Module 1

1. Is system misconfiguration a threat or vulnerability? Justify your answer? (5M)

Answer: System misconfiguration is a vulnerability. This is because vulnerabilities are

weaknesses or flaws in a system that can be exploited by threats to cause harm.
Misconfigurations, such as improper security settings or incorrect setup of hardware and
software, create openings that attackers can exploit to gain unauthorized access or perform
malicious activities. Thus, while the misconfiguration itself is a vulnerability, the actual exploit
or attack that takes advantage of this misconfiguration represents the threat.

2. List and explain different vulnerabilities that occur due to authentication failures?
(5M)

Answer:

● Weak Passwords: Easily guessable or common passwords that can be cracked by

brute force attacks.
● Password Reuse: Using the same password across multiple systems, making
multiple systems vulnerable if one password is compromised.
● Lack of Multi-Factor Authentication (MFA): Absence of additional verification steps
beyond just the password, making systems more vulnerable if the password is
compromised.
● Unsecured Password Storage: Storing passwords in plaintext or using weak
hashing algorithms, making them easy to retrieve if the storage system is breached.
● Inadequate Account Lockout Mechanisms: Systems that do not lock out accounts
after multiple failed login attempts, allowing attackers to use brute force methods
without hindrance.

3. Differentiate between vulnerability assessment and penetration testing. (5M)

Answer:

Aspect Vulnerability Assessment Penetration Testing

Objective Identify and classify Exploit vulnerabilities to evaluate security

vulnerabilities defenses

Approach Automated scanning and Manual and automated techniques

analysis

Scope Broad, covers entire system or Narrower, focuses on specific targets or

network systems

Outcome List of vulnerabilities and their Proof of concept of exploits and detailed
severity analysis
 Frequenc Regularly (e.g., quarterly, Less frequent, often annually or as
y annually) needed

4. Describe vulnerability management components with a neat diagram. (5M)

Answer: Components of Vulnerability Management:

1. Identification: Scanning systems and networks to discover vulnerabilities.

2. Evaluation: Assessing the severity and potential impact of discovered vulnerabilities.
3. Prioritization: Ranking vulnerabilities based on risk, impact, and exploitability.
4. Remediation: Applying patches, updates, or configuration changes to fix
vulnerabilities.
5. Verification: Confirming that remediation actions have effectively resolved the
vulnerabilities.
6. Reporting and Monitoring: Documenting the vulnerabilities and actions taken, and
continuously monitoring for new vulnerabilities.

5. Illustrate reflected XSS vulnerability and its preventive measures. (5M)

Answer: Reflected XSS: Occurs when an attacker injects malicious scripts into a web
application, which are then reflected off a web server and executed in the user's browser.
This type of attack usually happens through user-supplied input, such as query parameters
in a URL.

Example:

1. Attacker sends a link with a malicious script:

http://example.com/search?q=<script>alert('XSS')</script>
2. User clicks the link, and the script executes in their browser.

Preventive Measures:

● Input Validation: Validate and sanitize all user inputs to ensure they do not contain
executable code.
● Output Encoding: Encode all output, especially when displaying user inputs, to
prevent execution of malicious scripts.
● Content Security Policy (CSP): Implement CSP headers to restrict the sources
from which scripts can be loaded and executed.

6. State cross-site scripting (XSS) with an example. What are types of XSS? (5M)

Answer: Cross-Site Scripting (XSS): A vulnerability that allows attackers to inject malicious
scripts into webpages viewed by other users.

Example:

1. An attacker submits a comment containing a script:

<script>alert('XSS')</script>.
2. When other users view the comment, the script executes in their browsers.
Types of XSS:

● Stored XSS: The malicious script is stored on the target server (e.g., in a database)
and executed when a user retrieves the stored information.
● Reflected XSS: The malicious script is reflected off a web server, typically through a
URL parameter, and executed in the user's browser.
● DOM-Based XSS: The vulnerability exists in the client-side script, where the
malicious input modifies the DOM environment and executes.

7. State information security and its components. (5M)

Answer: Information Security (InfoSec): Protecting information and information systems

from unauthorized access, use, disclosure, disruption, modification, or destruction.

Components:

1. Confidentiality: Ensuring that information is accessible only to those authorized to

access it.
2. Integrity: Protecting information from being altered by unauthorized parties, ensuring
its accuracy and completeness.
3. Availability: Ensuring that information and resources are available to authorized
users when needed.
4. Authentication: Verifying the identity of users, systems, or entities accessing the
information.
5. Non-repudiation: Ensuring that a party in a communication cannot deny the
authenticity of their signature on a document or a message that they sent.

8. How important is it to stay updated with changes in the vulnerability landscape?

(5M)

Answer: Staying updated with changes in the vulnerability landscape is crucial because:

1. Emerging Threats: New vulnerabilities and attack methods are constantly being
discovered.
2. Security Patches: Keeping systems and software up-to-date with the latest security
patches to prevent exploitation.
3. Compliance: Ensuring compliance with industry standards and regulations that
require up-to-date security measures.
4. Risk Mitigation: Proactively addressing vulnerabilities reduces the risk of data
breaches and other security incidents.
5. Awareness and Training: Keeping security teams informed about new
vulnerabilities and attack vectors improves their ability to defend against them
effectively.

