Chapter 1. System Threats and Risks

Terms you need to understand

• Privilege escalation

• Viruses

• Worm

• Trojan

• Spyware

• Spam

• Rootkits

• Botnets

• Logic bomb

• BIOS

• Removable storage

Techniques you need to master

• Understanding and identifying common system security threats

• Recognizing when an attack is happening and taking proper steps to end it

• Learning to identify which types of attacks you might be subject to and how to implement proper security to protect your environment

• Recognizing malicious code and knowing how to respond appropriately

• Understanding security risks that threaten system hardware and peripherals

• Learning the concepts of network attached storage

Securing your resources is a challenge in any working environment. It has become common for resources to be subject to myriad attacks through software, hardware, and peripherals.

The Security+ exam requires that you understand that minimizing system threats and risks can thwart many would-be attackers and that you understand the different types of attacks that can happen.

Systems Security Threats

Because networks today have become so complex and mobile, they have many points of entry. These various points can all be vulnerable, leaving an intruder many points of access. With so many ways of getting into the network, the components must be divided into separate elements so that the security process becomes easier to manage. Before you can begin to look at securing the environment, however, you must understand the threats and risks associated with the environment. This section explores those threats and risks to help you understand everyday potential dangers.

In today’s network environment, malicious code, or malware, has become a serious problem. The target is not only the information stored on local computers, but also other resources and computers. As a security professional, part of your responsibility is to recognize malicious code and know how to respond appropriately. This section covers the various types of malicious code you might encounter, including privilege escalation, viruses, worms, Trojans, spyware, spam, adware, rootkits, botnets, and logic bombs.

Privilege Escalation

Programming errors can result in system compromise, allowing someone to gain unauthorized privileges. Software exploitation takes advantage of a program’s flawed code, which then crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator. This is known as privilege escalation.

Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Poor application design might allow the input of 100 characters into a field linked to a variable only capable of holding 50 characters. As a result, the application doesn’t know how to handle the extra data and becomes unstable. The overflow portion of the input data must be discarded or somehow handled by the application; otherwise, it could create undesirable results. Because no check is in place to screen out bad requests, the extra data overwrites some portions of memory used by other applications and causes failures and crashes. A buffer overflow can result in the following:

• Overwriting of data or memory storage.

• A denial of service due to overloading the input buffer’s ability to cope with the additional data.

• Execution of arbitrary code by the originator, often at a privileged level.

Services running on Internet-connected computers present an opportunity for compromise using privilege escalation. Some services require special privilege for their operation. A programming error could allow an attacker to obtain special privilege. In this situation, two possible types of privilege escalation exist: a programming error that allows a user to gain additional privilege after successful authentication and a user gaining privilege with no authentication. The following are examples of these types of buffer overflow issues:

• In the fall of 2002, the Linux Slapper worm infected about 7,000 servers. The worm exploited a flaw in Secure Sockets Layer (SSL) on Linux-based web servers. The premise behind this vulnerability is that the handshake process during an SSL server connection can be made to cause a buffer overflow when a client uses a malformed key.

• Buffer overflows that overwrite the execution stack in the Java Virtual Machine (JVM). The JVM is the client-side environment supporting Java applets. Improperly created applets can potentially generate a buffer overflow condition, crashing the client system.

In the case of buffer overflows, good quality assurance and secure programming practices could thwart this type of attack. Currently, the most effective way to prevent an attacker from exploiting software is to keep the manufacturer’s latest patches and service packs applied and to monitor the Web for newly discovered vulnerabilities. Patching operating systems and applications is discussed in Chapter 5, “Access Control and Authentication Basics.” Back doors and other types of privilege escalation that are not specifically buffer overflow-related are discussed in Chapter 2, “Online Vulnerabilities.”
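The 50-character field described above, written out in C as an added example (this is not code from the book): an unchecked copy that overruns the field beside a bounds-checked version that rejects oversized input. The record layout, the adjacent flag and the helper names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* The field from the text: room for 50 characters plus the terminating NUL.
 * Constructed sizes for this example. */
#define FIELD_MAX 50
#define MAX_INPUT 100

struct record {
    char field[FIELD_MAX + 1];
    int  admin;   /* adjacent data that an overflow would clobber */
};

/* Unsafe: copies without checking the length of the input.
 * A 100-character input overruns 'field' and corrupts whatever follows it
 * in memory (here 'admin'), which is the failure the text describes.
 * Shown for contrast only; it is never called with untrusted input. */
void copy_unchecked(struct record *r, const char *input)
{
    strcpy(r->field, input);
}

/* Safe: measure the input without reading past FIELD_MAX + 1 bytes and
 * reject anything that does not fit instead of overflowing.
 * Returns 0 on success, -1 if the input is too long. */
int copy_checked(struct record *r, const char *input)
{
    size_t len = 0;
    while (len <= FIELD_MAX && input[len] != '\0') {
        len++;
    }
    if (len > FIELD_MAX) {
        return -1;          /* too long: discard, never silently truncate */
    }
    memcpy(r->field, input, len);
    r->field[len] = '\0';
    return 0;
}

/* Build an input of n repeated characters (constructed test data). */
static void fill(char *buf, size_t n, char c)
{
    memset(buf, c, n);
    buf[n] = '\0';
}

/* Push an n-character input through the checked copy and report the result:
 * 0 accepted, -1 rejected, -2 test input too large, -3 neighbouring field
 * was corrupted (which the checked copy must never cause). */
int try_checked(size_t n)
{
    struct record r;
    char input[MAX_INPUT + 1];
    int rc;

    if (n > MAX_INPUT) {
        return -2;
    }
    memset(&r, 0, sizeof r);
    fill(input, n, 'A');
    rc = copy_checked(&r, input);
    if (r.admin != 0) {
        return -3;
    }
    return rc;
}

int main(void)
{
    printf("49 chars:  %s\n", try_checked(49) == 0 ? "accepted" : "rejected");
    printf("50 chars:  %s\n", try_checked(50) == 0 ? "accepted" : "rejected");
    printf("100 chars: %s\n", try_checked(100) == 0 ? "accepted" : "rejected");
    return 0;
}
```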

Viruses

A virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. It then attaches to other files, adds its code to the application’s code, and continues to spread. Even a simple virus is dangerous because it can use all available resources and bring the system to a halt. Many viruses can replicate themselves across networks and bypass security systems.

Viruses are malicious programs that spread copies of themselves throughout a single machine. They infect other machines only if an infected object is accessed and the code is launched by a user on that machine. There are several types of viruses:

Boot sector—This type of virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory.

Polymorphic—This type of virus can change form each time it is executed. It was developed to avoid detection by antivirus software.

Macro—This type of virus is inserted into a Microsoft Office document and emailed to unsuspecting users.

Program—This type of virus infects executable program files and becomes active in memory.

Stealth—This type of virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file’s size.

Multipartite—This type of virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files, or vice versa.

Exam Alert

Viruses have to be executed by some type of action, such as running a program.

Here are a few of the most popular viruses:

Love Bug—The virus originated in an email titled “I love you.” When the attachment was launched, the virus sent copies of the same email to everybody listed in the user’s address book. The virus came as a Visual Basic Scripting Edition (VBScript) attachment and deleted files, including MP3s, MP2s, and JPGs. It also sent usernames and passwords to the virus author. It infected about 15 million computers and crashed servers around the world.

Melissa—Melissa first appeared in March 1999. It is a macro virus, embedded in a Microsoft Word document. When the recipient receives the Word document as an attachment to an email message and opens the document, the virus sends email to the first 50 addresses in the victim’s email address book and attaches itself to each message.

Michelangelo—Michelangelo is a master boot record virus. It is based on an older virus called Stoned. The Michelangelo virus erases the contents of the infected drive on March 6 (its namesake’s birthday) of the current year.

Since 2000, the majority of viruses released are actually worms, which are discussed in the following section.

Worms

Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. This process repeats with no user intervention. After the worm is running on a system, it checks for Internet connectivity. If it finds connectivity, the worm then tries to replicate from one system to the next.

Examples of worms include the following:

Morris—This famous worm took advantage of a Sendmail vulnerability and shut down the entire Internet in 1988.

Badtrans—This mass-mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access Trojan horse.

Nimda—This worm infects using several methods, including mass mailing, network share propagation, and several Microsoft vulnerabilities. Its name is admin spelled backward.

Code Red—A buffer overflow exploit is used to spread this worm. This threat affects only web servers running Microsoft Windows 2000.

Worms propagate by using email, instant messaging, file sharing (P2P), and IRC channels. Packet worms spread as network packets and directly infiltrate the RAM of the victim machine, where the code is then executed.

Exam Alert

A worm is similar to a virus or Trojan, except that it replicates by itself, without any user interaction.

Trojans

Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Trojans can perform actions without the user’s knowledge or consent, such as collecting and sending data or causing the computer to malfunction.

Examples of Trojan horses include the following:

Acid Rain—This is an old DOS Trojan that, when run, deletes system files, renames folders, and creates many empty folders.

Trojan.W32.Nuker—This Trojan was designed to function as a denial-of-service (DoS) attack against a workstation connected to the Internet.

Mocmex—This Trojan is found in digital photo frames and collects online game passwords.

Trojans can download other Trojans, which is part of how botnets are controlled, as discussed later in this chapter.

Spyware

Undesirable code sometimes arrives with commercial software distributions. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.

Like a Trojan, spyware sends information out across the Internet to some unknown entity. In this case, however, spyware monitors user activity on the system, and in some instances this includes the keystrokes typed. This logged information is then sent to the originator. The information, including passwords, account numbers, and other private information, will no longer be private.

Here are some indications that a computer may contain spyware:

• The system is slow, especially when browsing the Internet.

• It takes a long time for the Windows desktop to come up.

• Clicking a link does nothing or goes to an unexpected website.

• The browser home page changes, and you might not be able to reset it.

• Web pages are automatically added to your favorites list.

Exam Alert

Spyware monitors user activity on the system, and can include keystrokes typed. The information is then sent to the originator.

Many spyware eliminator programs are available. These programs scan your machine much as antivirus software scans for viruses, and just as with antivirus software, you should keep spyware eliminator programs updated and regularly run scans.

Spam

Just like junk mail clogs our regular mailbox, spam clogs our email box. Spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Most spam is commercial advertising, often for products such as “get rich quick” schemes, physical enhancements, and cheap medications. Spam costs the sender little to send because the actual costs are paid for by the carriers rather than by the sender. Email spam lists are often created by scanning newsgroup postings, stealing Internet mailing lists, or searching the Web for addresses. Spammers use automated tools to subscribe to as many mailing lists as possible. From those lists, they capture addresses or use the mailing list as a direct target for their attacks. State, federal, and international laws regulate spam.

Caution

Requesting to be removed from junk email lists often results in more spam because it verifies that you have a legitimate, working email address.

When dealing with spam, follow this advice:

• Never make a purchase from an unsolicited email.

• If you do not know the sender of an unsolicited email message, delete it. (Don’t be curious and open it.)

• Do not respond to spam messages and do not click any links within the message (even to “unsubscribe”).

• Do not use the preview function of your email software, because if you do, the email message will automatically show as read.

• When sending email messages to a number of people, use the blind carbon copy (BCC) field to hide their email addresses.

• Be careful about giving out your email address on websites and newsgroups.

• Use more than one email address, keeping your personal email address private.

In addition, use software that filters spam. Approximately 75% of the email organizations receive is spam. It is best to filter it before it gets to the users.

Adware

Advertising-supported software, or adware, is another form of spyware. It is an online way for advertisers to make a sale. Companies offer to place banner ads in their products for other companies. In exchange for the ad, a portion of the revenue from banner sales goes to the company that places the ad. However, this novel concept presents some issues for users. These companies also install tracking software on your system, which keeps in contact with the company through your Internet connection. It reports data to the company, such as your general surfing habits and which sites you have visited. And although the company might state that they will not collect sensitive or identifying data from your system, the fact remains that you have software on your PC that is sending information about you and your surfing habits to a remote location.

U.S. federal law prohibits secretly installing software that forces consumers to receive pop-ups that disrupt their computer use. Adware is legitimate only when users are informed up front that they will receive ads. In addition, if the adware gathers information about users, it must inform them. Even though legitimate adware is not illegal, certain privacy issues arise. For instance, although legitimate adware discloses the nature of data collected and transmitted, users have little or no control over what data is being collected and dispersed. Remember, this technology can send more than just banner statistics.

Rootkits

Rootkits were first documented in the early 1990s. Today, rootkits are more widely used and are increasingly difficult to detect on networks. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. A rootkit is usually installed on a computer by first obtaining user-level access. After a rootkit has been installed, it allows the attacker to gain root or privileged access to the computer. Root or privileged access could also allow the compromise of other machines on the network.

A rootkit may consist of programs that view traffic and keystrokes, alter existing files to escape detection, or create a back door on the system.

Exam Alert

Rootkits can be included as part of a software package, installed by way of an unpatched vulnerability, or installed by the user downloading and running them.

Attackers are creating more sophisticated programs that update themselves, which makes them that much harder to detect. If a rootkit has been installed, traditional antivirus software can’t always detect the malicious programs. Many rootkits run in the background. Therefore, you can usually spot them by looking at memory processes, monitoring outbound communications, and checking for newly installed programs.

Kernel rootkits modify the kernel component of an operating system. These newer rootkits can intercept system calls passed to the kernel and can filter out queries generated by the rootkit software. Rootkits have also been known to use encryption to protect outbound communications and piggyback on commonly used ports to communicate without interrupting other applications that use that port. These “tricks” invalidate the usual detection methods because they make the rootkits invisible to administrators and to detection tools.

Many vendors offer applications that can detect rootkits, such as RootkitRevealer. Removing rootkits can be a bit complex because you have to remove the rootkit itself and the malware that the rootkit is using. Often, rootkits change the Windows operating system itself. Such a change might cause the system to function improperly. When a system is infected, the only definitive way to get rid of a rootkit is to completely format the computer’s hard drive and reinstall the operating system.

Most rootkits use global hooks for stealth activity. So if you use security tools that can prevent programs from installing global hooks and stop process injection, you can prevent rootkit functioning. In addition, rootkit functionality requires full administrator rights. Therefore, you can avoid rootkit infection by running Windows from an account with lesser privileges.

Botnets

A bot, short for robot, is an automated computer program that needs no user interaction. Bots are systems that outside sources can control. A bot provides a spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers (although many computers in the corporate world are bots, as well). A botnet is a large number of computers that forward transmissions to other computers on the Internet. You might also hear a botnet referred to as a zombie army.

A system is usually compromised by a virus or other malicious code that gives the attacker access. A bot can be created through a port that has been left open or an unpatched vulnerability. A small program is left on the machine for future activation. The bot master can then unleash the effects of the army by sending a single command to all the compromised machines. A computer can be part of a botnet even though it appears to be operating normally. This is because bots are hidden and usually go undetected unless you are specifically looking for certain activity. The computers that form a botnet can be programmed to conduct a distributed denial-of-service (DDoS) attack, distribute spam, or to do other malicious acts.

Botnets have flooded the Internet. It is estimated that on a typical day 40% of the computers connected to the Internet are bots. This problem shows no sign of easing. For example, Storm started out as an email that began circulating on January 19, 2007. It contained a link to a news story about a deadly storm. Fourteen months later, Storm remained the largest, most active botnet on the Internet. Storm was the first to make wide use of peer-to-peer communications. Storm has a self-defense mechanism. When the botnet is probed too much, it reacts automatically and starts a denial-of-service (DoS) attack against the probing entity.

Botnets can be particularly tricky and sophisticated, making use of social engineering. A collection of botnets, known as Zbot, last year stole millions from banks in four nations. The scammers enticed bank customers to click a link to download an updated digital certificate. This was a ruse, and Zbot installed a program that allowed it to see the next time the user successfully accessed the account. Zbot then automatically completed cash transfers to other accounts while the victims did their online banking.

The main issue with botnets is that they are securely hidden. This allows the botnet masters to perform tasks, gather information, and commit crimes while remaining undetected. Attackers can increase the depth and impact of their crimes by using multiple computers because each computer in a botnet can be programmed to execute the same command.

Logic Bombs

A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. For a virus to be considered a logic bomb, the user of the software must be unaware of the payload. A programmer might create a logic bomb to delete all his code from the server on a future date, most likely after he has left the company. In several cases recently, ex-employees have been prosecuted for their role in this type of destruction. For example, one of the most high-profile cases of a modern-day logic bomb was the case of Roger Duronio. Duronio was a disgruntled computer programmer who planted a logic bomb in the computer systems of UBS, an investment bank. UBS estimated the repair costs at $3.1 million, and that doesn’t include the downtime, lost data, or lost business. The actions of the logic bomb coincided with stock transactions by Mr. Duronio, so securities and mail fraud charges were added to the computer crime charges. The logic bomb that he planted on about 1,000 systems deleted critical files and prevented backups from occurring. He was found guilty of leaving a logic bomb on the systems and of securities fraud. He was sentenced to more than eight years in jail and fined $3.1 million.[1]

Exam Alert

A logic bomb is also referred to as slag code. It is malicious in intent and usually planted by a disgruntled employee.

During software development, it is a good idea to evaluate the code to keep logic bombs from being inserted. Even though this is a preventive measure, code evaluation will not guarantee a logic bomb won’t be inserted after the programming has been completed.

Protecting Against Malicious Code

You can take several steps to protect your network from malicious code:

• Install antivirus software and update the files on a regular basis. Antivirus software doesn’t do a company any good if it is not updated often.

• Only open attachments sent to you by people you know. Many viruses infect user address books. So even if you know who the attachment is from, be sure to scan it before you open it.

• Do not use any type of removable media from another user without first scanning the disk.

• Perform backups on a daily basis.

• Install firewalls or intrusion-prevention systems on client machines.

• Subscribe to newsgroups and check antivirus websites on a regular basis.

Security Threats to System Hardware and Peripherals

The preceding section discussed issues that arise from threats such as privilege escalations and malware. However, these are not the only threats that exist. System hardware and peripherals can pose just as many threats. This section examines the hardware risks you should be aware of, especially when formulating security policies. Taking the time to evaluate the environment as a whole can save you many headaches down the road.

BIOS

There are ample documented procedures for securing operating systems, but significantly less is available on how to secure some of the integrated components of a system, such as the Basic Input/Output System (BIOS). Because the BIOS performs a basic function, you might not realize that it can be compromised and allow an attacker full control over a machine. The BIOS can be compromised in several ways:

• BIOS password

• Known vulnerabilities

• Bypassing access control

System access to the BIOS configuration utility is controlled by a password. After the password is set, the configuration of the computer cannot be changed without inputting the password. However, many BIOS manufacturers build in backdoor passwords. Often, they are simple, such as the name of the BIOS manufacturer. In addition, lists of known backdoor passwords are available on the Internet. Because this method of access has become so public, BIOS manufacturers have become more secretive about any backdoors they may now use.

Exam Alert

The BIOS passwords of laptops are a bit different in that the passwords are usually flashed into firmware.

Depending on the manufacturer, the laptop may have a hardware dongle or special loopback device to bypass the password. Again, there are Internet instructions and a helpful YouTube video showing how to create your own dongle.

A vulnerability in the BIOS can allow local users to cause a DoS so that the system does not boot. This scenario results from an error in the BIOS code. The nature of the coding error means that it is difficult to identify and might leave the computer inoperable for an extended period of time. Any computer using an affected version of the BIOS can be configured so that the bootable partition is defined below the first slot in the master boot record (MBR) partition table, and then it will not boot. An attack at any time during an operating session can leave the computer unable to reboot.

Another BIOS vulnerability is that the BIOS holds the boot order. Boot order determines whether the operating system will be loaded from CD-ROM, hard disk, USB device, or the network. If an attacker gains physical access to the machine and changes the boot order, there is no way to protect the system from compromise. An attacker could boot the system from a device that contains software to change the administrative password, extract password information for a later attack, directly access data on the hard disk, or install a backdoor or Trojan. Keep in mind that one compromised system can be used as a catalyst for further attacks on several other systems or the entire network.

BIOS access control can be bypassed by cracking the BIOS password, overloading the keyboard buffer, and deleting the contents of the CMOS RAM. On almost all systems, the BIOS password information is stored in the CMOS RAM. Although the passwords are stored in hashed values, the hashes used leave a bit to be desired. Therefore, programs created for this specific purpose can usually crack the password in a short period of time. Information for bypassing the BIOS password is readily available on the Internet.

Most organizations do not have a policy for BIOS passwords. In most companies, many computers share the same BIOS password, and that password is seldom changed. If an attacker manages to gain physical access, a large portion of the network could be compromised.

USB Devices

When floppy disks were the only form of removable storage, policies regarding the use of removable media were unnecessary, other than scanning the floppy disks for viruses. However, the 8GB micro drives and 32GB thumb drives currently available can carry entire virtualized environments on them.

Technological advances in virtualization and storage essentially make removable media a PC that can be carried in a pocket. Mobile employees can leave hardware behind and take only software with them. Entire environments can now be carried on devices such as a USB drive or iPod. Organizations are exploring the possibilities of running environments on smaller devices to eliminate the need for specialized systems. All these technological changes present new challenges to the traditional methods of securing systems. In addition, running operating systems and applications this way leaves little trace on the host system.

These small, high-capacity, removable storage devices present a concern when it comes to corporate security and protecting proprietary information. It is quite simple for a disgruntled employee to misuse data (take data and sell it, for instance). Of course, the real issue is access to the information. However, if the information is readily available, even employees with good intentions might misplace or have a removable storage device stolen. Organizations have the option of not allowing removable media. Such a policy can eliminate the issues that arise from the problems presented here.

Organizations must decide whether removable devices will be allowed. If they are allowed, strict policies must dictate who can use them and how. Although it might be difficult to guard against the use of removable storage devices or enforce a policy related to removable storage, it is not impossible. Group Policy can be used to disable the capacity for unauthorized users to use any USB storage devices. Another layer of protection can be applied by encrypting and properly securing sensitive corporate information. Group Policy is discussed further in Chapter 4, “Infrastructure Security and Controls,” and encryption is explored in great depth in Chapter 9, “Cryptography Basics.”

Handheld Devices

Just about everyone carries a cell phone, and most corporate workers have PDAs. These devices have associated risks. The first is, of course, theft or loss. It is estimated that at least eight million cell phones are lost or stolen every year in the United States. For many organizations, losing a cell phone or a PDA loaded with contacts, email, and client data can be a severe detriment to business.

To provide convenience and redundancy, USB cables and client software can be used to sync PDAs and cell phones to a user’s desktop computer. There are also enterprise-level product suites. Although this might prevent lost data, it also presents other risks. New security threats targeting cell phones and other mobile devices could quickly become bigger than anything the industry has seen so far. Considering that there are more cell phones than computers in today’s environment, the impact of a cell phone virus could prove devastating.

The first cell phone virus appeared in 2004. The Cabir smart phone worm attempted to spread between Symbian-based mobile phones by jumping from one Bluetooth-enabled phone to another Bluetooth-enabled phone when both phones were left in the “discoverable” mode. The Cabir virus has since been found in about 15 different variations. The more capabilities a device has, the more vulnerable the device. According to a report from an Ireland-based cell phone security company, in mid-2008 the security company tracked 100,000 virus incidents per day.[2]

The use of operating systems and Bluetooth technology on handheld devices will enable viruses to spread either through short message service (SMS) or by sending Bluetooth requests when cell phones are physically close enough (as demonstrated by the Cabir worm). The difference in method of infection is that SMS viruses spread based on people’s social connections, whereas Bluetooth viruses spread by people’s mobility patterns and population distribution.

Other security threats are also surfacing as customers use cell phones to provide more and more of the functions that computers currently do. Handheld devices are rarely password protected, even though they contain a remarkable amount of data. Cell phone hacking and spyware are becoming more common.

Vendors have begun introducing customer-side security features, such as a cellular firewall and software solutions with antivirus and antispam protection for wireless mobile devices. Intrusion-prevention technologies are also a key part of the defense against threats from mobile devices. Of course, one of the best defenses against these threats is a clearly defined security policy.

Removable Storage

Removable storage is today what floppy disks were 10 years ago. Removable hard drives, especially the small passport types, afford users the convenience to carry files for both their work environment and their home environment on one device. This convenience provides an opportunity for viruses and other malware to spread between networks and physical locations as they share files in both environments and with other users. In addition to malware infections, these devices have a large amount of storage space, so they lend themselves to data theft and information leakage.

Preventing unauthorized use of removable storage and portable devices is critical to running a secure environment and meeting compliance requirements. Although some organizations choose to implement measures such as placing a USB lock on ports and prohibiting the use of CDs, this approach is proving inadequate in organizations where data security is paramount. A better approach combines security policy with procurement: the organization purchases and issues removable storage devices as needed, allows only those approved devices, and blocks all others. An organization should consider implementing controls that ensure all portable devices and removable media are encrypted and accounted for. The security policy should require encryption of all data on portable computers and removable storage.
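The following is an added example, not code from the book, that models the approach described above: only devices the organization has issued are allowed, each is checked against the person it was issued to (so it stays accounted for), encryption is mandatory, and every decision is logged. The `UsbDevice` record, the `ISSUED_DEVICES` register, and the `SAMPLE_DEVICES` inventory are constructed sample data; a real inventory would come from udev events, Windows device-installation logs, or an endpoint agent.

```python
"""Removable-storage device control check (added example, constructed data).

Policy modeled: allow only devices issued by the organization, to the user
they were issued to, and only when the volume is encrypted; block and log
everything else.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str    # USB vendor ID, four hex digits (constructed sample values)
    product_id: str   # USB product ID, four hex digits
    serial: str       # serial number as reported by the device
    encrypted: bool   # True if the volume is encrypted (hardware or full-volume software)
    user: str         # account logged on when the device was attached
    host: str         # workstation the device was attached to


# Constructed register of devices purchased and issued by the organization,
# keyed by serial number: the person each device was issued to.
ISSUED_DEVICES: Dict[str, str] = {
    "SN-0001A": "alice",
    "SN-0002B": "bob",
}


def evaluate_device(dev: UsbDevice, issued: Dict[str, str]) -> Tuple[str, str]:
    """Return ("allow" or "block", reason) for one attached device.

    Check order: an unissued device is blocked before anything else is
    considered; an issued device is then matched against the person it was
    issued to, and finally checked for encryption.
    """
    if dev.serial not in issued:
        return "block", "device was not issued by the organization"
    if issued[dev.serial] != dev.user:
        return "block", f"device is issued to {issued[dev.serial]}, attached by {dev.user}"
    if not dev.encrypted:
        return "block", "policy requires encryption of all data on removable storage"
    return "allow", "issued device, correct user, encrypted"


def audit(devices: List[UsbDevice], issued: Dict[str, str]) -> List[dict]:
    """Evaluate every attached device and return one log record per device."""
    records = []
    for dev in devices:
        decision, reason = evaluate_device(dev, issued)
        records.append({
            "host": dev.host,
            "user": dev.user,
            "device": f"{dev.vendor_id}:{dev.product_id}",
            "serial": dev.serial,
            "decision": decision,
            "reason": reason,
        })
    return records


def summarize(records: List[dict]) -> Dict[str, int]:
    """Count allow/block decisions for a daily compliance report."""
    counts = {"allow": 0, "block": 0}
    for rec in records:
        counts[rec["decision"]] += 1
    return counts


# Constructed sample of devices seen attaching to workstations today.
SAMPLE_DEVICES: List[UsbDevice] = [
    UsbDevice("0781", "5583", "SN-0001A", True, "alice", "ws-101"),   # issued, encrypted
    UsbDevice("0781", "5583", "SN-0002B", False, "bob", "ws-102"),    # issued, not encrypted
    UsbDevice("0951", "1666", "SN-9999Z", True, "carol", "ws-103"),   # never issued
    UsbDevice("0781", "5583", "SN-0001A", True, "dave", "ws-104"),    # alice's device, other user
]


if __name__ == "__main__":
    records = audit(SAMPLE_DEVICES, ISSUED_DEVICES)
    for rec in records:
        print(f"{rec['host']:7} {rec['user']:6} {rec['device']} {rec['serial']:9} "
              f"{rec['decision'].upper():5} {rec['reason']}")
    print(summarize(records))
```

Serial numbers are self-reported by the device, so a serial allowlist is an administrative control rather than a cryptographic one; that is why the check pairs it with the encryption requirement and emits a record for every attachment, which is what you would forward to central logging so that unexpected devices are visible.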

The loss of a storage device, such as a backup tape or CD, is often the fault of third parties, such as a contracting or outside insurance firm. Security policies should also dictate that sensitive data be encrypted before it is released to any outside agencies.

Network-Attached Storage

Data storage has become a vital part of the IT enterprise environment. Data management solutions include network-attached storage (NAS) and storage area network (SAN) technologies. An organization now needs to protect terabytes of data on NAS. A NAS unit is a self-contained device connected to a network, used to supply data storage services to other devices on the network. A SAN is a centrally located virtual disk storage system separate from network traffic and shared by servers.

A good antivirus solution is essential to protect the integrity of stored data and to prevent malware from spreading to other parts of the network through the storage system. In addition, some security appliances sit on a SAN or are connected to NAS to protect data considered “at rest.” Although many organizations protect data in motion using encryption, they fail to protect that same data when it reaches its final resting spot on storage subsystems. Additional considerations when dealing with large data repositories should include encryption, authentication devices, secure logging, and key management.

Exam Alert

You should know the difference between the various types of storage and the security issues they present.

Subscribing to newsgroups and checking security websites daily ensures that you keep up with the latest attacks and exploits. This information will help arm you to protect all the areas of the organization that may be vulnerable.

Exam Prep Questions

1. Which of the following is the most common method used to obtain privilege escalation?

A. Buffer overflow

B. Trojan

C. Virus

D. Spyware

2. Which of the following is a program or piece of code that runs on your computer without your knowledge and is designed to attach itself to other code and replicate?

A. Buffer overflow

B. Trojan

C. Virus

D. Spyware

3. Which of the following is a correct definition of a Trojan?

A. It needs no user intervention to replicate.

B. It sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

C. It collects personal information or changes your computer configuration without appropriately obtaining prior consent.

D. It buries itself in the operating system software and infects other systems only after a user executes the application that it is buried in.

4. Which of the following is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system?

A. Spyware

B. Rootkit

C. Botnet

D. Adware

5. Code Red is considered a _________.

A. Virus

B. Logic bomb

C. Worm

D. Trojan

6. You have created a utility for defragmenting hard drives. You have hidden code inside the utility that will install itself and cause the infected system to erase the hard drive’s contents on April 1, 2008. Which of the following attacks has been used in your code?

A. Virus

B. Spoofing

C. Logic bomb

D. Trojan horse

7. A vulnerability in the BIOS can allow local users to cause which of the following? (Choose two answers.)

A. Hard drive failure

B. System not to boot

C. System to lock up

D. Denial of service

8. Which of the following is a self-contained device connected to a network, used to supply data storage services to other devices on the network?

A. USB device

B. Cell phone

C. Removable storage

D. Network-attached storage

9. BIOS access control can be bypassed by which of the following methods? (Select all correct answers.)

A. Cracking the BIOS password

B. Overloading the keyboard buffer

C. Deleting the contents of the CMOS RAM

D. Deleting the contents of the MBR

10. Which of the following is associated with behaviors such as collecting personal information or changing your computer configuration, without appropriately obtaining prior consent?

A. Spyware

B. Rootkit

C. Botnet

D. Trojan

Answers to Exam Prep Questions

1. A. Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage space allocation that has been reserved in memory for that application or service. Answer B is incorrect because Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer C is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.

2. C. A program or piece of code that runs on your computer without your knowledge is a virus. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer A is incorrect. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage space allocation that has been reserved in memory for that application or service. Answer B is incorrect because Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.

3. D. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code when it is executed. Answer A is incorrect because it describes a worm. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. Answer B is incorrect because it describes IP spoofing. Answer C is incorrect because it describes spyware.

4. B. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. Answer A is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer C is incorrect. A bot provides the spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer D is incorrect. Adware is a form of advertising that installs additional tracking software on your system, which keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.

5. C. Code Red is a worm; a buffer overflow exploit is used to spread it. This threat affects only web servers running Microsoft Windows 2000. Answers A, B, and D are incorrect because Code Red is not a virus, logic bomb, or Trojan.

6. C. A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or after a certain period of time passes. Answers A and D are incorrect because a specified time element is involved. Answer B is incorrect because spoofing involves modifying the source address of traffic or the source of information.

7. B, D. A vulnerability in the BIOS can allow local users to cause a denial of service and the system not to boot. Answer A is incorrect because a hard drive failure has to do with the hard disk itself and nothing to do with the BIOS. Answer C is incorrect because system lockup implies that the machine was already booted and is associated more with attacks that happen after the machine is up and running.

8. D. A NAS unit is a self-contained device connected to a network, used to supply data storage services to other devices on the network. Answers A, B, and C are all incorrect because they are removable, small-capacity devices.

9. A, B, C. BIOS access control can be bypassed by cracking the BIOS password, overloading the keyboard buffer, and deleting the contents of the CMOS RAM. Answer D is incorrect because the MBR is part of the hard disk configuration and has nothing to do with the BIOS.

10. A. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Answer B is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges, such as administrative rights. Answer C is incorrect. A bot provides the spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers (although many computers in the corporate world are bots, too, as we’ve recently learned). A botnet is a large number of computers that forward transmissions to other computers on the Internet. You might also hear a botnet referred to as a zombie army. Answer D is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code when it is executed.

Suggested Reading and Resources

1. McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed, 5th Edition. McGraw-Hill Osborne Media, 2005.

2. Tittle, Ed. PC Magazine Fighting Spyware, Viruses, and Malware. John Wiley & Sons, 2004.

3. Virus Bulletin website: http://www.virusbtn.com

4. SANS Top 20 Security Risks: http://www.sans.org/top20/

5. CERT Coordination Center (CERT/CC): http://www.cert.org

References

[1] Raby, Mark. “IT administrator gets 8 years for cyber sabotage.” TG Daily, December 2006 (http://www.tgdaily.com/content/view/30487/118/).

[2] The Pittsburgh Channel. “Call 4 Action: Cell Phone Virus Threat Grows.” July 2008 (http://www.thepittsburghchannel.com/call4action/17016797/detail.html).
