CIA Triad/SNORT/Defensive Measures

Question 1

assurance that sensitive information can only be read/interpreted by people/processes that are authorized to

Answer 1

Confidentiality

Question 2

assurance that authorized users can access/work with information assets, resources when needed with sufficient response and performance.

Answer 2

Availability

Question 3

assurance that information remains correct and authentic, protected by means of preventing/detecting unauthorized creation, modification and destruction of information.

Answer 3

Integrity

Question 4

What are some examples of a threat-source?

Answer 4

Natural (Hurricane), human (internal/external).

Question 5

flaw that can present a security breach

Answer 5

vulnerability

Question 6

safeguards/countermeasures to reduce risk

Answer 6

management controls

Question 7

What is the goal of risk management? How can it be accomplished?

Answer 7

to reach zero risk and it can be accomplished by eliminating the threat or the vulnerability.

Question 8

What are the four approaches when planning additional defensive measures?

Answer 8

Uniform Protection, Protected Enclaves, Information Centric, Vector-Oriented

Question 9

Information Centric and Vector are typically used when creating new networks. True or False?

Answer 9

False

Question 10

Uniform Protection and Protected Enclaves are typically used when creating new enterprise networks.

Answer 10

True

Question 11

defensive approach when all internal hosts receive same level of protection

Answer 11

Uniform Protection

Question 12

defensive approach when you subdivide the internal network (subdivide and separate networks) so it isn’t one large zone with no internal protections

Answer 12

Protected Enclaves

Question 13

where the client (supplicant) must pass muster with the networks policy server before getting to the resources on the network

Answer 13

Network Admissions Control

Question 14

Why do we use firewalls?

Answer 14

to isolate or split up groups and sensitive data from everyone else

Question 15

In order to travel from one VLAN to another, what do you have to pass through?

Answer 15

Access Control List (ACL)

Question 16

VPNs can give you two things. What are they?

Answer 16

confidentiality and ability that only hosts that are authorized to connect to other hosts to do so

Question 17

defensive measure that prioritizes protection of information over systems

Answer 17

Information Centric

Question 18

The goal of information centric is to protect the information regardless of where the information is. True or False?

Answer 18

True

Question 19

fast, flexible, open-source Network Intrusion Detection System developed in 1998,

Answer 19

SNORT

Question 20

Snort is not rule-based. (T or F)

Answer 20

F

Question 21

Snort looks at all traffic over IP and sniffs both traffic in both directions. (T or F)

Answer 21

T

Question 22

What are the three main operational modes when using Snort? How are they configured?

Answer 22

Sniffer, Packet Logger, Network Intrusion Detection System (NIDS).

They are configured via command line switches.

Question 23

Snort operational mode that logs all data and post-process to look for anomalous activity

Answer 23

Packet Logger

Question 24

Snort operational mode that can perform portscan detection, ip defrag, app layer analysis

Answer 24

NIDS mode

Question 25

This is used to set the operational configuration of Snort (what to log, what to alert on, what rules to include/location, setting substitution variables?)

Answer 25

snort.conf file

Question 26

Default path of snort.conf

Answer 26

/etc/snort/snort/snort.conf

Question 27

The three types of variables in snort.conf

Answer 27

var, portvar, ipvar

Question 28

Why is setting correct values in variables important?

Answer 28

reduce “false-positive” alerts

Question 29

plug-in tools that allow Snort to look for certain criteria in a packet after it has been decoded but before it is put through the detection engine

Answer 29

Snort Preprocessors

Question 30

set of instructions designed to pick out network traffic that matches a specified pattern, then takes chosen action when traffic matches (Snort)

Answer 30

Rule

Question 31

Most Snort rules are written in a single line. (T or F)

Answer 31

T

Question 32

the two sections of Rules

Answer 32

rule header and rule options

Question 33

alert messages and parts of packet inspected to determine further rule action or not (A Snort Rules Section)

Answer 33

Rule Options

Question 34

action, protocol, source and destination ports and IP addresses (a Snort Rules section)

Answer 34

Rule Header

Question 35

alert tcp any any -> 192.168.1.0/24 80 . Would this be the rule options or rule header?

Answer 35

Rule Header because it contains ip address and destination

Question 36

alert, log, pass, activate and dynamic. which mode is this? (snort rule actions)

Answer 36

detection mode

Question 37

ignore the packet (detection mode)

Answer 37

pass

Question 38

alert and then turn on another dynamic rule (detection mode)

Answer 38

activate

Question 39

drop, reject and sdrop. which mode is this? (snort rule actions)

Answer 39

inline mode

Question 40

make iptables drop packet but do not log (inline mode)

Answer 40

sdrop

Question 41

make iptables drop packet, log and send tcp reset if protocol is tcp (icmp port msg if protocol is UDP) - inline mode.

Answer 41

reject

Question 42

four major categories of rule options

Answer 42

general, payload, non-payload, post-detection

Question 43

provides information about the rule but do not have any effect during detection (Snort rule options)

Answer 43

general options

Question 44

looks for data inside packet payload, can be inter-related (Snort rule options)

Answer 44

payload

Question 45

rule specific triggers that happen after a rule has “fired” (Snort rule options)

Answer 45

post-detection

Question 46

tells logging and alerting engine that the message to print with packet dump or to an alert (Snort rule options)

Answer 46

msg rule option

Question 47

allows rules to include references to external identification systems (could reference bugtraq, cve, or URLs) . (Snort rule options)

Answer 47

reference keyword

Question 48

external attack ID systems

Answer 48

BID and CVE

Question 49

<100 means what? (Snort Rule Options Keywords)

Answer 49

reserved for future use

Question 50

100-1,000,000 means what? (Snort Rule Options Keywords)

Answer 50

rules included with the Snort distribution

Question 51

> 1,000,000 means what? (Snort Rule Options Keywords)

Answer 51

used for local rules

Question 52

what keyword would you use to uniquely identify Snort rules? (hint: three letter word)

Answer 52

sid

Question 53

PHP-based analysis engine to search and process database of security events (various IDSs, firewalls, and network monitoring tools)

Answer 53

Basic Analysis and Security Engine (BASE)

Question 54

In order for BASE to work, you must periodically do what?

Answer 54

refresh the screen