Kingfisher Security+ SYO-501 Chapter 2: Computer System Security Part 1

Ace your homework & exams now with Quizwiz!

(Q)17.Which of the following would be considered detrimental effects of a virus hoax? (Select the two best answers.) A. Technical support resources are consumed by increased user calls. B. Users are at risk for identity theft. C. Users are tricked into changing the system configuration. D. The e-mail server capacity is consumed by message traffic.

A and C. Because a virus can affect many users, technical support resources can be consumed by an increase in user phone calls. This can be detrimental to the company because all companies have a limited number of technical support personnel. Another detrimental effect is that unwitting users may be tricked into changing some of their computer system configurations. The key term in the question is "virus hoax." The technical support team might also be inundated by support e-mails from users, but not to the point where the e-mail server capacity is consumed. If the e-mail server is consumed by message traffic, that would be a detrimental effect caused by the person who sent the virus and by the virus itself but not necessarily by the hoax. Although users may be at risk for identity theft, it is not one of the most detrimental effects of the virus hoax.

Logic Bombs

A code that, in some way, has been inserted into software and is meant to initiate one of many types of malicious functions when specific criteria are met. They blur the line between malware and a malware delivery system. They're intended to activate viruses, worms, or Trojans at a specific time (a Trojan set off on a certain date is a Time Bomb). There can also be other parameters set besides date and time. Possible actions upon discovery of a time bomb include: placing network disaster recovery processes on standby; notifying the software vendor; and closely managing usage of the software, including, perhaps, withdrawing it from service until the threat is mitigated.

Multipartite Viruses

A hybrid of boot and program viruses that attacks the boot sector or system files first and then attacks other files on the system.

Application Whitelisting

A list of approved applications created by an admin, that the user can work with. This can either be handled by a computer policy within the organization or a mobile device management system. Apps such as phone, email, contacts, and web browser should be the only ones necessary for users to utilize on their workplace mobile devices. Use of other apps would be denied or the user would be prompted for additional credentials. Admins must weigh the potential risks of any additional apps before adding them to the white list.

Trustworthy Computing

A newer concept; a set of standards for how software is designed, coded, and checked for quality control.

BIOS (Basic Input Output System)

A set of computer instructions in firmware that control input and output operations. Stored on a small memory chip on the motherboard. Controls things like booting and keyboard control, as well as identifying and configuring the hardware in a computer (hard drive, optical drive, floppy drive, CPU, memory, etc.)

Use a BIOS Password

A supervisor password (not to be confused with the user password or "power-on" password) can keep unwanted people from gaining access to the BIOS. Some computers have BIOS passwords that can be cleared by opening the computer and either removing the battery or changing the BIOS jumper. Some organizations use physical locking devices to keep this from happening. Many laptops come with "Drive Lock Tech" which might simply be referred to as an HDD password which, if enabled, prompts the user to enter a password for the hard drive when the computer is first booted. If the user doesn't know the password, the drive locks and the OS doesn't boot. If the password is set and forgotten, it can usually be reset within the BIOS.

Distributed Denial-of-Service Attacks

A synchronized attack against a network or server by simultaneously sending hundreds or thousands of connection requests, slowing down or crashing the network/servers.

Pop-Up Blocker

A tool that allows the user to block pop-up ads, text boxes, windows etc. Browsers with built-in pop-up blocking functionality and add-on pop up blocking tools include: IE, Firefox, Chrome, Safari, Google Toolbar, Adblock Plus etc. Pop-up blockers can also block pop-up windows that are integral to the function of a website.

Spyware

A type of malicious software either downloaded unwittingly from a website or installed with some third-party software. Usually collects information about the user without the user's consent. Sometimes related to malicious advertising or malvertising: the use of internet-based advertising (legitimate and illegitimate) to distribute malicious software. Can possibly change the computer configuration without any notification (ex. Forcing the browser to access website other than what the user intended).

(Q)1.A group of compromised computers that have software installed by a worm or Trojan is known as which of the following? A. Botnet B. Virus C. Rootkit D. Zombie

A. A botnet is a group of compromised computers, usually working together, with malware that was installed by a worm or a Trojan horse. An individual computer within a botnet is referred to as a zombie (among other things). A virus is code that can infect a computer's files. A rootkit is a type of software designed to gain administrator-level access to a system.

(Q)9.Which of these is a true statement concerning active interception? A. When a computer is put between a sender and receiver B. When a person overhears a conversation C. When a person looks through files D. When a person hardens an operating system

A. Active interception normally includes a computer placed between the sender and the receiver to capture information. All other statements concerning active interception are false. If a person overhears a conversation it can be considered eavesdropping. When a person looks through files it could be normal or malicious. When a person hardens an operating system, that person is making it more secure. We discuss these concepts as we progress through the book.

