Module 1: Layered Defense
A network-based Intrusion ___________________ System is designed to monitor the network for attacks, and when an attack is observed, take steps to keep the attack from spreading or continuing.
Prevention
Which three of the following are kinds of protection offered by a host-based Intrusion Prevention System (IPS)? Select one or more: a. Analysis of encrypted network traffic (before it has been encrypted, or after it has been decrypted). b. Monitoring of log files. c. Analysis of program (i.e. process or application) activity. d. Analysis of network traffic patterns, monitoring increases and decreases in the amount of network traffic.
a, b, c
How does a host-based Intrusion Detection System (IDS) differ from a network-based IDS? Select one: a. A host-based IDS monitors a single computer, and examines items like log files and CPU load that a network-based IDS would not be able to examine. b. A host-based IDS provides a "birds-eye view" of network traffic, while a network-based IDS monitors individual resources. c. A host-based IDS monitors only network traffic, while a network-based IDS monitors encrypted traffic. d. A host-based IDS uses simple probes or sensors that are set up through the network, and a network-based IDS monitors only individual resources.
a. A host-based IDS monitors a single computer, and examines items like log files and CPU load that a network-based IDS would not be able to examine.
What does a host-based IDS monitor? Select one: a. A single computer b. A small local area network c. A computer network d. A series of Internet Provider servers
a. A single computer
Stateful packet inspection firewalls enhance the security of a network by doing what? Select one: a. Blocking packets that are inconsistent with allowed network connections (through configuration). b. Blocking packets that are known to originate from hostile (blocked) IP addresses. c. Blocking packets that carry prohibited data, like streaming media. d. Blocking packets that contain viruses, worms, Trojans, or other malware in the payload.
a. Blocking packets that are inconsistent with allowed network connections (through configuration).
How are NAT and PAT firewalls similar? Select one: a. Both allow a large number of systems to share a smaller number of public IP addresses for Internet access. b. Both examine network traffic, watching for deviations from normal, and shut down Internet access when there are signs that an attack is underway. c. Both utilize artificial intelligence to determine when network traffic should be rejected. d. Both monitor incoming traffic for viruses, worms, Trojans, or other malware that is being downloaded onto the protected network.
a. Both allow a large number of systems to share a smaller number of public IP addresses for Internet access.
Which of the following is a reason why an organization might bridge networks in two locations via a VPN? Select one: a. Cost savings - the ability to connect or bridge two networks using the Internet is lower cost than leased lines. b. Reliability - using only one set of network resources increases reliability (single point of failure). c. Speed - it is faster to have only a single network. d. None of these are reasons why an organization may utilize a VPN.
a. Cost savings - the ability to connect or bridge two networks using the Internet is lower cost than leased lines.
How does an Intrusion Prevention System (IPS) differ from an Intrusion Detection System (IDS)? Select one: a. In the way it responds to attacks and intrusions. b. In the type(s) of detection technology used (anomaly, signature/rule, etc.). c. In the types of threat that can be detected. d. In the place where monitoring occurs (on each individual computer vs. the entire network).
a. In the way it responds to attacks and intrusions.
Syslog functions as a: Select one: a. System logging service, receiving event messages from other parts of the operating system and outputting those messages to the correct log file or console. b. Log file analyzer, allowing administrators to extract pertinent information from large log files. c. Log file parsing utility, allowing administrators to quickly scan event logs for the information they need. d. Log file compression utility that prevents log files from becoming too large.
a. System logging service, receiving event messages from other parts of the operating system and outputting those messages to the correct log file or console.
What is the fastest way for an attacker to gain unauthorized access to encrypted information (assuming a strong cipher was chosen)? Select one: a. Theft of the key. b. Crypto-analysis of the cipher. c. Side-channel attack of the encryption key. d. Brute-force cracking of the encryption key.
a. Theft of the key.
What is the purpose of an Intrusion Prevention System (IPS)? Select one: a. To monitor for signs of intrusion or attack, and take action to stop the attack from spreading or proceeding further. b. To block user activities that are deemed to be dangerous or in violation of the acceptable use policy (AUP). c. To block unwanted network traffic from reaching its intended destination. d. To monitor for signs of intrusion or attack, and alert administrators when one is observed.
a. To monitor for signs of intrusion or attack, and take action to stop the attack from spreading or proceeding further.
PAT firewalls cannot be purchased in reality. The concept of a PAT firewall is really just the implementation of a feature on a router or firewall. When implemented on a router, this feature is often called: Select one: a. Virtual IP Address. b. Address Overloading. c. Port Forwarding. d. Link Local Address.
b. Address Overloading.
Which of the following describes how anomaly detection (used in IDSs and IPSs) works? Select one: a. Anomaly detection monitors the activities of computer users for signs of corporate espionage or insider attacks. b. Anomaly detection monitors activities for deviations from normal behavior, which might indicate that an attack is underway or has taken place. c. Anomaly detection compares observed activities to a database of known attacks, watching for similarities that could indicate an attack is underway or has taken place. d. Anomaly detection is a series of audit techniques designed to ensure that system administrators are not being overly restrictive or abusive of power.
b. Anomaly detection monitors activities for deviations from normal behavior, which might indicate that an attack is underway or has taken place.
Logging is the gathering of data with the intention of ________. Select one or more: a. Launching defensive attacks b. Ensuring accurate data c. Analyzing data to prevent future attacks d. Attempting to identify the attacker
b. Ensuring accurate data c. Analyzing data to prevent future attacks
Disk partitioning is virtualization in its most complicated form. Select one: a. True b. False
b. False
Firewalls have been proven to be a very important component of a layered defense. This fact has led to a progressive increase in both their popularity and in the number of variations of firewalls that have been introduced into the marketplace. Which one of the following is NOT a common firewall variation? Select one: a. Stateful packet inspection (SPI) firewalls b. Host-based firewalls c. Application layer firewalls d. NAT and PAT firewalls
b. Host-based firewalls
Which of the following describes an Intrusion Detection System? Select one: a. It is a system that scans network traffic for dropped packets that fit the guidelines of acceptable traffic. b. It is a system that monitors computer or computer network activities to detect attack patterns and/or abnormal behavior, and notifies administrators or logs a possible attack. c. It is a system that monitors a computer or computer network, and actively takes steps to isolate an attacker when an attack is observed. d. It is a system that only scans individual computers for direct signs of infection by viruses, worms, and Trojans.
b. It is a system that monitors computer or computer network activities to detect attack patterns and/or abnormal behavior, and notifies administrators or logs a possible attack.
What does a host-based Intrusion Detection System (IDS) do? Select one: a. It monitors network traffic for signs that encrypted data may have been compromised. b. It monitors a variety of things like CPU load, log files, and network activity for signs that the local system may be under attack, reporting its findings to an administrator. c. It monitors network traffic, both incoming and outgoing, for signs that the network may be under attack. d. It monitors a variety of things like CPU load, log files, and network activity for signs that the local system may be under attack, taking steps to isolate an attacker if an intrusion is detected.
b. It monitors a variety of things like CPU load, log files, and network activity for signs that the local system may be under attack, reporting its findings to an administrator.
Virtualization is a _________ of physical devices. Select one: a. Complex version b. Logical representation c. Transparent d. Hybrid version
b. Logical representation
What kind of protection is offered by a network-based Intrusion Prevention System (IPS)? Select one: a. Monitoring of log files of each system connected to the network. b. Monitoring of the entire or most of activity on a network. c. Monitoring of program (i.e. process, application) activity on each individual computer on the network. d. Monitoring of user activities to ensure that corporate espionage is not occurring. e. Describe the protection offered by host IPS.
b. Monitoring of the entire or most of activity on a network.
Which of the following is a drawback of signature based detection? Select one: a. The need to catalog signatures of system users. b. The need to update definition files in order to offer defense against the latest techniques employed by hackers. c. The cost of the platforms required. d. The rate at which hackers can discover the signatures of a company.
b. The need to update definition files in order to offer defense against the latest techniques employed by hackers.
What is stateful packet inspection (SPI)? Select one: a. The evaluation of network traffic to see if it is consistent with the normal behavior of common application layer protocols (HTTP, SMTP, DNS, etc.). b. The validation of incoming network packets against the known state of the connection. For example, a SYN-ACK packet would be dropped unless a SYN packet had been transmitted to the remote computer/server first. c. An integrity checking scheme designed to ensure that the system whose address is listed in the "SOURCE" field of the packet really is the system that transmitted the packet. d. The examination of incoming network packets for signs that they are transporting viruses, Trojans, or worms.
b. The validation of incoming network packets against the known state of the connection. For example, a SYN-ACK packet would be dropped unless a SYN packet had been transmitted to the remote computer/server first.
Which of the following statements describes an application layer firewall? Select one: a. This is a firewall that runs locally on each individual computer, instead of on the network. b. This is a firewall that understands common application layer protocols (HTTP, SMTP, DNS, etc.) and can block network activity when a connection begins exhibiting abnormal behavior for that protocol. c. This is a firewall that prevents users from accessing certain types of media, like Internet radio. d. This is a firewall that blocks network traffic by examining its intended recipient's IP address and TCP port number.
b. This is a firewall that understands common application layer protocols (HTTP, SMTP, DNS, etc.) and can block network activity when a connection begins exhibiting abnormal behavior for that protocol.
What are Intrusion Detection Systems (IDS) used for? Select one: a. To monitor activities on a computer or computer network and, when a possible attack is observed, intervene and prevent the attack from spreading. b. To monitor activities on a computer or computer network and alert administrators when a possible attack or abnormality is observed. c. To block viruses and Trojans from being downloaded onto protected computers. d. To monitor a user's activities to ensure that his/her computer usage is consistent with the organization's Acceptable Use Policy (AUP).
b. To monitor activities on a computer or computer network and alert administrators when a possible attack or abnormality is observed.
Which of the following is sometimes used to encrypt data at the data-link layer of the TCP/IP stack? Select one: a. IPsec b. WPA / WPA2 c. TLS d. SSL
b. WPA / WPA2
AES can utilize keys of __________ bits in length. Select one: a. 512 b. 392 c. 256 d. 148
c. 256
What does a host-based Intrusion Detection System do? Select one: a. A host-based IDS does a better job of filtering unwanted network traffic, since it only has to monitor traffic for one system. b. A host-based IDS examines network traffic after it has been encrypted and monitors for signs that the encryption may have been defeated by an attacker. c. A host-based IDS monitors a single computer for signs of attack. It is capable of gathering information, like CPU load, that a network-based IDS cannot. d. A host-based IDS monitors the user's activities and ensures that the user is using the computer in accordance with the Acceptable Use Policy (AUP) of his corporation.
c. A host-based IDS monitors a single computer for signs of attack. It is capable of gathering information, like CPU load, that a network-based IDS cannot.
What is signature based detection (used in IDSs and IPSs)? Select one: a. A technique for verifying someone's identity on the Internet. b. A technique for isolating attackers who breach perimeter defenses. c. A technique for detecting potential intrusions and attacks. d. A technique for ensuring that information has not been altered during transmission.
c. A technique for detecting potential intrusions and attacks.
Which of the following ciphers is considered to be the most secure, according to NIST recommendations? Select one: a. RC4. b. DES. c. AES. d. 3DES.
c. AES.
Which of the following does NOT describe anomaly detection (used in IDSs and IPSs)? Select one: a. Anomaly detection may have a higher false positive error rate when first used. b. Anomaly detection monitors activities for deviations from normal behavior which may indicate an attack is occurring. c. Anomaly detection compares current activities to a database of known attacks, alerting administrators when a match is found. d. Anomaly detection may use artificial intelligence to "learn" what constitutes normal behavior.
c. Anomaly detection compares current activities to a database of known attacks, alerting administrators when a match is found.
Which cipher, which is still widely used, is being phased out in favor of the new AES cipher? Select one: a. ROT-13 b. MD5 c. DES / 3DES d. TLS
c. DES / 3DES
Regarding Virtual Private Networks (VPNs), what is tunneling? Select one: a. Using the recipient's public key to encrypt data prior to transmission, thereby ensuring that the data cannot be decrypted except by the intended user. b. Using a packet's payload to generate a hash (known as a message digest), then packaging that hash along with the original payload as a means of verifying the integrity of the packet. c. Encrypting a packet as it leaves one network, placing it inside another packet for transmission to the remote client/network, then decrypting it prior to delivery. d. Verifying one party's identity with a trusted third party.
c. Encrypting a packet as it leaves one network, placing it inside another packet for transmission to the remote client/network, then decrypting it prior to delivery.
What does a host-based IPS do? Select one: a. A host-based IPS can examine network traffic after it has been decrypted, allowing it to monitor for suspicious activity that would elude a network-based device. b. Monitor the activities on a single computer, notifying the administrator if anything unusual or suspicious is observed. c. Monitor the activities on a single computer, taking steps to block any potentially malicious programs that might be active. d. Monitor the incoming network traffic, blocking unsolicited traffic.
c. Monitor the activities on a single computer, taking steps to block any potentially malicious programs that might be active.
What is the main difference between a NAT firewall and a PAT firewall? Select one: a. NAT firewalls and PAT firewalls are the same thing. b. NAT firewalls are used to share a single public IP address. PAT firewalls are used to protect a network from viruses, worms, and Trojans. c. PAT firewalls are capable of sharing a single IP address. NAT firewalls generally maintain a pool of available IP addresses. d. NAT firewalls are capable of sharing only a single IP address. PAT firewalls generally maintain a pool of available IP addresses.
c. PAT firewalls are capable of sharing a single IP address. NAT firewalls generally maintain a pool of available IP addresses.
What protocol is used on the Internet to secure transmissions, and uses a combination of symmetric and asymmetric cryptography? Select one: a. 3DES b. RC5 c. SSL d. TLS
c. SSL
Which of the following is used to encrypt data at the transport layer of the TCP/IP stack? Select one: a. IPsec. b. WEP. c. TLS. d. WPA / WPA2.
c. TLS.
Application layer firewalls work by examining network traffic to ensure that: Select one: a. The network traffic is not transporting malicious software like viruses, worms, or Trojans. b. Each packet observed is consistent with the current state of a connection. c. The traffic is consistent with the normal behavior of the application layer protocol (HTTP, SMTP, etc.) being used. d. The traffic has not been altered in transit from the sender to the receiver.
c. The traffic is consistent with the normal behavior of the application layer protocol (HTTP, SMTP, etc.) being used.
What is a network-based Intrusion Detection System (IDS)? Select one: a. A system that runs on each individual computer, examining the incoming and outgoing network traffic for signs that it is participating in a bot-net. b. A system that blocks incoming network traffic that is deemed to be carrying unauthorized data (like pirated software, music, etc.). c. A system that blocks incoming network traffic from reaching protected systems. d. A system that monitors an entire network for signs of intrusion or attack.
d. A system that monitors an entire network for signs of intrusion or attack.
The four types of symmetric cryptography are: Select one: a. AIS, DES, 8DES, RC9 b. AIS, DE5, 8DES, RCS c. AES, DE5, R2D2, RC4 d. AES, DES, 3DES, RC4
d. AES, DES, 3DES, RC4
Which of the following will apply if security of encryption keys is not maintained? Select one: a. Encrypted information could be decrypted and read by unauthorized parties, resulting in a loss of confidentiality. b. Information could be modified or forged, resulting in a loss of integrity. c. Encryption keys will have to be re-generated and re-issued, and systems reliant upon encryption cannot be considered trusted until this occurs, resulting in a loss of availability. d. All of the above.
d. All of the above.
Which of the following is something that a network IPS will NOT do? Select one: a. Cut off network access to some portion of the network. b. Lock down a workstation. c. Block incoming connections to a critical server. d. Allow unlimited network access to critical employees.
d. Allow unlimited network access to critical employees.
Which of the following describes one common use or deployment of VPNs? Select one: a. Route-to-route b. Peer-to-peer c. Border-to-border d. Client-Server
d. Client-Server
Regarding routers, which plane of operation is responsible for accessing, monitoring, and configuring the device? Select one: a. Data plane b. Administration plane c. Control plane d. Management plane
d. Management plane
Firewalls are designed to: Select one: a. Prevent the functioning of malicious software like spyware and adware. b. Secure data while it is in transit from one system to another. c. Prevent employees from taking sensitive data off the organization's network. d. Prevent unwanted network traffic from reaching the intended computer or network, and from leaving the subnet.
d. Prevent unwanted network traffic from reaching the intended computer or network, and from leaving the subnet.
___________ is the most widely used stream cipher. Select one: a. R2D2 b. 3DES c. AES d. RC4
d. RC4
Why are firewalls used? What is the objective of a firewall? Select one: a. To prevent employees from taking sensitive data off the organization's network. b. To secure data while it is in transit from one system to another. c. To prevent the functioning of malicious software like spyware and adware. d. To prevent unwanted network traffic from reaching the intended computer or network, and from leaving the subnet.
d. To prevent unwanted network traffic from reaching the intended computer or network, and from leaving the subnet.
Which of the following are methodologies used in profile based detection? Select one: a. Fuzzy Logic b. Developmental reasoning c. Artificial Neural Network d. a and c e. a and b
d. a and c
Which of the following protocols is used by IPsec to assure confidentiality of data while it is traveling over a secure tunnel? Select one: a. Transport Layer Security. b. Authentication Header. c. Encapsulating Security Protocol. d. Wired Equivalent Privacy.
not a
What is unique about the security log in Windows? Select one: a. The security log is automatically purged at the beginning of a session. b. Ordinary users cannot read the log, unlike some other types of logs. c. This is a trick question - there is no security log. Security events are stored in the system log. d. The security log is automatically saved to a remote server.
not d