Threats, Attacks, and Vulnerabilities
Match the social engineering description on the left with the appropriate attack type on the right.
Attack types: Phishing, Whaling, Spear phishing, Dumpster diving, Piggybacking, Vishing
Descriptions:
- An attacker uses a telephone to convince target individuals to reveal their credit card information.
- An attacker gathers personal information about the target individual in an organization.
- An attacker pretending to be from a trusted organization sends an email asking users to access a website to verify personal information.
- An attacker searches through an organization's trash looking for sensitive information.
- An attacker gathers personal information about the target individual, who is a CEO.
- An attacker enters a secured building by following an authorized employee through a secure door without providing identification.
Identify and label the following attacks by dragging the term on the left to the definition on the right. Not all terms are used.
Terms: Masquerading, Whaling, Vishing, Spear phishing, Spim, Phishing, Piggybacking, Spam, Tailgating
Definitions:
- Attackers send emails with specific information about the victim (such as which online banks they use) that ask them to verify personal information or send money.
- Attackers use Voice over IP (VoIP) to pretend to be from a trusted organization and ask victims to verify personal information or send money.
- Attackers send unwanted and unsolicited text messages to many people with the intent to sell products or services.
- An attacker convinces personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.
- An attacker pretending to be from a trusted organization sends emails to senior executives and high-profile personnel asking them to verify personal information or send money.
Which of the following describes a logic bomb?
- A program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found.
- A program that appears to be a legitimate application, utility, game, or screensaver that performs malicious activities surreptitiously.
- A program that performs a malicious activity at a specific time or after a triggering event.
- A type of malicious code similar to a virus whose primary purpose is to duplicate itself and spread, while not necessarily intentionally damaging or destroying resources.
A program that performs a malicious activity at a specific time or after a triggering event.
Explanation: A logic bomb is a program that performs a malicious activity at a specific time or after a triggering event. Logic bombs can be planted by a virus, a Trojan horse, or an intruder. Logic bombs may perform their malicious activity at a specific time and date or when a specific event occurs on the system, such as logging in, accessing an online bank account, or encrypting a file. A type of malicious code similar to a virus whose primary purpose is to duplicate itself and spread while not necessarily intentionally damaging or destroying resources is a worm. A program that appears to be a legitimate application, utility, game, or screensaver that performs malicious activities surreptitiously is a Trojan horse. A program that has no useful purpose but attempts to spread itself to other systems and often damages resources on the systems where it is found is a virus.
Which of the following is an example of an internal threat?
A user accidentally deleted the new product designs.
What is the main difference between a worm and a virus?
- A worm is restricted to one system, while a virus can spread from system to system
- A worm can replicate itself, while a virus requires a host for distribution
- A worm requires an execution mechanism to start, while a virus can start itself
- A worm tries to gather information, while a virus tries to destroy data
A worm can replicate itself, while a virus requires a host for distribution.
Explanation: A worm is a self-replicating program that uses the network to replicate itself to other systems. A worm does not require a host system to replicate. Both viruses and worms can cause damage to data and systems, and both spread from system to system, although a worm can spread itself while a virus attaches itself to a host for distribution.
A SYN attack or SYN flood exploits or alters which element of the TCP three-way handshake?
ACK
While browsing the Internet, you notice that the browser displays ads that are targeted towards recent keyword searches you have performed. What is this an example of?
Adware
Which of the following measures are you most likely to implement to protect against a worm or Trojan horse?
Anti-virus software
Which of the following statements about the use of anti-virus software is correct?
Anti-virus software should be configured to download updated virus definition files as soon as they become available.
What is another name for a logic bomb?
Asynchronous attack
The receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. The individual is engaging in which type of social engineering?
Authority
A collection of zombie computers have been set up to collect personal information. What type of malware do the zombie computers represent?
- Trojan horse
- Botnet
- Logic bomb
- Spyware
Botnet
Explanation: A botnet is a collection of zombie computers that are commanded from a central control infrastructure to propagate spam or to collect usernames and passwords to access secure information. A logic bomb is malware that lies dormant until triggered. A Trojan horse is a malicious program that is disguised as legitimate software. Spyware monitors the actions performed on a machine and then sends the information back to its originating source.
