Technical Security Controls Flashcards
Technical Security Controls
- Malware:
- Malware refers to malicious software designed to disrupt or damage computer systems.
- Types of malware include viruses, worms, Trojans, ransomware, spyware, and adware.
- Malware can cause various problems such as data loss, system instability, unauthorized access, and financial loss.
- Technical Control Measures:
- Antivirus Software: Install and regularly update antivirus software to detect and remove malware.
- Firewalls: Implement firewalls to monitor and control network traffic, preventing unauthorized access and blocking malicious activity.
- Intrusion Detection and Prevention Systems (IDS/IPS): Deploy IDS/IPS to detect and prevent unauthorized access and suspicious network activity.
- Patch Management: Keep software and operating systems up to date with the latest security patches to address known vulnerabilities.
- Secure Configurations: Configure systems, applications, and network devices securely, following best practices and guidelines.
- Access Controls: Implement strong user authentication mechanisms, such as passwords, multi-factor authentication, and access privileges.
- Encryption: Use encryption techniques to protect sensitive data both at rest and during transmission.
- Backup and Recovery: Regularly back up critical data and establish a disaster recovery plan to ensure business continuity.
- Limitations and Layered Approach:
- Technical controls are not foolproof and can have limitations due to misconfiguration, lack of understanding, or misuse by users.
- To enhance security, multiple layers of technical controls should be implemented.
- Layered security involves combining different controls to create overlapping defence mechanisms, increasing the overall effectiveness of security measures.
- By utilizing a combination of controls, organizations can mitigate risks and provide a more robust security posture.
Virus
- Definition of a Virus:
- A virus is a piece of software code that attaches itself to executable programs.
- It carries a malicious payload and replicates when the infected program executes in memory.
- Virus Behaviour:
- Viruses replicate by attaching copies of themselves to other executable programs in memory.
- They rely on the execution of their host program to activate and spread.
- Viruses do not cause damage or replicate while sitting dormant on a hard disk.
- Spread and Replication:
- Viruses only replicate or spread on the machine where their host program resides.
- They do not spread automatically to other machines unless consciously transferred or shared through means like USB sticks or file sharing.
- Types of Viruses:
- File Infectors: These viruses infect executable files, modifying their code to include the virus.
- Boot Sector Viruses: These viruses infect the boot sector of a computer’s hard drive or other storage media.
- Macro Viruses: These viruses infect documents or files that support macro functionality, such as Microsoft Office files.
- Script Viruses: These viruses exploit scripting languages to infect and propagate through scripts, such as JavaScript or VBScript.
Note: Understanding the behaviour and characteristics of different types of viruses is essential for implementing effective countermeasures and mitigating their impact.
What is a virus?
A) A piece of software code that attaches itself to executable programs
B) A hardware component that stores data
C) A type of firewall used to protect networks
D) A physical disease that affects computers
A) A piece of software code that attaches itself to executable programs
A virus is a type of malicious software (malware) that infects executable programs by attaching its code to them. When an infected program is executed, the virus activates and can perform various malicious actions, such as replicating itself, altering or corrupting data, or causing damage to the system. Viruses rely on the execution of the host program to spread and carry out their intended actions. They do not function independently and require a host program to execute their code. This characteristic distinguishes viruses from other types of malware like worms or Trojans, which can operate on their own without needing a host program.
Which type of virus infects executable files by modifying their code?
A) File infector virus
B) Boot sector virus
C) Macro virus
D) Script virus
A) File infector virus
File infector viruses are a type of virus that infects executable files by modifying their code. When an infected program is executed, the virus replicates itself and attaches to other executable files, spreading the infection.
What triggers the activation and spread of a virus?
A) Dormant state on a hard disk
B) Replication through email attachments
C) Execution of its host program
D) Automatic propagation to other machines
C) Execution of its host program
The activation and spread of a virus are triggered when its host program is executed. The virus requires the host program to execute in order to function and replicate itself. Without the execution of the host program, the virus remains dormant and does not cause any damage or spread to other files or systems.
Which type of virus infects documents or files supporting macro functionality?
A) File infector virus
B) Boot sector virus
C) Macro virus
D) Script virus
C) Macro virus
Macro viruses are specifically designed to infect documents or files that support macro functionality, such as Word documents or Excel spreadsheets. They exploit the macro programming language to execute malicious code and spread the infection to other documents or files that are accessed or opened with macro support enabled.
Worms
- Characteristics of Worms:
- Worms are self-replicating malicious software that spread over a network without human intervention.
- Unlike viruses, worms do not require a host program to execute and can move independently across the network.
- Worm Propagation:
- Worms typically exploit vulnerabilities in computer systems or network protocols to gain unauthorized access.
- Once a worm infects a system, it scans the network for vulnerable devices or uses email addresses to spread copies of itself.
- Worms can rapidly spread and infect numerous systems, causing network congestion and performance degradation.
- Impact of Worms:
- Worms can consume significant network bandwidth as they propagate, leading to network slowdowns or even outages.
- They can also compromise the security and confidentiality of sensitive data stored on infected systems.
- Worms often have a payload that can cause further damage, such as installing backdoors, stealing information, or launching DDoS attacks.
- Containment and Prevention:
- Detecting and containing worms can be challenging since they can spread quickly before detection.
- Implementing strong network security measures, such as firewalls, intrusion detection systems (IDS), and antivirus software, can help prevent worm infections.
- Regularly patching and updating software and systems can address vulnerabilities and reduce the risk of worm attacks.
- Incident Response and Recovery:
- In the event of a worm outbreak, organizations should have an incident response plan in place to contain and mitigate the impact.
- Isolating infected systems, disconnecting from the network, and deploying patches and antivirus updates are crucial steps.
- After containing the worm, organizations should conduct a thorough analysis to understand the root cause and implement measures to prevent similar incidents in the future.
What is a worm?
