Network Defense and Countermeasures - SEC 210 - Intrusion Detection

What is a digital signature? A. A piece of encrypted data added to other data to verify the sender B. A scanned-in version of your signature, often in .jpg format C. A signature that is entered via a digital pad or other device D. A method for verifying the recipient of a document

A. A piece of encrypted data added to other data to verify the sender

What tool does McAfee Personal Firewall offer? A. A visual tool to trace attacks B. NAT C. Strong encryption D. Vulnerability scanning

A. A visual tool to trace attacks

Which of the following has three different key sizes it can use? A. AES B. DES C. Triple DES D. IDEA

A. AES AES specifies three key sizes: 128, 192, and 256 bits. By comparison, DES keys are 56 bits long, and Blowfish allows varying lengths up to 448 bits. AES uses a block cipher.

Which type of encryption is included with the T Series? A. AES and 3DES B. WEP and DES C. PGP and AES D. WEP and PGP

A. AES and 3DES Advanced Encryption Standard (AES) Data Encryption Standard (DES)

Which type of IDS is the Cisco Sensor? A. Anomaly detection B. Intrusion deflection C. Intrusion deterrence D. Anomaly deterrence A sensor is the IDS component that collects data and passes it to the analyzer for analysis.

A. Anomaly detection Anomaly detection involves actual software that works to detect intrusion attempts and notify the administrator. This is what many people think of when they talk about intrusion-detection systems.

Which of the following is a recommended configuration of a firewall to defend against DoS attacks? A. Block ICMP packets that originate outside the network B. Block all incoming packets C. Block all ICMP packets D. Block TCP packets that originate outside the network

A. Block ICMP packets that originate outside the network

Which of the following is an important feature of D-Link 2560? A. Built-in IDS B. WEP encryption C. Vulnerability scanning D. Liberal licensing policy

A. Built-in IDS

Which of the following is a benefit of Cisco firewalls? A. Extensive training available on the product B. Very low cost C. Built-in IDS on all products D. Built-in virus scanning on all products

A. Extensive training available on the product

What is the best method of defending against IP spoofing? A. Installing a router/firewall that blocks packets that appear to be originating within the network B. Installing a router/firewall that blocks packets that appear to be originating from outside the network C. Blocking all incoming TCP traffic D. Blocking all incoming ICMP traffic

A. Installing a router/firewall that blocks packets that appear to be originating within the network

Attempting to make your system appear less appealing is referred to as what? A. Intrusion deterrence B. Intrusion deflection C. System camouflage D. System deterrence

A. Intrusion deterrence Intrusion deterrence involves simply trying to make the system seem like a less palatable target. In short, an attempt is made to make any potential reward from a successful intrusion attempt appear more difficult than it is worth. The other tactic in this methodology involves raising the perceived risk of a potential intruder being caught. This can be done in a variety of ways, including conspicuously displaying warnings and warning of active monitoring.

IDS is an acronym for: A. Intrusion-detection system B. Intrusion-deterrence system C. Intrusion-deterrence service D. Intrusion-detection service

A. Intrusion-detection system An IDS is designed to detect signs that someone is attempting to breach a system and to alert the system administrator that suspicious activity is taking place.

Why is the method XOR, used for a simple encryption, not secure? A. It does not change letter or word frequency. B. The mathematics are flawed. C. It does not use a symmetric key system. D. The key length is too short.

A. It does not change letter or word frequency.

Which of the following is the primary weakness in the Caesar cipher? A. It does not disrupt letter frequency. B. It does not use complex mathematics. C. It does not use a public key system. D. There is no significant weakness; the Caesar cipher is adequate for most encryption uses.

