Chapter 8 (Lecture 7) Flashcards

1
Q

What is the major difference between a virus and a worm?

A

Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible.

However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate.

Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well-connected network.

2
Q

Explain the four propagation methods used by Robert Tappan Morris’s Internet Worm.

A

The Internet Worm used four propagation techniques.

First, it exploited a bug in the sendmail utility that allowed it to spread itself by sending a specially crafted email message that contained its code to the sendmail program on a remote system.

Second, it used a dictionary-based password attack to attempt to gain access to remote systems by utilizing the username and password of a valid system user.

Third, it exploited a buffer overflow vulnerability in the finger program to infect systems.

Fourth, it analyzed any existing trust relationships with other systems on the network and attempted to spread itself to those systems through the trusted path.

3
Q

What are the actions an antivirus software package might take when it discovers an infected file?

A

If possible, antivirus software may try to disinfect an infected file, removing the virus’s malicious code.
If that fails, it might either quarantine the file for manual review or automatically delete it to prevent further infection.

4
Q

Explain how a data integrity assurance package like Tripwire provides some secondary virus detection capabilities.

A

Data integrity assurance packages like Tripwire compute hash values for each file stored on a protected system.
If a file infector virus strikes the system, this would result in a change in the affected file’s hash value and would, therefore, trigger a file integrity alert.

5
Q
What is the most commonly used technique to protect against virus attacks?

A. Signature detection

B. Heuristic detection

C. Data integrity assurance

D. Automated reconstruction

A
A. Signature detection mechanisms use known descriptions of viruses to identify malicious code resident on a system.
6
Q
You are the security administrator for an e-commerce company and are placing a new web server into production. What network zone should you use?

A. Internet

B. DMZ

C. Intranet

D. Sandbox

A
B. The DMZ (demilitarized zone) is designed to house systems like web servers that must be accessible from both the internal and external networks.
7
Q
Which one of the following types of attacks relies upon the difference between the timing of two events?

A. Smurf

B. TOCTTOU

C. Land

D. Fraggle

A
B. The time-of-check-to-time-of-use (TOCTTOU) attack relies upon the timing of the execution of two events.
8
Q
Which of the following techniques requires that administrators identify appropriate applications for an environment?

A. Sandboxing

B. Control signing

C. Integrity monitoring

D. Whitelisting

A
D. Application whitelisting requires that administrators specify approved applications; the operating system then uses this list to allow only known good applications to run.
9
Q
What advanced virus technique modifies the malicious code of a virus on each system it infects?

A. Polymorphism

B. Stealth

C. Encryption

D. Multipartitism

A
A. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.
10
Q
Which one of the following tools provides a solution to the problem of users forgetting complex passwords?

A. LastPass

B. Crack

C. Shadow password files

D. Tripwire

A
A. LastPass is a tool that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all.
11
Q
What type of application vulnerability most directly allows an attacker to modify the contents of a system’s memory?

A. Rootkit

B. Back door

C. TOC/TOU

D. Buffer overflow

A
D. Buffer overflow attacks allow an attacker to modify the contents of a system’s memory by writing beyond the space allocated for a variable.
12
Q
Which one of the following passwords is least likely to be compromised during a dictionary attack?

A. mike

B. elppa

C. dayorange

D. fsasoalg

A
D. Except for option D, the choices are forms of common words that might be found during a dictionary attack. mike is a name and would be easily detected. elppa is simply apple spelled backwards, and dayorange combines two dictionary words. Crack and other utilities can easily see through these “sneaky” techniques. Option D is simply a random string of characters that a dictionary attack would not uncover.
13
Q
What file is instrumental in preventing dictionary attacks against UNIX systems?

A. /etc/passwd

B. /etc/shadow

C. /etc/security

D. /etc/pwlog

A
B. Shadow password files move encrypted password information from the publicly readable /etc/passwd file to the protected /etc/shadow file.
14
Q
What character should always be treated carefully when encountered as user input on a web form?

A. !

B. &

C. *

D. '

A
D. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.
15
Q
What database technology, if implemented for web forms, can limit the potential for SQL injection attacks?

A. Triggers

B. Stored procedures

C. Column encryption

D. Concurrency control

A
B. Developers of web applications should leverage database stored procedures to limit the application’s ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database administrators.
16
Q
What type of reconnaissance attack provides attackers with useful information about the services running on a system?

A. Session hijacking

B. Port scan

C. Dumpster diving

D. IP sweep

A
B. Port scans reveal the ports associated with services running on a machine and available to the public.
17
Q
What condition is necessary on a web page for it to be used in a cross-site scripting attack?

A. Reflected input

B. Database-driven content

C. .NET technology

D. CGI scripts

A
A. Cross-site scripting attacks are successful only against web applications that include reflected input.
18
Q
What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?