An attacker is conducting passive reconnaissance on a targeted company. Which of the following could he be doing?
Browsing the organization's website
As the victim of a Smurf attack, what protection measure is the most effective during the attack?
Communicate with your upstream provider
To tightly control the anti-malware settings on your computer, you elect to update the signature file manually. Even though you vigilantly update the signature file, the machine becomes infected with a new type of malware. Which of the following actions would best prevent this scenario from occurring again?
Configure the software to automatically download the virus definition files as soon as they become available.
An attacker sets up 100 drone computers that flood a DNS server with invalid requests. This is an example of which kind of attack?
DDoS
Which attack form either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring?
Denial of service attack
Which of the following is a common social engineering attack?
Distributing hoax virus information emails
Dumpster diving is a low-tech way of gathering information that may be useful in gaining unauthorized access or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving?
Establish and enforce a document destruction policy
Which of the following are denial of service attacks? (Select two.)
Fraggle
Smurf
Which of the following is not a form of social engineering?
Impersonating a user by logging on with stolen credentials
You have installed anti-malware software that checks for viruses in email attachments. You configure the software to quarantine any files with problems. You receive an email with an important attachment, but the attachment is not there. Instead, you see a message that the file has been quarantined by the anti-malware software. What has happened to the file?
It has been moved to a secure folder on your computer.
Which of the following best describes spyware?
It monitors the actions you take on your machine and sends the information back to its originating source.
A SYN packet is received by a server. The SYN packet has the exact same address for both the sender and receiver addresses, which is the address of the server. This is an example of what type of attack?
Land attack
When a SYN flood is altered so that the SYN packets are spoofed in order to define the source and destination address as a single victim IP address, the attack is now called what?
Land attack
Which type of active scan turns off all flags in a TCP header?
Null
What is the weakest point in an organization's security infrastructure?
People
Which of the following attacks tricks victims into providing confidential information (such as identity information or login credentials) through emails or websites that impersonate an online entity that the victim trusts?
Phishing
Which of the following denial of service (DoS) attacks uses ICMP packets and is only successful if the victim has less bandwidth than the attacker?
Ping flood
Which of the following are characteristics of a rootkit? (Select two.)
- Requires administrator-level privileges for installation
- Uses cookies saved on the hard drive to track user preferences
- Monitors user actions and opens pop-ups based on user preferences
- Hides itself from detection
Requires administrator-level privileges for installation
Hides itself from detection
Explanation: A rootkit is a set of programs that allows attackers to maintain hidden, permanent, administrator-level access to a computer. A rootkit:
• Is almost invisible software
• Resides below regular antivirus software detection
• Requires administrator privileges for installation, then maintains those privileges to allow subsequent access
• Might not be malicious
• Often replaces operating system files with alternate versions that allow hidden access
Spyware collects various types of personal information, such as internet surfing habits and passwords, and sends the information back to its originating source. Adware monitors actions that denote personal preferences, then sends pop-ups and ads that match those preferences. Both spyware and adware can use cookies to collect and report a user's activities.
Which of the following is a characteristic of a virus?
- Requires an activation mechanism to run
- Requires administrative privileges to install
- Capable of replicating itself
- Is remotely controlled by a central command
Requires an activation mechanism to run
Explanation: A virus has the following characteristics:
• A virus requires a replication mechanism, which is a file that it uses as a host. When the host file is distributed, the virus is also distributed. Viruses typically attach to files with execution capabilities such as .doc, .exe, and .bat extensions. Many viruses are distributed to everyone in your email address book.
• The virus only replicates when an activation mechanism is triggered. For example, each time the infected file or program is executed, the virus is activated.
• The virus is programmed with an objective, which is usually to destroy, compromise, or corrupt data.
You recently discovered several key files of your antivirus program have been deleted. You suspect that a virus has deleted the files. Which type of virus deletes key antivirus program files?
Retro
You have heard about a new malware program that presents itself to users as a virus scanner. When users run the software, it installs itself as a hidden program that has administrator access to various system components. The program then tracks system activity and allows an attacker to remotely gain administrator access to the computer. Which of the following terms best describes this software?
Rootkit
Which of the following is undetectable software that allows administrator-level access?
