Chapter 1

Question 1

What is a threat environment?

Answer 1

A threat environment consists of all the attacks and attackers that a company faces.

Question 2

What are the three goals of security?

Answer 2

It’s the CIA triad:
Confidentiality - No one else can read your information, either while it’s on a computer, or while it’s traveling across a network. Encryption is an example of this.
Integrity - The attacker cannot change or destroy information, or at the worst, the owner can detect the change or destruction.
Availability - Those that are authorized to use the information are not prevent from doing so. This might include failsafe servers and things like that.

Question 3

What is a compromise?

Answer 3

A compromise (also known as an incident or a breach), is basically a successful attack.

Question 4

What are countermeasures? What types of countermeasures are there?

Answer 4

A countermeasure is a tool that is used to thwart attacks. There are three main kinds of countermeasures: Preventative, detective, and corrective.

Question 5

What is a preventative countermeasure?

Answer 5

A preventative countermeasure is there to prevent a certain attack from working (like a firewall).

Question 6

What is a detective countermeasure?

Answer 6

A detective countermeasure detects (duh) that something is wrong. An anti-virus program is this, as well as a corrective.

Question 7

What is a corrective countermeasure?

Answer 7

A corrective countermeasure is a countermeasure that is deployed in order to actually correct a specific attack.

Question 8

Why are employees and ex-employees the most dangerous threats?

Answer 8

Employees and ex-employees are dangerous because they often have knowledge of internal systems, have permissions to access systems, often know how to avoid detection, and they’re generally trusted.
Who watches the watchmen, eh?

Question 9

What sort of things can employees do?

Answer 9

Sabotage - Destruction of hardware, software, or data, or worse, planting of a time bomb or logic bomb on a computer.
Hacking - Accessing things that they don’t have authorization to.
Financial Theft - Theft of assets or money, or the big one, Intellectual Property.
Extortion - Threatening to release information in order to manipulate someone.
Sexual or Racial Harassment of Other Employees - Displaying pornographic material, often via email.
Internet Abuse - Pornography, piracy, excessive personal use.
Carelessness - Loss of computers or media devices that contain sensitive information due to neglect or carelessness.
Contract Workers -

Question 10

What is hacking?

Answer 10

Hacking is defined as intentionally accessing a computer resource without authorization, or going beyond authorization. Authorization is the key here.

Question 11

What is separation of duties?

Answer 11

Separation of duties is the principle in which you only give each employee permissions necessary to complete their jobs.

Question 12

What is malware?

Answer 12

Malware (evil software) is a generic name for… well, “evil software”.

Question 13

What are some examples of malware?

Answer 13

Viruses - Programs that attach themselves to legitimate programs. When those programs are executed, it causes the “virus” to spread to other executables. Primarily, they’re spread by e-mail.
Worms - Programs that do not attach themselves to other programs. They can spread via “direct-propagation”, allowing them to jump between computers without human intervention on the receiving computer, provided it has a targeted vulnerability. They can spread fast.
Blended Threats - Malware that propagates in multiple ways. Think a blend between virus and worm.
Nonmobile malware - Malware that must be placed on the user’s computer through deception of the user.
Trojan Horse - Remote Access Trojan, allows for remote control of the victim’s PC. It masquerade as a good program, until the victim runs it, at which point the payload is delivered.

Question 14

What is a payload?

Answer 14

Payload is the term for the piece of code in malware that does the actual damage.

Question 15

What is spyware?

Answer 15

Spyware is a form of Trojan that gathers information about you and sends it back to someone. It’s subtle. Some only send rather benign information, others do things like logging keys.

Question 16

What is a rootkit?

Answer 16

A rootkit takes control of the super user account, and uses this authority to hide the malware in a far more effective way.

Question 17

What is mobile code?

Answer 17

Mobile code is code embedded in a webpage that is executed automatically (Javascript, Active-X, etc).

Question 18

What is social engineering?

Answer 18

Social engineering is an attempt to trick a user in order to do something that would normally go against security policies. Spam, phishing, hoaxes, that sort of thing.

Question 19

Who are traditional hackers?

Answer 19

Traditional hackers are people who are motivated to bypass security to get a thrill, validation, or a sense of power. Mostly motivated by reputation among their peers, but their crimes are petty at most. Not really relevant any longer.

Question 20

What are Reconnaissance probes?

Answer 20

Reconnaissance probes are the first step of a hack, scanning IP addresses and ports, looking for open ports and services are running. These packets, should they be received, will generate a response, signalling an opening.

Question 21

What is an exploit?

Answer 21

An exploit is the attack method used to break into a computer.

Question 22

What is IP address spoofing?

Answer 22

IP address spoofing is a method of hiding your identity; the catch is that you do not receive packets back.

Question 23

Chain of Attack Computers? What’s that?

