Understanding Mitigation Techniques Flashcards
Constantly scanning the network for possible break-ins is an example of what kind of intruder detection?
Active
Logging all network events to a file, and examining files and calculating a checksum for each, are examples of what type of intruder detection?
Passive
NetRanger, Session and Snort are forms of what?
Active intrusion detection software
Are the items below examples of reactive or proactive defence?
1) stay current, patch security holes
2) know your enemies' strategies
3) use tools to protect your network against attack
Proactive
The three steps below are the first steps of what process?
1) Detect the ?
2) Respond to it
3) Report it
? = incident
The Incident Response process
What is eDiscovery?
The exchange of evidence between the parties to a lawsuit in electronic form.
In digital-forensic investigations, what is the name of the records that show who controlled, secured and obtained the evidence?
Chain of Custody records
In digital-forensics investigations, what report contains the below two pieces of information?
1) time stamps and identification properties
2) full incident reconstruction
Forensics Report
What is suspended during a Legal Hold?
Routine processing of the data, in particular its scheduled deletion or modification under normal retention policies; the data must be preserved unchanged until the hold is lifted.
In PKI, either the public or the private key can be used to encrypt data - TRUE or FALSE?
TRUE.
Which key is used depends on the goal. Encrypting with the recipient's public key gives confidentiality: only the holder of the matching private key can decrypt. Encrypting with the sender's private key gives authenticity: anyone holding the public key can decrypt (verify) it, which proves the data came from the sender, so the data is considered signed. In practice a signature is made over a hash of the data rather than the data itself.
SSH requires a certificate authority, TRUE or FALSE?
FALSE. SSH authenticates hosts with plain public host keys that the client pins on first connection (the known_hosts file); no certificate authority is involved, although OpenSSH can optionally use its own certificate format.
What would you do to mitigate VLAN hopping or DTP (Dynamic Trunking Protocol) attacks?
Disable DTP on every user-facing port by configuring it statically as an access port so it never negotiates a trunk, and move the native VLAN on trunk ports off the default VLAN 1 to an unused VLAN so that double-tagged frames are not forwarded.
Setting the root bridge's priority to zero helps mitigate against what kind of attack/threat? Why?
Rogue switch attack
Why? - The root bridge is the switch with the lowest bridge ID, which is compared by priority first and MAC address second. Zero is the lowest configurable priority, so a rogue switch cannot advertise a lower one. This is only a partial defence: an attacker who also sets priority 0 can still win the tiebreak with a lower MAC address, so Root Guard is needed as well.
Apart from using a flood guard, what manual intervention prevents a MAC flooding attack against a switch's Content Addressable Memory (CAM, the MAC address table)?
*If the CAM table is exhausted the switch can no longer learn new addresses, so it floods frames for unknown destinations out of every port like a hub, letting the attacker capture other hosts' traffic.
Use port security to limit the number of MAC addresses that may be learned on each user-facing port, typically two (one for the computer, one for the IP phone), and shut down or restrict the port when the limit is exceeded.
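The two effects described above, as an added example that is not part of the original flashcards: a small model of a switch's CAM table showing that once the table is full, traffic between two other hosts is flooded to the attacker's port, and that a per-port limit of two MAC addresses (port security in shutdown mode) stops the flood before the table fills. The CAM capacity, port names and MAC addresses are invented for the demo.

```python
import random
from typing import Dict, Optional, Set

# Added example, not from the flashcards: a tiny model of a switch's CAM table
# showing why exhausting it turns the switch into a hub, and how a per-port
# MAC limit (port security, maximum 2) stops the flood. Capacities, ports and
# MAC addresses are invented for the demo.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, cam_capacity: int, max_macs_per_port: Optional[int] = None):
        self.cam: Dict[str, str] = {}               # learned MAC -> ingress port
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.err_disabled: Set[str] = set()

    def _macs_on_port(self, port: str) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, src: str, dst: str, in_port: str, all_ports: Set[str]) -> Set[str]:
        """Learn the source MAC, then return the set of egress ports for the frame."""
        if in_port in self.err_disabled:
            return set()                              # port was shut down by a violation
        if src not in self.cam:
            limit = self.max_macs_per_port
            if limit is not None and self._macs_on_port(in_port) >= limit:
                self.err_disabled.add(in_port)        # port-security violation mode "shutdown"
                return set()
            if len(self.cam) < self.cam_capacity:     # a full CAM simply stops learning
                self.cam[src] = in_port
        if dst != BROADCAST and dst in self.cam:
            return {self.cam[dst]}                    # known unicast: exactly one port
        return all_ports - {in_port} - self.err_disabled  # unknown unicast/broadcast: flood


def run_flood(protected: bool) -> dict:
    """Attacker on Gi1/0/3 sends 200 frames with bogus source MACs, then two victims talk."""
    ports = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3"}
    victim_a, victim_b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    sw = Switch(cam_capacity=128, max_macs_per_port=2 if protected else None)
    rng = random.Random(7)                            # deterministic bogus addresses
    for _ in range(200):
        bogus = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.forward(bogus, BROADCAST, "Gi1/0/3", ports)
    sw.forward(victim_a, victim_b, "Gi1/0/1", ports)  # A -> B (B unknown yet, flooded either way)
    sw.forward(victim_b, victim_a, "Gi1/0/2", ports)  # B -> A
    third = sw.forward(victim_a, victim_b, "Gi1/0/1", ports)  # A -> B again
    return {
        "cam_entries": len(sw.cam),
        "attacker_port_disabled": "Gi1/0/3" in sw.err_disabled,
        "egress_for_a_to_b": third,
    }


if __name__ == "__main__":
    print("unprotected:", run_flood(protected=False))
    print("protected:  ", run_flood(protected=True))
```

Without port security the table holds only the attacker's 128 bogus entries, the victims are never learned, and the third frame is still flooded to Gi1/0/3. With a limit of two MACs per port the attacker's port is err-disabled on its third address, the victims are learned normally, and A's frame to B leaves only on Gi1/0/2.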
What is an STP switching attack and how can it be mitigated?
An attacker connects a rogue switch configured with a very low bridge priority to the company network. The low priority makes it win the root bridge election, so inter-switch traffic is re-routed through the attacker's switch, where it can be captured or disrupted.
It can be prevented with BPDU Guard or Root Guard. BPDU Guard puts a host-facing (PortFast) port into the err-disabled state as soon as any BPDU is received on it. Root Guard puts a port into the root-inconsistent (blocking) state if it receives a BPDU claiming a better root than the current one, and recovers automatically once those BPDUs stop.
*BPDU Guard is not applied to trunk or inter-switch ports, because legitimate BPDUs must flow there; it belongs on access ports facing end devices, where no BPDU should ever appear.
What Cisco switch features protect against the introduction of a rogue switch with a lower bridge priority?
Root Guard
BPDU guard
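The root bridge election and the two guards from the preceding cards, as an added example that is not part of the original flashcards: bridge IDs are compared by priority first and MAC second, which shows why priority 0 on the intended root stops a rogue using 4096 but not a rogue that also uses 0 with a lower MAC, and how a Root Guard port and a BPDU Guard port each react to that rogue's BPDU. Switch names, MAC addresses and port names are invented.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Added example, not from the flashcards: a model of the STP root-bridge
# election (lowest bridge ID wins: priority first, MAC as tiebreak) showing
# why priority 0 on the intended root is only a partial defence against a
# rogue switch, and how Root Guard and BPDU Guard react. Switch names, MACs
# and port names are invented.


def bridge_id(priority: int, mac: str) -> Tuple[int, int]:
    """Bridge ID as a comparable tuple. Real bridge IDs add the VLAN number
    (extended system ID) to the priority; that does not change the ordering
    within one VLAN, so it is omitted here."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority, int(mac.replace(":", ""), 16))


@dataclass
class Switch:
    name: str
    priority: int
    mac: str
    root_guard_ports: Set[str] = field(default_factory=set)  # may never learn a better root
    bpdu_guard_ports: Set[str] = field(default_factory=set)  # may never receive any BPDU

    @property
    def bid(self) -> Tuple[int, int]:
        return bridge_id(self.priority, self.mac)


def elect_root(switches: List[Switch]) -> str:
    """Name of the switch with the lowest bridge ID."""
    return min(switches, key=lambda s: s.bid).name


def receive_bpdu(listener: Switch, port: str, claimed_root: Switch, current_root: Switch) -> str:
    """How a guarded port handles an incoming BPDU. 'err-disabled' and
    'root-inconsistent' mean the port was blocked; 'accepted' means the BPDU
    takes part in the election as normal."""
    if port in listener.bpdu_guard_ports:
        return "err-disabled"            # BPDU Guard: any BPDU on an access port shuts it
    if port in listener.root_guard_ports and claimed_root.bid < current_root.bid:
        return "root-inconsistent"       # Root Guard: a superior BPDU is blocked, not learned
    return "accepted"


CORE = Switch("core", 0, "00:1a:2b:00:00:01")
ACCESS = Switch("access", 32768, "00:1a:2b:00:00:02",
                root_guard_ports={"Gi1/0/7"}, bpdu_guard_ports={"Gi1/0/8"})
ROGUE_LOW_PRIO = Switch("rogue", 4096, "00:de:ad:be:ef:00")
ROGUE_ZERO_LOW_MAC = Switch("rogue", 0, "00:00:00:00:00:01")


def unhardened_election() -> str:
    """Core left at the default priority 32768: the rogue's 4096 wins."""
    default_core = Switch("core", 32768, CORE.mac)
    return elect_root([default_core, ACCESS, ROGUE_LOW_PRIO])


def priority_zero_election() -> str:
    """Core at priority 0: the rogue's 4096 can no longer beat it."""
    return elect_root([CORE, ACCESS, ROGUE_LOW_PRIO])


def priority_zero_tie_election() -> str:
    """Rogue also uses 0 and has a numerically lower MAC: the tiebreak goes to it."""
    return elect_root([CORE, ACCESS, ROGUE_ZERO_LOW_MAC])


def guarded_ports() -> Tuple[str, str]:
    """The same rogue BPDU arriving on a Root Guard port and on a BPDU Guard port."""
    return (receive_bpdu(ACCESS, "Gi1/0/7", ROGUE_ZERO_LOW_MAC, CORE),
            receive_bpdu(ACCESS, "Gi1/0/8", ROGUE_ZERO_LOW_MAC, CORE))


if __name__ == "__main__":
    print(unhardened_election(), priority_zero_election(), priority_zero_tie_election())
    print(guarded_ports())
```

The three elections print rogue, core, rogue in turn: lowering the core's priority to 0 defeats a rogue that merely uses a low priority, but not one that matches 0 and wins on MAC. Only the guards stop that last case, which is why the cards list them as the actual protection.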
What Cisco switch feature lets you configure 'trusted ports', the only ports from which DHCP server messages are forwarded? What type of attack does this prevent?
The feature is DHCP snooping. It prevents a rogue DHCP server (DHCP spoofing) on an untrusted port from handing out leases, because OFFER and ACK messages are forwarded only when they arrive on a trusted port.
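The per-message decision DHCP snooping makes, as an added example that is not part of the original flashcards. Beyond the trusted-port rule on the card it also models two checks the Cisco feature performs on untrusted ports: the DHCP client hardware address (chaddr) must match the frame's source MAC, and a per-port rate limit err-disables a port that sends too many DHCP messages. Port names, MAC addresses and the limit value are invented for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example, not from the flashcards: the forwarding decision DHCP snooping
# makes for each DHCP message. Server replies are forwarded only from trusted
# ports; client messages from untrusted ports must carry a chaddr matching the
# frame's source MAC; a per-port rate limit err-disables a chatty port.
# Port names, MACs and the limit are invented for the demo.

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


@dataclass(frozen=True)
class DhcpFrame:
    msg_type: str
    src_mac: str   # Ethernet source address
    chaddr: str    # client hardware address inside the DHCP payload
    in_port: str


class DhcpSnooping:
    def __init__(self, trusted_ports: Set[str], rate_limit: int):
        self.trusted = trusted_ports
        self.rate_limit = rate_limit           # max client messages per port per interval
        self.counts: Dict[str, int] = {}
        self.err_disabled: Set[str] = set()

    def decide(self, f: DhcpFrame) -> str:
        if f.in_port in self.err_disabled:
            return "drop: port err-disabled"
        if f.in_port in self.trusted:
            return "forward"                   # real server / uplink ports are not inspected
        if f.msg_type in SERVER_MSGS:
            return "drop: server message on untrusted port (rogue DHCP server)"
        if f.msg_type in CLIENT_MSGS and f.src_mac != f.chaddr:
            return "drop: chaddr does not match source MAC"
        self.counts[f.in_port] = self.counts.get(f.in_port, 0) + 1
        if self.counts[f.in_port] > self.rate_limit:
            self.err_disabled.add(f.in_port)
            return "drop: rate limit exceeded, port err-disabled"
        return "forward"


def run_demo() -> List[str]:
    """Constructed traffic: the real server on the trusted uplink, a normal client,
    a rogue server and a client that spoofs chaddr and then floods DISCOVERs."""
    snoop = DhcpSnooping(trusted_ports={"Gi1/0/48"}, rate_limit=3)
    client, rogue, spoofer = "Gi1/0/5", "Gi1/0/9", "Gi1/0/12"
    frames = [
        DhcpFrame("DISCOVER", "00:aa:00:00:00:05", "00:aa:00:00:00:05", client),
        DhcpFrame("OFFER", "00:50:56:00:00:01", "00:aa:00:00:00:05", "Gi1/0/48"),
        DhcpFrame("OFFER", "00:bb:00:00:00:09", "00:aa:00:00:00:05", rogue),
        DhcpFrame("DISCOVER", "00:cc:00:00:00:12", "00:11:11:11:11:11", spoofer),
    ] + [DhcpFrame("DISCOVER", "00:cc:00:00:00:12", "00:cc:00:00:00:12", spoofer)] * 4
    return [snoop.decide(f) for f in frames]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The legitimate exchange (client DISCOVER, server OFFER on the trusted uplink) is forwarded; the rogue OFFER and the spoofed DISCOVER are dropped; the spoofer's fourth well-formed DISCOVER trips the rate limit and the port is err-disabled.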
Name the two file integrity monitoring tools used on Windows and Unix. What broader category of system do they belong to?
System File Checker (sfc) - Windows
Tripwire - Unix/Linux
Both are forms of HIDS (host-based intrusion detection systems).
What type of administrative role separation allows a normal user to be granted the local administrator role on a server without being granted the Domain Administrator role?
Administrator Role Separation on a Read-Only Domain Controller (RODC)
What is an open relay?
An open relay is an email (SMTP) server that accepts and forwards mail from any sender to any destination, not just for its own users or domains. It should be restricted to authenticated users and local domains, because spammers abuse open relays to send mail anonymously.
The steps below are the last three of the six steps of what process?
4) Recover
5) Remediate all affected components to ensure all traces of the ? have been removed
6) Review the ? and document the findings
? = incident
The incident response process
System File Checker and Tripwire are examples of network-based intrusion detection systems - true or false?
False - they're examples of host-based intrusion detection systems (HIDS).