Exam 04 - CYBR 3200
What are the primary and secondary goals of modern proxy servers?
- Speeding up network connections by reducing the load on the web server - Providing security at the application layer - Controlling which websites users are allowed to access
What are the 8 general steps for creating a bastion host? (p. 359)
1. Select a machine with adequate memory and processor speed. 2. Choose and install the OS and any patches or updates. 3. Determine where the bastion host fits in the network configuration. 4. Install the services you want to provide or modify existing services. 5. Remove services and accounts that are not needed. 6. Back up the system and its data, including log files. 7. Conduct a security audit. 8. Connect the system to the network.
What are the characteristics of a corporate phishing e-mail? List three of them. (p. 449-50)
1. The email is unsolicited. 2. The logo and other graphics are copies of corporate images and seem to be legitimate. 3. The message uses a generic greeting instead of the recipient's real name. 4. The message conveys urgency. 5. Personal account information is requested, usually with a request that the information be confirmed. 6. The email contains a link that seems to be a secure HTTPS link. 7. Usually the link to which you are redirected is no longer active after several hours.
What four events occur when one IPsec-compliant computer connects to another? (p.395)
1. The IPsec driver and ISAKMP retrieve the IPsec policy settings. 2. ISAKMP negotiates between the hosts based on their policy settings and builds an SA between them. 3. The Oakley protocol generates a master key to secure IPsec communication. 4. Based on the security policy established for the session, the IPsec driver monitors, filters, and secures the network traffic.
List three of the steps you should take to close potential holes against SQL injection attacks. (p. 448-449)
1. Tighten database authentication and limit table access. Always require password access, and never leave the default usernames set up during installation. 2. Use stored procedures to eliminate passing any SQL commands to the database. 3. Validate all user entries to make sure they are formed properly. 4. Place the web server and database server in a network DMZ. 5. Use nonstandard naming conventions in database construction. 6. Configure a custom error message that does not reveal information for attackers to exploit.
A network addressing scheme that allows DNS services to be decentralized among a group of servers, regardless of their location. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
1.anycast addressing
The communication of a zone file from the primary DNS server to secondary DNS servers for updating. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
10.zone transfer
A protocol designed to improve DNS security by using cryptography to ensure DNS integrity and authentication. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
2.DNSSEC
Highly secure public facilities where commercial Internet backbones and ISPs exchange routing and traffic data. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
3.network access points
A variation of phishing that intercepts traffic to a legitimate Web site and redirects it to a phony replica site. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
4.pharming
ISP facilities that provide connectivity to the Internet for business, education, and home users. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
5.POP ISPs
A computing system that is compliant with DNSSEC and that attempts to resolve a fully qualified domain name to an IP address. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
6.security-aware resolver
A variation of phishing directed at specific users instead of using spam e-mail. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
7.spear phishing
A network architecture that divides DNS services between two servers. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
8.split DNS architecture
A network architecture that uses a single DNS domain with a DNS server on the organization's DMZ for Internet services and a DNS server on the internal network for service to internal hosts. Choices: 1.anycast addressing 2.DNSSEC 3.network access points 4.pharming 5.POP ISPs 6.security-aware resolver 7.spear phishing 8.split DNS architecture 9.split brain DNS architecture 10.zone transfer
9.split brain DNS architecture
What is a bastion host and how is one typically configured?
A bastion host is a computer on the network perimeter that has been specifically protected with OS patches, authentication, and encryption. A bastion host is configured on a machine with adequate memory and processor speed, with an appropriate OS that is updated and patched, loaded with the desired services, and with undesired services removed. The bastion host is usually located outside the internal network.
Describe the setup in which a dual-homed host is used. What are the limitations of this configuration?
A dual-homed host is a computer configured with more than one network interface. Dual-homed hosts are often used for firewalls, proxy servers, and packet sniffers. A limitation is that any problem with the host computer weakens the network, because the host serves as a single point of entry.
What is an advantage of Kerberos authentication with respect to password security? (p.405-6)
A major advantage of Kerberos is that passwords are not stored on the system so they cannot be intercepted. A ticket is specific to a user and typically expires after a set period.
How can you harden a DNS server using the split DNS architecture? (p. 455, 462)
A split DNS architecture physically separates public DNS servers from the organization's internal DNS servers. Place the DNS server in the DMZ.
What is a buffer overflow attack? (p.443)
Attackers access the source code of commercial OSs, web servers, or databases and look for weaknesses and errors in that source code, which are the root of buffer overflow attacks. The security problem starts when hackers discover poorly written code that causes buffer overflows and then inject malicious code into this breach.
