Answer Description

In a watering hole attack the attacker infects a website that is known to be commonly used by an organisation or industry. For example a specific industry news site to attack a business in that industry or the entire industry in general. With the knowledge that users frequent the website the attackers are able to target them with malware and if the attack is successful to install malicious software.

Wikipedia

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

Answer Description

When a wireless network broadcasts it includes the network name, called a Service Set Identifier (SSID). Most commonly the SSID will be a user-friendly name to help people identify which network they want to connect to (e.g. Smith WiFi, Friendly's Guest, etc.). Disabling SSID broadcast will still allow the network to be visible to nearby devices but in order to connect to the network they will need to know the SSID (as well as a password/key if configured).

Wikipedia

Answer Description

Based on the information you have the most likely attack (against the website) is a DNS hijacking. The attackers gained control of the company's domain name and are holding it for ransom.

Wikipedia

Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.This can be devastating to the original domain name holder, not only financially as they may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts, but also in terms of readership and/or audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity such as phishing, where a website is replaced by an identical website that records private information such as log-in passwords, spam, or may distribute malware from the perceived "trusted" domain

Answer Description

An anomaly-based Network Intrusion Detection System (NIDS) detects unusual network traffic after first being 'trained' on normal network traffic. Theses systems use data mining and artificial intelligence to classify traffic as normal or anomaly/potentially malicious.

Wikipedia

An anomaly-based intrusion detection system, is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar based methods, and Artificial Immune System.Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection

Answer Description

This type of WiFi network is called Guest WiFi. Guest WiFi's are intended for external users like subcontractors or 3rd party partners. It could also be permitted for employees personnel devices. In some cases the Guest WiFi may also allow restricted access to internal resources, but this needs to be properly secured to ensure access is limited as much as possible.

Answer Description

Network Address Translation (NAT) allows many devices to share an IP when accessing another network. Most commonly it is used to allow internal devices to share public IP addresses when accessing the internet. Benefits of NAT include minimizing the number of public IP addresses required (they cost money and for IPv4 there is a limited number available) as well as masking the origin of the request which provides security benefits. Generally NAT is used on a router or firewall.

Wikipedia

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.As network address translation modifies the IP address information in packets, NAT implementations may vary in their specific behavior in various addressing cases and their effect on network traffic. The specifics of NAT behavior are not commonly documented by vendors of equipment containing NAT implementations.

Answer Description

3DES or Triple DES applies the DES algorithm three times. DES uses 16 rounds so we can conclude that 3 DES performs 48 (3 * 16 = 48)

Wikipedia

In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. A CVE released in 2016, CVE-2016-2183 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, NIST has deprecated DES and 3DES for new applications in 2017, and for all applications by 2023. It has been replaced with the more secure, more robust AES. While the government and industry standards abbreviate the algorithm's name as TDES (Triple DES) and TDEA (Triple Data Encryption Algorithm), RFC 1851 referred to it as 3DES from the time it first promulgated the idea, and this namesake has since come into wide use by most vendors, users, and cryptographers.

Answer Description

A SYN Flood sends a large number of SYN requests (the first step in creating a new TCP connection). After this the attacker ignores the ACK which is sent back from the server and simply sends another SYN. The goal is to overload the server with huge number of open TCP connections. By doing so the server will not be able to respond to valid traffic from normal users - thus resulting in a Denial of Service (DOS).

Wikipedia

A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.The packet that the attacker sends is the SYN packet, a part of TCP's three-way handshake used to establish a connection.

Answer Description

The attack described in the question is an Amplification attack using the DNS protocol. Amplification attacks are done by sending small requests to servers that will receive large responses. Add a spoofed IP to the mix and an attacker can send huge numbers of the requests (because they are small) which will result in large responses being sent to the victim. This is a type of DDOS attack. DNS and NTP are common protocols used to conduct an amplification attack.

Answer Description

Code signing can be used to digitally sign a program's executable or script files. This allows the person/computer running the application or script to verify it's authenticity as well as ensuring it has not been altered since the developer created it.

Wikipedia

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object.The efficacy of code signing as an authentication mechanism for software depends on the security of underpinning signing keys. As with other public key infrastructure (PKI) technologies, the integrity of the system relies on publishers securing their private keys against unauthorized access. Keys stored in software on general-purpose computers are susceptible to compromise. Therefore, it is more secure, and best practice, to store keys in secure, tamper-proof, cryptographic hardware devices known as hardware security modules or HSMs.

Answer Description

A Virtual Local Area Network (VLAN) provides a logical or virtual way to separate areas of a network. This means devices can physically share the same network infrastructure (e.g. using a common switch) but remain separated from each other on the network.

Wikipedia

A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by additional logic. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed. VLANs allow network administrators to group hosts together even if the hosts are not directly connected to the same network switch. Because VLAN membership can be configured through software, this can greatly simplify network design and deployment. Without VLANs, grouping hosts according to their resource needs the labor of relocating nodes or rewiring data links. VLANs allow devices that must be kept separate to share the cabling of a physical network and yet be prevented from directly interacting with one another. This managed sharing yields gains in simplicity, security, traffic management, and economy. For example, a VLAN can be used to separate traffic within a business based on individual users or groups of users or their roles (e.g. network administrators), or based on traffic characteristics (e.g. low-priority traffic prevented from impinging

Answer Description

Using a Hash or Hashing data converts information using a one way function. This means it cannot be converted back into it's original format. This is ideal for storing things like passwords so even if the list of hashed passwords is lost they cannot be easily "decrypted."

