CS 6035 - Exam 2 Flashcards
Packet filter firewalls cannot prevent attacks that employ application-specific vulnerabilities or functions
(T/F)
True –> because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
For example, a packet filtering firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within the application will be permitted
A firewall can protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
(T/F)
False
A Stateful Packet Inspection Firewall only allows incoming TCP traffic to high level ports for packets which fit the profile of an entry in its directory of outbound TCP packets
(T/F)
True
A simple packet filtering firewall must permit inbound network traffic on all high-numbered ports for TCP-based traffic filtering. This creates a vulnerability that can be exploited by unauthorized users.
A stateful packet inspection firewall tightens up the rules for TCP traffic by creating a directory of outbound TCP connections. Incoming traffic has to fit the profile of entries.
Internal firewalls usually provide two-way protection for the DMZ (demilitarized zone) network system
(T/F)
True
A botnet attack compromises the availability of a system but not its integrity
(T/F)
False
Which of the following is not used by packet filtering firewall rules?
- Source or destination IP address
- IP protocol field
- TCP port number
- TCP sequence number
TCP sequence number
A privilege-escalation exploit is malicious behavior which:
- Operates by changing system resources such as libraries, directories, registry settings, and user accounts
- Mails a copy of itself to addresses in the local system’s email address book
- Allows the hacker to access files outside the range of which a server application would normally need to access
- Obtains root access from a (non-root) user account
Obtains access from a (non-root) user account
A _____ vulnerability in a Web server allows the hacker to access files outside the range of what a server application user would normally need access to.
directory traversal
examples of types of malicious behavior addressed by a host-based IPS (HIPS)
You run a network firewall for a company that handles lots of text message traffic. Spammers occasionally try to trick your systems into sending text messages for them. You notice these incoming requests always contain a spoofed address that looks like an IP address internal to your network. What is the most effective countermeasure for you to take against the spoofers?
- Discard packets with an internal source address if that packet arrives on an internal interface
- Change settings in the browser so that they only send requests with their own IP address as the source address
- Modify the routers to block all external traffic
- Discard packets with an internal source address if the packet arrives on an external interface
Discard packets with an internal source address if the packet arrives on an external interface
Which of the following are examples of attacks that can be made on packet-filtering firewalls?
- IP address spoofing
- Fragment attacks
- Source routing attacks
- All of the above
- A & C
All of the above.
In the context of a network-based IPS (NIPS), _____ is a strategy used to identify malicious packets by scanning for attack signatures in a traffic stream, rather than individual packets.
Stateful matching
In the context of a network-based IPS (NIPS), _____ scans incoming packets for specific byte sequences (the signatures) stored in a database of known attacks.
Pattern matching
In the context of a network-based IPS (NIPS), _____ looks for deviation from standards set forth in RFCs (remote function call).
Protocol anomaly
In the context of a network-based IPS (NIPS), _____ watches for unusual traffic activities, such as a flood of UDP packets or a new service appearing on the network.
Traffic anomaly
In the context of a network-based IPS (NIPS), _____ develops baselines of normal traffic activity and throughput, and alerts on deviations from those baselines.
Statistical anomaly.
A bot is a computer compromised by malware and under the control of a bot master
(T/F)
True
The best defense against being an unwitting participant in a DDoS attack is to prevent your system from being compromised.
(T/F)
True
Botnet command-and-control must be centralized, i.e., all bots communicate with a central server(s).
(T/F)
False
Both static and dynamic analysis are needed in order to fully understand malware behaviors.
True
The domain name(s) of the command and control server(s) of a botnet are pre-determined for the lifetime of the bot.
(T/F)
False
Some API attacks last for years before they are detected.
T/F
True
If we find that a botnet server is located in country X, we can be certain that criminals within country X control the botnet.
(T/F)
False
The firewall may be a single computer system or set of two or more systems that cooperate to perform the firewall function
(T/F)
True
A firewall can serve as the platform for IPSec.
T/F
True
A packet filtering firewall is typically configured to filter packets going in both directions.
(T/F)
True
A prime disadvantage of an application-level gateway is additional processing overhead on each connection.
(T/F)
True
A DMZ (demilitarized zone) is one of the internal firewalls protecting the bulk of the enterprise network.
(T/F)
False
External Firewalls
A botnet can use ____ for command-and-control.
- HTTP
- IRC (Internet Relay Chat)
- All of the above
All of the above
In a ____ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.
- SYN flood
- DNS amplification
- Poison packet
- UDP flood
DNS amplification
Characteristics of Advanced Persistent Threats (APT) include ________.
- Using zero-day exploit
- Low-and-slow
- Targeting high-value data
- All of the above
All of the above
The _____ defines the transport protocol.
- Destination IP address
- Source IP address
- Interface
- IP protocol field
IP protocol field
A _____ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
- Packet filtering
- Stateful inspection
- Application-level
- Circuit-level
Circuit-level
Typically the systems in the _____ require or foster external connectivity such as a corporate Web site, an email server, or a DNS server.
- DMZ (demilitarized zone)
- IP protocol field
- Boundary firewall
- VPN
DMZ (demilitarized zone)
A ____ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control.
- Packet filtering firewall
- Distributed firewall
- Personal firewall
- Stateful inspection firewall
Distributed firewall
The _____ attack is designed to circumvent filtering rules that depend on TCP header information.
- tiny fragment
- address spoofing
- source routing
- bastion host
Tiny Fragment
When analyzing traffic on a honeypot, care should be used in discerning legitimate traffic from potential intruders.
False.
put true –> still confusing
The purpose of Diffie-Hellman key exchange is to enable two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages.
True.
Arranging for the sender and receiver to have the same secret key is the first requirement for a digital envelope to protect a message.
False.
A digital envelope allows a message to be protected without first arranging for the sender and receiver to have the same key.
In RSA cryptography, a public key size of 100 bits is sufficient to secure a message.
False.
Currently, a 1024-bit key size is considered strong enough for virtually all applications.
