701 - Chapter 4

Question 1

What is the additional software installed on a system such as a workstation or server that monitors the host, can detect potential attacks and analyzes critical operating system files?

Answer 1

Host based intrusion detection system HIDS

Question 2

What is the primary goal of an IDS?

Answer 2

To monitor traffic and then alert administrators to suspicious activity

Question 3

For HIDS, where does the traffic pass through that it is monitoring?

Answer 3

The network interface card NIC

Question 4

In some cases, HIDS can also detect this?

Answer 4

Malware

Question 5

What is the IDS that monitors traffic on a network?

Answer 5

Network based intrusion detection system, NIDS

Question 6

With NIDS, what is installed on network devices such as switches, routers or firewalls? What do they do? And what do they do with the data?

Answer 6

Sensors or collectors… They gather data from the network… They report to a central monitoring network appliance hosting a NIDS console…

Question 7

True or false NDS is able to decrypt encrypted traffic

Answer 7

False

Question 8

For NIDS, in addition to Switches, routers, firewalls…What else can be used to capture the network traffic?

Answer 8

a tap or port mirror

Question 9

What are the two detection methods used by IDS?

Answer 9

Signature based and trend based

Question 10

How does a signature based IDS work? And what do need to do to be continually effective?

Answer 10

They use a database of known vulnerabilities or known attack patterns… Both the signatures and antivirus definitions from the vendor need to be updated regularly to protect against current threats

Question 11

How does a trend based IDS work?

Answer 11

It starts by identifying the networks regular operation or normal behavior and create a baseline… after the baseline is established, the IDS will monitor network traffic and compare the current network behavior to its baseline

Question 12

Which type of IDS is effective against zero day exploits?

Answer 12

Trend based

Question 13

True or false with a trend based detection IDS once the baseline is established, it’s good forever?

Answer 13

False… Anytime significant changes to a system or network are made that causes normal behavior to change they should re-create the baseline

Question 14

What does an IDS include to store log entries from dissimilar Systems?

Answer 14

An aggregator

Question 15

What can an IDS do if it detects an issue based on the rules created by the organization?

Answer 15

It can provide an alert or an alarm

Question 16

What are the four possible responses of an IDS to an attack or perceived attack? And which two are problematic

Answer 16

False positive, false negative, true negative, true positive… the false positive and the false negative

Question 17

With an IDS, what does an administrator configure within the rules? And how do administrators configure this number with regard to false positives and false negatives?

Answer 17

A threshold… it needs to be high enough to minimize false positives, but low enough that it does not allow false negatives

Question 18

And IDS is what type of control and an IPS is what type of control?

Answer 18

Detective… Preventative

Question 19

What are two differences between an IPS and an IDS?

Answer 19

An IPS can detect react to and prevent attacks whereas an IDS can only detect them… and IPS is in line with the network traffic, where as an IDS can only monitor the traffic using a network tap

Question 20

Because an IPS is in line with traffic, it is sometime referred to as what? And an IDS which is out of band is sometimes referred to as what

Answer 20

Active and passive

Question 21

Why is it important to have in some cases in IPS on the outside and on the inside of a network?

Answer 21

To protect against remote access Trojans installed internally through fishing or malware attacks

Question 22

What is a device that it’s intention is to divert an attacker away from the live network?

Answer 22

A honeypot

Question 23

What are the two objectives of a honeypot?

Answer 23

To deceive attackers and divert them from the live network and to allow observation of an attacker and learn from there methodologies

Question 24

What is a group of honeypots called? And what does it mimic?

Answer 24

A honey net… the functionality of a live network

Question 25

What is a file design to attract the attention of an attacker called?

Answer 25

A honey file

Question 26

What is a fake record, inserted into a database and used to detect data theft called?

Answer 26

A honey token

Question 27

What is where wireless clients connect to a wired network called

Answer 27

A wireless access point

Question 28

True or false… All wireless routers are access points, but not all access points are wireless routers

Answer 28

True

Question 29

What are the two primary radio bands for a wireless network?

Answer 29

2.4 GHz and 5 GHz

Question 30

With which band do wireless signals travel farthest? and which one provides the widest bandwidth?

Answer 30

2.4 and 5

Question 31

Wireless networks are identified by what? And why is it good practice to change its default?

Answer 31

SERVICE set identifier SSID… because the default name might indicate the type of access point it is

Question 32

True or false with a wireless network it is relatively easy for an attacker to circumvent MAC filtering?

Answer 32

True

Question 33

What kind of attack is a wireless network susceptible to with regards to MAC addresses? And how does that work?

Answer 33

A MAC cloning attack also called a MAC spoofing attack… it works when the attacker changes his computers MAC address to one allowed in an authorized system

Question 34

What do administrators often perform when planning and deploying a wireless network?

Answer 34

A site survey

Question 35

What does a site survey provide?