A. It does not disrupt letter frequency.

What is one complexity found in enterprise environments that is unlikely in small networks or SOHO environments? A. Multiple operating systems B. Diverse user groups C. Users running different applications D. Web vulnerabilities

A. Multiple operating systems

Why is encryption an important part of security? A. No matter how secure your network is, the data being transmitted is still vulnerable without encryption. B. Encrypted transmissions will help stop denial of service attacks. C. A packet that is encrypted will travel faster across networks. D. Encrypted transmissions are only necessary with VPNs.

A. No matter how secure your network is, the data being transmitted is still vulnerable without encryption.

What are the three approaches to security? A. Perimeter, layered, and hybrid B. High security, medium security, and low security C. Internal, external, and hybrid D. Perimeter, complete, and none

A. Perimeter, layered, and hybrid

An intrusion-detection system is an example of: A. Proactive security B. Perimeter security C. Hybrid security D. Good security practices

A. Proactive security Dynamic Security Approach, or Proactive Defense, is one in which steps are taken to prevent attacks before they occur. One example of a proactive defense is the use of an IDS, which works to detect attempts to circumvent security measures. These systems can tell a system administrator that an attempt to breach security has been made, even if that attempt is not successful. An IDS can also be used to detect various techniques intruders use to assess a target system, thus alerting a network administrator to the potential for an attempted breach before the attempt is even initiated.

What implementation is Check Point 5000 series firewall? A. Router-based B. Network-based C. Switch-based D. Host-based

A. Router-based

Which of the following is the best definition for IP spoofing? A. Sending a packet that appears to come from a trusted IP address B. Rerouting packets to a different IP address C. Setting up a fake website that appears to be a different site D. Sending packets that are misconfigured

A. Sending a packet that appears to come from a trusted IP address

What is the name for a DoS attack that causes machines on a network to initiate a DoS against one of that network's servers? A. Smurf attack B. SYN flood C. Ping of Death D. Distributed denial of service

A. Smurf attack

Which of the following is the best definition of malware? A. Software that has some malicious purpose B. Software that self-replicates C. Software that damages your system D. Any software that is not properly configured for your system

A. Software that has some malicious purpose

What is a Trojan horse? A. Software that self-replicates B. Software that appears to be benign but really has some malicious purpose C. Software that deletes system files then infects other machines D. Software that causes harm to your system

A. Software that self-replicates B. Software that appears to be benign but really has some malicious purpose

From the attacker's point of view, what is the primary weakness in a DoS attack? A. The attack must be sustained. B. The attack does not cause actual damage. C. The attack is easily thwarted. D. The attack is difficult to execute.

A. The attack must be sustained.

When assessing threats to a system, what three factors should you consider? A. The system's attractiveness, the information contained on the system, and how much traffic the system gets B. The skill level of the security team, the system's attractiveness, and how much traffic the system gets C. How much traffic the system gets, the security budget, and the skill level of the security team D. The system's attractiveness, the information contained on the system, and the security budget

A. The system's attractiveness, the information contained on the system, and how much traffic the system gets

Setting up parameters for acceptable use, such as the number of login attempts, and watching to see if those levels are exceeded is referred to as what? A. Threshold monitoring B. Resource profiling C. System monitoring D. Executable profiling

A. Threshold monitoring Threshold monitoring presets acceptable behavior levels and observes whether these levels are exceeded. This could include something as simple as a finite number of failed login attempts or something as complex as monitoring the time a user is connected and the amount of data that user downloads. Thresholds provide a definition of acceptable behavior.

Cracker

Another term for a black hat hacker. There is a Longstanding controversy surrounds the meaning of the term "hacker". In this controversy, computer programmers reclaim the term hacker, arguing that it refers simply to someone with an advanced understanding of computers and computer networks and that "cracker" is the more appropriate term for those who break into computers, whether computer criminals (black hats) or computer security experts (white hats).

Sneaker White hat hackers may also work in teams called "sneakers and/or hacker clubs", red teams, or tiger teams. The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies that ensures the security of an organization's information systems. Ethical hacking is a term meant to imply a broader category than just penetration testing. While a white hat hacker hacks under good intentions with permission, and a black hat hacker, most often unauthorized, has malicious intent, there is a third kind known as a grey hat hacker who hacks with good intentions but at times without permission.

