401_3

Question 1

What is Kevin Mitnick vs. Tsutomu Shimomura

Answer 1

Famous example of attack
Compromised 3 major tenant of security CIA (confidentiality, integrity and availability)
Accessing files that were not his (confidentiality)
penetrating network resources he was not granted access (confidentiality)
Executing a SYN flood as a DoS (availability)

3-6

Question 2

What is a trust relationship?

Answer 2

Means that a computer is familiar with another computer and trusts the information that is coming from it.

3-8

Question 3

How do complex attacks against specific target usually start?

Answer 3

With a reconnaissance phase in which the attacker maps out the lay of the LAN.

3-8

Question 4

What is the reconnaissance phase of an attack?

Answer 4

Phase in which attacker determines which hosts are present and gathering as much information about them as possible.

3-8

Question 5

What is finger?

Answer 5

A Unix service that can return information about users.

3-9

Question 6

What is the use of a .rhost file?

Answer 6

It directs one computer to accept incoming login connections from the other computer on trust and not prompt for a password.

3-9

Question 7

What is the use of a hosts.equiv file?

Answer 7

Directs one computer to accept logins for all users on a machine on trust and not prompt for a password.

3-9

Question 8

What is showmount?

Answer 8

Unix command to lists the file system exported by an NFS file server.

3-9

Question 9

What is rpcinfo?

Answer 9

Unix command to enumerate the various RPC-based services on a remote machine.

3-10

Question 10

What is Sun’s Network Information Service (NIS)?

Answer 10

Network user database included with most varieties of Unix.

3-10

Question 11

What is IP spoofing?

Answer 11

Sending packets to a remote computer but lie about your source IP address.

3-11

Question 12

What is SYN flooding?

Answer 12

Sending numerous SYN packets to the machine to be silenced but never completing the TCP handshake protocol.

3-12

Question 13

What is the role of the initial sequence number in negotiating a TCP connection?

Answer 13

To indicate the next byte the ACKer expects to receive.

3-13

Question 14

The information security cycle (also known as the risk management cycle) consists of what three parts?

Answer 14

1. Prevention
2. Detection
3. Response

Question 15

In modern-day information security what is often considered to be one of the most important tasks for system administrators and security professional alike.

Answer 15

Patching of systems and applications.

Question 16

What two helpful functions does a firewall provide?

Answer 16

1. Prevents outsiders from accessing internal network services
2. Prevents outsiders from using spoofed IP addresses that should only appear inside your own network.

Question 17

What are three fairly common types of malicious code?

Answer 17

1. Logic bombs
2. Trojan horses
3. Trap doors or back doors

Question 18

What are some of the more interesting DoS attacks?

Answer 18

1. smurf
2. SYN floods
3. DDoS

Question 19

When does a DoS attack occur?

Answer 19

When a user is deprived of the use of some data, computing resource, or service due to malicious actions on the part of an attacker.

Question 20

What happens to the number of possible keys for every bit you add to the key length?

Answer 20

It doubles

Question 21

What is probably the least efficient attack?

Answer 21

Brute force

Question 22

What is the primary purpose of a browsing attack?

Answer 22

Reconnaissance

Question 23

What are race conditions also know as?

Answer 23

Time of Check/Time of Use or TOC/TOU attacks

Question 24

What is a firewall?

Answer 24

A means to control what is allowed across some point in a network as a mechanism to enforce policy.

Question 25

Firewalls are utilized at a variety of network locations, name two of them.

Answer 25

1. Between the public internet and an organization’s private internal network
2. Between a PC’s network interface card (NIC) and the rest of the PC

Question 26

Firewalls may be implemented as what?

Answer 26

Dedicated network appliances
Hardware or software inserted into a network device such as a router
Software running on a general purpose computer

Question 27

Where is a firewall most commonly deployed?

Answer 27

At boundaries between you site and the internet

Question 28

Which of the following is not a primary benefit of a firewall?
(Answers)
A. Protect internal/external systems from attack
B. Help detect problems with network operations
C. Perform NAT (Network Address Translation)
D. Encrypt communications for VPN (IPSec)
E. Logging to aid in intrusion detection and forensics

Answer 28

B. Help detect problems with network operations

Question 29

Firewalls can have the following shortcomings.

Answer 29

1. Attacks at the application layer may sneak through
2. Dial-up, VPN, extranet connections may bypass firewalls
3. Organizations may let down their guard in other security areas (passwords, patches, encryption)
4. Management sees firewall as a silver bullet

Question 30

What are three methods to circumvent firewall policies?

