Midterm2-1
A consequence of a buffer overflow error is __________
- Corruption of data used by the program - Unexpected transfer of control in the program - Possible memory access violation
_________ is a form of overflow attack
- Heap Overflows - Return to system call - Replacement stack frame
The Packet Storm Web site includes a large collection of packaged shellcode, including code that can:
- create a reverse shell that connects back to the hacker - flush firewall rules that currently block other attacks - set up a listening service to launch a remote shell when connected to
A buffer can be located _________
- in the heap - on the stack - in the data section of the process
T
1. An intruder can also be referred to as a hacker or cracker.
firewall
1. The _________ is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter to protect the premises network from Internet-based attacks.
activists
1. The broad classes of intruders are: cyber criminals, state-sponsored organizations, _________, and others.
B
1. _________ are either individuals or members of a larger group of outsider attackers who are motivated by social or political causes. A. State-sponsored organizations B. Activists C. Cyber criminals D. Others
C
1. _________ control determines the types of Internet services that can be accessed, inbound or outbound. A. Behavior B. Direction C. Service D. User
network-based (NIDS)
10. A ________ IDS monitors traffic at selected points on a network or interconnected set of networks.
B
10. A _________ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control. A. packet filtering firewall B. distributed firewall C. personal firewall D. stateful inspection firewall
host-based IPS (HIPS)
10. A ___________ makes use of both signature and anomaly detection techniques to identify attacks.
F
10. Anomaly detection is effective against misfeasors.
attack reaction
10. The four lines of defense against DDoS attacks are: attack prevention and preemption, attack detection and filtering, attack source traceback and identification and ______.
C
10. The purpose of the ________ module is to collect data on security related events on the host and transmit these to the central manager. A. central manager agent B. LAN monitor agent C. host agent D. architecture agent
D
11. A(n) ________ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. A. passive sensor B. analysis sensor C. LAN sensor D. inline sensor
Intrusion Detection Message Exchange Requirements
11. The _________ (RFC 4766) document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF).
T
11. To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
C
11. Typical for SOHO applications, a __________ is a single router between internal and external networks with stateless or full packet filtering. A. single bastion T B. double bastion inline C. screening router D. host-resident firewall
Pattern
11. _________ matching scans incoming packets for specific byte sequences (the signature) stored in a database of known attacks.
B
12. A(n) ________ event is an alert that is generated when the gossip traffic enables a platform to conclude that an attack is under way. A. PEP B. DDI C. IDEP D. IDME
F
12. An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
Traffic
12. __________ anomaly watches for unusual traffic activities, such as a flood of UDP packets or a new service appearing on the network.
A
12. __________ are attacks that attempt to give ordinary users root access. A. Privilege-escalation exploits B. Directory traversals C. File system access D. Modification of system resources
IDS
12. The functional components of an _________ are: data source, sensor, analyzer, administration, manager, and operator.
T
13. A common location for a NIDS sensor is just inside the external firewall.
Sdrop
13. Snort Inline adds three new rule types: drop, reject, and _________.
security policy
13. The _________ is the predefined formally documented statement that defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements.
A
13. _________ is a document that describes the application level protocol for exchanging data between intrusion detection entities. A. RFC 4767 B. RFC 4766 C. RFC 4765 D. RFC 4764
D
13. __________ scans for attack signatures in the context of a traffic stream rather than individual packets. A. Pattern matching B. Protocol anomaly C. Traffic anomaly D. Stateful matching
UTM (unified threat management)
14. A single device that integrates a variety of approaches to dealing with network-based attacks is referred to as a __________ system.
T
14. Network-based intrusion detection makes use of signature detection and anomaly detection.
C
14. The rule _______ tells Snort what to do when it finds a packet that matches the rule criteria. A. protocol B. direction C. action D. destination port
B
14. __________ looks for deviation from standards set forth in RFCs. A. Statistical anomaly B. Protocol anomaly C. Pattern matching D. Traffic anomaly
Honeypots
14. ________ are decoy systems that are designed to lure a potential attacker away from critical systems.
