Topic 3 - Software Flashcards

(55 cards)

1
Q

What are Vectors in Computer Security?

A

Vectors are the mechanism through which malware infects a machine, e.g. a software vulnerability or someone clicking a suspicious link, etc.

2
Q

What are payloads?

A

Payloads are the actual malware deposited on the machine, or the harmful results

3
Q

What is the formal definition of a virus?

A

A piece of self-replicating code, which propagates by attaching itself to a disk, file or document

4
Q

What is the formal definition of a worm?

A

Worms are self-replicating, stand-alone programs which do not require human intervention. They exploit known software vulnerabilities in order to spread.

5
Q

What is the ‘Exploit Lifecycle’?

A

Exploit lifecycle measures how long the exploit takes to cause problems. Example - Standard lifecycle involves the exploit being discovered by reverse-engineering a patch.

6
Q

What is a ‘Zero-Day’ exploit?

A

It is an exploit in the system that was previously unknown to the system developers - Substantially more dangerous than a standard exploit.

7
Q

What is a Trojan?

A

A malicious program pretending to be a legitimate application
It is often obtained through email attachments or malicious websites.

8
Q

How does ransomware work?

A

Ransomware will encrypt or block access to files and demand a ransom. Due to this, if you attempt to remove it via an Anti-Virus, then your files will still remain inaccessible.

9
Q

What is a defining feature of Trojans?

A

Trojans cannot replicate themselves - They rely on human error to spread.

10
Q

What are some challenges faced when attempting to install ransomware on another machine?

A

Getting a user to run it
Bypassing the Anti-Virus and browser protections

11
Q

What are some of the common methods for deploying Ransomware?

A

Fake emails
Malicious web pages
Obfuscated JavaScript attachments
Deployed using exploit kits

12
Q

What is a formal definition of an Exploit?

A

A software or hardware bug that allows an attacker to circumvent an OS’s security perimeter.

13
Q

What are some key areas that exploits target with Memory Management?

A

Buffer Overflow
Stack Overflow
Heap Overflow

14
Q

How does a Buffer Overflow occur?

A

Buffer overflows occur when data written into a buffer is larger than the buffer: the write exceeds the buffer's size, and the data overwrites the memory beyond the buffer.

15
Q

How is the Stack defined?

A

A stack holds information on local variables and function calls. A function call will push a new frame onto the stack, and a return will pop it off.

16
Q

How does Stack Smashing work?

A

Stack Smashing works by crafting a specific long string and then, within C/C++ programs, causing the memory management to push over a buffer limit, thereby overwriting data with custom exploit code

17
Q

How does a Canary work?

A

Stack canaries modify the prologue and epilogue of all functions to check that a value placed in front of the return address is unchanged.

18
Q

How do modern systems defend against a memory overflow attack?

A

Modern systems include a feature called Data Execution Prevention (NX), which marks stacks as non-executable if they detect any issues.

19
Q

What are some further protection methods that are used?

A

Developers restrict access to obvious system calls
Address Space Layout Randomisation (ASLR) moves the addresses of libraries and programs around
Null bytes are inserted into standard library addresses

20
Q

What is Return-Oriented Programming?

A

It doesn’t insert exploit code, and instead pieces together other bits of code already on the machine and uses them to execute exploits instead.

21
Q

What are the three types of Anti-Virus?

A

Signature-based detection
Heuristics
Machine Learning/Next-Gen

22
Q

How does Signature-based detection work in Anti-Virus?

A

Stores some small code signature for each virus
Scans files either in bulk or at runtime, and compares them with the signatures on file
Uses generic signatures

23
Q

How does Heuristic Detection work in Anti-Virus?

A

Heuristics determine what actions and rules a virus program will normally adopt
It starts the program in a VM, and sees what it does
Theoretically it can detect a virus that doesn’t strictly match some signatures

24
Q

What is an IDS and how does it work?

A

Intrusion Detection System:
Detects possible intrusion attempts, and generates alerts and logs for administrators

25
Q

What is an IPS, and how does it work?

A

Intrusion Prevention System: Identical to IDS, except it also stops the attack

26
Q

What are the two types of IDS deployment and how does each one work?

A

Host-based - Monitors a single host to find suspicious activity, including resource/app usage
Network-based - Monitors network traffic and analyses packets from different protocols to identify suspicious activity

27
Q

How does Host-based IDS work on a finer scale?

A

It is an additional layer of security software running on a host within a protected LAN or VPN
It creates a profile of usage for specific users
It can monitor CPU, memory use, application use and the network stack.

28
Q

How does Network-based IDS work on a finer scale?

A

It is placed at a viewpoint on a network to examine and analyse traffic, i.e. installed on a firewall or behind a screened subnet
May perform deeper analysis than many firewalls, e.g. stateful protocol analysis and deep packet inspection

29
Q

What are the general components of an IDS?

