Review Questions - Network Defense and Countermeasures - SEC 210 - Intrusion Detection
Which of the following is not a common feature of most single PC firewalls? A. Software-based B. Packet filtering C. Ease of use D. Built-in NAT
D. Built-in NAT
Once you have a Trojan horse on your system, it may perform what types of unwanted activities?
- Erasing files on a computer. - Spreading other malware, such as viruses. Another term for a Trojan horse that does this is a dropper. - Using the host computer to launch distributed denial of service (DDoS) attacks or send spam. - Searching for personal information such as bank account data. - Installing a back door on a computer system. This means providing the creator of the Trojan horse easy access to the system, such as creating a username and password she can use to access the system.
What should you do to protect a system against Trojan horses?
- Never download any attachment unless you are completely certain it is safe. - If a port is not needed, close it. - Do not download or install any software, browser skins, toolbars, screen savers, or animations on your machine. If you require one of these items, have the IT department scan it first to ensure safety. - Be cautious of hidden file extensions. For example, a file you think is an image could be a malicious application. Instead of mypic.jpg, it may actually be mypic.jpg.exe.
Which of the following best describes a gray hat hacker? A person that usually follows the law but, in some cases, performs illegal activities Someone who hacks into systems with the permission of the owner of the systems Someone who hacks into systems to cause some type of harm Someone who is hired by a company to hack into systems
A person that usually follows the law but, in some cases, performs illegal activities
Which of the following best describes a rainbow table? A table that contains passwords A table that contains usernames A table that contains all possible hashes for all possible character combinations A table that contains all possible usernames and passwords
A table that contains all possible hashes for all possible character combinations
How Do Viruses Spread
A virus will usually spread in one of two ways. The most common, and the simplest, method is to read your e-mail address book and e-mail itself to everyone in your address book. Programming this is a trivial task, which explains why it is so common. The second method is to simply scan your computer for connections to a network, and then copy itself to other machines on the network to which your computer has access. This is actually the most efficient way for a virus to spread, but it requires more programming skill than the other method.
What Is a Worm
A worm is a special type of virus. Some texts go to great lengths to differentiate worms and viruses, while others treat the worm as simply a subset of a virus. A worm is a virus that can spread without human intervention. In other words, a virus requires some human action in order to infect a machine (downloading a file, opening an attachment, and so on), but a worm can spread without such interaction. Frankly, today most of what is called a "virus" is actually a worm.
What is a digital signature? A. A piece of encrypted data added to other data to verify the sender B. A scanned-in version of your signature, often in .jpg format C. A signature that is entered via a digital pad or other device D. A method for verifying the recipient of a document
A. A piece of encrypted data added to other data to verify the sender
Which of the following has three different key sizes it can use? A. AES B. DES C. Triple DES D. IDEA
A. AES AES specifies three key sizes: 128, 192, and 256 bits. By comparison, DES keys are 56 bits long, and Blowfish allows varying lengths up to 448 bits. AES uses a block cipher.
What protocols make up IPSec? A. AH, IKE, ESP, ISAKMP B. AH, PAP, CHAP, ISAKMP C. ISAKMP, MS-CHAP, PAP, AH D. AH, SPAP, CHAP, ISAKMP
A. AH, IKE, ESP, ISAKMP - Authentication Header (AH) - Internet Key Exchange (IKE) - Encapsulating Security Payload (ESP) - Internet Security Association and Key Management Protocol (ISAKMP)
Which of the following is an important feature of D-Link 2560? A. Built-in IDS B. WEP encryption C. Vulnerability scanning D. Liberal licensing policy
A. Built-in IDS
What is the recommended secure setting in Internet Explorer for Initialize and script ActiveX controls not marked as safe? A. Disable B. Enable C. Forbid D. Prompt
A. Disable
Which of the following templates is used to provide the most security for the domain controllers? A. Hisecdc.inf B. Securedc.inf C. Hisecws.inf D. Sectopdc.inf
A. Hisecdc.inf - Hisecdc.inf: This template is designed to increase the security and communications with domain controllers. - Hisecws.inf: This template is designed to increase security and communications for client computers and member servers. - Securedc.inf: This template is designed to increase the security and communications with domain controllers, but not to the level of the High Security DC security template. - Securews.inf: This template is designed to increase security and communications for client computers and member servers. - Setup security.inf: This template is designed to reapply the default security settings of a freshly installed computer. It can also be used to return a system that has been misconfigured to the default configuration.
What is the best method of defending against IP spoofing? A. Installing a router/firewall that blocks packets that appear to be originating within the network B. Installing a router/firewall that blocks packets that appear to be originating from outside the network C. Blocking all incoming TCP traffic D. Blocking all incoming ICMP traffic
A. Installing a router/firewall that blocks packets that appear to be originating within the network
IDS is an acronym for: A. Intrusion-detection system B. Intrusion-deterrence system C. Intrusion-deterrence service D. Intrusion-detection service
A. Intrusion-detection system An IDS is designed to detect signs that someone is attempting to breach a system and to alert the system administrator that suspicious activity is taking place.
Which of the following is an important security feature in CHAP? A. It periodically re-authenticates. B. It uses 3DES encryption. C. It is immune to IP spoofing. D. It uses AES encryption.
A. It periodically re-authenticates. CHAP is actually a three-part handshaking procedure. After the link is established, the server sends a challenge message to the client machine originating the link. The originator responds by sending back a value calculated using a one-way hash function. The server checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is usually terminated. This means that the authorization of a client connection has three stages.
What is the purpose of IKE? A. Key exchange B. Packet encryption C. Header protection D. Authentication
A. Key exchange IPSec can also work in two modes. Those modes are transport mode and tunnel mode. Transport mode is the mode wherein IPSec encrypts the data, but not the packet header. Tunneling mode does encrypt the header as well as the packet data. There are other protocols involved in making IPSec work. IKE, or Internet Key Exchange, is used in setting up security associations in IPSec. A security association is formed by the two endpoints of the VPN tunnel, once they decide how they are going to encrypt and authenticate. For example, will they use AES for encrypting packets, what protocol will be used for key exchange, and what protocol will be used for authentication? All of these issues are negotiated between the two endpoints, and the decisions are stored in a security association (SA). This is accomplished via the IKE protocol. Internet Key Exchange (IKE and IKEv2) is used to set up an SA by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange. Once the IKE protocol sets up the SA, then it is time to actually perform the authentication and key exchange.
Which authentication protocols are available with L2TP that are not available with PPTP? A. MS-CHAP, PAP, SPAP B. EAP, CHAP C. PAP, EAP, MS-CHAP D. SPAP, MS-CHAP
A. MS-CHAP, PAP, SPAP Like PPTP, L2TP supports EAP and CHAP. However, it also offers support for other authentication methods, for a total of six: EAP, CHAP, MS-CHAP, PAP, SPAP, and Kerberos.
What does disabling the default administrator account and setting up an alternative account accomplish? A. Makes it more difficult for someone to guess the log-on information B. Keeps administrators conscious of security C. Allows closer management of administrator access D. Makes the password stronger
A. Makes it more difficult for someone to guess the log-on information
What is one complexity found in enterprise environments that is unlikely in small networks or SOHO environments? A. Multiple operating systems B. Diverse user groups C. Users running different applications D. Web vulnerabilities
A. Multiple operating systems
Why is encryption an important part of security? A. No matter how secure your network is, the data being transmitted is still vulnerable without encryption. B. Encrypted transmissions will help stop denial of service attacks. C. A packet that is encrypted will travel faster across networks. D. Encrypted transmissions are only necessary with VPNs.
A. No matter how secure your network is, the data being transmitted is still vulnerable without encryption.
What is the difference between voluntary and compulsory tunneling in PPTP? A. Only voluntary tunneling allows the user to choose encryption. B. Only compulsory tunneling forces the user to send his password. C. Only voluntary tunneling allows standard PPP/non-VPN connection. D. Only compulsory tunneling forces 3DES encryption.
