MIS 379 test 2


The Smurf attack is an example of what kind of attack?

The Smurf attack is one of the very first examples of a DDoS attack. In a Smurf attack, the attacker spoofs an ICMP echo request packet from the target's address and sends it to one or more network addresses. Each host that receives the packet will respond to the target address with an echo reply packet. The attacker is able to distribute the attack among multiple sources and overwhelm the target with traffic

Your boss has asked you to identify two of the most dangerous software errors that your company should address as soon as possible. State where you can find the latest top 25 list of most dangerous software errors and explain to your boss how you can address two of those top 25

The Top 25 is maintained by MITRE, and is found at http://cwe.mitre.org/top25/

When examining a packet capture from your network, you notice a large number of packets with the URG, PUSH, and FIN flags set. What type of traffic are you seeing in that packet capture?

The Xmas attack uses packets with the URG, PUSH, and FIN flags set. Different devices will respond differently to Xmas attacks. Some systems will slow down, some will reboot or crash, and some will drop the packet completely

A user is having issues with her domain account locking multiple times throughout the day. She suspects someone is trying to brute force her account or lock her out on purpose. Which of the following logs would most likely show the source? a. event log b. syslogs c. security logs d. access logs

The best source of information for this situation is going to be the security logs. As this is a domain account and most likely on a Windows system, you will want to look at all failed logins associated with this account. Those are stored in the security logs

Why is the buffer overflow such a popular attack?

The buffer overflow is a popular attack because it can provide arbitrary code execution by inserting the code directly into memory

Your vulnerability scanning tool reports that your website is vulnerable to a SQL injection attack that manipulates the values of a hidden parameter. You've tested this thoroughly by hand but cannot validate the finding. Each time you try, you get a non-standard error message indicating the query has been terminated. Your vulnerability scanner is most likely reporting:

There must be a user error in testing. When any scanning tool reports a "finding" that isn't really there and doesn't really exist, this is known as a false positive

List three items that are important for determining risk:

Three items that are important for determining risk are likelihood of threat, discoverability of vulnerability, and value of impact to asset. You must account for the threat, impact, and asset value to calculate risk

Your antivirus solution has detected malware on one of your computers. The AV program tells you the malware is located in a certain directory, but when you go to remove the malware, you discover that the directory does not exist. This is most likely an example of:

Tricking AV software into believing the malware is located in one location when it's actually located in another is a common technique used by an armored virus. Armored viruses are designed to be more resistant to detection, reverse engineering, and removal

Your entire office is passing around a PowerPoint presentation of dancing and singing hamsters. Everyone thinks it's great until the next morning when everyone's hard drives appear to have been erased. The dancing hamster file is an example of a:

Trojans are malicious programs that often appear to be or do one thing while performing undesirable actions without user approval. Trojan software is named after the trojan horse from the Trojan War

www.whitehouse.com is a famous example of:

Typo Squatting involves setting up a website using common misspellings, typos, or errors that occur when users are attempting to reach legitimate sites. For example, users wishing to reach www.whitehouse.gov might mistakenly type ".com" instead of ".gov" and be directed to a completely different website than they intended to visit

What threats will you attempt to eliminate through input sanitization?

SQL injection and LDAP injection. Sanitizing input helps ensure that no raw commands are passed directly to supporting applications

Which of the following are common logs associated with a system? a. security b. failure c. system d. data integrity

A and C. Security and system logs are examples of common system logs

Which of the following can be used to assist in hardening a network? a. MAC limiting b. 802.11 c. Rogue user detection d. disable unused ports

A and D. MAC limiting and disabling unused ports are valuable security functions in setting up a network. 802.11 is the designation for Ethernet, and is not directly the issue (802.1x is, not 802.11). Rogue user detection is beyond the network function

A list of Wi-Fi access points in an area is most likely generated by?

War driving involves driving around with a wireless scanner and GPS and logging the location of Wi-Fi access points

You've found a printout with a bunch of IP addresses and descriptions next to them such as "220 Microsoft ESMTP MAIL Service ready" and "220 Microsoft FTP Service." What type of activity might have generated this type of list?

A list showing service "banners" such as "220 Microsoft FTP Service" is usually created by banner grabbing. There are a number of tools that specialize in banner grabbing, but you can accomplish the same thing by simply using a Telnet client to connect to a service. In most cases the service will return a banner telling you various details about the service

A password policy should address the following questions: _______, ________, and ________

A password policy should address: what is an acceptable level of risk? How secure does the system need to be? How often should users change their passwords? What account lockout policy should be used? What password composition rules should be enforced?

