Information Systems Security - C845 (PT. 3)
Retrovirus
A retrovirus directly attacks the antivirus program, potentially destroying the virus definition database file. The virus disables the antivirus program yet makes it appear as if it is working, thus providing a false sense of security.
Proof of Concept
A test case, or prototype, is used to prove the veracity of an idea. In the case of malware, proof of concept would be used to illustrate that a specific attack works. It may also be used in reverse engineering to test concepts.
(Anti-malware and Anti-spyware) Real-Time Scan
Most anti-malware and anti-spyware software can be enabled to scan files as they are opened, emails as they are received, and devices such as USB drives as they are attached. The downside is that real-time scan can add latency when software is opened and files are loaded.
(SDN model) Southbound API
allows information to be sent to the underlying hardware infrastructure with provisioning and deployment instructions.
ActiveX
is a technology implemented by Microsoft to customize controls, icons, and other features to increase the usability of web-enabled systems. It allows full access to the Windows operating system.
Anti-malware and Anti-spyware
software that must be installed on every network node, including host computers, mail servers, file servers, and detection and prevention devices. The software must be updated regularly and enabled to automatically receive the latest virus and spyware definitions. Anti-malware software should be tested regularly to ensure that a retrovirus has not corrected the application or deleted signature library files.
Which of the following is most accurate concerning virtualization security? A Virtual machine is developed under a hypervisor and utilizes the underlying physical hardware. B Virtual machines are only secured by securing the underlying hardware infrastructure. C Only hypervisors can be secured, not the underlying virtual machine. D Virtual machines by nature are always insecure.
A. In a virtual environment, the virtual machine is developed under a hypervisor and utilizes the underlying physical hardware. Security controls can be implemented at various levels and may be placed anywhere in a virtual environment. Security in depth is always the best practice when securing any environment.
Armored Virus
An armored virus is constructed in such a manner as to be highly resistant to removal by anti-malware software.
(TPM) Trusted Boot Protection
Provides system integrity during system boot by storing specific system metrics such as operating system hash values to detect changes to a system from previous configurations such as a the installation of a root kit malware. This ensures platform integrity.
SDN
Software defined network
Multipartite Virus
A multipartite virus attacks different parts of the host system, such as a boot sector, executable files, and application files. This type of virus will insert itself into so many places that, even if one instance of the virus is removed, many still remain.
Payload
A payload is the harmful code contained within any malware.
Stealth Virus
A stealth virus masks itself as another type of program to avoid detection, usually by changing the filename extension or modifying the filename. The stealth virus may also attempt to avoid detection by antivirus applications. When the system utility or program runs, the virus may redirect commands around itself in order to avoid detection. Stealth viruses modify file information by reporting a file size different from what the actual file size presently is in order to avoid detection.
(TPM) Device Identification
All TPMs feature an identification key that is burned in during the manufacturing process. This uniquely identifies the device, which can serve as the device integrity as well as authentication mechanism.
(Anti-malware and Anti-spyware) On-Demand Scan
All anti-malware and anti-spyware software allow you to perform a file scan at any time. It is standard for these applications to have both an extensive scan, which may require several hours to complete, and an expedited or targeted scan, which scans either a set group of previously selected files or files that have recently changed.
Rapid Elasticity
Any IT department that has managed a corporate "shared drive" knows how these can fill up very quickly. Also, it is usually very difficult to determine the owner of files and information stored on the shared drive. It's not unusual to find, for example, a series of PowerPoint presentations from 2002 with no information about whether they can be deleted or not. The same is absolutely true of cloud-based storage. Once storage space begins to expand, it is very difficult to contract it. Unlike the simple shared drive on an in-house network, cloud-based storage containing the same information will be incrementally more expensive.
What is a significant benefit of a HIDS installed on an endpoint system which is not generally possible with a NIDS?
Determine whether an attack was successful. Determining whether an attack was successful is a significant benefit of a HIDS installed on an endpoint system which is not generally possible with a NIDS. This benefit is possible because of the differences between a HIDS and a NIDS. A host intrusion detection system (HIDS) sees the result of network delivered payload attacks while a network intrusion detection system (NIDS) rarely notices the content of payload and does not know whether or not an attempted attack was successful. Only a HIDS running on the target of an attack will be able to notice if an attempted attack was successful. Both a HIDS and an NIDS can determine if a flooding attack, spoofing attack, and timing attack was attempted.
When using a cloud solution as a component of a backup strategy, what is the most important concern?
Encryption of transfer and storage. Encryption of transfer and storage is the most important concern when using a cloud solution as a component of a backup strategy. When one data leaves the security protection of a private environment, the only means to maintain any control over that data is encryption. Encryption should be used to protect the data while in transit to the cloud provider and while in storage on the cloud provider's systems. By retaining the encryption key, the cloud provider and any attacker are unable to view the contents of your stored files. At worst, they can be deleted or corrupted. Answer D is incorrect. Ownership is not usually a challenging issue as most cloud contracts dictate who retains ownership of data stored in a cloud solution. Furthermore, having a claim on file ownership in no way limits access to authorized entities once stored in a cloud system. Anyone can claim to own a file, but only encryption will enforce that ownership to prevent unauthorized access. Answer B is incorrect. The speed at which data can be uploaded to and downloaded from a cloud-based backup system is important, but not the most important concern. The security of your data is always the most important concern. Answer C is incorrect. The effort involved in restoring data is an important consideration when selecting a cloud backup provider and designing a backup and recovery solution. However, the security of your data is always the most important concern.
