The Marvin Monroe Memorial Hospital recently suffered a serious attack. The attackers notified management personnel that they encrypted a significant amount of data on the hospital’s servers and it would remain encrypted until the management paid a hefty sum to the attackers. Which of the following identifies the MOST likely threat actor in this attack?
A. This attack was most likely launched by an organized crime group because their motivation is primarily money. While the scenario describes ransomware, ransomware is the malware, not the threat actor. Competitors often want to obtain proprietary information and it would be very rare for a hospital competitor to extort money from another hospital. A hacktivist typically launches attacks to further a cause, not to extort money.
Dr. Terwilliger installed code designed to enable his account
automatically if he ever lost his job as a sidekick on a television show. The code was designed to reenable his account three days after it is disabled. Which of the following does this describe?
D. A logic bomb is code that executes in response to an event. In this scenario, the logic bomb executes when it discovers the account is disabled (indicating Dr. Bob Terwilliger is no longer employed at the company). In this scenario, the logic bomb is creating a backdoor. A rootkit includes hidden processes, but it does not activate in response to an event. Spyware is software installed on user systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Ransomware demands payment as ransom.
Lisa recently developed an application for the Human Resources department. Personnel use this application to store and manage employee data, including PII. She programmed in the ability to access this application with a username and password that only she knows, so that she can perform remote maintenance on the application if necessary. Which of the following does this describe?
C. A backdoor provides someone an alternative way of accessing a system or application, which is exactly what Lisa created in this scenario. It might seem as though she’s doing so with good intentions, but if attackers discover a backdoor, they can exploit it. A virus is malicious code that attaches itself to an application and executes when the application runs, not code that is purposely written into the application. A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A Trojan is software that looks like it has a beneficial purpose but includes a malicious component.
Dr. Terwilliger installed code designed to run if he ever lost his job as a sidekick on a television show. The code will create a new account with credentials that only he knows three days after his original account is deleted. Which type of account does this code create?
A. The code is creating a new account that Dr. Terwilliger can use to access as a backdoor. He is creating this with a logic bomb, but a logic bomb is the malware type, not the type of account that he created. Rootkits include hidden processes, but they do not activate in response to events. Ransomware demands payment to release a user’s computer or data.
Security administrators recently discovered suspicious activity
within your network. After investigating the activity, they discovered malicious traffic from outside your network connecting to a server within your network. They determined that a malicious threat actor used this connection to install malware on the server and the malware is collecting data and sending it out of the network. Which of the following BEST describes the type of malware used by the threat actor?
B. The scenario describes a remote access Trojan (RAT), which is a type of malware that allows attackers to take control of systems from remote locations. While the threat actor may be a member of an advanced persistent threat (APT) or an organized crime group, these are threat actor types, not types of malware. Crypto-malware is a type of ransomware that encrypts data, but there isn’t indication that the data is being encrypted in this scenario.
A security administrator recently noticed abnormal activity on a workstation. It is connecting to systems outside the organization’s internal network using uncommon ports. The administrator discovered the computer is also running several hidden processes. Which of the following choices BEST describes this activity?
A. A rootkit typically runs processes that are hidden and it also attempts to connect to computers via the Internet. Although an attacker might have used a backdoor to gain access to the user’s computer and install the rootkit, backdoors don’t run hidden processes. Spam is unwanted email and is unrelated to this question. A Trojan is malware that looks like it’s beneficial, but is malicious.
Lisa is a database administrator and received a phone call from
someone identifying himself as a technician working with a known hardware vendor. The technician said he’s aware of a problem with database servers they’ve sold, but it only affects certain operating system versions. He asks Lisa what operating system the company is running on their database servers. Which of the following choices is the BEST response from Lisa?
D. This sounds like a social engineering attack where the caller is attempting to get information on the servers, so it’s appropriate to end the call, report the call to a supervisor, and independently check the vendor for potential issues. It is not appropriate to give external personnel information on internal systems from a single phone call. It isn’t necessary to ask for a phone number because you wouldn’t call back and give information on the servers. The caller has not committed a crime by asking questions, so it is not appropriate to contact law enforcement personnel.
Bart is in a break area outside the office. He told Lisa that he forgot
his badge inside and asked Lisa to let him follow her when she goes back
inside. Which of the following does this describe?
D. Tailgating is the practice of following closely behind someone else without using credentials. In this scenario, Bart might be an employee who forgot his badge, or he might be a social engineer trying to get in by tailgating. Spear phishing and whaling are two types of phishing with email. Mantraps prevent tailgating.
While cleaning out his desk, Bart threw several papers containing PII
into the recycle bin. Which type of attack can exploit this action?
D. Dumpster divers look through trash or recycling containers for valuable paperwork, such as documents that include Personally Identifiable Information (PII). Instead, paperwork should be shredded or incinerated. Vishing is a form of phishing that uses the phone. Shoulder surfers attempt to view monitors or screens, not papers thrown into the trash or recycling containers. Tailgating is the practice of following closely behind someone else, without using proper credentials.
Your organization recently suffered a loss from malware that wasn’t previously known by any trusted sources. Which of the following BEST describes this attack?
D.
A recent change in an organization’s security policy states that
monitors need to be positioned so that they cannot be viewed from outside any windows. Additionally, users are directed to place screen filters over the monitor. What is the purpose of this policy?
B.
Attackers recently sent some malicious emails to the CFO within your organization. These emails have forged From blocks and look like they are coming from the CEO of the organization. They include a PDF file that is described as a funding document for an upcoming project. However, the PDF is infected with malware. Which of the following BEST describes the attack type in this scenario?
C.
A recent spear phishing attack that appeared to come from your organization’s CEO resulted in several employees revealing their passwords to attackers. Management wants to implement a security control to provide assurances to employees that email that appears to come from the CEO actually came from the CEO. Which of the following should be implemented?
D.
A recent attack on your organization’s network resulted in the
encryption of a significant amount of data. Later, an attacker demanded that your organization pay a large sum of money to decrypt the data. Security investigators later determined that this was the result of a new employee within your company clicking on a malicious link he received in an email. Which of the following BEST describes the vulnerability in this scenario?
C.
The CEO of a company recently received an email. The email
indicates that her company is being sued and names her specifically as a defendant in the lawsuit. It includes an attachment and the email describes the attachment as a subpoena. Which of the following BEST describes the social engineering principle used by the sender in this scenario?
