Intrusion Detection Systems, IST447 - EDRM Content - Potter B, Network+ 1, Chapter 17, Security+ Chapter 9, Security+ Chapter 13, Computer Security Chapter 13, Chap. 13, CH 13 Intrusion Detection Systems and Network Security CIS 2337 Vocab, Security+...


Select a password that is still relatively easy to remember, but still difficult to "guess."

Selecting a good password for each user account is critical to protecting information systems. How should you select a good password? - Use letters in your first name and letters in your last name. - Select a password that is still relatively easy to remember, but still difficult to "guess." - Unfortunately, there is no way to keep a password safe, so it really doesn't matter what you use. - Create a password that would be hard to remember, and then write it down so you won't forget it.

Spoofing

"a sophisticated technique of authenticating one machine to another by forging packets from a trusted source address."

TCP SYN Scanning

"Half-open" scanning. Sends a SYN packet to each remote port. Open ports respond with a SYN/ACK packet; closed ports usually respond with an RST packet.

Authentication

"the process those machines use to identify each other."

Trust

"the relationship between machines that are authorized to connect to one another."

Ping

(Packet INternet Groper) A utility designed to determine whether or not a remote system is accessible.

RFC 793: state is CLOSED

(that is, Transmission Control Block does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RESET (RST) is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.

Eradication and Recovery Phases

*Mitigation steps*:
- Investigation - the causes or nature of the incident might not be clear, in which case further (careful) investigation is warranted
- Containment - allow the attack to proceed but ensure that valuable systems/data are not at risk
- Hot swap - a backup system is brought into operation and the live system frozen to preserve evidence of the attack
- Prevention - countermeasures to end the incident are taken on the live system (even though this may destroy valuable evidence)

*Recovery/reconstitution procedures*:
- Remove malicious files and tools (also consider infection of backups)
- Re-audit security controls - what could have prevented the intrusion?
- Notification and remediation of third parties (customers and suppliers)

Honeypot

- A computer system or portion of a network that has been set up to attract potential intruders, in the hope that they will leave the other systems alone. -Since there are no legitimate users of this system, any attempt to access it is an indication of unauthorized activity and provides an easy mechanism to spot attacks.

Switched Port Analyzer (SPAN)

- A technology employed that can duplicate individual channels crossing a switch to another circuit.

An active IDS can: A) Respond to attacks with TCP resets B) Monitor for malicious activity C) A and B D) None of the above

- Respond to attacks with TCP resets - Monitor for malicious activity

Recognize Scanning: System log file analysis

- look for multiple, short duration connections or connection attempts.

Recognize Scanning: Network traffic

- monitor the volume of inbound and outbound network traffic. If you have established a profile of what is normal activity you will be able to recognize spikes in the activity level which may indicate scanning activity

Firewalls

-A network device—hardware, software, or a combination thereof -Determines what traffic should be allowed or denied to pass in or out of a network

Anomaly detection model

-An IDS model where the IDS must know what "normal" behavior on the host or network being protected really is. -Once the "normal" behavior baseline is established, the IDS can then go to work identifying deviations from the norm, which are further scrutinized to determine whether or not that activity is malicious.

1. Layers 2. detection, complex

-As need for security increases, l_____ of security should be added. -I_______ detection systems are one of the more c______ layers.

Traffic collector

-Collects activity/events for the IDS to examine. On a HIDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a NIDS, this is typically a mechanism for copying traffic off the network link—basically functioning as a sniffer.

Active HIDSs

-Contain all components and capabilities of the passive HIDS. -Can react to the activity it is analyzing.

Active NIDS

-Contains all the same components and capabilities of the passive NIDS -Can react to the traffic it is analyzing

Windows Defender

-Designed to remove spyware and unwanted programs from your PC -Includes spyware detection and removal, scheduled scanning, automatic updates, real-time protection, software explorer, and configurable responses -NOT a replacement for an antivirus program

Rate-based Monitoring

-Detect and mitigate DoS attacks -Watch the amount of traffic traversing the network, if too much, it can intervene and throttle down traffic to acceptable levels.

Host-Based IDS (HIDS)

-Examines activity only on a specific host. Flags that may raise the alarm in a HIDS:
- Login failures
- Logins at irregular hours
- Privilege escalation
- Additions of new user accounts

Personal Software Firewalls

-Host-based protective mechanism that controls traffic going into and out of a single system. -Various free and commercial firewall software is available.

Intrusion Prevention Systems

-In addition to IDS functions, it has the capability of stopping or preventing a malicious attack. -Must sit inline on the network. -Still can't inspect encrypted traffic, although some vendors include the ability to inspect SSL sessions. -Often rated by the amount of traffic that can be processed without dropping packets.

Disadvantages of a NIDS

-It is ineffective when traffic is encrypted. -It cannot see traffic that does not cross it. -It must be able to handle high volumes of traffic. -It does not know about activity on the hosts themselves.

Disadvantages of NIDS

-It is ineffective when traffic is encrypted. (HIDS are effective) -It can't see traffic that does not cross it -It must be able to handle high volumes of traffic -It doesn't know about activity on the hosts themselves

PC-based Malware Protection

-M_______ p______ for PCs has become a necessity due to the proliferation of "always-on" broadband connections. -Unprotected and unpatched systems are compromised within two hours of coming online, on average.

Active NIDS

-Must be used judiciously lest legitimate activity be disrupted -A commonly-used reactive response to an attack is a TCP reset

Disadvantages of HIDSs

-Must have a process on every system you want to watch. -High cost of ownership and maintenance. -Uses local system resources. -Very focused view and cannot relate to activity around it. -If logging only locally, could be compromised or disabled.

Advantages of NIDS

-Providing IDS coverage requires fewer systems -Deployment, maintenance, and upgrade costs are usually lower -A NIDS has visibility into all network traffic and can correlate attacks among multiple systems -Requires far fewer local resources

Advantages of a NIDS

-Providing IDS coverage requires fewer systems. -Deployment, maintenance, and upgrade costs are usually lower. -NIDS has visibility into all network traffic and can correlate attacks among multiple systems.

Content-based signature

-Signatures that are designed to examine the content of such things as network packets or log entries. -Content-based signatures are typically easy to build and look for simple things, such as a certain string of characters or a certain flag set in a TCP packet.

Context-based signature

-Signatures that are designed to match large patterns of activity and examine how certain types of activity fit into the other activities going on around them. -Context-based signatures are more difficult to analyze and take more resources to match, as the IDS must be able to "remember" past events to match certain context signatures.

Passive HIDSs

-Simply watches the activity, analyzes it, and generates alarms. -Does not interact with the activity itself in any way. -Does not modify the defensive posture of the system to react to the traffic.

Passive NIDS

-Simply watches traffic, analyzes it, and generates alarms -Does not interact with the traffic itself -Does not modify the defensive posture of the system to react to the traffic

Protocol Analyzers (1/2)

-Software or an integrated software/hardware system that can capture and decode network traffic -Detect undesirable traffic -Capture traffic for incident response -Looking for evidence of malicious activity -Looking for unusual traffic -Testing encryption between systems or applications

False positive

-Term used when a security system makes an error and incorrectly reports the existence of a searched-for object. Examples include an intrusion detection system that misidentifies benign traffic as hostile, an antivirus program that reports a virus in software that is not actually infected, or a biometric system that allows an unauthorized individual access to a system.

Snort

-The de facto standard IDS engine since its creation in 1998. It has a large user base and set the standard for many IDS elements, including rule sets and formats. -Snort rules are the list of activities that Snort will alert on and provide the flexible power behind the IDS platform. -Snort rule sets are updated by a large active community as well as the Sourcefire Vulnerability Research Team (VRT), Sourcefire being the company behind Snort. Snort VRT rule sets are available to subscribers and provide such elements as same-day protection for items such as Microsoft Patch Tuesday vulnerabilities. -These rules are moved to the open community after 30 days.

TCP reset

-The most common defensive ability for an active NIDS. -The reset message (RST) tells both sides of the connection to drop the session and stop communicating immediately

How HIDS Work 1. Traffic collector 2. Analysis 3. decision 4. Signature 5. user interface

-The t____ c_____ aggregates information. -The a_____ engine reviews the data. -May implement a d_____ tree to classify activities and make decisions -S_____ database may be used to match activities to predefined activity or patterns -Users work with HIDS through the u___ i_____ which include the visible components of the HIDS.

IDS Components

-Traffic collector / sensor -Analysis engine -Signature database -User interface and reporting

Advantages of HIDSs

-Very operating system-specific with more detailed signatures -Reduce false-positive rates -Examine data after it has been decrypted -Very application specific -Determine whether or not an alarm may impact that specific system

Modern HIDS

-often referred to as host-based intrusion prevention systems (HIPS) -Use the following components to prevent attacks: Integrated system firewall, Behavioral- and signature-based IDS, Application control, Enterprise management, Malware detection and prevention

It allows encryption of all data on a server

Which of the following is true of BitLocker, in Windows Vista? - It's where malicious code is stored when it's discovered. - It's a form of data storage for network traffic. - It allows encryption of all data on a server. - It monitors Internet Explorer traffic.

Which of the following is an example of a MAC address? - 00:07:H9:c8:ff:00 - 00:39:c8:ff:00 - 00:07:e9:c8:ff:00 - 00:07:59:c8:ff:00:e8

00:07:e9:c8:ff:00

What are the 5 stages of the Review Phase of the EDRM

1) Develop Review Strategy/Plan 2) Setup Review Room/Training 3) Perform Data Analysis/Workflow 4) Conduct Review 5) Evaluate, Plan/Wrap-Up

What are the 5 stages of the Analysis Phase of the EDRM

1) Fact Finding 2) Search Enhancement 3) Review Enhancement 4) Impact Analysis 5) Validation/Quality Assurance

What are the the 9 stages of the EDRM?

1) Information Management 2) Identification 3) Preservation 4) Collection 5) Processing 6) Review 7) Analysis 8) Production 9) Presentation

Class A Address

1-126

Which of the following is a valid IP address? - 192.168.1.1.1 - 10.266.12.13 - 172.11.11 - 12.12.12.12

12.12.12.12

Class B Address

128-191

Which of the following is not a private IP address? - 10.100.200.100 - 172.32.32.21 - 192.168.1.1 - 192.168.254.254

172.32.32.21

Class C Address

192-223

Well-known ports

- 20 File Transfer Protocol (FTP) Data
- 21 File Transfer Protocol (FTP) Control
- 23 Telnet
- 25 Simple Mail Transfer Protocol (SMTP)
- 53 Domain Name Server (DNS)
- 79 Finger
- 80 World Wide Web (HTTP)
- 110 Post Office Protocol - Version 3 (POP3)
- 443 HTTPS

Class D Address

224-239

IP addresses are __________ bit numbers - 6 - 32 - 64 - 128

32

IPv4

32 bit number, four octets, contains network and host info

If you are investigating a computer incident and need to remove the disk drive from a computer and replace it with a copy so the user doesn't know it has been exchanged, how many copies of the disk should you make, and how should they be used?

4 copies: replace, store with original, authenticate, and analyze

5 GHz band

802.11a uses frequencies in the __________________.

Wired Equivalent Privacy (WEP)

802.11i updates the flawed security deployed in ____________________.

The 802.1X protocol is a protocol for Ethernet: A. Authentication B. Speed C. Wireless D. Cabling

A

False

In 2002, Microsoft increased the number of services that were installed and running due to public demand. True or False

authentication header (AH), encapsulating security payload (ESP)

In IPsec, a security association is defined by a specific combination of _____________________ and ___________________.

It defeats buffer overflows.

In Mac OS X, what does library randomization do? - It defeats buffer overflows. - It is used for encryption. - It restricts network access. - It increases the ease of code writing.

Port Scanning

In a port scan, the system attempts to connect to specific (or all) ports on the remote system to see which respond. Responding ports are considered "open," and the attacker can then attempt to exploit them (especially known services on well-known ports). A large number of tools are available to perform port scanning; nmap is one of the most popular tools that can perform a port scan.

6

In a UNIX operating system, which run level reboots the machine? - 0 - 1 - 3 - 6

1

In a UNIX operating system, which runlevel describes single-user mode?

peer-to-peer trust model

In a(n) ____________, one CA is not subordinate to another CA, and there is no established trust anchor between the CAs involved.

process identifier

In most UNIX operating systems, each running program is given a unique number called a(n) ____________________.

IP Spoofing communication

In the preceding slides, the actions represented by the "OK, I've done it" or the "OK, here it is" lines may actually consist of a series of messages with appropriate responses. The attacker knows what the responses should be, so the attacker can send them, timed appropriately, to ensure the connection is maintained.

Misuse Detection Model

In this model the IDS looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed to do.

Anomaly Detection Model

In this model, the IDS must know what "normal" behavior on the host or network being protected really is. Once the "normal" behavior baseline is established, the IDS can then go to work identifying deviations from the norm.

Anomaly Detection Model

In this model, the IDS must know what normal behavior on the host or network being protected really is. Once the normal behavior baseline is established, the IDS can then go to work identifying deviations from the norm.

Network-based IDS (NIDS)

Information about network traffic

public key infrastructure (PKI)

Infrastructure for binding a public key to a known user through a trusted intermediary, typically a certificate authority, is called the _________________________.

Which of the following is NOT a network topology? - Star - Ring - Integrated - Mixed

Integrated

User Interface

Interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.


The series of worldwide interconnected networks is referred to as the - DMZ - Intranet - Extranet - Internet

Internet

Your boss is concerned about employees viewing in appropriate or illegal web sites in the workplace. Which device would be the best at addressing this concern? - Antivirus - Firewall - Protocol analyzer - Internet content filter

Internet content filter

A network that lies completely inside a trusted area of a network, and is under the security control of the system and network administrators, is referred to as the - DMZ - Intranet - Extranet - Internet

Intranet

The model that most modern intrusion detection systems use is largely based upon a model created by Dorothy Denning and Peter Neumann called: - Intrusion Detection Interface System (IDIS) - Intrusion Response Interdiction system (IRIS) - Intrusion Detection Expert System (IDES) - Discovery, Haystack, Multics Intrusion Detection and Alerting System (MIDAS)

Intrusion Detection Expert System (IDES)

9. IPS stands for:

Intrusion prevention system

IPS stands for: A) Intrusion processing system B) Intrusion prevention sensor C) Intrusion prevention system D) Interactive protection system

Intrusion prevention system

/etc/hosts.equiv are essentially equivalent to a system-wide .rhosts file and contain lines with hostnames. If system1 contained the /etc/hosts.equiv file:

It would indicate that any user on system2, system4, or system5 could log into system1 without having to supply a password. This assumes that a username equivalent to the one being used on the accessing system (i.e. system2, system4, or system5) also exists on system1. A + in /etc/hosts.equiv means that all systems are trusted.

access tokens

Items carried by the user to allow them to be authenticated are called ______________________.

Unfortunately hackers abuse the ICMP protocol by using it to - Send internet worms - Launch denial-of-service (DoS) attacks - Steal passwords and credit card numbers - Send spam

Launch denial-of-service (DoS) attacks

Internet Layer

Layer in the Internet Protocol suite of protocols that provides network addressing and routing through an internetwork.

Egress filtering is used to detect spam that is:

Leaving an organization.

Ping Sweep Less Effective

Less effective today than in the past. The recent rise in DoS attacks that also use ICMP has resulted in administrators setting their systems to reject inbound ICMP echo requests.

According to SANS Internet Storm Center, the average survival time of an unpatched Windows PC on the Internet is - Less than two minutes - Less than two hours - Less than two days - Less than two weeks

Less than two hours

chmod

Linux and other operating systems use the _______ command to change the read-write-execute properties of a file or directory. - tracert - ifconfig - chmod - chkconfig

Define Identification

Locating potential sources of ESI & determining its scope, breadth & depth.

Misuse Detection Model

Looks for things that violate policy. For example, a denial of service attack launched at your web server or an attacker attempting to brute-force an SSH session.

Packets delivered to a network, such as an office LAN, are usually sent using the destination system's - IP address - MAC address - Apple address - Logical address

MAC address

False

Mac OS X FileVault encrypts files with 3DES encryption. True or False

False negatives

Malicious activity goes undetected

Antispam does all of the following EXCEPT: - Blacklisting - Malicious code detection - Language filtering - Trapping

Malicious code detection

Windows service that facilitates communication between the agents, event viewer, and the administrator.

Manager

Identification Phase - First Responder

Member of CIRT taking charge of a reported incident. Analysis and incident identification:
- Incident - an event that breaches security policy
- Classify and prioritize
- False positives

Restriction of connections to a restricted subnet only Checking of a client OS patch level before a network connection is permitted Denial of a connection based on client policy settings

Microsoft NAP permits:

Modern antivirus products have:

Modern antivirus products have:
- Automated updates
- Automated scanning
- Manual scanning
- Media scanning
- E-mail scanning
- Problem resolution

Anomaly-based (heuristic) IDS

Monitors activity and attempts to classify it as either "normal" or "anomalous"

Intrusion Prevention System (IPS)

Monitors network traffic for malicious or unwanted behavior and can block, reject, or redirect that traffic in real time.

Authentication and Trust

Most common method of authentication is the userid/password combination. If a user on a local network wants to access another system on the local network, having to supply the password to log on is a nuisance. Consequently, a trusted relationship may be established where one local system will trust the other to have authenticated the user originally and will thus not require additional authentication. An example of this is the UNIX .rhosts and hosts.equiv files.

shadow file

Most modern UNIX versions store the passwords associated with a user account in a - BitLocker - shadow file - passwd file - Registry

a. CTRL-ALT-INSERT

Most virtual machine managers replace the CTRL-ALT-DELETE key sequence with: Select one: a. CTRL-ALT-INSERT b. CTRL-ALT-FN c. CTRL-ALT-ESC d. ALT-F4

routing

Moving packets from source to destination across multiple networks is called ______________________.

Disadvantages of HIDS 1. process 2. ownership, maintenance 3. resources 4. focused 5. compromised

Must p______ information on every system you want to watch May have a high cost of o______ and m________ Uses local system r________ A f_______ view and cannot relate to activity around it If logged locally, could be c________ or disabled

Which IDS primarily uses passive software?

NIDS

Incident Response Procedures

NIST Computer Security Incident Handling Guide:
- Preparation - IRP (Incident Response Plan): write policies and procedures; assign personnel and resources; establish secure out-of-band communications
- Identification/detection and analysis
- Containment, eradication, and recovery
- Post-incident activity

Preparation Phase - Communication Processes

- Need to know - incident response communications must be confidential
- Out-of-band communications - avoid alerting the intruder
- Communication with other stakeholders (law enforcement, regulators)

Which of the following improves the security of the network by hiding internal addresses? - Antivirus - IDS - Star topology - Network Address Translation (NAT)

Network Address Translation (NAT)

1. What are two main types of intrusion detection system?

Network Based and Host-Based

NAP

Network access control is associated with which of the following?

_____________ is a technique where a host is queried and identified based on its response to a query.

Network tap

False

Network-based IDS examines activity on a system such, as a mail server or web server. True or False

What are the two Main types of intrusion detection systems A) Network-based and host-based B) Signature-based and event-based C) Active and reactive D) Intelligent and passive

Network-based and host-based

Is Windows Defender available with every version of the Windows operating system?

No, it is only available for Windows Vista and Windows 7 and is available as a free download for Windows XP and Windows Server 2003.

No permissions

On a UNIX system, if a file has the permission r-x rw- ---, what permission does the world have? - Read and execute - Read and write - Read, write, execute - No permissions

Read

On a UNIX system, if a file has the permission rwx r-- ---, what permission does the group have? - Execute, read, write - Read - Read, write, execute - No permissions

Read, write, and execute

On a UNIX system, if a file has the permissions rwx r-x rw-, what permissions does the owner of the file have?

Endpoints of the tunnel only

On a VPN, traffic is encrypted and decrypted at:

The user can now encrypt session keys and messages with this public key and can validate the sender's digital signatures.

Once an individual validates another individual's certificate, what is the use of the public key that is extracted from this digital certificate?

They can reduce false-positive rates

One of the advantages of HIDS is that - They can reduce false-positive rates - Their signatures are broader - They can examine data before it has been decrypted - They are inexpensive to maintain in the enterprise

The ________________ is a method of determining whether a certificate has been revoked that does not require local machine storage of CRLs.

Online Certificate Status Protocol

True

Only active intrusion detection systems (IDS) can aggressively respond to suspicious activity, whereas passive IDS cannot. True or False

Perimeter Security

Operate NIDS like a castle and focus efforts and attention on securing and controlling the ways in and out. Ergo, if you can control the perimeter, you don't have to worry about what's going on inside.

What are the three methods for monitoring network traffic?

Packet capture software, filters and triggers, and Intrusion Detection Software or System

True

Permissions under Linux are the same as for other UNIX-based operating systems. True or False

Zone Alarm, Windows ICF, and iptables are all examples of - Antivirus - Antispyware - Antispam - Personal firewalls

Personal firewalls

Protocol Analyzer

Piece of software or an integrated software/hardware system that can capture and decode network traffic.

The nuisance of web pages that automatically appear on top of your current web page can be remedied with - Antivirus - Antispam - Pop-up blockers - Firewalls

Pop-up blockers

______________ allows administrators to send all traffic passing through a network switch to a specific port on the switch.

Port mirroring

Identification Phase

Precursors and detection channels, which include:
- Security mechanisms (IDS, log analysis, alerts)
- Manual inspections
- Notification procedures
- Public reporting
- Confidential reporting/whistleblowing

Are designed to stop malicious activity from occurring

Preventative intrusion detection systems:

Outright theft of the computers

Probably the simplest physical attack on the computer system is:

Antispam

Products that attempt to filter out that endless stream of junk e-mail so you don't have to.

Antivirus

Products that attempt to identify, neutralize, or remove malicious programs, macros, and files.

A ________________ is a piece of software or an integrated software/hardware system that can capture and decode network traffic.

Protocol Analyzer

Application Layer

Protocols that allow software programs to negotiate formatting, procedural, security, synchronization, and other requirements

A _____________________ is a structure that provides all of the necessary components for different types of users and entities to be able to communicate securely and in a predictable manner.

Public key infrastructure (PKI)

Define Processing

Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.

Signature-based IDS

Relies heavily on a predefined set of attack and traffic patterns called signatures

bootdisk

Removable media from which computer can be booted is called a(n) _____________________.

Containment Phase

Response must balance different/competing objectives:
- What is the loss/potential for loss? What countermeasures are available? What evidence can be collected?
Quarantine and device removal:
- Prevent or interrupt an attack? Allow it to proceed until actual harm is threatened?
Escalation, data breach and reporting:
- Handle the incident at a higher level. Inform affected parties (suppliers and customers/users, regulatory bodies, law enforcement)

Main Goal of Incident Response

- Restore system functionality
- Preserve evidence of intrusion
- Prevent re-occurrence
Refer to *NIST*

Name three types of proxies.

Reverse, Web, Open.

What is it called when network components are connected to each other in a closed loop, with each device directly connected to two other devices? - Star - Bus - Ring - Hybrid

Ring

Describe the state of initialization and what system services are operating in a Linux system

Run levels are used to - Determine which users are allowed on a Windows machine - Describe the state of initialization and what system services are operating in a Linux system - Determine the level of user in Linux systems - Are a Windows construct to manage which services are allowed to autostart

E-mail

SMTP is a protocol used for which of the following functions?

Remote access to network infrastructure

SNMP is a protocol used for which of the following functions?

What are the two components of NIDS?

SNORT and ASIM

The correct sequence of the three-way handshake is - SYN/SYN, ACK/ACK, SYN/SYN - SYN/ACK, SYN/ACK, SYN/ACK - SYN, SYN/ACK, ACK - ACK, SYN/ACK, SYN

SYN, SYN/ACK, ACK

Switched Port Analyzer (SPAN)

Same as port mirroring.

Active HIDS

Same capabilities as a passive HIDS, with the ability to react to activity by possibly running a script or terminating a process

Vulnerability Scanners: Service scanners:

Scanning tool used to examine a specific network service, such as WWW, for common vulnerabilities associated with that service

Egress filtering - Scans incoming mail to catch spam - Scans outgoing mail to catch spam - Messages are scanned for specific words or phrases - Filters out POP traffic

Scans outgoing mail to catch spam

TCP port 22

Secure Shell uses which port to communicate?

False

Securing access to files and directories in Solaris is vastly different from most UNIX variants. True or False

Hardening

Securing and preparing a system for the production environment is called __________________.

By monitoring activity within the honeypot:

Security personnel are better able to identify potential attackers along with their tools and capabilities

Perimeter Security

Security set up on the outside of the network or server to protect it.

Analyzers must be able to:

See and capture network traffic to be effective, and many switch vendors support network analysis through the use of mirroring or SPAN ports

TCP FIN Scanning

Sends a FIN packet (normally sent to clear connection when conversation is finished). Closed ports usually respond with an RST packet. Open ports usually ignore FIN packets.

False

Service pack is the term given to a small software update designed to address a specific problem, such as a buffer overflow in an application that exposes the system to attacks. True or False

Honeypots are specialized forms of intrusion detection that involve:

Setting up simulated hosts and services for attackers to target

Email spoofing

Similar email address - some may not consider this real spoofing. Register an email address at a site such as Hotmail that is similar to the target's email address, e.g. if the target is [email protected], register [email protected].
Modify mail client - some clients allow you to modify what is put in the From line.
Telnet to port 25 - allows the From line to be specified completely; the attacker acts like a mail server connected to the port.

Access control lists

Simple rule sets that are applied to port number and IP addresses are called - Network address translation - Stateful packet filtering - Access control lists - Basic packet filtering

All of the following are advantages of TCP over UDP EXCEPT: - Guaranteed delivery - Sequenced packets - Smaller header - Three-way handshake to establish connection

Smaller header

Windows Defender does all of the following EXCEPT: - Spyware detection and removal - Real-time malware protection - Spam filtering - Examine programs running on your computer

Spam filtering

Host-based IDSs can apply:

Specific context sensitive rules because of the known host role

All the network components are connected to a central point in which topology? - Star - Bus - Ring - Hybrid

Star

How does stateful packet filtering differ from basic packet filtering? - Stateful packet filtering looks only at each packet individually. - Stateful packet filtering looks at the packets in relation to other packets. - Stateful packet filtering looks at the destination address. - Stateful packet filtering looks at the source address.

Stateful packet filtering looks at the packets in relation to other packets

______________ is a new entry in the IDS toolset as a replacement for Snort.

Suricata

Newer versions of IDSs include prevention capabilities that automatically block:

Suspicious or malicious traffic before it reaches its intended destination. Most vendors call these intrusion prevention systems (IPSs)

Data Link Layer

Switches operate at which layer of the OSI model?

Which transport layer protocol is connection oriented? - UDP - TCP - IP - ICMP

TCP

The main difference between TCP and UDP packets is - UDP packets are a more widely used protocol. - TCP packets are smaller and thus more efficient to use. - TCP packets are connection oriented, whereas UDP packets are connectionless. - UDP is considered to be more reliable because it performs error checking.

TCP packets are connection oriented, whereas UDP packets are connectionless.

Help secure the system by restricting network connections

TCP wrappers do what?

Proxy Servers

Takes client requests and forwards them to the destination server on behalf of the client. A security application for filtering undesirable traffic and blocking potentially hostile web sites.

Which of the following correctly defines real evidence?

Tangible objects that prove or disprove a fact

False Positive

Term used when a security system makes an error and incorrectly reports the existence of a searched-for object. Examples include an intrusion detection system that misidentifies benign traffic as hostile, an antivirus program that reports the existence of a virus in software that actually is not infected, or a biometric system that allows access to a system to an unauthorized individual.

False negative

Term used when a system makes an error and misses reporting the existence of an item that should have been detected.

service set identifier (SSI)

The 32-character identifier attached to the header of a packet used for authentication to an 802.11 access point is the ________________.

Authentication

The 802.1X protocol is a protocol for Ethernet:

Which of the following is NOT a disadvantage of host-based IDS? - The IDS uses local system resources. - The IDS can have a high cost of ownership and maintenance. - The IDS must have a process on every system you want to watch. - The IDS is ineffective when traffic is encrypted.

The IDS is ineffective when traffic is encrypted.

EUI-64

The IEEE standard defining 64-bit physical addresses. In the EUI-64 scheme, the OUI portion of an address is 24 bits in length. A 40-bit extension identifier makes up the rest of the physical address to total 64 bits.

True

The NIDS signature database is usually much larger than that of a host-based system. True or False

Allows for packets to be processed in the order they were sent

The TCP protocol:

is a connectionless protocol

The UDP protocol:

certificate server

The ___________ is the actual service that issues certificates based on the data provided during the initial registration process.

online certificate status protocol (OCSP)

The _____________ is a method of determining whether a certificate has been revoked that does not require local machine storage of CRLs.

ISAKMP

The ________________ is a protocol framework that defines the mechanics of implementing a key exchange protocol and negotiation of a security policy.

initialization vector (IV)

The __________________ is the part of the RC4 cipher that has a weak implementation in WEP.

MAC addresses

The ________________________ is the hardware address used to uniquely identify each device on a network.

certificate authority (CA)

The _____________ is the trusted authority for certifying individuals' identities and creating an electronic document indicating that individuals are who they say they are.

operating system

The basic software on a computer that handles input and output is called the __________________.

Snort

The de facto standard IDS engine since its creation in 1998.

Anomaly models require knowledge of normal activity, whereas misuse models don't.

The difference between misuse and anomaly IDS models is - Misuse models require knowledge of normal activity, whereas anomaly models don't. - Anomaly models require knowledge of normal activity, whereas misuse models don't. - Anomaly models are based on patterns of suspicious activity. - Anomaly model-based systems suffer from many false negatives

Wireless Transport Layer Security (WTLS)

The encryption protocol that is used on Wireless Application Protocol (WAP) networks is called _________________.

Which of the following correctly defines evidence as being sufficient?

The evidence is convincing or measures up without question

Which of the following correctly defines documentary evidence?

The evidence is in the form of business records, printouts, manuals, and other items

Which of the following correctly defines evidence as being competent?

The evidence is legally qualified and reliable

Which of the following correctly defines evidence as being relevant?

The evidence is material to the case or has a bearing on the matter at hand

Session Layer

The fifth layer in the OSI model. The Session layer establishes and maintains communication between two nodes on the network. It can be considered the "traffic cop" for network communications.

What was the first commercial, network-based IDS product?

The first commercial network-based IDS product was NetRanger, released by WheelGroup in 1995.

Transport Layer

The fourth layer of the OSI model. In this layer, protocols ensure that data are transferred from point A to point B reliably and without errors. This layer's services include flow control, acknowledgment, error correction, segmentation, reassembly, and sequencing.

Digital Sandbox

The isolation of a program and its supporting elements from common operating system functions.

Network Interface Layer

The lowest level of the TCP/IP suite; it is responsible for placing and removing packets on the physical network.

Physical Layer

The lowest, or first, layer of the OSI model. Protocols in the Physical layer generate and detect signals so as to transmit and receive data over a network medium. These protocols also set the data transmission rate and monitor data error rates, but do not provide error correction.

To help security professionals better understand and protect against threats to the system

The main purpose of a honeypot is - To identify hackers so they can be tracked down by the FBI - To slow hackers down by providing an additional layer of security that they must pass before accessing the actual network - To distract hackers away from attacking an organization's live network - To help security professionals better understand and protect against threats to the system

Group policies

The mechanism that allows for centralized management and configuration of computers and remote users in an Active Directory environment is called:

False

The misuse detection IDS model is more difficult to implement than the anomaly detection model, and is not as popular as a result. True or False

Intrusion Detection Expert System (IDES)

The model that most modern intrusion detection systems use is largely based upon a model created by Dorothy Denning and Peter Neumann called: - Intrusion Detection Interface System (IDIS) - Intrusion Response Interdiction system (IRIS) - Intrusion Detection Expert System (IDES) - Discovery, Haystack, Multics Intrusion Detection and Alerting System (MIDAS)

Anomaly Detection Model

The more complicated of the two IDS models, this model examines "normal" behavior and looks for behavior that differs from the norm before examining the event to see whether it is actually malicious or not. (Also known as heuristic.)

Port Mirroring

The network traffic is essentially copied or mirrored to a specific port, which can then support a protocol analyzer.

Pop-up blockers

The nuisance of web pages that automatically appear on top of your current web page can be remedied with - Antivirus - Antispam - Pop-up blockers - Firewalls

three-way handshake

The packet exchange sequence (SYN, SYN/ACK, ACK) that indicates a TCP connection is called the __________________.

b. offsite

The practice of hosting machines, processing, or networks at a site other than your location is referred to as: Select one: a. onsite b. offsite c. centralized d. decentralized

authentication

The process of comparing credentials to those established during the identification process is referred to as _________________.

DHCP

The process that dynamically assigns an IP address to a network device is called:

content protection

The protection of the data portion of a packet is __________________.

context protection

The protection of the header portion of a packet is __________________.

Reduce Crosstalk

The purpose of twisting the wires in twisted-pair circuits is to:

Which of the following correctly defines free space?

The remaining sectors of a previously allocated file that are available for the operating system to use

Data Link Layer

The second layer in the OSI model. The Data Link layer bridges the networking media with the Network layer. Its primary function is to divide the data it receives from the Network layer into frames that can then be transmitted by the Physical layer.

Anonymizing proxy

The security tool that will hide information about the requesting system and make the browsing experience secret is a - Web proxy - Reverse proxy - Anonymizing proxy - Open proxy

Application Layer

The seventh layer of the OSI model. Application layer protocols enable software programs to negotiate formatting, procedural, security, synchronization, and other requirements with the network.

The password associated with a user account

The shadow file of a UNIX system contains:

topology

The shape or arrangement of a network, such as bus, star, ring, or mixed, is known as the _____________________ of the network.

Misuse Detection Model

The simpler of the two IDS models, it looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed to do. It's cheaper and widely used.

Presentation Layer

The sixth layer of the OSI model. Protocols in the Presentation layer translate between the application and the network. Here, data are formatted in a schema that the network can understand, with the format varying according to the type of network used. The Presentation layer also manages data encryption and decryption, such as the scrambling of system passwords.

IEEE 802.11

The standard for wireless local area networks is called __________________.

a. hypervisors

The term "bare-metal" virtualization software refers to which of the following? Select one: a. hypervisors b. virtual switches c. hardware consolidation d. VMMs

Network Layer

The third layer in the OSI model. Protocols in the Network layer translate network addresses into their physical counterparts and decide how to route data from the sender to the receiver.

What are the two main types of IDS signatures?

The two main types of IDS signatures are context-based and content-based. Context-based signatures examine traffic and how that traffic fits into the other traffic around it (example: a port scanner). A content-based signature looks at what is inside the traffic, such as the contents of a specific packet.

What are the two main types of intrusion detection systems?

The two main types of intrusion detection systems are network-based and host-based. Network-based systems monitor network connections for suspicious traffic. Host-based systems reside on an individual system and monitor that system for suspicious or malicious activity.

Mobile Device Management (MDM)

The type of application used to control security across multiple mobile devices in an enterprise is called ___________________.

Which of the following correctly defines slack space?

The unused space on a disk drive when a file is smaller than the allocated unit of storage

Which of the following is NOT an advantage of network-based IDS? - It takes fewer systems to provide IDS coverage. - They can reduce false positive rates. - Development, maintenance, and upgrade costs are usually lower. - Visibility into all network traffic and can correlate attacks among multiple systems.

They can reduce false positive rates.

One of the advantages of HIDS is that - They can reduce false-positive rates - Their signatures are broader - They can examine data before it has been decrypted - They are inexpensive to maintain in the enterprise

They can reduce false-positive rates

IP Spoofing

This may simply consist of forging the source (from) address in an IP packet so it appears to have come from somewhere else. Often used to trick the target machine into believing a packet is coming from a host it trusts, thus getting the target machine to perform some task. Done properly, it may involve sniffing, spoofing, and a DoS attack.

Network Interface Card (NIC)

To connect a computer to a network, you use a(n) _____________________.

Open UDP port 1701

To establish an L2TP connection across a firewall, you must do which of the following?

Open TCP port 1723

To establish a PPTP connection across a firewall, you must do which of the following?

SaaS

To offer software to end users from the cloud is a form of _________________________.

kill

To stop a particular service or program running on a UNIX operating system, you might use the __________________ command.

Network Admission Control (NAC)

To verify that a computer is properly configured to connect to a network, the network can use ________________.

Network Address Translation (NAT) - Translates private (non-routable) IP addresses into public (routable) IP addresses - Translates the IP addresses of one protocol to the IP address of another protocol - Is one of the items in an IP packet header - Translates MAC addresses to IP addresses

Translates private (non-routable) IP addresses into public (routable) IP addresses

The TLS Record Protocol and TLS Handshake Protocol

Transport Layer Security consists of which two protocols?

443

Transport Layer Security for HTTP uses what port to communicate?

Preparation Phase - Incident Types/Categories

Triage = identify what must be prioritized, to include:
-Data integrity
-Downtime
-Economic/publicity
-Scope
-Detection time
-Recovery time
Develop playbooks for dealing with incident types

A protocol analyzer can be used to:

Troubleshoot network problems, Collect network traffic statistics, Monitor for suspicious traffic.

A DMZ acts as a buffer zone between the Internet, where no controls exist, and the inner, secure network, where an organization has security policies in place. True or False

True

A network can logically appear as one topology, but physically match a different topology. True or False

True

A sniffer must use a NIC in promiscuous mode; otherwise it will not see all the network traffic coming into the NIC. True or False

True

Content-based signatures detect character patterns and TCP flag settings. True or False

True

DNS resolves a domain name to an IP address. True or False

True

LAN and WAN networks can be connected. True or False

True

NAT translates private (nonroutable) IP addresses into public (routable) IP addresses. True or False

True

Only active intrusion detection systems (IDS) can aggressively respond to suspicious activity, whereas passive IDS cannot. True or False

True

NIDS is not capable of decrypting encrypted traffic T/F?

True, it CANNOT decrypt encrypted traffic

Encapsulating packets so they can traverse the network in a secure, confidential manner is referred to as - DMZ - Steganography - Tunneling - Layered defense

Tunneling

remote-wiping, screen locking

Two common mobile device security measures are ________________ and ____________________.

Heuristic Scanning

Typically looks for commands or instructions that are not normally found in application programs, such as attempts to access a reserved memory register.

Which transport layer protocol is connectionless? - UDP - TCP - IP - ICMP

UDP

Authentication and UNIX Trusted relationships

UNIX will base its trust decision, using the .rhosts or hosts.equiv files, on the IP address of the connecting system. But.... The IP address (and most other fields) of an IP header can be forged!!!

An RJ-45 connector

UTP cables are terminated for Ethernet using what type of connector?

Mandatory access control (MAC)

Under which access control system is each piece of information and every system resource (files, devices, networks, and so on) labeled with its sensitivity level?

Intrusion detection is a mechanism for detecting:

Unexpected or unauthorized activity on computer systems

A firmware update

Updating the software loaded on a nonvolatile RAM is called:

Approach to vulnerability scanning

Use a port-scanning tool such as nmap to identify the OS and to log all listening ports. This may return something like "Linux Kernel 2.2 with ports 21, 25, 53, 80 listening". What the ports are and what vulnerabilities may exist in them is an exercise left up to the user.

Protocol Analyzers (2/2)

Used by network administrators for:
-Analyzing network problems
-Detecting misconfigured or misbehaving applications
-Gathering and reporting network usage and traffic statistics
-Debugging client/server communications
Requires a NIC capable of promiscuous mode
-Tells the NIC to process every packet that it sees regardless of the intended destination

Internet Content Filter

Used to block employees' viewing of inappropriate or illegal content at the workplace and the subsequent complications that occur when such viewing takes place.

Antivirus Products

Used to identify, neutralize, or remove malicious programs, macros, and files. Scanning approaches:
-Signature-based scanning
-Heuristic scanning

Ping Sweep

Using PING, attackers can send an ICMP echo request to every address within a range to determine which systems are "up and running". Every system that is up will respond with an echo reply, providing a list of potential targets.

multiple-factor authentication

Using a token, fingerprint reader, and PIN keypad would be an example of ______________________.

A logical implementation of a LAN that allows computers connected to different physical networks to act and communicate as if they were on the same physical network is referred to as a - DMZ - VLAN - Extranet - Tunnel

VLAN

c. Mac OS X

VMware Fusion is a popular virtual machine manager for which operating system? Select one: a. Windows 7 b. Linux c. Mac OS X d. Solaris

c. 32

VMware's ESX server can support up to how many CPUs, depending upon the version? Select one: a. 64 b. 8 c. 32 d. 4

Common components of vulnerability scanning

Vulnerability data - information about known vulnerabilities; how knowledgeable is the tool?
Scanning mechanism - the "guts" of the scanner; how accurate is the tool?
Reporting mechanism - interface with the user

Wireless Transport Layer Security (WTLS)

WAP uses the ____________________ protocol to attempt to ensure confidentiality of data.

RC4

WEP has used an implementation of which of the following encryption algorithms?

Message Authentication codes

WTLS ensures integrity through what device?

Passive HIDS

Watches activity, analyzes it, and generates an alarm

Context-based and content-based

What are the two main types of IDS signatures?

Network-based and host-based

What are the two main types of intrusion detection systems?

Honeypot

What device would you use to attract potential attacks, so that you could safely monitor the activity and discover the intentions of the attacker? - Firewall - Antivirus - IDS - Honeypot

A single system

What does a host-based IDS monitor? - A single system - Networks - Physical intrusions into facilities - A system and all its surrounding systems

Mobile device carrier selection

What element does not belong in a mobile device security policy in an enterprise employing BYOD?

Network Access Protection

What feature in Windows Server 2008 controls access to network resources based on a client computer's identity and compliance with corporate governance policy?

the physical layer

What is Layer 1 of the OSI model called?

Loss or theft of the token

What is a common threat to token-based access controls?

a. guest

What is another term for a virtual machine? Select one: a. guest b. environment c. host d. emulator

Sending an unsolicited message via Bluetooth

What is bluejacking?

Keep Bluetooth discoverability off

What is the best way to avoid problems with Bluetooth?

The first step in addressing password issues is to create an effective and manageable password policy that both system administrators and users can work with.

What is the first step in addressing issues with passwords? - The first step in addressing password issues is to create an effective and manageable password policy that both system administrators and users can work with. - The first step in addressing password issues is to find a systematic, alpha-numeric combination and then assign passwords, so that both system administrators and users can tell which department is using what system. - The first step in addressing password issues is to see how many passwords are required. - The first step in addressing password issues is to see how many accounts can use the same password.

key

What is the most common example of an access token?

DNS

What is the name of the protocol that translates names into IP addresses?

Baselining

What is the process of establishing a system's security state called? - Hardening - Baselining - Securing - Controlling

defines services to manage heterogeneous PKI operations via XML

What is the purpose of XKMS?

It binds an individual identity to a public key

What is the purpose of a digital certificate?

b. virtual reality

What is the term for an environment created by software, with sight and sound provided by video and audio equipment, primarily used for gaming and simulation? Select one: a. hypervisor b. virtual reality c. sandbox d. virtual machine

SYN, SYN/ACK, ACK

What is the three-way handshake sequence used to initiate TCP connections?

Enable port mirroring.

What must you do in order to sniff the traffic on all ports on a switch? - Nothing; you can see all the traffic on a switch by default. - Nothing; a switch does not allow you do see all traffic. - Enable port mirroring. - Run a cable to each port.

UDP

What protocol is used for RADIUS?

The user's software creates a message digest for the digital certificate and decrypts the encrypted message included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated.

What steps does a user's software take to validate a CA's digital signature on a digital certificate?

buffer overflow

When a user or process supplies more data than was expected, a(n) _____________________ may occur.

The user submits a certificate request to the RA.

When a user wants to participate in PKI, what component does he/she need to obtain, and how does that happen?

false positive

When an IDS generates an alarm on "normal" traffic that is actually not malicious or suspicious, that alarm is called a(n) _____________________.

True

When hardening Mac OS X, the same guidelines for all UNIX systems apply. True or False

pkgparam

Which UNIX command can be used to show the patches that are installed for a specific software package? - pkglist - pkgparam - pkgqury - pkgdump

chmod

Which UNIX command would you use to change permissions associated with a file or directory? - chmod - chown - chgrp - chng

Analysis engine

Which component of an IDS examines the collected network traffic and compares it to known patterns of suspicious or malicious activity? - Traffic collector - Analysis engine - Signature database - Examination collector

b. virtual switches

Which of the following allows all VMs to communicate with each other, the host, and the network? Select one: a. hypervisors b. virtual switches c. Virtual Machine Manager d. Virtual PBX

d. research and testing and system recovery

Which of the following are important reasons to implement virtualization? Select one: a. system installation and system recovery b. system recovery and system installation c. hardware increases and system installation d. research and testing and system recovery

b. virtualization

Which of the following creates a complete environment for a guest operating system to function as though that operating system were installed on its own computer? Select one: a. translation b. virtualization c. emulation d. polyinstantiation

Runs on the local system. Does not interact with the traffic around it. Can look at system event and error logs.

Which of the following describes a passive, host-based IDS?

d. emulator

Which of the following describes software or hardware that converts the commands to and from the host machine into an entirely different platform? Select one: a. hypervisor b. Virtual Machine Manager c. supervisor d. emulator

Modify

Which of the following is NOT a UNIX file permission? - Read - Write - Modify - Execute

Expert knowledge database

Which of the following is NOT a component of an IDS? - Traffic collector - Signature database - Expert knowledge database - User interface and reporting

Maintaining SNMP community strings

Which of the following is NOT a general step in securing a networking device? - Choosing good passwords - Password-protecting the console - Maintaining SNMP community strings - Turning off unnecessary services

c. Network as a Service

Which of the following is a cloud service offering virtualized networks, servers, and services? Select one: a. Software as a Service b. virtual machine c. Network as a Service d. Virtualization as a Service

ICMP

Which of the following is a control and information protocol used by network devices to determine such things as a remote network's availability and the length of time required to reach a remote network?

ISO/IEC 27002

Which of the following is a detailed standard for creating and implementing security policies?

Common Criteria

Which of the following is a joint set of security processes and standards used by approved laboratories to award an Evaluation Assurance Level (EAL) from EAL1 to EAL7?

S/MIME

Which of the following is a secure e-mail standard?

c. dedicated bridging

Which of the following is a type of virtual switching that gives every VM its own physical NIC? Select one: a. NAT b. routing c. dedicated bridging d. virtual bridging

c. Parallels

Which of the following is a virtual machine manager for Mac OS X? Select one: a. VirtualPC b. Hyper-V c. Parallels d. ESX

c. KVM

Which of the following is an open-source virtual machine manager developed by Red Hat? Select one: a. Virtual Box b. Xen c. KVM d. Virtual PC

Can decrypt and read encrypted traffic

Which of the following is not a capability of network-based IDS?

Password selection

Which of the following is one of those critical activities that is often neglected as part of a good security baseline? - Password selection - Hardening the OS - Securing the firewall - Hardening applications

Kill

Which of the following is the command to stop a service in UNIX? - Stop - Kill - End - Finish

d. POST

Which of the following is the first step a virtual machine takes when it is powered on? Select one: a. snapshot b. instant-on c. dedicated bridging d. POST

d. RAM

Which of the following is the most limiting factor in a host's ability to run virtual machines? Select one: a. network bandwidth b. CPU c. hard disk space d. RAM

They control who can access the registry and how it can be accessed.

Which of the following is true of the registry permissions area settings in security templates? - They control who should be allowed to join or be part of certain groups. - They are for services that run on the system. - They control who can access the registry and how it can be accessed. - They are settings that apply to files and folders, such as permission inheritance.

An Attribute Certificate

Which of the following is used to grant permissions using rule-based, role-based, and rank-based access controls?

a. Microsoft Windows

Which of the following operating systems, when added as a virtual machine, requires a separate, licensed copy? Select one: a. Microsoft Windows b. OpenBSD c. Ubuntu Linux d. FreeDOS

A framework that does not specify any technologies but provides a foundation for confidentiality, integrity, and availability services

Which of the following properly describes what a public key infrastructure (PKI) actually is?

ISAKMP

Which of the following provides a method for implementing a key exchange protocol?

c. virtual machine manager (VMM)

Which of the following requires an underlying operating system in order to create and manage virtual machines? Select one: a. Virtual PBX b. Virtual Switch c. virtual machine manager (VMM) d. hypervisor

b. snapshot

Which of the following terms describe a point-in-time backup of a virtual machine? Select one: a. full backup b. snapshot c. differential backup d. system state backup

00:07:e9:7c:c8:aa

Which of the following would be a valid MAC address?

Shoulder-to-waist geometry

Which one is not commonly used as a biometric?

NAT

Which protocol translates private (nonroutable) IP addresses into public (routable) IP addresses?

Possible information from scanning

Which systems are active; what services are available/listening; what operating system is in use; which version of an application is running; which users have an account on the system and which are active; what the security configuration/settings are; whether certain patches have been installed; information about specific vulnerabilities; possibly whether a specific exploit will be successful.

False

While NIDS are able to detect activities such as port scans and brute force attacks, it is unable to detect tunneling. True or False

It is broadcast in every beacon frame

While the SSID provides some measure of authentication, why is it not very effective?

They can bring malicious code past other security mechanisms

Why can USB flash drives be a threat?

Sabotage of the AC unit would make the computers overheat and shut down.

Why is HVAC important to computer security?

It's easy

Why is attacking wireless networks so popular?

If enrollment is not done carefully, false positives will increase.

Why is enrollment important to biometrics?

Because physical access defeats nearly all network security measures.

Why is physical security so important to good network security?

They are the eyes and ears of the corporation when it comes to security.

Why should security guards get cross-training in network security?

To make sure all data encryption keys are available for the company if and when it needs them

Why would a company implement a key archiving and recovery system within the organization?

If the private key had been compromised.

Why would a digital certificate be added to a certificate revocation list (CRL)?

Spam filtering

Windows Defender does all of the following EXCEPT: - Spyware detection and removal - Real-time malware protection - Spam filtering - Examine programs running on your computer

False

Windows Defender is new, personal firewall software included in Vista. True or False

All users and devices within an environment trust the CA, which allows them to indirectly trust each other.

Within a PKI environment, where does the majority of the trust actually lie?

analysis engine

Within an IDS, the _________________ examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database.

Created

XKMS allows certificated to be all of the following except:

Internet content filter

Your boss is concerned about employees viewing inappropriate or illegal web sites in the workplace. Which device would be the best at addressing this concern? - Antivirus - Firewall - Protocol analyzer - Internet content filter

An active HIDS

Your boss would like you to implement a network device that will monitor traffic and turn off processes and reconfigure permissions as necessary. To do this you would use - A firewall - A sniffer - A passive HIDS - An active HIDS

Personal firewalls

Zone Alarm, Windows ICF, and iptables are all examples of - Antivirus - Antispyware - Antispam - Personal firewalls

Application Layer Proxies

[Firewall Related] Examines the content of the traffic as well as the ports and IP addresses. For example, an application layer has the ability to look inside a user's web traffic, detect a malicious website attempting to download malware to the user's system, and block the malware.

Stateful Packet Filtering

[Firewall Related] Looks at each packet entering or leaving, but it can examine the packet in its relation to other packets. Stateful firewalls keep track of network connections and can apply slightly different rule sets based on whether the packet is part of an established session or not.

Access Control Lists (ACLs)

[Firewall Related] Simple rule sets that are applied to port numbers and IP addresses. They can be configured for inbound and outbound traffic and are most commonly used on routers and switches.

Basic Packet Filtering

[Firewall Related] looks at each packet entering or leaving the network and then either accepts the packet or rejects the packet based on user-defined rules. Each packet is examined separately.

IPSEC

_____________ is a protocol used to secure IP packets during transmission across a network. It offers authentication, integrity, and confidentiality services. It uses Authentication Headers (AHs) and Encapsulating Security Payload (ESP) to accomplish this functionality.

Baselining

______________ is the process of establishing a system's security state.

network segmentation

______________ is the use of the network architecture to limit communication between devices.

key escrow

________________ is the process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises.

port mirroring

_________________ allows administrators to send all traffic passing through a network switch to a specific port on the switch.

run levels

__________________ are used to describe the state of init and what system services are operating in UNIX systems.

mandatory access control (MAC)

__________________ describes a system where every resource has access rules set for all of the time.

X.509

__________________ is a format that has been adopted to standardize digital certificates.

context-based signatures

__________________ is a technique to match an element against a large set of patterns and use activity as a screening element.

workstation

____________________ is a name for the typical computer a user uses on a network.

single sign-on (SSO)

_____________________ is an authentication process where the user can enter their user ID (or username) and password and then be able to move from application to application or resource to resource without having to supply further authentication information.

ISAKMP

______________________ is a key management and exchange protocol used with IPsec.

CCTV

_______________________ is a system where the camera and monitor are directly linked.

Suricata

________________________ is a new entry in the IDS toolset as a replacement for Snort.

Pretty Good Privacy (PGP)

________________________ is a popular encryption program that has the ability to encrypt and digitally sign e-mail and files.

role-based access control (RBAC)

_________________________ is designed around the type of tasks people perform.

Kerberos

__________________________ is an authentication model designed around the concept of using tickets for accessing objects.

USB devices

___________________________ include MP3 players and flash drives.

Network Address Translation (NAT)

___________________________ is the protocol that allows the use of private, internal IP addresses for internal traffic and public IP addresses for external traffic.

LiveCD

___________________________ prevent an attacker from making the machine boot off the DVD drive.

layered access

____________________________ forces a user to authenticate again when entering a more secure area.

biometrics

____________________________ is the measurement of unique biological properties, like the fingerprint.

geo-tagging

_____________________________ is a feature that can disclose a user's position when sharing photos.

Bridge

a circuit consisting of two branches (4 arms arranged in a diamond configuration) across which a meter is connected

Cable

a conductor for transmitting electrical or optical signals or electric power

Router

a device that forwards data packets between computer networks

Honeynet

a group of honeypots

IP Address

a number that uniquely identifies each computer or device connected to the internet

Packet

a small segment of data that is bundled for sending over transmission media. Each packet contains the address of the computer or peripheral device to which it is being sent

MAC Address

also called physical address. a permanent address given to each network interface card (NIC) at the factory

IPv6

an Internet layer protocol that uses 128-bit addresses and is gradually replacing IPv4

7. Within an IDS, the ______ examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database

analysis engine

5. An IDS that looks for unusual or unexpected behavior is using a(n)______

anomaly detection model

An IDS that looks for unusual or unexpected behavior is using an _______________.

anomaly detection model

8. Preventative intrusion detection systems:

are designed to stop malicious activity from occurring

Fragmentation Scanning -

break scan up into several smaller packets. This may result in being able to hide the scan from firewalls and IDS

Non-Technical Spoofing: Social engineering

call target and pretend to be somebody else (e.g. call help desk as new user)

4. Which of the following is not a capability of network based IDS?

can decrypt and read encrypted traffic

4. A(n)_______ Looks at certain strings of characters inside a TCP packet.

content based signature

A _____________________ looks at a certain string of characters inside a TCP packet.

content-based signatures

9. ___________is a technique to match an element against a large set of patterns and use activity as a screening element.

context based signature

Switch

control consisting of a mechanical or electrical or electronic device for making or breaking or changing the connections in a circuit

A ________________ is used when independent CAs establish peer to peer trust relationships.

cross-certification certificate

RFC 793

defines how TCP will react to FIN, ACK, and SYN packets.

Vulnerability Scanners: Freeware scanners:

developed and released "in the community"

Vulnerability Scanners: Commercial scanners:

developed and sold by companies (e.g. ISS and Cisco). Due to development time, often lag freeware scanners

Non-Technical Spoofing: reverse social engineering

generally harder to accomplish. Get somebody to call you (e.g. send target users a post card congratulating them on purchase of new computer, promise them 5 hours of free tech support and provide them a number—yours—to call)

3. An attacker scanning a network full of inviting, seemingly vulnerable targets might actually be scanning a(n)______ where the attacker's every move can be watched and monitored by security administrators.

honeypot

An attacker scanning a network full of inviting, seemingly vulnerable targets might actually be scanning a ____________ where the attacker's every move can be watched and monitored by security administrators.

honeypot

_____________________ is the process of giving keys to a third party so that they can decrypt and read sensitive information if the need arises

key escrow

A ________ is a network typically smaller in terms of size and geographic coverage and consist of two or more connected devices. Home or office networks are typically classified as this type of network. - local area network - office area network - wide area network - internal area network

local area network

Vulnerability Scanners: General-purpose scanners:

look for a wide range of vulnerabilities on a large number of operating systems and applications. Often used in a security audit

Recognize Scanning: firewall and router logs

look for multiple rejections or access violations coming from the same source or group of sources

Honeypots are based on the concept of:

luring attackers away from legitimate systems by presenting more tempting or interesting systems that, in most cases, appear to be easy targets

Recognize Scanning: intrusion detection systems

most IDS contain built-in methods for examining traffic to detect scanning attempts

8. _________ is a technique where a host is queried and identified based on its response to a query.

network tap

Guessing the sequence number: non-binding spoof

no problem as you can see the responses.

UDP Scanning -

often more difficult than TCP since UDP services will not respond. If an ICMP "port unreachable" message is received, however, it is an indication the service is NOT running. If the message is NOT received...

In a ___________________, one CA is not subordinate to another CA, and no established trust anchor between CAs is involved.

peer to peer trust model

6. ____________allows administrators to send all traffic passing through a network switch to a specific port on the switch.

port mirroring

Port Scanner

Program that checks a computer's TCP/IP stack for ports that are in the LISTEN state. There are 65,535 possible ports: 1-1023 are considered "well known", 1024-49151 are called "registered ports", and 49152-65,535 are dynamic or private ports.

1. A(n) ______ is a piece of software or an integrated software/hardware system that can capture and decode network traffic.

protocol analyzer

Decoy scanning -

send a large number of spoofed packets along with your real one so they hide the real scan.

Relay or bounce scanning -

send scan through another system (proxy or forwarding gateway), may confuse/hide origin of attack

10. ____________ is a new entry in the IDS tool-set as a replacement for snort.

suricata

blinding spoof

the target's responses can not be observed.

RFC 793: state is LISTEN

then first check for an RST. An incoming RST should be ignored. Second, check for an ACK. Any acknowledgment is bad if it arrives on a connection still in the LISTEN state. An acceptable reset segment should be formed for any arriving ACK-bearing segment. Third, check for a SYN. If the SYN bit is set, check the security. If the security/compartment on the incoming segment does not exactly match the security/compartment in the TCB, then send a reset and return.

sequence numbers

used to acknowledge receipt of data

Trusted relationship in UNIX: .rhost file

used to establish a trusted relationship between machines. Used by rlogin, rsh, and rcp to determine which remote hosts and users are considered "trusted" and are allowed to access the host without supplying a password. rlogin (remote login), rsh (remote shell), rcp (remote copy)

.rhost example (one entry per line):
system2
system4
system5 user2
system2 user5

user1 could log in from system2 as user1; user1 could log in from system4 as user1; user1 could log in from system5 as user2; user1 could also log in from system2 as user5.

Vulnerability Scanners: Application scanners:

written to examine a specific application for vulnerabilities associated with it.

Vulnerability Scanners: Specific vulnerability scanners:

written to only check for a specific vulnerability.

Network Interface Card

A Network Interface Card (NIC) is an interface fitted inside a personal computer or network terminal which allows it to communicate with other machines over a network. The card technology will vary according to the network used, but every card on a network must have some way of uniquely identifying itself and some means of converting the signals from the computer to a form which can be transmitted over the connection.

Patch

A _________ is a more formal, large software update that may address several or many software problems. - Script - Log - Hotfix - Patch

5. An active IDS can:

A and B. respond to attacks with TCP resets. Monitor for malicious activity.

Signature Database

A collection of activity patterns that have already been identified and categorized and that typically indicate suspicious or malicious activity.

Signature Database

A collection of patterns and definitions of known suspicious or malicious activity.

Honeynet

A collection of two or more honeypots.

Honeypot

A computer system or portion of a network that has been set up to attract potential intruders, in the hope that they will leave the other systems alone. Since there are no legitimate users of this system, any attempt to access it is an indication of unauthorized activity and provides an easy mechanism to spot attacks.

Network Tap

A connection to a network that allows sampling, duplication, and collection of traffic.

certificate revocation list (CRL)

A digitally signed object that lists all of the current but revoked certificates issued by a given certificate authority is called the __________________. It allows users to verify whether a certificate is currently valid even if the expiration date hasn't passed.

mantrap

A door system is designed to only allow a single person through is called a(n) _____________________.

b. Virtual PBX

A form of virtualization that eliminates telephone switching hardware is called a: Select one: a. POTS b. Virtual PBX c. ISDN d. VoIP

security association (SA)

A formal manner of describing the necessary and sufficient portions of the IPsec protocol series to achieve a specific level of protection is a(n) __________________.

Network Tap

A hardware device that can be placed inline on a network connection and that will copy traffic passing through the tap to a second set of interfaces on the tap.

Network Tap

A hardware device that can be placed inline on a network connection and that will copy traffic passing through the tap to a second set of interfaces on the tap. -Often used to sniff traffic passing b/w devices at the network perimeter.

Trusted relationship in UNIX: file consist of

A host name, indicating that this user is trusted when accessing the system from the specified host, or A host name followed by a login name, which indicates that the listed login name is trusted when accessing the system from the specified host

Access Control Lists (ACLs)

A list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has—what they can do to the object (such as read, write, or execute).

False positives

A match generates a response for benign traffic

Port Mirroring

A method of monitoring network traffic. When enabled, the switch sends a copy of all network packets seen on one port.

Network Address Translation (NAT)

A method of readdressing packets in a network at a gateway point to enable the use of local nonroutable IP addresses over a public network such as the Internet.

Hub

A network device used to connect several computers to a network. Commonly used in a twisted-pair LAN. A cable runs from each computer's NIC to the hub. The hub is often connected to a router.

Firewall

A network device used to segregate traffic based on rules.

Honeynet

A network version of a honeypot, or a set of honeypots networked together

What is not a capability of network-based IDS?

A network-based IDS typically cannot decrypt and read encrypted traffic. This is one of the principal weaknesses of network-based intrusion detection systems.

HIPS

A new breed of IDS that is designed to identify and prevent malicious activity from harming a system. - Dynamic IDS - Preventive IDS - Active IDS - HIPS

datagram

A packet in an IP network is sometimes called a(n) __________________.

Describes a passive, host-based IDS?

A passive, host-based IDS runs on the local system, cannot interfere with traffic or activity on that system, and would have access to local system logs.

hardware security model (HSM)

A physical device that safeguards cryptographic keys is called a(n) ________________.

Monitor for suspicious traffic

A protocol analyzer can be used to:

Wireless Application Protocol (WAP)

A protocol for transmitting data to small handheld devices like cellular phones is the _________________.

A security association

A relationship where two or more entities define how they will communicate securely is known as what?

Intrusion Detection System (IDS)

A security system that detects inappropriate or malicious activity on a computer or network.

A signature database contains a list of the contents of the IP packet header's signature block, for every type of packet the IDS monitors.

False

A signature database contains a list of the contents of the IP packet header's signature block, for every type of packet the IDS monitors. True or False

What does a host-based IDS monitor? - A single system - Networks - Physical intrusions into facilities - A system and all its surrounding systems

A single system

Hotfix

A small software update designed to address an urgent or specific problem is called a:

Local Area Network (LAN)

A small, typically local network covering a relatively small area such as a single floor of an office building is called a(n) ____________________________.

True

A sniffer must use a NIC in promiscuous mode; otherwise it will not see all the network traffic coming into the NIC. True or False

IDSs can be host-base, examining only the activity applicable to:

A specific system, or network-based, examining network traffic for a large number of systems

Multilayer Switch

A switch that has functions that operate at multiple layers of the OSI seven-layer model.

Port Mirroring / Switched Port Analyzer (SPAN)

A system designed to see all traffic passing through a switch or a specific VLAN(s), or all the traffic passing through other specific switch ports. The traffic is copied to a specific port, which can then support a protocol analyzer.

Network-Based IDS (NIDS)

A system for examining network traffic to identify suspicious, malicious, or undesirable behavior.

Honeypot (digital sandbox)

A system or group of systems designed to attract an attacker's attention -Allows the attacker's methods to be observed without putting real systems at risk -Activity recorded for later analysis -Affords information and additional security but requires significant cost and effort to maintain

Host-Based IDS (HIDS)

A system that looks for computer intrusions by monitoring activity on one or more individual PCs or servers

Intrusion Prevention System (IPS)

A system to identify suspicious, malicious, or undesirable activity that indicates a breach in computer security and respond automatically without specific human interaction

Intrusion Detection System (IDS)

A system to identify suspicious, malicious, or undesirable activity that indicates a breach in computer security.

Internet Content Filter

A system to protect companies or institutions from their users viewing inappropriate or illegal content.

a. bridging

A technique that gives each virtual NIC a connection to a physical NIC is called: Select one: a. bridging b. NAT c. routing d. switching

Banner grabbing

A technique used to gather information from a service that publicizes information via a banner.

Port mirroring

A technique where a mirrored port will see all the traffic passing through the switch or through a specific VLAN(s), or all the traffic passing through other specific switch ports. The network traffic is essentially copied (or mirrored) to a specific port, which can then support a protocol analyzer.

Perimeter security

A technique where more and more companies operate their computer security like a castle or military base, with attention and effort focused on securing and controlling the ways in and out—the idea being that if you could restrict and control access at the perimeter, you didn't have to worry as much about activity inside the organization.

Frame

A term referring to a data-link header and trailer, plus the data encapsulated between the header and trailer.

Kerberos

A ticket-granting server is an important element in which of the following authentication models?

Protocol Analyzer

A tool used by network personnel to identify packets and header information during network transit. The primary use is in troubleshooting network communication issues.

d. set of files

A virtual machine that is not powered on is stored as a: Select one: a. hard drive b. process in RAM c. snapshot d. set of files

certificate signing request (CSR)

A(n) ____________ is the actual request to a CA containing a public key and the requisite information needed to generate a certificate.

public key infrastructure (PKI)

A(n) ______________ is a structure that provides all of the necessary components for different types of users and entities to be able to communicate securely and in a predictable manner.

cross-certificate certificate

A(n) ______________ is used when independent CAs establish peer-to-peer trust relationships.

Hot fix

A(n) _______________ is a small software update designed to address a specific, often urgent, problem.

certificate authority (CA)

A(n) _______________ is an entity that is responsible for issuing and revoking certificates. This term is also applied to server software that provides these services.

security template

A(n) ________________ is a collection of security settings that can be applied to a system.

certificate recovery

A(n) ________________ is a holding place for individuals' certificates and public keys that are participating in a particular PKI environment.

protocol analyzer

A(n) ________________ is a piece of software or an integrated software/hardware system that can capture and decode network traffic.

content-based signatures

A(n) __________________ looks at a certain string of characters inside of a TCP packet.

hub

A(n) ___________________ repeats all data traffic across all connected ports.

service pack

A(n) ____________________ is a bundled set of software updates, fixes, and additional functions contained in a self-installing package.

network

A(n) _____________________ is a group of two or more devices linked together to share data.

subnet mask

A(n) _____________________ tells you what portion of a 32-bit IP address is being used as the network ID and what portion is being used as the host ID.

Private Branch Exchange (PBX)

A(n) ________________________ is an extension of the telephone service into a firm's telecommunications network.

false positive

A(n) _________________________ happens when an unauthorized user is allowed access.

protocol

A(n) __________________________ is an agreed-upon format for exchanging information between systems.

bridge/router

A(n) ___________________________ or _________________________ distributes traffic based on MAC addresses.

router

A(n) ____________________________ routes packets based on IP addresses.

How can users have faith that the CRL was not modified to present incorrect information? A) The CRL is digitally signed by the CA. B) The CRL is encrypted by the CA. C) The CRL is open for anyone to post certificate information to. D) The CRL is accessible only to the CA.

A) The CRL is digitally signed by the CA.

How does a user validate a digital certificate that is received from another user? A) The user first sees whether her system has been configured to trust the CA that digitally signed the other user's certificate and then validates that CA's digital signature. B) The user calculates a message digest and compares it to the one attached to the message. C) The user first sees whether her system has been configured to trust the CA that digitally signed the certificate and then validates the public key that is embedded within the certificate. D) The user validates the sender's digital signature on the message.

A) The user first sees whether her system has been configured to trust the CA that digitally signed the other user's certificate and then validates that CA's digital signature.

What steps does a user's software take to validate a CA's digital signature on a digital certificate? A) The user's software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated. B) The user's software creates a message digest for the digital signature and encrypts the message digest included within the digital certificate. If the encryption performs properly and the message digest values are the same, the certificate is validated. C) The user's software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the user can encrypt the message digest properly with the CA's private key and the message digest values are the same, the certificate is validated. D) The user's software creates a message digest for the digital signature and encrypts the message digest with its private key. If the decryption performs properly and the message digest values are the same, the certificate is validated.

A) The user's software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated.

Why would a company implement a key archiving and recovery system within the organization? A) To make sure all data encryption keys are available for the company if and when it needs them B) To make sure all digital signature keys are available for the company if and when it needs them C) To create session keys for users to be able to access when they need to encrypt bulk data D) To back up the RA's private key for retrieval purposes

A) To make sure all data encryption keys are available for the company if and when it needs them

Which protocol is responsible for resolving an IP address to a MAC address? - DNS - ARP - RARP - ICMP

ARP

Which protocol is based on transferring data in fixed-size packets? (The fixed packet sizes help ensure that no single data type monopolizes the available bandwidth.) - AppleTalk - ATM - FDDI - Token Ring

ATM

Simple rule sets that are applied to port number and IP addresses are called - Network address translation - Stateful packet filtering - Access control lists - Basic packet filtering

Access control lists

Less than two hours

According to SANS Internet Storm Center, the average survival time of an unpatched Windows PC on the Internet is - Less than two minutes - Less than two hours - Less than two days - Less than two weeks

Which of the following correctly describes the chain of custody for evidence?

Accounts for all persons who handled or had access to a specific item of evidence

Incident

Act of violating an explicit or implied security policy

False

Adding more services and applications to a system helps to harden it. True or False

Creates and administers the security policies, creates and manages domains, and connects to the managers.

Administrator

Monitors events and can perform actions within the parameters of the predefined security policies.

Agent

What are the four components of intruder alert?

Agent, Manager, Event Viewer, Administrator

A protocol analyzer can be used to: A) Troubleshoot network problems B) Collect network traffic statistics C) Monitor for suspicious traffic D) All of the above

All of the above

3. Which of the following describes a passive, host-based IDS?

All of the above. Runs on local systems, does not interact with traffic, can look at system event and error logs.

10. A protocol analyzer can be used to:

All of the above. Troubleshoot network problems; collect network traffic statistics; monitor for suspicious traffic.

a. development testing

All of the following are advantages to using virtualization in research and testing environments EXCEPT Select one: a. development testing b. security testing c. product testing d. hardware testing

b. requires Windows Server 2008

All of the following are characteristics of Hyper-V EXCEPT: Select one: a. simple to use b. requires Windows Server 2008 c. available for free d. Microsoft product

c. requires Linux host OS

All of the following are characteristics of VMware's ESX Server EXCEPT: Select one: a. ability to move running VMs b. automatic fault tolerance c. requires Linux host OS d. support for large storage

a. Virtual PC

All of the following are examples of hypervisors EXCEPT: Select one: a. Virtual PC b. ESX c. Oracle VM Server d. Hyper-V

c. Snes9X

All of the following are virtual machine managers EXCEPT: Select one: a. VMware Workstation b. KVM c. Snes9X d. Microsoft Virtual PC

Pop-UP Blocker

Allows users to restrict or prevent pop-ups with functionality.

Preparation Phase - Cyber Incident Response Team (*CIRT*)

Also referred to as Cyber Security Incident Response Team (*CSIRT*). Technical skills: junior and senior staff. Management and decision-making authority.

beacon frame

An AP uses ____________________________ to advertise its existence to potential wireless clients.

False Negative

An IDS is also limited by its signature set: it can match only activity for which it has stored patterns. Hostile activity that does not match an IDS signature and therefore goes undetected. In this case, the IDS is not generating any alarms, even though it should be, giving a false sense of security.

Misuse detection model

An IDS model where the IDS looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed to do. This reaction can be an alarm, e-mail, router reconfiguration, or TCP reset message.

anomaly detection model

An IDS that looks for unusual or unexpected behavior is using a(n) _______________________.

Public IP Address

An IP address available to the Internet.

Private IP Address

An IP address that is used on a private TCP/IP network that is isolated from the Internet.

Promiscuous Mode

A Network Interface Card (NIC) that accepts and processes every packet regardless of its origin or destination.

Your boss would like you to implement a network device that will monitor traffic and turn off processes and reconfigure permissions as necessary. To do this you would use - A firewall - A sniffer - A passive HIDS - An active HIDS

An active HIDS

What can an active IDS do?

An active IDS can perform all the functions of a passive IDS (monitoring, alerting, reporting, and so on) with the added ability of responding to suspected attacks with capabilities such as sending TCP reset messages to the source and destination IP addresses.

Respond to attacks with TCP resets; monitor for malicious activity

An active IDS can:

c. system duplication

An advantage of virtualization that enables a VM to be replicated is known as: Select one: a. system recovery b. system installation c. system duplication d. system restoration

A network protocol is - An agreed upon format for exchanging or transmitting data between systems - A set of rules that employees must follow to accomplish a specific task - One of the layers of the OSI model - One of the headers in an IP packet

An agreed upon format for exchanging or transmitting data between systems

Which of the following correctly describes a message digest?

An algorithm that applies mathematical operations to a data stream to calculate a unique number based on the information contained in the data stream

honeypot

An attacker scanning a network full of inviting, seemingly vulnerable targets might actually be scanning a(n) ___________________ where the attacker's every move can be watched and monitored by security administrators.

Transport Layer Security (TLS) / Secure Sockets Layer (SSL)

An encryption capability designed to encrypt above the transport layer, enabling secure sessions between hosts, is called _______________.

After administrators have finished patching, securing, and preparing a system

An initial baseline should be performed when? - After every update to a system - Before patches are installed on a system - After administrators have finished patching, securing, and preparing a system - Every 90-120 days, as determined by local policy

Suricata

An open source IDS, begun with grant money from the U.S. government and maintained by the Open Source Security Foundation (OSIF)

Suricata

An open source IDS, begun with grant money from the U.S. government and maintained by the Open Source Security Foundation (OSIF). Suricata has one advantage over Snort: it supports multithreading.

Which component of an IDS examines the collected network traffic and compares it to known patterns of suspicious or malicious activity? - Traffic collector - Analysis engine - Signature database - Examination collector

Analysis engine

Within an IDS, the ______________ examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database.

Analysis engine

The difference between misuse and anomaly IDS models is - Misuse models require knowledge of normal activity, whereas anomaly models don't. - Anomaly models require knowledge of normal activity, whereas misuse models don't. - Anomaly models are based on patterns of suspicious activity. - Anomaly model-based systems suffer from many false negatives

Anomaly models require knowledge of normal activity, whereas misuse models don't.

The security tool that will hide information about the requesting system and make the browsing experience secret is a - Web proxy - Reverse proxy - Anonymizing proxy - Open proxy

Anonymizing proxy

Malicious code detection

Antispam does all of the following EXCEPT: - Blacklisting - Malicious code detection - Language filtering - Trapping

Block network traffic based on policies

Antivirus products do all of the following EXCEPT: - Automated updates - Media scanning - Block network traffic based on policies - Scan e-mail for malicious code and attachments

Which of the following correctly defines the exclusionary rule?

Any evidence collected in violation of the Fourth Amendment is not admissible as evidence

Preventative intrusion detection systems: A) Are cheaper B) Are designed to stop malicious activity from occurring C) Can only monitor activity D) Were the first types of IDS

Are designed to stop malicious activity from occurring

Preventative intrusion detection systems:

Are designed to stop malicious activity from occurring.

Context-based Signature

Are generally more complicated, as they are designed to match large patterns of activity and examine how certain types of activity fit into the other activities going on around them. Ex.: match a potential intruder scanning for open web servers on a specific network; identify a ping flood attack; identify a Nessus scan.

Content-based Signature

Are generally the simplest. They are designed to examine the content of such things as network packets or log entries. Ex.: matching the characters /etc/passwd in a Telnet session.

Digital Sandbox

Artificial environment where attackers can be contained and observed without putting real systems at risk.

IP Spoofing across the Internet

Attacker to TS2: "This is TS1, add user X to your password file." Attacker logs in as user X, and a DoS attack is launched.

IP Spoofing on LAN

Attacker: "This is TS1, please send file A to TS2." TS2 sends to TS1. TS1: "I didn't ask for that??" Attacker uses a sniffer to grab the file; a DoS attack is launched.

Once successful spoofing

Attempt to secure a better connection: modify the password file; modify the hosts.equiv or .rhosts file; shut down the spoofed connection (stop the DoS attack). Now log into the target host using the new account or based on the trusted relationship.

Pop-up Blockers

Attempts to prevent web pages from opening a new tab or window.

6. Honeypots are used to:

Attract attackers by simulating systems with open network services

Honeypots are used to: A) Attract attackers by simulating systems with open network services B) Monitor network usage by employees C) Process alarms from other IDSs D) Attract customers to e-commerce sites

Attract attackers by simulating systems with open network services

Honeypots are used to:

Attract attackers by simulating systems with open network services.

something a user possesses, something a user knows, something measured on the user (fingerprint)

Authentication is typically based upon what?

Preparation Phase - Role-based Responsibilities

Availability of team members: 24/7 response. Also worth considering: members should rotate periodically to preclude the *possibility of infiltration*. Roles beyond technical response: Legal, HR, and Marketing.

A(n) _______ class address supports 65,000 hosts on each of 16,000 networks, and allows three sections of the IP address to be devoted to host addressing. - A - B - C - D

B

WTLS ensures integrity through what device? A. Public key encryption B. Message authentication codes C. Source IP D. Digital signatures

B

What is bluejacking? A. Stealing a person's mobile phone B. Sending an unsolicited message via Bluetooth C. Breaking a WEP key D. Leaving your Bluetooth in discoverable mode

B

What is the best way to avoid problems with Bluetooth? A. Keep personal info off your phone B. Keep Bluetooth discoverability off C. Buy a new phone often D. Encryption

B

Within a PKI environment, where does the majority of the trust actually lie? A) All users and devices within an environment trust the RA, which allows them to indirectly trust each other. B) All users and devices within an environment trust the CA, which allows them to indirectly trust each other. C) All users and devices within an environment trust the CRL, which allows them to indirectly trust each other. D) All users and devices within an environment trust the CPS, which allows them to indirectly trust each other.

B) All users and devices within an environment trust the CA, which allows them to indirectly trust each other.

Why would a digital certificate be added to a certificate revocation list (CRL)? A) If the public key had become compromised in a public repository B) If the private key had become compromised C) If a new employee joined the company and received a new certificate D) If the certificate expired

B) If the private key had become compromised

Once an individual validates another individual's certificate, what is the use of the public key that is extracted from this digital certificate? A) The public key is now available to use to create digital signatures. B) Once an individual validates another individual's certificate, what is the use of the public key that is extracted from this digital certificate? C) The public key is now available to encrypt future digital certificates that need to be validated. D) The user can now encrypt private keys that need to be transmitted securely

B) Once an individual validates another individual's certificate, what is the use of the public key that is extracted from this digital certificate

7. Connecting to a server and sending a request over a known port in an attempt to identify the version of service is an example of :

Banner grabbing

Connecting to a server and sending a request over a known port in an attempt to identify the version of a service is an example of: A) Port sniffing B) Protocol analysis C) Banner grabbing D) TCP reset

Banner grabbing

firewall

Basic packet filtering occurs at the ____________________.

Web Spoofing

Basic web spoofing: register a domain name similar to the target's name. Man-in-the-Middle attacks: the attacker positions himself so all traffic to the target goes through him (e.g., compromise a router). He won't be able to read encrypted traffic, but plenty goes unencrypted. URL rewriting: change URLs on the target to point to the attacker, who then redirects.

Network traffic can also:

Be viewed using network taps, a device for replicating network traffic passing across a physical link

Host-based IPSs can provide:

Better control over specific attacks as the scope of control is limited to a host

Defending against Scanning and its effects

Block ports at your router/firewall. Block ICMP, including echo. Create a DMZ. Use bastion hosts/proxy servers. Use NAT to hide private, internal IP addresses. Remove default/sample materials. Remove unnecessary services. Restrict permissions. Change default headers associated with services. Keep applications and operating systems patched.

Total control over mobile phone

Bluebugging can give an attacker what?

Network components connected to the same cable are often called "the backbone" in which topology? - Star - Bus - Ring - Hybrid

Bus

Bluebugging can give an attacker what? A. All of your contacts B. The ability to send "shock" photos C. Total control over a mobile phone D. A virus

C

WEP has used an implementation of which of the following encryption algorithms? A. SHA B. ElGamal C. RC4 D. Triple-DES

C

While the SSID provides some measure of authentication, why is it not very effective? A. It is dictated by the manufacturer of the access point. B. It is encrypted. C. It is broadcast in every beacon frame. D. SSID is not an authentication function.

C

Why is attacking wireless networks so popular? A. There are more wireless networks than wired. B. They all run Windows. C. It's easy. D. It's more difficult and more prestigious than other network attacks.

C

When a user wants to participate in a PKI, what component does he or she need to obtain, and how does that happen? A) The user submits a certificate request to the CA. B) The user submits a key pair request to the CRL. C) The user submits a certificate request to the RA. D) The user submits proof of identification to the CA.

C) The user submits a certificate request to the RA.

Connecting to a server and sending a request over a known port in an attempt to identify the version of a service is known as an example of: a. Port Sniffing b. Protocol Analysis c. Banner Grabbing d. TCP Reset

C. Banner Grabbing

An active IDS can : a. Respond to attacks with TCP resets b. Monitor for malicious activity c. A and B d. None

C. a and b

Proxy Server

Can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile web sites.

Advantages of HIDS 1. operating system 2. false-positive 3. decrypted 4. application 5. alarm

Can be very o______ s_____-specific Can reduce f____-p______ rates Can examine data after it has been d______ Can be very a_______ specific Can determine how an a____ will impact a system

Which of the following is not a capability of network-based IDS? A) Can detect denial-of-service attacks B) Can decrypt and read encrypted traffic C) Can decode UDP and TCP packets D) Can be tuned to a particular network environment

Can decrypt and read encrypted traffic

Ping Sweep useful

Can still be effective for insiders or attackers who have been able to penetrate at least one system

Protocol analyzers, often called sniffers, are tools that:

Capture and decode network traffic

Unshielded Twisted-Pair (UTP)

Cat 5 is an example of _______________________ cable.

The _________________ is the trusted authority for certifying individuals' identities and creating an electronic document indicating that individuals are who they say they are.

Certificate Authority

A _____________________ is a holding place for the certificates and public keys of individuals that are participating in a particular PKI environment.

Certificate Repositories

A _____________________ is the actual service that issues certificates based on the data provided during the initial registration process.

Certificate server

A ___________________ is the actual request to a CA containing a public key and the requisite information needed to generate a certificate.

Certificate signing request

CIDR

Classless Inter-Domain Routing: a method for assigning IP addresses represented as A.B.C.D/n, where "/n" is called the IP prefix or network prefix.

3-way handshake

Client sends a TCP packet with an initial sequence number. Server responds with its own sequence number and an acknowledgement (ACK). The client acknowledges receipt by sending a packet with the server's number plus one.

one

Coaxial cable carries how many physical channels?

Traffic Collector

Collects activity/events for the IDS to examine. On a HIDS this could be log files, audit logs, or traffic coming to or leaving a specific system. On a NIDS this is typically a mechanism for copying traffic off the network link, basically functioning as a sniffer.

Traffic Collector (or sensor)

Collects activity/events for the IDS to examine. On a HIDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a NIDS, this is typically a mechanism for copying traffic off the network link- functioning like a sniffer. This component is often referred to as a sensor.

Traffic Collector

Collects activity/events for the IDS to examine. On a HIDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a NIDS, this is typically a mechanism for copying traffic off the network link, basically functioning as a sniffer.

Heuristic scanning looks for:

Commands or instructions that are not normally found in application programs.

Which of the following is a benefit that Network Address Translation (NAT) provides - Compensates for the lack of IP addresses - Allows devices using two different protocols to communicate - It creates a DMZ - Translates MAC addresses to IP addresses

Compensates for the lack of IP addresses

Perimeter Security

Computer security like a castle or military base, with attention and effort focused on securing and controlling the ways in and out.

Encryption Devices

Computers or specialized adapters inserted into other devices, such as routers or servers, that perform encryption.

Banner grabbing

Connecting to a server and sending a request over a known port in an attempt to identify the version of a service is an example of:

Guessing the sequence number: binding spoof

Contact the target and attempt several connections. The target will respond with a sequence number for each. Analyze the responses to determine the pattern the target uses for incrementing.

IDSs match patterns known as signatures that can be:

Content- or context-based. Some IDSs are model-based and alert an administrator when activity does not match normal patterns (anomaly-based) or when it matches known suspicious or malicious patterns (misuse detection)

True

Content-based signatures detect character patterns and TCP flag settings. True or False

2. What are the two main types of IDS signatures?

Context-based and content-based

What are the two main types of IDS signatures? A) Network-based and file-based B) Context-based and content-based C) Active and reactive D) None of the above

Context-based and content-based

______________________ is a technique to match an element against a large set of patterns and use activity as a screening element.

Context-based signatures

Honeypots are used to: A) Attract attackers by simulating systems with open network services B) Monitor network usage by employees C) Process alarms from other IDSs D) Attract customers to e-commerce sites

Correct Answer: A

What are the two main types of intrusion detection systems? A) Network-based and host-based B) Signature-based and event-based C) Active and reactive D) Intelligent and passive

Correct Answer: A

Preventative intrusion detection systems: A) Are cheaper B) Are designed to stop malicious activity from occurring C) Can only monitor activity D) Were the first types of IDS

Correct Answer: B

What was the first commercial, network-based IDS product? A) Stalker B) NetRanger C) IDES D) RealSecure

Correct Answer: B

Which of the following is not a capability of network-based IDS? A) Can detect denial-of-service attacks B) Can decrypt and read encrypted traffic C) Can decode UDP and TCP packets D) Can be tuned to a particular network environment

Correct Answer: B

Windows Defender is available with every version of the Windows operating system. A) True B) False

Correct Answer: B

An active IDS can: A) Respond to attacks with TCP resets B) Monitor for malicious activity C) A and B D) None of the above

Correct Answer: C

Egress filtering is used to detect spam that is: A) Coming into an organization B) Sent from known spammers outside your organization C) Leaving an organization D) Sent to mailing lists in your organization

Correct Answer: C

IPS stands for: A) Intrusion processing system B) Intrusion prevention sensor C) Intrusion prevention system D) Interactive protection system

Correct Answer: C

A protocol analyzer can be used to: A) Troubleshoot network problems B) Collect network traffic statistics C) Monitor for suspicious traffic D) All of the above

Correct Answer: D

Heuristic scanning looks for: A) Normal network traffic patterns B) Viruses and spam only C) Firewall policy violations D) Commands or instructions that are not normally found in application programs

Correct Answer: D

What are the three types of event logs generated by Windows 2003 and Vista systems? A) Event, Process, and Security B) Application, User, and Security C) User, Event, and Security D) Application, System, and Security

Correct Answer: D

Which of the following describes a passive, host-based IDS? A) Runs on the local system B) Does not interact with the traffic around it C) Can look at system event and error logs D) All of the above

Correct Answer: D

Which of the following is not a type of proxy? A) Reverse B) Web C) Open D) Simultaneous

Correct Answer: D

What are the two main types of IDS signatures? A) Network-based and file-based B) Context-based and content-based C) Active and reactive D) None of the above

Correct Answer: B

How does 802.11n improve network speed? A. Wider bandwidth B. Higher frequency C. Multiple-input multiple-output (MIMO) D. Both A and C

D

What element does not belong in a mobile device security policy in an enterprise employing BYOD? A. Separation of personal and business-related information B. Remote wiping C. Passwords and screen locking D. Mobile device carrier selection

D

Which of the following properly describes what a public key infrastructure (PKI) actually is? A) A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services B) An algorithm that creates public/private key pairs C) A framework that outlines specific technologies and algorithms that must be used D) A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services

D) A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services

What is the purpose of a digital certificate? A) It binds a CA to a user's identity. B) It binds a CA's identity to the correct RA. C) It binds an individual to an RA. D) It binds an individual to a public key.

D) It binds an individual to a public key.

Define Production

Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.

False

Deploying, maintaining, and upgrading host-based IDSs in a large network is cheaper than NIDSs. True or False

Which of the following correctly describes the minimum contents of an evidence control log book?

Description, Investigator, Case #, Date, Time, Location, Reason

Antispam

Designed to reduce the amount of electronic junk mail or "spam"

Host-based IDS (HIDS)

Detailed information about one device: traffic into and out of the device; logs.

Define Presentation

Displaying ESI before audiences (at depositions, hearings, trials, etc.), especially in native & near-native forms, to elicit further information, validate existing facts or positions, or persuade an audience.

Subnetting

Dividing a network address space into smaller, separate networks is called what?

Which of the following describes a passive, host-based IDS? A) Runs on the local system B) Does not interact with the traffic around it C) Can look at system event and error logs D) All of the above

Does not interact with the traffic around it

Which of the following correctly defines the process of acquiring evidence?

Dump the memory, power down the system, create an image of the system, and analyze the image

Scans outgoing mail to catch spam

Egress filtering - Scans incoming mail to catch spam - Scans outgoing mail to catch spam - Messages are scanned for specific words or phrases - Filters out POP traffic

Services server, Kerberos realm, ticket authentications

Elements of Kerberos include which of the following?

What must you do in order to sniff the traffic on all ports on a switch? - Nothing; you can see all the traffic on a switch by default. - Nothing; a switch does not allow you do see all traffic. - Enable port mirroring. - Run a cable to each port.

Enable port mirroring.

Define Preservation

Ensuring that ESI is protected against inappropriate alteration or destruction.

Define Analysis

Evaluating ESI for content & context, including key patterns, topics, people & discussion.

Define Review

Evaluating ESI for relevance & privilege.

Displays events captured by the agents.

Event Viewer

Which of the following correctly defines the hearsay rule?

Evidence not from the personal knowledge of a witness

Network-based IDS (NIDS)

Examines activity on the network itself. It has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.

Analysis Engine

Examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database. The analysis engine is the "brains" of the IDS.

Analysis Engine

Examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database. The analysis engine is the brains of the IDS.

Which of the following is the least rigorous investigative method?

Examining the suspect system using its software without verification

Which of the following is NOT a component of an IDS? - Traffic collector - Signature database - Expert knowledge database - User interface and reporting

Expert knowledge database

The network that is an extension of a selected portion of a company's intranet to external partners is referred to as the - DMZ - Intranet - Extranet - Internet

Extranet

Address Resolution Protocol resolves a MAC address to an IP address. True or False

False

Hostile activity that does not match an IDS signature and goes undetected is called a false positive. True or False

False

ICMP is a connection-oriented protocol. True or False

False

Network-based IDS examines activity on a system, such as a mail server or web server. True or False

False

Networks without any architecture are considered to be poor. True or False

False

TCP is connectionless and has lower overhead than UDP. True or False

False

The misuse detection IDS model is more difficult to implement than the anomaly detection model, and is not as popular as a result. True or False

False

UDP uses a three-way handshake to establish connections. True or False

False

While NIDS are able to detect activities such as port scans and brute force attacks, it is unable to detect tunneling. True or False

False

When an IDS generates an alarm on "normal" traffic that is actually not malicious or suspicious, that alarm is called a _______________.

False Positive

2. When an IDS generates an alarm on "normal" traffic that is actually not malicious or suspicious, that alarm is called a(n)_______

False positive

Switched Port Analyzer (SPAN)

A feature, sometimes called port mirroring or port monitoring, that selects network traffic for analysis by a network analyzer.

Read, write, and execute

File permissions under UNIX consist of what three types?

Stateful packet inspection; port blocking to deny specific services; NAT to hide internal IP addresses

Firewalls can use which of the following in their operation?

Define Collection

Gathering ESI for further use in the e-discovery process (processing, review, etc.).

IP Spoofing Prevention Tip

General rule of thumb: Don't have any trusted relationships if you can help it. Don't accept packets from outside of your network that claim to be originating from inside of your network.

Context-based Signatures

Generally the more complicated of the signatures. They are designed to match large patterns of activity and examine how certain types of activity fit into other activities going on around them. They address "How do these events compare to other events that have already happened or might happen in the near future?" and must be able to "remember" past events to match certain context signatures.

Context-Based Signature

Generally more complicated. Designed to match large patterns of activity and examine how certain types of activity fit into the other activities going on around them.

Content-based Signatures

Generally the simplest of signatures. Designed to examine the content of such things as network packets or log entries. Typically easy to build, and look for simple things, such as a certain string of characters or a certain flag set in a TCP packet.

Content-Based Signature

Generally the simplest. Designed to examine the content of such things as network packets or log entries.

Trust vs. Authentication

Generally these two have an inverse relationship: if a high degree of trust exists between two machines, the amount of authentication is low. If little trust exists between the machines, a great deal of authentication is required.

Passive NIDS

Generates an alarm when it matches a pattern and does not interact with the traffic in any way

Define Information Management

Getting your electronic house in order to mitigate risk & expenses should e-discovery become an issue, from initial creation of electronically stored information through its final disposition.

Transport Layer

Provides end-to-end delivery of data between hosts across the network. TCP uses acknowledgements and retransmission to guarantee delivery; UDP, the other common transport protocol, does not.

What intrusion detection method works in harmony with AIDS?

HIDS

A new breed of IDS that is designed to identify and prevent malicious activity from harming a system. - Dynamic IDS - Preventive IDS - Active IDS - HIPS

HIPS

True

Hardening applications is similar to hardening operating systems, in that you remove functions that are not needed, restrict access where you can, and make sure the application is up to date with patches. True or False

A physical device that safeguards cryptographic keys is called a ____________________.

Hardware security module

What device would you use to attract potential attacks, so that you could safely monitor the activity and discover the intentions of the attacker? - Firewall - Antivirus - IDS - Honeypot

Honeypot

attract attackers by simulating systems with open network services

Honeypots are used to:

Name the three intrusion detection methods

Host-based IDS (HIDS) Network-based IDS (NIDS) Application-based IDS (AIDS)

False (undetected hostile activity is a false negative; a false positive is benign activity that is flagged as hostile)

Hostile activity that does not match an IDS signature and goes undetected is called a false positive. True or False

True

Hotfixes are usually smaller than patches, and patches are usually smaller than service packs. True or False

The CRL is digitally signed by the CA, so a client can verify the signature and detect any modification.

How can users have faith that the CRL was not modified to present incorrect information?

Wider channel bandwidth (40 MHz channels) and multiple-input multiple-output (MIMO)

How does 802.11n improve network speed?

IPS will block, reject, or redirect unwanted traffic; an IDS will only alert.

How does IPS differ from an IDS? - IPS is passive and IDS is active. - IPS uses heuristics and IDS is signature based. - IPS will block, reject, or redirect unwanted traffic; an IDS will only alert. - IDS will block, reject, or redirect unwanted traffic; an IPS will only alert.

The user first checks whether her system has been configured to trust the CA that digitally signed the other user's certificate, and then validates that CA's signature on the certificate.

How does a user validate a digital certificate that is received from another user?

By requiring a combination of authentication factors (something you know, something you have, something you are), so that compromising one factor alone is not enough to gain illegitimate access.

How does multiple-factor authentication improve security?

Stateful packet filtering looks at the packets in relation to other packets

How does stateful packet filtering differ from basic packet filtering? - Stateful packet filtering looks only at each packet individually. - Stateful packet filtering looks at the packets in relation to other packets. - Stateful packet filtering looks at the destination address. - Stateful packet filtering looks at the source address.
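The stateful/stateless distinction above, together with the IP spoofing rule of thumb (drop packets from outside that claim an inside source), as an added Python example that is not part of the original study set. A stateless filter that approximates "established" traffic by the ACK flag lets an unsolicited ACK probe through; a stateful filter keeps a connection table and accepts inbound packets only for sessions an internal host opened. The network ranges, packet record and sample traffic are constructed for the example.

```python
"""Stateless vs stateful packet filtering, plus an anti-spoofing ingress rule.

Constructed example: a filter protecting 192.0.2.0/24 on its external
interface. Packets are simple records, not real frames.
"""
import ipaddress
from collections import namedtuple

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# direction is "in" (arriving from outside) or "out" (leaving the network).
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def spoofed_from_inside(pkt):
    """IP spoofing rule of thumb: a packet arriving from outside must not
    claim an internal source address."""
    return pkt.direction == "in" and ipaddress.ip_address(pkt.src) in INTERNAL_NET

class StatelessFilter:
    """Looks at each packet individually. The classic approximation of
    'established' traffic is: allow inbound if the ACK flag is set."""
    def decide(self, pkt):
        if spoofed_from_inside(pkt):
            return "DROP"
        if pkt.direction == "out":
            return "ACCEPT"
        return "ACCEPT" if "A" in pkt.flags else "DROP"

class StatefulFilter:
    """Tracks connections so an inbound packet is accepted only if it belongs
    to a session an internal host opened."""
    def __init__(self):
        # (internal_ip, internal_port, remote_ip, remote_port) -> state
        self.table = {}

    def decide(self, pkt):
        if spoofed_from_inside(pkt):
            return "DROP"
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"S"}:
                self.table[key] = "SYN_SENT"       # new outbound connection attempt
            elif key in self.table and "A" in pkt.flags:
                self.table[key] = "ESTABLISHED"    # third handshake step completed
            return "ACCEPT"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # inbound: swap the sides
        state = self.table.get(key)
        if state is None:
            return "DROP"                          # unsolicited inbound, even with ACK set
        if state == "SYN_SENT" and pkt.flags == {"S", "A"}:
            return "ACCEPT"                        # the expected SYN/ACK reply
        if state == "ESTABLISHED" and "A" in pkt.flags:
            return "ACCEPT"
        return "DROP"

def run_filter(fw, packets):
    """Return the filter's decision for each packet, in order."""
    return [fw.decide(p) for p in packets]

# Constructed traffic: internal client 192.0.2.10 talks to 203.0.113.5:443,
# then two inbound packets that no internal host asked for.
SAMPLE = [
    Packet("out", "192.0.2.10", 40000, "203.0.113.5", 443, {"S"}),       # client SYN
    Packet("in",  "203.0.113.5", 443, "192.0.2.10", 40000, {"S", "A"}),  # server SYN/ACK
    Packet("out", "192.0.2.10", 40000, "203.0.113.5", 443, {"A"}),       # handshake done
    Packet("in",  "203.0.113.5", 443, "192.0.2.10", 40000, {"P", "A"}),  # data from server
    Packet("in",  "198.51.100.9", 1234, "192.0.2.10", 22, {"A"}),        # unsolicited ACK probe
    Packet("in",  "192.0.2.77", 5555, "192.0.2.10", 22, {"S"}),          # spoofed internal source
]

if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        print(name, run_filter(fw, SAMPLE))
```

Both filters drop the spoofed packet, because that rule needs no state. Only the stateful filter drops the ACK probe to port 22: the stateless rule has no way to know that no internal host ever opened that connection.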

Lessons Learned

-How was the incident allowed to develop? -How could it have been prevented, or its impact reduced? -Was the incident response adequate? What could be improved? -Reporting: may be required by regulators. -Reassure suppliers, customers, and users.

Packet delivery to distant systems is usually accomplished by the use of - MAC addresses - Domain names - IP Addresses - ARP protocol

IP Addresses

- IP Spoofing - Email Spoofing - Web Spoofing - Non-technical Spoofing

IP Spoofing - an attacker uses the IP address of another computer to acquire information. Email Spoofing - forging the From address of an email. Web Spoofing - a site may not be what it appears to be or what its URL would imply. Non-technical Spoofing - social engineering that targets the human element of a company.

Intrusion prevention system

IPS stands for:

ESP and AH

IPsec provides which options as security services?

Steps of spoofing attack

-Identify the target of the attack (a system with a trusted relationship with another host). -"Eliminate" the host you wish to impersonate (for example with a DoS attack) so it cannot respond. -Forge the address of the host being spoofed as the source of the packet to be sent to the target. -Send the spoofed packet to the target. -Keep the connection active by guessing the correct sequence number used by the target machine.