9. What are a threat, vulnerability, and risk in cybersecurity? (5M)

Answer:

● Threat: A potential cause of an unwanted impact to a system or organization.

Examples include hackers, malware, and natural disasters.
 ● Vulnerability: A weakness in a system that can be exploited by a threat. Examples
include unpatched software, misconfigurations, and weak passwords.
● Risk: The potential for loss or damage when a threat exploits a vulnerability. It is
often calculated as the product of the likelihood of the threat exploiting the
vulnerability and the impact of the exploit.

10. What’s a brute force attack? How are you able to prevent it? (5M)

Answer: Brute Force Attack: An attempt to gain access to a system by systematically

trying all possible passwords or keys until the correct one is found.

Prevention Measures:

● Strong Password Policies: Enforce the use of complex passwords that are difficult
to guess.
● Account Lockout Mechanisms: Lock accounts after a certain number of failed login
attempts to prevent unlimited tries.
● Rate Limiting: Limit the number of login attempts from a single IP address over a
specific period.
● Multi-Factor Authentication (MFA): Add an extra layer of security beyond just the
password, making it harder for attackers to gain access.
● CAPTCHA: Use CAPTCHA to distinguish between human users and automated
brute force attack scripts.

11. Explain different types of vulnerabilities. (5M)

Answer:

● Software Vulnerabilities: Bugs or flaws in software that can be exploited, such as

buffer overflows, SQL injection, and cross-site scripting (XSS).
● Hardware Vulnerabilities: Flaws in hardware components, such as Spectre and
Meltdown affecting CPUs.
● Configuration Vulnerabilities: Misconfigurations in systems or applications, like
default passwords, open ports, and unsecured services.
● Human Factors: Social engineering, phishing, and user errors that can lead to
security breaches.
● Network Vulnerabilities: Issues in network protocols or infrastructure, such as
unsecured Wi-Fi, man-in-the-middle attacks, and insufficient network segmentation.

12. When vulnerabilities become exploitable, explain with an example? (5M)

Answer: Vulnerabilities become exploitable when specific conditions allow an attacker to

take advantage of them. For example, the Heartbleed vulnerability in OpenSSL
(CVE-2014-0160) became exploitable under these conditions:

● Presence of the Vulnerability: The Heartbleed bug existed in OpenSSL versions

1.0.1 to 1.0.1f.
● Access to the Vulnerability: Attackers could send specially crafted heartbeat
requests to vulnerable servers over the internet.
 ● Exploitation Method: By sending malicious heartbeat requests, attackers could
retrieve up to 64KB of memory from the server, potentially containing sensitive
information.
● Absence of Mitigations: Servers that had not been patched to fix the Heartbleed
bug were susceptible to this exploit.

This combination of factors made the Heartbleed vulnerability highly exploitable, leading to
significant security risks for many organizations.

This set of questions and answers covers key concepts in cybersecurity and provides
comprehensive yet concise responses suitable for exam preparation.

Module 2

1. What are extensions used by attackers to exploit computer systems? (5M)

Answer: Attackers often use various file extensions to exploit computer systems. Here are
some commonly abused extensions:

● .exe: Executable files that can run malicious code when opened.
● .bat: Batch files that execute a series of commands in Windows.
● .vbs: VBScript files that can run scripts in Windows, often used in phishing attacks.
● .js: JavaScript files that can execute code within web browsers.
● .doc/.docx: Microsoft Word documents that can contain malicious macros.
● .xls/.xlsx: Microsoft Excel spreadsheets that can contain malicious macros.
● .pdf: PDF files that can exploit vulnerabilities in PDF readers.
● .zip/.rar: Compressed files that can contain and disguise malicious executables.

Attackers often use these extensions in social engineering attacks, where the user is tricked
into opening a file that appears legitimate but is actually malicious.

2. Describe the CIA triad. (5M)

Answer: The CIA triad is a fundamental concept in information security, representing three
core principles:

● Confidentiality: Ensuring that sensitive information is accessed only by authorized

individuals and kept secret from unauthorized users.
● Integrity: Maintaining the accuracy and completeness of information and protecting it
from unauthorized modification or deletion.
● Availability: Ensuring that information and resources are accessible to authorized
users whenever needed, preventing disruptions in access.

These principles help guide the design and implementation of security measures to protect
information systems.

3. Analyze OWASP Top 10 vulnerabilities. (5M)

Answer: The OWASP Top 10 is a list of the most critical security risks to web applications,
updated periodically. As of the latest version, the vulnerabilities include:
 1. Broken Access Control: Failures in enforcing user permissions can allow
unauthorized access.
2. Cryptographic Failures: Weak or improper use of cryptography can lead to
exposure of sensitive data.
3. Injection: Flaws such as SQL, NoSQL, and LDAP injection can allow attackers to
execute arbitrary code.
4. Insecure Design: Design flaws that create security vulnerabilities, even if correctly
implemented.
5. Security Misconfiguration: Incorrect or insufficient configuration of security settings.
6. Vulnerable and Outdated Components: Use of components with known
vulnerabilities.
7. Identification and Authentication Failures: Weak authentication mechanisms that
allow attackers to compromise user credentials.
8. Software and Data Integrity Failures: Issues with software integrity and data
validation.
9. Security Logging and Monitoring Failures: Lack of proper logging and monitoring,
allowing attacks to go undetected.
10. Server-Side Request Forgery (SSRF): Allows an attacker to induce the server-side
application to make requests to an unintended location.

