Security

Question 0

Spoofing - what is it? Why do hackers do it?

Answer 0

Spoofing is when a hacker assumes a trusted IP or physical (MAC) address to gain access to your network.

This can be done in order to:

• gain root access

• inject malicious data into your
network

• divert packets to themselves
• perform a DoS attack
• set up a larger attack.

Question 1

DoS

Answer 1

Denial of Service attack - hacker will monopolize a networks resources, keeping legitimate users from being able to get service.

Question 2

Zero-day attacks

Answer 2

Attack involving a virus that has never been seen “in the wild” before. Zero day attacks are more threatening because the malicious software is unrecognizable and often unidentifiable.

Question 3

Pharming

Answer 3

Altering a host file to divert traffic intended for a legitimate site to another site (often an imposter site built by the attacker).

Question 4

Brute Force Attack

Answer 4

A password attack in which all possible password combinations are tried sequentially until the correct one is guessed.

Question 5

Packet Sniffer

Answer 5

A program that can intercept and log traffic passing over a digital network.

Question 6

Keylogger

Answer 6

A program that detects and logs every keystroke made. Can be used to capture passwords and other confidential information.

 Software keyloggers may be augmented with features that capture user information without relying on keyboard key presses as the sole input. Some of these features include:

 •clipboard logging - captures    
  anything copied to the clipboard

 •screen logging - takes screen 
  shots periodically or in response 
  to user behavior

 •programmatically capturing the
  text in a control

 •recording all search engine 
  queries, IM convos, etc.

Question 7

What is the purpose of risk analysis?

Answer 7

To quantify the impact of a potential threat.

Question 8

What are the two types of risk analysis? What does each type use to measure the impact of a threat?

Answer 8

• Quantitative - uses a mathematical
model

• Qualitative - uses a scenario
model

Question 9

What are the five stage of the secure network life cycle?

Answer 9

• Initiation
• Acquisition and development
• Implementation
• Operations and maintenance
• Disposition

Question 10

What are the four different models and frameworks regarding security?

Answer 10

• COBIT
• ISO 27000
• ITIL
• NIST

Question 11

COBIT

Answer 11

Control Objectives for Information and Related Technology

Question 12

ISO 27000

Answer 12

International Organization for Standardization

Question 13

ITIL

Answer 13

Information Technology Infrastructure Library

Question 14

NIST

Answer 14

National Institute of Standards and Technology

Question 15

What is war dialing? Why might a network administrator do it?

Answer 15

War dialing or wardialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems and fax machines.
Hackers can use the resulting lists for various purposes. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company’s telephone network.

Question 16

What is wardriving?

Answer 16

Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA).

Question 17

What is an event? What is an incident?

Answer 17

Even - Any observable occurrence in a system or network.

Incident - Any observable occurrence that has a negative consequence.

Question 18

MTD

Answer 18

Maximum Tolerable Downtime - total amount of time the system owner or authorizing official is willing to accept for a mission or a business process outage or disruption; includes all impact considerations

Question 19

RTO

Answer 19

Recovery Time Objective - the total amount of time a system resource can be unavailable before there is an unacceptable impact on other system resources, supported mission or other business processes.

Question 20

RPO

Answer 20

Recovery Point Objective - the point in time (prior to a disruption or system outage) to which business or mission data can be recovered after an outage.

Question 21

IaaS

Answer 21

Infrastructure as as Service

Question 22

SaaS

Answer 22

Software as a Service - software existing in the cloud and being accessed as a service by end-point devices

Question 23

SGA

Answer 23

Security Group Access

Question 24

Cisco ASA

Answer 24

Adaptive security appliance

Question 25

Five Nines

Answer 25

The goal of 99.999% up time

Question 26

What are the three device planes?

Answer 26

• Control
• Management
• Data

Question 27

What happens in the Control Plane?

Answer 27

Exchanges of routing information take place. Routing protocols run on the control plane.

Question 28

What happens on the Data Plane?

Answer 28

Data is actually forwarded.

Question 29

What happens on the Management Plane?

Answer 29

Management processes run.

Question 30

NFP

Answer 30

Network Foundation Protection

Question 31

What are two Control Plane security measures and what do they do?

Answer 31

• CoPP - control plane policing :
regulates the amount of traffic
on the control plane to prevent
DoS attacks

• Routing Protocol Authentication:
authentication solutions that verify
the identity of routers participating
in routing protocols

Question 32

What are some security features associated with the Data Plane and what do they do?

Answer 32

• Private VLANs keep data from
different sectors separate.

• ACLs permit or deny specified
traffic over particular links

Question 33

What are some Management Plane security features and what do they do?

Answer 33

• AAA - authentication, authorization
and accounting: implements role-
based access control

• NTP, Syslog, SNMP, SSH, TLS

Question 34

Cisco Autosecure

Answer 34

One-step automatic security for all three planes.

Question 35

RBAC

Answer 35

Role-based access control

Question 36

CCP

Answer 36

Cisco Configuration Professional - GUI-based tool that allows you to configure Cisco equipment by using wizards rather than by typing commands at the CLI

Question 37

What does the security audit feature in CCP do?