A worm can potentially be identified through the use of anomaly detection techniques like noticing that hosts are using ports that they do not normally use.
True.
Compared to symmetric encryption, public-key encryption:
- is more important
- relies on bit operations instead of mathematical functions
- is more secure from cryptanalysis
- uses less computational overhead
- all of the above
- none of the above
None of the above.
X.509 certificates are not used in:
- IP Security (IPSec)
- Transport Layer Security (TLS)
- Secure Shell (SSH)
- Secure/Multi-purpose Internet Mail Extension (S/MIME)
- Physical Layer Security (PLS)
- None of the Above
Physical Layer Security (PLS)
Which of the following are algorithms that can be used in the digital signature process:
- RSA
- Diffie-Hellman
- Elliptic Curve
- RSA
- Elliptic Curve
Hash functions can be used for which of the following applications:
- Message authenticity
- Password security
- Intrusion detection
- All of the above
All of the above
The four major categories of Snort rule options are:
- Sub-Data
- Meta-Data
- Payload
- Non-Payload
- Post-Detection
- Pre-Detection
- Meta-Data
- Payload
- Non-Payload
- Post-Detection
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
True
To be of practical use an IDS (intrusion detection system) should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
True.
An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
False.
A common location for Network Intrusion Detection (NIDS) sensor is just inside the external firewall.
True
Network-based intrusion detection makes use of signature detection and anomaly detection.
True
Symmetric encryption is used primarily to provide confidentiality.
True.
Two of the most important applications of public-key encryption are digital signatures and key management
True.
The secret key is one of the inputs to a symmetric-key encryption algorithm.
True.
The strength of a hash function against brute-force attacks depends on the length of the hash code produced by the algorithm
True
Public-key algorithms are based on simple operations on bit patterns.
False.
A ______ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
host-based IDS
______ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.
Signature detection
_____ involves the collection of data relating to the behavior of legitimate users over a period of time.
Anomaly detection
A(n) _____ is inserted into a network segment so that the traffic it is monitoring must pass through the sensor.
inline sensor
The _____ is the IDS component that examines the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
analyzer
On average, ______ of all possible keys must be tried in order to achieve success with a brute-force attack.
half
If the only form of attack that could be made on an encryption algorithm is brute-force, then the way to counter such attacks would be to _____.
use longer keys
_______ is a procedure that allows communicating parties to verify that received or stored messages are authentic.
message authentication
The purpose of a _______ is to produce a “fingerprint” of a file, message, or other block of data.
hash function
A _______ is created by using a secure hash function to generate a hash value for a message and then encrypting the hash code with a private key.
digital signature
A _____ applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
packet filtering firewall
note: the firewall is typically configured to filter packets going in both directions (from and to the internal network)
A ______ is in essence an inline NIDS with the authority to modify or discard packets and tear down TCP connections
network-based IPS (intrusion protection system)
As with a NIDS, a NIPS makes use of techniques used in a NIDS but not commonly found in a firewall.
The principal feature of ____ that enables it to support these applications is that it can encrypt and/or authenticate all traffic at the IP level.
IPSec
example use cases:
- secure branch office connectivity over the internet
- secure remote access over the internet
- establishing extranet and intranet connectivity with partners
- enhancing electronic commerce security
Symmetric encryption is also referred to as secret-key or single-key encryption
(T/F)
True.
The ciphertext-only attack is the easiest to defend against
T/F
True
Because the opponent has the least amount of information to work with.
A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained.
(T/F)
True.
Advanced Encryption Standard (AES) uses a Feistel structure.
(T/F)
False
AES uses a block length of 128 bits and a key length that can be 128, 192, or 256 bits.
“Each block of 64 plaintext bits is encoded independently using the same key” is a description of the CBC mode of operation.
False.
In CBC mode, the input to the encryption algorithm is the XOR of the 64 bits of plaintext and the preceding 64 bits of ciphertext.
Timing attacks are only applicable to RSA
False.
These depend on the running time of the decryption algorithm.
Applicable not just to RSA, but to other public-key cryptography systems.
_____ RSA attack involves trying all possible private keys
Brute force
In a _____ RSA attack, there are several different approaches, all equivalent in effort to factoring the product of two primes.
Mathematical attacks.
In a _____ RSA attack, the attack exploits properties of the RSA algorithm.
Chosen ciphertext attacks.
Using PKCS (public-key cryptography standard), when RSA encrypts the same message twice, different ciphertexts will be produced.
True.
The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing discrete logarithms
True.
A key exchange protocol is vulnerable to a man-in-the-middle attack if it does not authenticate the participants
True
Just like RSA can be used for signature as well as encryption, Digital Signature Standard can also be used for encryption.
False
Digital Signature Standard is a suite of algorithms that can be used to generate digital signatures.
In general, public key based encryption is much slower than symmetric key based encryption.
(T/F)
True
______ is the original message or data that is fed into the encryption process as input
- Plaintext
- Encryption algorithm
- Decryption algorithm
- Ciphertext
Plaintext
Which of the following would allow an attacker to know that the plaintext of the current message must be the same as one previously transmitted, because their ciphertexts are the same?
- CBC Cipher Block Chaining
- ECB Electronic Code Book
- CFB Cipher Feedback
- OFB Output Feedback
- CTR Counter
ECB Electronic Code Book
_____ is a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key.
- Session Key
- Subkey
- Key distribution technique
- Ciphertext key
Key distribution technique
Which of the following features can only be provided by public-key cryptography?
Integrity protection
______ attacks have several approaches, all equivalent in effort to factoring the product of two primes.
- Mathematical
- Brute-force
- Chosen cipher
- Timing
mathematical
_____ are analogous to a burglar guessing a safe combination by observing how long it takes to turn the dial from number to number.