A. A self-replicating program that spreads over a network without human intervention.
B. A type of computer virus that attaches itself to executable programs.
C. Malicious code that modifies the boot sector of a computer’s hard disk.
D. A program that automatically executes a sequence of commands or actions.
A. A self-replicating program that spreads over a network without human intervention.
A worm is a specific type of malware that is capable of independently spreading and replicating over a network without any human interaction. Unlike viruses, which require user actions or the execution of a host program, worms can move from one system to another automatically, infecting multiple computers along the way. This characteristic makes worms particularly dangerous and challenging to contain once they are unleashed on a network.
What is a characteristic feature of worms?
A. They require human intervention to spread.
B. They attach themselves to executable programs.
C. They replicate independently over a network.
D. They can only infect email attachments.
C. They replicate independently over a network.
Unlike viruses that require human intervention or the execution of a host program, worms have the ability to spread and replicate over a network without any human interaction. This characteristic sets them apart from other types of malware.
How do worms differ from viruses?
A. Worms spread over a network without human intervention.
B. Worms require a host program to execute and replicate.
C. Worms can only infect files in the boot sector.
D. Worms can only spread through email attachments.
A. Worms spread over a network without human intervention.
While viruses typically rely on user actions or the execution of a host program, worms can self-propagate and spread autonomously over a network, infecting multiple systems in a short amount of time.
What is a common impact of worm infections?
A. Slow network performance and congestion.
B. Corruption of data stored on infected systems.
C. Execution of malicious code on the host program.
D. Physical damage to computer hardware.
A. Slow network performance and congestion.
Worm infections can lead to significant network congestion and reduced performance due to the rapid replication and distribution of the worm across multiple systems. The sheer volume of network traffic generated by worm propagation can overwhelm network infrastructure and cause disruptions. While other options may also occur in some cases, network performance issues are a common and prominent consequence of worm infections.
Rootkits & Logic Bombs
Rootkits:
- A rootkit is malicious code that embeds itself into the core part of an operating system, such as the system kernel.
- It gets its name from the fact that it resides at the “root” or core of the system.
- Unlike viruses, rootkits do not replicate themselves.
- Rootkits often have functions like intercepting system calls, modifying them, or capturing keystrokes.
- Detecting rootkits can be extremely challenging due to their ability to evade traditional security measures.
- Once a rootkit is discovered, the recommended method of removal is a complete system rebuild from trusted sources.
Logic Bombs:
- A logic bomb is a malicious program that remains dormant until specific conditions or circumstances are met.
- Typically, logic bombs are time-based, set to activate at a certain time or date, such as an anniversary.
- The purpose of a logic bomb is to execute a destructive payload when triggered, often resulting in data loss or system damage.
- Logic bombs do not possess replication capabilities like viruses.
- Identifying a logic bomb can be difficult since it is often designed to blend in with legitimate system processes.
- Mitigating the impact of a logic bomb requires proactive measures, such as robust system monitoring and access controls.
What is the primary characteristic of a rootkit?
A) It replicates itself across multiple systems
B) It inserts itself into the core part of the operating system
C) It triggers destructive actions at a specific time
D) It intercepts network traffic and captures sensitive data
B) It inserts itself into the core part of the operating system
A rootkit is malicious code that embeds itself into the core part of an operating system, typically the system kernel.
How do rootkits differ from viruses?
A) Rootkits replicate themselves, while viruses do not
B) Viruses attach themselves to executable files, while rootkits target the system kernel
C) Rootkits can be easily detected by antivirus software, while viruses are difficult to detect
D) Rootkits are spread through email attachments, while viruses spread through network vulnerabilities
B) Viruses attach themselves to executable files, while rootkits target the system kernel
Rootkits embed themselves into the core part of the operating system, while viruses typically attach themselves to executable files.
What distinguishes a logic bomb from a virus or a rootkit?
A) Logic bombs can replicate themselves, while viruses and rootkits cannot
B) Logic bombs remain dormant until specific conditions are met, while viruses and rootkits are always active
C) Logic bombs intercept system calls and modify them, while viruses and rootkits capture keystrokes
D) Logic bombs require human intervention to spread, while viruses and rootkits spread automatically
B) Logic bombs remain dormant until specific conditions are met, while viruses and rootkits are always active
A logic bomb is a malicious program that remains inactive until specific circumstances or conditions occur, triggering its execution. In contrast, viruses and rootkits are active and can propagate without specific triggers.
What is a logic bomb?
A) Malicious code that replicates itself across multiple systems
B) Malware that inserts itself into the core part of the operating system
C) A program that remains dormant until specific conditions are met, then executes destructive actions
D) Malicious software that intercepts system calls and modifies them
C) A program that remains dormant until specific conditions are met, then executes destructive actions
A logic bomb is a type of malicious program that is designed to remain inactive until certain conditions are met, such as a specific date or event. Once those conditions are fulfilled, the logic bomb activates and executes its destructive payload, which can involve actions like deleting files or formatting disks.
What is a rootkit?
A) Malware that spreads through network connections
B) Malicious software that intercepts system calls and modifies them
C) A program that remains dormant until specific conditions are met, then executes destructive actions
D) Malicious code that inserts itself into the core part of the operating system
D) Malicious code that inserts itself into the core part of the operating system
A rootkit is a type of malicious code that infiltrates the core components of an operating system, typically the system kernel. It operates at a privileged level and can intercept system calls, modify their behaviour, and evade detection by security measures. Rootkits are designed to give unauthorized control and access to an attacker while remaining hidden from normal system operations and security mechanisms.
Code Injections
- Code injection is a technique used to insert malicious code into a program to exploit vulnerabilities and achieve unauthorized actions or undesired outcomes.
- It occurs due to poor programming practices that allow the program to accept and execute code without proper validation.
- If all programs implemented robust input validation measures, code injection vulnerabilities would be mitigated.
- Code injection is one of the most prevalent software flaws and has remained a significant threat for many years.
- Various forms of code injection exist, such as SQL injection, OS command injection, and cross-site scripting (XSS).
- SQL injection involves manipulating SQL queries to gain unauthorized access or retrieve sensitive information from a database.
