Malware and Social Engineering

Question 1

What is the difference between a worm and a virus?

A. A worm is self-replicating but a virus isn’t self-replicating
B. A virus is self-replicating but a worm isn’t self-replicating
C. A virus runs in response to an event such as a date, but a worm runs on its own schedule D. A worm runs in response to an event such as a date, but a virus runs on its own schedule

Answer 1

A. A worm is self-replicating. Viruses are not self-replicating but require user interaction to run. A logic bomb runs in response to an event such as a date, but worms and viruses do not run in response to events.

Question 2

After downloading pirated software, a user notices the computer is running very slowly and antivirus software is detecting malware. What likely happened?

A. The user installed a Trojan
B. The user installed a worm
C. The user installed a logic bomb
D. The user installed a botnet

Answer 2

B. Users can unknowingly transfer and install Trojan horse malware onto their systems with USB thumb drives. Spam is unwanted e-mail filtered with anti-spam software. A buffer overflow occurs when a system receives unexpected data or more data than program can handle. A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date.

Question 3

What type of malware do users inadvertently install with USB thumb drives?

A. Spam
B. Trojans
C. Buffer overflow
D. Logic bomb

Answer 3

B. Users can unknowingly transfer and install Trojan horse malware onto their systems with USB thumb drives. Spam is unwanted e-mail filtered with anti-spam software. A buffer overflow occurs when a system receives unexpected data or more data than program can handle. A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date.

Question 4

At 9 a.m. on January 31, an administrator starts receiving alerts from monitoring systems indicating problems with servers in the datacenter. He discovers that all servers are unreachable. Of the following choices, what is the most likely cause?      
A. Logic bomb      
B. XSRF attack      
C. Buffer overflow      
D. Rootkit

Answer 4

A. A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date, and since all the servers are affected at the same time, this is the most likely cause. An XSRF occurs when an attacker tricks a user into performing an action on a website. A buffer overflow attack occurs when an attacker sends more data to a single system than it can handle and overwrites memory locations, and would not affect all servers at the same time. A rootkit provide attackers with system or kernel access on a single system and can modify file system operations for a single system.

Question 5

An employee has added malicious code into the company’s personnel system. The code verifies the employment status of the employee once a month. If the check shows the person is no longer an active employee, it launches attacks on internal servers. What type of code is this?

A. Botnet
B. Logic bomb
C. Trojan
D. Adware

Answer 5

B. A logic bomb is a program or code snippet that executes in response to an event and can execute after checking for a condition. A botnet is group of computers controlled through command and control software, and commonly launches DDoS attacks. A Trojan appears to be something useful but instead includes something malicious, but the code in this question is strictly malicious. Adware may open and close windows with advertisements and pop-up blockers can block it.

Question 6

A process running on a system has system level access to the operating system kernel. Investigation shows that it has modified system files. What best describes this behavior?  
    
A. Rootkit      
B. Worm      
C. Cross-site scripting      
D. Adware

Answer 6

A. Rootkits provide attackers with system level (or kernel) access and can modify file system operations. A worm is self-replicating malware but wouldn’t typically have system level access. Cross-site scripting allows an attacker to inject malicious code into a website’s HTML pages. Adware may open and close windows with advertisements, but wouldn’t modify administrative access.

Question 7

Where would a security specialist look for a hooked process?

A. Rootkit
B. Disk
C. RAM
D. Firewall log

Answer 7

C. Processes (including hooked processes) are stored and run from random access memory (RAM), so experts look in RAM for hooked processes. A rootkit commonly uses a hooked process, but examining files in the rootkit would not identify a hooked process. Rootkit files would be stored on the drive but not hooked processes. A firewall log can record firewall activity but it wouldn’t include information on hooked processes.

Question 8

A file integrity checker on a database server detected several modified system files. What could cause this?

A. Spam
B. Buffer overflow
C. Logic bomb
D. Rootkit

Answer 8

D. Rootkits have system level (or kernel) access and can modify system files (detectable with host-based intrusion detection systems or antivirus software file integrity checkers). Spam is unwanted e-mail and doesn’t modify system files. A buffer overflow occurs when a vulnerable application receives unexpected data that it can’t handle, but it isn’t necessarily an attack. A logic bomb is a program or code snippet that executes in response to an event, such as a specific time or date.

Question 9

What can you use to block unsolicited e-mail?      
A. Spam filter      
B. Rootkit      
C. Spyware      
D. Antivirus software

Answer 9

A. A spam filter filters out, or blocks, unsolicited e-mail (spam). A rootkit is malicious software with kernel level access that hides its processes to prevent detection. Spyware is software installed on users’ systems without their awareness or consent. Antivirus software can detect viruses, worms, and Trojan horses.

Question 10

What can reduce unwanted e-mail that contains advertisements?

A. Anti-spam software
B. Antivirus software
C. File integrity checkers
D. Botnet software

Answer 10

A. Anti-spam software can filter out unwanted or unsolicited e-mail (also called spam). Antivirus software detects and blocks malware such as viruses, worms, and Trojans. File integrity checks can detect if a rootkit modified system files. A botnet is a network of multiple computers and attackers use them to send spam and attack other systems.

Question 11

A user’s system has spyware installed. What is the most likely result?

A. Loss of root level access
B. Loss of confidentiality
C. Loss of integrity
D. Loss of anonymity on the Internet

Answer 11

B. Spyware collects user data and results in the loss of confidentiality. A rootkit may remove a user’s root level access. Spyware rarely disables systems or modifies data, so integrity is not lost, though spyware may slow a system down. There is no such thing as anonymity on the Internet, with or without spyware.

Question 12

Additional windows are appearing when a user surfs the Internet. These aren’t malicious, but the user wants them to stop. What can stop this behavior?