A. Only voluntary tunneling allows the user to choose encryption. In voluntary tunneling, a remote user dials into a service provider's network and a standard PPP session is established that enables the user to log on to the provider's network. The user then launches the VPN software to establish a PPTP session back to the PPTP remote-access server in the central network. This process is called voluntary tunneling because the user selects the type of encryption and authentication to use. In compulsory tunneling, the server selects the encryption and authentication protocols.
Which of the following is generally considered the least secure? A. PAP B. SPAP C. MS-CHAP D. X-PAP
A. PAP Password Authentication Protocol (PAP) is the most basic form of authentication. With PAP, a user's name and password are transmitted over a network and compared to a table of name-password pairs. Typically, the passwords stored in the table are encrypted. However, the passwords are transmitted in clear text, unencrypted, which is the main weakness of PAP. The basic authentication feature built into the HTTP protocol uses PAP.
What are the three approaches to security? A. Perimeter, layered, and hybrid B. High security, medium security, and low security C. Internal, external, and hybrid D. Perimeter, complete, and none
A. Perimeter, layered, and hybrid
What four rules must be set for packet filtering firewalls? A. Protocol type, source port, destination port, source IP B. Protocol version, destination IP, source port, username C. Username, password, protocol type, destination IP D. Source IP, destination IP, username, password
A. Protocol type, source port, destination port, source IP
What is changing the TCP/Settings in the registry called? A. Stack tweaking B. Stack altering C. Stack compression D. Stack building
A. Stack tweaking The Windows Registry is a database used to store settings and options for Microsoft Windows operating systems. This database contains critical information and settings for all the hardware, software, users, and preferences on a particular computer. Regardless of the version of Windows you are using, you cannot edit the registry directly by opening and editing these files. Instead you must use a tool, regedit.exe, to make any changes. The Windows Registry controls everything about Windows. Several registry settings affect how the TCP/IP stack handles incoming packets. Setting these properly can help reduce your vulnerability to DoS attacks. This process, stack tweaking....
From the attacker's point of view, what is the primary weakness in a DoS attack? A. The attack must be sustained. B. The attack does not cause actual damage. C. The attack is easily thwarted. D. The attack is difficult to execute.
A. The attack must be sustained.
Boeing MLS LAN and Honeywell SCOMP systems have which of the following security ratings? B1 B3 A1 A2
A1 Division A is the highest security division. It is divided into A1 and A2 and beyond. A2 and above are simply theoretical categories for operating systems that might someday be developed. There are currently no such operating systems in existence. A1 - Verified Protection; This level includes everything found in B3 with the addition of formal methods and proof of integrity of TCB. The biggest difference between A-rated and B-rated operating systems lies in the development process. For A-rated systems the Orange Book carefully delineates specific controls that must be in place during the development of the system and testing standards that must be adhered to. This basically means that an A-rated system has had every aspect of its security carefully verified during its development. Doing this requires a great deal of effort and expense. You can actually find a few A1-certified systems: - Boeing MLS LAN: This is a highly secure and specialized network operating system. - Honeywell SCOMP (Secure Communications Processor): This is a highly secure and specialized network operating system.
Which of the following is an example of a disaster? A hard drive crash on a critical server A fire that causes you to close your offices for a week A hacker taking over your web server and deleting critical files All of the above
All of the above
Which of the following physical security measures should be applied to a server room? The room should be locked at all times. The room should be fireproof. The room should have no windows. All of the above
All of the above
Which of the following criteria should be met for a system to receive a C2 rating? The system should be able to assign permissions to individual users rather than to groups. Users should have usernames and passwords to gain access to the system. Security activities should be logged including information about the date, time, and user account involved. All of the above
All of the above C2, as the name suggests, is C1 with additional restrictions. - Object protection can be on a single-user basis, for example, through an ACL or Trustee database. - Authorization for access may be assigned only by authorized users. - Mandatory identification and authorization procedures for users, for example, username/password. - Full auditing of security events (the event, date, time, user, success/failure, terminal ID). - Protected system mode of operation. - Documentation as C1 plus information on examining audit information.
Which of the following physical security measures should be applied when using a video monitoring system? Installing cameras at all entrances and exits of a building Using night vision-capable cameras if external lighting isn't adequate Placing cameras at a height that is difficult for someone to reach All of the above
All of the above - Installing cameras at all entrances and exits of a building - Using night vision-capable cameras if external lighting isn't adequate - Placing cameras at a height that is difficult for someone to reach
Norton AntiVirus can perform which of the following scans? Instant messages Email attachments Anti-spyware All of the above
All of the above - Instant messages - Email attachments - Anti-spyware
What should you do if your system is infected by a virus? Remove the virus. Find out how the infection started. Stop the spread of the virus. All of the above
All of the above - Remove the virus. - Find out how the infection started. - Stop the spread of the virus.
Physical security includes which of the following? Securing the servers and workstations Controlling access to the company facilities Knowing how to respond to fires All of the above
All of the above - Securing the servers and workstations - Controlling access to the company facilities - Knowing how to respond to fires
Which of the following methods can viruses use to spread themselves? By e-mailing itself to every e-mail address in the victim's address book By scanning the victim's machine for network connections and copying itself to other machines the victim's machine has access to By using its own internal e-mail engine to spread itself All of the above
All of the above - By e-mailing itself to every e-mail address in the victim's address book - By scanning the victim's machine for network connections and copying itself to other machines the victim's machine has access to - By using its own internal e-mail engine to spread itself
Which of the following is a method you can use to stop the spread of a virus? If there are backup devices connected to the infected machine, disconnect them. If the infection is on a subnetwork, immediately disconnect that subnetwork. If there are servers with sensitive data that are connected to the infected machine, disconnect those servers. All of the above
All of the above - If there are backup devices connected to the infected machine, disconnect them. - If the infection is on a subnetwork, immediately disconnect that subnetwork. - If there are servers with sensitive data that are connected to the infected machine, disconnect those servers.
Which of the following is a characteristic of wet pipe fire suppression systems? Water held back by a clapper Always contains water Air blows out of a pipe; the water flows Preferred for computer installations
Always contains water Fire suppression systems are common in larger office buildings. These systems are divided into three categories: - Wet Pipe -- Always contains water -- Most popular and reliable -- 165-degree fuse melts -- Can freeze in winter -- Pipe breaks can cause floods - Dry Pipe -- No water in pipe -- Preferred for computer installations -- Water held back by clapper -- Air blows out of pipe, water flows - Pre-action -- Usually recommended for computer rooms -- Basically operates like a dry pipe -- When a certain temperature is reached, water goes into the pipe, then is released when a higher temperature is reached
Which of the following is an appropriate antivirus policy? E-mail attachments are always safe to open. It is safe to download files from the Internet. Always use a virus scanner. Believe all "security alerts" that you receive.
Always use a virus scanner. In general, virus scanners work in two ways. 1) The first method is that they contain a list of all known virus files. Generally, one of the services that vendors of virus scanners provide is a periodic update of this file. This list is typically in a small file, often called a .dat file (short for data). When you update your virus definitions, what actually occurs is that your current file is replaced by the more recent one on the vendor's website. 2) Another way a virus scanner can work is to monitor your system for certain types of behavior that are typical of a virus. This might include programs that attempt to write to a hard drive's boot sector, change system files, alter the system registry, automate e-mail software, or self-multiply. Another technique virus scanners often use is searching for files that stay in memory after they execute. This is called a Terminate and Stay Resident (TSR) program. Some legitimate programs do this, but it is often a sign of a virus.
What account lockout threshold does the NSA recommend? A. 5 tries B. 3 tries C. 4 tries D. 2 tries
B. 3 tries
Which of the following most accurately describes the registry? A. A relational database containing system settings B. A database containing system settings C. A database where software is registered D. A relational database where software is registered
B. A database containing system settings
A series of ICMP packets sent to your ports in sequence might indicate what? A. A DoS attack B. A ping flood C. A packet sniffer D. A port scan
B. A ping flood - A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP "echo request" (ping) packets. This is most effective by using the flood option of ping which sends ICMP packets as fast as possible without waiting for replies. The attacker hopes that the victim will respond with ICMP "echo reply" packets, thus consuming both outgoing bandwidth as well as incoming bandwidth.
