Malware and Virus Prevention

Questions and Answers

Which action can Windows Defender be configured to perform automatically upon detecting a threat?

• Adjusting the computer's fan speed.
• Creating a system restore point.
• Automatically disabling the software. (correct)
• Sending a report to the software developer.

What is a key difference between anti-spam products operating at the corporate level versus those at the host level?

• Corporate-level products filter messages after they reach the personal inbox.
• Host-level products filter messages as they enter or leave email servers.
• Corporate-level products filter messages as they enter or leave designated email servers. (correct)
• Host-level products are typically more expensive to implement.

Why is disabling autorun for removable media recommended as a malware prevention measure?

• It speeds up the transfer of files from the removable media.
• It automatically encrypts all files on the device.
• It blocks programs from automatically running when the media is inserted, preventing potential malware. (correct)
• It prevents the operating system from recognizing the device.

Besides operating system updates, what other type of updates is crucial for malware prevention?

Application updates for installed software. (A)

An IT department circulates advisories about new malicious threats. What action should users take upon receiving these advisories?

Take note of the advisory and remain vigilant. (B)

Why is it important to only download software from reliable sources as a malware prevention method?

Unreliable sources may bundle malware with the software. (D)

A user notices an unusually high amount of network activity and frequent pop-up ads. Which security software would be MOST helpful in immediately addressing these symptoms?

Personal software firewall (D)

A company wants to ensure its employees are protected from the latest malware threats. Which combination of actions would provide the MOST comprehensive protection?

Educating employees on safe software installation practices and keeping antivirus definitions updated. (C)

Which of the following is the primary function of anti-virus software?

To detect and eliminate malware from a system. (C)

Why is it crucial to regularly update the virus dictionary in anti-virus software?

To detect and remove newly discovered viruses. (B)

What is a key limitation of signature-based scanning in anti-virus software?

It cannot catch viruses that are not already in its virus dictionary. (C)

How does heuristic scanning differ from signature-based scanning in detecting malware?

Heuristic scanning examines code behavior for suspicious activity, while signature-based scanning looks for known virus patterns. (A)

A software is flagged as potentially malicious due to its attempt to modify system files and create hidden processes. Which type of anti-malware scanning likely identified this?

Heuristic scanning, based on suspicious behavior analysis. (D)

Which of the following software would be most effective in preventing unwanted advertisements from appearing on a user's screen while browsing the internet?

Pop-up Blockers (B)

A user notices an increased amount of unsolicited email in their inbox. Which type of software could help mitigate this issue?

Anti-spam Software (A)

A security analyst discovers that a new malware variant is not being detected by their current anti-virus software, which relies primarily on signature-based detection. What is the MOST effective short-term solution to enhance detection capabilities against this new threat?

Implement a host-based intrusion detection system (HIDS) with custom rules to monitor for suspicious behavior. (D)

In a columnar transposition cipher, if the key length is 6, how many different possible key arrangements are there?

720 (A)

Given a columnar transposition cipher with the key WORD, and the plaintext is 'THE QUICK BROWN FOX', what is the first word of the resulting ciphertext?

HROE (D)

With a columnar transposition cipher using key STAR, and the ciphertext is 'SAOT HRTE', what is the plaintext?

THAT SURE (D)

Using the Rail Fence cipher with a key of 4, what is the ciphertext for the plaintext 'DEFEND THE EAST WALL'?

DNETEAL EFHESDWL TA (C)

A message encrypted with a Rail Fence cipher and a key of 3 yields the ciphertext 'WEOERD CAE IE DSEDL'. What is the original plaintext?

WE ARE DISCOVERED FLEE (A)

What primary security measure could RSA have implemented to proactively defend against the attack, as suggested in the provided text?

Implementing real-time fraud detection systems using user and account profiling. (D)

The 'Nigerian Scam' is categorized as what type of fraudulent scheme?