Understanding these vulnerabilities helps developers and security professionals mitigate

common risks in web applications.

4. Describe threat intelligence and explain threat assessment methods. (5M)

Answer: Threat Intelligence: The process of collecting, analyzing, and disseminating

information about potential or current attacks that threaten an organization. It helps in
understanding the threat landscape, identifying potential threats, and making informed
decisions to enhance security measures.

Threat Assessment Methods:

1. Strategic Assessment: Focuses on long-term threats and high-level analysis to

understand overall threat trends and patterns.
2. Tactical Assessment: Provides specific details about threats, including indicators of
compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by
attackers.
3. Operational Assessment: Offers real-time insights and actionable intelligence to
respond to immediate threats.
4. Technical Assessment: Involves the analysis of data from technical sources, such
as logs and network traffic, to identify and understand threats.

These methods help organizations prioritize and address threats effectively.

5. Describe STRIDE threat modeling. (10M)

Answer: STRIDE is a threat modeling framework developed by Microsoft to identify security

threats in software and systems. STRIDE stands for:
 ● Spoofing: Impersonating another entity to gain unauthorized access.
● Tampering: Altering data or systems to perform unauthorized actions.
● Repudiation: Denying the occurrence of an action or transaction to avoid
accountability.
● Information Disclosure: Exposing sensitive information to unauthorized parties.
● Denial of Service (DoS): Disrupting services to make them unavailable to legitimate
users.
● Elevation of Privilege: Gaining higher access levels than authorized.

Steps in STRIDE Threat Modeling:

1. Define the System: Understand the system architecture, components, and data
flows.
2. Identify Assets: Determine what needs protection, such as data, services, and
infrastructure.
3. Decompose the System: Break down the system into smaller components to
identify potential threats.
4. Identify Threats: Use the STRIDE model to systematically identify threats for each
component.
5. Document Threats: Record the identified threats, including their potential impact
and likelihood.
6. Mitigate Threats: Develop and implement strategies to mitigate identified threats,
such as using encryption, access controls, and monitoring.

6. Explain broken authentication vulnerabilities of web applications. (5M)

Answer: Broken Authentication vulnerabilities occur when authentication mechanisms are

improperly implemented, allowing attackers to compromise user credentials and gain
unauthorized access. Common issues include:

● Weak Passwords: Users using easily guessable passwords.

● Credential Stuffing: Attackers using stolen credentials from other breaches to gain
access.
● Session Fixation: Attackers trick users into using a specific session ID, which the
attacker can then hijack.
● Insufficient Session Expiration: Sessions that do not expire or expire too slowly,
allowing attackers to reuse session tokens.
● Lack of Multi-Factor Authentication (MFA): Relying solely on passwords without
additional verification steps.

Mitigation Measures:

● Enforce strong password policies.

● Implement rate limiting to prevent brute force attacks.
● Use MFA to add an extra layer of security.
● Ensure session tokens are properly managed and expire after a period of inactivity.
● Regularly audit and update authentication mechanisms to adhere to best practices.

7. Explain different mitigation techniques used in STRIDE. (10M)

Answer: STRIDE threat modeling identifies specific threats, and corresponding mitigation
techniques include:

● Spoofing:
○ Mitigation: Use strong authentication mechanisms such as multi-factor
authentication (MFA) and secure token management to verify identities.
● Tampering:
○ Mitigation: Implement integrity checks, such as cryptographic hashes and
digital signatures, to detect and prevent unauthorized modifications.
● Repudiation:
○ Mitigation: Use logging and auditing mechanisms to record actions and
ensure accountability. Implement non-repudiation techniques like digital
signatures.
● Information Disclosure:
○ Mitigation: Encrypt sensitive data in transit and at rest. Use access controls
to limit data exposure to authorized users only.
● Denial of Service (DoS):
○ Mitigation: Employ rate limiting, load balancing, and resource throttling to
prevent overloading systems. Use network-level defenses like firewalls and
DDoS protection services.
● Elevation of Privilege:
○ Mitigation: Enforce the principle of least privilege, ensuring users and
processes have only the permissions they need. Use secure coding practices
to avoid vulnerabilities like buffer overflows.

By addressing each STRIDE threat with targeted mitigation techniques, systems can be
better protected against a wide range of security risks.

8. How insider threats exploit vulnerabilities in an organizational network? Explain

with an example. (5M)

Answer: Insider Threats exploit vulnerabilities within an organization's network by

leveraging their authorized access to perform malicious activities. These threats can come
from current or former employees, contractors, or business associates.

Example:

● Scenario: A disgruntled employee has access to sensitive customer data stored on

the company's database.
● Exploit: The employee uses their legitimate access to copy and exfiltrate the data,
selling it to competitors or using it for personal gain.
● Impact: The data breach can lead to financial loss, legal consequences, and
reputational damage for the organization.

Preventive Measures:

● Implement strict access controls and the principle of least privilege.

● Conduct regular audits and monitoring of user activities.
 ● Use data loss prevention (DLP) tools to detect and prevent unauthorized data
transfers.
● Provide training and awareness programs to employees about security policies and
the consequences of malicious actions.