(Q)20.One of your users was not being careful when browsing the Internet. The user was redirected to a warez site where a number of pop-ups appeared. After clicking one pop-up by accident, a drive-by download of unwanted software occurred. What does the download most likely contain? A. Spyware B. DDoS C. Smurf D. Backdoor E. Logic bomb

A. Of the answers listed, the download most likely contains spyware. It could contain other types of malware as well, such as viruses, Trojans, worms, and so on. The rest of the answers are types of network attacks and methods of accessing the computer to drop a malware payload. A DDoS is a distributed denial-of-service attack, which uses many computers to attack a single target. Smurf is an example of a DDoS. We'll talk more about these in Chapter 7. Backdoors are vulnerabilities in code that can allow a hacker (or even the programmer) administrative access to an operating system. Logic bombs are ways of delivering malware; they are based on timing.

(Q)14.Which of the following defines the difference between a Trojan horse and a worm? (Select the best answer.) A. Worms self-replicate but Trojan horses do not. B. The two are the same. C. Worms are sent via e-mail; Trojan horses are not. D. Trojan horses are malicious attacks; worms are not.

A. The primary difference between a Trojan horse and a worm is that worms will self-replicate without any user intervention; Trojan horses do not self-replicate.

(Q)11.Which type of malware does not require a user to execute a program to distribute the software? A. Worm B. Virus C. Trojan horse D. Stealth

A. Worms self-replicate and do not require a user to execute a program to distribute the software across networks. All the other answers do require user intervention. Stealth refers to a type of virus.

(Q)3.You have been given the task of scanning for viruses on a PC. What is the best of the following methods? A. Recovery environment B. Dual-boot into Linux C. Command Prompt only D. Boot into Windows normally

A. You should use a recovery environment. Most often, this would be the one built into Windows. Many manufacturers suggest using this, and more specifically Safe Mode. However, it could also be a Linux rescue disc or flash drive. That's not a true dual-boot though. An actual dual-boot is when Windows and Linux are both installed to the hard drive. Command Prompt only is not enough, nor is it necessary for some virus scanning scenarios. Booting into Windows normally is tantamount to doing nothing. Remember to use a recovery environment when scanning for viruses.

Spim

Abuse of instant messaging systems, chat rooms and chat functions in games especially.

Geotagging

Adding of location data to content (photos, videos, websites, messages, etc.) in order to help users gain information, but can also be used by attackers as a way to gain information on users. Admins should disable this in corporate settings. Some users don't even know their data is being geotagged.

SIM Cloning

Allows two phones to utilize the same service and allows an attacker to gain access to all phone data. V1 SIM cards had a weak algorithm that made SIM cloning possible (with some expertise). However, V2 cards and higher are much more difficult (if not impossible) to clone due to a stronger algorithm on the chip. Users and admins should be aware of the type of SIM card the user has and update it (or the entire phone) if necessary.

Trojan Horses (Trojans)

Appear to perform wanted functions but are actually performing malicious functions behind the scenes. Not technically viruses and can be downloaded without being noticed. Can also be transferred with removable media (USB flash drives).

Grayware

Applications that are behaving improperly but without serious consequences. Associated with spyware, adware and joke programs.

Personal Firewalls/Host-Based Firewalls

Applications that protect an individual computer from unwanted Internet traffic by a way of set rules and policies. Some prompt the user for permission to enable apps to access the internet. Some can also detect and block intrusions to a computer (a basic form of HIDS).

(Q)5.Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason? A. Virus B. Worm C. Zombie D. PHP script

B. A worm is most likely the reason that the server is being bombarded with information by the clients; perhaps it is perpetuated by a botnet. Because worms self-replicate, the damage can quickly become critical.

(Q)12.Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat? A. Spyware B. Spam C. Viruses D. Botnets

B. Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible.

(Q)13.How do most network-based viruses spread? A. By optical disc B. Through e-mail C. By USB flash drive D. By instant messages

B. E-mail is the number one reason why network-based viruses spread. All a person needs to do is double-click the attachment within the e-mail, and the virus will do its thing, which is most likely to spread through the user's address book. Removable media such as optical discs and USB flash drives can spread viruses but are not nearly as common as e-mail. A virus can also spread if it was incorporated into a link within an instant message, or as an attachment to the IM. This is definitely something to protect against, but not quite as common as e-mail-based viruses, especially in larger organizations' networks.

(Q)22.You are the security administrator for your organization and have just completed a routine server audit. You did not notice any abnormal activity. However, another network security analyst finds connections to unauthorized ports from outside the organization's network. Using security tools, the analyst finds hidden processes that are running on the server. Which of the following has most likely been installed on the server? A. Spam B. Rootkit C. Backdoor D. Logic bomb E. Ransomware

B. Most likely, a rootkit was installed. These can evade many routine scans, so there is no fault here. It's just that more in-depth analysis was required to find the rootkit. The hidden processes are the main indicator of the rootkit. Spam is simply harassment by e-mail (and other messaging systems), to put it nicely. Backdoors are programmed ways to bypass security of an operating system. A logic bomb is code that defines when a particular type of malware will execute. Ransomware is when a computer is operationally held hostage; files are not retrievable by the user (because they have been encrypted) until a ransom is paid. It's important to run in-depth scans periodically. They can be time consuming, but they can uncover many threats and vulnerabilities that would otherwise go unnoticed.

