ExamCram part 1


Describe Resident and nonresident virus

Resident virus: This type of virus resides in memory, which means it is loaded each time the system starts and can infect other areas based on specific actions. This method allows a virus to remain active even after any host program terminates.
Nonresident virus: Once executed, this type of virus looks for targets locally and even across the network. The virus then infects these areas and exits. Unlike a resident virus, it does not remain active.

A penetration test involves four primary phases: Attack: The following are the progressive steps during the attack phase: (4)

1. Initial exploitation
2. Escalation of privilege
3. Pivoting
4. Persistence

Network layer firewalls mainly function at Layer __(#) of the OSI model

3

With which of the following is a "low and slow" attack most associated?
A. APT
B. Ransomware
C. OSINT
D. Script kiddies

A

What type of vulnerability scan can greatly reduce false positives?

A credentialed vulnerability scan helps to reduce false positives.

Describe Multipartite virus:

A multipartite virus infects executable files and also attacks the master boot record of the system. If the boot sector is not cleaned along with the infected files, the files can easily be infected again.

Describe Polymorphic virus:

A polymorphic virus can change form or signature each time it is executed, to avoid detection. The prefix poly means "many"; morphic means "shape." Thus, polymorphic malware is malicious code capable of changing its shape. Each time a polymorphic virus infects a new file or system, for example, it changes its code. As a result, detecting the malware becomes difficult without an identifiable pattern or signature to match. Heuristic scanning is one example of a detection method that does not depend on a signature. Instead of looking for a specific signature, heuristic-based scanning examines the instructions running within a program.

From the results of a vulnerability scan, what types of items are identified? (3)

A vulnerability scan identifies vulnerabilities, misconfigurations, and lack of security controls.

(prowse) describe Previous Logon

Another great tool is the previous logon notification. This can be configured in a policy and shows the user the last time the account logged in successfully—generally during the logon process. If users suspect that their account was compromised, they could check the previous logon notification and compare that with when they remember logging in.

Comment on NIDS placement location

As with any network device, the placement of a NIDS determines the effectiveness of the technology. A NIDS can be placed outside the perimeter of the firewall as an early detection system or can be used internally as an added layer of security. Internally placed NIDSs that are near the local network switching nodes and near the access routers at the network boundary have lower false alarm rates because the NIDS doesn't have to monitor any traffic that the firewall blocks.

Your team is tasked with conducting a vulnerability assessment and reports back with a high number of false positives. Which of the following might you recommend to reduce the number of false positives?
A. Have the team run a vulnerability scan using noncredentialed access
B. Have the team run a vulnerability scan using credentialed access
C. Have the team run a port scan across all common ports
D. Have the team run a port scan across all ports

B

Which one of the following is a best practice to prevent code injection attacks?
A. Session cookies
B. Input validation
C. Implementing the latest security patches
D. Using unbound variables

B. Input validation is one of the most important countermeasures to prevent code injection attacks. Answer A is incorrect because session cookies pertain to maintaining state within a visit to a website. Answer C is incorrect because, although ensuring that systems are patched is a good practice, it is not specifically a best practice to prevent code injection attacks. Answer D is incorrect because proper input validation to prevent code injection relies on bound variables.

How do relationship and capability pertain to understanding specific threat actors?
A. They indicate the likelihood of vulnerabilities being discovered.
B. They are characteristics associated with building a threat profile.
C. They describe attributes that apply equally to all threats.
D. They are the two most important attributes when analyzing threat actors.

B. Relationship and capability are characteristics that can be attributed to threat actors. Other common attributes include motive and intent, both of which are associated with building a threat profile. Answer D is incorrect because threat actors and overall risk are unique to each organization.

__ is an important component for RFID security. Otherwise, RFID tags are susceptible to an attacker writing or modifying data to the tag.

Cryptography

Which of the following are potential impacts of a race condition?
A. System malfunction
B. Denial of service
C. Escalated privileges
D. All of the above

D

After conducting a vulnerability assessment, which of the following is the best action to perform?
A. Disable all vulnerable systems until mitigating controls can be implemented
B. Contact the network team to shut down all identified open ports
C. Immediately conduct a penetration test against identified vulnerabilities
D. Organize and document the results based on severity

D.

