Chapter 2 - Computer Systems Security

Question 1

A group of compromised computers that have software installed by a worm is known as which of the following?
A.Botnet
B.Virus
C.Honeypot
D.Zombie

Answer 1

A.A botnet is a group of compromised computers, usually working together, with malware that was installed by a worm or a Trojan horse.

Question 2

What are some of the drawbacks to using HIDS instead of NIDS on a server? (Select the two best answers.)
A.A HIDS may use a lot of resources that can slow server performance.
B.A HIDS cannot detect operating system attacks.
C.A HIDS has a low level of detection of operating system attacks.
D.A HIDS cannot detect network attacks.

Answer 2

A and D.Host-based intrusion detection systems (HIDS) run within the operating system of a computer. Because of this, they can slow a computer’s performance. Most HIDS do not detect network attacks well (if at all). However, a HIDS can detect operating system attack and will usually have a high level of detection for those attacks.

Question 3

Which of the following computer security threats can be updated automatically and remotely? (Select the best answer.)
A.Virus
B.Worm
C.Zombie
D.Malware

Answer 3

C.Zombies (also known as zombie computers) are systems that have been compromised without the knowledge of the owner. A prerequisite is the computer must be connected to the Internet so that the hacker or malicious attack can make its way to the computer and be controlled remotely. Multiple zombies working in concert often form a botnet. See the section “Computer Systems Security Threats” earlier in this chapter for more information.

Question 4

Which of the following is the best mode to use when scanning for viruses?
A.Safe Mode
B.Last Known Good Configuration
C.Command Prompt only
D.Boot into Windows normally

Answer 4

A.Safe Mode should be used (if your AV software supports it) when scanning for viruses.

Question 5

Which of the following is a common symptom of spyware?
A.Infected files
B.Computer shuts down
C.Applications freeze
D.Pop-up windows

Answer 5

D.Pop-up windows are common to spyware. The rest of the answers are more common symptoms of viruses.

Question 6

What are two ways to secure the computer within the BIOS? (Select the two best answers.)
A.Configure a supervisor password.
B.Turn on BIOS shadowing.
C.Flash the BIOS.
D.Set the hard drive first in the boot order.

Answer 6

A and D.Configuring a supervisor password in the BIOS disallows any other user to enter the BIOS and make changes. Setting the hard drive first in the BIOS boot order disables any other devices from being booted off, including floppy drives, optical drives, and USB flash drives. BIOS shadowing doesn’t have anything to do with computer security, and although flashing the BIOS may include some security updates, it’s not the best answer.

Question 7

Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason?
A.Virus
B.Worm
C.Zombie
D.PHP script

Answer 7

B.A worm is most likely the reason that the server is being bombarded with information by the clients; perhaps it is perpetuated by a botnet. Because worms self-replicate, the damage can quickly become critical.

Question 8

Which of the following is not an example of malicious software?
A.Rootkits
B.Spyware
C.Viruses
D.Browser

Answer 8

D.A web browser (for example, Internet Explorer) is the only one listed that is not an example of malicious software. Although a browser can be compromised in a variety of ways by malicious software, the application itself is not the malware.

Question 9

Which type of attack uses more than one computer?
A.Virus
B.DoS
C.Worm
D.DDoS

Answer 9

D.A DDoS, or distributed denial of service, attack uses multiple computers to make its attack, usually perpetuated on a server. None of the other answers use multiple computers.

Question 10

What are the two ways that you can stop employees from using USB flash drives? (Select the two best answers.)
A.Utilize RBAC.
B.Disable USB devices in the BIOS.
C.Disable the USB root hub.
D.Enable MAC filtering.

Answer 10

B and C.By disabling all USB devices in the BIOS, a user cannot use his flash drive. Also, the user cannot use the device if you disable the USB root hub within the operating system.

Question 11

Which of the following does not need updating?
A.HIDS
B.Antivirus software
C.Pop-up blockers
D.Antispyware

Answer 11

C.Pop-up blockers do not require updating to be accurate. However, host-based intrusion detection systems, antivirus software, and antispyware all need to be updated to be accurate.

Question 12

Which of the following are Bluetooth threats? (Select the two best answers.)
A.Bluesnarfing
B.Blue bearding
C.Bluejacking
D.Distributed denial of service

Answer 12

A and C.Bluesnarfing and bluejacking are the names of a couple Bluetooth threats. Another attack could be aimed at a Bluetooth device’s discovery mode. To date there is no such thing as blue bearding, and a distributed denial of service attack uses multiple computers attacking one host.