A. Stealth virus

B. Companion virus

C. Polymorphic virus

D. Multipartite virus

A
D. Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach.
19
Q
What is the most effective defense against cross-site scripting attacks?

A. Limiting account privileges

B. Input validation

C. User authentication

D. Encryption

A
B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML <SCRIPT> tag in the input.
20
Q
What worm was the first to cause major physical damage to a facility?

A. Stuxnet

B. Code Red

C. Melissa

D. rtm

A
A. Stuxnet was a highly sophisticated worm designed to destroy nuclear enrichment centrifuges attached to Siemens controllers.
21
Q
Ben’s system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in?

A. Escalation of privilege

B. Back door

C. Rootkit

D. Buffer overflow

A
B. Back doors are undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions.
22
Q
What technology does the Java language use to minimize the threat posed by applets?

A. Confidentiality

B. Encryption

C. Stealth

D. Sandbox

A
D. The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.
23
Q
What HTML tag is often used as part of a cross-site scripting (XSS) attack?

A. “H1”

B. “HEAD”

C. “XSS”

D. “SCRIPT”

A
D. The SCRIPT tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.
24
Q
When designing firewall rules to prevent IP spoofing, which of the following principles should you follow?

A. Packets with internal source IP addresses don’t enter the network from the outside.

B. Packets with internal source IP addresses don’t exit the network from the inside.

C. Packets with public IP addresses don’t pass through the router in either direction.

D. Packets with external source IP addresses don’t enter the network from the outside.

A
A. Packets with internal source IP addresses should not be allowed to enter the network from the outside because they are likely spoofed.
25
Q

Virus propagation techniques

A
  1. Macro virus
  2. MBR virus
  3. File infector virus
26
Q

What is a Macro virus?

A

Many common software applications implement some sort of scripting functionality to assist with the automation of repetitive tasks (for example, VBA).

Macro viruses first appeared in the mid-1990s and infected documents created in the popular Microsoft Word environment.

Although they were relatively unsophisticated, these viruses spread rapidly because the antivirus community didn’t anticipate them.

27
Q

Master Boot Record (MBR) virus

A

A master boot record virus (or MBR virus) attacks the MBR, the portion of bootable media (e.g., a hard drive) that the computer uses to load the operating system during the boot process.

The virus stores most of its code on another portion of the media.
When the system reads the infected MBR, the virus instructs it to read and execute the code stored in the alternate location.

28
Q

File infector virus

A

A file infector virus infects different types of executable files and triggers when the operating system attempts to execute them.
Example: .exe and .com files on Windows-based systems.

Easily detectable by comparing file hashes.

29
Q

What are the Main Virus Technologies?

A
  1. Multipartite
  2. Stealth
  3. Polymorphic
  4. Encrypted
30
Q

What is a Multipartite Virus?

A

Multipartite viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method.

For example, a virus may infect both executable files and the MBR.

31
Q

What is a Stealth Virus?

A

Stealth viruses hide themselves by tampering with the operating system.

For example, a stealth MBR virus might infect the system’s MBR and also modify the operating system’s file access functionality to cover its tracks.

When the antivirus software requests a copy of the MBR, the modified operating system code provides it with a clean version of the MBR.

However, when the system boots, it reads the infected MBR and loads the virus into memory.

32
Q

What is a Polymorphic Virus?

A

Polymorphic viruses modify their code as they move from system to system, so the signature of the virus is different each time it infects a new system.

A constantly changing signature should, in theory, render signature-based antivirus packages useless.

However, current antivirus packages are able to detect known polymorphic viruses.

33
Q

What is an Encrypted Virus?

A

Encrypted viruses use cryptographic techniques to avoid detection.

As with polymorphic viruses, each infected system has a virus with a different signature.
However, encrypted viruses generate these different signatures by encrypting their code with different cryptographic keys.
Encrypted viruses use a decryption routine, which contains the cryptographic information necessary to load and decrypt the main virus code.

This routine often contains signatures that render it vulnerable to antivirus software.

34
Q

What are Logic Bombs?

A

Logic bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions.

35
Q

What are Trojan Horses?

A

Trojans differ very widely in functionality.
Some are fairly innocuous.
Some will destroy all the data stored on a system in an attempt to cause a large amount of damage in a short time frame.

Example: in 2002, a program was distributed that claimed to run Xbox content.
When users ran the program, it simply didn’t work.
However, it inserted a value into the Windows Registry that caused a specific web page to open each time the computer booted.

36
Q

How do Worms Work?

A

Worms pose a significant risk to network security.
They contain the same destructive potential as other malicious code objects, but they can also propagate without requiring any human intervention.