Proper input validation does not prevent a code injection technique known as (describe)

DLL injection. DLL injection inserts malicious code into a running process. This code injection technique takes advantage of dynamic link libraries (DLLs), which are designed for the running application to load at runtime. DLL injection attacks thus result when the legitimate process hooks into the malicious DLLs and then runs them. The Windows operating system now includes a protected process system to prevent such attacks by ensuring that only trusted code gets loaded. Rootkits, covered in Chapter 1, "Indicators of Compromise and Malware Types," use DLL injection to hook themselves into the Windows operating system.

ARP poisoning can lead to attacks such as (3)

DoS, man-in-the-middle attacks, and MAC flooding.

A penetration test involves four primary phases: Attack:

During the attack phase, the tester tries to gain access or penetrate the system. This often is a result of exploiting an identified vulnerability during the previous phase. The idea is to at least perform an initial exploitation, even if it does not reveal the ultimate goal or data of value. During this initial exploitation, the tester commonly has only regular user access and does not have access to high-value areas. However, this initial exploit provides the opportunity for the penetration tester to escalate privileges. The tester then can gain access at a higher authorization and then conduct more advanced commands and routines. From here, the tester likely can begin to gain further access across the various systems, a process known as pivoting. Finally, the tester might try to install additional tools. Known as persistence, this enables the tester to gain additional compromising information. Achieving persistence also involves planting back doors to allow continued remote access into the systems. The following are the progressive steps during the attack phase:
1. Initial exploitation
2. Escalation of privilege
3. Pivoting
4. Persistence

Site-to-site VPNs are implemented based on

IPsec policies assigned to VPN topologies. These VPNs connect entire networks to each other. Individual hosts do not need VPN client software. They communicate using normal TCP/IP traffic via a VPN gateway. The VPN gateways are responsible for setting up and breaking down the encapsulation and encryption traffic.

Describe caching proxy servers

In a caching proxy server, when the proxy server receives a request for an Internet service (usually on port 80 or 443), it passes through filtering requirements and checks its local cache for previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. The web cache can also be used to block content from websites that you do not want employees to access, such as pornography, social media, or peer-to-peer networks. You can use this type of server to rearrange web content to work for mobile devices. This strategy also provides better utilization of bandwidth because it stores all your results from requests for a period of time. A caching server that does not require a client-side configuration is called a transparent proxy server. In this type of server, the client is unaware of a proxy server. Transparent proxies are also called inline, intercepting, or forced proxies. The proxy redirects client requests without modifying them. Transparent proxy servers are implemented primarily to reduce bandwidth usage and client configuration overhead in large networks. Transparent proxy servers are found in large enterprise organizations and ISPs. Because transparent proxies have no client overhead and can filter content, they are ideal for use in schools and libraries.

Describe ARP poisoning

In addition, an attacker can broadcast a fake or spoofed ARP reply to an entire network and poison all computers. This is known as ARP poisoning. Put simply, the attacker deceives a device on your network, poisoning its table associations of other devices.

Consider some examples of DoS attacks: ▶ Land:

In this attack, the attacker exploits a behavior in the operating systems of several versions of Windows, Linux, macOS, and Cisco IOS with respect to their TCP/IP stacks. The attacker spoofs a TCP/IP SYN packet to the victim system with the same source and destination IP address and the same source and destination ports. This confuses the system as it tries to respond to the packet.

Remote-access VPN connectivity is provided using either __ or __ for the VPN.

Internet Protocol Security (IPsec); Secure Sockets Layer (SSL)

(prowse) ActiveX controls are small program building blocks used to allow a web browser to execute a program. They are similar to Java applets; however,

Java applets can run on any platform, whereas ActiveX can run only on Internet Explorer (and Windows operating systems). You can see how a downloadable, executable ActiveX control or Java applet from a suspect website could possibly contain viruses, spyware, or worse.

In a pass-the-hash attack, the attacker does not need access to a user's password. Instead, the attacker needs only the hashed value of the password. This attack is performed against systems that accept specific implementations of authentication schemes known as __ or __.

