Chapter 21
True or False: Client-side input validation is an effective control against many attacks
False. It is not effective against any attack because the attacker can easily bypass the validation by altering the code on the client. Escaping and parameterization are effective controls against SQL injection attacks.
The _______ tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack
<SCRIPT>
________ are sophisticated adversaries with advanced technical skills and significant financial resources, likely affiliated with government agencies
Advanced persistent threats (APTs)
________ is software that is similar to spyware but displays advertisements on infected computers
Adware
An attacker posted a message to a public discussion forum that contains an embedded malicious script that is not displayed to a user but executes on the user's system when read. This is a ____________ XSS attack: (1) Persistent, or (2) Non-persistent?
(1) Persistent. It is considered persistent since it remains on the forum until the administrator deletes it, giving it the ability to affect many users.
_________ vulnerabilities exist when a developer does not properly validate user input for an application to ensure that it is of appropriate size
Buffer overflow. From this, an attacker can exploit the vulnerability to execute arbitrary commands on the server. Data in other memory can also be corrupted since the allocated space has run out.
Symantec is known for making ________ software
Antivirus
__________ are undocumented command sequences that allow individuals to bypass normal access restrictions
Back doors
_________-based detection is becoming increasingly common, with antivirus software monitoring target systems for unusual activity and either blocking it or flagging it for investigation
Behavior-based (heuristic). Suspicious activity is blocked or flagged even if the software does not match a known malware signature. This has now become a mainstay of the advanced endpoint protection solutions used by many organizations.
____________, which are a variation of the file infector virus, are self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate operating system file.
Companion virus
True or False: Back doors allow an attacker to modify the contents of a system's memory
False. Buffer overflow attacks would allow an attacker to modify the contents of a system's memory by writing beyond the space allocated for a variable.
_________ attacks are similar to XSS attacks but exploit a different trust relationship. They exploit the trust that a user has in a website to execute code on the user's computer.
Cross-site request forgery (XSRF). This happens when users are logged into many different websites at the same time. To defend against it, create web applications that use secure tokens and only accept requests that originated from their own site.
__________ attacks occur when web applications contain some type of reflected input
Cross-site scripting (XSS). Used when it's possible to embed form input in a link. Input validation is the answer.
Password attackers use automated tools like John the Ripper to run automated _______ attacks that exploit a simple vulnerability when passwords are stored in a hashed format and can be viewed.
Dictionary attack. Rainbow table attacks are a variant of a dictionary attack designed to reduce the amount of time required to conduct a brute-force attack against hashed passwords. In this instance, commonly used passwords are run through the same hash function used by the system to create hashed versions.
________ viruses use cryptographic techniques to avoid detection
Encrypted viruses. Similar to polymorphic viruses: each infected system has a virus with a different signature (to avoid detection). However, they do not generate these modified signatures by changing their code; instead they alter the way they are stored on the disk (they use a very short segment of code called the virus decryption routine).
The propagation routines of ________ viruses may slightly alter the code of an executable program, thereby implanting the technology the virus needs to replicate and damage the system.
File infector viruses. This type of virus infects executable files and triggers when an OS attempts to execute them. These can be detected by comparing file characteristics before and after infection or by comparing hash values.
In a ___________ attack, the malicious individual simply reconfigures their system so that it has the IP address of a trusted system and then attempts to gain access to other external resources
IP Spoofing attack
When designing firewall rules, the following principle should be followed to prevent ______: Packets with internal source IP addresses don't enter the network from the outside
IP spoofing. Also: Packets with external source IP addresses don't exit the network from the inside. Also: Packets with private IP addresses don't pass through the router in either direction (unless specifically allowed as part of an intranet configuration).
Before launching an attack, attackers use __________ to search out active hosts on a network. Automated tools simply attempt to ping each address in a range. Systems that respond to the ping request are logged for further analysis.
IP sweeps (also called IP probes/ping sweeps). These hosts are then subjected to port scans and other vulnerability probes to locate weak spots that might be attacked in an attempt to compromise the network. Nmap is one of the most common tools used to perform both IP probes and port scans.
________ is a tool that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all
LastPass
_________ are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions such as time, program launch, website logon, and so on
Logic bombs. Many viruses and Trojan horses contain a logic bomb component.