F
15. Snort can perform intrusion prevention but not intrusion detection.
D
15. The _______ is the ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator. A. data source B. sensor C. operator D. analyzer
A
15. The _________ attack is designed to circumvent filtering rules that depend on TCP header information. A. tiny fragment B. address spoofing C. source routing D. bastion host
administrator
15. The __________ is the human with overall responsibility for setting the security policy of the organization, and, thus, for decisions about deploying and configuring the IDS.
defense in depth
15. The firewall follows the classic military doctrine of _________ because it provides an additional layer of defense.
journeyman
2. A ________ is a hacker with sufficient technical skills to modify and extend attack toolkits to use newly discovered vulnerabilities.
packet filtering
2. A _________ firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
D
2. A _________ is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so. A. intrusion detection B. IDS C. criminal enterprise D. security intrusion
F
2. Activists are either individuals or members of an organized crime group with a goal of financial reward.
B
2. _________ control controls how particular services are used. A. Service B. Behavior C. User D. Direction
A
3. A _________ monitors the characteristics of a single host and the events occurring within that host for suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection
T
3. Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.
source
3. The ________ IP address is the IP address of the system that originated the IP packet.
user interface
3. The _________ to an IDS enables a user to view output from the system or control the behavior of the system.
C
3. _________ control determines the direction in which particular service requests may be initiated and allowed to flow through the firewall. A. Behavior B. User C. Direction D. Service
C
4. A ________ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection
spoofing
4. An intruder transmitting packets from the outside with a source IP address field containing an address of an internal host is known as IP address _________.
T
4. Those who hack into computers do so for the thrill of it or for status.
A
4. ________ control controls access to a service according to which user is attempting to access it. A. User B. Direction C. Service D. Behavior
Intrusion Detection
4. __________ is a security service that monitors and analyzes system events for the purpose of finding, and providing real-time warning of attempts to access system resources in an unauthorized manner.
sensors
5. An IDS comprises three logical components: analyzers, user interface and _____.
T
5. Intruders typically use steps from a common attack methodology.
A
5. The ________ is responsible for determining if an intrusion has occurred. A. analyzer B. host C. user interface D. sensor
D
5. The _________ defines the transport protocol. A. destination IP address B. source IP address C. interface D. IP protocol field
SOCKS
5. The __________ protocol is an example of a circuit-level gateway implementation that is conceptually a "shim-layer" between the application layer and the transport layer and does not provide network-layer gateway services.
D
6. A __________ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. A. packet filtering B. stateful inspection C. application-level D. circuit-level
intrusion
6. Copying a database containing credit card numbers, viewing sensitive data without authorization, and guessing and cracking passwords are examples of _________.
bastion host
6. Identified as a critical strong point in the network's security, the _________ serves as a platform for an application-level or circuit-level gateway.
F
6. The IDS component responsible for collecting data is the user interface.
B
6. __________ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection
personal
7. A __________ firewall controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side.
B
7. An example of a circuit-level gateway implementation is the __________ package. A. application-level B. SOCKS C. SMTP D. stateful inspection
T
7. Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
Profile-based
7. _________ anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.
D
7. _________ involves the collection of data relating to the behavior of legitimate users over a period of time. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection
B
8. A(n) __________ is a hacker with minimal technical skill who primarily uses existing attack toolkits. A. Master B. Apprentice C. Journeyman D. Activist
VPN (virtual private network)
8. A ________ uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet.
T
8. The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
A
8. Typically the systems in the _________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server. A. DMZ B. IP protocol field C. boundary firewall D. VPN
Signature
8. ________ detection techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious.
C
9. A _________ consists of a set of computers that interconnect by means of a relatively unsecure network and makes use of encryption and special protocols to provide security. A. proxy B. UTM C. VPN D. stateful inspection firewall
F
9. Signature-based approaches attempt to define normal, or expected behavior, whereas anomaly approaches attempt to define proper behavior.
A
9. The _________ module analyzes LAN traffic and reports the results to the central manager. A. LAN monitor agent B. host agent C. central manager agent D. architecture agent
Neural networks
9. _________ simulate human brain operation with neurons and synapses between them that classify observed data.