- OS command injection occurs when an attacker injects malicious commands to execute arbitrary system commands on the underlying operating system.
- XSS, or cross-site scripting, allows attackers to inject malicious scripts into web pages viewed by other users, leading to session hijacking or theft of sensitive information.
- Code injection attacks can result in serious consequences, including data breaches, unauthorized access, data manipulation, system compromise, and even remote code execution.
- Preventing code injection requires implementing secure coding practices, such as input validation, parameterized queries, and output encoding.
- Regular software updates and patching can help address known vulnerabilities and reduce the risk of code injection attacks.
- Web application firewalls (WAFs) and security testing, such as vulnerability scanning and penetration testing, can also aid in detecting and mitigating code injection vulnerabilities.
What is the primary cause of code injection vulnerabilities?
A) Weak network security measures
B) Insufficient hardware resources
C) Poor programming practices
D) Outdated antivirus software
C) Poor programming practices
Code injection vulnerabilities primarily occur due to poor programming practices that allow programs to accept and execute code without proper validation. This allows attackers to inject and execute malicious code, leading to unauthorized actions or undesired outcomes.
Which of the following is an example of code injection?
A) Denial of Service (DoS) attack
B) Cross-Site Scripting (XSS)
C) Man-in-the-Middle (MitM) attack
D) Social engineering attack
B) Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is an example of code injection. It involves injecting malicious scripts into web pages viewed by other users. By doing so, attackers can manipulate the functionality of the web page and potentially steal sensitive information or perform unauthorized actions on behalf of the user.
How can code injection attacks be mitigated?
A) Implementing robust input validation
B) Increasing network bandwidth
C) Disabling firewalls
D) Ignoring software updates
A) Implementing robust input validation
Code injection attacks can be mitigated by implementing robust input validation practices. This involves validating and sanitizing all user input to ensure it meets the expected format and does not contain any malicious code. By properly validating input, the risk of code injection vulnerabilities can be significantly reduced. The other options, such as increasing network bandwidth, disabling firewalls, or ignoring software updates, are not effective measures for mitigating code injection attacks.
Adware and Spyware
- Adware refers to unwanted software that displays advertisements on a user’s device. It typically manifests as pop-up ads, banners, or other forms of intrusive advertising.
- Adware is designed to generate revenue for the developers by promoting products or services, often through deceptive or aggressive means.
- Adware can be annoying and disrupt the user experience, but it is generally not as malicious as other forms of malware.
- Spyware, on the other hand, is a type of malware that secretly collects user information without their consent or knowledge.
- Spyware is often installed without the user’s consent through deceptive methods such as bundled software, malicious downloads, or phishing emails.
- The purpose of spyware is to gather sensitive information like passwords, financial data, browsing habits, and personal details, which can be exploited for various malicious purposes.
- Spyware can also lead to identity theft, unauthorized access to accounts, and financial losses.
- Both adware and spyware can be distributed through malicious websites, free software downloads, or infected email attachments.
- To protect against adware and spyware:
- Use reputable antivirus and anti-malware software and keep them updated.
- Exercise caution when downloading software from unfamiliar sources.
- Be wary of clicking on suspicious ads or pop-ups and avoid visiting questionable websites.
- Regularly update your operating system and applications to patch security vulnerabilities.
- Enable firewalls and utilize pop-up blockers to reduce exposure to adware.
- Practice safe browsing habits and be cautious of email attachments, especially from unknown senders.
- If you suspect adware or spyware infection:
- Run a full system scan using antivirus or anti-malware software.
- Remove any detected threats and follow the software’s instructions.
- Monitor your accounts for any suspicious activity and consider changing passwords.
- If necessary, seek professional help to mitigate the impact and ensure the security of your system and personal information.
Which of the following best describes adware?
A) Malicious software that secretly collects user information
B) Unwanted software that displays intrusive advertisements
C) Software that encrypts files and demands a ransom for their release
D) Software that exploits vulnerabilities to gain unauthorized access
B) Unwanted software that displays intrusive advertisements
Adware refers to unwanted software that displays intrusive advertisements on a user’s device. It is designed to generate revenue for the developers by promoting products or services through aggressive or deceptive means. While adware can be annoying, it is generally not as malicious as software that secretly collects user information or exploits vulnerabilities.
How is spyware typically installed on a user’s device?
A) Through deceptive methods such as bundled software or malicious downloads
B) Via phishing emails that trick users into clicking on malicious links
C) By exploiting vulnerabilities in the device’s operating system
D) Through physical access to the device by an attacker
A) Through deceptive methods such as bundled software or malicious downloads
Spyware is typically installed on a user’s device through deceptive methods such as bundled software or malicious downloads. It may be included in software packages or downloads without the user’s knowledge or consent. It is important to exercise caution when downloading software from unfamiliar sources to avoid inadvertently installing spyware.
What are the potential risks associated with adware and spyware?
A) Unauthorized access to user accounts
B) Loss of sensitive information and identity theft
C) Degraded system performance and unwanted advertisements
D) All of the above
D) All of the above
Zero Day
- Zero-day refers to vulnerabilities or exploits that are unknown to the software developers and antivirus companies.
- Zero-day exploits are so called because there are zero days between the discovery of the vulnerability and the release of a fix or patch.
- Zero-day vulnerabilities are highly valuable to attackers because they can target systems without being detected or protected against.
- A zero-day virus or malware does not have a known signature, making it difficult for antivirus software to detect and prevent its execution.
- Zero-day flaws are usually discovered by malicious actors or hackers who keep them secret to maximize their impact and exploit systems undetected.
- Without prior knowledge of zero-day vulnerabilities, there is no guaranteed fix or protection against them.
- To mitigate the risks associated with zero-day exploits:
- Keep systems up to date with the latest patches and updates provided by software vendors.
- Implement proactive monitoring systems to detect any unusual activity or indicators of compromise.
- Use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to detect and prevent attacks targeting zero-day vulnerabilities.
