Chapter 4

Question 1

What do IDSs do?

Answer 1

IDSs monitor a network and send alerts when they detect suspicious events

Question 2

What do IPSs do?

Answer 2

IPSs react to attacks in progress and prevent them from reaching systems and networks

Question 3

Acronym

HIDS

Answer 3

Host-based Intrusion Detection System

Question 4

Definition

What is HIDS

Answer 4

It is additional software installed on a system that
* monitors the individual host
* can detect potential attacks
* analyzes critical operating system files

HIDS can monitor all traffic on a single host system

Question 5

Acronym

NIDS

Answer 5

Network-based Intrusion Detection System

monitors and assesses threats on the network from traffic sent in plaint

Question 6

What do NIDS sensors do?

Answer 6

Gather information and report to a central monitoring network appliance hosting a NIDS console

sensors AKA collectors

Question 7

What can a NIDS NOT do?

Answer 7

• Detect anomalies that don’t change network traffic
• Decrypt encrypted traffic

Question 8

What is port mirroring?

AKA port spanning

Answer 8

configuring a switch to send all the traffic it receives to a single port

Question 9

Where should you place a sensor if you want to see all attacks on your network?

Answer 9

On the internet side

Question 10

Where should you place a sensor if you only want to see attacks that get through on your network?

Answer 10

On the internal network

Question 11

Where are NIDS sensors installed?

Answer 11

Network devices: switches, routers, or firewalls

Question 12

What are the two primary detection methods

Answer 12

1. Signature based
2. heuristic/behavioral-based/anomaly based

Question 13

How do signature based IDSs detect attacks?

Answer 13

They use a database of known vulnerabilities or known attack patterns

Question 14

How do Trend based IDSs detect attacks?

Answer 14

• Identifies the network’s normal behavior and creates a baseline
• when abnormal activity is detected, it gives an alert

Good at detecting zero day exploits

Question 15

What are zero day exploits

Answer 15

vulnerabilities that are unknown to the vendor. There is no patch for the vulnerability

Question 16

IDS aggregator

Answer 16

Stores log entries from dissimilar systems

Question 17

Acronym

NOC

Answer 17

Network Operations Center

Question 18

IDS False Positive

Answer 18

An alert or alarm on an event that is non threatening or harmless

opposite of true positive

Question 19

IDS False negative

Answer 19

A real attack that is undetected by the system

Opposite of true negative

Question 20

What does a high incidence of false positives cause?

Answer 20

Increasr of the administrator’s workload

Question 21

Differences between IPS and IDS

Answer 21

• IPS can detect, react to, and prevent attacks while IDS an only detect and react
• IPS is in-line with the traffic - traffic goes through the IPS while IDS is out of band. Monitors the network but traffic doesnt go through it
• IPS is referred to as Active, IDS is referref to as Passive

Question 22

Acronym

RAT

Answer 22

Remote Access Trojan

Question 23

Acronym

APT

Answer 23

Advanced Persistent Threat

Question 24

Honeypot

Answer 24

A server that looks like an easy target so attackers spends their time in the honeypot instead of on the real network

Question 25

Honeynet

Answer 25

A group of honeypots within a separate network but accessible from an organization’s primary network

Question 26

Honeyfile

Answer 26

A file designed to attract the attention of an attacker

Question 27

Honeytoken

Answer 27

Fake data or credentials planted within a system to detect unauthorized access attempts

Question 28

Acronym

WLAN

Answer 28

Wireless Local Area Networks

Question 29

What does a wireless access point(AP) do?

Answer 29

Connects wireless clients to a wired network

Question 30

What are APs with routing capabilites marketed as?