What advantage does AH have over SPAP? A. AH uses stronger encryption. B. AH is stronger authentication. C. AH is not susceptible to replay attacks. D. None; SPAP is more secure.
B. AH is stronger authentication.
Which authentication protocols are available under PPTP? A. MS-CHAP, PAP, SPAP B. EAP, CHAP C. PAP, EAP, MS-CHAP D. SPAP, MS-CHAP
B. EAP, CHAP When connecting users to a remote system, encrypting the data transmissions is not the only facet of security. You must also authenticate the user. PPTP supports two separate technologies for accomplishing this: Extensible Authentication Protocol (EAP) and Challenge Handshake Authentication Protocol (CHAP).
What protects the actual packet data in IPSec? A. AH B. ESP C. SPAP D. CHAP
B. ESP
What does PPTP use to accomplish encryption? A. MPPE B. IPSec C. 3DES D. AES
B. IPSec - An important improvement in L2TP over PPTP is that it uses IPSec for encryption, whereas PPTP only uses Microsoft Point-to-Point Encryption (MPPE). MPPE is actually a version of DES and as such is secure enough for most situations.
What does L2TP stand for? A. Level 2 Transfer Protocol B. Layer 2 Tunneling Protocol C. Level 2 Tunneling Protocol D. Level 2 Transfer Protocol
B. Layer 2 Tunneling Protocol Layer 2 Tunneling Protocol is an extension or enhancement of the Point-to-Point Tunneling Protocol that is often used to operate virtual private networks over the Internet. Essentially, it is a new and improved version of PPTP. As its name suggests, it operates at the data link layer of the OSI model (like PPTP). Both PPTP and L2TP are considered by many experts to be less secure than IPSec. Like PPTP, L2TP supports EAP and CHAP. However, it also offers support for other authentication methods, for a total of six: EAP, CHAP, MS-CHAP, PAP, SPAP, Kerberos.
An improvement on the Caesar cipher that uses more than one shift is called a what? A. DES encryption B. Multi-alphabet substitution C. IDEA D. Triple DES
B. Multi-alphabet substitution
Which of the following is a weakness in PPTP? A. Clear text passwords B. No encryption C. Used only with IP networks D. Not supported on most platforms
B. No encryption
What is the primary vulnerability in SPAP? A. Weak encryption B. Playback attacks C. Clear text passwords D. No hash code
B. Playback attacks Shiva Password Authentication Protocol (SPAP) is a proprietary version of PAP. Most experts consider SPAP somewhat more secure than PAP because the username and password are both encrypted when they are sent, unlike with PAP. Because SPAP encrypts passwords, someone capturing authentication packets will not be able to read the SPAP password. However, SPAP is still susceptible to playback attacks (that is, a person records the exchange and plays the message back to gain fraudulent access). Playback attacks are possible because SPAP always uses the same reversible encryption method to send the passwords over the wire.
PPTP is an acronym for which of the following? A. Point-to-Point Transmission Protocol B. Point-to-Point Tunneling Protocol C. Point-to-Point Transmission Procedure D. Point-to-Point Tunneling Procedure
B. Point-to-Point Tunneling Protocol - PPTP is a tunneling protocol that enables an older connection protocol, PPP (Point-to-Point Protocol), to have its packets encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. PPTP is often used to create VPNs. Another important benefit of PPTP is that it operates at layer 2 of the OSI model (the data link layer), allowing different networking protocols to run over a PPTP tunnel.
What is an advantage of an enterprise environment? A. Multiple operating systems to deal with B. Skilled technical personnel available C. Lower security needs D. IDS systems not needed
B. Skilled technical personnel available
Which type of firewall is considered the most secure? A. Dual-homed B. Stateful packet inspection C. Circuit level gateway D. Packet screening
B. Stateful packet inspection
What is the rule for unused services on any computer? A. Turn them off only if they are critical. B. Turn them off. C. Monitor them carefully. D. Configure them for minimal privileges.
B. Turn them off.
What minimum password length does the NSA recommend? A. 6 B. 8 C. 10 D. 12
C. 10
What size key does the Data Encryption Standard, or DES, encryption algorithm use? A. 255 bit B. 128 bit C. 56 bit D. 64 bit
C. 56 bit DES uses a 56-bit cipher key applied to a 64-bit block. There is actually a 64-bit key, but one bit of every byte is actually used for error detection, leaving just 56 bits for actual key operations.
Who issues certificates? A. The UN encryption authority B. The United States Department of Defense C. A private certificate authority D. The Association for Computing Machinery
C. A private certificate authority
What operating systems require periodic patches? A. Windows B. Linux C. All D. Macintosh
C. All Security flaws are found in operating systems. As software vendors become aware of flaws, they usually write corrections to their code, known as patches or updates. Whatever operating system you use, you must apply these patches as a matter of routine.
At what layer of the OSI model does PPTP operate? A. Physical B. Network C. Data link D. Transport
C. Data link Although newer VPN protocols are available, PPTP is still widely used in part because almost all VPN equipment vendors support PPTP. Another important benefit of PPTP is that it operates at layer 2 of the OSI model (the data link layer), allowing different networking protocols to run over a PPTP tunnel. For example, PPTP can be used to transport IPX, NetBEUI, and other data.
What type of encryption does EFS utilize? A. Single key B. Multi-alphabet C. Public key encryption D. A secret algorithm proprietary to Microsoft
C. Public key encryption With Encrypting File System (EFS), each file is encrypted using a randomly generated file encryption key, which is independent of a user's public/private key pair.
Which of the following is the most common legitimate use for a password cracker? A. There is no legitimate use for a password cracker. B. Military intelligence agents using it to break enemy communications. C. Testing the encryption of your own network. D. Trying to break the communications of criminal organizations in order to gather evidence.
C. Testing the encryption of your own network.
What is the purpose of a certificate? A. To verify that software is virus free B. To guarantee that a signature is valid C. To validate the sender of a digital signature or software D. To validate the recipient of a document
C. To validate the sender of a digital signature or software
Which of the following would most likely be classified as misuse(s) of systems? A. Looking up information on a competitor using the web B. Getting an occasional personal e-mail C. Using your business computer to conduct your own (non-company) business D. Shopping on the web during lunch
C. Using your business computer to conduct your own (non-company) business
Which of the following DoD security categories applies to systems with the highest level of security? Category A Category B Category C Category D
Category A The DoD security categories are designated by a letter ranging from D (minimal protection) to A (verified protection). The Orange Book designations are generally used to evaluate the security level of operating systems rather than entire networks. Division A is the highest security division. It is divided into A1 and A2 and beyond. A2 and above are simply theoretical categories for operating systems that might someday be developed. There are currently no such operating systems in existence.
Which of the following DoD security categories applies to systems that offer the lowest level of security? Category A Category B Category C Category D
Category D The DoD security categories are designated by a letter ranging from D (minimal protection) to A (verified protection). The Orange Book designations are generally used to evaluate the security level of operating systems rather than entire networks. However, your network will not be particularly secure if the operating systems running on your servers and workstations are not secure.
Which of the following security models is a subject-object model that introduces a new element, programs? Biba Integrity Model Clark-Wilson Model Chinese Wall Model Bell-LaPadula Model
Clark-Wilson Model In addition to considering subjects (systems accessing data) and objects (the data), it also considers subjects accessing programs. With the Clark-Wilson model there are two primary elements for achieving data integrity: - Well-formed transaction; Well-formed transaction simply means users cannot manipulate or change the data without careful restrictions. This prevents transactions from inadvertently altering secure data. - Separation of duties; Separation of duties prevents authorized users from making improper modifications, thus preserving the external consistency of data.
Which of the following fire extinguisher types is used for flammable liquids? Class A Class B Class C Class D
Class B Fire extinguishers can be classified by what types of fire they are able to put out: - Class A: Ordinary combustibles such as wood or paper - Class B: Flammable liquids such as grease, oil, or gasoline - Class C: Electrical equipment - Class D: Flammable metals
Which of the following fire extinguisher types is used for electrical equipment fires? Class A Class B Class C Class D
Class C Fire extinguishers can be classified by what types of fire they are able to put out: - Class A: Ordinary combustibles such as wood or paper - Class B: Flammable liquids such as grease, oil, or gasoline - Class C: Electrical equipment - Class D: Flammable metals
Which of the following port scans is most likely to be detected by the target network? Ping scan Connect Scan SYN scan FIN scan
Connect scan: This type of scan actually tries to make a full connection to the target IP address at a given port. This is the most reliable type of scan. It will not yield false positives or false negatives. However, it is the scan most likely to be detected by the target network.
