Attacks, Threats, and Vulnerabilities

Confidentiality and integrity are two important properties of information stored in a secure retrieval system. What is the third property?

Availability—information that is inaccessible is not of much use to authorized users. For example, a secure system must protect against denial of service (DoS) attacks.


True or false? The level of risk from zero-day attacks is only significant with respect to EOL systems.

False. A zero-day is a vulnerability that is unknown to the product vendor and means that no patch is available to mitigate it. This can affect currently supported as well as unsupported end-of-life (EOL) systems. The main difference is that there is a good chance of a patch being developed if the system is still supported, but almost no chance if it is EOL.


A threat actor crafts an email addressed to a senior support technician inviting him to register for free football coaching advice. The website contains password-stealing malware. What is the name of this type of attack?

A phishing attack tries to make users authenticate with a fake resource, such as a website. Phishing emails are often sent en masse as spam. This is a variant of phishing called spear phishing because it is specifically targeted at a single person, using personal information known about the subject (his or her football-coaching volunteer work).


You are assisting with the development of end-user security awareness documentation. What is the difference between tailgating and shoulder surfing?

Tailgating means following someone else through a door or gateway to enter premises without authorization. Shoulder surfing means covertly observing someone type a PIN or password or other confidential data.


You discover that a threat actor has been able to harvest credentials from some visitors connecting to the company’s wireless network from the lobby. The visitors had connected to a network named “Internet” and were presented with a web page requesting an email address and password to enable guest access. The company’s access point had been disconnected from the cabled network. What type of attack has been perpetrated?

This is an evil twin attack where the threat actor uses social engineering techniques to persuade users to connect to an access point that spoofs a legitimate guest network service.


A threat actor recovers some documents via dumpster diving and learns that the system policy causes passwords to be configured with a random mix of different characters that are only five characters in length. To what type of password cracking attack is this vulnerable?

Brute force attacks are effective against short passwords. Dictionary attacks depend on users choosing ordinary words or phrases in a password.


What type of cryptographic key is delivered in a digital certificate?

A digital certificate is a wrapper for a subject’s public key. The public and private keys in an asymmetric cipher are paired. If one key is used to encrypt a message, only the other key can then decrypt it.