- Digital standards
- Mathematical attacks
- Ciphertext attacks
- Timing attacks
Timing attacks
______ was the first published public-key algorithm
- NIST
- Diffie-Hellman
- RC4
- RSA
Diffie-Hellman
One problem inherent in public-key infrastructure (PKI) is that not all certificate authorities (CAs) are equally trustworthy.
(T/F)
True.
A certificate authority’s X.509 certificate can be used for encrypting email in addition to signing other certificates.
(T/F)
False.
signing executable code. An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed.
When attacking HMAC, the attacker can generate message/code pairs offline, even though the attacker does not know K (the secret key)
(T/F)
False.
When attacking HMAC, the attacker cannot generate message/code pairs offline because the attacker does not know K. Therefore, the attacker must observe a sequence of messages generated by HMAC under the same key and perform the attack on these known messages.
A Certificate Authority’s public key is not needed to verify a certificate it has issued.
(T/F)
False.
The brute force method of attacking RSA algorithms involves trying all public keys.
(T/F)
False.
all private keys
X.509 is used in:
- IP Security (IPSec)
- Secure socket layer (SSL)
- Secure electronic transactions (SET)
- All of the above
- None of the above
All of the above.
Kerberos makes use of a protocol that involves:
- Clients
- Application servers
- a Kerberos server
- All of the above
All of the above.
Which of the following is not true of the p and q in the RSA public key generation algorithm?
- p cannot equal q
- the value of M (the message) is not related to p and q
- sign(n) is not directly dependent on p and q (only being dependent on the public key n)
- the exponent e is independent of p and q
- none of the above
sign(n) is not directly dependent on p and q (only being dependent on the public key n)
Which of the following are required to be part of a Kerberos realm?
- The Kerberos server must share a public key with each server
- The Kerberos server must have the user ID and password of all participating users in the database
- All servers are registered with the Kerberos server.
- The Kerberos server must have the user ID and password of all participating users in the database
- All servers are registered with the Kerberos server.
In IPSec, packets can be protected using Encapsulating Security Payloads (ESP) or Authentication Headers (AH) but not both at the same time.
(T/F)
False
In IPSec, if A uses Data Encryption Standard (DES) for traffic from A to B, then B must also use DES for traffic from B to A.
(T/F)
False.
In IPSec, the sequence number is used for preventing replay attacks.
(T/F)
True.
Most browsers come equipped with SSL and most Web servers have implemented the protocol.
(T/F)
True.
Even web searches have (often) been in HTTPS.
T/F
True
In a wireless network, traffic is broadcast into the air, and so it is much easier to sniff wireless traffic compared with wired traffic.
(T/F)
True.
Compared with Wired Equivalent Privacy (WEP), Wi-Fi Protected Access 2 (WPA2) has more flexible authentication and stronger encryption schemes.
(T/F)
True
iOS has no vulnerability
T/F
False
In iOS, each file is encrypted using a unique, per-file key.
T/F
True
In iOS, an app can run its own dynamic, run-time generated code.
(T/F)
False
The App Store review process can guarantee that no malicious iOS app is allowed into the store for download.
(T/F)
False.
In iOS, each app runs in its own sandbox
T/F
True
In Android, all apps have to be reviewed and signed by Google.
(T/F)
False.
In Android, an app will never be able to get more permission than what the user has approved
(T/F)
False.
Since Android is open-source, each handset vendor can customize it, and this is good for security
False.
The more complex and important part of Transport Layer Security (TLS) is the ______.
- signature
- message header
- payload
- handshake protocol
handshake protocol
______ is a list that contains the combinations of cryptographic algorithms supported by the client.
- compression method
- session ID
- cipher suite
- all of the above
cipher suite
Encapsulating Security Payloads (ESP) supports two modes of use: transport and _____.
- padding
- tunnel
- payload
- sequence
tunnel
ESP provides confidentiality, connectionless data integrity, data-origin authentication, an anti-replay service, and limited traffic-flow confidentiality.
The benefit of IPSec is _______.
- that it is below the transport layer and transparent to applications
- there is no need to revoke keying material when users leave the organization
- it can provide security for individual users if needed
- all of the above
all of the above
The ______ field in the outer IP header indicates whether the association is an Authentication Header (AH) or Encapsulating Security Payloads (ESP) security association.
- protocol identifier
- security parameter index
- IP destination address
- sequence path counter
protocol identifier
A _____ is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
SYN Flood
SYN is the first of the three messages in the TCP handshake: SYN, SYN-ACK, ACK
SYN spoofing attack targets _____. A. Email service B. TCP connection table C. DNS service D. None of the above
TCP connection table.
What is a poison packet?
A. A packet that triggers a bug in the network software and makes it crash.
B. A packet that contains the signature of a virus
C. A packet that infects other packets in the network buffer.
D. A packet that redirects other packets to a malicious target.
A. A packet that triggers a bug in the network software and makes it crash.
What is a cyber slam?
A large number of queries that severely load a server.
If an attacker directs a large number of forged requests to a server, what type of attack is being made?
SYN spoofing
ICMP (Internet Control Message Protocol ) flood attacks remain common because some ICMP packets are critical to normal network behavior and cannot be filtered
(T/F)
True
What is the difference between a TCP SYN flood attack and a SYN spoofing attack?
A. There is no difference
B. The difference is the volume of packets
C. SYN spoofing works with UDP only
D. TCP SYN flood attacks don’t use spoofed source addresses.
Ther
TCP SYN flood attacks may or may not use spoofed addresses, but the difference is in the volume of packets sent, meant to overwhelm the server. The SYN spoofing attack is meant to overwhelm the server in sending SYN-ACK messages to spoofed (preferably not invalid) addresses.
What type of attack is based on sending a large number of INVITE requests with spoofed IP addresses to a server? A. Reflection attack B. Smurf attack C. Slashdot attack D. SIP flood attack
SIP flood attack
The best defense against a reflection attack is to not allow directed broadcasts to be routed into the network
(T/F)
False.
The best defense against an amplification attack is to not allow directed broadcasts to be routed into the network
To defend against a reflection attack, use filtering to block spoofed-source packets.