(TPM) Encryption Key Storage
Full disk encryption software applications use the TPM technology to store and protect keys that may be used to encrypt the host hard disks.
What is the name of the software layer or component that enables the creation of virtual machines and may be installed on top of an existing OS or may be installed directly on the bare metal of the computer?
Hypervisor. Hypervisor is the name of the software layer or component which enables the creation of virtual machines and which may be installed on top of an existing OS or may be installed directly on the bare metal of the computer. The hypervisor manages the creation of the virtual machines, which are a software simulation of computer hardware. The virtual machines must be accurate enough to fool an operating system into functioning as if it was directly installed onto the bare metal of a computer. A hypervisor can be installed as a software add-on into an existing host operating system or a hypervisor can be used which installs directly onto the bare metal of a computer thus functioning as both the host OS and the hypervisor.
How can an IT environment be configured in order to limit user access to use resources exclusively on a server, prevent local processing and storage, but still offer mouse-based control of applications?
Implement thin clients. Thin clients provide an IT environment configuration that will limit user access to use resources exclusively on a server while preventing local processing and storage. A thin client is a system that allows a user to perform computing tasks, but all processing and storage is performed on a central server. The thin client is just a remote display and command-entry system, effectively a monitor, keyboard, and mouse, that is used to remotely control a client desktop-like environment on the main server. A thin client typically has no local storage that is user accessible and only enough computational power and memory capacity to support the remote control GUI interface. The modern thin client is a re-creation of the mainframe-terminal system from years ago, although with full color graphics instead of orange or green text-only interfaces. Answer C is incorrect. Using Remote Desktop is NOT the proper solution to this scenario. Remote Desktop is a remote-control feature built into Microsoft Windows, which allows a user to remotely access and control another computer system. However, it does not inherently prevent the use of the local machine for storage or processing. Instead, it is simply an additional feature to a fully capable local-client operating system. Answer B is incorrect. Employing a Telnet system is NOT the proper solution to this scenario. A Telnet system is command-line only and thus does not allow for mouse-based control of applications. Additionally, Telnet is a supported feature on most fully capable local-client operating systems, and thus does not limit local storage or processing. Answer D is incorrect. Using a VPN is NOT the proper solution to this scenario. A VPN is used to encrypt communications in order to protect against confidentiality and integrity violations. A VPN is an additional feature common to most fully capable local-client operating systems, and thus does not limit local storage or processing.
What is the benefit of endpoint device encryption for communications?
It provides confidentiality of network traffic. The benefit of endpoint device encryption for communications is that it provides the confidentiality of network traffic. Encryption can provide various security services, including confidentiality, authentication, and non-repudiation. The only benefit included in this list of options is confidentiality. Encryption provides confidentiality protection through the use of symmetric encryption. Authentication is provided by asymmetric cryptography. It either is used to ensure that only the intended recipient receives a secure transmission or it is used to verify the identity of the sender. Non-repudiation is provided by asymmetric public-key cryptography through a digital signature. A digital signature is created by a sender using a private key to encrypt the hash of a message. The recipient verifies the signature which, in turn, proves that the sender used a private key; thus, the sender cannot deny having sent the message. Encryption does not protect against availability exploitations, such as denial of service attacks. Encrypted communications can be interrupted and stopped.
Which of the following is the best security mechanism to minimize risk when browsing the Internet?
Minimize support of mobile code. Minimizing support of mobile code is the best security mechanism to minimize risk when browsing the Internet. The most significant risk when browsing the Internet is malicious mobile code. Any Web site could be hosting malicious code. Even Web sites which try to maintain security and control over their content often fail to prevent malicious mobile code due to the complexity of modern dynamic Web applications and the use of numerous linked content management systems and advertising platforms. The only effective strategy is to block the execution of mobile code. However, this is problematic as most Web sites depend upon client-side execution of Javascript. Thus, a viable strategy is to implement browser plugins which support per Web site configuration of permissions as to what elements will be allowed. Generally, you should block all mobile code by default and then enable mobile code sparingly on only those Web sites you perceive as trustworthy and secure. Answer D is incorrect. Phishing attacks and scams are only one of the many risks on the Internet. Most phishing scams are propagated through email, when then trick a victim into clicking on a URL that takes them to a false Web site in order to steal their credentials or identity. Blocking access to known phishing URLs would reduce phishing risks, but not the bigger risk of malicious mobile code. Answer B is incorrect. Enabling the Do-Not-Track feature and use private browsing mode is not the best way to minimize risk on the Internet. Blocking and limiting tracking may reduce some amount of information gathering by advertising and marketing firms and from time to time malicious entities. However, it is not a foolproof plan to avoid all forms of tracking. There are tracking methods that are effective even when using a browser's private browsing mode. Additionally, avoiding tracking does not reduce the risk of malicious mobile code. Answer C is incorrect. Keeping Java and Flash updated is not the best way to minimize risk on the Internet. While keeping software current with patches and updates is a good security strategy, some systems simply should be abandoned because their risk remains too high even when patches. Java and Flash are no longer trustable technologies on the Internet. Even patched systems have vulnerabilities which can be exploited. Java and Flash have been two of the most exploited technologies in the last few years. Many security experts suggest that Java and Flash be removed from your browser.