IPSec
9. __________ protocols operate in networking devices, such as a router or firewall, and will encrypt and compress all traffic going into the WAN and decrypt and uncompress traffic coming from the WAN.
10. A characteristic of reflection attacks is the lack of _______ traffic. A. backscatter B. network C. three-way D. botnet
A
11. In both direct flooding attacks and ______ the use of spoofed source addresses results in response packets being scattered across the Internet and thus detectable. A. SYN spoofing attacks B. indirect flooding attacks C. ICMP attacks D. system address spoofing
A
15. When a DoS attack is detected, the first step is to _______. A. identify the attack B. analyze the response C. design blocking filters D. shut down the network
A
3. Using forged source addresses is known as _________. A. source address spoofing B. a three-way address C. random dropping D. directed broadcast
A
6. _______ bandwidth attacks attempt to take advantage of the disproportionally large resource consumption at a server. A. Application-based B. System-based C. Random D. Amplification
A
True
A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption.
Network-based IDS
A _____ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
Host-based IDS
A _____ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
captcha
A ______ is a graphical puzzle used to attempt to identify legitimate human initiated interactions.
denial of service
A ______ is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.
backscatter
A characteristic of reflection attacks is the lack of _______ traffic.
Inline Sensor
A(n) _____ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
"Smashing the Stack for Fun and Profit" was a step by step introduction to exploiting stack-based buffer overflow vulnerabilities that was published in Phrack magazine by _________ .
Aleph One
8. ______ attacks are a variant of reflector attacks and also involve sending a packet with a spoofed source address for the target system to intermediaries.
Amplification
1. ______ relates to the capacity of the network links connecting a server to the wider Internet. A. Application resource B. Network bandwidth C. System payload D. Directed broadcast
B
12. In a _______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system. A. SYN flood B. DNS amplification C. poison packet D. UDP flood
B
4. The ______ attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections. A. DNS amplification attack B. SYN spoofing attack C. basic flooding attack D. poison packet attack
B
8. Bots starting from a given HTTP link and then following all links on the provided Web site in a recursive way is called _______. A. trailing B. spidering C. spoofing D. crowding
B
13. It is possible to specifically defend against the ______ by using a modified version of the TCP connection handling code. A. three-way handshake B. UDP flood C. SYN spoofing attack D. flash crowd
C
2. A ______ triggers a bug in the system's network handling software causing it to crash and the system can no longer communicate over the network until this software is reloaded. A. echo B. reflection C. poison packet D. flash flood
C
7. _______ is a text-based protocol with a syntax similar to that of HTTP. A. RIP B. DIP C. SIP D. HIP
C
__________ aim to prevent or detect buffer overflows by instrumenting programs when they are compiled.
Compile Time Defense
14. Modifying the system's TCP/IP network code to selectively drop an entry for an incomplete connection from the TCP connections table when it overflows, allowing a new connection attempt to proceed is _______. A. poison packet B. slashdot C. backscatter traffic D. random drop
D
5. TCP uses the _______ to establish a connection. A. zombie B. SYN cookie C. directed broadcast D. three-way handshake
D
9. ______ attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete. A. HTTP B. Reflection attacks C. SYN flooding D. Slowloris
D
A DMZ is one of the internal firewalls protecting the bulk of the enterprise network.
F
A bot propagates itself and activates itself, whereas a worm is initially controlled from some central facility.
F
A buffer overflow error is not likely to lead to eventual program termination.
F
A macro virus infects executable portions of code.
F
A major disadvantage of the baseline risk assessment approach is the significant cost in time, resources, and expertise needed to perform the analysis.
F
A single countermeasure for SQLi attacks.
F
A user program executes in a kernel mode in which certain areas of memory are protected from the user's use and certain instructions may not be executed.
F
A view cannot provide restricted access to a relational database so it cannot be used for security purposes.
F
An attacker can generally determine in advance exactly where the targeted buffer will be located in the stack frame of the function in which it is defined.