Another term for ethical hacker

Denial of service attacks target what of CIA?

Availability CIA is an acronym for Confidentiality, Integrity, and Availability. This has direct bearing on access to resources. The concept is that data must be kept confidential. That means that only those personnel with a need to know will have access to the data. Secondly, the data integrity must be maintained. This means that the data must be reliable. That involves limiting who can alter the data and under what conditions they can alter it. Finally, all data must be available to be accessed.

A series of ICMP packets sent to your ports in sequence might indicate what? A. A DoS attack B. A ping flood C. A packet sniffer D. A port scan

B. A ping flood - A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP "echo request" (ping) packets. This is most effective by using the flood option of ping which sends ICMP packets as fast as possible without waiting for replies. The attacker hopes that the victim will respond with ICMP "echo reply" packets, thus consuming both outgoing bandwidth as well as incoming bandwidth.

Which of the following best describes a buffer overflow attack? A. An attack that overflows the target with too many TCP packets B. An attack that attempts to put too much data in a memory buffer C. An attack that attempts to send oversized TCP packets D. An attack that attempts to put misconfigured data into a memory buffer

B. An attack that attempts to put too much data in a memory buffer

Which of the following types of privacy laws affect computer security? A. Any state privacy law B. Any privacy law applicable to your organization C. Any privacy law D. Any federal privacy law

B. Any privacy law applicable to your organization

What is a computer virus? A. Any program that is downloaded to your system without your permission B. Any program that self-replicates C. Any program that causes harm to your system D. Any program that can change your Windows registry

B. Any program that self-replicates Malware is a generic term for software that has a malicious purpose. It includes virus attacks, Trojan horses, and spyware. Because this category of attack is perhaps the most prevalent danger to systems.... The most obvious example of malware is the computer virus. One definition for a virus is "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself."

What is another term for preemptive blocking? A. Intrusion deflection B. Banishment vigilance C. User deflection D. Intruder blocking

B. Banishment vigilance Preemptive blocking, sometimes called banishment vigilance, seeks to prevent intrusions before they occur. This is done by noting any danger signs of impending threats and then blocking the user or IP address from which these signs originate. This can lead to the problem of false positives, in which the system mistakenly identifies legitimate traffic as some form of attack. Usually, a software system will simply alert the administrator that suspicious activity has taken place. A human administrator will then make the decision whether or not to block the traffic. If the software automatically blocks any addresses it deems suspicious, you run the risk of blocking out legitimate users.

Which encryption algorithm uses a variable-length symmetric key? A. RSA B. Blowfish C. DES D. PGP

B. Blowfish Blowfish is a symmetric block cipher. This means that it uses a single key to both encrypt and decrypt the message and works on "blocks" of the message at a time. It uses a variable-length key ranging from 32 to 448 bits. This flexibility in key size allows you to use it in various situations.

The first computer incident response team is affiliated with what university? A. Princeton University B. Carnegie-Mellon University C. Harvard University D. Yale University

B. Carnegie-Mellon University

Which of the following is a symmetric key system using blocks? A. RSA B. DES C. PGP D. Diffie-Hellman

B. DES Data Encryption Standard, or DES as it is often called, was developed by IBM in the early 1970s and made public in 1976. DES uses a symmetric key system. This means the same key is used to encrypt and to decrypt the message. DES uses short keys and relies on complex procedures to protect its information.

Attempting to attract intruders to a system set up to monitor them is called what? A. Intrusion deterrence B. Intrusion deflection C. Intrusion banishment D. Intrusion routing

B. Intrusion deflection The essence of it is quite simple. An attempt is made to attract the intruder to a subsystem set up for the purpose of observing him. This is done by tricking the intruder into believing that he has succeeded in accessing system resources when, in fact, he has been directed to a specially designed environment. Being able to observe the intruder while he practices his art will yield valuable clues and can lead to his arrest.