LM; NTLM

Describe MITB

MITM attacks have declined because of the prevalence of such prevention techniques. As a result, a newer type of MITM, known as man-in-the-browser (MITB), has increased. A MITB attack is a Trojan that infects web browser components such as browser plug-ins and other browser helper objects. MITB attacks are particularly dangerous because everything occurs at the application level on the user's system. These attacks are capable of avoiding web application controls that might otherwise be alerted to a traditional MITM attack at the network layer. MITB can also go beyond mere interception, to inject web code and perform other functions to interact with the user.

(prowse) PGP uses a symmetric session key (also referred to as a preshared key, or PSK), and as such, you might hear PGP referred to as a program that uses symmetric encryption, but it also uses asymmetric __(protocol) for digital signatures and for sending the session key.

RSA

A penetration test involves four primary phases: Reporting

Reporting is an important component of the penetration test. Specifically, as activity is documented, and depending on the plan, reporting might be required within the actual discovery and attack phases. After any penetration test, a comprehensive report should be delivered that includes, at a minimum, vulnerabilities identified, actions taken and the results, mitigation techniques, and some sort of quantification of the risk.

__ use DLL injection to hook themselves into the Windows operating system.

Rootkits

__ are the main element in compliance regulations such as SOX, GLBA, PCI, FISMA, and HIPAA.

SIEMs

Describe session hijacking

Session hijacking is another common attack. Browser cookies, known as session cookies, are often used to maintain an open session for users interacting within a site. These cookies ensure authentication to the remote site and are a target of attackers. With a stolen session cookie, the attacker can gain access to that site.

A penetration test involves four primary phases: Discovery: With planning complete, penetration testing begins with the discovery stages. Discovery consists of two fundamental areas:

The first includes information gathering and scanning; the second includes vulnerability analysis.

(prowse) An organization can defend against a replay attack in several ways: (3)

The first is to use session tokens that are transmitted to people the first time they attempt to connect, and identify them subsequently. They are handed out randomly so that attackers cannot guess at token numbers. The second way is to implement timestamping and synchronization as in a Kerberos environment. A third way would be to use a timestamped nonce, a random number issued by an authentication protocol that can be used only one time.

Firewalls: The more restrictive rules should be placed where?

The more restrictive rules should be listed first and the least restrictive rules should follow; otherwise, if a less restrictive rule is placed before a more restrictive rule, checking stops at the first rule.

A penetration test involves four primary phases: Planning:

The planning phase does not involve actual tests. Its purpose is to set expectations and provide clarity regarding the plan and goals. This phase is an important part of the overall process because of the risks of penetration tests. An important output of this phase is a documented plan that includes rules and expectations.

Intrusion detection software is reactive or passive. (describe)

This means that the system detects a potential security breach, logs the information, and signals an alert after the event occurs. By the time an alert has been issued, the attack has usually occurred and has damaged the network or desktop.

Describe Stealth virus:

This memory-resident virus also uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file's size. For example, a stealth virus removes itself from an infected file and places a copy of itself in a different location.

Describe Pharming:

This term is a combination of farming and phishing. Pharming does not require the user to be tricked into clicking a link. Instead, pharming redirects victims to a bogus website, even if the user correctly entered the intended site. To accomplish this, the attacker employs another attack, such as DNS cache poisoning.

Load balancing strategies work by scheduling via algorithms. Scheduling strategies are based on which tasks can be executed in parallel and where to execute these tasks. These common algorithms are used: Round-robin:

Traffic is sent in a sequential, circular pattern to each node of a load balancer.

IPsec can be run in either tunnel mode or transport mode. (describe where used)

Transport mode is used between endpoints such as a client and a server. It can also be used between a gateway and an endpoint when the gateway is being treated as an endpoint, such as in a Remote Desktop (RDP) or Telnet session. The IPsec default mode is tunnel mode. Tunnel mode is most often used between gateways such as a router and a firewall. When tunnel mode is used, the gateway acts as a proxy for the hosts. In tunnel mode, an AH or ESP header is used.