Wikipedia

A cryptographic hash function (CHF) is a mathematical algorithm that maps data of an arbitrary size (often called the "message") to a bit array of a fixed size (the "hash value", "hash", or "message digest"). It is a one-way function, that is, a function for which it is practically infeasible to invert or reverse the computation. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes. Cryptographic hash functions are a basic tool of modern cryptography. A cryptographic hash function must be deterministic, meaning that the same message always results in the same hash. Ideally it should also have the following properties: it is quick to compute the hash value for any given message it is infeasible to generate a message that yields a given hash value (i.e. to reverse the process that generated the given hash value) it is infeasible to find two different messages with the same hash value a small change to a message should change the hash value so extensively that a new hash value appears uncorrelated with the old hash value (avalanche effect) Cryptographic hash functions have many information-security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental

Answer Description

This type of attack is known as an Evil Twin. The attacker sets up a wireless access point in the hopes of tricking users to use it instead of the valid one (for example by giving it the same or similar SSID). Users that fall for the trick may expose sensitive information like passwords by using evil twin access point.

Wikipedia

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there.

Answer Description

A credentialed vulnerability scan was done. While the other answers could also be correct (e.g. it could have been an intrusive and credentialed scan) but with the information given in the question you could not know this. When a credentialed scan is used the scanner has valid user credentials while in a non-credentialed attack they do not.

Answer Description

The Health Insurance Portability and Accountability Act (HIPAA) is a regulatory act in the United States that sets requirements for companies that store sensitive health data. It applies to hospitals, insurance companies, etc. as well as any companies that store health related data in HR systems (one example could be if an employee in a warehouse cannot lift above a certain weight).

Wikipedia

The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It modernized the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. With limited exceptions, it does not restrict patients from receiving information about themselves. It does not prohibit patients from voluntarily sharing their health information however they choose, nor does it require confidentiality where a patient discloses medical information to family members, friends, or other individuals not a part of a covered entity. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.

Answer Description

This type of network setup is called an Extranet. An extranet is a private network that allows access to certain authorized parties. Most commonly this would be to share systems like a file server between two companies that have created a long-term partnership.

Wikipedia

An extranet is a controlled private network that allows access to partners, vendors and suppliers or an authorized set of customers – normally to a subset of the information accessible from an organization's intranet. An extranet is similar to a DMZ in that it provides access to needed services for authorized parties, without granting access to an organization's entire network. Historically, the term was occasionally also used in the sense of two organizations sharing their internal networks over a virtual private network (VPN).

Answer Description

Trusted Platform Module (TPM) is a chip embedded into a device's motherboard. TPM's provide a way for the device to securely store certain important artifacts like passwords and cryptographic keys.

Wikipedia

Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard. TPM is used for digital rights management (DRM), Windows Defender, Windows Domain logon, protection and enforcement of software licenses, and prevention of cheating in online games.One of Windows 11's system requirements is TPM 2.0. Microsoft has stated that this is to help increase security against firmware and ransomware attacks.

Answer Description

A generator is the best option here because it can operate for as long as there is fuel and can power entire buildings at once. It is also the most expensive solution. An Uninterruptible Power Supply (UPS) will provide temporary power (a few minutes to a few hours) to electronic devices in the event of a power outage, so while helpful it is not enough to meet the 24 hour requirement.

Answer Description

Online Certificate Status Protocol (OCSP) is used for obtaining the status of X.509 digital certs.

Wikipedia

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders. Some web browsers (Firefox) use OCSP to validate HTTPS certificates, while others have disabled it. Most OCSP revocation statuses on the Internet disappear soon after certificate expiration.

Answer Description

Mean time to recovery (MTTR) is the estimated amount of time between a failure and recovery of a device. Mean time between failures (MTBF) is the average amount of time between failures of a device (generally provided by the manufacturer). Mean time to failure (MTTF) is the length of time a device lasts in operation. MRTR is something we made up.

Wikipedia

Mean time to recovery (MTTR) is the average time that a device will take to recover from any failure. Examples of such devices range from self-resetting fuses (where the MTTR would be very short, probably seconds), to whole systems which have to be repaired or replaced. The MTTR would usually be part of a maintenance contract, where the user would pay more for a system MTTR of which was 24 hours, than for one of, say, 7 days. This does not mean the supplier is guaranteeing to have the system up and running again within 24 hours (or 7 days) of being notified of the failure. It does mean the average repair time will tend towards 24 hours (or 7 days). A more useful maintenance contract measure is the maximum time to recovery which can be easily measured and the supplier held accountably. Note that some suppliers will interpret MTTR to mean 'mean time to respond' and others will take it to mean 'mean time to replace/repair/recover/resolve'. The former indicates that the supplier will acknowledge a problem and initiate mitigation within a certain timeframe. Some systems may have an MTTR of zero, which means that they have redundant components which can take over the instant the primary one fails, see RAID for example. However, the failed device involved in this redundant configuration still needs to be returned to service and hence the device itself has a non-zero MTTR even if the system as a whole (through redundancy) has an MTTR of zero.