Which of the following best describes a reverse proxy method for protecting a system from DoS attacks?

The basis for this attack often targets applications like Web Servers (i.e., Windows IIS, Apache, etc…); however, application layer attacks have been evolving to application platforms like WordPress, Joomla, Drupal, Magento, and others.

The goal of application layer attacks is to take out an application, an online service, or a website.

These attacks are usually smaller than the ones we have seen before. Nevertheless, the consequence of an application layer attack can be nefarious, since they can go unnoticed until it is too late to react. That is why they are called “low and slow attacks” or even “slow-rate attacks”. They can be silent and small, especially when compared to network-layer attacks, but they can be just as disruptive.

For example, a small VPS on Linode, Digital Ocean or AWS (Amazon) can easily handle a 100,000 to 200,000 packets per second SYN flood. However, the same server running on a WordPress or Joomla CMS can barely break 500 HTTP requests per second without shutting down. That is why application layer attacks can cause as much damage as a network application attack.

When you think about the amplification effect that we discussed in Section 1.4, even one HTTP request (which an attacker can perform without spending much money or resources) can cause a server to execute a large number of internal requests and load numerous files to create the page.

Note

When application layer attacks start, they look very similar to legitimate requests from users and can escalate. The reason for that is that these attacks focus on the web application layer, which generally includes:

Hitting the web server
Running PHP scripts and
Contacting the database just to load one web page.

Application-layer attacks (mostly known as Layer 7 attacks) can be part of attacks which not only target the application, but also the bandwidth and network.

One of the reasons why these attacks are on the rise is that they tend to be less expensive to implement by malicious actors. On an application-layer attack, the amplification is CPU, memory or resource based, not network based.

These attacks are also harder to detect than network-layer attacks.

Pro Tip: Sucuri has developed a robust Website Application Firewall (WAF) solution that impedes DDoS attacks from shutting down your website. We will explain more about the Sucuri Firewall later.

Your devices, such as home routers, can be compromised and act as a botnet for DDoS attacks. We have discovered a number of large-scale DDoS attacks related to IoT devices.

Application Layer Attacks include:

The Domain Name System (DNS) is vital to the website infrastructure. DNS associates information with domain names and they can also be a target of DDoS attacks.

These attacks use spoofing, reflection, and amplification, which means that a tiny query can be largely amplified in order to result in a much larger response in bytes.

Botnets are used to send DNS requests. If the attacker wanted to target a DNS server, it would use all the botnet zombies in his network to issue DNS request messages for an amplification record from open recursive DNS servers that translate domain names into IP addresses. When it is a new request, the server promptly issues its own request to an infected server with a view to obtain the amplification record. This attack is completed using spoofing so that even though the server has never sent a request, it has been overburdened with responses.

These attacks are very popular today. They occur at Layers 3 / 4, using publicly accessible DNS servers around the world to overwhelm your web server with DNS response traffic. Your web server is overwhelmed by the influx of responses in turn making it difficult to function as its resources are depleted, making it impossible to respond to legitimate DNS traffic.

A Layer 3 DNS Amplification is a type of DDoS attack where the attacker hides the origin of the attack from the targeted site by reflecting the attack off of a third party. It uses amplification, meaning that the victim receives more byte counts than what is being sent from the attacker, increasing the power of the attack.

If these attacks are successful, the targeted site will go down and be unavailable.

Layer 7 HTTP Flood – Cache Bypass is the smartest type of attack. The attackers try to use URLs that cause the most damage making the site use up all of its resources without being cached. For example, an attack can do random dictionary searches for “news”, “gov”, “faith”, which will consume a lot from the site and will not easily be detected since it looks like a normal user’s search habits.

A Layer 7 HTTP Flood Attack is a type of DDoS attack made to overload specific parts of a site or server. They are complex and hard to detect because the sent requests look like legitimate traffic. These requests consume the server’s resources causing the site to go down. These requests can also be sent by bots, increasing the attack’s power.

An interesting point about layer 7 DDOS attacks, aka HTTP flood attacks, is that they have little dependency on bandwidth allowing them to easily take down a server by overloading its resources. Depending on the web server and application stack, even a low number of requests per second can choke the application and backend databases. On average, attacks greater than 100 requests per second have the potential to bring down most mid-sized websites.

