SecFnd 210-250 Chapter 12
Which of the following are examples of DNS tunneling tools? (Select all that apply.) a. DeNiSe b. dns2tcp c. DNScapy d. DNStor
A, B, C. DeNiSe, dns2tcp, and DNScapy are examples of DNS tunneling tools. They were originally not created for malicious purposes, but they have been used by attackers to steal data from victims for years.
What are examples of peer-to-peer (P2P) tools? a. LionShare b. P2P NetFlow c. Napster d. Peercoin
A, C, D. LionShare, Napster, and Peercoin are examples of P2P tools. P2P NetFlow does not exist
What is a SQL injection vulnerability? a. A type of vulnerability where an attacker can insert or "inject" a SQL query via the input data from the client to the application or database b. A type of vulnerability where an attacker can "inject" a new password to a SQL server or the client c. A type of DoS vulnerability that can cause a SQL server to crash d. A type of privilege escalation vulnerability aimed at SQL servers
A. Attackers can insert or "inject" a SQL query via the input data from the client to the application or database. Attackers can exploit SQL injector vulnerabilities to read sensitive data from the database, modify or delete database data, execute administration operations on the database, and even issue commands to the operating system.
Why should NTP be enabled in infrastructure devices and for security monitoring? a. Using NTP ensures that the correct time is set and that all devices within the network are synchronized. Also, it helps to reduce the amount of duplicate logs. b. Using NTP ensures that the network tunneling protocol is implemented with the correct encryption algorithms. c. Using NTP ensures that the network tunneling protocol is implemented with the correct hashing algorithms. d. Using NTP ensures that the network tunneling protocol is implemented with the correct DNS names and NetFlow records.
A. The Network Time Protocol (NTP) ensures that the correct time is set and that all devices within the network are synchronized.
What is Tor? a. Tor is The Onion Router and is a free tool that enables its users to surf the Web anonymously. b. Tor is The Onion Router and is a free tool that enables its users to send email in an encrypted way using PGP. c. Tor is The Onion Router and is a free tool that enables its users to route packets anonymously by leveraging the EIGRP or OSPF routing protocol. d. Tor is The Onion Router and is a free tool that enables its users to route packets anonymously by using BGP.
A. The Onion Router (Tor) is both free and enables its users to surf the Web anonymously.
What is a Tor exit node? a. The encrypted Tor network b. The last Tor node or the "gateways" where the Tor encrypted traffic "exits" to the Internet c. The Tor node that performs encryption d. The Tor browser installed in your system in order to "exit" the Internet
B. A Tor exit node is basically the last Tor node or the "gateway" where the Tor encrypted traffic "exits" to the Internet. A Tor exit node can be targeted to monitor Tor traffic. Many organizations block Tor exit nodes in their environment. The Tor project has a dynamic list of Tor exit nodes that make this task a bit easier. This Tor exit node list can be downloaded from https://check.torproject.org/exit-addresses.
What is a Tor exit node? a. A Tor exit node is the first Tor node or the "gateway" where the Tor encrypted traffic "exits" to the Internet. b. A Tor exit node is the last Tor node or the "gateway" where the Tor encrypted traffic "exits" to the Internet. c. A Tor exit node is the Tor node or the "gateway" where the Tor browser connects first. d. A Tor exit node is an Internet routing entity that can define how the Tor browser exits the common Internet and connects to the darknet.
B. A Tor exit node is the last Tor node or the "gateway" where the Tor encrypted traffic "exits" to the Internet.
Network address translation (NAT) introduces challenges in the identification and attribution of endpoints in a security victim. The identification challenge applies to both the victim and the attack source. What tools are available to be able to correlate security monitoring events in environments where NAT is deployed? a. NetFlow b. Cisco Lancope Stealthwatch System c. Intrusion Prevention Systems (IPS) d. Encryption protocols
B. A few security products, such as the Cisco Lancope Stealthwatch system, provide features such as NAT stitching to use NetFlow with other data in the network and be able to correlate and "map" translated IP addresses. This accelerates incident response tasks and eases continuous security monitoring operations.
What is a DNS tunnel? a. A type of VPN tunnel that uses DNS. b. A type of MPLS deployment that uses DNS. c. DNS was not created for tunneling, but a few tools have used it to encapsulate data in the payload of DNS packets. d. An encryption tunneling protocol that uses DNS's UDP port 53.
B. DNS was not created for tunneling, but a few tools have used it to encapsulate data in the payload of DNS packets. Threat actors have been using many different untraditional techniques to steal data from corporate networks without being detected. For example, they have been sending stolen credit card data, intellectual property, and confidential documents over DNS using tunneling.
Which of the following are benefits of encryption? a. Malware communication b. Privacy c. Malware mitigation d. Malware identification
B. Privacy is one of the main benefits of encryption. The rest of the answers are either not valid or not a benefit.
Why does NAT present a challenge to security monitoring? a. NAT can present a challenge when performing security monitoring and analyzing logs because data can be encrypted as a result of the network address translation. b. NAT can present a challenge when performing security monitoring and analyzing logs because data can be dropped as a result of the network address translation. c. NAT can present a challenge when performing security monitoring and analyzing logs, NetFlow, and other data because device IP addresses can be seen in the logs as the "translated" IP address versus the "real" IP address. d. NAT can present a challenge when performing security monitoring and analyzing logs because data can be fragmented as a result of the network address translation.
C. Answer C correctly states the challenge NAT presents to security monitoring.
Which of the following is an example of a DNS tunneling tool? a. dig b. nslookup c. DNScapy d. DNSSEC
C. DNScapy is an example of a DNS tunneling tool.
Why can encryption be challenging to security monitoring? a. Encryption introduces latency. b. Encryption introduces additional processing requirements by the CPU. c. Encryption can be used by threat actors as a method of evasion and obfuscation, and security monitoring tools might not be able to inspect encrypted traffic. d. Encryption can be used by attackers to monitor VPN tunnels.
C. Encryption can be used by threat actors as a method of evasion and obfuscation, and security monitoring tools might not be able to inspect encrypted traffic.
If the date and time are not synchronized among network and security devices, logs can become almost impossible to correlate. What protocol is recommended as a best practice to deploy to mitigate this issue? a. Network address translation b. Port address translation c. Network Time Protocol (NTP) d. Native Time Protocol (NTP)
C. NTP is recommended as a best practice to synchronize the "clock" (date and time) of all network infrastructure devices, servers, and other endpoints.
Which of the following is an example of an encoding mechanism used by threat actors? a. Base24 encoding b. GRE tunnels c. Hex tunnels d. Base64 encoding
D. Base64 encoding is an example of an encoding mechanism used by threat actors.
What is Tor? a. An encryption protocol. b. A hashing protocol. c. A VPN tunnel client. d. Tor is a free tool that enables its users to surf the Web anonymously.
D. Tor is a free tool that enables its users to surf the Web anonymously. Tor has been used by nonmalicious users to keep their activity private, but also by malicious threat actors to carry out their attacks and perform other illicit activities.