CISSP Domain 8 - Flashcards

Question

Software Development Life Cycle - Development Phase - Static Analysis

Answer 1

* Process of examining the source code for defects or security policy violations * Limitation: cannot understand logic flows

Answer 2

* Unit Testing: Testing individual components * Integration Testing: Testing multiple components working together * Acceptance Testing: Testing to ensure the application meets the customer's requirements * Regression Testing: After a change, rerunning all previously passing tests to ensure the application is still on solid footing

Answer 3

* Automated test that will exercise individual code modules or classes * Simulates a range of inputs and checks the resulting output for the expected result. This ensures the code will always run in an expected and secure manner * Allows the software to be automatically retested at any point to validate that changes have not introduced new defects

Answer 4

* The unit test is written first, followed by the source code that will pass the test * If done properly, it can result in superior code

Answer 5

A separate team should beresponsible for formal testing

Answer 6

* Should happen in an environment that mirrors the production environment as close as possible * The identified risk must be expressed in terms of a repeatable test that proves that the vulnerability has been mitigated to an acceptable level

Answer 7

* Should use: - Manual Testing: Needs to be carried out by testers skilled in the security area, and sometimes involves the use of social engineering - Automatic Testing

Answer 8

* Attack technique in which a large amount of randomly malformed and unexpected inputs are provided to an application * Fuzzing tools: Used for discovering: - Buffer overflows - DoS vulnerabilities - Validation problems - Injection weaknesses - Any other input that can cause a crash, freeze or unexpected errors

Answer 9

* An application is being evaluated in real-time as it is running * Profiles the application and checks for memory leaks or dependencies without having access to the source code

Answer 10

1) Reported to the development team 2) The development team addresses the issues 3) More testing to ensure the issues were properly fixed 4) This cycle continues until everyone agrees the application is ready for production 4a) If the application is intended for a specific customer, that customer should perform their own testing and formally accept the product when they are satisfied

Answer 11

* Verification: Does the product meet the requirements as written? * Validation: Does the product meet the original goal as it was envisioned? * It is possible for a product to be verified, but not valid due to missed or incorrect requirements. It is extremely unlikely that a product could ever be valid but fail verification

Answer 12

* More issues are almost guaranteed to appear * The development team will address the issue by creating them * The patch will need to be tested and formally accepted, followed by a rollout to the already installed product

Answer 13

When an issue with software is discovered, it remains a zero-day vulnerability until a patch, update or a configuration change is made available that will address it

Answer 14

* Used when a development team follows no formal SDLC model | * No formal requirements or design phases

Answer 15

* Linear-sequential life-cycle approach * Each phase must come to a complete close before the next phase is allowed to begin * At the end of each phase, a review is held * Once the next phase is started, there is no capability to go back and change the output from a previous phase * It is virtually impossible to know all requirements up-front, so the entire process must be completed before changes can be made on the next release * Phases - Feasibility - Analysis - Design - Implement - Test - Maintain

Answer 16

* Allowing testing to start earlier and continue throughout the entire SDLC * Higher chance of success than the Waterfall model, but not by much

Answer 17

* Prototype: Simple model of a complex idea that can be used to vet or explore that complex idea without investing too much time or effort * Rapid Prototype: Creates a 'throwaway' product with just enough functionality to decide whether it is worth pursuing * Evolutionary Prototype: Not intended to be discarded, but rather incrementally improved upon until it reaches full maturity and can be placed into production * Operational Prototype: Same as an evolutionary prototype but it is designed to be placed into production immediately and 'tweaked' on-the-fly as customer feedback is received

Answer 18

* Involves iterations of something similar Waterfall Model * After each iteration of the entire SDLC, the customer provides feedback (i.e. more requirements) and the team goes back to the beginning with the new set of requirements and enhances the previous product. * Phases of each iteration - Analysis - Design - Code - Test

Answer 19

* Uses an iterative approach * Employed when a focus on risk analysis is desired * Good choice for complex projects in which requirements change often * Phases - Determine objectives - Identify and resolve risks - Development and test - Plan the next iteration

Answer 20

* Working product is quickly developed * The intention is to use the product to elicit requirements, as opposed to using the requirements to build the product * It is a good fit when the customer is unsure of what they want, or requirements are guaranteed to change quickly and often at the beginning of a project * Phases - Analysis and quick design - RAD (build, demonstrate, refine) - Testing - Implementation