You want to install some new software on a system for which you have only a regular user account, and the system won't allow you to load new software. Your friend gives you a USB key with a program called "runme.bat" on it. After you run the program, the screen flashes and all the programs you had open close, but you are now able to install the new software. What did that program on the USB key do?

A privilege escalation attack exploits a bug, flaw, or misconfiguration that allows elevated access to resources and actions that are normally not available to the average user

What type of network attack uses repetition or delay of valid data transmissions?

A replay attack is a network attack that repeats or delays valid data transmissions. In most replay attack scenarios, an attacker captures a valid traffic stream (such as the submission of login credentials) and "replays" the traffic at a later date.

What is the process used to identify potential hazards and evaluate their impact called?

A risk assessment is the process used to identify potential hazards and analyze the impact should those hazards actually occur

What makes rogue access points a threat?

A rogue access point established outside of IT's control will typically let anyone who can detect the access point connect to the internal corporate network

Your site survey has discovered, hidden in the ceiling, a rogue access point resembling one of the fire detectors. What type of device is this likely to be?

A wireless evil twin is likely to be disguised to avoid detection while it attempts to capture user accounts from unsuspecting wireless users

Which of the following correctly describes cross-site request forgery (XSRF)? a. attacking a system by sending malicious input and relying upon the parsers and execution elements to perform the requested actions b. an enhanced data cryptographic encapsulation method c. attacking a system by sending script commands and relying upon the parsers and execution element to perform the requested actions d. attempting to break a cryptographic system

A. Cross-site request forgery (XSRF) is attacking a system by sending malicious input and relying upon the parsers and elevation elements to perform the requested actions

Your friends recommend a free software package that helps organize your playlists. You've tried it and it is great, except for the fact that you have to wait 30 seconds every time it starts for a product video to finish before you can use it. This type of software is known as:

Adware is the term used to describe software that typically is free of charge but contains embedded advertisements or the ability to display advertisements while the software is being used. Often the advertising function can be removed by purchasing the software

Error and exception handling should be performed in what fashion?

All errors/exceptions should be trapped and handled in the generating routine

What is being compromised during an IV attack?

An Initialization Vector (IV) attack seeks to attack the implementation of encryption around the way the cipher initializes. This is a known weakness in the WEP encryption standard for Wi-Fi networks

Why would an integer overflow be a security issue?

An integer overflow can occur when two large numbers are added and go beyond the specified number of integers, resulting in a very small number. This can lead to unexpected application behavior

You are working on a penetration test and discover a web server that appears to be vulnerable to SQL injection attack. It works. What penetration testing steps have you just performed?

Any time you find a vulnerability and then use tools or techniques that exercise that vulnerability to gain access or manipulate data, you have performed vulnerability exploitation. Identifying vulnerabilities stops short of doing something with the discovered vulnerabilities. Using SQL injection attack to gain access to a system would definitely qualify as exploiting a vulnerability

Which of the following is the least favorable location for security checks? a. server-side code b. client-side code c. server-side input validation d. server-side output validation

B. The client is not a suitable place to perform any critical value checks, or security checks

Your boss wants a network device that will detect malicious network traffic as it happens and stop it from reaching systems inside your network. She has asked you to come up with several different options and present them to her in the morning. You should start researching which of the following? a. intrusion detection system b. intrusion prevention system c. firewall d. continuous auditing system

B. Your boss is looking for an intrusion prevention system (IPS). An IPS is very similar to an intrusion detection system (IDS), with one marked difference: an IPS is designed to interact with and stop malicious traffic

How can you prevent bluesnarfing?

Bluesnarfing depends on pairing to the mobile device, so turning off pairing stops the bluesnarfing attack

An intrusion detection system is most like which of the following physical security measures? a. locked door b. electric fence c. security camera d. mantrap entry

C. An intrusion detection system is most like a security camera. An IDS has the ability to monitor for suspicious activity and can record what it has "seen".

Which of the following describes fuzzing? a. interstice development b. removing and not using old code c. systematic application of malformed inputs d. buffer overflows

C. Fuzzing is the systematic application of malformed inputs to test how the program responds

Which of the following is not a common use of cross-site scripting attacks? a. information theft b. deploying malware c. website defacement d. session hijacking

C. Website defacement is not normally performed via cross-site scripting attacks

Which of the following is not a step you'd perform when hardening a production system? a. disable unnecessary services b. disable unnecessary accounts c. enable simple TCP services d. configure auditing

C. When hardening a system, one of the objectives is to remove or disable unnecessary services. The simple TCP services such as ECHO, CHARGEN, and so on should typically be disabled as part of any system hardening process.