CPTED, a security concept used by organizations, is an acronym for which of the following? Continuity Plan Through Environmental Design Continuity Plan Through Environmental Design Continuity Plan Through Equipment Design Crime Prevention Through Equipment Design
Crime Prevention Through Equipment Design General Premises Security: "Crime Prevention Through Environmental Design" (CPTED) is a security concept organizations use. This means that the layout and design of the premises reduces crimes. This can be done with several methods. One is to incorporate barriers into the layout and design of a building. For example, bollards would prevent a vehicle from crashing into a door, and can also be decorative. Fences, lighting, and alarms all deter physical entrance into a building.
What maximum password age does Microsoft recommend? A. 20 days B. 3 months C. 1 year D. 42 days
D. 42 days
What type of firewall requires individual client applications to be authorized to connect? A. Screened gateway B. Stateful packet inspection C. Dual-homed D. Application gateway
D. Application gateway
Which of the following is a security recommendation for Linux not common to Windows? A. Shut down all services that you are not using (called daemons in Linux). B. Configure the browser securely. C. Routinely patch the operating system. D. Disable all console-equivalent access for regular users.
D. Disable all console-equivalent access for regular users.
What level of privileges should all users have? A. Administrator B. Guest C. Most privileges possible D. Least possible
D. Least possible
What is the difference between transport mode and tunnel mode in IPSec? A. Only transport mode is unencrypted. B. Only tunneling mode is unencrypted. C. Only tunneling mode does not encrypt the header. D. Only transport mode does not encrypt the header.
D. Only transport mode does not encrypt the header.
PPTP is based on what earlier protocol? A. SLIP B. L2TP C. IPSec D. PPP
D. PPP PPP was designed for moving datagrams across serial point-to-point links. It sends packets over a physical link, a serial cable set up between two computers. It is used to establish and configure the communications link and the network layer protocols, and also to encapsulate datagrams. PPP has several components and is actually made up of several protocols: MP: PPP Multilink Protocol, MP+: Ascend's Multilink Protocol Plus, and MPLS: Multiprotocol Label Switching. Each of these handles a different part of the process. PPP was originally developed as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for a variety of related tasks including: assignment and management of IP addresses, asynchronous and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, and error detection.
What is the term for hacking a phone system? A. Telco-hacking B. Hacking C. Cracking D. Phreaking
D. Phreaking
What is the minimum secure setting in Internet Explorer for Run components not signed with Authenticode? A. Disable B. Enable C. Forbid D. Prompt
D. Prompt
What happens if you copy an unencrypted file into an encrypted folder? A. It remains unencrypted. B. The folder becomes unencrypted. C. Nothing happens. D. The file becomes encrypted.
D. The file becomes encrypted.
What did the Jdbgmgr hoax ask users to do? Install the jdbgmgr file on their systems. Delete the jdbgmgr file from their systems. Warned users not to send their taxes online because it wasn't safe. Warned users that the virus will damage their hardware.
Delete the jdbgmgr file from their systems. Jdbgmgr.exe is actually the Microsoft Debugger Registrar for Java. Deleting it may cause Java-based programs and web applets not to function properly.
Which of the following is one of the criteria that should be met for a system to receive a C1 security rating? Discretionary access control Mandatory access control for all operations Hierarchical device labels Zero design flaws in the TCB
Discretionary access control C1 - Discretionary Security Protection is the C protection with a bit more added to it. The following list defines a number of additional features required to achieve C1-level protection. - Discretionary access control, for example access control lists (ACLs), user/group/world protection. Usually for users who are all on the same security level. - Periodic checking of the trusted computing base (TCB). The trusted computing base is the Orange Book's general term for any computing system. - Username and password protection and secure authorizations database. - Protected operating system and system operations mode. - Tested security mechanisms with no obvious bypasses. - Documentation for user security. - Documentation for systems administration security. - Documentation for security testing.
Which virus scanning technique checks files on your system to see whether they match any known virus? File scanning Active code scanning Instant messaging scanning E-mail and attachment scanning
File scanning Download and e-mail scanning will only protect your system against viruses that you might get downloading from a site, or that come to you in e-mail. Those methods will not help with viruses that are copied over a network, deposited on a shared drive, or that are already on your machine before you install the virus scanner. This is the type of scanning in which files on your system are checked to see whether they match any known virus. This sort of scanning is generally done on an on-demand basis instead of an ongoing basis. File scanning looks for known virus signatures. Therefore this method is limited to finding viruses that are already known and will not find new viruses.
Which of the following backups is the fastest to restore? Full backup Incremental backup Differential backup All backups above take the same time to restore
Incremental (I Disagree with Full Backup) From a security point of view the three primary backup types are: - Full: All changes - Differential: All changes since last full backup - Incremental: All changes since last backup of any type Consider a scenario where you do a full backup at 2 a.m. each morning. However, you are concerned about the possibility of a server crash before the next full backup. So, you want to do a backup every two hours. The type of backup you choose will determine the efficiency of doing those frequent backups and the time needed to restore. Let's consider each type of backup in a crash scenario and what would happen if the system crashes at 10:05 a.m. - Full: In this scenario you do a full backup at 4 a.m., 6 a.m., ...10 a.m., and then the system crashes. You just have to restore the last full backup, which was done at 10 a.m. This makes restoration much simpler. However, running a full backup every 2 hours is very time consuming and resource intensive and will have a significant negative impact on your server's performance. - Differential: In this scenario you do a differential backup at 4 a.m., 6 a.m., ...10 a.m., and then the system crashes. You need to restore the last full backup done at 2 a.m., and the most recent differential backup done at 10 a.m. This is just a little more complicated than the full backup strategy. However, those differential backups are going to get larger each time you do them, and thus more time consuming and resource intensive. Although they won't have the same impact as doing full backups, they will still slow down your network. - Incremental: In this scenario you do an incremental backup at 4 a.m., 6 a.m., ...10 a.m., and then the system crashes. You need to restore the last full backup done at 2 a.m., and then each incremental backup done since then, and they must be restored in order.
This is a much more complex restore, **but each incremental backup is small and does not take much time nor consume many resources.**
Which of the following is a side effect of heuristic scanning? It identifies false negatives. It identifies false positives. It identifies true negatives. It identifies true positives.
It identifies false positives. This is perhaps the most advanced form of virus scanning. This sort of scanning uses rules to determine whether a file or program is behaving like a virus, and is one of the best ways to find a virus that is not a known virus. A new virus will not be on any virus definition list, so you must examine its behavior to determine whether it is a virus. However, this process is not foolproof. Some actual virus infections will be missed, and some non-virus files might be suspected of being a virus. It might identify a file as a virus, when in fact it is not.
What Is a Virus
It is the self-replication and rapid spread that define a virus. Often this growth, in and of itself, can be a problem for an infected network. It can lead to excessive network traffic and prevent the network from functioning properly. The more a virus floods a network with traffic, the less capacity is left for real work to be performed.
Which of the following Wi-Fi attacks is essentially a denial of service attack on a wireless access point? WPS attack Cracking the password Jamming De-authentication
Jamming
Which of the following is a virus hoax? Kedi RAT Rombertik Jdbgmgr Linux.Encoder.1
Jdbgmgr This particular virus hoax is perhaps the most well known and well examined. You will see some mention of it in almost any comprehensive discussion of viruses. The jdbgmgr.exe virus hoax encouraged the reader to delete a file that was actually needed by the system. Jdbgmgr.exe is actually the Microsoft Debugger Registrar for Java. Deleting it may cause Java-based programs and web applets not to function properly.
Which of the following is the major issue with a ping scan? It is easy to detect. It will not identify open ports. Many firewalls block ICMP packets so the scan might not be successful. The scan produces many false negatives and false positives.
