Security Concepts Quiz


Questions and Answers

Match the following security threats with their corresponding attack vectors.

  • SQL Injection = Exploiting vulnerabilities in SQL queries
  • Vishing = Social engineering through fraudulent phone calls
  • Golden Ticket = Exploiting vulnerabilities in Kerberos authentication
  • Session Hijacking = Stealing session cookies to impersonate a user

Match the following security frameworks with their primary focus areas.

  • NIST Framework = Defining IT security principles
  • SABSA = Enterprise security architecture
  • ITIL = IT service management
  • TOGAF = Enterprise architecture

Match the following attacks with their corresponding techniques and methods.

  • Smurf Attack = Flooding a network with ICMP requests
  • Buffer Overflow = Overwriting memory buffers to crash systems
  • ARP Spoofing = Exploiting ARP to redirect traffic
  • SYN Flood = Flooding a server with SYN requests

Match the following security tools with their primary functions.

  • Nmap = Network scanning and port discovery
  • Wireshark = Intercepting network traffic
  • Rainbow Table = Password cracking with precomputed hashes
  • Burp Suite = Exploiting web applications

Match the following malicious software with their corresponding characteristics.

  • Worm = Self-replicating malware
  • Trojan Horse = Malware disguised as legitimate software
  • Rootkit = Malware hiding in low-level system components
  • Program Packers = Compressing malware to evade detection

Match the following security concepts with their corresponding descriptions.

  • Risk Exposure = Probability of a risk occurring multiplied by its impact
  • Residual Risk = Risk remaining after controls are implemented
  • Data Classification Policy = Standard for classifying data sensitivity
  • Anti-Forensics = Techniques to erase forensic evidence

Match the following attack methods with their primary goals.

  • DNS Poisoning = Hijacking DNS responses to redirect traffic
  • Coercive Parsing = Triggering DoS using XML-based requests
  • Clickjacking = Tricking users into clicking hidden elements
  • Decentralized C&C = Using P2P networks for command and control

Match the following security terms with their corresponding definitions.

  • Steganography = Hiding data in image metadata
  • Tailgating = Social engineering by following someone into a secure area
  • Malvertisement = Attack using malicious ads
  • Qualitative Analysis = Risk assessment using words instead of numbers

Match the following social engineering techniques with their descriptions:

  • Phishing = Using email or websites to deceive victims into revealing sensitive information.
  • Vishing = Using phone calls to deceive victims into revealing sensitive information.
  • Tailgating = Gaining unauthorized access to a secure area by following someone else through the door.

Match the following password-cracking methods with their descriptions:

  • Brute-force = Trying every possible combination of characters until the correct password is found.
  • Dictionary = Using a list of common words and phrases to guess passwords.
  • Hybrid = Combining brute-force and dictionary attacks to increase the chances of success.

Match the following web services exploits with their descriptions:

  • Probing = Scanning web services for vulnerabilities using automated tools.
  • Coercive Parsing = Exploiting vulnerabilities in web service parsers to gain unauthorized access.
  • External References = Using external resources to bypass security measures and gain unauthorized access.

Match the following security control categories with their descriptions:

  • Technical = Using technology to implement security controls, such as firewalls and intrusion detection systems.
  • Physical = Using physical measures to protect assets, such as locks, cameras, and security guards.
  • Administrative = Using policies, procedures, and training to implement security controls.

Match the following C&C communication channels with their descriptions:

  • IRC = Using Internet Relay Chat (IRC) to communicate with infected systems.
  • HTTP/S = Using Hypertext Transfer Protocol (HTTP) or HTTPS to communicate with infected systems.
  • DNS = Using Domain Name System (DNS) to communicate with infected systems.
  • ICMP = Using Internet Control Message Protocol (ICMP) to communicate with infected systems.

Match the following DoS attack techniques with their descriptions:

  • ICMP Flood = Sending a large number of ICMP packets to a target system to overload it.
  • SYN Flood = Sending a large number of SYN packets to a target system to exhaust its available resources.
  • UDP Flood = Sending a large number of UDP packets to a target system to overload it.
  • Buffer Overflow = Exploiting a vulnerability in software to overwrite its memory and gain control of the system.

Match the following social engineering delivery media with their descriptions:

  • Email = Using email to deliver malicious content to victims.
  • SMS = Using SMS messages to deliver malicious content to victims.
  • Social Networks = Using social media platforms to deliver malicious content to victims.

Match the following file inclusion attacks with their descriptions:

  • Local (LFI) = Exploiting a vulnerability in a web application to include a local file in the application's execution flow.
  • Remote (RFI) = Exploiting a vulnerability in a web application to include a remote file in the application's execution flow.

Flashcards

Risk Exposure

Formula quantifying risk as probability multiplied by impact.

SQL Injection

Attack exploiting SQL queries to manipulate databases.

Vishing

Social engineering via fraudulent phone calls.

Session Hijacking

Stealing session cookies to impersonate a user.

Buffer Overflow

Attack overwriting memory buffers to crash systems.

Trojan Horse

Malware disguised as legitimate software.

DNS Poisoning

Hijacking DNS responses to redirect traffic.

Anti-Forensics

Technique to erase forensic evidence.

Types of Social Engineering

Phishing, Vishing, and Tailgating are tactics used to manipulate people.

Password-Cracking Methods

Brute-force, Dictionary, and Hybrid methods used to guess passwords.

Privilege Escalation Types

Vertical and Horizontal escalation methods to gain unauthorized access.

Categories of Security Controls

Technical, Physical, and Administrative measures to safeguard resources.