- Trojan horse
- Rootkit
- Logic bomb
- Spyware
- Worm
Rootkit
Explanation: A rootkit is a set of programs that allows attackers to maintain permanent, administrator-level, hidden access to a computer. A rootkit:
• Is almost invisible software
• Resides below regular antivirus software detection
• Requires administrator privileges for installation, then maintains those privileges to allow subsequent access
• Might not be malicious
• Often replaces operating system files with alternate versions that allow hidden access
A worm is a self-replicating virus. A Trojan horse is a malicious program that is disguised as legitimate or desirable software. A logic bomb is designed to execute only under predefined conditions and lies dormant until the predefined condition is met. Spyware is software that is installed without the user's consent or knowledge and designed to intercept or take partial control over the user's interaction with the computer.
Which of the following is a denial of service attack that:
• Subverts the TCP three-way handshake process by attempting to open numerous sessions on a victim server
• Intentionally fails to complete the session by not sending the final required packet
SYN flood
You have installed anti-virus software on the computers on your network. You update the definition and engine files and configure the software to update those files every day. What else should you do to protect your systems from malware?
Schedule regular full system scans
Educate users about malware
What is the primary distinguishing characteristic between a worm and a logic bomb?
Self-replication
Which of the following are examples of social engineering? (Select two.)
Shoulder surfing
Dumpster diving
Which of the following is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network?
Smurf
What type of malware monitors your actions?
- Trojan horse
- Worm
- Spyware
- Virus
Spyware
Explanation: Spyware monitors the actions performed on a machine and then sends the information back to its originating source. A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A worm is a self-replicating program that can be designed to do any number of things, such as negatively impacting network traffic. A Trojan horse is a malicious program that is disguised as legitimate software.
Which type of virus conceals its presence by intercepting system requests and altering service outputs?
Stealth
In which of the following denial of service (DoS) attacks does the victim's system rebuild invalid UDP packets, causing the system to crash or reboot?
Teardrop
Which of the following is the main difference between a DoS attack and a DDoS attack?
The DDoS attack uses zombie computers.
You suspect that an Xmas tree attack is occurring on a system. Which of the following could result if you do not stop the attack? (Select two.)
The system will become a zombie
The system will be unavailable to respond to legitimate requests.
The threat agent will obtain information about open ports on the system
Which is a program that appears to be a legitimate application, utility, game, or screensaver and performs malicious activities surreptitiously?
- Trojan horse
- Outlook Express
- ActiveX control
- Worm
Trojan horse
Explanation: A Trojan horse is a program that appears to be a legitimate application, utility, game, or screensaver, but performs malicious activities surreptitiously. Trojan horses are very common on the internet. To keep your systems secure and free from such malicious code, you need to take extreme caution when downloading any type of file from just about any site on the internet. If you don't fully trust the site or service that is offering a file, don't download it. Outlook Express is an email client found on Windows. A worm is a type of malicious code similar to a virus. A worm's primary purpose is to duplicate itself and spread, while not necessarily intentionally damaging or destroying resources. ActiveX controls are web applications written in the framework of ActiveX.
What is the greatest threat to the confidentiality of data in most secure organizations?
USB devices
If your anti-virus software does not detect and remove a virus, what should you try first?
Update your virus detection software.
You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that, as part of a system upgrade, you are to go to a website and enter your user name and password at a new website so you can manage your email and spam using the new service. What should you do?
Verify that the email was sent by the administrator and that this new service is legitimate.
You've just received an email message explaining that a new and serious malicious code threat is ravaging across the internet. The message contains detailed information about the threat, its source code, and the damage it can inflict. The message states that you can easily detect whether or not you have already been a victim of this threat by the presence of three files in the \Windows\System32 folder. As a countermeasure, the message suggests that you delete these three files from your system. In response to this message, which action should you take first?
Verify the information on well-known malicious code threat management websites
What is the common name for a program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found?
Virus
Which of the following social engineering attacks use Voice over IP (VoIP) to gain sensitive information?
Vishing
A senior executive reports that she received a suspicious email concerning a sensitive internal project that is behind production. The email was sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on schedule. Which type of an attack best describes the scenario?
Whaling
Which of the following is privilege escalation?
Creeping privileges
You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use?
nmap