Understanding the differences between system worms, viruses and trojan horses is crucial in responding to CISA questions. Here is a typical example of a question regarding worms, viruses and trojan horses.
Ransom’s Question on 18/02/2017 – Asset Protection
An IS Auditor learns that a network computer has been attacked by an internet worm. What is the FIRST action that must be taken?
A – Update the anti-virus software and virus definition.
B – Disconnect the computer that has been attacked from the network.
C – Delete all infected files that have been corrupted.
D – Update the network firewall.
Let us apply the K-E-C approach in answering this question.
Please note that the K-E-C approach is as follows:
K = Keyword, phrase or stem of the question
E = Eliminate two incorrect options
C = Choose the best answer for the remaining two options, linking the answer to the Key or K.
So let us approach this question.
K = Key – The key phrase here is “FIRST action”. This question is about problem resolution and the sequence of events that must be followed during a system attack.
The next key phrase is “internet worm”, which is different from a virus and a Trojan horse. It is important to understand these differences in order to determine the most appropriate action.
Internet viruses are malicious software (malware) that attach themselves to programs and files and move from computer to computer. By contrast, internet worms are also malware, but they do not need to be attached to any program or file to spread from computer to computer; they spread and replicate independently, without anyone activating or launching a program. Trojan horses, on the other hand, are software that appears legitimate but turns out to be malicious once installed.
E = Eliminate two options – If we scan through the options above, we can easily eliminate C and D. Option C talks about deleting all infected files that have been corrupted. Deleting infected files is not a good first step in stopping an internet worm from spreading, because worms do not need files or programs to spread; they spread unaided, so deleting the corrupted files is not a good first option.
Option D is about updating the network firewall. This too is not a good first action, since the internet worm has already attacked computers: the worm has already made its way into system resources and computer assets. Updating the firewall can happen at a later stage, but it is not a good first step or action to take.
C = Choose the correct answer that lines up with the KEY – We are thus left with options A and B. Option A talks about updating the anti-virus software and virus definitions as the first step. Anti-virus software is not very effective in combating worms; updating virus definitions should come at a later stage and is not an ideal first step, as it will not stop the internet worm spreading from one computer to the next.
Option B says we should disconnect the attacked computer from the network. This is the best first step. In resolving a system attack, the first thing to do is to contain the threat so that it cannot spread further.
The correct answer is thus B – Disconnect the attacked computer from the network. This isolates the internet worm so that it does not spread to other computers. The impact of the attack can then be assessed, and virus definitions can be updated and firewall changes made.
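As an added illustration of what “disconnect the attacked computer from the network” looks like in practice (example code written for this page, not part of the original post), the shell helper below first snapshots the host’s live connections and processes for the later impact assessment, then isolates the host. It assumes a Linux host with iptables, a hypothetical management subnet MGMT_CIDR that responders still need to reach the machine from, and an evidence directory EVIDENCE_DIR; all three values are placeholders. With DRY_RUN=1 (the default) it only prints the ordered command plan so it can be reviewed before being run for real.

```shell
#!/bin/sh
# Added example, not from the original post: minimal containment helper for
# the "disconnect from the network" step. Snapshot first, then isolate.
# Assumptions (placeholders): Linux with iptables; MGMT_CIDR is the incident
# response subnet that must keep reaching the host; EVIDENCE_DIR holds output.
# DRY_RUN=1 prints the plan instead of executing it; set DRY_RUN=0 on a real host.

DRY_RUN="${DRY_RUN:-1}"
MGMT_CIDR="${MGMT_CIDR:-10.0.0.0/24}"        # placeholder management subnet
EVIDENCE_DIR="${EVIDENCE_DIR:-/tmp/ir-evidence}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: record sockets and processes before cutting the link, because the
# worm's scanning and outbound connections disappear once the host is isolated.
snapshot_state() {
    run mkdir -p "$EVIDENCE_DIR"
    run sh -c "ss -tunap > '$EVIDENCE_DIR/sockets.txt'"
    run sh -c "ps -eo pid,ppid,user,lstart,cmd > '$EVIDENCE_DIR/processes.txt'"
}

# Step 2: isolate. Default-deny in both directions, keeping only loopback and
# the management subnet so responders can still examine the machine.
isolate_host() {
    run iptables -I INPUT 1 -i lo -j ACCEPT
    run iptables -I OUTPUT 1 -o lo -j ACCEPT
    run iptables -I INPUT 2 -s "$MGMT_CIDR" -j ACCEPT
    run iptables -I OUTPUT 2 -d "$MGMT_CIDR" -j ACCEPT
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
}

# The full containment sequence: evidence capture, then isolation.
contain() {
    snapshot_state
    isolate_host
}

# Number of commands in the dry-run plan (3 snapshot + 7 isolation = 10).
plan_line_count() {
    DRY_RUN=1 contain | wc -l | tr -d ' '
}

contain
```

The ordering matters: the snapshot runs before any rule is inserted, and the ACCEPT rules for loopback and the management subnet are inserted before the chain policies are flipped to DROP, so the responder's own session is never cut. Updating anti-virus definitions and the perimeter firewall, as the explanation above notes, belong to the stages that follow this containment step.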