Computer Security Principles And Practice 3rd Edition by Stallings – Test Bank
Chapter 6 – Malicious Software
TRUE/FALSE QUESTIONS:
T F 1. Malicious software aims to trick users into revealing sensitive personal data.
T F 2. Keyware captures keystrokes on a compromised system.
T F 3. Metamorphic code is software that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
T F 4. A virus that attaches to an executable program can do anything that the program is permitted to do.
T F 5. It is not possible to spread a virus via a USB stick.
T F 6. A logic bomb is the event or condition that determines when the payload is activated or delivered.
T F 7. Many forms of infection can be blocked by denying normal users the right to modify programs on the system.
T F 8. A macro virus infects executable portions of code.
T F 9. E-mail is a common method for spreading macro viruses.
T F 10. In addition to propagating, a worm usually carries some form of payload.
T F 11. A Trojan horse is an apparently useful program containing hidden code that, when invoked, performs some harmful function.
T F 12. Packet sniffers are mostly used to retrieve sensitive information like usernames and passwords.
T F 13. A bot propagates itself and activates itself, whereas a worm is initially controlled from some central facility.
T F 14. Every bot has a distinct IP address.
T F 15. Programmers use backdoors to debug and test programs.
MULTIPLE CHOICE QUESTIONS:
1. A program that is covertly inserted into a system with the intent of compromising the integrity or confidentiality of the victim’s data is __________.
A. Adobe B. Animoto
C. malware D. Prezi
2. __________ are used to send large volumes of unwanted e-mail.
A. Rootkits B. Spammer programs
C. Downloaders D. Auto-rooter
3. A __________ is code inserted into malware that lies dormant until a predefined condition, which triggers an unauthorized act, is met.
A. logic bomb B. trapdoor
C. worm D. Trojan horse
4. The term “computer virus” is attributed to __________.
A. Herman Hollerith B. Fred Cohen
C. Charles Babbage D. Albert Einstein
5. Computer viruses first appeared in the early __________.
A. 1960s B. 1970s
C. 1980s D. 1990s
6. The __________ is what the virus “does”.
A. infection mechanism B. trigger
C. logic bomb D. payload
7. The __________ is when the virus function is performed.
A. dormant phase B. propagation phase
C. triggering phase D. execution phase
8. During the __________ the virus is idle.
A. dormant phase B. propagation phase
C. triggering phase D. execution phase
9. A __________ uses macro or scripting code, typically embedded in a document and triggered when the document is viewed or edited, to run and replicate itself into other such documents.
A. boot sector infector B. file infector
C. macro virus D. multipartite virus
10. __________ is the first function in the propagation phase for a network worm.
A. Propagating B. Fingerprinting
C. Keylogging D. Spear phishing
11. Unsolicited bulk e-mail is referred to as __________.
A. spam B. propagating
C. phishing D. crimeware
12. __________ is malware that encrypts the user’s data and demands payment in order to access the key needed to recover the information.
A. Trojan horse B. Ransomware
C. Crimeware D. Polymorphic
13. A __________ attack is a bot attack on a computer system or network that causes a loss of service to users.
A. spam B. phishing
C. DDoS D. sniff
14. The ideal solution to the threat of malware is __________.
A. identification B. removal
C. detection D. prevention
15. __________ will integrate with the operating system of a host computer and monitor program behavior in real time for malicious actions.
A. Fingerprint-based scanners B. Behavior-blocking software
C. Generic decryption technology D. Heuristic scanners
SHORT ANSWER QUESTIONS:
1. A _________ is a set of programs installed on a system to maintain covert access to that system with administrator (root) privileges while hiding evidence of its presence.
2. A __________ uses multiple methods of infection or propagation to maximize the speed of contagion and the severity of the attack.
3. A computer __________ is a piece of software that can “infect” other programs or any type of executable content and tries to replicate itself.
4. Sometimes referred to as the “infection vector”, the __________ is the means by which a virus spreads or propagates.
5. Sometimes known as a “logic bomb”, the __________ is the event or condition that determines when the payload is activated or delivered.
6. The four phases of a typical virus are: dormant phase, triggering phase, execution phase and __________ phase.
7. During the __________ phase the virus is activated to perform the function for which it was intended.
8. A __________ virus is explicitly designed to hide itself from detection by anti-virus software.
9. __________ code refers to programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
10. A __________ is when a user views a Web page controlled by the attacker that contains code that exploits a browser bug and downloads and installs malware on the system without the user’s knowledge or consent.
11. A __________ is a collection of bots capable of acting in a coordinated manner.
12. A bot can use a __________ to capture keystrokes on the infected machine to retrieve sensitive information.
13. Countermeasures for malware are generally known as _________ mechanisms because they were first developed to specifically target virus infections.
14. Developed by IBM and refined by Symantec, the __________ provides a malware detection system that will automatically capture, analyze, add detection and shielding, or remove new malware and pass information about it to client systems so the malware can be detected before it is allowed to run elsewhere.
15. __________ technology is an anti-virus approach that enables the anti-virus program to easily detect even the most complex polymorphic viruses and other malware, while maintaining fast scanning speeds.
Chapter 6 – Malicious Software
Answer Key
TRUE/FALSE QUESTIONS:
1. T
2. F
3. F
4. T
5. F
6. T
7. T
8. F
9. T
10. T
11. T
12. T
13. F
14. T
15. T
MULTIPLE CHOICE QUESTIONS:
1. C
2. B
3. A
4. B
5. C
6. D
7. D
8. A
9. C
10. B
11. A
12. B
13. C
14. D
15. B
SHORT ANSWER QUESTIONS:
1. rootkit
2. blended attack
3. virus
4. infection mechanism
5. trigger
6. propagation
7. triggering
8. stealth
9. Mobile
10. drive-by-download
11. botnet
12. keylogger
13. anti-virus
14. digital immune system
15. Generic decryption (GD)
Chapter 7 – Denial-of-Service Attacks
TRUE/FALSE QUESTIONS:
T F 1. A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service.
