Understanding Mitigation Techniques Flashcards
Constantly scanning the network for possible break-ins is an example of what kind of intruder detection?
Active
Logging all network events to a file
Examining files and calculating checksums for each
are examples of what type of intruder detection?
Passive
NetRanger, Session and Snort are forms of what?
Active-Intrusion Detection Software
Is the list below an example of reactive or proactive defence?
1) stay current, patch security holes
2) know your enemies’ strategies
3) use tools to protect your network against attack
Proactive
With what process are the first three steps below associated?
1) Detect the ?
2) Respond to it
3) Report it
? = incident
The Incident Response process
What is eDiscovery?
The exchange of evidence by both sides in a lawsuit using electronic means
In digital-forensic investigations, what is the name of the records that show who controlled, secured and obtained the evidence?
Chain of Custody records
In digital-forensics investigations, what report contains the below two pieces of information?
1) time stamps and identification properties
2) full incident reconstruction
Forensics Report
What is suspended during a Legal Hold?
Normal processing of data
In PKI, either the public or the private key can be used to encrypt the data: TRUE or FALSE?
TRUE.
The most common way is that the private key encrypts and everyone else, holding the public key, can decrypt. This verifies that the information came from the sender, and the data is considered signed.
SSH requires a certificate authority, TRUE or FALSE?
FALSE.
What would you do to mitigate against VLAN hopping or DTP (Dynamic Trunking Protocol) attacks?
Change the default VLAN number
Setting the root bridge's priority to zero helps mitigate what kind of attack/threat? Why?
Rogue Switch attack
Why? Because the root bridge is elected based on MAC address and priority, setting the priority to zero prevents an attacker from connecting a switch and configuring it with a very low priority.
Apart from using Flood Guard, what manual intervention can prevent a MAC flooding attack against the Content Addressable Memory (CAM, the MAC table) in a switch?
*If the CAM table is exhausted, the switch forwards frames out of all ports, allowing the attacker to capture traffic for all hosts.
Limit the number of MAC addresses that can be associated with each user-facing port to two (one for the computer, one for the IP phone).
What is an STP switching attack and how can it be mitigated?
Where an attacker connects their rogue switch that has an extremely low priority to the company’s switch. Because of the low priority, it forces their switch to be elected the new root bridge, thereby moving all traffic through their switch.
It can be prevented using BPDU Guard (or Root Guard). BPDU Guard places the switch port into a disabled state if BPDUs are detected on that port.
*BPDU Guard is never implemented on trunk ports, because BPDUs are only permitted on trunk ports.