Ethical Hacking and CVSS Principles

Questions and Answers

What is the primary purpose of CVSS in organizations?

• To measure vulnerability severity accurately and consistently (correct)
• To encrypt sensitive data
• To ensure compliance with regulatory standards
• To monitor network traffic

Which of the following is listed as a common use of CVSS?

• Creating marketing strategies
• Prioritizing vulnerability remediation activities (correct)
• Developing new software systems
• Conducting employee training

What type of attack is represented by an unauthorized user accessing a secured network?

• Evil twin
• Social engineering
• Man-in-the-middle
• Piggybacking (correct)

How does an evil twin attack function?

Through a fraudulent Wi-Fi access point (C)

What is the primary risk when users log into unsecured accounts with an evil twin setup?

Interception of sensitive information (C)

Which action can attackers easily perform with a fake access point after gaining credentials?

Connect to other related networks (D)

What is a key characteristic of an evil twin access point?

It adopts the same SSID and BSSID of nearby Wi-Fi networks (D)

What makes evil twin attacks particularly challenging to detect?

The ability to shut down instantly (D)

What technique might ethical hackers use to bypass security systems during their testing?

Leaving USB drives with auto-start software in public areas (D)

Which of the following methods is NOT mentioned as a technique for ethical hackers?

Malware distribution (D)

Which tool is specifically mentioned as a security scanner used by ethical hackers?

Nessus (D)

What vulnerability related to WPA3 encryption allows attackers to gain access to networks?

Dragonblood (A)

What is a potential consequence of employing long-term infiltration tactics in ethical hacking?

Access to highly sensitive information over time (B)

Which of the following is an advantage of WPA3 over WPA2?

Protection against offline dictionary attacks (D)

What is the main purpose of frameworks like Metasploit in ethical hacking?

To provide a platform for vulnerability demonstration and exploitation (A)

Which of the following best describes a 'back-door' in the context of ethical hacking?

A hidden method to bypass normal authentication (C)

What potential issue occurs when file system permissions are improperly set?

Legitimate binaries can be replaced with malicious ones. (A)

What is the primary consequence of a process running under higher-level permissions after binary replacement?

The replaced binary executes under higher-level permissions. (B)

Which method of password cracking is known for requiring the least computational effort?

Dictionary attack (A)

What does a brute force attack require from the attacker?

A specific set of predefined values to test (A)

Which of the following vulnerabilities would allow an anonymous user to upload files to a Linux FTP server?

Improper file system permissions (A)

What is a disadvantage of using brute force attacks compared to other methods?

They can take an extensive amount of time for complex passwords. (A)

Which process command can demonstrate that a binary file is actively running on a system?

ps (D)

What could indicate that a system has been compromised via an FTP server?

Presence of unknown files in the root directory. (C)

What is one significant disadvantage of bug bounty programs for organizations?

They might generate a high volume of low-quality submissions. (D)

Why might organizations miss out on the benefits of a bug bounty program?

They are unable to quickly address known problems. (A)

Which statement accurately describes the majority focus of bug bounty participants?

72% are focused on web site vulnerabilities. (A)

What is a possible consequence of having an insufficient number of participants in a bug bounty program?

The program may not identify any vulnerabilities. (C)

What is a potential risk of allowing freelance researchers to test an organization's network?

It can lead to security breaches if not managed correctly. (A)

Why might organizations not achieve a significant return on investment (ROI) from bug bounties?

They are seeking vulnerabilities requiring specialized experience. (B)

What is a consideration for organizations regarding the timing of bug bounty reports?

There is no guarantee on the timing or receipt of reports. (C)

What happens if a bug bounty program doesn't lead to finding unknown issues for the company?

The program has little to no value for the organization. (C)

What is the primary function of an evil twin access point in a phishing scam?

To lure victims to a phishing site (A)

What term describes the risk that remains after all countermeasures have been applied?

Residual risk (D)

What is the main purpose of session splicing in an IDS evasion technique?

To make it hard for IDS to detect attacks (D)

Which tool is designed for performing session splicing attacks?

Whisker (D)

What might a hacker do after collecting sensitive data from a phishing site?

Disconnect the victim from the fake site (D)

What common misconception is associated with inherent risks?

They can be entirely eliminated with proper controls (B)

What characteristics define a phishing site created through an evil twin attack?

Lures victims for sensitive data (D)

When an IDS stops reassembling a packet stream, what can lead to this situation?

