Chapter 17 Preventing and Responding to Incidents

Question 1

Any event that has a negative effect on the confidentiality, integrity, or availability of an organization’s assets is called what ?

Answer 1

An incident

Question 2

The result of an attack, or the result of malicious or intentional actions on the part of users is called what ?

Answer 2

computer security incident

Question 3

What are the five steps involved in managing incident response ?

Answer 3

1  Detection
2 Response
3 Mitigation 
4  Reporting 
5  Recovery
6 Remediation 
7  Lessons Learned

Question 4

What type of attack doesn’t attack the victim directly, but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources ?

Answer 4

distributed reflective denial-of-service (DRDoS) attack

Question 5

What type of attack disrupts the standard three-way handshake used by TCP to initiate communication sessions.

Answer 5

SYN flood attack

Question 6

What is a method of blocking SYN flood attack ?

Answer 6

Reduce the amount of time a server will wait for an ACK, using SYN cookies.

Question 7

What type of attack is a spoofed broadcast ping request using the IP address of the victim as the source IP address.

Answer 7

smurf attack

Question 8

What type of attack floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets ?

Answer 8

smurf attack

Question 9

In what type of attack does the attacker sends the echo request out as a broadcast to all systems on the
network and spoofs the source IP address ?

Answer 9

smurf attack

Question 10

What standard changed the standard

default for routers so that they do not forward directed broadcast traffic ?

Answer 10

RFC 2644

Question 11

What attack will broadcast a UDP

packet using the spoofed IP address of the victim ?

Answer 11

Fraggle attacks

Question 12

What type of attack employs an oversized ping packet ?

Answer 12

ping-of-death attack

Question 13

In what type of attack does an attacker fragments traffic in such a way that a system is unable to put data packets back together ?

Answer 13

teardrop attack

Question 14

In what type of attack does the attacker sends spoofed SYN packets to a victim using the victim’s IP address as both the source and destination IP address ?

Answer 14

land attack

Question 15

What method of detection uses a database of known attacks developed by the IDS vendor ?

Answer 15

Knowledge-based Detection

Question 16

What type of responses can modify the environment by modifying ACLs to block traffic based on ports, protocols, and source addresses, and even disabling all communications over specific cable segments ?

a) Passive Response
b) Active Response

Answer 16

Active Response

Question 17

An IDS that uses an active response is sometimes referred to as _______ .

Answer 17

IPS

Question 18

What type of IDS monitors specific application traffic between two or more servers ?

Answer 18

application-based IDS,

Question 19

Which are more costly to manage HIDS or NIDS ?

Answer 19

HIDS

Question 20

Can a NIDS monitor the content of encrypted traffic ?

Answer 20

No

Question 21

What is an intrusion prevention system (IPS) ?

Answer 21

a special type of active IDS that attempts to detect and block attacks before they reach target systems.

Question 22

a portion of allocated IP addresses within a network that are not used is called what ?

Answer 22

darknet

Question 23

_________ are individual computers created as a trap for intruders.

Answer 23

Honeypots

Question 24

__________ are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers.

Answer 24

Pseudo flaws

Question 25

A _________ is a simulated environment that offers fake data to retain an intruder’s interest, similar to a honeypot.

Answer 25

padded cell

Question 26

_______ logs commonly log key packet information such as source and destination IP addresses, and source and destination ports, but not the actual contents of the packets. ``` Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs ```

