401_3 Flashcards

Internet Security Technologies

1
Q

What was the Kevin Mitnick vs. Tsutomu Shimomura incident?

A

A famous example of an attack.
It compromised the three major tenets of security, CIA (confidentiality, integrity and availability):
Accessing files that were not his (confidentiality)
Penetrating network resources he had not been granted access to (confidentiality)
Executing a SYN flood as a DoS (availability)

3-6

2
Q

What is a trust relationship?

A

Means that a computer is familiar with another computer and trusts the information that is coming from it.

3-8

3
Q

How do complex attacks against specific target usually start?

A

With a reconnaissance phase in which the attacker maps out the lay of the LAN.

3-8

4
Q

What is the reconnaissance phase of an attack?

A

The phase in which the attacker determines which hosts are present and gathers as much information about them as possible.

3-8

5
Q

What is finger?

A

A Unix service that can return information about users.

3-9

6
Q

What is the use of a .rhosts file?

A

It directs one computer to accept incoming login connections (rlogin/rsh) from the other computer on trust, without prompting for a password.

3-9

7
Q

What is the use of a hosts.equiv file?

A

Directs one computer to accept logins from all users on a trusted machine without prompting for a password.

3-9

8
Q

What is showmount?

A

Unix command that lists the file systems exported by an NFS file server.

3-9

9
Q

What is rpcinfo?

A

Unix command to enumerate the various RPC-based services on a remote machine.

3-10

10
Q

What is Sun’s Network Information Service (NIS)?

A

Network user database included with most varieties of Unix.

3-10

11
Q

What is IP spoofing?

A

Sending packets to a remote computer while lying about your source IP address.

3-11

12
Q

What is SYN flooding?

A

Sending numerous SYN packets to the machine to be silenced but never completing the TCP three-way handshake, so the target fills up with half-open connections.

3-12

13
Q

What is the role of the initial sequence number in negotiating a TCP connection?

A

Each side picks an initial sequence number (ISN) for its SYN; the other side acknowledges it with ISN + 1, the next byte the ACKer expects to receive. A host that cannot see the SYN-ACK (for example one spoofing a trusted source address) has to guess the ISN to complete the handshake.

3-13
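
An added example (not part of the original flashcards) of the ISN guessing behind cards 1, 11 and 13. The server, the fixed 128000-per-connection step of `PredictableIsn` and the addresses are all constructed for illustration; `RandomIsn` stands in for the randomized ISNs that RFC 6528 specifies for modern stacks.

```python
import random

MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap


class PredictableIsn:
    """ISN source that adds a fixed constant per connection.

    Old BSD-derived stacks behaved like this; the 128000 step is an
    assumed value for illustration, not measured from any real host.
    """

    def __init__(self, start=0x1000, step=128000):
        self.next_isn = start
        self.step = step

    def new_isn(self):
        isn = self.next_isn
        self.next_isn = (isn + self.step) & MASK32
        return isn


class RandomIsn:
    """ISN source drawing a fresh 32-bit value per connection
    (seeded only so the example is repeatable)."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def new_isn(self):
        return self.rng.getrandbits(32)


class Server:
    """Minimal TCP listener: it remembers the ISN it put in each SYN-ACK and
    accepts a connection only when the final ACK carries that ISN + 1."""

    def __init__(self, isn_source):
        self.isn_source = isn_source
        self.pending = {}  # client address -> ISN we sent in the SYN-ACK

    def on_syn(self, src):
        isn = self.isn_source.new_isn()
        self.pending[src] = isn
        return isn  # this value travels in the SYN-ACK addressed to src

    def on_ack(self, src, ack_number):
        if src not in self.pending:
            return False
        return ack_number == (self.pending.pop(src) + 1) & MASK32


def predict_next_isn(observed):
    """Extrapolate the next ISN from two or more observed ones, assuming a
    constant per-connection increment."""
    step = (observed[-1] - observed[-2]) & MASK32
    return (observed[-1] + step) & MASK32


def blind_spoof(server, attacker_addr, trusted_addr):
    """The attacker can send packets with trusted_addr as source but never
    sees the SYN-ACK (cards 11-12: the trusted host has been silenced by a
    SYN flood).  Returns True if the server accepted the forged handshake."""
    # Probe: two real connections from the attacker's own address reveal
    # how the server picks ISNs.
    observed = [server.on_syn(attacker_addr) for _ in range(2)]
    guess = predict_next_isn(observed)
    # Spoofed SYN: the SYN-ACK goes to trusted_addr, unseen by the attacker.
    server.on_syn(trusted_addr)
    # Spoofed ACK: accepted only if the guess was right.
    return server.on_ack(trusted_addr, (guess + 1) & MASK32)


if __name__ == "__main__":
    for name, source in (("predictable", PredictableIsn()), ("random", RandomIsn(seed=7))):
        ok = blind_spoof(Server(source), "198.51.100.66", "10.0.0.5")
        print(f"{name:12s} ISNs: spoofed handshake {'accepted' if ok else 'rejected'}")
```

`blind_spoof` never reads the SYN-ACK, which is exactly the position a spoofer is in once the trusted host has been silenced; against the random generator the same sequence of steps has a 1 in 2^32 chance of success.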

14
Q

The information security cycle (also known as the risk management cycle) consists of what three parts?

A
  1. Prevention
  2. Detection
  3. Response
15
Q

In modern-day information security, what is often considered to be one of the most important tasks for system administrators and security professionals alike?

A

Patching of systems and applications.

16
Q

What two helpful functions does a firewall provide?

A
  1. Prevents outsiders from accessing internal network services
  2. Prevents outsiders from using spoofed IP addresses that should only appear inside your own network.
17
Q

What are three fairly common types of malicious code?

A
  1. Logic bombs
  2. Trojan horses
  3. Trap doors or back doors
18
Q

What are some of the more interesting DoS attacks?

A
  1. smurf
  2. SYN floods
  3. DDoS
19
Q

When does a DoS attack occur?

A

When a user is deprived of the use of some data, computing resource, or service due to malicious actions on the part of an attacker.

20
Q

What happens to the number of possible keys for every bit you add to the key length?

A

It doubles

21
Q

What is probably the least efficient attack?

A

Brute force

22
Q

What is the primary purpose of a browsing attack?

A

Reconnaissance

23
Q

What are race conditions also known as?

A

Time-of-Check/Time-of-Use (TOC/TOU, also written TOCTOU) attacks

24
Q

What is a firewall?

A

A means to control what is allowed across some point in a network as a mechanism to enforce policy.

25
Q

Firewalls are utilized at a variety of network locations, name two of them.

A
  1. Between the public internet and an organization’s private internal network
  2. Between a PC’s network interface card (NIC) and the rest of the PC
26
Q

Firewalls may be implemented as what?

A

Dedicated network appliances
Hardware or software inserted into a network device such as a router
Software running on a general purpose computer

27
Q

Where is a firewall most commonly deployed?

A

At boundaries between your site and the Internet

28
Q

Which of the following is not a primary benefit of a firewall?
(Answers)
A. Protect internal/external systems from attack
B. Help detect problems with network operations
C. Perform NAT (Network Address Translation)
D. Encrypt communications for VPN (IPSec)
E. Logging to aid in intrusion detection and forensics

A

B. Help detect problems with network operations

29
Q

What shortcomings can firewalls have?

A
  1. Attacks at the application layer may sneak through
  2. Dial-up, VPN, extranet connections may bypass firewalls
  3. Organizations may let down their guard in other security areas (passwords, patches, encryption)
  4. Management sees firewall as a silver bullet
30
Q

What are three methods to circumvent firewall policies?

A
  1. Installing modems
  2. Setting up wireless access
  3. Implementing peer-to-peer file sharing
31
Q

If a packet doesn't match a firewall rule, how is it processed?

A

Using the default rule which could be either deny all, which is more restrictive, or allow all, which is more permissive.

32
Q

Ingress and egress filtering applies to traffic headed in which directions?

A

Ingress - inbound traffic

Egress - outbound traffic

33
Q

What are low-end firewalls also known as?

A

Stateless Packet Filters

34
Q

What are possible state values in a stateful firewall?

A
  1. SYN_SENT
  2. SYN_RECV
  3. ESTABLISHED
  4. FIN_WAIT1
  5. LAST_ACK
  6. FIN_WAIT2
  7. CLOSED
35
Q

At what network layer do stateless packet filters and stateful firewalls operate?

A

Stateless operates at Layer 3 (Network)

Stateful operates at Layer 4 (Transport)

36
Q

What protocol headers are examined by stateful firewalls?

A

IP and TCP
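
An added example (not from the flashcards) of the state machine in cards 34-36 combined with the default-deny rule of card 31. The `StatefulFilter` class, the `Packet` summary and every address are constructed for illustration, and the state names follow the card's list rather than the full RFC 793 endpoint machine. The `half_open` counter at the end shows the trace that the SYN flood of card 12 leaves in a state table.

```python
import ipaddress
from collections import Counter, namedtuple

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed packet summary: only the IP and TCP header fields a stateful
# firewall actually looks at.
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatefulFilter:
    """Connection-tracking filter with a default-deny rule.

    State is kept per connection (both endpoints folded into one entry, the
    way conntrack does), so this is a simplification of RFC 793.
    """

    def __init__(self, internal_net, inbound_listeners=()):
        self.internal = ipaddress.ip_network(internal_net)
        self.listeners = set(inbound_listeners)  # ports outsiders may open
        self.table = {}  # (orig_src, sport, orig_dst, dport) -> state

    def _is_internal(self, ip):
        return ipaddress.ip_address(ip) in self.internal

    def _lookup(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        if fwd in self.table:
            return fwd, "orig"
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in self.table:
            return rev, "reply"
        return None, None

    def process(self, p):
        """Return ('ACCEPT' | 'DROP', state after the packet)."""
        key, direction = self._lookup(p)
        if key is None:
            # Only a bare SYN may create state, and only if it originates
            # inside or targets a port we deliberately expose.  Everything
            # else hits the default rule: deny.
            if p.flags == SYN and (self._is_internal(p.src) or p.dport in self.listeners):
                self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
                return "ACCEPT", "SYN_SENT"
            return "DROP", None
        new = self._transition(self.table[key], direction, p.flags)
        if new is None:
            return "DROP", self.table[key]  # packet makes no sense in this state
        self.table[key] = new
        return "ACCEPT", new

    @staticmethod
    def _transition(state, direction, flags):
        fin, syn, ack = flags & FIN, flags & SYN, flags & ACK
        if flags & RST:
            return "CLOSED"
        if state == "SYN_SENT":
            if direction == "reply" and syn and ack:
                return "SYN_RECV"
            if direction == "orig" and flags == SYN:
                return "SYN_SENT"  # retransmitted SYN
        elif state == "SYN_RECV":
            if direction == "orig" and ack and not syn:
                return "ESTABLISHED"
        elif state == "ESTABLISHED":
            if fin:
                return "FIN_WAIT1"
            if ack:
                return "ESTABLISHED"  # data segments and pure ACKs
        elif state == "FIN_WAIT1":
            if fin:
                return "LAST_ACK"  # other side is closing too
            if ack:
                return "FIN_WAIT2"  # first FIN acknowledged
        elif state == "FIN_WAIT2":
            if fin:
                return "LAST_ACK"
            if ack:
                return "FIN_WAIT2"
        elif state == "LAST_ACK":
            if ack:
                return "CLOSED"
        return None

    def half_open(self):
        """Half-open connections per destination host: what a SYN flood
        leaves behind, one entry per (spoofed) source."""
        counts = Counter()
        for (_, _, dst, _), state in self.table.items():
            if state in ("SYN_SENT", "SYN_RECV"):
                counts[dst] += 1
        return counts

    def flood_targets(self, threshold):
        return sorted(h for h, n in self.half_open().items() if n >= threshold)


if __name__ == "__main__":
    fw = StatefulFilter("10.0.0.0/24", inbound_listeners={80})
    for i in range(1, 51):  # SYN flood with a different forged source each time
        fw.process(Packet(f"198.51.100.{i}", 1000 + i, "10.0.0.80", 80, SYN))
    print("half-open per host:", dict(fw.half_open()))
```

An unsolicited inbound SYN+ACK (what an ACK scan or a spoofed reply looks like) is dropped because no entry in SYN_SENT exists for it; a stateless packet filter that only matches on ports would have had to let it through.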

37
Q

Proxy firewall must maintain a complete TCP connection state and sequencing through which two connections?

A
  1. The session user (the source) to the proxy

2. The proxy to the destination server

38
Q

What is the difference between operating system control and application control approaches to personal firewalls?

A

Application control blocks specific applications from accessing system resources such as the internet whereas operating system control blocks programs from running altogether.

39
Q

What are common Linux and Windows 7 personal firewall tools?

A

Linux - iptables

Windows - Windows 7 Firewall

40
Q

What is the most commonly overlooked feature of a firewall?

A

Using the logging functionality to generate a forensic trail of evidence.

41
Q

Why is RFC 1918 a very important standard?

A

Because it sets aside specific networks as private address space (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) that is not routed on the public Internet.
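
An added example (not from the flashcards) of the anti-spoofing rules of cards 16 and 32 built on the RFC 1918 ranges. The `BorderFilter` class, the site prefixes and the sample packets are constructed for illustration; 203.0.113.0/24 and 198.51.100.0/24 are documentation-only ranges standing in for real public addresses.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(ip, nets):
    return any(ip in n for n in nets)


class BorderFilter:
    """Anti-spoofing ingress/egress rules for a site's border firewall.

    site_prefixes: every prefix that legitimately appears as a source inside
    the site: its public block plus the RFC 1918 space it uses internally.
    """

    def __init__(self, site_prefixes):
        self.site = [ipaddress.ip_network(p) for p in site_prefixes]

    def check(self, direction, src, dst):
        """direction is 'ingress' (Internet -> site) or 'egress' (site -> Internet).
        Returns (verdict, reason)."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if direction == "ingress":
            if _in_any(src_ip, self.site):
                return "DROP", "source claims to be one of our own addresses"
            if _in_any(src_ip, RFC1918) or src_ip.is_loopback:
                return "DROP", "private or loopback source cannot come from the Internet"
            if not _in_any(dst_ip, self.site):
                return "DROP", "destination is not ours (no transit)"
            return "ACCEPT", ""
        if direction == "egress":
            if not _in_any(src_ip, self.site):
                return "DROP", "source is not ours: forged packet leaving the site"
            if _in_any(dst_ip, RFC1918):
                return "DROP", "private destination is unroutable on the Internet"
            return "ACCEPT", ""
        raise ValueError(f"unknown direction {direction!r}")


def filter_log(border, packets):
    """Apply the rules to (direction, src, dst) tuples and return log lines,
    since the cards point out that the log is the most overlooked feature."""
    lines = []
    for direction, src, dst in packets:
        verdict, reason = border.check(direction, src, dst)
        suffix = f"  ({reason})" if reason else ""
        lines.append(f"{direction:7s} {src:>15s} -> {dst:<15s} {verdict}{suffix}")
    return lines


if __name__ == "__main__":
    site = BorderFilter(["203.0.113.0/24", "10.1.0.0/16"])
    sample = [  # constructed traffic
        ("ingress", "198.51.100.23", "203.0.113.10"),
        ("ingress", "203.0.113.10", "203.0.113.11"),
        ("ingress", "192.168.1.5", "203.0.113.10"),
        ("egress", "10.1.4.9", "198.51.100.23"),
        ("egress", "172.16.0.1", "198.51.100.23"),
    ]
    print("\n".join(filter_log(site, sample)))
```

The egress rule is what keeps your own hosts from taking part in a spoofed-source SYN flood against someone else; the ingress rule is what card 16 calls preventing outsiders from using addresses that should only appear inside your network.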

42
Q

What does Network Address Translation (NAT) enable?

A

Many more computers to participate in the public Internet than available addresses would otherwise allow and provides a degree of privacy regarding your internal network structure.

43
Q

True or False: generally, NAT is used in the inbound direction, from the Internet to your network.

A

False - NAT is typically used in the outbound direction, from your network to the Internet.

44
Q

The process of translating traffic from multiple internal hosts to a single external address is called?

A

Port Address Translation (PAT), also called NAT overload or NAPT
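
An added example (not from the flashcards) of the translation table behind cards 42-44. The `PortAddressTranslator` class and every address are constructed, and port allocation is a plain counter rather than the hashed or randomized choice a real NAT device makes.

```python
import itertools


class PortAddressTranslator:
    """Many inside hosts share one public address; each outbound flow gets its
    own public source port and the mapping is reversed for replies."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.out = {}   # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.back = {}  # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, src, sport, dst, dport):
        """Translate a packet leaving the site.  Returns the new 4-tuple."""
        key = (src, sport, dst, dport)
        if key not in self.out:
            public_port = next(self.ports)
            self.out[key] = public_port
            self.back[(public_port, dst, dport)] = (src, sport)
        return self.public_ip, self.out[key], dst, dport

    def inbound(self, src, sport, dst, dport):
        """Reverse the translation for a reply.  Returns None (drop) for
        anything no inside host initiated: this is why NAT is an outbound
        mechanism in practice and why the inside layout stays hidden."""
        if dst != self.public_ip:
            return None
        inside = self.back.get((dport, src, sport))
        if inside is None:
            return None
        return src, sport, inside[0], inside[1]


def what_the_server_sees(pat, flows):
    """flows: (inside_ip, inside_port, server_ip, server_port) tuples.
    Returns the set of source addresses the remote server observes."""
    return {pat.outbound(*flow)[0] for flow in flows}


if __name__ == "__main__":
    pat = PortAddressTranslator("203.0.113.1")
    for flow in [("10.1.0.5", 51000, "198.51.100.80", 443), ("10.1.0.6", 51000, "198.51.100.80", 443)]:
        print(flow, "->", pat.outbound(*flow))
    print("unsolicited inbound:", pat.inbound("198.51.100.80", 443, "203.0.113.1", 1026))
```

Two inside hosts may even use the same source port (51000 here); the public port is what keeps their flows apart, and a reply only gets in if it matches a mapping that an outbound packet created.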

45
Q

What is a honeypot?

A

An information system resource whose value lies in unauthorized or illicit use of that resource.

46
Q

What are some system resources that might be used as honeypots?

A
  1. A dedicated server
  2. A simulated system or state machine
  3. A service on a selected host
  4. A virtual server
  5. A single file with special attributes which is sometimes called a honeytoken
47
Q

What are some of the advantages of honeypots?

A
  1. Provides insight into the tactics, motives, and tools of attackers
  2. Reduces challenges of false positives, false negatives, and data collection by determining true attack traffic
  3. Provides additional Defense-in-Depth for organizations
48
Q

What can be said about the use or access of a honeypot or honeytoken?

A

It could be accidental or hostile but always unauthorized.

49
Q

Why can honeypots capture and identify hostile activity from exploits that are not currently known?

A

Because all access to this is unauthorized and therefore either hostile or accidental in nature.

50
Q

What is the most significant reason organizations should not deploy honeypots?

A

The risk of misconfigured honeypots

51
Q

Why do honeypots become a resource burden for organizations?

A

Because they require:

  1. constant monitoring
  2. swift response
  3. detailed analysis of attacks
52
Q

What are the four general categories for classifying a honeypot?

A
  1. Purpose: Production or Research
  2. Location: Internal or External
  3. Scope: Honeynet (network), Honeypot (system), Honeytoken (file)
53
Q

During which phase of an attack does the adversary find new systems, map out networks, and probe for specific, exploitable vulnerabilities?

A

Reconnaissance.

54
Q

Evidence of reconnaissance activity may be a clue to what?

A

A targeted attack may be on the horizon.

55
Q

What are the 3 Rs?

A
  1. Reconnaissance
  2. Resource Protection
  3. ROI
56
Q

The best use of the security dollar would be to ensure that a scanning program also has what?

A

A solid prioritized remediation process

57
Q

Scanning without remediating might actually be considered what?

A

Negligence

58
Q

What is a simple ROI formula?

A

ROI = (gain - expenditure) / expenditure × 100%

59
Q

Why is it important to define ROI when discussing it?

A

Because ROI can mean different things in different contexts.

60
Q

What are some common uses of ROI?

A
  1. Development of a business case
  2. Evaluating whether to go ahead with the purchase of a product/service/line of business
  3. Predicting revenue
61
Q

What are the 5 vulnerability axioms?

A
  1. Vulnerabilities are the gateway through which threats are manifested
  2. Vulnerability scans without remediation have little value
  3. A little scanning and remediation is better than a lot of scanning and less remediation
  4. Prioritizing systems and vulnerabilities is critical
  5. Stay on track
62
Q

Prevention is another type of what?

A

Countermeasure

63
Q

List 5 threat vectors?

A
  1. Outsider attack from network
  2. Outsider attack from telephone
  3. Insider attack from local network
  4. Insider attack from local system
  5. Attack from malicious code
64
Q

How can Firewalls protections be bypassed?

A
  1. Worms and Wireless
  2. Modems/wireless hot spots set up by users to get around a restrictive firewall
  3. Tunnel anything through HTTP
  4. Social engineering
65
Q

The more restrictive a site’s firewall policy the more likely the employees will use what?

A

A modem

66
Q

What is social engineering?

A

An attempt to manipulate or trick a person into providing valuable information or access to that information.

The process of attacking a network or system by exploiting the people who interact with that system.

67
Q

What type of social engineering involves one person trying to get valuable information from another person?

A

Human-based

68
Q

Exploiting human curiosity, gullibility, or greed, even automatically via mass-mail worms, is pure what at work?

A

Social Engineering

69
Q

What is the best defense against social engineering?

A

Establish clear security policies and enforce them.

70
Q

What network analysis tool fits ping’s ICMP concept to TCP and UDP?

A

hping3

71
Q

How does hping3 find silent hosts?

A

By sending a repeated TCP ping to a host and examining the TCP sequence and IP ID numbers it returns, it is possible to tell whether that host is exchanging traffic with any other host: a truly silent host's IP ID counter does not advance between probes.

72
Q

What is a TCP version of Ping?

A

hping3

73
Q

What is a Port Scan?

A

The process of enumerating all hosts that respond on a given network and determining which ports on each machine have listener processes bound to them.

74
Q

What is a popular freeware network mapping tools that supports a large number of scanning techniques including port scanning (TCP and UDP), SYN, FIN, ACK, as well as ICMP ping sweeps?

A

Nmap

75
Q

How do port scanners often report on the services running on each port?

A

Usually from a text file that maps port numbers to their well-known service names (such as /etc/services), so the name reflects the service expected on that port, not what is actually listening there.

76
Q

What are the three possible states indicated for each port during an Nmap scan?

A
  1. Open
  2. Closed
  3. Filtered
(Newer Nmap versions add unfiltered, open|filtered and closed|filtered for cases where a probe cannot tell two of these apart.)
77
Q

What are general scan techniques available from Nmap?

A
  1. Full open (TCP connect scan, -sT)
  2. Half open (SYN or "stealth" scan, -sS; the scanner never sends the final ACK of the handshake)
  3. UDP (-sU)
  4. Ping scans (-sn, formerly -sP)
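
An added example (not from the flashcards, and not Nmap code) of how a scanner turns replies into the port states of cards 75-77. The `SERVICES_TEXT` stand-in for /etc/services, the response tuples and the classifier functions are all constructed for illustration; the decision rules themselves (SYN/ACK means open, RST means closed, silence or an ICMP unreachable means filtered, plus the UDP ambiguity) are the ones Nmap documents.

```python
# TCP flag bits.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed stand-in for /etc/services, the text file that maps port
# numbers to well-known service names.
SERVICES_TEXT = """\
# name     port/proto
ssh        22/tcp
smtp       25/tcp
domain     53/udp
http       80/tcp
https      443/tcp
"""


def parse_services(text):
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table[(int(port), proto)] = name
    return table


def classify_tcp_probe(response):
    """State of a port after a SYN probe.
    response: None (nothing came back), ("tcp", flags) or ("icmp", type, code)."""
    if response is None:
        return "filtered"        # silently dropped by a filter
    if response[0] == "tcp":
        flags = response[1]
        if flags & RST:
            return "closed"      # RST: nothing listening
        if flags & SYN and flags & ACK:
            return "open"        # SYN/ACK: a listener answered
    # ICMP unreachable (type 3, codes 1,2,3,9,10,13) or any unexpected reply:
    # a filtering device is in the way.
    return "filtered"


def classify_udp_probe(response):
    """UDP gives less to go on: silence can mean open or filtered."""
    if response is None:
        return "open|filtered"
    if response[0] == "udp":
        return "open"
    if response[0] == "icmp" and response[1] == 3 and response[2] == 3:
        return "closed"          # port unreachable
    return "filtered"            # other ICMP unreachable codes


def probe_sequence(technique, target_replied_syn_ack):
    """Packets the scanner sends for a full-open vs a half-open scan."""
    if technique == "full-open":   # TCP connect(): completes the handshake
        return ["SYN", "ACK"] if target_replied_syn_ack else ["SYN"]
    if technique == "half-open":   # SYN scan: tears down instead of completing
        return ["SYN", "RST"] if target_replied_syn_ack else ["SYN"]
    raise ValueError(technique)


def scan_report(results, services):
    """results: (port, proto, response) tuples -> (port, proto, state, service)."""
    report = []
    for port, proto, response in results:
        state = classify_tcp_probe(response) if proto == "tcp" else classify_udp_probe(response)
        report.append((port, proto, state, services.get((port, proto), "unknown")))
    return report


if __name__ == "__main__":
    svc = parse_services(SERVICES_TEXT)
    observed = [  # constructed replies from one target
        (22, "tcp", ("tcp", SYN | ACK)),
        (25, "tcp", ("tcp", RST | ACK)),
        (8080, "tcp", None),
        (53, "udp", ("icmp", 3, 3)),
    ]
    for row in scan_report(observed, svc):
        print("%5d/%s %-14s %s" % row)
```

Port 8080 comes back "filtered" with service "unknown": the service column is a lookup, not a fingerprint, which is the caveat behind card 75.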
78
Q

How do scanners identify operating systems?

A

By performing several different tests and correlating the output to develop a fingerprint for each OS.

79
Q

What is the cardinal rule of scanning or vulnerability assessment?

A

To be certain to only scan systems that you own or are authorized to scan.

80
Q

What are 4 things to consider before you invest money in a vulnerability scanner?

A
  1. How is the product licensed?
  2. How interoperable is the product? Does it support the Common Vulnerabilities and Exposures (CVE) standard for cataloging vulnerabilities?
  3. Can you easily compare the results of a scan today with the results of one four weeks ago?
  4. Does your manager like the report output?
81
Q

What is the difference between a penetration tester and a hacker?

A

Permission

82
Q

How do you do a vulnerability scan?

A
  1. Get permission
  2. Put out the word
  3. Select the targets carefully
  4. Run a heavy scan, but do not enable DoS checks
  5. Only scan when you are in the office and reachable by phone
  6. Fix the red "priority" problems first
83
Q

What is OpenVAS?
(Answers)
A. Port scanner
B. Vulnerability scanner
C. Firewall
D. Network intrusion detection system

A

B. Vulnerability scanner

84
Q

What is any point where an attacker can gain access to the network, including wireless called?

A

A network perimeter

85
Q

What are the two favored tools for wireless network mapping?

A
  1. NetStumbler

2. Kismet

86
Q

What tool is designed to be a passive wireless sniffer, a wardriving tool, a wireless vulnerability assessment tool and an intrusion detection tool?

A

Kismet

87
Q

What is the difference in the way NetStumbler and Kismet discover wireless networks?

A

NetStumbler uses an active approach whereas Kismet is completely passive

88
Q

In addition to identifying located wireless networks, what information about discovered wireless networks can Kismet provide?

A
  1. Clients that are on the network
  2. Cryptographically weak traffic
  3. clear-text strings transmitted over the wireless network
  4. factory-default access point configurations
89
Q

Driving, or walking, or busing, or sitting still with equipment to detect wireless networks is called?

A

Wardriving

90
Q

How can you reduce the range from where an attacker can map a wireless network?

A
  1. By reducing the signal strength
  2. Using careful placement techniques to limit RF leakage
  3. RF-barriers such as metal-screening inside exterior walls
91
Q

What is the best defense for a wireless network?

A

Strong authentication and encryption system

92
Q

What is a simple means of trying to identify modems that may be susceptible to compromise in an attempt to circumvent perimeter security called?

A

War Dialing

93
Q

What is completed at the conclusion of a vulnerability scan and is used to determine the validity of any identified vulnerabilities?

A

Penetration Test

94
Q

What is another term for penetration testing?

A

Ethical Hacking

95
Q

List 6 Pen Test Techniques?

A
  1. War dialing
  2. War driving
  3. Sniffing
  4. Eavesdropping
  5. Dumpster diving
  6. Social engineering
96
Q

What should organizations consider doing to maintain an audit trail of how and when systems were assessed?

A

Logging all access to systems through scanning tools, even authorized scans.

97
Q

What is the process of monitoring activity on your network or host and can also be thought of as an alarm system for identifying undesirable activity on your network or hosts?

A

Intrusion Detection or IDS

98
Q

IDSs should be utilized in conjunction with firewalls, anti-virus software, vulnerability assessment and patch management tools to support a ___________ posture.

A

Defense-in-Depth

99
Q

What is IDS Not?

A
  1. A replacement for firewalls, strong policies, system hardening, timely patching and other defense-in-depth techniques
  2. A low-maintenance tool
  3. An inexpensive tool
  4. A silver bullet
100
Q

What is IDS in its most basic form?

A

Log messages from any device.

101
Q

What generates IDS alerts?

A

Events of Interest (EOI)

102
Q

What 4 types of IDS events must analysts understand?

A
  1. True Positive
  2. False Positive
  3. True Negative
  4. False Negative
103
Q

What are three different methods used by NIDS devices to identify events of interest on the network?

A
  1. Signature Analysis
  2. Anomaly Analysis
  3. Application or Protocol Analysis
104
Q

How does signature analysis work to identify events of interest on the network?

A
  1. Performs pattern matching
  2. Rules indicate criteria in packets that represent EOI
  3. Rules are applied to packets as they are received by the IDS
  4. Alerts are created when matches are found
105
Q

Most IDS tools will allow the analyst to examine and classify data on what packet characteristics?

A
  1. Protocol, address and port information
  2. Payload contents
  3. String matching
  4. Traffic flow analysis
  5. Flags in protocol headers
  6. Any fields in the packet
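
An added example (not from the flashcards, and not Snort code) of the rule-based matching in cards 104-105. `RULES_TEXT` uses a Snort-like syntax restricted to the header fields plus the msg, content and flags options; the parser, the matcher and the sample packets are all constructed. The third sample packet trips the looser content rule on a benign request, which is the false positive of card 102.

```python
import ipaddress

FLAGBITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# Constructed rules (Snort-like subset, not real Snort rules).
RULES_TEXT = """\
alert tcp any any -> 10.0.0.0/24 80 (msg:"web path traversal"; content:"../../etc/passwd";)
alert tcp any any -> 10.0.0.0/24 80 (msg:"passwd string in web request"; content:"passwd";)
alert tcp !10.0.0.0/24 any -> 10.0.0.0/24 22 (msg:"inbound SSH connection attempt"; flags:S;)
"""


def parse_rule(line):
    """action proto src sport -> dst dport (key:value; key:"value"; ...)"""
    head, _, opts = line.partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()
    if arrow != "->":
        raise ValueError("only -> rules are supported: " + line)
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
    for item in opts.rstrip(")").split(";"):
        key, _, value = item.strip().partition(":")
        if key:
            rule[key] = value.strip().strip('"')
    return rule


def _addr_match(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header criteria first (cheap), then flags, then payload content."""
    if rule["proto"] not in ("any", pkt["proto"]):
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    if not (_port_match(rule["sport"], pkt["sport"]) and _port_match(rule["dport"], pkt["dport"])):
        return False
    if "flags" in rule:
        wanted = sum(FLAGBITS[c] for c in rule["flags"])
        if pkt.get("flags", 0) != wanted:  # exact match, like Snort's flags keyword without modifiers
            return False
    if "content" in rule and rule["content"].encode() not in pkt.get("payload", b""):
        return False
    return True


def run_ids(rules, packets):
    """Apply every rule to every packet; return (msg, src, dst, dport) alerts."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((rule["msg"], pkt["src"], pkt["dst"], pkt["dport"]))
    return alerts


def sample_packets():
    """Constructed traffic: two attacks, one benign request that trips the
    looser content rule, and two that trip nothing."""
    push_ack = FLAGBITS["P"] | FLAGBITS["A"]
    return [
        {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "10.0.0.80", "dport": 80,
         "flags": push_ack, "payload": b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1\r\n"},
        {"proto": "tcp", "src": "198.51.100.7", "sport": 40002, "dst": "10.0.0.22", "dport": 22,
         "flags": FLAGBITS["S"]},
        {"proto": "tcp", "src": "203.0.113.9", "sport": 40003, "dst": "10.0.0.80", "dport": 80,
         "flags": push_ack, "payload": b"GET /help/passwd-reset HTTP/1.1\r\n"},
        {"proto": "tcp", "src": "10.0.0.5", "sport": 40004, "dst": "10.0.0.22", "dport": 22,
         "flags": FLAGBITS["S"]},
        {"proto": "tcp", "src": "203.0.113.9", "sport": 40005, "dst": "10.0.0.80", "dport": 80,
         "flags": push_ack, "payload": b"GET /index.html HTTP/1.1\r\n"},
    ]


if __name__ == "__main__":
    rules = [parse_rule(line) for line in RULES_TEXT.splitlines() if line.strip()]
    for alert in run_ids(rules, sample_packets()):
        print("ALERT %-32s %s -> %s:%d" % alert)
```

The second rule fires on both the real traversal and the help-page request; judging a product by how many rules it ships (card 112) says nothing about how many of them fire on traffic like the third packet.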
106
Q

What must first be known in order for anomaly analysis to identify events of interest on the network?

A

A baseline of “normal” network activity/traffic

107
Q

Why is the use of protocol analysis as an IDS technique very powerful?

A

Because it can detect both known and unknown attacks against a protocol.

108
Q

From a network-based IDS perspective, vendors have implemented what two different mechanisms of inspecting traffic, typically with rule-based analysis measures?

A
  1. Shallow Packet Inspection

2. Deep Packet Inspection

109
Q

What are the characteristics of shallow and deep packet inspections?

A

Shallow Packet Inspection

  • Fast, but provides little fidelity
  • Examines header information, limited payload data

Deep Packet Inspection

  • Slow, requires stateful tracking of data
  • Inspects all fields, including variable-length fields
110
Q

Scalability, insight into traffic on the network, detecting problems with network operations, helping organizations react swiftly to incidents, auditing for other security measures, and providing additional flexibility in securing information assets are advantages of what kind of tool?

A

A Network Intrusion Detection System (NIDS)

111
Q

When cryptography is used heavily on the network, where is the only useful place to put a sensor?

A

A host at either end of the encrypted channel, capturing the traffic before it is encrypted or after it is decrypted.

112
Q

A common mistake made in evaluating IDS tools is using the ______________ as a guide for selecting a vendor’s product.

A

number of rules or signatures

113
Q

Additional processing burdens on the IDS include what?

A
  1. Decryption of traffic
  2. Packet and Stream reassembly
  3. Data normalization
114
Q

What happens when your IDS is overloaded with more throughput than it can handle?

A

Performance tends to degrade rapidly, not just discarding excess packets, but thrashing from resource exhaustion.

115
Q

What can be done to lessen the aggregate bandwidth a NIDS device needs to process?

A

Move it downstream

116
Q

What is the financial reality behind deploying an IDS?

A

The capital cost is a small fraction of the overall cost.

117
Q

To get the most benefit from an ______ system, organizations must have analysts that are well-trained in the necessary skills of intrusion analysis and incident handling.

A

IDS

118
Q

What kind of tool is Snort?

A

Lightweight NIDS

119
Q

What are some recent advance in NIDS technology?

A
  1. Reduction of false-positive reporting through target OS identification
  2. Integrated vulnerability assessment for threat profiling/alert prioritization
  3. Integration in networking devices
  4. IDS for wireless networks
120
Q

How do HIDS tools identify events of interest?

A
  1. File integrity checks
  2. Log file monitoring
  3. Individual network monitoring
121
Q

Where does host-based intrusion detection work?

A

On a single host

122
Q

How does a HIDS provide File Integrity Checking?

A

By regularly checking the hashes of monitored files against an index of known hashes.
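
An added example (not from the flashcards) of the file integrity checking in card 122. The `build_index`/`compare` functions and the temporary file tree in `demo()` are constructed for illustration; the tampered files echo the trust files of cards 6-7.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_hash(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_index(root):
    """Hash every regular file under root, keyed by POSIX-style relative path.
    This is the 'index of known hashes' the card refers to."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(index, current):
    """Diff a fresh scan against the stored index."""
    return {
        "changed": sorted(f for f in index if f in current and index[f] != current[f]),
        "removed": sorted(f for f in index if f not in current),
        "added": sorted(f for f in current if f not in index),
    }


def demo():
    """Constructed file tree: baseline it, tamper with it, report the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts.equiv").write_text("trusted.example.net\n")
        (root / "var" / "log" / "auth.log").write_text("login from trusted.example.net\n")
        index = build_index(root)  # taken while the system is known-good

        # Tampering: trust everyone, drop a script, erase a log.
        (root / "etc" / "hosts.equiv").write_text("+ +\n")
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")
        os.remove(root / "var" / "log" / "auth.log")

        return compare(index, build_index(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:8s} {files}")
```

The index is only worth something if it lives where the intruder cannot rewrite it alongside the files (off-host, or on read-only media); otherwise the hosts.equiv change reported here would simply be re-baselined away.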

123
Q

What mechanism does log monitoring use to define events of interest from log files?

A

Inclusive or exclusive analysis

124
Q

What do vendors make use of to identify host operating systems, network architecture and what vulnerabilities are present on the network?

A

Passive analysis techniques

125
Q

What is easily the most widespread tool in information security?

A

Anti-virus software

126
Q

What is the art of analyzing threats and vulnerabilities, and determining the impact these risks have on your enterprise?

A

Risk management

127
Q

What is risk management’s main focus?

A
  1. To reduce the risk until it is at an acceptable level

2. To identify, control, and minimize the loss associated with each risk.

128
Q

What are the steps for an effective risk management process

A
  1. Identify threats, vulnerabilities and analyze risks

2. Validate due care by using industry best practices.

129
Q

What is the classic definition of risk?

A

Risk = Threat × Vulnerability

130
Q

What is a threat?

A

Any event that can cause an undesirable outcome

131
Q

What is a vulnerability?

A

A weakness in a system that could be exploited

132
Q

When evaluating risk, it is helpful to ask yourself what key questions?

A
  1. What could happen?
  2. If it happened, how bad could it be?
  3. How often could it happen?
  4. How reliable are the answers to the previous questions?
133
Q

What is the formula for SLE?

A

Single Loss Expectancy (SLE) = Asset Value ($) × Exposure Factor (EF)

134
Q

When computing single loss expectancy what is the percentage of loss a threat event would have on the asset called?

A

Exposure Factor (EF)

135
Q

What is the formula for ALE?

A

Annualized Loss Expectancy (ALE) = SLE × Annualized Rate of Occurrence (ARO)

136
Q

When computing annualized loss expectancy, what is the estimated frequency at which a threat is expected to occur called?

A

Annualized Rate of Occurrence (ARO)
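
An added example (not from the flashcards) carrying the formulas of cards 58, 133 and 135 through one decision. The asset value, exposure factors, rates and the two countermeasures are constructed figures; it goes slightly beyond the cards by ranking countermeasures on ROI, taking the gain to be the ALE a control removes.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset_value: float      # $ value of the asset at risk
    exposure_factor: float  # fraction of that value lost per event (EF)
    aro: float              # events expected per year (ARO)

    def sle(self):
        """Single Loss Expectancy = Asset Value x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


def residual_ale(threat, control):
    return threat.asset_value * control.exposure_factor_after * control.aro_after


def roi_percent(threat, control):
    """ROI = (gain - expenditure) / expenditure x 100%, where the gain is the
    yearly loss the control avoids."""
    gain = threat.ale() - residual_ale(threat, control)
    return (gain - control.annual_cost) / control.annual_cost * 100


def rank_by_roi(threat, controls):
    return sorted(controls, key=lambda c: roi_percent(threat, c), reverse=True)


# Constructed figures, not from any real assessment.
CUSTOMER_DB = Threat("customer database breach", asset_value=500_000, exposure_factor=0.4, aro=0.2)
OPTIONS = [
    Countermeasure("patch cadence + DB encryption", annual_cost=15_000, exposure_factor_after=0.1, aro_after=0.2),
    Countermeasure("inline appliance", annual_cost=50_000, exposure_factor_after=0.4, aro_after=0.05),
]

if __name__ == "__main__":
    print(f"SLE ${CUSTOMER_DB.sle():,.0f}  ALE ${CUSTOMER_DB.ale():,.0f}")
    for c in rank_by_roi(CUSTOMER_DB, OPTIONS):
        print(f"{c.name:32s} residual ALE ${residual_ale(CUSTOMER_DB, c):,.0f}"
              f"  ROI {roi_percent(CUSTOMER_DB, c):+.0f}%")
```

Both options leave the same residual ALE, so looking at risk alone cannot separate them; the ROI does, which is the point of card 59's warning to say what you mean by ROI before comparing numbers.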

137
Q

What are the two risk assessment approaches?

A

Qualitative and Quantitative

138
Q

Which risk assessment approach is more valuable as a business decision tool?

A

Quantitative since it works in metrics, usually dollars.

139
Q

The process of determining what is at risk and what is the impact if the identified threats materialize is known as?

A

Risk Analysis

140
Q

What types of scans are often referred to as stealth scans?
(Answers)
A. UDP scan
B. TCP scan
C. FIN scan
D. SYN scan

A

D. SYN scan

141
Q

What is the purpose of risk analysis?

A
  1. Identify existing countermeasures, threats, and vulnerabilities
  2. Support the expenditure of resources and to determine the most cost-effective safeguards to offset the risks
  3. Aid in the selection of cost-effective countermeasures that will reduce existing risks to an acceptable level