How is a hybrid cloud implemented?
Part of the resources is hosted by a third-party, while the rest is hosted within the company environment. A hybrid cloud is implemented by having part of the resources hosted by a third-party, while the rest is hosted within the company environment. This is a hybrid because it combines the public (i.e., third-party) cloud with a private (i.e., internally hosted) cloud. The hybrid cloud can be an attractive option for some organizations because they can elect to retain the most sensitive data assets within the private elements and leave the less critical elements to the public elements. Furthermore, a hybrid cloud allows the organization to use more resources on demand from the public cloud provider as needed, without having to expand the physical equipment implemented for the private element. Answer A is incorrect. A hybrid cloud is not implemented when both public and private users are able to access resources in the cloud. The forms of cloud deployment do not strictly dictate the types of access or users. Private clouds can support public users and public clouds can be accessible to only private users. Answer D is incorrect. Two or more companies working together to establish a cloud solution is a description of a community cloud. A community cloud has the benefit of being more cost effective than a private cloud and provides more control than a public cloud. Answer B is incorrect. Cloud deployment options do not dictate the operating systems in use. Many third-party or public cloud providers may only offer specific OS options or limit which OSes can be installed by customers, but this would be a business decision of the provider, not any type of inherent limitation of cloud solutions in general.
When performing system hardening, what are the two primary phases or operations to be performed?
Remove what is unnecessary, and lock down whatever remains. When performing system hardening, the two primary phases or operations to be performed are remove what is unnecessary and lock down whatever remains. These two operations are the basis of all forms of hardening, whether labeled as system, software, network, organizational, or code. The goal is to strip down to only the essential mission critical elements of a system. If something is present that is not necessary to support an essential task or function, it should be removed or disabled. This will minimize the attack surface. Then, whatever remains should be secured as best as possible, based on knowledge, skill, and budget.
What form of social engineering tricks a victim into contacting the attacker to ask for technical support?
Reverse social engineering. Reverse social engineering is the form of social engineering which tricks a victim into contacting the attacker to ask for technical support. The concept of reverse social engineering is that it involves three steps or phases: advertisement, sabotage, and support. The advertisement is to inform the victim that the attacker is the person to contact when tech support is needed. This could be accomplished by meeting victims in the company parking lot as they leave work, and then the attacker would introduce himself as the technical support manager. The attacker would claim that the tech support system has been overlooking support requests and to contact him directly with on a personal phone number. If victims believe this false story, then when they need technical support, they would contact the attacker thinking he is the real technical support manager. The attacker then either waits for the victim to need technical support assistance or performs an act of sabotage to force the need for assistance.
Virtual Machine Rollback
Snapshots may be made of a virtual machine at any time. A snapshot is an exact copy of a virtual machine at a point in time and may be used to reload or repair a virtual machine. In the event the virtual machine is successfully attacked, the machine can be easily rolled back to a state prior to the attack.
Which term refers to the virtualization of networking which grants more control and flexibility over networking than using the traditional hardware-only means of network management?
Software-defined network. A software-defined network (SDN) refers to the virtualization of networking, which grants more control and flexibility over networking than using the traditional hardware-only means of network management. SDN separates traffic control from the hardware plane. It allows networks to use heterogeneous vendor devices without sacrificing features and capabilities. SDN also enables the crafting of networks independent of the physical devices and cables. This is especially important for virtualization and cloud computing.
File Extension Attack
The Windows New Technology File System (NTFS) allows filenames to extend up to 235 characters. These extremely long filenames are usually abbreviated on directory displays and in other presentations, thus hiding the fact that there may be a double file extension or other hidden filenames.
Double File Extension Attack
The double file extension attack features two extensions within a filename, but only the final file extension is operative. The previous file extensions will appear to the system as part of the filename. For instance, .../.../.jpg.exe could be a double extension filename.
Virus Payload
The harmful component of a virus. Some payloads include devastating properties that can erase entire hard drives or permanently harm hardware equipment.
Protocol Analyzers
The terms protocol analyzer and packet sniffer generally refer to the same technique or software application used to intercept packets flowing along the network. Data that is transmitted across the network may be intercepted by a personal computer with a network interface card set in promiscuous mode. Normally, network interface cards listen for only the traffic destined to them. Promiscuous mode allows the software to receive and monitor all traffic. Protocol analyzers may be simply attached to a network using a network tap. This is simply a three-way splitter that routes the traffic to the network interface card. Protocol analyzers can display real-time network traffic and feature various filtering capabilities to better visualize the vast amounts of traffic being received. These devices usually keep all of the created recordings or log files of network traffic analysis for a later time. Some well-known protocol analyzers are Wireshark, SAINT, SATIN, and Snort.