Should a home user block incoming ICMP traffic, and why or why not? A. It should be blocked because such traffic is often used to transmit a virus. B. It should be blocked because such traffic is often used to do port scans and flood attacks. C. It should not be blocked because it is necessary for network operations. D. It should not be blocked because it is necessary for using the web.

B. It should be blocked because such traffic is often used to do port scans and flood attacks.

The most desirable approach to security is one which is: A. Perimeter and dynamic B. Layered and dynamic C. Perimeter and static D. Layered and static

B. Layered and dynamic - Perimeter security approach, the bulk of security efforts are focused on the perimeter of the network. This focus might include firewalls, proxy servers, password policies, and any technology or procedure that makes unauthorized access of the network less likely. Little or no effort is made to secure the systems within the network. - A Layered security approach is one in which not only is the perimeter secured, but individual systems within the network are also secured. All servers, workstations, routers, and hubs within the network are secure. - Dynamic security approach, or proactive defense, is one in which steps are taken to prevent attacks before they occur.

An improvement on the Caesar cipher that uses more than one shift is called a what? A. DES encryption B. Multi-alphabet substitution C. IDEA D. Triple DES

B. Multi-alphabet substitution

Which of the following is the best definition for non-repudiation? A. Security that does not allow the potential intruder to deny his attack B. Processes that verify which user performs what action C. It is another term for user authentication D. Access control

B. Processes that verify which user performs what action

NAT is a replacement for what technology? A. Firewall B. Proxy server C. Antivirus software D. IDS

B. Proxy server

What type of encryption uses a different key to encrypt the message than it uses to decrypt the message? A. Private key B. Public key C. Symmetric D. Secure

B. Public key

Which of the following would be the best defense if your web server had limited resources but you needed a strong defense against DoS? A. A firewall B. RST cookies C. SYN cookies D. Stack tweaking

B. RST cookies

What is an advantage of an enterprise environment? A. Multiple operating systems to deal with B. Skilled technical personnel available C. Lower security needs D. IDS systems not needed

B. Skilled technical personnel available

If you are using a block cipher to encrypt large amounts of data, which of the following would be the most important consideration when deciding which cipher to use (assuming all of your possible choices are well known and secure)? A. Size of the keys used B. Speed of the algorithm C. Whether or not it has been used by any military group D. Number of keys used

B. Speed of the algorithm

Which of the following is a common problem when seeking information on firewalls? A. It is difficult to find information on the web. B. Unbiased information might be hard to find. C. Documentation is often incomplete. D. Information often emphasizes price rather than features.

B. Unbiased information might be hard to find.

Are there any reasons not to take an extreme view of security, if that view errs on the side of caution? A. No, there is no reason not to take such an extreme view. B. Yes, that can lead to wasting resources on threats that are not likely. C. Yes, if you are going to err, assume there are few if any realistic threats. D. Yes, that can require that you increase your security skills in order to implement more rigorous defenses.

B. Yes, that can lead to wasting resources on threats that are not likely. Before you can explore the topic of computer security, you must first formulate a realistic assessment of the threats to those systems. The key word is realistic. Clearly one can imagine some very elaborate and highly technical potential dangers. However, as a network security professional, you must focus your attention—and resources—on the likely dangers. Before delving into specific threats, let's get an idea of how likely attacks, of any type, are on your system.

What size key does the Data Encryption Standard, or DES, encryption algorithm use? A. 255 bit B. 128 bit C. 56 bit D. 64 bit

C. 56 bit DES uses a 56-bit cipher key applied to a 64-bit block. There is actually a 64-bit key, but one bit of every byte is actually used for error detection, leaving just 56 bits for actual key operations.

