Chapter 3 - Threats in Software Environments Flashcards

1
Q

Software Attack Approaches

A

Adversaries employ various tactics to attack software applications, seeking to compromise them for data theft, data alteration, or system disruption. These approaches encompass:

  1. Authentication Bypass: Attackers aim to access system resources without providing valid authentication credentials.
  2. Privilege Escalation: Adversaries, once inside a system, attempt to gain higher privilege levels, potentially granting them access to more data or control over the system.
  3. Denial of Service (DoS): Attackers incapacitate a system by inundating it with messages or sending specially crafted ones, hoping to disrupt its normal operation.

These threats involve numerous attack methods:

  • Buffer Overflow
  • Malicious Software
  • Input Attacks
  • Logic Bombs
  • Object Reuse
  • Mobile Code
  • Social Engineering
  • Backdoor
2
Q

Buffer Overflow

A

Buffer Overflow is a software vulnerability where excessive input disrupts program operation, potentially leading to memory corruption or unexpected behavior. Several types of attacks exploit this, including Stack Buffer Overflow, NOP Sled Attack, Heap Overflow, and Jump-to-Register Attack.

  • Historic Buffer Overflow Attacks include the Morris worm, Ping of Death, Code Red, SQL Slammer, Blaster, Sasser, and Conficker, causing significant damage.
  • Countermeasures to mitigate Buffer Overflow include using safer programming languages, safe libraries, executable space protection, stack smashing protection (using canary values), and application firewalls to prevent attacks.
3
Q

Malicious Software

A

Malicious Software, often referred to as malware, encompasses various harmful software forms, each serving distinct purposes:

  • Propagation: Some malware spreads from system to system without other specific functions.
  • Damage and Destruction: Malware can alter or delete files on target systems.
  • Information Theft: It can locate and steal valuable data such as emails, user IDs, passwords, bank account and credit card numbers, and transmit this information to its operator.
  • Usage Monitoring: Malware can record communications, keystrokes, and mouse clicks for later transmission to the operator.
  • Denial of Service: Malware can consume system resources or cause malfunctions, rendering the system useless.
  • Remote Control: It can implant bots on target systems for remote control, forming bot armies controlled by bot herders or botnet operators.

Malware typically comprises three components:

  • Exploit: Code exploiting vulnerabilities in software, enabling malware execution.
  • Dropper: Installs the actual malware on the target system.
  • Malware: Performs intended functions such as data theft, destruction, network sniffing, or propagation.

Various types of malware include:

  • Viruses
  • Worms
  • Trojan horses
  • Rootkits
  • Bots
  • Remote access Trojans
  • Spam
  • Pharming
  • Spyware and adware

These types continuously evolve, adapting new methods for development, propagation, and evading defenses.

4
Q

Viruses

A

Viruses are malicious code fragments that attach themselves to legitimate program files. They require human intervention to propagate and often spread via email and web traffic.

Example Types: Master boot record (MBR) viruses, file infector viruses, macro viruses.

5
Q

Worms

A

Worms are similar to viruses but can propagate independently without human intervention. They spread through various means, including mass-mailing via email and port scanning.

Example Types: Mass-mailing worms, port-scanning worms.

6
Q

Trojan Horses

A

Trojan horses are programs that disguise themselves as something benign but have hidden malicious functions. Users willingly execute them, unknowingly triggering harmful actions.

Example: Users might open an email attachment claiming to be a game that actually contains a Trojan horse.

7
Q

Rootkits

A

Rootkits are malware designed to remain hidden from detection by altering the operating system. They use methods like process hiding, file hiding, and registry hiding.

Purpose: To maintain persistent and stealthy control over an infected system.

8
Q

Bots

A

Bots, short for robots, are often part of malware and allow attackers to remotely control infected computers. They can be used for spam relaying, hosting phishing sites, and launching denial-of-service attacks.