Answer 23

A chain of attack computers is when an attacker sends his probes through layers of remote computers.

Question 24

What is piggybacking?

Answer 24

Piggybacking is a form of social engineering whereupon someone “holds the door” into a secured area for someone who has no authorization to be there.

Question 25

What is shoulder surfing?

Answer 25

Shoulder surfing is the simple act of watching someone type their password over their shoulder, or otherwise hidden.

Question 26

What is a Denial-of-Service attack?

Answer 26

A Denial-of-Service attack is when a server or network is made unavailable to legitimate users by sending a flood of attack messages to the victim. An alternate method is the Distributed DoS attack, where the victim is flooded by bots. The packets sent don’t even have to be malicious; there just have to be a lot of them.

Question 27

What is a bot?

Answer 27

A bot is a machine that has been compromised by an attacker, allowing the attacker to remotely control the machine and direct it to send attack packets, spam, etc.

Question 28

What is click fraud?

Answer 28

Click fraud is when a company pays for ads, and then uses a bot to click that ad to generate revenue.

Question 29

What is SCADA?

Answer 29

Systems Control and Data Acquisition - Things like the infrastructure of an area; water treatment plants, power plants, that sort of thing. These are targets of cyberwar and cyberterror.

Question 30

What are the four reasons that employees are especially dangerous?

Answer 30

1. They usually have extensive knowledge of the system.
2. They often have access to sensitive parts of systems.
3. They know how to avoid detection.
4. They are trusted by their employer.

Question 31

What type of employee is the most dangerous?

Answer 31

IT employees are the most dangerous, due to their extraordinary knowledge and access.

Question 32

Define sabotage.

Answer 32

Sabotage is the destruction of hardware, software, or data.

Question 33

What is intellectual property?

Answer 33

Intellectual property is information that is owned by the company and protected by law.

Question 34

What are the two things employees primarily like to steal?

Answer 34

Employees primarily like to steal finances, and intellectual property.

Question 35

What’s the difference between intellectual property and trade secrets?

Answer 35

Intellectual property is owned by the company and are protected by law. Trade secrets are not protected by law.

Question 36

What is extortion?

Answer 36

Extortion occurs when the perpetrator attempts to control the victim by threatening to take actions that would harm the victim.

Question 37

Who, besides employees, constitute potential “internal” threats.

Answer 37

Contract workers are an internal threat, and are not full employees of the company.

Question 38

What is a RAT?

Answer 38

A RAT, or Remote Access Trojan, is a Trojan that gives the attacker remote control of the computer.

Question 39

What are some ways non-mobile malware can infect a computer?

Answer 39

Non-mobile malware can infect a computer by:
Being placed there by a hacker.
Being deposited as “payload” by a virus or worm.
Enticing the user to download it.
Being executed as mobile code within a website.

Question 40

What’s the difference between a virus and a worm?

Answer 40

A virus infects files and executables and relies on the user for propagation. A worm is a stand-alone program, and does not require the user to propagate, and can do things on its own.

Question 41

How do worms spread?

Answer 41

Worms spread by looking for specific weaknesses in connected systems and exploiting them.

Question 42

What are downloaders?

Answer 42

Downloaders are a form of Trojan horse that are generally small programs, and hard to detect, which then download much larger Trojans.

Question 43

Why can cookies be dangerous?

Answer 43

Cookies are dangerous because cookies can, at times, keep private information such as passwords. Sometimes, when they keep too much personal information, they become spyware.

Question 44

What’s the difference between a Trojan horse and a rootkit?

Answer 44

A Trojan horse replaces a legitimate program. A rootkit takes over the root account of a Unix computer and uses the admin privileges to hide itself.

Question 45

What is a Trojan horse?

Answer 45

A Trojan horse is a program that deletes a legitimate existing system program, and takes its place.

Question 46

What’s the difference between phishing and spear phishing?

Answer 46

Phishing normally targets wide swaths of people. Spear phishing is targeted at one or a few individuals, for a specific purpose.

Question 47

What’s the difference between IP address scanning and port scanning?

Answer 47

IP address uses an ICMP echo on all IP addresses within a range, and listens for echoes back. Port scanning uses the “live” addresses from an IP address scan and sends scanning probes to request connections on specific ports, to determine what is running.

Question 48

What does “owning” a computer mean?

Answer 48

Owning a computer means that the attacker is able to do whatever he or she wishes.

Question 49

When can an attacker not use IP address spoofing?

Answer 49

An attacker cannot use IP address spoofing for reconnaissance probes, as their replies would be lost, and that’s the whole point of the thing.

Question 50

What is pretexting?

Answer 50

Pretexting occurs when an attacker calls and claims to be a specific customer, hoping to get information that is private to that customer.

Question 51

Define fraud.

Answer 51

Fraud occurs when the attacker deceives the victim into doing something that goes against the victim’s financial self-interest.