Answer 35

It identifies the potential problem areas

Question 36

What identifies an analyzes activity on channels within the wireless spectrum and allow you to analyze one frequency range at a time to see each channels activity and power levels on a graph?

Answer 36

A Wi-Fi analyzer

Question 37

With a site survey, what tool gives you a color-coded representation of the wireless signals (which shows the wireless coverage and dead spots if they exist)?

Answer 37

A heat map

Question 38

What gives you a detailed diagram of wireless access points, hotspots, and dead spots within an organization?

Answer 38

Wireless footprinting

Question 39

What are the two types of antennas?

Answer 39

Omni directional and directional

Question 40

What are two wireless protocols that are deprecated and should not be used?

Answer 40

WEP and WPA

Question 41

What are the three modes in WPA2?

Answer 41

Open mode which doesn’t use any security…PSK mode Which uses a pre-shared key or passphrase also known as Wi-Fi password… enterprise mode which forces users to authenticate with unique credentials before granting access to the network

Question 42

True or false with PSK, the user is authenticated into the wireless network

Answer 42

False…It provides authorization only without authentication.

Question 43

What 802 standard is WPA2 associated with? and what 802 standard is enterprise mode associated with?

Answer 43

802.11i and 802.1x

Question 44

What does enterprise mode use to add authentication?

Answer 44

A RADIUS server

Question 45

WPA2 supports what protocol, which is based on AES?

Answer 45

CCMP… Counter-mode/CBC-MAC protocol

Question 46

WPA3 uses what instead of a pre-shared key?

Answer 46

Simultaneous authentication of equals SAE

Question 47

What are the three modes in WPA3?

Answer 47

Enhanced open mode, SAE mode, enterprise mode

Question 48

What does enhanced open mode in WPA3 offer over open mode and WPA2?

Answer 48

It uses strong encryption to protect the communication of unauthenticated users, which allows to easily run a secure guest network

Question 49

What does SAE replace?

Answer 49

It replaces PSK mode of WPA2, it uses a pass phrase, but add strong security defenses to the technology

Question 50

True or false WPA3 enterprise mode continues to use a RADIUS server and user authentication?

Answer 50

True

Question 51

What is EAP?

Answer 51

Extensible authentication protocol, it is an authentication framework

Question 52

EAP protocol provides what method for two systems to create a secure encryption key? Then uses what to encrypt all data transmitted between the devices? Does it require or support a certificate?

Answer 52

Pairwise master key PMK and pairwise transient key PTK…No

Question 53

Protected EAP, PEAP, provides an extra layer protection for EAP, what is that? Does PEAP require or support a certificate?

Answer 53

PEAP encapsulates and encrypt the EAP conversation in a TLS tunnel… PEAP requires a certificate on the server, but not on the clients

Question 54

EAP-FAST was designed by who? It supports what instead of certificates?

Answer 54

Cisco…Protected Access Credential PAC

Question 55

True or False EAP-TLS is one of the most secure EAP standards? And what is the primary difference between PEAP and EAP-TLS?

Answer 55

True…EAP-TLS require certificates on the 802.1X server and the clients (whereas PEAP only requires a certificate on the server)

Question 56

What is EAP – TTLS? And does it require certificates?

Answer 56

An extension of EAP-TLS allowing Systems to use older authentication methods within a TLS tunnel… it requires a certificate on the 802.1X server but not the clients

Question 57

Enterprise mode always requires a what?

Answer 57

An 802.1X server

Question 58

Which EAP protocol REQUIRES NO CERTIFICATES? WHICH EAP PROTOCOL REQUIRES A CERTIFICATE ON THE 802.1X SERVER ONLY? AND WHICH EAP PROTOCOL REQUIRES CERTIFICATES ON BOTH THE 802.1 X SERVER AND EACH OF THE CLIENTS?

Answer 58

EAP – FAST…PEAP and EAP-TTLS…EAP-TLS

Question 59

What does an 802.1X server provide that insures only authorized clients can connect to a device or network? And what does it prevent from connecting?

Answer 59

Port based authentication… rogue devices

Question 60

What is a technical solution that forces clients using web browsers to complete a specific process for allowing them access to the network? What is an example of this? What is this an alternative to?

Answer 60

Captive portal… a hospitals access to the Internet which forces users to agree to the terms before they can use their Wi-Fi… an 802.1x server/solution

Question 61

Which attack effectively removes a wireless client from a wireless network?

Answer 61

A disassociation attack

Question 62

What allows users to configure a wireless device by entering an eight digit pin and or pressing buttons on the device? And what attack is it vulnerable to? And what is the recommendation by security experts with regards to this?

Answer 62

WPS…brute force…disable it on all devices

Question 63

What is an access point placed with a network without official authorization called?

Answer 63

A rogue access point

Question 64

What is the unauthorized transfer of data from an organization to a location controlled by an attacker?

Answer 64

DATA exfiltration

Question 65

What is a rogue access point with the same or similar SSID as a legitimate access point called? What is an example of this?