Answer 21

* Approaches that emphasize incremental product deliveries built on continuous-feedback from the customer * User Story: A simple description of a single feature written by an end-user * Agile models do not use prototypes. Instead, they break the product down into smaller features that are being continuously delivered

Answer 22

* Most widely recognized Agile model * Can handle projects of any size * Very focused on customer feedback * Recognizes upfront that customer needs will never be fully understood and will change. Therefore, focus is put on close collaboration with the customer and continuous delivery * Allows for interruptions at clearly defined points (sprints), after which everyone gathers back together and puts the ball back into play * Sprints: - Pre-defined interval (usually 2 weeks) during which the customer is not allowed to make changes - At the end of each sprint, the customer has the freedom to completely change direction if it so desires - At the beginning of each sprint, the development team selects the user stories, starting at the top of the backlog * Backlog: Prioritized list of user stories

Answer 23

* Relies on Pair Programming * Developers work in pairs, with one developer telling the other what to type * Two eyes are constantly reviewing the code as it is being written, which reduces code complexity as well as errors * Requires test-driven development (TDD) - The test is written before any code is laid down, so it will immediately fail - Code is added until the test passes

Answer 24

* Stresses a visual tracking of development tasks, resulting in a just-in- time delivery of features * Kanban wall - Sticky notes representing each task and the wall being divided up into vertical sections, with the sections usually being labelled Planned, In Progress and Done - Developers will always take the top sticky note in the Planned column when they free up

Answer 25

Used when the goals of a project are not well-known, but final specifications that the product must meet are known

Answer 26

Can be used when non-developers are able to dedicate their full time to the project and sit with the development team as work progresses

Answer 27

Assumes that existing prototypes have already been created and are progressively enhanced

Answer 28

* Used when preventing errors and mistakes is the highest priority * Achieved by using structured and formal methods for development and testing * Usually employed for extremely high-quality and mission-critical applications that will need to pass a strict certification process.

Answer 29

* Made up from - Development team - Representatives from each stakeholder * More focused on internal customers than external customers * IPT is not a methodology, but works well with certain methodologies such as JAD or Agile

Answer 30

* Intersection of - Software development - IT - QA * Security is the big winner as it is addressed from the beginning because of IT's involvement

Answer 31

* Software industry: - Multiple versions of a capability maturity model (CMM) - CMM: Attempts to provide guidelines for best-practiced development processes * CMMI: - Developed to combine them all into a single cohesive set - Used as a set of guidelines on establishing a mature software development process * Companies can become CMMI certified by third-parties

Answer 32

Each level builds on the previous levels: they are accumulative * Level 1: Initial: Process is unpredictable, poorly controlled and reactive * Level 2: Repeatable: Process within a project is repeatable * Level 3: Defined: Process within an organization is repeatable * Level 4: Managed: Process is quantitatively measured and controlled * Level 5: Optimizing: Has a focus on continually improving the process

Answer 33

* Process of controlling any changes that take place during a product's lifetime and documenting the activities that result * Should be in place at the beginning of a project or chaos will result

Answer 34

* To have an agreed upon baseline before work starts: any changes may justify additional charges to the customer * So the development team knows how to deal with changes as they happen * To ensure changes do not negatively affect other components of the project

Answer 35

1. Make a formal request for a change 2. Analyze the request a. Develop the implementation strategy b. Calculate the costs c. Review security implications 3. Record the change request 4. Submit the change request for approval 5. Develop the change a. Implement the change b. Link the changes to the formal change control request c. Test the software d. Repeat until quality is adequate e. Make version changes 6. Report results to management

Answer 36

* Tool that provides traceability throughout the lifetime of the project by tracking change requests as they are entered, approved and delivered to the customer * Almost always used for implementing change control procedures related to software development

Answer 37

* Keeps track of each change made to a file * At any point the current copy can be 'rolled back' to a previous version * Keep track of the 'who, what and when' of each change

