Telecommunications, Network, and Internet Security Flashcards

Question

QUESTION NO: 839 In the OSI/ISO model, at what level are TCP and UDP provided? A. Transport B. Network C. Presentation D. Application

Answer 1

Answer: A Explanation: Transport Layer. …. TCP and UDP operate on this layer.’ Pg 82. Krutz: The CISSP Prep Guide.

Answer 2

Answer: C Explanation: 1. Reference: “[Network Layer] The routing protocols are located at this layer and include the following: …..Internet Protocol Security (IPSec)”. “The following protocols operate within the Session layer: Secure Sockets Layer (SSL)”. “The Presentation layer is also responsible for encryption and compression.” Pg 61-62 Tittel: CISSP Study Guide 2. According to this chart: http://en.wikipedia.org/wiki/OSI\_model Network - IPSEC Presentation – SSL/TLS Session – L2TP Transport – remains an answer. 3. According to Shon Harris / CISSP 5th edition, SSL is at the TRANSPORT layer Conclusion: So, 3 different sources put SSL at 3 completely different layers. But using 1 of the 2 sources does get you with ‘transport’ as being the answer.

Answer 3

Answer: B Explanation: Not A. “The Open System Interconnect (OSI) is a worldwide federation that works to provide international standards. “ Not C. “A protocol is a standard set of rules that determine how systems will communicate across networks. Two different systems can communicate and understand each other because they use the same protocols in spite of their differences.” Pg. 343-344 Shon Harris: CISSP All-In-One Certification Exam Guide

Answer 4

Answer: C Explanation: The transport layer defines how to address the physical locations and /or devices on the network, how to make connections between nodes, and how to handle the networking of messages. It is responsible for maintaining the end-to-end integrity and control of the session. Services located in the transport layer both segment and reassemble the data from upper-layer applications and unite it onto the same data stream, which provides end-to-end data transport services and establishes a logical connection between the sending host and destination host on a network. The transport layer is also responsible for providing mechanisms for multiplexing upperlayer applications, session establishment, and the teardown of virtual circuits. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 275-276 “Transport Layer The agreement on these issues before transferring data helps provide more reliable data transfer, error detection and correction, and flow control and it optimizes network services needed to perform these tasks.” Pg. 318 – 319 Shon Harris: All-In-One CISSP Certification Guide.

Answer 5

Answer: B Explanation: “The Session layer (layer 5) is responsible for establishing, maintaining, and terminating communication sessions between two computers. The primary technology within layer 5 is a gateway. The following protocols operate within the Session layer: Secure Sockets Layer (SSL) Network File System (NFS) Structured Query Language (SQL) Remote Procedure Call (RPC) The presentation layer (layer 6) is responsible for transforming data received from the application layer into a format that any system following the OSI model can understand. It imposes common or standardized structure and formatting rules onto the data. The Presentation layer is also responsible for encryption and compression.” Pg. 79-80 Tittel: CISSP Study Guide.

Answer 6

Answer: D Explanation: By exclusion: Not A. “The Session layer (layer 5) is responsible for establish, maintaining, and terminating communication sessions between two computers.” Pg 79 Tittel: CISSP Study Guide. Not B. “The Transport layer (layer 4) ….This layer includes mechanisms for segmentation, sequencing, error checking, controlling the flow of data, error correction and network service optimization.” Pg 79 Tittel: CISSP Study Guide. Not C. “The Application itself it is not located within this layer [Application]; rather the protocols and services required to transmit files, exchange messages, connect to remote terminals, and so on are here.” Pg. 80 Tittel: CISSP Study Guide.

Answer 7

Answer: B Explanation: The Network layer (layer 3) is responsible for adding routing information to the data. The Network layer accepts the segment from the Transport layer and adds information to it to create a packet. The packet includes the source and destination IP addresses. T The routing protocols are located at this layer and include the following: Internet Control Message Protocol (ICMP) Routing Information Protocol (RIP) Open Shortest Path First (OSPF) Border Gateway Protocol (BGP) Internet Group Management Protocol (IGMP) Internet Protocol (IP) Internet Packet Exchange (IPX) Pg. 78 Tittel: CISSP Study Guide

Answer 8

Answer: B Explanation: “Presentation Layer (Layer 6).” Pg 81 Krutz The CISSP Prep Guide.

Answer 9

Answer: Network

Answer 10

Answer: Presentation

Answer 11

Answer: Application

Answer 12

Answer: A Explanation: The TCP/IP Protocol Model is similar to the OSI model, but it defines only the following four layers instead of seven: Application Layer, Host-to-Host Transport Layer, Internet Layer, Network Access or Link Layer. Pg. 84 Krutz: The CISSP Prep Guide.

Answer 13

Answer: C Explanation: Session services located in the Transport Layer both segment and reassemble the data from upper-layer applications and unite it onto the same data stream, which provides end-toend data transport services and establishes a logical connection between the sending host and destination host on a network. Pg. 82 Krutz: The CISSP Prep Guide.

Answer 14

Answer: Datagram “When the Ethernet software receives a datagram from the Internet layer, it performs the following steps: 1.) Breaks IP layer data into smaller chunks if necessary which will be in the data field of ethernet frames.” Pg. 40 Sams Teach Yourself TCP/IP in 24 hrs.

Answer 15

Answer: A Explanation: The data package created at the transport layer, which encapsulates the Application layer message is called a segment if it comes from TCP/IP.” Pg. 27 Pg. 55 Casad: Sams Teach Yourself TCP/IP in 24 hrs.

Answer 16

Answer: B Explanation: 2 to 16th power = 65,536 “TCP and UDP each have 65,536 ports”. Pg 75 Tittel: CISSP Study Guide

Answer 17

Answer: B Explanation: \* the System Ports, also known as the Well Known Ports, from 0-1023 (assigned by IANA) \* the User Ports, also known as the Registered Ports, from 1024- 49151 (assigned by IANA) \* the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned)

Answer 18

Answer: D Explanation: The original TACACS protocol was developed by BBN for MILNET. It was UDP based and mainly intended to provide validation of dial up user login passwords. The TACACS protocol was formally specified, but the spec is not generally available.

Answer 19

Answer: D Explanation: ICMP = 1 IGMP = 2 TCP = 6 UDP = 17

Answer 20

Answer: C Explanation: ICMP = 1 IGMP = 2 TCP = 6 UDP = 17

Answer 21

Answer: A Explanation: ICMP = 1 TCP = 6 UDP = 17

Answer 22

Answer: D Explanation: Routing control IS defined, but no mention of Logging & Monitoring.

Answer 23

Answer: B Explanation: An ISO and ITU standard for addressing and transporting e-mail messages. It conforms to layer 7 of the OSI model and supports several types of transport mechanisms, including Ethernet, X.25, TCP/IP, and dial-up lines. - http://www.webopedia.com/TERM/X/X\_400.html

Answer 24

Answer: B Explanation: ICMP = 1 IGMP = 2 TCP = 6 UDP = 17

Answer 25

Answer: B Explanation: The original answer to this question was RED however I think this is incorrect because of this reason. Both Red and MPLS deal with qos/cos issues, there by increasing speed. Mpls more so the RED. However I have not been able to find any documents that state RED is a security implementation while MPLS is heavy used in the ISP VPN market. See this link for MPLS security http://www.nwfusion.com/research/2001/0521feat2.html Below are the link that are formation of the ration for this answer of B (MPLS) Congestion avoidance algorithm in which a small percentage of packets are dropped when congestion is detected and before the queue in question overflows completely http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/r12.htm Multiprotocol Label Switching. Switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/m12.htm Resource Reservation Protocol. Protocol that supports the reservation of resources across an IP network. Applications running on IP end systems can use RSVP to indicate to other nodes the nature (bandwidth, jitter, maximum burst, and so on) of the packet streams they want to receive. RSVP depends on IPv6. Also known as Resource Reservation Setup Protocol. http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/r12.htm Random Early Detection (RED) is the recommended approach for queue congestion management in routers (Braden et al., 1998). Although in its basic form RED can be implemented in a relatively short C program, as the speed of ports and the number of queues per port increase, the implementation moves more and more into hardware. Different vendors choose different ways to implement and support RED in their silicon implementations. The degree of programmability, the number of queues, the granularity among queues, and the calculation methods of the RED parameters all vary from implementation to implementation. Some of these differences are irrelevant to the behavior of the algorithm-and hence to the resulting network behavior. Some of the differences, however, may result in a very different behavior of the RED algorithm-and hence of the network efficiency. http://www.cisco.com/en/US/products/hw/routers/ps167/products\_white\_paper09186a0080091fe4. shtml Based on label swapping, a single forwarding mechanism provides opportunities for new control paradigms and applications. MPLS Label Forwarding is performed with a label lookup for an incoming label, which is then swapped with the outgoing label and finally sent to the next hop. Labels are imposed on the packets only once at the edge of the MPLS network and removed at the other end. These labels are assigned to packets based on groupings or forwarding equivalence classes (FECs). Packets belonging to the same FEC get similar treatment. The label is added between the Layer 2 and the Layer 3 header (in a packet environment) or in the virtual path identifier/virtual channel identifier (VPI/VCI) field (in ATM networks). The core network merely reads labels, applies appropriate services, and forwards packets based on the labels. This MPLS lookup and forwarding scheme offers the ability to explicitly control routing based on destination and source addresses, allowing easier introduction of new IP services. http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/xlsw\_ds.htm

Answer 26

Answer: B Explanation: Adding a second router to connect between the LAN and DMZ won’t increase security, but will give them a second path to attack (in case the routers aren’t kept identically patched & configured)

Answer 27

Answer: D Explanation: The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Internets – 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255- that are known as “global non-routable addresses.”” Pg. 94 Krutz: The CISSP Prep Guide.

Answer 28

Answer: A Explanation: The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Internets – 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255- that are known as “global non-routable addresses.”” Pg. 94 Krutz: The CISSP Prep Guide.

Answer 29

Answer: C Explanation: The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Internets – 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255- that are known as “global non-routable addresses.”” Pg. 94 Krutz: The CISSP Prep Guide.

Answer 30

Answer: A Explanation: “Ipv4 uses 32 bits for addresses, and Ipv6 uses 128 bits; thus v6 provides more possible addresses to work with.” Pg 331 Shon Harris: All-in-One CISSP Certification

Answer 31

Answer: D Explanation: An Ethernet address is a 48-bit address that is hard-wired into the NIC of the network node. ARP matches up the 32-bit IP address with this hardware address, which is technically referred to as the Media Access Control (MAC) address or the physical address. Pg. 87 Krutz: The CISSP Prep Guide.

Answer 32

Answer: B Explanation: “As with ARP, Reverse Address Resolution Protocol (RARP) frames go to all systems on the subnet, but only the RARP server responds. Once the RARP server receives this request, it looks in its table to see which IP address matches the broadcast hardware address. The server then sends a message back to the requesting computer that contains its IP address. The system now has an IP address and can function on the network.” Pg 357 Shon Harris: All-in- One CISSP Certification

Answer 33

Answer: D Explanation: Bastion Host: A system that has been hardened to resist attack at some critical point of entry, and which is installed on a network in such a way that it is expected to come under attack. Bastion hosts are often components of firewalls, or may be 'outside" Web servers or public access systems. Generally, a bastion host is running some form of general purpose operating system (e.g., LNIX, VMS, WNT, etC.) rather than a ROM-based or firmware operating system. http://www.securesynergy.com/library/articles/it\_glossary/glossary\_b.php

Answer 34

Answer: C Explanation: A bastion host or screened host is just a firewall system logically positioned between a private network and an untrusted network. - Ed Tittle CISSP Study Guide (sybex) pg 93

Answer 35

Answer: C Explanation: "An application-level gateway firewall is also called a proxy firewall. A proxy is a mechanism that copies packets from one network into another; the copy process also changes the source and destination address to protect the identity of the internal or private network. An application-level gateway firewall filters traffic based on the Internet service (i.e., application) used to transmit or receive the data." - Shon Harris All-in-one CISSP Certification Guide pg 92

Answer 36

Answer: A Explanation: Circuit-level proxy creates a circuit between the client computer and the server. It does not understand or care about the higher-level issues that an application-level proxy deals with. It knows the source and destinations addresses and makes access decisions based on this information...IT looks at the data within the packet header versus the data within the payload of the packet. It does not know if the contents within the packet are actually safe or not. - Shon Harris All-in-one CISSP Certification Guide pg 419-420

Answer 37

Answer: C Explanation: “Stateful Inspection Characteristics The firewall maintains a state table that tracks each and every communication channel. Frames are analyzed at all communication layers. It provides a high degree of security and does not introduce the performance hit that proxy firewalls introduce. It is scaleable and transparent to users It provides data tracking for tracking connectionless protocols such as UDP and ICMP The stat and context of the data within the packets are stored and updated continuously. It is considered a third-generation firewall.” Pg. 375 Shon Harris: All-in-One CISSP Certification Not A: “Packet filtering is the first generation firewall—that is, it was the first type that was created and used, and other types were developed fall into different generations.” Pg 373 Shon Harris: All-in- One CISSP Certification

Answer 38

Answer: C Explanation: The original answer was A (translated source destination address). I did not come across this term in my reading. Screening router A screening router is one of the simplest firewall strategies to implement. This is a popular design because most companies already have the hardware in place to implement it. A screening router is an excellent first line of defense in the creation of your firewall strategy. It's just a router that has filters associated with it to screen outbound and inbound traffic based on IP address and UDP and TCP ports.

Answer 39

Answer: D Explanation: This is a sort of iffy question. Hardware allows faster performance then software and does not need to utilize an underlying OS to make the security software operate. (An example is PIX firewall vs checkpoint). The meantime to failure answer to me is ok but the hardware that the software security also has a MTFF. A few people looked over this question and had no problem with the answer of B (meantime to failure question) but as I looked into it I have picked D. MTTF is typical the time to failure. "MTFF is the expected typical functional lifetime of the device given a specific operating environment" (- Ed Tittle CISSP Study Guide (sybex) pg 657). This leads me to think that this question says hardware has a SHORTER lifespan then software. Thus I am going to have to go with D (higher performance). This can be because of ASICs. As always uses your best judgment, knowledge and experience on this question. Below are some points of view. Few things to consider when deploying software based firewall: Patching OS or firewall software could bring down firewall or open additional holes OS Expertise vs. firewall expertise (you may need two administrators). Support contract (One for hardware, one for OS, one for firewall), who do you call? Administration (One for OS and one for firewall). If your not an expert in both then forget it. High-availability (Stateful failover) (usually requires additional software and costs a lot of money). As a result it adds to support costs. Is software firewalls a bad idea it depends. Every situation is different. -Bob http://www.securityfocus.com/archive/105/322401/2003-05-22/2003-05-28/2 A software firewall application is designed to be installed onto an existing operating system running on generic server or desktop hardware. The application may or may not 'harden' the underlying operating system by replacing core components. Typical host operating systems include Windows NT, 2000 server or Solaris. Software firewall applications all suffer from the following key disadvantages: They run on a generic operating system that may or may not be hardened by the Firewall installation itself. A generic operating system is non-specialized and more complex than is necessary to operate the firewall. This leads to reliability problems and hacking opportunities were peripheral/unnecessary services are kept running. Generic operating systems have their own CPU and memory overheads making software based firewalls slower than their dedicated hardware counterparts. If the software firewalls uses PC hardware as the host platform, then there may be additional reliability problems with the hardware itself. Sub-optimal performance of generic hardware also affects software applications bundled with their own operating systems. There is no physical or topological separation of the firewalling activity. A dedicated hardware firewall is a software firewall application and operating system running on dedicated hardware. This means the hardware used is optimized for the task, perhaps including digital signal processors (DSPs) and several network interfaces. There may also be special hardware used to accelerate the encryption/decryption of VPN data. It may be rack mounted for easy installation into a comms' cabinet. We recommend dedicated hardware firewalls as they offer several key advantages over software applications: Dedicated hardware is typically more reliable. Hardware firewalls are simpler, hence more secure. Hardware firewalls are more efficient and offer superior performance, especially in support of VPNs. The firewalling activity is physically and topologically distinct.

Answer 40

Answer: A Explanation: A firewall is a device that supports and enforces the company's network security policy. - Shon Harris All-in-one CISSP Certification Guide pg 412

Answer 41

Answer: B Explanation: Session control is protected (Cisco - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product\_data\_sheet0 9186a0080117962.html) Session initialization is protected (protection against SYN attacks/DoS) Session termination is protected – they terminate idle connection so they don’t consume resources So, by the process of elimination, the correct answer is ‘session support’.

Answer 42

Answer: D Explanation: “IPSec can work in one of two modes: transport mode, where the payload of the message is protected, and tunnel mode, where the payload and the routing and header information is protected.” Pg 527 Shon Harris: All-in-One CISSP Certification Not:” Encapsulating Security Payload (ESP) authentication must be used” “IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to be used, but it is an open, modular framework that provides a lot of flexibility for companies when they choose to use this type of technology. IPSec uses two basic security protocols: Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH is the authenticating protocol, and ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality, and message integrity.” Pg 527 Shon Harris: All-in-One CISSP Certification

Answer 43

Answer: B Explanation: “IPSec uses two basic security protocols: Authentication Header (AH) and the Encapsulating Security Payload (ESP).” pg 575 Shon Harris CISSP All-In-One Certification Exam Guide

Answer 44

Answer: B,C

Answer 45

Answer: B Explanation: “Encapsulating Security Payload (ESP). AH is the authenticating protocol and ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality, and message integrity.” Pg 575 Shon Harris CISSP All-In- One Certification Exam Guide

Answer 46

Answer: A Explanation: “Socks Proxy Server Characteristics Circuit-level proxy server Requires clients to be SOCKS-fied with SOCKS client software Mainly used for outbound Internet access and virtual private network (VPN) functionality Can be resource-intensive Provides authentication and encryption features to other VPN protocols, but not considered a traditional VPN protocol” Pg. 422 Shon Harris CISSP All-In-One Certification Exam Guide Reference: The SOCKS is an example of a circuit-level proxy gateway that provides a secure channel between two computers. pg. 379 Shon Harris CISSP

Answer 47

Answer: D Explanation: “SOCKS is an example of a circuit-level proxy gateway that provides a secure channel between two computers. When a SOCKS-enabled client sends a request to a computer on the Internet, this request actually goes to the network’s SOCKS proxy server…” pg 379 Shon Harris: All-in-One CISSP Certification

Answer 48

Answer: A Explanation: The major functional groups of protocols and methods are the Application Layer, the Transport Layer, the Internet Layer, and the Link Layer (RFC 1122). It should be noted that this model was not intended to be a rigid reference model into which new protocols have to fit in order to be accepted as a standard.

Answer 49

Answer: B Explanation: “Client Authentication using Digital IDs Enable access by certificates

Answer 50

Answer: A Explanation: Secure Sockets Layer (SSL). An encryption technology that is used to provide secure transactions such as the exchange of credit card numbers. SSL is a socket layer security protocol and is a two-layered protocol that contains the SSL Record Protocol and the SSL Handshake Protocol. Similiar to SSH, SSL uses symmetric encryption for private connections and asymmetric or public key cryptography (certificates) for peer authentication. It also uses a Message Authentication Code for message integrity checking. Krutz: The CISSP Prep Guide pg. 89. It prevents a man in the middle attack by confirming that you are authenticating with the server desired prior entering your user name and password. If the server was not authenticated, a man-in-the-middle could retrieve the username and password then use it to login. The SSL protocol has been known to be vulnerable to some man-in-the-middle attacks. The attacker injects herself right at the beginning of the authentication phase so that she obtains both parties' keys. This enables her to decrypt and view messages that were not intended for her. Using digital signatures during the session-key exchange can circumvent the man-in-the-middle attack. If using kerberos, when Lance and Tanya obtain each other's public keys from the KDC, the public keys are signed by the KDC. Because Tanya and Lanace have the public key of the KDC, they both can decrypt and verify the signature on each other's public key and be sure that it came from the KDC itself. Because David does not have the private key of the KDC, he cannot substitute his pubic key during this type of transmission. Shon Harris All-In-One CISSP Certification pg. 579. One of the most important pieces a PKI is its public key certificate. A certificate is the mechanism used to associate a public key with a collection of components sufficient to uniquely authenticate the claimed owner. Shon Harris All-In-One CISSP Certification pg. 540.

Answer 51

Answer: D Explanation: This is a question that I disagreed with. The premises that SSH does use RSA and 3DES, thus susceptible to cryptographic attack (namely birthday attach) has merit but I think the answer is more simple, in that you SSH cant protect against a compromised source/destination. You can safely rule out spoofing and manipulation (that is the job of ssh to protect the transmission). Original answer was C birthday attack. Use your best judgment based on knowledge and experience. The use of ssh helps to correct these vulnerabilities. Specifically, ssh protects against these attacks: IP spoofing (where the spoofer is on either a remote or local host), IP source routing, DNS spoofing, interception of cleartext passwords/data and attacks based on listening to X authentication data and spoofed connections to an X11 server. http://wwwarc. com/sara/cve/SSH\_vulnerabilities.html Birthday attack - Usually applied to the probability of two different messages using the same hash function that produces a common message digest; or given a message and its corresponding message digest, finding another message that when passed through the same hash function generates the same specific message digest. The term "birthday" comes from the fact that in a room with 23 people, the probability of two people having the same birthday is great than 50 percent. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 212

Answer 52

Answer: B Explanation: Active attacks find identities by being a man-in-the-middle or by replacing the responder in the negotiation. The attacker proceeds through the key negotiation with the attackee until the attackee has revealed its identity. In a well-designed system, the negotiation will fail after the attackee has revealed its identity because the attacker cannot spoof the identity of the originally-intended system. The attackee might then suspect that there was an attack because the other side failed before it gave its identity. Therefore, an active attack cannot be persistent because it would prevent all legitimate access to the desired IPsec system. http://msgs.securepoint.com/cgi-bin/get/ipsec-0201/18.html Not C: Traffic analysis is a good attack but not the most effective as it is passive in nature, while Man in the middle is active.

Answer 53

Answer: D Explanation: "The following are the three most common VPN communications protocol standards: Point-to-Point Tunneling Protocol(PPTP). PPTP works at the Data Link Layer of the OSI model. Designed for individual client to server connections, it enables only a single point-to-point connection per session. This standard is very common with asynchronous connections that use Win9x or NT clients. PPTP uses native Point-to-Point Protocol (PPP) authentication and encryption services. Layer 2 Tunneling Protocol (L2TP). L2TP is a combination of PPTP and the earlier Layer 2 Forwarding (L2F) Protocol that works at the Data Link Layer like PPTP. It has become an accepted tunneling standard for VPN's. In fact, dial-up VPNs use this standard quite frequently. Like PPTP, this standard was designed for single point-to-point client to server connections. Not that multiple protocols can be encapsulated within the L2TP tunnel, but do not use encryption like PPTP. Also, L2TP supports TACACS+ and RADIUS, but PPTP does not. IPSEC. IPSec operates at the Network Layer and it enables multiple and simultaneous tunnels, unlike the single connection of the previous standards. IPSec has the functionality to encrypt and authenticate IP data. It is built into the new Ipv6 standard, and is used as an add-on to the current Ipv4. While PPTP and L2TP are aimed more at dial-up VPNs, IPSec focuses more on network-tonetwork connectivity." Pg. 123-125 Krutz: The CISSP Prep Guide: Gold Edition.

Answer 54

Answer: B Explanation: A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" queue with connection requests, but it does not respond when a target system replies to those requests. This causes the target system to time out while waiting for the proper response, which makes the system crash or become unusable. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 103 “In a SYN flood attack, hackers use special software that sends a large number of fake packets with the SYN flag set to the targeted system. The victim then reserves space in memory for the connection and attempts to send the standard SYN/ACK reply but never hears back from the originator. This process repeats hundreds or even thousands of times, and the targeted computer eventually becomes overwhelmed and runs out of available resources for the half-opened connections. At that time, it either crashes or simply ignores all inbound connection requests because it can’t possibly handle any more half-open connections.”

Answer 55

Answer: B Explanation: This reference is close to the one listed DNS poisoning is the correct answer however, Harris does not say the name when describing the attack but later on the page she state the following. This is how DNS DOS attack can occur. If the actual DNS records are unattainable to the attacker for him to alter in this fashion, which they should be, the attacker can insert this data into the cache of there server instead of replacing the actual records, which is referred to as cache poisoning. - Shon Harris All-in-one CISSP Certification Guide pg 795

Answer 56

Answer: C Explanation: Reference “This paper is for those who want a practical approach to writing buffer overflow exploits. As the title says, this text will teach you how to write these exploits in Perl. There are reasons why we construct the buffer this way. First we have a lot of NOPs, then the shellcode (which in this example will execute /bin/sh), and at last the ESP + offset values.” http://hackersplayground.org/papers/perl-buffer.txt

Answer 57

Answer: D Reference: “TCP Port 5000 Buffer Overflow Attack The attack on Port 5000 was part of this scan pattern Mar 14, 2004 15:58:17.837 - (TCP) 68.144.13.102 : 2282 \>\>\> 192.168.1.36 : 2745 Mar 14, 2004 15:58:17.857 - (TCP) 68.144.13.102 : 2283 \>\>\> 68.144.193.246 : 135 Mar 14, 2004 15:58:17.887 - (TCP) 68.144.13.102 : 2284 \>\>\> 192.168.1.38 : 1025 Mar 14, 2004 15:58:17.907 - (TCP) 68.144.13.102 : 2285 \>\>\> 68.144.193.246 : 445 Mar 14, 2004 15:58:17.938 - (TCP) 68.144.13.102 : 2286 \>\>\> 192.168.1.36 : 3127 Mar 14, 2004 15:58:17.958 - (TCP) 68.144.13.102 : 2287 \>\>\> 68.144.193.246 : 6129 Mar 14, 2004 15:58:17.988 - (TCP) 68.144.13.102 : 2288 \>\>\> 68.144.193.246 : 139 Mar 14, 2004 15:58:18.008 - (TCP) 68.144.13.102 : 2289 \>\>\> 192.168.1.36 : 5000 Mar 14, 2004 15:58:29.164 - (TCP) 68.144.13.102 : 1442 \>\>\> 68.144.193.246 : 1981 Mar 14, 2004 15:58:33.470 - (TCP) 68.144.13.102 : 1442 \>\>\> 68.144.193.246 : 1981 Mar 14, 2004 15:58:39.288 - (TCP) 68.144.13.102 : 1442 \>\>\> 68.144.193.246 : 1981 The attack appears to be a buffer overfull attack on the Plug and Play service on TCP Port 5000, which likely contains instructions to download and execute the rest of the worm. TCP Connection Request ---- 14/03/2004 15:40:57.910 68.144.193.124 : 4560 TCP Connected ID = 1 ---- 14/03/2004 15:40:57.910 Status Code: 0 OK 68.144.193.124 : 4560 TCP Data In Length 697 bytes MD5 = 19323C2EA6F5FCEE2382690100455C17 ---- 14/03/2004 15:40:57.920 0000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0020 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0030 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0050 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0070 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0080 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 00A0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 00B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 00C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 00D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 00E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 00F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0100 90 90 90 90 90 90 90 90 90 90 90 90 4D 3F E3 77 ............M?.w 0110 90 90 90 90 FF 63 64 90 90 90 90 90 90 90 90 90 .....cd......... 0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 0130 90 90 90 90 90 90 90 90 EB 10 5A 4A 33 C9 66 B9 ..........ZJ3.f. 0140 66 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70 f..4...........p 0150 99 98 99 99 C3 21 95 69 64 E6 12 99 12 E9 85 34 .....!.id......4 0160 12 D9 91 12 41 12 EA A5 9A 6A 12 EF E1 9A 6A 12 ....A....j....j. 0170 E7 B9 9A 62 12 D7 8D AA 74 CF CE C8 12 A6 9A 62 ...b....t......b 0180 12 6B F3 97 C0 6A 3F ED 91 C0 C6 1A 5E 9D DC 7B .k...j?.....^..{ 0190 70 C0 C6 C7 12 54 12 DF BD 9A 5A 48 78 9A 58 AA p....T....ZHx.X. 01A0 50 FF 12 91 12 DF 85 9A 5A 58 78 9B 9A 58 12 99 P.......ZXx..X.. 01B0 9A 5A 12 63 12 6E 1A 5F 97 12 49 F3 9A C0 71 E5 .Z.c.n.\_..I...q. 01C0 99 99 99 1A 5F 94 CB CF 66 CE 65 C3 12 41 F3 9D ....\_...f.e..A.. 01D0 C0 71 F0 99 99 99 C9 C9 C9 C9 F3 98 F3 9B 66 CE .q............f. 01E0 69 12 41 5E 9E 9B 99 9E 24 AA 59 10 DE 9D F3 89 i.A^....$.Y..... 01F0 CE CA 66 CE 6D F3 98 CA 66 CE 61 C9 C9 CA 66 CE ..f.m...f.a...f. 0200 65 1A 75 DD 12 6D AA 42 F3 89 C0 10 85 17 7B 62 e.u..m.B......{b 0210 10 DF A1 10 DF A5 10 DF D9 5E DF B5 98 98 99 99 .........^...... 0220 14 DE 89 C9 CF CA CA CA F3 98 CA CA 5E DE A5 FA ............^... 0230 F4 FD 99 14 DE A5 C9 CA 66 CE 7D C9 66 CE 71 AA ........f.}.f.q. 0240 59 35 1C 59 EC 60 C8 CB CF CA 66 4B C3 C0 32 7B Y5.Y.`....fK..2{ 0250 77 AA 59 5A 71 62 67 66 66 DE FC ED C9 EB F6 FA w.YZqbgff....... 0260 D8 FD FD EB FC EA EA 99 DA EB FC F8 ED FC C9 EB ................ 0270 F6 FA FC EA EA D8 99 DC E1 F0 ED C9 EB F6 FA FC ................ 0280 EA EA 99 D5 F6 F8 FD D5 F0 FB EB F8 EB E0 D8 99 ................ 0290 EE EA AB C6 AA AB 99 CE CA D8 CA F6 FA F2 FC ED ................ 02A0 D8 99 FB F0 F7 FD 99 F5 F0 EA ED FC F7 99 F8 FA ................ 02B0 FA FC E9 ED 99 0D 0A 0D 0A ......... “

Answer 58

Answer: A Explanation: Sniffing is the action of capture / monitor the traffic going over the network. Because, in a normal networking environment, account and password information is passed along Ethernet in clear-text, it is not hard for an intruder to put a machine into promiscuous mode and by sniffing, compromise all the machines on the net by capturing password in an illegal fashion.

Answer 59

Answer: D Explanation: SPAM - The term describing unwanted email, newsgroup, or discussion forum messages. Spam can be innocuous as an advertisement from a well-meaning vendor or as malignant as floods or unrequested messages with viruses or Trojan horses attached SYN Flood Attack - A type of DoS. A Syn flood attack is waged by not sending the final ACK packet, which breaks the standard three-way handshake used by TCP/IP to initiate communication sessions. Ping of death attack - A type of DoS. A ping of death attack employs an oversized ping packet. Using special tools, an attacker can send numerous oversized ping packets to a victim. In many cases, when the victimized system attempts to process the packets, an error occurs causing the system to freeze, crash, or reboot. Macro Viruses - A virus that utilizes crude technologies to infect documents created in the Microsoft Word environment. - Ed Tittle CISSP Study Guide

Answer 60

Answer: B Explanation: “[SYN Flood] Attackers can take advantage of this design flaw by continually sending the victim SYN messages with spoofed packets. The victim will commit the necessary resources to setup this communication socket, and it will send its SYN/ACK message waiting for the ACK message in return. However, the victim will never receive the ACK message, because the packet is spoofed, and victim system sent the SYN/ACK message to a computer that does not exist. So the victim system receives a SYN message, add it dutifully commits the necessary resources to setup a connection with another computer. This connection is queued waiting for the ACK message, and the attacker sends another SYN message. The victim system does what is supposed to can commits more resources, sends the SYN/ACK message, and queues this connection. This may only need to happen a dozen times before the victim system no longer has the necessary resources to open up another connection. This makes the victim computer unreachable from legitimate computers, denying other systems service from the victim computer.” Pg. 735 Shon Harris CISSP All-In-One Exam Guide

Answer 61

Answer: D Explanation: Flaw exploitation attacks exploit a flaw in the target system's software in order to cause a processing failure or to cause it to exhaust system resources. An example of such a processing failure is the 'ping of death' attack. This attack involved sending an unexpectedly large ping packet to certain Windows systems. The target system could not handle this abnormal packet, and a system crash resulted. With respect to resource exhaustion attacks, the resources targeted include CPU time, memory, disk space, space in a special buffer, or network bandwidth. In many cases, simply patching the software can circumvent this type of DOS attack.

Answer 62

Answer: D Explanation: The problem is that most users do not request to connect to DNS names or even URLs, they follow hyperlinks... But, whereas DNS names are subject to "DNS spoofing" (whereby a DNS server lies about the internet address of a server) so too are URLs subject to what I call "hyperlink spoofing" or "Trojan HTML", whereby a page lies about an URLs DNS name. Both forms of spoofing have the same effect of steering you to the wrong internet site, however hyperlink spoofing is technically much easier than DNS spoofing. http://www.brd.ie/papers/sslpaper/sslpaper.html

Answer 63

Answer: D Explanation: Another form of attack is called the distributed denial of service (DDOS). A distributed denial of service occurs when the attacker compromises several systems and uses them as launching platforms against on or more victims. - Ed Tittle CISSP Study Guide (sybex) pg 51

Answer 64

Answer: B Explanation: “Network Address Hijacking. It might be possible for an intruder to reroute data traffic from a server or network device to a personal machine, either by device address modification or network address “hijacking.” This diversion enables the intruder to capture traffic to and from the devices for data analysis or modification or to steal the password file from the server and gain access to user accounts. By rerouting the data output, the intruder can obtain supervisory terminal functions and bypass the system logs.”

Answer 65

Answer: B Explanation: The problem is that most users do not request to connect to DNS names or even URLs, they follow hyperlinks... But, whereas DNS names are subject to "DNS spoofing" (whereby a DNS server lies about the internet address of a server) so too are URLs subject to what I call "hyperlink spoofing" or "Trojan HTML", whereby a page lies about an URLs DNS name. Both forms of spoofing have the same effect of steering you to the wrong internet site, however hyperlink spoofing is technically much easier than DNS spoofing. http://www.brd.ie/papers/sslpaper/sslpaper.html

Answer 66

Answer: B Explanation: Another form of DoS. A distributed denial of service occurs when the attacker compromises several systems to be used as launching platforms against one or more victims. The compromised systems used in the attacks are often called claves or zombies. A DDoS attack results in the victims being flooded with data from numerous sources. - Ed Tittle CISSP Study Guide (sybex) pg 693

Answer 67

Answer: D Explanation: “Because a network-based IDS reviews packets and headers, it can also detect denial of service (DoS) attacks.” Pg. 64 Krutz: The CISSP Prep Guide Not A or B: “The following sections discuss some of the possible DoS attacks available. Smurf Fraggle SYN Flood Teardrop DNS DoS Attacks”

Answer 68

Answer: B Explanation: “Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual content of packets. Traffic and trend analysis can be used to infer a large amount of information, such as primary communication routes, sources of encrypted traffic, location of primary servers, primary and backup communication pathways, amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more.” Pg 429 Tittel: CISSP Study Guide

Answer 69

Answer: C Explanation: Denial of Service is an attack on the operating system or software using buffer overflows. The result is that the target is unable to reply to service requests. This is too a large an area of information to try to cover here, so I will limit my discussion to the types of denial of service (DoS) attacks:

Answer 70

Answer: C Explanation: Ping of Death -- This exploit is based on the fragmentation implementation of IP whereby large packets are reassembled and can cause machines to crash. 'Ping of Death takes advantage of the fact that it is possible to send an illegal ICMP Echo packet with more than the allowable 65, 507 octets of data because of the way fragmentation is performed. A temporary fix is block ping packets. Ideally, an engineer should secure TCP/IP from overflow when reconstructing IP fragments.

Answer 71

Answer: C Explanation: Land.c. attack -- Attacks an established TCP connection. A program sends a TCP SYN packet giving the target host address as both the sender and destination using the same port causing the OS to hang.

Answer 72

Answer: A Explanation: Teardrop attack - This is based on the fragmentation implementation of IP whereby reassembly problems can cause machines to crash. The attack uses a reassembly bug with overlapping fragments and causes systems to hang or crash. It works for any Internet Protocol type because it hits the IP layer itself. Engineers should turn off directed broadcast capability.

Answer 73

Answer: D Explanation: SMURF attack -- This attack floods networks with broadcast traffic so that the network is congested. The perpetrator sends a large number of spoofed ICMP (Internet Control Message Protocol) echo requests to broadcast addresses hoping packets will be sent to the spoofed addresses. You need to understand the OSI model and how protocols are transferred between layer 3 and layer 2 to understand this attack. The layer 2 will respond to the ICMP echo request with an ICMP echo reply each time, multiplying the traffic by the number of hosts involved. Engineers should turn off broadcast capability (if possible in your environment) to deter this kind of attack.

Answer 74

Answer: D Explanation: Spamming -- Involves repeatedly sending identical e-message to a particular address. It is a variant of bombing, and is made worse when the recipient replies -- i.e. recent cases where viruses or worms were attached to the e-mail message and ran a program that forwarded the message from the reader to any one on the user's distribution lists. This attack cannot be prevented, but you should ensure that entrance and exit of such mail is only through central mail hubs.

Answer 75

Answer: B Explanation: “The Land denial of service attack causes many older operating systems (such as Windows NT 4, Windows 95, and SunOS 4.1.4) to freeze and behave in an unpredictable manner. It works by creating an artificial TCP packet that has the SYN flag set. The attacker set the destination IP address to the address of the victim machine and the destination port to an open port on that machine. Next, the attacker set the source IP address and source port to the same values as the destination IP address and port. When the targeted host receives this unusual packet, the operating system doesn’t know how to process it and freezes, crashes, or behaves in an unusual manner as a result.” Pg 237 Tittel: CISSP Study Guide

Answer 76

Answer: C Explanation: Trojan Horse attacks - This attack involves a rogue, Trojan horse application that has been planted on an unsuspecting user's workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue data. The operation completes but the user never knows that their private key was just used against their will.

Answer 77

Answer: D Explanation: The weakest point in the communication based on asymmetric encryption is the knowledge about the real owners of keys. Somebody evil could generate a key pair, give the public key away and tell everybody, that it belongs to somebody else. Now, everyone believing it will use this key for encryption, resulting in the evil man being able to read the messages. If he encrypts the messages again with the public key of the real recipient, he will not be easily recognized. This sort of attack is called ``man-in-the-middle'' attack and can only be prevented by making sure, public keys really belong to the one being designated as owner.

Answer 78

Answer: C Explanation: Traffic analysis, which is sometimes called trend analysis, is a technique employed by an intruder that involves analyzing data characteristics (message length, message frequency, and so forth) and the patterns of transmissions (rather than any knowledge of the actual information transmitted) to infer information that is useful to an intruder) . -Ronald Krutz The CISSP PREP Guide (gold edition) pg 323

Answer 79

Answer: A Explanation: Zone transfer is method that DNS uses to transfer zone information between servers. In some un-secure DNS installations zone transfers are allowed to un-trusted DNS servers. This allows the hacker to determine internal host names and ip addresses to provide additional information for an attack.

Answer 80

Answer: B Explanation: In telecommunications Telecommunication the local loop is the wiring between the central office and the customer's premises demarcation point. The telephony local loop connection is typically a copper twisted pair carrying current from the central office to the customer premises and back again. Individual local loop telephone lines are connected to the local central office or to a remote concentrator. Local loop connections can be used to carry a range of technologies, including: Analog Voice ISDN DSL

Answer 81

Answer: B Explanation: The potential for fraud to occur in voice telecommunications equipment is a serious threat. PBX's (Private Branch Exchange) are telephone switches used within state agencies to allow employees to make out-going and receive in- coming phone calls. These PBX's can also provide connections for communications between personal computers and local and wide area networks. Security measures must be taken to avoid the possibility of theft of either phone service or information through the telephone systems. Direct Inward System Access (DISA) is the ability to call into a PBX, either on an 800 number or a local dial-in, and by using an authorization code, gain access to the long distance lines and place long distance calls through the PBX http://www.all.net/books/Texas/chap10.html

Answer 82

Answer: D Explanation: The name "TDMA"( Time Division Multiple Access) is also used to refer to a specific second generation mobile phone standard - more properly referred to as IS-136, which uses the TDMA technique to timeshare the bandwidth of the carrier wave. It provides between 3 to 6 times the capacity of its predecessor AMPS, and also improved security and privacy. In the United States, for example, AT&T Wireless uses the IS-136 TDMA standard. Prior to the introduction of IS-136, there was another TDMA North American digital cellular standard called IS-54(which was also referred to just as "TDMA").