Which of the following is the best definition for the term ethical hacker? A. An amateur who hacks a system without being caught B. A person who hacks a system by faking a legitimate password C. A person who hacks a system to test its vulnerabilities D. An amateur hacker

C. A person who hacks a system to test its vulnerabilities

Which of the following encryption algorithms is a block cipher, and uses the Rijndael algorithm? A. DES B. RSA C. AES D. NSA

C. AES Advanced Encryption Standard (AES) uses the Rijndael algorithm. AES specifies three key sizes: 128, 192, and 256 bits. By comparison, DES keys are 56 bits long, and Blowfish allows varying lengths up to 448 bits. AES uses a block cipher.

Which of the following is the best definition of "sensitive information"? A. Military- or defense-related information B. Any information that is worth more than $1,000 C. Any information that, if accessed by unauthorized personnel, could damage your organization in any way D. Any information that has monetary value and is protected by any privacy laws

C. Any information that, if accessed by unauthorized personnel, could damage your organization in any way

Which of the following is the most accurate definition of a virus? A. Any program that spreads via e-mail B. Any program that carries a malicious payload C. Any program that self-replicates D. Any program that can damage your system

C. Any program that self-replicates One definition for a virus is: "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." .... A computer virus is analogous to a biological virus in that both replicate and spread. The most common method for spreading a virus is using the victim's e-mail account to spread the virus to everyone in his address book. Some viruses do not actually harm the system itself, but all of them cause network slowdowns or shutdowns due to the heavy network traffic caused by the virus replication.

Which of the following gives the best definition of spyware? A. Any software that logs keystrokes B. Any software used to gather intelligence C. Any software or hardware that monitors your system D. Any software that monitors which websites you visit

C. Any software or hardware that monitors your system Another form of spyware, called a key logger, records all of your keystrokes. Some also take periodic screen shots of your computer. Data is then either stored for retrieval later by the party who installed the key logger or is sent immediately back via e-mail. In either case, every single thing you do on your computer is recorded for the interested party.

Which of the following is the oldest known encryption method? A. PGP B. Multi-alphabet C. Caesar cipher D. Cryptic cipher

C. Caesar cipher

Which of the following is the most basic security activity? A. Installing a firewall B. Authenticating users C. Controlling access to resources D. Using a virus scanner

C. Controlling access to resources

Which of the following is the best definition for war-driving? A. Driving while hacking and seeking a computer job B. Driving while using a wireless connection to hack C. Driving looking for wireless networks to hack D. Driving and seeking rival hackers

C. Driving looking for wireless networks to hack

A system that is set up for attracting and monitoring intruders is called what? A. Fly paper B. Trap door C. Honeypot D. Hacker cage

C. Honeypot A honeypot. Essentially, you set up a fake system, possibly a server that appears to be an entire subnet. The administrator makes that system look attractive to hackers, perhaps making it appear to have sensitive data, such as personnel files, or valuable data, such as account numbers or research. The actual data stored in this system is fake. The real purpose of the system is to carefully monitor the activities of any person who accesses the system. Because no legitimate user ever accesses this system, it is a given that anyone accessing it is an intruder.

Snort is which type of IDS? A. Router-based B. OS-based C. Host-based D. Client-based

C. Host-based Snort is perhaps the most well-known open source IDS available. It is a software implementation installed on a server to monitor incoming traffic. It typically works with a host-based firewall in a system in which both the firewall software and Snort run on the same machine. Snort is available for Unix, Linux, Free BSD, and Windows.

What is a technical weakness of the stack tweaking defense? A. It is complicated and requires very skilled technicians to implement. B. It only decreases time out but does not actually stop DoS attacks. C. It is resource intensive and can degrade server performance. D. It is ineffective against DoS attacks.

C. It is resource intensive and can degrade server performance.

Why might you run Specter in strange mode? A. It may confuse hackers and deter them from your systems. B. It will be difficult to determine the system is a honeypot. C. It might fascinate hackers and keep them online long enough to catch them. D. It will deter novice hackers.

C. It might fascinate hackers and keep them online long enough to catch them. The Specter honeypot is comprised of a dedicated PC with the Specter software running on it. The Specter software can emulate the major Internet protocols/services such as HTTP, FTP, POP3, SMTP, and others, thus appearing to be a fully functioning server. Specter appears to be running these servers, it is actually just monitoring all incoming traffic. Because it is not a real server for your network, no legitimate user should be connecting to it. Specter logs all traffic to the server for analysis. Users can set it up in one of five modes: * Open: In this mode the system behaves like a badly configured server in terms of security. The downside of this mode is that you are most likely to attract and catch the least skillful hackers. * Secure: This mode has the system behaving like a secure server. * Failing: This mode is interesting in that it causes the system to behave like a server with various hardware and software problems. This might attract some hackers because such a system is likely to be vulnerable. * Strange: In this mode the system behaves in unpredictable ways. This sort of behavior is likely to attract the attention of a more talented hacker and perhaps cause her to stay online longer trying to figure out what is going on. The longer the hacker stays connected, the better the chance of tracing her. * Aggressive: This mode causes the system to actively try and trace back the intruder and derive his identity. This mode is most useful for catching the intruder.

Which of the following is a problem with the approach "Setting up parameters for acceptable use, such as the number of login attempts, and watching to see if those levels are exceeded"? A. It is difficult to configure. B. It misses many attacks. C. It yields many false positives. D. It is resource intensive.

C. It yields many false positives. Thresholds provide a definition of acceptable behavior. Unfortunately, characterizing intrusive behavior solely by the threshold limits can be somewhat challenging. It is often quite difficult to establish proper threshold values or the proper time frames at which to check those threshold values. This can result in a high rate of false positives in which the system misidentifies normal usage as a probable attack.

What is the best way to defend against a buffer overflow? A. Use a robust firewall B. Block TCP packets at the router C. Keep all software patched and updated D. Stop all ICMP traffic

C. Keep all software patched and updated

Blocking attacks seek to accomplish what? A. Install a virus on the target machine B. Shut down security measures C. Prevent legitimate users from accessing a system D. Break into a target system

C. Prevent legitimate users from accessing a system

What type of firewall is Check Point 5000 series firewall? A. Application gateway B. Packet filtering/application gateway hybrid C. SPI/application gateway hybrid D. Circuit-level gateway

C. SPI/application gateway hybrid

What is the name for a DoS defense that is dependent on sending back a hash code to the client? A. Stack tweaking B. RST cookie C. SYN cookie D. Server reflection

C. SYN cookie

Which of the following best describes session hacking? A. Taking over a target machine via a Trojan horse B. Taking control of a target machine remotely C. Taking control of the communication link between two machines D. Taking control of the login session

C. Taking control of the communication link between two machines

16. Which of the following is the most common legitimate use for a password cracker? A. There is no legitimate use for a password cracker. B. Military intelligence agents using it to break enemy communications. C. Testing the encryption of your own network. D. Trying to break the communications of criminal organizations in order to gather evidence.

C. Testing the encryption of your own network.

Which of the following would most likely be classified as misuse(s) of systems? A. Looking up information on a competitor using the web B. Getting an occasional personal e-mail C. Using your business computer to conduct your own (non-company) business D. Shopping on the web during lunch

C. Using your business computer to conduct your own (non-company) business

Which of the following is found in Norton's personal firewall but not in ICF? A. NAT B. A visual tool to trace attacks C. Vulnerability scanning D. Strong encryption

C. Vulnerability scanning

What is ICF? A. Windows XP Internet Connection Firewall B. Windows XP Internet Control Firewall C. Windows 2000 Internet Connection Firewall D. Windows 2000 Internet Control Firewall

C. Windows 2000 Internet Connection Firewall

Which binary mathematical operation can be used for a simple encryption method? A. Bit shift B. OR C. XOR D. Bit swap