An advance fee fraud, also known as 419 fraud. (B)

What is the main purpose of Open-Source Intelligence (OSINT) gathering in the context of cyber attacks?

To gather information for social engineering and phishing attacks. (B)

Frank Abagnale, Jr., whose exploits were depicted in 'Catch Me If You Can', was known primarily for what skill?

His skill in impersonation and fraud. (D)

What is the 'ILOVEYOU' worm primarily known for?

Its rapid spread through email with a catchy subject line. (D)

What is Kevin Mitnick primarily known for in the world of cybersecurity?

His exceptional social engineering skills. (A)

Based on the additional readings provided, what common psychological aspect do phishing scammers often manipulate?

The amygdala and oxytocin response. (D)

What key element distinguishes social engineering from other hacking methods?

Manipulating individuals to divulge information or perform actions. (D)

According to the sensitivity classification, what is the correct order from most sensitive to least sensitive?

Official, Official(Closed), (Closed)\Sensitive, (Closed)\Non-Sensitive, Normal (B)

The provided frequency distribution of letters is most likely from which of the following ciphers, given its relatively uniform shift?

A Caesar cipher due to its simple alphabetic shift. (B)

If a ciphertext has 'G' as the most frequent and 'V' as the second most frequent letter, which cipher is most likely responsible?

Caesar cipher, due to the consistent shift in letter frequencies. (A)

In a Caesar ciphertext, if 'K' is the highest frequency letter, what is the most likely key used for encryption?

6 (A)

Which of the following best describes the primary goal of social engineering?

To manipulate individuals into divulging information or performing actions. (C)

A message encrypted with a Caesar cipher has the ciphertext 'Lipps Asvph'. Assuming a standard shift, what is the original plaintext?

Hello World (A)

Why is it difficult to completely eliminate social engineering attacks?

Because people are naturally trusting and helpful, making them susceptible to manipulation. (B)

Which of the following is a primary weakness of the Caesar cipher that makes it vulnerable to cryptanalysis?

Its short key length and limited number of possible shifts. (D)

What potential legal consequences might individuals face for engaging in social engineering?

Criminal charges leading to potential jail time. (C)

A Caesar cipher with a key of 3 encrypts 'hello'. If you then decrypt the resulting ciphertext with a key of -3, what do you get?

hello (C)

You intercepted the message 'Bzcd', which you believe was encrypted using a Caesar cipher. Knowing that 'a' was encrypted as 'b', what is the decrypted message?

Yabc (D)

An attacker uses information found on a company's website, such as employee names and positions, to craft a convincing phishing email. Which OSINT aspect is most directly contributing to the success of this attack?

Collecting personal details of employees to personalize the attack. (C)

In what scenario would OSINT techniques be LEAST effective for a social engineer?

When targeting an individual with a completely private online profile and no public data. (A)

A social engineer aims to gather information about a target company. Which of these OSINT activities would likely provide the MOST valuable insights for crafting a convincing pretext?

Searching social media for employee posts about ongoing projects and internal events. (A)

A penetration tester is contracted to assess a company's vulnerability to social engineering. How could they effectively use OSINT to enhance the realism and effectiveness of their simulated attacks?

By using OSINT to gather detailed information about employees, their roles, and ongoing projects to create highly targeted phishing campaigns. (B)

An attacker seeks to compromise a company's network by targeting a high-level executive. Which of the following OSINT steps would be MOST crucial in preparing a spear-phishing attack against this individual?

Compiling a list of the executive's professional connections and recent business activities through LinkedIn and industry publications. (D)

Flashcards

Malware Protection

Methods and tools designed to protect systems from malware.

Anti-virus Software

Software designed to detect and remove malware.

Signature-based Scanning

Scans files by comparing their code to known virus signatures in a dictionary.

Virus Dictionary

A database of unique binary patterns used to identify known viruses.

Update Virus Signatures

Regularly updating the virus dictionary to include newly discovered threats.