Answer 30

Wireless routers

All wireless routers are APs but not all APs are wireless routers

Question 31

Acronym

WAN

Answer 31

Wide Area Network

Question 32

Acronyms

NAT and PAT

Answer 32

1. Networks Address Translation
2. Port Address Translation

Question 33

Acronym

DHCP

Answer 33

Dynamic Host Configuration Protocol

Question 35

Acronym and Definition

SSID

Answer 35

Service Set Identifier

The name of the wireless network

Question 36

What is MAC Filtering

Answer 36

Restricting access to a network based on the MAC address

Question 37

What is MAC address cloning

Answer 37

Changing the MAC address address on a device to match the MAC address of another device, typically the WAN port on an internet-facing router

spoofing a MAC address is easy

Question 38

What is a site survey?

Answer 38

examining a wireless environment to identify issues like areas with noise or potential security issues

Question 39

What do Wi-Fi analyzers do?

Answer 39

Identify and analyze activity on channels within the same wireless spectrum

A site survey tool

Question 40

What is a heat map

Answer 40

It gives a color coded representation of wireless signals

A site survey tool

Question 41

Wireless footprinting

Answer 41

Gives a detailes diagram of wireless APs, hotspots, and dead spots within an organization

Question 42

Acronym

WEP

Answer 42

Wired Equivalent Privacy

Question 43

Acronym

WPA

Answer 43

Wi-Fi Protected Access

Question 44

Which wireless cryptographic protocols should not be used and why?

Answer 44

• WEP and WPA
• These protocols are weak and deprecated

Question 45

Acronym

WPA2

Answer 45

• Wi-Fi Protected Access 2
• Uses AES and Counter-mode/CBC-MAC

Question 46

Acronym

AES

Answer 46

Advanced Encryption Standard

Question 47

Acronym

CCMP

Answer 47

Counter-mode/CBC-MAC

Question 48

What modes can WPA2 operate in?

Answer 48

1. Open
2. PSK
3. Enterprise Mode

Question 49

What is open mode

Answer 49

• Doesn’t use any security
• Data is transferred in cleartext
• Turns off all the security featues of WPA2

WPA2

Question 50

What is PSK mode

Answer 50

Allows users to access the wireless network anonymously with a PSK or passphrase

WPA2

Question 51

What is enterprise mode

Answer 51

• Forces users to authenticate with unique credentials before granting access to the wireless network
• uses an 802.1X server (implemented as a RADIUS server) to add authentication

WPA2: think of eduroam

Question 52

Acronym

WPA3

Answer 52

Wi-Fi Protected Access 3

Question 53

What modes can WPA3 operate in?

Answer 53

1. Enhanced open mode
2. SAE mode
3. Enterprise mode

Question 54

What is Enhanced open mode

Answer 54

• replaces the unencrypted open mode of WPA2
• Allows you to easily run a secure guest network

Question 55

Acronym

SAE mode

Answer 55

Simultaneos Authentication of Equals mode

Question 56

What is SAE mode

Answer 56

• replaces WPA2’s PSK mode p
• uses a passphrase

Question 57

True or false: WPA2 and WPA3 have the same enterprise mode

Answer 57

True

Question 58

What is the purpose of authentication protocols in wireless networks?

Answer 58

to verify the identity of devices attempting to connect to a wireless network.

Question 59

Acronym

EAP

Answer 59

Extensible Authentication Protocol

Question 60

What is the function of the EAP in wireless security?

Answer 60

• provides a method for two systems to create a secure encryption key (PKA).
• Systems then use the PTK to encrypt data transmitted between devices

Question 61

Acronym

PMK

Answer 61

Pairwise Master Key

Question 62

Acronym

PTK

Answer 62

Pairwise Transient key

Question 63

Acronym and Definition

PEAP

Answer 63

• Protected EAP
• Provides an extra layer of protection for EAP by requiring a certificate on the server

Question 64

Acronym

LEAP

Answer 64

Lightweight Extensible Authentication Protocol

Question 65

What makes LEAP an insecure authentication protocol?