9. Illustrate the strategy of an email spoofing attack. How to prevent this attack? (10M)

Answer: Email Spoofing Attack:

● Strategy:
1. Attack Preparation: An attacker forges the email header to make it appear
as if it is sent from a trusted source.
2. Execution: The attacker sends the spoofed email to the target, often
containing a malicious link or attachment.
3. Exploitation: The target, believing the email is legitimate, clicks on the link or
opens the attachment, resulting in malware installation or credential theft.

Example:

● An attacker sends an email purportedly from the company's CEO, requesting

employees to click on a link to update their passwords.

Preventive Measures:

● SPF (Sender Policy Framework): Implement SPF to verify the sender's IP address
is authorized to send emails on behalf of the domain.
● DKIM (DomainKeys Identified Mail): Use DKIM to add a digital signature to emails,
ensuring they haven't been altered.
● DMARC (Domain-based Message Authentication, Reporting & Conformance):
Deploy DMARC to instruct email servers on how to handle emails that fail SPF or
DKIM checks.
● Employee Training: Educate employees on how to recognize and respond to
phishing and spoofed emails.
● Email Filtering: Use advanced email filtering solutions to detect and block spoofed
emails.
● Multi-Factor Authentication (MFA): Require MFA for sensitive actions requested
via email to verify the authenticity of the request.

10. Analyze different DoS attack scenarios in OSI layers and explain with an example.
(10M)

Answer: DoS Attacks at Different OSI Layers:

● Application Layer (Layer 7):

○ Attack Type: HTTP Flood.
○ Example: Sending a large number of HTTP GET or POST requests to
overwhelm a web server.
● Prevention: Use web application firewalls (WAFs) and rate limiting.
● Transport Layer (Layer 4):
 ○ Attack Type: SYN Flood.
○ Example: Exploiting the TCP handshake process by sending numerous SYN
requests and not responding to SYN-ACK replies.
● Prevention: Implement SYN cookies and increase backlog queue sizes.
● Network Layer (Layer 3):
○ Attack Type: ICMP Flood (Ping Flood).
○ Example: Sending a high volume of ICMP Echo Request (ping) packets to
saturate network bandwidth.
● Prevention: Configure firewalls to block or rate-limit ICMP traffic.
● Data Link Layer (Layer 2):
○ Attack Type: MAC Flooding.
○ Example: Overwhelming a network switch with fake MAC addresses to fill its
CAM table, causing legitimate traffic to be broadcasted to all ports.
● Prevention: Enable port security on switches to limit the number of MAC addresses
per port.

By understanding the specific DoS attack scenarios at various OSI layers, appropriate
defenses can be implemented to protect against such attacks.

11. Analyze the impact of different cybersecurity threats against the CIA triad. (5M)

Answer:

● Malware:
○ Confidentiality: Malware like keyloggers and spyware can steal sensitive
data.
○ Integrity: Ransomware can encrypt and corrupt files, affecting data integrity.
○ Availability: Worms and Trojans can disrupt system operations, reducing
availability.
● Phishing:
○ Confidentiality: Phishing attacks can trick users into revealing personal and
sensitive information.
○ Integrity: Successful phishing can lead to unauthorized actions that
compromise data integrity.
○ Availability: Compromised credentials can allow attackers to disable user
accounts and disrupt access.
● Denial of Service (DoS):
○ Confidentiality: Generally not affected directly by DoS attacks.
○ Integrity: Not typically impacted, but could indirectly affect data integrity if the
service disruption leads to data loss or corruption.
○ Availability: The primary target, as DoS attacks aim to make services
unavailable.
● Insider Threats:
○ Confidentiality: Insiders can access and leak sensitive information.
○ Integrity: Insiders can tamper with or delete critical data.
○ Availability: Insiders might disrupt services by modifying or disabling
systems.
By analyzing how different cybersecurity threats impact the CIA triad, organizations can
prioritize their security measures to address the most critical areas of risk.

Module 3

1. Explain different injection problems with an example. (5M)

Answer: Injection problems occur when untrusted data is sent to an interpreter as part of a
command or query, allowing an attacker to execute unintended commands or access
unauthorized data. Common types of injection problems include:

1. SQL Injection:
○ Example: An attacker enters '; DROP TABLE users; -- into a login form
that directly concatenates user input into an SQL query.
○ Effect: This can lead to data leakage, unauthorized data manipulation, or
deletion of database tables.
2. Command Injection:
○ Example: A web application takes user input to execute a system command,
such as ping. An attacker can input ; rm -rf / to execute arbitrary
system commands.
○ Effect: This can lead to complete system compromise, allowing the attacker
to delete files or execute further malicious commands.
3. LDAP Injection:
○ Example: If an application constructs LDAP queries using unvalidated user
input, such as (|(user={0})(user=*)), an attacker can manipulate the
input to gain unauthorized access.
○ Effect: This can result in unauthorized queries against the LDAP directory,
potentially exposing sensitive user information.
4. XPath Injection:
○ Example: When constructing XPath queries using user input without
validation, such as /Users/User[Name/text()='input'], an attacker
could input ' or '1'='1 to access all users.
○ Effect: This can expose sensitive XML data to unauthorized users.
5. NoSQL Injection:
○ Example: In applications using NoSQL databases, like MongoDB, an attacker
might input {"$ne": null} into a query filter, bypassing authentication.
○ Effect: This can lead to unauthorized data access or manipulation.