_________ viruses utilize vulnerabilities in scripting functionality (such as Visual Basic for Applications [VBA]) to infect documents.
Macro viruses. They proliferate because of the ease of writing code in the scripting language used by modern productivity applications.
____________ viruses attack the portion of bootable media (such as hard disk, Universal Serial Bus [USB], or compact disc/digital versatile disc [CD/DVD]) that the computer uses to load the operating system during the boot process.
Master Boot Record (MBR). MBR viruses store the majority of their code on another portion of the storage media (since the MBR is extremely small). Once executed from the alternate location, the virus is loaded into memory and potentially triggers the delivery of the virus's payload. Most MBR viruses spread through the use of infected media inadvertently shared between users.
_________ viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other
Multipartite viruses. For example, using both file infection and boot sector infection.
IP sweeps, host scans, and vulnerability scans are examples of ___________
Network reconnaissance techniques
The _________ reconnaissance attack provides attackers with useful information about the services running on a system
Port scans. They reveal the ports associated with services running on a machine and available to the public.
________ viruses actually modify their own code as they travel from system to system
Polymorphic viruses. The virus's propagation and destruction techniques stay the same, but the signature of the virus is somewhat different each time it infects a new system.
What are the two main functions of a computer virus?
Propagation and destruction. The propagation function defines how the virus will spread from system to system. A virus's payload delivers the destructive power by implementing whatever malicious activity the virus writer had in mind (anything that impacts the CIA of systems or data).
________, which are freely available on the internet, are used to wage escalation-of-privilege attacks
Rootkits. This is done after an attacker gains a foothold on a system, to obtain more comprehensive (administrative) access.
Using prepared statements, performing input validation, and limiting account privileges are techniques to protect web applications against __________ attacks
SQL injection attacks
__________ attacks are even riskier than XSS attacks from an organization's perspective. They use unexpected input to a web application, however instead of using the input to attempt to fool a user, these attacks use it to gain unauthorized access to an underlying database
SQL injection attacks
________ is used to limit the effectiveness of rainbow table attacks
Salting passwords. This adds a random value to the password prior to hashing, making it impractical to construct a rainbow table of all possible values.
A ____________ is a malicious individual who doesn't understand the technology behind security vulnerabilities but downloads ready-to-use software (scripts) from the internet and uses them to launch attacks against remote systems
Script kiddie
__________ viruses inject themselves into trusted runtime processes of the operating system, such as svchost.exe, winlogon.exe, and explorer.exe
Service injection viruses. By successfully compromising these trusted processes, the malicious code is able to bypass detection by any antivirus software running on the host. Ensure that all software allowing viewing of web content has current security patches.
_______________ attacks occur when a malicious individual intercepts part of the communication between an authorized user and a resource and then uses a technique to take over the session and assume the identity of the authorized user
Session hijacking. This can be addressed with both administrative controls (such as anti-replay authentication techniques) and application controls (such as expiring cookies within a reasonable period of time).
Most antivirus programs use __________-based detection algorithms to look for telltale patterns of known viruses
Signature-based. This makes it essential to periodically update virus definition files in order to maintain protection against newly authored viruses as they emerge.
_______ attacks are types of social engineering attacks specifically targeting individuals based on research conducted by the attacker
Spear phishing
_______ is software that monitors your actions and transmits important details to a remote system and spies on your activity
Spyware
________ viruses hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally
Stealth viruses
Developers of web applications should leverage database ___________ to limit the application's ability to execute arbitrary code
Stored procedures. With these, the SQL statement resides on the database server and may only be modified by database administrators.
______ was a worm that was the first to cause major physical damage to a facility
Stuxnet. It caused damage to nuclear enrichment centrifuges attached to Siemens controllers.
The _________ issue is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request
Time of Check to Time of Use (TOCTTOU). Access is granted for a session and then it is revoked afterwards, yet a user retains access as long as they keep their session open.
_______ is a software program that appears benevolent but carries a malicious, behind-the-scenes payload
Trojan horse. Rogue antivirus software and ransomware (which uses encryption) are variants. Rogue antivirus software tricks the user into installing it by claiming to be an antivirus package, often under the guise of a popup ad that mimics the look and feel of a security warning. Ransomware infects a target machine and then uses encryption technology to encrypt documents, spreadsheets, and other files stored on the system with a key known only to the malware creator.
