Misy 5320 Quizzes for the final

Which term describes a piece of code that is distributed to allow additional functionality to be added to an existing program?

Add-on

How does an IPS differ from an IDS?

An IPS is passive and an IDS is active.

Which component of an IDS examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database?

Analysis engine

What is one difference between the misuse and anomaly IDS models?

Anomaly models require knowledge of normal activity, whereas misuse models do not.

____________________ is a system that uses digital signatures and allows Windows users to determine who produced a specific piece of code and whether or not the code has been altered.

Authenticode

Which attack technique involves sending an unauthorized message to another Bluetooth device?

Bluejacking

An attacker who uses Bluetooth to copy e-mails, contact lists, or other files on a device is __________.

Bluesnarfing

An attacker purposely sends a program more data for input than it was designed to handle. What type of attack does this represent?

Buffer overflow

Microsoft produced a forensic tool for law enforcement called ____________________.

COFEE

Which term refers to a specific technique of using an HTTP client to handle authentication on a wireless network?

Captive portal

What is a method of establishing authenticity of specific objects, such as an individual's public key or downloaded software?

Certificates

What is one security issue associated with WTLS?

Clients with low memory or CPU capabilities cannot support encryption.

Which alternative site provides the basic environmental controls necessary to operate, but has few of the computing components necessary for processing?

Cold site

Which indicator of compromise (IOC) standard is a method of information sharing developed by MITRE?

Cyber Observable eXpression (CybOX)

A person registers a domain name, relinquishes it in less than five days, and then gets the same name again. She repeats this cycle over and over again. What term describes this practice?

DNS kiting

Which backup requires a small amount of space and is considered to have a complex restoration process?

Delta

What is an advantage of detecting indicators of compromise (IOCs)?

Detecting IOCs is a quick way to jumpstart a response element.

Oral testimony that proves a specific fact with no inferences or presumptions is which type of evidence?

Direct evidence

Which plan defines the data and resources necessary and the steps required to restore critical organizational processes?

Disaster recovery plan (DRP)

Which access control type would you use to allow a file or resource owner the ability to change the permissions on that file or resource?

Discretionary access control

In an "old school" attack, which step is a listing of the systems and vulnerabilities to build an attack game plan.

Enumeration

What application is associated with TCP Ports 20 and 21?

FTP

What application is associated with TCP Ports 989 and 990?

FTPS

Which plug-in helps a browser maintain an HTTPS connection and gives a warning when it is not present?

HTTPS Everywhere

Which of the following has the least volatile data?

Hard disk

Which term refers to a key measure used to prioritize actions throughout the incident response process?

Information criticality

____________________ is a form of denial of service, specifically against the radio spectrum aspect of wireless.

Jamming

Which term is a mechanism where traffic is directed to identical servers based on availability?

Load balancing

What term refers to a piece of code that sits dormant for a period of time until some event invokes its malicious payload?

Logic bomb

How do most advanced persistent threats (APTs) begin?

Most APTs begin through a phishing or spear phishing attack.

What DRP category would a business function fall under if an organization could last without that function for up to 30 days before the business was severely impacted?

Necessary for normal processing

What tool is the protocol/standard for the collection of network metadata on the flows of network traffic?

NetFlow

Which term refers to the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions?

Network security monitoring (NSM)

Which term refers to a hardware device that can be placed inline on a network connection and that will copy traffic passing through the tap to a second set of interfaces on the tap?

Network tap

Which browser plug-in allows the user to determine which domains have trusted scripts?

NoScript

Which protocol involves a two-way handshake in which the username and password are sent across the link in cleartext?

PAP

What name is given to a logical storage unit that is subsequently used by an operating system?

Partition

____________________ management is the process of restricting a user's ability to interact with the computer system.

Privilege

____________________ is a process of isolating an object from its surroundings, preventing normal access methods.

Quarantine

Which RAID configuration, known as striped disks, simply spreads the data that would be kept on the one disk across several disks?

RAID 0

Which RAID configuration, known as mirrored disks, copies the data from one disk onto two or more disks?

RAID 1

Which RAID configuration is known as bit-level error-correcting code and not typically used, as it stripes data across the drives at the bit level as opposed to the block level?

RAID 2

Tangible objects that prove or disprove fact are what type of evidence?

Real evidence

Which strategy is focused on backup frequency?

Recovery point objective (RPO)

Which type of attack occurs when the attacker captures a portion of a communication between two parties and retransmits it at a later time?

Replay

Which access control type would be used to grant permissions based on the specific duties that must be performed?

Role-based access control

Which access control type allows a company to restrict employee logon hours?

Rule-based access control

A(n) ____________________ has the ability to copy network traffic passing through one or more ports on a switch or one or more VLANs on a switch and forward that copied traffic to a port designated for traffic capture and analysis.

SPAN

What protocol has its origins as a replacement for the insecure Telnet application from the UNIX operating system?

SSH

When using Secure FTP (SFTP) for confidential transfer, what protocol is combined with FTP to accomplish this task?

Secure Shell (SSH)

What is a software bomb?

Software that can destroy or modify files when commands are executed on the computer

What type of software records and reports activities of the user (typically without their knowledge)?

Spyware

The process of taking control of an already existing session between a client and a server is known as __________.

TCP/IP hijacking

Which statement describes the primary purpose of JavaScript?

The primary purpose of JavaScript is to enable features such as validation of forms before they are submitted to the server.

What should an incident response team do when they are notified of a potential incident?

The team should confirm the existence, scope, and magnitude of the event and then respond accordingly.

Which term refers to a unique alphanumeric identifier for a user of a computer system?

Username

What term refers to an attacker's attempt to discover unprotected modem connections to computer systems and networks?

War-dialing

An 802.11 device marked as Wi-Fi Certified adheres to the standards of the __________.

Wi-Fi Alliance

Which advanced malware tool assists security engineers in hunting down malware infections based on artifacts that the malware leaves behind in memory?

Yara

A(n) ____________________ is an 802.11 management frame for the network and contains several different fields, such as the time stamp and beacon interval, but most importantly the SSID.

beacon frame

The so-called WAP gap involves the __________ of information where the two different networks meet, the WAP gateways.

confidentiality

A honeypot is sometimes called a(n) __________.

digital sandbox

The hashing algorithm applies mathematical operations to a data stream (or file) to calculate some number, the ____________________, that is unique based on the information contained in the data stream (or file).

hash

A(n) ____________________ is an artificial environment where attackers can be contained and observed, without putting real systems at risk.

honeypot

The ____________________is used in wireless systems as the randomization element at the beginning of a connection.

initialization vector

A(n) ____________________ is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it.

integer overflow

Once you realize you need to preserve evidence, you must use a(n) ____________________, or litigation hold, process by which you properly preserve any and all digital evidence related to a potential case.

legal hold

The term __________ refers to software that has been designed for some nefarious purpose.

malware

A __________ is a software or hardware device that is used to observe traffic as it passes through a network on shared broadcast media.

network sniffer

A(n) ____________________ is a connection to a Windows interprocess communications share (IPC$).

null session

If the characteristics of an incident include a large number of packets destined for different services on a machine, a(n) ____________________ is occurring.

port scan

Evidence that is material to the case or has bearing on the matter at hand is known as __________.

relevant evidence

Remote authentication usually takes the common form of an end user submitting his credentials via an established protocol to a(n) ____________________, which acts upon those credentials, either granting or denying access.

remote access server

A(n) ____________________ relationship means that the trust relationship extended to one domain will be extended to any other domain trusted by that domain.

transitive trust

When analyzing computer storage components, a system specially designed for forensic examination, known as a forensic____________________, can be used.

workstation

____________________ is a standardized schema for the communication of observed data from the operational domain.

Cyber Observable eXpression

Which term defines a collection of predefined activity patterns that have already been identified and categorized—patterns that typically indicate suspicious or malicious activity?

Signature database