Chapter 10

Question 1

Two ways to protect malware (and their advantages and disadvantages):

Answer 1

1) signature-based

Advantage: Accuracy is really high.

Disadvantage: You will miss new attacks, they can easily pass checking.

2) anomaly-based

compares against baseline traffic on network

Advantage: Accomodates new types of attacks

Disadvantage: “operation i usually see is different”
May generate false positive

Question 2

Where to focus for Network Security (4 points)?

Answer 2

• Protecting networks
• Protecting network traffic
• Mobile device security
• Network security tools

Question 3

A well-configured and patched network is the _______ of any security program

Answer 3

foundation

Question 4

What is Network segmentation?

Answer 4

• Divide a network into multiple smaller independent networks, called a subnet

Question 5

How can we control the flow of traffic between subnets?

Answer 5

o Allowing or disallowing traffic

o Blocking the traffic entirely

Question 6

We can control traffic flow within the subnet for _______ purposes

Answer 6

troubleshooting

Question 7

True or False: Traffic monitoring is easier in subnets

Answer 7

True

Question 8

Why do we funnel Network Traffic through choke points?

Answer 8

to inspect, filter, and control the traffic

Question 9

What are Choke points?

Answer 9

o Routers that move traffic from one subnet to another

o Firewalls or proxies that control traffic moving within, into, or out of our networks or portions of our networks

o Application proxies that filter the traffic for particular applications such as Web or e-mail traffic

Question 10

Choke points come with some risk because if they ____ the network is _______

Answer 10

fail

compromised

“Choke points come with some risk because if they fail the network is compromised”

Question 11

Redundancy helps to…

Answer 11

mitigate risk to our networks

Question 12

Technical issues or attacks may impact network _______ devices; hence, network operations.

Answer 12

infrastructure

Question 13

Good network design considers planned ________ for devices failing, connectivity loss etc.

Answer 13

redundancy

Question 14

Give an example of planning for redundancy:

Answer 14

In the even of a DDoS attack to a border device:

oRedundancy will allow us switch to a different connection to the Internet, or toute traffic through a different device until we solve current issue

Question 15

What is a firewall?

Answer 15

A mechanism for maintaining control over the traffic that flows into and out of our network

Question 16

Where should we place firewalls, typically?

Answer 16

• Typically on the border between our internal network and the Internet
• Can also be placed within our network for access control

Question 17

What should we filter with firewalls?

Answer 17

Based on a variety of factors and largely depends on the complexity of the firewall

• Example: we may allow Web and e-mail traffic to pass, but block everything else

Question 18

What is Packet Filtering?

Answer 18

• Inspecting contents of each packet individually to make a decision
• Based on the source and destination IP addresses, the port number, and the protocol being used

Question 19

_____ _______ is one of the oldest and simplest of firewall technologies

Answer 19

Packet Filtering

Question 20

Which firewall has the disadvantage that “it is possible to slip attacks through this type of firewall as packets are inspected individually”

Answer 20

Packet Filtering

Question 21

What is the function of a Stateful Firewall?

Answer 21

Same working principle as in packet filtering, but a Stateful Firewall keeps track of the traffic at a granular level

Question 22

A stateful firewall is able to watch the traffic over a ____ _______.

Answer 22

given connection

Question 23

The connection state, as monitored by a stateful firewall, is maintained in a ____ ____.

Answer 23

state table

Question 24

A given connection is defined by:

Answer 24

the source and destination IP addresses, the ports being used, and the already existing network traffic

Question 25

True or False? A stateful firewall allows traffic that is part of a new or already established connection.

Answer 25

True

Question 26

Difference between stateful firewall and packet inspection?

Answer 26

Stateful firewall assesses an entire connection while packet inspection is about inspecting individual packets

Best security policy is to put these two together

Question 27

Most stateful firewalls can also function as a _____ ______ firewall, often combining the two forms of filtering.

