Malware / Port Question

Sam_aqua

Your secretary downloaded and installed what she thought was a useful free calendar program, now a port scan shows some new ports opened on her computer. What has happened?

• Malware has opened listening ports on her computer
• She violated Corporate IT Security Policy
• Her computer could have been infected
• Nothing. It is normal for a computer to have open ports

The obvious answer looks - Malware has opened listening ports on her computer ... however if one wears a manager hat, then next option - She violated Corporate IT Security Policy could be right ?

Any thoughts folks ..

Cheers
Sam

Tongy

You shouldn't be able to circumvent security policy - and 3rd party unauthorised download/install/drive by downloads shouldn't be possible... If instituted correctly, that is.

We can't download or install anything at work...

Sam_aqua

You shouldn't be able to circumvent security policy - and 3rd party unauthorised download/install/drive by downloads shouldn't be possible. --- > Ideally yes, but practically not always .. so it someone is able to install a 3rd party application that would mean he/she has violated AUP / security policy ...

Eburon

• Her computer could have been infected

According to my simple logic this would be the most rational answer as:

• Malware has opened listening ports on her computer - not 100% sure that the computer is infected - needs to be investigated further to get certainty
• She violated Corporate IT Security Policy - we do not know what the policy is based on the limited info provided by the question
• Nothing. It is normal for a computer to have open ports - very unlikely..

Great fun if you have to answer 250 questions like that..

gespenstern

Tricky question with several seemingly right answers. CISSP style, lol

-- Malware has opened listening ports on her computer -- I don't buy it since there's no hard evidence of malware presented in the question. Open ports is normal and it doesn't necessarily mean malware. Even new open ports could indicate some reconfiguration has happened or new other software was installed.

-- She violated Corporate IT Security Policy -- I don't think so, because there's no evidence that this corp has an IT security policy that prohibits installation of 3rd party software. Plus, policy in general shouldn't even do so, it is a general document that states some stuff like "we as a company do whatever is possible to protect our PCs". Prohibited 3-rd party software installation, I'd say, would be a standard or "acceptable use" signed agreement.

-- Her computer could have been infected -- Yeah, that's something that I would choose. Because it talks in terms of probability, it could be, it could be not, overall situation looks sketchy, but without investigation it only looks so and could very easily be a false positive and calendar application is actually a calendar application, nothing else.

-- Nothing. It is normal for a computer to have open ports -- Good answer, but probably not for a security consultant. It's really okay to have open ports, but new open ports is a change to a baseline and needs to be investigated. Since we have an indication of change in computer's behavior (new open ports) it's worth investigating. We can't just say "it's normal" and do nothing.

cyberguypr

^ this is exactly my line of reasoning. Taking the question at face value with the facts given:

- I can't confirm that calendar app was malware. Legitimate apps could do this or it could be unrelated. Full incident response and analysis is needed to determine this.
- I have no idea what the current policy is or even if there's one. Why are we assuming it exists?
- Something did happen and change was introduced from a (hopefully) known-good config as new ports showed up as open. No idea if this is benign or malicious.

Least sucky answer supported by the question: 'Her computer could have been infected'.

!nf0s3cure

In this day and age if your employees can 1st Download, 2nd Install any program.....your IT folk need a flick! It is policy violation as the most common answer as you would have signed a agreement not to download, install, plug blah blah any device ....rest of the options are a consequence of the action...

cyberguypr

Why do you assume some sort of policy exists?

!nf0s3cure

cyberguypr wrote: »

Why do you assume some sort of policy exists?

Well then the management needs a flick too:)

Mike7

Depends on the exam you are taking

Sec+ : infected?
CEH : malware, hacker has gained access to the network
CASP : infected
CISSP : policy
CISM : IRM (incident response management): investigate, contain the risk (if any) and let user continue with her work
CISA : insufficient controls to minimize risk, do not take action, raise audit red flag
MCSA : this is a server app, of course it has listening ports.

!nf0s3cure

Mike7 wrote: »

Depends on the exam you are taking

Sec+ : infected?
CEH : malware, hacker has gained access to the network
CASP : infected
CISSP : policy
CISM : IRM (incident response management): investigate, contain the risk (if any) and let user continue with her work
CISA : insufficient controls to minimize risk, do not take action, raise audit red flag
MCSA : this is a server app, of course it has listening ports.

Well said. Agree with this interpretation.

Sam_aqua

Option 1 (Malware has opened listening ports on her computer) is correct and I think because questions asks - what has happened (so technical approach) ? rather than what has she violated (management approach).

Jebjeb

Option 1 ) your a manager, why is she talking to you. You have help desk People to deal with her, unless shes hot