Heuristic Scanning

Detects malware by analyzing the behavior of a program or code.

Suspicious Behaviour

Anything suspicious or potentially malicious that requires further examination is closely examined.

Virus Signature

A unique string of bits or binary pattern that identifies a specific virus.

Windows Defender Software Explorer

Provides details on software, indicating if it's safe or malware, file size, and publication date.

Windows Defender Configurable Responses

Lets you configure actions against detected threats: disable, quarantine, uninstall software.

Anti-Spam Products

Filters junk emails automatically at the corporate or host level.

Malware Prevention - Safe Practices

Careful software installation, downloads from reliable sources, disabling autorun on removable media.

Personal Software Firewall

Software that blocks unwanted network traffic.

Operating System Updates

Regular updates patch bugs that could be exploited by malware.

Application Updates

Patches vulnerabilities and enhances security, separate from OS updates.

Transposition Cipher

Rearranges the order of characters in a message to encrypt it.

Columnar Transposition Cipher

A transposition cipher where the plaintext is written horizontally in rows, and then read out vertically in columns to create the ciphertext.

Key (in Columnar Transposition)

The secret word or phrase used to determine the order in which columns are read in a columnar transposition cipher.

Key in Rail Fence Cipher

The number representing how many rows to write the message in.

Rail Fence Cipher

A simple transposition cipher where the plaintext is written diagonally along rails, then read off in rows.

Fraud detection systems

Using statistical models and rules to detect unusual user or account activity for real-time intervention.

Kevin Mitnick

A hacker known for expertise in manipulating people to gain access to systems or information.

Nigerian Scam

A type of fraud involving an advance fee that the victim never recovers.

Open-Source Intelligence (OSINT)

Gathering information from publicly available sources.

OSINT in Cyber Attacks

Cyber attacks use OSINT to gather information for social engineering and phishing attacks.

Social Engineering

Defined as manipulating individuals into divulging confidential or personal information that can be used for fraudulent purposes.

Phishing

A technique to decieve individuals into revealing sensitive information or installing malware through deceptive emails, messages or websites seeming legitimate.

ILOVEYOU Worm

A computer worm that propagated via email with the subject line "ILOVEYOU".

OSINT (Open Source Intelligence)

Techniques to gather information from publicly available sources, used by attackers to identify potential vulnerabilities.

Is Social Engineering legal?

Social engineering is an illegal act. You can be charged and may face a jail term in some countries.

Why is social engineering effective?

Trusting nature of people.

Motives behind Social Engineering?

To obtain information, competitive edge, or sabotage.

The purpose of social engineering is...

Persuading the victim to perform some action for the hacker.

Social Engineering is...

Manipulation of trust.

Social Engineering involves...

Influence and persuasion.

Official (Closed)

Closed' indicates that access to the information is restricted to a specific group or individuals.

Official Sensitive

Sensitive' indicates that the information requires special handling due to its potential impact if compromised or disclosed.

Official Normal

Normal' indicates information that does not require special handling or protection.

Frequency Analysis in Caesar Cipher

Caesar ciphers shift letters by a fixed amount, preserving the original frequency distribution of letters.

Caesar Cipher

A Caesar cipher shifts each letter by a constant number of positions in the alphabet.

Most Frequent Letter in English

In the English language, 'E' is the most frequent letter.

Caesar Cipher Key based on Frequency

If 'G' is the most frequent letter in a Caesar ciphertext, it's likely the original 'E' was shifted to 'G'.

Caesar Cipher Key with K as highest frequency

If K is the highest frequency letter, we can find the key by calculating the shift from E to K

Study Notes

C235 IT Security and Management - Lesson 2.1: Types of Malware

• Addresses learning objectives to explain malware definitions, categorize malware, distinguish categories, and explain potential dangers and damages.

