Unit 3 - Practice Quiz

Cybersecurity is the field dedicated to defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks, damage, or unauthorized access.

Confidentiality is the principle that restricts access to information. It is equivalent to privacy and ensures that only authorized people can view sensitive data.

Integrity refers to the accuracy and trustworthiness of data. Unauthorized modification of data is a direct violation of data integrity.

An insider threat originates from within an organization, typically from an employee or contractor who has authorized access to systems and data.

Malware, short for 'malicious software,' is the umbrella term that encompasses viruses, worms, trojans, ransomware, spyware, and other harmful software.

Phishing is a type of social engineering attack that uses fraudulent emails, texts, or websites to trick individuals into revealing sensitive information like passwords and credit card numbers.

A brute-force attack is a trial-and-error method that uses automation to try all possible password combinations until the correct one is found.

The main objective of a DoS attack is to overwhelm a target with traffic, rendering it unable to respond to legitimate requests, thus violating the 'Availability' principle of the CIA triad.

It is called a 'zero-day' vulnerability because the software developer has had zero days to create a patch to fix the problem, making attacks highly effective until a fix is released.

HTTPS (Hypertext Transfer Protocol Secure) uses encryption to protect the data transmitted between your browser and the website, ensuring confidentiality and integrity.

2FA requires a second form of verification (like a code sent to your phone) in addition to your password, making it much harder for an attacker to gain unauthorized access.

Your digital footprint is the collection of your online activities, including websites visited, emails sent, and information shared on social media.

Wireshark is a network protocol analyzer, often called a 'packet sniffer,' used to see what is happening on a network at a microscopic level.

Nmap (Network Mapper) is a powerful tool used for network discovery and security auditing. It scans networks to identify what hosts are available and what services they are offering.

Compliance involves meeting the requirements of established standards, laws, and regulations, such as GDPR or HIPAA, to ensure data is protected according to legal mandates.

A Penetration Tester, or Ethical Hacker, is hired to simulate cyberattacks on an organization's systems to identify security weaknesses before malicious hackers can exploit them.

Availability ensures that systems, networks, and data are operational and accessible to authorized users whenever they are needed. A website being down is a failure of availability.

Social engineering attacks don't rely on technical exploits; instead, they prey on human trust, curiosity, and fear to manipulate victims into making security mistakes.

Ransomware is a malicious software that holds a victim's data hostage by encrypting it. The attackers then demand a ransom, usually in cryptocurrency, in exchange for the decryption key.

Privacy settings allow you to control who can see your information and how it is used. Regularly reviewing and adjusting these settings is a fundamental step in protecting your personal data.

The primary impact of the ransomware attack is that authorized users (doctors) cannot access the data when needed. This is a direct violation of Availability. While confidentiality and integrity might also be at risk, the immediate and intended impact described is the denial of access to the system.

This is a classic example of a malicious insider threat. The individual was a former employee with legitimate access credentials and intentionally caused harm to the organization. A passive or unintentional insider threat would involve accidental data exposure, not deliberate sabotage.

Spear phishing is a more sophisticated form of phishing that targets a specific individual or organization. The use of specific, personalized information (like details from a meeting) to make the request seem legitimate is a key characteristic of spear phishing, distinguishing it from general, non-targeted phishing campaigns.

A Trojan Horse is a type of malware that disguises itself as a legitimate program. In this case, the photo editor is the seemingly legitimate application that carries a malicious payload (the keylogger). While the keylogger itself is a form of spyware, the delivery vehicle (the photo editor) is a Trojan.

This is a dictionary attack, which is a subtype of a brute-force attack. A dictionary attack uses a predefined list of common words or passwords (a 'dictionary') rather than trying every possible combination of characters, which is a pure brute-force attack. Credential stuffing involves trying username/password pairs stolen from other breaches.

The key differentiator is the number of sources. A DoS attack comes from one machine or IP address. A DDoS attack leverages a network of compromised devices (a botnet) to launch a coordinated attack from many different sources, making it much harder to block.