Answer 27

packet filtering

Question 28

A stateful firewall that also has a packet filtering component can do the following (2 objectives):

Answer 28

• Can identify and track the traffic related to a particular user initiated connection to a Web site
• Knows when the connection has been closed and further traffic should not legitimately be present

Question 29

Example of a scanning tool?

Answer 29

Nmap

Question 30

True or False: Packet filtering and stateful firewalls only inspect the structure of packets without inspecting the content.

Answer 30

True

Question 31

______ adds extra layer of intelligence to firewalls through packet-content inspection.

Answer 31

Deep Packet Inspection

Question 32

Deep Packet Inspection can block a large number of attacks at the price of ____.

Answer 32

delay

Question 33

Deep Packet Inspection introduces ______ issue as content of our packets are inspected.

Answer 33

privacy

Question 34

Proxy servers are…

Answer 34

A specialized variant of a firewall that can serve as a choke point

Question 35

Proxy servers offer these functionalities (2):

Answer 35

• Offer security and performance by filtering unwanted traffic
• Allow us to log the traffic that goes through them for later inspection

Question 36

What are some applications of proxy servers (3)?

Answer 36

Applications:

•Spam, Web traffic, and malware filtering

Question 37

True of False: Nmap is a very useful tool for both OS and network

Answer 37

True

Question 38

What is a Demilitarized Zone (DMZ) as it pertains to network security?

Answer 38

A combination of a network design feature and a protective device such as a firewall

Question 39

What are DMZs used for?

Answer 39

Used to offer security for mail servers, proxy servers, software as a service application, and Web servers

Question 40

Draw a diagram of a DMZ

Answer 40

https://i.imgur.com/oiFFYDN.png

Question 41

What does IDS stand for in network security?

Answer 41

Intrusion Detection Systems

Question 42

What is penetration testing?

Answer 42

Actively trying to break the system and analyze its level of security that way

Question 43

What does an Intrusion Detection System do?

Answer 43

monitors networks, hosts, or applications to which it is connected for unauthorized activity

Question 44

What are 3 types of IDS?

Answer 44

• Host-based intrusion detection systems (HIDSes)
• Application protocol-based intrusion detection systems (APIDSes)
• Network-based intrusion detection systems (NIDSes)

Question 45

What does NIDSes stand for?

Answer 45

Network-based intrusion detection systems

Question 46

What does APIDSes stand for?

Answer 46

Application protocol-based intrusion detection systems

Question 47

What does HIDSes stand for?

Answer 47

Host-based intrusion detection systems

Question 48

Placement of ______ important to efficiently monitor ongoing network traffic without overwhelming the _____.

Answer 48

NIDSes

Placement of NIDSes important to efficiently monitor ongoing network traffic without overwhelming the NIDSes.

Question 49

Draw a diagram of an IDS:

Answer 49

https://i.imgur.com/ureBoKc.png

Question 50

NIDSes may miss _____ _____ _____.

Answer 50

packet crafting attacks

Question 51

What are packet crafting attacks?

Answer 51

• specifically designed packets of traffic that carry attacks or malicious code
• designed to avoid detection by IDSes, firewalls, and other similar devices

Question 52

Common defense in-depth security program combine _____ and _____.

Answer 52

firewalls and IDSs

Question 53

What is the difference between Signature-based detection and Anomaly-based detection in an IDS? (diagram)

Answer 53

https://i.imgur.com/gIHZNre.png

Question 54

True of false: Signature-based detection does not work similar to most antivirus systems.

Answer 54

False: Signature-based detection does works similar to most antivirus systems.

Question 55

Signature-based detection maintains a database of _____ that signal a particular type of attack

It compares incoming traffic to those signatures.

Answer 55

signatures

Question 56

Signature-based detection is usually precise if the signature _______ is up-to-date

Answer 56

database

Question 57

True of False: Attackers may test crafted packets on the same IDS tools that we use to avoid our security measures

Answer 57

True

Question 58

Anomaly-based detection uses a ______ of normal traffic and activity on the network

Answer 58

baseline

Question 59

________-based detection measures the present state of traffic against this baseline

Answer 59

Anomaly

Question 60

True or False: Anomaly-based detection is useful to detect new attacks or attacks that have been deliberately assembled to avoid IDSes.