Many firewalls block ICMP packets so the scan might not be successful.
RedSheriff?
RedSheriff is spyware, not adware. This product is loaded as a Java applet embedded in a web page you visit. Once you visit the website, this applet will collect information about your visit such as how long the page took to load, how long you stayed, and what links you visited. This information is sent to the parent company.
Which of the following regulates financial practices and corporate governance? HITECH CFAA Sarbanes-Oxley HIPAA
Sarbanes-Oxley The legislation affects not only the financial side of corporations, but also the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both.
Which of the following enumeration tools finds only shared folders on a network? ShareEnum NSAuditor FreeNetEnumerator Ping
ShareEnum
A type of malware that targets Android systems by including adware with popular applications?
Shedun is a specific type of malware that was first discovered in 2015 and targets Android systems. The attack vector of this Trojan is to repackage legitimate Android applications such as Facebook or the game Candy Crush, but to include adware with them. The goal is to get the adware onto the target system, then inundate the user with ads.
Which of the following is a search engine for vulnerabilities? Shodan.io Archive.org NSAuditor.com Nmap.org
Shodan.io This website is a search engine for vulnerabilities. It finds public-facing IP addresses (web servers, routers, etc.) that have some vulnerability. When you are performing a penetration test, it is a good idea to search the company domain for anything you can find via Shodan. This can guide your penetration testing efforts, and again you can be sure that would-be attackers will use this tool. You can restrict your search to the hostname or domain name of the client who has hired you to conduct a penetration test. You can seek out default passwords, old web servers, unsecure web cameras, and other vulnerabilities in the target network.
What type of attack seeks to get information from your computer and make it available to some other person?
Spyware has become an increasingly dangerous problem for computer users, both at home and in organizations. Many websites now drop spyware, or its close relative, adware, onto users' systems whenever the users open the website. Aside from the obvious threat to information security, these applications consume system resources.
Which of the following tools can be used to manually scan a system for vulnerabilities? Ping Telnet ShareEnum OphCrack
Telnet
Which of the following regulates the use and disclosure of individuals' personal health information? Sarbanes-Oxley HIPAA PCI DSS GDPR
The Health Insurance Portability & Accountability Act of 1996 (HIPAA). The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognizable regulations for the use/disclosure of an individual's health information. Essentially, the Privacy Rule defines how covered entities use individually identifiable health information, or the PHI (Personal Health Information). Covered entities is a term often used in HIPAA-compliant guidelines.
Which of the following is the name for a collection of books published by the U.S. Department of Defense (DoD)? The Rainbow series The Colorful Series The Spectrum Series None of the above
The Rainbow series The Orange Book is the common name of one of several books published by the United States Department of Defense (DoD). Because each book is color-coded, the entire series is referred to as The Rainbow Series. The full name of the Orange Book is the Department of Defense Trusted Computer System Evaluation Criteria (DOD-5200.28-STD). It is a cornerstone for computer security standards, and one cannot be a security professional without a good understanding of this book. Although the Orange Book has been supplanted, the concepts in the book are still worthy of study, as they provide significant guidance on security standards for networks. The book outlines the criteria for rating various operating systems.
A type of attack application that appears to be benign but actually performs a malicious activity?
Trojan Horses
NetBus and FlashBack are examples of?
Trojan horses The FlashBack Trojan was first discovered in 2011. Though that is a bit dated, it should be noted that this Trojan horse specifically affected computers running Mac OS X. The infection came from redirecting the user to a site that had an applet containing an exploit. That caused the malware to be downloaded. The NetBus Trojan is quite similar in effect to Back Orifice. A NetBus worm tries to infect target machines with the NetBus Trojan. This tool is a remote administration tool (often called a RAT), much like Back Orifice. NetBus, however, operates only on port 20034. It gives the remote user complete control of the infected machine, as if he were sitting at the keyboard and had full administrative rights.
The Bell-LaPadula Model defines which of the following four security levels? Unclassified, confidential, secret, top secret Classified, confidential, secret, top secret Unrestricted, classified, secret, top secret Unclassified, classified, secret, top secret
Unclassified, confidential, secret, top secret The Bell-LaPadula model divides a system into a series of subjects and objects. * A subject is any entity that is attempting to access a system or data. That usually refers to an application or system that is accessing another system or data within that system. For example, if a program is designed to perform data-mining operations, requiring it to access data, then that program is the subject, and the data it is trying to access is the object. * An object, in this context, is literally any resource the user may be trying to access. The Bell-LaPadula model defines the access control for these subjects and objects. All interactions between any subjects and objects are based on their individual security levels. There are usually four security levels: - Unclassified, Confidential, Secret, Top secret
Which of the following is an example of a physical access attack? Using a Linux live CD to bypass the password Using cross-site scripting Using an SQL injection Using NSAuditor
Using a Linux live CD to bypass the password
Which of the following is an example of a remote access attack? Using a Linux live CD to bypass the password Using OphCrack to crack the password Using an SQL injection Using OphCrack
Using a Structured Query Language (SQL) injection
Which virus hoax claimed that a new virus could damage people's hardware? W32.Torch Tax Return Jdbgmgr None of the Above
W32.Torch This hoax, like most others, causes no direct harm but can become a huge annoyance—the Internet equivalent of a prank phone call. Unlike the jdbgmgr.exe hoax, it does not encourage you to delete files from your system. However, it does induce a fair amount of concern in recipients. To date, there have not been any viruses that directly damage hardware.
Which of the following is a characteristic of dry pipe fire suppression systems? Water held back by a clapper Always contains water Can freeze in winter Most popular and reliable
Water held back by a clapper Fire suppression systems are common in larger office buildings. These systems are divided into three categories: - Wet Pipe -- Always contains water -- Most popular and reliable -- 165-degree fuse melts -- Can freeze in winter -- Pipe breaks can cause floods - Dry Pipe -- No water in pipe -- Preferred for computer installations -- Water held back by clapper -- Air blows out of pipe, water flows - Pre-action -- Usually recommended for computer rooms -- Basically operates like a dry pipe -- When a certain temperature is reached, water goes into the pipe, then is released when a higher temperature is reached
What anti-spyware program includes a system diagnostics utility that places its results in a web page, making them easy to view or display?
Zero Spyware Zero Spyware is similar in function to Spy Sweeper. Like Spy Sweeper, it offers a free trial version that you can download from the company's website. Unlike the other anti-spyware options, this one has not received much press attention. Its trial version is limited. It does not offer the home page shield or adware shield that the other options offer. It also has fewer scanning options. One advantage of Zero Spyware is that it includes a system diagnostics utility not found in the other anti-spyware software packages. This utility places its results in a web page, making them easy to view or display.
Which of the following is not an advantage of the Fortigate firewall? A. Built-in virus scanning B. Content filtering C. Built-in encryption D. Low cost
D. Low cost
Attempting to make your system appear less appealing is referred to as what? A. Intrusion deterrence B. Intrusion deflection C. System camouflage D. System deterrence
A. Intrusion deterrence Intrusion deterrence involves simply trying to make the system seem like a less palatable target. In short, an attempt is made to make any potential reward from a successful intrusion attempt appear more difficult than it is worth. The other tactic in this methodology involves raising the perceived risk of a potential intruder being caught. This can be done in a variety of ways, including conspicuously displaying warnings and warning of active monitoring.
Which of the following best describes a buffer overflow attack? A. An attack that overflows the target with too many TCP packets B. An attack that attempts to put too much data in a memory buffer C. An attack that attempts to send oversized TCP packets D. An attack that attempts to put misconfigured data into a memory buffer
B. An attack that attempts to put too much data in a memory buffer
Which of the following types of privacy laws affect computer security? A. Any state privacy law B. Any privacy law applicable to your organization C. Any privacy law D. Any federal privacy law
B. Any privacy law applicable to your organization
Which encryption algorithm uses a variable-length symmetric key? A. RSA B. Blowfish C. DES D. PGP
B. Blowfish Blowfish is a symmetric block cipher. This means that it uses a single key to both encrypt and decrypt the message and works on "blocks" of the message at a time. It uses a variable-length key ranging from 32 to 448 bits. This flexibility in key size allows you to use it in various situations.