Which type of secure implementation of client devices has brought back a concept from the mainframe era where systems on a worker's desk have minimal storage and computational capacity?
Thin clients are a type of secure implementation of client devices that has brought back a concept from the mainframe era where systems on a worker's desk have minimal storage and computational capacity. A thin client is little more than a display, monitor, and mouse. A thin client has a minimal firmware-based operating system, granting it just enough capacity to access a central server to obtain its streamed or live transferred main operating system. However, even when fully booted, a thin client is simply an interface to remote virtual systems hosted on central server. A thin client will have no user-accessible local storage and will have minimal processor and RAM. This requires that all storage and processing take place on a central server. A thin client implementation is secure because it prevents the transfer of files to a user accessible local storage device, and it also prevents users from locally installing unapproved software.
Dynamic Threat Analysis Appliance
Threat analysis appliances have recently come on the market that dynamically detect malware and are described as an anti-malware protection system. A threat analysis appliance is used to monitor and protect network, email, endpoint, mobile, and content assets. A major benefit is the ability of the threat analysis appliance. To dynamically monitor the environment for recently changed malware signatures or previously unknown malware attacks referred to as zero-day exploits. Upon finding a zero day, exploit, or changed malware signature, the client may send information to the manufacturer's investigation laboratory. A sandbox is usually tested and studied to determine the harm that it could cause. This information is then shared with a global network of similar devices, thus immediately protecting those environments from the recently discovered attack.
What is a means to ensure that endpoint devices can interact with the Internet while minimizing risk of system compromise?
Use a virtualized OS. Use a virtualized OS to ensure than endpoint devices can interact with the Internet while minimizing risk of system compromise. A virtualized OS can be configured to reject any changes made during an operating session and revert to a fixed trusted image version each time the system is used. This tactic would allow for the risky activity of Internet access without placing the system at high risk of system compromise. Even if the virtual OS was breached by malware, the next session launch would revert back to a trusted and safe configuration. Answer A is incorrect. Strong authentication may limit the ability of impersonation attacks, but it does not protect an authenticated user against downloading malicious software. Answer B is incorrect. Encrypted communications protect against eavesdropping, session hijacking, and other forms of session attacks. However, encrypted communications do not protect against downloading malicious software, especially when distributed via a Trojan horse. Answer C is incorrect. A backup can be used to assist with restoring a system after a compromise, but it does not minimize the risk of actually being compromised. Additionally, a weekly backup places the system at risk of losing up to a full week of data if an attack occurs just before the next backup process starts. A daily backup would be a better solution, but a weekly backup is poor protection.
(TPM) Password Protection
Users authenticate by presenting a password to access encrypted data or systems. The password is quite often used to generate or access keys used in the encryption process. The TPM offers an authentication mechanism that is implemented on the hardware rather than the system software. Software key encryption is prone to dictionary attacks. A hardware implementation offers dictionary attack prevention.
Desktop Virtualization
Virtual desktop infrastructure, or VDI, is an implementation of a desktop display complete with running applications that is presented on the client computer or thin client device. The actual applications, stored data, and underlying computing infrastructure are operating in a central location, only the resulting images are sent to the client device. In a virtual desktop infrastructure (VDI) environment no applications or data is required to be loaded at the client location. This eliminates the risk of an attacker gaining access to applications or data stored on a client computer.
Vulnerability Scanners
Vulnerability scanners provide the ability to scan a network and search for weaknesses that may be exploited by an attacker. The vulnerability scanner software application looks for weaknesses in networks, computers, or even software applications. Vulnerability scanners can include port scanners and network enumerators, which conduct a series of tests on a target and search against an extensive list of known vulnerabilities
In the Wild
refers to anti-malware that has been released onto the Internet. Imagine that this malware is roaming free and is being exchanged through unsuspecting host relationships, indiscriminate clicking email links, and other types of actions that spread the malware through the Internet.
(Storage clustering) loose coupled cluster
starts small and grows larger as disks are added. The disadvantage of loose coupled cluster is the speed of the data interface. This limits the accessibility to the entire drive stack.
GDPR (General Data Protection Regulation)
unifies the data protection personal information rights within the 28 European Union member states. It is an EU law that is the successor to Directive 95/46 EC.
Covert Channel
Any means of communication other than the standard channel of communication is referred to as using a covert channel, such as, for instance, sending messages on a control channel of a device.
One of the security challenges for big data is controlling access to the data stored within the massive data structure. Efforts to apply traditional access control and authorization settings to individual options within the data store have produced lack-luster results or unsatisfactory performance. A new technique being applied which shows promise. What is the new technique of controlling access to the content of big data information collections?
Apply security controls to the output of data-mining operations. A new technique of controlling access to the content of big data information collections which may be more reliable and useful than traditional approaches is to apply security controls to the output of data-mining operations. Big data is often a collection of dissimilar data sets that is constantly growing. Setting per-data-object security settings is massively complicated. A possible solution is to only set security restrictions on any output from data-mining or data-extraction operations. This would provide sufficient control as the data would be secured as it was being accessed, viewed, or extracted.
