Cheat Sheet

Question 1

What is the main difference between a Virus and a Worm?

Answer 1

Virus: Requires a host file (e.g., an .exe or a document) and human interaction (e.g., opening the file) to spread.

Worm: Is self-replicating and spreads automatically across a network, often by exploiting vulnerabilities. It does not need a host file or human help.

Question 2

What is the term for a virus that mutates its code with each new infection? This is done specifically to ensure that its hash value (or signature) is different every time, allowing it to evade simple signature-based detection.

Answer 2

Polymorphic virus

Question 3

Q: A user calls the help desk, reporting that a large pop-up window has taken over their screen. The window, which looks like a system utility, is flashing red and warning that “128 viruses and 47 exploits” have been found. It is demanding a one-time $49.95 payment to “purchase the full security suite” and clean the computer.

What type of malware BEST describes this attack?

A. Adware
B. Scareware
C. Ransomware
D. Spyware

Answer 3

B. Scareware

Explanation: This is a classic example of scareware. It uses deception and social engineering (frightening pop-ups, fake scan results) to trick a user into paying for a fake or malicious “service.” It preys on the user’s fear.

It is not ransomware because the user’s files are not encrypted; they are just being tricked, not extorted.

It is not adware, which typically just displays unwanted (but not necessarily fake) advertisements.

Question 4

What is UPnP, what ports does it use, and what is its security risk?

Answer 4

Universal Plug and Play
Ports UDP/1900 for discovery, TCP/5000 for accepting incoming connections from other UPnP devices.

UPnP is a protocol that allows devices on a network to automatically discover each other and configure network settings (like opening ports).

Risk: It’s a major security flaw. Malware (especially worms) can exploit it to bypass the firewall and open ports for remote access

Question 5

A user downloads what they believe is a free “video codec” to watch a movie. After running the installer, their computer seems to work normally, but in the background, the program has installed a hidden tool that gives an attacker complete remote control of their system.

What type of malware BEST describes this?

Answer 5

RAT (Remote Access Trojan)

Question 6

What is the term for a type of malware designed to gain the highest level of privilege (root/administrator) and use its deep system access to hide itself and its malicious activity from the operating system and security software?

This malware can infect the OS kernel, the bootloader (a bootkit), or even the hardware firmware.

Answer 6

Rootkit

Question 7

A user reports their mouse and keyboard are acting “flaky.” A technician investigates and finds an unknown USB dongle plugged in between the keyboard cable and the desktop’s USB port.

What is this malicious device MOST LIKELY?

Answer 7

Hardware Keylogger

Question 8

Adware

Answer 8

uses popups

Question 9

Bots

Answer 9

infected machine used as an attack vector

Question 10

A user calls the help desk in a panic because their “mouse is moving on its own” and closing windows. The technician disconnects the network cable immediately. Later analysis shows a malware infection that established a reverse connection to an external IP, allowing the attacker to interactively control the desktop.

What specific type of malware is this?

Answer 10

RAT (Remote Access Trojan)

Explanation:
* Spyware/Keyloggers are passive; they hide and steal data silently.
* RATs are active; they provide a Command and Control (C2) channel that gives the attacker interactive remote control over the system. The “ghost in the machine” symptom (mouse moving) is the classic giveaway of a RAT.

Question 11

Logic bomb

Answer 11

needs a trigger, such as time

Question 12

Phishing

Answer 12

uses email; targets one person

Question 13

Spear phishing

Answer 13

attacks a group; look for plurals in the question

Question 14

Whaling

Answer 14

attacks CEO or high‐level executives

Question 15

Vishing

Answer 15

uses a telephone or leaves a voicemail

Question 16

Tailgating

Answer 16

follows someone through; does not use credentials

Question 17

Impersonating

Answer 17

pretends to be from the help desk or IT team

Question 18

Dumpster diving

Answer 18

pulls information from the trash bin

Question 19

Shoulder surfing

Answer 19

someone looks over an employee’s shoulder or uses a smartphone to video your bank transaction