- Employ network segmentation and access controls to limit the impact of a potential zero-day attack.
- Maintain regular backups of critical data to minimize the impact of data loss or system compromise.
- Stay informed about emerging threats and vulnerabilities by following security news, advisories, and information from trusted sources.
- Collaboration and information sharing within the cybersecurity community can help identify and address zero-day vulnerabilities effectively.
- Responsible disclosure of zero-day vulnerabilities to software vendors and relevant authorities can facilitate the development of patches or mitigations to protect systems.
What characterizes a zero-day exploit?
A) An exploit that has been widely known for a long time
B) An exploit that targets zero-day-old systems only
C) An exploit that is unknown to software developers and antivirus companies
D) An exploit that requires zero technical expertise to execute
C) An exploit that is unknown to software developers and antivirus companies
A zero-day exploit refers to an exploit or vulnerability that is unknown to software developers and antivirus companies. It is called a “zero-day” because there is no prior knowledge or fix available for it. Attackers leverage these unknown vulnerabilities to launch attacks, taking advantage of the fact that there is no immediate defence or patch against them.
Why are zero-day vulnerabilities highly valuable to attackers?
A) They have already been patched by software developers
B) They are well-documented and widely known in the cybersecurity community
C) They allow attackers to target systems without detection or protection
D) They only affect outdated software with no active user base
C) They allow attackers to target systems without detection or protection
Zero-day vulnerabilities are highly valuable to attackers because they are unknown to software developers and antivirus companies. This means that systems are not protected against these vulnerabilities, allowing attackers to exploit them without detection. By leveraging zero-day vulnerabilities, attackers can infiltrate systems, steal data, or carry out other malicious activities without being stopped by existing security measures.
How can organizations mitigate the risks associated with zero-day exploits?
A) Regularly update systems with the latest patches and updates
B) Maintain backups of critical data
C) Implement proactive monitoring systems
D) All of the above
D) All of the above
Organizations can mitigate the risks associated with zero-day exploits by implementing a combination of measures. Regularly updating systems with the latest patches and updates ensures that known vulnerabilities are addressed. Maintaining backups of critical data helps in the event of a successful attack. Implementing proactive monitoring systems allows for the detection of unusual activities or indicators of compromise. Employing all of these measures together enhances an organization’s ability to detect and respond to zero-day exploits effectively.
Ransomware
- Ransomware is a type of malicious software that encrypts files on a victim’s computer or network, rendering them inaccessible until a ransom is paid.
- Ransomware is typically delivered through email attachments, malicious links, or exploit kits that target software vulnerabilities.
- Once the ransomware infects a system, it encrypts files such as documents, spreadsheets, images, and more, making them unusable without the encryption key.
- Attackers demand a ransom payment, often in cryptocurrencies like Bitcoin, in exchange for providing the decryption key to unlock the encrypted files.
- Ransomware attacks can have severe consequences for businesses and individuals, causing financial losses, data breaches, and disruption of operations.
- Some organizations choose to pay the ransom as a quick solution to restore their business operations, while others resist paying and seek alternative recovery methods.
- It’s crucial to have robust and regular backups of system files and critical data to mitigate the impact of ransomware attacks.
- Regularly test backups to ensure they are functioning correctly and can be restored if needed.
- Implement a layered defence approach to prevent ransomware infections, including:
- Up-to-date antivirus and anti-malware software.
- Firewalls and network segmentation to restrict unauthorized access.
- Regular software updates and patch management to address vulnerabilities.
- User awareness training to educate employees about phishing emails and suspicious attachments or links.
- Employ email and web filtering to block known malicious sources and prevent the delivery of ransomware.
- Maintain strong password practices and enable multi-factor authentication to protect against unauthorized access.
- Implement and regularly test incident response plans to ensure a timely and effective response in the event of a ransomware attack.
- Engage in threat intelligence sharing to stay updated on the latest ransomware variants and tactics used by attackers.
- Reporting ransomware incidents to law enforcement authorities can contribute to tracking and preventing future attacks.
How does ransomware typically encrypt files on a victim’s computer?
A) By exploiting software vulnerabilities in the operating system
B) Through unauthorized access to the victim’s network shares
C) By encrypting files stored in cloud storage services
D) Via malicious email attachments or links
D) Via malicious email attachments or links
Ransomware typically encrypts files on a victim’s computer by using malicious email attachments or links. Victims are often tricked into opening an infected attachment or clicking on a malicious link, which then initiates the encryption process and renders the files inaccessible until a ransom is paid.
What is the common demand made by attackers in a ransomware attack?
A) Immediate removal of the infected computer from the network
B) Public disclosure of the breach and payment of a fine
C) Payment of a ransom in cryptocurrencies to provide a decryption key
D) Surrendering control of the affected system to the attacker
C) Payment of a ransom in cryptocurrencies to provide a decryption key
In a ransomware attack, the common demand made by attackers is the payment of a ransom in cryptocurrencies (such as Bitcoin) in exchange for a decryption key. Attackers use the encrypted files as leverage, demanding payment to unlock and restore access to the victim’s data.
What is a key measure to protect against ransomware attacks?
A) Regularly updating antivirus and anti-malware software
B) Implementing strong password policies for user accounts
C) Training employees on email phishing awareness
D) All of the above
D) All of the above
All the mentioned measures are key to protecting against ransomware attacks. Regularly updating antivirus and anti-malware software helps defend against known malware strains, including ransomware. Implementing strong password policies helps prevent unauthorized access to systems and network shares. Training employees on email phishing awareness educates them about recognizing and avoiding malicious email attachments or links, which are common ransomware infection vectors. Employing all these measures together strengthens the organization’s defence against ransomware attacks.
Trojans
- Trojan:
- A trojan is a type of malicious software that disguises itself as harmless software.
- It typically carries hidden malicious software inside and executes it when the user runs the seemingly harmless software.
- Trojans do not replicate like viruses; they are single instances of malicious code.
- Trojans run in the background and perform various malicious activities without the user’s knowledge.