A reflection attack is a method of attacking a challenge-response authentication system that uses the same protocol in both directions. That is, the same challenge-response protocol is used by each side to authenticate the other side. The essential idea of the attack is to trick the target into providing the answer to its own challenge.
A characteristic of reflection attacks is the lack of backscatter traffic
(T/F)
True.
What are some ways to prevent SYN spoofing attacks?
A. use SYN cookies
B. modify the size of the TCP connections table or timeout period
C. impose rate limits on network links
D. use selection or random dropping of TCP table entries.
E. all of the above
F. none of the above
All of the above.
Slowloris uses a ping flood via ICMP (Internet Control Message Protocol ) echo request packets.
(T/F)
False.
Smurf attack uses a ping flood via ICMP echo request packets
Slowloris exploits servers that use multiple threads by sending multiple incomplete connections (by not including the terminating newline sequence) to the server.
In a TCP spoofing attack, the attacker ideally wishes to use addresses that will not respond to the SYN-ACK with a RST.
(T/F)
True
A recursive HTTP flood attack is also known as what? A. a Fraggle attack B. a Delayed Binding attack C. a Spidering attack D. a SIP flood
C. A spidering attack
Bots start from a given HTTP link and then follow all links on the provided website in a recursive way. This is also called spidering.
When it comes to defense against attacks, one of the most important principles is what? A. Authorization B. Authentication C. Defense-in-depth D. Time
C. Defense-in-depth
Firewalls are what type of mechanisms? A. Prevention B. Botnet C. Attack D. None of the above
A. Prevention
The firewall will enforce different security restrictions on traffic
(T/F)
True
A _____ is a device that provides secure connectivity between networks. A. Enterprise intranet B. Trusted users C. Firewall D. DMZ
C. Firewall
Firewalls as a prevention mechanism should be designed to enforce what? A. User safety B. Security Policy C. Organizational Policy D. Public Key Infrastructure
B. Security Policy
All traffic from the internal network to the internet and vice versa (external and out of the network) must pass through the firewall
(T/F)
True.
A critical component of planning and implementation of a firewall is specifying a suitable ____ policy? A. Security B. Access C. Network D. Directory
Network
At a high level, what does the access policy specify about the types of traffic that are allowed through?
A. Address ranges (Machines, protocols, the applications and the contents)
B. IPSec & TLS
C. Intranet
D. Defense in depth
A. Address ranges
Firewalls can log all traffic and can provide Network Address Translation
(T/F)
True
What is firewall filtering?
A. when policies are defined for the firewall
B. authentication into the system
C. means the firewall decides whether to let the traffic through or not
D. means whether it will allow for a defense in depth strategy to protect the organization’s digital assets
C. Firewall filtering means the firewall decides whether to let the traffic through or not
Session filtering is based on the context within a session. In order to do this a firewall maintains a session or connection and performs a ________. A. Traffic Block B. Stateful inspection C. DMZ re-route D. Virtual Switch
B. Stateful inspection
In a packet filtering firewall decisions are made on a per packet basis and not by other packets.
(T/F)
True
The packet filtering firewall applies a list of rules to match the IP or TCP header of a packet and, based on which rule matches, the firewall then decides to forward or discard the packet
(T/F)
True.
IP or TCP header information that a firewall can use to filter a packet
• Source IP address: where the packet is from
• Destination IP address: the IP address of the destination
• Source and destination transport-level address: this defines the port number and the application, such as SMTP or HTTP
• IP protocol field: this defines TCP, UDP or ICMP (Internet Control Message Protocol)
• Interface: for a firewall with three or more ports, which interface the packet came from or is going to
What policies for packet filtering firewalls are used? A. Default discard policy B. Default forward policy C. Default isolation policy D. Default write down policy
A. Default discard policy
B. Default forward policy
When there is no rule that matches the packet, it will be discarded. This is the safe procedure but also a hindrance to users who find that some traffic isn’t allowed.
The forward policy is easier to use and manage but less secure; it just lets all packets in.
What are the weaknesses to packet filtering?
A. Limited logging functionality
B. Vulnerable to attacks that take advantage of TCP/IP
C. Can’t prevent attacks that employ application specific vulnerabilities or functions
D. Packet filter firewalls are susceptible to security breaches if improperly configured
E. All of the above.
All of the above.
Packet Filtering Firewall Countermeasures are which of the following: A. IP address spoofing B. Source routing attacks C. Tiny fragment attack D. Stateful inspection attack
A. IP address spoofing
B. Source routing attacks
C. Tiny fragment attack
The _______ countermeasure is enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header.
Tiny Fragment Attack
The _____ countermeasure discards all packets in which the source specifies the route.
Source Routing Attacks
The ______ countermeasure discards packets with an inside source address if the packet arrives on an external interface
IP Address Spoofing
A major component in the planning and implementation of a firewall is specifying an access policy.
(T/F)
True.
A firewall access policy would use which of the following to filter traffic? A.) IP Address and Protocol values B.) Application Protocol C.) User Identity D.) Network Activity E.) All of the Above
E.) All of the Above
A web proxy is a form of application-level gateway
T/F
True.
Intrusion is what?
A.) Any attack that aims to compromise the security goals of an Organization
B.) Any attack that is hidden from a user
C.) A form of detection which users are able to see everyone on the network
D.) A form of encryption which allows end to end security.
A.) Any attack that aims to compromise the security goals of an Organization
Intrusion detection systems are part of the defense in depth strategy
(T/F)
True
Defense in depth strategies should include all of the following except what?
A.) Encrypting sensitive information
B.) Intrusion detection systems
C.) Detailed audit trails
D.) Strong authentication and authorization controls
E.) Zero day exploits
F.) Active management of operating systems
G.) Application security
Zero day exploits.
Defense in Depth (DiD) is an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information.