An application is being delayed after one of the testers discovered a major bug. Now developers are being tasked to examine each other's code line by line and find any remaining bugs. What are these developers doing?

Code review: a systematic examination of source code to find and eliminate bugs, mistakes, typos, and so on

Your boss is considering outsourcing the network security task for your organization. There are several proposals to look at, many of which claim to "collect information from security controls and perform analysis based on pre-established metrics." What capability are these vendors referring to?

Continuous security monitoring is an attempt to answer the age-old question, "Are we secure?" By collecting data from implemented security controls such as firewalls, IDS/IPS, policies, and so forth and analyzing the data against established metrics, organizations hope to gain a better picture of the security state of their networks. For example, if the perimeter firewall records a sharp rise in outbound traffic on UDP port 33456, this could be an early indication of some type of botnet infection

Why is cross-site scripting successful?

Cross-site scripting folds malicious content, typically from a third-party website, into a portion of the verified content delivered correctly from the web server

Which of the following correctly describes cross-site scripting (XSS)? a. overflowing the allocated storage area to corrupt a running program b. attempting to break a cryptographic system c. exploiting the trust a site has in the user's browser d. exploiting the trust a user has for the site

D. Cross-site scripting (XSS) exploits the trust a user has for the site

Which of the following is a way to defend against buffer overflow errors? a. write fast code b. use pointers c. use unbounded string manipulation d. treat all input from outside a function as hostile

D. One way to defend against buffer overflow errors is to treat all input from outside a function as hostile

Which of the following types of log entries will you not find in Windows Security logs? a. account logon event b. object access events c. policy change events d. system shutdown events

D. System shutdown events would be noted in the security event log, not the security log

Which of the following best describes the attack surface of an application? a. all logins and user inputs b. all logins, user inputs, and data field c. all logins, user inputs, data field, and certification in use d. all logins, user inputs, data field, paths for data in/out of the application, and code that protects data paths

D. The attack surface of an application is really a description of all the different places where an attack could penetrate or disrupt the application. This would include all data paths into and out of the application, all data used by the application, and the code that protects and processes the data and data paths

You have seen several users attempting to perform directory traversal attacks on your site. What action will you take?

Directory traversal attacks center on executing items that should not be accessible to external users. Proper permissions and removal of all unnecessary execute rights will assist in mitigating the attack

Why is free Wi-Fi, such as in coffee shops, a popular target for session hijacking?

Frequently, SSL is only used for a website's login page, so an attacker sniffing the Wi-Fi could capture the user's session cookie and use it to impersonate the user

You've been asked to perform some testing on a new web application your organization has developed. The CEO wants you to perform gray-box testing. What will you need in order to perform this type of test?

Gray-box testing is a combination of white- and black-box testing. The tester has some knowledge of the system or application being examined, such as the data structures and algorithms, but doesn't know everything about the application, as they would during white-box testing

You boot your computer on April 1st and a large pop-up appears that reads "Ha Ha Ha" with the Joker's face underneath it. When the pop-up disappears, all the icons are missing from your desktop. What type of malware was your computer infected with?

If a malicious action takes place at a certain time or date or when specific conditions occur, it is most likely the work of a logic bomb. Logic bombs are malware designed to run undetected until certain conditions are met: a specific time, a specific date, a certain number of mouse clicks, and so on. When those conditions are met, the logic bomb executes its "payload", which is often something designed to damage, disrupt, or destroy the infected system

Your colleague tells you that he has prepared a server for the production environment. He says that he has patched it, made sure all the accounts have strong passwords, and removed all the development code that was on it. When you scan the server, a large number of open ports respond. What did your colleague forget to do when securing this server?

If a server has a large number of active ports, it is likely running a large number of services. Disabling unnecessary services should be part of the system build process for all production (and development) systems. Disabling or removing unnecessary services can reduce the attack surface of the system.

Your boss promised to help out the Audit department and has enlisted you. They're looking for a list of every system in the server farm and what services are responding on each of those systems. What kind of tool might you use to create this type of list?

If all the audit department needs is a list of the systems and the open services on those systems, a port scanner is all you need. Any decent port scanner, such as Nmap, will be able to detect the system and probe any active ports on those systems

If the attacker is able to insert himself into an encrypted conversation between you and a secure web server, he has successfully executed what type of attack?

