Ch5 - System Security Threats

Question 1

Types of Privilege Escalation

Answer 1

Vertical privilege escalation
When someone with normal user access is able to raise their privileges to administrative access

Horizontal privilege escalation
When the same level of access is maintained, but the resource being accessed is different

Privilege de-escalation
When someone with administrative access is
able to lower their privilege level so that they can access data that a specific user has access to

Question 2

Rootkits. Types of Rootkits

Answer 2

A rootkit is a software installed on the system by the hacker that is typically hidden from the administrator and that gives the hacker privileged access to the system.

Application-level
An application-level rootkit is a user mode executable file that gives the hacker access to the system. Examples of application-level rootkits are Trojan viruses.

Library-level
A library-level rootkit is not an executable file, but
rather is a library of code that can be called by an application. Library-level rootkits are DLL files that run in user mode and typically will replace a DLL on the system in order to hide themselves.

Kernel-level
A kernel-level rootkit is a rootkit loaded by the operating
system kernel and is typically planted on a system by replacing a device driver file on the system. A kernel-level rootkit runs in kernel mode as opposed to user mode, which means it runs with more privileges than a user mode rootkit and, as a result, has greater access
to the system and could cause more damage.

Virtualized
A virtualized rootkit is a rootkit that loads instead of the
operating system when a system starts. This rootkit then loads the real operating system in a virtualized environment. These rootkits are hard to detect because the operating system has no idea it is being hosted in
the virtualized environment, and because no application code or DLLs have been replaced in the operating system.

Firmware
A firmware rootkit is stored in firmware code on a system or device and is hard to detect because it is not present in the operating system.

Question 3

Polymorphic Malware

Answer 3

Polymorphic malware is malware that alters itself to avoid detection from antivirus software that has a definition of the malware. Because the malware has mutated itself, it makes the definition in the antivirus software useless

Question 4

Armored Virus

Answer 4

An armored virus is a virus that protects itself from being analyzed by security professionals. It is common for security personnel to decompile the virus code to better understand how the virus works. An armored virus makes it difficult for someone to decompile the program and view the code of the virus.

Question 5

Bluesnarfing

Answer 5

A Bluetooth exploit that allows the hacker to connect to
a Bluetooth-enabled phone and to retrieve data off the phone

The unauthorized retrieval of data from a Bluetooth device

Question 6

Bluejacking

Answer 6

The sending of unsolicited messages from one Bluetooth device to another Bluetooth device

Question 7

Bluebugging

Answer 7

A Bluetooth exploit that involves the hacker gaining

access to the phone and leveraging its full capabilities, including making calls using the AT command set on the phone