- They can be discovered as running processes if properly identified.
- Botnet Trojan:
- A botnet trojan infects a computer, giving remote control to a handler.
- The infected computer becomes part of a botnet, a network of compromised computers controlled by the handler.
- Botnets can range from a few computers to tens of thousands under centralized control.
- Computers in a botnet, known as bots, can be used for launching Distributed Denial of Service (DDoS) attacks.
- Bots function normally until instructed by the handler to launch attacks against specific targets.
- RAT: Remote Access Trojan:
- RAT is a trojan that installs software on a computer, allowing unauthorized remote access.
- It creates a backdoor or listens for connections from specific sources.
- Once remote access is established, the attacker can launch attacks or repeatedly access the compromised system.
- RATs can be used as a launchpad for attacks on other systems or for stealing/compromising data.
- Intrusions by RATs often go undetected for a significant duration, with an average discovery time of approximately 200 days.
- Proxy Trojan:
- A proxy trojan uses a compromised computer as a proxy, acting on behalf of another computer.
- Similar to how an ISP’s proxy connects to websites on behalf of a user, a proxy trojan makes connections to servers.
- The destination server sees the connection as coming from the compromised computer, not the true source.
- This can be used to hide the true source of malicious activity, making it appear as if the compromised computer is responsible.
What differentiates a trojan from other types of malware?
A) It replicates and spreads autonomously
B) It disguises itself as harmless software
C) It targets vulnerabilities in the operating system
D) It uses social engineering techniques to trick users
B) It disguises itself as harmless software
What sets trojans apart from other types of malware is their ability to disguise themselves as harmless software. Trojans often masquerade as legitimate or desirable programs to trick users into executing them. Once executed, the trojan carries out its hidden malicious activities.
What is the primary characteristic of a botnet trojan?
A) It encrypts files on the victim’s computer
B) It grants unauthorized remote access to the attacker
C) It forms a network of compromised computers under remote control
D) It steals sensitive information from the victim’s system
C) It forms a network of compromised computers under remote control
The primary characteristic of a botnet trojan is its ability to create a network of compromised computers under remote control. Once infected, the computers become part of a botnet, which is then directed by a remote handler. The compromised computers, known as bots, can be used collectively to launch coordinated attacks, such as Distributed Denial of Service (DDoS) attacks.
What is the purpose of a remote access trojan (RAT)?
A) To launch Distributed Denial of Service (DDoS) attacks
B) To act as a proxy server for internet connections
C) To provide unauthorized remote access to a compromised computer
D) To replicate and spread across multiple systems
C) To provide unauthorized remote access to a compromised computer
The purpose of a remote access trojan (RAT) is to provide unauthorized remote access to a compromised computer. Once installed, the RAT allows an attacker to control the compromised system remotely. This can enable the attacker to perform various malicious activities, such as exfiltrating data, launching additional attacks, or maintaining persistent access to the compromised system.
What is the main purpose of a proxy trojan?
A) To encrypt sensitive files on the victim’s computer
B) To act as a communication intermediary between the user and the destination server
C) To replicate itself and spread across multiple computers
D) To disable antivirus software and firewall protection on the victim’s computer
B) To act as a communication intermediary between the user and the destination server
The main purpose of a proxy trojan is to act as a communication intermediary between the user and the destination server. When a computer is compromised by a proxy trojan, it sits between the user’s computer and the destination server, intercepting and relaying communications. The destination server sees the connection as originating from the compromised computer, rather than the true source. This allows the malicious actor to hide their identity and potentially engage in illicit activities, as the connection appears to come from the compromised computer.
Active Content
- Active content refers to the code downloaded from the web that is executed locally by the browser, allowing for dynamic and interactive elements on websites.
- Previously, web content was primarily static, consisting of text and graphics, but modern websites utilize active content to deliver animations, audio, video, and other dynamic features.
- Technologies enabling active content include Java Applets, ActiveX, JavaScript, and Flash.
- Active content raises concerns regarding the source and trustworthiness of the code, its intended actions, and potential access to other parts of the computer.
- Instances of active content containing trojan software with malicious activities have been observed.
- Browsers offer controls to restrict active content, such as warning prompts or blocking execution, but limiting active content can impact the browsing experience.
Which of the following technologies enables the execution of code locally within a web browser, allowing for dynamic and interactive content?
A) Cascading Style Sheets (CSS)
B) Hypertext Markup Language (HTML)
C) Java Applets
D) Secure Socket Layer (SSL)
C) Java Applets
Java Applets are one of the technologies that enable the execution of code locally within a web browser, allowing for dynamic and interactive content. Java Applets are small programs written in the Java programming language that can be embedded into web pages and run within a browser’s Java Virtual Machine (JVM). They provide enhanced functionality and interactivity on websites. However, it’s important to note that Java Applets have become less prevalent in modern web development due to security concerns and compatibility issues.
Which technology enables client-side scripting and interactivity in web browsers?
A) Cascading Style Sheets (CSS)
B) Hypertext Markup Language (HTML)
C) JavaScript
D) Secure Socket Layer (SSL)
C) JavaScript
JavaScript is the technology that enables client-side scripting and interactivity in web browsers. It is a programming language that runs on the client side, meaning it is executed by the user’s web browser rather than on the server. JavaScript allows developers to add dynamic behaviour to web pages, manipulate DOM elements, handle events, and interact with server-side data. It is widely used in modern web development for creating interactive and responsive user interfaces.
Threat Vectors
- Threat vectors are the various ways through which malware can enter a computer system.
- Drive-by downloads occur when a user visits an infected website, leading to unintentional malware downloads onto their computer.
- Downloading or installing software from the internet, especially from unknown or untrusted sources, can introduce malware onto a computer.
- Infected media, such as USB sticks, can easily transport malware to a computer when plugged in.
- Malware can also enter a system through network connections, taking advantage of vulnerabilities in the network.
- Email attachments are a common method for malware dissemination, with users being tricked into opening attachments containing malware.