Content Filters

Block external files that use JavaScript or images from loading into the browser. Content filtering becomes more important as advertisers become more clever. Most newer internet browsers have built-in options for content filtering. Proxy-based programs such as Squid can filter content (among other things) for multiple computers.

Windows Firewall

Built into Windows. Advanced version (Windows Firewall with Advanced Security) can be accessed by typing wf.msc in the Run prompt or Command prompt. Other options for other OSes are ZoneAlarm, ipfirewall (ipfw; built into some versions of FreeBSD and OS X), and iptables (Built into Linux systems).

(Q)16.Which of the following types of malware appears to the user as legitimate but actually enables unauthorized access to the user's computer? A. Worm B. Virus C. Trojan D. Spam

C. A Trojan, or a Trojan horse, appears to be legitimate and looks like it'll perform desirable functions, but in reality is designed to enable unauthorized access to the user's computer.

(Q)10.Which of the following types of scanners can locate a rootkit on a computer? A. Image scanner B. Barcode scanner C. Malware scanner D. Adware scanner

C. Malware scanners can locate rootkits and other types of malware. These types of scanners are often found in anti-malware software from manufacturers such as McAfee, Symantec, and so on. Adware scanners (often free) can scan for only adware. Always have some kind of anti-malware software running on live client computers!

(Q)19.A user complains that they were browsing the Internet when the computer started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened? A. The computer is infected with spyware. B. The computer is infected with a virus. C. The computer is now part of a botnet. D. The computer is now infected with a rootkit.

C. The computer is probably now part of a botnet. The reason the system is running slowly is probably due to the fact that there are hundreds of outbound connections to various websites. This is a solid sign of a computer that has become part of a botnet. Spyware, viruses, and rootkits might make the computer run slowly, but they will not create hundreds of outbound connections.

(Q)2.Which of the following computer security threats can be updated automatically and remotely? (Select the best answer.) A. Virus B. Worm C. Zombie D. Malware

C. Zombies (also known as zombie computers) are systems that have been compromised without the knowledge of the owner. A prerequisite is the computer must be connected to the Internet so that the hacker or malicious attack can make its way to the computer and be controlled remotely. Multiple zombies working in concert often form a botnet. See the section "Delivery of Malware" earlier in this chapter for more information.

Network-Based Intrusion Detection System (NIDS)

Can be loaded on a computer or be a standalone appliance. Checks all data packets that pass through the network interfaces, so it can "see" more than just one computer which causes it to be considered an "inline" device. Less expensive and less resource intensive and can scan an entire network for malicious activity as opposed to a single computer. Also can't monitor for things that happen within an OS.

Network DLP Systems

Can be software or hardware-based and are often installed on the perimeter of the network. They inspect data in motion.

Polymorphic Viruses

Can change every time it is executed in an effort to avoid antivirus software detection.

Mobile Device Management (MDM) Platforms

Centralized software solutions that can control, configure, update, and secure remote mobile devices such as Android, iOS, BlackBerry, and so on, all from one administrative console. The MDM software can be run from a server within the organization, or administered within the cloud.

Storage Segmentation

Clear separation of organizational and personal info, applications and other content. It must be unmistakeable where the data ownership line occurs. For networks with many users, consider third-party offerings from companies that make use of MDM platforms.

Viruses

Code that runs on a computer without the user's knowledge; it infects the computer when the code is accessed and executed. A virus also has the reproductive ability to spread copies of itself, but only after it's first accessed and executed by the user.

Attack Vector

Collectively, the means by which an attacker gains access to a target computer in order to deliver malicious software. The most common one is via software.

Typical Symptoms of a Virus

Computer runs slower, locks up frequently or stops responding, restarts on its own or crashes frequently and hard drives, optical drives and applications are not accessible or don't work properly. Strange sounds occur, you receive unusual error messages, display or print distortion occurs, new icons appear or old icons and applications disappear, there's a double extension on a file attached to an e-mail that was opened (ex. A .txt.vbs or .txt.exe file), antivirus programs won't run or won't be installed, files have been corrupted or folders created automatically, and system restore capabilities are removed or disabled. Back up critical data and make sure the latest updates have been made to the OS and Antivirus before making any changes to the computer. Then perform a thorough scan using the AV's scan utility, possibly in safe mode. You can also move the drive to a "clean machine" (a computer not connected to any network and whose sole purpose is to scan for malware). This can be done via USB, removable drive system, or by slaving the affected drive to an SATA, eSATA, or IDE port of the clean computer. The antivirus on the clean machine can then scan and remove the virus. If that doesn't work, you can use free online scanners or Microsoft's Malicious Software Removal Tool. In rare cases, you may have to delete individual files and remove Registry entries. This might be the only option you're left with and instructions on how to remove a virus like this can be found on AV software manufacturer's websites. Boot sector viruses are still best dealt with via AV software, which might use a boot disc or bootable USB flash drive in order to scan the boot sector, or it might have boot shielding built in. Some BIOS programs allow you to scan the boot sector at start up, though it might need to be enable in the BIOS setup first. Windows allows you to use the command line to repair the boot sector (Vista Onward: "bootrec /fixmbr" from within the System Recovery Options Command Prompt)(Older Versions: FIXMBR command in Recovery Console) The free Linux-based tools (such as Knoppix) can also be used to boot and repair the computer. Command-line methods may fail though and render the hard drive inoperable. This is why it's best to stick to antivirus utilities.

