246 Chapter 8 ■ Malicious Code and Application Attacks
1. What is the size of the Master Boot Record on a system installed with a typical configuration?
A. 256 bytes
B. 512 bytes
C. 1,024 bytes
D. 2,048 bytes

2. How many steps take place in the standard TCP/IP handshaking process?
A. One
B. Two
C. Three
D. Four

3. Which one of the following types of attacks relies upon the difference between the timing of two events?
B. TOCTTOU
C. Land

4. What propagation technique does the Good Times virus use to spread infection?
A. File infection
B. Boot sector infection
C. Macro infection
D. None of the above

5. What advanced virus technique modifies the malicious code of a virus on each system it infects?
A. Polymorphism

6. Which one of the following files might be modified or created by a companion virus?
A. COMMAND.EXE
B. CONFIG.SYS
C. AUTOEXEC.BAT
D. WIN32.DLL
7. What is the best defensive action that system administrators can take against the threat posed by brand new malicious code objects that exploit known software vulnerabilities?
A. Update antivirus definitions monthly
B. Install anti-worm filters on the proxy server
C. Apply security patches as they are released
D. Prohibit Internet use on the corporate network

8. Which one of the following passwords is least likely to be compromised during a dictionary attack?
A. mike
B. elppa
C. dayorange
D. dlayna

9. What file is instrumental in preventing dictionary attacks against Unix systems?
A. /etc/passwd
B. /etc/shadow
C. /etc/security
D. /etc/pwlog

10. Which one of the following tools can be used to launch a distributed denial of service attack against a system or network?
A. Satan
B. Saint
C. Trinoo
D. Nmap

11. Which one of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?
A. Teardrop
B. Smurf
C. Ping of death
D. SYN flood

12. What type of reconnaissance attack provides hackers with useful information about the services running on a system?
A. Session hijacking
B. Port scan
C. Dumpster diving
D. IP sweep
13. A hacker located at IP address 184.108.40.206 wants to launch a Smurf attack on a victim machine located at IP address 220.127.116.11 utilizing a third-party network located at 18.104.22.168/16. What would be the source IP address on the single packet the hacker transmits?
B. 22.214.171.124
C. 126.96.36.199

14. What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?
A. Stealth virus
B. Companion virus
C. Polymorphic virus
D. Multipartite virus

15. What is the minimum size a packet can be to be used in a ping of death attack?
A. 2,049 bytes
B. 16,385 bytes
C. 32,769 bytes
D. 65,537 bytes

16. Jim recently downloaded an application from a website that ran within his browser and caused his system to crash by consuming all available resources. Of what type of malicious code was Jim most likely the victim?
A. Virus
B. Worm
C. Trojan horse
D. Hostile applet

17. Alan is the security administrator for a public network. In an attempt to detect hacking attempts, he installed a program on his production servers that imitates a well-known operating system vulnerability and reports exploitation attempts to the administrator. What is this type of technique called?
A. Honey pot
B. Pseudo-flaw
C. Firewall
D. Bear trap
18. What technology does the Java language use to minimize the threat posed by applets?
A. Confidentiality
B. Encryption
C. Stealth

19. Renee is the security administrator for a research network. She’s attempting to convince her boss that they should disable two unused services—chargen and echo. What attack is the network more vulnerable to with these services running?
A. Smurf
B. Land
C. Fraggle
D. Ping of death

20. Which one of the following attacks uses a TCP packet with the SYN flag set and identical source/destination IP addresses and ports?
A. Smurf
B. Land
C. Fraggle
D. Ping of death
Answers to Review Questions
1. B. The Master Boot Record is a single sector of a floppy disk or hard drive. Each sector is normally 512 bytes. The MBR contains only enough information to direct the proper loading of the operating system.
2. C. The TCP/IP handshake consists of three phases: SYN, SYN/ACK, and ACK. Attacks like the SYN flood abuse this process by taking advantage of weaknesses in the handshaking protocol to mount a denial of service attack.
3. B. The time-of-check-to-time-of-use (TOCTTOU) attack relies upon the timing of the execution of two events.
4. D. The Good Times virus is a famous hoax that does not actually exist.
5. A. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.
6. A. Companion viruses are self-contained executable files with filenames similar to those of existing system/program files but with a modified extension. The virus file is executed when an unsuspecting user types the filename without the extension at the command prompt.
7. C. The vast majority of new malicious code objects exploit known vulnerabilities that were already addressed by software manufacturers. The best action administrators can take against new threats is to maintain the patch level of their systems.
8. D. All of the other choices are forms of common words that might be found during a dictionary attack. Mike is a name and would be easily detected. Elppa is simply apple spelled backwards, and dayorange combines two dictionary words. Crack and other utilities can easily see through these “sneaky” techniques. Dlayna is simply a random string of characters that a dictionary attack would not uncover.
9. B. Shadow password files move encrypted password information from the publicly readable /etc/passwd file to the protected /etc/shadow file.
10. C. Trinoo and the Tribal Flood Network (TFN) are the two most commonly used distributed denial of service (DDoS) attack toolkits. The other three tools mentioned are reconnaissance techniques used to map networks and scan for known vulnerabilities.
11. A. The teardrop attack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.
12. B. Port scans reveal the ports associated with services running on a machine and available to the public.
13. B. The single packet would be sent from the hacker to the third-party network. The source address of this packet would be the IP address of the victim (188.8.131.52), and the destination address would be the broadcast address of the third-party network (184.108.40.206).
14. D. Multipartite viruses use two or more propagation techniques (e.g., file infection and boot sector infection) to maximize their reach.
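The answer key describes several network attacks by their packet-level signature (Land, Smurf, Fraggle, ping of death, teardrop). The following Python is an added example, not from the study guide, that turns those descriptions into a small detector run over constructed packet records; the record field names (proto, flags, dst_is_bcast, total_len, fragments) and the sample values are assumptions made for the illustration.

```python
# Added example, not from the study guide: the packet-level signatures the answer key
# describes, applied to constructed packet records (plain dicts, no capture library).
IP_MAX_DATAGRAM = 65535   # largest legal IPv4 datagram; a ping of death exceeds it
FRAGGLE_PORTS = {7, 19}   # UDP echo and chargen, the services from question 19

def overlapping_fragments(frags):
    """Teardrop check: True if any two (offset, length) fragment spans overlap."""
    spans = sorted(frags)
    return any(o2 < o1 + l1 for (o1, l1), (o2, _) in zip(spans, spans[1:]))

def classify(pkt):
    """Return the attack labels whose signature this packet record matches."""
    hits, proto, bcast = [], pkt.get("proto"), pkt.get("dst_is_bcast", False)
    # Land: TCP SYN whose source and destination address AND port are identical
    if (proto == "tcp" and "SYN" in pkt.get("flags", ()) and pkt["src"] == pkt["dst"]
            and pkt.get("sport") == pkt.get("dport")):
        hits.append("land")
    # Smurf: ICMP echo request aimed at a broadcast address (the amplifier network)
    if proto == "icmp" and pkt.get("type") == "echo-request" and bcast:
        hits.append("smurf")
    # Fraggle: the UDP counterpart, aimed at echo/chargen on a broadcast address
    if proto == "udp" and pkt.get("dport") in FRAGGLE_PORTS and bcast:
        hits.append("fraggle")
    # Ping of death: reassembled ICMP datagram larger than IPv4 allows
    if proto == "icmp" and pkt.get("total_len", 0) > IP_MAX_DATAGRAM:
        hits.append("ping-of-death")
    # Teardrop: fragments of one datagram whose byte ranges overlap
    if overlapping_fragments(pkt.get("fragments", [])):
        hits.append("teardrop")
    return hits

def scan(records):
    """Map each attack label to the number of records that matched it."""
    counts = {}
    for pkt in records:
        for label in classify(pkt):
            counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample records (not real traffic), using RFC 5737 documentation addresses.
SAMPLE = [
    {"proto": "tcp", "flags": ("SYN",), "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139},
    {"proto": "icmp", "type": "echo-request", "src": "192.0.2.10", "dst": "198.51.100.255", "dst_is_bcast": True},
    {"proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.255", "dport": 19, "dst_is_bcast": True},
    {"proto": "icmp", "type": "echo-request", "src": "192.0.2.10", "dst": "203.0.113.5", "total_len": 65537},
    {"proto": "udp", "src": "192.0.2.10", "dst": "203.0.113.5", "dport": 53, "fragments": [(0, 1480), (1400, 200)]},
    {"proto": "tcp", "flags": ("SYN",), "src": "192.0.2.10", "dst": "203.0.113.5", "sport": 40000, "dport": 80},
]
```

Running `scan(SAMPLE)` flags one record per attack and leaves the ordinary SYN to port 80 unlabelled; real deployments would also need the fragment reassembly state that the teardrop check assumes has already been collected per datagram.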