Midterm Review

Question 1

Vulnerability

Answer 1

System weakness vulnerable to a threat

Question 2

Categories of vulnerabilities

Answer 2

• Corruption (Integrity)
• Leakiness (Confidentiality)
• Unavailability or very slow responsiveness (Availability)

Question 3

CIA Triad

Answer 3

• Confidentiality
• Integrity
• Availability

Question 4

Confidentiality

Answer 4

• Keeping data and resources hidden
• “Need to know”, personnel records, trade secrets
• Often, organizations want to protect system configuration and network topology info (resources) as well

Question 5

Integrity

Answer 5

• Data integrity (trustworthiness) - data protected against unauthorized change
• Origin integrity (authentication)
• Mechanisms fall into two classes
• • Prevention
• • Detection

Question 6

Availability

Answer 6

• Ability to use data and resources

- Denial of service attacks are designed to prevent access

Question 7

Prevention

Answer 7

• Prevent attackers from violating security policy
• Typically done by employing mechanisms users cannot override
• • Mechanisms can be cumbersome for users

Question 8

Detection

Answer 8

• Detect attackers’ violation of security policy

- Also an indicator of the effectiveness of prevention mechanisms

Question 9

Recovery

Answer 9

• Stop attack, assess and repair damage
• Continue to function correctly even if the attack succeeds
• • Difficult to implement
• • Typically only used in safety-critical systems

Question 10

Security Policy

Answer 10

A formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

Question 11

Security Implementation

Answer 11

• Prevention
• Detection
• Response
• Recovery

Question 12

Assurance

Answer 12

The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes

Question 13

Evaluation

Answer 13

Process of examining a computer product or system with respect to certain criteria

Question 14

The ideal solution to malware

Answer 14

Prevention

Question 15

Main elements of prevention

Answer 15

• Policy
• Awareness
• Vulnerability
• Threat mitigation

Question 16

If prevention fails, what mechanisms can be used to mitigate the threat?

Answer 16

• Detection
• Identification
• Removal

Question 17

Worm defense approaches

Answer 17

• Signature-based worm scan filtering
• Filter-based worm containment
• Payload-classification-based worm containment
• Threshold random walk (TRW) scan detection
• Rate limiting
• Rate halting

Question 18

Policy

Answer 18

Says what is and is not allowed. Defines security for the site/system/etc.

Question 19

Security Mechanisms

Answer 19

Enforces policy

Question 20

Virus

Answer 20

Piece of software that infects programs

Question 21

Virus Actions

Answer 21

• Modifies them to include a copy of the virus
• Replicates and goes on to infect other content
• Easily spread through network environments

Question 22

Virus Components

Answer 22

• Infection mechanism
• Trigger
• Payload

Question 23

Infection Mechanism

Answer 23

• Means by which a virus spreads or propagates

- Also referred to as the infection vector

Question 24

Trigger

Answer 24

• Event or condition that determines when the payload is activated or delivered
• Sometimes known as a logic bomb

Question 25

Payload

Answer 25

• What the virus does (besides spreading)

- May involve damage or benign but noticeable activity

Question 26

Virus Phases

Answer 26

• Dormant phase
• Triggering phase
• Propagation phase
• Execution phase

Question 27

Dormant Phase

Answer 27

• Virus is idle
• Will eventually be activated by some event
• Not all viruses have this stage

Question 28

Triggering Phase

Answer 28

• Virus is activated to perform the function for which it was intended
• Can be caused by a variety of system events

Question 29

Propagation Phase

Answer 29

• Virus places a copy of itself into other programs or into certain system areas on the disk
• May not be identical to the propagation version
• Each infected program will now contain a clone of the virus which will itself enter a propagation phase

Question 30

Execution Phase

Answer 30

• Function is performed

- May be harmless or damaging

Question 31

Virus Classifications

Answer 31

• Classification by target

- Classification by concealment strategy

Question 32

Classification by Target

Answer 32

• Boot sector infector
• File infector
• Macro virus
• Multipartite virus

Question 33

Classification by Concealment Strategy

Answer 33

• Encrypted virus
• Stealth virus
• Polymorphic virus
• Metamorphic virus

Question 34

Boot sector infector

Answer 34

Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus

Question 35

File infector

Answer 35

Infects files that the operating system or shell considers to be executable

Question 36

Macro virus

Answer 36

Infects files with macro or scripting code that is interpreted by an application

Question 37

Multipartite virus

Answer 37

Infects files in multiple ways

Question 38

Encrypted virus

Answer 38

A portion of the virus creates a random encryption key and encrypts the remainder of the virus

Question 39

Stealth virus

Answer 39

A form of virus explicitly designed to hide from detection by anti-virus software

Question 40

Polymorphic virus

Answer 40

A virus that mutates with every infection

Question 41

Metamorphic virus

Answer 41

A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance

Question 42

Worm

Answer 42

A program that actively seeks out more machines to infect and each infected machine serves as an automated launching pad for attacks on other machines

Question 43

Worm Replication

Answer 43

• Electronic mail or instant messenger facility
• File sharing
• Remote execution capability
• Remote file access or transfer capability
• Remote login capability