(Q)18.One of your co-workers complains of very slow system performance and says that a lot of antivirus messages are being displayed. The user admits to recently installing pirated software and downloading and installing an illegal keygen to activate the software. What type of malware has affected the user's computer? A. Worm B. Logic bomb C. Spyware D. Trojan

D. A Trojan was probably installed (unknown to the user) as part of the keygen package. Illegal downloads often contain malware of this nature. At this point, the computer is compromised. Not only is it infected, but malicious individuals might be able to remotely access it.

(Q)6.Which of the following is not an example of malicious software? A. Rootkits B. Spyware C. Viruses D. Browser

D. A web browser (for example, Internet Explorer) is the only one listed that is not an example of malicious software. Although a browser can be compromised in a variety of ways by malicious software, the application itself is not the malware.

(Q)15.Which of the following types of viruses hides its code to mask itself? A. Stealth virus B. Polymorphic virus C. Worm D. Armored virus

D. An armored virus attempts to make disassembly difficult for an antivirus software program. It thwarts attempts at code examination. Stealth viruses attempt to avoid detection by antivirus software altogether. Polymorphic viruses change every time they run. Worms are not viruses.

(Q)4.Which of the following is a common symptom of spyware? A. Infected files B. Computer shuts down C. Applications freeze D. Pop-up windows

D. Pop-up windows are common to spyware. The rest of the answers are more common symptoms of viruses.

(Q)21.You are the network administrator for a small organization without much in the way of security policies. While analyzing your servers' performance you find various chain messages have been received by the company. Which type of security control should you implement to fix the problem? A. Antivirus B. Anti-spyware C. Host-based firewalls D. Anti-spam

D. The chain messages are e-mails (similar to the archaic chain letter) that are being spammed on the network. Therefore, anti-spam security controls need to be implemented. This would be a type of preventive control. Antivirus programs find and quarantine viruses, worms, and Trojans, but unless they are part of an AV suite of software, they will not check e-mail. Anti-spyware tools will attempt to prevent spyware from being installed on the computer. Host-based firewalls block attacks from coming through specific ports, but will not catch spam messages. However, a HIDS (host-based intrusion detection system) could possibly detect spam, and a HIPS (host-based intrusion prevention system) might even prevent or quarantine it.

Data in Transit

Data that is on the move between a client and a server.

Intrusion Prevention Systems (IPSs) and Intrusion Detection and Prevention Systems (IDPSs)

Developed to detect incidents and attacks, as well as to prevent them from doing any real damage to the computer or network.

Preventing and Troubleshooting Viruses

Every computer should have antivirus software running on it. Antivirus software should be kept up-to-date, probably renewed yearly. Be sure to update the antivirus engine and the definitions if you're doing it manually. Schedule regular full scans of your system with the antivirus software. Remember that antivirus software usually doesn't detect logic bombs, rootkits, and botnets. Make sure that your computer/network has the latest updates and service packs. This goes for the OS, as well as all applications. Have a firewall (closes all inbound ports to your computer or network in an attempt to block intruders) available, enabled and updated. Possibly include a hardware-based firewall (ex. An office router), though you might need to set exceptions for applications that connect to the internet. Use "separation of OS and data" (installing the OS on one hard drive and the data on another hard drive). This compartmentalizes data, making it harder for viruses to spread and easier to reinstall without backing up data. You can also use two partitions on the same drive to achieve the same effect. Encryption is another way to protect data from viruses. (ex. Windows Encrypting File System for individual files) Educate users as to how viruses could infect a system. Teach them to screen their emails and not to open unknown attachments. Show them how to scan removable media, or have the computer scan removable media automatically, before copying files to their computer.

Privilege Escalation

Exploiting a bug or design flaw in a software or firmware application in order to gain access to resources that normally would've been protected from an application or user.

Flash the BIOS

Flashing describes the updating of the BIOS. Updating the BIOS to the latest version allows you to avoid possible exploits and BIOS errors. All new motherboards issue at least one new BIOS version within the first six months of their release.