Answer 30

1. Installing modems
2. Setting up wireless access
3. Implementing peer-to-peer file sharing

Question 31

If a packet doesn’t match a firewall rule how is it processed.

Answer 31

Using the default rule which could be either deny all, which is more restrictive, or allow all, which is more permissive.

Question 32

Ingress and egress filtering applies to traffic headed in which directions?

Answer 32

Ingress - inbound traffic

Egress - outbound traffic

Question 33

What are low-end firewall are also know as?

Answer 33

Stateless Packet Filters

Question 34

What are possible state values in a stateful firewall?

Answer 34

1. SYN_SENT
2. SYN_RECV
3. ESTABLISHED
4. FIN_WAIT1
5. LAST_ACK
6. FIN_WAIT2
7. CLOSED

Question 35

At what network layer do stateless packet filters and stateful firewalls operate?

Answer 35

Stateless operates at Layer 3 (Network)

Stateful operates at Layer 4 (Transport)

Question 36

What protocol headers are examined by stateful firewalls

Answer 36

IP and TCP

Question 37

Proxy firewall must maintain a complete TCP connection state and sequencing through which two connections?

Answer 37

1. The session user (the source) to the proxy

2. The proxy to the destination server

Question 38

What is the difference between operating system control and application control approaches to personal firewalls?

Answer 38

Application control blocks specific applications from accessing system resources such as the internet whereas operating system control blocks programs from running altogether.

Question 39

What are common Linux and Windows 7 personal firewall tools?

Answer 39

Linux - IP Tables

Windows - Windows 7 Firewall

Question 40

What is the most commonly overlooks feature of a firewall?

Answer 40

Using the logging functionality to generate a forensic trail of evidence.

Question 41

Why is RFC 1918 a very import standard?

Answer 41

Because it sets aside specific networks as private address space.

Question 42

What does Network Address Translation (NAT) enable?

Answer 42

Many more computers to participate in the public Internet than available addresses would otherwise allow and provides a degree of privacy regarding your internal network structure.

Question 43

True of False, generally, NAT is use in the inbound direction, from the Internet to your network.

Answer 43

False - NAT is typically used in the outbound direction, from your network to the Internet.

Question 44

The process of translating traffic from multiple internal hosts to a single external address is called?

Answer 44

Port Address Translation

Question 45

What is a honeypot?

Answer 45

An information system resource whose value lies in unauthorized or illicit use of that resource.

Question 46

What are some system resources that might be used as honeypots?

Answer 46

1. A dedicated server
2. A simulated system or stat machine
3. A service on a selected host
4. A virtual server
5. A single file with special attributes which is sometimes called a honeytoken

Question 47

What are some of the advantages of honeypots?

Answer 47

1. Provides insight into the tactics, motives, and tools of attackers
2. Reduces challenges of false positives, false negatives, and data collection by determining true attack traffic
3. Provides additional Defense-in-Depth for orgainizations

Question 48

What can be said about the use or access of a honeypot or honeytoken?

Answer 48

It could be accidental or hostile but always unauthorized.

Question 49

Why can honeypots capture and identify hostile activity from exploits that are not currently known?

Answer 49

Because all access to this is unauthorized and therefore either hostile or accidental in nature.

Question 50

What is the most significant reasons organizations should not deploy honeypots?

Answer 50

The risk of misconfigured honeypots

Question 51

Why does honeypots become a resource burden for organizations?

Answer 51

Because they require:

1. constant monitoring
2. swift response
3. detailed analysis of attacks

Question 52

What are the four general categories for classifying a honeypot

Answer 52

1. Purpose: Production or Research
2. Location: Internal or External
3. Scope: Honeynet (network), Honeypot (system), Honeytoken (file)

Question 53

During which phase of an attack does the adversary find new systems, map out networks, and prob for specific, exploitable vulnerabilities?

Answer 53

Reconnaissance.

Question 54

Evidence of reconnaissance activity be a clue to what?

Answer 54

A targeted attack may be on the horizon.

Question 55

What are the 3 Rs?

Answer 55

1. Reconnaissance
2. Resource Protection
3. ROI

Question 56

The best use of the security dollar would be to ensure that a scanning program also has what?

Answer 56

A solid prioritized remediation process

Question 57

Scanning without remediating might actually be considered what?

Answer 57

Negligence

Question 58

What is a simple ROI formula?