What is the most important security advantage to NAT? A. It blocks incoming ICMP packets. B. It hides internal network addresses. C. By default it blocks all ICMP packets. D. By default it only allows outbound connections.
B. It hides internal network addresses.
Which of the following is an advantage of the network host-based configuration? A. It is resistant to IP spoofing. B. It is inexpensive or free. C. It is more secure. D. It has user authentication.
B. It is inexpensive or free.
Which of the following is the best definition for non-repudiation? A. Security that does not allow the potential intruder to deny his attack B. Processes that verify which user performs what action C. It is another term for user authentication D. Access control
B. Processes that verify which user performs what action
Which type of firewall creates a private virtual connection with the client? A. Bastion B. Dual-homed C. Application gateway D. Circuit level gateway
D. Circuit level gateway
Medium-sized networks have what problem? A. Lack of skilled technical personnel B. Diverse user group C. Need to connect multiple LANs into a single WAN D. Low budgets
D. Low budgets
What tool does McAfee Personal Firewall offer? A. A visual tool to trace attacks B. NAT C. Strong encryption D. Vulnerability scanning
A. A visual tool to trace attacks
Which type of encryption is included with the T Series? A. AES and 3DES B. WEP and DES C. PGP and AES D. WEP and PGP
A. AES and 3DES Advanced Encryption Standard (AES); Data Encryption Standard (DES)
Which type of IDS is the Cisco Sensor? A. Anomaly detection B. Intrusion deflection C. Intrusion deterrence D. Anomaly deterrence A sensor is the IDS component that collects data and passes it to the analyzer for analysis.
A. Anomaly detection Anomaly detection involves actual software that works to detect intrusion attempts and notify the administrator. This is what many people think of when they talk about intrusion-detection systems.
Which of the following is a recommended configuration of a firewall to defend against DoS attacks? A. Block ICMP packets that originate outside the network B. Block all incoming packets C. Block all ICMP packets D. Block TCP packets that originate outside the network
A. Block ICMP packets that originate outside the network
Which of the following is a benefit of Cisco firewalls? A. Extensive training available on the product B. Very low cost C. Built-in IDS on all products D. Built-in virus scanning on all products
A. Extensive training available on the product
Why is the method XOR, used for a simple encryption, not secure? A. It does not change letter or word frequency. B. The mathematics are flawed. C. It does not use a symmetric key system. D. The key length is too short.
A. It does not change letter or word frequency.
Which of the following is the primary weakness in the Caesar cipher? A. It does not disrupt letter frequency. B. It does not use complex mathematics. C. It does not use a public key system. D. There is no significant weakness; the Caesar cipher is adequate for most encryption uses.
A. It does not disrupt letter frequency.
Why is an SPI firewall less susceptible to spoofing attacks? A. It examines the source IP of all packets. B. It automatically blocks spoofed packets. C. It requires user authentication. D. It requires client application authentication.
A. It examines the source IP of all packets.
An intrusion-detection system is an example of: A. Proactive security B. Perimeter security C. Hybrid security D. Good security practices
A. Proactive security Dynamic Security Approach, or Proactive Defense, is one in which steps are taken to prevent attacks before they occur. One example of a proactive defense is the use of an IDS, which works to detect attempts to circumvent security measures. These systems can tell a system administrator that an attempt to breach security has been made, even if that attempt is not successful. An IDS can also be used to detect various techniques intruders use to assess a target system, thus alerting a network administrator to the potential for an attempted breach before the attempt is even initiated.
What implementation is Check Point 5000 series firewall? A. Router-based B. Network-based C. Switch-based D. Host-based
A. Router-based
Which of the following solutions is actually a combination of firewalls? A. Screened firewalls B. Router-based firewalls C. Dual-homed firewalls D. Bastion host firewalls
A. Screened firewalls
Which of the following is the best definition for IP spoofing? A. Sending a packet that appears to come from a trusted IP address B. Rerouting packets to a different IP address C. Setting up a fake website that appears to be a different site D. Sending packets that are misconfigured
A. Sending a packet that appears to come from a trusted IP address
What is the name for a DoS attack that causes machines on a network to initiate a DoS against one of that network's servers? A. Smurf attack B. SYN flood C. Ping of Death D. Distributed denial of service
A. Smurf attack
Which of the following is the best definition of malware? A. Software that has some malicious purpose B. Software that self-replicates C. Software that damages your system D. Any software that is not properly configured for your system
A. Software that has some malicious purpose
What is a Trojan horse? A. Software that self-replicates B. Software that appears to be benign but really has some malicious purpose C. Software that deletes system files then infects other machines D. Software that causes harm to your system
A. Software that self-replicates B. Software that appears to be benign but really has some malicious purpose
When assessing threats to a system, what three factors should you consider? A. The system's attractiveness, the information contained on the system, and how much traffic the system gets B. The skill level of the security team, the system's attractiveness, and how much traffic the system gets C. How much traffic the system gets, the security budget, and the skill level of the security team D. The system's attractiveness, the information contained on the system, and the security budget
A. The system's attractiveness, the information contained on the system, and how much traffic the system gets
Setting up parameters for acceptable use, such as the number of login attempts, and watching to see if those levels are exceeded is referred to as what? A. Threshold monitoring B. Resource profiling C. System monitoring D. Executable profiling
A. Threshold monitoring Threshold monitoring presets acceptable behavior levels and observes whether these levels are exceeded. This could include something as simple as a finite number of failed login attempts or something as complex as monitoring the time a user is connected and the amount of data that user downloads. Thresholds provide a definition of acceptable behavior.
What type of encryption uses a different key to encrypt the message than it uses to decrypt the message? A. Private key B. Public key C. Symmetric D. Secure
B. Public key
Which of the following would be the best defense if your web server had limited resources but you needed a strong defense against DoS? A. A firewall B. RST cookies C. SYN cookies D. Stack tweaking
B. RST cookies
What is a computer virus? A. Any program that is downloaded to your system without your permission B. Any program that self-replicates C. Any program that causes harm to your system D. Any program that can change your Windows registry
B. Any program that self-replicates Malware is a generic term for software that has a malicious purpose. It includes virus attacks, Trojan horses, and spyware. Because this category of attack is perhaps the most prevalent danger to systems.... The most obvious example of malware is the computer virus. One definition for a virus is "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself."
What is another term for preemptive blocking? A. Intrusion deflection B. Banishment vigilance C. User deflection D. Intruder blocking
B. Banishment vigilance Preemptive blocking, sometimes called banishment vigilance, seeks to prevent intrusions before they occur. This is done by noting any danger signs of impending threats and then blocking the user or IP address from which these signs originate. This can lead to the problem of false positives, in which the system mistakenly identifies legitimate traffic as some form of attack. Usually, a software system will simply alert the administrator that suspicious activity has taken place. A human administrator will then make the decision whether or not to block the traffic. If the software automatically blocks any addresses it deems suspicious, you run the risk of blocking out legitimate users.
The first computer incident response team is affiliated with what university? A. Princeton University B. Carnegie-Mellon University C. Harvard University D. Yale University
B. Carnegie-Mellon University
Which of the following is a symmetric key system using blocks? A. RSA B. DES C. PGP D. Diffie-Hellman
B. DES Data Encryption Standard, or DES as it is often called, was developed by IBM in the early 1970s and made public in 1976. DES uses a symmetric key system. This means the same key is used to encrypt and to decrypt the message. DES uses short keys and relies on complex procedures to protect its information.
Attempting to attract intruders to a system set up to monitor them is called what? A. Intrusion deterrence B. Intrusion deflection C. Intrusion banishment D. Intrusion routing
B. Intrusion deflection The essence of it is quite simple. An attempt is made to attract the intruder to a subsystem set up for the purpose of observing him. This is done by tricking the intruder into believing that he has succeeded in accessing system resources when, in fact, he has been directed to a specially designed environment. Being able to observe the intruder while he practices his art will yield valuable clues and can lead to his arrest.
