CH04 Security Applications and Devices Flashcards

1
Q

You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server’s BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again?

a. Install an anti-malware application
b. Install a host-based IDS
c. Utilize secure boot
d. Utilize file integrity monitoring

A

c. Utilize secure boot

Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used.

2
Q

Your company recently suffered a small data breach that was caused by an employee emailing themselves a copy of the current customers’ names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data?

a. Firewall
b. MDM
c. DLP
d. Strong passwords

A

c. DLP

Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in transit (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

3
Q

You are trying to select the best device to install in order to detect an outside attacker who is trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?

a. Proxy server
b. Authentication server
c. IPS
d. IDS

A

d. IDS

An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can take action to stop malicious activity or policy violations, an IDS can only log these issues and not stop them.

4
Q

You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select?

a. IPS
b. Proxy server
c. Syslog server
d. IDS

A

a. IPS

OBJ-3.3: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log it. A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. System Logging Protocol (Syslog) uses port 514 and is a way network devices can use a standard message format to communicate with a logging server. It was designed specifically to make it easy to monitor network devices. Devices can use a Syslog agent to send out notification messages under a wide range of specific conditions.

5
Q

You are reviewing a rule within your organization’s IDS. You see the following output:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; \
    flow:to_client,established; \
    file_data; \
    content:"recordset"; offset:14; depth:9; \
    content:".CacheSize"; distance:0; within:100; \
    pcre:"/CacheSize\s*=\s/"; \
    byte_test:10,>,0x3ffffffe,0,relative,string; \
    metadata:policy max-detect-ips drop, service http; \
    reference:cve,2016-8077; \
    classtype:attempted-user; \
    sid:65535; rev:1; \
)

Based on this rule, which of the following malicious packets would this IDS alert on?

a. Any malicious outbound packets
b. A malicious outbound TCP packet
c. A malicious inbound TCP packet
d. Any malicious inbound packets

A

c. A malicious inbound TCP packet

OBJ-4.3: The rule header is set to alert only on TCP packets based on this IDS rule’s first line. The flow condition is set as “to_client, established,” which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port to be analyzed, and the direction of flow.
