Practice Exams Flashcards
Lower Layers (Physical, Link, Network, Transport) protection tools are unable to protect against what kind of attacks?
Piggy Back Attacks
Brute Force Attacks
Denial of Service Attacks
Content Based Attacks
Content Based Attacks
Lower-layer protocols do not interact with the data contained in the payload. Because of this, lower-layer protection tools are unable to detect content-based attacks, since by definition the content is in the payload.
Similarly, they cannot detect Denial of Service attacks in the higher layers (application-level DoS); however, in general they ARE able to detect DoS attacks, just not ALL DoS attacks.
Brute force attacks on passwords could also take place at the application layer and could not be detected by lower-layer tools either. However, the more generic and higher-level term Content Based Attacks would include brute force attacks, so it is the BEST choice.
The ISO/IEC 27001:2013 is a standard for:
Information Security Management System
Which of the following is a telecommunication device that translates data from digital to analog form and back to digital?
Multiplexer
Modem
Protocol converter
Concentrator
Modem
A modem is a device that translates data from digital form to analog form and then back to digital for communication over analog lines.
Which of the following should NOT be a role of the Security Administrator?
Authorizing access rights
Implementing security rules
Ensuring that local policies have been authorized by management
Allocating access rights
Authorizing access rights
The NOT keyword is used in the question. You need to find out the role which is NOT performed by the Security Administrator.
For proper segregation of duties, the security administrator should not be responsible for authorizing access rights. This is usually the responsibility of user management/data owner.
For your exam you should know the information below:
End User - The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.
Executive Management/Senior Management - Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.
Security Officer - The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines.
Information Systems Security Professional- Drafting of security policies, standards and supporting guidelines, procedures, and baselines is coordinated through these individuals. Guidance is provided for technical security issues, and emerging threats are considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends and analysis of vendor solutions to include in the security architecture that advances the security of the organization are performed in this role.
Data/Information/Business/System Owners - A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.
Data/Information Custodian/Steward - A data custodian is an individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed, by systems administrators. This group administers access rights to the information assets.
Information Systems Auditor- IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.
Business Continuity Planner - Business continuity planners develop contingency plans to prepare for any occurrence that could have the ability to impact the company's objectives negatively. Threats may include earthquakes, tornadoes, hurricanes, blackouts, changes in the economic/political climate, terrorist activities, fire, or other major actions potentially causing significant harm. The business continuity planner ensures that business processes can continue through the disaster and coordinates those activities with the business areas and information technology personnel responsible for disaster recovery.
Information Systems/ Technology Professionals- These personnel are responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed upon operating policies and procedures. The information systems professionals work with the business owners and the security professionals to ensure that the designed solution provides security controls commensurate with the acceptable criticality, sensitivity, and availability requirements of the application.
Security Administrator - A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.
Network/Systems Administrator - A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off the shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.
Physical Security - The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the Federal Bureau of Investigation (FBI) to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to unauthorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated.
Security Analyst - The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines. Whereas the previous roles are "in the weeds" and focus on pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly. This person works more at a design level than at an implementation level.
Administrative Assistants/Secretaries - This role can be very important to information security; in many companies of smaller size, this may be the individual who greets visitors, signs packages in and out, recognizes individuals who desire to enter the offices, and serves as the phone screener for executives. These individuals may be subject to social engineering attacks, whereby the potential intruder attempts to solicit confidential information that may be used for a subsequent attack. Social engineers prey on the goodwill of the helpful individual to gain entry. A properly trained assistant will minimize the risk of divulging useful company information or of providing unauthorized entry.
Help Desk Administrator - As the name implies, the help desk is there to field questions from users that report system problems. Problems may include poor response time, potential virus infections, unauthorized access, inability to access system resources, or questions on the use of a program. The help desk is also often where the first indications of security issues and incidents will be seen. A help desk individual would contact the computer security incident response team (CIRT) when a situation meets the criteria developed by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and resolves other problems with access control. These functions may alternatively be performed through self-service by the end user, e.g., an
Supervisor - The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security; making sure the employees' account information is up-to-date; and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee's role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.
Change Control Analyst - Since the only thing that is constant is change, someone must make sure changes happen securely. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. Or, a company can choose to just roll out the change and see what happens.
Who should provide access authorization to computerized information?
Database administrator
Security administrator
Data owner
Network administrator
Data Owner
The data owner has the power to determine who can (and cannot) access that data based on the business requirements and constraints affecting that owner. While the owner never has the ability to ignore or contradict the organization's access control policies, he or she has the ability to interpret those policies to fit the specific needs of his or her system and his or her users.
Which of the following is the integrity goal addressed by the Biba Model?
Prevent interception of message content by unauthorized parties
Prevent data modification by unauthorized parties
Prevent unauthorized data modification by authorized parties
Maintain internal and external consistency
Prevent data modification by unauthorized parties
This is the only integrity goal addressed by the Biba Integrity model. Clark-Wilson addresses all three goals of integrity but the Biba model addresses only the first goal of integrity.
Below you have the description of the Clark-Wilson model which addresses all three goals of integrity:
Prevent data modification by unauthorized parties (Biba address only this one)
Prevent unauthorized data modification by authorized parties
Maintain internal and external consistency (i.e. data reflects the real world)
In what type of attack does an attacker try, from several encrypted messages, to figure out the key used in the encryption process?
Known-plaintext attack
Ciphertext-only attack
Chosen-Ciphertext attack
Plaintext-only attack
Ciphertext-only attack
In a ciphertext-only attack, the attacker has the ciphertext of several messages encrypted with the same encryption algorithm. The attacker's goal is to discover the plaintext of the messages by figuring out the key used in the encryption process.
In a known-plaintext attack, the attacker has the plaintext and the ciphertext of one or more messages.
In a chosen-ciphertext attack, the attacker can choose the ciphertext to be decrypted and has access to the resulting plaintext.
Which of the following techniques is used in the ENCRYPTION of Hypertext Transport Protocol (HTTP) data between a Web Browser and Web Server?
SSL
PGP
IPSec
Kerberos
SSL (Secure Sockets Layer)
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are used for the encryption of Hypertext Transport Protocol (HTTP) data between a Web Browser and a Web Server.
SSL/TLS and the Internet Protocol Security (IPSec) protocol suite both provide a method of setting up a secure channel for protecting data exchanged between two entities wishing to communicate securely with each other.
The biggest difference between IPSEC and SSL is:
With IPSEC the encryption is done at the Network Layer of the OSI model. The IPSEC devices that share this secure channel can be two servers, two routers, a workstation and a server, or two gateways between different networks. It is always from one HOST to another HOST.
SSL/TLS is used for APPLICATION to APPLICATION secure channels. The question refers specifically to a Web Browser, which is an application; this rules out IPSEC as a valid choice.
For your exam you should know the information below about Secure Socket Layer (SSL) and Transport Layer Security (TLS)
These are cryptographic protocols which provide secure communication on the Internet. There are only slight differences between SSL 3.0 and TLS 1.0. As a general concept, both are called SSL.
SSL is a session/connection layer protocol widely used on the Internet for communication between browsers and web servers, where any amount of data is securely transmitted while a session is established. SSL provides endpoint authentication and communication privacy over the Internet using cryptography. In typical use, only the server is authenticated while the client remains unauthenticated. Mutual authentication requires PKI deployment to the clients. The protocol allows applications to communicate in a way designed to prevent eavesdropping, tampering and message forging.
SSL involves a number of basic phases:
- Peer negotiation for algorithm support
- Public-key, encryption-based key exchange and certificate-based authentication
- Symmetric-cipher-based traffic encryption
SSL runs on a layer beneath application protocols such as HTTP, SMTP and Network News Transport Protocol (NNTP) and above the TCP transport protocol, which forms part of the TCP/IP suite.
SSL uses a hybrid of hashing, private key and public key cryptographic processes to secure transmission over the INTERNET through a PKI.
The SSL handshake protocol is based on the application layer but provides for the security of the communication session too. It negotiates the security parameters for each communication session. Multiple connections can belong to one SSL session, and a participant in one session can take part in multiple simultaneous sessions.
The SSL protocol provides:
- Confidentiality
- Integrity
- Authentication, e.g. between client and server
- Non-repudiation
Which of the following BEST provides e-mail message authenticity and confidentiality?
Signing the message using the sender’s public key and encrypting the message using the receiver’s private key
Signing the message using the sender’s private key and encrypting the message using the receiver’s public key
Signing the message using the receiver’s private key and encrypting the message using the sender’s public key
Signing the message using the receiver’s public key and encrypting the message using the sender’s private key
Signing the message using the sender’s private key and encrypting the message using the receiver’s public key
By encrypting the message with the receiver's public key, only the receiver can decrypt the message, using his/her own private key; since only the receiver has a copy of the matching private key, this ensures confidentiality.
By signing the message, i.e. encrypting the message digest using the sender's private key, the receiver can verify its authenticity and integrity using the sender's public key.
The receiver's private key is confidential and must be protected by the receiver; it is therefore unknown to the sender.
Messages encrypted using the sender's private key can be read by anyone (with the sender's public key), so this proves authenticity only.
For your exam you should know the information below:
A digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature the sender's private key is used to encrypt a message digest of the message, and the receiver needs to validate it using the sender's public key.
A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender’s identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.
How It Works
Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.
- You copy-and-paste the contract (it’s a short one!) into an e-mail note.
- Using special software, you obtain a message hash (mathematical summary) of the contract.
- You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
- The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)
At the other end, your lawyer receives the message.
- To make sure it’s intact and from you, your lawyer makes a hash of the received message.
- Your lawyer then uses your public key to decrypt the message hash or summary.
- If the hashes match, the received message is valid.
Which of the following organizations PRODUCES and PUBLISHES the Federal Information Processing Standards (FIPS)?
The National Computer Security Center (NCSC)
The National Institute of Standards and Technology (NIST)
The National Security Agency (NSA)
The American National Standards Institute (ANSI)
The National Institute of Standards and Technology (NIST)
FIPS publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996, Public Law 104-106, and the FISMA Act of 2002.
Which of the following is NOT part of the Kerberos authentication protocol?
Symmetric key cryptography
Authentication Service (AS)
Principals
Public Key
Public Key
There is no such component within a Kerberos environment. Kerberos uses only symmetric encryption and does not make use of any public key component.
A DMZ is also known as a
screened subnet
three legged firewall
a place to attract hackers
bastion host
screened subnet
This is another name for the demilitarized zone (DMZ) of a network.
What type of attack involves IP spoofing, ICMP ECHO and a bounce site?
IP spoofing attack
Teardrop attack
SYN attack
Smurf attack
Smurf attack
A smurf attack occurs when an attacker sends a spoofed (IP spoofing) PING (ICMP ECHO) packet to the broadcast address of a large network (the bounce site). Because the modified packet carries the address of the target system as its source, all devices on the bounce site's local network respond with an ICMP REPLY to the target system, which is then saturated with those replies.
An IP spoofing attack is used to convince a system that it is communicating with a known entity, which gives an intruder access. It involves replacing the source address of a packet with a trusted source's address.
A teardrop attack consists of modifying the length and fragmentation offset fields in sequential IP packets so the target system becomes confused and crashes after it receives contradictory instructions on how the fragments are offset in these packets.
A SYN attack is when an attacker floods a system with connection requests but does not respond when the target system replies to those requests.
Which of the following is a LAN transmission method?
Broadcast
Carrier-sense multiple access with collision detection (CSMA/CD)
Token ring
Fiber Distributed Data Interface (FDDI)
Broadcast
LAN transmission methods refer to the way packets are sent on the network and are either unicast, multicast or broadcast.
CSMA/CD is a common LAN media access method.
Token ring is a LAN Topology.
LAN transmission protocols are the rules for communicating between computers on a LAN.
Common LAN transmission protocols are: polling and token-passing.
A LAN topology defines the manner in which the network devices are organized to facilitate communications.
Common LAN topologies are: bus, ring, star or meshed.
LAN transmission methods refer to the way packets are sent on the network and are either unicast, multicast or broadcast.
LAN media access methods control the use of a network (physical and data link layers). They can be Ethernet, ARCnet, Token ring and FDDI.
Which of the following standards concerns digital certificates?
X.400
X.25
X.509
X.75
X.509
X.509 is used in digital certificates.
X.400 is used in e-mail as a message handling protocol. X.25 is a standard for the network and data link levels of a communication network.
X.75 is a standard defining ways of connecting two X.25 networks.
In this type of attack, the intruder re-routes data traffic from a network device to a personal machine. This diversion allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization. Pick the best choice below.
Network Address Translation
Network Address Hijacking
Network Address Supernetting
Network Address Sniffing
Network Address Hijacking
Network address hijacking allows an attacker to reroute data traffic from a network device to a personal computer.
Also referred to as session hijacking, network address hijacking enables an attacker to capture and analyze the data addressed to a target system. This allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization.
Session hijacking involves assuming control of an existing connection after the user has successfully created an authenticated session. Session hijacking is the act of unauthorized insertion of packets into a data stream. It is normally based on sequence number attacks, where sequence numbers are either guessed or intercepted.
What can best be described as an abstract machine which must mediate all access by subjects to objects?
A security domain
The reference monitor
The security kernel
The security perimeter
The reference monitor
The reference monitor is an abstract machine which must mediate all access by subjects to objects, be protected from modification, be verifiable as correct, and is always invoked. The security kernel is the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. The security perimeter includes the security kernel as well as other security-related system functions that are within the boundary of the trusted computing base. System elements that are outside of the security perimeter need not be trusted. A security domain is a domain of trust that shares a single security policy and single management.
Which of the following should be one of the first steps performed in a Business Impact Analysis (BIA)?
Identify all CRITICAL business units within the organization.
Evaluate the impact of disruptive events.
Estimate the Recovery Time Objectives (RTO).
Identify and Prioritize Critical Organization Functions
Identify and Prioritize Critical Organization Functions
One of the first steps of a BIA is to Identify and Prioritize Critical Organization Functions. All organizational functions and the technology that supports them need to be classified based on their recovery priority. Recovery time frames for organization operations are driven by the consequences of not performing the function. The consequences may be the result of business lost during the down period, contractual commitments not met resulting in fines or lawsuits, or lost goodwill with customers.
How long are IPv4 addresses?
32 bits long.
64 bits long.
128 bits long.
16 bits long.
32 bits long.
IPv4 addresses are currently 32 bits long.
IPv6 addresses are 128 bits long.
Which of the following protocols is designed to send individual messages securely?
Kerberos
Secure Electronic Transaction (SET).
Secure Sockets Layer (SSL).
Secure HTTP (S-HTTP).
Secure HTTP (S-HTTP).
An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual messages securely. SSL is designed to establish a secure connection between two computers. SET was originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. Kerberos is an authentication system.
Which layer of the OSI/ISO model handles physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control?
Physical
Data link
Network
Session
Data link
The Data Link layer provides data transport across a physical link. It handles physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control.
The Diffie-Hellman algorithm is used for:
Encryption
Digital signature
Key agreement
Non-repudiation
Key agreement
The Diffie-Hellman algorithm is used for Key agreement (key distribution) and cannot be used to encrypt and decrypt messages.
Note: key agreement, is different from key exchange, the functionality used by the other asymmetric algorithms.
When a possible intrusion into your organization’s information system has been detected, which of the following actions should be performed first?
Eliminate all means of intruder access.
Contain the intrusion.
Determine to what extent systems and data may be compromised.
Communicate with relevant parties.
Determine to what extent systems and data may be compromised
Think Triage!!! Don’t let the wording fool you.
Once an intrusion into your organization’s information system has been detected, the first action that needs to be performed is determining to what extent systems and data may be compromised (if they really are), and then take action.
Which of the following statements pertaining to disaster recovery planning is incorrect?
Every organization must have a disaster recovery plan
A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
A disaster recovery plan should cover return from alternate facilities to primary facilities.
Every organization must have a disaster recovery plan
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems and may be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
Which of the following was developed as a mechanism to allow simple network terminals to load their operating system from a server over the LAN?
DHCP
BootP
DNS
ARP
BootP
What is the name of the third party authority that vouches for the binding between the data items in a digital certificate?
Registration authority
Certification authority
Issuing authority
Vouching authority
Certification Authority
A certification authority (CA) is a third party entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate. An issuing authority could be considered a correct answer, but not the best answer, since it is too generic.
Whose role is it to assign classification level to information?
Security Administrator
User
Owner
Auditor
Owner.
The Data/Information Owner is ultimately responsible for the protection of the data. It is the Data/Information Owner that decides upon the classifications of that data they are responsible for.
The data owner decides upon the classification of the data he is responsible for and alters that classification if the business need arises.
A business impact assessment is one element in business continuity planning. What are the three primary goals of a BIA?
Criticality prioritization, downtime estimation, and resource requirements.
Which ITU-T standard did Microsoft base the development of Active Directory on?
X.400
ISO/IEC 9594
X.500
LDAP
X.500 which is the first in a series of directory standards.
This question is like many that require factual knowledge that the X.500 is a series of standards that all pertain to directory’s. Please see table below.
Active Directory - is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.[1][2] Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services. https://en.wikipedia.org/wiki/Active_Directory
Within a single organization, a centralized access control system is often used. For example, a directory service is a centralized database that includes information about subjects and objects. Many directory services are based on the Lightweight Directory Access Protocol (LDAP). For example, Microsoft Active Directory Domain Services is LDAP based.
X.500 - https://en.wikipedia.org/wiki/X.500 X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by ITU-T, formerly known as CCITT, and first approved in 1988. The directory services were developed in order to support the requirements of X.400 electronic mail exchange and name lookup. ISO was a partner in developing the standards, incorporating them into the Open Systems Interconnection suite of protocols. ISO/IEC 9594 is the corresponding ISO identification.
See X.500 series standards printout
What is the MOST important step in business continuity planning?
Risk Assessment
Due Care
Business Impact Analysis (BIA)
Due Diligence
Business Impact Analysis (BIA)
The BIA is the first step after the initiation of the project, and it is one of the most important steps. This is where you identify and prioritize the information systems and components critical to supporting the organization’s mission/business processes.
- Step one is Initiation of the project where management would be involved and a business continuity policy would be put in place.
- You then conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization’s mission/business processes.
- Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
- Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
- Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system’s security impact level and recovery requirements.
- Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness.
- Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.
Which of the following authentication protocols encrypts only the password in the access-request packet from the client to the server, rather than the whole body of the packet?
XTACACS
TACACS
RADIUS
TACACS+
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of remote and other network connections. Once intended for use on dial-up connections, it has moved far beyond that and has many modern features. It is used on both wired and wireless networks.
The RADIUS protocol is an IETF standard, and it has been implemented by most of the major operating system manufacturers. A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether an incoming caller is authorized. In a large network with many connections, this allows a single server to perform all authentications.
The communication is encrypted using a fixed key between the RADIUS Client and the RADIUS Server. However, the information is NOT encrypted between the Supplicant and the RADIUS Client.
PACKET ENCRYPTION
RADIUS
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
CobiT was developed from the COSO framework. Which of the choices below best describes COSO’s main objectives and purpose?
COSO’s main purpose is to help ensure fraudulent financial reporting cannot take place in an organization
COSO’s main purpose is to define a sound risk management approach within financial companies.
COSO addresses corporate culture and policy development.
COSO is a risk management system used for the protection of federal systems.
COSO’s main purpose is to help ensure fraudulent financial reporting cannot take place in an organization
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators.
COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives.
These include:
(1) control environment,
(2) risk assessment,
(3) control activities,
(4) information and communication, and
(5) monitoring.
Which of the following answers can use RC4 for encryption?
SSL and WEP
SSL and CHAP
CHAP and 3DES
WEP and AES
SSL and WEP
SSL can use a wide variety of key algorithms including RC4, RC2, DES, 3DES, IDEA, Fortezza, AES and others.
WEP uses the RC4 encryption algorithm.
Suppose that you are the COMSEC (Communications Security) custodian for a large, multinational corporation. Susie, from Finance, approaches you in the break room saying that she lost the smart ID card that she uses to digitally sign and encrypt emails in the PKI.
What happens to the certificates contained on the smart card after the security officer takes appropriate action?
They are added to the CRL
They are reissued to the user
New certificates are issued to the user
The user may no longer have certificates
They are added to the CRL
Smart ID cards can contain digital certificates used for establishing identity and for digitally encrypting and decrypting messages.
Commonly, there are three types of certificates on an ID card: identity certificate, private certificate and public certificate:
- Identity Certificate: This is the cert used to guarantee your identity, as when you swipe to enter a facility or when logging onto a computer.
- Public Certificate: This is freely shared with the public. All who have it can use it to decrypt messages that you encrypt with your private key.
- Private Certificate: This is the key that you use to encrypt messages. It is a complementary key to your public key. Only your public key can decrypt messages encrypted with the private key.
Which one of these answers is NOT a feature of WPA2?
Static Keys
Uses AES Encryption
Personal and Enterprise Version
Full IEEE 802.11i standard
Static Keys
Discussion: WPA2 implements the IEEE 802.11i standard, uses AES encryption, and currently comes in two versions:
WPA2 Personal: AKA PSK Pre-shared key (Password)
WPA2 Enterprise: Requires a RADIUS Authentication Server and supports multiple accounts for each user
Static keys were an unfortunate feature of WEP which was partly to blame for its relatively short lifespan and quick replacement by WPA.
Which of the following answers BEST depicts the whole purpose of Digital Certificates?
Primary method of uniquely identifying valid users
To encrypt messages
To decrypt messages
To take part in PKI
Primary method of uniquely identifying valid users and systems
The whole point behind using digital certificates is to uniquely identify not only users but also trusted systems. Routers, switches, servers, users and their computers can all be issued digital certificates permitting them to take part in a domain model in an enterprise.
Which answer BEST describes a technology that offers us the ability to segment network traffic and allows logical segregation of network users and resources from each other using features on an enterprise switch?
VLANs
WANS
WLANS
STP
VLANs
VLANs or Virtual LANs were a way to mitigate broadcast traffic when hubs were still common. Back then with hubs, there was a single collision domain where all computers would ‘see’ all other traffic. This caused network latency and was a security risk after the rise of network sniffers.
VLANs allow us to assign physical switch ports to a specific VLAN to mitigate collision traffic, increase network performance, and provide some level of security by isolating sensitive traffic.
Basically, the switch administrator assigns computers to a VLAN, often by the department of the user, e.g., finance, personnel, marketing etc. This is not a great security benefit but can limit access to sensitive VLANs.
Which of the following statements correctly describes the differences between tunnel mode and transport mode of the IPSec protocol?
In tunnel mode the ESP is encrypted, whereas in transport mode the ESP and its headers are encrypted
In transport mode the ESP is encrypted, whereas in tunnel mode the ESP and its headers are encrypted
There is no encryption provided when using ESP or AH
In both modes (tunnel and transport mode) the ESP and its headers are encrypted
In transport mode the ESP is encrypted, whereas in tunnel mode the ESP and its headers are encrypted.
ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic flow confidentiality. The set of services provided depends on options selected at the time of Security Association (SA) establishment and on the location of the implementation in a network topology. For your exam you should know the information below about the IPSec protocol:
The IP network layer packet security protocol establishes VPNs via transport and tunnel mode encryption methods.
For the transport method, the data portion of each packet is encrypted. Encryption within IPSec is referred to as the Encapsulating Security Payload (ESP); it is ESP that provides confidentiality over the process.
In tunnel mode, the ESP payload and its headers are encrypted. To achieve non-repudiation, an additional Authentication Header (AH) is applied.
Which key is used by the sender of a message to create a digital signature for the message being sent?
Sender’s public key
Sender’s private key
Receiver’s public key
Receiver’s private key
The sender’s private key is used to calculate the digital signature.
The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature, the sender’s private key is used to encrypt the message digest of the message (signing), and the receiver needs to decrypt the same using the sender’s public key to validate the signature.
Tip for the exam:
Digital signatures do not provide confidentiality. The sender’s private key is used for calculating the digital signature.
Encryption provides only confidentiality. The receiver’s public key or a symmetric key is used for encryption.
Which of the following devices in the Frame Relay WAN technique is a service provider device that does the actual data transmission and switching in the frame relay cloud?
DTE
DCE
DME
DLE
DCE
Data Circuit Terminal Equipment (DCE) is a service provider device that does the actual data transmission and switching in the frame relay cloud.
For your exam you should know the information below about WAN technologies:
Point-to-point protocol
PPP (Point-to-Point Protocol) is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may provide you with a PPP connection so that the provider’s server can respond to your requests, pass them on to the Internet, and forward your requested Internet responses back to you. PPP uses the Internet Protocol (IP) (and is designed to handle others). It is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer’s TCP/IP packets and forwards them to the server where they can actually be put on the Internet.
PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High-Level Data Link Control (HDLC) for packet encapsulation.
PPP is usually preferred over the earlier de facto standard Serial Line Internet Protocol (SLIP) because it can handle synchronous as well as asynchronous communication. PPP can share a line with other users and it has error detection that SLIP lacks. Where a choice is possible, PPP is preferred.
X.25
X.25 is an ITU-T standard protocol suite for packet switched wide area network (WAN) communication.
X.25 is a packet switching technology which uses carrier switches to provide connectivity for many different networks.
Subscribers are charged based on the amount of bandwidth they use. Data are divided into 128-byte units and encapsulated in High-Level Data Link Control (HDLC).
X.25 works at the network and data link layers of the OSI model.
Frame Relay
Works on packet switching
Operates at the data link layer of the OSI model
Companies that pay more to ensure that a higher level of bandwidth will always be available pay a committed information rate, or CIR
Two main types of equipment are used in Frame Relay:
1. Data Terminal Equipment (DTE) - Usually a customer-owned device that provides connectivity between the company’s own network and the frame relay network.
2. Data Circuit Terminal Equipment (DCE) - Service provider device that does the actual data transmission and switching in the frame relay cloud.
The frame relay cloud is the collection of DCEs that provides switching and data communication functionality. Frame relay is an any-to-any service.
Integrated Service Digital Network
Enables data, voice and other types of traffic to travel in a digital manner over a medium previously used only for analog voice transmission.
The same copper telephone wire is used.
Provides a digital point-to-point circuit-switching medium.
Asynchronous Transfer Mode (ATM)
Uses the cell switching method
High-speed network technology used for LAN, MAN and WAN
Like frame relay, it is a connection-oriented technology which creates and uses a fixed channel
Data are segmented into fixed-size cells of 53 bytes
Some companies have replaced their FDDI back-end with ATM
Multiprotocol Label Switching (MPLS)
Multiprotocol Label Switching (MPLS) is a standards-approved technology for speeding up network traffic flow and making it easier to manage. MPLS involves setting up a specific path for a given sequence of packets, identified by a label put in each packet, thus saving the time needed for a router to look up the address of the next node to forward the packet to. MPLS is called multiprotocol because it works with the Internet Protocol (IP), Asynchronous Transfer Mode (ATM), and frame relay network protocols. With reference to the standard model for a network (the Open Systems Interconnection, or OSI model), MPLS allows most packets to be forwarded at the Layer 2 (switching) level rather than at the Layer 3 (routing) level. In addition to moving traffic faster overall, MPLS makes it easy to manage a network for quality of service (QoS). For these reasons, the technique is expected to be readily adopted as networks begin to carry more and different mixtures of traffic.
Access Control Types and Categories
- Access Control Types:
  - Administrative
    - Policies, data classification and labeling, and security awareness training
  - Technical
    - Hardware: MAC filtering or perimeter devices
    - Software controls like account logons, encryption and file permissions
  - Physical
    - Guards, fences and locks
- Access Control Categories:
  - Directive: specify rules of acceptable behavior
    - Example: a policy stating users may not use Facebook
  - Deterrent: designed to discourage people from violating security directives
    - Example: a logon banner reminding users that they are subject to monitoring
  - Preventive: implemented to prevent a security incident or information breach
    - Example: a fence or file permissions
  - Detective: used to mitigate the loss
    - Example: logging, IDS with a firewall
  - Compensating: to substitute for the loss of a primary control or add additional mitigation
    - Example: logging, IDS inline with a firewall
  - Corrective: to remedy, mitigate damage, or restore control
    - Example: fire extinguisher, firing an employee
  - Recovery: to restore conditions to normal after a security incident
    - Example: restoring files from backup
This standard was proposed in 1991. It is based on a public key algorithm but it does not provide for confidentiality of the message with encryption and is NOT used for key exchange.
Message Authentication Code
Digital Signature Standard
Digital Encryption Standard
HMAC - Hash Based Message authentication code
The correct answer is: Digital Signature Standard
The DSS was proposed in 1991 as FIPS 186 using the Secure Hash Algorithm (SHA). It has since been updated several times, most recently in 2009, when it was issued as FIPS 186-3 and expanded to include the Digital Signature Algorithm (DSA) based on RSA and ECC. Contrasted with RSA, a digital signature is based on a public key (asymmetric) algorithm, but it does not provide for confidentiality of the message through encryption and is not used for key exchange.
Which of the following controls provides an alternative way of regaining control if a control fails?
Deterrent Access Control
Preventative Controls
Detective Access Control
Compensating Access Control
Compensating Access Control
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk.
Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker’s appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in the control’s implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement. Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise’s assets by limiting the capabilities that authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.
Which term BEST describes software which lets multiple services on one computer or on multiple computers interact as one?
Embedded Ware
Middleware
Firmware
Signoware
Middleware
The communication between two pieces of the same software product running on different computers needs to be controlled, which is why the session layer protocols within the OSI model exist. Session layer protocols take on the functionality of middleware, which allows software on two different computers to communicate.
Middleware is connectivity software that enables multiple processes running on one or more machines to interact. These services are collections of distributed software that are present between the application running on the OS and the network services, which reside on a network node. The main purpose of middleware services is to help solve many application connectivity and interoperability problems.
This method requires that the station possess a digital series of bits sometimes called a frame, indicating that it has permission to talk on the network:
CSMA/CD
CSMA/CA
Certificate Possession
Token Passing
Token Passing
A token is a 24-bit control frame used to control which computers communicate at what intervals. The token is passed from computer to computer, and only the computer that has the token can actually put frames onto the wire. The token grants a computer the right to communicate. The token contains the data to be transmitted and source and destination address information. When a system has data it needs to transmit, it has to wait to receive the token. The computer then connects its message to the token and puts it on the wire. Each computer checks this message to determine whether it is addressed to it, which continues until the destination computer receives the message. The destination computer makes a copy of the message and flips a bit to tell the source computer it did indeed get its message. Once this gets back to the source computer, it removes the frames from the network.
Which of the following network devices combines the functionality of a repeater and the functionality of a bridge?
Repeater
Hub
Router
Switches
Switches
Switches combine the functionality of a repeater and the functionality of a bridge. A switch amplifies the electrical signal, like a repeater, and has the built-in circuitry and intelligence of a bridge.
Exam tip
Repeater - A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.
Hub - A hub is a multi-port repeater. A hub is often referred to as a concentrator because it is the physical communication device that allows several computers and devices to communicate with each other. A hub does not understand or work with IP or MAC addresses.
Routers - Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary.
Gateways
Gateway is a general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is needed when one environment speaks a different language, meaning it uses a certain protocol that the other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets, accept mail from one type of mail server and format it so another type of mail server can accept and understand it, or connect and translate different data link technologies such as FDDI to Ethernet.
Bridges
A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.
IPSec Encapsulating Security Payload (ESP) provides some of the services of Authentication Headers (AH), but it is primarily designed to provide:
Confidentiality
Cryptography
Digital signatures
Access Control
Confidentiality
IPSec is an open standard that uses the following protocols to perform various functions:
Authentication Header (AH): Provides connectionless integrity and data origin authentication for IP datagrams. Also protects against replay attacks.
Encapsulating Security Payload (ESP): Provides origin authenticity, integrity and confidentiality of packets. It supports both encryption-only and authentication-only configurations.
Internet Protocol Security (IPSec)
The Internet Protocol Security (IPSec) protocol suite provides a method of setting up a secure channel for protected data exchange between two devices. The devices that share this secure channel can be two servers, two routers, a workstation and a server, or two gateways between different networks. IPSec is a widely accepted standard for providing network layer protection. It can be more flexible and less expensive than end-to-end and link encryption methods.
IPSec has strong encryption and authentication methods, and although it can be used to enable tunneled communication between two computers, it is usually employed to establish virtual private networks (VPNs) among networks across the Internet.
IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to use. Rather, it is an open, modular framework that provides a lot of flexibility for companies when they choose to use this type of technology. IPSec uses two basic security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH is the authenticating protocol, and ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality, and message integrity.
IPSec can work in one of two modes: transport mode, in which only the payload of the packet is protected, and tunnel mode, in which the entire original packet, routing and header information included, is protected and wrapped in a new outer IP header. ESP in transport mode encrypts the actual message information so it cannot be sniffed and uncovered by an unauthorized entity, but the original IP header stays in clear, so an observer still sees which hosts are talking. Tunnel mode provides a higher level of protection by also encrypting the original header and trailer data an attacker may find useful; only the addresses of the two tunnel endpoints (typically gateways) are visible on the wire.
Each device will have at least one security association (SA) for each secure connection it uses. An SA is unidirectional and is identified by a Security Parameter Index (SPI) carried in the AH or ESP header, so a two-way connection needs a pair of SAs, one per direction. The SA, which is critical to the IPSec architecture, is a record of the configuration the device needs to support an IPSec connection. When two devices complete their handshaking process (normally via IKE), which means they have agreed upon a long list of parameters they will use to communicate, these data must be recorded and stored somewhere, and that somewhere is the SA. The SA can contain the authentication and encryption keys, the agreed-upon algorithms, the key lifetime, the anti-replay window state, and the source IP address. When a device receives an IPSec packet, it is the SPI in the packet that selects the SA, and the SA that tells the device what to do with the packet. So if device B receives a packet from device C via IPSec, device B looks up the corresponding SA to learn how to decrypt the packet, how to authenticate its source, which key to use, and how to reply to the message if necessary.
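The ESP framing, the transport/tunnel distinction and the SA lookup described above, as an added worked example that is not part of the original flashcard: a deliberately small ESP sender and receiver that share a pair of SAs. The IP header is a toy (source, destination, protocol only), the cipher is HMAC-SHA-256 in counter mode standing in for the AES mode a real SA would negotiate, and all addresses, SPIs and keys are constructed for the example. The anti-replay window follows the sliding-window scheme of RFC 4303 Appendix A.

```python
import hashlib, hmac, os, socket, struct
from dataclasses import dataclass

ESP_PROTO, IPPROTO_TCP, IPPROTO_IPIP = 50, 6, 4  # IP header protocol numbers
WINDOW, ICV_LEN = 64, 16  # anti-replay window (RFC 4303 minimum 32); truncated HMAC-SHA-256 tag


@dataclass
class SecurityAssociation:
    spi: int                # identifies this unidirectional SA on the wire
    enc_key: bytes
    auth_key: bytes
    mode: str               # "transport" or "tunnel"
    outer: tuple = ()       # tunnel mode: (local gateway, peer gateway) outer addresses
    seq: int = 0            # sender side: last sequence number issued
    replay_top: int = 0     # receiver side: highest sequence number accepted so far
    replay_bitmap: int = 0  # receiver side: bit i set => replay_top - i already accepted


def ip_pack(src, dst, proto, payload=b""):   # toy IP header so no packet library is needed
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto]) + payload


def ip_unpack(pkt):
    return socket.inet_ntoa(pkt[:4]), socket.inet_ntoa(pkt[4:8]), pkt[8], pkt[9:]


def keystream(key, iv, n):
    """Stand-in cipher: HMAC-SHA-256 in counter mode. A real SA negotiates AES-GCM or AES-CBC."""
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest() for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(sa, packet):
    """ESP = SPI | seq | IV | enc(payload, padding, pad len, next header) | ICV."""
    src, dst, proto, payload = ip_unpack(packet)
    if sa.mode == "tunnel":                        # whole original packet becomes the payload
        inner, next_hdr, outer = packet, IPPROTO_IPIP, sa.outer
    else:                                          # only the transport segment is protected
        inner, next_hdr, outer = payload, proto, (src, dst)
    sa.seq += 1                                    # never reused within one SA
    iv = os.urandom(8)
    pad_len = (-(len(inner) + 2)) % 4              # trailer must end on a 4-byte boundary
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", sa.spi, sa.seq) + iv + xor(plaintext, keystream(sa.enc_key, iv, len(plaintext)))
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]  # covers SPI through ciphertext
    return ip_pack(outer[0], outer[1], ESP_PROTO, body + icv)


def replay_check(sa, seq):
    """Sliding-window anti-replay; run only after the ICV verified so forgeries cannot move the window."""
    if seq > sa.replay_top:                        # new high-water mark: slide the window
        sa.replay_bitmap = ((sa.replay_bitmap << (seq - sa.replay_top)) | 1) & ((1 << WINDOW) - 1)
        sa.replay_top = seq
        return True
    offset = sa.replay_top - seq
    if seq == 0 or offset >= WINDOW or sa.replay_bitmap & (1 << offset):
        return False                               # invalid, older than the window, or already seen
    sa.replay_bitmap |= 1 << offset
    return True


def esp_decapsulate(sa_table, packet):
    """Find the SA by SPI, verify the ICV, enforce anti-replay, decrypt, rebuild the original packet."""
    outer_src, outer_dst, proto, rest = ip_unpack(packet)
    body, icv = rest[:-ICV_LEN], rest[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    sa = sa_table[spi]                             # the SA says which keys, mode and window apply
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: forged or corrupted")
    if not replay_check(sa, seq):
        raise ValueError(f"sequence {seq} replayed or outside the window")
    plaintext = xor(body[16:], keystream(sa.enc_key, body[8:16], len(body) - 16))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    inner = plaintext[:len(plaintext) - 2 - pad_len]
    if next_hdr == IPPROTO_IPIP:                   # tunnel mode: a complete IP packet came out
        return inner
    return ip_pack(outer_src, outer_dst, next_hdr, inner)  # transport: outer header was the original


def run_demo():
    """Constructed traffic: 10.0.0.5 sends one TCP segment to 10.0.1.9 over each mode."""
    original = ip_pack("10.0.0.5", "10.0.1.9", IPPROTO_TCP, b"\xc3\x50\x00\x50GET / HTTP/1.1\r\n")
    keys = dict(enc_key=b"k" * 32, auth_key=b"a" * 32)    # fixed keys, for reproducibility only
    sa_t = SecurityAssociation(0x1001, mode="transport", **keys)
    sa_u = SecurityAssociation(0x2002, mode="tunnel", outer=("198.51.100.1", "203.0.113.7"), **keys)
    rx = {s.spi: SecurityAssociation(s.spi, s.enc_key, s.auth_key, s.mode, s.outer)
          for s in (sa_t, sa_u)}                          # receiver's own copies of the same SAs
    wire_t, wire_u = esp_encapsulate(sa_t, original), esp_encapsulate(sa_u, original)
    r = {"transport_roundtrip": esp_decapsulate(rx, wire_t) == original,
         "tunnel_roundtrip": esp_decapsulate(rx, wire_u) == original,
         "transport_outer": ip_unpack(wire_t)[:2],        # real endpoints visible on the wire
         "tunnel_outer": ip_unpack(wire_u)[:2],           # only the gateways are visible
         "inner_addr_hidden_in_tunnel": socket.inet_aton("10.0.0.5") not in wire_u[9:],
         "replay_rejected": False, "tamper_rejected": False}
    tampered = wire_t[:-ICV_LEN - 1] + bytes([wire_t[-ICV_LEN - 1] ^ 1]) + wire_t[-ICV_LEN:]
    for name, pkt in (("replay_rejected", wire_u), ("tamper_rejected", tampered)):
        try:
            esp_decapsulate(rx, pkt)                      # replayed packet / flipped ciphertext bit
        except ValueError:
            r[name] = True
    return r
```

Two details worth noticing when reading the output of run_demo(): the transport-mode packet still carries 10.0.0.5 and 10.0.1.9 in its outer header, while the tunnel-mode packet shows only the gateway pair; and the receiver advances its replay window only after the ICV check passes, so an attacker cannot poison the window by replaying or forging sequence numbers.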
Imagine you are looking at a packet capture of traffic from a client requesting access to the SSH daemon on a server. You find the initial SYN packets from the client have seemingly random target ports and finally TCP/22 at which point the client is granted access to the SSH Daemon by the firewall. What are you seeing?
Port Knocking
SYN Cookies
Browser Cookies
Dynamic Firewall Rules
Port Knocking
Port knocking is a technique in which a host's firewall keeps a service port closed by default and opens it only for a client that first sends connection attempts to a predefined sequence of (closed) ports. The sequence acts as a shared secret: a client that does not know it sees the service as filtered.
When TCP conversations occur between two hosts on a network, the traffic is directed between TCP ports on the two hosts. SSH servers normally listen on TCP/22, which is where a client sends its first SYN; with port knocking that SYN is dropped unless the knock sequence has just been completed from the same source address.
After the proper sequence is seen, the firewall rules are dynamically modified to permit that host's source IP address to reach the desired service, typically for a limited time. Because a plain knock sequence travels in the clear and can be captured and replayed by anyone sniffing the path, a variant sends a single encrypted and authenticated packet instead (single packet authorization, SPA). Port knocking hides a service from casual scanning; it does not replace keeping the service itself patched and properly authenticated.
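The knock state machine described above, as an added example that is not part of the original flashcard: a per-source tracker that consumes inbound SYNs, opens the protected port for a source that completes the sequence in time, and closes it again after a timeout. The knock sequence, ports, timeouts and addresses are constructed for the example, and the firewall commands are only recorded as strings, not executed. The sequence is deliberately non-monotonic, so that a sequential port sweep (which would walk ascending ports in order) cannot complete it by accident.

```python
from collections import namedtuple

KNOCK_SEQUENCE = (7000, 3311, 8090)   # constructed; non-monotonic so an ascending sweep cannot complete it
KNOCK_TIMEOUT = 10.0                  # seconds allowed to finish the whole sequence
PROTECTED_PORT = 22
OPEN_FOR = 30.0                       # seconds the firewall exception stays open

Packet = namedtuple("Packet", "ts src dport")   # one inbound SYN as the daemon sees it


class KnockDaemon:
    """Per-source knock state machine. handle() returns the firewall verdict for a SYN;
    packets of sessions already established are assumed to pass via a conntrack rule."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, open_for=OPEN_FOR, port=PROTECTED_PORT):
        self.sequence, self.timeout, self.open_for, self.port = sequence, timeout, open_for, port
        self.progress = {}   # src -> (index of next expected knock, time of last correct knock)
        self.allowed = {}    # src -> time its firewall exception expires
        self.rules = []      # firewall commands the daemon would run (recorded here, not executed)

    def _expire(self, now):
        for src in [s for s, exp in self.allowed.items() if exp <= now]:
            del self.allowed[src]
            self.rules.append(f"iptables -D INPUT -p tcp -s {src} --dport {self.port} -j ACCEPT")

    def handle(self, pkt):
        self._expire(pkt.ts)
        if pkt.dport == self.port:
            return "ACCEPT" if pkt.src in self.allowed else "DROP"
        idx, last = self.progress.get(pkt.src, (0, pkt.ts))
        if pkt.ts - last > self.timeout:
            idx = 0                                        # too slow: start over
        if pkt.dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):                  # sequence complete: open the door for this source
                self.allowed[pkt.src] = pkt.ts + self.open_for
                self.rules.append(f"iptables -I INPUT -p tcp -s {pkt.src} --dport {self.port} -j ACCEPT")
                self.progress.pop(pkt.src, None)
            else:
                self.progress[pkt.src] = (idx, pkt.ts)
        else:
            self.progress.pop(pkt.src, None)               # any wrong port resets the sequence
        return "DROP"                                      # the knock ports themselves never answer


def run_demo():
    """Constructed traffic: a knowing client, a stranger, a port sweep, and the client after expiry."""
    d = KnockDaemon()
    client, stranger, scanner = "203.0.113.10", "198.51.100.9", "198.51.100.77"
    verdicts = {}
    for ts, port in [(0.0, 7000), (0.5, 3311), (1.0, 8090)]:      # correct knocks, in order, in time
        d.handle(Packet(ts, client, port))
    verdicts["client_ssh"] = d.handle(Packet(1.5, client, 22))
    verdicts["stranger_ssh"] = d.handle(Packet(2.0, stranger, 22))
    for i, port in enumerate(range(7000, 8091)):                   # ascending sweep crosses every knock port
        d.handle(Packet(3.0 + i * 0.001, scanner, port))
    verdicts["scanner_ssh"] = d.handle(Packet(5.0, scanner, 22))
    verdicts["client_ssh_after_expiry"] = d.handle(Packet(1.5 + OPEN_FOR + 1.0, client, 22))
    verdicts["rules"] = d.rules
    return verdicts
```

The sweep fails because 7001 arrives between 7000 and the next expected port and resets the source's progress; with an ascending sequence such as (7000, 8000, 9000) the same sweep would have opened the port, which is why real knock sequences are chosen out of order.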
Which of the following is a best practice for defending against Bluetooth hacking?
Keep Bluetooth devices in non-discoverable mode
Keep the device in Bluetooth discoverable mode
Disable encryption for Bluetooth
Use default numbers as PIN keys
Keep Bluetooth devices in non-discoverable mode
One of the best ways to defend against Bluetooth attackers is to keep your devices in non-discoverable mode. In that mode they do not answer inquiry (discovery) scans, so an attacker cannot find them by scanning and they do not invite unsolicited pairing requests. Non-discoverable is not the same as unreachable: a device whose address is already known can still be contacted, so the other mitigations below still matter.
Bluetooth is a short-range wireless technology used to eliminate the need for cables over short distances. It is commonly used for PC peripherals such as keyboards and mice, and for the ubiquitous Bluetooth earpiece tethered to a mobile phone.
Common Bluetooth Attacks are:
Bluesmacking: a denial-of-service attack that floods a Bluetooth-enabled device with oversized or malformed packets until it crashes or becomes unresponsive.
Bluesnarfing: the theft of information (contacts, calendar entries, messages) from a wireless device through a Bluetooth connection, without the owner's knowledge.
Bluejacking: sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDAs and mobile phones; a nuisance rather than a compromise in itself.
BlueSniff: proof-of-concept code for a Bluetooth wardriving utility that discovers nearby devices.
Mitigation: Other ways to defend against Bluetooth attacks are:
- Use non-default, non-trivial PINs when pairing devices.
- Pair devices away from public areas, for example at home, because the pairing exchange is what an eavesdropper wants to capture.
- Always enable encryption.
- Periodically check your list of paired devices and remove unused or unknown entries.
- Turn Bluetooth off when you are not using it.
- Do not accept pairing requests you did not initiate or expect.
When you carry out an ACK scan of your web servers you find that they are responding to ACK packets sent to port TCP/80.
What is the possible problem here?
The servers are using a stateless firewall
They are using a Windows based firewall
A stateful firewall is being used on those servers
An Active ARP Cache is in use
The servers are using a stateless firewall
This is the correct answer because a host behind a stateless firewall answers the unsolicited ACK with a RST: the packet matches a plain "allow TCP to port 80" rule, reaches the TCP stack, and the stack resets a segment that belongs to no session, as TCP requires. The RST tells the scanner that TCP/80 is reachable through the firewall (nmap reports the port as "unfiltered"). A stateful firewall would drop the ACK before it reached the stack, because no tracked connection matches it, and the scanner would see nothing ("filtered").
DISCUSSION:
Summary: Stateless firewalls have no concept of TCP connection state. A rule such as "allow TCP to port 80" matches any packet to that port, so an ACK that belongs to no session is passed through as if it were part of an established conversation, and the host's TCP stack replies with a RST. An ACK scan therefore reveals which ports the rule set lets through, even though no connection is ever established.
Mitigation: use stateful (connection-tracking) firewalls on your hosts, so that only a SYN that opens a new connection, or a packet matching an existing tracked connection, is accepted; unsolicited ACKs are then dropped silently and the scan shows the port as filtered. Stateless filters should be replaced, or at least supplemented with a connection-state match (for example iptables' conntrack state matching), to avoid the condition depicted in the question.
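The difference between the two firewall types described above, as an added example that is not part of the original flashcard: a stateless "allow port 80" rule and a minimal connection tracker are each placed in front of a toy TCP stack, and the same unsolicited ACK probe is sent to both. The server address, scanner address and packets are constructed for the example; the iptables rules quoted in the docstrings are the real-world equivalents of each filter, not commands the code runs.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")   # flags: a set such as {"SYN"} or {"ACK"}
WEB = "192.0.2.10"                                           # constructed: the web server being scanned


def stateless_filter(pkt):
    """Equivalent of 'iptables -A INPUT -p tcp --dport 80 -j ACCEPT' with a default DROP:
    any packet to port 80 matches, so a lone ACK is handed to the TCP stack."""
    return "ACCEPT" if pkt.dst == WEB and pkt.dport == 80 else "DROP"


class StatefulFilter:
    """Minimal connection tracker, like '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    plus '-p tcp --dport 80 --syn -j ACCEPT': only a SYN may create an entry, and every other
    packet must match an existing one. An ACK that belongs to no session is dropped silently."""

    def __init__(self):
        self.conntrack = {}   # (client ip, client port) -> state

    def __call__(self, pkt):
        if pkt.dst != WEB or pkt.dport != 80:
            return "DROP"
        key = (pkt.src, pkt.sport)
        if pkt.flags == {"SYN"}:
            self.conntrack[key] = "SYN_RECV"           # new connection attempt: allowed
            return "ACCEPT"
        if key not in self.conntrack:
            return "DROP"                              # unsolicited ACK/FIN/RST: no tracked session
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            self.conntrack.pop(key)                    # session torn down
        elif "ACK" in pkt.flags:
            self.conntrack[key] = "ESTABLISHED"
        return "ACCEPT"


class Host:
    """A server's TCP stack behind a firewall. receive() returns (verdict, reply seen on the wire)."""

    def __init__(self, firewall, open_ports=(80,)):
        self.firewall, self.open_ports, self.sessions = firewall, set(open_ports), set()

    def receive(self, pkt):
        verdict = self.firewall(pkt)
        if verdict == "DROP":
            return verdict, None                       # silence: nmap reports 'filtered'
        key = (pkt.src, pkt.sport)
        if pkt.flags == {"SYN"} and pkt.dport in self.open_ports:
            self.sessions.add(key)
            return verdict, "SYN-ACK"
        if key in self.sessions:
            return verdict, "ACK"                      # normal in-session traffic
        return verdict, "RST"                          # no such session (or closed port): TCP resets


def ack_scan_result(reply):
    """How nmap -sA classifies the answer: a RST proves the firewall let the probe through."""
    return "unfiltered" if reply == "RST" else "filtered"


def run_demo():
    """Constructed probe and handshake against one host of each kind."""
    probe = Packet("198.51.100.5", 40000, WEB, 80, {"ACK"})   # unsolicited ACK, no handshake
    stateless_host, stateful_host = Host(stateless_filter), Host(StatefulFilter())
    results = {"stateless": ack_scan_result(stateless_host.receive(probe)[1]),
               "stateful": ack_scan_result(stateful_host.receive(probe)[1])}
    # A real client still gets through the stateful filter: SYN first, then an ACK within the session.
    syn = Packet("203.0.113.20", 51515, WEB, 80, {"SYN"})
    ack = Packet("203.0.113.20", 51515, WEB, 80, {"ACK"})
    results["legit_handshake"] = [stateful_host.receive(syn), stateful_host.receive(ack)]
    return results
```

The stateless host answers the probe with a RST, so the scan reports port 80 as unfiltered; the stateful host drops it and the scan reports filtered, while a genuine client that starts with a SYN is unaffected.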