ITN 261 - Chap 3

How would you calculate risk?
A. Probability * loss value
B. Probability * mitigation factor
C. (Loss value + mitigation factor) * (loss value/probability)
D. Probability * mitigation factor
A. Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no quantified mitigation factor that could be put into a risk calculation.

Which of these is an example of an application layer gateway?
A. Web application firewall
B. Runtime application self-protection
C. Java applet
D. Intrusion prevention system
A. Runtime application self-protection is a plug-in used on an application server to prevent bad messages from impacting the application. A Java applet is an implementation of a Java program. An intrusion prevention system is used to detect and block potential intrusions. A web application firewall, however, makes decisions based on Application layer traffic and will either allow or block that traffic. This makes it an Application layer gateway.

What would you use a security information event manager for?
A. Aggregating and providing search for log data
B. Managing security projects
C. Escalating security events
D. Storing open-source intelligence
A. Security information event managers are used to aggregate event data, such as log information. Once the data has been aggregated, it can be searched and correlated. Even though it's called an event manager, it isn't used to manage security projects, nor is it used to escalate security events. Other tools can be used to gather and store open-source intelligence.

What is the purpose of a security policy?
A. To provide high-level guidance on the role of security
B. To provide specific direction to security workers
C. To increase the bottom line of a company
D. To align standards and practices
A. Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.

What type of attack is a compromise of availability?
A. Watering hole
B. DoS
C. Phishing
D. Buffer overflow
B. A watering hole attack looks to compromise a system that visits a website. A phishing attack looks to gather information from victims, potentially by compromising the victim's system. A buffer overflow attack tries to introduce code provided by the attacker. A denial of service attack, however, has the intention of making a service unavailable for users.

How would you ensure that confidentiality is implemented in an organization?
A. Watchdog processes
B. Encryption
C. Cryptographic hashes
D. Web servers
B. Confidentiality is keeping secret information secret, which means unauthorized users can't access it. Encryption is a good way to keep unauthorized users from data because in order to get to the data, they need to have the key. Watchdog processes are used to ensure that programs remain running. Cryptographic hashes are used to verify the integrity of data. Web servers are used to serve up information.

What would be necessary for a TCP conversation to be considered ESTABLISHED by a stateful firewall?
A. Final acknowledgment message
B. Three-way handshake complete
C. Sequence numbers aligned
D. SYN message received
B. In TCP, a three-way handshake is used to synchronize sequence numbers and establish a connection. While the sequence numbers are shared, they wouldn't be called aligned, which might suggest that each end was using the same sequence number. A SYN message is part of the three-way handshake, but it is not sufficient to establish a connection. Option A, "Final acknowledgment message," is ambiguous. It could refer to the acknowledgment to a FIN message, closing the connection.

What can an intrusion prevention system do that an intrusion detection system can't?
A. Generate alerts
B. Block or reject network traffic
C. Complete the three-way handshake to bogus messages
D. Log packets
B. While an intrusion prevention system can generate alerts, so can an intrusion detection system. Both systems may also be able to log packets, as needed. A bogus message likely wouldn't result in a completed three-way handshake, and the handshake shouldn't be completed anyway. An intrusion prevention system can, however, block or reject network traffic, while an intrusion detection system can't.

Which information would a packet filter use to make decisions about what traffic to allow into the network?
A. HTTP REQUEST message
B. Ethernet type
C. UDP source port
D. SNMP OID
C. A packet filter would use layer 2/3/4 headers to make decisions. An HTTP REQUEST message is at the Application layer (layer 7). Ethernet type isn't used to make decisions in a packet filter. SNMP OID is also an Application layer message. A packet filter would, though, use source or destination ports, potentially, to make decisions about allowing or blocking a packet.

Why is it important to store system logs remotely?
A. Local systems can't handle it.
B. Bandwidth is faster than disks.
C. Attackers might delete local logs.
D. It will defend against attacks.
C. Commonly, system logs are stored on the system that generated the log message. Certainly local systems can handle the logs they have generated. Log messages don't typically consume a lot of space at an individual message level, so bandwidth isn't a problem. Transmitting over a network is generally not faster than moving data within local disks. System logs can be used in identifying attacks, but the logs won't defend against attacks. However, if an attacker does compromise a system, the attacker may delete the local logs because they could get access to them.