We categorize the HTTP Floods (Layer 7 DDoS attempts) into 4 major categories:

Basic HTTP Floods: Common and simple attacks that try to access the same page over and over. They generally use the same range of IP addresses, user agents, and referrers.

Randomized HTTP Floods: Complex attacks that leverage a large pool of IP addresses and randomized the URLs, useragents and referers used.

Cache-bypass HTTP Floods: A sub-category of the randomized HTTP Floods that also try to bypass web application caching.

WordPress XMLRPC Floods: A sub-category that uses WordPress pingback as a reflection for the attacks.

Any WordPress site with pingback enabled, which is on by default, can be used in DDoS attacks against other sites.

XMLRPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features. However, it can also be heavily misused by attackers.

What can happen is that other WordPress sites can send random requests at a very large scale and bring a website down.

One attacker can use thousands of clean WordPress installations to perform a DDoS attack with a simple pingback request to the XML-RPC file. In other words, a simple command in Linux can start a mammoth attack.

If you are interested in learning more about legitimate WordPress websites being abused in order to perform a DDoS attack, read this blog article: More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack.

Explanation: An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.

Quizlet

Q5. Packet sniffer is also called _.

Q6. Which option tests code while it is in operation?

Q7. Which option describes testing that individual software developers can conduct on their own code?

Q8. In black box penetration testing, what information is provided to the tester about the target environment?

Q9. Which security control can best protect against shadow IT by identifying and preventing use of unsanctioned cloud apps and services?

Q10. Which option describes the best defense against collusion?

Stack Exchange

Q11. During a penetration test, you find a file containing hashed passwords for the system you are attempting to breach. Which type of attack is most likely to succeed in accessing the hashed passwords in a reasonable amount of time?

Explanation: A rainbow table attack is a more efficient and effective way of cracking many hashed passwords, whereas brute-forcing would take much longer and may not complete in a reasonable amount of time.

Professor Messer.

Q12. Which area is DMZ?

Q13. You configure an encrypted USB drive for a user who needs to deliver a sensitive file at an in-person meeting. What type of encryption is typically used to encrypt the file?

Q14. What is the difference between DRP and BCP

Q15. Which aspect of cybersecurity do Distributed Denial of Service (DDoS) attacks affect the most?

Q16. You need to recommend a solution to automatically assess your cloud-hosted VMs against CIS benchmarks to identify deviations from security best practices. What type of solution should you recommend?

Q17. _ validates the integrity of data files.

Q18. Which is an example of privacy regulation at the state government level in the U.S.?

Q19. what is the term for the policies and technologies implemented to protect, limit, monitor, audit, and govern identities with access to sensitive data and resources?

Q20. You have configured audit settings in your organization's cloud services in the event of a security incident. What type of security control is an audit trail?

Q21. What is the name for a short-term interruption in electrical power supply?

Q22. Your security team recommends adding a layer of defense against emerging persistent threats and zero-day exploits for all endpoints on your network. The solution should offer protection from external threats for network-connected devices, regardless of operating system. Which solution is best suited to meet this requirement?

Q23. Which is not a threat modeling methodology?

Q24. You organization is conducting a pilot deployment of a new e-commerce application being considered for purchase. You need to recommend a strategy to evaluate the security of the new software. Your organization does not have access to the application's source code.

Which strategy should you choose?

Q25. You need to disable the camera on corporate devices to prevent screen capture and recording of sensitive documents, meetings, and conversations. Which solution would be be suited to the task?

Q26. How many keys would be necessary to accomodate 100 users in an asymmetric cryptography system?

Explanation: The formula for asymmetric encryption is 2n; where n is the number of communicating parties.

Q27. Two competing online retailers process credit card transactions for customers in countries on every continent. One organization is based in the United States. The other is based in the Netherlands. With which regulation must both countries comply while ensuring the security of these transactions?

Explanation: The Payment Card Industry Data Security Standard (PCI DSS) is the global card industry security standard that is required of all entities that store, process, or transmit cardholder data, including financial institutions, online retailers and service providers.

PCI Security Overview

Q28. What provides a common language for describing security incidents in a structures and repeatable manner?

Explanation: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.

Q29. Which type of application can intercept sensative information such as passwoprds on a network segment?

Explanation: A protocol analyzer is a tool used to capture and analyze signals and data traffic over a communication channel.

