Exam Essentials |
1035 |
Summary
Applications developers have a lot to worry about! Hackers are always becoming more sophisticated in their tools and techniques. Viruses, worms, Trojan horses, logic bombs, and other malicious code exploit vulnerabilities in applications and operating systems or use social engineering to infect systems and gain access to their resources and confidential information. Ransomware combines malware with encryption technology to deny users access to their data until they pay a substantial ransom.
Applications themselves also may contain a number of vulnerabilities. Buffer overflow attacks exploit code that lacks proper input validation to affect the contents of a system’s memory. Backdoors provide former developers and malicious code authors with the ability to bypass normal authentication mechanisms. Rootkits provide attackers with an easy way to conduct privilege escalation attacks.
Many applications are moving to the web, creating a new level of exposure and vulnerability. Cross-site scripting attacks allow hackers to trick users into providing sensitive information to unsecure sites. SQL injection attacks allow the bypassing of application controls to directly access and manipulate the underlying database.
Exam Essentials
Understand the propagation techniques used by viruses. Viruses use four main propagation techniques—file infection, service injection, boot sector infection, and macro infection—to penetrate systems and spread their malicious payloads. You need to understand these techniques to effectively protect systems on your network from malicious code.
Explain the threat posed by ransomware. Ransomware uses traditional malware techniques to infect a system and then encrypts data on that system using a key known only to the attacker. The attacker then demands payment of a ransom from the victim in exchange for providing the decryption key.
Know how antivirus software packages detect known viruses. Most antivirus programs use signature-based detection algorithms to look for telltale patterns of known viruses. This makes it essential to periodically update virus definition files in order to maintain protection against newly authored viruses as they emerge. Behavior-based detection monitors target users and systems for unusual activity and either blocks it or flags it for investigation.
Explain how user and entity behavior analytics (UEBA) functions. UEBA tools develop profiles of individual behavior and then monitor users for deviations from those profiles that may indicate malicious activity and/or compromised accounts.
Be familiar with the various types of application attacks attackers use to exploit poorly written software. Application attacks are one of the greatest threats to modern computing. Attackers exploit buffer overflows, backdoors, time-of-check-to-time-of-use vulnerabilities,
1036 Chapter 21 ■ Malicious Code and Application Attacks
and rootkits to gain illegitimate access to a system. Security professionals must have a clear understanding of each of these attacks and associated countermeasures.
Understand common web application vulnerabilities and countermeasures. As many applications move to the web, developers and security professionals must understand the new types of attacks that exist in this environment and how to protect against them. The two most common examples are cross-site scripting (XSS) and SQL injection attacks.
Written Lab
1.What is the major difference between a virus and a worm?
2.What are the actions an antivirus software package might take when it discovers an infected file?
3.Explain how a data integrity assurance package like Tripwire provides secondary virus detection capabilities.
4.What controls may be used to protect against SQL injection vulnerabilities?
Review Questions |
1037 |
Review Questions
1.Dylan is reviewing the security controls currently used by his organization and realizes that he lacks a tool that might identify abnormal actions taken by an end user. What type of tool would best meet this need?
A.EDR
B.Integrity monitoring
C.Signature detection
D.UEBA
2.Tim is working to improve his organization’s antimalware defenses and would also like to reduce the operational burden on his security team. Which one of the following solutions would best meet his needs?
A.UEBA
B.MDR
C.EDR
D.NGEP
3.Carl works for a government agency that has suffered a ransomware attack and has lost access to critical data but does have access to backups. Which one of the following actions would best restore this access while minimizing the risk facing the organization?
A.Pay the ransom
B.Rebuild systems from scratch
C.Restore backups
D.Install antivirus software
4.What attack technique is often leveraged by advanced persistent threat groups but not commonly available to other attackers, such as script kiddies and hacktivists?
A.Zero-day exploit
B.Social engineering
C.Trojan horse
D.SQL injection
5.John found a vulnerability in his code where an attacker can enter too much input and then force the system running the code to execute targeted commands. What type of vulnerability has John discovered?
A.TOCTTOU
B.Buffer overflow
C.XSS
D.XSRF
1038 Chapter 21 ■ Malicious Code and Application Attacks
6.Mary identified a vulnerability in her code where it fails to check during a session to determine whether a user’s permission has been revoked. What type of vulnerability is this?
A.Backdoor
B.TOC/TOU
C.Buffer overflow
D.SQL injection
7.What programming language construct is commonly used to perform error handling?
A.If...then
B.Case...when
C.Do...while
D.Try...catch
8.Fred is reviewing the logs from his web server for malicious activity and finds this request: http://www.mycompany.com/../../../etc/passwd. What type of attack was most likely attempted?
