401_3 Flashcards
Internet Security Technologies
What is Kevin Mitnick vs. Tsutomu Shimomura?
Famous example of attack
Compromised the 3 major tenets of security, CIA (confidentiality, integrity and availability)
Accessing files that were not his (confidentiality)
Penetrating network resources he was not granted access to (confidentiality)
Executing a SYN flood as a DoS (availability)
3-6
What is a trust relationship?
Means that a computer is familiar with another computer and trusts the information that is coming from it.
3-8
How do complex attacks against a specific target usually start?
With a reconnaissance phase in which the attacker maps out the lay of the LAN.
3-8
What is the reconnaissance phase of an attack?
Phase in which the attacker determines which hosts are present and gathers as much information about them as possible.
3-8
What is finger?
A Unix service that can return information about users.
3-9
What is the use of a .rhost file?
It directs one computer to accept incoming login connections from the other computer on trust and not prompt for a password.
3-9
What is the use of a hosts.equiv file?
Directs one computer to accept logins for all users on a machine on trust and not prompt for a password.
3-9
What is showmount?
Unix command to list the file systems exported by an NFS file server.
3-9
What is rpcinfo?
Unix command to enumerate the various RPC-based services on a remote machine.
3-10
What is Sun’s Network Information Service (NIS)?
Network user database included with most varieties of Unix.
3-10
What is IP spoofing?
Sending packets to a remote computer while lying about your source IP address.
3-11
What is SYN flooding?
Sending numerous SYN packets to the machine to be silenced but never completing the TCP handshake protocol.
3-12
What is the role of the initial sequence number in negotiating a TCP connection?
To indicate the next byte the ACKer expects to receive.
3-13
The information security cycle (also known as the risk management cycle) consists of what three parts?
- Prevention
- Detection
- Response
In modern-day information security, what is often considered to be one of the most important tasks for system administrators and security professionals alike?
Patching of systems and applications.
What two helpful functions does a firewall provide?
- Prevents outsiders from accessing internal network services
- Prevents outsiders from using spoofed IP addresses that should only appear inside your own network.
What are three fairly common types of malicious code?
- Logic bombs
- Trojan horses
- Trap doors or back doors
What are some of the more interesting DoS attacks?
- smurf
- SYN floods
- DDoS
When does a DoS attack occur?
When a user is deprived of the use of some data, computing resource, or service due to malicious actions on the part of an attacker.
What happens to the number of possible keys for every bit you add to the key length?
It doubles
What is probably the least efficient attack?
Brute force
What is the primary purpose of a browsing attack?
Reconnaissance
What are race conditions also known as?
Time of Check/Time of Use or TOC/TOU attacks
What is a firewall?
A means to control what is allowed across some point in a network as a mechanism to enforce policy.
Firewalls are utilized at a variety of network locations; name two of them.
- Between the public internet and an organization’s private internal network
- Between a PC’s network interface card (NIC) and the rest of the PC
Firewalls may be implemented as what?
Dedicated network appliances
Hardware or software inserted into a network device such as a router
Software running on a general purpose computer
Where is a firewall most commonly deployed?
At boundaries between your site and the internet
Which of the following is not a primary benefit of a firewall?
(Answers)
A. Protect internal/external systems from attack
B. Help detect problems with network operations
C. Perform NAT (Network Address Translation)
D. Encrypt communications for VPN (IPSec)
E. Logging to aid in intrusion detection and forensics
B. Help detect problems with network operations
Firewalls can have the following shortcomings.
- Attacks at the application layer may sneak through
- Dial-up, VPN, extranet connections may bypass firewalls
- Organizations may let down their guard in other security areas (passwords, patches, encryption)
- Management sees firewall as a silver bullet
What are three methods to circumvent firewall policies?
- Installing modems
- Setting up wireless access
- Implementing peer-to-peer file sharing
If a packet doesn’t match a firewall rule, how is it processed?
Using the default rule which could be either deny all, which is more restrictive, or allow all, which is more permissive.
Ingress and egress filtering applies to traffic headed in which directions?
Ingress - inbound traffic
Egress - outbound traffic
What are low-end firewalls also known as?
Stateless Packet Filters
What are possible state values in a stateful firewall?
- SYN_SENT
- SYN_RECV
- ESTABLISHED
- FIN_WAIT1
- LAST_ACK
- FIN_WAIT2
- CLOSED
At what network layer do stateless packet filters and stateful firewalls operate?
Stateless operates at Layer 3 (Network)
Stateful operates at Layer 4 (Transport)
What protocol headers are examined by stateful firewalls?
IP and TCP
Proxy firewall must maintain a complete TCP connection state and sequencing through which two connections?
- The session user (the source) to the proxy
- The proxy to the destination server
What is the difference between operating system control and application control approaches to personal firewalls?
Application control blocks specific applications from accessing system resources such as the internet whereas operating system control blocks programs from running altogether.
What are common Linux and Windows 7 personal firewall tools?
Linux - IP Tables
Windows - Windows 7 Firewall
What is the most commonly overlooked feature of a firewall?
Using the logging functionality to generate a forensic trail of evidence.
Why is RFC 1918 a very important standard?
Because it sets aside specific networks as private address space.
What does Network Address Translation (NAT) enable?
Many more computers to participate in the public Internet than available addresses would otherwise allow and provides a degree of privacy regarding your internal network structure.
True or False: generally, NAT is used in the inbound direction, from the Internet to your network.
False - NAT is typically used in the outbound direction, from your network to the Internet.
The process of translating traffic from multiple internal hosts to a single external address is called?
Port Address Translation
What is a honeypot?
An information system resource whose value lies in unauthorized or illicit use of that resource.
What are some system resources that might be used as honeypots?
- A dedicated server
- A simulated system or state machine
- A service on a selected host
- A virtual server
- A single file with special attributes which is sometimes called a honeytoken
What are some of the advantages of honeypots?
- Provides insight into the tactics, motives, and tools of attackers
- Reduces challenges of false positives, false negatives, and data collection by determining true attack traffic
- Provides additional Defense-in-Depth for organizations
What can be said about the use or access of a honeypot or honeytoken?
It could be accidental or hostile but always unauthorized.
Why can honeypots capture and identify hostile activity from exploits that are not currently known?
Because all access to this is unauthorized and therefore either hostile or accidental in nature.
What is the most significant reason organizations should not deploy honeypots?
The risk of misconfigured honeypots
Why do honeypots become a resource burden for organizations?
Because they require:
- constant monitoring
- swift response
- detailed analysis of attacks
What are the four general categories for classifying a honeypot?
- Purpose: Production or Research
- Location: Internal or External
- Scope: Honeynet (network), Honeypot (system), Honeytoken (file)
During which phase of an attack does the adversary find new systems, map out networks, and probe for specific, exploitable vulnerabilities?
Reconnaissance.
Evidence of reconnaissance activity can be a clue to what?
A targeted attack may be on the horizon.
What are the 3 Rs?
- Reconnaissance
- Resource Protection
- ROI
The best use of the security dollar would be to ensure that a scanning program also has what?
A solid prioritized remediation process