Rogue Software
This type of Trojan software is loaded by the user, either willingly or through other practices, and once installed, functions as ransomware. Functionality is typified by frequent pop-ups, changing of desktop or application appearance, or difficult-to-remove screens.
What is the prime objective of code signing?
To verify the author and integrity of downloadable code that is signed using a private key. A private key is owned by the author and is used to encrypt the message digest or hash value of the code. The hash value provides the integrity, and the private key provides a digital signature and nonrepudiation by the author. The author's public key, usually provided in a digital certificate, is the only key that will decrypt the hash value.
Virus Hoax
Typically email warnings concerning potential virus attacks. The spread of the email warnings actually creates a denial-of-service attack among many users. Virus hoax notifications should always be referred to help desk or IT departments for verification prior to distribution.
How can someone new to the concept of virtualization quickly get a working guest OS running within a hypervisor?
Use an appliance. The most efficient way for someone new to the concept of virtualization to quickly get a working guest OS running within a hypervisor is to use an appliance. An appliance or a virtual appliance is a pre-configured, pre-installed, ready-to-use guest OS. This is the best way for someone new to virtualization to get up and running quickly with minimal difficulty. Answer B is incorrect. Cloning an existing OS into a guest OS image is not the quickest way to get a working guest OS running within a hypervisor. This is another advanced concept of virtualization. It is often possible to clone an existing system and its installed software and configuration into a guest OS. However, this is a complex process requiring precise configuration of key settings. This is another concept that should be learned eventually, but it is not a task for someone new to the technology. Answer C is incorrect. Replacing the host OS with a bare metal hypervisor is not the quickest way to get a working guest OS running within a hypervisor. Bare metal hypervisors are typically used in server configurations where a host OS is irrelevant or too much of a risk. Those new to virtualization should start off with a host OS hosted virtualization hypervisor and appliances. Answer D is incorrect. Performing a complete new OS install into a virtual machine is not the quickest way to get a working guest OS running within a hypervisor. This process is the complex process which someone new to virtualization would not yet fully understand. There are numerous configuration settings which must be made correctly during initial configuration of the virtual machine, otherwise the OS install will fail or the system will be unstable or unusable. Some of the initial settings can be difficult to change later. Eventually, anyone working with virtualization should learn the proper configurations for the OSes they virtualize, but that is too much to ask for someone new to the technology.
Virtual Machine Isolation
Virtual machines run in isolated VM environments under a hypervisor running on a host machine. Should the operating system or application running on a virtual machine be attacked, only one virtual machine and not the entire environment is affected.
When working with big data, the storage location where all of the raw data is housed until it is needed for mining or processing is known as?
Data lake. A data lake is the big data storage location where all of the raw data is housed until it is needed for mining or processing. The concept is that a data lake holds raw unprocessed and unrefined data. Big data is a massive collection of heterogeneous data sets, but some forms of big data are more raw and unorganized compared to others. A data lake brings to mind a massive storage container into which new unfiltered information sets are being dumped, often at an alarming rate. Answer A is incorrect. A data warehouse is used to store homogeneous data sets. It is similar to a data lake in that it is a repository of data. But a data warehouse is distinct because the data it holds has been processed, normalized, and/or refined in some way. Answer C is incorrect. A data mart is used to house the results of data mining. The results of data mining may be called metadata, which can be summaries, generalities, condensed data sets, or extracted valuable or relevant data from the bulk of a data lake or data warehouse. The results of data mining are more valuable than the general data collection from which they were derived or extracted. A data mart provides a secure storage compartment to protect metadata from being accessed by those without authorization. Answer D is incorrect. A database is an organized collection of interrelated information sorted into records and entries. A database is not a random collection of raw data and is not heterogeneous.
Selecting a cloud provider can be a challenge. Often, it is not possible to determine whether a provider's services are sufficient for your needs until you have started using its service. If you determine that an initial cloud system is insufficient and you need to move your data and custom code to a different cloud provider, what is needed as a feature of the initial cloud provider that did not work out for you?
Data portability. Data portability is an important feature to consider when selecting a cloud provider. If you need to change cloud systems, being able to extract your data from one system and import it into another can be extremely important, especially if you generate new business data while using the initial cloud provider and there is no other copy of that data. Before using any cloud provider, be sure to review all of the features, offerings, parameters, and limitations of its service and compare its characteristics to other cloud providers. Don't get locked into a cloud provider just because you can't extract your own data from it. Answer B is incorrect. Detailed auditing and monitoring of business processing is important to efficient operation, troubleshooting, and security management. But when switching between cloud providers, data portability is more important. Answer D is incorrect. Storage encryption should not be a problem with changing cloud providers assuming that the encryption keys are still accessible. Thus, the more important concern is data portability. Answer C is incorrect. Having a secure VPN connection to a cloud service is an important element of use of a provider. However, when switching between cloud providers, data portability is more important.
SCA (Stored Communications Act)
addresses the disclosure of electronic conversations and data held by Internet Service Providers (ISPs). It was enacted into law as Title II of the ECPA (Electronic Communications Privacy Act of 1986).
(SDN model) SDN controller
allows network administrators to design the virtualized network system using underlying hardware infrastructure. It is the central operational application.