Answer 60

True

Question 61

What is a disadvantage of anomaly-based detection?

Answer 61

It has a high rate of false positives compared to the signature-based IDSes (if the traffic on the network changes from the baseline, anomaly-based detection may consider that as an attack)

Question 62

True or False: we can combine both detection anomaly-based and signature-based methods.

Answer 62

True

Question 63

When data travel across networks it can be exposed to _____ people. (If we use applications or protocols that do not encrypt what they are sending over the network)

Answer 63

unwanted

Question 64

A ______ network is more prone to attack.

Answer 64

Wireless

An open wireless network for public access does not offer any encryption.

Question 65

How can we ensure protection over wireless networks?

Answer 65

Deploy VPNs

Question 66

Virtual private networks allow us to…

Answer 66

send sensitive traffic over unsecure networks

Question 67

True or False: VPNs can create a secure connection to the private network of an organization

Answer 67

True

Question 68

Draw a diagram of a VPN:

Answer 68

https://i.imgur.com/RpH3CpA.png

Question 69

A VPN connection is called a ______.

Answer 69

tunnel (An encrypted connection between two end points)

Question 70

In one end of the connection there is a VPN _____ application and the other end hosts a VPN ______.

Answer 70

client

concentrator

In one end of the connection there is a VPN client application and the other end hosts a VPN concentrator.

Question 71

The client uses a software to authenticate to the VPN ______.

Answer 71

concentrator

Question 72

What are the advantages of VPN?

Answer 72

• Allow us access the internal resources of our organization
• Protect traffic that is sent over untrusted connections
• Allowing us to protect the contents of traffic

o from logging by our ISPs or being sniffed by others on the same network, to obscure our geographical location and bypass location oriented blocking

•Useful in peer-to-peer (P2P) file-sharing services

o VPNs can allow both the traffic and the actual IP addresses to remain hidden

Question 73

What is a Rogue access point (RAP)?

Answer 73

placing an access point on our wireless network without authorization

Question 74

True or False: If a RAP is set up with poor or no security, it will allow anyone within range of the access point access our network.

Answer 74

True

Question 75

How can we Avoid Rogue access points (RAPs)?

Answer 75

Carefully document the legitimate devices that are part of our wireless network infrastructure and regularly scan for additional devices using wireless scanning tool

Question 76

How can we protect traffic passing through the legitimate devices in our network?

Answer 76

Data encryption

Question 77

The most common encryption for 802.11 devices

are (3):

Answer 77

o Wired Equivalent Privacy (WEP)
o Wi-Fi Protected Access (WPA), and
o Wi-Fi Protected Access version 2 (WPA2)

Question 78

____ is the most current encryption and offers the strongest inherent security.

Answer 78

WPA2

Question 79

File Transfer Protocol (FTP) is for ______ ____.

Answer 79

transferring file

Question 80

_____ is for interacting with remote machines.

Answer 80

Telnet

Question 81

Post Office Protocol (POP) for _____ ___.

Answer 81

retrieving e-mail

Question 82

True or False: We must use Secure Shell (SSH) instead of Telnet.

Answer 82

True

Question 83

We must use _______________ instead of FTP, which is also SSH based.

Answer 83

Secure File Transfer Protocol (SFTP)

Question 84

SSH supports many types of traffic over it such as (3 items):

Answer 84

o It can be used for file transfers and terminal access
o when connecting to a remote desktop
o communicating over a VPN

Question 85

The encryption used by SSH is ____, a public key encryption algorithm

Answer 85

RSA

Question 86

What is RSA?

Answer 86

a public key encryption algorithm

Question 87

What is a mobile device?

