Ch 17 Flashcards
- Which of the following is the best response after detecting and verifying an incident?
A. Contain it
B. Report it
C. Remediate it
D. Gather evidence
Answer: A
Containment is the first step after detecting and verifying an incident. This limits the effect or scope of an incident. Organizations report the incident based on policies and governing laws, but this is not the first step. Remediation attempts to identify the cause of the incident and steps that can be taken to prevent a reoccurrence, but this is not the first step. It is important to protect evidence while trying to contain an incident, but gathering the evidence will occur after containment.
- Which of the following would security personnel do during the remediation stage of an incident response?
A. Contain the incident
B. Collect evidence
C. Rebuild system
D. Root cause analysis
Answer: D
Security personnel perform a root cause analysis during the remediation stage. A root cause analysis attempts to discover the source of the problem. After discovering the cause, the review will often identify a solution to help prevent a similar occurrence in the future. Containing the incident and collecting evidence are done early in the incident response process. Rebuilding a system may be needed during the recovery stage.
- Which of the following are denial-of-service attacks? (Choose three.)
A. Teardrop
B. Smurf
C. Ping of death
D. Spoofing
Answer: A;B;C
Teardrop, smurf, and ping of death are all types of DoS attacks. Attackers use spoofing to hide their identity in a variety of attacks, but spoofing is not an attack by itself.
- How does a SYN flood attack work?
A. Exploits a packet processing glitch in Windows systems
B. Uses an amplification network to flood a victim with packets
C. Disrupts the three-way handshake used by TCP
D. Sends oversized ping packets to a victim
Answer: C
A SYN flood attack disrupts the TCP three-way handshake process by never sending the third packet. It is not unique to any specific operating system such as Windows. Smurf attacks use amplification networks to flood a victim with packets. A ping-of-death attack uses oversized ping packets.
- A web server hosted on the Internet was recently attacked, exploiting a vulnerability in the operating system. The operating system vendor assisted in the incident investigation and verified the vulnerability was not previously known. What type of attack was this?
A. Botnet
B. Zero-day exploit
C. Denial-of-service
D. Distributed denial-of-service
Answer: B
A zero-day exploit takes advantage of a previously unknown vulnerability. A botnet is a group of computers controlled by a bot herder that can launch attacks, but they can exploit both known vulnerabilities and previously unknown vulnerabilities. Similarly, denial-of-service (DoS) and distributed DoS (DDoS) attacks could use zero-day exploits or use known methods.
- Of the following choices, which is the most common method of distributing malware?
A. Drive-by downloads
B. USB flash drives
C. Ransomware
D. Unapproved software
Answer: A
Of the choices offered, drive-by downloads are the most common distribution method for malware. USB flash drives can be used to distribute malware, but this method isn’t as common as drive-by downloads. Ransomware is a type of malware infection, not a method of distributing malware. If users are able to install unapproved software, they may inadvertently install malware, but this isn’t the most common method either.
- Of the following choices, what indicates the primary purpose of an intrusion detection system (IDS)?
A. Detect abnormal activity
B. Diagnose system failures
C. Rate system performance
D. Test a system for vulnerabilities
Answer: A
An IDS automates the inspection of audit logs and real-time system events to detect abnormal activity indicating unauthorized system access. Although IDSs can detect system failures and monitor system performance, they don’t include the ability to diagnose system failures or rate system performance. Vulnerability scanners are used to test systems for vulnerabilities.
- Which of the following is true for a host-based intrusion detection system (HIDS)?
A. It monitors an entire network.
B. It monitors a single system.
C. It’s invisible to attackers and authorized users.
D. It cannot detect malicious code.
Answer: B
An HIDS monitors a single system looking for abnormal activity. A network-based IDS (NIDS) watches for abnormal activity on a network. An HIDS is normally visible as a running process on a system and provides alerts to authorized users. An HIDS can detect malicious code similar to how anti-malware software can detect malicious code.
- Which of the following is a fake network designed to tempt intruders with unpatched and unprotected security vulnerabilities and false data?
A. IDS
B. Honeynet
C. Padded cell
D. Pseudo flaw
Answer: B
Honeypots are individual computers, and honeynets are entire networks created to serve as a trap for intruders. They look like legitimate networks and tempt intruders with unpatched and unprotected security vulnerabilities as well as attractive and tantalizing but false data. An intrusion detection system (IDS) will detect attacks. In some cases an IDS can divert an attacker to a padded cell, which is a simulated environment with fake data intended to keep the attacker’s interest. A pseudo flaw (used by many honeypots and honeynets) is a false vulnerability intentionally implanted in a system to tempt attackers.
- Of the following choices, what is the best form of anti-malware protection?
A. Multiple solutions on each system
B. A single solution throughout the organization
C. Anti-malware protection at several locations
D. One-hundred-percent content filtering at all border gateways
Answer: C
A multipronged approach provides the best solution. This involves having anti-malware software at several locations, such as at the boundary between the Internet and the internal network, at email servers, and on each system. More than one anti-malware application on a single system isn’t recommended. A single solution for the whole organization is often ineffective because malware can get into the network in more than one way. Content filtering at border gateways (boundary between the Internet and the internal network) is a good partial solution, but it won’t catch malware brought in through other methods.
- When using penetration testing to verify the strength of your security policy, which of the following is not recommended?
A. Mimicking attacks previously perpetrated against your system
B. Performing attacks without management knowledge
C. Using manual and automated attack tools
D. Reconfiguring the system to resolve any discovered vulnerabilities
Answer: B
Penetration testing should be performed only with the knowledge and consent of the management staff. Unapproved security testing could result in productivity loss, trigger emergency response teams, and lead to legal action against the tester, including loss of employment. A penetration test can mimic previous attacks and use both manual and automated attack methods. After a penetration test, a system may be reconfigured to resolve discovered vulnerabilities.
- What is used to keep subjects accountable for their actions while they are authenticated to a system?
A. Authentication
B. Monitoring
C. Account lockout
D. User entitlement reviews
Answer: B
Accountability is maintained by monitoring the activities of subjects and objects as well as core system functions that maintain the operating environment and the security mechanisms. Authentication is required for effective monitoring, but it doesn’t provide accountability by itself. Account lockout prevents login to an account if the wrong password is entered too many times. User entitlement reviews can identify excessive privileges.
- What type of a security control is an audit trail?
A. Administrative
B. Detective
C. Corrective
D. Physical
Answer: B
Audit trails are a passive form of detective security control. Administrative controls are management practices. Corrective controls can correct problems related to an incident, and physical controls are controls that you can physically touch.
- Which of the following options is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes?
A. Penetration testing
B. Auditing
C. Risk analysis
D. Entrapment
Answer: B
Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Penetration testing attempts to exploit vulnerabilities. Risk analysis attempts to analyze risks based on identified threats and vulnerabilities. Entrapment is tricking someone into performing an illegal or unauthorized action.
- What can be used to reduce the amount of logged or audited data using nonstatistical methods?
A. Clipping levels
B. Sampling
C. Log analysis
D. Alarm triggers
Answer: A
Clipping is a form of nonstatistical sampling that reduces the amount of logged data based on a clipping-level threshold. Sampling is a statistical method that extracts meaningful data from audit logs. Log analysis reviews log information looking for trends, patterns, and abnormal or unauthorized events. An alarm trigger is a notification sent to administrators when specific events or thresholds occur.