Prevention Measures:

● Use parameterized queries and prepared statements.

● Validate and sanitize all user inputs.
● Employ web application firewalls (WAFs).

2. What are vulnerabilities found in unencrypted sensitive data at rest and in motion?
(5M)

Answer: Vulnerabilities in Unencrypted Data at Rest:

 1. Data Breaches: Unauthorized access to databases or storage devices can lead to
the exposure of sensitive information.
2. Theft or Loss: Physical theft of unencrypted devices like laptops, USB drives, or
servers can result in data compromise.
3. Insider Threats: Employees with access to unencrypted data can misuse it for
malicious purposes.

Vulnerabilities in Unencrypted Data in Motion:

1. Man-in-the-Middle (MitM) Attacks: Attackers intercept data transmitted over

networks, capturing sensitive information such as login credentials or personal data.
2. Eavesdropping: Unauthorized parties listen in on network communications,
accessing unencrypted data.
3. Session Hijacking: Attackers intercept session tokens or cookies during
transmission, taking control of user sessions.

Prevention Measures:

● Implement strong encryption protocols (e.g., AES for data at rest, TLS for data in
motion).
● Use secure communication channels (e.g., VPNs, HTTPS).
● Regularly audit and monitor access to sensitive data.

3. Define SQL injection problem and explain categories of the same. (5M)

Answer: SQL Injection is a code injection technique that exploits vulnerabilities in an

application’s software by inserting malicious SQL statements into an entry field for execution
by the backend database.

Categories of SQL Injection:

1. In-Band SQL Injection:

○ Union-Based: Uses the UNION SQL operator to combine results of two
queries, enabling attackers to retrieve data from other database tables.
○ Error-Based: Relies on detailed error messages from the database to gain
insight into the database structure.
2. Inferential (Blind) SQL Injection:
○ Boolean-Based: Sends a query to the database, which forces the application
to return different results based on a true or false condition, helping attackers
infer information.
○ Time-Based: Sends SQL queries that cause delays in database responses,
allowing attackers to infer information based on the time taken for the
response.
3. Out-of-Band SQL Injection:
○ Relies on the database server's ability to make DNS or HTTP requests to
deliver data to an attacker, used when in-band or inferential techniques are
not possible.

Prevention Measures:
 ● Use prepared statements and parameterized queries.
● Employ input validation and sanitation.
● Use ORM (Object-Relational Mapping) frameworks to abstract and sanitize database
interactions.

4. Distinguish between reflected and stored cross-site scripting with respect to

programming vulnerabilities in web-based applications. (5M)

Answer: Cross-Site Scripting (XSS) is a type of security vulnerability found in web

applications that allows attackers to inject malicious scripts into web pages viewed by other
users.

Reflected XSS:

● Description: Occurs when malicious scripts are reflected off a web server and
executed in the user’s browser. This typically happens when an attacker sends a
crafted link to the victim, and the server includes the user input in the response.
● Example: A search form that returns user input directly in the search results page
without sanitization, allowing an attacker to inject a script into the URL.
● Impact: Limited to users who click on the malicious link; typically a one-time
execution.

Stored XSS:

● Description: Occurs when malicious scripts are stored on the server (e.g., in a
database) and then displayed to users when they visit the affected page.
● Example: A comment section where user input is not sanitized before being stored,
allowing an attacker to inject a script that is executed whenever any user views the
comment.
● Impact: More severe as it affects all users who visit the affected page, leading to
persistent execution of malicious scripts.

Prevention Measures:

● Reflected XSS: Sanitize and encode user inputs before reflecting them back in
HTTP responses.
● Stored XSS: Validate and sanitize user inputs before storing them in databases, and
encode outputs before displaying them in web pages.

5. Illustrate the strategy of a heap-based buffer overflow privilege attack with an

example. (5M)

Answer: Heap-Based Buffer Overflow:

● Description: Occurs when data is written outside the bounds of a dynamically

allocated heap buffer, potentially overwriting adjacent memory and leading to
unpredictable behavior or exploitation.

Strategy:
 1. Identify Vulnerability: Find a function that allocates memory on the heap and fails to
perform proper bounds checking on user input.
2. Craft Exploit: Create an input that overflows the buffer, overwriting critical control
data such as function pointers, virtual table pointers, or other heap management
structures.
3. Execute Payload: Redirect execution flow to attacker-controlled code by
manipulating overwritten control data.

Example:

c
Copy code
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

void vulnerable_function(char *user_input) {

char *heap_buffer = (char *)malloc(20); // Allocates 20 bytes on
the heap
strcpy(heap_buffer, user_input); // No bounds checking
printf("Buffer: %s\n", heap_buffer);
free(heap_buffer);
}

int main(int argc, char *argv[]) {

if (argc > 1) {
vulnerable_function(argv[1]);
}
return 0;
}

Explanation:

● Vulnerability: strcpy(heap_buffer, user_input) copies data without

checking if user_input exceeds the allocated 20 bytes.
● Exploit: An attacker provides an input larger than 20 bytes, potentially overwriting
adjacent heap structures or control data.
● Impact: By overwriting function pointers or other critical data, an attacker can redirect
the program’s execution flow to execute arbitrary code, potentially gaining higher
privileges.

