1. What is a PHP Remote File Include (RFI) attack, and why are these prevalent in today's Internet world?
RFI stands for Remote File Inclusion that allows the attacker to upload a custom coded/malicious file on a website or server using a script. This vulnerability exploits the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using javascript). RFI is a common vulnerability and all website hacking is not entirely focused on SQL injection. Using RFI you can deface the websites, get access to the server and do almost anything. What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one.

2. What country is the top host of SQL Injection and SQL Slammer infections? Why can't the US Government do anything to prevent these injection attacks and infections?
The U.S. is the top host of SQL Injection and SQL Slammer infections. Cybercriminals have made vast improvements to their infrastructure over the last few years. Its expansion is thousands of websites vulnerable to SQL Injections. Malicious code writers have exploited these vulnerabilities to distribute malware so quick that the government cannot contain such a large quantity.

3. What does it mean to have a policy of Nondisclosure in an organization?
It is a contract where the parties agree not to disclose information covered by the agreement. It outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties.

4. What Trends were tracked when it came to Malicious Code in 2009 by the Symantec Report researched during this lab?
DoS attacks are always common, however targeted attacks using advanced persistent threats (SPT) that occurred in 2009 made headlines.

5. What is Phishing? Describe what a typical Phishing attacks attempt to accomplish?
Phishing is a term used to describe various scams that use fraudulent e-mail messages, sent by criminals, to trick you into divulging personal information. The criminals use this information to steal your identity, rob your bank account, or take over your computer. Counterfeit web sites, using “hijacked” company brands and logos, are created to lure you into revealing information you would not want to be public knowledge.

6. What is the Zero Day Initiative? Do you think this is valuable, and would you participate if you were the managing partner in a large firm?
A program for rewarding security researchers for responsibly disclosing vulnerabilities. It is valuable for firms in that vulnerabilities are shared so that they can be mitigated before more harm can be done.

7. What is a Server Side Include (SSI)? What are the ramifications if an SSI exploit is successful?
The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields. This can lead to access and manipulation of file system and process under the permission of the web server process owner.

8. According to the Tipping Point Report researched in this lab, how do SMB attacks measure up to HTTP attacks in the recent past?
In contrast to HTTP attacks, attacks against the SMB protocol, which is the foundation of countless file shares, has dropped over the sampled time period. This supports the premise that attackers are shifting their concentration away from underlying computer protocols and on to Web applications, because they represent a more lucrative and easier target. 9. According to the Tipping Point Report, what are some of the PHP RFI payload effects DVLabs has detected this year?
Password brute force, E-mail/MMS Spam relay, Network flood, Malware dropper, Botnet member, Recon and re-infection

10. Explain the steps it takes to execute a Malicious PDF Attack as described in the Tipping Point Report?
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the AcroPDF ActiveX control. The issue lies in the messageHandler property of the control. By manipulating the messageHandler's attributes an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.

11. What is a Zero Day attack and how does this relate to an organization's vulnerability window?
A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch. It is called a "zero-day" because the programmer has had zero days to fix the flaw. 12. How can you mitigate the risk from users and employees from clicking on an embedded URL link or e-mail attachment from unknown sources?
Continue with the controls that the government organization already has in place to combat malicious e-mail. Connect to the Internet via a Trusted Internet Connection. Take measures to protect the actual PCs used by users. Use tools to monitor user behavior so that a check can be made on whether policy is being observed. Install the latest web browsers on PCs; they are likely to have better security controls than older browsers. Make users aware of the risks involved and give them examples of the types of attack. Make users aware of the organization’s AUP. Make users aware of the legal issues. Repeat awareness development and training at regular intervals.

13. When auditing an organization for compliance, what role does IT security policies and an IT security policy framework play in the compliance audit?
Since IT systems are used to generate, change, house and transport that data, IT personnel have to build the controls that ensure the information stands up to audit scrutiny. Policies determine what data is to be stored, who has access to the data, and how and where it is stored.

14. When performing a security assessment, why is it a good idea to examine compliance in separate compartments like the seven domains of an IT infrastructure?
Each domain has different degrees of risk that require different mitigation solutions. Each domain will have different standards to meet compliance requirements.

15. True or False. Auditing for compliance and performing security assessments to achieve compliance requires a checklist of compliance requirements.
True