Answer 87

Any device that can access external systems or be acceded while not behind the organizations’ security infrastructure
o Smartphones, tablets, smartwatches, USB, laptops, etc

Question 88

What are Applications of a mobile device?

Answer 88

Send and receive e-mail, surf the web, manipulate documents, play videos, listen to music, play games, etc.

Question 89

What are some characteristics of a mobile device?

Answer 89

o Powerful hardware resources and capabilities
o Connected to a network of some variety at all times
o They move in and out of environments with regularity
o Store and transmit data without notice
o May or may not be compliant with basic security measures

Question 90

What do we want to manage for mobile devices?

Answer 90

oPatching and software upgrades
oForce changing of passwords at some interval
oRegulate and track installed software
oAdjust settings to a standard dictated by our policies

Question 91

An MDM solution mostly utilize an agent on the mobile device to enforce a certain configuration. These agents…

Answer 91

o Regulate access to enterprise resources, such as e-mail, calendaring, or network resources
o Can discontinue access by the client

Question 92

Many MDM solutions enable the device to be remotely ____ or disabled.

Answer 92

wiped

Question 93

In order to reduce load on administrative resources and enable a greater uniformity across devices…

Answer 93

we can try to manage both mobile and nonmobile devices using the same tools and techniques

Question 94

BYOD (Bring Your Own Device)

An organization’s strategy and policies regarding the use of personal versus corporate devices either:

Answer 94

oAllow only corporate-owned devices to interact with enterprise resources
oAllow only personal devices
oAny combination in between

Question 95

Allow only Corporate-owned Devices

Enables more uniform and secure base of mobile devices for the organization to manage

Management and policies:

Answer 95

o We may disallow the use of personal e-mail and file-sharing applications
o Disable the capability of installing new applications that are not business related
o We can also force users to install updates and security patches, and change their password regularly

Question 96

Disadvantages of Allowing only Personal Devices:

Answer 96

•not easy to deploy a uniform and secure MDM

We can have a minimal control over personal devices
o For example, connecting them to a centralized mail server, such as Microsoft Exchange

•Good choice for a very small organization with minimal resources to administer a complex mobile infrastructure

Question 97

To enable a balance between cost and risk management

Answer 97

Allow Personal and Corporate-owned Devices

Question 98

We deploy penetration testing in a regular basis to…

Answer 98

o To catch up with the environmental changes

o To accommodate new attacks

Question 99

We can test security tools using a Security Live CD distributions that come with all of the tools preconfigured

Give an example.

Answer 99

For example: Kali

Question 100

To detect unauthorized devices like Rogue APs, some software we can use are (3 examples):

Answer 100

Kismet:
oRuns on Linux and can be found on the Kali distribution
oCommonly used to detect wireless APs

•NetStumbler:
oSimilar to Kismet; runs on Windows

•coWPAttyand Aircrack-NG
o To break through the different varieties of encryption
o Cracking WEP, WPA, and WPA2

Question 101

What are port scanners?

Answer 101

tools for discovering the networks and systems that are in our environment

Question 102

Two main categories of scanners:

Answer 102

o port scanners

o vulnerability scanners

Question 103

What is Network mapper (Nmap)?

Answer 103

o a port scanner
o can also search for hosts on a network
o Identify the operating systems those hosts are running
o detect the versions of the services running on open ports

Question 104

What are packet sniffers?

Answer 104

Tools that sniff network traffic

Question 105

What is Tcpdump?

Answer 105

o A command-line tool that allows us to monitor the activities of the network to which we are attached
o Can filter traffic
o Usually runs only on UNIX-like operating systems
o A version has been ported to Windows, called WinDum

Question 106

What is Wireshark?

Answer 106

o Capable of intercepting traffic from a wide variety of wired and wireless sources
o It includes a large number of filtering, sorting, and analysis tools
o Can also import data from other applications like Tcpdump
o Agreat tool for troubleshooting traffic on the networ

Question 107

_____ is a specialized wireless networks sniffer

Answer 107

Kismet

Question 108

_______ ______ ______ from Fluke Networks is a hardware packet sniffer

Answer 108

OptiViewPortable Network Analyzer

usually very expensive and well beyond the budget of the average network or security professional

Question 109

What is a honeypot?