(SDN model) Northbound API
allows operators to monitor network operations. It communicates network operation data volume information from the hardware layer to the applications and business logic.
Hypervisor
allows virtual machines to communicate between them. This creates a channel of communication that is no longer monitored by standard monitoring and threat mitigation methods. The data is virtually invisible to the standard hardwired network environment. If a hypervisor is compromised, the attached virtual machines will also be compromised.
What are the 5 major benefits of the cloud?
broad network access, on-demand self-service, rapid elasticity, pooling of resources, and measured service.
Patriot Act
changes prior laws and strengthens the security of the United States against the threats of terrorism. It was enacted in direct response to the actions of terrorists on September 11, 2001.
Polymorphic Virus
changes slightly as it replicates throughout the system. This makes it difficult for scanners to detect this type of virus because of different variations. This type of virus most often attacks data types and data functions used in many programming languages. The virus will usually manage to hide from your antivirus software. Very often a polymorphic virus will encrypt parts of itself to avoid detection. When the virus does this, it's referred to as a mutation virus.
GLBA (Gramm-Leach-Bliley Act)
concerns banking regulations, banking mergers and acquisitions, and consumer privacy regulations. It includes the protection of personal financial information as well as notification to the consumer of the collection and dissemination of information.
Which of the following most accurately describes eDiscovery?
eDiscovery is a legal tool used by opposing counsel to obtain requested information that may contain evidence or other useful information for a lawsuit. eDiscovery is not the information itself. It is the process of obtaining the information.
What is the legal process by which law enforcement officials, including attorneys, can make formal requests to obtain digital information in relation to a legal action, investigation, or court proceeding?
eDiscovery. eDiscovery is the legal process by which law enforcement officials, including attorneys, can make formal requests, sometimes with a search warrant, to obtain digital information in relation to a legal action, investigation, or court proceeding. While there has been legal precedent about eDiscovery for data in the possession of service providers, there are questions on whether those precedents should apply to cloud services. As cloud services may be operated by third-parties, but often the content of the resources in the cloud is for private use of the customer only.
Hacktivist
exploits a weakness in technology to draw attention to a personal message or agenda.
Directive 95/46 EC
governs the protection of privacy in transborder flows of personal data. It is a highly developed area of law in Europe involves the right to privacy.
Trusted Platform Module (TPM)
is a dedicated microprocessor that is mounted on a device's main circuit board and serves as a cryptoprocessor. The TPM offers many advantages, such as offloading cryptographic processing of the main CPU to a dedicated microprocessor. TPMs offer many services, such as providing a random number generator and the generation and storage of cryptographic keys. Beginning in 2006, most laptop computers targeted at the business market have been produced with a TPM chip. Use of a Trusted Platform Module has spread to other devices such as cellular phones, personal digital assistants, and even dedicated gaming devices.
Cross-Site Request Forgery (CSRF)
is a malicious attack that tricks the user's web browser, by issuing unauthorized commands, to perform undesired actions so that they appear as if an authorized user is performing them.
Java applet
is a small, self-contained program downloaded from the server to a client and then runs in the browser of the client computer. It enhances the user experience by controlling various functionalities and visuals presented to the end user.
Cross Site Scripting (XSS)
is based on inserting a client-side script into a genuine website. This is possible due to poor application or website design, such as limited data validation in websites. Scripts are then executed on other hosts that access the same website.
Storage clustering
is the use of several storage servers managed and interconnected together to increase performance, capacity, or reliability. Storage clustering distributes workloads to each storage server and manages access to all files and data stores from any server regardless of the physical location of the files and data stores. Storage clustering should have the ability to meet the required service levels (specified in SLAs), keep all client data separate, and adequately safeguard and protect the stored data
CPS
A certificate practice statement (CPS) is a document crafted and published by certificate authorities (CAs) which detail the standards, process, practices, and algorithms they use in their certificate operations.
Pointer Overflow
A pointer overflow attack is similar to a buffer overflow attack. The pointer is used to index the process within a process stack. The attacker attacks the pointer through buffer overflow techniques to change it to point at the malicious code.
What is a benefit of a host-based firewall?
Block attacks originating from the local network. A benefit of a host-based firewall is its ability to block attacks originating from the local network. A host-based firewall is a supplement to a hardware or appliance firewall deployed at the network boundary. A host-based firewall provides additional protection which is not provided by the company network's primary firewall. These additional benefits include blocking attacks from the local network attempting to harm the endpoint system as well as blocking endpoint system originating attacks attempting to harm the local network. A host-based firewall will limit inbound initiations of connections, especially on a client device, as most endpoint systems do not host resources for other network devices to consume. A host-based firewall also limits outbound initiations of connections if software attempts to use destination ports which are not already approved for use. A local software tool that attempts to reach out to the network on a new port will either be rejected or will trigger a pop-up query from the host-based firewall asking for an Allow or Deny response to the outbound request. Answer D is incorrect. A host-based firewall does not prevent malware installation. A host-based firewall may limit the ease by which malware can communicate into or out of the endpoint device, but a host-based firewall does not prevent the installation of the malware itself. There are many means by which malware can make its way onto an endpoint system which are not filtered by a host-based firewall, such as being downloaded via a Trojan horse and being brought to the machine on a USB storage device.
