Chapter 8 (Lecture 7) Flashcards
- What is the major difference between a virus and a worm?
- Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible. However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate. Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well-connected network.
- Explain the four propagation methods used by Robert Tappan Morris’s Internet Worm.
- The Internet Worm used four propagation techniques. First, it exploited a bug in the sendmail utility that allowed it to spread itself by sending a specially crafted email message that contained its code to the sendmail program on a remote system. Second, it used a dictionary-based password attack to attempt to gain access to remote systems by utilizing the username and password of a valid system user. Third, it exploited a buffer overflow vulnerability in the finger program to infect systems. Fourth, it analyzed any existing trust relationships with other systems on the network and attempted to spread itself to those systems through the trusted path.
- What are the actions an antivirus software package might take when it discovers an infected file?
- If possible, antivirus software may try to disinfect an infected file, removing the virus’s malicious code. If that fails, it might either quarantine the file for manual review or automatically delete it to prevent further infection.
- Explain how a data integrity assurance package like Tripwire provides some secondary virus detection capabilities.
- Data integrity assurance packages like Tripwire compute hash values for each file stored on a protected system. If a file infector virus strikes the system, this would result in a change in the affected file’s hash value and would, therefore, trigger a file integrity alert.
- What is the most commonly used technique to protect against virus attacks?
A. Signature detection
B. Heuristic detection
C. Data integrity assurance
D. Automated reconstruction
- A. Signature detection mechanisms use known descriptions of viruses to identify malicious code resident on a system.
- You are the security administrator for an e-commerce company and are placing a new web server into production. What network zone should you use?
A. Internet
B. DMZ
C. Intranet
D. Sandbox
- B. The DMZ (demilitarized zone) is designed to house systems like web servers that must be accessible from both the internal and external networks.
- Which one of the following types of attacks relies upon the difference between the timing of two events?
A. Smurf
B. TOCTTOU
C. Land
D. Fraggle
- B. The time-of-check-to-time-of-use (TOCTTOU) attack relies upon the timing of the execution of two events.
- Which of the following techniques requires that administrators identify appropriate applications for an environment?
A. Sandboxing
B. Control signing
C. Integrity monitoring
D. Whitelisting
- D. Application whitelisting requires that administrators specify approved applications and then the operating system uses this list to allow only known good applications to run.
- What advanced virus technique modifies the malicious code of a virus on each system it infects?
A. Polymorphism
B. Stealth
C. Encryption
D. Multipartitism
- A. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.
- Which one of the following tools provides a solution to the problem of users forgetting complex passwords?
A. LastPass
B. Crack
C. Shadow password files
D. Tripwire
- A. LastPass is a tool that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all.
- What type of application vulnerability most directly allows an attacker to modify the contents of a system’s memory?
A. Rootkit
B. Back door
C. TOC/TOU
D. Buffer overflow
- D. Buffer overflow attacks allow an attacker to modify the contents of a system’s memory by writing beyond the space allocated for a variable.
- Which one of the following passwords is least likely to be compromised during a dictionary attack?
A. mike
B. elppa
C. dayorange
D. fsasoalg
- D. All of the choices except option D are forms of common words that might be found during a dictionary attack. "mike" is a name and would be easily detected, "elppa" is simply "apple" spelled backwards, and "dayorange" combines two dictionary words. Crack and other utilities can easily see through these “sneaky” techniques. Option D is simply a random string of characters that a dictionary attack would not uncover.
- What file is instrumental in preventing dictionary attacks against UNIX systems?
A. /etc/passwd
B. /etc/shadow
C. /etc/security
D. /etc/pwlog
- B. Shadow password files move encrypted password information from the publicly readable /etc/passwd file to the protected /etc/shadow file.
- What character should always be treated carefully when encountered as user input on a web form?
A. !
B. &
C. *
D. '
- D. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.
- What database technology, if implemented for web forms, can limit the potential for SQL injection attacks?
A. Triggers
B. Stored procedures
C. Column encryption
D. Concurrency control
- B. Developers of web applications should leverage database stored procedures to limit the application’s ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database administrators.
- What type of reconnaissance attack provides attackers with useful information about the services running on a system?
A. Session hijacking
B. Port scan
C. Dumpster diving
D. IP sweep
- B. Port scans reveal the ports associated with services running on a machine and available to the public.
- What condition is necessary on a web page for it to be used in a cross-site scripting attack?
A. Reflected input
B. Database-driven content
C. .NET technology
D. CGI scripts
- A. Cross-site scripting attacks are successful only against web applications that include reflected input.
- What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?
A. Stealth virus
B. Companion virus
C. Polymorphic virus
D. Multipartite virus
- D. Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach.
- What is the most effective defense against cross-site scripting attacks?
A. Limiting account privileges
B. Input validation
C. User authentication
D. Encryption
- B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including HTML tags such as <script> in the input.
- What worm was the first to cause major physical damage to a facility?
A. Stuxnet
B. Code Red
C. Melissa
D. rtm
- A. Stuxnet was a highly sophisticated worm designed to destroy nuclear enrichment centrifuges attached to Siemens controllers.
- Ben’s system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in?
A. Escalation of privilege
B. Back door
C. Rootkit
D. Buffer overflow
- B. Back doors are undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions.
- What technology does the Java language use to minimize the threat posed by applets?
A. Confidentiality
B. Encryption
C. Stealth
D. Sandbox
- D. The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.