True or False: Developers of web applications should leverage prepared statements to limit the application's ability to execute arbitrary code. Prepared statements, including parameterized queries and stored procedures, store the SQL statement on the database server, where it may be modified only by database administrators and developers with appropriate access
True
True or False: In URL encoding, the . character is replaced by %252E and the / character is replaced by %252F.
True
True or False: In the most basic type of password attack, attackers simply attempt to guess a user's password
True
True or False: Modern antivirus software protections are able to provide protection against worms, Trojan horses, logic bombs, rootkits, spyware, and other forms of email or web-borne code
True
True or False: Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software
True
True or False: One of the most famous ransomware strains is a program known as Cryptolocker
True
True or False: One possibility for clean scan results may be that a virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file.
True
True or False: TLS provides the most effective defense against session hijacking because it encrypts all traffic between the client and server, preventing the attacker from stealing session credentials.
True
True or False: The DMZ is designed to house systems like web servers that must be accessible from both the internal and external networks
True
True or False: The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system
True
True or False: The code red worm received a good deal of media attention in the summer of 2001 when it rapidly spread among web servers running unpatched versions of Microsoft's Internet Information Server (IIS)
True
True or False: The necessary delay between the discovery of a new type of malicious code and the issuance of patches and antivirus updates is known as the window of vulnerability.
True
True or False: The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks
True
True or False: The two types of covert channels that are commonly exploited by attackers seeking to surreptitiously exfiltrate information are (1) Timing, and (2) Storage
True
True or False: The Tripwire data integrity assurance package is designed to alert administrators to unauthorized file modifications
True
True or False: Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. On the other hand, an inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information at greater sensitivity
True. Aggregation is the collection and summation of data. Inference is actually determining the WHAT from the aggregation.
True or False: A single quotation in an input field is a telltale sign that it is a SQL injection attack. The quotation mark is used to escape outside of the SQL code's input field, and the text following is used to directly manipulate the SQL command sent from the web application to the database.
True. Example input: CARROT'&1=1;--
True or False: Computer viruses and Trojan horses depend on irresponsible computer use by humans in order to spread from system to system with any success
True. Worms, by contrast, are examples of malicious code objects that rapidly spread among vulnerable systems under their own power.
True or False: A directory traversal attack is where an attacker attempts to force the web application to navigate up the file hierarchy and retrieve the file that should not normally be provided to a web user, such as a password file.
True. A series of double dots is indicative of a directory traversal attack because it is the character string used to reference the directory one level up in a hierarchy.
True or False: Private IP addresses should never be used on the Internet, so packets containing private IP addresses should be blocked from leaving a network
True. Also, packets with public IP addresses will routinely be allowed to enter a network (thus should not be blocked). Packets with internal source addresses originating from outside the network should be blocked from entering the network. Also packets with external source addresses should never be found on the internal network, so they should be blocked from leaving the network.
True or False: When a system uses shadowed passwords, the hashed password value is stored in /etc/shadow instead of /etc/passwd.
True. The /etc/passwd file would not contain the password in plaintext or hashed form. Instead, it would contain an x to indicate that the password hash is in the shadow file. The * character is normally used to disable interactive logins to an account.
File infection, service injection, boot sector infection, and macro infection are the 4 main propagation techniques used for ________
Viruses. These techniques are used to penetrate systems and spread their malicious payloads.
Cross-site scripting (XSS) and SQL injection attacks are the two most common examples of attacks on ____________
Web applications
______ is malicious software that propagates itself without requiring any human intervention
Worm
Sendmail debug mode, password attack, finger vulnerability, and trust relations were specific security holes in a UNIX operating system that were exploited by ______
Worms
While an APT may leverage many attacks, they are most closely associated with ______________ attacks
Zero-day (exploits)
Many forms of malicious code take advantage of ___________ vulnerabilities, security flaws discovered by hackers that have not been thoroughly addressed by the security community
Zero-day vulnerabilities. The existence of zero-day vulnerabilities makes it critical that you have a defense-in-depth approach to cybersecurity that incorporates a varied set of overlapping security controls.