The key design elements of an intrusion detection system are examining network and group activities
(T/F)
The key design elements of an intrusion detection system are examining network and user activities
Which of the Components is not part of an Intrusion detection system? A.) Data preprocessor B.) Detection Models C.) Detection Engines D.) Decision Table E.) Reporting and Analytics F.) Decision Engine
E.) Reporting and Analytics
An IDS is comprised of three logical components; which of the following is not a component? A.) Analyzers B.) User interface C.) Deep Learning D.) Sensors
C. Deep Learning
Sensors are responsible for collecting data
Analyzers receive input from one or more sensors or from other analyzers.
The user interface to an IDS enables a user to view output from the system or control the behavior of the system.
In an IDS, what do the sensors do?
A.) Determine if an intrusion has occurred
B.) Allow users to view the output of the system
C.) Provide guidance about what actions to take when the intrusion occurs.
D.) Collect and forward information to the analyzer
D.) Collect and forward information to the analyzer
Analyzers are responsible for determining if an intrusion has occurred.
(T/F)
False.
The analyzer output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion
Intrusion Detection Systems are only allowed to use a single sensor.
(T/F)
False.
IDS can use multiple sensors across a range of host and network devices sending information to a centralized analyzer and user interface in a distributed architecture
Maintaining Access is a backdoor that is hard to detect because it modifies machine-level code
(T/F)
False.
Object code backdoors: this type of backdoor is hard to detect because it modifies machine code
The SNORT system is a signature-based NIDS.
T/F
False.
The SNORT system is a rule-based NIDS. A large collection of rules exists for it to detect a wide variety of network attacks.
A key limitation of anomaly detection approaches used by many IDSs is that they are generally only trained with legitimate data.
(T/F)
True.
The advantages of __________________ anomaly detection include relative simplicity, low computation cost, and a lack of assumptions about expected behavior. Disadvantages include difficulty in selecting suitable metrics, and that not all behaviors can be modeled using this approach.
A. Statistical B. Knowledge based C. Machine-learning D. Heuristic E. Signature
A. Statistical
A key disadvantage of _______________ anomaly detection is the significant time and computational resources needed.
A. Statistical B. Knowledge based C. Machine-learning D. Heuristic E. Signature
C. Machine-learning
The advantages of ______________ approaches include their robustness and flexibility. A disadvantage is the difficulty and time required to develop them and the need for expert assistance.
A. Statistical B. Knowledge based C. Machine-learning D. Heuristic E. Signature
B. Knowledge based
Signature detection would be suitable to detect buffer overflows, password guessing, or malware transmission attacks.
(T/F)
True
Anomaly detection would be suitable to detect policy violation attacks.
(T/F)
False
Signature detection is better suited.
Signature detection would be suitable to detect worm attacks.
T/F
False.
Anomaly detection is better suited.
Anomaly detection would be suitable to detect DoS attacks.
T/F
True.
Signature detection would be suitable to detect network layer recon attacks, such as spoofed IP addresses or illegal IP header values.
(T/F)
True.
Signature detection would be suitable to detect unexpected application service attacks, such as a host running an unauthorized service.
(T/F)
True
Anomaly detection would be suitable to detect transport layer recon and attacks, such as packet fragmentation, port scanning, or SYN floods.
(T/F)
False.
Signature detection is better suited.
What is unique about Stateful Protocol Analysis?
A. It is primarily used by government organizations.
B. It requires less resource use than other methods
C. It uses predetermined vendor supplied profiles of benign protocol traffic.
D. It measures the state of the system at periodic time intervals to detect intruder activity.
C. It uses predetermined vendor supplied profiles of benign protocol traffic.
A disadvantage is that it requires high resource use.
There are two general approaches to attacking a symmetric encryption scheme. What are they?
A.) Cryptanalysis & Brute-Force attacks
B.) Cryptanalysis & DDoS
C.) Brute-force attack and CipherText
D.) Cryptanalysis & Caesar
A.) Cryptanalysis & Brute-Force attacks
The most commonly used asymmetric encryption algorithms are block ciphers. They are DES, Triple DES, and AES.
(T/F)
False.
DES, Triple DES, and AES are symmetric encryption algorithms.
Concerns about DES fall into two categories. What are they?
A.) 128 bit encryption and the algorithm itself (i.e. its cryptanalysis)
B.) The Key length of 56 bits and 256 bit encryption
C.) The key length of 56 bits and the cryptanalysis of the algorithm
D.) All of the above
C.) The key length of 56 bits and the cryptanalysis of the algorithm
The main reason most companies go with 3DES is that the algorithm is relatively faster in software compared to normal DES and AES
(T/F)
False.
The principal drawback of 3DES is that the algorithm is relatively sluggish in software.
If you want to achieve the highest level of privacy and reliability, it is often best to use a new or unpublished encryption algorithm.
(T/F)
False.
In practice, we should always use the widely known and deployed algorithms and standards.
A digital envelope is a technique for attaching a one-time key that encrypts a message to the receiver’s public key.
(T/F)
True
Symmetric encryption relies on a public and private key, while asymmetric encryption relies on a shared key between two parties.
(T/F)
False
The primary advantage of a block cipher is that block ciphers are almost always faster and use far less code than do stream ciphers.
(T/F)
False.
Source: Text pg 35
Both block ciphers and stream ciphers belong to the symmetric-key cipher family; both are methods for converting plaintext into ciphertext.
The main difference between a block cipher and a stream cipher is that a block cipher converts plaintext into ciphertext one block of plaintext at a time, while a stream cipher converts plaintext into ciphertext one byte of plaintext at a time.
All but one of the following situations are examples where message authentication without confidentiality would be preferable. Select the exception.
A. When a message or notification is broadcast to many different users.
B. When the receiver is expecting a message from the sender, or when both the user and sender have the same access privileges.
C. When the systems of either the sender or the recipient are heavily loaded and cannot afford the time to encrypt.
D. When authenticating a computer program, allowing it to execute without having to perform a decryption each time.
B. When the receiver is expecting a message from the sender, or when both the user and sender have the same access privileges.
