Threat & Vulnerabilities Flashcards
You are setting initial performance baselines for an important database server. Which of the following collected data is considered a good indication of a system performance baseline?
A. Network bandwidth usage per hour for a 24-hour period
B. CPU processing trends measured during typical working hours
C. CPU, memory, and network usage data collected for an entire week
D. Concurrent connections during the busiest server times
C. To establish a performance baseline, you must measure your system activity for 24 hours per day for at least 7 continuous days. This ensures that you have data for an entire week’s worth of activity, including working hours, nonworking hours, and weekends. Simply sampling performance data for a few hours during the day will not provide a sufficient indication of performance trends.
A signature-based monitoring system has failed to detect an attack on one of your web servers. Which of the following is the most likely cause?
A. A firewall is misconfigured.
B. Signature-based systems scan only outbound traffic.
C. You did not properly implement an access rule for that type of attack.
D. This is a new type of attack that has no signature available yet.
D. Signature-based systems are powerful and efficient because they rely on the collective knowledge of security vendors, who analyze Internet security threats and trends and can update their signature databases quickly when new threats arise. However, they cannot detect an attack for which no signature exists yet, such as a zero-day or a freshly modified variant, so a signature miss on a web server is most likely a new attack rather than a firewall or access-rule problem.
Which of the following types of scanning methodologies checks for anomalous behavior on a system that differs from its routine baseline performance?
A. Behavioral-based
B. Rule-based
C. Signature-based
D. Role-based
A. Behavior-based monitoring systems start from a baseline of normal system behavior and then learn from these system performance profiles to recognize behavioral anomalies that pass the thresholds of the normal baseline of the system.
Your building’s physical security is very critical, and you need to implement procedures to deal with security issues in the event of a malfunction with the security card access control system or a power outage. For maximum security, which of the following concepts should you use in your implementation?
A. Surveillance video
B. Failopen security
C. Security guards
D. Failsafe security
D. Failsafe (or failsecure, as this question uses the term) means that the system defaults to maximum security in the event of a failure or malfunction. In this example, making sure doors stay locked during an access card reader malfunction or power outage is an example of a failsafe design. Note that physical-security and life-safety standards usually distinguish the two: fail-secure locks stay locked on power loss, while fail-safe locks release so that people can still exit, and fire codes generally require designated egress doors to fail safe. A real deployment combines fail-secure entry with fail-safe egress rather than choosing one for every door.
Due to downsizing, your department of IT administrators has been drastically reduced, and the time available to monitor your security applications and logs is at a minimum. Which of the following logging procedures would reduce the amount of time examining and analyzing several different logs?
A. Disabling logging
B. Logging only minor errors
C. Logging only warning and critical errors
D. Enabling verbose logging of all errors
C. To reduce the number of minor and informational messages in the logs, administrators should configure their logging systems to record only warning and critical error messages. This reduces the storage required for logs and the time required to analyze them, because only the most important data is logged. One caveat: security-relevant events such as failed and successful logins are often recorded at the informational level, so audit and authentication logs should keep their own level and retention rather than being filtered by severity along with application logs.
You are auditing a performance log for your web server. Which of the following performance statistics may indicate a security issue?
A. Disk space free at 70 percent
B. Memory usage at 45 percent on average
C. CPU usage at 99 percent 75 percent of the time
D. Network bandwidth usage at 50 percent on average
C. A system running with its CPU at 99 percent for a long period of time can indicate that an anomalous process (such as a virus, Trojan horse, worm, or cryptominer) is driving CPU usage well beyond the normal operating baseline. The other figures are within ordinary ranges for a healthy server; what makes CPU stand out is that it is sustained at saturation, not that it spiked once.
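The three cards above describe the same workflow: collect CPU, memory, and network data for a full week, turn that into a baseline, and then flag readings that pass the baseline's thresholds. The following Python is an added example written for this page, not code from the original flashcards or from any monitoring product. The week of hourly CPU samples is constructed with a fixed seed (a fictional database server that runs hot during weekday working hours and near idle at night and on weekends), and the 3-sigma rule, the per-hour/weekday-weekend buckets, and the sigma floor are the author's own choices, not something the cards prescribe.

```python
import math
import random
from collections import defaultdict

# Constructed data: one week of hourly CPU samples (percent) for a fictional
# database server, generated with a fixed seed. Weekday working hours run hot,
# nights and weekends run near idle. Nothing here comes from a real system.
def generate_week(seed: int = 7) -> list[tuple[int, int, float]]:
    rng = random.Random(seed)
    samples = []
    for day in range(7):                     # 0 = Monday ... 6 = Sunday
        for hour in range(24):
            busy = day < 5 and 9 <= hour < 18
            expected = 55.0 if busy else 15.0
            cpu = min(100.0, max(0.0, rng.gauss(expected, 6.0)))
            samples.append((day, hour, cpu))
    return samples

def slot(day: int, hour: int) -> tuple[bool, int]:
    """Baseline bucket: weekend-or-weekday plus hour of day (48 slots)."""
    return (day >= 5, hour)

def build_baseline(samples):
    """Per-slot mean and population standard deviation of CPU usage.
    With one week of data a weekend slot holds only two samples, so sigma
    can be tiny or zero; is_anomalous() applies a floor to compensate."""
    buckets = defaultdict(list)
    for day, hour, cpu in samples:
        buckets[slot(day, hour)].append(cpu)
    baseline = {}
    for key, values in buckets.items():
        mean = sum(values) / len(values)
        sigma = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))
        baseline[key] = (mean, sigma)
    return baseline

def is_anomalous(baseline, day, hour, cpu, z=3.0, sigma_floor=5.0):
    """True if cpu exceeds mean + z*sigma for the matching slot, False if it
    is within the baseline, and None if the baseline has no data for that
    slot (which is what happens when the baseline was sampled only during
    working hours, the mistake the first card warns against)."""
    stats = baseline.get(slot(day, hour))
    if stats is None:
        return None
    mean, sigma = stats
    return cpu > mean + z * max(sigma, sigma_floor)

if __name__ == "__main__":
    week = generate_week()
    full = build_baseline(week)
    working_hours_only = [s for s in week if s[0] < 5 and 9 <= s[1] < 18]
    partial = build_baseline(working_hours_only)
    print("weekday 10:00 at 55%:", is_anomalous(full, 1, 10, 55.0))       # False
    print("weekday 10:00 at 99%:", is_anomalous(full, 1, 10, 99.0))       # True
    print("Sunday  10:00 at 75%:", is_anomalous(full, 6, 10, 75.0))       # True
    print("Sunday  03:00, working-hours baseline:",
          is_anomalous(partial, 6, 3, 20.0))                              # None
```

The same 75 percent reading is normal on a weekday morning and anomalous on a Sunday, which is why the baseline is keyed by time slot rather than being a single server-wide average; and the working-hours-only baseline simply cannot judge a 3 a.m. reading, which is the practical consequence of sampling for a few hours instead of a full week.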
During routine examination of the firewall logs, you notice that a specific host is attempting to connect to the same internal IP address starting at port 1 and continuing to port 65535. Of which of the following could this be evidence?
A. A ping sweep of a server on your network
B. Port scanning of a server on your network
C. Normal behavior for network diagnostics
D. DNS requests for name resolution
B. A single host probing one server across the entire TCP port range (1 to 65535) is the classic footprint of a port scanner being used to determine which services are running and which ports are open. A ping sweep, by contrast, sends ICMP echo requests to many addresses rather than many ports on one address. A malicious actor is likely mapping the server for vulnerabilities before attacking it.
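The distinction the card draws (many ports on one host versus many hosts from one source) is easy to turn into a log check. The Python below is an added example for this page, not code from the original flashcards or from any firewall vendor. The log lines are constructed in a simplified iptables-like key=value style (SRC, DST, PROTO, DPT), the addresses are from the documentation ranges 203.0.113.0/24, 198.51.100.0/24, and 10.10.0.0/16, and the thresholds of 50 distinct ports and 20 distinct hosts are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Matches the constructed key=value log style used below; DPT is absent on
# ICMP lines, so it is optional.
LINE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: DPT=(\d+))?")

def parse(line):
    """Return (src, dst, proto, dpt) or None for lines we do not understand."""
    m = LINE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return src, dst, proto, int(dpt) if dpt else None

def analyse(lines, port_scan_threshold=50, ping_sweep_threshold=20):
    """Flag port scans (one src -> one dst, many distinct ports) and ping
    sweeps (one src -> many dsts via ICMP). Thresholds are assumptions."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct TCP/UDP dst ports
    hosts_by_src = defaultdict(set)    # src -> distinct ICMP targets
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, dpt = rec
        if proto in ("TCP", "UDP") and dpt is not None:
            ports_by_pair[(src, dst)].add(dpt)
        elif proto == "ICMP":
            hosts_by_src[src].add(dst)

    findings = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_scan_threshold:
            findings.append({"type": "port_scan", "src": src, "dst": dst,
                             "count": len(ports), "ports": (min(ports), max(ports))})
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= ping_sweep_threshold:
            findings.append({"type": "ping_sweep", "src": src, "dst": None,
                             "count": len(hosts), "ports": None})
    return findings

def constructed_log():
    """Constructed sample log: normal HTTPS clients, a port scan of one
    internal host over ports 1-300, and an ICMP sweep of 40 addresses."""
    lines = []
    for i in range(1, 6):
        lines.append(f"fw kernel: IN=eth0 SRC=198.51.100.{i} DST=10.10.1.5 PROTO=TCP DPT=443")
    for port in range(1, 301):
        lines.append(f"fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.10.1.5 PROTO=TCP DPT={port}")
    for host in range(1, 41):
        lines.append(f"fw kernel: IN=eth0 SRC=203.0.113.9 DST=10.10.0.{host} PROTO=ICMP TYPE=8")
    return lines

if __name__ == "__main__":
    for f in analyse(constructed_log()):
        print(f)
```

Counting distinct destination ports rather than raw connection attempts is what keeps a busy legitimate client (many connections to 443) from tripping the port-scan rule. A production detector would also bucket by time so that a slow scan spread over days is still caught without the sets growing without bound.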
It has come to your attention that a confidential file was accessed without proper authorization. Which of the following logs would you examine to find out which users were logged in during the time the issue occurred?
A. Access log
B. DNS log
C. Performance log
D. Firewall log
A. Access logs provide valuable audit tools because they provide information about when a specific user has logged in to or out of the network. If security anomalies occur during a certain time period, you might be able to narrow down which users were logged in at the time of the incident.
After a security audit, which of the following items would not be considered anomalous behavior?
A. Several unsuccessful attempts to log in as the administrator
B. A ping sweep on the firewall for the IP range 10.10.0.0 to 10.10.255.255
C. Error messages in the system’s log that indicate excessive disk usage
D. A member of the sales group accessing the sales shared file directory
D. A member of a group accessing the shared files for the group to which she belongs does not constitute anomalous behavior; however, ping sweeps against the firewall, disk error messages in the system’s log, and several attempts to access the administrator account are all security issues that should be carefully examined.
You are performing an audit of a file server security log. Which of the following entries would be considered a possible security threat?
A. Five failed login attempts for a user
B. Two successful logins with the administrator account
C. A 500K print job sent to a printer
D. Three new files saved in the accounting folder by user finance
A. A run of unsuccessful logins for a specific user is unusual. Either the user has forgotten the password, or someone is trying to guess it to break into the account. Successful administrator logins, print jobs, and new files in a folder the user is entitled to write to are all routine activity.
Which of the following aspects of vulnerability and threat assessment has a greater bearing on the allocation and budgeting for solutions and countermeasures?
A. The likelihood and impact of the threat
B. The risk of a threat compromising a vulnerability
C. Whether the vulnerability is physical or nonphysical
D. The nature of the threat
A. By assessing the likelihood and impact of a threat, you can allocate solutions for mitigation based on their impact and probability of occurrence. You will not spend money on countermeasures for a threat that is not likely to occur or has minimal impact.
Which of the following is the most dangerous threat to a fault-redundant file server located on the network administrator’s desk and fully secured with an antivirus program, strict authentication, and access controls?
A. Equipment failure
B. Virus
C. Hacking
D. Theft
D. Because the file server is not kept in a physically secured location, anyone walking past the administrator's desk could take it. The redundancy covers equipment failure, and the antivirus, authentication, and access controls address virus and hacking threats, but none of these does anything against physical theft of the whole machine and its disks.
You are designing a new web application service for your company. After an initial design review, it is discovered that a number of attack surfaces have been revealed that go well beyond the initial baseline proposed for the application, including unneeded network services that are enabled. What should you do?
A. Rework the initial baseline.
B. Perform a black box test.
C. Reduce attack surfaces by removing unneeded services from the design.
D. Reduce the attack surfaces during actual coding.
C. If you discover a number of additional attack surfaces in your software design, you should review them and, if they are not required by the application, remove the services from your initial design. If you wait until the coding stage, it may be too late to undo work that could break other parts of your application.
You are testing a new software application developed by your company. After extensive internal vulnerability testing, you want to simulate the end user experience and test with someone who has never used the product before. Which method of testing do you use?
A. Gray box
B. Open box
C. White box
D. Black box
D. Black box testing simulates an attacker or user who has no knowledge of the product's internal design, source code, or architecture, so it is the method that matches testing with someone who has never used the product. The goal is to find security issues and vulnerabilities from an objective, unprivileged viewpoint, complementing the internal (white box) testing already performed.
The systems on your network run primarily on Microsoft Windows operating systems, but you have a legacy Unix server that you use for authentication for your development group. Which of the following security controls provides access-control protection for a Unix password database?
A. Salting
B. LANMAN hash
C. Shadow password file
D. Minimum password lengths
C. Unix-based systems protect their hashed password databases with a shadow password file. The hashes are removed from the world-readable main password database (/etc/passwd, where the password field is replaced with an "x") and stored in /etc/shadow, which on most Linux distributions is readable only by root and the shadow group. Salting and minimum lengths harden the hashes themselves; the shadow file is the access control that keeps them out of unprivileged users' reach.
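A practitioner auditing a legacy Unix host wants to confirm three things the card implies: that no hashes still live in the world-readable passwd file, that no shadow entry has an empty password field, and that the shadow file itself is not readable by others. The Python below is an added example for this page, not code from the original flashcards or from any operating system's tooling. Both files are constructed in a temporary directory using the standard passwd (7-field) and shadow (9-field) layouts; the hash strings are fake placeholders in the `$6$salt$hash` shape, not real crypt output, and the account names are invented.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd: "legacy" still carries its hash in field 2 instead
# of the "x" that defers to the shadow file. Hashes are fake placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
dev:x:1001:1001:Developer:/home/dev:/bin/bash
legacy:$6$saltsalt$fakehashleftinpasswd:1002:1002:Old account:/home/legacy:/bin/sh
svc:x:1003:1003:Service:/var/svc:/usr/sbin/nologin
"""

# Constructed /etc/shadow: "guest" has an empty password field, "svc" is
# locked with "*" (normal for service accounts).
SHADOW = """root:$6$saltsalt$fakehashforroot:19700:0:99999:7:::
dev:$6$saltsalt$fakehashfordev:19700:0:99999:7:::
svc:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""

def parse_colon_file(text):
    """Yield (name, fields) for each non-empty, non-comment line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        yield fields[0], fields

def audit(passwd_text, shadow_text, shadow_mode):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    for name, f in parse_colon_file(passwd_text):
        if f[1] != "x":
            findings.append(f"{name}: password hash stored in world-readable passwd")
    for name, f in parse_colon_file(shadow_text):
        if f[1] == "":
            findings.append(f"{name}: empty password field (login without a password)")
    if shadow_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("shadow: file is readable or writable by others")
    return findings

def audit_files(passwd_path, shadow_path):
    """Audit real files on disk; st_mode supplies the permission bits."""
    with open(passwd_path) as p, open(shadow_path) as s:
        return audit(p.read(), s.read(), os.stat(shadow_path).st_mode)

def write_demo_files(shadow_mode):
    """Write the constructed files to a temp dir with the given shadow mode.
    Returns (passwd_path, shadow_path)."""
    d = tempfile.mkdtemp(prefix="shadow-audit-")
    passwd_path = os.path.join(d, "passwd")
    shadow_path = os.path.join(d, "shadow")
    with open(passwd_path, "w") as f:
        f.write(PASSWD)
    with open(shadow_path, "w") as f:
        f.write(SHADOW)
    os.chmod(shadow_path, shadow_mode)   # explicit mode, unaffected by umask
    return passwd_path, shadow_path

if __name__ == "__main__":
    for mode in (0o644, 0o640):
        print(f"shadow mode {mode:o}:")
        for finding in audit_files(*write_demo_files(mode)):
            print("  ", finding)
```

With the shadow file at 0644 the audit reports three findings (the hash in passwd, the passwordless guest account, and the world-readable file); at 0640 only the two content problems remain. Locked accounts marked `*` or `!` are deliberately not flagged, since that is how service accounts are supposed to look.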
Your intrusion detection system has detected a number of attempts at brute-force password attacks against your authentication server. Which of the following would be the most effective countermeasure against future password attacks?
A. Allowing dictionary words as passwords
B. Minimum password lengths
C. A login lockout policy
D. Firewall rules
C. A brute-force attack tries many permutations of password characters in an attempt to guess the password. By limiting the number of incorrect logins (for example, three to five attempts), the system automatically locks the account and stops any further guessing against it. Minimum lengths help, but only a lockout policy actually halts the attack in progress. Be aware that lockout has a side effect: an attacker who knows valid usernames can deliberately lock out legitimate users, so pair it with a finite lockout duration or progressive delays, per-source rate limiting, and alerting on lockout events.
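The lockout policy above, and the "five failed logins for one user" signal from the file-server audit card earlier, are the same counter viewed from two sides: one enforces, the other detects. The Python below is an added example for this page, not code from the original flashcards or from any authentication product. The sliding window of 300 seconds, the 5-attempt limit, the 900-second lockout, and the constructed `ts=... user=... result=...` audit-log format are assumptions chosen for illustration.

```python
from collections import deque

class LockoutPolicy:
    """Lock an account after max_failures failed logins inside a sliding
    window of `window` seconds; keep it locked for `lockout` seconds.
    A successful login clears the failure history. Time is passed in
    explicitly so the policy is deterministic and testable."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}       # user -> deque of failure timestamps
        self._locked_until = {}   # user -> unlock time

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:          # lockout expired
            del self._locked_until[user]
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok', or 'failed'. Note that a correct password
        during a lockout is still refused; that is the deliberate trade-off
        (and the denial-of-service surface) of account lockout."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"

def constructed_audit_log():
    """Constructed audit lines: five quick failures for 'finance', a normal
    login for 'dev', and one stray failure for 'dev'."""
    lines = [f"ts={t} user=finance result=FAIL" for t in range(5)]
    lines += ["ts=7 user=dev result=FAIL", "ts=9 user=dev result=OK",
              "ts=12 user=finance result=OK"]
    return lines

def locked_users(lines, policy=None):
    """Replay an audit log through the policy (detection side) and return
    the set of users that would have been locked out."""
    policy = policy or LockoutPolicy()
    locked = set()
    for line in lines:
        kv = dict(part.split("=", 1) for part in line.split())
        outcome = policy.attempt(kv["user"], kv["result"] == "OK", int(kv["ts"]))
        if outcome == "locked":
            locked.add(kv["user"])
    return locked

if __name__ == "__main__":
    print(locked_users(constructed_audit_log()))   # {'finance'}
```

Replaying the log through the same class means the detection threshold and the enforcement threshold cannot drift apart. Note that the `finance` login at ts=12 with a correct password is refused because the account is already locked, which is exactly what the auditor in the earlier card should expect to see after five failures.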
A port scanner has reported that your web server running with a supporting SQL database is listening and responding on TCP ports 80, 443, 21, and 1433. Which of these ports is unnecessary and should be closed to prevent hacking attempts?
A. 80
B. 21
C. 1433
D. 443
B. Port 21 is used by FTP, which is not required for a web/database server. That service and port should be disabled so attackers cannot connect to the server via FTP, a protocol that also sends credentials in clear text. Ports 80 and 443 are used by HTTP and HTTPS, respectively, and port 1433 is used by Microsoft SQL Server. In practice, 1433 should be reachable only from the web tier or management network, not from the Internet, even though it is necessary for the database.
You are performing a vulnerability assessment for a web server. Which of the following web server characteristics would be detected as a risk by a vulnerability scanner?
A. Operating system not updated to latest patch level
B. HTTPS server listening on port 443
C. Network packets being sent in clear text
D. HTTP server listening on port 80
A. A vulnerability scanner is designed to scan a system and determine which services it is running, whether any unnecessary network ports are open, and whether the operating system and applications are missing patches. In this case, HTTP listening on port 80 and HTTPS listening on port 443 are normal operating parameters for a web server. HTTP traffic on port 80 is sent in clear text by design; only HTTPS on port 443 is encrypted. The vulnerability scanner will detect that the system is not running the latest operating system patches and advise you to update the system.
After a security audit and vulnerability assessment, several servers required software patches, and unused open network ports needed to be disabled. Which of the following should be performed after these vulnerabilities are fixed to ensure that the countermeasures are secure against a real attack?
A. Advertise the system’s IP address publicly.
B. Put systems back into live production.
C. Perform additional port scanning.
D. Perform penetration testing.
D. Penetration testing evaluates the security of a network or computer system by simulating an actual attack. Additional port scanning would only confirm that the ports are closed; a penetration test checks whether the patched and hardened systems actually resist an attacker, which is the real measure of the countermeasures applied after the vulnerability assessment.
New management has decided to test the security of the existing network infrastructure implemented by the current network administrators. Which of the following should be performed to provide the most objective and useful test of your security controls?
A. Hire a real hacker to attack the network.
B. Perform third-party penetration testing.
C. Perform penetration testing by the network administrators.
D. Initiate an external denial-of-service attack.
B. Penetration tests are most objective when performed by an independent third party that is authorized by upper management, in some cases without the network administrators' knowledge, so that the administrators who built the controls are not the ones grading them. This keeps the scenario as close to a real, unexpected attack as possible and produces a detailed analysis of existing vulnerabilities. Hiring an unvetted "real hacker" or launching a denial-of-service attack adds risk without adding objectivity, and the test must still be scoped and authorized in writing.