Should a home user block incoming ICMP traffic, and why or why not? A. It should be blocked because such traffic is often used to transmit a virus. B. It should be blocked because such traffic is often used to do port scans and flood attacks. C. It should not be blocked because it is necessary for network operations. D. It should not be blocked because it is necessary for using the web.
B. It should be blocked because such traffic is often used to do port scans and flood attacks.
The most desirable approach to security is one which is: A. Perimeter and dynamic B. Layered and dynamic C. Perimeter and static D. Layered and static
B. Layered and dynamic - In a perimeter security approach, the bulk of security efforts are focused on the perimeter of the network. This focus might include firewalls, proxy servers, password policies, and any technology or procedure that makes unauthorized access of the network less likely. Little or no effort is made to secure the systems within the network. - A layered security approach is one in which not only is the perimeter secured, but individual systems within the network are also secured. All servers, workstations, routers, and hubs within the network are secure. - A dynamic security approach, or proactive defense, is one in which steps are taken to prevent attacks before they occur.
NAT is a replacement for what technology? A. Firewall B. Proxy server C. Antivirus software D. IDS
B. Proxy server
It should be routine for someone in the IT security staff to A. Test the firewall by attempting a ping flood B. Review firewall logs C. Reboot the firewall D. Physically inspect the firewall
B. Review firewall logs
Which of the following is the best definition of a virus? A. Software that causes damage to system files B. Software that self-replicates C. Software that causes damage to any files D. Software that attaches to e-mail
B. Software that self-replicates
If you are using a block cipher to encrypt large amounts of data, which of the following would be the most important consideration when deciding which cipher to use (assuming all of your possible choices are well known and secure)? A. Size of the keys used B. Speed of the algorithm C. Whether or not it has been used by any military group D. Number of keys used
B. Speed of the algorithm
Which of the following is a common problem when seeking information on firewalls? A. It is difficult to find information on the web. B. Unbiased information might be hard to find. C. Documentation is often incomplete. D. Information often emphasizes price rather than features.
B. Unbiased information might be hard to find.
Are there any reasons not to take an extreme view of security, if that view errs on the side of caution? A. No, there is no reason not to take such an extreme view. B. Yes, that can lead to wasting resources on threats that are not likely. C. Yes, if you are going to err, assume there are few if any realistic threats. D. Yes, that can require that you increase your security skills in order to implement more rigorous defenses.
B. Yes, that can lead to wasting resources on threats that are not likely. Before you can explore the topic of computer security, you must first formulate a realistic assessment of the threats to those systems. The key word is realistic. Clearly one can imagine some very elaborate and highly technical potential dangers. However, as a network security professional, you must focus your attention—and resources—on the likely dangers. Before delving into specific threats, let's get an idea of how likely attacks, of any type, are on your system.
Which of the following is the best definition for the term ethical hacker? A. An amateur who hacks a system without being caught B. A person who hacks a system by faking a legitimate password C. A person who hacks a system to test its vulnerabilities D. An amateur hacker
C. A person who hacks a system to test its vulnerabilities
Which of the following encryption algorithms is a block cipher, and uses the Rijndael algorithm? A. DES B. RSA C. AES D. NSA
C. AES Advanced Encryption Standard (AES) uses the Rijndael algorithm. AES specifies three key sizes: 128, 192, and 256 bits. By comparison, DES keys are 56 bits long, and Blowfish allows varying lengths up to 448 bits. AES is a block cipher.
Which of the following is the best definition of "sensitive information"? A. Military- or defense-related information B. Any information that is worth more than $1,000 C. Any information that, if accessed by unauthorized personnel, could damage your organization in any way D. Any information that has monetary value and is protected by any privacy laws
C. Any information that, if accessed by unauthorized personnel, could damage your organization in any way
Which of the following is the most accurate definition of a virus? A. Any program that spreads via e-mail B. Any program that carries a malicious payload C. Any program that self-replicates D. Any program that can damage your system
C. Any program that self-replicates One definition for a virus is: "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." .... A computer virus is analogous to a biological virus in that both replicate and spread. The most common method for spreading a virus is using the victim's e-mail account to spread the virus to everyone in his address book. Some viruses do not actually harm the system itself, but all of them cause network slowdowns or shutdowns due to the heavy network traffic caused by the virus replication.
Which of the following gives the best definition of spyware? A. Any software that logs keystrokes B. Any software used to gather intelligence C. Any software or hardware that monitors your system D. Any software that monitors which websites you visit
C. Any software or hardware that monitors your system Another form of spyware, called a key logger, records all of your keystrokes. Some also take periodic screen shots of your computer. Data is then either stored for retrieval later by the party who installed the key logger or is sent immediately back via e-mail. In either case, every single thing you do on your computer is recorded for the interested party.
Which of the following is the oldest known encryption method? A. PGP B. Multi-alphabet C. Caesar cipher D. Cryptic cipher
C. Caesar cipher
Which of the following is the most basic security activity? A. Installing a firewall B. Authenticating users C. Controlling access to resources D. Using a virus scanner
C. Controlling access to resources
Which of the following is the best definition for war-driving? A. Driving while hacking and seeking a computer job B. Driving while using a wireless connection to hack C. Driving looking for wireless networks to hack D. Driving and seeking rival hackers
C. Driving looking for wireless networks to hack
A system that is set up for attracting and monitoring intruders is called what? A. Fly paper B. Trap door C. Honeypot D. Hacker cage
C. Honeypot
Snort is which type of IDS? A. Router-based B. OS-based C. Host-based D. Client-based
C. Host-based Snort is perhaps the most well-known open source IDS available. It is a software implementation installed on a server to monitor incoming traffic. It typically works with a host-based firewall in a system in which both the firewall software and Snort run on the same machine. Snort is available for Unix, Linux, FreeBSD, and Windows.
Why might a proxy gateway be susceptible to a flood attack? A. It does not properly filter packets. B. It does not require user authentication. C. It allows multiple simultaneous connections. D. Its authentication method takes more time and resources.
C. It allows multiple simultaneous connections.
Why is an SPI firewall more resistant to flooding attacks? A. It automatically blocks large traffic from a single IP. B. It requires user authentication. C. It examines each packet in the context of previous packets. D. It examines the destination IP of all packets.
C. It examines each packet in the context of previous packets.
What is a technical weakness of the stack tweaking defense? A. It is complicated and requires very skilled technicians to implement. B. It only decreases time out but does not actually stop DoS attacks. C. It is resource intensive and can degrade server performance. D. It is ineffective against DoS attacks.
C. It is resource intensive and can degrade server performance.
Why might you run Specter in strange mode? A. It may confuse hackers and deter them from your systems. B. It will be difficult to determine the system is a honeypot. C. It might fascinate hackers and keep them online long enough to catch them. D. It will deter novice hackers.
C. It might fascinate hackers and keep them online long enough to catch them. The Specter honeypot is comprised of a dedicated PC with the Specter software running on it. The Specter software can emulate the major Internet protocols/services such as HTTP, FTP, POP3, SMTP, and others, thus appearing to be a fully functioning server. Specter logs all traffic to the server for analysis. Users can set it up in one of five modes: * Open: In this mode the system behaves like a badly configured server in terms of security. The downside of this mode is that you are most likely to attract and catch the least skillful hackers. * Secure: This mode has the system behaving like a secure server. * Failing: This mode is interesting in that it causes the system to behave like a server with various hardware and software problems. This might attract some hackers because such a system is likely to be vulnerable. * Strange: In this mode, the system behaves in unpredictable ways. This sort of behavior is likely to attract the attention of a more talented hacker and perhaps cause her to stay online longer trying to figure out what is going on. The longer the hacker stays connected, the better the chance of tracing her. * Aggressive: This mode causes the system to actively try and trace back the intruder and derive his identity. This mode is most useful for catching the intruder.
Why might a circuit level gateway be inappropriate for some situations? A. It has no user authentication. B. It blocks web traffic. C. It requires client-side configuration. D. It is simply too expensive.
C. It requires client-side configuration.
Which of the following is a problem with the approach "Setting up parameters for acceptable use, such as the number of login attempts, and watching to see if those levels are exceeded"? A. It is difficult to configure. B. It misses many attacks. C. It yields many false positives. D. It is resource intensive.