Answer 38

More than one developer working on the same project simultaneously

Answer 39

* Can implement SCM * Can protect integrity of the source by managing versioning and synchronization among multiple developers * Must be securely protected * Allow only authorized users to access the code * Reasons to protect this asset - Someone could steal the source code for their own use - An attacker could look at the source code to find vulnerabilities to exploit later - An attacker could inject vulnerabilities that can be exploited later * Most effective method for securing source code - Create an isolated network containing all development, test and QA systems - 'Air-gap' the whole thing - Remote work is no longer possible * Software Escrow - Companies use it to protect themselves in the event that partner company goes out of business or violates a contract - Only the compiled version that is usable for run-time is delivered - The source code is given to a third-party who holds on to it in case something unforeseen happens and the two companies no longer wish to cooperate - In this case, the third-party will release the source code held in escrow to the first company

Answer 40

* Invented in the 50's | * Language that humans can understand and that is easily translated into binary so computers understand it

Answer 41

* It's the binary Language | * Computers speak it

Answer 42

* aka Assembly Language * Uses instructions instead of 0's and 1's * Assembler: Converts assembly language into machine language * Programs written in assembly language are hardware-dependent and not portable to other processor types

Answer 43

* aka High-Level Languages * Introduced the if...then...else construct * Allowed programmers to focus on abstract concepts * Programs written in third-generation languages are portable * Examples: C++, Java

Answer 44

* aka Very High-Level Languages * Further abstracted the underlying complexity of computers from the programmer * Examples: SQL

Answer 45

* These did not simply improve on fourth-generation languages * New way of expressing instructions: Using visual tools * Also called natural language * Technology has not quite caught up yet to this level of programming

Answer 46

* Assembler - Takes assembly language - Converts it into machine language * Compiler - Takes a high-level language - Converts it into a machine-level format * Interpreter - Another abstraction layer * JVM (Java Virtual Machine) * CLR (Common Language Runtime) - Platform independent - Garbage Collection * Memory management is done automatically by the abstraction layer * Huge security advantage

Answer 47

* Object-Oriented Programming (OOP): Focuses on objects instead of a linear progression of code * Encapsulation: Hiding the procedural code behind walls * Message: How outside code communicates and provides input to an object * Method: Internal code that is executed in response to a message * Behavior: The results of a message being processed through a method * Class: A collection of methods that define some behavior * Instance: An object is an instance of a class * Inheritance: Methods from a parent class are inherited by a child class * Delegation: If an object does not have a method to handle a message, it will forward (delegate) that message to another object * Polymorphism: A characteristic of an object that allows it to respond with different behaviors to the same message * Cohesion: The strength of the relationship between methods of the same class; a high cohesion means a class limits the scope of what it does, which is better software design * Coupling: The level of required interaction between objects; low coupling means a class is less dependent on another class, which is a better software design * Data modeling: Views the data independently from code * Data structures: Views the logical relationships between data and how it is presented to code * Abstraction: Hides complex details from being seen, leaving only the bare minimum necessary for interaction * Application Programming Interface (API): Provides a reusable component by abstracting complexity

Answer 48

Focuses on objects instead of a linear progression of code

Answer 49

Hiding the procedural code behind walls

Answer 50

How outside code communicates and provides input to an object

Answer 51

Internal code that is executed in response to a message

Answer 52

The results of a message being processed through a method

Answer 53

A collection of methods that define some behavior

Answer 54

An object is an instance of a class

Answer 55

Methods from a parent class are inherited by a child class

Answer 56

If an object does not have a method to handle a message, it will forward (delegate) that message to another object

Answer 57

A characteristic of an object that allows it to respond with different behaviors to the same message

Answer 58

The strength of the relationship between methods of the same class; a high cohesion means a class limits the scope of what it does, which is better software design

Answer 59

The level of required interaction between objects; low coupling means a class is less dependent on another class, which is a better software design

Answer 60

Views the data independently from code

Answer 61

Views the logical relationships between data and how it is presented to code

Answer 62

Hides complex details from being seen, leaving only the bare minimum necessary for interaction

Answer 63

Provides a reusable component by abstracting complexity

Answer 64

* Solution that has at least two components separated by a network * Client/Server architecture - One client - One server * n-tier architecture - 3 or more tiers - Tiers * Client * Services layer * Server * Remote Procedure Call (RPC) - Generic term used for a client invoking a service on a remote computer - The client doesn't understand the details of how the interaction happens - RPC hides the details

Answer 65

* Standard developed by Open Software Foundation (OSF) * First attempt at providing a standard method for distributing computer communication * Enables users, servers and resources to be contacted regardless of where each lives * Uses a UUID (Universal Unique Identifier) * No longer being used