37
Q

What is Spyware?

A

Spyware monitors your actions and transmits important details to a remote system that spies on your activity.

38
Q

Adware

A

Adware is quite similar to spyware in form, but has a different purpose.
It uses a variety of techniques to display advertisements on infected computers.

39
Q

Name 5 types of Attacks

A
  1. Denial-of-Service Attacks
  2. Distributed DoS Toolkits
  3. Smurf Attacks
  4. DNS Amplification Attacks
  5. Teardrop
  6. Land Attack
  7. Ping of Death
  8. Buffer Overflows
  9. Time-of-Check-to-Time-of-Use
  10. Trap Doors
  11. Rootkits
40
Q

DoS attacks

A

DoS attacks prevent legitimate users from accessing resources.

In some attacks, a brute-force approach is used, simply overwhelming a targeted system with many requests.

Others use elegantly crafted commands that cause vulnerable systems to crash or hang indefinitely.

41
Q

Classes of DoS Attacks

A
  • SYN Flood
  • Distributed DoS Toolkits
  • Smurf
  • DNS Amplification Attacks
  • Teardrop
  • Land
  • DNS Poisoning
  • Ping of Death
42
Q

Distributed DoS Toolkits

A

Distributed denial-of-service (DDoS) attacks allow attackers to harness the power of many third-party systems to attack the target.

Trinoo and Tribe Flood Network (TFN) are two commonly used DDoS toolkits.

43
Q

Smurf Attacks

A

The smurf attack is a distributed reflective denial-of-service (DRDoS) attack.
Attacks are amplified using one or more third-party networks.

44
Q

DNS Amplification Attacks

A

Causes flooding similar to a smurf attack.

An attacker tricks unwitting participants into sending unwanted traffic to a third party.

45
Q

Teardrop Attack

A

A teardrop attack is a fragmentation attack (a DoS attack).

Fragmentation attacks exploit vulnerabilities in the fragment reassembly functionality of the TCP/IP protocol stack.

System administrators can configure the maximum size allowed for TCP/IP packets on each network.

When a network receives a packet larger than its maximum allowable size, it breaks it up into two or more fragments.
These fragments are each assigned a size and an offset.

In the teardrop attack, attackers use software that sends out packet fragments that do not conform to the protocol specification.

Specifically, they send two or more overlapping fragments.

When the receiving system tries to reassemble the fragmented packet, it doesn’t know how to handle the fragments and freezes or crashes.

46
Q

Land Attack

A

The land denial-of-service attack causes many older operating systems to freeze and behave in an unpredictable manner.

47
Q

Ping Of Death

A

The largest permissible ICMP packet is 65,536 bytes.
Many early OS developers relied upon the assumption that the protocol stack of sending machines would never exceed this value and did not build in error-handling routines to monitor for packets exceeding this limit.

48
Q

Buffer Overflow

A

Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size.

User data can overwrite system commands.

Buffer overflow vulnerabilities are especially prevalent in code developed rapidly for the Web using CGI or other languages.

49
Q

Time-of-Check-to-Time-of-Use (TOCTTOU)

A

TOCTTOU is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource use.

50
Q

RootKits

A

Rootkits are specialized software packages that allow attackers to gain expanded access to a system.

51
Q

Trap doors (or back doors)

A

Undocumented access mechanisms that allow software developers to bypass normal access restrictions.

52
Q

What is Cross-site Scripting (XSS)?

A

Cross-site scripting (XSS) is a security vulnerability typically found in web applications.
It enables attackers to leverage some type of reflected input to inject client-side scripts into web pages viewed by other users.

53
Q

What is SQL Injection?

A

SQL injection attacks allow a malicious individual to directly perform SQL transactions against the underlying database.

54
Q

How do IP Probes Work?

A

IP probes (also known as IP sweeps or ping sweeps) are often the first type of network reconnaissance carried out against a target system.

  • Automated tools simply attempt to ping each address in a range.
  • Systems that respond to the ping request are logged for further analysis.
  • Addresses that do not produce a response are assumed to be unused and are ignored.

Disabling ping responses helps.

55
Q

How do Port Scans Work?

A

After performing an IP probe, attackers have a list of active systems on a network.

The next step is to select one or more systems to target with additional attacks.

Often, attackers have a type of target in mind, such as a web server or other servers supporting critical operations.

56
Q

Vulnerability Scans

A

Once the attacker determines a specific system to target, they need to discover a specific vulnerability that can be exploited.

Vulnerability scanners are highly automated tools.
They can probe an entire network for any exploitable weaknesses.

57
Q

Dumpster Diving

A

Dumpster diving consists of analyzing waste to gain intelligence that might help launch an attack.