C. It yields many false positives. Thresholds provide a definition of acceptable behavior. Unfortunately, characterizing intrusive behavior solely by the threshold limits can be somewhat challenging. It is often quite difficult to establish proper threshold values or the proper time frames at which to check those threshold values. This can result in a high rate of false positives in which the system misidentifies normal usage as a probable attack.
What is the best way to defend against a buffer overflow? A. Use a robust firewall B. Block TCP packets at the router C. Keep all software patched and updated D. Stop all ICMP traffic
C. Keep all software patched and updated
Which of the following are four basic types of firewalls? A. Screening, bastion, dual-homed, circuit level B. Application gateway, bastion, dual-homed, screening C. Packet filtering, application gateway, circuit level, stateful packet inspection D. Stateful packet inspection, gateway, bastion, screening
C. Packet filtering, application gateway, circuit level, stateful packet inspection
Blocking attacks seek to accomplish what? A. Install a virus on the target machine B. Shut down security measures C. Prevent legitimate users from accessing a system D. Break into a target system
C. Prevent legitimate users from accessing a system
A device that hides internal IP addresses is called A. Screened host B. Bastion firewall C. Proxy server D. Dual-homed host
C. Proxy server
Which of the following can be shipped preconfigured? A. Stateful packet inspection firewalls B. Network host-based firewalls C. Router-based firewalls D. Dual-homed firewalls
C. Router-based firewalls
What type of firewall is Check Point 5000 series firewall? A. Application gateway B. Packet filtering/application gateway hybrid C. SPI/application gateway hybrid D. Circuit-level gateway
C. SPI/application gateway hybrid
What is the name for a DoS defense that is dependent on sending back a hash code to the client? A. Stack tweaking B. RST cookie C. SYN cookie D. Server reflection
C. SYN cookie
Which of the following best describes session hacking? A. Taking over a target machine via a Trojan horse B. Taking control of a target machine remotely C. Taking control of the communication link between two machines D. Taking control of the login session
C. Taking control of the communication link between two machines
Which of the following is found in Norton's personal firewall but not in ICF? A. NAT B. A visual tool to trace attacks C. Vulnerability scanning D. Strong encryption
C. Vulnerability scanning
What is ICF? A. Windows XP Internet Connection Firewall B. Windows XP Internet Control Firewall C. Windows 2000 Internet Connection Firewall D. Windows 2000 Internet Control Firewall
C. Windows 2000 Internet Connection Firewall
Which binary mathematical operation can be used for a simple encryption method? A. Bit shift B. OR C. XOR D. Bit swap
C. XOR
A profiling technique that monitors how applications use resources is called what? A. System monitoring B. Resource profiling C. Application monitoring D. Executable profiling
D. Executable profiling Executable profiling seeks to measure and monitor how programs use system resources with particular attention to those whose activity cannot always be traced to a specific originating user. For example, system services usually cannot be traced to a specific user launching them. Viruses, Trojan horses, worms, trapdoors, and other such software attacks are addressed by profiling how system objects such as files and printers are normally used not only by users, but also by other system subjects on the part of users. Executable profiling enables the IDS to identify activity that might indicate an attack. Once a potential danger is identified, the method of notifying the administrator, such as by network message or e-mail, is specific to the individual IDS.
What is the primary advantage of the Data Encryption Standard, or DES, encryption algorithm? A. It is complex. B. It is unbreakable. C. It uses asymmetric keys. D. It is relatively fast.
D. It is relatively fast.
What is the danger inherent in IP spoofing attacks? A. They are very damaging to target systems. B. Many of these attacks open the door for other attacks. C. They can be difficult to stop. D. Many firewalls don't examine packets that seem to come from within the network.
D. Many firewalls don't examine packets that seem to come from within the network.
Which of the following virus attacks initiated a DoS attack? A. Faux B. Walachi C. Bagle D. MyDoom
D. MyDoom
Which of the following is not one of the three major classes of threats? A. Denial of Service attacks - Blocking B. A computer virus or worm - Malware C. Actually intruding on a system - Intrusion D. Online auction fraud
D. Online auction fraud
What is the greatest danger in a network host-based configuration? A. SYN flood attacks B. Ping flood attacks C. IP spoofing D. Operating system security flaws
D. Operating system security flaws
Which of the following is not one of Snort's modes? A. Sniffer B. Packet logger C. Network intrusion-detection D. Packet filtering
D. Packet filtering Snort works in one of three modes: sniffer, packet logger, and network intrusion-detection. * In packet sniffer mode, the console (shell or command prompt) displays a continuous stream of the contents of all packets coming across that machine. * Packet logger mode is similar to sniffer mode. The difference is that the packet contents are written to a text file log rather than displayed in the console. * In network intrusion-detection mode, Snort uses a heuristic approach to detecting anomalous traffic. This means it is rules-based and it learns from experience. A set of rules initially governs a process. Over time Snort combines what it finds with the settings to optimize performance. It then logs that traffic and can alert the network administrator. This mode requires the most configuration because the user can determine the rules she wishes to implement for the scanning of packets.
Which of the following is an encryption method developed by three mathematicians in the 1970s? A. PGP B. DES C. DSA D. RSA
D. RSA This public key method was developed in 1977 by three mathematicians: Ron Rivest, Adi Shamir, and Len Adleman. The name RSA is derived from the first letter of each mathematician's last name. One significant advantage of RSA is that it is a public key encryption method. That means there are no concerns with distributing the keys for the encryption. However, RSA is much slower than symmetric ciphers. In fact, in general, asymmetric ciphers are slower than symmetric ciphers.
What DoS attack is based on leaving connections half open? A. Ping of Death B. Smurf attack C. Distributed denial of service D. SYN flood
D. SYN flood
Should a home user with a firewall block incoming port 80, and why or why not? A. She should not because it would prevent her from using web pages. B. She should because port 80 is a common attack point for hackers. C. She should not because that will prevent her from getting updates and patches. D. She should unless she is running a web server on her machine.
D. She should unless she is running a web server on her machine.
What type of firewall is SonicWALL TZ Series? A. Packet screening B. Application gateway C. Circuit-level gateway D. Stateful packet inspection
D. Stateful packet inspection - The stateful packet inspection (SPI) firewall is an improvement on basic packet filtering. This type of firewall will examine each packet, denying or permitting access based not only on the examination of the current packet, but also on data derived from previous packets in the conversation. This means that the firewall is aware of the context in which a specific packet was sent. This makes these firewalls far less susceptible to ping floods and SYN floods, as well as being less susceptible to spoofing.
Which of the following is not a profiling strategy used in anomaly detection? A. Threshold monitoring B. Resource profiling C. Executable profiling D. System monitoring
D. System monitoring Anomaly detection involves actual software that works to detect intrusion attempts and notify the administrator. The general process is simple: The system looks for any anomalous behavior. Any activity that does not match the pattern of normal user access is noted and logged. The software compares observed activity against expected normal usage profiles. Profiles are usually developed for specific users, groups of users, or applications. Any activity that does not match the definition of normal behavior is considered an anomaly and is logged. Sometimes we refer to this as "trace back" detection or process. We are able to establish from where this packet was delivered. The specific ways in which an anomaly is detected include: threshold monitoring, resource profiling, user/group work profiling, and executable profiling.
Which of the following best defines the primary difference between an ethical hacker and an auditor? A. There is no difference. B. The ethical hacker tends to be less skilled. C. The auditor tends to be less skilled. D. The ethical hacker tends to use more unconventional methods.
D. The ethical hacker tends to use more unconventional methods.
Explain Flame
This virus first appeared in 2012 and targeted Windows operating systems. One thing that makes this virus notable is that it was specifically designed for espionage. It was first discovered in May 2012 at several locations, including Iranian government sites. Flame is spyware that can monitor network traffic and take screenshots of the infected system. This malware stored data in a local database that was encrypted. Flame was also able to change its behavior based on the specific antivirus running on the target machine, which indicates that this malware is highly sophisticated. Also of note is the fact that Flame was signed with a fraudulent Microsoft certificate, which meant that Windows systems would trust the software.