A.SQL injection
B.Session hijacking
C.Directory traversal
D.File upload
9.A developer added a subroutine to a web application that checks to see whether the date is April 1 and, if it is, randomly changes user account balances. What type of malicious code is this?
A.Logic bomb
B.Worm
C.Trojan horse
D.Virus
10.Francis is reviewing the source code for a database-driven web application that his company is planning to deploy. He is paying particular attention to the use of input validation within that application. Of the characters listed here, which is most commonly used in SQL injection attacks?
A.!
B.&
C.*
D.'
Review Questions |
1039 |
11.Katie is concerned about the potential for SQL injection attacks against her organization. She has already put a web application firewall in place and conducted a review of the organization’s web application source code. She would like to add an additional control at the database level. What database technology could further limit the potential for SQL injection attacks?
A.Triggers
B.Parameterized queries
C.Column encryption
D.Concurrency control
12.What type of malicious software is specifically used to leverage stolen computing power for the attacker’s financial gain?
A.RAT
B.PUP
C.Cryptomalware
D.Worm
13.David is responsible for reviewing a series of web applications for vulnerabilities to cross-site scripting attacks. What characteristic should he watch out for that would indicate a high susceptibility to this type of attack?
A.Reflected input
B.Database-driven content
C. .NET technology
D.CGI scripts
14.You are the IT security manager for a retail merchant organization that is just going online with an ecommerce website. You hired several programmers to craft the code that is the backbone of your new web sales system. However, you are concerned that although the new code functions well, it might not be secure. You begin to review the code to track down issues and concerns. Which of the following do you hope to find in order to prevent or protect against XSS? (Choose all that apply.)
A.Input validation
B.Defensive coding
C.Allowing script input
D.Escaping metacharacters
15.Sharon believes that a web application developed by her organization contains a cross-site scripting vulnerability, and she would like to correct the issue. Which of the following is the most effective defense that Sharon can use against cross-site scripting attacks?
A.Limiting account privileges
B.Input validation
C.User authentication
D.Encryption
1040 Chapter 21 ■ Malicious Code and Application Attacks
16. Beth is looking through web server logs and finds form input that looks like this:
<SCRIPT>alert('Enter your password')</SCRIPT>
What type of attack has she likely discovered?
A.XSS
B.SQL injection
C.XSRF
D.TOCTTOU
17.Ben’s system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in?
A.Privilege escalation
B.Backdoor
C.Rootkit
D.Buffer overflow
18.Karen would like to configure a new application so that it automatically adds and releases resources as demand rises and falls. What term best describes her goal?
A.Scalability
B.Load balancing
C.Fault tolerance
D.Elasticity
19.What HTML tag is often used as part of a cross-site scripting (XSS) attack?
A.<H1>
B.<HEAD>
C.<XSS>
D.<SCRIPT>
20.Recently, a piece of malicious code was distributed over the internet in the form of software claiming to allow users to play Xbox games on their PCs. The software actually launched the malicious code on the machines of use implemented by one partyrs who attempted to execute it. What type of malicious code does this describe?
A.Logic bomb
B.Virus
C.Trojan horse
D.Worm
Appendix Answers to Review A Questions
1042 Appendix A ■ Answers to Review Questions
Chapter 1: Security Governance
Through Principles and Policies
1.C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include stealing passwords, eavesdropping, and social engineering.
2.B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad. The other options are incorrect. A security infrastructure needs to establish a network’s border perimeter security, but that is not a primary goal or objective of security. AAA services is a common component of secured systems, which can provide support for accountability, but the primary goals of security remain the elements of the CIA Triad. Ensuring that subject activities are recorded is the purpose of auditing, but that is not a primary goal or objective of security.
3.B. Availability means that authorized subjects are granted timely and uninterrupted access to objects. Identification is claiming an identity, the first step of AAA services. Encryption is protecting the confidentiality of data by converting plain text into cipher text. Layering is the use of multiple security mechanisms in series.
4.D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources. The other statements are not related to security governance. Authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a
collective. COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA) that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
5.C. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s security purpose. It defines the security function and aligns it to the goals, mission, and objectives of the organization. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based on unpredicted events. An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. A rollback plan is a means to return to a prior state after a change does not meet expectations.
6.A, C, D, F. Acquisitions and mergers place an organization at an increased level of risk. Such risks include inappropriate information disclosure, data loss, downtime, and failure to achieve sufficient return on investment (ROI). Increased worker compliance is not a risk,
but a desired security precaution against the risks of acquisitions. Additional insight into the motivations of inside attackers is not a risk, but a potential result of investigating breaches or incidents related to acquisitions.