Which of the following products might be used as an intrusion detection system?
A. Elastic Stack
B. Prewikka
C. Snort
D. Snorby
C. Elastic Stack is an implementation of a security information event manager. Prewikka can be used along with an intrusion detection system as a dashboard. Snorby is an auxiliary program used with Snort. Snort is an intrusion detection program.

An intrusion detection system can perform which of the following functions?
A. Block traffic
B. Filter traffic based on headers
C. Generate alerts on traffic
D. Log system messages
C. Firewalls are used to block traffic into a network, though an intrusion prevention system will also block traffic. A packet filtering firewall uses header information, such as source and destination address and port, to determine whether to allow traffic into the network. Syslog and the Windows event subsystem can be used to log system messages. Intrusion detection systems can be used to generate alerts on traffic.

If you were implementing defense in breadth, what might you do?
A. Install multiple firewalls
B. Install intrusion detection systems
C. Introduce a DevSecOps culture
D. Ensure policies are up to date
C. Installing multiple firewalls and intrusion detection systems and ensuring that policies are up to date are all elements of a defense in depth approach. Introducing a DevSecOps culture may be an attempt to reduce the number of vulnerabilities and also get them resolved more quickly. As such, it might be considered defense in breadth.

To remove malware from the network before it gets to the endpoint, you would use which of the following?
A. Packet filter
B. Application layer gateway
C. Unified threat management appliance
D. Stateful firewall
C. Packet filters are used to make block/allow decisions based on header data like source and destination address and port. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.

What additional properties does the Parkerian hexad offer over the CIA triad?
A. Confidentiality, awareness, authenticity
B. Utility, awareness, possession
C. Utility, possession, authenticity
D. Possession, control, authenticity
C. The Parkerian hexad takes the confidentiality, integrity, and availability of the CIA triad and adds utility, possession (or control), and authenticity.

Which of these isn't an example of an attack that compromises integrity?
A. Buffer overflow
B. Man in the middle
C. Heap spraying
D. Watering hole
D. A buffer overflow attack is used to execute attacker-supplied code by altering the return address in the stack. A man in the middle attack can be used to intercept and potentially alter a conversation between two systems. A heap spraying attack sends a lot of data into the heap to overwrite what's there. A watering hole attack does not compromise integrity since its purpose is to introduce malware to a system. The malware might eventually compromise integrity, but the watering hole attack itself does not.

If you were on a client engagement and discovered that you left an external hard drive with essential data on it at home, which security principle would you be violating?
A. Confidentiality
B. Integrity
C. Non-repudiation
D. Availability
D. Confidentiality is about making sure secrets are kept secret. Integrity makes sure that data isn't altered accidentally or by an unauthorized agent. Non-repudiation makes sure someone can't say a message didn't originate with them if it came from their identity. Availability means making sure data is where it needs to be when it should be there. This includes services as well.

Which of these would be an example of a loss of integrity?
A. User making changes to a file and saving it
B. Bad blocks flagged on disk
C. Credit cards passed in cleartext
D. Memory failures causing disk drivers to run incorrectly
D. If a user makes a change to a file and saves it, that's an intentional act and the data is what the user expects and wants. If the disk drive has flagged bad blocks on the disk, the drive won't write any data out to those blocks, so there will be no loss of integrity. Credit cards passed in cleartext would be a violation of confidentiality. Memory failures, though, could cause a loss of data integrity, even in the case of writing data to the drive. The corrupted data in memory could be written to disk. Also, memory failures may cause issues with the disk driver, which may also cause data corruption.

Which of the following is one factor of a defense in depth approach to network design?
A. Switches
B. Using Linux on the desktop
C. Optical cable connections
D. Access control lists on routers
D. Switches and optical cable connections can certainly be part of a network design, but in and of themselves they don't add any security features. You may use Linux on the desktop, but without more of a strategy for patch and vulnerability management, Linux is no better than other operating systems. Access control lists on routers can add an additional layer of security, especially when combined with other elements like firewalls and intrusion detection systems.

What important event can be exposed by enabling auditing?
A. System shutdown
B. Service startup
C. Package installation
D. User login
D. While system shutdown, service startup, and package installation may be events that are logged, they are generally logged by normal system logging. Auditing functions are different between Windows and Linux/Unix, but audit systems for both will generate logs when a user logs into a system.