Question 20

Watering hole

Answer 20

infects a trusted website

Question 21

Authority

Answer 21

email from CEO or HR; asks you to fill in a form

Question 22

Urgency

Answer 22

letting a fireman into the server room

Question 23

DoS

Answer 23

one host taking out another

Question 24

DDoS

Answer 24

multiple hosts taking out one host

Question 25

Man‐in‐the middle

Answer 25

interception attack data in real time

Question 26

Replay

Answer 26

interception attack data replayed at a later date

Question 27

Kerberos

Answer 27

prevents replay and pass‐the‐hash attacks

Question 28

Buffer overflow

Answer 28

too much data in a field

Question 29

Integer overflow

Answer 29

too large a number in a data field

Question 30

XSS

Answer 30

uses HTML tags/JavaScript; no authentication

Question 31

XSRF/CSRF

Answer 31

asks you to click on an icon and provide authentication

Question 32

Privilege escalation

Answer 32

tries to get admin rights

Question 33

ARP poisoning

Answer 33

prevented by using static entries in the arp cache—for example, arp ‐s

Question 34

DNS poisoning

Answer 34

prevented by using DNSSEC that produces RRSIG records

Question 35

ARP

Answer 35

local LAN attack

Question 36

Man‐in‐the‐browser

Answer 36

trojan already installed; after bank transactions; URL does not change

Question 37

Zero‐day virus

Answer 37

cannot be detected other than baseline; takes more time to get antidote.

Question 38

Pass‐the‐hash

Answer 38

attacks NTLM authentication; prevented by disabling NTLM or using Kerberos

Question 39

Session hijacking

Answer 39

steals your cookies

Question 40

Evil twin

Answer 40

looks like a legitimate WAP

Question 41

Rogue AP

Answer 41

free; steals information; prevented by using 802.1x

Question 42

Jamming

Answer 42

interference attack

Question 43

WPS

Answer 43

push the button; brute-force attacks underlying password

Question 44

Bluejacking

Answer 44

hijacks Bluetooth phone; sends text messages

Question 45

Bluesnarfing

Answer 45

steals contacts from Bluetooth phone

Question 46

RFID

Answer 46

prevents theft of small devices

Question 47

NFC

Answer 47

wireless payment; short range

Question 48

Birthday

Answer 48

hash-collision attack; digital signatures vulnerable

Question 49

Disassociation attacks

Answer 49

prevents access to the WAP

Question 50

Rainbow tables

Answer 50

precomputed list of passwords and hashes; used for hash-collision attacks

Question 51

Dictionary

Answer 51

password; prevented by using a random character in your password or misspelling your password

Question 52

Brute force

Answer 52

every available combination; prevents account lockout low value or salt password

Question 53

Collison

Answer 53

matches hashes

Question 54

Downgrade

Answer 54

uses legacy SSL rather than TLS; POODLE is a classic example

Question 55

Script kiddie

Answer 55

purchases scripts and programs, probably from the dark web

Question 56

Hacktivist

Answer 56

politically motivated agent

Question 57

Nation state/APT

Answer 57

foreign government agent

Question 58

Organized crime

Answer 58

profit-driven agent who will blackmail you

Question 59

Insider

Answer 59

known as a malicious insider; hardest to detect

Question 60

Intrusive

Answer 60

can cause damage

Question 61

Black box

Answer 61

knows nothing

Question 62

White box

Answer 62

knows everything

Question 63

Gray box

Answer 63

has at least one piece of information—for example, a password or diagram

Question 64

Fuzzing

Answer 64

enters random characters into an application for spurious results; black-/white-box pen testers use it

Question 65

Pivot

Answer 65

accesses a network through a vulnerable host, then attacks a secondary, more important host

Question 66

Initial exploitation

Answer 66

where pen testing starts

Question 67

Escalation of privileges

Answer 67

obtains admin rights

Question 68

Intrusive scan

Answer 68

used in pen testing; can cause damage to your system

Question 69

Passive

Answer 69

no damage

Question 70

Credentialed

Answer 70

admin rights; more information; audit files; account and certificate information

Question 71

Non‐credentialed

Answer 71

low level; finds missing patches

Question 72

Race condition

Answer 72

two threads accessing data at the same time

Question 73

End‐of‐life systems

Answer 73

lack of vendor support; no patches

Question 74

Error handling

Answer 74

customer side makes error small; IT support error needs all information

Question 75

Default configuration

Answer 75

changes username or passwords

Question 76

Resource exhaustion

Answer 76

running CPU at 100% or running out of memory

Question 77

Key management

Answer 77

ensures keys signed in and out each day

Question 78

Untrained users

Answer 78

not complying with policies

Question 79

Competitors

Answer 79

steals your trade secrets; beats you to market with your product

Question 80

Weak implementation

Answer 80

uses WEP; better to use WPA2‐CCMP as it is the strongest