Answer 66

* Open Standard * Developed by the Object Management Group (OMG) * Platform independent * Dictates how the components communicate by defining the API and communication protocols

Answer 67

* Form the middle layer of services * Responsible for knowing where objects live * CORBA objects can be created in any language or format as long as it aligns with the CORBA standard * Work structure 1) A client requests services from an ORB by giving it: - The name of the object it is interested in - The requested operation - Any necessary parameters 2) The ORB - Locates the object - Carry out the request - Return any resulting data

Answer 68

* Created by Microsoft - Goal: Provide the ability for Interprocess communication (IPC) on a single computer * It is language independent * Only used for Windows systems

Answer 69

* COM extension for distributed environments | * Only used for Windows systems

Answer 70

* Based on COM * Allows objects such as images, spreadsheets and Word documents to be shared on a Windows computer * The object can be - Linked: One program calls another in real-time - Embedded: The foreign object is fully contained inside of a native application

Answer 71

* Created by Oracle * Goal: Extend the Java language across the network * Works on multiple platforms * Uses CORBA standard for communications

Answer 72

* Not a technology or a standard: It's a pattern * Provides clear-cut patterns to follow when creating services * Goal: The services layer can provide reusable building blocks for any number of applications and currently unknown future uses * Main idea: - Slice functionality up in discrete services that have high cohesion and low coupling - Expose an abstract interface

Answer 73

* Usually based on HTTP * Web Services Description Language (WSDL, an XML format): Describes the methods and parameters a SOA service offers * Universal Description, Discovery and Integration (UDDI) service: Provides the ability to lookup a service * The service itself will provide a WDSL: Describing the supported methods * Platform independent * Can communicate of normal HTTP ports * Provides significant security capabilities. This makes it 'fat' compared to Representational State Transfer (REST)

Answer 74

* Any type of code that can be transmitted through a network | * Compiled, self-contained component that is downloaded and executed on a client

Answer 75

* Run-time environment in which bytecode can be executed * Java Virtual Machine (JVM) - Must be installed on a client computer - Converts bytecode to machine-language and runs it - Supposed to prevent the applet from doing bad things. But hackers routinely figure out ways to circumvent the sandbox * Applet: Bytecode that is - Downloaded across the network - Executed in the JVM

Answer 76

* Similar to Java applets * Specific to Windows machines * Downloaded in a native format specific to the machine * Built on COM and OLE * Security issues - Can allow other apps to run within the browser using a component container - There is no sandbox * The code will execute with the privileges of the current user * Microsoft relies on Digital Certificates - ActiveX components are stored on the user's hard drive

Answer 77

* Very convenient but dangerous if exposed over the Internet * Access should be limited to local IP addresses: Being able to connect using a VPN * Better solution: An out-of-band administrative interface. Example: SSH

Answer 78

* Passwords - Most common authentication method - Do not prove identity * Usernames: Can be mined or easily guessed * Many financial organizations require multi-factor authentication * Credentials: Should be sent TLS-encrypted

Answer 79

* Deals with the consumption of user-provided variables * Ways to send variables - Through the URL - Using input fields

Answer 80

* Path or Directory Traversal Attack - aka dot-dot-slash attack - Carried out by inserting the '../' characters into a URL - '../' command: Instructs the web server to walk back up one level from the current directory - Prevention: URL filtering - Example: If the URL 'http://www.mydomain.com/pages/../../../../c:\windows\system32' is sent to a web site and the site is located in c:\inetpub\www\mydomain\pages, the web server might try to send back a list of al files in c:\windows\system32 and possibly even run a program from there * Unicode Encoding - Unicode: Standard that allows all characters to be expressed as a hexadecimal equivalent - Instead of inserting the normal character, inserting its Unicode equivalent, this could circumvent URL filtering * URL Encoding - Using an alternate method for sending characters - Also aimed at bypassing filtering mechanisms

Answer 81

* The attacker puts SQL commands into a text field and submits a form * The server then executes the text as legitimate SQL allowing the attacker to run SQL commands directly against the database * This could result in reading, updating or deleting data * Countermeasures: - Input values should be scrubbed and cleaned of any SQL-like clauses - Use 'parameterized statements' * The input is not string-concatenated into SQL and executed * The values are provided as parameters to the SQL engine