Failure to receive packets within a reasonable time (D)

Which advantage is associated with using both symmetric and asymmetric cryptography in SSL/TLS?

It allows less-powerful devices to utilize symmetric encryption. (A)

Calculate the Annual Loss Expectancy (ALE) if the Single Loss Expectancy (SLE) is $440 and the Annual Rate of Occurrence (ARO) is 0.33.

$145.2 (C)

What is the Annual Rate of Occurrence (ARO) if a hard drive failure happens once every three years?

0.33 (C)

Which of the following is true regarding recovery costs associated with a hard drive failure?

Restoring the OS and software requires additional labor costs. (A)

Which attack type is identified as a known plaintext attack against DES that shows no added security with double encryption?

Meet-in-the-middle attack (C)

What is the cost of recovering a database and restoring the OS if each task takes 10 hours and 4 hours respectively at a rate of $10/hour?

$440 (B)

If the exposure factor (EF) is set to 1 (100%), what impact does it have on Single Loss Expectancy (SLE)?

It increases SLE to the asset value. (C)

In the context of SSL/TLS, what typically characterizes asymmetric cryptography?

It is suitable for securely negotiating session keys. (C)

Flashcards

CVSS (Common Vulnerability Scoring System)

A system for measuring the severity of vulnerabilities, offering a standardized approach across industries, organizations, and governments. It provides consistent scoring based on factors like impact and exploitability.

Evil Twin Attack

A security attack where a fake Wi-Fi access point is created to mimic a legitimate network, often used to steal sensitive data.

Piggybacking

A process of gaining access to a wireless network without proper authorization, often done by exploiting vulnerabilities in the network's security settings or by leveraging a lack of password protection.

Wireless Sniffing

The act of monitoring wireless network traffic with the intention of intercepting sensitive information, such as passwords and data.

Wardriving

The practice of driving around with a device that scans for Wi-Fi networks, often to identify vulnerable or unprotected networks.

What is the purpose of CVSS?

A system to calculate the severity of vulnerabilities, combining factors like impact and exploitability to create objective scores.

How is CVSS used in security?

CVSS scores are used to help prioritize vulnerability remediation efforts, focusing on the vulnerabilities posing the highest risk to systems.

Where can you find CVSS scores?

The National Vulnerability Database (NVD) provides CVSS scores for known vulnerabilities, enabling organizations to assess risk and prioritize remediation actions efficiently.

Dragonblood vulnerability

A security vulnerability that allows attackers to exploit weaknesses in the WPA3 encryption protocol on Wi-Fi networks. This vulnerability could allow an attacker to gain access to the network and potentially steal sensitive information.

Social engineering

A type of attack where an attacker tricks a user into performing an unintended action, such as clicking a malicious link or providing sensitive information.

Penetration Testing

A technique used by ethical hackers to test the security of a system by attempting to break into it in a controlled way. This helps identify vulnerabilities before malicious actors can exploit them.

DoS attack

A type of denial-of-service attack that floods a network or server with traffic, making it unavailable to legitimate users. This can be used by ethical hackers to test the resilience of a network to traffic overload.

Reverse engineering

A technique used to analyze and understand the internal workings of software or hardware. Ethical hackers use this to find potential vulnerabilities that could be exploited.

Key Reinstallation Attack

A type of attack targeting wireless networks that uses vulnerabilities in the WPA2 encryption protocol. The attacker can exploit these vulnerabilities to gain unauthorized access to the network.

Metasploit

A set of tools and techniques used to identify and exploit vulnerabilities in software and systems. Ethical hackers use this to assess the security of a system and identify potential threats.

Network Security

The ability of a system or protocol to resist attacks and maintain its integrity and availability even when facing malicious attempts to disrupt it.

Residual Risk

The remaining risk after implementing security measures to mitigate vulnerabilities.

Evil Twin Access Point

A type of attack where an intruder creates a fake Wi-Fi access point that mimics a legitimate one, tricking users into connecting and stealing their data.

Session Splicing

An attack technique that divides data into small packets to bypass Intrusion Detection Systems (IDS).

Whisker

A tool used to perform session splicing attacks, making it difficult for IDS to detect malicious activity.

Inherent Risk

The inherent risk associated with a system or process before any security measures are implemented.

Phishing

A technique used to lure users into giving up their sensitive data by creating fake websites and emails.

Deferred Risk

A risk that is acknowledged but not addressed immediately.