T F 2. DoS attacks cause damage or destruction of IT infrastructures.
T F 3. A DoS attack targeting application resources typically aims to overload or crash its network handling software.
T F 4. The SYN spoofing attack targets the table of TCP connections on the server.
T F 5. A cyberslam is an application attack that consumes significant resources, limiting the server’s ability to respond to valid requests from other users.
T F 6. The source of the attack is explicitly identified in the classic ping flood attack.
T F 7. Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address.
T F 8. SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol.
T F 9. The attacker needs access to a high-volume network connection for a SYN spoof attack.
T F 10. Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.
T F 11. The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised.
T F 12. A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption.
T F 13. Slowloris is a form of ICMP flooding.
T F 14. Reflector and amplifier attacks use compromised systems running the attacker’s programs.
T F 15. There is very little that can be done to prevent a flash crowd.
MULTIPLE CHOICE QUESTIONS:
1. ______ relates to the capacity of the network links connecting a server to the wider Internet.
A. Application resource B. Network bandwidth
C. System payload D. Directed broadcast
2. A ______ triggers a bug in the system’s network handling software, causing it to crash, so that the system can no longer communicate over the network until this software is reloaded.
A. echo B. reflection
C. poison packet D. flash flood
3. Using forged source addresses is known as _________.
A. source address spoofing B. a three-way address
C. random dropping D. directed broadcast
4. The ______ attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
A. DNS amplification attack B. SYN spoofing attack
C. basic flooding attack D. poison packet attack
5. TCP uses the _______ to establish a connection.
A. zombie B. SYN cookie
C. directed broadcast D. three-way handshake
6. _______ bandwidth attacks attempt to take advantage of the disproportionately large resource consumption at a server.
A. Application-based B. System-based
C. Random D. Amplification
7. _______ is a text-based protocol with a syntax similar to that of HTTP.
A. RIP B. DIP
C. SIP D. HIP
8. Bots starting from a given HTTP link and then following all links on the provided Web site in a recursive way is called _______.
A. trailing B. spidering
C. spoofing D. crowding
9. ______ attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete.
A. HTTP B. Reflection attacks
C. SYN flooding D. Slowloris
10. A characteristic of reflection attacks is the lack of _______ traffic.
A. backscatter B. network
C. three-way D. botnet
11. In both direct flooding attacks and ______ the use of spoofed source addresses results in response packets being scattered across the Internet and thus detectable.
A. SYN spoofing attacks B. indirect flooding attacks
C. ICMP attacks D. system address spoofing
12. In a _______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.
A. SYN flood B. DNS amplification
C. poison packet D. UDP flood
13. It is possible to specifically defend against the ______ by using a modified version of the TCP connection handling code.
A. three-way handshake B. UDP flood
C. SYN spoofing attack D. flash crowd
14. Modifying the system’s TCP/IP network code to selectively drop an entry for an incomplete connection from the TCP connections table when it overflows, allowing a new connection attempt to proceed, is _______.
A. poison packet B. slashdot
C. backscatter traffic D. random drop
15. When a DoS attack is detected, the first step is to _______.
A. identify the attack B. analyze the response
C. design blocking filters D. shut down the network
SHORT ANSWER QUESTIONS:
1. The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are known as _______ traffic.
2. _____ attacks flood the network link to the server with a torrent of malicious packets competing with valid traffic flowing to the server.
3. The standard protocol used for call setup in VoIP is the ________ Protocol.
4. Requests and _______ are the two different types of SIP messages.
5. A _______ flood refers to an attack that bombards Web servers with HTTP requests.
6. During a ______ attack, the attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system, and when the intermediary responds, the response is sent to the target.
7. In reflection attacks, the ______ address directs all the packets at the desired target and any responses to the intermediary.
8. ______ attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to intermediaries.
9. The best defense against broadcast amplification attacks is to block the use of _______ broadcasts.
10. The four lines of defense against DDoS attacks are: attack prevention and preemption, attack detection and filtering, attack source traceback and identification, and _______.
11. Since filtering needs to be done as close to the source as possible by routers or gateways knowing the valid address ranges of incoming packets, an _______ is best placed to ensure that valid source addresses are used in all packets from its customers.
12. A ______ is a graphical puzzle used to attempt to identify legitimate human-initiated interactions.
13. To respond successfully to a DoS attack a good ______ plan is needed that includes details of how to contact technical personnel for your ISP(s).
14. If an organization is dependent on network services it should consider mirroring and ________ these servers over multiple sites with multiple network connections.
15. A _____ is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.
Chapter 7 – Denial-of-Service Attacks
Answer Key
TRUE/FALSE QUESTIONS:
1. T
2. F
3. F
4. T
5. T
6. T
7. F
8. T
9. F
10. T
11. T
12. T
13. F
14. F
15. T
MULTIPLE CHOICE QUESTIONS:
1. B
2. C
3. A
4. B
5. D
6. A
7. C
8. B
9. D
10. A
11. A
12. B
13. C
14. D
15. A
SHORT ANSWER QUESTIONS:
1. backscatter
2. Flooding
3. Session Initiation
4. responses
5. HTTP
6. reflection
7. spoofed source
8. Amplification
9. IP-directed
10. attack reaction
11. ISP
12. captcha
13. incident response
14. replicating
15. denial-of-service (DoS)