Answer 65

It has known vulnerabilities that make is susceptible to attacks

Question 66

Acronym

EAP-FAST

Answer 66

EAP- Flexible Authentication via Secure Tunneling

Question 67

How does EAP-FAST improve upon LEAP’s security?

Answer 67

uses PACs to authenticate users within a secure tunnel.

Question 68

Acronym

PAC

Answer 68

• Protected Access Credentials
• Pre shared keys

Question 69

EAP-TLS is considered a highly secure protocol. What are its key features?

Answer 69

• requires both the client device and the network server to have digital certificates.
• implementing this can be more complex due to the need for certificate management

Mutual Authentication

Question 70

Acronym

EAP-TTLS

Answer 70

EAP- Tunneled TLS

Question 71

How do EAP-TTLS and PEAP balance security and ease of use?

Answer 71

• These protocols create a secure tunnel using TLS, However, only the server is required to have a digital certificate
• Simplifies configurtation for client devices but also maintains security

Question 72

What is IEEE 802.1X?

Answer 72

• A port based authentication protocol
• Requires devices to authenticate when they connect to a specfic wireless AP or a specific physical port

Only authorized clients can connect

Question 73

What is a captive portal

Answer 73

a technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network

Question 74

What is a dissassociation attack?

Answer 74

an attack that removes a wireless client from a wireless network, forcing them to re-authenticate

hotels could use this to kick people off hotspots so they are forced to pay for hotel wifi

Question 75

Acronym

WPS

Answer 75

• Wi-fi protected setup
• Allows users to configure wireless devices by entering an 8 digit pin

Susceptible to brute force attacks

Question 76

What is a rogue AP?

Answer 76

• An AP placed within a network without official authorization
• Used to capture and exfiltrate data

Question 77

What is data exfiltration?

Answer 77

the unauthorized transfer of data from an organization to a location controlled by an attacker

Question 78

What is an evil twin?

Answer 78

A rogue AP with the same SSID as a legitimate AP, sending wireless traffic through the rogue AP instead

Question 79

What is a jamming attack

Answer 79

• an attack where noise or another radio signal is transmitted on the same frequency used by a wireless network.
• usually prevents all users from connecting to a wireless network

Question 80

What is an IV attack?

Answer 80

• Initialization vector attack
• An acctack that attempts to discover the pre shared key after discovering the IV

Question 81

Acronym and definition

NFC

Answer 81

• Near field communication
• A group of standards that allows mobile devices to communicate with other devices when they are close to each other

Question 82

How does an NFC attack work?

Answer 82

The attacker uses an NFC reader to capture data from another NFC device

Question 83

Acronym

RFID

Answer 83

Radio Frequency Identification

Question 84

What are the common RFID attacks?

Answer 84

• Sniffing or eavesdropping
• RFID cloning
• DOS

Question 85

Acronym

PAN

Answer 85

Personal Area Network

Question 86

What is bluejacking?

Answer 86

Sending unsolicited messages to nearby bluetooth devices

Question 87

What is bluesnarfing?

Answer 87

Unauthorized access or theft of information from a bluetooth device

Question 88

What is bluebugging?

Answer 88

Similar to bluesnarfing but in addition to gaining full access to the phone, the attacker installs a backdoor.

Question 89

What prevents the pairing of bluetooth devices?

Answer 89

Faraday cages

Question 90

What is a wireless replay attack?

Answer 90

An attacker captures data sent between two entities, modifies it, and then attempts to impersonate one of the parties by replaying the data

Question 91

Which protocols are resistant to replay attacks?

Answer 91

WPA2 and WPA3

Question 92

What is war driving?

Answer 92

• The practice of looking for vulnerable wireless networks while walking or driving around
• Used by administrators as part of a wireless audit

also war flying: doing the same thing but in a plane

Question 93

What is a VPN concentrator?