A penetration test involves four primary phases: Discovery:

With planning complete, penetration testing begins with the discovery stages. Discovery consists of two fundamental areas. The first includes information gathering and scanning; the second includes vulnerability analysis. Information gathering and scanning involves conducting reconnaissance of the target through observation and other outside discovery tools. Many techniques and tools are available for potentially gaining important information; those resources will later serve as intelligence needed for executing the attack, which is the next phase in the penetration test. While gathering information, reconnaissance is considered either passive or active. Passive techniques are less risky because they do not require actively engaging with the targeted systems. This is similar to a burglar first staking out a neighborhood to find unoccupied homes, or even surveilling a specific home to understand when the residents come and go. A penetration test could well use similar techniques in physically observing a data center. OSINT tools, discussed in the previous chapter, are an ideal resource for passive reconnaissance. For example, an organization's website and public user directory potentially provide a great deal of pertinent information. Online tools such as WHOIS can easily gather technical contacts, host name, and IP address information. Active reconnaissance, on the other hand, requires engaging with the target. An example includes port scanning and service identification. At a minimum, port scanners identify one of two states for a port on a host system: open or closed. These scanners also identify the associated service and, potentially, the application name being run. For example, this can include the specific FTP application name running on port 21 on a specific host. Such information reveals potential targets for penetration testing.

WHOIS is

a free and publicly accessible directory from which domain names can be queried to discover contact and technical information behind registered domain names.

A dictionary attack might not be successful against a common word with numbers included. Yet a brute-force attack might take too long for a lengthy word with numbers included. Another attack, known as (describe)

a hybrid attack, provides a compromise and is also a useful tool to help identify weak passwords and controls for audit purposes. A hybrid attack uses the dictionary attack method and then builds upon this by adding numbers to the end of the words, substituting certain letters for numbers, and capitalizing the first letter of each word.

Application layer firewalls integrate the functions of other network devices such as

a proxy, IDS, and IPS. Many application layer firewalls use an IPS engine to provide application support. As a result, various blended techniques are used to identify applications and formulate policies based on business rules.

Viruses are malicious programs that spread copies of themselves throughout a single machine. They infect other machines only if

a user on another machine accesses an infected object and launches the code.

MITM: After you have secured the physical environment, protect the services and resources that allow a system to be inserted into a session. DNS can be compromised and used to redirect the initial request for service, providing an opportunity to execute a man-in-the-middle attack. You should restrict DNS

access to read only for everyone except the administrator. The best way to prevent these types of attacks is to use encryption, secure protocols, and methods for keeping track of the user's session or device.

Two types of RFID tags include (describe)

active and passive tags. Active tags can broadcast a signal over a larger distance because they contain a power source. Passive tags, on the other hand, aren't powered and are activated by a signal sent from the reader.

OVAL is intended to be an international language for representing vulnerability information. It uses __ for expression, allowing tools to be developed to test for identified vulnerabilities in the OVAL repository.

an Extensible Markup Language (XML) schema

Most proxy servers today are web application proxies that support protocols such as HTTP and HTTPS. When clients and the server cannot directly connect because of some type of incompatibility issue, such as security authentication,

an application proxy server is used. Application proxies must support the application for which they are performing the proxy function and do not typically encrypt data. On the other hand, multipurpose proxy servers, also known as universal application level gateways, are capable of running various operating systems (such as UNIX, Windows, and Macintosh) and allowing multiple protocols to pass through (such as HTTP, FTP, NNTP, SMTP, IMAP, LDAP, and DNS). They also can convert between IPv4 and IPv6 addresses. These proxies can be used for caching, converting pass-through traffic, and handling access control. They are not restricted to a certain application or protocol.

A virus replicates when

an infected file executes or launches. It then attaches to other files, adds its code to the application's code, and continues to spread.

(prowse) Statistical-based monitoring is another name for

anomaly-based monitoring.

(prowse) Programs that are designed to exploit software bugs or other vulnerabilities are often called __. These types of exploits inject "shellcode" to allow the attacker to run arbitrary commands on the remote computer. This type of attack is also known as remote code execution (RCE) and can potentially allow the attacker to take full control of the remote computer and turn it into a zombie.

arbitrary code execution exploits

Trojans are often classified by their payload or function. The most common include (4)

backdoor, downloader, infostealer, and keylogger Trojans.

Stateless firewalls tend to work as a

basic ACL filter. Stateful firewalls are a deeper inspection firewall type that analyzes traffic patterns and data flows.