Answer 26

Firewall Logs

Question 27

``` _________ can also be helpful as part of a disaster recovery program. Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs ```

Answer 27

Change Logs

Question 28

________ include the ability to record details such as what sites specific users visit and how much time they spend on these sites. They can also record when users attempt to visit known prohibited sites. ``` Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs ```

Answer 28

Proxy Logs

Question 29

_______ can record when a user accessed, modified, or deleted a file ``` Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs ```

Answer 29

Security Logs

Question 30

_______ record information for specific programs. ``` Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs ```

Answer 30

Application Logs

Question 31

______ can also be helpful as part of a disaster recovery program. ``` Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs ```

Answer 31

Change Logs

Question 32

________ detect when systems reboot, or when services stop and can help administrators discover potentially malicious activity.

Answer 32

System Logs

Question 33

______ is a centralized application to automate monitoring of systems on a network.

Answer 33

Security Information | and Event Management (SIEM)

Question 34

__________ provide a record of system activity and can reconstruct activity leading up to and during security events

Answer 34

Audit trails

Question 35

___________ uses precise mathematical functions to extract meaningful information from a very large volume of data.

Answer 35

Sampling, or data extraction,

Question 36

_____ selects only events that exceed a predefined threshold for the event.

Answer 36

Clipping

Question 37

____ are forms | of monitoring that examine the flow of packets rather than actual packet contents.

Answer 37

Traffic analysis and trend analysis

Question 38

______ refers to monitoring outgoing traffic to prevent data exfiltration, which is the unauthorized transfer of data outside the organization.

Answer 38

Egress monitoring

Question 39

Which of the Incident Response Steps includes : personnel look at the incident and attempt to identify what allowed it to occur, and then implement methods to prevent it from happening again. Root Cause Analysis ``` Detection Response Mitigation Reporting Recovery Remediation Lessons Learned ```

Answer 39

Remediation

Question 40

Which of the Incident Response Steps includes : investigating an event and determining it is a security incident ``` Detection Response Mitigation Reporting Recovery Remediation Lessons Learned ```

Answer 40

Detection

Question 41

Which of the Incident Response Steps includes : personnel look for any areas where they can improve their response. the output of this stage can be fed back to the detection stage of incident management. ``` Detection Response Mitigation Reporting Recovery Remediation Lessons Learned ```

Answer 41

Lessons Learned

Question 42

Which of the Incident Response Steps includes : In the United States, this may mean notifying the Federal Bureau of Investigations (FBI), district attorney offices, and/or state and local law enforcement agencies. In Europe, organizations may report the incident to the International Criminal Police Organization (INTERPOL) or some other entity based on the incident and their location. ``` Detection Response Mitigation Reporting Recovery Remediation Lessons Learned ```

Answer 42

Reporting

Question 43

Which of the Incident Response Steps includes : attempts to contain an incident. One of the primary goals is to limit the effect or scope of an incident. ``` Detection Response Mitigation Reporting Recovery Remediation Lessons Learned ```

Answer 43

Mitigation

Question 44

Which of the Incident Response Steps includes : investigating the incident, assessing the damage, collecting evidence, reporting the incident, and recovery procedures. ``` Detection Response Mitigation Reporting Recovery Remediation Lessons Learned ```

Answer 44

Response

Question 45

Which of the Incident Response Steps includes : may include rebuilding a system ``` Detection Response Mitigation Reporting Recovery Remediation Lessons Learned ```

Answer 45

Recovery

Question 46

Sessions are normally terminated with either the FIN (finish) or the RST (reset) packet. Attackers can spoof the source IP address in a RST packet and disconnect active sessions. The two systems then need to reestablish the session. This is primarily a threat for systems that need persistent sessions to maintain data with other systems. When the session is reestablished, they need to re-create the data so it’s much more than just sending three packets back and forth to establish the session.

Answer 46

TCP Reset Attack

Question 47

A fraggle attack uses UDP packets over UDP ports _ and _ .

Answer 47

7 & 19

Question 48

Which attack includes systematically dialing phone numbers and listen for computer carrier tones.

Answer 48

War Dialing

Question 49

(also called signature-based detection or pattern-matching detection), uses a database of known attacks developed by the IDS vendor. Real-time traffic is matched against the database, and if the IDS finds a match, it raises an alert. Behavior-based Detection Knowledge-based Detection

Answer 49

Knowledge-based Detection

Question 50

(also called statistical intrusion detection, anomaly detection, and heuristics-based detection), starts by creating a baseline of normal activities and events on the system. Once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event. Behavior-based Detection Knowledge-based Detection

Answer 50

Behavior-based Detection