Malware

• Refers to unwanted software running on a computer that performs malicious actions.
• Exploits weaknesses or bugs in the target machine.
• Steals information, causes damage (e.g., corrupting or removing files), causes annoyances (e.g., pop-up advertising), sends spam emails, and opens backdoors.
• A backdoor is an avenue providing system access, circumventing security, and can lead to installing additional files for further compromise.

Types of Malware

• Virus
• Worm
• Rootkit
• Trojan
• Spyware
• Botnet
• Scareware
• Adware
• Logic Bomb
• Ransomware
• Zero day

Virus

• Piece of malicious code that replicates by attaching itself to another piece of executable code.
• When the executable code is run, the virus also executes to infect other files and perform designed malicious actions.
• The way viruses infect files and the type of files infected depends on the type of virus.

Types of Virus

• Boot Sector Virus
• Program Virus
• Macro Virus

Boot Sector Virus

• Infects the boot sector code of a drive which runs when the computer is turned on/restarted.
• Can be difficult to remove because the boot program is the first the computer runs.
• If the boot sector is infected, the virus can ensure copies of itself are placed in other operating system files.
• A boot sector is a region of a hard, floppy, or optical disk with machine code to be loaded into RAM by a computer's built-in firmware.

Program Virus

• Attaches to executable files, typically those ending in .exe or .com on Windows systems.
• The virus is attached so that it is executed before the program.
• Program viruses are often not detected until after they execute their malicious payload.
• Payload is the part of a program that does damage; for example, a virus payload can damage the operating system.

Macro Virus

• Also known as a document virus, it launches when a document is opened, searching for other documents to infect.
• Can insert itself into the standard document template, infecting every newly created document.
• Further spreads when infected documents are emailed around to other users.
• Macro is a series of commands/actions to automate tasks; it is effectively a program but short and simple.

Worm

• A standalone program that replicates independently by sending itself to to other systems.
• Worms do not have to attach themselves to anything else so they can spread much faster than viruses.
• Worms typically cause damage via malicious code or by reducing network availability due to self-propagation.

Rootkit

• Malware specifically designed to modify operating system supporting functions, which changes how the system operates.
• Rootkits can avoid the security functions of the operating system to avoid detection.
• Installation usually result in the hacker acquiring root or escalated privileges (e.g., admin).

Trojan

• Named after the large wooden horse that hid Greek soldiers, these programs appear useful but contain malicious code.
• Could open a backdoor, log keyboard inputs to steal passwords, or steal information (spyware).
• These are standalone programs that require user interaction to take effect.

Adware

• Presents unwanted advertisements to the user.
• These advertisements are sometimes pop-ups or unclosable windows.

Spyware

• Malware that "spies" on users, recording and reporting their online activities.
• For example, it can monitor user activity to create profiles or push advertisements.

Botnet

• Also known as a zombie army.
• A network of computers set up to forward transmissions to other computers on the Internet without their owners' knowledge.
• Any such computer is referred to as a zombie, serving the wishes of a master spam or virus originator.
• A zombie is often created through an open Internet port with which a small Trojan horse can be left for future activation.

Scareware

• Poses as legitimate software and tools, such as registry cleaners and virus removers.
• It is typically useless, sometimes with hidden malicious intent.
• Tricks users into purchasing by shocking them with anxiety or a perceived threat.
• Some of them look tremendously convincing.

Logic Bomb

• Generally installed by an authorized user, but in some cases from an external source (e.g. "Friday the 13th" malware).
• Remains dormant until some event invokes its malicious payload.

Ransomware

• Restricts access to infected computer systems and demands a 'ransom' to remove the restriction.

Zero Day Malware

• Previously unknown malware without specific antivirus software signatures available.
• A zero-day vulnerability is a hole in software unknown to the vendor.
• This hole is then exploited by hackers before the vendor is aware and fixes it, for example, a zero-day attack.
• Antivirus software is designed to detect and destroy computer viruses.
• A signature is virus' fingerprint, used by antivirus software to scan for malicious code.

