2. What country is the top host of SQL Injection and SQL Slammer infections? Why can’t the US Government do anything to prevent these injection attacks and infections? The United States of America is at the top of the list when it comes to SQL Injections and SQL Slammer infections; China comes in second. Cybercriminals have made vast improvements to their infrastructure over the last few years. That expansion rests on thousands of websites vulnerable to SQL Injection. Malicious code writers have exploited these vulnerabilities to distribute malware so quickly that the government cannot contain such a large quantity. The infected web servers redirected unsuspecting visitors to malicious websites, where the victims’ computers were subjected to client-side exploit code. Once infected, these computers were added to the thousands of bots under the control of hackers. The attackers knew antivirus companies would write updates and software vendors would patch their code, so they made sure their malicious web sites were loaded with a variety of exploit codes.
3. What does it mean to have a policy of Nondisclosure in an organization? It is a contract where the parties agree not to disclose information covered by the agreement. It outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties.
4. What Trends were tracked when it came to Malicious Code in 2009 by the Symantec Report researched during this lab? DoS attacks are always common; however, targeted attacks using advanced persistent threats (APT) that occurred in 2009 made headlines.
5. What is Phishing? Describe what a typical Phishing attack attempts to accomplish. Phishing is Internet fraud that attempts to gain users’ credentials by deception. It includes theft of passwords, credit card numbers, bank account details and other confidential information. Phishing messages usually take the form of fake notifications from banks, providers, e-pay systems and other organizations. These notifications encourage their recipients to enter/update their personal data. Excuses can vary but usually relate to loss of data, system breakdown, etc.
6. What is the Zero Day Initiative? Do you think this is valuable, and would you participate if you were the managing partner in a large firm? It is a program for rewarding security researchers for responsibly disclosing vulnerabilities. The outcome can be good for the company in terms of protecting its infrastructure from harm, but may also expose weaknesses that can damage the company’s reputation. This policy further reassures researchers that in no case will any of their discoveries be “swept under the rug.” I would participate, but we must pass an internal audit with flying colors before signing up with the program.
7. What is a Server Side Include (SSI)? What are the ramifications if an SSI exploit is successful? The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be exploited by manipulating SSI already in use in the application or by forcing its use through user input fields. The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected into input fields and sent to the web server. The web server parses and executes the directives before supplying the page. The result of the attack is then visible the next time the page is loaded in the user’s browser.
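The input-field path described above is the one a web application can close itself: anything a user submits that will later be written into a server-parsed page must never reach the SSI parser as a live directive. The following is an added example, not code from the lab or the report, showing a small filter that detects Apache-style SSI directive syntax in submitted text and an escaping step that neutralizes it; the sample inputs are constructed for the example.

```python
import html
import re

# Apache-style SSI directives look like <!--#exec cmd="..." --> or
# <!--#include virtual="..." -->. Match the comment opener, optional
# whitespace, '#', and the directive name, case-insensitively and
# across line breaks so a split directive is still caught.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)\b.*?-->", re.IGNORECASE | re.DOTALL)

# Constructed sample submissions: one benign, two carrying directives.
SAMPLE_INPUTS = [
    "Thanks for the quick reply!",
    'Nice site <!--#exec cmd="id" -->',
    "look <!-- #include virtual=\"/etc/passwd\" --> here",
]


def find_ssi_directives(text: str) -> list:
    """Return the lower-cased names of SSI directives found in user text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def accept_input(text: str) -> bool:
    """Policy check: reject any submission that carries an SSI directive."""
    return not find_ssi_directives(text)


def safe_for_ssi_page(text: str) -> str:
    """HTML-escape user text before it is stored for a server-parsed page.
    '<' becomes '&lt;', so '<!--#...-->' can no longer open a comment that
    the SSI parser would interpret; the text is displayed, not executed."""
    return html.escape(text, quote=True)


def scan_inputs(inputs: list) -> dict:
    """Map each submission to the directive names it contains (empty if clean)."""
    return {text: find_ssi_directives(text) for text in inputs}


if __name__ == "__main__":
    for text, hits in scan_inputs(SAMPLE_INPUTS).items():
        verdict = "REJECT" if hits else "ok"
        print(f"{verdict:6} {hits} {safe_for_ssi_page(text)}")
```

Filtering on the application side complements, rather than replaces, limiting what SSI may do on the server (Apache's IncludesNOEXEC option disables the exec directive for a directory).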
8. According to the TippingPoint Report researched in this lab how do SMB attacks measure up to HTTP attacks in the recent past? Symantec identified a significant shift in attackers’ tactics: 31% of targeted attacks were aimed at businesses with fewer than 250 employees. This shows a threefold increase from Symantec Corp.’s 2012 report, and is the latest sign that attackers are broadening their search for susceptible targets.
9. According to the TippingPoint Report, what are some of the PHP RFI payload effects DVLabs has detected this year? The common vulnerabilities in a CMS are unpatched or poorly patched plug-ins rather than the core system. Poor patch management represents a large hole in the overall security of the organization.
10. Explain the steps it takes to execute a Malicious PDF Attack as described in the Tipping Point Report? Each new release of a toolkit is likely to contain a new zero-day exploit that gives the attacker higher chances of infecting targeted hosts. Some toolkits keep very old exploits (4+ years) to cover a corner case in which targeted hosts are running older, unpatched versions of vulnerable software. Attackers infect as many hosts as possible to increase profitability by monetizing the exploited systems.
11. What is a Zero Day attack and how does this relate to an organization’s vulnerability window? A zero day vulnerability is a hole in software that is unknown to the vendor. Hackers exploit it before the vendor realizes it and hurries to fix it. The organization is vulnerable until the vendor comes out with a patch.
12. How can you mitigate the risk from users and employees clicking on an embedded URL link or e-mail attachment from unknown sources? Constant awareness efforts continuously made throughout the organization. Ensure spoofing is included in the organization’s AUP, and practice risk mitigation exercises to embed in the users’ minds not to click on unsolicited messages, especially those from social media.
13. When auditing an organization for compliance, what role do IT security policies and an IT security policy framework play in the compliance audit? They play a very important role. Managers are responsible for placing and monitoring IT controls on systems. Senior managers are responsible for making the organization meet governance requirements. System administrators are responsible for implementing IT controls and providing data custodian functions. Risk managers are responsible for managing risks associated with compliance within the organization. IT auditors are responsible for information assurance. Data owners are responsible for identifying which data needs to be protected.
14. When performing a security assessment, why is it a good idea to examine compliance in separate compartments like the seven domains of a typical IT infrastructure? They are tied together.
15. True or False. Auditing for compliance and performing security assessments to achieve compliance requires a checklist of compliance requirements. True. There are different requirements for each type of compliance.