Elements of the Risk Equation

Threats, Vulnerabilities, and Consequences combined to assess risk.

Types of Phishing

Spear Phishing targets individuals, while Whaling targets high-profile targets.

Types of XSS Attacks

Stored XSS persists on the site, while Reflected XSS executes instantly.

Mobile Platform Threats

Threats include vulnerabilities specific to Android, iOS, and Windows Mobile.

Study Notes

Security Concepts

  • Risk Exposure: Calculated as Probability × Impact.
  • NIST Framework: Defines IT security principles (NIST SP 800-14).
  • SQL Injection: Attack exploiting SQL queries to alter databases.
  • Vishing: Fraudulent phone calls for social engineering.
  • IRC: Protocol for C&C via private messages and file sharing.
  • Worm: Malware that self-replicates without user interaction.
  • Golden Ticket: Technique bypassing authentication using stolen Kerberos tickets.
  • Session Hijacking: Stealing session cookies to impersonate users.
  • SABSA: Framework for enterprise security architecture, based on Zachman.
  • Transfer (Risk Response): Responsibility transfer to a third party in handling risk.
  • Smurf Attack: Network flooding with ICMP requests.
  • Rainbow Table: Tool for password cracking using precomputed hashes.
  • Rootkit: Malware hiding within low-level system components.
  • ISO/IEC 27001: ISO standard for information security management.
  • DNS Poisoning: Hijacking DNS responses to redirect traffic.
  • Steganography: Hiding data within image metadata.
  • Coercive Parsing: XML-based attack vector triggering denial-of-service (DoS).
  • ITIL: Framework for IT service management (UK Government).
  • Nmap: Tool for network scanning and port discovery.
  • Tailgating: Social engineering using physical access following someone.
  • Residual Risk: Risk remaining after all security controls applied.
  • Buffer Overflow: Attack overwriting memory buffers to crash systems.
  • Decentralized C&C: Post-attack technique using P2P networks for command and control.
  • Data Classification Policy: Standard for classifying data sensitivity.
  • Trojan Horse: Malware disguised as legitimate software.
  • Wireshark: Tool for intercepting network traffic.
  • ARP Spoofing: Exploiting ARP for traffic redirection.
  • Program Packers: Compressing malware to evade detection.
  • SYN Flood: Attack flooding a server with SYN requests.
  • TOGAF: Framework for enterprise architecture (DoD’s TAFIM).
  • Qualitative Analysis: Risk assessment using descriptive words instead of numerical values.
  • Malvertisement: Attack utilizing malicious advertisements for code delivery.
  • Anti-Forensics: Techniques employed to erase forensic evidence.
  • Burp Suite: Tool for web application exploitation.
  • Clickjacking: Attack tricking users into clicking hidden elements via iframes.

Enumeration

  • CIA Triad: Confidentiality, Integrity, Availability.
  • Risk Response Techniques: Avoid, Transfer, Mitigate, Accept.
  • Social Engineering Types: Phishing, Vishing, Tailgating.
  • Password Cracking Methods: Brute-force, Dictionary, Hybrid.
  • Privilege Escalation Types: Vertical, Horizontal.
  • Web Services Exploits: Probing, Coercive Parsing, External References.
  • Security Control Categories: Technical, Physical, Administrative.
  • Risk Equation Elements: Threats, Vulnerabilities, Consequences.
  • Malware Categories: Virus, Worm, Ransomware, Spyware.
  • C&C Communication Channels: IRC, HTTP/S, DNS, ICMP.
  • ESA Framework Assessment Phases: Baseline, Internal Network, External Network.
  • BYOD Threats: Unpatched Devices, Lost Devices, Forensic Complications.
  • Systems Hacking Phases: Reconnaissance, Exploitation.
  • DNS Record Types: A, MX, CNAME.
  • DoS Attack Techniques: ICMP Flood, SYN Flood, UDP Flood, Buffer Overflow.
  • Social Engineering Delivery Media: Email, SMS, Social Networks.
  • File Inclusion Attacks: Local (LFI), Remote (RFI).
  • Aggregate CIA Score Components: Confidentiality, Integrity, Availability.
  • Wireless Threats: Password Cracking, WPS Exploits, Signal Leakage.
  • Cloud Infrastructure Threats: VM Escape, Privilege Escalation, Data Remnants.
  • Anti-Forensic Techniques: Log Erasure, Program Packers, Memory Residents, Steganography.
  • Lateral Movement Tools: PsExec, WMIC, SSH Pivoting.
  • XSS Attacks: Stored, Reflected.
  • Mobile Platform Threats: Android, iOS, Windows Mobile.
  • ERM Objectives: Confidentiality, Legal Compliance, Continuity, Stakeholder Trust.
  • Reconnaissance Evasion Techniques: Packet Fragmentation, Encryption, NIDS DoS.
  • VPN Pivoting Types: Host-to-Network, Network-to-Network.
  • Policy Development Phases: Initiation, Concept, Planning.
  • CVSS Base Metrics: Access Vector, Access Complexity, Authentication, Impact.
  • Big Data Security Challenges: Privacy Breach, Privilege Escalation, Forensic Complexity.
  • Phishing Types: Spear Phishing, Whaling.
  • NIST Framework Functions: Identify, Protect, Detect.
  • COBIT Principles: Stakeholder Needs, Holistic Approach, Governance/Management Separation.
  • Session Hijacking Types: Cookie Hijacking, MITM.
  • Data Exfiltration Methods: Covert Channels, Steganography, Cloud Services.