C235 IT Security and Management - Lesson 2.2: Malware Protection and Prevention

• Describes malware protection methods and measures taken to prevent malware.

Malware protection

• Anti-virus Software
• Personal Software Firewall
• Pop-up Blockers
• Windows Defender
• Anti-spam Software
• The term "anti-virus" software/ "anti-malware" are interchangeable
• However anti-virus is more commonly used.

Anti-Virus Software

• Detects and eliminates malware through:
• Heuristic Scanning, which detects potentially malicious behavior.
• Signature-based Scanning, which relies on a virus dictionary of known virus signatures.
• Heuristic scanning is derived from a Greek word that means "to discover".
• A signature is a unique string of bits (a binary Pattern) enabling detection of specific viruses.

Signature-Based Scanning

• Anti-virus contains a virus dictionary with thousands of known virus signatures.
• Virus signatures must be frequently updated, as new viruses are discovered daily.
• Only catches known viruses.

Capabilities of Anti-Virus Software

• Automated Updates: Up-to-date signatures.
• Automated Scanning: Scheduled scans.
• Manual Scanning: On demand.
• Media Scanning scans thumb drives, etc.
• Email Scanning scans attachments.
• Resolution consists of:
• Quarantining the infected file:
• Repairing the infected file; or
• Deleting the infected file

Personal Software Firewalls

• Monitors and controls traffic passing into and out of a single system.
• Can be used to determines what traffic passes or is blocked
• Most modern operating systems have pre-installed basic personal firewalls.
• Windows and macOS have built-in firewall features which protects the system from cyber threats.

Pop-Up Blockers

• Pop-up blocker is in many web browsers and can prevent popups on web browsers.

Windows Defender

• Protects computers from spyware/unwanted software with:
• Spyware Detection and Removal
• Scheduled Scanning
• Automatic Updates
• Real-Time Protection
• Software Explorer
• Configurable Responses

Windows Defender Details

• Spyware Detection and Removal finds/removes spyware/unwanted programs that modify pop-ups, browsers, steal personal info, etc.
• Scheduled Scanning allows to schedule or on demand the scan to detect and remove threats.
• Automatic Updates automatically downloads and installs Windows Defender product.
• Real-time Protection stops spyware and malware from launching.
• Software Explorer provides details on your computer, whether or not software is good, or considered malware.
• Configurable Responses choose what actions you want to take against detected threats.

Anti-Spam Products

• Filters out junk emails automatically.
• Some products operate at the corporate level, filtering messages as they enter or leave designated email servers.
• Host-level products filter messages coming into the user's personal inbox.

Malware Prevention

• Education: being careful when you install or run software and ensuring files are downloaded from reliable sources.
• Security Software: personal software firewall (block unwanted traffic), anti-virus (get virus dictionary updated).
• Disable autorun for removable media such as thumb drives.
• Keep operating system up to date.
• Keep applications updated as exploitation can occur with old apps.
• IT Department should circulate updates of new malicious threats and vigilant.

C235 IT Security and Management - Lesson 2.3: Malware Trends

• Focuses on malware trends, major malwares, ransomware trends, and the ransowmare case study.

Malware Trend 1

• The total malware infections have have seen a rise in recent decades.
• Approximately 230,000 new malware samples are produced every day, and this trends is predicted to keep growing.
• 92% of malware is delivered by email.

Malware Trend 2

• The 8 Most Notorious Malware Attacks of All Time and Real and famous cases of malware attacks illustrate different types of data theft/illegal activity.
• 10 Most Dangerous New Malware and Security Threats in 2021 (updated on January 23, 2024) highlights more prominent Ransomware attacks as a growing problem..

Malware Trend 3

• Emotet Trojan (2014): World's most dangerous malware EMOTET disrupted through global action.
• WannaCry Ransomware (2017): What Has Changed Since the 2017 WannaCry Ransomware Attack?
• Zeus Trojan (2007): The life and death of the Zeus Trojan
• Base code of the above mentioned malware have mutated into variants causing cybersecurity students to study them.