If an attacker is able to insert himself into the middle of an encrypted conversation and have each victim believe they are still talking to their original parties in the conversation, then the attacker has successfully executed a man-in-the-middle attack. A man-in-the-middle attack can only succeed if the attacker can impersonate both endpoints in the conversation successfully

While performing a port scan of your organization, you discover an Ubuntu-based system with TCP port 65123 open on it. When you connect to the port using Telnet, all you see is a prompt that looks like ##. You try typing a few commands and notice that you are able to do almost anything on the system, including displaying the contents of /etc/shadow. What did you just discover on the Ubuntu-based system?

If you are able to access a system on an uncommon port and bypass normal authentication mechanisms, you have most likely discovered a backdoor

You need something that will help you more effectively analyze the traffic on your network, something that will record traffic at the packet level so you can look for problems like ARP storms, duplicate MAC addresses, and so on. What type of tool should you be shopping for?

If you are looking for a tool to help you analyze network traffic, you should be shopping for a protocol analyzer. Protocol analyzers are tools used to capture and examine signals and data across a communication channel. Protocol analyzers exist for almost every kind of communication channel

Your organization is infected with a piece of malware that you just can't seem to get rid of. It seems like every time a system is cleaned and you update all the antivirus definitions with your organization, another system shows signs of the infection. What type of malware might you be facing in this example?

If you have a piece of malware that is extremely difficult to eradicate no matter how many times you update antivirus signatures, you are most likely facing polymorphic malware. Polymorphic malware is designed to constantly change and make itself increasingly more difficult to detect or remove. The malware "evolves" through techniques like filename changes, compression techniques, variable key encryption, and so on.

You want to place a tool on the network that will continuously look for vulnerabilities on your network. Your network admin refuses to allow anything that might interfere with network traffic. What type of tool could you use that would be a compromise between the two positions?

If you want a tool that will look for vulnerabilities but won't interfere with network traffic, your best compromise will be some type of passive network vulnerability scanner. A "passive" scanner waits for data to come to it; it doesn't perform any scans or probes on its own and doesn't interact with the traffic it observes

You want to hire someone to test an application your company just developed. The app handles sensitive data, so you want to limit the amount of information you release about the application to people outside your company. Which of the following testing types are you looking for?

If you want someone to test your application without any knowledge of how the software works internally or how the software was built, then you are looking for a black-box testing service. Black-box testing examines the functionality of the software with no knowledge of the data structure in use or internal workings of the software

Your organization wants someone to examine your intranet portal to assess the threat from a malicious insider. What kind of testing is the most appropriate for this situation?

If you want to assess the threat from a malicious insider, you will most likely use credentialed testing. Credentialed testing uses a set of valid user credentials when tests are conducted. This allows the tester to examine the application from the same viewpoint and with the same permissions as a valid user would have

Your boss is trying to find more information about port-based network access control. Which of the following IEEE standards should she be looking at?

If your boss is researching port-based network access control, then she should be looking at IEEE 802.1x

You've noticed some strange behavior today on your organization's system. This morning things were working fine, but now when you enter the URL for your company's main web page, you get a web page written in a foreign language. Which of the following attacks is occurring at your organization?

In a DNS poisoning attack, the attacker attempts to corrupt DNS servers or DNS caches in a way that returns an incorrect IP address when DNS resolution takes place. This type of attack is commonly used to divert traffic to one of the attacker's systems

Due to your good work on the website, the CISO has asked for your help with random behavior occurring on the Wi-Fi system. In some parts of the building the wireless signal is available but does not allow any traffic through. What measures could help with this issue?

Interference can be caused by devices emitting 2.4-GHz signals, such as cordless phones or microwave ovens. Rogue access points are often configured on the default channel, which can interfere with the properly configured corporate wireless system. Site surveys can identify dead spots and possible bad equipment

Your organization has a computer in an open lobby at the front of the building. The system is secured in a locked cabinet at night, but someone has been unplugging the PC from the wall and using the network jack behind the desk to surf the Internet with another computer. What type of mitigation technique could you use to stop unauthorized use of that network jack?

MAC filtering techniques can control which MAC addresses are allowed to send or receive traffic across specific switch ports. If you were to lock down that network jack to the MAC address of the PC in the locked cabinet, that would help stop anyone else from using the network jack without permission

How is near field communication like Ethernet?

Near field communication does not have an integrated encryption functionality and relies on higher-level protocols to provide security

A buffer overflow attack was launched against one of your Windows-based web servers. You'd like to know what process was affected on the server itself. Where might you look for clues as to what process was affected?

On a Windows-based server, the best place to look for information about what processes were affected by a buffer overflow attack would be the application logs

Your organization is having a serious problem with people bringing in laptops and tablets from home and connecting them to the corporate network. The organization already has a policy against this, but it doesn't seem to help. Which of the following mitigation techniques might help with this situation?

Rogue machine detection is a mitigation technique to find unwanted, unauthorized devices and systems on your network. Once you've discovered the rogue machines, you can track them down and discipline those responsible for connecting them to the network.

What makes a website vulnerable to SQL injection?

SQL injection is accomplished by using a delimiter or other SQL command structures inside an input field that has poor input filtering. The web page then passes the field on to the database, which then executes the injected command

What change should you make to prevent session hijacking?

Session hijacking can be prevented by using encryption for the entire site, preventing an attacker from stealing an already established user session

Everyone in your organization's sales department received an e-mail stating they were going to receive an award as the salesperson of the year. At the end of the e-mail was a link that would allow them to enter the name they wanted to be placed on the award they would receive. The e-mail turned out to be a fake, and clicking the link infected the user's computer with malware. What type of activity is this?

Spear Phishing uses fraudulent e-mails targeted at a specific organization or group within an organization. The attack is much more selective and targeted than a phishing attack

Explain to your coworker the key difference between cross-site request forgery (XSRF) and cross-site scripting (XSS)

XSRF exploits the trust a site has in the user's browser, while XSS exploits the trust a user has for the site

Your boss wants you to come up with a "set starting point" for all the Windows 8 workstations in your organization. He wants you to build a golden image that's secure and can be used to load all the other desktops before any department-specific software is loaded. What has your boss asked you to create?

Your boss asked you to create an initial baseline configuration. The configuration you develop will become the starting point for all Windows 8 desktops. While the desktops may look different as department-specific software packages are loaded, they will all start off with the same attributes and security configuration from that initial baseline

Your boss just read an article about how companies are setting up fake websites to trick attackers into focusing on the fake website instead of the actual production systems. Now he wants you to build something similar for your DMZ. He tells you to "make it inviting" to the attacker. What is your boss really asking you to set up?

Your boss is really looking for a honeypot: a system that is intentionally set up with vulnerabilities and misconfigurations to make it attractive to potential attackers. Honeypots are often used to study the methods and tools attackers use

Your friend's computer is showing a pop-up that reads "WARNING! Your computer has been used in illegal activities and has been locked by the authorities. To access your computer you must pay a fine to..." Nothing your friend does will get rid of the pop-up and they can't use their computer. What has your friend's computer been infected with?

Your friend's computer has been infected with ransomware, software designed to block access to a system until a "ransom" is paid

Which of the following tools or methods is most likely to show you which servers in your server farm allow anonymous access to share, have TCP port 80 open, and are running an old version of PHP? a. protocol analyzer b. port scanner c. vulnerability scanner d. baseline review

C. A vulnerability scanner is the only tool or method listed that will supply all three pieces of information. A port scanner could tell you whether or not port 80 is open, but would not test for share access or vulnerable versions of PHP. Most vulnerability scanners, such as Nessus, will perform basic TCP port scanning as well as scanning for misconfigurations, insecure versions of software, and so on.

Which of the following correctly defines SQL injection? a. modifying a database query statement through false input to a function b. the process by which application programs manipulate strings to a base form c. inputs to web applications that are processed by different parsers d. character code set that allows multi-language capability

A. SQL injection is modifying a database query statement through false input to a function

Which of the following is one of the most common web attack methodologies? a. cross-site scripting (XSS) b. cross-site request forgery (XSRF) c. buffer overflow d. session hijacking

A. Cross-site scripting (XSS) is one of the most common web attack methodologies

The _____ defines the proper configuration settings for an application

application configuration baseline

Input validation is especially well suited for the following vulnerabilities: __________, ___________, and ________.

buffer overflow, reliance on untrusted inputs in a security decision, cross-site scripting (XSS), cross-site request forgery (XSRF), path traversal, and incorrect calculation of buffer size

The best process to use for determining unexpected input validation problems is ______.

fuzzing

The two elements of application hardening are _____ and _____

removing unneeded service/options; securing the remaining configuration