Answer 82

* Entry point to Cross-Site Scripting (XSS) attacks | * An attacker somehow gets their own script to execute inside of a user's browser

Answer 83

* aka Reflected Vulnerabilities * The attacker convinces the web server to emit HTML that downloads a rogue script from another site * This is accomplished when the web server 'reflects' back to the browser data that was previously submitted, normally in the form of query parameters embedded in the URL * Cross-Origin Resource Sharing (CORS) controls - Normally prevent this from happening - Workaround: JSONP - Countermeasure: Always encode the values from the query line if they need to be emitted back to the browser - Example: An attacker could get a user to click on a link such as https://www.mydomain.com?search=link_to_evil_script. If the website doesn't properly filter the input or output, it can embed the evil script in the HTML that goes back to the browser

Answer 84

* When an attacker is able to convince a server to store their data in a database field * Later, another visitor views a page that contains the attacker's code, resulting in execution of the malicious payload * Countermeasure: Always encode the input values before storing in the database * This often results in some rather ugly content, but usability must be weighed against security * Example: - An attacker posts a message to a forum, and the message contains 'alert('I am evil!');' - When another visitor views that forum post, the browser will pop up a scary message as soon as the page is loaded saying 'I am evil''

Answer 85

* Leverage the ability to dynamically generate content within the browser using the DOM * Example: If a page's script executes 'document.write('You are viewing: ' + document.location)', then the following URL can force a message to pop up: 'http://www.mydomain.com?alert('I am evil!');' * Countermeasures - Not perform this type of DOM manipulation in a web page - Or include code to properly encode the value before inserting it into the DOM

Answer 86

* Occurs when client code ensures that all required fields are provided and checks for invalid values * Once client-side validation is passed, the request is then sent to the server * Server code should never trust data regardless of what type of client-side validation was performed. Hackers can easily bypass browsers and substitute their own values, thereby completely negating any client-side validation

Answer 87

* While input validation centers around the server examining and validating values provided from the user before processing them. The server also needs to be concerned about another class of values * Concerned with the server examining and validating values that are assumed to be beyond the ability of a user to change * Many web applications assume the user does not have the ability to change cookies or parameters * Examples: - Values stored in a client-side cookie or hidden fields - By using a web proxy on the client machine an attacker can intercept any HTTP traffic (even if it is encrypted!) and change cookie values, hidden fields, the URL, pretty much anything sent over an HTTP connection can be manipulated, including HTTP header values * Countermeasures - Never send any server-side data to the browser and expect it to be to be returned unless it is intentionally supposed to be manipulated by the user - Execute pre-validation: The client ensures the data is valid before submission to the server; this is optional - Execute post-validation: The server validates incoming values before trusting them

Answer 88

* The ability to tie a browser request with an existing user interaction * The connectionless nature of HTTP and HTTPS means that the server will rely on the browser to tell it which session the browser wants to work with * Relies on the server generating a unique session ID the first time a browser connects * Requires the browser to always send back the session ID for any subsequent HTTP request * Session ID - Can be stored in a cookie, sent as a hidden input field, or added as part of every URL requested - Almost always sent over as clear text unless HTTPS is used * Session Hijacking - If TLS is not enabled, it can occur in which an attacker sniffs a current session ID, and uses it in her own packets - Countermeasures * Session IDs should be randomly generated to prevent an attacker from predicting a valid value * Some type of timestamp should be required to prevent replay attacks * Cookies containing session information should contain encrypted data: At least the attacker will be unable to look at information such as shopping cart contents

Answer 89

* Keep it simple: Security loves simplicity, and the simpler a site is, the easier it is to enforce proper security and detect issues * Look at user input: Closely scrutinize areas that allow user input and ensure the values are being properly vetted * Look at system output: Look for any places where data is emitted. It should always be HTM, encoded to prevent XSS * Encrypt everything: Any traffic between the server and the browser should be encrypted * Fail securely: When an error is encountered, always provide a friendly and generic message to the user and never divulge internal details * Strike a good security/usability balance: Too much security and users will hate your site; too little security and hackers will love your site * Never use security through obscurity: There is no such thing on the web; either it is in plain site or it needs to be wrapped in proper authentication/authorization measures

Answer 90

* Access to a database should be based on roles only - Not individual user accounts - This limits the damage that can be done if an external attacker gains direct access to the database