WireShark is a protocol analyzer.

Q30. An attacker has discovered that they can deduce a sensitive piece of confidential information by analyzing multiple pieces of less sensitive public data. What type of security issue exists?

Explanation: An Inference Attack is a data mining technique performed by analyzing data in order to illegitimately gain knowledge about a subject or database. A subject's sensitive information can be considered as leaked if an adversary can infer its real value with a high confidence. Source: (Wikipedia).

Q31. What act grants an authenticated party permission to perform an action or access a resource?

Okata.com

Q32. According to GDPR, a data _ is the person about whom data is being collected.

Intersoft Consulting

Q33. Which is not a principle of zero trust security?

Explanation: zero trust assumes that the system will be breached and designs security as if there is no perimeter. Hence, don’t trust anything by default.

NIST

Q34. Which attack exploits input validation vulnerabilities?

White Hat Sec

Q35. You are a security analyst, and you receive a text message alerting you of a possible attack. Which security control is the least likely to produce this type of alert?

Q36. SQL injection inserts a code fragment that makes a database statement universally true, like _.

Q37. Which type of security assessment requires access to source code?

Q38. Which option is an open-source solution to scanning a network for active hosts and open ports?

Explanation: nmap is a port scanner https://en.wikipedia.org/wiki/Nmap wireshark is a traffic analyzer snort is an IDS autopsy is for forensic analysis

Q39. When implementing a data loss prevention (DLP) strategy, what is the first step in the process?

Q40. Which malware changes an operating system and conceals its tracks?

Q41. Virtual Private Networks (VPNs) use _ to create a secure connection between two networks.

Q42. What is the process of challenging a user to prove their identity?

Q43. Which cyberattack aims to exhaust an application's resources, making the application unavailable to legitimate users?

Q44. You are a recent cybersecurity hire, and your first assignment is to present on the possible threats to your organization. Which of the following best describes the task?

Q45. You are at a coffee shop and connect to a public wireless access point (WAP). What a type of cybersecurity attack are you most likely to experience?

Q46. You have been tasked with recommending a solution to centrally manage mobile devices used throughout your organization. Which technology would best meet this need?

Q47. Which type of vulnerability cannot be discovered in the course of a typical vulnerability assessment?

Q48. The DLP project team is about to classify your organization's data. Whats is the primary purpose of classifying data?

Q49. You are responsible for managing security of your organization's public cloud infrastructure. You need to implement security to protect the data and applications running in a variety of IaaS and PaaS services, including a new Kubernetes cluster. What type of solution is best suited to this requirement?

Q50. Sharing account credentials violates the _ aspect of access control.

Q51. You have recovered a server that was compromised in a malware attack to its previous state. What is the final step in the incident response process?

Q52. Which encryption type uses a public and private key pair for encrypting and decrypting data?

Q53. You have just identified and mitigated an active malware attack on a user's computer, in which command and control was established. What is the next step in the process?

Explanation: Pages 29 to 31 ->

Q54. Which programming language is most susceptible to buffer overflow attacks?

Q55. Which list correctly describes risk management techniques?

risk acceptance, risk mitigation, risk containment, and risk qualification
risk avoidance, risk transference, risk containment, and risk quantification
risk avoidance, risk mitigation, risk containment, and risk acceptance
risk avoidance, risk transference, risk mitigation, and risk acceptance

Q56. To implement encryption in transit, such as with the HTTPS protocol for secure web browsing, which type(s) of encryption is/are used?

Q57. Which type of program uses Windows Hooks to capture keystrokes typed by the user, hides in the process list, and can compromise their system as well as their online access codes and password?

Q58. How does ransomware affect a victim's files?

Q59. Your computer has been infected, and is sending out traffic to a targeted system upon receiving a command from a botmaster. What condition is your computer currently in?

Q60. You choose a cybersecurity framework for your financial organization that implements an effective and auditable set of governance and management processes for IT. Which framework are you choosing?

Q61. NIST issued a revision to SP 800-37 in December 2018. It provides a disciplined, structured, and flexible process for managing security and privacy risk. Which type of document is SP 800-37?

Q62. The most notorious military-grade advanced persistent threat was deployed in 2010, and targeted centrifuges in Iran. What was this APT call?

