastructure in a cloud environment?
To enhance security
What type of attack involves targeting a user by pretending to be a legitimate customer support executive?
Phishing
What is the primary goal of Roma, a member of a security team?
To protect the internal network from external threats
What type of attack involves rummaging through bins to gather sensitive information?
Dumpster diving
What is the primary function of a penetration tester and cyber security auditor?
To conduct a penetration test
What is a type of fault injection attack?
Optical fault injection
What type of attack is used by Joel in the scenario?
Watering hole attack
What design flaw in the authentication mechanism is exploited by Calvin?
Verbose failure messages
What type of SQL injection attack extends the results returned by the original query?
Union SQL injection
What is a strong indication that a server is vulnerable to a Server-Side Includes attack?
The existence of an shtml file
What type of attack involves redirecting users from a web page and downloading malware?
Watering hole attack
What is the goal of Calvin's attack on the web application?
To exploit design flaws in the authentication mechanism
What type of fault injection attack is used to target a company's hardware?
Electromagnetic fault injection
What is the most effective way to prevent the exploitation of vulnerabilities in a web application?
Enforce least privileges
What type of injection attack is Calvin’s web application susceptible to?
Server-side includes injection
What type of vulnerability assessment did Martin perform on Janet’s system?
Host-based assessment
Which Metasploit post-exploitation module can be used to escalate privileges on Windows systems?
getsystem
Why is using a VPN important when using a public Wi-Fi network?
To prevent intruders from sniffing traffic
How can you identify an ARP spoofing attack on your laptop?
By using a network analyzer tool
What is the primary goal of enforcing least privileges?
To limit the attack surface
What is the primary objective of a host-based vulnerability assessment?
To examine system configuration and files
What type of hacker is Nicolas?
White hat
What is the primary goal of Gerard's attack?
To bring down the company's reputation
What is the file containing the compiled Android application code?
classes.dex
What type of information did Gerard gather during DNS footprinting?
All of the above
What type of attack is Sam using to compromise the AWS IAM credentials?
Social engineering
What tool did Gerard use to gather information about the target network?
ZANTI
What is the main characteristic of the Triple Data Encryption Standard (3DES) algorithm?
Uses three keys, each consisting of 56 bits
What type of encryption does the wireless network Brakeme-Internal use?
WPA3
What is the purpose of the code hidden behind the images on Judy's forum?
To execute cross-site scripting (XSS) attacks
What type of attack did Alice perform on the target organization's cloud services?
MSP supply chain attack
What is the primary goal of Sam's phishing emails?
To steal the employee's AWS IAM credentials
What did Alice do with the customer data after accessing the target's customer profiles?
Compressed and stored them in the MSP
What type of encryption algorithm is IDEA?
Block cipher algorithm
What was the purpose of Alice's spear-phishing emails?
To compromise user accounts and launch further attacks
Study Notes
Types of Attacks
- Optical, electromagnetic fault injection (EMFI), power/clock/reset glitching, frequency/voltage tampering, and temperature attack are types of attacks.
Watering Hole Attack
- Joel, a professional hacker, targeted a company by identifying frequently visited websites, searching for loopholes, and injecting a malicious script to redirect users and download malware.
Design Flaws in Authentication
- Calvin, a grey-hat hacker, targeted a web application with design flaws in its authentication mechanism, such as verbose failure messages, which he used to perform social engineering.
SQL Injection Attacks
- Union SQL injection attack extends the results returned by the original query, enabling attackers to run two or more statements with the same structure.
Server-Side Includes Attack
- A Server-Side Includes (SSI) attack refers to the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary code remotely, which is indicated by the presence of .shtml or .stm files on the web server.
Information Security Standards
- Bill, a penetration tester, is applicable to the PCI-DSS information security standard, which is relevant to the credit card industry.
Impersonation Attack
- Ralph, a professional hacker, targeted Jane by impersonating a legitimate customer support executive, gaining access to her company, and gathering sensitive information.
Cloud Technology
- Alex, a cloud security engineer, used Docker, an open-source technology that provides PaaS through OS-level virtualization, to isolate applications from the underlying infrastructure.
Security Measures
- Roma, a security team member, used whitelist validation to protect the internal network from imminent threats.
Injection Attacks
- Calvin's web application is susceptible to Server-Side Includes (SSI) injection attacks, which can lead to malicious activities such as modifying and erasing server files.
Vulnerability Assessment
- Martin, an administrator, performed a host-based vulnerability assessment on an existing system, identifying possibilities of compromise through user directories, registries, and system parameters.
Privilege Escalation
- The getsystem module can be used to escalate privileges on Windows systems using Metasploit.
VPN and ARP Spoofing
- Using a VPN can prevent intruders from sniffing traffic, and identifying ARP spoofing attacks can be done by checking for suspicious activity on the network.
DNS Footprinting
- Gerard, a disgruntled ex-employee, used DNS footprinting to gather information about DNS servers and identify hosts connected to the target network, and then exploited this information to launch other sophisticated attacks.
Wireless Network Attacks
- Breaking into a WPA3-encrypted wireless network can be done by exploiting the Dragonblood vulnerability.
Cloud Attacks
- Alice, a professional hacker, targeted an organization's cloud services by infiltrating the MSP provider, gaining remote access to the cloud service, and accessing customer profiles.
Social Engineering
- Sam, a professional hacker, targeted an organization by using social engineering to compromise AWS IAM credentials.
Encryption Algorithm
- Triple Data Encryption Standard (3DES) is an encryption algorithm that uses three keys, each consisting of 56 bits, and every individual block contains 64-bit data.
Hidden Code
- Judy, a forum creator, discovered a hidden code behind strange images posted by a user, which could be a potential security threat.
This quiz covers various types of cyber threats, including fault injection, glitching, and temperature attacks, as well as hacking techniques such as script injection and malware downloads.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free