Answer 91

* Database definition: Persisted data which users can view and modify as-needed * Database Management System (DMS): Software that exposes the database, enforces access control, provides data integrity and redundancy, and provides procedures for data manipulation * A database should: - Ensure consistency among all associated servers - Provide for easy backups - Provide transaction persistence: Transactions are durable and reliable - Provide recovery and fault tolerance - Support sharing of data among multiple users - Provide security controls that implement integrity, access control and confidentiality

Answer 92

* Hierarchical Data Model * Relational Database Model (RDBM) * Network Database Model * Object-Oriented Database (OOD) * Object-Relational Database (ORD)

Answer 93

* Combines records and fields in a tree structure without using indexes * Example: LDAP

Answer 94

* Uses attributes (columns) and tuples (rows) to store data in 2-dimensional tables * Cell: Intersection of a column and a row * Primary Key: Field that provides a unique value to every record in the table

Answer 95

* Built on the hierarchical data model * Useful for many parent/many children relationships * Set: Defines parent/child relationships

Answer 96

* Designed to handle multiple data types | * Each object contains its own data and methods

Answer 97

* Backed by a standard RDBM | * It's an RDBM with an OOP layer on top for implementing business logic

Answer 98

* Introduction: Make possible for programming code to talk to various databases * Open Database Connectivity (ODBC): - Applications interact with the ODBC API, allowing the same interface to work regardless of the backend database - ODBC locates the database-specific driver and uses it to translate its common language into a database-specific language, but still understands SQL only. * Object Linking and Embedding Database (OLE DB) - Separates data into components that run on middleware and works with different databases in real-time - Replacement for ODBC - Supports non-SQL database - Windows-only solution * ActiveX Data Objects (ADO) - Official API for OLE DB * Java Database Connectivity (JDBC) - ODBC for Java applications

Answer 99

* Schema: Table details * Structure: * Everything outside of tables - Table size - Index size - Views - Table relationships * Data Definition Language (DDL): Defines the structure and schema * Data Manipulation Language (DML): Provides access to the data * Data Control Language (DCL): Defines the internal organization of the database * Ad hoc Query Language (QL): Allows users to make requests (SQL is based on this) * Report Generator: Produces printouts of data in a user-defined format * Data dictionary - Centralized collection of information about all users, user roles, tables, indexes, privileges, etc - Used to provide access controls * Primary key: A unique value across all records in a table, used for indexing * Foreign key: A relationship where Table A has a column that matches a primary key in Table B

Answer 100

* Dealing with multiple users trying to modify the same data at the same time * Lock: - Solution to this problem - A database can lock data so that only one user can modify the value - Can be applied on the following levels * Table * Page * Row * Field

Answer 101

* Semantic Integrity: Ensures the database's structure remains secure * Referential Integrity: Ensures that all foreign keys reference a valid primary key * Entity Integrity: Ensures that all primary keys have a unique value within the table

Answer 102

Sequence of operations performed as a single unit of work

Answer 103

* Rollback: Cancels the current transaction and reverts the database to the state it was before the transaction started * Commit: Completes a transactions and executes all changes just made within the transaction * Two-Phase Commit: For transactions in a distributed environment, all database make a 'pre-commit', and once all database have reported back successfully, they all perform a 'commit' * Batch Processing: Requests for database changes are put into a queue and executed all at once

Answer 104

* Used to provide fault tolerance and better performance with clustered databases * Monitors the entire transaction process across multiple systems and takes steps to ensure integrity across all components while making sure the system remains usable by enabling load-balancing if necessary * Enforces ACID - Atomicity: All changes take effect or none do - Consistency: All data remains consistent in all databases - Isolation: Transactions execute in isolation until completed - Durability: Once the transaction is committed it cannot be rolled back

Answer 105

* Savepoint: Periodic save of a database that can be restored in case of severe interruption * Checkpoint: Triggered when the database fills up a specific amount of memory

Answer 106

* Database View: A virtual table comprised of one or more underlying tables that restrict or aggregate data according to access control policy * Polyinstantiation: Interactively creating two instances of the same object with different attributes; this is used to stop inference attacks

Answer 107

* Combines data from two or more databases into a single large database * Goal: Providing an aggregated view of the source data exclusively for follow-up analysis * During the aggregation process: - Redundant information is removed - The remaining data is properly formatted and correlated * Security should be more stringent