A

Sensors/Agents - Collect and collate data from multiple viewpoints on a network
Analysers - Ascertain if an intrusion has taken place
Reporting - Notify the administrators via alerts on a console or graphical interface
30
Q

What are the three types of Detection Modes?

A

Signature-based - Fingerprinting sequences of operations or packets
Anomaly-based - Build a 'model' and find deviations
Stateful Protocol Analysis - More complex version of a stateful packet filter

31
Q

How do Signature-based systems work?

A

Signatures are created and stored in a database
They then compare network activity against the database, and an alarm is triggered if there is a match
It includes some form of attack language: mechanisms to describe sequences of events, as well as maintaining and monitoring intermediate states and event transitions

32
Q

What are some advantages of Signature-Based Systems?

A

Computationally efficient
Always spots known attacks

33
Q

What are some disadvantages of Signature-Based Systems?

A

Always misses unknown attacks
Detailed signature databases must be kept up-to-date

34
Q

What is an example signature in Signature-based systems that could flag an issue?

A

A machine is producing large amounts of ICMP traffic, establishing many TCP connections, and these connections are going to other hosts
This example behaviour is indicative of Port Scanning
35
Q

How does Anomaly Detection work?

A

Anomaly Detection builds up a picture of normal usage across the system, and then detects when something moves beyond what is normal

36
Q

What is a primary disadvantage of Anomaly Detection?

A

There can be many false positives and false negatives, thereby skewing the results.

37
Q

How does Anomaly Detection collect 'normal' usage data?

A

It runs a host within a quarantined environment and collects training data
This data is constructed by monitoring audit logs
It sometimes relies on analysis of sequences of system calls through normal behaviour

38
Q

How is Machine Learning applied in an Anti-Virus context?

A

It trains a model to make predictions on the normal usage data, and aims to model more complex usage behaviours

39
Q

What is an example of Machine Learning in an Anti-Virus context?

A

A network is pre-trained
Sensor measurements are then passed through the network
Activations in specific neurons then signal an alert to an intrusion
40
Q

What are some drawbacks of using Neural Networks as Anti-Virus methods?

A

Scaling - Search space can increase exponentially, and it has to use real-time data
False negatives - Limits are in the representation, and what is normal behaviour can change, so do you re-train and risk learning intruder-type behaviour?

41
Q

How does Stateful Protocol Analysis work?

A

Holds detailed session information on protocols being used, and examines them for attacks, e.g. why is the user using root?

42
Q

What are some defining properties of Stateful Protocol Analysis?

A

Computationally costly
Requires that the IDS has all possible versions of these protocols described in its database

43
Q

How is Database Security defined in Computer Security?

A

A range of tools, controls and measures designed to establish and preserve database confidentiality, integrity and availability

44
Q

What does Confidentiality, Integrity and Availability mean in the context of Database Security?

A

Confidentiality - Protection of sensitive data within a database
Integrity - Data in a Database is accurate, complete, consistent and valid
Availability - Data in a Database is readily available for use when needed
45
Q

What does Integrity Protection mean in the context of Database Security?

A

Integrity protection aims to achieve data consistency within a database

46
Q

What are the two different types of Integrity Protection in Database Security?

A

Internal Consistency - Database entries obey some pre-defined rules
External Consistency - Database entries are correct

47
Q

How does SQL Security work?

A

It implements access control based on three entities:
Users
Actions
Objects

48
Q

Why use View-based Security?

A

Views are a flexible way of creating policies closer to application requirements
Views can simplify complex queries and enhance data security by restricting direct access to tables
Data can be easily reclassified

49
Q

Why wouldn't you use View-based Security?

A

INSERT/UPDATE actions depend on the CHECK options, else they might be blind inserts
Completeness and consistency are not achieved automatically
Can quickly become very inefficient

50
Q

What is a problem with Statistical Database Security?

A

When using statistical queries, you can infer some information from the data used.
51
Q

What are some further methods for protecting data inference in Statistical Database Security?

A

Data Swapping - Swap records but keep stats the same
Noise Addition - Alter aggregate output
Table Splitting - Separate data completely
User Tracking - Log queries

52
Q

How can a website/application be vulnerable to SQL Injection attacks?

A

If it doesn't filter SQL control characters, then it is vulnerable

53
Q

What is the difference between an SQL Injection attack and a Blind SQL Injection attack?

A

A Blind SQL Injection attack won't receive any output response from the database - Performs database analysis completely blind

54
Q

What is a Second Order SQL Injection attack?

A

Store the exploit for the system in one pass, then execute it in a later pass/command

55
Q

What are some general methods to prevent SQL injection/Database attacks?

A

Sanitise user input
Use Views
Parameterise queries
Stored procedures
Use established libraries
Use the principle of least privilege