Chapter 17 Preventing and Responding to Incidents Flashcards
Any event that has a negative effect on the confidentiality, integrity, or availability of an organization’s assets is called what?
An incident
The result of an attack, or the result of malicious or intentional actions on the part of users, is called what?
computer security incident
What are the five steps involved in managing incident response?
1. Detection, 2. Response, 3. Mitigation, 4. Reporting, 5. Recovery, 6. Remediation, 7. Lessons Learned
What type of attack doesn’t attack the victim directly, but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources?
distributed reflective denial-of-service (DRDoS) attack
What type of attack disrupts the standard three-way handshake used by TCP to initiate communication sessions?
SYN flood attack
What is a method of blocking a SYN flood attack?
Reduce the amount of time a server will wait for an ACK, using SYN cookies.
What type of attack is a spoofed broadcast ping request using the IP address of the victim as the source IP address?
smurf attack
What type of attack floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of with TCP SYN packets?
smurf attack
In what type of attack does the attacker send the echo request out as a broadcast to all systems on the network and spoof the source IP address?
smurf attack
Which standard changed the default for routers so that they do not forward directed broadcast traffic?
RFC 2644
What attack broadcasts a UDP packet using the spoofed IP address of the victim?
Fraggle attacks
What type of attack employs an oversized ping packet?
ping-of-death attack
In what type of attack does an attacker fragment traffic in such a way that a system is unable to put data packets back together?
teardrop attack
In what type of attack does the attacker send spoofed SYN packets to a victim using the victim’s IP address as both the source and destination IP address?
land attack
What method of detection uses a database of known attacks developed by the IDS vendor?
Knowledge-based Detection
What type of response can modify the environment by modifying ACLs to block traffic based on ports, protocols, and source addresses, and even disable all communications over specific cable segments?
a) Passive Response
b) Active Response
Active Response
An IDS that uses an active response is sometimes referred to as _______.
IPS
What type of IDS monitors specific application traffic between two or more servers?
application-based IDS
Which are more costly to manage, HIDS or NIDS?
HIDS
Can a NIDS monitor the content of encrypted traffic?
No
What is an intrusion prevention system (IPS)?
a special type of active IDS that attempts to detect and block attacks before they reach target systems.
A portion of allocated IP addresses within a network that are not used is called what?
darknet
_________ are individual computers created as a trap for intruders.
Honeypots
__________ are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers.
Pseudo flaws
A _________ is a simulated environment that offers fake data to retain an intruder’s interest, similar to a honeypot.
padded cell
_______ logs commonly log key packet information such as source and destination IP addresses, and source and destination ports, but not the actual contents of the packets.
Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs
Firewall Logs
_________ can also be helpful as part of a disaster recovery program.
Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs
Change Logs
________ include the ability to record details such as what sites specific users visit and how much time they spend on these sites. They can also record when users attempt to visit known prohibited sites.
Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs
Proxy Logs
_______ can record when a user accessed, modified, or deleted a file.
Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs
Security Logs
_______ record information for specific programs.
Security Logs System Logs Application Logs Firewall Logs Proxy Logs Change Logs
Application Logs
________ detect when systems reboot, or when services stop and can help administrators discover potentially malicious activity.
System Logs
______ is a centralized application to automate monitoring of systems on a network.
Security Information and Event Management (SIEM)
__________ provide a record of system activity and can reconstruct activity leading up to and during security events.
Audit trails
___________ uses precise mathematical functions to extract meaningful information from a very large volume of data.
Sampling, or data extraction,
_____ selects only events that exceed a predefined threshold for the event.
Clipping
____ are forms of monitoring that examine the flow of packets rather than actual packet contents.
Traffic analysis and trend analysis
______ refers to monitoring outgoing traffic to prevent data exfiltration, which is the unauthorized transfer of data outside the organization.
Egress monitoring
Which of the Incident Response Steps includes:
personnel look at the incident and attempt to identify what allowed it to occur, and then implement methods to prevent it from happening again.
Root Cause Analysis
Detection Response Mitigation Reporting Recovery Remediation Lessons Learned
Remediation
Which of the Incident Response Steps includes:
investigating an event and determining it is a security incident
Detection Response Mitigation Reporting Recovery Remediation Lessons Learned
Detection
Which of the Incident Response Steps includes:
personnel look for any areas where they can improve their response. The output of this stage can be fed back to the detection stage of incident management.
Detection Response Mitigation Reporting Recovery Remediation Lessons Learned
Lessons Learned
Which of the Incident Response Steps includes:
In the United States, this may mean notifying the Federal Bureau of Investigation (FBI), district attorney offices, and/or state and local law enforcement agencies. In Europe, organizations may report the incident to the International Criminal Police Organization (INTERPOL) or some other entity based on the incident and their location.
Detection Response Mitigation Reporting Recovery Remediation Lessons Learned
Reporting
Which of the Incident Response Steps includes:
attempts to contain an incident. One of the primary goals is to limit the effect or scope of an incident.
Detection Response Mitigation Reporting Recovery Remediation Lessons Learned
Mitigation
Which of the Incident Response Steps includes:
investigating the incident, assessing the damage, collecting evidence, reporting the incident, and recovery procedures.
Detection Response Mitigation Reporting Recovery Remediation Lessons Learned
Response
Which of the Incident Response Steps includes:
may include rebuilding a system
Detection Response Mitigation Reporting Recovery Remediation Lessons Learned
Recovery
Sessions are normally terminated with either the FIN (finish) or the RST (reset) packet. Attackers can spoof the source IP address in a RST packet and disconnect active sessions. The two systems then need to reestablish the session. This is primarily a threat for systems that need persistent sessions to maintain data with other systems. When the session is reestablished, they need to re-create the data, so it’s much more than just sending three packets back and forth to establish the session.
TCP Reset Attack
A fraggle attack uses UDP packets over UDP ports _ and _.
7 & 19
Which attack includes systematically dialing phone numbers and listening for computer carrier tones?
War Dialing
_____________ (also called signature-based detection or pattern-matching detection) uses a database of known attacks developed by the IDS vendor. Real-time traffic is matched against the database, and if the IDS finds a match, it raises an alert.
Behavior-based Detection
Knowledge-based Detection
Knowledge-based Detection
_____________ (also called statistical intrusion detection, anomaly detection, and heuristics-based detection) starts by creating a baseline of normal activities and events on the system. Once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event.
Behavior-based Detection
Knowledge-based Detection
Behavior-based Detection