Which of the following is not a characteristic that is sought in random (or pseudo random) numbers used in cryptography?
A. The overall distribution of numbers is normal or approximately normal.
B. Values are statistically independent of one another.
C. The sequence is unpredictable.
A. The overall distribution of numbers is normal or approximately normal.
The values should be uniformly distributed.
It is possible for a computer chip to use software to generate true random numbers.
(T/F)
True.
The Intel DRNG, offered on multi-core chips since 2012, uses thermal noise within the silicon to output a random stream of bits.
So-called data at rest is often not encrypted, but it should be encrypted.
(T/F)
True
Under which of the following situations would Message Authentication confidentiality NOT be preferable?
A. Encryption software is slow.
B. Hash functions are irreversible
C. Encryption hardware is not inexpensive.
D. Encryption hardware is geared toward larger data sizes.
E. Encryption algorithms may be patent protected.
B. Hash functions are irreversible
What are some uses of hash functions?
I. Message encryption II. Message authentication III. Creating Digital Signatures IV. Password encapsulation V. Intrusion detection
A. I, II, and III B. All of the choices C. I, III, and V D. II, IV, and V E. All except I. F. All except IV.
E. All except I.
A symmetric cipher is characterized by ciphertext that is the same size as the original plaintext.
(T/F)
False
It can be characterized by the use of a shared secret key.
For applications such as file transfer, email, and database, a stream cipher may be more appropriate.
(T/F)
False
A block cipher may be more appropriate for applications that deal with large blocks of data. Stream ciphers may be more appropriate for data in web browsers or data communications channels.
A number of attacks against RC4 have been published, but if a large enough key is used, none of those attacks are practical.
(T/F)
True
RC4 is very fast and simple to explain, and it allows for variable key lengths.
(T/F)
True
Which of the following is not among the ways two users can arrange to exchange keys?
A. If the two parties have recently used a key, they can transmit the old key, using the new key to encrypt.
B. A third party could physically deliver the key to the second party.
C. If the two parties have an encrypted connection to a third party, the third party can deliver the key.
D. None of the above answers are correct.
A. If the two parties have recently used a key, they can transmit the old key, using the new key to encrypt.
Which of the following defines a Session Key?
A. A key used between entities for the purpose of distributing keys.
B. A one-time key used to communicate between two end systems.
C. The authority that determines which systems are allowed to communicate with each other.
D. A shared key that is used in Asymmetric encryption standards such as RSA.
B. A one-time key used to communicate between two end systems.
How can 3DES be used to decrypt DES encrypted ciphertext?
A. By setting Key1 = Key2 and Key3 = Key_DES
B. By setting Key1 = Key2 = Key3 = Key_DES
C. By setting Key3 = Key_DES
D. By setting Key1 = Key3 and Key2 = Key_DES.
A. By setting Key1 = Key2 and Key3 = Key_DES
In a public-key system using RSA, you intercept the ciphertext C=10 sent to a user whose public key is e=5, n=35. What is the plaintext M (as an integer)?
A. 50 B 25 C. 17 D. 30 E. 5
B
n = 35, so p = 7 and q = 5, so φ(n) = 6 × 4 = 24. Then d = e^(-1) mod φ(n) = 5, since 5 × 5 = 25 ≡ 1 (mod 24). M = C^d mod n = 10^5 mod 35 = 25.
Consider a Diffie-Hellman scheme with a common prime q=11 and a primitive root α=2. If user A has public key YA=9, what is A’s private key XA?
A. 6 B. 4 C. 10 D. 5 E. 2
A
YA = 2^XA mod 11 = 9. By inspection, 2^6 = 64 and 64 mod 11 = 9, so XA = 6 is the private key.
The structure and functions used in SHA-1 and SHA-2 are substantially different from those used in SHA-3.
(T/F)
True
The CTR cipher block mode does not have which of the following advantages listed, according to the text?
A. Simplicity B. Preprocessing capability C. Software efficiency D. Hardware efficiency E. Scalability F. Random Access capability G. Provable Security
E. Scalability
It is possible to convert any block cipher into a stream cipher.
(T/F)
True
By using Cipher Feedback mode.
AES is a Feistel cipher.
T/F
False
The primary advantage of a block cipher is that block ciphers are almost always faster than stream ciphers.
(T/F)
False
What is the main reason 3DES uses an encrypt-decrypt-encrypt sequence?
A. It makes it more difficult for eavesdroppers to cryptanalyze.
B. It is faster than encrypt-encrypt-encrypt would be.
C. It can decrypt DES encrypted messages.
D. It is easier to use with cipher block chaining.
C. It can decrypt DES encrypted messages.
Which of the following is not a mode of operation used in Cipher blocks?
A. Random Bit Optimization B. Electronic Code Book C. Cipher Feedback D. Output Feedback E. Counter
A. Random Bit Optimization
Which of the following is the weakest form of attack?
A. Chosen Plaintext B. Chosen Ciphertext C. Known Plaintext D. Ciphertext Only E. Chosen Text
D. Ciphertext Only
What is RC4?
A. A stream cipher.
B. A symmetric block cipher
C. An asymmetric block cipher.
D. A set of standards used in Internet encryption
A. A stream cipher.
CTR mode is used for timing, for example, to ensure that encrypted streams remain in sync with one another.
(T/F)
False.
In this mode, both the sender and receiver need access to a reliable counter, which computes a new shared value each time a ciphertext block is exchanged.
What operation does the Diffie-Hellman algorithm use as a one way function?
A. Discrete exponentiation
B. Elliptical Key Cryptography.
C. Discrete logarithms
D. Hashing functions.
C. Discrete logarithms
OCB offers authenticated encryption. (T/F)
It uses 3DES to encrypt messages. (T/F)
Its structure is similar to ECB mode, which makes it vulnerable to repeated messages. (T/F)
It uses the same key for authentication and encryption. (T/F)
True
False (OCB uses AES)
False (while its structure is similar to ECB, it XORs an offset with the plaintext in each block)
True
OCB mode (Offset Codebook Mode) is an authenticated encryption mode of operation for cryptographic block ciphers.