Answer 108

* Combing through the data warehouse information and extracting metadata * Knowledge Discovery in Databases (KDD) - Another term for Data Mining - Approaches to identify patterns * Classification: Groups according to similarities * Probabilistic: Identifies relationships and calculates probabilities * Statistical: Identifies relationships and uses rule discovery

Answer 109

* Very large data sets * Unsuitable for traditional analysis - Reasons * Heterogeneity * Complexity * Variability * Lack of reliability * Volume

Answer 110

* Virus * Macro Virus * Boot Sector Virus * Tunneling Virus * Stealth Virus * Polymorphic Virus * Multipart Virus * Meme Virus * Script Virus

Answer 111

* Small application that infects software and can replicate itself * Requires a host application * Carries payloads that cause the real harm

Answer 112

Written in a macro language such as Visual Basic or VBScript, and usually associated with Microsoft Office products

Answer 113

* Infects the boot sector of a computer | * Often hides itself in hard drive sectors that the virus has marked as bad

Answer 114

* Intercepts requests for a file * Presents a forged version of it instead. The virus can convince the antimalware that everything is fine and to move along

Answer 115

* Hides the modifications it has made by acting as a tunneling virus * Can also mask the size of the file it is hiding in * Move itself around during antimalware activity to avoid detection

Answer 116

* Can alter its appearance in an effort to outwit virus scanners * It will make multiple copies of itself, each with a different appearance so that it reappears when the antimalware software thinks it has eradicated it * Appearance changes - Using different encryption schemes - Change their own code by embedding noise or changing its instructions sequence

Answer 117

Has several components that are distributed in multiple locations on each system, allowing it to spread more quickly

Answer 118

* Not a real virus | * Harm: Wasted bandwidth and possible fear based on the email's message

Answer 119

* Sent in script form in an interpreted language | * Often these scripts are downloaded by a web browser, and when launched can cause great damage

Answer 120

* Self-contained programs * Can reproduce without requiring a host application * Example: Stuxnet

Answer 121

* Bundle of tools that can be used to cause further mayhem after a system has been compromised and the attacker escalated privileges, such as installing a backdoor or to start sniffing for credentials. * Rootkit Types - User-Level Rootkit - Kernel-Level Rootkit - Firmware-Level Rootkit * Tools - Trojan Programs * Replaces valid programs * Will often appear to run correctly - Log Scrubber Removes traces of the attacker's movements from the system log files

Answer 122

Malware that exists to gather information about a victim

Answer 123

* Not intended to harm a system * It is invasive * Can cause privacy concerns

Answer 124

* Bot: - Malware that can be installed through * E-mail * Drive-by downloads * Trojan horses * Shared media - Will check in to let the hacker know it has successfully compromised a system - Then lie dormant until it receives further instructions * Botnet: Network of bots * Bot Herder: - Owner of a botnet - Controls the botnet usually through IRC * Botnet uses - Carry out DDoS attacks - Spamming - Brute-force attacks - Others * Fast Flux: Evasion technique used to continually be on the move by updating DNS entries * Command-and-Control (C&C) Servers: Servers that send instructions to a botnet

Answer 125

Programs that are set to go off and execute its payload whenever a specific trigger is activated

Answer 126

* Programs disguised as other programs * Often carry out the activity that the original program is designed to, but additionally operate in the background * Remote Access Trojan (RAT): Malicious program that allows an intruder to access and use a system remotely

Answer 127

* Ongoing effort as spammers continually work to evade our best detection efforts * Spam: - The receipt of unsolicited junk email - Bayesian Filtering * Technique that applies statistical modeling to the words in an email message to determine how often each is used and in what order * From that analysis make a determination if the message is spam or not * Spammers intentionally misspell words or substitute symbols in an effort to get past the spam filters

Answer 128

* Insertion: Installs itself * Avoidance: Avoid detection * Eradication: Removes itself after the payload has been delivered * Replication: Makes copies of itself and spreads * Trigger: Use an event to execute the payload * Payload: Carries out its function

Answer 129

* Antimalware policy - Companies should have it - Details the type antimalware and antispyware software that should be installed, including configuration parameters * Virus Walls - Scan incoming SMTP, HTTP and FTP traffic for malware - Can be integrated with * E-mail servers * Proxy servers * Firewalls