F
An individual's signature is not unique enough to use in a biometric application.
F
Assurance is the process of examining a computer product or system with respect to certain criteria.
F
Buffer overflow exploits are no longer a major source of concern to security practitioners.
F
Business continuity consists of security services that allocate access, distribute, monitor, and protect the underlying resource services.
F
Computer attacks are considered crimes but do not carry criminal sanctions.
F
Contingency planning is a functional area that primarily requires computer security technical measures.
F
Cryptanalytic attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.
F
Detecting and reacting to incidents is not a function of IT security management.
F
Even though it is a high-level programming language, Java still suffers from buffer overflows because it permits more data to be saved into a buffer than it has space for.
F
External devices such as firewalls cannot provide access control services.
F
Fixed server roles operate at the level of an individual database.
F
For information systems, the role of logical security is to protect the physical assets that support the storage and processing of information.
F
High humidity does not pose a threat to electrical and electronic equipment as long as the computer's temperature stays within the optimal range.
F
Identification is the means of establishing the validity of a claimed identity provided by a user.
F
It is not critical that an organization's IT security policy have full approval or buy-in by senior management.
F
It is not possible to spread a virus via an USB stick.
F
Keylogging is a form of host attack.
F
Keyware captures keystrokes on a compromised system.
F
Like the MAC, a hash function also takes a secret key as input.
F
Low-intensity devices such as cell phones do not interfere with electronic equipment.
F
Memory cards store and process data.
F
Metamorphic code is software that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
F
Once the IT management process is in place and working the process never needs to be repeated.
F
One disadvantage of a packet filtering firewall is its simplicity.
F
Public-key algorithms are based on simple operations on bit patterns.
F
Security labels indicate which system entities are eligible to access certain resources.
F
Security mechanisms typically do not involve more than one particular algorithm or protocol.
F
Shellcode is not specific to a particular processor architecture.
F
Software is an example of real property.
F
T/F: A DoS attack targeting application resources typically aims to overload or crash its network handling software.
F
T/F: DoS attacks cause damage or destruction of IT infrastructures.
F
T/F: Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address.
F
T/F: Reflector and amplifier attacks use compromised systems running the attacker's programs.
F
T/F: Slowloris is a form of ICMP flooding.
F
T/F: The attacker needs access to a high-volume network connection for a SYN spoof attack.
F
The "A" in CIA Triad stands for authenticity.
F
The Common Criteria specification is primarily concerned with the privacy of personal information concerning the individual rather than the privacy of an individual with respect to that individual's use of computer resources.
F
The advantage of a stream cipher is that you can reuse keys.
F
The assignment of responsibilities relating to the management of IT security and the organizational infrastructure is not addressed in a corporate security policy.
F
The authentication function determines who is trusted for a given purpose.
F
The cloud carrier is useful when cloud services are too complex for a cloud consumer to easily manage.
F
The countermeasure to tiny fragment attacks is to discard packets with an inside source address if the packet arrives on an external interface.
F
The direct flame is the only threat from fire.
F
The firewall can protect against attacks that bypass the firewall.
F
The optimal temperature for computer systems is between 10 and 32 degrees Fahrenheit.
F
The purpose of the DDS algorithm is to enable two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages.
F
The successful use of law enforcement depends much more on technical skills than on people skills.
F
Threats are attacks carried out.
F
Traditional RBAC systems define the access rights of individual users and groups of users.
F
Triple DES takes plaintext block of 64 bits and a key of 56 bits to produce a ciphertext block of 64 bits.
F
Unlike a firewall, an IPS does not block traffic.
F
User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.
F
Stack buffer overflow attacks were first seen in the Aleph One Worm
False
2. _____ attacks flood the network link to the server with a torrent of malicious packets competing with valid traffic flowing to the server.
Flooding
True
Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.
_________ is a tool used to automatically identify potentially vulnerable programs.
Fuzzing
__________ can prevent buffer overflow attacks, typically of global data, which attempt to overwrite adjacent regions in the process's address space, such as the global offset table.
Guard pages
5. A _______ flood refers to an attack that bombards Web servers with HTTP requests.
HTTP
9. The best defense against broadcast amplification attacks is to block the use of _______ broadcasts.
IP-directed
11. Since filtering needs to be done as close to the source as possible by routers or gateways knowing the valid address ranges of incoming packets, an _______ is best placed to ensure that valid source addresses are used in all packets from its customers.
ISP
replicating
If an organization is dependent on network services it should consider mirroring and ______ these servers over multiple sites with multiple network connections.
DNS amplification
In a _______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.
SYN spoofing attacks
In both direct flooding attacks and ______ the use of spoofed source addresses results in response packets being scattered across the Internet and thus detectable.
SYN spoofing attack
It is possible to specifically defend against the ______ by using a modified version of the TCP connection handling code.
random drop
Modifying the system's TCP/IP network code to selectively drop an entry for an incomplete connection from the TCP connections table when it overflows, allowing a new connection attempt to proceed is _______.
The buffer overflow type of attack has been known since it was first widely used by the __________ Worm in 1988.
Morris
The buffer overflow type of attack has been known since it was first widely used by the __________ Worm in 1988.
Morris Internet
The __________ used a buffer overflow exploit in "fingerd" as one of its attack
Morris Internet Worm
The __________ used a buffer overflow exploit in fingerd as one of its attack mechanisms.
Morris Internet Worm
The __________ project produces a free, multiplatform 4.4BSD-based UNIX-like operating system.
OpenBSD
A buffer overflow in Microsoft Windows 2000/XP Local Security Authority Subsystem Service was exploited by the _________.
Sasser Worm
In 2004 the ________ exploited a buffer overflow in Microsoft Windows 2000/XP Local Security Authority Subsystem Service.
Sasser Worm
3. The standard protocol used for call setup in VoIP is the ________ Protocol.
Session Initiation
The function of ________ was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program.
Shellcode
Traditionally the function of __________ was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program.
Shellcode
In 2003 the _________ exploited a buffer overflow in Microsoft SQL Server 2000.
Slammer Worm
A Trojan horse is an apparently useful program containing hidden code that, when invoked, performs some harmful function.
T
A constraint is a defined relationship among roles or a condition related to roles.
T
A firewall can serve as the platform for IPSec.
T
A foreign key value can appear multiple times in a table.
T
A good technique for choosing a password is to use the first letter of each word of a phrase.
T
A logic bomb is the event or condition that determines when the payload is activated or delivered.
T
A logical means of implementing an IPSec is in a firewall.
T
A major advantage of the informal approach is that the individuals performing the analysis require no additional skills.
T
A message authentication code is a small block of data generated by a secret key and appended to a message.
T
A packet filtering firewall is typically configured to filter packets going in both directions.
T
A person that becomes statically charged can damage electronic equipment by an electric discharge.
T
A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.
T
A query language provides a uniform interface to the database.
T
A servicemark is the same as a trademark except that it identifies and distinguishes the source of a service rather than a product.
T
A smart card contains an entire microprocessor.
T
A stack overflow can result in some form of denial-of-service attack on a system.
T
A threat may be either natural or human made and may be accidental or deliberate.
T
A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context.
T
A user may belong to multiple groups.
T
A virus that attaches to an executable program can do anything that the program is permitted to do.
T
Access control is the central element of computer security.
T
An ABAC model can define authorizations that express conditions on properties of both the resource and the subject.
T
An IDS is a set of automated tools designed to detect unauthorized access to a host system.
T
An IPS incorporates IDS functionality but also includes mechanisms designed to block traffic from intruders.
T
An access right describes the way in which a subject may access an object.
T
An attacker is more interested in transferring control to a location and code of the attacker's choosing rather than immediately crashing the program.
T
An auditing function monitors and keeps a record of user accesses to system resources.
T
An example of a patent from the computer security realm is the RSA public-key cryptosystem.
T
An important aspect of a distributed firewall configuration is security monitoring.
T
An important element in many computer security services and applications is the use of cryptographic algorithms.
T
Any program that is owned by, and SetUID to, the "superuser" potentially grants unrestricted access to the system to any user executing that program.
T
Anyone can join the Ad Hoc Committee on Responsible Computing.
T
At the basic machine level, all of the data manipulated by machine instructions executed by the computer processor are stored in either the processor's registers or in memory.
T
Availability assures that systems work promptly and service is not denied to users.
T
Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.
T
Buffer overflow attacks are one of the most common attacks seen.
T
Buffer overflows can be found in a wide variety of programs, processing a range of different input, and with a variety of possible responses.
T
Computer security is essentially a battle of wits between a perpetrator who tries to find holes and the admin who tries to close them.
T
Computer security is protection of the integrity, availability, and confidentiality of information system resources.
T
Computer technology has involved the creation of new types of entities for which no agreed ethical rules have previously been formed.
T
Computers as targets is a form of crime that involves an attack on data integrity, system integrity, data confidentiality, privacy, or availability.
T
Concerns about the extent to which personal privacy has been and may be compromised have led to a variety of legal and technical approaches to reinforcing privacy rights.
T
Data integrity assures that information and programs are changed only in a specified and authorized manner.
T
Depending on the application, user authentication on a biometric system involves either verification or identification.
T
Depending on the details of the overall authentication system, the registration authority issues some sort of electronic credential to the subscriber.
T
Distributed firewalls protect against internal attacks and provide protection tailored to specific machines and applications.
T
E-mail is a common method for spreading macro viruses.
T
Encryption is a pervasive service that can be provided for data at rest in the cloud.
T
Enrollment creates an association between a user and the user's biometric characteristics.
T
Every bot has a distinct IP address.
T
Hardware is the most vulnerable to attack and the least susceptible to automated controls.
T
Human-caused threats are less predictable than other types of physical threats.
T
IT Security management consists of first determining a clear view of an organization's IT security objectives and general risk profile.
T
IT security management has evolved considerably over the last few decades due to the rise in risks to networked systems.
T
IT security needs to be a key part of an organization's overall management plan.
T
Identifiers should be assigned carefully because authenticated identities are the basis for other security services.
T
If a computer's temperature gets too cold the system can undergo thermal shock when it is turned on.
T
In a biometric scheme some physical characteristic of the individual is mapped into a digital representation.
T
In addition to propagating, a worm usually carries some form of payload.
T
In the context of security our concern is with the vulnerabilities of system resources.
T
Intruders typically use steps from a common attack methodology.
T
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
T
Legal and regulatory constraints may require specific approaches to risk assessment.
T
Malicious software aims to trick users into revealing sensitive personal data.
T
Many forms of infection can be blocked by denying normal users the right to modify programs on the system.
T
Many security admins view strong security as an impediment to efficient and user-friendly operation of an information system.
T
Many users choose a password that is too short or too easy to guess.
T
Misuse of the physical infrastructure includes vandalism, theft of equipment, theft by copying, theft of services, and unauthorized entry.
T
Modes of operation are the alternative techniques that have been developed to increase the security of symmetric block encryption for large sequences of data.
T
Network-based intrusion detection makes use of signature detection and anomaly detection.
T
No cybercriminal database exists that can point investigators to likely suspects.
T
One asset may have multiple threats and a single threat may target multiple assets.
T
Organizational security objectives identify what IT security outcomes should be achieved.
T
Organizational security policies identify what needs to be done.
T
Packet sniffers are mostly used to retrieve sensitive information like usernames and passwords.
T
Physical access control should address not just computers and other IS equipment but also locations or wiring used to connect systems, equipment and distribution systems, telephone and communications lines, backup media, and documents.
T
Physical security must also prevent any type of physical access or intrusion that can compromise logical security.
T
Physical security must prevent misuse of the physical infrastructure that leads to the misuse or damage of the protected information.
T
Programmers use backdoors to debug and test programs.
T
Public-key cryptography is asymmetric.
T
Reliable input is an access control requirement.
T
SQL Server allows users to create roles that can then be assigned access rights to portions of the database.
T
Shellcode must be able to run no matter where in memory it is located.
