Intrusion Detection Systems, IST447 - EDRM Content - Potter B, Network+ 1, Chapter 17, Security+ Chapter 9, Security+ Chapter 13, Computer Security Chapter 13, Chap. 13, CH 13 Intrusion Detection Systems and Network Security CIS 2337 Vocab, Security+...
Select a password that is still relatively easy to remember, but still difficult to "guess."
Selecting a good password for each user account is critical to protecting information systems. How should you select a good password? - Use letters in your first name and letters in your last name. - Select a password that is still relatively easy to remember, but still difficult to "guess." - Unfortunately, there is no way to keep a password safe, so it really doesn't matter what you use. - Create a password that would be hard to remember, and then write it down so you won't forget it.
Spoofing
"a sophisticated technique of authenticating one machine to another by forging packets from a trusted source address."
TCP SYN Scanning -
"half open" scanning. Sends a SYN packet to each remote port. Open ports respond with a SYN/ACK packet. Closed ports usually respond with an RST packet.
Authentication
"the process those machines use to identify each other."
Trust
"the relationship between machines that are authorized to connect to one another."
Ping
(Packet INternet Groper) A utility designed to determine whether or not a remote system is accessible.
RFC 793: state is CLOSED
(that is, Transmission Control Block does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RESET (RST) is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.
Eradication and Recovery Phases
*Mitigation steps*: -Investigation - the causes or nature of the incident might not be clear, in which case further (careful) investigation is warranted -Containment - allow the attack to proceed but ensure that valuable systems/data are not at risk -Hot swap - a backup system is brought into operation and the live system frozen to preserve evidence of the attack -Prevention - countermeasures to end the incident are taken on the live system (even though this may destroy valuable evidence) *Recovery/reconstitution procedures*: -Remove malicious files and tools (also consider infection of backups) -Re-audit security controls - what could have prevented the intrusion? -Notification and remediation of third-parties (customers and suppliers)
Honeypot
- A computer system or portion of a network that has been set up to attract potential intruders, in the hope that they will leave the other systems alone. -Since there are no legitimate users of this system, any attempt to access it is an indication of unauthorized activity and provides an easy mechanism to spot attacks.
Switched Port Analyzer (SPAN)
- A technology employed that can duplicate individual channels crossing a switch to another circuit.
An active IDS can: A) Respond to attacks with TCP resets B) Monitor for malicious activity C) A and B D) None of the above
- Respond to attacks with TCP resets - Monitor for malicious activity
Recognize Scanning: System log file analysis
- look for multiple, short duration connections or connection attempts.
Recognize Scanning: Network traffic
- monitor the volume of inbound and outbound network traffic. If you have established a profile of what is normal activity you will be able to recognize spikes in the activity level which may indicate scanning activity
Firewalls
-A network device—hardware, software, or a combination thereof -Determines what traffic should be allowed or denied to pass in or out of a network
Anomaly detection model
-An IDS model where the IDS must know what "normal" behavior on the host or network being protected really is. -Once the "normal" behavior baseline is established, the IDS can then go to work identifying deviations from the norm, which are further scrutinized to determine whether or not that activity is malicious.
1. Layers 2. detection, complex
-As need for security increases, l_____ of security should be added. -I_______ detection systems are one of the more c______ layers.
Traffic collector
-Collects activity/events for the IDS to examine. On a HIDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a NIDS, this is typically a mechanism for copying traffic off the network link—basically functioning as a sniffer.
Active HIDSs
-Contain all components and capabilities of the passive HIDS. -Can react to the activity it is analyzing.
Active NIDS
-Contains all the same components and capabilities of the passive NIDS -Can react to the traffic it is analyzing
Windows Defender
-Designed to remove spyware and unwanted programs from your PC -Includes spyware detection and removal, scheduled scanning, automatic updates, real-time protection, software explorer, and configurable responses -NOT a replacement for an antivirus program
Rate-based Monitoring
-Detect and mitigate DoS attacks -Watch the amount of traffic traversing the network, if too much, it can intervene and throttle down traffic to acceptable levels.
Host-Based IDS (HIDS)
-Examines activity only on a specific host -Flags that may raise the alarm in a HIDS -Login failures -Logins at irregular hours -Privilege escalation -Additions of new user accounts
Personal Software Firewalls
-Host-based protective mechanism that controls traffic going into and out of a single system. -Various free and commercial firewall software is available.
Intrusion Prevention Systems
-In addition to IDS functions, it has the capability of stopping or preventing a malicious attack. -Must sit inline on the network. -Still can't inspect encrypted traffic, although some vendors include the ability to inspect SSL sessions. -Often rated by the amount of traffic that can be processed without dropping packets.
Disadvantages of a NIDS
-It is ineffective when traffic is encrypted. -It cannot see traffic that does not cross it. -It must be able to handle high volumes of traffic. -It does not know about activity on the hosts themselves.
Disadvantages of NIDS
-It is ineffective when traffic is encrypted. (HIDS are effective) -It can't see traffic that does not cross it -It must be able to handle high volumes of traffic -It doesn't know about activity on the hosts themselves
PC-based Malware Protection
-M_______ p______ for PCs has become a necessity due to the proliferation of "always-on" broadband connections. -Unprotected and unpatched systems are compromised within two hours of coming online, on average.
Active NIDS
-Must be used judiciously lest legitimate activity be disrupted -A commonly-used reactive response to an attack is a TCP reset
Disadvantages of HIDSs
-Must have a process on every system you want to watch. -High cost of ownership and maintenance. -Uses local system resources. -Very focused view and cannot relate to activity around it. -If logging only locally, could be compromised or disabled.
Advantages of NIDS
-Providing IDS coverage requires fewer systems -Deployment, maintenance, and upgrade costs are usually lower -A NIDS has visibility into all network traffic and can correlate attacks among multiple systems -Requires far fewer local resources
Advantages of a NIDS
-Providing IDS coverage requires fewer systems. -Deployment, maintenance, and upgrade costs are usually lower. -NIDS has visibility into all network traffic and can correlate attacks among multiple systems.
Content-based signature
-Signatures that are designed to examine the content of such things as network packets or log entries. -Content-based signatures are typically easy to build and look for simple things, such as a certain string of characters or a certain flag set in a TCP packet.
Context-based signature
-Signatures that are designed to match large patterns of activity and examine how certain types of activity fit into the other activities going on around them. -Context-based signatures are more difficult to analyze and take more resources to match, as the IDS must be able to "remember" past events to match certain context signatures.
Passive HIDSs
-Simply watches the activity, analyzes it, and generates alarms. -Does not interact with the activity itself in any way. -Does not modify the defensive posture of the system to react to the traffic.
Passive NIDS
-Simply watches traffic, analyzes it, and generates alarms -Does not interact with the traffic itself -Does not modify the defensive posture of the system to react to the traffic
Protocol Analyzers (1/2)
-Software or an integrated software/hardware system that can capture and decode network traffic -Detect undesirable traffic -Capture traffic for incident response -Looking for evidence of malicious activity -Looking for unusual traffic -Testing encryption between systems or applications
False positive
-Term used when a security system makes an error and incorrectly reports the existence of a searched-for object. (Examples include an: -intrusion detection system that misidentifies benign traffic as hostile, -an antivirus program that reports the existence of a virus in software that actually is not infected, -or a biometric system that allows access to a system to an unauthorized individual.)
Snort
-The de facto standard IDS engine since its creation in 1998. It has a large user base and set the standard for many IDS elements, including rule sets and formats. -Snort rules are the list of activities that Snort will alert on and provide the flexible power behind the IDS platform. -Snort rule sets are updated by a large active community as well as the Vulnerability Research Team (VRT) of Sourcefire, the company behind Snort. Snort VRT rule sets are available to subscribers and provide such elements as same-day protection for items such as Microsoft Patch Tuesday vulnerabilities. -These rules are moved to the open community after 30 days.
TCP reset
-The most common defensive ability for an active NIDS. -The reset message (RST) tells both sides of the connection to drop the session and stop communicating immediately
How HIDS Work 1. Traffic collector 2. Analysis 3. decision 4. Signature 5. user interface
-The t____ c_____ aggregates information. -The a_____ engine reviews the data. -May implement a d_____ tree to classify activities and make decisions -S_____ database may be used to match activities to predefined activity or patterns -Users work with HIDS through the u___ i_____ which include the visible components of the HIDS.
IDS Components
-Traffic collector / sensor -Analysis engine -Signature database -User interface and reporting
Advantages of HIDSs
-Very operating system-specific with more detailed signatures -Reduce false-positive rates -Examine data after it has been decrypted -Very application specific -Determine whether or not an alarm may impact that specific system
Modern HIDS
-often referred to as host-based intrusion prevention systems (HIPS) -Use the following components to prevent attacks: Integrated system firewall, Behavioral- and signature-based IDS, Application control, Enterprise management, Malware detection and prevention
It allows encryption of all data on a server
Which of the following is true of BitLocker, in Windows Vista? - It's where malicious code is stored when it's discovered. - It's a form of data storage for network traffic. - It allows encryption of all data on a server. - It monitors Internet Explorer traffic.
Which of the following is an example of a MAC address? - 00:07:H9:c8:ff:00 - 00:39:c8:ff:00 - 00:07:e9:c8:ff:00 - 00:07:59:c8:ff:00:e8
00:07:e9:c8:ff:00
What are the 5 stages of the Review Phase of the EDRM
1) Develop Review Strategy/Plan 2) Setup Review Room/Training 3) Perform Data Analysis/Workflow 4) Conduct Review 5) Evaluate, Plan/Wrap-Up
What are the 5 stages of the Analysis Phase of the EDRM
1) Fact Finding 2) Search Enhancement 3) Review Enhancement 4) Impact Analysis 5) Validation/Quality Assurance
What are the the 9 stages of the EDRM?
1) Information Management 2) Identification 3) Preservation 4) Collection 5) Processing 6) Review 7) Analysis 8) Production 9) Presentation
Class A Address
1-126
Which of the following is a valid IP address? - 192.168.1.1.1 - 10.266.12.13 - 172.11.11 - 12.12.12.12
12.12.12.12
Class B Address
128-191
Which of the following is not a private IP address? - 10.100.200.100 - 172.32.32.21 - 192.168.1.1 - 192.168.254.254
172.32.32.21
Class C Address
192-223
Well-known ports
20 File Transfer Protocol (FTP) Data
21 File Transfer Protocol (FTP) Control
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name Server (DNS)
79 Finger
80 World Wide Web (HTTP)
110 Post Office Protocol - Version 3 (POP3)
443 HTTPS
Class D Address
224-239
IP addresses are __________ bit numbers - 6 - 32 - 64 - 128
32
IPv4
32 bit number, four octets, contains network and host info
If you are investigating a computer incident and need to remove the disk drive from a computer and replace it with a copy so the user doesn't know it has been exchanged, how many copies of the disk should you make, and how should they be used?
4 copies: replace, store with original, authenticate, and analyze
5 GHz band
802.11a uses frequencies in the __________________.
Wired Equivalent Privacy (WEP)
802.11i updates the flawed security deployed in ____________________.
The 802.1X protocol is a protocol for Ethernet: A. Authentication B. Speed C. Wireless D. Cabling
A
False
In 2002, Microsoft increased the number of services that were installed and running due to public demand. True or False
authentication header (AH), encapsulating security payload (ESP)
In IPsec, a security association is defined by a specific combination of _____________________ and ___________________.
It defeats buffer overflows.
In Mac OS X, what does library randomization do? - It defeats buffer overflows. - It is used for encryption. - It restricts network access. - It increases the ease of code writing.
Port Scanning
In a port scan, the system will attempt to connect to specific (or all) ports on the remote system to see which respond. Responding ports are considered "open" and the attacker can then attempt to exploit them (especially known services on well-known ports). A large number of tools are available to perform port scanning; nmap is one of the most popular tools that can perform a port scan.
6
In a UNIX operating system, which run level reboots the machine? - 0 - 1 - 3 - 6
1
In a UNIX operating system, which runlevel describes single-user mode?
peer-to-peer trust model
In a(n) ____________, one CA is not subordinate to another CA, and there is no established trust anchor between the CAs involved.
process identifier
In most UNIX operating systems, each running program is given a unique number called a(n) ____________________.
IP Spoofing communication
In the preceding slides, the actions represented by the "OK, I've done it" or the "OK, here it is" lines may actually consist of a series of messages with appropriate responses. The attacker knows what the responses should be, so the attacker can send them, timed appropriately, to ensure the connection is maintained.
Misuse Detection Model
In this model the IDS looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed to do.
Anomaly Detection Model
In this model, the IDS must know what "normal" behavior on the host or network being protected really is. Once the "normal" behavior baseline is established, the IDS can then go to work identifying deviations from the norm.
Anomaly Detection Model
In this model, the IDS must know what "normal" behavior on the host or network being protected really is. Once the "normal" behavior baseline is established, the IDS can then go to work identifying deviations from the norm.
Network-based IDS (NIDS)
Information about network traffic
public key infrastructure (PKI)
Infrastructure for binding a public key to a known user through a trusted intermediary, typically a certificate authority, is called the _________________________.
Which of the following is NOT a network topology? - Star - Ring - Integrated - Mixed
Integrated
User Interface
Interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.
User Interface and Reporting
Interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.
User interface (and reporting)
Interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.
User interface and reporting
Interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.
The series of worldwide interconnected networks is referred to as the - DMZ - Intranet - Extranet - Internet
Internet
Your boss is concerned about employees viewing in appropriate or illegal web sites in the workplace. Which device would be the best at addressing this concern? - Antivirus - Firewall - Protocol analyzer - Internet content filter
Internet content filter
A network that lies completely inside a trusted area of a network, and is under the security control of the system and network administrators, is referred to as the - DMZ - Intranet - Extranet - Internet
Intranet
The model that most modern intrusion detection systems use is largely based upon a model created by Dorothy Denning and Peter Neumann called: - Intrusion Detection Interface System (IDIS) - Intrusion Response Interdiction system (IRIS) - Intrusion Detection Expert System (IDES) - Discovery, Haystack, Multics Intrusion Detection and Alerting System (MIDAS)
Intrusion Detection Expert System (IDES)
IPS stands for:
Intrusion prevention system
IPS stands for: A) Intrusion processing system B) Intrusion prevention sensor C) Intrusion prevention system D) Interactive protection system
Intrusion prevention system
IPS stands for:
Intrusion prevention system.
/etc/hosts.equiv are essentially equivalent to a system-wide .rhosts file and contain lines with hostnames. If system1 contained the /etc/hosts.equiv file:
It would indicate that any user on system2, system4, or system5 could log into system1 without having to supply a password. This assumes that an equivalent username exists on system1 as the one being used on the accessing system (i.e. system2, system4, or system5). A + in the /etc/hosts.equiv file means that all systems are trusted.
access tokens
Items carried by the user to allow them to be authenticated are called ______________________.
Unfortunately hackers abuse the ICMP protocol by using it to - Send internet worms - Launch denial-of-service (DoS) attacks - Steal passwords and credit card numbers - Send spam
Launch denial-of-service (DoS) attacks
Internet Layer
Layer in the Internet Protocol suite of protocols that provides network addressing and routing through an internetwork.
Egress filtering is used to detect spam that is:
Leaving an organization.
Ping Sweep Less Effective
Less effective today than in the past. The recent rise in DoS attacks, which also use ICMP, has resulted in administrators setting their systems to reject inbound ICMP echo requests.
According to SANS Internet Storm Center, the average survival time of an unpatched Windows PC on the Internet is - Less than two minutes - Less than two hours - Less than two days - Less than two weeks
Less than two hours
chmod
Linux and other operating systems use the _______ command to change the read-write-execute properties of a file or directory. - tracert - ifconfig - chmod - chkconfig
Define Identification
Locating potential sources of ESI & determining its scope, breadth & depth.
Misuse Detection Model
Looks for things that violate policy. For example, a denial of service attack launched at your web server or an attacker attempting to brute-force an SSH session.
Packets delivered to a network, such as an office LAN, are usually sent using the destination system's - IP address - MAC address - Apple address - Logical address
MAC address
False
Mac OS X FileVault encrypts files with 3DES encryption. True or False
False negatives
Malicious activity goes undetected
Antispam does all of the following EXCEPT: - Blacklisting - Malicious code detection - Language filtering - Trapping
Malicious code detection
Windows service that facilitates communication between the agents, event viewer, and the administrator.
Manager
Identification Phase - First Responder
Member of CIRT taking charge of a reported incident Analysis and incident identification: -Incident - an event that breaches security policy -Classify and prioritize -False positives
- Restriction of connections to a restricted subnet only - Checking of a client OS patch level before a network connection is permitted - Denial of a connection based on client policy settings
Microsoft NAP permits:
Modern antivirus products have:
Modern antivirus products have: - Automated updates - Automated scanning - Manual scanning - Media scanning - E-mail scanning - Problem resolution
Anomaly-based (heuristic) IDS
Monitors activity and attempts to classify it as either "normal" or "anomalous"
Intrusion Prevention System (IPS)
Monitors network traffic for malicious or unwanted behavior and can block, reject, or redirect that traffic in real time.
Authentication and Trust
Most common method of authentication is the userid/password combination. If a user on a local network wants to access another system on the local network, having to supply the password to log on is a nuisance. Consequently, a trusted relationship may be established where one local system will trust the other to have authenticated the user originally and will thus not require additional authentication. An example of this is the UNIX .rhosts and hosts.equiv files.
shadow file
Most modern UNIX versions store the passwords associated with a user account in a - BitLocker - shadow file - passwd file - Registry
a. CTRL-ALT-INSERT
Most virtual machine managers replace the CTRL-ALT-DELETE key sequence with: Select one: a. CTRL-ALT-INSERT b. CTRL-ALT-FN c. CTRL-ALT-ESC d. ALT-F4
routing
Moving packets from source to destination across multiple networks is called ______________________.
Disadvantages of HIDS 1. process 2. ownership, maintenance 3. resources 4. focused 5. compromised
Must p______ information on every system you want to watch May have a high cost of o______ and m________ Uses local system r________ A f_______ view and cannot relate to activity around it If logged locally, could be c________ or disabled
Which IDS primarily uses passive software?
NIDS
Incident Response Procedures
NIST Computer Security Incident Handling Guide Preparation - IRP (Incident Response Plan) - write policies and procedures; assign personnel and resources; establish secure out-of-band communications Identification/detection and analysis Containment, eradication, and recovery Post-incident activity
Preparation Phase - Communication Processes
Need to know - incident response communications must be confidential Out-of-band communications - avoid alerting intruder Communication with other stakeholders (law enforcement, regulators)
Which of the following improves the security of the network by hiding internal addresses? - Antivirus - IDS - Star topology - Network Address Translation (NAT)
Network Address Translation (NAT)
What are two main types of intrusion detection system?
Network Based and Host-Based
NAP
Network access control is associated with which of the following?
_____________ is a technique where a host is queried and identified based on its response to a query.
Network tap
False
Network-based IDS examines activity on a system, such as a mail server or web server. True or False
What are the two Main types of intrusion detection systems A) Network-based and host-based B) Signature-based and event-based C) Active and reactive D) Intelligent and passive
Network-based and host-based
Is Windows Defender available with every version of the Windows operating system?
No, it is only available for Windows Vista and Windows 7 and is available as a free download for Windows XP and Windows Server 2003.
No permissions
On a UNIX system, if a file has the permission r-x rw- ---, what permission does the world have? - Read and execute - Read and write - Read, write, execute - No permissions
Read
On a UNIX system, if a file has the permission rwx r-- ---, what permission does the group have? - Execute, read, write - Read - Read, write, execute - No permissions
Read, write, and execute
On a UNIX system, if a file has the permissions rwx r-x rw-, what permissions does the owner of the file have?
Endpoints of the tunnel only
On a VPN, traffic is encrypted and decrypted at:
The user can now encrypt session keys and messages with this public key and can validate the sender's digital signatures.
Once an individual validates another individual's certificate, what is the use of the public key that is extracted from this digital certificate?
They can reduce false-positive rates
One of the advantages of HIDS is that - They can reduce false-positive rates - Their signatures are broader - They can examine data before it has been decrypted - They are inexpensive to maintain in the enterprise
The ________________ is a method of determining whether a certificate has been revoked that does not require local machine storage of CRLs.
Online Certificate Status Protocol
True
Only active intrusion detection systems (IDS) can aggressively respond to suspicious activity, whereas passive IDS cannot. True or False
Perimeter Security
Operate NIDS like a castle and focus efforts and attention on securing and controlling the ways in and out. Ergo, if you can control the perimeter, you don't have to worry about what's going on inside.
What are the three methods for monitoring network traffic?
Packet capture software, filters and triggers, and Intrusion Detection Software or System
True
Permissions under Linux are the same as for other UNIX-based operating systems. True or False
Zone Alarm, Windows ICF, and iptables are all examples of - Antivirus - Antispyware - Antispam - Personal firewalls
Personal firewalls
Protocol Analyzer
Piece of software or an integrated software/hardware system that can capture and decode network traffic.
The nuisance of web pages that automatically appear on top of your current web page can be remedied with - Antivirus - Antispam - Pop-up blockers - Firewalls
Pop-up blockers
______________ allows administrators to send all traffic passing through a network switch to a specific port on the switch.
Port mirroring
Identification Phase
Precursors Detection channels, which include: -Security mechanisms (IDS, log analysis, alerts) -Manual inspections -Notification procedures -Public reporting -Confidential reporting/whistleblowing
Are designed to stop malicious activity from occurring
Preventative intrusion detection systems:
Outright theft of the computers
Probably the simplest physical attack on the computer system is:
Antispam
Products that attempt to filter out that endless stream of junk e-mail so you don't have to.
Antivirus
Products that attempt to identify, neutralize, or remove malicious programs, macros, and files.
A ________________ is a piece of software or an integrated software/hardware system that can capture and decode network traffic.
Protocol Analyzer
Application Layer
Protocols allow software programs to negotiate formatting, procedural, security, synchronization, and other requirements
A _____________________ is a structure that provides all of the necessary components for different types of users and entities to be able to communicate securely and in a predictable manner.
Public key infrastructure (PKI)
Define Processing
Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.
Signature-based IDS
Relies heavily on a predefined set of attack and traffic patterns called signatures
bootdisk
Removable media from which computer can be booted is called a(n) _____________________.
Containment Phase
Response must be different/competing objectives: -What is the loss/potential for loss? What countermeasures are available? What evidence can be collected? Quarantine and device removal: -Prevent or interrupt an attack? Allow it to proceed until actual harm is threatened? Escalation Data breach and reporting: -Handle incident at higher level. Inform affected parties (suppliers and customers/users, regulatory bodies, law enforcement)
Main Goal of Incident Response
Restore system functionality Preserve evidence of intrusion Prevent re-occurrence Refer to *NIST*
Name three types of proxies?
Reverse, Web, Open.
What is called when network components are connected to each other in a closed loop, with each device directly connected to two other devices. - Star - Bus - Ring - Hybrid
Ring
Describe the state of initialization and what system services are operating in a Linux system
Run levels are used to - Determine which users are allowed on a Windows machine - Describe the state of initialization and what system services are operating in a Linux system - Determine the level of user in Linux systems - Are a Windows construct to manage which services are allowed to autostart
SMTP is a protocol used for which of the following functions?
Remote access to network infrastructure
SNMP is a protocol used for which of the following functions?
What are the two components of NIDS?
SNORT and ASIM
The correct sequence of the three-way handshake is - SYN/SYN, ACK/ACK, SYN/SYN - SYN/ACK, SYN/ACK, SYN/ACK - SYN, SYN/ACK, ACK - ACK, SYN/ACK, SYN
SYN, SYN/ACK, ACK
Switched Port Analyzer (SPAN)
Same as port mirroring.
Active HIDS
Same capabilities as a passive HIDS, with the ability to react to activity by possibly running a script or terminating a process
Vulnerability Scanners: Service scanners:
Scanning tool used to examine a specific network service, such as WWW, for common vulnerabilities associated with that service
Egress filtering - Scans incoming mail to catch spam - Scans outgoing mail to catch spam - Messages are scanned for specific words or phrases - Filters out POP traffic
Scans outgoing mail to catch spam
TCP port 22
Secure Shell uses which port to communicate?
False
Securing access to files and directories in Solaris is vastly different from most UNIX variants. True or False
Hardening
Securing and preparing a system for the production environment is called __________________.
By monitoring activity within the honeypot:
Security personnel are better able to identify potential attackers along with their tools and capabilities
Perimeter Security
Security set up on the outside of the network or server to protect it.
Analyzers must be able to:
See and capture network traffic to be effective, and many switch vendors support network analysis through the use of mirroring or SPAN ports
TCP FIN Scanning -
Sends a FIN packet (normally sent to clear connection when conversation is finished). Closed ports usually respond with an RST packet. Open ports usually ignore FIN packets.
False
Service pack is the term given to a small software update designed to address a specific problem, such as a buffer overflow in an application that exposes the system to attacks. True or False
Honeypots are specialized forms of intrusion detection that involve:
Setting up simulated hosts and services for attackers to target
Email spoofing
Similar email address - some may not consider this real spoofing. Register an email address at a site such as Hotmail that is similar to the target's email address, e.g. if the target is [email protected], register [email protected]. Modify mail client - some will allow you to modify what will be put in the From line. Telnet to port 25 - allows you to completely specify the From line; the attacker acts like a mail server connected to the port.
Access control lists
Simple rule sets that are applied to port number and IP addresses are called - Network address translation - Stateful packet filtering - Access control lists - Basic packet filtering
All of the following are advantages of TCP over UDP EXCEPT: - Guaranteed delivery - Sequenced packets - Smaller header - Three-way handshake to establish connection
Smaller header
Windows Defender does all of the following EXCEPT: - Spyware detection and removal - Real-time malware protection - Spam filtering - Examine programs running on your computer
Spam filtering
Host-based IDSs can apply:
Specific context sensitive rules because of the known host role
All the network components are connected to a central point in which topology? - Star - Bus - Ring - Hybrid
Star
How does stateful packet filtering differ from basic packet filtering? - Stateful packet filtering looks only at each packet individually. - Stateful packet filtering looks at the packets in relation to other packets. - Stateful packet filtering looks at the destination address. - Stateful packet filtering looks at the source address.
Stateful packet filtering looks at the packets in relation to other packets
______________ is a new entry in the IDS toolset as a replacement for Snort.
Suricata
Newer versions of IDSs include prevention capabilities that automatically block:
Suspicious or malicious traffic before it reaches its intended destination. Most vendors call these intrusion prevention systems (IPSs)
Data Link Layer
Switches operate at which layer of the OSI model?
Which transport layer protocol is connection oriented? - UDP - TCP - IP - ICMP
TCP
The main difference between TCP and UDP packets is - UDP packets are a more widely used protocol. - TCP packets are smaller and thus more efficient to use. - TCP packets are connection oriented, whereas UDP packets are connectionless. - UDP is considered to be more reliable because it performs error checking.
TCP packets are connection oriented, whereas UDP packets are connectionless.
Help secure the system by restricting network connections
TCP wrappers do what?
Proxy Servers
Takes client requests and forwards to the destination server on behalf of the client Security application for filtering undesirable traffic and blocking potentially hostile web sites
Which of the following correctly defines real evidence?
Tangible objects that prove or disprove a fact
False Positive
Term used when a security system makes an error and incorrectly reports the existence of a searched for object. Examples include an intrusion detection system that misidentifies benign traffic as hostile, an antivirus program that reports the existence of a virus in software that actually is not infected, or a biometric system that allows access to a system to an unauthorized individual
False negative
Term used when a system makes an error and misses reporting the existence of an item that should have been detected.
service set identifier (SSID)
The 32-character identifier attached to the header of a packet used for authentication to an 802.11 access point is the ________________.
Authentication
The 802.1X protocol is a protocol for Ethernet:
Which of the following is NOT a disadvantage of host-based IDS? - The IDS uses local system resources. - The IDS can have a high cost of ownership and maintenance. - The IDS must have a process on every system you want to watch. - The IDS is ineffective when traffic is encrypted.
The IDS is ineffective when traffic is encrypted.
EUI-64
The IEEE standard defining 64-bit physical addresses. In the EUI-64 scheme, the OUI portion of an address is 24 bits in length. A 40-bit extension identifier makes up the rest of the physical address to total 64 bits.
True
The NIDS signature database is usually much larger than that of a host-based system. True or False
Allows for packets to be processed in the order they were sent
The TCP protocol:
is a connectionless protocol
The UDP protocol:
certificate server
The ___________ is the actual service that issues certificates based on the data provided during the initial registration process.
online certificate status protocol (OCSP)
The _____________ is a method of determining whether a certificate has been revoked that does not require the local machine to store CRLs.
ISAKMP
The ________________ is a protocol framework that defines the mechanics of implementing a key exchange protocol and negotiation of a security policy.
initialization vector (IV)
The __________________ is the part of WEP's implementation of the RC4 cipher that is weak (it is only 24 bits long and repeats).
MAC address
The ________________________ is the hardware address used to uniquely identify each device on a network.
certificate authority (CA)
The _____________ is the trusted authority for certifying individuals' identities and creating an electronic document indicating that individuals are who they say they are.
operating system
The basic software on a computer that handles input and output is called the __________________.
Snort
The de facto standard IDS engine since its creation in 1998.
Anomaly models require knowledge of normal activity, whereas misuse models don't.
The difference between misuse and anomaly IDS models is - Misuse models require knowledge of normal activity, whereas anomaly models don't. - Anomaly models require knowledge of normal activity, whereas misuse models don't. - Anomaly models are based on patterns of suspicious activity. - Anomaly model-based systems suffer from many false negatives
Wireless Transport Layer Security (WTLS)
The encryption protocol that is used on Wireless Application Protocol (WAP) networks is called _________________.
Which of the following correctly defines evidence as being sufficient?
The evidence is convincing or measures up without question
Which of the following correctly defines documentary evidence?
The evidence is in the form of business records, printouts, manuals, and other items
Which of the following correctly defines evidence as being competent?
The evidence is legally qualified and reliable
Which of the following correctly defines evidence as being relevant?
The evidence is material to the case or has a bearing on the matter at hand
Session Layer
The fifth layer in the OSI model. The Session layer establishes and maintains communication between two nodes on the network. It can be considered the "traffic cop" for network communications.
What was the first commercial, network-based IDS product?
The first commercial network-based IDS product was NetRanger, released by WheelGroup in 1995.
Transport Layer
The fourth layer of the OSI model. In this layer protocols ensure that data are transferred from point A to point B reliably and without errors. This layer services include flow control, acknowledgment, error correction, segmentation, reassembly, and sequencing.
Digital Sandbox
The isolation of a program and its supporting elements from common operating system functions.
Network Interface Layer
The lowest level of the TCP/IP suite; it is responsible for placing and removing packets on the physical network.
Physical Layer
The lowest, or first, layer of the OSI model. Protocols in the Physical layer generate and detect signals so as to transmit and receive data over a network medium. These protocols also set the data transmission rate and monitor data error rates, but do not provide error correction.
To help security professionals better understand and protect against threats to the system
The main purpose of a honeypot is - To identify hackers so they can be tracked down by the FBI - To slow hackers down by providing an additional layer of security that they must pass before accessing the actual network - To distract hackers away from attacking an organization's live network - To help security professionals better understand and protect against threats to the system
Group policies
The mechanism that allows for centralized management and configuration of computers and remote users in an Active Directory environment is called:
False
The misuse detection IDS model is more difficult to implement than the anomaly detection model, and is not as popular as a result. True or False
Intrusion Detection Expert System (IDES)
The model that most modern intrusion detection systems use is largely based upon a model created by Dorothy Denning and Peter Neumann called: - Intrusion Detection Interface System (IDIS) - Intrusion Response Interdiction system (IRIS) - Intrusion Detection Expert System (IDES) - Discovery, Haystack, Multics Intrusion Detection and Alerting System (MIDAS)
Anomaly Detection Model
The more complicated of the IDS models, this model learns "normal" behavior and looks for behavior that deviates from the norm, then examines the event to see whether it is actually malicious. (Also known as heuristic.)
Port Mirroring
The network traffic is essentially copied or mirrored to a specific port, which can then support a protocol analyzer.
Pop-up blockers
The nuisance of web pages that automatically appear on top of your current web page can be remedied with - Antivirus - Antispam - Pop-up blockers - Firewalls
three-way handshake
The packet exchange sequence (SYN, SYN/ACK, ACK) that indicates a TCP connection is called the __________________.
b. offsite
The practice of hosting machines, processing, or networks at a site other than your location is referred to as: Select one: a. onsite b. offsite c. centralized d. decentralized
authentication
The process of comparing credentials to those established during the identification process is referred to as _________________.
DHCP
The process that dynamically assigns an IP address to a network device is called:
content protection
The protection of the data portion of a packet is __________________.
context protection
The protection of the header portion of a packet is __________________.
Reduce Crosstalk
The purpose of twisting the wires in a twisted-pair circuits is to:
Which of the following correctly defines free space?
The remaining sectors of a previously allocated file that are available for the operating system to use
Data Link Layer
The second layer in the OSI model. The Data Link layer bridges the networking media with the Network layer. Its primary function is to divide the data it receives from the Network layer into frames that can then be transmitted by the Physical layer.
Anonymizing proxy
The security tool that will hide information about the requesting system and make the browsing experience secret is a - Web proxy - Reverse proxy - Anonymizing proxy - Open proxy
Application Layer
The seventh layer of the OSI model. Application layer protocols enable software programs to negotiate formatting, procedural, security, synchronization, and other requirements with the network.
The password associated with a user account
The shadow file of a UNIX system contains:
topology
The shape or arrangement of a network, such as bus, star, ring, or mixed, is known as the _____________________ of the network.
Misuse Detection Model
The simpler of the two IDS models; it looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed to do. It is cheaper and widely used.
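The difference between the two models (the anomaly definition above and this misuse definition) is easiest to see side by side on the same data. This is an added example, not code from the original page: the per-hour failed-login counts, the fixed misuse threshold and the z-score limit are all constructed. The misuse rule is written in advance and needs no baseline; the anomaly detector has to learn what "normal" looks like first, which is also its weakness when the baseline is poisoned.

```python
"""Misuse (signature) vs anomaly (heuristic) detection on one host's failed
logins per hour. Added example, not from the original page; all counts and
thresholds are constructed."""
import statistics

# Constructed: 24 hours of "normal" failed-login counts used as the baseline.
BASELINE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 2, 3, 4, 3, 2, 4, 3, 3, 4, 2, 3, 4, 3]

# Constructed: three new hours to judge. 09:00 is a loud brute-force attempt,
# 10:00 is a quieter one that stays under the misuse rule's threshold.
NEW_HOURS = {"08:00": 4, "09:00": 60, "10:00": 12}


def misuse_alerts(counts, limit=50):
    """Misuse model: a fixed rule written in advance (">= limit failures/hour").
    It needs no knowledge of this host's normal activity."""
    return [hour for hour, n in counts.items() if n >= limit]


def learn_baseline(history):
    """Anomaly model step 1: summarise normal activity as mean and std. dev."""
    return statistics.mean(history), statistics.stdev(history)


def anomaly_alerts(counts, baseline, z_limit=3.0):
    """Anomaly model step 2: flag hours that deviate from the learned norm by
    at least `z_limit` standard deviations. Returns [(hour, z), ...]."""
    mean, sd = baseline
    out = []
    for hour, n in counts.items():
        if sd == 0:
            z = 0.0 if n == mean else float("inf")
        else:
            z = (n - mean) / sd
        if z >= z_limit:
            out.append((hour, round(z, 1)))
    return out


if __name__ == "__main__":
    clean = learn_baseline(BASELINE)
    print("misuse :", misuse_alerts(NEW_HOURS))
    print("anomaly:", anomaly_alerts(NEW_HOURS, clean))
    # Poisoned baseline: an attack that ran while "normal" was being learned
    # inflates the standard deviation so much that even 60 failures/hour
    # no longer looks abnormal.
    poisoned = learn_baseline(BASELINE + [60, 55, 70])
    print("anomaly (poisoned baseline):", anomaly_alerts(NEW_HOURS, poisoned))
```

The misuse rule misses the 12-failure hour (a false negative) because nobody wrote a signature for it; the anomaly detector catches it because it is nine standard deviations from this host's norm. The poisoned run shows the cost of the anomaly model: whatever was happening during the learning window becomes "normal", so baselines have to be captured on a known-clean system and re-checked when they are refreshed.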
Presentation Layer
The sixth layer of the OSI model. Protocols in the Presentation layer translate between the application and the network. Here, data are formatted in a schema that the network can understand, with the format varying according to the type of network used. The Presentation layer also manages data encryption and decryption, such as the scrambling of system passwords.
IEEE 802.11
The standard for wireless local area networks is called __________________.
a. hypervisors
The term "bare-metal" virtualization software refers to which of the following? Select one: a. hypervisors b. virtual switches c. hardware consolidation d. VMMs
Network Layer
The third layer in the OSI model. Protocols in the Network layer translate network addresses into their physical counterparts and decide how to route data from the sender to the receiver.
What are the two main types of IDS signatures?
The two main types of IDS signatures are context-based and content-based. Context-based signatures examine traffic and how that traffic fits into the other traffic around it. Example: Port Scanner A content-based signature looks at what is inside the traffic, such as the contents of a specific packet.
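Both signature types above, run over a short constructed packet stream, as an added example (not code from the original page). The packet records, the content rule and the port-scan threshold are assumptions made for the illustration. The content signature decides on a single packet's bytes and flags; the context signature decides nothing about any one packet and only fires once it has seen enough of them from the same source.

```python
"""Content-based vs context-based IDS signatures over constructed packets.
Added example, not from the original page; traffic and rules are made up."""
from collections import defaultdict
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


# Constructed sample traffic: a normal web request, a command-injection
# attempt, then a SYN sweep of 12 ports on one host from a single source.
PACKETS = [
    Packet(0.0, "10.0.0.5", "10.0.0.80", 80, ACK, b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.2, "10.0.0.9", "10.0.0.80", 80, ACK, b"GET /cgi-bin/test.cgi?x=;/bin/sh HTTP/1.0\r\n"),
] + [
    Packet(1.0 + i * 0.05, "192.0.2.7", "10.0.0.80", p, SYN)
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445])
]

# Content signature: judged on what is inside one packet (a byte pattern plus
# a TCP flag setting), the way a Snort rule's content: and flags: options work.
CONTENT_SIGS = [
    {"name": "WEB-ATTACKS /bin/sh access", "pattern": b"/bin/sh",
     "flags_mask": ACK, "flags_val": ACK},
]


def match_content(pkt):
    """Return the names of content signatures this single packet matches."""
    return [s["name"] for s in CONTENT_SIGS
            if (pkt.flags & s["flags_mask"]) == s["flags_val"]
            and s["pattern"] in pkt.payload]


class PortScanDetector:
    """Context signature: one SYN is harmless; `threshold` distinct destination
    ports from one source within `window` seconds is a port scan."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(list)     # src -> [(ts, dport), ...]
        self.alerted = set()                 # sources already reported

    def feed(self, pkt):
        if not (pkt.flags & SYN) or (pkt.flags & ACK):
            return None                      # only connection attempts count
        hist = self.history[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        hist[:] = [(t, p) for t, p in hist if pkt.ts - t <= self.window]
        ports = {p for _, p in hist}
        if len(ports) >= self.threshold and pkt.src not in self.alerted:
            self.alerted.add(pkt.src)
            return f"SCAN from {pkt.src}: {len(ports)} ports in {self.window}s"
        return None


def run_ids(packets):
    """Run both signature types over a stream; returns (kind, src, detail) tuples."""
    alerts, scan = [], PortScanDetector()
    for pkt in packets:
        for name in match_content(pkt):
            alerts.append(("content", pkt.src, name))
        detail = scan.feed(pkt)
        if detail:
            alerts.append(("context", pkt.src, detail))
    return alerts


if __name__ == "__main__":
    for alert in run_ids(PACKETS):
        print(alert)
```

The context signature is also where the encrypted-traffic limitation of a NIDS noted elsewhere on this page does not bite: the SYN sweep is visible from headers alone, whereas the content signature would see nothing if the request had been sent over TLS.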
What are the two main types of intrusion detection systems?
The two main types of intrusion detection systems are network-based and host-based. Network-based systems monitor network connections for suspicious traffic. Host-based systems reside on an individual system and monitor that system for suspicious or malicious activity.
Mobile Device Management (MDM)
The type of application used to control security across multiple mobile devices in an enterprise is called ___________________.
Which of the following correctly defines slack space?
The unused space on a disk drive when a file is smaller than the allocated unit of storage
Which of the following is NOT an advantage of network-based IDS? - It takes fewer systems to provide IDS coverage. - They can reduce false positive rates. - Development, maintenance, and upgrade costs are usually lower. - Visibility into all network traffic and can correlate attacks among multiple systems.
They can reduce false positive rates.
One of the advantages of HIDS is that - They can reduce false-positive rates - Their signatures are broader - They can examine data before it has been decrypted - They are inexpensive to maintain in the enterprise
They can reduce false-positive rates
IP Spoofing
This may simply consist of forging the source address in an IP packet so it appears to have come from somewhere else. It is often used to trick the target machine into believing a packet is coming from a host it trusts, thus getting the target machine to perform some task. Done properly, it may involve sniffing, spoofing, and a DoS attack (to keep the impersonated host from answering).
Network Interface Card (NIC)
To connect a computer to a network, you use a(n) _____________________.
Open UDP port 1701
To establish an L2TP connection across a firewall, you must do which of the following?
Open TCP port 1723
To establish a PPTP connection across a firewall, you must do which of the following?
SaaS
To offer software to end users from the cloud is a form of _________________________.
kill
To stop a particular service or program running on a UNIX operating system, you might use the __________________ command.
Network Admission Control (NAC)
To verify that a computer is properly configured to connect to a network, the network can use ________________.
Network Address Translation (NAT) - Translates private (non-routable) IP addresses into public (routable) IP addresses - Translates the IP addresses of one protocol to the IP address of another protocol - Is one of the items in an IP packet header - Translates MAC addresses to IP addresses
Translates private (non-routable) IP addresses into public (routable) IP addresses
The TLS Record Protocol and TLS Handshake Protocol
Transport Layer Security consists of which two protocols?
443
Transport Layer Security for HTTP uses what port to communicate?
Preparation Phase - Incident Types/Categories
Triage: identify what must be prioritized, including - Data integrity - Downtime - Economic/publicity impact - Scope - Detection time - Recovery time. Develop playbooks for dealing with each incident type.
A protocol analyzer can be used to:
Troubleshoot network problems, Collect network traffic statistics, Monitor for suspicious traffic.
A DMZ acts as a buffer zone between the Internet, where no controls exist, and the inner, secure network, where an organization has security policies in place. True or False
True
A network can logically appear as one topology, but physically match a different topology. True or False
True
A sniffer must use a NIC in promiscuous mode; otherwise it will not see all the network traffic coming into the NIC. True or False
True
Content-based signatures detect character patterns and TCP flag settings. True or False
True
DNS resolves a domain name to an IP address. True or False
True
LAN and WAN networks can be connected. True or False
True
NAT translates private (nonroutable) IP addresses into public (routable) IP addresses. True or False
True
Only active intrusion detection systems (IDS) can aggressively respond to suspicious activity, whereas passive IDS cannot. True or False
True
NIDS is not capable of decrypting encrypted traffic T/F?
True, it CANNOT decrypt encrypted traffic
Encapsulating packets so they can traverse the network in a secure, confidential manner is referred to as - DMZ - Steganography - Tunneling - Layered defense
Tunneling
remote-wiping, screen locking
Two common mobile device security measures are ________________ and ____________________.
Heuristic Scanning
Typically looks for commands or instructions that are not normally found in application programs, such as attempts to access a reserved memory register.
Which transport layer protocol is connectionless? - UDP - TCP - IP - ICMP
UDP
Authentication and UNIX Trusted relationships
UNIX bases its trust decision, using the .rhosts or hosts.equiv files, on the IP address (or hostname) of the connecting system. But the IP address (and most other fields) of an IP header can be forged.
An RJ-45 connector
UTP cables are terminated for Ethernet using what type of connector?
Mandatory access control (MAC)
Under which access control system is each piece of information and every system resource (files, devices, networks, and so on) labeled with its sensitivity level?
Intrusion detection is a mechanism for detecting:
Unexpected or unauthorized activity on computer systems
A firmware update
Updating the software loaded on a nonvolatile RAM is called:
Approach to vulnerability scanning
Use a port-scanning tool such as nmap to identify the OS and to log all listening ports May return something like Linux Kernel 2.2 with ports 21, 25, 53, 80 listening What the ports are and what vulnerabilities that may exist in them is an exercise left up to the user.
Protocol Analyzers (2/2)
Used by network administrators for: -Analyzing network problems -Detecting misconfigured applications or misbehaving applications -Gathering and reporting network usage and traffic statistics -Debugging client/server communications Requires NIC capable of promiscuous mode -Tells the NIC to process every packet that it sees regardless of the intended destination
Internet Content Filter
Used to block employees' viewing of inappropriate or illegal content at the workplace and the subsequent complications that occur when such viewing takes place.
Antivirus Products
Used to identify, neutralize, or remove malicious programs, macros, and files. Scanning approaches: -Signature-based scanning -Heuristic scanning
Ping Sweep
Using PING, attackers can send an ICMP echo request to every address within a range to determine which systems are "up and running" Every system that is up will respond with an echo reply, providing a list of potential targets
multiple-factor authentication
Using a token, fingerprint reader, and PIN keypad would be an example of ______________________.
A logical implementation of a LAN that allows computers connected to different physical networks to act and communicate as if they were on the same physical network is referred to as a - DMZ - VLAN - Extranet - Tunnel
VLAN
c. Mac OS X
VMware Fusion is a popular virtual machine manager for which operating system? Select one: a. Windows 7 b. Linux c. Mac OS X d. Solaris
c. 32
VMware's ESX server can support up to how many CPUs, depending upon the version? Select one: a. 64 b. 8 c. 32 d. 4
Common components of vulnerability scanning
Vulnerability data - information about known vulnerabilities, how knowledgeable is the tool? Scanning mechanism - the "guts" of the scanner, how accurate is the tool? Reporting mechanism - interface with user
Wireless Transport Layer Security (WTLS)
WAP uses the ____________________ protocol to attempt to ensure confidentiality of data.
RC4
WEP has used an implementation of which of the following encryption algorithms?
Message authentication codes (MACs)
WTLS ensures integrity through what device?
Passive HIDS
Watches activity, analyzes it, and generates an alarm
Context-based and content-based
What are the two main types of IDS signatures?
Network-based and host-based
What are the two main types of intrusion detection systems?
Honeypot
What device would you use to attract potential attacks, so that you could safely monitor the activity and discover the intentions of the attacker? - Firewall - Antivirus - IDS - Honeypot
A single system
What does a host-based IDS monitor? - A single system - Networks - Physical intrusions into facilities - A system and all its surrounding systems
Mobile device carrier selection
What element does not belong in a mobile device security policy in an enterprise employing BYOD?
Network Access Protection
What feature in Windows Server 2008 controls access to network resources based on a client computer's identity and compliance with corporate governance policy?
the physical layer
What is Layer 1 of the OSI model called?
Loss or theft of the token
What is a common threat to token-based access controls?
a. guest
What is another term for a virtual machine? Select one: a. guest b. environment c. host d. emulator
Sending an unsolicited message via Bluetooth
What is bluejacking?
Keep Bluetooth discoverability off
What is the best way to avoid problems with Bluetooth?
The first step in addressing password issues is to create an effective and manageable password policy that both system administrators and users can work with.
What is the first step in addressing issues with passwords? - The first step in addressing password issues is to create an effective and manageable password policy that both system administrators and users can work with. - The first step in addressing password issues is to find a systematic, alpha-numeric combination and then assign passwords, so that both system administrators and users can tell which department is using what system. - The first step in addressing password issues is to see how many passwords are required. - The first step in addressing password issues is to see how many accounts can use the same password.
key
What is the most common example of an access token?
DNS
What is the name of the protocol that translates names into IP addresses?
Baselining
What is the process of establishing a system's security state called? - Hardening - Baselining - Securing - Controlling
defines services to manage heterogeneous PKI operations via XML
What is the purpose of XKMS?
It binds an individual identity to a public key
What is the purpose of a digital certificate?
b. virtual reality
What is the term for an environment created by software, with sight and sound provided by video and audio equipment, primarily used for gaming and simulation? Select one: a. hypervisor b. virtual reality c. sandbox d. virtual machine
SYN, SYN/ACK, ACK
What is the three-way handshake sequence used to initiate TCP connections?
Enable port mirroring.
What must you do in order to sniff the traffic on all ports on a switch? - Nothing; you can see all the traffic on a switch by default. - Nothing; a switch does not allow you do see all traffic. - Enable port mirroring. - Run a cable to each port.
UDP
What protocol is used for RADIUS?
The user's software computes a message digest of the certificate and uses the CA's public key to decrypt the signature included with the certificate. If the decryption succeeds and the two digest values are the same, the certificate is validated.
What steps does a user's software take to validate a CA's digital signature on a digital certificate?
buffer overflow
When a user or process supplies more data than was expected, a(n) _____________________ may occur.
The user submits a certificate request to the RA.
When a user wants to participate in PKI, what component does he/she need to obtain, and how does that happen?
false positive
When an IDS generates an alarm on "normal" traffic that is actually not malicious or suspicious, that alarm is called a(n) _____________________.
True
When hardening Mac OS X, the same guidelines for all UNIX systems apply. True or False
pkgparam
Which UNIX command can be used to show the patches that are installed for a specific software package? - pkglist - pkgparam - pkgqury - pkgdump
chmod
Which UNIX command would you use to change permissions associated with a file or directory? - chmod - chown - chgrp - chng
Analysis engine
Which component of an IDS examines the collected network traffic and compares it to known patterns of suspicious or malicious activity? - Traffic collector - Analysis engine - Signature database - Examination collector
b. virtual switches
Which of the following allows all VMs to communicate with each other, the host, and the network? Select one: a. hypervisors b. virtual switches c. Virtual Machine Manager d. Virtual PBX
d. research and testing and system recovery
Which of the following are important reasons to implement virtualization? Select one: a. system installation and system recovery b. system recovery and system installation c. hardware increases and system installation d. research and testing and system recovery
b. virtualization
Which of the following creates a complete environment for a guest operating system to function as though that operating system were installed on its own computer? Select one: a. translation b. virtualization c. emulation d. polyinstantiation
Runs on the local system - Does not interact with the traffic around it - Can look at system event and error logs
Which of the following describes a passive, host-based IDS?
d. emulator
Which of the following describes software or hardware that converts the commands to and from the host machine into an entirely different platform? Select one: a. hypervisor b. Virtual Machine Manager c. supervisor d. emulator
Modify
Which of the following is NOT a UNIX file permission? - Read - Write - Modify - Execute
Expert knowledge database
Which of the following is NOT a component of an IDS? - Traffic collector - Signature database - Expert knowledge database - User interface and reporting
Maintaining SNMP community strings
Which of the following is NOT a general step in securing a networking device? - Choosing good passwords - Password-protecting the console - Maintaining SNMP community strings - Turning off unnecessary services
c. Network as a Service
Which of the following is a cloud service offering virtualized networks, servers, and services? Select one: a. Software as a Service b. virtual machine c. Network as a Service d. Virtualization as a Service
ICMP
Which of the following is a control and information protocol used by network devices to determine such things as a remote network's availability and the length of time required to reach a remote network?
ISO/IEC 27002
Which of the following is a detailed standard for creating and implementing security policies?
Common Criteria
Which of the following is a joint set of security processes and standards used by approved laboratories to award an Evaluation Assurance Level (EAL) from EAL1 to EAL7?
S/MIME
Which of the following is a secure e-mail standard?
c. dedicated bridging
Which of the following is a type of virtual switching that gives every VM its own physical NIC? Select one: a. NAT b. routing c. dedicated bridging d. virtual bridging
c. Parallels
Which of the following is a virtual machine manager for Mac OS X? Select one: a. VirtualPC b. Hyper-V c. Parallels d. ESX
c. KVM
Which of the following is an open-source virtual machine manager developed by Red Hat? Select one: a. Virtual Box b. Xen c. KVM d. Virtual PC
Can decrypt and read encrypted traffic
Which of the following is not a capability of network-based IDS?
Password selection
Which of the following is one of those critical activities that is often neglected as part of a good security baseline? - Password selection - Hardening the OS - Securing the firewall - Hardening applications
Kill
Which of the following is the command to stop a service in UNIX? - Stop - Kill - End - Finish
d. POST
Which of the following is the first step a virtual machine takes when it is powered on? Select one: a. snapshot b. instant-on c. dedicated bridging d. POST
d. RAM
Which of the following is the most limiting factor in a host's ability to run virtual machines? Select one: a. network bandwidth b. CPU c. hard disk space d. RAM
They control who can access the registry and how it can be accessed.
Which of the following is true of the registry permissions area settings in security templates? - They control who should be allowed to join or be part of certain groups. - They are for services that run on the system. - They control who can access the registry and how it can be accessed. - They are settings that apply to files and folders, such as permission inheritance.
An Attribute Certificate
Which of the following is used to grant permissions using rule-based, role-based, and rank-based access controls?
a. Microsoft Windows
Which of the following operating systems, when added as a virtual machine, requires a separate, licensed copy? Select one: a. Microsoft Windows b. OpenBSD c. Ubuntu Linux d. FreeDOS
A framework that does not specify any technologies but provides a foundation for confidentiality, integrity, and availability services
Which of the following properly describes what a public key infrastructure (PKI) actually is?
ISAKMP
Which of the following provides a method for implementing a key exchange protocol?
c. virtual machine manager (VMM)
Which of the following requires an underlying operating system in order to create and manage virtual machines? Select one: a. Virtual PBX b. Virtual Switch c. virtual machine manager (VMM) d. hypervisor
b. snapshot
Which of the following terms describe a point-in-time backup of a virtual machine? Select one: a. full backup b. snapshot c. differential backup d. system state backup
00:07:e9:7c:c8:aa
Which of the following would be a valid MAC address?
Shoulder-to-waist geometry
Which one is not commonly used as a biometric?
NAT
Which protocol translates private (nonroutable) IP addresses into public (routable) IP addresses?
Possible information from scanning
Which systems are active; what services are available/listening; what operating system is in use; which version of an application is running; which users have an account on the system and which are active; what the security configuration/settings are; whether certain patches have been installed; information about specific vulnerabilities; possibly whether a specific exploit will be successful
False
While NIDS are able to detect activities such as port scans and brute force attacks, it is unable to detect tunneling. True or False
It is broadcast in every beacon frame
While the SSID provides some measure of authentication, why is it not very effective?
They can bring malicious code past other security mechanisms
Why can USB flash drives be a threat?
Sabotage of the AC unit would make the computers overheat and shut down.
Why is HVAC important to computer security?
It's easy
Why is attacking wireless networks so popular ?
If enrollment is not done carefully, false positives will increase.
Why is enrollment important to biometrics?
Because physical access defeats nearly all network security measures.
Why is physical security so important to good network security?
They are the eyes and ears of the corporation when it comes to security.
Why should security guards get cross-training in network security?
To make sure all data encryption keys are available for the company if and when it needs them
Why would a company implement a key archiving and recovery system within the organization?
If the private key had been compromised.
Why would a digital certificate be added to a certificate revocation list (CRL)?
Spam filtering
Windows Defender does all of the following EXCEPT: - Spyware detection and removal - Real-time malware protection - Spam filtering - Examine programs running on your computer
False
Windows Defender is new, personal firewall software included in Vista. True or False
All users and devices within an environment trust the CA, which allows them to indirectly trust each other.
Within a PKI environment, where does the majority of the trust actually lie?
analysis engine
Within an IDS, the _________________ examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database.
Created
XKMS allows certificates to be all of the following except:
Internet content filter
Your boss is concerned about employees viewing inappropriate or illegal web sites in the workplace. Which device would be the best at addressing this concern? - Antivirus - Firewall - Protocol analyzer - Internet content filter
An active HIDS
Your boss would like you to implement a network device that will monitor traffic and turn off processes and reconfigure permissions as necessary. To do this you would use - A firewall - A sniffer - A passive HIDS - An active HIDS
Personal firewalls
Zone Alarm, Windows ICF, and iptables are all examples of - Antivirus - Antispyware - Antispam - Personal firewalls
Application Layer Proxies
[Firewall Related] Examines the content of the traffic as well as the ports and IP addresses. For example, an application layer has the ability to look inside a user's web traffic, detect a malicious website attempting to download malware to the user's system, and block the malware.
Stateful Packet Filtering
[Firewall Related] Looks at each packet entering or leaving, but it can examine the packet in its relation to other packets. Stateful firewalls keep track of network connections and can apply slightly different rule sets based on whether the packet is part of an established session or not.
Access Control Lists (ACLs)
[Firewall Related] Simple rule sets that are applied to port numbers and IP addresses. They can be configured for inbound and outbound traffic and are most commonly used on routers and switches.
Basic Packet Filtering
[Firewall Related] looks at each packet entering or leaving the network and then either accepts the packet or rejects the packet based on user-defined rules. Each packet is examined separately.
IPSEC
_____________ is a protocol used to secure IP packets during transmission across a network. It offers authentication, integrity, and confidentiality services. It uses Authentication Headers (AHs) and Encapsulating Security Payload (ESP) to accomplish this functionality.
Baselining
______________ is the process of establishing a system's security state.
network segmentation
______________ is the use of the network architecture to limit communication between devices.
key escrow
________________ is the process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises.
port mirroring
_________________ allows administrators to send all traffic passing through a network switch to a specific port on the switch.
run levels
__________________ are used to describe the state of init and what system services are operating in UNIX systems.
mandatory access control (MAC)
__________________ describes a system where every resource has access rules set for all of the time.
X.509
__________________ is a format that has been adopted to standardize digital certificates.
context-based signatures
__________________ is a technique to match an element against a large set of patterns and use activity as a screening element.
workstation
____________________ is a name for the typical computer a user uses on a network.
single sign-on (SSO)
_____________________ is an authentication process where the user can enter their user ID (or username) and password and then be able to move from application to application or resource to resource without having to supply further authentication information.
ISAKMP
______________________ is a key management and exchange protocol used with IPsec.
CCTV
_______________________ is a system where the camera and monitor are directly linked.
Suricata
________________________ is a new entry in the IDS toolset as a replacement for Snort.
Pretty Good Privacy (PGP)
________________________ is a popular encryption program that has the ability to encrypt and digitally sign e-mail and files.
role-based access control (RBAC)
_________________________ is designed around the type of tasks people perform.
Kerberos
__________________________ is an authentication model designed around the concept of using tickets for accessing objects.
USB devices
___________________________ include MP3 players and flash drives.
Network Address Translation (NAT)
___________________________ is the protocol that allows the use of private, internal IP addresses for internal traffic and public IP addresses for external traffic.
LiveCD
___________________________ prevent an attacker from making the machine boot off the DVD drive.
layered access
____________________________ forces a user to authenticate again when entering a more secure area.
biometrics
____________________________ is the measurement of unique biological properties, like the fingerprint.
geo-tagging
_____________________________ is a feature that can disclose a user's position when sharing photos.
Bridge
a circuit consisting of two branches (4 arms arranged in a diamond configuration) across which a meter is connected
Cable
a conductor for transmitting electrical or optical signals or electric power
Router
a device that forwards data packets between computer networks
Honeynet
a group of honeypots
IP Address
a number that uniquely identifies each computer or device connected to the internet
Packet
a small segment of data that is bundled for sending over transmission media. Each packet contains the address of the computer or peripheral device to which it is being sent
MAC Address
also called physical address. a permanent address given to each network interface card (NIC) at the factory
IPv6
an Internet layer protocol that uses 128-bit addresses and is gradually replacing IPv4
7. Within an IDS, the ______ examines the collected network traffic and compares it to known pattern of suspicious or malicious activity stored in the signature database
analysis engine
5. An IDS that looks for unusual or unexpected behavior is using a(n)______
anomaly detection model
8. Preventative intrusion detection systems:
are designed to stop malicious activity from occurring
Fragmentation Scanning -
break scan up into several smaller packets. This may result in being able to hide the scan from firewalls and IDS
Non-Technical Spoofing: Social engineering
call target and pretend to be somebody else (e.g. call help desk as new user)
4. Which of the following is not a capability of network based IDS?
can decrypt and read encrypted traffic
4. A(n)_______ Looks at certain strings of characters inside a TCP packet.
content based signature
9. ___________is a technique to match an element against a large set of patterns and use activity as a screening element.
context based signature
Switch
control consisting of a mechanical or electrical or electronic device for making or breaking or changing the connections in a circuit
A ________________ is used when independent CAs establish peer to peer trust relationships.
cross-certification certificate
RFC 793
defines how TCP will react to FIN, ACK, and SYN packets.
Vulnerability Scanners: Freeware scanners:
developed and released "in the community"
Vulnerability Scanners: Commercial scanners:
developed and sold by companies (e.g. ISS and Cisco). Due to development time, often lag freeware scanners
Non-Technical Spoofing: reverse social engineering
generally harder to accomplish. Get somebody to call you (e.g. send target users a post card congratulating them on purchase of new computer, promise them 5 hours of free tech support and provide them a number—yours—to call)
3. An attacker scanning a network full of inviting, seemingly vulnerable targets might actually be scanning a(n)______where the attackers every move can be watched and monitored by security administrators.
honeypot
A ________ is a network typically smaller in terms of size and geographic coverage and consist of two or more connected devices. Home or office networks are typically classified as this type of network. - local area network - office area network - wide area network - internal area network
local area network
Vulnerability Scanners: General-purpose scanners:
look for a wide range of vulnerabilities on a large number of operating systems and applications. Often used in a security audit
Recognize Scanning: firewall and router logs
look for multiple rejections or access violations coming from the same source or group of sources
Honeypots are based on the concept of:
luring attackers away from legitimate systems by presenting more tempting or interesting systems that, in most cases, appear to be easy targets
Recognize Scanning: intrusion detection systems
most IDS contain built-in methods for examining traffic to detect scanning attempts
8. _________ is a technique where a host is queried and identified based on its response to a query.
network tap
Guessing the sequence number: non-blind spoof
no problem as you can see the responses.
UDP Scanning -
often more difficult than TCP since UDP services will not respond. If an ICMP "port unreachable" message is received, however, it is an indication the service is NOT running. If the message is NOT received...
In a ___________________, one CA is not subordinate to another CA, and there is no established trusted anchor between the CAs.
peer to peer trust model
6. ____________allows administrators to send all traffic passing through a network switch to a specific port on the switch.
port mirroring
Port Scanner
program that checks a computer's TCP/IP stack for ports that are in the LISTEN state. There are 65,535 possible ports: 1-1023 are considered "well known", 1024-49151 are called "registered ports", and 49152-65,535 are dynamic or private ports.
1. A(n) ______ is a piece of software or an integrated software/hardware system that can capture and decode network traffic.
protocol analyzer
Decoy scanning -
send a large number of spoofed packets along with your real one so they hide the real scan.
Relay or bounce scanning -
send scan through another system (proxy or forwarding gateway), may confuse/hide origin of attack
10. ____________ is a new entry in the IDS tool-set as a replacement for snort.
suricata
blind spoof
the target's responses can not be observed.
RFC 793: state is LISTEN
then first check for an RST. An incoming RST should be ignored. Second, check for an ACK. Any acknowledgment is bad if it arrives on a connection still in the LISTEN state. An acceptable reset segment should be formed for any arriving ACK-bearing segment. Third, check for a SYN; if the SYN bit is set, check the security. If the security/compartment on the incoming segment does not exactly match the security/compartment in the TCB, then send a reset and return.
sequence numbers
used to acknowledge receipt of data
Trusted relationship in UNIX: .rhost file
used to establish a trusted relationship between machines. Used by rlogin, rsh, and rcp to determine which remote hosts and users are considered "trusted" and are allowed to access the host without supplying a password. rlogin (remote login), rsh (remote shell), rcp (remote copy)
.rhost example (one entry per line): system2; system4; system5 user2; system2 user5
user1 could log in from system2 as user1; user1 could log in from system4 as user1; user1 could log in from system5 as user2; user1 could also log in from system2 as user5
Vulnerability Scanners: Application scanners:
written to examine a specific application for vulnerabilities associated with it.
Vulnerability Scanners: Specific vulnerability scanners:
written to only check for a specific vulnerability.
Network Interface Card
A Network Interface Card (NIC) is an interface fitted inside a personal computer or network terminal which allows it to communicate with other machines over a network. The card technology will vary according to the network used, but every card on a network must have some way of uniquely identifying itself and some means of converting the signals from the computer to a form which can be transmitted over the connection.
Patch
A _________ is a more formal, large software update that may address several or many software problems. - Script - Log - Hotfix - Patch
5. An active IDS can:
A and B: respond to attacks with TCP resets; monitor for malicious activity.
Signature Database
A collection of activity patterns that have already been identified and categorized and that typically indicate suspicious or malicious activity.
Signature Database
A collection of patterns and definitions of known suspicious or malicious activity.
Honeynet
A collection of two or more honeypots.
Honeypot
A computer system or portion of a network that has been set up to attract potential intruders, in the hope that they will leave the other systems alone. Since there are no legitimate users of this system, any attempt to access it is an indication of unauthorized activity and provides an easy mechanism to spot attacks.
Network Tap
A connection to a network that allows sampling, duplication, and collection of traffic.
certificate revocation list (CRL)
A digitally signed object that lists all of the current but revoked certificates issued by a given certificate authority is called the __________________. It allows users to verify whether a certificate is currently valid even if the expiration date hasn't passed.
mantrap
A door system is designed to only allow a single person through is called a(n) _____________________.
b. Virtual PBX
A form of virtualization that eliminates telephone switching hardware is called a: Select one: a. POTS b. Virtual PBX c. ISDN d. VoIP
security association (SA)
A formal manner of describing the necessary and sufficient portions of the IPsec protocol series to achieve a specific level of protection is a(n) __________________.
Network Tap
A hardware device that can be placed inline on a network connection and that will copy traffic passing through the tap to a second set of interfaces on the tap.
Network Tap
A hardware device that can be placed inline on a network connection and that will copy traffic passing through the tap to a second set of interfaces on the tap. -Often used to sniff traffic passing between devices at the network perimeter.
Trusted relationship in UNIX: file consist of
A host name, indicating that this user is trusted when accessing the system from the specified host, or a host name followed by a login name, which indicates that the listed login name is trusted when accessing the system from the specified host
Access Control Lists (ACLs)
A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute).
False positives
A match generates a response for benign traffic
Port Mirroring
A method of monitoring network traffic. When enabled, the switch sends a copy of all network packets seen on one port.
Network Address Translation (NAT)
A method of readdressing packets in a network at a gateway point to enable the use of local nonroutable IP addresses over a public network such as the Internet.
Hub
A network device used to connect several computers to a network. Commonly used in a twisted-pair LAN. A cable runs from each computer's NIC to the hub. The hub is often connected to a router.
Firewall
A network device used to segregate traffic based on rules.
Honeynet
A network version of a honeypot, or a set of honeypots networked together
What is not a capability of network-based IDS?
A network-based IDS typically cannot decrypt and read encrypted traffic. This is one of the principal weaknesses of network-based intrusion detection systems.
HIPS
A new breed of IDS that is designed to identify and prevent malicious activity from harming a system. - Dynamic IDS - Preventive IDS - Active IDS - HIPS
datagram
A packet in an IP network is sometimes called a(n) __________________.
Describes a passive, host-based IDS?
A passive, host-based IDS runs on the local system, cannot interfere with traffic or activity on that system, and would have access to local system logs.
hardware security model (HSM)
A physical device that safeguards cryptographic keys is called a(n) ________________.
Monitor for suspicious traffic
A protocol analyzer can be used to:
Wireless Application Protocol (WAP)
A protocol for transmitting data to small handheld devices like cellular phones is the _________________.
A security association
A relationship where two or more entities define how they will communicate securely is known as what?
Intrusion Detection System (IDS)
A security system that detects inappropriate or malicious activity on a computer or network.
False
A signature database contains a list of the contents of the IP packet header's signature block, for every type of packet the IDS monitors. True or False
What does a host-based IDS monitor? - A single system - Networks - Physical intrusions into facilities - A system and all its surrounding systems
A single system
Hotfix
A small software update designed to address an urgent or specific problem is called a:
Local Area Network (LAN)
A small, typically local network covering a relatively small area such as a single floor of an office building is called a(n) ____________________________.
True
A sniffer must use a NIC in promiscuous mode; otherwise it will not see all the network traffic coming into the NIC. True or False
IDSs can be host-based, examining only the activity applicable to:
A specific system, or network-based, examining network traffic for a large number of systems
Multilayer Switch
A switch that has functions that operate at multiple layers of the OSI seven-layer model.
Port Mirroring / Switched Port Analyzer (SPAN)
A system designed to see all traffic passing through a switch or a specific VLAN(s), or all the traffic passing through other specific switch ports. The traffic is copied to a specific port, which can then support a protocol analyzer.
Network-Based IDS (NIDS)
A system for examining network traffic to identify suspicious, malicious, or undesirable behavior.
Honeypot (digital sandbox)
A system or group of systems designed to attract an attacker's attention -Allows the attacker's methods to be observed without putting real systems at risk -Activity recorded for later analysis -Affords information and additional security but requires significant cost and effort to maintain
Host-Based IDS (HIDS)
A system that looks for computer intrusions by monitoring activity on one or more individual PCs or servers
Intrusion Prevention System (IPS)
A system to identify suspicious, malicious, or undesirable activity that indicates a breach in computer security and respond automatically without specific human interaction
Intrusion Detection System (IDS)
A system to identify suspicious, malicious, or undesirable activity that indicates a breach in computer security.
Internet Content Filter
A system to protect companies or institutions from their users viewing inappropriate or illegal content.
a. bridging
A technique that gives each virtual NIC a connection to a physical NIC is called: Select one: a. bridging b. NAT c. routing d. switching
Banner grabbing
A technique used to gather information from a service that publicizes information via a banner.
Port mirroring
A technique where a mirrored port will see all the traffic passing through the switch or through a specific VLAN(s), or all the traffic passing through other specific switch ports. The network traffic is essentially copied (or mirrored) to a specific port, which can then support a protocol analyzer.
Perimeter security
A technique where more and more companies operate their computer security like a castle or military base, with attention and effort focused on securing and controlling the ways in and out—the idea being that if you could restrict and control access at the perimeter, you didn't have to worry as much about activity inside the organization.
Frame
A term referring to a data-link header and trailer, plus the data encapsulated between the header and trailer.
Kerberos
A ticket-granting server is an important element in which of the following authentication models?
Protocol Analyzer
A tool used by network personnel to identify packets and header information during network transit. The primary use is in troubleshooting network communication issues.
d. set of files
A virtual machine that is not powered on is stored as a: Select one: a. hard drive b. process in RAM c. snapshot d. set of files
certificate signing request (CSR)
A(n) ____________ is the actual request to a CA containing a public key and the requisite information needed to generate a certificate.
public key infrastructure (PKI)
A(n) ______________ is a structure that provides all of the necessary components for different types of users and entities to be able to communicate securely and in a predictable manner.
cross-certificate certificate
A(n) ______________ is used when independent CAs establish peer-to-peer trust relationships.
Hot fix
A(n) _______________ is a small software update designed to address a specific, often urgent, problem.
certificate authority (CA)
A(n) _______________ is an entity that is responsible for issuing and revoking certificates. This term is also applied to server software that provides these services.
security template
A(n) ________________ is a collection of security settings that can be applied to a system.
certificate recovery
A(n) ________________ is a holding place for individuals' certificates and public keys that are participating in a particular PKI environment.
protocol analyzer
A(n) ________________ is a piece of software or an integrated software/hardware system that can capture and decode network traffic.
content-based signatures
A(n) __________________ looks at a certain string of characters inside of a TCP packet.
hub
A(n) ___________________ repeats all data traffic across all connected ports.
service pack
A(n) ____________________ is a bundled set of software updates, fixes, and additional functions contained in a self-installing package.
network
A(n) _____________________ is a group of two or more devices linked together to share data.
subnet mask
A(n) _____________________ tells you what portion of a 32-bit IP address is being used as the network ID and what portion is being used as the host ID.
Private Branch Exchange (PBX)
A(n) ________________________ is an extension of the telephone service into a firm's telecommunications network.
false positive
A(n) _________________________ happens when an unauthorized user is allowed access.
protocol
A(n) __________________________ is an agreed-upon format for exchanging information between systems.
bridge/router
A(n) ___________________________ or _________________________ distributes traffic based on MAC addresses.
router
A(n) ____________________________ routes packets based on IP addresses.
How can users have faith that the CRL was not modified to present incorrect information? A) The CRL is digitally signed by the CA. B) The CRL is encrypted by the CA. C) The CRL is open for anyone to post certificate information to. D) The CRL is accessible only to the CA.
A) The CRL is digitally signed by the CA.
How does a user validate a digital certificate that is received from another user? A) The user first sees whether her system has been configured to trust the CA that digitally signed the other user's certificate and then validates that CA's digital signature. B) The user calculates a message digest and compares it to the one attached to the message. C) The user first sees whether her system has been configured to trust the CA that digitally signed the certificate and then validates the public key that is embedded within the certificate. D) The user validates the sender's digital signature on the message.
A) The user first sees whether her system has been configured to trust the CA that digitally signed the other user's certificate and then validates that CA's digital signature.
What steps does a user's software take to validate a CA's digital signature on a digital certificate? A) The user's software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated. B) The user's software creates a message digest for the digital signature and encrypts the message digest included within the digital certificate. If the encryption performs properly and the message digest values are the same, the certificate is validated. C) The user's software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the user can encrypt the message digest properly with the CA's private key and the message digest values are the same, the certificate is validated. D) The user's software creates a message digest for the digital signature and encrypts the message digest with its private key. If the decryption performs properly and the message digest values are the same, the certificate is validated.
A) The user's software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated.
Why would a company implement a key archiving and recovery system within the organization? A) To make sure all data encryption keys are available for the company if and when it needs them B) To make sure all digital signature keys are available for the company if and when it needs them C) To create session keys for users to be able to access when they need to encrypt bulk data D) To back up the RA's private key for retrieval purposes
A) To make sure all data encryption keys are available for the company if and when it needs them
Which protocol is responsible for resolving an IP address to a MAC address? - DNS - ARP - RARP - ICMP
ARP
Which protocol is based on transferring data in fixed-size packets? (The fixed packet sizes help ensure that no single data type monopolizes the available bandwidth.) - AppleTalk - ATM - FDDI - Token Ring
ATM
Simple rule sets that are applied to port number and IP addresses are called - Network address translation - Stateful packet filtering - Access control lists - Basic packet filtering
Access control lists
Less than two hours
According to SANS Internet Storm Center, the average survival time of an unpatched Windows PC on the Internet is - Less than two minutes - Less than two hours - Less than two days - Less than two weeks
Which of the following correctly describes the chain of custody for evidence?
Accounts for all persons who handled or had access to a specific item of evidence
Incident
Act of violating an explicit or implied security policy
False
Adding more services and applications to a system helps to harden it. True or False
Creates and administers the security policies, creates and manages domains, and connects to the managers.
Administrator
Monitors events and can perform actions within the parameters of the predefined security policies.
Agent
What are the four components of intruder alert?
Agent, Manager, Event Viewer, Administrator
A protocol analyzer can be used to: A) Troubleshoot network problems B) Collect network traffic statistics C) Monitor for suspicious traffic D) All of the above
All of the above
3. Which of the following describes a passive, host-based IDS?
All of the above. Runs on local systems, does not interact with traffic, and can look at system event and error logs.
10. A protocol analyzer can be used to:
All of the above. Troubleshoot network problems, collect network traffic statistics, and monitor for suspicious traffic.
a. development testing
All of the following are advantages to using virtualization in research and testing environments EXCEPT Select one: a. development testing b. security testing c. product testing d. hardware testing
b. requires Windows Server 2008
All of the following are characteristics of Hyper-V EXCEPT: Select one: a. simple to use b. requires Windows Server 2008 c. available for free d. Microsoft product
c. requires Linux host OS
All of the following are characteristics of VMware's ESX Server EXCEPT: Select one: a. ability to move running VMs b. automatic fault tolerance c. requires Linux host OS d. support for large storage
a. Virtual PC
All of the following are examples of hypervisors EXCEPT: Select one: a. Virtual PC b. ESX c. Oracle VM Server d. Hyper-V
c. Snes9X
All of the following are virtual machine managers EXCEPT: Select one: a. VMware Workstation b. KVM c. Snes9X d. Microsoft Virtual PC
Pop-up Blocker
Browser functionality that allows users to restrict or prevent pop-ups.
Preparation Phase - Cyber Incident Response Team (*CIRT*)
Also referred to as Cyber Security Incident Response Team (*CSIRT*) Technical skills - junior and senior staff Management and decision making authority
beacon frame
An AP uses ____________________________ to advertise its existence to potential wireless clients.
False Negative
An IDS is also limited by its signature set-it can match only activity for which it has stored patterns. Hostile activity that does not match an IDS signature and therefore goes undetected. In this case, the IDS is not generating any alarms, even though it should be, giving a false sense of security.
Misuse detection model
An IDS model where the IDS looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed to do. This reaction can be an alarm, e-mail, router reconfiguration, or TCP reset message.
anomaly detection model
An IDS that looks for unusual or unexpected behavior is using a(n) _______________________.
Public IP Address
An IP address available to the Internet.
Private IP Address
An IP address that is used on a private TCP/IP network that is isolated from the Internet.
Promiscuous Mode
A Network Interface Card (NIC) mode in which the card accepts and processes every packet it sees, regardless of its origin and destination.
Your boss would like you to implement a network device that will monitor traffic and turn off processes and reconfigure permissions as necessary. To do this you would use - A firewall - A sniffer - A passive HIDS - An active HIDS
An active HIDS
What can an active IDS do?
An active IDS can perform all the functions of a passive IDS (monitoring, alerting, reporting, and so on) with the added ability of responding to suspected attacks with capabilities such as sending TCP reset messages to the source and destination IP addresses.
respond to attacks with TCP resets monitor for malicious activity
An active IDS can:
c. system duplication
An advantage of virtualization that enables a VM to be replicated is known as: Select one: a. system recovery b. system installation c. system duplication d. system restoration
A network protocol is - An agreed upon format for exchanging or transmitting data between systems - A set of rules that employees must follow to accomplish a specific task - One of the layers of the OSI model - One of the headers in an IP packet
An agreed upon format for exchanging or transmitting data between systems
Which of the following correctly describes a message digest?
An algorithm that applies mathematical operations to a data stream to calculate a unique number based on the information contained in the data stream
honeypot
An attacker scanning a network full of inviting, seemingly vulnerable targets might actually be scanning a(n) ___________________ where the attacker's every move can be watched and monitored by security administrators.
Transport Layer Security (TLS) / Secure Sockets Layer (SSL)
An encryption capability designed to encrypt above the transport layer, enabling secure sessions between hosts, is called _______________.
After administrators have finished patching, securing, and preparing a system
An initial baseline should be performed when? - After every update to a system - Before patches are installed on a system - After administrators have finished patching, securing, and preparing a system - Every 90-120 days, as determined by local policy
Suricata
An open source IDS, begun with grant money from the U.S. government and maintained by the Open Information Security Foundation (OISF).
Suricata
An open source IDS, begun with grant money from the U.S. government and maintained by the Open Information Security Foundation (OISF). Suricata had one clear advantage over Snort 2: it supports multithreading (Snort 3 later added multithreaded packet processing).
Which component of an IDS examines the collected network traffic and compares it to known patterns of suspicious or malicious activity? - Traffic collector - Analysis engine - Signature database - Examination collector
Analysis engine
Within an IDS, the ______________ examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database.
Analysis engine
The difference between misuse and anomaly IDS models is - Misuse models require knowledge of normal activity, whereas anomaly models don't. - Anomaly models require knowledge of normal activity, whereas misuse models don't. - Anomaly models are based on patterns of suspicious activity. - Anomaly model-based systems suffer from many false negatives
Anomaly models require knowledge of normal activity, whereas misuse models don't.
The security tool that will hide information about the requesting system and make the browsing experience secret is a - Web proxy - Reverse proxy - Anonymizing proxy - Open proxy
Anonymizing proxy
Malicious code detection
Antispam does all of the following EXCEPT: - Blacklisting - Malicious code detection - Language filtering - Trapping
Block network traffic based on policies
Antivirus products do all of the following EXCEPT: - Automated updates - Media scanning - Block network traffic based on policies - Scan e-mail for malicious code and attachments
Which of the following correctly defines the exclusionary rule?
Any evidence collected in violation of the Fourth Amendment is not admissible as evidence
Preventative intrusion detection systems: A) Are cheaper B) Are designed to stop malicious activity from occurring C) Can only monitor activity D) Were the first types of IDS
Are designed to stop malicious activity from occurring
Preventative intrusion detection systems:
Are designed to stop malicious activity from occurring.
Context-based Signature
Are generally more complicated, as they are designed to match large patterns of activity and examine how certain types of activity fit into the other activities going on around them. Ex. Match a potential intruder scanning for open web servers on a specific network. Identify a ping flood attack and Identify a Nessus scan.
Content-based Signature
Are generally the simplest. They are designed to examine the content of such things as network packets or log entries. Ex. Matching the characters /etc/passwd in a Telnet session.
Digital Sandbox
Artificial environment where attackers can be contained and observed without putting real systems at risk.
IP Spoofing across the Internet
Attacker to TS2: "This is TS1, add user X to your password file." The attacker then logs in as user X. A DoS attack is launched against TS1 so it cannot respond to the forged session.
IP Spoofing on LAN
Attacker to TS2: "This is TS1, please send file A." TS2 sends the file to TS1. TS1: "I didn't ask for that?" The attacker, on the same LAN, uses a sniffer to grab the file while a DoS attack keeps TS1 from responding.
Once successful spoofing
Attempt to secure a better connection: modify the password file, or modify hosts.equiv or .rhosts. Shut down the spoofed connection (stop the DoS attack). Now log into the target host using the new account or the trusted relationship.
Pop-up Blockers
Attempts to prevent web pages from opening a new tab or window.
6. Honeypots are used to:
Attract attackers by simulating systems with open network services
Honeypots are used to: A) Attract attackers by simulating systems with open network services B) Monitor network usage by employees C) Process alarms from other IDSs D) Attract customers to e-commerce sites
Attract attackers by simulating systems with open network services
Honeypots are used to:
Attract attackers by simulating systems with open network services.
something a user possesses, something a user knows, something measured on the user (fingerprint)
Authentication is typically based upon what?
Preparation Phase - Role-based Responsibilities
Availability of team members - 24/7 response. Also worth considering members should rotate periodically to preclude the *possibility of infiltration* Roles beyond technical response Legal, HR, and Marketing
A(n) _______ class address supports 65,000 hosts on each of 16,000 networks, and allows two sections of the IP address to be devoted to host addressing. - A - B - C - D
B
WTLS ensures integrity through what device? A. Public key encryption B. Message authentication codes C. Source IP D. Digital signatures
B
What is bluejacking? A. Stealing a person's mobile phone B. Sending an unsolicited message via Bluetooth C. Breaking a WEP key D. Leaving your Bluetooth in discoverable mode
B
What is the best way to avoid problems with Bluetooth? A. Keep personal info off your phone B. Keep Bluetooth discoverability off C. Buy a new phone often D. Encryption
B
Within a PKI environment, where does the majority of the trust actually lie? A) All users and devices within an environment trust the RA, which allows them to indirectly trust each other. B) All users and devices within an environment trust the CA, which allows them to indirectly trust each other. C) All users and devices within an environment trust the CRL, which allows them to indirectly trust each other. D) All users and devices within an environment trust the CPS, which allows them to indirectly trust each other.
B) All users and devices within an environment trust the CA, which allows them to indirectly trust each other.
Why would a digital certificate be added to a certificate revocation list (CRL)? A) If the public key had become compromised in a public repository B) If the private key had become compromised C) If a new employee joined the company and received a new certificate D) If the certificate expired
B) If the private key had become compromised
Once an individual validates another individual's certificate, what is the use of the public key that is extracted from this digital certificate? A) The public key is now available to use to create digital signatures. B) The public key can now be used to encrypt messages (or session keys) sent to that individual and to verify that individual's digital signatures. C) The public key is now available to encrypt future digital certificates that need to be validated. D) The user can now encrypt private keys that need to be transmitted securely
B) The public key can now be used to encrypt messages (or session keys) sent to that individual and to verify that individual's digital signatures
7. Connecting to a server and sending a request over a known port in an attempt to identify the version of service is an example of :
Banner grabbing
Connecting to a server and sending a request over a known port in an attempt to identify the version of a service is an example of: A) Port sniffing B) Protocol analysis C) Banner grabbing D) TCP reset
Banner grabbing
firewall
Basic packet filtering occurs at the ____________________.
Web Spoofing
Basic web spoofing: register a domain name similar to the target's name. Man-in-the-middle attacks: the attacker positions himself so all traffic to the target goes through him (e.g., by compromising a router); he won't be able to read encrypted traffic, but plenty goes unencrypted. URL rewriting: change URLs on the target to point to the attacker, who then redirects.
Network traffic can also:
Be viewed using network taps, a device for replicating network traffic passing across a physical link
Host-based IPSs can provide:
Better control over specific attacks as the scope of control is limited to a host
Defending against Scanning and its effects
Block ports at your router/firewall. Block ICMP, including echo. Create a DMZ. Use bastion hosts/proxy servers. Use NAT to hide private, internal IP addresses. Remove default/sample materials. Remove unnecessary services. Restrict permissions. Change default headers (banners) associated with services. Keep applications and operating systems patched.
Total control over mobile phone
Bluebugging can give an attacker what?
Network components connected to the same cable are often called "the backbone" in which topology? - Star - Bus - Ring - Hybrid
Bus
Bluebugging can give an attacker what? A. All of your contacts B. The ability to send "shock" photos C. Total control over a mobile phone D. A virus
C
WEP has used an implementation of which of the following encryption algorithms? A. SHA B. ElGamal C. RC4 D. Triple-DES
C
While the SSID provides some measure of authentication, why is it not very effective? A. It is dictated by the manufacturer of the access point. B. It is encrypted. C. It is broadcast in every beacon frame. D. SSID is not an authentication function.
C
Why is attacking wireless networks so popular? A. There are more wireless networks than wired. B. They all run Windows. C. It's easy. D. It's more difficult and more prestigious than other network attacks.
C
When a user wants to participate in a PKI, what component does he or she need to obtain, and how does that happen? A) The user submits a certificate request to the CA. B) The user submits a key pair request to the CRL. C) The user submits a certificate request to the RA. D) The user submits proof of identification to the CA.
C) The user submits a certificate request to the RA.
Connecting to a server and sending a request over a known port in an attempt to identify the version of a service is known as an example of: a. Port Sniffing b. Protocol Analysis c. Banner Grabbing d. TCP Reset
C. Banner Grabbing
An active IDS can : a. Respond to attacks with TCP resets b. Monitor for malicious activity c. A and B d. None
C. a and b
Proxy Server
Can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile web sites.
Advantages of HIDS 1. operating system 2. false-positive 3. decrypted 4. application 5. alarm
Can be very o______ s_____-specific Can reduce f____-p______ rates Can examine data after it has been d______ Can be very a_______ specific Can determine how an a____ will impact a system
Which of the following is not a capability of network-based IDS? A) Can detect denial-of-service attacks B) Can decrypt and read encrypted traffic C) Can decode UDP and TCP packets D) Can be tuned to a particular network environment
Can decrypt and read encrypted traffic
Ping Sweep useful
Can still be effective for insiders or attackers who have been able to penetrate at least one system
Protocol analyzers, often called sniffers, are tools that:
Capture and decode network traffic
Unshielded Twisted-Pair (UTP)
Cat 5 is an example of _______________________ cable.
The _________________ is the trusted authority for certifying individuals' identities and creating an electronic document indicating that individuals are who they say they are.
Certificate Authority
A _____________________ is a holding place for individuals certificates and public keys that are participating in a particular PKI environment.
Certificate Repositories
A _____________________ is the actual service that issues certificates based on the data provided during the initial registration process.
Certificate server
A ___________________ is the actual request to a CA containing a public key and the requisite information needed to generate a certificate.
Certificate signing request
CIDR
Classless Inter-Domain Routing: a method for assigning IP addresses represented as A.B.C.D/n, where "/n" is called the IP prefix or network prefix (the number of leading bits that identify the network).
3-way handshake
The client sends a TCP SYN packet with an initial sequence number. The server responds with its own sequence number and an acknowledgement (SYN/ACK). The client acknowledges receipt by sending a packet (ACK) with the server's number plus one.
one
Coaxial cable carries how many physical channels?
Traffic Collector
Collects activity/events for the IDS to examine. On HIDS this could be log files, audit logs, or traffic coming to or leaving a specific system. On NIDS this is typically a mechanism for copying traffic off the network link basically functioning as a sniffer.
Traffic Collector (or sensor)
Collects activity/events for the IDS to examine. On a HIDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a NIDS, this is typically a mechanism for copying traffic off the network link, functioning like a sniffer. This component is often referred to as a sensor.
Traffic Collector
Collects activity/events for the IDS to examine. On a HIDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a NIDS, this is typically a mechanism for copying traffic off the network link, basically functioning as a sniffer.
Heuristic scanning looks for:
Commands or instructions that are not normally found in application programs.
Which of the following is a benefit that Network Address Translation (NAT) provides - Compensates for the lack of IP addresses - Allows devices using two different protocols to communicate - It creates a DMZ - Translates MAC addresses to IP addresses
Compensates for the lack of IP addresses
Perimeter Security
Computer security like a castle or military base, with attention and effort focused on securing and controlling the ways in and out.
Encryption Devices
Computers or specialized adapters inserted into other devices, such as routers or servers, that perform encryption.
Banner grabbing
Connecting to a server and sending a request over a known port in an attempt to identify the version of a service is an example of:
Guessing the sequence number: binding spoof
Contact the target and attempt several connections. The target will respond with a sequence number for each. Analyze the responses to determine the pattern the target uses for incrementing.
IDSs match patterns known as signatures that can be:
Content- or context-based. Some IDSs are model-based and alert an administrator when activity does not match normal patterns (anomaly-based) or when it matches known suspicious or malicious patterns (misuse detection)
True
Content-based signatures detect character patterns and TCP flag settings. True or False
2. What are the two main types of IDS signatures?
Context-based and content-based
What are the two main types of IDS signatures? A) Network-based and file-based B) Context-based and content-based C) Active and reactive D) None of the above
Context-based and content-based
______________________ is a technique to match an element against a large set of patterns and use activity as a screening element.
Context-based signatures
Honeypots are used to: A) Attract attackers by simulating systems with open network services B) Monitor network usage by employees C) Process alarms from other IDSs D) Attract customers to e-commerce sites
Correct Answer: A
What are the two main types of intrusion detection systems? A) Network-based and host-based B) Signature-based and event-based C) Active and reactive D) Intelligent and passive
Correct Answer: A
Preventative intrusion detection systems: A) Are cheaper B) Are designed to stop malicious activity from occurring C) Can only monitor activity D) Were the first types of IDS
Correct Answer: B
What was the first commercial, network-based IDS product? A) Stalker B) NetRanger C) IDES D) RealSecure
Correct Answer: B
Which of the following is not a capability of network-based IDS? A) Can detect denial-of-service attacks B) Can decrypt and read encrypted traffic C) Can decode UDP and TCP packets D) Can be tuned to a particular network environment
Correct Answer: B
Windows Defender is available with every version of the Windows operating system. A) True B) False
Correct Answer: B
An active IDS can: A) Respond to attacks with TCP resets B) Monitor for malicious activity C) A and B D) None of the above
Correct Answer: C
Egress filtering is used to detect spam that is: A) Coming into an organization B) Sent from known spammers outside your organization C) Leaving an organization D) Sent to mailing lists in your organization
Correct Answer: C
IPS stands for: A) Intrusion processing system B) Intrusion prevention sensor C) Intrusion prevention system D) Interactive protection system
Correct Answer: C
A protocol analyzer can be used to: A) Troubleshoot network problems B) Collect network traffic statistics C) Monitor for suspicious traffic D) All of the above
Correct Answer: D
Heuristic scanning looks for: A) Normal network traffic patterns B) Viruses and spam only C) Firewall policy violations D) Commands or instructions that are not normally found in application programs
Correct Answer: D
What are the three types of event logs generated by Windows 2003 and Vista systems? A) Event, Process, and Security B) Application, User, and Security C) User, Event, and Security D) Application, System, and Security
Correct Answer: D
Which of the following describes a passive, host-based IDS? A) Runs on the local system B) Does not interact with the traffic around it C) Can look at system event and error logs D) All of the above
Correct Answer: D
Which of the following is not a type of proxy? A) Reverse B) Web C) Open D) Simultaneous
Correct Answer: D
What are the two main types of IDS signatures? A) Network-based and file-based B) Context-based and content-based C) Active and reactive D) None of the above
Correct Answer: B
How does 802.11n improve network speed? A. Wider bandwidth B. Higher frequency C. Multiple-input multiple-output (MIMO) D. Both A and C
D
What element does not belong in a mobile device security policy in an enterprise employing BYOD? A. Separation of personal and business-related information B. Remote wiping C. Passwords and screen locking D. Mobile device carrier selection
D
Which of the following properly describes what a public key infrastructure (PKI) actually is? A) A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services B) An algorithm that creates public/private key pairs C) A framework that outlines specific technologies and algorithms that must be used D) A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services
D) A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services
What is the purpose of a digital certificate? A) It binds a CA to a user's identity. B) It binds a CA's identity to the correct RA. C) It binds an individual to an RA. D) It binds an individual to a public key.
D) It binds an individual to a public key.
Define Production
Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.
False
Deploying, maintaining, and upgrading host-based IDSs in a large network is cheaper than NIDSs. True or False
Which of the following correctly describes the minimum contents of an evidence control log book?
Description, Investigator, Case #, Date, Time, Location, Reason
Antispam
Designed to reduce the amount of electronic junk mail or "spam"
Host-based IDS (HIDS)
Detailed information about one device -Traffic into and out of device -Logs
Define Presentation
Displaying ESI before audiences (at depositions, hearings, trials, etc.), especially in native & near-native forms, to elicit further information, validate existing facts or positions, or persuade an audience.
Subnetting
Dividing a network address space into smaller, separate networks is called what?
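The CIDR, subnetting and private-address cards above describe prefix arithmetic in words. The following is an added Python example, not from the original flashcards, that does the A.B.C.D/n arithmetic by hand: network, mask, broadcast and usable-host count, carving a block into subnets, and the RFC 1918 private-range check. The prefixes in the demo and the tests are constructed sample input; the standard-library ipaddress module is used only to cross-check the bit arithmetic.

```python
"""CIDR arithmetic by hand: network, mask, broadcast, usable hosts,
carving a block into subnets, and the RFC 1918 private-range check.

Added example, not from the original flashcards. The prefixes in the demo
and the tests are constructed sample input; the standard-library ipaddress
module is used only to cross-check the hand-rolled bit arithmetic.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr):
    """A.B.C.D/n -> (address as int, prefix length n, netmask as int)."""
    ip, _, n = cidr.partition("/")
    n = int(n)
    if not 0 <= n <= 32:
        raise ValueError(f"bad prefix length: {n}")
    mask = (MASK32 << (32 - n)) & MASK32   # n one-bits followed by 32-n zero-bits
    return ip_to_int(ip), n, mask


def describe(cidr):
    addr, n, mask = parse_cidr(cidr)
    network = addr & mask
    broadcast = network | (~mask & MASK32)
    size = 1 << (32 - n)
    # /31 (point-to-point) and /32 have no separate network/broadcast addresses.
    usable = size - 2 if n <= 30 else size
    return {"network": int_to_ip(network), "mask": int_to_ip(mask),
            "broadcast": int_to_ip(broadcast), "usable_hosts": usable}


def subnets(cidr, new_prefix):
    """Split cidr into equal blocks of length new_prefix (the subnetting step)."""
    addr, n, mask = parse_cidr(cidr)
    if new_prefix < n or new_prefix > 32:
        raise ValueError("new prefix must be between the original prefix and 32")
    base, block = addr & mask, 1 << (32 - new_prefix)
    return [f"{int_to_ip(base + i * block)}/{new_prefix}" for i in range(1 << (new_prefix - n))]


PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918


def in_block(ip, cidr):
    addr, _, mask = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == (addr & mask)


def is_private(ip):
    return any(in_block(ip, block) for block in PRIVATE_BLOCKS)


if __name__ == "__main__":
    for cidr in ("192.168.10.77/26", "172.16.0.0/16"):
        mine, ref = describe(cidr), ipaddress.ip_network(cidr, strict=False)
        assert mine["network"] == str(ref.network_address)
        assert mine["broadcast"] == str(ref.broadcast_address)
        print(cidr, mine)
    print(subnets("10.0.0.0/24", 26))
    print("172.31.255.1 private:", is_private("172.31.255.1"))
```

The "/16" case reproduces the class B figure from the address-class card (65,534 usable hosts), and the 172.16.0.0/12 check shows why 172.32.0.1 is public while 172.31.255.1 is private: the mask is 255.240.0.0, not a whole octet.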
Which of the following describes a passive, host-based IDS? A) Runs on the local system B) Does not interact with the traffic around it C) Can look at system event and error logs D) All of the above
Does not interact with the traffic around it
Which of the following correctly defines the process of acquiring evidence?
Dump the memory, power down the system, create an image of the system, and analyze the image
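The evidence cards above (chain of custody, the minimum contents of an evidence control log, and the acquire-then-analyze order) are procedural. The following is an added Python example, not from the original flashcards, that ties them together: it hashes a constructed "image" in chunks the way an imaging tool does, then keeps an append-only custody log whose entries carry the listed fields and are chained by SHA-256 so that any later edit is detectable. The hash-chain layout, the field names and the log entries are this example's own assumptions, not a prescribed forensic format.

```python
"""Imaging hash plus a hash-chained chain-of-custody log.

Added example, not from the original flashcards. The "disk image" is a
constructed byte string, the log entries are invented, and the hash-chain
layout (each entry commits to the previous entry's hash) is this example's
own design, not a prescribed forensic format.
"""
import hashlib
import json

# The minimum fields the flashcards list for an evidence control log book.
FIELDS = ("description", "investigator", "case_no", "date", "time", "location", "reason")


def image_hash(data, chunk_size=4096):
    """Hash the image in chunks, as an imaging tool does while copying, so the
    digest can later prove the copy has not changed."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


class CustodyLog:
    """Append-only log: entry i's hash covers entry i-1's hash, so editing or
    dropping any earlier entry breaks every hash after it."""

    def __init__(self):
        self.entries = []

    def add(self, **fields):
        missing = [f for f in FIELDS if f not in fields]
        if missing:
            raise ValueError(f"entry missing required fields: {missing}")
        entry = {f: fields[f] for f in FIELDS}
        entry["prev_hash"] = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry["hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of
        the first entry whose recorded hash or link no longer matches)."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or self._hash_entry(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def demo():
    image = b"\x00" * 10_000 + b"SAMPLE-IMAGE" + b"\xff" * 10_000   # constructed
    log = CustodyLog()
    log.add(description=f"dd image of suspect laptop, sha256={image_hash(image)}",
            investigator="J. Doe", case_no="2024-017", date="2024-03-01", time="09:15",
            location="Lab A, safe 2", reason="acquisition")
    log.add(description="same image, copied to analysis workstation", investigator="J. Doe",
            case_no="2024-017", date="2024-03-01", time="13:40", location="Lab A, ws-3",
            reason="analysis")
    intact = log.verify()
    log.entries[1]["location"] = "Lab B"      # an after-the-fact edit
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())   # ((True, None), (False, 1))
```

Recording the image digest in the first entry is what lets the analyst prove, at any later handoff, that the copy being examined is the one that was acquired; the chained entry hashes do the same job for the log itself.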
Scans outgoing mail to catch spam
Egress filtering - Scans incoming mail to catch spam - Scans outgoing mail to catch spam - Messages are scanned for specific words or phrases - Filters out POP traffic
Services server, Kerberos realm, ticket authentications
Elements of Kerberos include which of the following?
What must you do in order to sniff the traffic on all ports on a switch? - Nothing; you can see all the traffic on a switch by default. - Nothing; a switch does not allow you do see all traffic. - Enable port mirroring. - Run a cable to each port.
Enable port mirroring.
Define Preservation
Ensuring that ESI is protected against inappropriate alteration or destruction.
Define Analysis
Evaluating ESI for content & context, including key patterns, topics, people & discussion.
Define Review
Evaluating ESI for relevance & privilege.
Displays events captured by the agents.
Event Viewer
Which of the following correctly defines the hearsay rule?
Evidence not from the personal knowledge of a witness
Network-based IDS (NIDS)
Examines activity on the network itself. It has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.
Analysis Engine
Examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database. The analysis engine is the "brains" of the IDS.
Which of the following is the least rigorous investigative method?
Examining the suspect system using its software without verification
Which of the following is NOT a component of an IDS? - Traffic collector - Signature database - Expert knowledge database - User interface and reporting
Expert knowledge database
The network that is an extension of a selected portion of a company's intranet to external partners is referred to as the - DMZ - Intranet - Extranet - Internet
Extranet
Address Resolution Protocol resolves a MAC address to an IP address. True or False
False
Hostile activity that does not match an IDS signature and goes undetected is called a false positive. True or False
False
ICMP is a connection-oriented protocol. True or False
False
Network-based IDS examines activity on a system such, as a mail server or web server. True or False
False
Networks without any architecture are considered to be poor. True or False
False
TCP is connectionless and has lower overhead than UDP. True or False
False
The misuse detection IDS model is more difficult to implement than the anomaly detection model, and is not as popular as a result. True or False
False
UDP uses a three-way handshake to establish connections. True or False
False
While NIDS are able to detect activities such as port scans and brute force attacks, it is unable to detect tunneling. True or False
False
When an IDS generates an alarm on "normal" traffic that is actually not malicious or suspicious, that alarm is called a _______________.
False Positive
2. When an IDS generates an alarm on "normal" traffic that is actually not malicious or suspicious, that alarm is called a(n)_______
False positive
Switched Port Analyzer (SPAN)
Feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer.
Read, write, and execute
File permissions under UNIX consist of what three types?
Stateful packet inspection, port blocking to deny specific services, NAT to hide internal IP addresses
Firewalls can use which of the following in their operation?
Define Collection
Gathering ESI for further use in the e-discovery process (processing, review, etc.).
IP Spoofing Prevention Tip
General rule of thumb: Don't have any trusted relationships if you can help it. Don't accept packets from outside of your network that claim to be originating from inside of your network.
Context-based Signatures
Generally the more complicated of the signatures. They are designed to match large patterns of activity and examine how certain types of activity fit into other activities going on around them. -Address "How do these events compare to other events that have already happened or might happen in the near future?" -Must be able to "remember" past events to match certain context signatures.
Context-Based Signature
Generally more complicated. Designed to match large patterns of activity and examine how certain types of activity fit into the other activities going on around them.
Content-based Signatures
Generally the simplest of Signatures. Designed to examine the content of such things as network packets or log entries. -Typically easy to build and look for simple things, such as certain string of characters or a certain flag set in a TCP packet.
Content-Based Signature
Generally the simplest. Designed to examine the content of such things as network packets or log entries.
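The content-based and context-based signature cards above (the /etc/passwd Telnet match, the port-scan and ping-flood examples, and the "must remember past events" point) describe what an IDS analysis engine does with collector output. The following is an added Python example, not from the original flashcards or any IDS product, that runs one content signature and two context signatures over constructed packet records. The event format, the signature names, the windows and the thresholds are this example's own assumptions.

```python
"""Toy IDS analysis engine with a content-based and two context-based signatures.

Added example, not from the original flashcards. The event records, the
signature names and the thresholds below are constructed for illustration.
"""
from collections import defaultdict

# Constructed "traffic collector" output: one dict per observed packet.
EVENTS = [
    {"t": 0.0, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "dport": 23,
     "flags": "PA", "payload": b"cat /etc/passwd\r\n"},
    {"t": 0.1, "src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "dport": 80,
     "flags": "PA", "payload": b"GET / HTTP/1.1\r\n"},
]
# Ten SYNs from one source to ten different ports within half a second: a port scan.
EVENTS += [{"t": 1.0 + i * 0.05, "src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp",
            "dport": 20 + i, "flags": "S", "payload": b""} for i in range(10)]
# Thirty ICMP echo requests (type 8) from one source within 1.5 s: a ping flood.
EVENTS += [{"t": 3.0 + i * 0.05, "src": "10.0.0.11", "dst": "10.0.0.20", "proto": "icmp",
            "dport": None, "flags": "", "payload": b"\x08\x00"} for i in range(30)]

# Signature database.
CONTENT_SIGNATURES = [
    # (name, protocol, destination port, byte pattern to find in the payload)
    ("telnet-etc-passwd", "tcp", 23, b"/etc/passwd"),
]
CONTEXT_SIGNATURES = {
    # name: (window in seconds, threshold)
    "tcp-port-scan": (2.0, 8),     # >= 8 distinct ports SYN'd by one source in 2 s
    "icmp-ping-flood": (2.0, 25),  # >= 25 echo requests from one source in 2 s
}


def match_content(event):
    """Content signature: judge this packet on its own bytes."""
    return [(name, event["src"])
            for name, proto, dport, pattern in CONTENT_SIGNATURES
            if event["proto"] == proto and event["dport"] == dport
            and pattern in event["payload"]]


class ContextEngine:
    """Context signatures must remember recent events per source address."""

    def __init__(self):
        self.syns = defaultdict(list)    # src -> [(t, dport), ...]
        self.echoes = defaultdict(list)  # src -> [t, ...]
        self.fired = set()               # (signature, src) already alerted

    @staticmethod
    def _recent(items, now, window, key=lambda x: x):
        return [x for x in items if now - key(x) <= window]

    def _alert(self, name, src):
        if (name, src) in self.fired:
            return []
        self.fired.add((name, src))
        return [(name, src)]

    def observe(self, event):
        now, src = event["t"], event["src"]
        if event["proto"] == "tcp" and event["flags"] == "S":
            window, threshold = CONTEXT_SIGNATURES["tcp-port-scan"]
            self.syns[src] = self._recent(self.syns[src], now, window, key=lambda x: x[0])
            self.syns[src].append((now, event["dport"]))
            if len({p for _, p in self.syns[src]}) >= threshold:
                return self._alert("tcp-port-scan", src)
        elif event["proto"] == "icmp" and event["payload"][:1] == b"\x08":
            window, threshold = CONTEXT_SIGNATURES["icmp-ping-flood"]
            self.echoes[src] = self._recent(self.echoes[src], now, window)
            self.echoes[src].append(now)
            if len(self.echoes[src]) >= threshold:
                return self._alert("icmp-ping-flood", src)
        return []


def analyze(events):
    """Analysis engine: run every event through both signature types, in time order."""
    engine = ContextEngine()
    alerts = []
    for event in sorted(events, key=lambda e: e["t"]):
        alerts += match_content(event)
        alerts += engine.observe(event)
    return alerts


if __name__ == "__main__":
    for name, src in analyze(EVENTS):
        print(f"ALERT {name} from {src}")
```

The content signature needs no state at all; both context signatures need a per-source history trimmed to a time window, which is the "must remember past events" property the cards describe. Note the false-negative caveat from the other cards: a scan slower than the window, or a Telnet session that fetches the file under another name, never alerts, and the thresholds trade false positives against false negatives.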
Trust vs. Authentication
Generally these two have an inverse relationship: if a high degree of trust exists between two machines, the amount of authentication is low. If little trust exists between the machines, a great deal of authentication is required.
Passive NIDS
Generates an alarm when it matches a pattern and does not interact with the traffic in any way
Define Information Management
Getting your electronic house in order to mitigate risk & expenses should e-discovery become an issue, from initial creation of electronically stored information through its final disposition.
Transport Layer
Provides end-to-end delivery of data across the network. TCP uses the mechanism of acknowledgements to guarantee the transmission of data across the network; UDP, also at this layer, offers no such guarantee.
What intrusion detection method works in harmony with AIDS?
HIDS
A new breed of IDS that is designed to identify and prevent malicious activity from harming a system. - Dynamic IDS - Preventive IDS - Active IDS - HIPS
HIPS
True
Hardening applications is similar to hardening operating systems, in that you remove functions that are not needed, restrict access where you can, and make sure the application is up to date with patches. True or False
A physical device that safeguards cryptographic keys is called a ____________________.
Hardware security module
What device would you use to attract potential attacks, so that you could safely monitor the activity and discover the intentions of the attacker? - Firewall - Antivirus - IDS - Honeypot
Honeypot
attract attackers by simulating systems with open network services
Honeypots are used to:
Name the three intrusion detection methods
Host-based IDS (HIDS) Network-based IDS (NIDS) Application-based IDS (AIDS)
False
Hostile activity that does not match an IDS signature and goes undetected is called a false positive. True or False
True
Hotfixes are usually smaller than patches, and patches are usually smaller than service packs. True or False
The CRL is digitally signed by the CA
How can users have faith that the CRL was not modified to present incorrect information?
Wider bandwidth and multiple-input multiple-output (MIMO)
How does 802.11n improve network speed?
IPS will block, reject, or redirect unwanted traffic; an IDS will only alert.
How does IPS differ from an IDS? - IPS is passive and IDS is active. - IPS uses heuristics and IDS is signature based. - IPS will block, reject, or redirect unwanted traffic; an IDS will only alert. - IDS will block, reject, or redirect unwanted traffic; an IPS will only alert.
The user first sees whether her system has been configured to trust the CA that digitally signed the other user's certificate and then validates that CA's signature.
How does a user validate a digital certificate that is received from another user?
By using a combination of authentication, it is more difficult for someone to gain illegitimate access
How does multiple-factor authentication improve security?
Stateful packet filtering looks at the packets in relation to other packets
How does stateful packet filtering differ from basic packet filtering? - Stateful packet filtering looks only at each packet individually. - Stateful packet filtering looks at the packets in relation to other packets. - Stateful packet filtering looks at the destination address. - Stateful packet filtering looks at the source address.
Lessons Learned
How was the incident allowed to develop? How could it be prevented/reduced in impact? Was incident response adequate? What could be improved? Reporting - may be required by regulators. Reassure suppliers, customers, and users
Packet delivery to distant systems is usually accomplished by the use of - MAC addresses - Domain names - IP Addresses - ARP protocol
IP Addresses
IP Spoofing Email Spoofing Web Spoofing Non-technical Spoofing
IP Spoofing - an attacker uses an IP address of another computer to acquire info. Email Spoofing - involves spoofing the from address of an email. Web Spoofing - a site may not be what it appears to be or what its URL would imply it is. Non-technical Spoofing - concentrates on compromising the human element of a company.
Intrusion prevention system
IPS stands for:
ESP and AH
IPsec provides which options as security services?
Steps of spoofing attack
Identify the target of the attack (a system with a trusted relationship with another). "Eliminate" (DOS attack) the host you wish to spoof. Forge the address of the host being spoofed in your packet to be sent to the target. Send the spoofed packet to the target. Keep the connection active by guessing the correct sequence number used by the target machine.