Chapter 17 Preventing and Responding to Incidents Flashcards

1
Q

Any event that has a negative effect on the confidentiality, integrity, or availability of an organization’s assets is called what?

A

An incident

2
Q

The result of an attack, or the result of malicious or intentional actions on the part of users, is called what?

A

computer security incident

3
Q

What are the five steps involved in managing incident response?

A

1. Detection
2. Response
3. Mitigation
4. Reporting
5. Recovery
6. Remediation
7. Lessons Learned

4
Q

What type of attack doesn’t attack the victim directly, but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources?

A

distributed reflective denial-of-service (DRDoS) attack

5
Q

What type of attack disrupts the standard three-way handshake used by TCP to initiate communication sessions?

A

SYN flood attack

6
Q

What is a method of blocking a SYN flood attack?

A

Reduce the amount of time a server will wait for an ACK, or use SYN cookies.

7
Q

What type of attack is a spoofed broadcast ping request using the IP address of the victim as the source IP address?

A

smurf attack

8
Q

What type of attack floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets?

A

smurf attack

9
Q

In what type of attack does the attacker send the echo request out as a broadcast to all systems on the network and spoof the source IP address?

A

smurf attack

10
Q

What standard changed the default for routers so that they do not forward directed broadcast traffic?

A

RFC 2644

11
Q

What attack will broadcast a UDP packet using the spoofed IP address of the victim?

A

Fraggle attacks

12
Q

What type of attack employs an oversized ping packet?

A

ping-of-death attack

13
Q

In what type of attack does an attacker fragment traffic in such a way that a system is unable to put data packets back together?

A

teardrop attack

14
Q

In what type of attack does the attacker send spoofed SYN packets to a victim using the victim’s IP address as both the source and destination IP address?

A

land attack

15
Q

What method of detection uses a database of known attacks developed by the IDS vendor?

A

Knowledge-based Detection

16
Q

What type of response can modify the environment by modifying ACLs to block traffic based on ports, protocols, and source addresses, and even disabling all communications over specific cable segments?

a) Passive Response
b) Active Response

A

Active Response

17
Q

An IDS that uses an active response is sometimes referred to as _______.

A

IPS

18
Q

What type of IDS monitors specific application traffic between two or more servers?

A

application-based IDS

19
Q

Which are more costly to manage, HIDS or NIDS?

A

HIDS

20
Q

Can a NIDS monitor the content of encrypted traffic?

A

No

21
Q

What is an intrusion prevention system (IPS)?

A

a special type of active IDS that attempts to detect and block attacks before they reach target systems.

22
Q

A portion of allocated IP addresses within a network that are not used is called what?

23
Q

_________ are individual computers created as a trap for intruders.

24
Q

__________ are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers.

A

Pseudo flaws

25
Q

A _________ is a simulated environment that offers fake data to retain an intruder’s interest, similar to a honeypot.

A

padded cell

26
Q

_______ logs commonly log key packet information such as source and destination IP addresses, and source and destination ports, but not the actual contents of the packets.

a) Security Logs
b) System Logs
c) Application Logs
d) Firewall Logs
e) Proxy Logs
f) Change Logs

A

Firewall Logs

27
Q

_________ can also be helpful as part of a disaster recovery program.

a) Security Logs
b) System Logs
c) Application Logs
d) Firewall Logs
e) Proxy Logs
f) Change Logs

A

Change Logs

28
Q

________ include the ability to record details such as what sites specific users visit and how much time they spend on these sites. They can also record when users attempt to visit known prohibited sites.

a) Security Logs
b) System Logs
c) Application Logs
d) Firewall Logs
e) Proxy Logs
f) Change Logs

A

Proxy Logs

29
Q

_______ can record when a user accessed, modified, or deleted a file.

a) Security Logs
b) System Logs
c) Application Logs
d) Firewall Logs
e) Proxy Logs
f) Change Logs

A

Security Logs

30
Q

_______ record information for specific programs.

a) Security Logs
b) System Logs
c) Application Logs
d) Firewall Logs
e) Proxy Logs
f) Change Logs

A

Application Logs

32
Q

________ detect when systems reboot or when services stop, and can help administrators discover potentially malicious activity.

