CS480 Chapter 16

Briefly explain what a zero-day attack is and why it is a problem.

A zero day attack - Undocumented attack; exploits a vulnerability that hasn't been discovered. It's a problem because nobody understands how it works.

Explain one or more of the following attacks: masquerading (or spoofing), replay attack, message modification, man-in-the-middle attack, session hijacking.

Masquerading/Spoofing - Some participant in a communication pretends to be someone else (a different host/user) to gain access to data they normally would barred from. Replay attack - Maliciously repeating a legitimate data transmission (for example, sending another request to transfer money). Message modification - Modifying the contents of a data transmission without the sender's knowledge. Man-in-the-middle - An intruder sits 'in the middle' of a data flow, pretending to be the receiver to the sender and vice versa. Session hijacking - An active communication session is intercepted.

Identify and explain the four levels of protection for a system, which include physical, human, operating system, and network.

Physical - Physical location around system ( building around system with data you're protecting ) Human - No dumb human errors! Making sure someone doesn't allow someone else to access sensitive information. Operating system - Apps on OS shouldn't be susceptible to attacks ( bugs or vulnerabilities ) Network - The network is secure from anyone ( unplugging from internet so no sensitive data can pass across a network )

Explain one or more of the following virus threats: file, boot, macro, source code, polymorphic, encrypted, stealth, tunneling, multipartite, armored, virus droppers

Viruses are code fragments embedded in legitimate programs that are self replicating and designed to 'infect' other programs. File - a standard file virus that infects a system by appending itself to files. It will also modify the file so computation will jump to the virus, execute it, then return control to the program so its execution is not noticed. Boot - a virus that infects the boot sector of the system, executing every time the system is booted and the OS is loaded. It looks for other bootable media and infects them. Macro - while most viruses are written in a low level language, macros are written in a high level language and triggered when a program capable of executing the macro is run. Rootkit - a virus that infects the OS itself, compromising the whole system and taking over all of the system's functions. Source code - a virus that looks for source code and inserts the virus into it to help spread the virus. Polymorphic - a virus that changes each time it is installed to avoid detection. These changes do not affect its functionality but rather it signature, the sequence of bytes antivirus software might look for to identify the virus. Encrypted - a virus that includes decryption code along with an encrypted virus to avoid detection. Stealth - a virus that modifies parts of the system that could be used to detect it. For example modifying the read call so that it will return the unmodified version of any file the virus has infected. Multipartite - a virus that can infect multiple parts of the system, including boot sectors, memory, and files. Armored - a virus that is written to be intentionally obtuse so that it is hard for antivirus researchers to understand. It might also be compressed to avoid detection and disinfection. Virus dropper - a program that inserts the virus into a computer system. Often a Trojan horse so it will be executed for a seemingly benign reason.

Explain how a worm might be used to attack computers, and how grappling hook code is used.

Write Once Read Many A worm is a self replicating piece of computer code. You put it on one system and it goes everywhere. It did not initially have malicious intent. It was meant for "going places". Although, you can put payloads on worms to do a lot more damage. Grappling hook code is associated with a trojan or virus. It is small, compact, and can be loaded onto the computer very easily. All it does it connect to an IP address and download the associated virus.

Explain the commonalities and differences between breach of confidentiality, breach of integrity, breach of availability, theft of service, denial of service (quiz question will likely just have two or three of these).

Breach of confidentiality - Unauthorized reading of data stored on the system. Breach of integrity - Unauthorized modification of data stored on the system. Breach of availability - Unauthorized destruction of data stored on the system. Theft of service - Unauthorized use of resources on the system. Denial of service - Preventing legitimate use of the system.

Briefly explain the defense in depth strategy of system defense; provide a non-computer-related example.

Defense in Depth is the idea that more layers of security are better than less. Grocery stores have cameras, security guards, theft detectors for liquor, ect..

Briefly explain a port scanning process and denial of service attack (or distributed DOS) and explain what a zombie computer is and how it is used for these attacks

Port scanning is the process of connecting to a system through a TCP/IP connection and sending UDP packets to deduce the type of operating system in use and what set of services it might have. This allows a malicious actor to "scout" a system and determine its vulnerabilities to plan an attack. A Denial Of Service attack is where an attack overwhelms a system to prevent legitimate use. It's performed over a large number of zombie computers. A zombie computer is a computer that has been compromised by a malicious actor but allowed to continue functioning. This computer can then be used to launch further attacks and serves to disguise the true origin of the attack.

Briefly explain the difference between risk assessment and penetration testing.

Risk assessment - Thought experiment. You go through and try to find problems with a system or weak links in security. Penetration testing - Trying to break into a system to see what's possible (white/grey hat hacking). Then you can try and patch any weaknesses you find.

Briefly but clearly explain the difference between protection and security; provide an example that distinguishes between the two.

Security - Maintains integrity of system. Protection - Keeps things from breaking. Ex: Security is the confidence in the integrity of the bank. Protection are the tools the bank uses to prevent your valuables from being stolen (keys, guards, security cameras, etc.)

Briefly explain how a secure by default strategy minimizes a system's attack surface.

This minimizes the system's attack surface by minimizing the number of functions the system is capable of.

Briefly explain the difference between a security threat and an attack.

Threat - Potential for a security violation. Attack - Actual attempt to break security.

Explain one or more of the following program threats: Trojan horse, trap door, back door, logic bomb, stack/buffer overflow.

Trojan horse - An application is designed to appear legitimate so that users will run it, providing the trojan with their access rights. The trojan will then use these rights for malicious purposes in the background. Trap door/ Back door - The designer of a system of software leaves a security breach only they are capable of using. For example, being given full access to a system when they give it a special password, or to transfer funds to themself with an intentional rounding error. Logic bomb - A trap door that is set to operate only under a specific set of logic conditions. For example, a network administrator leaves program that destroys his company's network when it detects that he is no longer employed at the company. Stack/buffer overflow - When a program's requirements 'overflow' the PCB's stack/buffer