A zero-day attack exploits a vulnerability that is unknown to the developers of the software. Because the vendor is unaware of the flaw, they have had 'zero days' to develop a patch, making these attacks particularly dangerous.

Wireshark is a network protocol analyzer that allows users to capture and interactively browse the traffic running on a computer network. It is the ideal tool for deep packet inspection. Nmap is for network discovery and port scanning, Metasploit is for penetration testing, and John the Ripper is for password cracking.

HTTPS (Hypertext Transfer Protocol Secure) uses SSL/TLS to encrypt the communication channel between the client (your browser) and the server. This ensures the confidentiality and integrity of the data in transit, preventing eavesdroppers from reading sensitive information like passwords or financial details.

A passive digital footprint is a data trail you unintentionally leave online. In this case, tracking cookies are placed on the user's browser by the e-commerce site and advertising networks, which then track their activity across the web to serve targeted ads. The user did not actively share this information for advertising purposes.

PCI-DSS is the specific security standard that applies to all organizations that handle branded credit cards from the major card schemes. It is designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

A Penetration Tester, or Ethical Hacker, is a cybersecurity professional who performs authorized simulated attacks on computer systems to evaluate their security. Their goal is to identify and report vulnerabilities so they can be fixed.

Integrity ensures that data is accurate and has not been tampered with or altered by unauthorized parties. By changing the shipping address, the attacker has directly violated the integrity of the customer's data. Confidentiality was also violated by the unauthorized access, but the act of altering the data is a specific breach of integrity.

A botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam or participate in DDoS attacks. The symptoms described—unexplained network traffic and participation in a coordinated attack—are characteristic of a machine being part of a botnet.

This is a key characteristic of modern, AI-based or anomaly-based threat detection systems. They use machine learning to establish a baseline of normal activity and then identify deviations, which allows them to detect novel or zero-day threats that a signature-based system (which looks for known patterns) would miss.

While all other options are good practices, 2FA is the most effective against password theft. With 2FA, an attacker who has your password would still need a second factor (like a code from your phone) to log in, providing a critical additional layer of security.

The root cause of the Equifax breach was the failure to patch a critical vulnerability in the Apache Struts web framework. A patch was available for months, but Equifax did not apply it to their systems, allowing attackers to exploit the known flaw and gain access to sensitive data. This highlights the critical importance of timely patch management.

A rainbow table attack uses a pre-computed table to reverse cryptographic hash functions, allowing an attacker to quickly look up the plain text password corresponding to a given hash. This is much faster than a brute-force or dictionary attack, which must compute the hash for each guess during the attack.

The Internet of Things (IoT) refers to the vast network of physical devices (like smart thermostats, cameras, and appliances) that are connected to the internet. These devices often have weak security, making them prime targets for attackers who can use them to launch further attacks on more valuable targets within a network.

A drive-by download is an attack where malware is installed on a user's computer without their consent or knowledge, simply by visiting a compromised website. The user does not have to click on anything or explicitly approve a download for the attack to succeed. It exploits vulnerabilities in the browser or its plugins.

The core trade-off is between Availability (high speed, constant uptime) and Integrity (the accuracy and correctness of data). By allowing a brief window for stale data, the system is accepting a minor, temporary loss of data integrity to ensure maximum performance. This is a common architectural decision in high-frequency systems. Confidentiality is not directly affected, and the trade-off actually improves availability. Authenticity relates to the identity of users, which is not the issue here.

This question requires synthesis of information. While all open ports are a concern, the key is the context provided: "Apache Struts 2 is used by one of the applications running on Tomcat." Historical vulnerabilities like CVE-2017-5638 (Equifax breach) in Apache Struts, which allow for Remote Code Execution (RCE), are extremely severe. The Nmap scan doesn't explicitly state a Struts vulnerability, but a security analyst must infer the highest risk based on the technology stack. The Apache and SSH versions listed are less likely to have trivial RCEs compared to an un-versioned application server known to host a framework with a history of critical vulnerabilities.

The key elements are 'fully patched version' and 'patching all systems within 24 hours'. This implies that the vulnerability exploited by the malicious PDF was unknown to the vendor (Adobe) and the security community at the time of the attack. Therefore, no patch existed. This is the definition of a zero-day vulnerability. While social engineering was used for delivery, the technical mechanism of compromise was the exploit itself. A configuration error or N-day exploit is explicitly contradicted by the scenario's description of the target's security posture.

This question tests knowledge of the specifics and extraterritorial scope of major regulations. Because the company serves EU citizens, it is subject to GDPR regardless of its own location. GDPR's 72-hour notification requirement to the data protection authority is one of the strictest and most specific timelines in major privacy laws. HIPAA's 60-day limit and CCPA's 'unreasonable delay' clause are significantly less stringent.

This question requires understanding the core differences between hashing algorithms. First, a rainbow table for SHA-256 is useless against bcrypt hashes as they are different algorithms. Second, and more importantly, bcrypt is a modern password hashing function that automatically generates and incorporates a random salt into each hash. This means that even if two users have the same password, their hashes will be different. Salting renders pre-computed tables (rainbow tables) useless because an attacker would need to generate a separate table for every possible salt value, which is computationally infeasible. The attacker's only option is a slow, offline brute-force or dictionary attack against each individual hash.

The key symptoms described perfectly match a TCP SYN Flood. The attack exploits the TCP three-way handshake. The attacker sends a high volume of TCP SYN packets (the first step of the handshake) with spoofed source IPs. The server responds with a SYN-ACK and waits for the final ACK, moving the connection to the SYN_RCVD state. Since the source IPs are fake, the final ACK never arrives. This leaves a large number of half-open connections, exhausting the server's connection state table (backlog queue) and preventing it from accepting new, legitimate connections. Low CPU/memory usage is characteristic because the server isn't processing application-layer requests.

This scenario is deliberately ambiguous. While a malicious insider is a strong possibility, it's hard to prove intent. An unintentional leak or a malware infection could potentially be identified through forensic analysis of the workstation. However, proving or disproving that a skilled external attacker is using stolen credentials from a non-suspicious IP address is extremely difficult. The attacker's actions would look identical to the legitimate user's actions in the network logs, making it a classic and challenging 'compromised insider' vs. 'malicious insider' investigation.

This describes a bootkit, which is an advanced type of rootkit that infects the startup process of a computer. Specifically, by targeting firmware (like on a hard drive or UEFI/BIOS), it gains control before the operating system even begins to load. This makes it extremely difficult to detect and remove, as it can survive OS reinstallation and formatting. A standard rootkit operates within the OS, fileless malware resides in memory, and a polymorphic virus changes its own code to avoid signature detection, but none of these inherently involve firmware modification for persistence.

The scenario describes the exact mechanism of an ARP Poisoning attack, a common Man-in-the-Middle (MITM) technique. The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on a local network. The attacker (192.168.1.50) sends forged ARP messages to the victim (192.168.1.10) to associate the gateway's IP address with the attacker's own MAC address (BB:...). This tricks the victim into sending all its traffic through the attacker's machine, allowing the attacker to intercept or modify it.

UEBA systems excel at detecting deviations from an established baseline. A 'smash-and-grab' would create a massive, easily detectable anomaly. Disabling the agent or flooding logs are also noisy activities that would likely trigger alerts. The most sophisticated evasion technique is to operate 'below the radar'. By mimicking the legitimate user's behavior (e.g., accessing files they normally access, at times they normally work, from their usual location) and exfiltrating data in small chunks that look like normal network traffic, the attacker can avoid creating the statistical anomalies that the AI is designed to detect.

While browser sync offers convenience, its primary security implication is the creation of a single point of failure. It consolidates a vast amount of sensitive data (passwords, history, etc.) from multiple devices and protects it with a single set of credentials (the browser account password, possibly with 2FA). If an attacker compromises this one account, they gain access to the user's entire synchronized digital life, dramatically increasing the impact of a single breach. The other options are incorrect: while the data is encrypted in transit, it's accessible with the credentials; it doesn't necessarily ensure patch consistency; and it certainly does not anonymize the data.