Q63. Where would you record risks that have been identified and their details, such as their ID and name, classification of information, and the risk owner?

Q64. To prevent an incident from overwhelming resources, _ is necessary.

Q65. FUD is expensive and often causes high drama over low risk. Which computer chip exploits were reported by CNN as needing to be completely replaced, but were later fixed with firmware updates?

Q66. The ASD Top Four are application whitelisting, patching of applications, patching of operating systems, and limiting administrative privileges. What percent of breaches do these account for?

Q67. You are working in the security operations center analyzing traffic on your network. You detect what you believe to be a port scan. What does this mean?

Q68. How often is the ISF Standard of Good Practice updated?

Q69. Your incident response team is unable to contain an incident because they lack authority to take action without management approval. Which critical step in the preparation phase did your team skip?

Q70. NIST SP 800-53 is one of two important control frameworks used in cybersecurity. What is the other one?

Q71. Which organization, established by NIST in 1990, runs workshops to foster coordination in incident prevention, stimulate rapid reaction to incidents, and allow experts to share information?

Q72. You have implemented controls to mitigate the threats, vulnerabilities, and impact to your business. Which type of risk is left over?

Explanation

Q73. There are four possible treatments once an assessment has identified a risk. Which risk treatment implements controls to reduce risk?

Q74. Which security control scheme do vendors often submit their products to for evaluation, to provide an independent view of product assurance?

Q75. Which organization has published the most comprehensive set of controls in its security guideline for the Internet of Things?

Q76. Which main reference coupled with the Cloud Security Alliance Guidance comprise the Security Guidance for Critical Areas of Focus in Cloud Computing?

Explanation

Q77. What are the essential characteristics of the reference monitor?

Q78. According to NIST, what is the first action required to take advantage of the cybersecurity framework?

Explanation

Q79. You are implementing a cybersecurity program in your organization and want to use the "de facto standard" cybersecurity framework. Which option would you choose?

Q80. In 2014, 4,278 IP addresses of zombie computers were used to flood a business with over one million packets per minute for about one hour. What is this type of attack called?

Explanation

Q81. The regulatory requirements for notifications of data breaches, particularly the European General Data Protection Regulations, have had what sort of effect on business?

Q82. Which compliance framework governs requirements for the U.S. healthcare industry?

Explanation

Q83. What is the difference between DevOps and DevSecOps?

Explanation

Q84. When does static application security testing require access to source code?

Explanation:

Q85. Your organization service customer orders with a custom ordering system developed in-hose. You are responsible for recommending a cloud model to meet the following requirements:

Control of security required for regulatory compliance Legacy application and database support Scalability to meet seasonal increases in demand

Which cloud model is the best option for these requirements?

Q86. You have just conducted a port scan of a network. There is no well-known port active. How do you find a webserver running on a host, which uses a random port number?

Q87. Executives in your organization exchange emails with external business partners when negotiating valuable business contracts. To ensure that these communications are legally defensible, the security team has recommended that a digital signature be added to these message.

What are the primary goals of the digital signature in this scenario? (Choose the best answer.)

Q88. Which option is a mechanism to ensure non-repudiation?

Explanation:

Q89. Which software development lifecycle approach is most compatible with DevSecOps?

Q90. Which information security principle states that organizations should defend systems against any particular attack using several independent methods?

Explanation:

Q91. Which option describes a core principle of DevSecOps?

Q92. You need to implement a solution to protect internet-facing applications from common attacks like XSSm CSRF, and SQL injection. Which option is best suited to the task?

Q93. Which phase of the incident response process happens immediately following identification?

Q94. How can a data retention policy reduce your organization's legal liability?

Q95. You believe a recent service outage due to a denial-of-service attack from a disgruntled inside source. What is the name for the malicious act this employee has committed?

Q96. Which option is a framework widely utilized by organizations in the development of security governance standards?

Q97. There are connection-oriented and connectionless protocols in networking. What do web browsers use to ensure the integrity of the data it sends and receives?

Q98. Which type of attack targets vulnerabilities associated with translating MAC addresses into IP addresses in computer networking?

Q99. You are part of an incident response team at your company. While sifting through log files collected by a SIEM, you discover some suspicious log entries that you want to investigate further. Which type of the following best refers to those recorded activities demanding additional scrutiny?