Answer 58

ROI = (gain - expenditure)/(expenditure) X 100%

Question 59

Why is it important to define ROI when discussing it?

Answer 59

Because ROI can mean different things in different contexts.

Question 60

What are some common uses of ROI?

Answer 60

1. Development of a business case
2. Evaluating whether to go ahead with the purchase of a product/service/line of business
3. Predicting revenue

Question 61

What are the 5 vulnerability axioms?

Answer 61

1. Vulnerabilities are the gateway through whcih threats are manifested
2. Vulnerability scans without remediation have little value
3. A little scanning and remediation is better than a lot of scanning and less remediation
4. Prioritizing systems and vulnerabilities is critical
5. Stay on track

Question 62

Prevention is another type of what?

Answer 62

Countermeasure

Question 63

List 5 threat vectors?

Answer 63

1. Outsider attack from network
2. Outsider attack from telephone
3. Insider attack from local network
4. Insider attack from local system
5. Attack from malicious code

Question 64

How can Firewalls protections be bypassed?

Answer 64

1. Worms and Wireless
2. Modems/Wireless Hot Spots - Restrictive Firewalls
3. Tunnel anything through HTTP
4. Social engineering

Question 65

The more restrictive a site’s firewall policy the more likely the employees will use what?

Answer 65

A modem

Question 66

What is social engineering

Answer 66

An attempt to manipulate or trick a person into providing valuable information or access to that information.

The process of attacking a network or system by exploiting the people who interact with that system.

Question 67

What type of social engineering involves one person trying to get valuable information from another person?

Answer 67

Human-based

Question 68

What type of Exploiting human curiosity, gullibility, or greed, even automatically via the use of mass-mail worms, is pure what at work?

Answer 68

Social Engineering

Question 69

What is the best defense against social engineering?

Answer 69

Establish clear security policies and enforce them.

Question 70

What network analysis tool fits ping’s ICMP concept to TCP and UDP?

Answer 70

Hping3

Question 71

How does hping3 find silent hosts?

Answer 71

With a repeated TCP ping of a host, followed by examination of that host’s returned TCP sequence and IP ID numbers, it is possible to tell if that host is engaged in communication with any other host.

Question 72

What is a TCP version of Ping?

Answer 72

Hping3

Question 73

What is a Port Scan?

Answer 73

The process of enumerating all hosts that respond on a given network and tells you which ports on each machine have listener processes bound to them.

Question 74

What is a popular freeware network mapping tools that supports a large number of scanning techniques including port scanning (TCP and UDP), SYN, FIN, ACK, as well as ICMP ping sweeps?

Answer 74

Nmap

Question 75

How do port scanners often report on the services running on each port?

Answer 75

Usually from a text file that amps ports numbers to their well-known service names.

Question 76

What are the three possible states indicated for each port during an Nmap scan?

Answer 76

1. Open
2. Closed
3. Filtered

Question 77

What are general scan techniques available from Nmap?

Answer 77

1. Full Open
2. Half Open (Stealth Scan)
3. UDP
4. Ping Scans

Question 78

How do scanners identify operating systems?

Answer 78

By performing several different test and correlated the output to develop a fingerprint for each OS.

Question 79

What is the cardinal rule of scanning or vulnerability assessment?

Answer 79

To be certain to only scan systems that you own or are authorized to scan.

Question 80

What are 4 things to consider before you invest money in a vulnerability scanner?

Answer 80

1. How is the product licensed?
2. How interoperable is the product? Does is support the Common Vulnerabilities and Exposures (CVE) standard for cataloging vulnerabilities?
3. Can you easily compare the results of a scan today with the results of one four weeks ago?
4. Does your manager like the report output

Question 81

What is the difference between a penetration tester and a hacker?

Answer 81

Permission

Question 82

How do you do a vulnerability scan?

Answer 82

1. Get permission
2. Put out the word
3. click target selection
4. Heavy scan but do not allow DoS scan
5. Only scan when you are in the office by the phone
6. Fix te red “priority” problems first..

Question 83

What is OpenVAS
(Answers)
A. Port scanner
B. Vulnerability scanner
C. Firewall
D. Network intrusion detection system

Answer 83

B. Vulnerability scanner

Question 84

What is any point where an attacker can gain access to the network, including wireless called?

Answer 84

A network perimeter

Question 85

What are the two favored tools for wireless network mapping?

Answer 85

1. NetStumbler

2. Kismet

Question 86

What tool is designed to be a passive wireless sniffer, a wardriving tool, a wireless vulnerability assesment tool and an intrusion detection tool?