Example: Botnets consist of a collection of bots controlled by a single entity.

9
Q

RATs

A

Definition: RATs (remote access Trojans) enable remote control of a victim’s computer, either manually or automatically. They are often used in targeted attacks for reconnaissance.

Purpose: To gain unauthorised access to and control over a victim’s computer.

10
Q

Spam

A

Definition: Spam refers to unwanted and unsolicited emails, which can include various types of content such as commercial advertisements, phishing scams, and malware delivery.

Example Types: Unsolicited commercial email (UCE), phishing emails, spear phishing, whaling.

11
Q

Pharming

A

Definition: Pharming redirects internet traffic intended for a legitimate website to a fraudulent one, often used for stealing login credentials or sensitive information.

Methods: Attackers manipulate DNS servers or modify users’ hosts files to redirect traffic.

12
Q

Spyware and Adware

A

Spyware and adware track users’ internet usage behavior, often without their consent, to collect data for marketing or other purposes.

Examples: Tracking cookies, web beacons, browser helper objects (BHOs), keyloggers.

13
Q

Ransomware

A

Ransomware encrypts a victim’s files or locks them out of their system and demands a ransom payment in exchange for decryption or system access.

Purpose: To extort money from victims by holding their data hostage.

14
Q

Anti-Virus

A

Anti-virus software detects and blocks malware by using signature-based and heuristics-based methods to identify and remove malicious code from a system.

Use cases: Deployed on end user workstations, e-mail servers, file servers, web proxy servers, and security appliances.

15
Q

Anti-Rootkit Software

A

Anti-rootkit software is designed to detect hidden processes, registry entries, kernel hooks, and files that rootkits may use to hide their presence on a system.

Use cases: Deployed to identify and remove rootkits on various systems, including end user workstations and servers.

16
Q

Anti-Spyware Software

A

Anti-spyware software monitors incoming files for signatures of spyware and adware, blocking files that match known signatures.

Use cases: Often bundled with anti-virus programs, used to scan and remove spyware and adware from systems.

17
Q

Anti-Spam Software

A

Anti-spam software examines incoming e-mails, assigns scores to messages based on content analysis, and blocks or diverts messages with scores exceeding a threshold.

Use cases: Implemented on e-mail servers, spam-blocking appliances, or provided as a service to filter out spam from incoming e-mails.

18
Q

Firewalls

A

Firewalls are network security devices that filter incoming and outgoing network traffic based on defined rules (firewall rules) to protect systems from unauthorized access and threats.

Use cases: Used as perimeter defenses to protect against unwanted network traffic from the Internet, isolate labs, segregate production networks, and create demilitarised zones (DMZs).

19
Q

Decreased Privilege Levels

A

Decreasing privilege levels means limiting end users’ access to administrative privileges, reducing the potential harm from malware execution.

Use cases: Implemented by organisations to minimise the impact of malware on systems by restricting user privileges to end user levels.

20
Q

Application Whitelisting

A

Application whitelisting allows only approved applications to run on a system, preventing the execution of unauthorised or malicious software.

Use cases: Used to control which applications can run on workstations, enhancing security and preventing unauthorized software installations.

21
Q

Process Profiling

A

Process profiling observes running processes and blocks any process that enters an unknown state, potentially indicating compromise by malware.

Use cases: Employed to monitor and halt suspicious processes on servers or workstations to detect and prevent malware execution.

22
Q

Penetration Testing

A

Penetration testing involves simulating hacker attacks to discover vulnerabilities in systems and networks, allowing organizations to fix weaknesses before attackers exploit them.

Use cases: Conducted to identify and address security vulnerabilities in systems and networks proactively.

23
Q

Hardening

A

Server hardening involves configuring systems securely by deactivating unnecessary services, implementing robust network and software configurations, securing administrator accounts, and keeping security patches up to date.

Use cases: Used to minimise vulnerabilities in servers and systems, making them less susceptible to attacks.