Chapter 16

o Briefly explain a port scanning process

An automated tool meant to identify known vulnerabilities. This can help figure out what OS is being used. It can provide much more information as well such as what firewalls are defending the target Find a free port to get access!

o Briefly explain what a zero-day attack is and why it is a problem

Attacks that not have been seen before and therefore cannot be detected via their signatures.

o Briefly explain how a secure by default strategy minimizes a system's attack surface

Basing it off of Solaris 10, they disable many services when it is installed and have to be specifically enabled by the system admins. They reduce attack surface because the more "open" a system is, the more likely there is to be a bug to exploit it.

o Explain the commonalities and differences between breach of confidentiality, breach of integrity, breach of availability, theft of service, denial of service (quiz question will likely just have two or three of these)

Confidentiality: unauthorized reading of data or theft of information. Capturing secret data from a system or a data stream. Integrity: unauthorized modification of data. Result in passing of liability to an innocent party or modification of code. Availability: unauthorized destruction data. Website defacement is an example Theft of service: unauthorized use of resources. An intruder or intrusion program (think of bit coin miners using up resources to mine) Denial of service: preventing legitimate use of the system.

o Briefly explain a denial of service attack (or distributed DOS) and explain what a zombie computer is and how it is used for these attacks

DDOS: attacking a server so that it gets slowed down and is overwhelmed with requests that it can not be accessed. Zombie computer: The malicious party will use an unsuspecting persons computer to launch the attack so that they will not have a trace leading back to them and will make it harder.

o Briefly explain the difference between a digital signature authentication algorithm and a digital certificate strategy

Digital signature authentication algo: enable anyone to verify the authenticity of the message. It is not possible to get a private key from a public key Digital certificate strategy: public key digitally signed by a trusted party. Trusted party receives proof of identification from some entity and certifies that the public key belongs to that entity

o Explain one or more of the following virus threats: file, boot, macro, source code, polymorphic, encrypted, stealth, tunneling, multipartite, armored, virus droppers

File: appends itself to a file. Changes the start of the program so that execution jumps to its code. It can be unnoticed since it returns control to the program once it is finished executing. Boot: affects the boot sector of the system, executing every time the system is booted and before the operating system is loaded. Macro: these are designed in high level languages. Triggered when a program capable of executing the macro is run. Source code: looks for source code and modifies it to include the virus and helps to spread the virus Polymorphic: changes each time it is installed to avoid detection by anti-virus software. It changes the virus signature rather than the functionality. Encrypted: includes decryption code along with the encrypted virus to avoid detection. It will decrypt then execute Stealth: tries modifying parts of the system that could be used to detect it. Example: it could modify the read system call so that if the file it has modified is read, the og form is returned rather than the infected Tunneling: any virus that gets installed before an antivirus can detect it Multipartite: infect multiple parts of the system, including boot sectors, memory and files. Difficult to detect and detain Armored: hard for researchers to unravel and understand. Virus droppers: inserts a virus into the system. It is usually a trojan horse, executed for other reason but installing the virus as its core activity.

o Explain one or more of the following attacks: masquerading (or spoofing), replay attack, message modification, man-in-the-middle attack, session hijacking

Masquerading (spoofing): one participant in a communication pretends to be someone else (breach authentication). Can gain access that they would not normally be allowed Replay attack: malicious or fraudulent repeat of a valid data transmission (example: someone could have a machine that reads the signal of a garage opener and the replays it to the garage to open it themselves) Message modification: attacker changes data in a communication without the sender's knowledge. (is it possible to intercept an email, change it, then have it continue to the recipient) Man-in-the-middle attack: sits in the data flow of a communication, masquerading as the sender to the receiver, and vice versa. You could have the legitimate A and B sending messages to each other but then C will come in with B's key and get that information from A and sending it to B themselves. A thinks it is giving its message to B, and B thinks it's getting its message directly from A but really C is an intruder facilitating the messages. Session hijacking: active communication session is intercepted

o Identify and explain the four levels of protection for a system, which include physical, human, operating system, and network

Physical: Sites containing the computer systems must be secured. Machine rooms, terminals, or computers that have access must be secured. I.e making a room with such systems only allowed in with a keycode only those allowed in know. Human: Any person that has access to such systems must be trusted to not expose the systems to unauthorized parties OS: Must be kept up to date so that any vulnerabilities get patched to decrease the attack surface and avoid penetration Network: Must make sure that communications will not be interception or interrupted (DOS).

o Briefly but clearly explain the difference between protection and security; provide an example that distinguishes between the two

Protection: set of mechanisms that control the access of processes and users to the resources defined by the computer system Example: People need a password to log into their bank account and manage their finances Security: measure of confidence that the integrity of a system and its data will be preserved Example: Banks insure that users will be able to have access to their finances and wont lose money

o Briefly explain the difference between risk assessment and penetration testing

Risk assessment: attempts to value the assets of the entity in question and determine the odds that a security incident will affect the entity and decrease its value Penetration testing: entity is scanned for known vulnerabilities.

o Briefly explain the difference between a security threat and an attack

Security threat: there is the potential for a security violation Attack: an attempt to break security

o Briefly explain the defense in depth strategy of system defense; provide a non-computer-related example

System defense: Non computer example:

o Explain one or more of the following program threats: Trojan horse, trap door, back door, logic bomb, stack/buffer overflow

Trojan horse: A program that acts in a malicious manner, rather than simply performing its stated function. An mobile app is meant to function as only a flashlight but it also is tracking a users input and sending it to a malicious party Trap door/back door: designer leaves a hole in the software that only they are capable of using. Example: embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their account . Logic bomb: back door that can only operate under a specific set of logic conditions. Example, one network admin had a destruction reconfiguration of his company's network execute when his program detected that he was no longer employed at the company. Stack/buffer overflow: When something is trying to access or allocate outside a set of bounds. Examples: infinite recursion, trying to reach an index out of bounds of an array

o Explain how a worm might be used to attack computers, and how grappling hook code is used

Worm: use a network to replicate without any help from humans Grappling hook code: