Technical Flashcards

1
Q

What are the common types of attacks and signatures

A

“There are three types of attacks:
Reconnaissance - These include ping sweeps, DNS zone transfers, e-mail recons, TCP or UDP port scans, and possibly indexing of public web servers to find cgi holes.

Exploits - Intruders will take advantage of hidden features or bugs to gain access to the system.

Denial-of-service (DoS) attacks - Where the intruder attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The intruder is not trying to gain information, but simply to act as a vandal to prevent you from making use of your machine.”

2
Q

What is a network based IDS system

A

“An IDS is a system designed to detect and report unauthorized attempts to access or utilize computer and/or network resources. A network-based IDS collects,
filters, and analyzes traffic that passes through a specific network location.”

3
Q

A digital certificate

A

“is a credential required by PKI systems that can securely identify an individual, as well as create an association between the individual’s authenticated identity and public keys.
A trusted third party, called a certificate authority (CA), is used to sign and issue certificates.
The CA is responsible for verifying the identity of a key owner and binding the owner to a public key.
This enables users who have never met to exchange encrypted communications, because the authentication is performed by the third-party CA.
Each certificate contains a unique serial number, identity, and public key information of the user, and the validity dates for the life of the certificate.”

4
Q

A digital signature

A

is a hash value that has been encrypted with the sender’s private key.

5
Q

Accountability

A

Holding individuals responsible for their actions. In a system, the ability to trace actions to an individual (auditing) so they can be held accountable.

6
Q

Authorization

A

After I&A, granting a user, program, or process the right of access to data.

7
Q

countermeasure, or safeguard -

A

a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability

8
Q

Exposure -

A

is an instance of being exposed to losses from a threat.

9
Q

HASH

A

is an instance of being exposed to losses from a threat.

10
Q

How would you define Buffer Overflow

A

It’s a programming flaw that can be exploited, through improperly processed input, to run code.

11
Q

How would you harden a Windows Server? What about a Linux Server?

A

“* Enforce a password policy: time of expiration, length of passwords with character sets, thresholds for bad passwords and length of lockout.
* Disable guest accounts
* Patch the hell out of the servers and applications
* Remove default passwords
* Check for null sessions
* Enable the FW feature set on the NIC
* Audit admin rights for all accounts
* Back up on a regular basis
* Mandate SMB signing”

12
Q

Identification and Authentication

A

Recognition of a subject by a computer system and verification by the computer system that the subject is indeed who the identification process says he is.

13
Q

Please detail 802.1x security vs. 802.11 security (don’t confuse the protocols).

A

802.1x port-based Network Access Control (PNAC) - provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

IEEE 802.11 is a set of standards for carrying out wireless local area network communication.

14
Q

Process of PGP:

A

The user’s private key is generated and encrypted when the application asks the user to randomly type on her keyboard for a specific amount of time.
Instead of using passwords, PGP uses passphrases.
The passphrase is used to encrypt the user’s private key that is stored on her hard drive.
PGP does not use a hierarchy of CAs, or any type of formal trust certificates, but instead relies on a “web of trust” in its key management approach.
Each user generates and distributes his or her public key, and users sign each other’s public keys, which creates a community of users who trust each other.

15
Q

Risk

A

is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.

16
Q

SYN Flood Mitigation

A

“By implementing a SYN proxy on the firewall, now the firewall can manage the connections to the server. If a predefined threshold of SYN requests (let’s say 500 in a second) occurs, the firewall is on guard. If requests continue to come in, the firewall has the option of dropping the oldest requests that haven’t resulted in an established connection, thereby allowing legitimate connections to make their way to be processed by the server.”

17
Q

Threat

A

“is any potential danger to information or systems.
The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual.”

18
Q

Threat agent

A

The entity that takes advantage of a vulnerability is referred to as a threat agent.

19
Q

Vulnerability

A

is a software, hardware, procedural, or human weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.

20
Q

What anonymous account allows access to resources through IIS

A

IUSR

21
Q

What are the latest threats you foresee for the near future

A

Wireless is becoming the norm for connecting to the Internet, so wireless threats are going to be the majority of hacks out there.

22
Q

What are the most common application security flaws

A

“* A1: Injection
* A2: Cross-Site Scripting (XSS)
* A3: Broken Authentication and Session Management
* A4: Insecure Direct Object References
* A5: Cross-Site Request Forgery (CSRF)
* A6: Security Misconfiguration
* A7: Insecure Cryptographic Storage
* A8: Failure to Restrict URL Access
* A9: Insufficient Transport Layer Protection
* A10: Unvalidated Redirects and Forwards”

23
Q

What Command do you use in UNIX to search a file

A

grep

24
Q

What do you do if you are a victim of a DoS

A

Follow the incident response process at work. If at home, contact the ISP to change IP Address.

25
Q

What is a spoofed packet

A

A packet with a fake source IP Address.

26
Q

What is a buffer overflow

A

It’s a programming flaw that can be exploited, through improperly processed input, to run code.