Q100. You are responsible for forensic investigations in your organization.You have been tasked with investigating a compromised virtual application server. Becase a revenue generating application runs on the server, the server needs to be returned to service as quickly as possible.

What is the next step you should take to best fulfill your responsibilities and meet the needs of the business?

Q101. Site-to-site VPN provides access from one network address space (192.168.0.0/24) to another network address space _ site-to-site VPN provides access from one network address space (192.168.0.0/24) to another network address space _.

Q102. You are researching probable threats to your company’s internet-facing web applications. Which organization should you reference as an authoritative source for information on web-based attack vectors?

Explanation:

Q103. Which action is most likely to simplify security staff training, improve integration between security components, and reduce risk to the business? (Choose the best answer.)Which action is most likely to simplify security staff training, improve integration between security components, and reduce risk to the business? (Choose the best answer.)

Explanation:

Q104. _ attacks can execute the code injected by attackers as part of user inputs.

Q105. Which activity is not part of risk assessment?

Q106. In response to an alert regarding a possible security incident, you are analyzing the logs for a web application. In the process, you see the following string: ./../../../var/secrets What type of attack was most likely attempted against the application?

Q107. Which quadrant should be the focus of risk management?

Q108. Which option will not actively identify a secuirty incident?

Q109. A website is asking for a password and also sending an authentication code to your phone. What factors are used in this multi-factor authentication scenario?

Explanation:

Q110. Which option is a list of publicly disclosed information security defects?

Explanation: Common Weakness Enumeration (CWE) is a universal online dictionary of security defects that have been found in computer software.

Q111. What is cryptovirology?

Q112. What does a metamorphic virus do?

Explanation:

Q113. What is the most common cause of cyber incidents in organisations?

Explanation: Social Engineering and human error are the most common cause of cyber incidents as it is easier for attackers to convince employees to give up passwords or accept MFA prompts than it is to breach & exploit the system. See Recent Uber and Cisco hack

Q114. Which of the following terms is used to describe a collection of unrelated patches?

Q115. How often should security teams conduct a review of the privileged access that a user has to sensitive systems?

Explanation: Privilaged access reviews are one of the most critical components of an organisations security program as they ensure only autherised users have access to the most sensitive systems. They should occur on a fixed periodic basis as well as when ever a privileged user leaves the organisation or changes roles within the organisation

Q116. What Term is used to descrbe the defualt set of privileges assigned to a user when a new account is created?

Explanation: Entitlement refers to the privileges granted to a user when their account is first provisioned

Q117. Who is the father of computer security??

Explanation: August Kerckhoffs, a linguist and German professor at HEC, wrote an essay in the Journal of Military Science in February 1883. Kerckhoff had unwittingly established the foundations for contemporary encryption, earning him the title of "Father of Computer Security."

Q118. Which type of attack uses formal emails to entice specific individuals into signing in and changing their passwords?

Q119. A data asset register should contain which of the following?

Q120. Once you have confirmed that Burpsuite is intercepting website requests, where can you check to see if you have credentials in cleartext to access the target webpage?

Q121. Threat actors will attempt to find an attack vector on their target by mapping the attack _.

Q122. How would an organisation ensure software product support in the event a supplier goes out of business or is sold to a competitor?

Q123. Which of the following is the security standard that applies to the certification of security controls within products?

Q124. What is the main role of the board member known as the information security manager?

Q125. What are the two main approaches used to determine the likelihood of a threat occurring?

Q126. Which type of hackers are often organized and funded by a nation's military intelligence or security services, and attempt to gain access to a foreign adversary's state secrets or military intelligence?

Q127. Which of the following methods combines two binary streams to create one new stream that contains hidden information that cannot be retrieved without the other stream that was used to create it?

Q128. What is Drupalgeddon?

Q129. The algorithm used by an encryption technique to hide information is known as the _.

Q130. Which of these is not an issue that could arise as a result of outsourcing software development?

Q131. A _ hat is a hacker who may not operate according to ethical testing standards, but does not have malicious intent.

Q132. Understanding that multifactor authentication (MFA) is a best practice, which option should be avoided as a secondary authentication factor in MFA whenever possible?.

Reference "(...)All in all, MFA is still very effective at preventing most mass and automated attacks; however, users should be aware that there are ways to bypass some MFA solutions, such as those relying on SMS-based verification."