Preventing and Troubleshooting Worms and Trojans

Free online scanners and Antivirus scanners can usually deal with worms and trojans, just like viruses. Remote-Access Trojans can usually be found pretty easily by AV software by detecting the attacker's actual application or by detecting any .exe files that are part of the application and are used on the victim's computer. Keeping your AV software up to date and knowing how to avoid threats as a user is crucial. Same as viruses, these types of malware should be quarantined and/or removed with AV software or with the advanced techniques mentioned for viruses (clean machine, free online scanners, command-line methods etc.). The same methods usually apply to ransomware since it's sent as a Trojan.

Programs That Can Be Used to Detect Rootkits

GMER, TDSSKiller, Microsoft Sysinternals Rootkit Revealer, chkrootkit (for Linux/OS X) Sometimes rootkits hide in the MBR (Master Boot Record). OSes usually recommend scrubbing the MBR (rewriting it with System Recovery Options or Windows Recovery Console) then scanning it with AV software. This depends on the type of rootkit. Due to the difficulty of removing them, the best way to combat a rootkit is to reinstall all software (or re-image the system. Usually takes less time than fixing all the rootkit issues, and can verify it's been removed completely.

Easter Eggs

Historically a platonic extra that was added to an OS or application as a joke; often missed by quality control and subsequently by the manufacturer of the software. (ex. Forcing a win in Windows XP's version of Solitaire by holding Alt+Shift+2 at the same time) Usually intended to be harmless and not documented by programmers, but are nowadays not allowed by most software companies.

If A Computer Can't Be Saved from Malware

In the case that a computer can't be recovered, backup the data if possible and have the OS and applications reinstalled. Also, have the BIOS flashed. Thoroughly check the system after installation for residuals and proper performance.

Zombies

Individual computers being controlled by the master computer. Called zombies because they're unaware that they're even carrying malware.

Program Viruses

Infects executable files.

Boot Sector Viruses

Initially loads into the first sector of the hard drive. When the computer boots, the virus then loads into memory.

Ad-Filtering

Listing of applications and add ons that are deemed "adware" and are then blocked.

Ransomware

Malware that restricts access to a computer and demands that a ransom be paid before access can be given back to the user/owner. The system is usually locked in one of several ways and the attacker demands payment, usually to an overseas banking service. It often propagates as a Trojan or worm, and uses encryption to make the user's files inaccessible (known as cryptoviral extortion). ex. Cryptolocker: A ransomware Trojan that encrypts certain files on the computer's drives using an RSA public key (The counterpart private key is stored on the malware creator's private server.) The Trojan can easily be defeated by being either quarantined or removed, but the file encryption is almost impossible to decipher depending on the strength of the RSA key.

Summary of Mobile Device Security

Malware: Update device to latest version (or point release for the current version); Use security suites and AV software. Enable them if preloaded on the device and update regularly. Train users to carefully screen email and selectively access websites. Be careful of social networks and third-party apps. Botnets & DDoS: Download apps from a legitimate source. If BYOD is in place, use company-approved apps. Refrain from "rooting" or "jailbreaking" the device. Have data backed up in case the device becomes part of a botnet and has to be wiped. SIM Cloning: Use V2 and newer cards with strong encryption algorithms. Wireless Attacks: Use a strong password for the wireless network. Turn off unnecessary wireless features such as mobile-hotspot, tethering, and so on. Disable Bluetooth if not in use for long periods of time (also conserves battery) Set device to undiscoverable. Theft: Use data and voice encryption (especially in BYOD implementations). Implement lockout, remote locator, and remote wipe programs. Limit the amount of confidential info stored on the device. Use screen locks and complex passwords. App Security: Use encryption from reputable providers. Use non-transitive trusts between networks and apps. Whitelist applications. Disable geotagging. BYOD Concerns: Implement storage segmentation. Use an MDM solution. Create and implement clear policies that the organization and user must adhere to.

Threat Vector

Method that a threat uses to access a target.

Worms

Much like a virus except it has the ability to self-replicate without being accessed and executed by the user. They take advantage of security holes in operating systems and applications (including backdoors) and then look for other systems on the network or on the internet running those same applications and tries to replicate onto them. Unlike viruses, worms don't need carriers or explicit instructions from the user in order to activate. Even without a payload of other malware, worms can disrupt network traffic and computer operations just by their self-replicating abilities.

Hardware Security Modules (HSMs)

Physical devices that act as secure crypto processors, which means they're used for encryption during secure login/authentication processes, during digital signings of data, and for payment security systems. HSMs are faster than software-based encryption. HSMs can be found in adapter card form, as plug-in devices via USB, and as network-attached devices. They're generally tamper-proof, giving a high level of physical security. Also usable in high availability cluster environments because they work independently of other computer systems and are used solely to calculate data required for encryption keys. However, many require some kind of management software to be installed on the computer they're connected to. Some manufacturer's force the user to make the management software themselves. Due to this and the cost involved in general, HSMs and hardware-based drive encryption solutions have seen slower deployment with some organizations.

Active Interception

Placing a computer between the sender and the receiver in order to receive and modify information.

