CS 249
What is RADIUS? What advantage does it have over TACACS?
RADIUS or "AuthenticationDial-In User Service" works to help allow a user to log in and work remotely it first comes as a request remotely from (hopefully) an authorized worker, it then goes over to a remote access server to deal with authentication, it is then sent to the radius server to confirm or deny the request, then the yes or no signal is sent back to the remote access server and back to the client toconfirm the connection request
How do screened host architectures for firewalls differ from screened subnet firewall architectures? Which of these offers more security for the information assets that remain on the trusted network?
Screened host firewalls combine the packet filtering router with a separate, dedicated firewall, such as an application proxy server. This approach allows the router to prescreen packets to minimize the network traffic and load on the internal proxy. The architecture of screened subnet firewall provides a DMZ. The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet. Screened subnet firewalls offers more security than screen host firewall.
What special function does a cache server perform? Why is this useful for larger organizations?
A cache server is a server that basically makes available frequently used pages. For example, big corporations use cache servers to make sure pages that they use to market their products are basically pre-rendered and ready to send instead of asking for a full request from a webpage host. It also adds an additional layer of protection against attacks as only portions of a website can be attacked at a time.
Why do many organizations ban port scanning activities on their internal networks? Why would ISPs ban outbound port scanning by their customers?
Many organizations ban port scanning on their internal networks because this could be an easy way for a hacker to footprint a large number of computers quickly. Also, port scanning takes up un-necessary system and network resources. This slow down can cause an unproductive office if it is done often or on a large scale. ISPs may ban outbound port scanning because this can be considered a DoS, which could lead to law suits, and on large ISPs with broadband users, their customer computers could be used as drone computers to DoS a large network or system.
List and describe the actions that should be taken during an incident response.
Notification and Documentation
How is an application layer firewall different from a packet filtering firewall? Why is an application layer firewall sometimes called a proxy server?
Packet filtering firewall functions on the IP level and determines whether to allow or deny and packets based on the information in their packet heading and if this information violates a rule in the firewall settings.
What is the name for the broad process of planning for the unexpected? What are its three primary components?
1) Business Impact Analysis (BIA) 2) Incident Response Plan 3) Disaster Recovery Plan 4) Business Continuity Plan
List the seven-step CP process as defined by the NIST. Why is it the recommended standard approach to the process?
1) Develop CP policy statement 2) Conduct BIA 3) Identify preventative controls 4) Develop recovery strategies 5) Develop IT contingency plan 6) Plan testing, training, and exercises 7) Plan maintenanceIt is a tested methodology.
List and describe the three criteria used to determine whether an actual incident is occurring.
1) It is directed against information assets 2) It has a realistic chance of success 3) It threatens the confidentiality, integrity, or availability of information resources and assetsPossible, probable, definite
What percentage of businesses that do not have a disaster plan go out of business after a major loss
40%
What is a DMZ? Is this really a good name for the function that this type of subnet performs?
A DMZ works as sort of a middle ground between an untrusted network and a trusted network, usually between two firewalls. I believe it is a proper name for the technology as it helps with being an area where nobody can really do anything, unless somebody is tapped directly into the line itself.
How does a network-based IDPS differ from a host-based IDPS?
A network based IDS resides on a network segment and monitors activity across that segment, a host based IDS resides on a particular computer or server, known as the host and monitors activity only on that system.
What kind of data and information can be found using a packet sniffer?
A packet sniffer can be used to collect and view all packets on a network, or for a certain set of addresses. It will show encrypted and clear text transmissions, and allow an administrator or hacker to view these packets. If the packets are in clear text, all the text can be easily viewed. Such occasions where packets are in clear text are services such as FTP, E-Mail, and Instant messengers. There are upgraded services for each of these to allow for SSL encryption.
What is evidentiary material?
Also known as items of potential evidentiary value, any information that could potentially support the organization's legal- based or policy- based case against a suspect.
What is an alert roster? What is an alert message? Describe the two ways they can be used.
An Alert Roster is documentation containing contact information on the specified people to be notified in the event of an actual incident occurrence. Alert Messages are a scripted description of the specified incident. The messages would be sent to the specified people on the roster.
Why should continuity plans be tested and rehearsed?
An untested plan is not really a useable plan. Without testing and/or rehearsal the quality of the plan and its ability to accomplish its objective to shorten recovery time is unknown. One key objective of this type of planning is to remove as many unknown factors as possible. Testing can also reveal hidden flaws in the plan which can be repaired before the plan is needed for actual use.
What criteria should be used when considering whether or not to involve law enforcement agencies during an incident?
Answer: Law enforcement should be involved in all issues where a criminal act has been detected. For acts not deemed to be criminal the decision to involve law enforcement should be based on the needs of the organization to prosecute a computer crime. Law enforcement will be able to handle warrants and subpoenas necessary and are better equipped at processing evidence and, in some cases, computer forensics. Involving law enforcement may, however, involve the loss of control of the investigation, a failure to be kept informed as to the status of the investigation, and possibly the tagging and seizure of information assets vital to the organization's ongoing business operations.
Define asymmetric encryption. Why would it be of interest to information security professionals?
Asymmetric cryptography or public-key cryptography is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely.Security professionals need to ensure that first they have the correct keys to unlock the information and they also need to ensure that they safeguard those keys so that don't fall into the wrong hands.
Explain the key differences between symmetric and asymmetric encryption. Which can the computer process faster? Which lowers the costs associated with key management?
Asymmetric encryption uses a public key system with a private key, while symmetric encryption uses a private key only. Symmetric encryption systems are almost always more efficient when viewed only in terms of computing efficiency, however, asymmetric systems offer a lower total cost of ownership due to the ease of key management compared to symmetric systems. This is based on the fact that advanced PKI systems can make such hybrid systems vastly easier to use.
What is the difference between authentication and authorization? Can a system permit authorization without authentication? Why or why not?
Authentication is a process of identifying a user based on their credentials (means user id and password). Authorization is process of determining whether an authenticated user is allowed to access a specific resource or not.If a system isn't set up correctly you might gain authorization to use the system but maybe certain areas might require you to be authenticated before you continue.
Which two communities of interest are usually associated with contingency planning? Which community must give authority to ensure broad support for the plans?
Businesses and federal agencies. Need support from the general business community.
What is a VPN? Why is it becoming more widely used?
Content filters are basically filters that are put locally on a client computer, or as part of a firewall that help with managing content a client or computer is using. They are really great because they help block out NSFW content and potentially dangerous material from entering a network. They can be set up alongside a firewall within an organization's network internally, or installed on a client computer
What is digital forensics, and when is it used in a business setting?
Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. Digital forensics is used in a business setting to investigate what happened in the event of a policy or legal violation on the part of an employee, contractors or outsider, or in the event of an attack on a physical or information asset.
What is a disaster recovery plan, and why is it important to the organization?
Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or manmade. The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located.
List and describe several containment strategies given in the text. On which tasks do they focus?
Disconnecting the affected communication circuits, Disable any compromised user accounts, Reconfigure the firewalls to block any potentially problematic traffic, Stop all the computers and any other network devices, Taking down the conduit application(s) or the server(s)
List and describe the three sets of procedures used to detect, contain, and resolve an incident
During the incident: Planners develop and document the procedures that must be performed during the incidentThese procedures are grouped and assigned to various rolesThe planning committee drafts a set of function-specific procedures After the incident: Once the procedures for handling an incident are drafted, planners develop and document the procedures that must be performed immediately after the incident has ceasedSeparate functional areas may develop different procedures Before the incident: Planners draft a third set of procedures, those tasks that must be performed in advance of the incident
What is network foot printing? What is network fingerprinting? How are they related?
Footprinting is the organized research of the Internet addresses owned or controlled by a target organization. The attacker uses public Internet data sources to perform keyword searches to identify the network addresses of the organization. This research is augmented by browsing the organization's Web pages. Web pages usually contain quantities of information about internal systems, individuals developing Web pages, and other tidbits, which can be used for social engineering attacks. The next phase of the attack protocol is a second intelligence or data-gathering process called fingerprinting. This is a systematic survey of all of the target organization's Internet addresses (which were collected during the footprinting phase described above); the survey is conducted to ascertain the network services offered by the hosts in that range. Complete fingerprinting requires the knowledge of the Internet presences of the target that is collected in the footprinting process.
One tenet of cryptography is that increasing the work factor to break a code increases the security of that code. Why is that true?
Increasing the work factor can make your encrypted content very secure because it will force any potential attacker to take much effort and a long time (perhaps centuries) to crack. Most business information will have lost a significant portion of its value in that time.
What are the main components of cryptology?
Is the process of deciphering the original message (or plaintext) from an encrypted message (or ciphertext), without knowing the algorithms and keys used to perform the encryption.
What is the most widely accepted biometric authorization technology? Why do you think this technology is acceptable to users?
Signature capturing is widely accepted as a biometric authorization technology. It is due to the fact that signatures are saved and references or compared to a database that are saved signatures.
What is the typical relationship between the untrusted network, the firewall and the trusted network?
Simply put, the untrusted network (IE: the internet) is on the 'outside' of the Firewall, logically separating it from the trusted network, which you want to keep safe. In this way, you can think of the Firewall as the outer gates of your protected network.
Which types of organizations might use a unified continuity plan? Which types of organizations might use the various contingency planning components as separate plans? Why?
Small to medium sized organizations might use unified contingency plans because it concise and easier to test. Large organizations do not use unified because it would be an overwhelming document to write or test.
List and describe the four teams that perform the planning and execution of the CP plans and processes. What is the primary role of each?
The CP team - collects information about information systems and the threats they face, conducts the BIA, and creates CPs. Include champion, manager, and team members. The incident recovery (IR) team - manages and executes the IR plan by detecting, evaluating, and responding to incidents.
What is a business continuity plan and why is it important?
The business continuity planning (BCP) ensures that critical business functions can continue if a disaster occurs. It is important because it focuses on re-establishing critical business functions at an alternate site.
What is the purpose of the business impact analysis (BIA)?
The business impact analysis provides the CP team information about the systems and the threats they face. The BIA is used for providing crucial scenarios so they can prepare for probable disasters.
What is the most effective biometric authorization technology?
The most effective biometric authorization technology is iris scan, due to its unique patterns.
Explain the relationship between plaintext and ciphertext.
They have the same semantic content, except that ciphertext is text has had the content concealed from unauthorized usage by being encrypted.
Why is TCP port 80 always of critical importance when securing an organization's network?
This is usually associated with a web server, which could contain critical data that is viewed by a large audience. If a web server was hacked, or a server put up on a machine on port 80, it could jeopardize the company's security and security assurance. If there is not a web server up and running, there is no reason for port 80 to be active.
Define the term incident as used in the context of IRP. How is it related to the concept of incident response?
incident - an unexpected event that may compromise information resources and assets. Incident response is a set of procedures that commence when an incident is detected.
What is a incident classification?
the process of examining an adverse envent or incident candidate and determing wither it constitutes an actual .