How does a Trojan horse get past security mechanisms to harm a victim?
By seeming to be a benign item. A Trojan horse is able to get past security mechanisms to harm a victim by seeming to be a benign item. A Trojan horse is a combination of a technological attack as well as a social engineering attack. The technological attack component is the integration of a malicious payload with an otherwise benign host. The host could be a utility, game, screensaver, browser plug-in, document, or even an image file. When the host is accessed or used, the malicious payload is delivered to the system. The social engineering component is tricking the victim into believing that the file being offered to them is just the obvious host item. A Trojan horse is a very effective mechanism because it causes human victims to bring the malware into their environment, often bypassing any security filters that otherwise would have prevented an externally initiated attack or intrusion. Answer C is incorrect. A Trojan horse does NOT get past security by attaching itself to an existing file. This is the operation of a virus. A virus attaches itself to an existing file in order to be activated into memory when the host file is accessed by a user. Answer D is incorrect. A Trojan horse does NOT get past security by using system resources to distribute itself to other networked devices. This is the operation of a worm. A worm attempts to replicate and duplicate itself, often consuming significant system resources, as it attempts to spread to other networked devices. Answer B is incorrect. A Trojan horse does NOT get past security by displaying advertisements for intriguing applications. This is the operation of Web pop-ups. They often advertise fake security programs or phishing attack scams. When a user clicks to accept or reject an offer, the malicious code is installed anyway. This is because the standard browser control frame and operation buttons have been disabled and only a graphic is actually being displayed. However, the graphic includes re-creations of control frame and standard buttons so they visually look real, but all pixels on the graphic are programmed to trigger malware installation.
On-Demand Self-Service
Cloud providers are in the business of selling services. They will gladly grant additional capabilities upon request. The organization must put into place corporate policies and organizational structures such as a change control board, a cloud services request control board, or a services request procedure that controls the allocation of cloud services to requesting corporate individuals, departments, and entities. This mitigates the risk of individual departments requesting additional services directly from the cloud service provider without prior authorization.
Pooling of Resources
Cloud providers have an ability to pool resources as previously discussed. Some very serious security implications exist with this concept. First, cloud resources are shared among a huge number of tenants. This means that other users are on the same server equipment at the same time. The possibility that data may be written into another tenant's area exists. Second, in the event of another tenant conducting illegal activities, the entire server might be seized along with your data. Third, unscrupulous cloud provider personnel may access and exfiltrate your data. Fourth, investigations are complicated through the jurisdictional location of data on cloud service provider equipment. Five, information security is totally within the control of the service provider. If penetrated, corporate information, plus the information of many other clients, may be compromised. These are just a few of the security concerns for the security practitioner concerning cloud services.
Broad Network Access
Clouds may be accessed from a broad number of devices. This greatly expands the requirements for cloud-based access control as well as remote authentication techniques. Since clouds may be accessed from devices directly without them being connected to the organization's LAN, proper access and authentication controls must be provided at the cloud edge rather than in the business network. These controls must also be able to provide correct authentication across a number of personally owned devices and a variety of platforms.
Which type of cloud deployment involves several businesses working together to create a cloud system which they can each use?
Community. Community is a type of cloud deployment which involves several businesses working together to create a cloud system which each of them can use. Two or more companies working together to establish a cloud solution is a community cloud deployment. A community cloud has the benefit of being more cost effective than a private cloud and provides more control than a public cloud. Answer B is incorrect. A hybrid cloud is implemented by having part of the resources hosted by a third-party, while the rest is hosted within the company environment. A hybrid cloud combines a public (i.e., third-party) cloud component with a private (i.e., internally hosted) cloud. The hybrid cloud can be an attractive option for some organizations because they can elect to retain the most sensitive data assets within the private elements and leave the less critical elements to the public elements. Furthermore, a hybrid cloud allows the organization to use more resources on demand from the public cloud provider as needed, without having to expand the physical equipment implemented for the private element. Answer A is incorrect. A public cloud is a cloud solution hosted by a third-party provider. Answer D is incorrect. A private cloud is a cloud solution hosted internally by the organization for its own use.
iSCSI
IP Small Computer System Interface (iSCSI) is a means to encapsulate SCSI signaling into an IP packet in order to traverse a standard IP network rather than a traditional SCSI ribbon cable. iSCSI is to SCSI as VoIP is to telephones.
Measured Service
It's not unusual in some countries to run a wire over to a neighbor's electrical meter. In fact, even in our country, theft of cable television services was quite a fad years ago. Theft of any measured service is possible if the attacker is determined. It is incumbent upon the cloud client to thoroughly check billing statements against authorized and requested services to mitigate the possibility of service theft.
Which type of client-side program always runs in a sandbox?
Java applet. By design, Java always creates a sandbox in which to execute an applet on a client machine. This prohibits the applet from being able to attack either the host machine or an application.
Which attack attempts to steal information from victims by tricking them into visiting false or fake Web sites using a spoofed email communication that seems to originate from a legitimate source?