ExamAlert: An exposed server that provides public access to a critical service, such as a proxy, web, or email server, can be configured to isolate it from an organization's internal network and to report attack attempts to the network administrator. Such an isolated server is usually located in the DMZ and is often referred to as a

bastion host.

Boot sector virus: This type of virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory. As a result, the virus loads (when?)

before the operating system even starts.

A __ server that does not require a client-side configuration is called a transparent proxy server.

caching

Instead of depending on the user to establish a VPN connection, the always-on VPN client immediately and automatically establishes a VPN connection when an Internet connection is made. Network authentication occurs through

certificates or other enterprise solutions because the connection is transparent to the user. Examples of always-on VPN solutions include Microsoft DirectAccess and Cisco AnyConnect Secure Mobility.

To minimize the effects of DNS poisoning,

check the DNS setup if you are hosting your own DNS. Be sure the DNS server is not open-recursive. An open-recursive DNS server responds to any lookup request without checking where it originates. Disable recursive access for other networks to resolve names that are not in your zone files. You can also use different servers for authoritative and recursive lookups and require that caches discard information except from the com servers and the root servers. From the user perspective, education works best. However, it is becoming more difficult to spot a problem by watching the address bar on the Internet browser. Therefore, operating system vendors are adding more protection. Microsoft Windows User Account Control (UAC) notifies the user that a program is attempting to change the system's DNS settings, thus preventing the DNS cache from being poisoned.

ExamAlert: Routers can also be configured to help prevent IP spoofing through antispoofing techniques. These can include

creating a set of access lists that deny access to private IP addresses and local host ranges from the Internet and also using strong protocol authentication.

Although DDoS attacks generally come from outside the network to deny services, you must also consider the effect of DDoS attacks mounted from inside the network. Internal DDoS attacks allow disgruntled or malicious users to disrupt services without any outside influence. To help protect your network, you can set up filters on external routers to drop packets involved in these types of attacks. You should also set up another filter that

denies traffic originating from the Internet that shows an internal network address. When you do this, you incur the loss of ping and some services and utilities for testing network connectivity, but this is a small price to pay for network protection.

Essentially, an implicit deny works the same as finishing the ACL with

deny ip any any.

(prowse) The Directory Services log file shows

events, warnings, and errors that occur on a domain controller.

In active/active configuration, two or more servers work together to distribute the load to network servers. Because all load balancers are active, they run almost at full capacity. If one of the load balancers fails, network traffic runs slow and user sessions time out. Virtual IPs (VIPs) are often implemented in the active/active configuration. A VIP ...

has at least one physical server assigned but more than one virtual IP address assigned, usually through a TCP or UDP port number. Using VIPs spreads traffic among the load balancing servers. VIPs are a connection-based workload balancing solution, so if the interface cannot handle the load, traffic bottlenecks and becomes slow.

ExamAlert: Rootkits can be (3)

included as part of software packages, can be installed through an unpatched vulnerability, or can be downloaded and installed by users.

Although router placement is primarily determined by the need to segment different networks or subnets, routers also have some good security features. One of the best features of a router is

its capability to filter packets by source address, destination address, protocol, or port. These filters are actually access control lists (ACLs).

ARP poisoning is limited to attacks that are

locally based, so an intruder needs either physical access to your network or control of a device on your local network.

If a rootkit has been installed, traditional antivirus software cannot always detect it because many rootkits run in the background. You can usually spot it by (3)

looking for memory processes, monitoring outbound communications, and checking for newly installed programs.

Race conditions can result in

malfunction and unexpected results. Race conditions also can cause denial of service. In fact, a race condition can cause null pointer errors in which an application dereferences a pointer that it expects to be valid but is really null, resulting in a system crash. Race conditions are also associated with allowing attackers to escalate their privileges.

(prowse) ActiveX controls are small program building blocks used to allow a web browser to execute a program. They are similar to Java applets; however, Java applets can run on any platform, whereas ActiveX can run only on Internet Explorer (and Windows operating systems). You can see how a downloadable, executable ActiveX control or Java applet from a suspect website could possibly contain viruses, spyware, or worse. These are known as

malicious add-ons—Flash scripts especially can be a security threat. Generally, you can disable undesirable scripts from either the advanced settings or by creating a custom security level or zone. If a particular script technology cannot be disabled within the browser, consider using a different browser, or a content filtering solution.