Answer 86

Kismet

Question 87

What is the difference in the way NetStumbler and Kismet discover wireless networks?

Answer 87

NetStumbler uses an active approach whereas Kismet is completely passive

Question 88

In addition to identifying located wireless networks, what information about discovered wireless networks can Kismet provide?

Answer 88

1. Clients that are on the network
2. Cryptographically weak traffic
3. clear-text strings transmitted over the wireless network
4. factory-default access point configurations

Question 89

Driving, or walking, or busing, or sitting still with equipment to detect wireless networks is called?

Answer 89

Wardriving

Question 90

How can you reduce the range from where an attacker can map a wireless network?

Answer 90

1. By reducing the signal strength
2. Using careful placement techniques to limite RF leakage.
3. RF-barriers such as metal-screening inside exterior walls

Question 91

What is the best defense for a wireless network?

Answer 91

Strong authentication and encryption system

Question 92

What is a simple means of trying to identify modems that may be susceptible to compromise in an attempt to circumvent perimeter security called?

Answer 92

War Dialing

Question 93

What is completed at the conclusion of a vulnerability scan and is used to determine the validity of any identified vulnerabilities?

Answer 93

Penetration Test

Question 94

What is another work for penetration testing?

Answer 94

Ethical Hacking

Question 95

List 6 Pen Test Techniques?

Answer 95

1. War dialing
2. War driving
3. Sniffing
4. Eavesdropping
5. Dumpster diving
6. Social engineering

Question 96

What should organizations consider doing to maintain an audit trail of analysis how and when systems were assessed?

Answer 96

Logging all access to systems through scanning tools, even authorized scans,

Question 97

What is the process of monitoring activity on your network or host and can also be thought of as an alarm system for identifying undesirable activity on your network or hosts?

Answer 97

Intrusion Detection or IDS

Question 98

IDSs should be utilized in conjunction with firewalls, anti-virus software, vulnerability assessment and patch management tool to support a ___________ posture.

Answer 98

Defense-in-Depth

Question 99

What is IDS Not?

Answer 99

1. A replacement for firewalls, strong policies, system hardening, timely patching and other defense-in-depth techniques
2. A low-maintenance tool
3. An inexpensive tool
4. A silver bullet

Question 100

What is IDS in it’s most basic form?

Answer 100

Log messages from any device.

Question 101

What generates IDS alerts?

Answer 101

Events of Interest (EOI)

Question 102

What 4 types of IDS events must analysts understand?

Answer 102

1. True Positive
2. False Positive
3. True Negative
4. False Negative

Question 103

What are three different methods used by NIDS devices to identify events of interest on the network?

Answer 103

1. Signature Analysis
2. Anomaly Analysis
3. Application or Protocol Analysis

Question 104

How does signature analysis work to identify of interest on the network?

Answer 104

1. Performs pattern matching
2. Rules indicate criteria in packets that represent EOI
3. Rules are applied to packets as they are received by the IDS
4. Alerts are created when matches are found

Question 105

Most IDS tools will allow the analyst to examine and classify data on what packet characteristics?

Answer 105

1. Protocol, address and port information
2. Payload contents
3. String matching
4. Traffic flow analysis
5. Flags in protocol headers
6. Any fields in the packet

Question 106

What must first be know In order for anomaly analysis to identify events of interest on the network?

Answer 106

A baseline of “normal” network activity/traffic

Question 107

Why is the use of protocol analysis as an IDS technique very powerful?

Answer 107

Because it can detect both known and unknown attacks against a protocol.

Question 108

From a network-based IDS perspective, vendor have implemented what two different mechanisms of inspecting traffic, typically with rule-based analysis measures?

Answer 108

1. Shallow Packet Inspection

2. Deep Packet Inspection

Question 109

What are the characteristics of shallow and deep packet inspections?

Answer 109

Shallow Packet Inspection

• Fast, but provides little fidelity
• Examines header information, limited payload data

Deep Packet Inspection

• S l o w, requires stateful tracking of data
• Inspects all fields, including variable-length fields

Question 110

Scalability, insight into traffic on the network, detecting problems with network operations, helping organizations react swiftly to incidents, auditing for other security measure, and providing additional flexibility in securing information asses are advantages to what kind of system tool(s)?

Answer 110

A Network Intrusion Detection System (NIDS)

Question 111

When cryptography is used heavily on the network, where is the only useful place to put a sensor?

