Appendix: End of Chapter Question Answers

Chapter 2: The Anthem Break-in Case Study

1.  

a.  Spear phishing

b.  Waterholes

2.  

a.  Enterprise Compromise Assessment Tool (ECAT) scanning software

3.  

a.  The China Chopper web shell

4.  

a.  They use the Sticky Keys trick: sethc.exe, the accessibility binary that Windows launches from the logon screen when Shift is pressed five times, is replaced by or redirected to cmd.exe (one common variant sets the "Debugger" value under the Image File Execution Options registry key), so an attacker connecting over Remote Desktop gets a SYSTEM-level command prompt without ever logging in.

5.  

a.  It’s a network of virtual tunnels (Tor) that hides the identity of users and the location of websites from each other and from outsiders.

6.  

a.  Control and relay packets (cells). Control cells set up an anonymous path (circuit) one link at a time; when the circuit is complete, the attackers send relay cells carrying the malware, code, and tools through it to the target site.

7.  

a.  The process of encapsulating a transmitted message in successive layers of encryption, one per relay, each layer revealing only the address of the next hop, is called onion wrapping (onion routing).
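The layering described in questions 6 and 7 is easiest to see in code. The following is an added example, not material from the book: the client wraps a payload in one layer per relay, and each relay can strip exactly one layer and learn only the next hop. The stream cipher here is an assumption for illustration (a SHAKE-256 keystream XORed with the data); Tor negotiates per-hop AES keys during circuit construction, and the three fixed keys in DEMO_HOPS are constructed for the demo.

```python
import hashlib
import os

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption): XOR with a SHAKE-256 keystream derived from
    key||nonce. It stands in for the per-hop AES-CTR keys Tor negotiates; it is
    not Tor's cipher and must not be used for real traffic."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_onion(hops, payload: bytes) -> bytes:
    """Client side. hops = [(name, key), ...] ordered first relay -> exit.
    The innermost layer (the exit's) is built first; every outer layer carries only
    the name of the next hop, so a relay learns who handed it the cell and who to
    forward to, nothing more."""
    inner = payload
    next_hop = b"EXIT"
    for name, key in reversed(hops):
        assert b"|" not in name.encode(), "hop names are the routing delimiter"
        nonce = os.urandom(NONCE_LEN)
        inner = nonce + _keystream_xor(key, nonce, next_hop + b"|" + inner)
        next_hop = name.encode()
    return inner


def peel_layer(key: bytes, blob: bytes):
    """Relay side: strip exactly one layer. Returns (next_hop, remaining_onion)."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plaintext = _keystream_xor(key, nonce, body)
    next_hop, _, inner = plaintext.partition(b"|")
    return next_hop.decode(), inner


def relay_chain(hops, onion: bytes):
    """Simulate the circuit: each relay peels its own layer and forwards the rest.
    Returns (trace, payload); trace records what each relay could see."""
    trace = []
    blob = onion
    for name, key in hops:
        next_hop, blob = peel_layer(key, blob)
        trace.append((name, next_hop, blob))
    return trace, blob


# Constructed demo circuit: three relays with fixed keys. In Tor each key comes from
# the key exchange performed while the circuit is extended hop by hop.
DEMO_HOPS = [("guard", b"g" * 32), ("middle", b"m" * 32), ("exit", b"e" * 32)]
DEMO_PAYLOAD = b"GET / HTTP/1.1"


def demo():
    onion = wrap_onion(DEMO_HOPS, DEMO_PAYLOAD)
    trace, payload = relay_chain(DEMO_HOPS, onion)
    return onion, trace, payload


if __name__ == "__main__":
    onion, trace, payload = demo()
    for name, next_hop, remaining in trace:
        print(f"{name:7s} forwards to {next_hop:7s} ({len(remaining)} bytes still wrapped)")
    print("exit delivers:", payload)
```

The guard sees only that the cell goes to "middle", the middle relay sees only "exit", and neither can read the payload; only the exit sees the plaintext, which is why the exit relay (or the site itself) must not be trusted with unencrypted content.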

Chapter 3: Anonymous Persistent Threats

1.  

a.  Altering/poisoning web pages maintained by an organization

b.  Exploiting systems through SETHC.exe (Sticky Keys) replacement methods reachable via Remote Desktop Protocol

c.  Extensive alteration of the time/date stamps of malicious files (timestomping) to hinder forensic analysis
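The Sticky Keys technique named in Chapter 2 question 4 and in item b above leaves a registry footprint that a responder can check for. The following is an added example (not from the book or any vendor tool): it scans the text of a `reg export` of the Image File Execution Options key and flags any accessibility binary whose "Debugger" value has been set. The sample export is constructed; on a real host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg /y`, which writes UTF-16, so open it with `encoding="utf-16"`.

```python
import re

# Windows accessibility binaries that the logon screen (and therefore an RDP session
# that has not authenticated yet) can launch as SYSTEM.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")


def find_ifeo_hijacks(reg_export: str):
    """Scan the text of a `reg export` of the IFEO key and return
    [(binary, debugger_command), ...] for accessibility binaries that have a
    Debugger value set. A clean machine has none of these."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        match = re.match(r'"Debugger"="(.*)"$', line)
        if not (match and current_key):
            continue
        if not current_key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        binary = current_key[len(IFEO_PREFIX):].split("\\")[0].lower()
        if binary in ACCESSIBILITY_BINARIES:
            # .reg files escape backslashes inside string values as "\\"
            hits.append((binary, match.group(1).replace("\\\\", "\\")))
    return hits


# Constructed sample export (not from a real host): notepad.exe has a harmless
# IFEO entry; sethc.exe and utilman.exe have been redirected to cmd.exe.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
"""

if __name__ == "__main__":
    for binary, debugger in find_ifeo_hijacks(SAMPLE_REG_EXPORT):
        print(f"HIJACK: {binary} launches {debugger} instead of itself")
```

This catches the registry variant only. The older variant, overwriting C:\Windows\System32\sethc.exe itself with a copy of cmd.exe, needs a file check instead: compare the binary's hash or its version resource with a known-good copy. Requiring Network Level Authentication for RDP also blunts the attack, because the logon screen is no longer reachable before the client has authenticated.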

2.  

a.  The Mask (also known as Careto) is malware and an advanced threat actor that has been involved in global cyber espionage since 2007; it attacks and infects carefully chosen victims.

3.  

a.  What makes The Mask special is the complexity of the toolset used by the attackers, which includes malware, a rootkit, a bootkit, and Mac and Linux versions.

4.  

a.  Government institutions

b.  Energy, oil, and gas companies

c.  Private equity firms

Chapter 4: Creating Secure Code

1.  

a.  The purpose is to isolate modules so that it becomes difficult for malware to propagate its effects across the confinement boundary.

b.  Physical confinement

c.  Virtual confinement

d.  Operating system confinement

e.  Isolation of threads

2.  

a.  Physical confinement is the most primitive method. It uses an “air gap,” a network security measure that physically isolates the device from unsecured networks, so if one device is attacked, the others remain safe.

3.  

a.  Chroot: Changes the apparent root directory for a process and its children, separating it from the main operating system’s directory structure. Essentially it generates a confined space with its own root directory in which software programs run.

i.  This protects the base system from the confined program (with the caveat that chroot alone is not a security boundary for a process running as root).

b.  Jailkit:

i.  A set of utilities that limit user accounts to specific files and specific commands using chroot.

c.  FreeBSD jail

i.  A stronger confinement mechanism that also restricts networking by binding sockets to specified Internet Protocol (IP) addresses and authorized ports.

d.  All of these are forms of operating system confinement.

4.  

a.  Yes. Only specific types of programs can run in chroot- and jail-restricted environments, and chroot and jail routines tend to have coarse, inflexible policies.

Chapter 5: Providing a Secure Architecture

1.  

a.  Isolation and least privilege

b.  Access control concepts

c.  Operating system isolation

d.  Browser isolation and least privilege

2.  

a.  Fix bugs, concede overflow, and add run-time code to detect overflow exploits

3.  

a.  Passwords: Attackers use graphics processing units (GPUs) to hash enormous numbers of candidate character combinations per second and compare them with the stolen hash until one matches, cracking the password.

4.  

a.  Compartmentalize

b.  Utilize defense in depth

c.  Keep it simple

Chapter 6: Hacker Strategy: Expanded

1.  

a.  Surveillance

2.  

a.  Spear-phishing e-mails: Commonly used in an effort to trick the target into giving information

b.  Watering holes: Where hackers create an attractive website catering to the target’s behaviors

3.  

a.  Binary analysis can uncover potential vulnerabilities, such as how data flows in from the network or the use of unsafe application programming interface (API) calls.

4.  

a.  A zero day is a software vulnerability unknown to the developers, so no patch exists; it can be exploited on “day zero,” before the vendor has had a single day to fix it, putting the computer and personal data at risk.

5.  

a.  Buffers and buffer overruns. Attackers overwrite the return address stored on the stack; because the exact address is hard to know, they guess the approximate stack state and pad their payload with a sled of no-operation instructions so that an imprecise guess still lands in their code.

6.  

a.  Address space layout randomization

7.  

a.  Four

b.  Fix bugs

c.  Concede overflow but prevent code execution

d.  Add run-time code to detect overflow exploit

e.  Data execution prevention

Chapter 7: Malware, Viruses, Worms, Bugs, and Botnets

1.  

a.  Honeypot

2.  

a.  After a computer is taken over by a bot, it can be used to carry out four tasks:

  i.  Sending

 ii.  Stealing

iii.  Denial of service (DoS)

iv.  Click fraud

3.  

a.  Worms self-replicate and spread across networks by exploiting vulnerabilities. They don’t need to attach themselves to another program.

i.  Example: an e-mail worm such as the Love Bug (ILOVEYOU) worm

b.  Viruses are also self-replicating but insert themselves into other programs, boot sectors, and data files.

i.  Example: spread via USB drives, e-mail attachments, or pop-up messages

4.  

a.  Polymorphic code and metamorphic code

b.  Polymorphic code encrypts its body with a varying key so that each copy looks different to signature-based pattern matching. Metamorphic code rewrites itself into functionally equivalent but differently coded versions.

5.  

a.  Host-based intrusion detection systems (HIDS)

b.  Network-based intrusion detection systems (NIDS)

Chapter 8: Cryptography and the RSA Algorithm

1.  

a.  Cryptography

2.  

a.  Cryptography is the study and practice of applying encryption techniques for ensuring secure communication.

b.  Encryption is the use of a process or algorithm (cipher) to make information unreadable to anyone who does not hold the key.

3.  

a.  Block ciphers.

b.  In symmetric-key encryption, the sender and receiver of a message share a single common key. Symmetric encryption is simple and fast, but the two parties must somehow exchange the key in a secure way.

c.  Public-key (asymmetric) encryption uses two keys: a public key and a private key. It removes the need to exchange a shared secret, but it is far slower, so in practice it is used to exchange symmetric keys and to sign data.

4.  

a.  Hashing is another branch of cryptography. A hash is a one-way function, which is why it is used to store passwords: someone with access to the stored data cannot feasibly reverse a hash back to the original value. It is ideal when you only need to compare a submitted value with a stored one.
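Chapter 5 question 3 (GPU cracking) and the hashing answer above are two sides of the same design decision, so one added example (not from the book) covers both: a fast, unsalted hash falls to a dictionary attack in one pass, while a salted, deliberately slow hash with a constant-time comparison is the form a practitioner should store. The six-word wordlist and the iteration count are constructed for the demo; real attacks use hundreds of millions of leaked passwords, and the 600,000 PBKDF2 iterations follow current OWASP guidance.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256

# Constructed wordlist; real cracking uses hundreds of millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2015", "dragon"]


def fast_unsalted_hash(password: str) -> str:
    """What many breached databases stored: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(target_hex: str, wordlist) -> Optional[str]:
    """Dictionary attack: one cheap hash per guess. A GPU rig computes billions of
    MD5 hashes per second, and without a salt a single pass over the wordlist
    cracks every user whose hash matches."""
    for candidate in wordlist:
        if fast_unsalted_hash(candidate) == target_hex:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash for storage: 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.
    A fresh random salt per user means identical passwords hash differently and
    precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 int(iterations), dklen=32)
    # constant-time comparison: a plain == would leak how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = fast_unsalted_hash("letmein")
    print("unsalted MD5 cracked as:", crack_unsalted(leaked, WORDLIST))
    stored = hash_password("letmein")
    print("stored form:", stored)
    print("verify correct:", verify_password("letmein", stored),
          "verify wrong:", verify_password("letmein1", stored))
```

The slow hash does not make a weak password strong; it only raises the attacker's cost per guess by the iteration count, which is why a memory-hard function such as scrypt or Argon2id is preferred where available, since GPUs gain far less from parallelism against them.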

Chapter 9: Browser Security

1.  

a.  Website, victim, and attacker

2.  

a.  To execute untested code or untrusted programs from unverified third parties in a restricted environment where they cannot harm the host

3.  

a.  Port scanning is a legitimate and important tool in managing networks.

b.  However, it can also be malicious if someone is looking for a weakened access point to break in.

4.  

a.  Frame busting: Preventing a web page from being loaded inside a frame on another site, the defense against clickjacking

Chapter 10: Banking Security, Zeus, and SpyEye

1.  

a.  An eavesdropping attack that occurs when a malicious actor inserts itself as a relay into a communication session between two parties

2.  

a.  Money mule

3.  

a.  Zeus steals personal data such as e-mail passwords and financial information such as online banking credentials. Attackers use the Zeus Trojan to collect this information from infected machines.

4.  

a.  Can delete its own installation files

b.  Injects itself into dynamic link libraries

5.  

a.  File-encrypting ransomware that encrypts personal documents on a victim’s computer and demands a ransom for the key.

b.  Distributed through several means, such as malicious or hacked websites that infect visiting machines, and spam e-mail.

Chapter 11: Web Application Security

1.  

a.  Scanbox software collects information about a visiting user’s machine and is used to compromise it.

2.  

a.  Structured Query Language (SQL): a language for requesting, updating, and deleting information in databases.

3.  

a.  SELECT, WHERE, pwd
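Questions 2 and 3 concern a login query of the form `SELECT ... WHERE username = '...' AND pwd = '...'`. The following added example (not the book’s code) runs that query both ways against a constructed in-memory SQLite table: built by string formatting, where a quote in the input becomes SQL syntax, and parameterized, where the same input stays data. The table stores the password in clear only so the injection is visible; a real application stores a salted hash.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table (not from the book)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwd TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds the query by string concatenation: user input becomes SQL syntax."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND pwd = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterized query: the driver sends the values separately from the
    statement, so a quote in the input is data, never syntax."""
    query = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    conn = build_demo_db()
    tautology = "' OR '1'='1"     # closes the string literal, ORs in an always-true test
    comment_out = "alice' --"     # ends the statement; the pwd check is commented away
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse-battery"),
        "tautology_vulnerable": login_vulnerable(conn, "alice", tautology),
        "comment_vulnerable": login_vulnerable(conn, comment_out, "anything"),
        "legit_safe": login_safe(conn, "alice", "correct-horse-battery"),
        "tautology_safe": login_safe(conn, "alice", tautology),
        "comment_safe": login_safe(conn, comment_out, "anything"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:22s} -> {'LOGGED IN' if logged_in else 'rejected'}")
```

With the tautology the vulnerable statement becomes `WHERE username = 'alice' AND pwd = '' OR '1'='1'`, and because AND binds tighter than OR the whole condition is true for every row; with the `--` the password comparison is simply never parsed. The parameterized version rejects both because the driver never re-parses the values as SQL.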

4.  

a.  Web-browser behavior, such as automatically attaching cookies and Hypertext Transfer Protocol (HTTP) authentication credentials to every request

b.  The attacker’s knowledge of the target application’s request format

c.  Application session management

d.  Existence of Hypertext Markup Language (HTML) tags that cause the browser to issue requests to another site

Chapter 12: Session Management, User Authentication, and Web Application Security

1.  

a.  Confidentiality

b.  Integrity

c.  Availability

d.  Common attacks

2.  

a.  Border gateway

3.  

a.  A sniffer: a program that can see all of the information passing over the network segment it is connected to

4.  

a.  Unfiltered: Captures all of the packets

b.  Filtered: Captures only those packets containing specific data elements

5.  

a.  Eavesdropping

b.  Disruption

c.  Injection

6.  

a.  Attackers want to hide their identity, so they spoof the source address of the packets they send at the victim.

7.  

a.  MAC addresses, Dynamic Host Configuration Protocol (DHCP) servers, Internet Protocol (IP) addresses, and other Transmission Control Protocol (TCP)/IP settings.

8.  

a.  Because no authentication or authorization takes place during the exchange between a DHCP server and a DHCP client, any host on the segment can answer a client’s request and be believed.
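Since the client accepts whichever DHCP answer it receives, the practical defense is to watch the segment for offers that do not come from the servers you operate. The following is an added example, not from the book: a parser for the DHCP message format (the fixed BOOTP header, the magic cookie, and the type-length-value options) followed by a check of the server identifier in option 54 against an allowlist. The two OFFER messages are constructed in code to stand in for a capture; the allowlist address is an assumption.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_LEASE_TIME, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(packet: bytes) -> dict:
    """Parse the BOOTP fixed header (236 bytes), the magic cookie and the TLV
    options of a DHCP message carried in a UDP payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    msg = {
        "op": op, "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),   # address being offered
        "chaddr": packet[28:28 + hlen].hex(":"),               # client MAC
        "options": {},
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    mtype = msg["options"].get(OPT_MESSAGE_TYPE, b"\x00")[0]
    msg["type"] = MSG_TYPES.get(mtype, "UNKNOWN")
    if OPT_SERVER_ID in msg["options"]:
        msg["server_id"] = str(ipaddress.IPv4Address(msg["options"][OPT_SERVER_ID]))
    return msg


def rogue_server_offers(packets, authorized_servers):
    """Flag OFFER/ACK messages whose server identifier (option 54) is not one of the
    servers we operate. Returns [(server_id, offered_ip, client_mac), ...]."""
    flagged = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["type"] in ("OFFER", "ACK") and msg.get("server_id") not in authorized_servers:
            flagged.append((msg.get("server_id"), msg["yiaddr"], msg["chaddr"]))
    return flagged


def build_offer(xid: int, yiaddr: str, server_id: str, client_mac: str) -> bytes:
    """Construct a minimal DHCPOFFER for the demo (test input, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # BOOTREPLY, Ethernet
    hdr += ipaddress.IPv4Address("0.0.0.0").packed                 # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                    # yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed                 # siaddr
    hdr += ipaddress.IPv4Address("0.0.0.0").packed                 # giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + b"\x00" * 10   # chaddr (16 bytes)
    hdr += b"\x00" * 64 + b"\x00" * 128                            # sname, file
    opts = (bytes([OPT_MESSAGE_TYPE, 1, 2])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", 3600)
            + bytes([OPT_END]))
    return hdr + DHCP_MAGIC + opts


# Constructed traffic: one offer from the real server, one from a rogue host that
# answered the same DISCOVER (same xid) faster. The allowlist is an assumption.
AUTHORIZED = {"192.168.1.1"}
SAMPLE_OFFERS = [
    build_offer(0x3903F326, "192.168.1.50", "192.168.1.1", "aa:bb:cc:dd:ee:01"),
    build_offer(0x3903F326, "192.168.1.50", "192.168.1.66", "aa:bb:cc:dd:ee:01"),
]

if __name__ == "__main__":
    for server, ip, mac in rogue_server_offers(SAMPLE_OFFERS, AUTHORIZED):
        print(f"ROGUE DHCP: {server} offered {ip} to {mac}")
```

On a live network the same check is what switch-side DHCP snooping does in hardware: offers arriving on ports not marked as trusted are dropped, which blocks the rogue server before the client ever sees its answer.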

Chapter 13: Web Security, DNS Security, and the Internet

1.  

a.  Short for IP Security, IPsec is a set of protocols supporting the secure exchange of packets at the IP layer (Layer 3).

2.  

a.  Transport and tunnel

3.  

a.  Tunnel mode encrypts the entire original packet, header and data, and wraps it in a new IP header; transport mode protects only the data portion.

4.  

a.  Secure Sockets Layer (SSL), and its successor TLS, is the security protocol used on the Internet to authenticate websites and encrypt the traffic between browser and server (HTTPS).

5.  

a.  Unlike a firewall, which only enforces a policy on which traffic may pass, Snort inspects packet contents and can detect hostile intent.

Chapter 14: Network Security and Defenses

1.  

a.  Confidentiality

b.  Integrity

c.  Availability

d.  Common attacks

2.  

a.  Confidentiality: Packet sniffing

b.  Integrity: Cross-site scripting (XSS)

c.  Availability: Denial-of-service (DoS) attacks

d.  Common attacks: Address translation poisoning attacks

3.  

a.  Border gateways. One area network is bridged to another through a border gateway, which is where the traffic between them can be controlled.

4.  

a.  Address Resolution Protocol (ARP)

5.  

a.  It presents a vulnerability because ARP has no authentication, so it is easy to spoof ARP requests and replies.
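Because ARP replies are accepted without authentication, the detection strategy is to watch the replies on a segment and flag any IP address claimed by more than one MAC, with the gateway's entry pinned so a single contradicting reply is enough to alert. The following is an added example (not from the book): a parser for the 28-byte Ethernet/IPv4 ARP packet and the detection logic run over a constructed capture in which an attacker claims the gateway's address. The addresses are constructed for the demo.

```python
import ipaddress
import struct
from collections import defaultdict


def parse_arp(payload: bytes) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP packet (the bytes after the Ethernet header)."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": {1: "request", 2: "reply"}.get(oper, "other"),
        "sha": payload[8:14].hex(":"),                        # sender MAC
        "spa": str(ipaddress.IPv4Address(payload[14:18])),   # sender IP
        "tha": payload[18:24].hex(":"),                       # target MAC
        "tpa": str(ipaddress.IPv4Address(payload[24:28])),   # target IP
    }


def _mac(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an ARP reply for the demo (test input, not a capture)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def detect_arp_spoofing(timed_frames, pinned=None):
    """timed_frames: [(seconds, arp_payload), ...] observed on one segment.
    pinned: {ip: mac} entries that must never change (typically the gateway).
    Returns (alerts, conflicts): alerts for replies contradicting a pinned entry,
    conflicts for every IP claimed by more than one MAC in the window."""
    pinned = dict(pinned or {})
    claims = defaultdict(set)
    alerts = []
    for t, frame in timed_frames:
        arp = parse_arp(frame)
        if arp["op"] != "reply":
            continue
        ip, mac = arp["spa"], arp["sha"]
        if ip in pinned and pinned[ip] != mac:
            alerts.append((t, ip, f"pinned to {pinned[ip]} but {mac} claims it"))
        claims[ip].add(mac)
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return alerts, conflicts


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.25", "00:11:22:33:44:25"
ATTACKER_MAC = "de:ad:be:ef:00:01"

# Constructed capture: two normal replies, then the attacker tells the victim that
# the gateway's IP lives at the attacker's MAC, and keeps repeating it so the
# victim's cache never recovers.
SAMPLE_FRAMES = [
    (0.0, build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)),
    (1.0, build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)),
    (3.0, build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)),
    (3.1, build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)),
]


def demo():
    return detect_arp_spoofing(SAMPLE_FRAMES, pinned={GATEWAY_IP: GATEWAY_MAC})


if __name__ == "__main__":
    alerts, conflicts = demo()
    for t, ip, why in alerts:
        print(f"t={t:4.1f}s ALERT {ip}: {why}")
    print("IPs with conflicting claims:", conflicts)
```

The conflict table alone produces false positives when an address legitimately moves (a replaced NIC, a failover pair), which is why production tools keep a history per IP and alert on the change rather than on the mere existence of two MACs; pinning the gateway is the one case where any change is worth waking someone up for.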

6.  

a.  Creates stop-and-start (pulsing) flooding, making it difficult to identify the source of the attack. Normally carried out as a distributed denial of service (DDoS).

7.  

a.  Eavesdropping (sniffing)

8.  

a.  Source and destination addresses

9.  

a.  Blind spoofing

Chapter 15: Network Security Protocols and Defensive Mechanisms

1.  

a.  Relies on standard public/private-key cryptography.

b.  Adds a cryptographic signature to the Domain Name System (DNS) answers returned.

c.  It is important because DNS uses User Datagram Protocol (UDP) for transport: when you send a query, any returned UDP packet with the right source IP, destination IP, port, and transaction ID is accepted as the answer, so an attacker who can guess those values can forge a reply. The signature lets the resolver verify that the answer really came from the zone’s owner.

2.  

a.  Authentication Header (AH): Provides integrity and authentication of the sender of the data, without encryption.

b.  Encapsulating Security Payload (ESP): Supports both authentication of the sender and encryption of the data.

3.  

a.  Authentication using a preshared secret

b.  Authentication using Rivest–Shamir–Adleman (RSA) encrypted nonces

c.  Authentication using RSA signatures

4.  

a.  An intrusion detection system (IDS) collects and analyzes traffic, compares it with its database of patterns called signatures, and raises an alert on a match.

b.  An intrusion prevention system (IPS) sits inline in the path of network traffic and blocks attacks itself.

5.  

a.  No. An IDS is commonly mistaken for a firewall or a substitute for one. Both relate to network security, but a firewall enforces a policy on which traffic may pass, whereas an IDS watches for intrusions that have got through and alerts on them; it detects rather than blocks, which is the job of an IPS.

6.  

a.  Misuse detection model

i.  Analyzes the information it gathers and compares it with large databases of attack signatures.

b.  Anomaly detection model

i.  Monitors network segments, compares their state with a normal baseline, and looks for anomalies (deviations from that baseline).
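The two detection models in questions 4 and 6 are complementary, and the easiest way to see why is to run both over the same traffic. The following is an added example, not from the book: a misuse detector matches a small signature set against request lines, and an anomaly detector learns requests-per-source from a clean training window and flags sources that exceed mean plus three standard deviations. The log lines, signatures, and the threshold are constructed for the demo, and the simplified line format `<source-ip> <method> <path> <status>` is an assumption.

```python
import re
import statistics
from collections import Counter

# Signature database (misuse model): (name, pattern over the request line).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'(%20|\s)*or(%20|\s)*'", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE)),
    ("webshell-probe", re.compile(r"/(cmd|shell|c99)\.(php|jsp|aspx)\b", re.IGNORECASE)),
]


def misuse_detect(lines):
    """Return [(signature_name, line)] for every line matching a known attack pattern."""
    return [(name, line) for line in lines for name, pat in SIGNATURES if pat.search(line)]


def _requests_per_source(lines):
    return Counter(line.split()[0] for line in lines)


def build_baseline(training_lines):
    """Anomaly model: learn mean and spread of requests-per-source from a window of
    traffic believed to be clean."""
    values = list(_requests_per_source(training_lines).values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_detect(lines, baseline, k=3.0):
    """Flag sources whose request count exceeds mean + k*stdev of the baseline."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)   # floor the spread so a flat baseline still works
    return {src: n for src, n in _requests_per_source(lines).items() if n > threshold}


# Constructed log lines in the form "<source-ip> <method> <path> <status>".
TRAINING_LINES = [
    f"10.0.0.{h} GET /index.html 200"
    for h in (5, 5, 5, 7, 7, 7, 7, 9, 9, 11, 11, 11, 11, 11)
]
OBSERVED_LINES = (
    ["10.0.0.5 GET /index.html 200",
     "10.0.0.5 GET /about.html 200",
     "10.0.0.7 POST /login 302",
     "198.51.100.9 GET /login?user=admin'%20OR%20'1'='1 200",
     "198.51.100.9 GET /static/../../etc/passwd 404"]
    + [f"203.0.113.4 GET /page{i}.html 404" for i in range(40)]   # a scanner enumerating pages
)

if __name__ == "__main__":
    for name, line in misuse_detect(OBSERVED_LINES):
        print(f"SIGNATURE {name}: {line}")
    baseline = build_baseline(TRAINING_LINES)
    for src, n in anomaly_detect(OBSERVED_LINES, baseline).items():
        print(f"ANOMALY {src}: {n} requests (baseline mean {baseline[0]:.1f})")
```

The signature model catches the two injection attempts from 198.51.100.9 but says nothing about 203.0.113.4, whose forty requests match no pattern; the anomaly model flags 203.0.113.4 but cannot see two requests as abnormal. It also shows the weakness of each: an attacker who writes the tautology as `'/**/OR/**/'` slips past the signature, and a baseline trained while an attack was already under way will treat it as normal.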

Chapter 16: Denial-of-Service Attacks

1.  

a.  Two

2.  

a.  Bugs and floods

3.  

a.  The attacker sends a stream of connection requests to the server, each with a false (spoofed) source address, so the server’s replies go nowhere and the half-open connections pile up until legitimate users can no longer be served.

4.  

a.  Set up a filter or sniffer on the network so that the stream of information is inspected, and abusive traffic dropped, before it reaches the site’s web servers.

5.  

a.  A SYN flood: a client repeatedly sends synchronize (SYN) packets to the server’s listening ports using fake (spoofed) source IP addresses, filling the server’s queue of half-open connections.
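The flood in questions 3 and 5 works because the server allocates state for every SYN before it knows whether the sender is real. The standard server-side fix, SYN cookies, is worth seeing in code: the server encodes everything it needs into the sequence number of its SYN-ACK and keeps nothing, then reconstructs and verifies it from the final ACK. The following is an added example, not the book’s code, and a simplified layout (5 bits of time slot, 3 bits of MSS index, 24-bit keyed hash) modeled on the Linux scheme; the secret, the MSS table, and the addresses are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret; a real stack generates it at boot and never exposes it.
SERVER_SECRET = b"constructed-syn-cookie-secret"
# Coarse MSS table: the cookie has only 3 bits to remember which MSS the client offered.
MSS_TABLE = [536, 1300, 1440, 1460]


def _hash24(sip, sport, dip, dport, client_isn, t, mss_idx, secret):
    data = struct.pack("!4sH4sHIIB", ipaddress.IPv4Address(sip).packed, sport,
                       ipaddress.IPv4Address(dip).packed, dport, client_isn, t, mss_idx)
    return int.from_bytes(hmac.new(secret, data, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(sip, sport, dip, dport, client_isn, mss, t, secret=SERVER_SECRET):
    """Server's initial sequence number for the SYN-ACK, computed instead of stored:
    5 bits of time slot | 3 bits MSS index | 24-bit keyed hash over the 4-tuple,
    the client's ISN and the slot. t is a coarse counter (e.g. seconds // 64)."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _hash24(sip, sport, dip, dport, client_isn, t, mss_idx, secret)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | h


def check_syn_cookie(sip, sport, dip, dport, client_isn, ack_num, now_t, secret=SERVER_SECRET):
    """Validate the final ACK of the handshake with no stored state. Returns the MSS
    to use for the connection, or None if the cookie is forged, expired, or belongs
    to another 4-tuple."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t_bits, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    for t in (now_t, now_t - 1):          # accept the current and previous slot only
        if (t & 0x1F) != t_bits:
            continue
        expected = _hash24(sip, sport, dip, dport, client_isn, t, mss_idx, secret)
        if hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    client = ("198.51.100.7", 40000, "203.0.113.1", 443, 1000)   # sip, sport, dip, dport, ISN
    cookie = make_syn_cookie(*client, mss=1460, t=100)
    print(f"SYN-ACK seq = {cookie:#010x}")
    print("genuine ACK  ->", check_syn_cookie(*client, ack_num=cookie + 1, now_t=100))
    print("stale ACK    ->", check_syn_cookie(*client, ack_num=cookie + 1, now_t=102))
    print("spoofed host ->", check_syn_cookie("198.51.100.8", *client[1:], ack_num=cookie + 1, now_t=100))
```

A flood of spoofed SYNs now costs the server one HMAC per packet and no memory, and an attacker who never receives the SYN-ACK cannot produce the matching ACK. The price is that the server forgets any TCP options the client sent apart from the coarse MSS, which is why real stacks switch cookies on only once the half-open queue fills.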

Chapter 17: Mobile Platform Security

1.  

a.  Cocoa Touch layer

i.  Top layer. Contains key frameworks for building iOS apps.

b.  Media layer

i.  Upper middle layer. Contains the graphics, audio, and video frameworks used to implement those features in apps.

c.  Core services

i.  One of the middle layers. Its key service is the Core Foundation framework; it also contains iCloud, social media, and networking services.

d.  Core operating system (OS) layer

i.  Bottom layer. Contains low-level features that most technologies are built on.

2.  

a.  Activity

b.  Service

c.  Intents

d.  Content provider

e.  Broadcast receiver

3.  

a.  A sandbox creates an environment with strict limitations in which a program can be hosted and run on your computer without being able to affect the rest of the system.

4.  

a.  Bytecode verifier

b.  Applet class loader

c.  Security manager

Chapter 18: Cellular Access Security: 4G LTE, Mobile WiMAX, 5G, and MIMOs

1.  

a.  IEEE 802.16

2.  

a.  3G

3.  

a.  DoS

4.  

a.  Strong encryption

b.  1G

5.  

a.  67%

6.  

a.  Base station (BS)

7.  

a.  Packet-switched network implementation

b.  Device to device (D2D)

8.  

a.  Orthogonal frequency division multiplexing (OFDM)

Chapter 19: Wireless LAN Security

1.  

a.  Radio card (the most important component)

b.  Antenna

c.  Ability to operate under the 802.11 protocol standards

2.  

a.  Confidentiality

b.  Integrity

c.  Availability

3.  

a.  A magnetic strip lacks security reliability; the card is instead equipped with a microcontroller that carries its own encryption protocol and authentication.

4.  

a.  Designed to provide the same level of security as a wired LAN, but it is vulnerable to tampering and is not as secure.

5.  

a.  Encryption using preshared-key technology, in which a per-packet key-mixing function derives a different 128-bit key for each packet.

Chapter 20: The Stuxnet Worm and the Vulnerability of the U.S. Electric Power Grid

1.  

a.  A simple infection by means of a personal USB flash drive carrying the worm, which then spreads to the next machine.

2.  

a.  Windows OS

b.  The Siemens programmable logic controller (PLC) programming software (Step 7)

c.  PLC

3.  

a.  Path 1: Via WinCC, the interface to supervisory control and data acquisition (SCADA) systems.

b.  Path 2: Via network shares: Stuxnet uses Windows shared folders to propagate itself over a local network.

c.  Path 3: Via the MS10-061 print spooler zero-day vulnerability: Stuxnet copies itself and places the copy on remote computers.

d.  Path 4: Via the MS08-067 SMB vulnerability: Stuxnet sends a malformed path over SMB.

e.  Path 5: Via Step 7 projects: Stuxnet infects Siemens Step 7 project files.

4.  

a.  The SCADA command and control system uses the same Siemens devices as the Iranian centrifuge system.

b.  The means of infection by insertion of a contaminated flash drive is available.

c.  The Stuxnet worm has been reverse engineered, and its techniques are now available worldwide in more advanced forms.

Chapter 21: Cyber Warfare

1.  

a.  Citadel toolkit

2.  

a.  It creates a hidden connection from the infected computer to a control server.

3.  

a.  Citadel is spread through drive-by exploits.

4.  

a.  Government regulators

b.  Network infrastructure providers

c.  Equipment providers

d.  Service providers

e.  End device users
