Vol 2 Part 2: Security Services

Question 1

THIS is anything that can be considered a weakness that can compromise something else

Answer 1

A Vulnerability

Question 2

THIS is a means of taking advantage of a vulnerability to compromise something else

Answer 2

An exploit

Question 3

THIS is the actual potential to use an exploit IOT take advantage of a vulnerability

Answer 3

A threat

Question 4

What do we call the measures we take in order to counteract threats?

Answer 4

Mitigation techniques

Question 5

Spoofing attacks involve an attacker spoofing what two items in order to gain unauthorized access to something?

Answer 5

IP Addresses and MAC addresses

Question 6

This attack refers to an attacker looking to leave server resources depleted and unavailable?

Answer 6

Denial of Service Attack

Question 7

During a DOS attack, the attacker opens up the BLANK connection, and then uses a fake address so that the server continues to send a BLANK expecting a reply of a BLANK

Answer 7

1. TCP Connection
2. SYN,ACK
3. ACK

Question 8

An attacker can use a master computer and take control of other computers during a DOS attack, so that these other computers can take part in the DOS. What are these other computers referred to as, and what kind of attack is this known as?

Answer 8

bots, distributed denial of service (DDoS)

Question 9

During a spoofing attack, the attacker uses a spoofed or “stolen” address. However, a reflection attack uses a BLANK instead of their own.

Answer 9

a legitimate host’s address

Question 10

What kind of attack involves packets being sent to a server and then the server sending a reply to a different host, the target.

Answer 10

Reflection

Question 11

An amplification attack differs from the reflection attack, because in an amplification attack, the attacker uses a protocol or service that does what with respect to the target host?

Answer 11

It sends a large volume of traffic

Question 12

This kind of attack involves an attacker wedging themselves in between the communication path of two systems

Answer 12

Man in the middle

Question 13

During a MitM attack, an attacker could be in between a host and a server without notice. What is this known as?

Answer 13

Eavesdropping

Question 14

During a MitM attacker, the attacker will commonly reply as if it is the device the original host was trying to contact. The attacker sends an ARP reply last so that the ARP table on the source host points to the attacker’s computer. This kind of attack is known as what?

Answer 14

ARP table poisoning

Question 15

What command is used during a reconnaissance attack in order to reveal the owner of the domain and IP address space?

Answer 15

nslookup

Question 16

What two commands are used as a compliment during a reconnaissance attack in order to query DNS information to reveal domain owners, contact info, mail servers, and more?

Answer 16

whois and dig

Question 17

This kind of attack involves sending a large amount of data to a device with the intent to fill up the memory and crashing the device?

Answer 17

Buffer overflow

Question 18

Malicious software is also known as what?

Answer 18

Malware

Question 19

A trojan horse involves the hiding of an executable file within what appears to be legitimate software. When the seemingly legitimate software is installed, the malware is installed as well. What is required in order for this to happen?

Answer 19

The user must open the file or software and execute it

Question 20

This kind of malware propagates between systems more readily and must inject itself into another application, relying on user to transport the software to other victims. What is this malware known as, and how does it differ from a trojan horse?

Answer 20

A virus. It differs from a trojan horse as it is actual code that is hidden inside of software.

Question 21

This kind of malware is self-propagating, replicating itself over and over without any user interaction

Answer 21

Worm

Question 22

This kind of vulnerability is a more drastic approach of phishing. It involves the attacker modifying a DNS entry to a valid link, leading to a victim visiting a site via a link but getting sent to a malicious site instead of the legitimate one.

Answer 22

Pharming

Question 23

Explain the difference between the online and offline attack with regards to password vulnerabilities.

Answer 23

Online involve the attacker trying each time at the login prompt, offline occurs when an attacker obtains the password ahead of time

Question 24

What is AAA and explain what each letter of the abbreviation means.

Answer 24

Authentication- who is the user
Authorization- what can they access or do
Accounting- where have they been and what have they done

Question 25

An effective security program consists of three main items. What are they?

Answer 25

User awareness, user training, physical access control

Question 26

The enable secret command sets a privileged exec credential using a hashing algorithm. What was the old algorithm used and what is currently used?