Is RFID one way or two way?

one way

A penetration test involves four primary phases:

planning, discovery, attack, and reporting

Overflows present an opportunity for compromise using (and identify two types)

privilege escalation. Services require special privileges for their operation. A programming error could allow an attacker to obtain special privileges. In this situation, two possible types of privilege escalation exist: a programming error enabling a user to gain additional privileges after successful authentication, and a user gaining privileges with no authentication.

A __ exploits a small window of time in which one action impacts another. These out-of-sequence actions can result in a system crash, loss of data, or unauthorized access.

race condition

(prowse) Arbitrary code execution is when an attacker obtains control of a target computer through some sort of vulnerability, thus gaining the power to execute commands on that remote computer at will. Programs that are designed to exploit software bugs or other vulnerabilities are often called arbitrary code execution exploits. These types of exploits inject "shellcode" to allow the attacker to run arbitrary commands on the remote computer. This type of attack is also known as __ and can potentially allow the attacker to take full control of the remote computer and turn it into a zombie.

remote code execution (RCE)

Network load balancers are

reverse proxy servers configured in a cluster to provide scalability and high availability.

IDS: ExamAlert: Similar to anomaly-based methods, heuristic-based methods are typically

rule-based and look for abnormal behavior. Heuristic rules tend to categorize activity into one of the following types: benign, suspicious, or unknown.

The main advantage SSL and TLS VPNs have over IPsec VPNs is

simple end-user implementation because they function via a browser and an Internet connection. The workforce has become very mobile, allowing employees to work anytime and anywhere. This shift has caused organizations to replace traditional IPsec VPNs with SSL/TLS VPNs that include an always-on solution.

ExamAlert: A logic bomb is also referred to as

slag code. The malicious code is usually planted by a disgruntled employee.

Some Wi-Fi technologies have been shown to be easily susceptible to an IV attack. This attack uses passive statistical analysis. An IV is an input to a cryptographic algorithm, which is essentially a random number. Ideally, an IV should be unique and unpredictable. An IV attack can occur when

the IV is too short, predictable, or not unique. The attack is possible when the IV is not long enough, which means it has a high probability of repeating itself after only a small number of packets. Modern wireless encryption algorithms use a longer IV, and newer protocols also use a mechanism to dynamically change keys as the system is used.

Note: Within U.S. governmental agencies, vulnerability is discussed using

the Open Vulnerability Assessment Language (OVAL), sponsored by the Department of Homeland Security's National Cyber Security Division (NCSD). OVAL is intended to be an international language for representing vulnerability information. It uses an Extensible Markup Language (XML) schema for expression, allowing tools to be developed to test for identified vulnerabilities in the OVAL repository.

(prowse) Penetration testing is the method most closely associated with DLL injection, which is a technique used to run code within the address space of another process by forcing it to load a dynamic link library. It is used to influence the behavior of a program in a way that the creator of the program did not intend. This type of injection can be incorporated into

the Registry in Windows.

After conducting a vulnerability assessment, the results should be organized based on

the severity of the risks to the organization.

Unlike a system that tests for open ports, which tests only for the availability of services, vulnerability scanners can check for

the version or patch level of a service to determine its level of vulnerability.

Another exploit is the race condition. This is a difficult exploit to perform because it takes advantage of the small window of time between when a service is used and its corresponding security control is executed in an application or OS, or when temporary files are created. It can be defined as anomalous behavior due to a dependence on

timing of events. Race conditions are also known as time-of-check (TOC) or time-of-use (TOU) attacks. Imagine that you are tasked with changing the permissions to a folder, or changing the rights in an ACL. If you remove all of the permissions and apply new permissions, then there will be a short period of time where the resource (and system) might be vulnerable.

The primary purpose of a reverse proxy is

to increase the efficiency and scalability of the web server by providing load balancing services. Full reverse proxies are capable of deep content inspection and often are implemented as a method for enforcing web application security and mitigating data leaks.

(prowse) The best way to prevent IV attacks is

to use stronger wireless protocols such as WPA2 and AES instead of WPA or WEP, which are vulnerable.

HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting (2)

unauthorized file modifications and user activity.

