PrepAway - Latest Free Exam Questions & Answers

Which of the following has MOST likely been installed on the server?

During a server audit, a security administrator does not notice abnormal activity. However, a
network security analyst notices connections to unauthorized ports from outside the corporate
network. Using specialized tools, the network security analyst also notices hidden processes
running. Which of the following has MOST likely been installed on the server?

A. SPIM

B. Backdoor

C. Logic bomb

D. Rootkit

Explanation:

One Comment on “Which of the following has MOST likely been installed on the server?”

  1. meac says:

    Simple enough and it does not require an explanation. Yet for the purpose of this exercise and in order to sediment concepts, here we go:

    The fact remains that a server audit was conducted, and nothing untoward was found.
    It all depends on the type of audit performed. Judging by the level of questions in the Security+ exam, and the level of technical expertise of the Joes, Saras and Anns, I put it to you that not a very good audit was done.
    But let’s say that for the purpose of this exercise, a very good and thorough audit was made.
    This would pick up A, B and C when properly conducted.

    WRONG ANSWERS:
    A. SPIM: Messaging spam, sometimes called SPIM, is a type of spam targeting users of instant messaging (IM) services, SMS, or private messages within websites. We are clearly not talking about SPIM here.

    B. Backdoor: A backdoor in software or a computer system is generally an undocumented portal that allows an administrator to enter the system to troubleshoot or do upkeep. But it also refers to a secret portal that hackers and intelligence agencies use to gain illicit access. This is a tricky one though. If you are looking for an inactive backdoor, then good luck, you’d need years of computer forensics skills to trace it down. On the other hand, if you are looking for a backdoor that is in use, then using traffic analysis from another system or a hardware device on the network could allow you to see if your computer is emitting any unexpected packets.
    So here it depends on whether the backdoor is active or inactive. If it is active, a proper server audit with the proper tools and skills would pick up any anomalies created by it.

    C. Logic bomb: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company.
    As far as detection is concerned, you cannot completely prevent them from attacking your systems or network. But you can detect these logic bombs before they are executed by the auto-protect and email screening functions in anti-virus software. Generally, monitoring and scanning of the overall network is carried out by experts, leaving a chance for injection of logic bombs.

    So the best answer is indeed “D. Rootkit”.
    ** A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
    ** The term rootkit is a concatenation of “root” (the traditional name of the privileged account on Unix-like operating systems) and the word “kit” (which refers to the software components that implement the tool).
    ** The term “rootkit” has negative connotations through its association with malware.

    A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.
    A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a “backdoor” into the system for the hacker’s use; alter log files; attack other machines on the network; and alter existing system tools to escape detection.
    The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux operating systems were the primary targets for a hacker looking to install a rootkit.
    Today, rootkits are available for a number of operating systems, including Windows, and are increasingly difficult to detect on any network.


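As an added illustration of the mismatch the analyst observed (ports open from the network side, processes hidden on the host), here is a Linux detection check that is not part of the original question or of the comment above: it parses /proc/net/tcp and compares the inodes of listening sockets against the sockets held open by the processes that readdir(/proc) shows. The /proc/net/tcp sample and the inode-to-pid map are constructed; on a live host run it as root (other users' fd tables are unreadable) and treat kernel-owned listeners such as NFS as expected exceptions.

```python
"""Cross-check two /proc views: the kernel reports every TCP socket in /proc/net/tcp,
while ownership comes from /proc/<pid>/fd. A rootkit hiding a process from the
/proc listing leaves its LISTEN socket in /proc/net/tcp with no visible owner."""
import os
import re

LISTEN_STATE = "0A"  # value of the st column for TCP_LISTEN


def parse_proc_net_tcp(text):
    """Return {inode: (local_ip_hex, port)} for sockets in LISTEN state."""
    listeners = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue
        ip_hex, port_hex = fields[1].rsplit(":", 1)
        listeners[int(fields[9])] = (ip_hex, int(port_hex, 16))
    return listeners


def socket_inodes_of_visible_processes(proc_root="/proc"):
    """Map socket inode -> pid for every pid readdir(/proc) shows (run as root)."""
    owned = {}
    for pid in (e for e in os.listdir(proc_root) if e.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited meanwhile, or fd table not readable
            continue
        for m in (re.fullmatch(r"socket:\[(\d+)\]", t) for t in links):
            if m:
                owned[int(m.group(1))] = int(pid)
    return owned


def unowned_listeners(listeners, owned):
    """LISTEN sockets that no visible process holds: candidates for a hidden owner."""
    return {ino: addr for ino, addr in listeners.items() if ino not in owned}


# Constructed /proc/net/tcp sample: sshd on 22 (inode 18532), a listener on 10000 (99871), one client.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18532 1 0000000000000000 100 0 0 10 0
   1: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99871 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C4A2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 18600 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_OWNED = {18532: 812, 18600: 2301}  # constructed: inodes held by readdir-visible pids

if __name__ == "__main__":
    print("unowned LISTEN sockets:", unowned_listeners(parse_proc_net_tcp(SAMPLE_TCP), SAMPLE_OWNED))
    # Live host: parse_proc_net_tcp(open("/proc/net/tcp").read()) with socket_inodes_of_visible_processes()
```

The same column layout applies to /proc/net/tcp6, so the parser can be run over both files to cover IPv6 listeners.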