Answer 37

It reviews the security settings on a device and suggests changes. Allows you to select which security features you want activated.

Question 38

For management data what should you use instead of telnet to improve security?

Answer 38

SSH

Question 39

AAA

Answer 39

• Authentication
• Authorization
• Accounting

Question 40

Describe the two modes for Cisco AAA:

Answer 40

Administrative - trying to access the router itself (user will be in character mode)

Remote Access - simply using the router as a transit point (users will be in packet mode)

Question 41

How many security levels are there in Cisco secure log? What’s the most severe level?

Answer 41

Eight (0-7)

0 is the most severe, 7 is the least

Question 42

What are the two tools you can use to log information about occurrences in your network?

Answer 42

Syslog and SNMP

Question 43

What is the major vulnerability SNMP versions up to v3 can create? How does SNMPv3 address this issue?

Answer 43

It’s well known that the default community string is “Public”. If you use SNMPv1 or v2 and you don’t change the community string it’s easy for a hacker to use the set and get commands to gain information about a device or change its configuration.
SNMPv3 authenticates the NMS before accepting any community strings from it.

Question 44

What are the two protocols used for communicating between AAA servers and authenticating devices?

Answer 44

TACACS+ and RADIUS

Question 45

What protocol does TACACS+ use? What port number?

Answer 45

TCP

49

Question 46

What transport layer protocols(s) does RADIUS use? What port numbers?

Answer 46

UDP
1645, 1646 (old radius ports)
1645=authentication messages
1646=accounting messages

UDP
1812 and 1813 (new radius ports)
1812=authentication
1813=accounting

Question 47

Which is more secure, RADIUS or TACACS+? Why?

Answer 47

TACACS+, because it encrypts the entire packet

Question 48

Which is more universally supported, TACACS+ or RADIUS? Why?

Answer 48

RADIUS, because it is a non-proprietary protocol, whereas TACACS+ is a Cisco protocol.

Question 49

When both regular and secret passwords are configured on a device which password is it necessary to use in order to enter privileged executive mode?

Answer 49

The secret (encrypted) password

Question 50

What command should be used to encrypt enable, VTY and other passwords in the configuration files?

Answer 50

service password-encryption

Question 51

What does IDS stand for?

Answer 51

Intrusion detection system

Question 52

What does IPS stand for?

Answer 52

Intrusion prevention system

Question 53

What is Syslog and what does it do?

Answer 53

Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events. For example, a router might send messages about users logging on to console sessions, while a web-server might log access-denied events.

Question 54

Set the line console timeout to 5 minutes:

Answer 54

R1>enable
R1#config t
R1(configure)#line console 0
R1(config-line)#exec-timeout 5 0

Question 55

What is a one-way hash?

Answer 55

An algorithm that turns messages or text into a fixed string of digits, usually for security or data management purposes. The “one way” means that it’s nearly impossible to derive the original text from the string. A one-way hash function is used to create digital signatures, which in turn identify and authenticate the sender and message of a digitally distributed message.

Question 56

What commands would you use to prevent non-ssh access to your router?

Answer 56

Router1(config)#line vty 0 4
Router1(config-line)#transport input ssh

transport input ssh allows only ssh connections on the specified line/s

Question 57

What are the 4 steps to configure a router to act as an SSH client?

Answer 57

1. Configure the hostname command.
2. Configure the DNS domain.
3. Generate the SSH key to be used.
4. Enable SSH transport support for the virtual type terminal (vtys).

Question 58

How do you calculate yearly downtime?

Answer 58

100 ([525,600 - d] / 525,600)

Question 59

Allow only SSH traffic on vty lines:

Answer 59

Router1> enable

Router1# conf t

Router1(configure)# line vty 0 4

Router1(config-line)# transport input ssh

Question 60

What is the encrypted counterpart to plain text called?

Answer 60

Cipher text

Question 61

Designate an NTP server:

Answer 61

Router#ntp server [x.x.x.x]

Question 62

What is a type 5 password? Configure a username of Myark with a type 5 password of myarkymyark. How would you configure the same type 5 password without associating it with a username?

Answer 62

A password that is encrypted using md5 and stored in the running config. It’s much more secure than a type 0 (plaintext) password, and more secure than a type 7 password.

en
conf t
username Myark secret 0 myarkymyark

en
conf t
enable secret myarkymyark

Question 63

What is a type 0 password? Configure type 0 password thomsowe11 as an enable password. Configure username TomWaits with type 0 password thomsowe11.

Answer 63

An unencrypted (plaintext) password. A type zero password is not secure and can be viewed in the running configuration.

enable
conf t
enable password thomsowe11

en
conf t
username TomWaits password thomsowe11

Question 64

What is a type 7 password? Configure a type 7 enable password of econ101. Configure user name Thomas with a type 7 password of econ101.

Answer 64

A plain text password that has been encrypted using a weak encryption and stored in the running configuration.

en
conf t
enable password econ101
service password-encryption

en
conf t
username Thomas password econ101
service password-encryption