The MD5 hash function, despite being susceptible to the birthday attack, is suitable for HMAC.
(T/F)
True
RSA can be used for both encryption and key exchange, but DSS (digital signature standard) cannot.
(T/F)
True
If someone finds an efficient way to factor large integers, then AES (advanced encryption standard) will be obsolete.
(T/F)
False
The Certification Authority is responsible for generating the public keys.
(T/F)
False
HMAC treats the SHA function as a black box. What benefits does this have?
I. The hash algorithm used in HMAC is hidden from hackers.
II. It is easy to replace the given hash function.
III. HMAC code can be prepackaged and ready to use without modification.
A. I and II
B. I and III
C. II and III
D. I, II, and III
II. It is easy to replace the given hash function.
III. HMAC code can be prepackaged and ready to use without modification.
Using the Pigeonhole Principle, given that a hash can take an input of any size and output a value of fixed size, then it should have collisions.
(T/F)
The Pigeonhole Principle can be used as a counterexample to the Collision Resistance property of hashes.
(T/F)
False.
While the Pigeonhole Principle says there exist collisions, the collision resistance property says that it is computationally infeasible to find them. So even though collisions exist, they are hard to find, thus keeping the collision resistance property of hashes intact.
From the birthday “paradox”, if the length of the hash is x bits, then a hacker would have to search 2^(x/2) messages in order to find a collision. In doing so, what is the probability, approximately, that the hacker will find a collision?
A. nearly 100% B. about 75% C. about 66% D. about 50% E. about 25% F. less than 25%
D. about 50%
The approximation 2^(x/2) = sqrt(2^x) gives a probability of about 50% that the hacker will find at least one match.
So it is misleading to say that the hacker would have to search 2^(x/2) messages to "find a match". This would only give the hacker a better than 50% chance of finding one without some more strategic choices.
SHA-1 allows message sizes as large as 2 terabytes.
T/F
True.
That's quite an understatement, though. SHA-1 accepts messages up to 2^64 bits, which is (2^21) × (2^43), so the limit is more like 2 million terabytes. And SHA-384 and SHA-512 accept messages of that size squared (2^128 bits)!
A truly ideal hash function should be nondeterministic.
T/F
False.
You want to be able to always get the same hash for a given input, hence, it must be deterministic.
What is the main advantage of ECC compared to RSA?
A. Its technique is not as difficult to explain.
B. Hackers have not shown interest in it.
C. Its theory has been around for a long time.
D. It offers equal security with smaller key size.
D. It offers equal security with smaller key size.
(A and B are the opposite of true, and C is a true statement, but it is not relevant here.)
Diffie-Hellman Key Exchange is, on its own, completely vulnerable to a man in the middle attack.
(T/F)
True
It is vulnerable because it does not authenticate the participants.
In attacks on RSA, it has been demonstrated that if the public key e is less than n and the private key d is less than the fourth root of n, then d can be "easily determined".
(T/F)
True.
According to the text, the largest product of primes that has been factored to date was over 200 decimal digits long.
(T/F)
True.
In fact, it was 232 digits long, and that was done in late 2009.
All hash functions operate using these two principles: (select two)
I. The size of the input is greater than the size of the output
II. The input is viewed as a sequence of n-bit blocks.
III. The input value is “randomized” to overcome regularities.
IV. Ciphertext does not change when blocks are permuted.
V. Input is processed one block at a time in an iterative fashion.
A. I and II B. I and III C. II and III D. II and V E. III and IV F. III and V
II. The input is viewed as a sequence of n-bit blocks.
V. Input is processed one block at a time in an iterative fashion.
SHA-512 is more efficient than SHA-256 on many 64-bit systems.
(T/F)
True
SHA-512 makes use of constants derived from the first 64 bits of the fractional parts of the cube roots of the first 80 prime numbers (one for each round).
(T/F)
True
A longitudinal redundancy check is reasonably effective for random data as a data integrity check. It uses which bitwise function?
XOR
What are the principal elements of a Kerberos system?
I. AS
II. TGT
III. TGS
A. I, II, and III
B. I and II only
C. I and III only
D. II and III only
I. AS
III. TGS
Which of the following are steps Kerberos uses to ensure security and authentication?
A. It includes a timestamp to prevent replay attacks.
B. It sets a lifetime on TGTs.
C. It uses short-lived authenticators encrypted with session keys.
D. It encrypts the TGT with the server key to prevent alteration.
E. All of the above
E. All of the above
What is an authenticator, as used by Kerberos?
A. A software application that verifies a user’s identity.
B. An encrypted message which contains the ID, the address of the user, and a timestamp.
C. An application that creates a one-time password that authenticates a user.
D. A server which contains the IP, user ID, and user password, used for authentication.
E. None of the above.
B. An encrypted message which contains the ID, the address of the user, and a timestamp.
The Authentication Server holds a copy of symmetric keys for all clients and servers.
(T/F)
True
The TGT includes a key (“ticket”) that gives the client access to the requested service.
(T/F)
False
The user cannot read the TGT, she only passes it forward along with other information, to the TGS.
(T/F)
True
The set of keys and user IDs/passwords in a Kerberos network (i.e., a full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers) are known as ______________.
A. a realm. B. a session. C. a dictionary. D. an organization E. a Kerberos policy.
A. a realm.
PKI is defined as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on symmetric cryptography.
(T/F)
False
Change symmetric to asymmetric, and it’s true!
Which of the following is not a long-known problem with the X.509 PKI model?
A. There is not a standardized set of trust stores used by all browsers and operating systems.
B. The user is sometimes relied upon to make an informed decision regarding certificate trust.
C. All CA’s in the trust store are assumed to be equally trusted, well managed, and applying equal policies.
D. The trust certificates shared in the trust store are not encrypted.
D. The trust certificates shared in the trust store are not encrypted.
What is a trust store?