- Email attachments are particularly notorious for spreading ransomware, a type of malware that encrypts files and demands a ransom for their release.
Which of the following is a common threat vector for disseminating ransomware?
A) Drive-by downloads from infected websites
B) Software downloaded from reputable sources
C) Infected media during production
D) Email attachments
D) Email attachments
Email attachments are particularly notorious for spreading ransomware, a type of malware that encrypts files and demands a ransom for their release.
Protective Measures
- Firewalls: Personal firewalls on end-point computers and network firewalls can be configured to block certain types of traffic or traffic from specific sites or IP addresses.
- Network Controls: Network filters, access lists on routers, gateway devices, and proxy servers can be implemented to control and filter traffic, including email attachments and web-based traffic.
- Antivirus/Antimalware Solutions: Antivirus or antimalware software helps detect and block known malware by identifying unique signatures. However, they may not be effective against zero-day attacks.
- Manual Controls: Measures such as using a sheep dip computer to scan external media, implementing Data Loss Prevention (DLP) systems to track data movement, and controlling software and file entry into the organization.
- Intrusion Detection Systems (IDS): IDS detects patterns of malicious network activity based on a database of known signatures and raises alerts for further investigation.
- Intrusion Prevention Systems (IPS): IPS, similar to a firewall, can dynamically block potentially malicious traffic based on signatures, providing more proactive protection than IDS.
- Application Whitelisting: Also known as allow lists, application whitelisting allows only approved applications to run on a computer, preventing the execution of unauthorized software.
- System Hardening: System hardening involves configuring a computer to eliminate unnecessary applications, network connections, and services that are not required, reducing potential attack surfaces.
Note: IDS and IPS can be implemented at the network level (NIDS/NIPS) to protect a segment of the network or at the host level (HIDS/HIPS) to protect individual computers. Host-based systems can provide additional protection by monitoring activities on specific hosts.
Which protective measure is designed to filter and block specific types of traffic based on defined rules?
a) Firewalls
b) Antivirus solutions
c) Intrusion Detection Systems (IDS)
d) Application whitelisting
a) Firewalls
Firewalls can be configured to deny certain types of traffic or block traffic from specific sites or IP addresses, providing network-level filtering and protection.
What is the primary purpose of antivirus or antimalware solutions?
a) Blocking unauthorized access to the network
b) Preventing Distributed Denial of Service (DDoS) attacks
c) Detecting and blocking known malware based on unique signatures
d) Monitoring and logging network traffic for analysis
c) Detecting and blocking known malware based on unique signatures
Antivirus or antimalware solutions are designed to identify and block known malware by recognizing their unique signatures, providing protection against viruses, worms, trojans, and other identified threats.
Which protective measure involves scanning external media on an isolated computer before authorizing its installation into an internal network?
a) Intrusion Detection Systems (IDS)
b) Network controls
c) Manual controls
d) Application whitelisting
c) Manual controls
Manual controls include measures such as scanning external media on an isolated computer (sheep dip) before allowing installation into the internal network, ensuring the files are certified as clean.
Which protective measure monitors network traffic patterns for known malicious activities and raises alerts for further investigation?
a) Intrusion Prevention Systems (IPS)
b) Application whitelisting
c) Intrusion Detection Systems (IDS)
d) System hardening
c) Intrusion Detection Systems (IDS)
IDS examines network traffic for patterns that match known malicious signatures, raising alerts to indicate potential security incidents that require investigation.
What is the key difference between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)?
a) IDS blocks potentially malicious traffic, while IPS raises alerts for further investigation.
b) IDS raises alerts for potentially malicious traffic, while IPS blocks the traffic.
c) IDS and IPS are the same, just different names for the same technology.
d) IDS and IPS both block and raise alerts for potentially malicious traffic.
b) IDS raises alerts for potentially malicious traffic, while IPS blocks the traffic.
IDS detects and raises alerts for suspicious network activity, while IPS goes a step further and actively blocks potentially malicious traffic to prevent it from reaching its destination.
Which protective measure restricts the execution of unauthorized software by allowing only approved applications to run on a particular computer?
a) Firewalls
b) Antivirus solutions
c) Application whitelisting
d) System hardening
c) Application whitelisting
Application whitelisting allows administrators to specify which applications are allowed to run on a computer, preventing the execution of unauthorized software and reducing the risk of malware infections.
Which protective measure involves configuring a computer to eliminate unnecessary applications, network connections, and services?
a) Intrusion Prevention Systems (IPS)
b) Application whitelisting
c) System hardening
d) Manual controls
c) System hardening
System hardening involves optimizing the configuration of a computer by removing unnecessary applications, network connections, and services, reducing potential vulnerabilities and attack surfaces.
Additional Preventative Measures
- Additional Preventative Measures:
- Patching: Implement a robust patching regime to keep systems up to date and remediate vulnerabilities.
- Operational Policies: Follow best practices in system operation, use code from reliable sources, and adhere to safe coding practices.
- User Awareness: Conduct comprehensive user awareness training programs to educate users about Internet risks, safe practices, and the importance of avoiding opening suspicious attachments.
- Technical Controls:
- IDS and IPS: Intrusion Detection Systems (IDS) detect and raise alerts for suspicious network activity, while Intrusion Prevention Systems (IPS) actively block potentially malicious traffic.
- Defence-in-Depth: Implement multiple layers of controls to ensure security, with each layer complementing the others and providing a backup in case of control failure.
- Network Connectivity: With the expansion of networks, including the Internet, remote working, VPN connections, and various devices, it is crucial to secure multiple entry points and permit only authorized connections.
- Physical, Administrative, and Technical Layers: Defence-in-depth strategy includes physical security measures, administrative policies, and technical controls to provide comprehensive protection against malware threats.
Note: It’s important to have a holistic approach to security by combining technical measures with operational and user awareness practices to effectively mitigate the risks posed by malware.