Phishing. Phishing attempts to steal information from victims by tricking them into visiting false or fake Web sites using a spoofed email communication that seems to originate from a legitimate source. A phishing attack is a form of social engineering. It is effective because many Internet users are too trusting of what they receive in email (or through any online communication method). If users can be fooled into believing a message is real, they are likely to follow instructions to visit a Web site and login. The attack is based on the attacker running a duplicated version of the real Web site on a different URL. The site may superficially look the same as the real site, but it will record the provided logon credentials and display an access unavailable message or other distraction. Never blindly trust any unsolicited communications. Answer D is incorrect. A pharming attack is often a DNS attack in which attempts to resolve a fully qualified domain name (FQDN) result in receiving an invalid IP address. The goal of pharming attacks is to redirect victims to an alternate site. Pharming could be used as an element in a phishing attack, but pharming is not as correct an answer as phishing itself. Answer B is incorrect. A hijack occurs when an attacker eavesdrops on a plaintext communication to learn the details of the connection, and then the attacker launches a denial of service disconnect attack against the client while taking on the client's identity and injecting packets into the datastream. If successful, the client loses a connection as the attacker takes over control of the session. Answer A is incorrect. A botnet is the collection of infected computers which follow commands sent to them by the hacker. A botnet is constructed by infecting systems with remote control bots or malware agents. Hackers send commands to their botnets which, in turn, can be used to launch flooding attacks, corrupt DNS resolutions, send SPAM, or any number of other malicious activities.
Code signing
accomplished by the software author using a cryptographic hash algorithm to process the software code to obtain a hash value or message digest.
Which of the following is NOT a means to implement a Denial of Service (DoS) attack?
Sending dozens of email solicitation messages to an organization is NOT a means to implement a DoS attack. This is a description of SPAM transmission or possibly a phishing attack. Dozens of email messages is not a significant amount of traffic and should not cause any noticeable increase in resource consumption. SPAM may be unwanted communication and can be a hassle, but SPAM on its own does not constitute a DoS. Answer C is incorrect. Initiating a firmware update and then interrupting the process is an example of a form of DoS. This is known as a permanent DoS as it continues to be in effect after the attack has concluded. Once a flooding attack or a resource-consumption attack cease, the DoS also ends, and the victim can go back to normal operation. When a permanent DoS attack is waged, it alters the victim so that it does not automatically return to normal operations. This form, which wipes the firmware, will result in a system unable to be used until its firmware is replaced or the hardware is replaced. Some hardware can be recovered from a firmware failure, while other hardware is permanently broken and must be replaced by new hardware. Answer A is incorrect. Transmitting significant volumes of random traffic to a target is an example of a form of DoS. This is a flooding DoS. A target system will end up consuming significant resources in the attempt to discard all worthless traffic in order to process strictly legitimate traffic. However, if enough volume is delivered to the target, the entire capacity of the network connection may be consumed by the garbage traffic so that no legitimate communications actually reach the system. Answer D is incorrect. Making numerous repeated requests for bulky resources is an example of a form of DoS. This is a resource-consumption DoS. It is distinct from the flooding DoS as it makes multiple resource requests rather than sending garbage. The goal is to cause the resource host to use up all of its system resources in an attempt to serve requests. Once every possible session is open by the attacker, then no remaining resources exist for legitimate connection requests, so they get dropped and ignored.
(Vulnerability Scanners) Retina
a commercially available network security scanner that provides advanced vulnerability scanning across the network, the Web, and virtual and database environments. Used to continually monitor the network environment, it may be used to detect vulnerabilities on a real-time basis and recommend remediation based on risk analysis of critical assets.
(Storage clustering) tight coupled cluster
a drive array which includes a proprietary physical backplane to maintain connectivity to both drives and controller nodes. It has an initial fixed drive size and delivers very high-performance interconnect between servers for load-balanced performance.
Air Gap
a networking term that describes how an internal network can be totally isolated from the outside world. With no connections in or out of it, the network is said to be air gaped, meaning that there is a complete isolation zone around the network perimeter.
(Vulnerability Scanners) Nessus
a popular vulnerability scanner that checks for misconfigurations, default passwords, and the possibility of hidden denials of service. In operation, Nessus determines which ports are open on the target and then tries various exploits on the open ports.
(Vulnerability Scanners) Nmap
a software application for probing computer networks, providing detection and discovery of hosts and services running on ports, and determining operating systems. In operation, Nmap sends special packets to target nodes and analyzes the response.
(Vulnerability Scanners) Microsoft Baseline Security Analyzer
a tool that can scan a system and find missing updates and security misconfigurations. It can be used to determine the security state of a PC in accordance with Microsoft security recommendations and offers specific remediation guidance. It can be used to scan one or more computers at the same time and can use a computer's name or IP address to schedule a scan.
Pharming
a type of social engineering attack to obtain access credentials, such as usernames and passwords. In practice, it's a type of attack that redirects the user to an unexpected website destination. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software.
Directory Traversal
a type of web attack using HTTP in which the attacker escalates their privileges to climb to a parent directory, or higher-level directory, out of the original website directory. Transversal refers to crossing the boundary between the website directory and higher directories, referred to as root directories.