Question 13

What is a malicious attack that executes at the same time every week?
A.Virus
B.Worm
C.Bluejacking
D.Logic bomb

Answer 13

D.A logic bomb is a malicious attack that executes at a specific time. Viruses normally execute when a user inadvertently runs them. Worms can self-replicate at will. And bluejacking deals with Bluetooth devices.

Question 14

Which of these is true for active inception?
A.When a computer is put between a sender and receiver
B.When a person overhears a conversation
C.When a person looks through files
D.When a person hardens an operating system

Answer 14

A.Active inception (aka active interception) normally includes a computer placed between the sender and the receiver to capture information.

Question 15

Tim believes that his computer has a worm. What is the best tool to use to remove that worm? 
A.Antivirus software
B.Antispyware software
C.HIDS
D.NIDS

Answer 15

A.Antivirus software is the best option when removing a worm. It may be necessary to boot into Safe Mode to remove this worm when using antivirus software.

Question 16

Which of the following types of scanners can locate a rootkit on a computer?
A.Image scanner
B.Barcode scanner
C.Malware scanner
D.Adware scanner

Answer 16

C.Malware scanners can locate rootkits and other types of malware. These types of scanners are often found in antimalware software from manufacturers such as McAfee, Norton, Vipre, and so on. Adware scanners (often free) can scan for only adware. Always have some kind of antimalware software running on live client computers!

Question 17

Which type of malware does not require a user to execute a program to distribute the software?
A.Worm
B.Virus
C.Trojan horse
D.Stealth

Answer 17

A.Worms self-replicate and do not require a user to execute a program to distribute the software across networks. All the other answers do require user intervention. Stealth refers to a type of virus.

Question 18

Which of these is not considered to be an inline device?
A.Firewall
B.Router
C.CSU/DSU
D.HIDS

Answer 18

D.HIDS or host-based intrusion detection systems are not considered to be an inline device. This is because they run on an individual computer. Firewalls, routers, and CSU/DSUs are inline devices.

Question 19

Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat?
A.Spyware
B.Spam
C.Viruses
D.Botnets

Answer 19

B.Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible.

Question 20

How do most network-based viruses spread?
A.By CD and DVD
B.Through e-mail
C.By USB flash drive
D.By floppy disk

Answer 20

B.E-mail is the number one reason why network-based viruses spread. All a person needs to do is double-click the attachment within the e-mail, and the virus will do its thing, which is most likely to spread through the user’s address book. Removable media such as CDs, DVDs, USB flash drives, and floppy disks can spread viruses but are not nearly as common as e-mail.

Question 21

Which of the following defines the difference between a Trojan horse and a worm? (Select the best answer.)
A.Worms self-replicate but Trojan horses do not.
B.The two are the same.
C.Worms are sent via e-mail; Trojan horses are not.
D.Trojan horses are malicious attacks; worms are not.

Answer 21

A.The primary difference between a Trojan horse and a worm is that worms will self-replicate without any user intervention; Trojan horses do not self-replicate.

Question 22

Which of the following types of viruses hides its code to mask itself?
A.Stealth virus
B.Polymorphic virus
C.Worm
D.Armored virus

Answer 22

D.An armored virus attempts to make disassembly difficult for an antivirus software program. It thwarts attempts at code examination. Stealth viruses attempt to avoid detection by antivirus software altogether. Polymorphic viruses change every time they run. Worms are not viruses.

Question 23

Which of the following types of malware appears to the user as legitimate but actually enables unauthorized access to the user’s computer?
A.Worm
B.Virus
C.Trojan
D.Spam

Answer 23

C.A Trojan, or a Trojan horse, appears to be legitimate and looks like it’ll perform desirable functions, but in reality it is designed to enable unauthorized access to the user’s computer.

Question 24

Which of the following would be considered detrimental effects of a virus hoax? (Select the two best answers.)
A.Technical support resources are consumed by increased user calls.
B.Users are at risk for identity theft.
C.Users are tricked into changing the system configuration.
D.The e-mail server capacity is consumed by message traffic.