Answer 111

A host at either end of the encrypted channel, capturing the traffic before it is encrypted or after it is decrypted.

Question 112

A common mistake made in evaluating IDS tools is using the ______________ as a guide for selecting a vendor’s product.

Answer 112

number of rules or signatures

Question 113

Additional processing burdens on the IDS include what?

Answer 113

1. Decryption of traffic
2. Packet and Stream reassembly
3. Data normalization

Question 114

What happens when you IDS is overloaded with more throughput than it can handle?

Answer 114

Performance tends to degrade rapidly, not just discarding excess packets, but thrashing from resource exhaustion.

Question 115

What can be done to lessen the aggregate bandwidth a NIDS device needs to process?

Answer 115

Move it downstream

Question 116

What is the financial reality behind deploying an IDS?

Answer 116

The capital cost is a small fraction of the overall cost.

Question 117

To get the most benefit from an ______ system, organizations must have analysts that are well-trained in te necessary skill of intrusion analysis and incident handling.

Answer 117

IDS

Question 118

What kind of tool is Snort?

Answer 118

Lightweight NIDS

Question 119

What are some recent advance in NIDS technology?

Answer 119

1. Reduction of false-positive reporting through target OS identification
2. Integrated vulnerability assessment for threat profiling/alert prioritization
3. Integration in networking devices
4. IDS for wireless networks

Question 120

How do HIDS tools identify events of interest?

Answer 120

1. File integrity checks
2. Log file monitoring
3. Individual network monitoring

Question 121

Where do host-based intrusion detection work?

Answer 121

On a single host

Question 122

How does a HIDS provide File Integrity Checking?

Answer 122

By regularly checking the hashes of monitored files against an index of known hashes.

Question 123

What mechanism does log monitoring use to define events of interest from log files?

Answer 123

Inclusive or exclusive analysis

Question 124

What do vendors make use of to identify host operating systems, network architecture and what vulnerabilities are present on the network?

Answer 124

Passive analysis techniques

Question 125

What is easily the most widespread tool in information security?

Answer 125

Anti-virus software

Question 126

What is the art of analyzing threats and vulnerabilities, and determining the impact these risks have on your enterprise?

Answer 126

Risk management

Question 127

What is risk management’s main focus?

Answer 127

1. To reduce the risk until its at an acceptable level

2. To identify, control, and minimize the loss associated with each risk.

Question 128

What are the steps for an effective risk management process

Answer 128

1. Identify threats, vulnerabilities and analyze risks

2. Validate due care by using industry best practices.

Question 129

What is the classic definition of risk?

Answer 129

Risk = Threat X Vulnerability

Question 130

What is a threat?

Answer 130

Any event that can cause an undesirable outcome

Question 131

What is a vulnerability?

Answer 131

A weakness in a system that could be exploited

Question 132

When evaluating risk, it is helpful to ask yourself what key questions?

Answer 132

1. What could happen?
2. If it happened, how bad could it be?
3. How often could it happen?
4. How reliable are the answers to the previous questions?

Question 133

What is the formula for SLE?

Answer 133

Single Loss Expectancy = Asset Value ($) X Exposure Factor (EF)

Question 134

When computing single loss expectancy what is the percentage of loss a threat event would have on the asset called?

Answer 134

Exposure Factor (EF)

Question 135

What is the formula for ALE?

Answer 135

Annualized Loss Expectancy = SLE X Annualized Rate of Occurrence (ARO)

Question 136

When computing annualized loss expectancy what is the estimated frequency at which a threat is expect to occur called?

Answer 136

Annualized Rate of Occurrence (ARO)

Question 137

What are the two risk assessment approaches?

Answer 137

Qualitative and Quantitative

Question 138

Which risk assessment approach is more valuable as a business decision tool?

Answer 138

Quantitative since it works in metrics, usually dollars.

Question 139

The process of determining what is at risk and what is the impact if the identified threats materialize is known as?

Answer 139

Risk Analysis

Question 140

What types of scans are often referred to as stealth scans?
(Answers)
A. UDP scan
B. TCP scan
C. FIN scan
D. SYN scan

Answer 140

D. SYN scan

Question 140

What is the purpose of risk analysis?

Answer 140

1. Identify existing countermeasures, threats, and vulnerabilities
2. Support the expenditure of resources and to determine the most cost-effective safeguards to offset the risks
3. Aid in the selection of cost-effective countermeasures that will reduce existing risks to an acceptable level