Prevention Measures:

● Use functions like strncpy that perform bounds checking.

 ● Implement heap protections such as heap canaries, address space layout
randomization (ASLR), and position-independent executables (PIE).
● Regularly audit and test code for memory-related vulnerabilities using static and
dynamic analysis tools.
●

Module 5

1. What is meant by DNS Reconnaissance in penetration testing?

Answer: DNS Reconnaissance is the process of gathering information about a target

domain using DNS queries and related tools. It is an initial step in penetration testing to
discover domain-related data such as IP addresses, subdomains, mail servers, and other
relevant details.

Common Techniques:

● DNS Zone Transfer: Attempting to get a copy of the DNS zone file from the DNS
server.
● Reverse DNS Lookup: Resolving IP addresses to domain names to identify
connected domains.
● Subdomain Enumeration: Identifying subdomains using tools like Sublist3r or
dnsrecon.
● WHOIS Lookup: Gathering registration information about the domain.

2. What are porting public exploits?

Answer: Porting public exploits involves adapting existing exploits to target specific systems
or environments during penetration testing. This may include modifying exploit code to work
with different software versions, configurations, or adding specific payloads relevant to the
target.

Common Tools:

● Metasploit Framework: Provides a vast library of public exploits that can be adapted
for different targets.
● Exploit-DB: A repository of public exploits where penetration testers can find and
modify exploit code.

3. What is John the Ripper tool and how penetration testers are using it?

Answer: John the Ripper is a popular open-source password cracking tool used in
penetration testing to identify weak passwords. It works by performing dictionary attacks,
brute force attacks, and custom wordlist attacks on password hashes.

Usage:

● Password Auditing: Testing the strength of passwords in an organization.

 ● Cracking Hashes: Penetration testers use it to crack password hashes obtained
from compromised systems to access further credentials or systems.

4. Explain How Data is Protected During and after Penetration Testing?

Answer: During Penetration Testing:

● Data Encryption: Encrypt sensitive data in transit and at rest.

● Non-Disclosure Agreements (NDAs): Ensure all parties involved understand their
responsibilities and confidentiality requirements.
● Controlled Environment: Use secure, isolated environments to conduct tests,
preventing accidental exposure.

After Penetration Testing:

● Data Retention Policies: Define and follow policies for securely storing or destroying
test data.
● Report Encryption: Secure penetration testing reports and related documents with
encryption.
● Access Controls: Restrict access to sensitive test data to authorized personnel only.

5. What are the commonly targeted ports during penetration testing?

Answer: Commonly targeted ports include:

● TCP 21 (FTP): For file transfer vulnerabilities.

● TCP 22 (SSH): For secure shell access and potential weak authentication.
● TCP 23 (Telnet): For insecure remote access.
● TCP 25 (SMTP): For email server vulnerabilities.
● TCP 80 (HTTP): For web application vulnerabilities.
● TCP 443 (HTTPS): For secure web application vulnerabilities.
● TCP 3306 (MySQL): For database vulnerabilities.
● TCP 3389 (RDP): For remote desktop protocol vulnerabilities.

6. Explain the risk involved in not designating HTTP cookies with the security tokens
as secure.

Answer: Not designating HTTP cookies with the Secure attribute means that cookies can
be transmitted over unencrypted HTTP connections, making them susceptible to interception
by attackers. This can lead to:

● Session Hijacking: Attackers can steal session cookies and impersonate users.
● Man-in-the-Middle (MitM) Attacks: Intercepting and modifying cookies in transit.
● Data Exposure: Sensitive information stored in cookies can be accessed.

7. How to diminish SQL Injection risks?

Answer: Prevention Measures:

 ● Parameterized Queries: Use prepared statements with bound parameters to
separate data from code.
● Input Validation: Validate and sanitize all user inputs.
● Stored Procedures: Use stored procedures that encapsulate SQL code on the
database side.
● Least Privilege: Ensure database accounts have the minimum necessary
permissions.
● Web Application Firewalls (WAFs): Deploy WAFs to detect and block SQL injection
attempts.

8. How can the danger of weak session management and authentication be reduced?

Answer: Mitigation Techniques:

● Strong Password Policies: Enforce the use of strong, complex passwords.

● Multi-Factor Authentication (MFA): Require multiple forms of authentication.
● Secure Session Tokens: Use secure, randomly generated session tokens.
● Session Expiry: Implement session timeouts to reduce the risk of session hijacking.
● Secure Cookie Attributes: Use Secure and HttpOnly attributes for cookies.
● Regular Audits: Regularly audit and update authentication and session
management mechanisms.

9. How Can the Risks of SQL Injection Be Reduced?

Answer: This question is similar to question 7. Please refer to the previous answer for
detailed measures to diminish SQL Injection risks.

10. What are OWASP security principles?

Answer: OWASP (Open Web Application Security Project) security principles provide
guidelines to enhance the security of web applications. Key principles include:

1. Principle of Least Privilege: Grant minimum necessary permissions to users and

applications.
2. Defense in Depth: Implement multiple layers of security controls.
3. Fail Securely: Ensure that systems fail in a secure manner.
4. Don't Trust User Input: Validate and sanitize all user inputs.
5. Separation of Duties: Divide tasks and privileges among multiple entities.
6. Security by Design: Integrate security considerations into the design and
development process.
7. Security Through Obscurity is Not Enough: Do not rely solely on hiding security
mechanisms.
8. Keep Security Simple: Avoid unnecessary complexity that could introduce
vulnerabilities.