Ransomware Trend 1

• Ransomware is a growing threat, so there is increasing global organization- business protection efforts.
• The most prominent malware threat is Ransomware.
• Approx. 236.1 million ransomware attacks occurred globally during the 2022 first half.

Ransomware Trend 2

• 51% of companies faced ransomware attacks.
• 26% of companies paid the ransom to cybercriminals.
• The average ransom amount for big companies in 2020 was $180,000; $6,000 for small businesses.
• Tools needed to launch a ransomware are avilable from the darknet for about $50
• Every 11 seconds, a new ransomware attack is detected.
• Delivery mechanisms include email most commonly and the way of web browsing is 2nd.

Ransomware Trend 3

• Top trends in Ransomware attacks (updated 2024) includes IT outsourcing services exploitation, more vunerable industries, New evolving Ransomware/defenses with rise on mobile.
• Ransomware-as-a-Service (Raas) is inceasing as a subscription for affiliates that use current tools taking a percentage of sucessful ransom payment.

Ransomware Attacks

• To get access to companies, leak sensitive or sell to others in exchange for a money is a key exortion for ransomware cyberattakers.
• List and track Ransomware attacks.
• Colonial Pipeline Ransomware attack is an important case learning how it can affect critical infrastructure.

Colonial Pipeline Ransomware

• Colonial Pipeline attack compromising US critical infrastructure responsible nearly the oil and gas Eastern US by the hacking group as DarkSide.
• On May 7, 2021, Colonial Pipeline's operations were halted to deal prevent and contain attack that impacted the computerized quipment managing the pipeline.
• Paying the ransom of 75 bitcoins ($4.4 million) was given the software but operated slow.
• Justice Department had recovered 63.7 bitcoins ($2.3 million)from counter-seizure of DarkSide's Wallet bitcoin On June 7th.

C235 IT Security and Management - Lesson 3.1: Social Engineering

• Ability to distinguish between various Social Engineering techniques
• Understand why Social Engineering works and its impact
• Understand the importance of protecting organisations from Social Engineering attacks
• Apply protective measures against Social Engineering

Social Engineering

• The use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action for the hacker.
• This an illegal act and can be charged in court and face jail terms.
• Clever manipulation of trust is difficult to eliminate social engineering because people are trusting by nature.

Social Engineering Techniques

• Pretexting
• Identity Theft
• Phishing
• Spear phishing
• Vishing
• Tailgating
• Dumpster Diving
• Shoulder Surfing
• Baiting

Pretexting

• Creating and utilizing fabricated scenarios to engage with a targeted individual.
• The goal is to persuade them for desired information of action.
• Involves prior research

Identity Theft

• Cheating and fraud using another person's identity.
• Assuming that person’s identity in order to access resources, obtain credit, and other benefits.

Phishing

• Act of obtaining sensitive information by posing a trusted entity in email/instant messages through random users.
• Computer using being fooled into inputting personal information through fake website that are real to trusted.
• Remains the most common form of cybercrime.

Spear Phishing

• Targeting people with a groups with somthing in common
• Success increases with targeted attacks.

What is Vishing?

• Variations of phishing using voice commmunications technology of what the attacker is seeking.
• Can exploit trusting people place in the phone network with obtaining credit card numbers.

Tailgating

• An unauthorized user is able to follow someone to a restricted area without proper consent.

Dumpster Diving

• Recovering thrown away papers from the trash to find sensitive information.

Shoulder Surfing

• The act of looking over other people’s documents/screens for their confidential information.

Description

Protecting systems from malware involves several key strategies. These include configuring Windows Defender for automatic threat response, using anti-spam solutions, disabling autorun for removable media to prevent infections, and keeping all software updated. Additionally, users should follow security advisories and download software only from reliable sources.