C. XOR

Which of the following is not a common feature of most single PC firewalls? A. Software-based B. Packet filtering C. Ease of use D. Built-in NAT

D. Built-in NAT

A profiling technique that monitors how applications use resources is called what? A. System monitoring B. Resource profiling C. Application monitoring D. Executable profiling

D. Executable profiling Executable profiling seeks to measure and monitor how programs use system resources with particular attention to those whose activity cannot always be traced to a specific originating user. For example, system services usually cannot be traced to a specific user launching them. Viruses, Trojan horses, worms, trapdoors, and other such software attacks are addressed by profiling how system objects such as files and printers are normally used not only by users, but also by other system subjects on the part of users. Executable profiling enables the IDS to identify activity that might indicate an attack. Once a potential danger is identified, the method of notifying the administrator, such as by network message or e-mail, is specific to the individual IDS.

What is the primary advantage of the Data Encryption Standard, or DES, encryption algorithm? A. It is complex. B. It is unbreakable. C. It uses asymmetric keys. D. It is relatively fast.

D. It is relatively fast.

Medium-sized networks have what problem? A. Lack of skilled technical personnel B. Diverse user group C. Need to connect multiple LANs into a single WAN D. Low budgets

D. Low budgets

Which of the following is not an advantage of the Fortigate firewall? A. Built-in virus scanning B. Content filtering C. Built-in encryption D. Low cost

D. Low cost

What is the danger inherent in IP spoofing attacks? A. They are very damaging to target systems. B. Many of these attacks open the door for other attacks. C. They can be difficult to stop. D. Many firewalls don't examine packets that seem to come from within the network.

D. Many firewalls don't examine packets that seem to come from within the network.

Which of the following virus attacks initiated a DoS attack? A. Faux B. Walachi C. Bagle D. MyDoom

D. MyDoom

Which of the following is not one of the three major classes of threats? A. Denial of Service attacks - Blocking B. A computer virus or worm - Malware C. Actually intruding on a system - Intrusion D. Online auction fraud

D. Online auction fraud

Which of the following is not one of Snort's modes? A. Sniffer B. Packet logger C. Network intrusion-detection D. Packet filtering

D. Packet filtering Snort works in one of three modes: sniffer, packet logger, and network intrusion-detection. * In packet sniffer mode, the console (shell or command prompt) displays a continuous stream of the contents of all packets coming across that machine. * Packet logger mode is similar to sniffer mode. The difference is that the packet contents are written to a text file log rather than displayed in the console. * In network intrusion-detection mode, Snort uses a heuristic approach to detecting anomalous traffic. This means it is rules-based and it learns from experience. A set of rules initially governs a process. Over time Snort combines what it finds with the settings to optimize performance. It then logs that traffic and can alert the network administrator. This mode requires the most configuration because the user can determine the rules she wishes to implement for the scanning of packets.

What is the term for hacking a phone system? A. Telco-hacking B. Hacking C. Cracking D. Phreaking

D. Phreaking

Which of the following is an encryption method developed by three mathematicians in the 1970s? A. PGP B. DES C. DSA D. RSA

D. RSA This public key method was developed in 1977 by three mathematicians: Ron Rivest, Adi Shamir, and Len Adleman. The name RSA is derived from the first letter of each mathematician's last name . One significant advantage of RSA is that it is a public key encryption method. That means there are no concerns with distributing the keys for the encryption. However, RSA is much slower than symmetric ciphers. In fact, in general, asymmetric ciphers are slower than symmetric ciphers.

What DoS attack is based on leaving connections half open? A. Ping of Death B. Smurf attack C. Distributed denial of service D. SYN flood

D. SYN flood

Should a home user with a firewall block incoming port 80, and why or why not? A. She should not because it would prevent her from using web pages. B. She should because port 80 is a common attack point for hackers. C. She should not because that will prevent her from getting updates and patches. D. She should unless she is running a web server on her machine.