11. Describe sensitive data exposure with an example. How to effectively reduce the
risk of sensitive data exposure?
Answer: Sensitive Data Exposure: Occurs when applications inadvertently expose
sensitive information such as credit card numbers, personal information, or authentication
credentials.

Example:

● A web application transmits credit card information over an unencrypted HTTP

connection, which can be intercepted by attackers.

Mitigation Strategies:

● Encryption: Use strong encryption (e.g., TLS) for data in transit and at rest.
● Access Controls: Implement strict access controls to limit data exposure.
● Data Minimization: Store only the necessary data and for the shortest duration
needed.
● Regular Audits: Conduct regular security audits and vulnerability assessments.
● Security Headers: Use HTTP security headers like
Strict-Transport-Security (HSTS) to enforce secure communication
channels.

12. Explain Five Phases of Penetration Testing

Answer: The five phases of penetration testing include:

1. Planning and Reconnaissance:

○ Define the scope and objectives of the test.
○ Gather information about the target through open-source intelligence
(OSINT), DNS queries, and network scanning.
2. Scanning:
○ Identify open ports and services using tools like Nmap.
○ Perform vulnerability scanning to identify potential weaknesses.
3. Gaining Access:
○ Exploit identified vulnerabilities to gain unauthorized access.
○ Use techniques like SQL injection, buffer overflows, or credential attacks.
4. Maintaining Access:
○ Establish a persistent presence within the target system.
○ Use techniques like installing backdoors or creating user accounts.
5. Analysis and Reporting:
○ Document the findings, including vulnerabilities, exploits used, and data
accessed.
○ Provide recommendations for remediation and improving security.

13. Elaborate five phases of penetration testing and explain penetration testing
mistakes with an example.

Answer: The five phases of penetration testing have been described in the previous answer.
Now, let's discuss common penetration testing mistakes with examples.

Common Mistakes:
 1. Improper Scope Definition:
○ Example: Failing to include critical systems in the scope, leading to missed
vulnerabilities.
○ Mitigation: Clearly define and agree on the scope with the client.
2. Lack of Permission:
○ Example: Testing systems without proper authorization, resulting in legal
issues.
○ Mitigation: Obtain written authorization from stakeholders.
3. Insufficient Reconnaissance:
○ Example: Missing critical information during reconnaissance that could lead
to a successful exploit.
○ Mitigation: Perform thorough reconnaissance using various techniques and
tools.
4. Overlooking Social Engineering:
○ Example: Ignoring social engineering attacks, which can be a significant
vector for compromise.
○ Mitigation: Include social engineering tests, like phishing, in the penetration
testing plan.
5. Poor Reporting:
○ Example: Providing unclear or overly technical reports that stakeholders
cannot understand.
○ Mitigation: Deliver clear, concise, and actionable reports tailored to the
audience, including technical and executive summaries.

By understanding and avoiding these common mistakes, penetration testers can enhance
the effectiveness and value of their assessments.

Module 6

1. Explain Cyber Kill Chain (5M)

Answer: The Cyber Kill Chain is a framework developed by Lockheed Martin to understand
and combat cyber threats. It outlines the stages of a cyber attack, helping organizations to
detect and respond to malicious activities.

Stages of the Cyber Kill Chain:

1. Reconnaissance:
○ Attackers gather information about the target using tools and techniques like
scanning and social engineering.
○ Example: Using Google dorking to find sensitive information about a
company.
2. Weaponization:
○ Attackers create a deliverable payload using exploits and malware.
○ Example: Combining an exploit with a malware payload to create a phishing
email attachment.
3. Delivery:
 ○ The payload is transmitted to the target via email, USB drive, or other
methods.
○ Example: Sending a phishing email with a malicious attachment.
4. Exploitation:
○ The payload exploits a vulnerability on the target system to execute the
attack.
○ Example: A malicious attachment exploiting a zero-day vulnerability in a PDF
reader.
5. Installation:
○ The malware is installed on the target system to establish a foothold.
○ Example: Installing a backdoor on the compromised system.
6. Command and Control (C2):
○ The attacker establishes a communication channel to control the
compromised system.
○ Example: Using a remote access tool (RAT) to communicate with the infected
machine.
7. Actions on Objectives:
○ The attacker takes steps to achieve their goals, such as data exfiltration,
encryption (ransomware), or sabotage.
○ Example: Stealing sensitive data from the target’s database.

2. Privileged Identity Management in SIEM (5M)

Answer: Privileged Identity Management (PIM) within a Security Information and Event
Management (SIEM) system involves monitoring and managing privileged accounts to
prevent unauthorized access and mitigate insider threats.

Key Components:

● Account Management: Automate the provisioning, de-provisioning, and

management of privileged accounts.
● Access Control: Implement strict access controls and policies for privileged
accounts.
● Activity Monitoring: Continuously monitor the activities of privileged accounts for
suspicious behavior.
● Session Recording: Record sessions of privileged users to review and audit their
actions.
● Alerting and Reporting: Generate alerts and reports on abnormal activities or policy
violations by privileged users.