What is the purpose of implementing a robust patching regime?
a) To improve network connectivity
b) To remediate vulnerabilities
c) To enhance user awareness
d) To install antivirus software
b) To remediate vulnerabilities
A robust patching regime ensures that all systems are kept up to date with the latest patches, which helps in addressing vulnerabilities and reducing the risk of malware exploitation.
What is the primary goal of user awareness training programs?
a) To enforce operational policies
b) To implement technical controls
c) To educate users about safe practices
d) To manage network connectivity
c) To educate users about safe practices
User awareness training programs aim to educate users about the risks associated with Internet usage, opening suspicious attachments, and following best practices to minimize the likelihood of malware entering the organization’s systems.
How can operational policies contribute to malware prevention?
a) By securing physical entry points
b) By establishing defence-in-depth strategies
c) By following safe coding practices
d) By implementing intrusion detection systems
c) By following safe coding practices
Operational policies that promote safe coding practices, such as using code from reliable sources and adhering to industry best practices, can help prevent the introduction of malware into the organization’s systems by ensuring the integrity and security of the software being developed and deployed.
Network Intrusion Detection System (NIDS)
A Network Intrusion Detection System (NIDS) is a computer software application that can detect and report network security problems by monitoring network or system activities for malicious or anomalous behaviour.
Network Intrusion Prevention System (NIPS)
A network intrusion prevention system (NIPS) is an umbrella term for a combination of hardware and software systems that protect computer networks from unauthorized access and malicious activity.
Host Intrusion Detection System (HIDS)
A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analysing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates.
Host Intrusion Prevention System (HIPS)
The Host-based Intrusion Prevention System (HIPS) protects your system from malware and unwanted activity attempting to negatively affect your computer. HIPS utilizes advanced behavioural analysis coupled with the detection capabilities of network filtering to monitor running processes, files and registry keys.
What is the purpose of an Intrusion Detection System (IDS)?
a) To prevent unauthorized access to the network
b) To detect and raise alerts on malicious network activity
c) To encrypt data transmissions over the network
d) To filter and control web-based traffic
b) To detect and raise alerts on malicious network activity
An IDS is designed to monitor network traffic and identify patterns of potentially malicious activity. It detects known signatures of malicious traffic and raises alerts for further investigation and response.
What is the main difference between a Network Intrusion Detection System (NIDS) and a Host Intrusion Detection System (HIDS)?
a) NIDS is deployed on individual hosts, while HIDS covers the entire network.
b) NIDS can block malicious traffic, while HIDS can only raise alerts.
c) NIDS is signature-based, while HIDS is behaviour-based.
d) NIDS protects against external threats, while HIDS focuses on internal threats.
d) NIDS protects against external threats, while HIDS focuses on internal threats.
NIDS is deployed at the network level to monitor and detect external threats targeting the network. HIDS, on the other hand, is installed on individual hosts to monitor and detect internal threats originating from within the network.
What is the function of an Intrusion Prevention System (IPS)?
a) To encrypt data transmissions over the network
b) To block potentially malicious network traffic
c) To detect and raise alerts on unauthorized access attempts
d) To filter and control web-based traffic
b) To block potentially malicious network traffic
An IPS is designed to actively block or prevent potentially malicious network traffic based on known signatures or patterns. It goes beyond detection (like an IDS) and can dynamically block or restrict traffic to prevent security breaches.
What is the purpose of application whitelisting?
a) To encrypt data transmissions over the network
b) To block all applications except those on an approved list
c) To detect and raise alerts on malicious applications
d) To filter and control web-based traffic
b) To block all applications except those on an approved list
Application whitelisting allows only authorized or approved applications to run on a computer or network. It restricts the execution of unapproved applications, reducing the risk of malware infiltration by allowing only known and trusted applications to operate.
Defence in Depth
Defence in depth is a strategy that leverages multiple security measures to protect an organization’s assets. The thinking is that if one line of defence is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Defence in depth addresses the security vulnerabilities inherent not only with hardware and software but also with people, as negligence or human error are often the cause of a security breach.
What is the primary concept behind Defence in Depth?
A) Deploying a single layer of security controls to protect the organization.
B) Creating multiple layers of security controls to provide overlapping defence.
C) Focusing solely on physical security measures to protect the perimeter.
D) Implementing strong encryption algorithms to secure network traffic.
B) Creating multiple layers of security controls to provide overlapping defence.
Defence in Depth is a strategy that involves implementing multiple layers of security controls to provide overlapping protection. This approach recognizes that no single security measure can provide complete security. By deploying a combination of physical, technical, and administrative controls, organizations create multiple barriers that make it more difficult for attackers to penetrate their systems. This multi-layered approach enhances the overall security posture and helps mitigate risks associated with single points of failure.
Protecting the Perimeter
An organization has both a physical perimeter and a technical perimeter that require defence.
Physical Perimeter: Secured using physical measures like locks, fences, and access control.
Technical Perimeter: The entry point to the network from the outside.
Firewall
The primary defence mechanism for the technical perimeter is a firewall. A firewall provides separation between two or more networks.
It acts as a barrier that filters and controls incoming and outgoing network traffic.
A firewall is a security device that can be either a physical hardware device or a software-based application. Its primary function is to protect the network by filtering and blocking traffic.
- Two-way protection: A firewall performs filtering in both directions. It not only blocks inbound traffic to prevent unauthorized access to the internal network but also prevents unauthorized data leakage or loss by blocking certain outbound traffic.
- Blocking unwanted traffic: Firewalls can block unwanted traffic and help prevent malicious software from entering the network. They can provide different levels of protection, ranging from blocking traffic from specific sources to blocking traffic based on content.
- Gatekeeper function: Firewalls act as gatekeepers by controlling the flow of traffic through the firewall. They analyse the traffic and make forwarding decisions based on manually configured rules.
- Rule-based configuration: Firewall rules define what traffic is allowed to pass through the firewall, while denying all other traffic. These rules can be configured based on the following criteria:
- Source address of the traffic
- Destination address of the traffic
- Protocols being used (e.g., web, file transfer, email)
- Content of the traffic
- Effective firewall configuration: To ensure an effective firewall, it is important to determine what traffic needs to be controlled and in which direction. This requires proper configuration of rules and settings to align with the organization’s security policies and requirements.
