14.11 Security Troubleshooting


Which type of file is commonly used by trusted websites to create installation software for mobile devices?
- SYS file
- APK file
- EXE file
- BAT file

- APK file

Trusted websites that create installation software for handheld devices use APK files. These files have signatures on them that only allow the vendor to install software on the manufacturers' devices. A BAT file is a DOS batch file used to execute commands within Windows Command Prompt (cmd.exe). A BAT file is not used for mobile devices. An EXE file is an executable program that you can run in Microsoft Windows. It includes either Windows applications or application installers. It is not used for mobile devices. A SYS file is a system file used by Windows to store system settings, variables, and functions to run the operating system.

Symptoms of a Compromised Device

- Connectivity
- Increased data usage
- False security warnings

Which of the following are the FIRST settings you should check if you suspect that a malware attack has impacted your internet connection? (Select two.)
- BIOS settings
- DNS settings
- VPN settings
- Proxy settings
- Internet Connection Sharing settings

- DNS settings
- Proxy settings

The two recommended settings you should check first are proxy and DNS settings. Adjusting the proxy settings can redirect the user to another location where the attacker can then integrate penetration tools to find vulnerabilities. A DNS server can be reconfigured to take a user outside the network and on to a similar web page. BIOS, VPN, and Internet Connection Sharing settings are much less likely to be altered by a malware attack.

You are an IT technician for your company. Vivian, an employee, has been receiving error messages, indicating that some of her Windows system files are corrupt or missing. To fix this issue, you ran the Windows System File Checker tool (SFC.exe). Shortly after the files were repaired, Vivian called again because she is still having the same issue. You now suspect that a corruption or a renaming of the system files is being caused by malware. Which of the following is the FIRST step you should take to remove any malware on the system?
- Disable System Restore.
- Disconnect Vivian's computer from the network.
- Back up Vivian's critical files and perform a clean install of Windows.
- Perform a scan using anti-malware software.

- Disconnect Vivian's computer from the network.

When you suspect that a computer may be infected with malware, you should immediately disconnect (quarantine) the computer from the network to prevent propagation of the malware. After the computer is isolated, you can back up the computer and begin to remove the malware by using a virus removal program (anti-malware software) in Safe Mode. Disabling System Restore does not further any removal of malware. Backing up an infected computer and performing a clean install of Windows does not resolve any issues with Vivian's critical files, and it does not prevent any future issues with malware.

You have just visited a website on your mobile device when your web browser locks up, and you receive a warning that your device has a virus. You are given a phone number to call to remove the virus. Which of the following describes the type of malware symptom that you are MOST likely experiencing?
- Spoofed application
- Increased data usage
- False security warning
- Connectivity issue

- False security warning

Just like a normal desktop system, a mobile device can be the victim of a site that falsely purports to know that a virus was installed (the site might even lock your browser). These are false security warnings that will have address links or a phone number to call. Connectivity is another malware symptom that results in sluggish performance. It may be because an application is leaking data and using all of its bandwidth to constantly transmit its own signal. But there is usually no warning message displayed like the one described in the scenario. If you are experiencing an increased amount of data, this could be a telltale sign that there is an application broadcasting data without permission. But there is usually no warning message displayed like the one described in the scenario. Spoofed applications are a type of malicious software that appears to be a real program, but is actually a security threat.

Which of the following are common symptoms of a compromised mobile device? (Select two.)
- Increased data usage
- Wi-Fi spoofing
- Connectivity issues
- An increase in junk email
- Screen flickering

- Increased data usage
- Connectivity issues

Two of the most common symptoms of a compromised mobile device are:
1) Connectivity issues - If a device seems sluggish, it may be because an application is leaking data and using bandwidth to constantly transmit its own signal.
2) Increased data usage - If you are experiencing an increased amount of data usage, this could be a telltale sign that there is an application broadcasting data without permission.

While a flickering screen or an increase in junk email might be symptoms of a compromised device, they are more commonly associated with hardware failure (flickering screen) or your email account being more widely distributed among online businesses (increase in junk email). Wi-Fi spoofing occurs when someone sets up a wireless access point in a public area (such as a store) and broadcasts the same ID as the Wi-Fi that is being provided by the establishment. Wi-Fi spoofing is not a symptom of a compromised mobile device.

Which mobile device vulnerability results in a user unlocking all of a mobile device's features and capabilities?
- Jailbreaking
- An APK signature
- Developer Mode
- Spoofed application

- Jailbreaking

Jailbreaking a handheld device unlocks all the features and capabilities of that device. Once a mobile device is jailbroken, large holes in the operating system can be exploited, including the system files. Developer Mode is made for software companies and manufacturers to be able to create and test applications and features on mobile devices. Turning on this feature can lead to the unlocking of system files on the operating system. However, Developer Mode does not unlock all the features and capabilities of a mobile device. A spoofed application looks like a real program, but is actually an infected version of a real application. A spoofed application is not designed to unlock all the features and capabilities of a mobile device. Trusted websites that create installation software for handheld devices use APK files. These files have APK signatures on them that only allow the vendor to install software on the manufacturers' devices. APK files are not designed to unlock all the features and capabilities of a mobile device.