Benefits:

● Enhanced Security: Reduces the risk of unauthorized access and data breaches.
● Compliance: Helps organizations comply with regulatory requirements by providing
detailed logs and reports.
● Incident Response: Improves the ability to detect and respond to potential security
incidents involving privileged accounts.

3. Illustrate End Point Security (5M)

Answer: Endpoint Security refers to the practice of securing endpoints or entry points of
end-user devices such as desktops, laptops, and mobile devices from malicious activities
and threats.

Key Components:

● Antivirus and Antimalware: Protects against various types of malware by detecting

and removing malicious software.
● Endpoint Detection and Response (EDR): Provides continuous monitoring and
response capabilities to detect and mitigate threats.
● Firewalls: Filters network traffic to and from the endpoint to block unauthorized
access.
● Data Encryption: Ensures data stored on and transmitted from endpoints is
encrypted to prevent unauthorized access.
● Patch Management: Keeps endpoint software up-to-date with the latest security
patches to fix vulnerabilities.
● Access Controls: Enforces policies to control who can access the endpoint and
what actions they can perform.

Illustration:

● A company deploys antivirus software on all employee laptops to scan for and
remove malware.
● EDR solutions are installed to monitor real-time activities and respond to suspicious
behaviors.
● Personal firewalls are configured to block unauthorized network traffic.
● Sensitive data on the devices is encrypted, and access is restricted to authorized
personnel only.

4. Indicators of Compromise (5M)

Answer: Indicators of Compromise (IOCs) are pieces of evidence that suggest a system has
been compromised by unauthorized activities, such as malware infections, data breaches, or
network intrusions.

Examples of IOCs:

● Unusual Network Traffic: Unexpected spikes or patterns in network traffic that

indicate data exfiltration or communication with malicious servers.
● File Changes: Unexplained modifications or new files, especially in critical
directories, suggesting malware presence.
● Unusual Account Activity: Unauthorized logins, especially from foreign locations or
outside normal business hours.
● Error Messages: Increased system or application errors indicating potential
tampering or misconfiguration.
● Suspicious Processes: Unknown or abnormal processes running on a system.

Detection and Use:

 ● Monitoring Tools: Use SIEM and EDR tools to continuously monitor for IOCs.
● Incident Response: Quickly identify and respond to incidents by analyzing IOCs.
● Threat Intelligence: Share and consume IOCs from threat intelligence feeds to stay
updated on emerging threats.

5. Attack Vectors and Observed Activity (5M)

Answer: Attack Vectors are methods or pathways that attackers use to exploit
vulnerabilities in a system.

Common Attack Vectors:

● Phishing: Sending deceptive emails to trick users into revealing sensitive information
or installing malware.
● Malware: Using malicious software to infiltrate systems and execute unauthorized
actions.
● Exploiting Vulnerabilities: Taking advantage of software or hardware vulnerabilities
to gain unauthorized access.
● Brute Force Attacks: Attempting to gain access by trying many combinations of
passwords.
● Social Engineering: Manipulating individuals to divulge confidential information.

Observed Activities:

● Phishing: Employees receiving suspicious emails with malicious attachments or

links.
● Malware: Unexpected system behavior or alerts from antivirus software detecting
malicious files.
● Exploiting Vulnerabilities: Network logs showing attempts to exploit known
vulnerabilities.
● Brute Force Attacks: Repeated failed login attempts in authentication logs.
● Social Engineering: Reports from employees about unusual requests for
information or actions.

6. What are the different steps of the SIEM process?

Answer: The SIEM (Security Information and Event Management) process includes several
steps to collect, analyze, and respond to security events.

Steps:

1. Data Collection: Aggregating logs and event data from various sources such as
firewalls, intrusion detection systems, and endpoint devices.
2. Normalization: Converting different log formats into a common format for easier
analysis.
3. Correlation: Analyzing the normalized data to identify patterns and correlate events
across different systems to detect potential threats.
4. Alerting: Generating alerts for identified security incidents based on predefined rules
and thresholds.
 5. Analysis: Investigating alerts to determine the nature and scope of the incident.
6. Response: Taking appropriate actions to mitigate and remediate the detected
threats.
7. Reporting: Creating reports for compliance, auditing, and management review.

7. Which are the types of attack vectors in cybersecurity? Differentiate between an

attack vector and an attack surface.

Answer:

Types of Attack Vectors:

1. Phishing: Deceptive emails to steal sensitive information or deliver malware.

2. Malware: Software designed to damage or gain unauthorized access to systems.
3. Social Engineering: Manipulating individuals to divulge confidential information.
4. Exploiting Vulnerabilities: Leveraging software or hardware flaws to gain access.
5. Brute Force: Attempting to crack passwords or encryption keys by trying numerous
combinations.
6. Man-in-the-Middle (MitM): Intercepting and altering communication between two
parties.
7. SQL Injection: Injecting malicious SQL queries to manipulate databases.
8. Denial of Service (DoS): Overloading systems to make them unavailable to users.

Difference Between Attack Vector and Attack Surface:

Aspect Attack Vector Attack Surface

Definitio The method or pathway used to The total of all possible points where an
n exploit a vulnerability. attacker can try to enter or extract data.

Scope Specific method of attack. Overall landscape of possible

vulnerabilities.

Example Phishing email, malware, SQL Open ports, unpatched software, user
injection. interfaces.

Focus How the attack is carried out. Where the attack can occur.