Answer 109

A honeypot can detect, monitor, and sometimes tamper with the activities of an attacker

Question 110

Honeypots are configured to deliberately display ______ to attract an attacker

Answer 110

vulnerabilities

Question 111

Examples of honeypots (3):

Answer 111

o An intentionally vulnerable service
o An outdated and unpatched operating system
o A network share named “top secret UFO documents”

Question 112

We deploy honeypots to…

Answer 112

o To provide an early warning system for a corporation
o As a method of researching what methods attackers are using
o As an intentional target to monitor the activities of malware in the wild

Question 113

______ are collections of honeypots with varying configurations and vulnerabilities

Answer 113

Honeynets

Question 114

Honeynets generally come with some centralized instrumentation for ______ all the honeypots on the network

Answer 114

monitoring

Question 115

True or False: Honeynets can be particularly useful for large-scale monitoring of malware activity

Answer 115

True

Question 116

The firewall tool Hping3 can:

Answer 116

• Can construct specially crafted Internet Control Message Protocol (ICMP) packets for firewall testing

• We can also script the activities of Hping3 to test the responses of firewalls and IDSes
o To get an idea of the rules on which they are operating

• It can perform port scanning

Question 117

Network-focused business (eBay and Amazon) must…

Answer 117

o Must have rigid security measures in place

o Must continuously evaluate them in order to find weaknesses

Question 118

Secure network design involves:

Answer 118

• Segmentation, Choke points, and Redundancy

- Implement security devices such as firewalls and IDSes to protect us both inside and outside our networks

Question 119

We protect our traffic by…

Answer 119

o We use VPNs to secure our connections over untrusted networks
o We can use security measures specific to wireless networks
o We can make use of secure protocols as a general security measure

Question 120

We use security tools:

Answer 120

o Kismet or NetStumbler in wireless networks
o Wiresharkor Tcpdumpto network trafficoNmapto scan network devices
o hping3 to test firewalls

Question 121

We place honeypots:

Answer 121

o To attract and study attackers and their tools and to alert us to their presence

Question 122

The _____ of an IDS is import for efficient network monitoring

a. Features
b. Processing power
c. Placement
d. Memory

Answer 122

c.Placement

Question 123

An unauthorized Access Point in a wireless network is called a:

a. Sniffer
b. Rogue
c. Booster
d. None of the above

Answer 123

b.Rogue

Question 124

The most common protocol for wireless devices is

a. 802.16
b. 802.15
c. 802.11
d. 802.20

Answer 124

c.802.11

Question 125

Secure Shell (SSH) uses ______ encryption algorithm

a. DES
b. DES3
c. RSA
d. RSA3

Answer 125

c.RSA

Question 126

Nmap stands for

a. Nice map
b. Niche map
c. Network map
d. Network mapper

Answer 126

d.Network mapper

Question 127

What are the drawbacks of Network-based Intrusion Detection Systems?

Answer 127

Answer: NIDSes may miss to detect packet crafting attacks. They may suffer from false positive. They may not process encrypted packets.

Question 128

Compare and contrast signature-based and anomaly-based IDS detection methods?

Answer 128

Answer: Signature-based IDSes maintain a database of the signatures that might signal a particular type of attack and compare incoming traffic to those signatures. The problem is in case of a new type of attack it may fail to detect that attack. Anomaly-based IDSes typically work by taking a baseline of the normal traffic and activity taking place on the network. They can measure the present state of traffic on the network against
this baseline to detect attack. They are better to detect new attacks.

Question 129

What are the advantages of using VPNs?

Answer 129

Answer: VPNs offer a secure connection between two end points over an untrusted network. Also, they protect the content of traffic. VPNs are useful in peer-to-peer file sharing/