27
Q

What is a Denial of Service attack

A

Exhaust all resources on a system or network to keep it from functioning properly.

28
Q

What is a log host

A
29
Q

What is a Man In The Middle attack

A

“The man-in-the-middle attack intercepts a communication between two systems.
For example, in an http transaction the target is the TCP connection between client and server.
Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server.

Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.”

30
Q

What is a SYN Flood

A

“A SYN flood is where attackers send fake SYN requests to servers in an attempt to exhaust the amount of legitimate requests the server can maintain.
If the attacker is successful, the server will wait for a predetermined timeout period for the bogus connections to complete (which, of course, never do), and most legitimate requests will be ignored by the server.”

31
Q

What is Cross-Site Scripting and how can it be prevented

A
32
Q

What is DNS Hijacking

A

An illegal change to a DNS server that directs a URL to a different Web site.

33
Q

What is GPG (GNU Privacy Guard)

A

“GnuPG allows you to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.

GnuPG encrypts messages using asymmetric keypairs individually generated by GnuPG users. The resulting public keys can be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key to “owner” identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted.”

34
Q

What is IDS or IDP

A

Signature or behavior based. IDS is passive, whereas IPS is inline and can block.

35
Q

What is included in the system state of a windows2003 server

A

Registry, boot files, COM+ class registration and system files.

36
Q

What is NAT and how does it work

A

Network Address Translation - translates private IP addresses to public addresses.

37
Q

What is PGP (GNU Privacy Guard)

A

Encrypts and digitally signs files

38
Q

What is RFC 1918

A

Private Addressing - 10.0.0.0 - 172.16-32.0.0 , 192.168.0.0

39
Q

What is SSH

A

“network protocol that allows data to be exchanged using a secure channel between two networked devices.[1] Used primarily on GNU/Linux and Unix based
systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, rendering them susceptible to packet analysis.[2] The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.”

40
Q

What is SSL

A

SSL allows applications to have authenticated and encrypted communication.

41
Q

What is stateful packet inspection

A

is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.

42
Q

What is Syskey used for

A

is a utility that encrypts the hashed password information in a SAM database on a Windows system.

43
Q

What is the default network bandwidth for IIS bandwidth throttling

A

1024 BPS

44
Q

What is web-caching

A

Web caching is the caching of web documents (e.g., HTML pages, images) to reduce bandwidth usage, server load, and perceived lag. A web cache stores copies of documents passing through it; subsequent requests may be satisfied from the cache if certain conditions are met.

45
Q

What kind of authentication does AD use

A

“Active Directory is a technology created by Microsoft that provides a variety of network services, including:

* Lightweight Directory Access Protocol (LDAP)-like[1] directory services
* Kerberos-based authentication
* DNS-based naming and other network information
* Central location for network administration and delegation of authority [2]
* Information security and single sign-on for user access to networked based resources [3]
* The ability to scale up or down easily [4]
* Central storage location for application data [5]
* Synchronization of directory updates amongst several servers [6]”

46
Q

What unix command lists the server IP info

A

ifconfig

47
Q

What’s port scanning and how does it work

A

Basic Port Scan: This is the easiest type of port scan, which involves scanning a designated port by sending a specifically configured packet that contains the port number of the port that is to be scanned. This technique is used to determine which port is available within a specific machine.

TCP Connect: A TCP connect is used to scan a series of ports on a machine to determine port availability. If a port on the machine is listening then the TCP connect is successful in reaching that specific port.

Strobe Scan: This type of scan is generally used by a hacker to find the ports that the hacker already knows how to exploit. A strobe scan performs scanning on a more constricted level and also allows for disclosure of the username of the TCP connection.

Stealth Scan: This type of scan is specifically designed for hacking because it is set up to go undetected by network auditing tools. When a port scanner is used, the ports that are listening will log an error message if an inbound connection is detected but there is no data associated with the connection. Stealth scans are able to bypass this process and therefore go undetected during audits.

48
Q

What’s the difference between a Proxy and a Firewall

A
49
Q

What’s the difference between encryption and hashing

A

Encryption is reversible, whereas hashing is one way.

50
Q

What’s the difference between symmetric and asymmetric encryption

A

Symmetric encryption is done through private keys. Both sender and receiver will need to have the private key to encrypt and decrypt.

51
Q

Where are UNIX password and account information saved

A

/etc/passwd - /etc/shadow - /etc/secure

52
Q

Why are proxy servers useful

A

To keep machines behind it anonymous (mainly for security).

To speed up access to resources (using caching). Web proxies are commonly used to cache web pages from a web server.

To apply access policy to network services or content, e.g. to block undesired sites.

To log / audit usage, i.e. to provide company employee Internet usage reporting.

To scan transmitted content for malware before delivery.

To scan outbound content, e.g., for data leak protection.

To circumvent regional restrictions.

53
Q

Your network has been infected by malware. Please walk me through the process of cleaning up the environment.

A

Set a schedule for malware removing software to run during non work hours, and remind the user that this is going to happen.