Data Loss Prevention (DLP)

Refers to the monitoring of data in use, data in motion and data at rest. DLP systems perform content inspection and are designed to prevent unauthorized use of data as well as prevent leakage of data outside the computer or network it resides in. They can be hardware or software-based and come in three varieties.

Preventing and Troubleshooting Rootkits

Rootkits are copied to a computer as a binary file, which can be detected by signature-based and heuristic-based antivirus programs. After the rootkit is executed, however, it can be difficult to detect, because most of them are collections of programs working together that can make modifications to the system. The best way to identify a rootkit is to use removable media (USB drives or a special rescue CD-ROM) to boot the computer. This way, the OS isn't running and the rootkit isn't running, making it much easier to detect by the external media.

Endpoint DLP Systems

Run on an individual computer and are usually software-based. Monitor data in use, such as email communications, and can control what info flows between users. Endpoint DLP systems can also be used to inspect the content of USB-based mass storage devices.

Configure the BIOS

Set up the BIOS to reduce the risk of infiltration. (ex. Change the BIOS boot order (boot device priority) so that it looks for a hard drive first and not any type of removable media). Also, if a company policy requires it disable removable media including optical drives, floppy drives, eSATA ports and USB ports.

Rootkits

Software designed to gain admin level control over a computer system without being detected. (root = Root user in Unix/Linux or an admin in Windows; kit = software kit). Purpose is usually to perform malicious actions on a target computer at a later date.without the knowledge of admins and users. Basically a variation of viruses that dig into the lower levels of the OS that get booted first, before any anti-malware services can detect them. Rootkits can target the BIOS, boot loader, kernel and more. Rootkits are difficult to detect because they are activated before the OS has fully booted. They might install hidden files, hidden processes and hidden user accounts. Because they can be installed in hardware or software, rootkits can intercept data from network connections, keyboards and so on.

Malicious Software (Malware)

Software designed to infiltrate a computer system and possibly damage it without the user's knowledge or consent. (ex. Viruses, worms, trojan horses, spyware, rootkits, adware and other types of undesirable software.) In recent years the emphasis has shifted from viruses to spyware and ransomware.

Badware

Software that does things you don't want it to do, without your consent. The best way to protect against it is to be wary of what you install/download. Viruses, spyware and other types of malware are sometimes lumped into this term. Some types of badware are not malicious, but the user loses a certain amount of control when using them (ex. Shopping toolbars that collect information without the user's consent, software that installs another program upon installation without the user's consent).

Intrusion Detection System (IDS)

Software that monitors and analyzes the system in an attempt to detect malicious activities.

Further Details About HIDSs

Some Anti-Virus softwares have basic HIDS functionality, but true HIDS solutions are individual and separate apps that monitor log files, check for file integrity, monitor policies, detect rootkits, and alert the admin in real time of any changes to the host. All done to detect malicious activity such as spamming, zombie/botnet activity, ID theft, keystroke logging, etc. Some HIDS apps are: Trend Micro OSSEC: A free solution for Windows, OS X, Linux and Unix. Verisys: A commercial HIDS solution for Windows. Tripwire: Another commercial HIDS solution. When selecting an HIDS, make sure it meets the compliance regulations that your organization must adhere to (PCI DSS, NIST 800-53, etc.). It's important to protect the HIDS database because it can be targeted for attack, and should either be encrypted, stored on read-only memory, or stored outside the system. Intrusion Prevention Systems (IPSs) and Intrusion Detection and Prevention Systems (IDPSs): were developed to detect incidents and attacks, as well as to prevent them from doing any real damage to the computer or network. McAfee and Norton offer host-based intrusion prevention systems and there are downloadable implementations for Linux such as Security-Enhanced Linux (SE-Linux) which is a set of kernel modifications originally developed by the NSA to stop malicious code from executing. Security admins can review the logs of an HIDS at any time, but if the computer has been shut down the admin won't be able to review info pertaining to system processes and network processes, nor info stored in memory, all of which are considered volatile. HIDS logs that refer to archived storage, the MBR (Master Boot Record), system disk, email and so on will still be reviewable and by reviewing the logs of the HIDS, security admins can find out if the computer's been compromised by malware or if it's communicating with a botnet.

Adware

Spyware (usually) that pops up advertisements based on spying on the user's interests.

Network Attached Storage (NAS)

Storage device that connects directly to your ethernet network. Basic home and office NAS devices usually contain two hard drives, enabling you to set up RAID 1 mirroring, which protects your data if one drive fails. A more advanced NAS device might house up to 32 drives and contain dozens of terabytes of data, with possibly hot-swappable drives (can be physically replaced and the data can be rebuilt quickly).

Statistical Anomaly Monitoring

The IDS establishes a performance baseline based on normal network traffic evaluations, then compares current network traffic activity with the baseline to detect whether it's within baseline parameters. If not, an alarm is triggered and sent to the admin.

False Negative Misidentification

The IDS identifies an attack as legitimate activity. (ex. If the particular attack's signature isn't in the IDS's database, the IDS won't warn you.)