Kernel rootkits modify the kernel component of an operating system. These newer rootkits can intercept system calls passed to the kernel and can filter out queries that the rootkit software generates. Rootkits have also been known to __ and __ to communicate without interrupting other applications.

use encryption to protect outbound communications; piggyback on commonly used ports

(prowse) Arbitrary code execution is

when an attacker obtains control of a target computer through some sort of vulnerability, thus gaining the power to execute commands on that remote computer at will. Programs that are designed to exploit software bugs or other vulnerabilities are often called arbitrary code execution exploits. These types of exploits inject "shellcode" to allow the attacker to run arbitrary commands on the remote computer. This type of attack is also known as remote code execution (RCE) and can potentially allow the attacker to take full control of the remote computer and turn it into a zombie.

Keep in mind that the key difference between a virus and a worm is that

worms do not need to attach themselves to files and programs and are capable of reproducing on their own.

To mitigate ARP poisoning on a small network, __ For large networks, __(2)

you can use static or script-based mappings for IP addresses and ARP tables; use equipment that offers port security. By doing so, you can permit only one MAC address for each physical port on the switch. In addition, you can deploy monitoring tools or an intrusion detection system (IDS) to alert you when suspect activity occurs.

You should be familiar with two specific spoofing methods:

▶ Blind spoofing: The attacker sends data and only makes assumptions of responses.
▶ Informed spoofing: The attacker can participate in a session and can monitor the bidirectional communications.

Given NFC's limited range, the types and practicality of attacks become limited by distance. Regardless, the following list highlights potential risks of NFC: (4)

▶ Confidentiality: Attacks can take advantage of the risk posed by any communications methods. This includes eavesdropping. Any sensitive data must be encrypted to mitigate such concerns.
▶ Denial of service: NFC could be subject to such jamming and interference disruptions causing loss of service.
▶ Man-in-the-middle (MITM) attacks: Theoretically, MITM attacks are possible. But again, given the limitations of proximity, such attacks present their own challenges.
▶ Malicious code: As with any client device, malware prevention and user awareness are key controls.

A buffer overflow can result in the following: (3)

▶ Data or memory storage is overwritten.
▶ The attack overloaded the input buffer's capability to cope with the additional data, resulting in denial of service.
▶ The originator can execute arbitrary code, often at a privileged level.

Vulnerability assessment tools are specialized systems used to test systems for known vulnerabilities, misconfigurations, bugs, or weaknesses. The output of these tools requires careful interpretation. In many cases, several factors need to be considered. Interpretation of the results typically leads to one of three approaches:

▶ Doing nothing, either because of a false positive or because the organization faces no significant risk
▶ Fixing or eliminating the vulnerability or security gap
▶ Accepting the security gap but implementing mitigating controls

Endpoint protection technologies defend against malware by identifying and remediating security threats. Such software often provides the first line of defense by identifying that a machine has been targeted or compromised. Other symptoms of infection include unexpected system behavior and system instability. To further determine whether a system has been infected, examine the following critical areas: (3) (describe)

▶ Memory: After malware is executed, it might reside in memory. Tools such as Windows Task Manager or Activity Monitor for Macs provide insight into all running processes in memory and can help identify rogue processes.
▶ Registries: The Windows registry, for example, provides various system settings that malware often targets. Specifically, Windows contains various entries that enable software to automatically start upon login. Malware can take advantage of these entries to ensure that malicious executables are run each time the computer starts up.
▶ Macros: Office applications such as Microsoft Word provide a powerful function to automate procedures. However, these macros also give malware the opportunity to automatically generate instructions when such documents launch. Office software offers an option to generate alerts when macros are being run.

SIEM: To create EOIs (events of interest), the correlation engine uses data that was aggregated by the following techniques: (4)

▶ Pattern matching
▶ Anomaly detection
▶ Boolean logic
▶ A combination of Boolean logic and context-relevant data

Some clues indicate that a computer might contain spyware: (5)

▶ The system is slow, especially when browsing the Internet.
▶ The Windows desktop is slow in coming up.
▶ Clicking a link does nothing or takes you to an unexpected website.
▶ The browser home page changes, and you might not be able to reset it.
▶ Web pages are automatically added to your favorites list.