- Regular review and updates: Firewalls should be regularly reviewed and updated to adapt to changing security threats and to ensure they remain effective in protecting the network. This includes reviewing and modifying firewall rules as needed and keeping the firewall software up to date with the latest patches and firmware.
- Integration with other security measures: Firewalls are an integral part of a layered security approach. They should be integrated with other security measures, such as intrusion detection and prevention systems (IDS/IPS), antivirus software, and access control mechanisms, to provide comprehensive network protection.
- Ongoing monitoring and logging: Firewalls should be monitored and logged to track network traffic, detect anomalies, and investigate security incidents. Monitoring and logging data can be analysed to identify potential security breaches or policy violations.
- Regular security audits: Periodic security audits should be conducted to assess the effectiveness of the firewall configuration and ensure compliance with security standards and regulations.
- User awareness: Users should be educated about the role of firewalls and the importance of following security policies and best practices. User awareness training can help prevent unauthorized access attempts and ensure responsible use of network resources.
What is the primary function of a firewall? (select two)
a) Filtering and blocking outbound traffic
b) Filtering and blocking inbound traffic
c) Encrypting network communications
d) Authenticating network users
a) Filtering and blocking outbound traffic
b) Filtering and blocking inbound traffic
At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet. A firewall’s main purpose is to allow non-threatening traffic in and to keep dangerous traffic out.
Which of the following criteria can be used to configure firewall rules?
a) Source address of the traffic
b) Destination address of the traffic
c) Protocols being used
d) All of the above
d) All of the above
Firewall rules can be configured based on the source address, destination address, and protocols being used to control the traffic flow.
What is the purpose of a two-way protection in a firewall?
a) To prevent unauthorized access to the internal network
b) To prevent unauthorized data leakage or loss
c) To block inbound traffic only
d) To block outbound traffic only
b) To prevent unauthorized data leakage or loss
Two-way protection in a firewall ensures that not only inbound traffic is blocked but also unauthorized outbound traffic to prevent data leakage or loss.
How does a firewall act as a gatekeeper?
a) By physically securing the network perimeter
b) By analysing and controlling the flow of traffic
c) By encrypting network communications
d) By monitoring user activities on the network
b) By analysing and controlling the flow of traffic
Firewalls act as gatekeepers by analysing network traffic and making decisions based on configured rules to control the flow of traffic.
Which of the following security measures should be integrated with a firewall?
a) Intrusion Detection and Prevention Systems (IDS/IPS)
b) Antivirus software
c) Access control mechanisms
d) All of the above
d) All of the above
A firewall should be integrated with other security measures like IDS/IPS, antivirus software, and access control mechanisms to provide comprehensive network protection.
Type of Firewall
- Packet Filter Firewall:
- Most common type of firewall.
- Filters traffic based on addresses and protocols.
- Determines the source and destination addresses of packets and the protocol used.
- Can allow or deny traffic based on predefined rules.
- Primarily focuses on the form and type of traffic.
- Web Application Firewall (WAF):
- Specifically designed for web traffic.
- Examines the content of data packets to and from web applications.
- Prevents undesirable content from being downloaded or uploaded.
- Protects web applications from common web-based attacks.
- Proxy Firewall:
- Acts as an intermediary between client browsers and web servers.
- Analyses traffic passing through the proxy.
- Can provide additional security measures and control over network traffic.
- Offers enhanced privacy and anonymity by masking the client’s IP address.
- Multi-Layer Stateful Inspection Firewall:
- Combines various functionalities in one firewall.
- Performs packet filtering, content inspection, and connection analysis.
- Verifies the integrity and state of network connections.
- Provides advanced security features and comprehensive protection.
- Ensures traffic is in the correct direction and meets specific criteria.
- Next-Generation Firewall (NGFW):
- Incorporates features of multi-layer firewalls and adds advanced capabilities.
- Includes antivirus scanning for incoming traffic.
- Integrates identity and access management solutions.
- Responds to advanced attacks with enhanced threat intelligence.
- Offers comprehensive security controls and features.
Summary of Firewall Functions:
- Intercepts and controls traffic between two points.
- Uses rule sets to define allowed or denied traffic.
- Protects the technical perimeter of the network.
- Filters content to prevent undesirable or malicious data.
- Helps enforce the organization’s security policy.
- Generates an audit trail by logging all firewall activity.
Which type of firewall is primarily based on addresses and protocols and filters traffic between two points?
a) Packet Filter Firewall
b) Web Application Firewall
c) Proxy Firewall
d) Next-Generation Firewall
a) Packet Filter Firewall
Packet Filter Firewall:
- Most common type of firewall.
- Filters traffic based on addresses and protocols.
- Determines the source and destination addresses of packets and the protocol used.
- Can allow or deny traffic based on predefined rules.
- Primarily focuses on the form and type of traffic.
A firewall that specifically examines web traffic and prevents undesirable content from being downloaded or uploaded is known as:
a) Packet Filter Firewall
b) Web Application Firewall
c) Proxy Firewall
d) Next-Generation Firewall
b) Web Application Firewall
Web Application Firewall (WAF):
- Specifically designed for web traffic.
- Examines the content of data packets to and from web applications.
- Prevents undesirable content from being downloaded or uploaded.
- Protects web applications from common web-based attacks.
Which type of firewall acts as an intermediary between client browsers and web servers, providing enhanced security measures and control over network traffic?
a) Packet Filter Firewall
b) Web Application Firewall
c) Proxy Firewall
d) Next-Generation Firewall
c) Proxy Firewall
Proxy Firewall:
- Acts as an intermediary between client browsers and web servers.
- Analyses traffic passing through the proxy.
- Can provide additional security measures and control over network traffic.
- Offers enhanced privacy and anonymity by masking the client’s IP address.