Sophos Threat saurus Exam Questions and Answers All Correct Advanced Persistent Threat (APT) - Answer -Type of targeted attack, characterized by an attacker who has time and resources to plan an infiltration into a network. These attackers actively manage their attack once they have a foothold in a network and are usually seeking information, proprietary or economic, rather than simple financial data. APTs are persistent in that the attackers may remain on a network for some time. APTs should not be confused with botnets, which are usually opportunistic and indiscrim inate attacks seeking any available victim rather than specific information. Adware - Answer -Software that displays advertisements on your computer. Displays advertising banners or pop -ups on your computer when you use an application. This is not necessarily a bad thing. Such advertising can fund the development of useful software, which is then distributed free (for example, Android apps and browser toolbars, many of which are adware funded). This becomes a problem if it: installs itself on your computer without your consent installs itself in applications other than the one it came with and displays advertising when you use those applications hijacks your web browser in order to display more ads (see Browser hijacker) gathers data on your web browsing without your consent and sends it to others via the Internet (see Spyware) is designed to be difficult to uninstall Adware can slow down your PC. It can also slow down your Internet connection by downloading advertisements. Sometimes programming flaws in the adware can make your computer unstable. Some antivirus programs detect adware and report it as potentially unwanted applications. You can then either authorize the adware program or remove it from your computer. There are also dedicated programs for detecting adware. Anonymizing proxy - Answer -Allow the user to hide their web browsing activity. They are often used to bypass web security filters —e.g., to access blocked sites from a work computer. Anonymizing proxies hold security and liability risks for organizations: Security: The anonymizing proxy bypasses web security and allows users to access unauthorized webpages Liability: Organizations can be legally liable if their computers are used to view pornography, hate material or to incite illegal behavior. There are als o ramifications if users violate third -party licenses through illegal MP3, film and software downloads Autorun worm - Answer -Malicious programs that take advantage of the Windows AutoRun feature. They execute automatically when the device on which they are stored is plugged into a computer. Are commonly distributed on USB drives, automatically infecting com puters as soon as the USB is plugged in. AutoPlay is a similar technology to AutoRun. It is initiated on removable media prompting users to choose to listen to music with the default media player, or to open the disk in Windows Explorer. Attackers have similarly exploited AutoPlay, most famously via the Conficker worm. On patche d and newer operating systems, Microsoft has set AutoRun to off by default. As a result, autorun worms should pose less of a threat in the future. Backdoor Trojan - Answer -Allows someone to take control of a user's computer without their permission. May pose as legitimate software to fool users into running it. Alternatively —as is increasingly common —users may unknowingly allow Trojans onto their com puter by following a link in spam email or visiting a malicious webpage. Once the Trojan runs, it adds itself to the computer's startup routine. It can then monitor the computer until the user is connected to the Internet. When the computer goes online, the person who sent the Trojan can perform many actions —for example, run programs on the infected computer, access personal files, modify and upload files, track the user's keystrokes, or send out spam email. Well -known backdoor Trojans include Netbus, Optix Pro, Subseven, BackOrifice and, more recently, Zbot or ZeuS. To avoid backdoor Trojans, you should keep your computers up to date with the latest patches (to close down vulnerabilities in the operating system), and run anti -spam and antivirus software. You should also use a firewall, which can prevent Trojans from accessing the Internet to make contact with the hacker. Boot sector malware - Answer -Spreads by modifying the program that enables your computer to start up. When you turn on a computer, the hardware looks for the boot sector program, which is usually on the hard disk (but can be on a CD/DVD or Flash Drive), an d runs it. This program then loads the rest of the operating system into memory. Replaces the original boot sector with its own, modified version (and usually hides the original somewhere else on the hard disk). The next time you start up, the infected boo t sector is used and the malware becomes active. Boot sectors are now used by some malware designed to load before the operating system in order to conceal its presence (e.g., TDL rootkit). Botnet - Answer -Collection of infected computers that are remotely controlled by a hacker. Once a computer is infected with malicious software (bot), the hacker can control the computer remotely over the Internet. From then on, the computer is a zombie, do ing the bidding of the hacker, although the user is completely unaware. Collectively, such computers are called a botnet. The hacker can share or sell access to control the botnet, allowing others to use it for malicious purposes. For example, a spammer ca n use a botnet to send out spam email. The majority of all spam is distributed this way. This allows the spammers to avoid detection and to get around any blacklisting applied to their own servers. It can also reduce their costs because the computer's owne r is paying for the Internet access. Hackers can also use botnets to launch a distributed denial -of-service attack (DDoS). They arrange for thousands of computers to attempt to access the same website simultaneously, so that the web server is unable to han dle all the requests reaching it. The website thus becomes inaccessible. (See Zombie, Denial -of-service attack, Spam, Backdoor Trojan, Command and control center) Browser hijacker - Answer -Change the default homepage and search engine in your Internet browser without your permission. You may find that you cannot change your browser's homepage once it has been hijacked. Some hijackers edit the Windows registry so tha t the hijacked settings are restored every time you restart your computer. Others remove options from the browser's tools menu, so that you can't reset the start page. Browser hijacking is used to boost advertising revenue, as in the use of blackhat Search Engine Optimization (SEO), to inflate a site's page ranking in search results. Browser hijackers can be very tenacious, as well as sneaky. Attackers use clickjacking, also known as a UI redress attack, by inserting multiple transparent, or opaque, layers on a webpage. This technique can trick a user into clicking on a button or link on a page other than the one they were intending to click on. Effectively the attacker is hijacking clicks meant for one page and routing them to other another page, most likel y owned by another application, domain, or both. Although these threats don't reside on your PC, they do affect your browsing experience. Brute force attack - Answer -Where hackers try a large number of possible keyword or password combinations to gain unauthorized access to a system or file. Are often used to defeat a cryptographic scheme, such as those secured by passwords. Hackers use comp uter programs to try a very large number of passwords to decrypt the message or access the system. To prevent brute force attacks, it is important to make your passwords as secure as possible. (See How to choose secure passwords) Buffer overflow - Answer -Occurs when a program stores excess data by overwriting other parts of the computer's memory, causing errors or crashes. Take advantage of this weakness by sending more data to a program than it expects. The program may then read i n more data than it has reserved space for and overwrite parts of the memory that the operating system is using for other purposes. This may allow unauthorized code to execute or crash the system. Contrary to popular belief, buffer overflows don't just happen in services (such as Windows operating systems) or core programs. They can occur in any application. Command and control center - Answer -Is a computer that controls a botnet (a network of compromised computers). Some botnets use distributed systems, making them more resilient. From this, hackers can instruct multiple computers to perform their desired activities. Often used to launch distributed denial -of-service attacks because they can instruct a vast number of computers to perform the same action at the same time. (See Botnet, Zombie, Denial -of-service attack) Cookie - Answer -Files placed on your computer that allow websites to remember details. When you visit a website, it can place a file on your computer. This allows the website to remember your details and track your visits. Can be a threat to your privacy, but they cannot infect your computer. Were designed to be helpful. For example, when you visit a website, a cookie can store your preferences or login information so you don't have to re -enter them the next time. Also have benefits for webmasters, as they show which webpages are most used, providing useful input when planning a redesign of the