T
Snort inline enables Snort to function as an intrusion prevention capability.
T
Some form of protocol is needed for public-key distribution.
T
Stack buffer overflow attacks were first seen in the Aleph One Worm.
T
Symmetric encryption is used primarily to provide confidentiality.
T
T/F: A SIP flood attack exploits the fact that a single INVITE request triggers considerable resource consumption.
T
T/F: A cyberslam is an application attack that consumes significant resources, limiting the server's ability to respond to valid requests from other users.
T
T/F: A denial-of-service attack is an attempt to compromise availability by hindering or blocking completely the provision of some service.
T
T/F: Flooding attacks take a variety of forms based on which network protocol is being used to implement the attack.
T
T/F: SYN-ACK and ACK packets are transported using IP, which is an unreliable network protocol.
T
T/F: The SYN spoofing attack targets the table of TCP connections on the server.
T
T/F: The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised.
T
T/F: The source of the attack is explicitly identified in the classic ping flood attack.
T
T/F: There is very little that can be done to prevent a flash crowd.
T
The CHUID is a PIV card data object.
T
The CSP can provide backup at multiple locations, with reliable failover and disaster recovery facilities.
T
The database management system makes use of the database description tables to manage the physical database.
T
The default set of rights should always follow the rule of least privilege or read-only access.
T
The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
T
The first comprehensive privacy legislation adopted in the U.S. was the Privacy Act of 1974.
T
The first step in devising security services and mechanisms is to develop a security policy.
T
The legal and ethical aspects of computer security encompass a broad range of topics.
T
The more critical a component or service, the higher the level of availability required.
T
The potential for a buffer overflow exists anywhere that data is copied or merged into a buffer, where at least some of the data is read from outside the program.
T
The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
T
The primary role of the personal firewall is to deny unauthorized remote access to the computer.
T
The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
T
The purpose of the privacy functions is to provide a user protection against discovery and misuse of identity by other users.
T
The relative lack of success in bringing cybercriminals to justice has led to an increase in their numbers, boldness, and the global scale of their operations.
T
The secret key is input to the encryption algorithm.
T
The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.
T
The value of a primary key must be unique for each tuple of its table.
T
There are several generic restrictions on the content of shellcode.
T
Those who hack into computers do so for the thrill of it or for status.
T
To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
T
To create a relationship between two tables, the attributes that define the primary key in one table must appear as attributes in another table, where they are referred to as a foreign key.
T
To exploit any type of buffer overflow the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker's control.
T
To implement a physical security program an organization must conduct a risk assessment to determine the amount of resources to devote to physical security and the allocation of those resources against the various threats.
T
Two of the most important applications of the public-key encryption are digital signatures and key management.
T
Unauthorized physical access can lead to other threats.
T
User authentication is the basis for most types of access control and for user accountability.
T
User authentication is the fundamental building block and the primary line of defense.
T
X.800 architecture was developed as an international standard and focuses on security in the context of networks and communications.
T
False
The IDS component responsible for collecting data is the user interface.
Analyzer
The _____ is the IDS component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
False
The attacker needs access to a high-volume network connection for a SYN spoof attack.
True
The best defense against being an unwitting participant in a DDoS attack is to prevent your systems from being compromised.
IP-directed
The best defense against broadcast amplification attacks is to block the use of _______ broadcasts.
True
The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
True
There is very little that can be done to prevent a flash crowd.
True
To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
incident response
To respond successfully to a DoS attack a good ______ plan is needed that includes details of how to contact technical personnel for your ISP(s).
A stack overflow can result in some form of a denial-of-service attack on a system.
True
An attacker is more interested in transferring control to a location and code of the attacker's choosing than in immediately crashing the program.
True
At the basic machine level, all of the data manipulated by machine instructions executed by the computer processor are stored in either the processor's registers or in memory.
True
Buffer overflow attacks are one of the most common attacks seen.
True
The buffer overflow type of attack is one of the most common attacks seen.
True
The potential for a buffer overflow exists anywhere that data is copied or merged into a buffer, where at least some of the data are read from outside the program.
True
There are several generic restrictions on the content of shellcode.
True
To exploit any type of buffer overflow the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker's control.
True
identify the attack
When a DoS attack is detected, the first step is to _______.
Signature Detection
_____ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.
Anomaly Detection
_____ involves the collection of data relating to the behavior of legitimate users over a period of time.
Slowloris
______ attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete.
A buffer _________ is a condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information.
all these options / overrun, overwrite, overflow
10. The four lines of defense against DDoS attacks are: attack prevention and preemption, attack detection and filtering, attack source traceback and identification and _______.
attack reaction
1. The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses is known as _______ traffic.
backscatter
A __________ can occur as a result of a programming error when a process attempts to store data beyond the limits of a fixed-size buffer and consequently overwrites adjacent memory locations.
buffer overflow (can also accept buffer overrun or buffer overwrite)
Data is simply an array of _________ .
bytes
A _________ value is named after the miner's bird used to detect poisonous air in a mine and warn miners in time for them to escape.
canary
12. A ______ is a graphical puzzle used to attempt to identify legitimate human initiated interactions.
captcha
__________ defenses aim to harden programs to resist attacks in new programs.
compile-time
__________ aim to prevent or detect buffer overflows by instrumenting programs when they are compiled.
compile-time defenses
A consequence of a buffer overflow error is __________ .
corruption of data used by the program, unexpected transfer of control in the program, and possible memory access violation
The Packet Storm Web site includes a large collection of packaged shellcode, including code that can:
create a reverse shell that connects back to the hacker, flush firewall rules that currently block other attacks, and set up a listening service to launch a remote shell when connected to.
15. A _____ is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.
denial-of-service (DoS)
_________ is a tool used to automatically identify potentially vulnerable programs.
fuzzing
Gaps, or __________ , are flagged in the MMU as illegal addresses, and any attempt to access them results in the process being aborted.
guard pages
__________ can prevent buffer overflow attacks, typically of global data, which attempt to overwrite adjacent regions in the process's address space, such as the global offset table.
guard pages
Memory is requested from the ______ by programs for use in dynamic data structures, such as linked lists of records.
heap
The _________ is typically located above the program code and global data and grows up in memory (while the stack grows down toward it).
heap
_________ is a form of overflow attack.
heap overflows, return to system call, and replacement stack frame
13. To respond successfully to a DoS attack a good ______ plan is needed that includes details of how to contact technical personnel for your ISP(s).
incident response
The buffer is located __________ .
in the heap, on the stack, and in the data section of the process
_________ attacks can occur in a binary buffer copy when the programmer has included code to check the number of bytes being transferred, but due to a coding error, allows just one more byte to be copied than there is space available.
off-by-one
A buffer _________ is a condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information.
overflow/overrun/overwrite
Shellcode has to be __________, which means it cannot contain any absolute address referring to itself.
position independent
6. During a ______ attack, the attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system and when the intermediary responds, the response is sent to the target.
reflection
14. If an organization is dependent on network services it should consider mirroring and ________ these servers over multiple sites with multiple network connections.
replicating
4. Requests and _______ are the two different types of SIP messages.
responses
__________ defenses aim to detect and abort attacks in existing programs.
run-time
An essential component of many buffer overflow attacks is the transfer of execution to code supplied by the attacker and often saved in the buffer being overflowed. This code is known as _________ .
shellcode
The function of ________ was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program.
shellcode
Traditionally the function of __________ was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program.
shellcode
7. In reflection attacks, the ______ address directs all the packets at the desired target and any responses to the intermediary.
spoofed source
A ___________ overflow occurs when the targeted buffer is located on the stack, usually as a local variable in a function's stack frame.
stack buffer
In the classic __________ overflow, the attacker overwrites a buffer located in the local variable area of a stack frame and then overwrites the saved frame pointer and return address.
stack buffer
A stack buffer overflow attack is also referred to as ______.
stack smashing
__________ is one of the best known protection mechanisms that is a GCC compiler extension that inserts additional function entry and exit code.
stackguard
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.
t