This is a classic BEC scenario. The attacker leverages Authority by impersonating a high-ranking and trusted figure (the legal counsel), making the request seem legitimate and important. They create a powerful sense of Scarcity/Urgency by claiming the deal is 'time-sensitive' and 'confidential'. This combination is designed to make the target act quickly and bypass normal verification procedures, which is the primary goal of the attack. The other principles are less relevant in this specific context.

The SolarWinds incident is the archetypal example of a modern software supply chain attack. The attackers didn't target the end victims directly; they targeted a less-secure element 'upstream' in the supply chain—the vendor's build process. By compromising this single point, they were able to distribute their malware to a massive number of high-value targets who trusted the software and its updates. While a zero-day may have been used at some stage, the overall strategy and primary vector was the compromise of the supply chain.

A 'Purple Team' exercise is a collaborative effort where the Red Team (offensive security, emulating attackers) and the Blue Team (defensive security, monitoring and responding) work together to improve overall security. The Red Team's actions test the Blue Team's detection and response capabilities in a controlled environment, allowing the Blue Team to immediately learn from the simulated attacks and enhance their defenses. This continuous feedback loop is the essence of a purple team engagement.

This question requires analyzing defenses for two distinct scenarios. Offline attacks (when the hash database is stolen) are best mitigated by a slow, memory-hard hashing algorithm like Argon2 or bcrypt. This makes it computationally expensive for attackers to guess passwords even with the hashes. Online attacks (where attackers guess passwords against a live login form) are best mitigated by rate-limiting measures like account lockout policies, which prevent an attacker from making millions of guesses. The combination of Argon2 (for offline) and account lockout (for online) provides robust protection against both.

HTTPS/TLS provides three main guarantees: Confidentiality (encryption prevents sniffing), Integrity (prevents in-transit modification), and Authentication (the certificate proves you are talking to the server named in the certificate). However, TLS authentication only proves you are securely connected to the domain in the certificate; it does not prove that the domain itself is trustworthy or legitimate. Attackers can easily obtain valid TLS certificates for malicious domains (like 'examp1e.com'). Therefore, while TLS prevents network-level MITM attacks, it does not, by itself, protect against sophisticated phishing attacks that use look-alike domains.

This scenario precisely describes a Cross-Site Request Forgery (CSRF) attack. The attack works by tricking a user's authenticated browser into sending a forged HTTP request to a trusted site where the user is already logged in. The malicious link or script from the attacker's site (e.g., the email) forges a request that the target site (the bank) trusts because it comes from the user's authenticated browser session. It is an attack on the site's trust in the user, not an injection of script into the site (which would be XSS).

This technique is the hallmark of fileless malware. It 'lives off the land' by using legitimate system tools (LOLBins - Living Off the Land Binaries) to carry out its malicious activities. By avoiding writing traditional executable files to the filesystem, it evades security products that primarily scan files for malicious signatures. Instead, detection requires more advanced techniques like behavioral analysis, memory forensics, and monitoring of command-line and script execution.

This is a critical failure of cryptographic security and a direct violation of PCI DSS requirements. Proper key management mandates that cryptographic keys be stored separately and securely from the data they encrypt. Storing the key on the same server as the encrypted data is like locking a door and leaving the key in the lock. If an attacker compromises the server, they get both the encrypted data (the 'safe') and the keys to decrypt it (the 'combination'), making the encryption completely useless. This violates the fundamental security principle of separating the protection mechanism (the key) from the asset (the data).

Cyber resilience is a strategic shift from a prevention-centric mindset to one that assumes breaches will happen. Its primary focus is on business continuity and rapid recovery. It's about designing systems and processes that can withstand, adapt to, and quickly recover from cyber incidents, minimizing the impact on core business operations. The other options describe goals of traditional security (prevention, prediction) or compliance, but not the 'assume breach' and 'recoverability' focus that defines resilience.