Answer 24

A and C.Because a virus can affect many users, technical support resources can be consumed by an increase in user phone calls and e-mails. This can be detrimental to the company because all companies have a limited amount of technical support personnel. Another detrimental effect is that unwitting users may be tricked into changing some of their computer system configurations. The key term in the question is “virus hoax.” If the e-mail server is consumed by message traffic, that would be a detrimental effect caused by the person who sent the virus and by the virus itself but not necessarily by the hoax. Although users may be at risk for identity theft, it is not one of the most detrimental effects of the virus hoax.

Question 25

To mitigate risks when users accesses company e-mail with their cell phone, what security policy should be implemented on the cell phone?
A.Data connection capabilities should be disabled.
B.A password should be set on the phone.
C.Cell phone data should be encrypted.
D.Cell phone should be only for company use.

Answer 25

B.A password should be set on the phone, and the phone should lock after a set period of time. When the user wants to use the phone again, the user should be prompted for a password. Disabling the data connection altogether would make access to e-mail impossible on the cell phone. Cell phone encryption of data is possible, but it could use a lot of processing power that may make it unfeasible. Whether the cell phone is used only for company use is up to the policies of the company.

Question 26

Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this?
A.Anomaly-based IDS
B.Signature-based IDS
C.Behavior-based IDS
D.Heuristic-based IDS

Answer 26

B.When using an IDS, particular types of traffic patterns refer to signature-based IDS.

Question 27

You are the security administrator for your organization. You want to ensure the confidentiality of data on mobile devices. What is the best solution?
A.Device encryption
B.Remote wipe
C.Screen locks
D.AV software

Answer 27

A.Device encryption is the best solution listed to protect the confidentiality of data. By encrypting the data, it makes it much more difficult for a malicious person to make use of the data. Screen locks are a good idea but are much easier to get past than encryption. Antivirus software will not stop an attacker from getting to the data once the mobile device has been stolen. Remote sanitization doesn’t keep the data confidential, it removes it altogether! While this could be considered a type of confidentiality, it would only be so if a good backup plan was instituted. Regardless, the best answer with confidentiality in mind is encryption. For example, if the device was simply lost, and was later found, it could be reused (as long as it wasn’t tampered with). But if the device was sanitized, it would have to be reloaded and reconfigured before being used again.

Question 28

You are tasked with implementing a solution that encrypts the CEO’s laptop. However, you are not allowed to purchase additional hardware or software. Which of the following solutions should you implement?
A.HSM
B.TPM
C.HIDS
D.USB encryption

Answer 28

B.A TPM or trusted platform module is a chip that resides on the motherboard of the laptop. It generates cryptographic keys that allow the entire disk to be encrypted, as in full disk encryption (FDE). Hardware security modules (HSMs) and USB encryption require additional hardware. A host-based intrusion detection system requires either additional software or hardware.

Question 29

One of your co-workers complains of very slow system performance and says that a lot of antivirus messages are being displayed. The user admits to recently installing pirated software and downloading and installing an illegal keygen to activate the software. What type of malware has affected the user’s computer?
A.Worm
B.Logic bomb
C.Spyware
D.Trojan

Answer 29

D.A Trojan was probably installed (unknown to the user) as part of the keygen package. Illegal downloads often contain malware of this nature. At this point, the computer is compromised. Not only is it infected, but malicious individuals might be able to remotely access it.

Question 30

A smartphone has been lost. You need to ensure 100% that no data can be retrieved from it. What should you do?
A.Remote wipe
B.GPS tracking
C.Implement encryption
D.Turn on screen loc

Answer 30

A.If the device has been lost and you need to be 100% sure that data cannot be retrieved from it, then you should remotely sanitize (or remotely “wipe”) the device. This removes all data to the point where it cannot be reconstructed by normal means. GPS tracking might find the device, but as time is spent tracking and acquiring the device, the data could be stolen. Encryption is a good idea, but over time encryption can be deciphered. Screen locks can be easily circumvented.

Question 31

A user complains that they were browsing the Internet when the computer started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened?
A.The computer is infected with spyware.
B.The computer is infected with a virus.
C.The computer is now part of a botnet.
D.The computer is now infected with a rootkit.

Answer 31

C.The computer is probably now part of a botnet. The reason the system is running slowly is probably due to the fact that there are hundreds of outbound connections to various websites. This is a solid sign of a computer that has become part of a botnet. Spyware, viruses, and rootkits might make the computer run slowly, but they will not create hundreds of outbound connections.