Matt Walker Chapter 10 Flashcards

1
Q
1. Which of the following doesn’t define a method of transmitting data that violates a security policy?

A. Backdoor channel
B. Session hijacking
C. Covert channel
D. Overt channel

A

1. D. Overt channel

Overt channels are legitimate, and used legitimately. Everything else listed would be in violation of a security policy.

2
Q
2. Which virus type is only executed when a specific condition is met?

A. Sparse infector
B. Multipartite
C. Metamorphic
D. Cavity

A

2. A. Sparse infector

Sparse infector viruses only fire when a specific condition is met. For example, maybe the fifth time Calculator is run, whammo!—virus execution.

3
Q
3. Which of the following propagates without human interaction?

A. Trojan
B. Worm
C. Virus
D. MITM

A

3. B. Worm

Much like Skynet from the Terminator movies, worms do not need us.

4
Q
4. Which of the following don’t use ICMP in the attack? (Choose two.)

A. SYN flood
B. Ping of death
C. Smurf
D. Peer to peer

A

4. A, D. SYN flood and Peer to peer

A SYN flood doesn’t use ICMP at all, nor does a peer-to-peer attack.

5
Q
5. Which of the following is not a recommended step in recovering from a malware infection?

A. Delete system restore points.
B. Back up the hard drive.
C. Remove the system from the network.
D. Reinstall from original media.

A

5. B. Back up the hard drive.

Backing up a hard drive that’s already infected makes as much sense as putting ketchup on a doughnut. The malicious files are on the drive, so backing it up does nothing but ensure you’ll reinfect something later on.

6
Q
6. Which of the following is a recommendation to protect against session hijacking? (Choose two.)

A. Use only nonroutable protocols.
B. Use unpredictable sequence numbers.
C. Use a file verification application, such as Tripwire.
D. Use a good password policy.
E. Implement IPSec throughout the environment.

A

6. B, E. Use unpredictable sequence numbers and implement IPSec throughout the environment.

Unpredictable sequence numbers make session hijacking nearly impossible, and implementing IPSec—which provides encryption and authentication services—is also probably a good idea.

7
Q
7. Which of the following attacks an already-authenticated connection?

A. Smurf
B. Denial of service
C. Session hijacking
D. Phishing

A

7. C. Session hijacking

Session hijacking takes advantage of connections already in place and already authenticated.

8
Q
8. How does Tripwire (and programs like it) help against Trojan attacks?

A. Tripwire is an AV application that quarantines and removes malware immediately.
B. Tripwire is an AV application that quarantines and removes malware after a scan.
C. Tripwire is a file-integrity-checking application that rejects malware packets intended for the kernel.
D. Tripwire is a file-integrity-checking application that notifies you when a system file has been altered, potentially indicating malware.

A

8. D. Tripwire is a file-integrity-checking application that notifies you when a system file has been altered, potentially indicating malware.

Tripwire is one of the better-known file integrity verifiers, and it can help prevent Trojans by notifying you immediately when an important file is altered.

9
Q
9. Which of the following DoS categories consumes all available bandwidth for the system or service?

A. Fragmentation attacks
B. Volumetric attacks
C. Application attacks
D. TCP state-exhaustion attacks

A

9. B. Volumetric attacks

Volumetric attacks consume all available bandwidth for the system or service.

10
Q
10. During a TCP data exchange, the client has offered a sequence number of 100, and the server has offered 500. During acknowledgments, the packet shows 101 and 501, respectively, as the agreed-upon sequence numbers. With a window size of 5, which sequence numbers would the server willingly accept as part of this session?

A. 102 through 104
B. 102 through 501
C. 102 through 502
D. Anything above 501

A

10. A. 102 through 104

Starting with the acknowledged sequence number of 101, the server will accept packets between 102 and 106 before sending an acknowledgment.

11
Q
11. Which of the following is the proper syntax on Windows systems for spawning a command shell on port 56 using Netcat?

A. nc -r 56 -c cmd.exe
B. nc -p 56 -o cmd.exe
C. nc -L 56 -t -e cmd.exe
D. nc -port 56 -s -o cmd.exe

A

11. C. nc -L 56 -t -e cmd.exe

This is the correct syntax for using Netcat to leave a command shell open on port 56.

12
Q
12. Which of the following best describes a DRDoS?

A. Multiple intermediary machines send the attack at the behest of the attacker.
B. The attacker sends thousands upon thousands of SYN packets to the machine with a false source IP address.
C. The attacker sends thousands of SYN packets to the target but never responds to any of the return SYN/ACK packets.
D. The attack involves sending a large number of garbled IP fragments with overlapping, oversized payloads to the target machine.

A

12. A. Multiple intermediary machines send the attack at the behest of the attacker.

The distributed reflection denial-of-service (DRDoS) attack is, for all intents and purposes, a botnet. Secondary systems carry out the attacks so the attacker remains hidden.

13
Q
13. Which of the following best describes a teardrop attack?

A. The attacker sends a packet with the same source and destination address.
B. The attacker sends several overlapping, extremely large IP fragments.
C. The attacker sends UDP Echo packets with a spoofed address.
D. The attacker uses ICMP broadcast to DoS targets.

A

13. B. The attacker sends several overlapping, extremely large IP fragments.

In a teardrop attack, the reassembly of fragments takes down the target.