False Positive Misidentification

The IDS identifies legitimate activity as something malicious.

Spam

The abuse of electronic messaging systems (email, text messaging, social media, broadcast media etc.) Spammers send unsolicited bulk messages indiscriminately, usually without benefit to the actual spammer since most of it is either deflected or ignored.

Crimeware

The automation of malware and web-based software kits that caused a boom in malware distribution between 2008 and 2013. Ex. One web attack kit is the Blackhole exploit kit. This is used (and purchased) by potential attackers in order to distribute malware to computers that meet particular criteria, while the entire process is logged and documented. Kits such as this one account for the largest percentage of web threats, and are the most common software-based method of distributing malware.

Remote Access Trojans (RATs)

The most common type of trojan (ex. Back Orifice, NetBus, SubSeven). Their capability to give an attacker higher administration privileges than the owner of the system makes them very dangerous. Effectively acts as a remote administration tool (another name for RAT). Can scan for unprotected hosts and make all kinds of changes to a host when connected. Perhaps not originally designed to be used maliciously. RATs can also be coded with PHP and other languages to allow remote access to websites. (ex. Web shell: Allows the attacker to remotely configure a web server without the user's consent. Often the attacker will have cracked the FTP password in order to upload the RAT.) RATs and other malicious software used to persistently target a specific entity such as a business or government agency are known as an Advanced Persistent Threat (APT).

Bluejacking

The sending of unsolicited messages to Bluetooth-enabled devices as mobile phones. This can be stopped by setting the affected Bluetooth devices to "undiscoverable" or by turning off Bluetooth altogether.

Host-Based Intrusion Detection System (HIDS)

The type of IDS that a client computer would have. Loaded on a single computer, analyzes and monitors what happens inside that computer. (ex. Changes to file integrity). Installed directly in an OS so it's not an "inline" device unlike other network-based IDS solutions. Can interpret encrypted traffic. Also expensive, resource-intensive, and due to its default local storage of the HIDS object database if something happens to the computer the database will be unavailable.

Common Symptoms of Spyware

The web browser's default home page has been modified/changed. A particular website comes up every time you perform a search. Excessive pop-up windows appear. Network Adapter's activity LED blinks frequently when the computer shouldn't be transmitting data. The firewall and AV software turn off automatically. New programs, icons, and favorites appear. Odd problems occur within windows (slow system, applications behaving strangely and such) The Java console appears randomly.

Whole Disk Encryption

To encrypt an entire hard drive, you need full disk encryption software. ("Disk," though not accurate in some cases, is the commonly used term here.) Microsoft's BitLocker can encrypt the entire disk, which becomes transparent to the user after completion. To do this, you need somewhere to store the encrypted keys (Trusted Platform Module (TPM): a chip on the motherboard that stores the encrypted keys; or an external USB key; or a hard drive with two volumes, preferably created during the installation of Windows. One volume for the OS (likely C:) that will be encrypted and the other (the active volume) remains unencrypted so the computer can boot. If a second volume needs to be created BitLocker's Drive Preparation Tool can help. *Drives encrypted with BitLocker (both 128-bit and 256-bit keys) usually suffer in performance compared to a non-encrypted drive and could have a shorter shelf life as well. *Double encryption (ex. BitLocker to encrypt a drive and EFS (Encrypting File System on Windows) to encrypt individual files) can be a very effective security technique. This way folders copied to external media will remain encrypted even though they're no longer on the encrypted drive.

Armored Viruses

Tricks antivirus programs by making them think it's located in a different place than it actually is. Essentially, it has a layer of protection that it uses against the person trying to analyze it; it will thwart attempts by analysts to examine it.

Storage DLP Systems

Typically installed in data centers or server rooms as software that inspects data at rest.

Bluesnarfing

Unauthorized access of info from a wireless device through a Bluetooth connection. Bluesnarfing is theft of data (calendar info, phonebook contacts, etc.). Ways of discouraging bluesnarfing include using a pairing key that's not easy to guess or setting your device to "Undiscoverable" (only after legitimate Bluetooth devices have been set up, of course.) or turning off Bluetooth altogether.

Preventing and Troubleshooting Spyware

Updating the OS and using a firewall AV software companies and OS manufacturers usually add antispyware utilities to their software. You can download and update built-in anti-spyware programs such as Windows Defender or Microsoft Security Essentials. Adjust web browser security settings (ex. Disable or limit cookies, configure trusted zones/sites, turn on phishing filters, restrict unwanted websites, turn on automatic web checking, disable scripting (such as JavaScript and Active X), and have the browser clear all cache on exit. All of these can help filter out fraudulent online requests for usernames, passwords, and credit card info. Higher security settings can also help fend off session hijacking (the act of taking control of a user session after obtaining or generating an authentication ID). Uninstall unnecessary applications and turn off superfluous services. Educate users on how to surf the web safely. (Use Alt+F4 to close a window, to avoid fake browser windows that are actually ads) Use tech that is resistant to spyware (certain browsers, running a browser within a virtual machine, or running an entire OS within a virtual machine).