Answer 65

An evil twin… Any place that provides free Wi-Fi can be susceptible to this kind of attack

Question 66

What can administrators use to detect rogue access points, including evil twins?

Answer 66

Wireless scanners

Question 67

What kind of attack can transmit noise or another radio signal on the same frequency used by wireless network? And what does it do to users?

Answer 67

A jamming attack… it will prevent users from connecting to the wireless network

Question 68

What are three attacks associated with an RFID?

Answer 68

Sniffing or eavesdropping… RFID cloning… A denial of service

Question 69

What is the unauthorized sending of text messages to a nearby Bluetooth device called?

Answer 69

Blue jacking

Question 70

What is the unauthorized access to or theft of information from a Bluetooth device called?

Answer 70

Blue snarfing

Question 71

Combined with blue snarfing, when an attacker installs a back door what is that called?

Answer 71

Blue bugging

Question 72

What prevents Bluetooth attacks?

Answer 72

Ensuring devices cannot be paired without manual intervention and placing them in a Faraday cage

Question 73

True or false WPA2 and WPA3 are susceptible to replay attacks

Answer 73

False, they are resistant

Question 74

Administrators use what techniques as part of a wireless audit? And what can be detected in these audits?

Answer 74

War driving… rogue access points, and unauthorized users

Question 75

What allows users to access private networks via a public network?

Answer 75

A VPN

Question 76

What is a dedicated device used for VPN that includes all the services to create a secure VPN supporting many clients?

Answer 76

VPN concentrator

Question 77

Where is a VPN concentrator typically placed in a network?

Answer 77

In the screened subnet

Question 78

What are the two modes for IP sec? What is the difference between the two?

Answer 78

Tunnel and transport… tunnel mode is used for VPN traffic and encrypts the entire packet, including the payload and the headers which include IP and MAC addresses. transport mode only encrypt the payload and is commonly used in private networks

Question 79

What is ESP? And what does it provide? And what’s its IP protocol number?

Answer 79

Encapsulating security payload… confidentiality, authentication, and integrity… 50

Question 80

Other than IP sec, what other protocol is a tunneling protocol? What is an advantage of using this protocol?

Answer 80

TLS… it uses port 443 which means the administrator most likely doesn’t have to open an additional port. It also is useful when the VPN tunnel must go through a device using NAT and IP sec is not feasible.

Question 81

What does IP sec use to authenticate clients?

Answer 81

Internet key exchange IKE over port 500

Question 82

What is the difference between a split tunnel, VPN and full tunnel VPN?

Answer 82

A full tunnel encrypt all traffic after a user has connected to a VPN while a split tunnel only encrypt traffic destined for the VPN private network

Question 83

Which VPN includes two VPN servers that act as gateways for two geographically separated networks, its main benefit is that it connects both networks without requiring additional steps on the part of the users

Answer 83

Site to Site

Question 84

What type of VPN maintains the VPN connection at all times?

Answer 84

Always on

Question 85

What is another tunneling protocol used for VPNs that does not provide encryption but instead data is encrypted with another protocol? And what is the latest version?

Answer 85

L2TP, L2TPv3

Question 86

This includes methods to inspect clients for health, such as having up-to-date antivirus software, and can restrict access of unhealthy clients to immediate to a remediation network, this can also be used for VPN clients and internal clients?

Answer 86

Network access control NAC

Question 87

What do NAC Systems use to inspect NAC clients?

Answer 87

Authentication agents, or sometimes called health agents

Question 88

What happens if a client does not meet the health conditions mandated by the NAC server?

Answer 88

The client will be directed to the remediation network, which includes resources for the client to get healthy

Question 89

True or false NAC can only inspect the health of VPN clients?

Answer 89

False… it can also be used to inspect the health of internal clients

Question 90

This type of NAC agent is installed on the client and stays on the client?

Answer 90

A permanent or persistent agent

Question 91

This type of NAC agent is downloaded and runs on the client when the client logs on remotely and then is removed after it’s use?

Answer 91

Agentless NAC also known as a dissolvable agent

Question 92

This form of VPN authentication uses a password and sends it across a network in clear text ? And what attacks is it susceptible to?

Answer 92

Password authentication protocol PAP… sniffing attacks

Question 93

This VPN authentication method is more secure than PAP because it does not send passwords over the network and clear text?

Answer 93

Challenge handshake authentication protocol CHAP

Question 94

What is a centralized authentication service that can also be used for VPN authentication? By default what does this service do with encryption?

Answer 94

Remote authentication dial in user service RADIUS… it encrypts only the password by default

Question 95

This authentication alternative to RADIUS PROVIDES TWO ESSENTIAL SECURITY BENEFITS OVER IT…WHAT IS THIS AND WHAT ARE THE TWO BENEFITS?

Answer 95

Terminal access controller access control system plus TACACS+… It encrypts the entire authentication process and it uses multiple challenges and responses between the client and the server