7.A. Information Technology Infrastructure Library (ITIL) was initially crafted by the British government for domestic use but is now an international standard, which is a set
Chapter 1: Security GovernanceThrough Principles and Policies |
1043 |
of recommended best practices for core IT security and operational processes, and is often used as a starting point for the crafting of a customized IT security solution. The other options were not crafted by the British government. ISO 27000 is a family group of international standards that can be the basis of implementing organizational security and related management practices. The Center for Internet Security (CIS) provides OS, application, and hardware security configuration guides. NIST Cybersecurity Framework (CSF) is designed for critical infrastructure and commercial organizations and consists of five functions: Identify, Protect, Detect, Respond, and Recover. It is a prescription of operational activities that are to be performed on an ongoing basis for the support and improvement of security over time.
8.B. The security professional has the functional responsibility for security, including writing the security policy and implementing it. Senior management is ultimately responsible
for the security maintained by an organization and should be most concerned about the protection of its assets. The custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
9.A, B, C, E. The COBIT key principles are: Provide Stakeholder Value (C), Holistic Approach (A), Dynamic Governance System (E), Governance Distinct From Management (not listed), Tailored to Enterprise Needs (not listed), and End-to-End Governance System (B). The concept of maintaining authenticity and accountability are good security ideas, but not a COBIT key principle.
10.A, D. Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the security effort. The other options are incorrect, they have the terms inverted. The corrected statements are as follows: Due diligence is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due care is the continued application of a security structure onto the IT infrastructure of an organization. Due diligence is knowing what should be done and planning for it. Due care is doing the right action at the right time.
11.B. A policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. A standard defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls. A procedure is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. A guideline offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users. III is the definition of a baseline, which was not included as a component option.
12.D. When confidential documents are exposed to unauthorized entities, this is described by the I in STRIDE, which represents information disclosure. The elements of STRIDE are
spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
13.B. This scenario describes a proactive approach to threat modeling, which is also known as the defensive approach. A reactive approach or adversarial approach to threat modeling
1044 Appendix A ■ Answers to Review Questions
takes place after a product has been created and deployed. There is no threat modeling concept known as qualitative approach. Qualitative is typically associated with a form of risk assessment.
14.A, B, D. These statements are true: (A) Each link in the supply chain should be responsible and accountable to the next link in the chain; (B) Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips; and (D) Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listing or remote control mechanisms. The remaining option is incorrect. Even if
a final product seems reasonable and performs all necessary functions, that does not provide assurance that it is secure or that it was not tampered with somewhere in the supply chain.
15.D. Though not explicitly stating hardware, this scenario describes a typical and potential risk of a supply chain, that a hardware risk results in the presence of a listening mechanism in the final product. This scenario does not provide information that would indicate that the supply chain risk is focused on software, services, or data.
16.B. In this scenario, Cathy should void the authorization to operate (ATO) of this vendor. This situation describes the fact that the vendor is not meeting minimal security requirements which are necessary to the protection of the service and its customers. Writing a report is not a sufficient response to this discovery. You may have assumed Cathy does or does not have the authority to perform any of the other options, but there is no indication of Cathy’s position in the organization. It is reasonable for a CEO to ask the CISO to perform such an evaluation. Regardless, the report should be submitted to the CISO, not the CIO, whose focus is primarily on ensuring that information is used effectively to accomplish business objectives, not that such use is secure. Reviewing terms and conditions will not make any difference in this scenario, as those typically apply to customers, not internal operations. And reviewing does not necessarily cause a change or improvement to insecure practices. A vendor-signed NDA has no bearing on this scenario.
17.A. Minimum security requirements should be modeled on your existing security policy. This is based on the idea that when working with a third party, that third party should have at least the same security as your organization. A third-party audit is when a third-party auditor is brought in to perform an unbiased review of an entity’s security infrastructure. This audit may reveal where there are problems, but the audit should not be the basis of minimum security requirements for a third party. On-site assessment is when you visit the site of the organization to interview personnel and observe their operating habits. This is not the basis for establishing minimum security requirements for a third party. Vulnerability scan results, like third-party audits, may reveal concerns, but it is not the basis for establishing minimum security requirements for a third party.
18.C. Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage threat modeling methodology. PASTA is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected. Visual, Agile, and Simple Threat (VAST) is a threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis. Microsoft uses a Security Development Lifecycle (SDL) with the motto “Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C). STRIDE is a threat categorization scheme developed by Microsoft.