Preventing and Troubleshooting Spam

Use a spam firewall/filter: Admins can block emails with certain types of attachments, and many popular email clients and AV softwares have options for spam filtering. Close Open Mail Relays or SMTP Open Relays: SMTP servers can be configured as open mail relays (enables anyone on the internet to send e-mail through the SMTP server, which is desirable to customers of the company that has the server but not the company itself. Open mail relays should be either closed or configured so only customers and authenticated users can use them. Remove E-mail Address Links From The Company Website: Replace them with online forms (secure PHP or CGI forms) enabling people to contact the company without seeing company email addresses. Separate advertising email for any literature or ads. Use Whitelists and Blacklists: Whitelists (lists of e-mail addresses or email domains that are trusted) Blacklists (Lists of e-mail addresses or e-mail domains that are not trusted. Can be set up on e-mail servers, e-mail appliances and mail client programs (Outlook, Gmail etc.) Train Your Users: Use separate e-mail addresses instead of company email when posting to forums, tech support portals, and newsgroups. Also screen your emails carefully (email vetting) to make sure there are no suspicious attachments or links. Advocate for using blind carbon copy when sending out emails to multiple users.

Summary of Malware Prevention Techniques

Virus: Run and update AV software, Scan entire system periodically, Update OS, Use a firewall Worm: Run and update AV software, Scan entire system periodically Trojan Horse: Run and update AV software, Scan entire system periodically, Run a Trojan scan periodically. Spyware: Run and update anti-spyware software, Scan entire system periodically, Adjust web browser settings, Consider tech that discourages spyware. Rootkit: Run and update AV software, Use rootkit detector programs. Spam: Use spam filter, Configure whitelists and blacklists, Close open mail relays, Train your users.

Typosquatting or URL Hacking

When domain names are created based on minor typos of established websites in order to trick users into going to an unwanted website that may contain malware. Some browsers defend against this with anti-phishing tools and the ability to auto-check websites entered.

Securing Smaller/Portable Devices

When smaller, portable devices are not in use the best way to protect them is to lock them in a cabinet/safe/etc. There are other ways to protect them (encryption, proper handling, GPS tracking etc.) but the simple physical solution is usually overlooked today.

On-Boarding

When the security admin takes control of the device temporarily to configure it, update it, and perhaps monitor it. *Many employees are suspicious of BYOD MDM solutions, believing that their employer is spying on their personal info. Organizations should write clear privacy policies to assuage these concerns (ex. Selective wipes of secure corporate data while personal info is left untouched). *There are also concerns about cameras found in devices being used to remotely observe and record employees/users. Organizations should consider cameras to fall under the "Personal" side of mobile device data.

Signature-Based Monitoring

Network traffic is analyzed for predetermined attack patterns, known as signatures. Signatures are stored in a database that must be updated regularly to have effect. Many attacks have their own distinct signatures and malicious activity with a slightly different signature might be missed.

Botnets

A group of compromised computers controlled by a master computer, where the attacker resides, that can be used to distribute malware.

(Q)7.Which type of attack uses more than one computer? A. Virus B. DoS C. Worm D. DDoS

D. A DDoS, or distributed denial-of-service, attack uses multiple computers to make its attack, usually perpetuated on a server. None of the other answers use multiple computers.

(Q)8.What is a malicious attack that executes at the same time every week? A. Virus B. Worm C. Ransomware D. Logic bomb

D. A logic bomb is a malicious attack that executes at a specific time. Viruses normally execute when a user inadvertently runs them. Worms can self-replicate at will. Ransomware is a type of malware that restricts access to files (or entire systems) and demands a ransom be paid.

Backdoors

Used in computer programs to bypass normal authentication and other security mechanisms in place.

Non-Transitive Trust

Users need to be authenticated to each network separately, and therefore are limited to the apps (and data) they have access to on a per-network basis.

Stealth Viruses

Uses various techniques to go unnoticed by antivirus programs.

Macro Viruses

Usually placed in documents and emailed to users in the hopes that the user will open the document, thus executing the virus.

Off-Boarding

When a security admin relinquishes control of the device when finished.

Transitive Trust

When two networks (or more) have a relationship such that users logging into one network get access to data on the other/s.


Related study sets

Biological Anthropology 196 Part 1

View Set

Political Science T/F questions (ch.1-3)

View Set

Wordly Wise Book 9 Lesson 10 (definitions)

View Set

Tools of the Trade: Linux and SQL

View Set

InQuizitive: Chapter 15: Bacteria and Archaea: Navel Gazing *ANSWERS*

View Set

IDENTIFYING HAZARDOUS MATERIALS Objectives: Lesson 3

View Set

MATERNAL CHILD TEST 2 CHAPTER 10 FETAL DEVEOPMENT AND GENETICS

View Set