D. She should unless she is running a web server on her machine.

What type of firewall is SonicWALL TZ Series? A. Packet screening B. Application gateway C. Circuit-level gateway D. Stateful packet inspection

D. Stateful packet inspection - The stateful packet inspection (SPI) firewall is an improvement on basic packet filtering. This type of firewall will examine each packet, denying or permitting access based not only on the examination of the current packet, but also on data derived from previous packets in the conversation. This means that the firewall is aware of the context in which a specific packet was sent. This makes these firewalls far less susceptible to ping floods and SYN floods, as well as being less susceptible to spoofing.

Which of the following is not a profiling strategy used in anomaly detection? A. Threshold monitoring B. Resource profiling C. Executable profiling D. System monitoring

D. System monitoring Anomaly detection involves actual software that works to detect intrusion attempts and notify the administrator. The general process is simple: The system looks for any anomalous behavior. Any activity that does not match the pattern of normal user access is noted and logged. The software compares observed activity against expected normal usage profiles. Profiles are usually developed for specific users, groups of users, or applications. Any activity that does not match the definition of normal behavior is considered an anomaly and is logged. Sometimes we refer to this as "trace back" detection or process. We are able to establish from where this packet was delivered. The specific ways in which an anomaly is detected include: Threshold monitoring Resource profiling User/group work profiling Executable profiling

Which of the following best defines the primary difference between an ethical hacker and an auditor? A. There is no difference. B. The ethical hacker tends to be less skilled. C. The auditor tends to be less skilled. D. The ethical hacker tends to use more unconventional methods.

D. The ethical hacker tends to use more unconventional methods.

What is the only way to truly defend against session hacking?

Encrypted transmissions

Which security resources offers a repository for detailed information on virus outbreaks?

F-Secure Corporation

What malware can monitor network traffic and take a snapshot of the target system?

Flame - This malware stored data in a local database that was encrypted. Flame was also able to change its behavior based on the specific antivirus running on the target machine, which indicates that this malware is highly sophisticated. Also of note is the fact that Flame was signed with a fraudulent Microsoft certificate, which meant that Windows systems would trust the software.

What is the unique address of the network interface card (NIC)?

MAC Address

What type of viruses target office documents such as files created in Microsoft Office?

Macro viruses

Which of the layers of the OSI model is responsible for routing the information in the network?

Network Layer is layer 3. The network layer is responsible for packet forwarding including routing through intermediate routers. The network layer provides the means of transferring variable-length network packets from a source to a destination host via one or more networks. Within the service layering semantics of the OSI network architecture, the network layer responds to service requests from the transport layer and issues service requests to the data link layer.

What virus types works as a worm, then either disables system services or encrypts user files and demands a monetary payment to release those files or services?

Ransomware - Ransomware is a type of malware from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", travelled automatically between computers without user interaction.

What software actions are the best defense against buffer overflow attacks?

Routinely patch and update software

What DoS protection techniques alters the TCP stack on the server to decrease the connection timeout time?

Stack Tweaking

Explain Flame

This virus first appeared in 2012 and targeted Windows operating systems. One thing that makes this virus notable is that it was specifically designed for espionage. It was first discovered in May 2012 at several locations, including Iranian government sites. Flame is spyware that can monitor network traffic and take screenshots of the infected system. This malware stored data in a local database that was encrypted. Flame was also able to change its behavior based on the specific antivirus running on the target machine, which indicates that this malware is highly sophisticated. Also, of note is the fact that Flame was signed with a fraudulent Microsoft certificate, which meant that Windows systems would trust the software.

Which of the following protocols operates at the transport layer of the OSI model?

Transmission Control Protocol (TCP) - TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport Layer of the TCP/IP suite.

Which attack does a hacker use a computer to call phone numbers in sequence until another computer answers?

War-dialing