A. A database of IP addresses of known trusted servers.
B. A list of CA’s and their public keys.
C. A CA that issues authentication certificates.
D. A single internationally specified hierarchy of government regulated CAs.
B. A list of CA’s and their public keys.
Kerberos provides both authentication and access control.
T/F
True
How does Trudy, the (wo)man in the middle, initiate a mutual authentication reflection attack between two users, Bob and Alice?
A. She tricks Bob into sharing Alice’s public key with her.
B. She tricks Bob into solving a challenge response from Alice.
C. She tricks Alice into sending her challenge twice.
D. She simply re-sends the challenge response that she intercepted from Alice, back to her.
B. She tricks Bob into solving a challenge response from Alice.
What is a major shortcoming of using a pairwise key exchange based on a shared secret (key)?
A. It does not scale well.
B. It lacks computational security.
C. Session keys expire after a set time.
D. It is vulnerable to the man in the middle attack.
A. It does not scale well.
In Kerberos, the localhost must store the user’s password (or password hash) after retrieving the session key from the key distribution center.
(T/F)
False.
What are some reasons a user would revoke a certificate before it expires?
I. A key has been compromised.
II. Upgrades require a new key.
III. The key has been duplicated.
A. I, II, and III B. I and II only C. II and III only D. I and III only E I only
B. I and II only
I. A key has been compromised.
II. Upgrades require a new key.
Conventional X.509 certificates have validity periods of months to years.
(T/F)
True.
What is the main difference between signed data and clear signed data?
A. Signed data allows users without S/MIME capability to view message content, but clear signed data does not.
B. Clear signed data uses base64 encoding; signed data does not.
C. Clear signed data is not authenticated, signed data is.
D. Clear signed data allows users to use PKI, signed data requires users to apply a private key.
E. None of the above are correct.
E. None of the above are correct.
If you switch clear signed data and signed data in answer A, it would be correct. ; )
What is radix 64 encoding (aka base 64 encoding)?
A. Encryption that is optimized for use with 64 bit computers.
B. Encoding that uses binary logarithmic functions (radix base 2) to map input to output values.
C. Encoding that maps binary data to ASCII characters.
D. Encoding that encrypts a message using the receiver’s 64 bit private key.
E. None of the above are correct.
C. Encoding that maps binary data to ASCII characters.
The basic tool that permits the wide scale use of S/MIME is a pseudo random key generator.
(T/F)
False
The tool is a public key certificate that conforms to the X.509v3 standard.
TLS sessions avoid the need for updating security parameters for each connection.
(T/F)
True
Why is a random parameter sent along with client_hello message during phase 1 of a TLS handshake?
A. It is used as a nonce which is combined with a security key.
B. It prevents an eavesdropper from replaying the message.
C. It is used to exchange a key using the Diffie-Hellman protocol.
D. It is sent to confuse bots to prevent a DDoS attack.
E. It is part of legacy code, sent to allow back compatibility.
B. It prevents an eavesdropper from replaying the message.
The Heartbleed vulnerability was due to a design flaw that was discovered in the TLS specification.
(T/F)
False
It was due to a programming mistake in the commonly-used OpenSSL library.
Which of the following statements concerning benefits of IPSec is false?
A. IPSec is transparent to applications.
B. No need to train users.
C. IPSec can ensure that a routing update is forged.
D. IPSec can ensure that a routing advertisement comes from an authorized router.
C
It can ensure the update is not forged, i.e., that it is authentic.
When ESP is used in IPSec transport mode, the packet payload and ESP trailer are encrypted, but the ESP header is not encrypted.
(T/F)
True
The header gives security information such as which algorithm or secret key was used.
The Security Policy Database and the Security Association Database are maintained in separate tables.
(T/F)
True
The SA is a two-way relationship between a sender and receiver, defined by IPSec parameters.
(T/F)
False
It is a one-way relationship – one SA for inbound traffic, and another for outbound traffic.
In default mode, if a pre-shared key is compromised during phase 2 of Internet Key Exchange, then all IPSec keys previously computed are compromised.
(T/F)
True
If perfect forward secrecy is required, then for each IPSec SA, the shared key along with new public components from Diffie-Hellman and new nonce values are used, protecting previously generated keys.
Which IPSec mode offers end-to-end security protection?
A. ESP Mode B. IKE Mode C. Tunnel Mode D. TLS Mode E. Transport Mode
E. Transport Mode
Multiple IPSec SAs can be established with one IKE SA.
T/F
True
Which is the main reason a cookie is sent during Phase 1 of IKE?
A. To authenticate the users
B. To store login credentials for the session.
C. To help prevent DoS attacks.
D. To store header information, such as time stamp, a nonce, and the user’s public key.
C. To help prevent DoS attacks.
Adding firewall policies to limit the scope of data and application access for all mobile devices, as well as setting up an IDS and IPS configured with tighter rules for mobile device traffic, is an example of:
A. Device security
B. Traffic security
C. Barrier security
D. None of the above
C. Barrier security
Using a Virtual Private Network (VPN) configured to carry all traffic between mobile devices and the organization's network is an example of:
A. Device security
B. Traffic security
C. Barrier security
D. None of the above
B. Traffic security
What are the main threats to wireless transmission?
I. Eavesdropping II. Disrupted transmissions III. Message integrity attacks IV. Signal attenuation attacks V. Masquerade channel attacks
A. I and II B. I, III, and V C. II, III, and IV D. I, II, III, IV, and V E. none of the above
I. Eavesdropping
II. Disrupted transmissions
III. Message integrity attacks
The main threat to wireless access points is disruption.
T/F
The main threat is unauthorized access to the network.
Configuring routers to use MAC authentication will block unauthorized access to the network.
(T/F)
MAC addresses can be spoofed, so this is just one element of a defense in depth strategy.