Answer 26

MD5 (old) SHA-256 (new)

Question 27

What command is used if you want to enable a password using the SHA-256 algorithm? What about the scrypt encryption?

Answer 27

enable algorithm-type sha-256 secret *password* | enable algorithm-type scrypt secret *password*

Question 28

What is used in order to deny host devices outside of an IP range for telnet and SSH into a network device?

Answer 28

Access Control Lists (ACL)

Question 29

Firewalls sit in the forwarding path of all packets for inspection, functioning similarly to an ACL, but they can do much more! What can firewalls do that make them more useful than just an ACL?

Answer 29

- Deeper packet inspection - Intelligent decision making based on data flow with regards to whether or not an attack is on going - Application layer flows to know what TCP and UDP ports are being used by the flow - Can match URI of an HTTP request - Keep state information about each packet for historical analysis (Stateful Firewall)

Question 30

What is utilized in order to define which hosts can initiate connections, ensuring that interfaces reside in these with rules in a firewall defining interaction from one to another?

Answer 30

Security Zones

Question 31

What is utilized in order to allow outsiders to access your public servers but protect your internal users from being accessed?

Answer 31

Demilitarized Zone (DMZ)

Question 32

This device compares packets with its database of exploit signatures to determine if an attack is ongoing

Answer 32

Intrusion Prevention System (IPS)

Question 33

Cisco Next-Generation Firewalls (NGFW) and Next-Generation IPS (NGIPS) rely on identifying *BLANK* instead of just using port numbers in order to observe traffic. It does this by using *BLANK*.

Answer 33

1. the application | 2. Application visibility and control

Question 34

What does advanced malware protection do?

Answer 34

It is a network-based antimalware that runs on the firewall itself

Question 35

What does URL filtering do?

Answer 35

It categorizes URLs and either filters or rate limits the traffic based on rules.

Question 36

What is Cisco Talos Security Group?

Answer 36

It monitors and creates reputation scores of web domains on the internet. NGFWs using URL filtering can utilize these scores in order to filter, categories, and/or rate limit.

Question 37

NGIPS, like a traditional IPS, compares data with exploit signatures, and also uses AVC in order to do deep packet inspection at the application later. What are the 3 other things it can do that make it better than a simple traditional IPS?

Answer 37

1. Contextual Awareness- gathers data from hosts to determine what is on the network and focuses only on the vulnerabilities of those devices 2. Reputation based filtering using Cisco TALOS 3. Event impact level- provides assessments based on impact levels with characterizations as to the impact if an event is indeed an attack.

Question 38

Port security on switches allow engineers to do what?

Answer 38

Lock down ports if the device is known

Question 39

Port security identifies what kind of addresses? How does it get this address?

Answer 39

MAC Addresses. This is based on the source address on received packets inbound to an interface ONLY.

Question 40

What command is used to set the max amount of mac addresses per port? What is the default number of MACs per port?

Answer 40

1. Switchport port-security maximum *number* | 2. Default is 1 MAC per port

Question 41

What command is used to set a static MAC instead of a dynamic one?

Answer 41

Switchport port-security mac-address *MAC ADDRESS*

Question 42

What command is used to enable sticky mac?

Answer 42

Switchport port-security mac-address sticky

Question 43

What is sticky mac?

Answer 43

Sticky mac configures a switch so that it will automatically append the first learned MAC on the port without the need to manually specify a MAC

Question 44

What command is used to show dynamically learned MACs? Why wont ports with port security enabled who up when you run this command?

Answer 44

1. Show mac address-table dynamic | 2. A port with port security is no longer considered dynamically learned

Question 45

What 2 commands can be used to view ports with port security enabled?

Answer 45

Show mac address-table secure | Show mac address-table static

Question 46

What is the default violation mode when a violation is found on a port with port security? What mode will the port be in when you run a show interfaces or show interfaces status command?

Answer 46

Shutdown, err-disabled

Question 47

What commands can be used to do automatic recovery in the event of a violation of port security?

Answer 47

Errdisable recovery cause psecure-violation | Errdisable recovery interval *seconds*