Computer Security Principles And Practice 3rd Edition by Stallings – Test Bank







Chapter 6 – Malicious Software




T          F          1.  Malicious software aims to trick users into revealing sensitive personal data.

T          F          2.  Keyware captures keystrokes on a compromised system.

T          F          3.  Metamorphic code is software that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.

T          F          4.  A virus that attaches to an executable program can do anything that the program is permitted to do.

T          F          5.  It is not possible to spread a virus via a USB stick.

T          F          6.  A logic bomb is the event or condition that determines when the payload is activated or delivered.

T          F          7.  Many forms of infection can be blocked by denying normal users the right to modify programs on the system.

T          F          8.  A macro virus infects executable portions of code.

T          F          9.  E-mail is a common method for spreading macro viruses.

T          F          10.  In addition to propagating, a worm usually carries some form of payload.

T          F          11.  A Trojan horse is an apparently useful program containing hidden code that, when invoked, performs some harmful function.

T          F          12.  Packet sniffers are mostly used to retrieve sensitive information like usernames and passwords.

T          F          13.  A bot propagates itself and activates itself, whereas a worm is initially controlled from some central facility.

T          F          14.  Every bot has a distinct IP address.

T          F          15.  Programmers use backdoors to debug and test programs.
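Questions 4 and 7 together make a practical point: a virus attached to a program runs with that program's permissions, and most file infections are stopped simply by not letting ordinary users write to executables. The script below is an added example for this test bank, not code from the textbook or its author. It audits a directory tree for executables that are writable by group or other and clears those bits. The directory layout it scans (`bin/ls`, `bin/backup.sh` and so on) is constructed in a temporary directory so it runs offline; the names and modes are made up.

```python
"""Audit a directory tree for executables that ordinary users could modify.

Added example for this test bank (not from the textbook). The layout scanned
here is constructed in a temporary directory; file names and modes are made up."""
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample layout: relative path -> permission bits to create it with.
SAMPLE_LAYOUT = {
    "bin/ls": 0o755,          # locked down: only the owner can write
    "bin/backup.sh": 0o777,   # world-writable executable: an infection target
    "lib/helper.so": 0o664,   # writable, but not executable
    "local/bin/tool": 0o775,  # group-writable executable
}


def build_sample_tree(layout=SAMPLE_LAYOUT):
    """Create the constructed layout in a fresh temporary directory; return its path."""
    root = tempfile.mkdtemp(prefix="bin-audit-")
    for rel, mode in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # explicit mode, so the process umask does not matter
    return root


def find_writable_executables(root):
    """Return (relative path, octal mode) for every regular file under `root`
    that is executable by anyone and writable by group or other. These are the
    files a virus running under an ordinary user account could overwrite or
    append itself to."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            loose_write = mode & (stat.S_IWGRP | stat.S_IWOTH)
            if executable and loose_write:
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def lock_down(root):
    """Clear the group/other write bits on every finding; return how many files were fixed."""
    fixed = 0
    for rel, _mode in find_writable_executables(root):
        path = os.path.join(root, rel)
        current = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, current & ~(stat.S_IWGRP | stat.S_IWOTH))
        fixed += 1
    return fixed


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, mode in find_writable_executables(tree):
        print(f"{mode} {rel}")
    print(f"fixed {lock_down(tree)} file(s); remaining: {find_writable_executables(tree)}")
```

On a real host you would point `find_writable_executables` at the directories on `PATH` and at library directories; the check looks at mode bits rather than `os.access`, so it gives the same answer whether it is run as root or as a normal user.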





1. A program that is covertly inserted into a system with the intent of compromising the integrity or confidentiality of the victim’s data is __________.
    A. Adobe          B. Animoto
    C. malware        D. Prezi

2. __________ are used to send large volumes of unwanted e-mail.
    A. Rootkits       B. Spammer programs
    C. Downloaders    D. Auto-rooter

3. A __________ is code inserted into malware that lies dormant until a predefined condition, which triggers an unauthorized act, is met.
    A. logic bomb     B. trapdoor
    C. worm           D. Trojan horse

4. The term “computer virus” is attributed to __________.
    A. Herman Hollerith    B. Fred Cohen
    C. Charles Babbage     D. Albert Einstein

5. Computer viruses first appeared in the early __________.
    A. 1960s    B. 1970s
    C. 1980s    D. 1990s

6. The __________ is what the virus “does”.
    A. infection mechanism    B. trigger
    C. logic bomb             D. payload

7. The __________ is when the virus function is performed.
    A. dormant phase      B. propagation phase
    C. triggering phase   D. execution phase

8. During the __________ the virus is idle.
    A. dormant phase      B. propagation phase
    C. triggering phase   D. execution phase

9. A __________ uses macro or scripting code, typically embedded in a document and triggered when the document is viewed or edited, to run and replicate itself into other such documents.
    A. boot sector infector    B. file infector
    C. macro virus             D. multipartite virus

10. __________ is the first function in the propagation phase for a network worm.
    A. Propagating    B. Fingerprinting
    C. Keylogging     D. Spear phishing

11. Unsolicited bulk e-mail is referred to as __________.
    A. spam        B. propagating
    C. phishing    D. crimeware

12. __________ is malware that encrypts the user’s data and demands payment in order to access the key needed to recover the information.
    A. Trojan horse    B. Ransomware
    C. Crimeware       D. Polymorphic

13. A __________ attack is a bot attack on a computer system or network that causes a loss of service to users.
    A. spam    B. phishing
    C. DDoS    D. sniff

14. The ideal solution to the threat of malware is __________.
    A. identification    B. removal
    C. detection         D. prevention

15. __________ will integrate with the operating system of a host computer and monitor program behavior in real time for malicious actions.
    A. Fingerprint-based scanners      B. Behavior-blocking software
    C. Generic decryption technology   D. Heuristic scanners





  1. A _________ is a set of programs installed on a system to maintain covert access to that system with administrator (root) privileges while hiding evidence of its presence.
  2. A __________ uses multiple methods of infection or propagation to maximize the speed of contagion and the severity of the attack.
  3. A computer __________ is a piece of software that can “infect” other programs or any type of executable content and tries to replicate itself.
  4. Sometimes referred to as the “infection vector”, the __________ is the means by which a virus spreads or propagates.
  5. Sometimes known as a “logic bomb”, the __________ is the event or condition that determines when the payload is activated or delivered.
  6. The four phases of a typical virus are: dormant phase, triggering phase, execution phase and __________ phase.
  7. During the __________ phase the virus is activated to perform the function for which it was intended.
  8. A __________ virus is explicitly designed to hide itself from detection by anti-virus software.
  9. __________ code refers to programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
  10. A __________ is when a user views a Web page controlled by the attacker that contains a code that exploits the browser bug and downloads and installs malware on the system without the user’s knowledge or consent.
  11. A __________ is a collection of bots capable of acting in a coordinated manner.
  12. A bot can use a __________ to capture keystrokes on the infected machine to retrieve sensitive information.
  13. Countermeasures for malware are generally known as _________ mechanisms because they were first developed to specifically target virus infections.
  14. Developed by IBM and refined by Symantec, the __________ provides a malware detection system that will automatically capture, analyze, add detection and shielding, or remove new malware and pass information about it to client systems so the malware can be detected before it is allowed to run elsewhere.
  15. __________ technology is an anti-virus approach that enables the anti-virus program to easily detect even the most complex polymorphic viruses and other malware, while maintaining fast scanning speeds.


Chapter 6 – Malicious Software

Answer Key




  1. T
  2. F
  3. F
  4. T
  5. F
  6. T
  7. T
  8. F
  9. T
  10. T
  11. T
  12. T
  13. F
  14. T
  15. T




  1. C
  2. B
  3. A
  4. B
  5. C
  6. D
  7. D
  8. A
  9. C
  10. B
  11. A
  12. B
  13. C
  14. D
  15. B





  1. rootkit
  2. blended attack
  3. virus
  4. infection mechanism
  5. trigger
  6. propagation
  7. triggering
  8. stealth
  9. Mobile
  10. drive-by-download
  11. botnet
  12. keylogger
  13. anti-virus
  14. digital immune system
  15. Generic decryption (GD)


Chapter 7 – Denial-of-Service Attacks





T          F          1.  A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service.

T          F          2.  DoS attacks cause damage or destruction of IT infrastructures.

T          F          3.  A DoS attack targeting application resources typically aims to overload or crash its network handling software.

T          F          4.  The SYN spoofing attack targets the table of TCP connections on the

T          F          5.  A cyberslam is an application attack that consumes significant resources, limiting the server’s ability to respond to valid requests from other users.

T          F          6.  The source of the attack is explicitly identified in the classic ping flood

T          F          7.  Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source

T          F          8.  SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol.

T          F          9.  The attacker needs access to a high-volume network connection for a SYN spoof attack.

T          F          10.  Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.

T          F          11.  The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised.

T          F          12.  A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption.

T          F          13.  Slowloris is a form of ICMP flooding.

T          F          14.  Reflector and amplifier attacks use compromised systems running the attacker’s programs.

T          F          15.  There is very little that can be done to prevent a flash crowd.





1. ______ relates to the capacity of the network links connecting a server to the wider Internet.
    A. Application resource    B. Network bandwidth
    C. System payload          D. Directed broadcast

2. A ______ triggers a bug in the system’s network handling software, causing it to crash so that the system can no longer communicate over the network until this software is reloaded.
    A. echo             B. reflection
    C. poison packet    D. flash flood

3. Using forged source addresses is known as _________.
    A. source address spoofing    B. a three-way address
    C. random dropping            D. directed broadcast

4. The ______ attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
    A. DNS amplification attack    B. SYN spoofing attack
    C. basic flooding attack       D. poison packet attack

5. TCP uses the _______ to establish a connection.
    A. zombie                B. SYN cookie
    C. directed broadcast    D. three-way handshake

6. _______ bandwidth attacks attempt to take advantage of the disproportionately large resource consumption at a server.
    A. Application-based    B. System-based
    C. Random               D. Amplification

7. _______ is a text-based protocol with a syntax similar to that of HTTP.
    A. RIP    B. DIP
    C. SIP    D. HIP

8. Bots starting from a given HTTP link and then following all links on the provided Web site in a recursive way is called _______.
    A. trailing    B. spidering
    C. spoofing    D. crowding

9. ______ attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete.
    A. HTTP            B. Reflection attacks
    C. SYN flooding    D. Slowloris

10. A characteristic of reflection attacks is the lack of _______ traffic.
    A. backscatter    B. network
    C. three-way      D. botnet

11. In both direct flooding attacks and ______ the use of spoofed source addresses results in response packets being scattered across the Internet and thus detectable.
    A. SYN spoofing attacks    B. indirect flooding attacks
    C. ICMP attacks            D. system address spoofing

12. In a _______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.
    A. SYN flood        B. DNS amplification
    C. poison packet    D. UDP flood

13. It is possible to specifically defend against the ______ by using a modified version of the TCP connection handling code.
    A. three-way handshake    B. UDP flood
    C. SYN spoofing attack    D. flash crowd

14. Modifying the system’s TCP/IP network code to selectively drop an entry for an incomplete connection from the TCP connections table when it overflows, allowing a new connection attempt to proceed, is _______.
    A. poison packet         B. slashdot
    C. backscatter traffic   D. random drop

15. When a DoS attack is detected, the first step is to _______.
    A. identify the attack       B. analyze the response
    C. design blocking filters   D. shut down the network
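Questions 4, 5, 13 and 14 describe one mechanism and two defenses: a listener that keeps a half-open entry per SYN until the ACK arrives, an attacker whose forged-source SYNs never get ACKed and so fill that table, and the two fixes of random drop and a modified, stateless handshake (SYN cookies). The simulation below is an added example for this test bank, not code from the textbook or its author; the table size, packet counts and addresses are made-up parameters chosen to make the effect visible, and the SYN cookie is a simplified HMAC over the connection tuple (real implementations also fold in a coarse timestamp and the MSS).

```python
"""SYN spoofing against a stateful connection table, with random drop and SYN
cookies as defenses. Added example for this test bank, not from the textbook;
table size, traffic counts, addresses and the cookie secret are made up."""
import hashlib
import hmac
import random

MASK32 = 0xFFFFFFFF
SECRET = b"per-server-secret"  # assumed server-side key for SYN cookies


class ConnectionTable:
    """Stateful listener: each SYN occupies a half-open slot until its ACK arrives.
    policy='reject' drops new SYNs when the table is full (the classic failure);
    policy='random_drop' evicts a random half-open entry to make room instead."""

    def __init__(self, size=8, policy="reject", seed=0):
        self.size, self.policy = size, policy
        self.rng = random.Random(seed)
        self.half_open = {}   # (src, sport) -> server initial sequence number
        self.accepted = 0

    def on_syn(self, src, sport):
        """Return the ISN carried in the SYN-ACK, or None if the SYN was dropped."""
        if len(self.half_open) >= self.size:
            if self.policy != "random_drop":
                return None
            del self.half_open[self.rng.choice(list(self.half_open))]
        isn = self.rng.getrandbits(32)
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack):
        """Complete the handshake if the ACK matches a half-open entry."""
        if self.half_open.get((src, sport)) == (ack - 1) & MASK32:
            del self.half_open[(src, sport)]
            self.accepted += 1
            return True
        return False


def syn_cookie(src, sport, dport, secret=SECRET):
    """Derive the ISN from the connection tuple and a secret, so the returning
    ACK can be verified later without any per-connection state."""
    msg = f"{src}:{sport}:{dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class SynCookieListener:
    """Stateless listener: nothing is stored per SYN, so there is no table to overflow."""

    def __init__(self, dport=80):
        self.dport, self.accepted = dport, 0

    def on_syn(self, src, sport):
        return syn_cookie(src, sport, self.dport)

    def on_ack(self, src, sport, ack):
        ok = (ack - 1) & MASK32 == syn_cookie(src, sport, self.dport)
        self.accepted += ok
        return ok


def simulate(listener, spoofed_syns=200, legit_every=40, rtt=3, seed=1):
    """Replay a flood of SYNs from forged sources that never ACK, with one
    legitimate client arriving every `legit_every` packets and ACKing `rtt`
    packets later. Returns (legitimate attempts, legitimate connections completed)."""
    rng = random.Random(seed)
    attempted = accepted = 0
    pending = {}   # packet index at which a legitimate ACK arrives -> (src, sport, ack)
    for n in range(spoofed_syns):
        if n in pending:
            accepted += listener.on_ack(*pending.pop(n))
        if n % legit_every == 0:
            attempted += 1
            src, sport = f"10.0.0.{attempted}", 40000 + attempted
            isn = listener.on_syn(src, sport)
            if isn is not None:  # None means the server had no slot for this client
                pending[n + rtt] = (src, sport, (isn + 1) & MASK32)
        # attacker SYN with a forged source: the SYN-ACK goes to a host that never answers
        listener.on_syn(f"198.51.100.{rng.randrange(1, 255)}", rng.randrange(1024, 65536))
    for n in sorted(pending):  # ACKs still in flight when the flood stops
        accepted += listener.on_ack(*pending[n])
    return attempted, accepted


if __name__ == "__main__":
    for name, listener in [("reject", ConnectionTable()),
                           ("random drop", ConnectionTable(policy="random_drop")),
                           ("SYN cookies", SynCookieListener())]:
        attempted, accepted = simulate(listener)
        print(f"{name:12s}: {accepted}/{attempted} legitimate connections completed")
```

With the default parameters the classic table admits only the client that arrived before it filled; random drop lets later clients in but can evict a legitimate half-open entry before its ACK returns (which is why the text calls it a partial defense); SYN cookies complete every legitimate handshake because the flood consumes no table space at all. Note that random drop and SYN cookies address only the table overflow: a flood large enough to saturate the link is still a flooding attack, which is why question 9 above has the answer it does.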



1. The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are known as _______ traffic.

2. _____ attacks flood the network link to the server with a torrent of malicious packets competing with valid traffic flowing to the server.

3. The standard protocol used for call setup in VoIP is the ________ Protocol.

4. Requests and _______ are the two different types of SIP messages.

5. A _______ flood refers to an attack that bombards Web servers with HTTP requests.

6. During a ______ attack, the attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system, and when the intermediary responds, the response is sent to the target.

7. In reflection attacks, the ______ address directs all the packets at the desired target and any responses to the intermediary.

8. ______ attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to intermediaries.

9. The best defense against broadcast amplification attacks is to block the use of _______ broadcasts.

10. The four lines of defense against DDoS attacks are: attack prevention and preemption, attack detection and filtering, attack source traceback and identification, and _______.

11. Since filtering needs to be done as close to the source as possible by routers or gateways knowing the valid address ranges of incoming packets, an _______ is best placed to ensure that valid source addresses are used in all packets from its customers.

12. A _______ is a graphical puzzle used to attempt to identify legitimate human-initiated interactions.

13. To respond successfully to a DoS attack a good ______ plan is needed that includes details of how to contact technical personnel for your ISP(s).

14. If an organization is dependent on network services it should consider mirroring and ________ these servers over multiple sites with multiple network connections.

15. A _____ is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.
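Fill-in questions 1, 6 to 8 and 11 above describe two things a network operator can actually implement: filtering at the ISP edge so that packets with forged sources never leave the customer link (what RFC 2827 / BCP 38 describes), and recognising, at the receiving network, whether unsolicited responses are backscatter from someone else's flood or the responses of a reflection attack aimed at you. The script below is an added example for this test bank, not code from the textbook or its author. Both packet traces are constructed samples using documentation address ranges, and the `kind` labels stand in for fields a real tool would parse from the headers.

```python
"""ISP-edge source-address filtering and backscatter-vs-reflection classification.
Added example for this test bank, not from the textbook; both traces are
constructed samples and the address ranges are documentation prefixes."""
import ipaddress
from collections import defaultdict

# Record layout: (source address, destination address, packet kind, size in bytes).

# Trace 1 (constructed): packets arriving at an ISP edge router from a customer
# link that was assigned 192.0.2.0/24.
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
UPLINK_TRACE = [
    ("192.0.2.10", "203.0.113.53", "dns-query", 64),     # legitimate query
    ("198.51.100.7", "203.0.113.53", "dns-query", 64),   # forged source: the intended target
    ("198.51.100.7", "203.0.113.54", "dns-query", 64),
    ("192.0.2.11", "203.0.113.80", "tcp-syn", 60),
    ("198.51.100.7", "203.0.113.55", "dns-query", 64),
]

# Trace 2 (constructed): packets crossing the border of 198.51.100.0/24.
OUR_PREFIX = ipaddress.ip_network("198.51.100.0/24")
BORDER_TRACE = [
    ("198.51.100.7", "203.0.113.53", "dns-query", 64),
    ("203.0.113.53", "198.51.100.7", "dns-response", 180),   # answer to the query above
    ("203.0.113.54", "198.51.100.7", "dns-response", 3200),  # never asked for
    ("203.0.113.55", "198.51.100.7", "dns-response", 3200),
    ("203.0.113.56", "198.51.100.7", "dns-response", 3200),
    ("203.0.113.80", "198.51.100.9", "tcp-synack", 60),      # replies to SYNs we never sent
    ("203.0.113.80", "198.51.100.23", "tcp-synack", 60),
    ("203.0.113.80", "198.51.100.41", "tcp-synack", 60),
]

# Which outbound request each inbound response kind should have been preceded by.
REQUEST_FOR = {"dns-response": "dns-query", "tcp-synack": "tcp-syn",
               "icmp-echo-reply": "icmp-echo-request"}


def egress_filter(packets, customer_prefixes):
    """ISP-edge check: forward a customer packet only when its source address lies
    inside that customer's assigned prefixes, so forged sources never leave the
    ISP. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt[0])
        bucket = forwarded if any(src in p for p in customer_prefixes) else dropped
        bucket.append(pkt)
    return forwarded, dropped


def unsolicited_responses(packets, our_prefix):
    """Pair each inbound response with an earlier outbound request between the
    same two hosts; responses with no matching request are unsolicited."""
    outstanding = set()
    unsolicited = []
    for src, dst, kind, size in packets:
        if ipaddress.ip_address(src) in our_prefix:
            outstanding.add((src, dst, kind))            # something we sent
        elif kind in REQUEST_FOR:
            key = (dst, src, REQUEST_FOR[kind])
            if key in outstanding:
                outstanding.remove(key)
            else:
                unsolicited.append((src, dst, kind, size))
    return unsolicited


def classify(unsolicited, min_reflectors=3):
    """Per response kind: many remote hosts answering to a single local address
    means our address was the forged source, i.e. we are the target of a
    reflection attack. A single remote host answering to many of our addresses
    is backscatter: someone is flooding that host with sources forged from our
    range. Returns {kind: (verdict, total bytes)}."""
    by_kind = defaultdict(list)
    for pkt in unsolicited:
        by_kind[pkt[2]].append(pkt)
    verdicts = {}
    for kind, pkts in by_kind.items():
        remotes = {p[0] for p in pkts}
        targets = {p[1] for p in pkts}
        total = sum(p[3] for p in pkts)
        if len(remotes) >= min_reflectors and len(targets) == 1:
            verdicts[kind] = ("reflection", total)
        elif len(remotes) < min_reflectors and len(targets) > 1:
            verdicts[kind] = ("backscatter", total)
        else:
            verdicts[kind] = ("unclassified", total)
    return verdicts


if __name__ == "__main__":
    fwd, dropped = egress_filter(UPLINK_TRACE, CUSTOMER_PREFIXES)
    print(f"ISP edge: forwarded {len(fwd)}, dropped {len(dropped)} packets with forged sources")
    for kind, (verdict, total) in classify(unsolicited_responses(BORDER_TRACE, OUR_PREFIX)).items():
        print(f"{kind}: {verdict} ({total} bytes)")
```

The two halves illustrate why question 10 says reflection attacks lack backscatter: the forged source is always the target, so every response converges on one address instead of being scattered across random hosts. The `min_reflectors` threshold is a made-up tuning value; in a real deployment it would be set from the baseline rate of unsolicited responses seen on the link.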


Chapter 7 – Denial-of-Service Attacks

Answer Key



  1. T
  2. F
  3. F
  4. T
  5. T
  6. T
  7. F
  8. T
  9. F
  10. T
  11. T
  12. T
  13. F
  14. F
  15. T



  1. B
  2. C
  3. A
  4. B
  5. D
  6. A
  7. C
  8. B
  9. D
  10. A
  11. A
  12. B
  13. C
  14. D
  15. A





  1. backscatter
  2. Flooding
  3. Session Initiation
  4. responses
  5. HTTP
  6. reflection
  7. spoofed source
  8. Amplification
  9. IP-directed
  10. attack reaction
  11. ISP
  12. captcha
  13. incident response
  14. replicating
  15. denial-of-service (DoS)