Question 44

Electronic mail or instant messenger facility

Answer 44

• Worm emails a copy of itself to other systems

- Sends itself as an attachment via an instant message service

Question 45

File sharing

Answer 45

Creates a copy of itself or infects a file as a virus on removable media

Question 46

Remote execution capability

Answer 46

Worm executes a copy of itself on another system

Question 47

Remote file access or transfer capability

Answer 47

The worm uses remote file access or transfer service to copy itself from one system to the other

Question 48

Remote login capability

Answer 48

Worm logs onto a remote system as a user and then sues commands to copy itself from one system to the other

Question 49

Scanning (or fingerprinting)

Answer 49

• First function in the propagation phase for a network worm

- Searches for other systems to infect

Question 50

Worm Scanning Strategies

Answer 50

• Random
• Hit-list
• Topological
• Local subnet

Question 51

Random Scanning

Answer 51

• Each compromised host probes random addresses in the IP address space using a different seed
• This produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launched

Question 52

Hit-list

Answer 52

The attacker first compiles a long list of potentially vulnerable machines. Once the list is compiled the attacker begins infecting machines on the list. Each infected machine is provided with a portion of the list to scan. This results in a very short scanning period which may make it difficult to detect that infection is taking place.

Question 53

Topological

Answer 53

This method uses information contained on an infected victim machine to find more hosts to scan

Question 54

Local subnet

Answer 54

• If a host can be infected behind a firewall that host then looks for targets in its own local network
• The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall

Question 55

Botnet

Answer 55

Collection of bots capable of acting in a coordinated manner

Question 56

Attack Agent Bots (AAB)

Answer 56

Takes over another Internet attached computer and uses that computer to launch or manage attacks

Question 57

AAB Uses

Answer 57

• Distributed denial of service (DDoS) attacks
• Spamming
• Sniffing traffic
• Keylogging
• Spreading new malware
• Installing advertisement add-ons and browser helper objects (BHOs)
• Attacking IRC chat networks
• Manipulating online polls/games

Question 58

Remote Control Facility (RCF)

Answer 58

RCF is what distinguishes a bot from a worm

Question 59

DDoS

Answer 59

An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.

Question 60

DDoS Attack Resource Categories

Answer 60

• Network bandwidth
• System resources
• Application resources

Question 61

Flooding ping command

Answer 61

• Classic DoS Attack

- Aim of this attack is to overwhelm the capacity of the network connection to the target organization

Question 62

Distributed Denial of Services DDoS Attacks

Answer 62

• Use of multiple systems to generate attacks
• Attacker uses a flaw in the operating system or in a common application to gain access and installs their program on it (zombie)
• Large collections of such systems under the control of one attacker’s can be created, forming a botnet

Question 63

DoS Attack Defenses

Answer 63

• These attacks cannot be prevented entirely

- High traffic volumes may be legitimate

Question 64

Four lines of defense against DDoS attacks

Answer 64

• Attack prevention and preemption (before the attack)
• Attack detection and filtering (during the attack)
• Attack source traceback and identification (during and after the attack)
• Attack reaction (after the attack)

Question 65

IP - Internet Protocol

Answer 65

IP has the task of delivering packets from the source host to the destination host solely based on the IP addresses in the packet headers.

Question 66

TCP - Transmission Control Protocol

Answer 66

TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network.

Question 67

UDP - User Datagram Protocol

Answer 67

With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an IP network. Prior communications are not required in order to set up communication channels or data paths.

Question 68

Virtualization

Answer 68

A technology that provides an abstraction of the resources used by some software which runs in a simulated environment called a virtual machine (VM)

Question 69

Virtualization Benefits

Answer 69

Better efficiency in the use of the physical system resources

Question 70

Virtualization Security Issues

Answer 70

• Guest OS Isolation
• Guest OS monitoring by the hypervisor
• Virtualized environment security

Question 71

Access Control Principles

Answer 71

Measures that implement and assure security services in a computer system, particularly those that assure access control service.

Question 72

Access Control Policies

Answer 72

• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Role-based access control (RBAC)
• Attribute-based access control (ABAC)

Question 73

Discretionary access control (DAC)

Answer 73

Controls access based on the identity of the requestor and on access rules (authorization) stating what requestors are (or are not) allowed to do

Question 74

Mandatory access control (MAC)

Answer 74

Controls access based on comparing security labels with security clearances

Question 75

Role-based access control (RBAC)

Answer 75

Controls access based on the rules that users have within the system and on rules stating what accesses are allowed to users in given rules

Question 76

Attribute-based access control (ABAC)

Answer 76

Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

Question 77

Subject

Answer 77

• An entity capable of accessing objects
• Three classes
• • Owner
• • Group
• • World

Question 78

Object

Answer 78

• A resource to which access is controlled

- Entity used to contain and/or receive information

Question 79

Access right

Answer 79

• Describes the way in which a subject may access an object
• Could include:
• • Read
• • Write
• • Execute
• • Delete
• • Create
• • Search
• • …