Binary Overwriting

Exploiting vulnerabilities in file system permissions to replace legitimate binaries with malicious ones, allowing attackers to execute code with elevated privileges.

Brute Force Attack

A type of attack that tries every possible combination of characters to guess a password. This method is very time-consuming but can be effective against weak passwords.

File System Permissions Vulnerability

An attack where an attacker exploits vulnerabilities in file system permissions to gain access to unauthorized files or directories.

Dictionary Attack

A technique used to guess passwords by trying commonly used words and phrases from a list.

Rainbow Table Attack

A method of password cracking that uses pre-computed tables of password hashes, allowing for faster password retrieval.

Rainbow Table

A technique that uses pre-calculated tables of password hashes and their corresponding plain text passwords. This is faster than brute force attack but requires pre-calculation of hashes and can be less effective against strong passwords.

Privilege Escalation

An attack where an attacker gains unauthorized access to a system by exploiting vulnerabilities that allow the execution of code with elevated privileges.

Shoulder Surfing

An attack that occurs when an attacker observes someone entering their password or other sensitive information.

SSL/TLS hybrid cryptography advantage

Combining symmetric and asymmetric cryptography in SSL/TLS allows devices with limited processing power, like mobile phones, to utilize symmetric encryption effectively, while still benefiting from the security of asymmetric cryptography for key negotiation.

Meet-in-the-middle attack on DES

The known plaintext attack exploits a weakness in the double encryption of DES, demonstrating that encrypting data with two separate DES keys is equivalent to using a single key, making the encryption less secure.

Single Loss Expectancy (SLE)

The Single Loss Expectancy (SLE) quantifies the potential financial loss from a single occurrence of a specific risk. It's calculated by multiplying the Asset Value (AV) by the Exposure Factor (EF).

Annual Rate of Occurrence (ARO)

The Annual Rate of Occurrence (ARO) represents the frequency of a specific risk event occurring within a year. It's expressed as a probability or a proportion.

Annual Loss Expectancy (ALE)

The Annual Loss Expectancy (ALE) calculates the expected financial loss from a specific risk over a year. It's calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).

Asset Value (AV)

The Asset Value (AV) refers to the estimated monetary worth of an asset, representing its cost for replacement or recovery. It includes factors like the cost of hardware, software, and any associated restoration efforts.

Exposure Factor (EF)

The Exposure Factor (EF) expresses the percentage of an asset's value that would be lost due to a specific risk event. It quantifies the potential impact of the risk.

Hard drive failure ALE calculation

A hard drive failure is estimated to occur every three years. The cost to replace the drive is $300, and the restoration process takes 14 hours at a labor rate of $10 per hour. The annual loss expectancy (ALE) for this scenario is approximately $145.2.

What is a bug bounty program?

Bug bounty programs encourage ethical hackers to find and report vulnerabilities in a company's systems which might be missed by internal security teams.

When are bug bounty programs not the right solution?

Bug bounty programs might not be suitable for companies that lack the capacity to quickly fix discovered vulnerabilities, resulting in a backlog of unaddressed issues.

What's a challenge of managing bug bounty reports?

A large influx of bug reports, including many that might not be valuable, can overwhelm a company's security team, making it difficult to prioritize and address the most critical issues.

What happens if a bug bounty program fails to attract the right participants?

If a bug bounty program doesn't attract enough skilled participants, it might not be effective in uncovering significant security flaws.

What's the typical focus of bug bounty participants?

Most bug bounty participants focus on web application vulnerabilities, while fewer specialize in finding vulnerabilities in operating systems or network hardware that require specialized expertise.

Where do bug bounties typically see a better return on investment?

Companies might see a better return on investment for bug bounties related to web applications, since fewer participants have the specialized skills needed to assess vulnerabilities in other areas.

Why are bug bounty timelines uncertain?

Bug bounty programs lack guaranteed timelines for discovering issues, meaning a company might not receive reports within a specific timeframe, potentially hindering critical projects.

What's a potential security risk with bug bounty programs?

Allowing freelance researchers to potentially penetrate a company's network can pose security risks, requiring careful consideration and risk assessment.

Study Notes

General Information

• No specific information was provided to create study notes. Please provide more details.

Description

Test your knowledge on the primary purposes and uses of the Common Vulnerability Scoring System (CVSS) within organizations. This quiz covers various aspects of ethical hacking, including techniques, types of attacks, and specific tools used by ethical hackers. Delve into the concepts surrounding evil twin attacks and their implications in network security.