Which IPsec component authenticates TCP/IP packets to ensure data integrity? (p. 396) Choices: Authentication Header (AH); Encapsulating Security Payload (ESP); IKE; ISAKMP
Authentication Header (AH)
What is the DNS hierarchical system? Include a discussion of root servers in your answer. (p.439-440)
DNS is a hierarchical system. Root servers know which servers on the Internet are responsible for top-level domains. Each top-level domain has its own servers, which delegate responsibility for domain-name-to-IP-address resolution to name servers lower in the hierarchy. There are 13 root servers in the world, named A through M.
Which IPsec component is software that handles the tasks of encrypting, authenticating, decrypting, and checking packets? Choices: ISAKMP; IKE; IPsec driver; Oakley protocol
IPsec driver
Which VPN protocol leverages Web-based applications? Choices: PPTP; L2TP; SSL; IPsec
SSL
Hardware VPNs create a gateway-to-gateway VPN. True or False
True
IPsec has become the standard set of protocols for VPN security. (p. 394) True or False
True
SQL injection attacks are isolated to custom applications, so administrators can prevent them. (p.448) True or False
True
What was created to address the problem of remote clients not meeting an organization's VPN security standards? Choices: split tunneling; VPN quarantine; IPsec filters; GRE isolation
VPN quarantine
Which of the following best describes a DMZ? Choices: a network of computers configured with robust firewall software; a subnet of publicly accessible servers placed outside the internal network; a private subnet that is inaccessible to both the Internet and the company network; a proxy server farm used to protect the identity of internal servers
a subnet of publicly accessible servers placed outside the internal network
Which of the following is an improvement of TLS over SSL? Choices: requires less processing power; uses a single hashing algorithm for all the data; uses only asymmetric encryption; adds a hashed message authentication code
adds a hashed message authentication code
What feature of the 13 DNS root servers enables any group of servers to act as a root server? Choices: multicast addressing; broadcast addressing; anycast addressing; unicast addressing
anycast addressing
DNS _____________ poisoning steers unsuspecting victims to a server of the attacker's choice instead of the intended Web site.
cache
Which of the following is a type of VPN connection? Choices: site-to-server; client-to-site; server-to-client; remote gateway
client-to-site
Network gateways are ____________ of the VPN connection.
endpoints
What is the term used for a computer placed on the network perimeter that is meant to attract attackers? Choices: bastion host; honeypot; proxy decoy; virtual server
honeypot
In a screened ____________ setup, a router is added between the host and the Internet to carry out IP packet filtering.
host
Why is a bastion host the system most likely to be attacked? Choices: it has weak security; it contains company documents; it is available to external users; it contains the default administrator account
it is available to external users
Which of the following is true about the Internet? Choices: it is the same as the World Wide Web; it was established in the mid-1960s; it was developed by a network of banks and businesses; it was originally built on an extended star topology
it was established in the mid-1960s
Which of the following is a disadvantage of using a proxy server? Choices: shields internal host IP addresses; slows Web page access; may require client configuration; can't filter based on packet content
may require client configuration
Which of the following is true about software VPNs? Choices: more cost-effective than hardware VPNs; best when all router and firewall hardware is the same; usually less flexible than hardware VPNs; configuration is easy since there is no OS to rely upon
more cost-effective than hardware VPNs
What type of attack displays false information masquerading as legitimate data? Choices: Java applet; phishing; buffer overflow; SQL injection
phishing
Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address? Choices: one-to-one NAT; port address translation; one-to-many NAT; DMZ proxy translation
port address translation
A _______________ router determines whether to allow or deny packets based on their source and destination IP addresses.
screening
Which of the following is defined as a relationship between two or more entities that describes how they will use the security services to communicate? Choices: pairing; security association; internet key exchange; tunnel
security association
Which of the following is true about a dual-homed host? Choices: serves as a single point of entry to the network; its main objective is to stop worms and viruses; uses a single NIC to manage two network connections; it is used as a remote access server in some configurations
serves as a single point of entry to the network
What makes IP spoofing possible for computers on the Internet? Choices: network address translation; the lack of authentication; the 32-bit address space; the DNS hierarchy
the lack of authentication
Which of the following is true about private IP addresses? Choices: they are assigned by the IANA; they are not routable on the Internet; they are targeted by attackers; NAT was designed to conserve them
they are not routable on the Internet
Which of the following is a top-level digital certificate in the PKI chain? Choices: security-aware resolver; trust anchor; DNSSEC resolver; RRSIG record
trust anchor
Which of the following is NOT a step you should take to prevent attackers from exploiting SQL security holes? Choices: limit table access; use stored procedures; use standard naming conventions; place the database server in a DMZ
use standard naming conventions