Answer 93

• A dedicated device used for VPNs
• typically placed in a screened subnet

Question 94

Tunnel mode

Answer 94

• Encrypts the entire IP packet, including both the payload and the packet headers.
• Commonly used by VPNs

Question 95

Transport mode

Answer 95

only encyrpts the payload and is commonly used in priivate networks but not with VPNs

Question 96

ESP

Answer 96

Encapsulating Security Payload

Question 97

How does IPsec use authentication to enhance security?

Answer 97

IPsec incorporates an Authentication Header (AH), which allows the devices participating in an IPsec conversation to verify each other’s identities before exchanging any data. This authentication process helps prevent spoofing attacks, where a malicious actor might try to impersonate a legitimate device on the network.

Question 98

Acronym and definition

IKE

Answer 98

• Internet Key Exchange
• Creates Security associations (SA) for the VPN and uses thess to set up a secure channel between the client and the VPN server

Question 99

What is a split tunnel?

Answer 99

allows only specific traffic to be routed through the encrypted VPN tunnel. This means that other traffic, such as internet browsing, bypasses the tunnel and goes directly to the internet through the user’s Internet Service Provider (ISP).

Question 100

Full tunnel

Answer 100

routes all network traffic from the user’s device through the encrypted VPN tunnel. This means that all data sent and received, including internet browsing, is protected by the VPN

Question 101

What does IPsec use for VPN traffic?

Answer 101

• It uses tunnel mode and can be identified with protocol ID 50 for ESP.
• Uses IKE over port 500

Question 102

Site-to-Site VPN

Answer 102

Two VPN servers that act as gateways for two networks separated geographically

can be on demand VPNS or always on VPNs

Question 103

Benefit of site-to-site VPN model

Answer 103

it connects both networks without requiring additional steps on the part of the user

Question 104

Host-to-gateway model

Traditional remote acces VPN

Answer 104

The end user makes the direct connection to the VPN server

Question 105

WH

Always-on VPN

Answer 105

establishes and maintains a secure tunnel automatically whenever the user’s device connects to the internet.

Question 106

Acronym and Definition

L2TP

Answer 106

• Layer 2 Tunneling Protocol
• Data is encrypted with another protocol such as IPsec and then passed to L2TP for transport over the VPN

Question 107

HTML5 VPN

Answer 107

Allows users to connect to the VPN using their web browser

Question 108

Acronym

PBX

Answer 108

Private Branch Exchange

Question 109

Acronym and definition

NAC

Answer 109

• Network Access Control
• Provides continous secutrity monitoring by inspecting computers and preventing them from accessing the network if they don’t pass the inspection

can redirect unhealthy clients to a remediation network

Question 110

What are the common health conditions checked by a NAC

Answer 110

• the client’s firewall is enabled
• the client’s OS is up to date and has all current patches and fixes
• the client’s antivirus software is up to date and has all updated signature definitions

Question 111

What is a permanent NAC agent?

Answer 111

an agent that is installed on the client and stays on the client

Question 112

What is a dissolvable NAC agent?

Answer 112

An agent that is downloaded and runs on the client when the client logs on remotely and is deleted after the session ends

Question 113

What is an agentless NAC system?

Answer 113

A NAC system scans a client remotely without installing code on the client, either permanently or temporarily

Question 114

Acronym

PAP

Answer 114

• Password Authentication Protocol
• Used with PPP to authenticate clients
• Uses a passwork

Weakness: sends information in cleartext

Question 115

Acronym

PPP

Answer 115

Point to Point Protocol

Question 116

Acronym

CHAP

Answer 116

• Challenge Handshake Authentication Protocol
• also uses PPP and authenticates remote users but is more secure than PAP
• Its goal is to allow the client to pass credentials over a public network without allowing attackers to intercept the data and later use it in the attack

Doesn’t send in cleartext

Question 117

Acronym

RADIUS

Answer 117

• Remote Authentication Dial In User Service
• It is a centralized authentication service

Question 118

What do signature based IDS and IPS do?

Answer 118

Use signatures to detect known attacks or vulnerabilities