A

System Logs

33
Q

______ is a centralized application to automate monitoring of systems on a network.

A

Security Information and Event Management (SIEM)

34
Q

__________ provide a record of system activity and can reconstruct activity leading up to and during security events.

A

Audit trails

35
Q

___________ uses precise mathematical functions to extract meaningful information from a very large volume of data.

A

Sampling, or data extraction

36
Q

_____ selects only events that exceed a predefined threshold for the event.

A

Clipping

37
Q

____ are forms of monitoring that examine the flow of packets rather than actual packet contents.

A

Traffic analysis and trend analysis

38
Q

______ refers to monitoring outgoing traffic to prevent data exfiltration, which is the unauthorized transfer of data outside the organization.

A

Egress monitoring

39
Q

Which of the incident response steps includes the following: personnel look at the incident and attempt to identify what allowed it to occur, and then implement methods to prevent it from happening again (root cause analysis)?

a) Detection
b) Response
c) Mitigation
d) Reporting
e) Recovery
f) Remediation
g) Lessons Learned

A

Remediation

40
Q

Which of the incident response steps includes the following: investigating an event and determining that it is a security incident?

a) Detection
b) Response
c) Mitigation
d) Reporting
e) Recovery
f) Remediation
g) Lessons Learned

A

Detection

41
Q

Which of the incident response steps includes the following: personnel look for any areas where they can improve their response. The output of this stage can be fed back to the detection stage of incident management.

a) Detection
b) Response
c) Mitigation
d) Reporting
e) Recovery
f) Remediation
g) Lessons Learned

A

Lessons Learned

42
Q

Which of the incident response steps includes the following: in the United States, this may mean notifying the Federal Bureau of Investigation (FBI), district attorney offices, and/or state and local law enforcement agencies. In Europe, organizations may report the incident to the International Criminal Police Organization (INTERPOL) or some other entity based on the incident and their location.

a) Detection
b) Response
c) Mitigation
d) Reporting
e) Recovery
f) Remediation
g) Lessons Learned

A

Reporting

43
Q

Which of the incident response steps includes the following: attempts to contain an incident. One of the primary goals is to limit the effect or scope of an incident.

a) Detection
b) Response
c) Mitigation
d) Reporting
e) Recovery
f) Remediation
g) Lessons Learned

A

Mitigation

44
Q

Which of the incident response steps includes the following: investigating the incident, assessing the damage, collecting evidence, reporting the incident, and recovery procedures?

a) Detection
b) Response
c) Mitigation
d) Reporting
e) Recovery
f) Remediation
g) Lessons Learned

A

Response

45
Q

Which of the incident response steps may include rebuilding a system?

a) Detection
b) Response
c) Mitigation
d) Reporting
e) Recovery
f) Remediation
g) Lessons Learned

A

Recovery

46
Q

Sessions are normally terminated with either the FIN (finish) or the RST (reset) packet. Attackers can spoof the source IP address in a RST packet and disconnect active sessions. The two systems then need to reestablish the session. This is primarily a threat for systems that need persistent sessions to maintain data with other systems. When the session is reestablished, they need to re-create the data, so it’s much more than just sending three packets back and forth to establish the session.

A

TCP Reset Attack

47
Q

A fraggle attack uses UDP packets over UDP ports _ and _.

A

7 & 19

48
Q

Which attack includes systematically dialing phone numbers and listening for computer carrier tones?

A

War Dialing

49
Q

_________ (also called signature-based detection or pattern-matching detection) uses a database of known attacks developed by the IDS vendor. Real-time traffic is matched against the database, and if the IDS finds a match, it raises an alert.

a) Behavior-based Detection
b) Knowledge-based Detection

A

Knowledge-based Detection

50
Q

_________ (also called statistical intrusion detection, anomaly detection, and heuristics-based detection) starts by creating a baseline of normal activities and events on the system. Once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event.

a) Behavior-based Detection
b) Knowledge-based Detection

A

Behavior-based Detection