Settings an attacker might change

- Proxy settings: Adjusting the proxy settings can redirect the user to a location where the attacker can integrate penetration tools for finding vulnerabilities. To avoid this, ensure that a user who is part of the proxy server has the IP address and ports correctly configured.
- DNS settings: An attacker can configure the DNS server to take the user outside the network and onto a similar web page. To avoid this, make sure that the internet properties for DNS are correctly set up.
- Host files: Check host files to ensure that the name of the user is correctly configured with the server.

Which of the following are likely symptoms of a malware infection? (Select two.)
- Renamed system files.
- Operating system updates that were installed without your knowledge.
- Cookies placed by a recently visited website.
- Changed file permissions.
- Receipts of phishing emails in your inbox.

- Renamed system files.
- Changed file permissions.

Common symptoms of a malware infection include the following:
- Slow computer performance
- Internet connectivity issues
- Operating system lockups
- Windows update failures
- Renamed system files
- Disappearing files
- Changed file permissions
- Access denied errors

Cookies are commonly placed by legitimate websites and aren't considered a major security threat. Windows automatically installs updates by default. Phishing emails don't necessarily indicate that a system is infected with malware. It is more likely that your email address has been picked up and included on a list.

An employee calls to complain that their browser keeps opening up to a strange search engine page, and a toolbar has been added to their browser. Which of the following malware issues are MOST likely causing the problem?
- Altered file issues
- Internet setting issues
- Internet connectivity issues
- Software issues

- Software issues

Software issues can result in a browser opening to a strange search engine page and unwanted toolbars. Internet settings and connectivity issues result from a malware attack changing settings in your system. These problems do not normally result in an unwanted search engine page or toolbar. Altered file issues normally deal with an attacker moving, copying, and deleting files or changing file permissions. These alterations do not normally result in an unwanted search engine page or toolbar.

Your company is creating a financial application that you want to first test on mobile devices. Several customers have asked to be part of the beta testing process. What do the employees need to do on their mobile devices in order to be able to participate in the beta test?
- Enable authentication on their mobile devices.
- Jailbreak their mobile devices.
- Install and use a password manager.
- Turn on Developer Mode.

- Turn on Developer Mode.

Developer Mode is made for software companies and manufacturers to be able to create and test applications and features on mobile devices. Jailbreaking a mobile device unlocks all the features and capabilities of that device. Doing this is not required for testing an application from a trusted source. While enabling authentication and having a password manager on your mobile device are both good practices, they are not normally required to participate in a beta test of an application.

While browsing the internet, a pop-up browser window comes up, warning you that your system is infected with a virus. You are directed to click a link to remove the virus. Which of the following are the BEST next actions to take? (Select two.)
- Update the virus definitions for your locally installed anti-malware software.
- Run a full system scan using the anti-malware software installed on your system.
- Use an online search engine to learn how to manually remove the virus.
- Close the pop-up window and ignore the warning.
- Click on the link provided to scan for and remove the virus.

- Update the virus definitions for your locally installed anti-malware software.
- Run a full system scan using the anti-malware software installed on your system.

This scenario is an example of a rogue antivirus attack. As such, you should assume that your system has been infected by some kind of malware, possibly by one of the sites you visited recently. You should first close your browser window and then update the virus definitions for your locally installed antivirus software. Next, you should run a full system scan using the antivirus software installed on your system. Clicking on the link provided would be the worst choice, as it will most likely install a host of other malware on your system. Ignoring the message is unwise, as your system has probably been infected with malware at that point. You should not try to manually remove the virus, as the message displayed by the rogue antivirus attack is probably fictitious.

Jailbreaking

Jailbreaking a mobile device disables security features of the device. Manufacturers enable these functions to protect the device from malicious programs. Once the mobile device is unlocked (jailbroken), operating system files can be exploited. If a user has problems with a device, determine if the security features have been unlocked and determine the apps that were installed before the issues began. This may narrow the search down to finding malicious software.

Android Package Kit (APK) files

Trusted websites that create installation software for handheld devices use APK files. These files have signatures that allow only the vendor to install software on the manufacturer's devices. This means that a handheld device must recognize the application as being from a trusted source. The only way to download applications from an untrusted site is to allow installations of non-market applications in the settings menu. If a user experiences slow performance and connectivity issues, check the device's applications and settings to see if the user has downloaded malicious software.

