Module 5: Handling Network Security Incident Flashcards

1
Q

What is a denial-of-service (DoS) attack?

A

A network security incident in which intended, authorized users are prevented from using a system, network, or application.

2
Q

TRUE or FALSE: Physically damaging cables and other resources is a form of DoS.

A

TRUE

It prevents authorized users from using the network.

3
Q

What is the difference between DDoS and DoS attacks?

A

A DDoS attack is one where a single system is attacked by a large number of infected machines over the Internet. A DoS attack is normally carried out by a single machine flooding the network.

4
Q

What are the two steps in performing a DDoS attack?

A
  • Building an attack network (getting zombies)
  • Launching the attack on a target system (using malicious programs on the infected systems)

5
Q

How can you tell if a DoS attack is occurring against a host or network service?

A
  • User reports of system unavailability
  • Unexplained connection loss
  • Alerts from NIDS and HIDS
  • Increased network bandwidth usage
  • A host with an unusually high number of connections
  • Asymmetric network traffic patterns
  • Unprecedented firewall and router log entries
  • Data packets with abnormal source addresses
6
Q

How can an Internet Service Provider (ISP) help in handling network-based DoS attacks?

A

ISPs maintain traffic logs; by checking those logs during the DoS they can trace the source of the attack.

7
Q

TRUE or FALSE: There is a foolproof solution against DoS attacks.

A

FALSE

8
Q

What are the major DoS response strategies?

A
  • Absorb the attack
  • Degrade services
  • Shut down the services
9
Q

What steps can you take to prevent a DoS incident?

A
  • Configure firewall rules to block attack traffic
  • Filter ICMP traffic
  • Block non-critical services such as echo
  • Close unnecessary ports
  • Block unassigned IP address ranges
10
Q

TRUE or FALSE: It is generally not possible to prevent DoS by blocking a few source IP addresses.

A

TRUE

11
Q

What is classified as an unauthorized access incident?

A

Gaining illegal access to resources without authorization.

12
Q

How do attackers gain unauthorized access?

A
  • Exploiting vulnerabilities in the OS or software applications
  • Stealing user authentication credentials
  • Using social engineering tricks
  • Insider threats
13
Q

Which team do you need to consult should an unauthorized access incident happen?

A

The Network Security Admins

14
Q

What needs to happen to the passwords in the event of an unauthorized access incident?

A

The passwords need to be changed.

15
Q

In terms of network security, what might help prevent an unauthorized access incident?

A
  • Configure the network to block suspicious traffic
  • Secure all remote access
  • Put any public-facing service in a DMZ
  • Use private IP addresses for internal use
16
Q

In terms of host security, what might help prevent an unauthorized access incident?

A
  • Perform vulnerability assessments
  • Disable unnecessary services
  • Apply least privilege
  • Install a host-based firewall
  • Auto-lock idle screens and log off before leaving
  • Verify permission settings
17
Q

How might you contain or stop unauthorized access?

A
  • Isolate the affected systems (take them off the network)
  • Disable the affected service (such as OWA for Gulfstream)
  • Restrict the attacker from entering the environment (block the incoming connections)
  • Disable the user accounts used in the attack
  • Enhance physical security measures
18
Q

TRUE or FALSE: As a recommendation for handling unauthorized access incidents, we as an organization should establish a password security policy such that users change their passwords regularly.

19
Q

What is an Inappropriate Usage Incident?

A

When a user’s actions violate the acceptable computing use policies.

20
Q

TRUE or FALSE: Downloading porn is not a violation of the inappropriate usage policy.

21
Q

TRUE or FALSE: Sending spam mails that promote a personal business is not a violation of the inappropriate usage policy.

22
Q

TRUE or FALSE: Sending email(s) to a third party with a spoofed source email address from the company is a violation of the inappropriate usage policy.

23
Q

TRUE or FALSE: Performing a DoS attack against any other organization using company resources is a violation of the inappropriate usage policy.

24
Q

What are the three indications of unauthorized service usage, access to inappropriate materials, and attacks against an external party that are used to detect inappropriate usage incidents?

A
  • Alerts from an IDS
  • Reports from a user / reports from an outside party
  • Log entries of applications, the network, and hosts
25
Q

TRUE or FALSE: Creation of new files or directories with abnormal names is an indication of unauthorized service usage.

A

TRUE

26
Q

Who should be consulted when handling inappropriate usage incidents?

A

HR and Legal

27
Q

How can an incident handler record the log of user activities such as FTP commands, web requests, and email headers?

A

Through proxies and application logs, or by some network-based IDPS sensors.

28
Q

When all else fails, what is the one most appropriate action to take to prevent inappropriate usage incidents?

A

Increasing awareness among users of appropriate behavior.

29
Q

TRUE or FALSE: Consider limiting outbound connections that use encrypted protocols such as SSH, HTTPS, and IPsec to help prevent an inappropriate usage incident.

A

TRUE

The user can use the proxy server for downloading illegal material from websites since the connection is encrypted. Network security controls cannot determine the nature of the activity.

30
Q

What is the most important action to be performed in the case of an inappropriate usage incident?

A

Acquiring the evidence

31
Q

TRUE or FALSE: Normally, containment, eradication, or recovery actions are required for inappropriate usage incidents.

A

FALSE

32
Q

What actions are considered helpful in an inappropriate usage incident?

A

Deleting the objectionable materials or uninstalling the unauthorized software.

33
Q

What is a multiple component incident?

A

A combination of two or more attacks in a system.

34
Q

TRUE or FALSE: Multiple component incidents are easy to analyze.

A

FALSE

It is often too difficult for the handler to understand that the incident is composed of several stages.

35
Q

What should the incident handling team do after the containment strategy to stop multiple component incidents?

A

They should not stop investigating the incident after finding signs of only one component of it.

36
Q

What are the 3 recommendations suggested to handle multiple component incidents?

A
  • Use centralized logging and event correlation software
  • First control the initial incident, then search for signs of other components
  • Individually prioritize the incident components to be handled

37
Q

In a DDoS attack, attackers first infect multiple systems, which are known as:

A

Zombies

38
Q

Which of the following is not considered a multiple component incident?
  • An insider intentionally deleting files from a workstation
  • An attacker using email with malicious code to infect an internal workstation
  • An attacker redirecting a user to a malicious website and infecting their system with a Trojan
  • An attacker infecting a machine to launch a DDoS attack

A

An insider intentionally deleting files from a workstation