The security administrator has been told that there is some suspicious activity that is taking place on three of the company’s workstations. He has been instructed to review the type of ICMP traffic that is being allowed through the ingress routers. Why would he be told to look at this specifically?
A. Compromised systems
B. Backdoor communication
C. Employee espionage
D. Malformed fragments
Explanation:
When an attacker compromises a computer and loads a backdoor onto the system, he needs a way to communicate with that computer through the backdoor while staying "under the radar" of the network firewall and IDS. Attackers have figured out that a small amount of code can be inserted into an ICMP packet, which is then interpreted by the backdoor software running on the compromised system. Security devices are usually not configured to monitor this type of traffic, because ICMP is a protocol that is supposed to carry only status information, not commands to a compromised system.