A. Antivirus software
B. Host-based firewall
C. Pop-up blocker
D. Input validation

Answer 12

C. Pop-up windows are windows that appear while browsing, and a pop-up blocker blocks them. Antivirus software can detect and remove many types of malware but cannot block pop-ups. Firewalls can block intrusions but can’t block pop-ups. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks.

Question 13

What type of signature-based monitoring can detect and remove known worms and Trojans?      
A. Anti-spyware      
B. NIDS      
C. NIPS      
D. Antivirus

Answer 13

D. Antivirus software monitors a system and can detect and remove known malware (including worms and Trojans) based on signatures. Anti-spyware detects spyware, and while it can detect some types of malware, it isn’t as reliable as antivirus software to detect malware. Intrusion detection and prevention systems do not remove malware such as worms and Trojans, though they may detect network activity from a worm.

Question 14

A user’s computer has recently been slower than normal and has been sending out e-mail without user interaction. Of the following choices, what is the best choice to resolve this issue?

A. Botnet software
B. Anti-spam software
C. Anti-spyware software
D. Antivirus software

Answer 14

D. Antivirus software can resolve many types of malware infections and this activity indicates an infection possibly related to a botnet. Botnet software is malware that joins a computer to a botnet and does not resolve problems, but causes them. Anti-spam software can block spam coming in but wouldn’t remove malware or block e-mails going out. Anti-spyware software detects spyware, and some malware but isn’t as good a choice as antivirus software.

Question 15

While surfing the Internet, a user sees a message indicating a malware infection and offering free antivirus software. The user downloads the free antivirus software but realizes it infected this system. Which of the following choices best explains what happened to the user?

A. Social engineering
B. Trojan
C. Vishing
D. Spim

Answer 15

A. The user was tricked by the website using a sophisticated form of social engineering. The system, not the user, was infected with a Trojan commonly known as rogueware or scareware. Vishing is a form of phishing that uses recorded voice over the telephone. Spim is a form of spam using instant messaging (IM).

Question 16

An attacker wants to obtain bank account information from a user. Which of the following methods do attackers use?

A. Tailgating
B. Fuzzing
C. Password masking
D. Phishing

Answer 16

D. Phishing is the practice of sending e-mail to users with the purpose of tricking them into revealing personal information (such as bank account information). Tailgating occurs when one user follows closely behind another user without using credentials, and mantraps help prevent tailgating. Fuzzing, or fuzz testing, sends invalid, unexpected, or random data to a system to detect buffer overflow vulnerabilities. Password masking displays a special character, such as an asterisk (*), instead of the password to prevent shoulder surfing.

Question 17

Of the following choices, what best represents an attack against specific employees of a company?      
A. Phishing      
B. Vishing      
C. Spim      
D. Spear phishing

Answer 17

D. A spear phishing attack targets a specific person or specific groups of people such as employees of a company. Phishing sends e-mail to users with the purpose of tricking them into revealing personal information, such as bank account information, but it doesn’t target specific employees of a company. Vishing is a form of phishing that uses recorded voice over the telephone. Spim is a form of spam using instant messaging

Question 18

Attackers sent a targeted e-mail attack to the president of a company. What best describes this attack?

A. Phishing
B. Spam
C. Whaling
D. Botnet

Answer 18

C. Whaling is a phishing attack that targets high-level executives. Phishing sends e-mail to users with the purpose of tricking them into revealing personal information (such as bank account information), but it doesn’t target users. Spam is unsolicited e-mail. Phishing and whaling attacks are sent as spam, but spam itself isn’t a targeted attack. A botnet is a group of computers joined to a network, and criminals control them with command and control servers.

Question 19

Bob reported receiving a message from his bank prompting him to call back about a credit card. When he called back, an automated recording prompted him to provide personal information to verify his identity and then provide details about his bank and credit card accounts. What type of attack is this?

A. Phishing
B. Whaling
C. Vishing
D. VoIP

Answer 19

C. Vishing is a form of phishing that uses recorded voice over the telephone. Phishing sends e-mail to users with the purpose of tricking them into revealing personal information (such as bank account information). Whaling is a phishing attack that targets high-level executives. Vishing attacks often use Voice over IP (VoIP), but VoIP isn’t an attack.

Question 20

An organization regularly shreds paper instead of throwing it away. What are they trying to prevent?
A. Losses due to dumpster diving
B. Losses due to data classification
C. Losses due to data classification labeling D. Losses due to P2P

Answer 20

A. Dumpster divers search through trash looking for information, and shredding mitigates the threat. Data classification helps protect sensitive data by ensuring users understand the value of data. Data labeling ensures that users know what data they are handling and processing. Peer-to-peer (P2P) and file sharing applications cause data leakage, and port scanners can detect P2P applications.

Question 21

21. A person is trying to gain unauthorized information through casual observation. What type of attack is this?   
   
A. Tailgating      
B. Whaling      
C. Dumpster diving      
D. Shoulder surfing

Answer 21

D. Shoulder surfing is an attempt to gain unauthorized information through casual observation, such as looking over someone’s shoulder, and password masking helps mitigate the risk. Tailgating is the practice of one person following closely behind another without showing credentials, and mantraps help prevent tailgating. Whaling is a phishing attack that targets high-level executives. Dumpster divers search through trash looking for information and shredding documents can mitigate their success.

Question 22

A web application developer is suggesting using password masking in the application. What is the developer trying to prevent?

A. Buffer overflow attacks
B. Shoulder surfing
C. SQL injection
D. Cross-site scripting

Answer 22

B. Password masking displays a special character, such as an asterisk (*), instead of the password to prevent shoulder surfing. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks.