CSS 1012 Final (Chpt 9-13)
What are other measures you can do to protect information on an isolated machine?
Encryption, Message filtering, data encapsulation, redundancy, backups
What are the advantages and disadvantages of using a proxy server?
Examines contents of packets and filters on contents, Security can be weak depending on configuration, Shields internal host IP addresses, Can slow down network access, Caches Web pages for faster access, Might require configuration of client programs to use the proxy server, Provides a single point of logging, Provides a single point of failure
To keep log files organized, store them on the server you are monitoring. True or False?
False
True or False: An Security Association is bidirectional
False
True or False: Apache is secure right outside the box
False
True or False: DNSSEC provides message confidentiality and protects against DDoS attacks
False
True or False: Freeware firewalls are never as good as paid firewalls
False
True or False: Hardware firewalls will always be more secure than software firewalls, as software firewalls are too hard to properly secure
False
True or False: blocking zone transfers on a DNS server completely prevents information leakage
False
True or False: every security expect agrees that every network should have honeypots
False
True or False: firewalls can single handily keep attackers away from a network
False
True or False: having one machine perform multiple functions as well as running security software for your network is the recommended
False
True or False: if you use a VPN you don't need to use a firewall
False
True or False: it is easy to set up firewall rules for email traffic, as email comes through only through a small number of ports
False
True or False: phishing emails have gotten so good that there is no good way to tell which ones are legitimate and which ones are fakes
False
True or False: preventing malicious code from being entered in Web pages that allow user input is all that a site administrator must do to prevent SQL injections
False
True or False: screening routers can stop plenty of attacks on their own
False
True or False: the AH changes the contents of the message to fit its new header
False
True or False: the OS chosen for a bastion host should have the newest OS available, as attackers haven't had enough time to find vulnerabilities yet
False
True or false: bastion hosts require that they have as much processor power and RAM as possible
False
True or False: you should disable all services on a bastion machine if you know that you don't need all at once
False (Do them one at a time)
True of False: TCP and UDP packets usually vary in size
False (They attempt to keep them the same size as much as possible)
True or False: requests are commonly made to the root server
False (information is usually cached on lower tiered DNSs)
Risk analysis is a group of related activities that typically follow this sequence:
Holding initial team sessions, Conducting asset valuation, Evaluating vulnerability, Calculating risk
Name the VPN protocols and their protocol ID
ICMP, 1, TCP, 6, UDP, 17, GRE, 47, ESP, 50, AH, 51
What does PPTP use to authenticate users?
MS-CHAP
for a firewall rule, if an S follows a protocol, then what does the protocol has in addition to its other features?
SSL
A protocol developed by Netscape Communications Corporation as a way of enabling Web servers and browsers to exchange encrypted information.
SSL (Secure Sockets Layer)
What factors should a secure VPN design address?
Secure connectivity, Encryption, availability, Authentication, Secure management, reliability, scalability, performance
What attack method takes infrared images of the surface of a CPU, which could provide clues about the code being run.
Thermal imaging attack
True or False: Each IPsec connection can perform encryption, encapsulation, authentication, or a combination of the three.
True
True or False: Every system has some sort of security flaw
True
True or False: Firewalls must be correctly configured to prevent attacks, but they can still be vulnerable to new types of attacks
True
True or False: GRE can enable attacks against VPN computers
True
True or False: GRE is considered a stateless protocol
True
True or False: IIS 7 allows you to restrict the activity of ISAPI and CGI components.
True
True or False: IIS supports SSL encryption
True
True or False: If the security policy violation is a criminal offense, such as possessing child pornography, law enforcement officials must be notified and the investigation is turned over to them.
True
True or False: Kerberos allows postdated tickets and renewable tickets but users cannot modify the tickets directly; they must request these flags when requesting their tickets
True
True or False: Multiple firewalls can help you achieve load distribution that keeps heavy traffic flowing through the gateway smoothly.
True
True or False: One DMZ does not provide enough security for many large corporations that are connected to the Internet or do business online.
True
True or False: PPTP might be the best option when VPN connections must pass through a NAT server or firewall
True
True or False: Reliability features are provided only for control packets and not data packets in an L2TP tunnel
True
True or False: Risk analysis is an ongoing operation
True
True or False: SSL/TLS is available on most new VPN hardware devices
True
True or False: you can filter IP addresses by using an address range
True
True or False: you should back up your system before making any major changes to services
True
True or False: you should filter log files coming from the bastion OS to ensure no malformed packets come through
True
What are some popular OSs used for bastion hosts?
Windows server 2008, Red hat linux, FreeBSD Linux
What does TLS/SSL use for authentication?
certificates
A rule base should end with a(n) ____ rule
cleanup
A packet-filtering rule that comes last in a rule base and covers any packets that have not been covered by preceding rules.
cleanup rule
A type of VPN connection that makes a network accessible to remote users who require dial-up access
client to site VPN (aka remote access VPN)
What is a disadvantage of using a software VPN?
configuration can be complex
What two kinds of packets are sent through an L2DP tunnel?
control, data
What are the advantages of software VPNs compared to hardware?
more cost effective, usually integrated with firewalls, increase network security (Since they're connected to a firewall), flexibility
Which of the following attack methods target Web users? (Choose all that apply.) a. social engineering b. phishing c. SQL injection d. pharming
phishing, pharming
What can you do to defend yourself from ActiveX control attacks?
scrutinize them by using security settings on Web browsers
What are the two advantages of using TLS instead of SSL?
uses a hashed Message Authentication Code, protects its data even if one of its methods of encryption becomes vulnerable (splits the data in half, each using a different encryption algorithm)
How can attackers obtain DNS information even after zone transfers are blocked, even though its extremely slow?
using DNS tools to query systems in an org's IP name space one by one
What is one solution to alleviate the issues with using a star configuration for VPN services?
using multiple routers
What is the preferable setup for network defense instead of just having a proxy server also acting as a firewall?
using several software and hardware programs in a coordinated network defense layer
What are the advantages and disadvantages of software commercial enterprise firewalls?
usually installed on a dedicated host, centralized management, real time monitoring, difficult to install and configure, more expensive (Compared to free and commercial software firewalls)
What is the name of an email that circulates around claiming to be in response to a malicious email that has been circulating in an attempt to get users to spam their own network?
virus hoax
What did java applet attacks using Netscape exploit?
vulnerabilities in Netscape Communicator and Navigator, it allowed an attacker to gain unauthorized local and remote file access by forcing the browser to connect to a URL
Which of the following is a common type of SQL injection attack? (Choose all that apply.) a. Web form attack b. browser executable attack c. system tray attack d. query string attack
web form attack, query string attack
When should an organization conduct a new round of risk analysis? a. every month b. every three months c. as frequently as possible d. when equipment or staff change significantly
when equipment or staff change significantly
When are software firewalls appropriate?
when participating networks use different routers and firewalls or when the endpoints are controlled by different organizations and network administrators.
How does a buffer overflow occur?
when the process of pushing instructions onto the stack consumes all the space allocated for the stack
When might you use a DMZ and a three-pronged firewall?
when you need to provide services to the public but you want to make sure attackers cannot access your sources
A _____ proxy server is a good choice for a business network if you plan to upgrade the software as new versions become available.
Commercial
What level of incident is a burglary or other illegal building access?
2
What level of incident is property loss or theft?
2-3
What do professionals suggest rule bases to be no greater than?
30 or 50
What encryption standard is a variation on Data Encryption Standard (DES), but uses three seperate 64-bit keys to process data
3DS (Triple Encryption standard)
What protocol does GRE use and routing?
47, native IPv4 routing
What ports does IKE use by default?
500
AH uses protocol ID . a. 50 b. 171 c. 500 d. 51
51
What port do zone transfers usually occur on?
53
Which port is used for name/address resolution? A. 20 B. 53 C. 80 D. 110
53
How often should you conduct a risk analysis?
6 to 12 months
How long does a Ticket issued by the TGT last?
8 hours
When you request a web page, which port does the Web server use to send you the page?
80
What ports must you allow to allow web access?
80 (HTTP), 443 (443)
In IIS7, unauthenticated, anonymous account users are logged into which account?
IUSR
A firewall policy does which of the following? (choose all that apply.) A. Describes how employees can use the firewall B. Identifies and mitigates risks C. Explains how the firewall is set up, managed, and updated D. Specifies on how the firewall should handle application traffic
Identifies and mitigates risks, explains how the firewall is set up, managed, and updates, specifies on how the firewall should handle application traffic
What layer does SSL operate at?
Network Layer
In a mesh topology, all participants in the VPN have _____ with one another. a. tunnels b. SAs c. static routes d. trusts
SAs
___ does not attack a Web server directly. It attacks the database used to support Web sites housed on the Web server, and more sophisticated attacks can be extended to attack the database server and its partner Web server.
SQL injection
A group of people designated to take countermeasures when an incident is reported.
Security Incident Response Team (SIRT)
A group of authentication and encryption settings that two computers negotiate to set up a secure VPN connection is called which of the following? a. protocol b. Security Association (SA) c. handshake d. key exchange
Security association
Which of the following provides employees with formal instructions about the organization's security strategy? a. acceptable use policy b. risk assessment c. strategy meeting d. security user awareness program
Security user awareness program
What are the general steps to creating a bastion host?
Select a machine with adequate memory and processor speed, Choose and install the OS and any patches or updates, Determine where the bastion host fits in the network configuration, Make sure it is in a safe and controlled physical environment, Install the services you want to provide, or modify existing services, Remove services and (default) accounts that are not needed, Back up the system and its data, including log files, Conduct a security audit, Connect the system to the network.
Other than IP or port number filtering, what other filtering methods are there?
Service (Such as TCP, telnet, etc...), ID field in the IP header, TCP flags
What are the advantages and disadvantages of a screening router?
Simple, inexpensive; good for home applications if a stateful packet filter is used, provides only minimal protection
What is Kerberos also useful for than just authenticating users?
Single Sign On (SSO)
What is teh point of putting firewalls before the DMZ and between the DMZ and the internal network?
So no outsider can scan for ip addresses inside the network
What three IP packet header fields do packet filters look at?
Source IP, Destination IP, protocol ID
What is the name of a notable freeware proxy server?
Squid for Linux
A VPN server configured to receive PPTP traffic listens for incoming connections on port and needs to receive GRE traffic identified by protocol ID. a. UDP 1443, 17 b. TCP 1723, 47 c. UDP 3349, 443 d. UDP 1723, 47
TCP 1723, 47
A protocol designed to secure Internet traffic. Although it has not replaced SSL yet, it offers improvements and is used more widely than SSL for a variety of applications.
TLS (Transport Layer Security)
What is the name of a common method that encapsulates IPv6 datagrams within IPv4 packets?
Teredo
Survivable Network Analysis begins with what assumption? a. that you have laid the groundwork for a risk analysis b. that your network will be attacked c. that the probability of threats is increasing constantly d. that an effective security policy can reduce risks to zero
That your network will be attacked
what are the differences in how AH works for the two IPsec modes: tunnel and trandport
The IP header is rebuilt in tunnel but not in transport
What is the one major concern with using Kerberos?
The KDC (or AS) is a single point of failure, if it goes down nobody can be authenticated
When a VPN encapsulates a packet, what are the packets new source and destination IP address?
The VPN gateway source and destination address
What is an advantage and disadvantages of hardware firewalls?
They do not depend on a conventional OS, more scalable than software, better throughput, more expensive
Which of the following factors enables attackers to program ActiveX controls to run malicious code on a user's Web browser a.They run in a sandbox b. They do not require user action to be activated c.They run automatically when the browser loads the Web page d.They have almost full access to the Windows OS
They do not require user action to be activated, they run automatically when the browser loads the web page, they have almost full access to the Windows OS
True or False: A packet-filtering server (proxy server) can filter out suspicious packets that come from inside the network as a result of Trojan programs or viruses.
True
True or False: A security policy is ever changing
True
True or False: A security policy provides a foundation for an organizations overall security stance
True
True or False: An SSL session makes use of both asymmetric and symmetric keys
True
True or False: An authentication header ensures integrity but not confidentiality
True
True or False: Attackers probe common hardware/software server configurations, such as Windows running Internet Information Services or Linux running Apache Web Server, in an attempt to discover security holes.
True
____ is a router at each network gateway that encrypts outbound packets and decrypts inbound packets.
VPN hardware
Standardized communication settings that software and hardware use to encrypt data sent through a VPN
VPN protocols
A method to address the problem of remote clients not meeting an organization's security standards. Quarantine places remote clients in a secured area while they are checked to ensure that software updates and current patches have been applied, antivirus software has been installed and updated, and other policies are in compliance.
VPN quarentine
A computer designed to accept VPN connections from clients
VPN server
A risk analysis report should call attention to. a. all identified risks b. the most urgent risks c. the newest risks d. the risks that are easiest to manage
all identified risks
Hardening a bastion host involves which of the following measures? a. disabling unnecessary services b. removing unnecessary accounts c. installing current patches d. all of the above
all of the above
If organizations have employees who connect remotely, which of the following security concerns should be considered? a. the possibility of mobile devices being stolen b.virus infections spreading from home and mobile systems to corporate systems c.the use of updated, effective antivirus and firewall software on mobile devices or home systems that connect to the network d. all of the above
all of the above
What are the three options for a firewall rule base to respond with?
allow, block, ask
What three actions can a firewall respond with when it receives a packet?
allow, block, reject (a notice is sent to the user)
Computers that are accessible to untrusted hosts that has been specially protected with OS patches, authentication, and encryption
bastion hosts
documenting every change you make and how the system reacts to the change, helping you if you need to troubleshoot later is called what?
change management
What makes port filtering complicated?
communication between two computers rarely use the same ports, the destination port is usually determined dynamically on a per connection basis
How does a network admin secure zone transfers?
configure all DNS servers to restrict zone transfers to specific authorized users
What is the name of services that a system needs to function correctly?
dependency services
Ensuring that databases remain accessible if primary systems go offline is known as . a. fault tolerance b. failover c. redundancy d. resiliency
fault tolerance
Which of the following issues would you consider in firewall design? (Choose all that apply.) a. Fault tolerance b. log size c. authorization d. load balancing
fault tolerance, load balancing
What enables servers in a server farm to work together to handle requests? a. a router b. a switch c. a networking hub d. load-balancing software
load balancing software
What is the name of an employee in a network security policy who is responsible for ensuring that end users have access to network resources on their servers
local administrators
What should you keep in mind when buying a firewall?
number of users you need to protect, the amount of network traffic passing through the firewall, the budget, the organizations level of concern about security
How many bastion hosts should you have in an ideal situation?
one host for each service you provide (to the outside)
What must a VPN have for every network?
one server and tunnel
What is a major defense to IP spoofing?
packet filtering
What are examples of threats?
power supply, crime rate, facility (old building), industry (
What is also a concern in multiple entry point configurations?
preventing VPN domains from overlapping
When attackers probe networks to look for vulnerabilities, they pay special attention to _____ because they store valuable personal and corporate information.
servers that host Internet services (such as DNS or Web servers)
IIS 7 supports _____, which allows administrators to import configuration files and cryptographic keys from a centralized location, which can be backed up
shared configuration
What are the advantages and disadvantages of using TLS
takes place without user action, makes it easier to administer firewalls and NAT, requires more processing power and administration time for managing certificates
What part of the buffer is targeted by attackers in a buffer overflow attack?
the call or function stack
What is an issue when using ESP for IPsec tunnel mode
the packet cannot pass through a firewall that performs NAT
ISP facilities that provide connectivity to the Internet for business, education, and home users.
Point of Presence (POP) ISP
What is the simplest method to check to see if a form text box isn't verifying the text inside?
' (quotation mark)
A term for products that integrate a variety of security features into a single application, device, or product. These features include VPN and remote access services, firewalls, intrusion detection and prevention functions, and management consoles.
(Unified Threat Management) UTM
What are the advantages and disadvantages of using a VPN?
(adv) Far less expensive than leased lines, Many elements working together provide strong security, Standards and protocols used in VPNs are well developed and widely used, Can result in less overall complexity in an organization's network, Can make use of a company's existing broadband connection. (disadv) VPN hardware and software from different vendors might prove incompatible because they use different protocols, Can be complex to configure, Can result in slower data transfer rates than a leased line, Depends on the often unpredictable Internet; if your ISP or other parts of the Internet go down, your VPN goes down, Requires administrators to install VPN client software on remote computers
Similar to power-monitoring attacks, this method of attack uses the sound produced by computations. The current used to power hardware produces heat, which is leaked into the atmosphere. The fluctuations of heating and cooling (thermodynamics) produce low-level acoustic noise that can be examined for clues about the underlying system.
Acoustic cyproanalysis
To isolate all external Web requests to a specific Web server on the DMZ, it would be best to use many-to-one NAT. True or False?
False
True or False: IPsec has replaced SSL completely as a security standard for VPNs
False
True or False: Java applets are considered immune to exploit because they run in a sandbox that can't interact with the host computer in any way
False
True or False: Just having a firewall protecting your network is okay
False
True or False: L2TP provides confidentiality and authentication on its own
False
True or False: PPTP MUST be used when VPN connections must pass through a NAT server or firewall
False
True or False: SSLs have no problems going through NAT enabled firewalls
False
True or False: To date, there has been no successful attacks against AES
False
True or False: VPN quarantines are a cure all for potential security vulnerabilites
False
True or False: When a firewall denies a packet, it usually lets the user know that it was blocked to help them realize what they did wrong
False
True or False: You can use GRE in IPv6
False
True or False: all DNS root servers reside in the U.S.
False
True or False: it is perfectly secure to terminate a VPN connection in front of the external firewall
False (it will be unprotected for a short period of time)
A firewall can do which of the following? (Choose all that apply) a. Screen traffic for viruses. b. Determine what user is sending transmissions. c. Filter traffic based on rules. d. Provide a layer of protection for the network.
Filter traffic based on rules, provide a layer of protection for the network
True or False: A honeypot must be a bastion host
Flase
An amendment to the U.S. Constitution that provides protection from illegal search and seizure.
Fourth Ammendedment
_____ proxy servers tend to offer a specific function rather than the full range of proxy server functions, so they are often described by names such as"content filter."
Freeware
In a ACL, how are rules read?
From top to bottom (meaning the more important ones should be there)
In a DNS zone transfer, what is actually transferred? a. fully qualified domain names and IP addresses b. usernames and passwords c. server MAC addresses d. UDP and ICMP messages
Fully qualified domain names and IP addresses
What are the names of the various employees in a network security policy?
Functional managers, local administrators, end users
A nonproprietary tunneling protocol that can encapsulate a variety of Network layer protocols.
Generic Routing Encapsulation (GRE)
A service that runs on Windows computers. It retrieves IPsec security policy settings from Active Directory and applies them to computers in the domains that use IPsec.
IPsecurity Policy Management
How does IPv6 present issues for firewalls?
IPv6 contains a large number of error messages, informational messages, and responses. This information can be useful to attackers and must be prevented from leaving the internal network, but it must pass through internal firewalls.
An IPsec-related protocol that enables two computers to agree on security settings and establish a Security Association so that they can use Internet Key Exchange.
ISAKMP (Internet Security Association Key Management Protocol)
What are IPSec's components?
ISAKMP, IKE, Oakley, IPSecurity Policy Management service, IPsec driver
The internet backbone is connected to regional ISPs via which of the following? a. POP ISPs b. network service points c. network access points d. carrier network points
Network access points
____ encompasses a broad range of issues related to locking down hardware components of a corporate network.
Physical and facility security
Which encryption method do many VPNs support?
AES
What encryption algorithm is stronger than 3DES and works faster, uses the Rijndael symmetric encryption algorithm, and is a block cipher
AES (Advanced Encryption Standard)
What was the original internet backbone?
ARPANET (From the US. dept of defense)
A policy that defines acceptable and unacceptable uses of company resources.
Acceptable use policy
The Windows RPC service works like the UNIX ____ service. a. Mountd B. Portmapper c. QOTD D. INFS
Portmapper
A process of analyzing the threats an organization faces, determining which resources are at risk, and determining the priority of each asset.
Risk analysis
What are the steps in a risk analysis life cycle?
Risk assessment, Security Policy creation, Policy implementation, Enforcement and monitoring
The process of identifying, choosing, and setting up countermeasures justified by the risks you identify.
Risk management
What type of attack utilizes a vulnerability of web forms text boxes not verifying their contents correctly, allowing an attacker to potentially send malicious commands to the web server its connected to
SQL injection, web form attack
Because of an increase in the use of Web-based business applications, there has been an increase in _____-based VPNs. a. SSL b. IPsec c. L2TP d. PPTP
SSL
What are techniques for minimizing risks?
Securing hardware, secure information databases in your network, conduct routing analysis, respond to security incidents
A designation for users, computers, or gateways that can participate in a VPN and encrypt and decrypt data by using keys.
Security Association (SA)
An ___ is the method that IPSec uses to track all the details of a communication session
Security Association (SA)
What are the two major factors in cracking an algorithm?
The amount of cryptographic knowledge required to design the attack and the amount of processing power needed to perform the attack.
Why is it not perfectly fine to have a web server inside your local network instead of in a DMZ?
The amount of traffic coming to the web server could overload the firewall
An Internet use policy prohibits broadcasting e-mail messages. True or False?
True
True or False: A VPN is an excellent solution for an organization that needs to follow a budget while maintaining security.
True
True or False: A bare-bones configuration on a bastion host reduces the risk of attacks and has the extra benefit of boosting efficiency.
True
True or False: A comprehensive security plan should not be evaluated strictly in terms of ROI, but as a vehicle for protecting systems and customer information.
True
True or False: To authenticate all or part of a packet's contents, AH adds a header that is calculated by IP header and data values in the packet, which is then combined with a secret key to ensure integrity
True
True or False: To compete with other security programs, most proxy servers are described as part of a more comprehensive firewall package.
True
True or False: VPN endpoints are vulnerable to many of the same viruses, Trojan programs, and spyware as internal network computers
True
True or False: Vulnerabilities in MPPE and Microsoft Challenge/Response Authentication Protocol (MS-CHAP) make PPTP a poor choice for high-performance networks with many hosts.
True
True or False: When multiple firewalls are used together, they must be configured identically and use the same firewall software.
True
True or False: When you are stopping or removing services, you should not disable any dependency services
True
True or False: Windows Digest Authentication uses Active Directory to authenticate users, but the client browser must support the HTTP 1.1 protocol.
True
True or False: a packet encrypted by ESP in IPsec transport mode can pass through a firewall that performs NAT
True
True or False: a security aware resolver must have at least one trust anchor
True
True or False: after a L2TP tunnel is established, it is bidirectional
True
True or False: all attacks against web users can be prevented
True
True or False: budget shouldn't always be the org's main concern, as cheap firewalls may become inadequate as the network grows
True
True or False: commercial OSs, Web servers, and databases are more vulnerable to buffer attacks than customized software that companies create for internal use.
True
True or False: depending on the size of the ISP, an ISP can offer services for every tier of the internet (from local/POP to backbone)
True
True or False: hardware products dedicated to VPN operation can handle more network traffic, are more scalable, and are more secure than software products.
True
True or False: having both parts of an malicious email attachment virus is rare because most antivirus software detect the malicious email before it even reaches the user
True
True or False: he purpose of a server security policy is to regulate IT staff who have privileged access to company servers.
True
True or False: in a multiple entry point configuration, excluding the gateway from the VPN is extremely improtant
True
True or False: in a single entry point configuration, the gateway must be a member of the VPN domain
True
which type of firewall blocks traffic on a case by case basis. In other words, when the firewall comes in contact with a type of traffic it doesn't recognize, it will prompt you to decide whether the traffic should be blocked or not
personal firewall
A variation of phishing that intercepts traffic to a legitimate Web site and redirects it to a phony replica site.
pharming
Using social engineering techniques via e-mail to trick users into providing personal information at the attacker's Web site. This site is designed to look like a legitimate business site.
phishing
What are the four types of assests?
physical (equipment), data (data you store), Software (apps), personnel (people)
What is a common setup to protect a network?
placing a firewall before a DMZ, and then another firewall between the DMZ and the internal network
Filtering by TCP or UDP port numbers is commonly called waht?
port filtering, protocol filtering
Countermeasures against side channel attacks include:
power conditioning and UPS systems to control power fluctuations and emissions, shielding to prevent radiation leakage, and strong physical security to prevent acoustic recorders or other monitoring devices from being installed.
What method of attack monitors the varying power consumption levels by hardware during computation. Watching the power input to the CPU during computation offers information that can help determine the algorithm.
power monitoring attacks
What are contracts between commercial NSPs or ISPs that enable them to bypass the Internet backbone for data and route exchanges.
private peering relationships
What are the advantages and disadvantages of a screened subnet DMZ
protects public servers by isolating them from the internal network, servers in the DMZ are highly vulnerable and need to be hardened
What is the new primary goal of modern proxy servers?
provide security at the application layer and shield hosts on the internal network
Software that forwards network packets to and from the network being protected and caches Web pages to speed up network performance.
proxy server
What did java applet attacks using Internet explorer exploit?
proxy server network connection, to redirect the user to another website where the attacker would be able to capture information
What is the difference between a proxy server and a NAT?
proxy servers rebuild packets before sending them, NAT simply repackages them
How should you physically protect servers?
put them in a locked room with an alarm system
To use VPN quarantine, what must you have?
quarantine-compatible remote access clients and servers, resources for a quarantine network, an accounts database, and a quarantine remote access policy
an important function of a security policy is to ____
reduce legal liability
A ____ ISP sells bandwidth to local or POP ISPs or to organizations with high bandwidth requirements.
regional
What are the disadvantages and advantages of software firewalls?
require extensive work to configure and secure the OS, less expensive than hardware firewalls
A device that filters outgoing connections
reverse firewall
What should you do before you plan out a VPN deployment?
review the company security policy, analyze the existing network, research VPN service options
What is the first step in developing a security policy?
risk analysis
A method of authentication that grants users limited system access based on their assigned role in the company and that defines the resources the role is allowed to use.
role based authentication
Almost every type of firewall depends on what configurable feature for its effectiveness? a. network connection b. state table c. rule base d. management console
rule base
The collection of rules that filter traffic at an interface of a firewall
rule base
The term ____ describes computer applications or processes that have been protected against attacks.
sanitized
Which of the following is an advantage of using a hardware firewall rather than a software firewall? (Choose all that apply) a. scalability b. cost c. ease of maintainence d. increased throughput
scalability, increased throughput
A dual homed host in which one interface is connected to an internal network and the other interface is connected to a router to an untrusted network which carries out IP filtering
screened host
A router placed between an untrusted network and an internal network
screening router
A legal document issued by a court that allows authorities to search a particular place for specific evidence. The warrant must detail what the search is seeking and where authorities are permitted to look for it.
search warrant
A computing system that is compliant with DNSSEC and that attempts to resolve a fully qualified domain name to an IP address (or vice versa).
security aware resolver
are countermeasures you can take to reduce threats, such as installing firewalls and IDPSs, locking doors, and using passwords and encryption.
security controls
A statement that defines the defenses configured to block unauthorized access to a network, acceptable use of network resources, an organization's response to attacks, and how employees should handle the organization's resources to prevent data loss or file damage.
security policy
A password policy should be established in the and enforced by whenever possible. a. risk assessment process, management b. company Web site, network administrators c. security policy, software d. company employee handbook, security guards
security policy, software
the discussions between managers and supervisors and other employees about the security policy, why it is important, and why employees should support it are called what?
security user awareness program
A computer dedicated to providing firewall policies
security workstation
A group of servers connected in a subnet that work together to receive requests
server farm
What is the issue of having the java applet vulnerability on Netscape forcing a user to start a new connection?
since this is a reverse connection, this negates the protection of the user's firewall, as it is only monitoring incoming traffic
A VPN configuration in which all traffic to and from the network passes through a single gateway, such as a router or firewall.
single entry point configuration
Small networks that use VPNs typically have what configuration?
single entry point configuration
What is the issue of having a proxy server also acting as your firewall?
single point of failure
In a SQL injection attack, which character is an attacker most likely to use? a. asterisk b. single quotation mark c. exclamation mark d. double quotation mark
single quotation mark
A VPN that uses hardware devices, such as routers, to connect two networks
site to site VPN (aka gateway to gateway VPN)
The end point of a computer-to-computer connection defined by an IP address and port address.
socket
A variation of phishing directed at specific users instead of using spam e-mail. It is often directed at employees of a particular organization, for example.
spear phishing
What was the original goals of proxy servers?
speeding up network communications
A network architecture that divides DNS services between two servers: a public DNS domain with a server on the organization's DMZ for Internet services and an internal DNS domain with a server on the internal network for service to internal hosts.
split DNS architecture
A network architecture that uses a single DNS domain with a DNS server on the organization's DMZ for Internet services and a DNS server on the internal network for service to internal hosts. All records that refer to internal hosts must be removed from the DMZ DNS server.
split brain architecture
The term used to describe multiple paths. One path goes to the VPN server and is secured, but an unauthorized and unsecured path permits the user to connect to the Internet or some other network while still connected to the corporate VPN.
split tunneling
The ____ stores information about the processes an application is currently running as well as return addresses, local variables, and parameters.
stack
A VPN configuration in which a single gateway is the hub and other participating networks are considered rim networks
star configuration
A file maintained by stateful packet filters that contains a record of all current connections.
state table
Filters that are similar to stateless packet filters, except that they also determine whether to allow or block packets based on information about current connections.
stateful packet filters
Simple filters that determine whether to allow or block packets based on information in protocol headers
stateless packet filters
____ is a version of one-to-one NAT that is often used when private addressing is used on a DMZ and all traffic for a busy DMZ server, such as a Web server, needs to have a dedicated public IP interface.
static mapping
Attackers often use DNS cache poisoning to do which of the following? a. Query systems on a network one by one. b. Steer unsuspecting users to a server of their choice instead of the Web site where users intended to go. c. Flood the network with packets and cause it to crash. d. Install a virus on the network.
steer unsuspecting users to a server of their choice instead of the web site where users intended to go
A legal document that requires a person to appear in court, provide testimony, or cooperate with law enforcement.
subpoena
The ability to continue functioning in the presence of attacks or disasters
survivability
TLS/SSL uses _____ cryptography for bulk encryption and ____ cryptography for authentication and key exchange.
symmetric, asymmetric
What is the issue of using 3DS?
takes a long to encrypt and is process intensive
Why does a dual homed host only provide limited security?
the firewall depends on the same computer used for day to day communication (Therefore, any problem with the host can affect the firewall), there is only one layer of protection
What exactly is the reason why a buffer overflow attack exploits?
the lack of bounds checking on the size of data stored in the buffer array, by writing data larger than its size in the array, it cause the buffer overflow
What is the main problem with a screening router? a. The router can be configured incorrectly. b. The router might not provide an adequate screen. c. The router cannot be used with a firewall. d. The router alone cannot stop many types of attacks.
the router alone cannot stop many types of attacks
What is a requirement for a successful file attachment attack? a. The user must open the file attachment. b. The user must reply to the e-mail that contains the attachment. c. The user must delete the file attachment immediately. d. The attachment must be an image file.
the user must open the file attachment
What are the advantages and disadvantages of stateless packet filters?
they are free or inexpensive, included with routers or open source OSs, cumbersome to maintain in a complex network, handles every packet separately and doesn't record which packets have already passed through the filter
A firewall with separate interfaces connected to an untrusted network, a semitrusted network, and a trusted network
three pronged firewall
What are the goal of packet filtering rules?
to account for all possible ports a type of communication might use or for all variations of a protocols
How are NAPs positioned?
to be able to provide interconnectivity between each backbone in every country
What is the objective of a phishing attack?
to entice a user to enter personal information that can be used to steal personal assets or identities
What is a common enhancement to a screened host?
to have it act as a proxy server
What is the main goal of a proxy server?
to prevent direct connections between the internal network and the internet
The way in which systems in a network are connected to one another
topology
True or False: A screened host is essentially a combination of a dual-homed host and screening router configuration
true
True or False: a buffer overflow attack requires programming expertise
true
The top level digital certificate in a PKI chain
trust anchor
The VPN connection through which data passes from one endpoint to another is called a(n) . a. gateway b. extranet c. tunnel d. transport
tunnel
What is the name of the connection through which data is sent?
tunnel
Network protocols that encapsulate (wrap) one protocol or session inside another.
tunneling protocols
Authentication that requires at least two forms of verification for a user to be granted access.
two factor authentication
What are some clientside issues when ensuring security?
whether to require clients to use a firewall and IDPS, whether policies should be enforced on client computers before allowing remote users to authenticate to the internal network.
What client-side issues do you need to consider when planning a VPN deployment? (Choose all that apply.) a. whether to require the client to use a firewall b. the organization's current growth rate c. how policies should be enforced on the client computer d. the cost of equipment that employees need to buy
whether to require the client to use a firewall, how policies should be enforced on the client computer
Descriptions of the worst consequences that can befall an organization if a threat occurs.
worst case senarios
what are the advantages of using a risk analysis program is that you can analyze cost estimates and present them in a report format
you can analyze cost estimates and present them in a report format, can calculate the mean cost of replacing hardware, software, etc.
What is a major advantage of setting up a DMZ with multiple firewalls?
you can control traffic in the three networks you are dealing with
What is the issue with active FTP for a rule base?
you cannot specify a port because the machine can establish a connection with the server on any port about 1023, instead, you should specify the IP address
A ____ is a set of instructions for resolving domain names into IP addresses.
zone file
The communication of a zone file from the primary DNS server to secondary DNS servers for updating.
zone transfer
The Center for Internet Security (CIS) recommends the following security settings for Apache:
● Harden the underlying OS as you would any OS by removing unused applications and sample code and updating OS patches and hot fixes. ●Install the latest Apache binary distribution code from the OS vendor. ●Disable unnecessary Apache modules and services, disable processing of server-side includes (SSIs), and delete unneeded or default Apache files and sample code. These measures reduce the number of Web processes that are available to attackers. ●Create Web groups so that users can be granted limited administrative rights without having root access. ●Create user and group accounts with limited privileges for running Apache Web Server, and never run Apache as the root account. If the Web service runs with root permissions, any compromise results in attackers having root access to the Web server. ●Subscribe to OS vendor and Apache security advisories to stay informed about security issues. ●Develop customized messages for Web pages that display error information. As you learned previously, attackers can use error messages to gather information about server setup. ●Install the ModSecurity module to have URLs in Web traffic inspected for anomalies. The ModSecurity module adds a filter to prevent these types of requests. ●To secure access, use Digest authentication instead of Basic authentication for accepting usernames and passwords. (If you need to review these authentication methods, conduct an Internet search for articles.) ● When setting access control lists (ACLs), determine whether allow or deny rules are evaluated first. An ACL's effect could change if you do not use the correct order of evaluation. ●Use Secure Sockets Layer (SSL) to encrypt the communication from user to Web server. ●Limit the Web server to accepting and processing only certain HTTP request methods, such as GET, POST, HEAD, and PUT. ●Disable HTTP traces to prevent attackers from investigating HTTP request paths for potential targets. ●Enable logging on the Web server so that you can spot potential problems and suspicious activity. To prevent attackers from accessing and altering logs, store them on a separate network server, not the Web server.
True or False: in order for the proxy serve to view the packet, it "reconstruct the packet," in other words, the proxy server opens the packet, examines its contents, and replaces the original header with a new header that contains the proxy servers own IP address instead of the original clients
True
True or False: it is a good idea to only have management software located in the DMZ
True
True or False: it is a good idea to subnet DMZs based on their function
True
True or False: it is best to have a balance between security and productivity in remote access and VPN policies
True
True or False: it is important to monitor system performance continuously
True
True or False: launching side channel attacks require a high level expertise
True
True or False: many small companies overlook the need to implement a security policy
True
True or False: one of the goals of a proxy server is to prevent a direct connection between an external computer and an internal computer
True
True or False: routers in network service provider backbones are able to handle much more traffic than routers in a normal LAN
True
True or False: security policies enable management to set security priorities
True
True or False: stakeholders in a project should have input during the planning stage (system design state)
True
True or False: the source and destination IP addresses of encapsulated data packets can be in private reserved blocks that are not routable over the Internet.
True
True or False: the world wide web is just one of the services the internet offers
True
True or false: Each server farm/DMZ should be protected by its own firewall or packet-filtering router.
True
True or false: most software products aren't designed to be survivable
True
True or False: most companies don't allow employees to perform risk analysis
True (They rely on software instead)
Which of the following sections of a security policy affects the most people in an organization? a. incident handling policy b. privileged access policy c. acceptable use policy d. remote access policy
acceptable use policy
____ defines how employees should use the organization's resources, including the Internet, e-mail, and software programs.
acceptable use policy
A password policy might specify which of the following attributes for password selection? a. length requirements b. complexity requirements c. frequency for changing passwords d. all of the above
all of the above
What is the one of the most serious mistake a network admin can make when handling DNS servers?
allowing untrusted Internet users to perform zone transfers
What are some weaknesses of DNSSEC
an attacker can enumerate the contents of a DNS zone by following the NSEC resource record chain, it is more complicated than DNS, its effectiveness depends on unbroken chains of authentication (Which is unlikely to happen until all Internet zones are DNSSEC compliant)
For a more comprehensive solution, you should combine a firewall with what other network defenses?
antivirus and IDPS
who should you make user accounts for?
anyone who accesses your network
What are the hardware, software, and informational resources you need to protect? a. threats b. tangibles c. assets d. business holdings
assests
The hardware, software, and informational resources you need to protect by developing and implementing a comprehensive security policy.
asset
where is the acceptable use policy usually located in a security policy?
at the beginning
Where should you place the most important rules in a rule base? a. in the connection log file b. at the bottom of the rule base c. in the state table d. at the top of the rule base
at the top of the rule base
How does Kerberos authenticate the identity of network users?
authentication by assertion
How does a screening router determine whether to allow or deny traffic?
based on their source and destination IP addresses and other information in their headers
When should you start training your employees?
before implementation
Where does TLS run?
below application layer protocols but above transport layer protocols
Where are personal firewall products located?
between the Ethernet adapter driver of the machine where they are installed and the TCP/IP stack so they can inspect traffic between the driver and the stack.
Where is a honeypot located in a network?
between the bastion host and the internal network
A symmetric algorithm that encrypts data in blocks of bits. These blocks are used as input to mathematical functions that perform substitution and transportation of the bits
block cipher
What is one way to block DNS information leakage?
blocking zone transfers
What part of the packet does ESP encrypt when using tunnel mode for IPsec?
both the header and data portion
A network of zombie computers that attackers assemble to magnify the effect of an attack.
botnet
How does TCP/IP transmit information? How does UDP transmit information?
breaking it into segments (TCP), breaking it into datagrams (IP, UDP)
A ____ is a section of random access memory shared by application processes that depend on one another but operate at different speeds or with different priorities. its purpose is to coordinate data intended for use by separate activities
buffer
Which of the following is caused by a flaw in how a running process allocates memory to a variable? a. unsecured cryptographic storage b. buffer overflow c. broken authentication d. SQL injection
buffer overflow
A ____ is when an attacker finds a vulnerability in poorly written code that doesn't check for a defined amount of memory space use.
buffer overflow attack (aka stack smashing attack)
How does IPSec make L2TP more secure?
by encapsulating the entire packet
What do enterprise firewall programs come with that personal firewalls dont?
centralized management option, that ability install multiple instances from a central location
What can an admin do to a client computer who is VPNing prevent split tunneling?
configure the remote system to use the corporate network's default gateway for further Internet access.
What is the secondary goal of modern proxy servers?
controlling which web sites users are allowed to access
A technique for comparing the costs of an investment with the benefits it proposes to return.
cost benefit analysis
What are the advantages and disadvantages of using intergrated solutions, such as a UTM?
cost, interoperablility, easier management, single point of failure, reduces layers of defense
When securing an Apache Web server, which of the following tasks is not necessary? a. installing the latest Apache patches b. disabling processing of server-side includes (SSIs) c. deleting unneeded or default Apache files and sample code d. creating a privileged user ID for the Apache Web User account with root access
creating a privileged user ID for the Apache Web User account with root access
What was the original purpose of GRE
creating virtual point to point links for cisco routers
What is the most important type of assest?
data
What part of the packet does ESP encrypt when using transport mode for IPsec?
data only
What is the name of the person who is primarily responsible for the network
data owner
What is the name of a map of tables and fields in the database
database footprint
What is an escalation procedure? a. how network security can be improved in stages. b. how a virus can multiply and affect more assets. c. different levels of response based on incident severity. d. employees who should be involved in the response.
different levels of response based on incident severity, employees who should be involved in the response
A computer configured with more than one network interface
dual homed host
Users who are connected to the internet usually use what type of setup?
dual homed host
Which of the following computers is likely to be found in a DMZ? (Choose all that apply.) a. e-mail server b. domain controller c. Web server d. customer information database
e mail server, web server
What is a product by SafeNet that scans traffic for malware and application-level threats and filters content to improve productivity. It also helps prevent data leaks.
eSafe Content Security
What specific products should you integrate with a firewall?
eSafe Content Security, ManageEngine Firewall Analyzer
What are the advantages and disadvantages of using a mesh configuration?
each participant can establish VPN communication with all other participants, however, it is difficult to expand the network and update every VPN device whenever a host is added
What are the advantages and disadvantages of using a star configuration for VPN services?
easy to increase the VPNs size, (but there is) signle point of failure, slower speeds
Word-processing documents, spreadsheets, Web pages, and other documents on your network computers.
electronic assests
What are a common vehicle for introducing malicious code into a network?
email attachments
What are one of the best and least expensive methods of securing data?
encryption
Which of the following technologies helps protect sensitive data even after it has been stolen from a secured medium? a. virus protection b. authentication c. encryption d. Spybot
encryption
What is the name of an employee in a network security policy who have access to the organization's network; these employees are responsible for using the network in accordance with the network security policy
end users
What outgoing connections might be useful to track using a reverse firewall?
ensuring data isn't downloaded, filtering out unauthorized connection attempts from the internal to the outside network, log connection to web sites to look at web traffic, could find zombies (Though this is a feature that any firewall can do)
A set of roles, responsibilities, and measures taken in response to a security incident.
escalation procedure
IPsec provides for what security activity to take place before data is encrypted or transmitted? a. encapsulation b. authentication c. establishment of a Security Association (SA) d. application of security policy settings
establishment of a Security Association (SA)
Vulnerability to loss resulting from the occurrence of a threat, such as disclosure, destruction, or modification of information resources. Exposure increases with the presence of multiple threats.
exposure
A private network that a company sets up as an extension of its corporate intranet so contractors, suppliers, and external partners can access a limited portion of the network infrastructure.
extranet
A backup firewall that is configured to switch on if the current firewall fails
failover firewall
Stateless packet filters are more secure than stateful packet filters because they do not contain a state table that can be exploited by an attacker. True or False?
false
Hardware or software configured to block unauthorized access to a network.
firewall
Hardware devices with firewall functionality
firewall appliances
An addition to a security policy that describes how firewalls should handle application traffic, such as Web or e-mail applications.
firewall policy
Stacks are allocated a ____ size in memory when created
fixed
What is the main reason for using using software VPNs?
flexibility
In this mesh setup, every subnetwork is connected to all other subnets in the VPN. This topology is complex to manage and is best used with small VPNs.
full mesh
What is the name of an employee in a network security policy that have primary responsibility?
functional managers
What is the goal of SQL injections?
gain additional information about a database's structure for further attacks
What is a common method of finding web form candidates?
google search for login pages
how is a web server usually secured?
hardening the underlying OS, installing patches, disabling unused services, and restricting the number of user accounts and their access permissions. In addition, you can use platform-specific software tools.
Which type of VPN should be considered for fast growing networks that need to encrypt all traffic passing through the VPN device.
hardware
If your organization has a DNS server that is authoritative for your domain on the Internet, how should you set up the DNS servers?
have it in a DMZ and that a split DNS architecture is used
What should a small company do if it cannot enforce totally control over clients, and thus can't ensure that they aren't split tunneling
have them sign a acceptable use agreement
A ____ is a computer placed on the network perimeter to attract attackers so that they stay away from critical servers on the network in addition to logging their activites
honeypot
What are the general steps to creating a firewall policy?
identify which network applications are needed and the vulnerabilities associated with each application, conduct a cost benefit analysis to determine the most cost effective and efficient method for securing application traffic, create a traffic matrix
How should a network security policy handle a LAN security accident?
in a timely manner with little impact to the orgs ability to process and transmit data
What part of a security policy describes in detail who responds to security incidents, what needs to be done in response, and why these procedures are necessary.
incident response
A contingency plan should consider...
incident response, backup operations, and recovery
Stateless packet filters allow or block packets based on which of the following? a. status of the connection b. information in protocol headers c. state table d. packets that have been handled previously
information in protocol headers
What should you do to secure all mobile devices?
install startup and screen saver passwords, encrypt the data
What are the best defenses against buffer overflow attacks
installing the latest patches, installing IDPS
What are some disadvantages of using multiple routers to connect your DMZ subnet to parts of your internal subnets?
internal data might accidentally route through the DMZ to another part in the network, exposing data. Network configuration becomes more difficult
What does a split DNS architecture prevent?
internal zone information from being stored on an Internet-accessible server and prevents internal DNS entries from being sent over Internet DNS.
What two web browsers can be used to perform java applet attacks
internet explorer, netscape
Typically, the time spent in training and the depth of that training is ____ to an employees position in an organization
inversely proportional (the lower you are, the more time you must put in)
A proxy server ______ (Choose all that apply.) a. is designed to improve web access b. is the same as a reverse firewall c. uses fewer system resources than a software firewall d. can filter application layer content.
is designed to improve web access, can filter application layer content
What is a good way to protect information customers send via the internet?
isolate the information so attackers cannot access it
If an RRAS server is used for used for hosting VPN services, what additional logging capabilities does it have?
it can perform local authentication and accounting logging (Which track remote access authentication attempts and use, which is useful for troubleshooting)
What is the advantage of using a hybrid configuration
it combines the star configuration's scalability and the mesh configurations speed
What is the advantage of having management software located in the DMZ?
it gives the management servers an extra level of protection
What is one advantage of a VPN?
its capability to extend a WAN to multiple locations by using the internet
What is a key concern of AES?
its mathematical structure
what people are usually contained in a SIRT?
legal team, IT dept, Managers/CEO's
Where are bastion hosts usually located?
located outside on the internal network and often combined with packet-filtering devices (aka routers or firewalls) on either side (aka in a DMZ)
____ assets include e-mail, any records of instant messaging conversations, and log files compiled by firewalls and IDPSs.
logical
In this IIS login method, users must enter credentials on a login page.
login redirection based authentication
What can attackers do if they exploit a DNS server?
loss of confidentiality (tapping Voice over IP), Web site impersonation, e-mail hijacking, DNS cache poisoning, and theft of information
What are reasons a VPN would be used in a business?
low cost, secure remote access
What are other concerns with using Kerberos?
major security flaws allowing aribtrary code execution, man in the middle attacks, DoS attacks, or cause the Domain controller to shut down. However, patches are available to fix these
A process that uses the source and destination TCP and UDP port addresses to map traffic between internal and external hosts.
many to one NAT (aka Port Address Translation)
A VPN configuration in which all participants in the VPN are connected to one another. This configuration is commonly arranged as a full-mesh or partial-mesh setup.
mesh configuration
The purpose of incident response is to...
mitigate the potentially serious effects of a severe LAN security problem
What areas should encryptino be used to minimize the risk of sensitive data being compromised?
mobile computers, removable media, data transfers
How does an attacker perform a pharming attack?
modifying the users host file, DNS poisoning
A type of VPN configuration in which multiple gateways are used, each with a VPN tunnel connecting a different location.
multiple entry point configuration
Major organizations use which type of configuration? multiple or single
multiple entry point configuration
To name a VLAN, what command do you use?
nameif (New Vlan name)
Where should the penalties for violating the policy be located?
near the beginning
What are the four phases of a security policy life cycle?
needs assessment, system design, system implementation, performance monitoring
Routers, cables, bastion hosts, servers, and firewall components that enable employees to communicate with one another and other computers on the Internet.
network assests
A policy that defines and establishes responsibilities for protecting the network and the information processed, stored, and transmitted on the network.
network security policy
What is the command to prevent port forwarding?
no forward interface (interface name)
What are the benefits of using IPSec with L2TP?
no information about the internal network can be gained, port 1701 doesn't have to be open on any firewall except the endpoint
The ultimate goal of a security policy is which of the following? a. reducing the risks to zero b. doing it right the first time so the policy does not have to be rewritten constantly c. convincing management that the IT budget should be increased d. none of the above
none of the above
The process of mapping one internal IP address to one external IP address
one to one NAT
What are some critical services you should disable on a bastion OS?
ones that perform routing or IP forwarding
What were the earliest firewalls called?
packet filters
In this mesh setup, any subnet in the VPN may or may not be connected to the other subnets, allowing for more flexability.
partial mesh
What does Windows Basic Authentication Require users to do before they're allowed to connect?
password, username
What is a major advantage of Kerberos?
passwords are not stored on the system
What is the downside of Windows Basic Authentication?
passwords are transmitted in plain text
What can prevent a company from wrongful termination lawsuits?
penalty clauses
Which of the following, if worded correctly, can protect companies from wrongful termination lawsuits? a. nondisclosure clauses b. acceptable use policies c. penalty clauses d. punitive clauses
penalty clauses
____ exist so that companies can discipline employees whose computer activities interfere with productivity and make sure employees can't claim ignorance
penalty clauses
Why are spear phishing attacks becoming more common?
people are putting more personal information online
What are the advantages and disadvantages of proxy servers?
perform stateful packet filtering, operate at the Application layer, higher demand in cpu compared to other firewalls
What are the disadvantages of using many to one NAT?
performance degrades as more machines use the network, does not work with some types of VPNs, cannot provide other services (such as a web server) unless you have an additional external IP for them
Where might you use a screened host setup?
perimeter security on a corporate network
For optimum efficiency, configure a domain controller to function also as an IIS Web server. True or False?
False
In a Cisco 5505 firewall, security level 100 is the least secure level. True or False?
False
What can attackers do with modified routing data?
Launch DoS attacks, IP spoofing, man in the middle attacks
What are the various email protocols called?
POP3, IMAP4, SMTP (for outbound email), LDAP (for looking up email), HTTP
A tunneling protocol used for dial-up access to a remote server.
PPTP (Point to point tunneling protocol)
What is GRE commonly used with?
PPTP in Microsoft VPNs
What is IPsec's biggest advantage?
it has been standardized and is supported by a variety of VPN hardware and software devices
Why is IKE becoming increasingly popular?
it provides a high level of security, which outweighs the decrease in network performance
True or False: all 13 root DNS servers were originally in the US
true
What should you do before determining firewall policies?
A risk assessment
An ___ is a Windows object coded in languages such as C++, Visual Basic, and Java. Its purpose is to deliver dynamic, interactive content to Web pages.
ActiveX control
What is the most widely used web server application?
Apache
A security process that assumes a computer system will be attacked and follows a set of steps to build a system that can survive the attack.
Survivable network analysis (SNA)
Why are phishing email attacks so prevalent?
They are easy and cheap to create and carry out
Events and conditions that could potentially occur; their presence increases risk.
Threat
A ____ ISP or NSP gives regional ISPs backbone access.
backbone
A VPN configuration that combines characteristics of the mesh and star configuration
hybrid configuration
The ability of an object or a system to continue operating despite a failure.
Fault tolerance
How many root servers are in the DNS infrastructure? a. 10 b. 11 c. 13 d. 14
13
How many root DNS servers make up the foundation of the Internet DNS, What are their names?
13, A-M
What ports should you commonly block in a network with windows machines?
135-139 (NetBIOS), 161 (SNMP), 445 (SMB), 1755 (Windows Media), 3389 (Remote Desktop Protocol)
What common ports should you block in a network with UNIX machines?
17 (QOTD), 111 (Portmapper), 513 (remote Login), 514 (Syslog), 635 (mountd)
What port does L2TP use?
1701
Why can attackers use ActiveX controls to run malicious code on users computers?
ActiveX has full access to the windows OS, don't require user action to be activated
What is a simple form of phishing that has existed for many years?
Nigerian scam
____ are events and conditions that could potentially occur, and their presence increases risk.
Threats
What do most VPNs use to authenticate users?
IPsec
Software that handles the tasks of encrypting, authenticating, decrypting, and checking packets in an IPsec connection.
IPsec driver
What level of incident is a loss of password?
1
How are incidents usually divided in an escalation procedure?
1 (lowest) to 3 (highest)
Which ICMPv6 message types should you let into your network but never out?
1-4, 128, 129
Which of the following IP addresses is most likely to be the source IP address of an encapsulated VPN packet? a. 150.80.26.59 b. 172.30.78.45 c. 11.17.5.210 d. 210.240.255.48
172.30.78.45
What port is normally used for proxy services?
8080
According to M86 Security Labs, ___ percent of spam e-mail sent in May 2012 was delivered by hijacked zombie computers.
91
A network addressing scheme that allows DNS services to be decentralized among a group of servers, regardless of their location.
Anycast addressing
What This policy should cover the following points:
Applicability, Evaluations (ie the value of data), Responsibilities, Commitment
What are the six factors needed to create a risk analysis?
Assets, threats, probabilities, Vulnerabilities, Consequences, Security controls
Where should packet filtering be performed when using the GRE protocol?
At tunnel endpoints
The process of reviewing records of network computer activity; these records identify who is connecting to a computer, the resources being requested, and whether access is granted or blocked.
Auditing
An IPsec protocol that provides authentication of TCP/IP packets to ensure data integrity.
Authentication Header (AH)
_____ are prepared to ensure that essential tasks can be completed after the LAN environment is disrupted and continue until the LAN is sufficiently restored.
Backup operation plans
What are the advantages and disadvantages of a single DMZ/two firewalls?
Balance traffic load in high traffic situations, Expensive
What is the difference between a split DNS architecture and a split brain architecture?
Both systems use the same domain in the split brain architecture
Which commercial program includes a personal firewall with security levels for grouping programs, protocols, and ports; automated configuration and help for novice users; and features that offer experienced users fine-tuned control. Other features of the suite include cloud-based scanning, browser security, and protection against viruses, spyware, and spam.
CA Internet security suite
This highly regarded organization keeps records of serious security attacks
CIAC (Computer Incident Advisory Capability)
In this IIS login method, the Web client must respond to a challenge from the Web server. An example is Integrated Windows Authentication, in which Active Directory credentials are used.
Challenge based authentication
Which two authentication methods does IIS7 allow you to select?
Challenge based authentication, Login redirection based authentication
What is the name of a firewall that is designed to protect and monitor large-scale networks
Check point NGX
Which programs offer enterprise level protection?
Check point NGX, Proventia security products
What cisco device is appropriate for small businesses and branch offices? It supports SSL and IPsec VPNs and contains PoE ports to support VoIP phones.
Cisco ASA 5505 firewall
What hardware firewall products are available?
Cisco ASA series, Fortinet Fortigate series, Barracuda NG firewall
What is the name of a firewall that is a self-contained hardware device with firewall functions you can add to a network?
Cisco PIX line
What is the process of how Kerberos works
Client makes request, server asks for password, client supplies password; request is made to AS, AS grants TGT, Client uses TGT to request ticket, TGS grants ticket, client gains access to requested service
What are some advantages of Free Firewall Programs compared to commercial?
Convenient and simple (Making it good for small business and home networks), small file size
Which of the following is an advantage of using a software firewall rather than a hardware firewall? A. Throughput B. Reliability C. Cost D. Availability
Cost
an older protocol standard IBM developed in the mid-1970s that was adopted as an encryption standard in 1977. DES is not a secure encryption method; it can be cracked if enough computers are working on it. For this reason, it is considered obsolete and is rarely used now.
DES (Data encryption standard)
A ____ is a subnet of publicly accessible servers placed outside the internal network
DMZ
A hierarchical name-resolution service for translating host names to IP addresses; used mainly on the Internet.
DNS
When an attacker sends false data to a DNS while it attempts to query other servers looking for DNS information not in its cache. Attackers often use this to steer unsuspecting victims to a server of their choice instead of the Web site where users intended to go.
DNS cache posioning (aka DNS spoofing)
What comes as a result of DNS servers not having authentication?
DNS information leakage
A protocol designed to improve DNS security by using cryptography to ensure DNS integrity and authentication.
DNS security Extensions (DNSSEC)
____ assets include personnel, customer, and financial information that your company needs to protect.
Data
multiple security devices configured to work together to provide protection is called?
Defense in Depth (DiD)
What common guidelines should be reflected in the rule base to implement an organization's security policy?
Employees can have access to the Internet with certain restrictions, such as content filtering or controls on downloads, The public can access the company's Web server and e-mail server, Only authenticated traffic can access the internal network, Employees are not allowed to use instant-messaging or social networking software outside the internal network, Traffic from the company's ISP should be allowed, External traffic should be blocked if it attempts to connect to a port used by instantmessaging software, Only the network administrator should be able to access the internal network directly from the Internet for management purposes
Which of the following is not a best practice for VPN client management? a. Enable split tunneling. b. Disable FTP. c. Disable Telnet. d. Enable VPN quarantine.
Enable split tunneling
An IPsec protocol that encrypts the header and data components of TCP/IP packets.
Encapsulating Security Payload (ESP)
The process of enclosing a packet within another packet that has different IP source and destination information to ensure a high degree of protection. Thus, protecting the integrity of data
Encapsulation
What are the three VPN core activities?
Encapsulation, Encryption, Authentication
What is the most important aspect of a firewall?
Encryption
What feature introduced in IIS 7.5 is designed to decrease the risks associated with man-in-the-middle attacks by providing additional information, such as channel-binding tokens and service-binding identifiers.
Extended Protection
Which of the following functions can a bastion host perform? (Choose all that apply.) a. FTP server b. e-mail server c. security management server d. domain controller
FTP server, email server
A Web server can be hardened just by configuring the Web application correctly. True or False?
False
A bastion host is usually located on the internal network. True or False?
False
A firewall is an effective stand alone security solution. True or False?
False
A form of key exchange used to encrypt and decrypt data as it passes through a VPN tunnel. It uses tunnel method encryption to encrypt and then encapsulate packets for extra security.
IKE (Internet Key Exchange)
To allow L2TP and IPSec through a router, what protocols should be allowed along with their protocol number or port number?
IKE, 1701, UDP, 500, ESP, 50, AH, 51
What applications are hard to block through just blocking port numbers
IM programs
What does IIS7 allow you to restrict access to the Web Server based on what and how specific?
IP address, IP address ranges, Domain names. can restrict to certain web sites, applications, directories, individual files
A socket is a combination of a(n) ____ and a(n) _____. A. NetBIOS name, port number B. Port number, MAC address C. MAC Address, IP address D. IP address, port number
IP address, port number
What features of the IP protocol headers does stateless packet filters look at?
IP address, ports, TCP flags
What are is technique to exploit weaknesses in the internet structure that involves changing the source IP address to perform DoS attacks or to manipulate Web servers to send sensitive information
IP spoofing
What are stateless packet filters vulnerable to?
IP spoofing attacks (as they have no form of authentication)
A set of standard procedures that the Internet Engineering Task Force (IETF) developed for enabling secure communication on the Internet.
IPSec
In order for L2TP to provide confidentiality and authentication, what other service is usually combined with it?
IPSec
What are considered vpn protocols?
IPSec, PPTP, L2TP, SSTP
Which protocols are a very common method of establishing a VPN connection?
IPSec/IKE (IPSec with Internet Key Exchange)
What is another way to check to see if the text inside a form is being checked, other than the quotation mark?
Inject an SQL statement that will always be true (Such as 'x = x')
The ____ is a group of networks tied together to form an infrastructure for communication.
Internet
A policy that defines how users can access and use the Internet and that specifies what rules apply to e-mail and other communications, such as instant messaging.
Internet Use Policy
To determine the value of hardware and software you need to protect, which of the following approaches is easiest to use? a. getting the most recent prices online b. keeping records of purchase costs c. using your experience and expertise d. interviewing support personnel
Interviewing support personnel
Which of the following is an advantage of using a star VPN configuration? a. It is easier to increase the VPN's size b. Fewer VPN hardware or software devices are required c. Only the VPN server at the center or "hub" needs to be updated d. All participants can communicate with all other participants
It is easier to increase the VPN's size
What is the process of an attacker performing an file attachment attack?
It requires two components, the first part changes the registry so that JPEGs are extracted before ran, the second part is the malicious code inside the JPEG, which executes as soon as it is extracted
What points make up an effective rule base?
It should be based on the organization's security policy, It should include a firewall policy with rules for how applications can access the Internet, It should be as simple and short as possible, It should restrict access to ports and subnets on the internal network from the Internet, It should control Internet services.
A ____ is a small program sometimes used as embedded code in Web pages.
Java applet
An IETF standard for secure authentication of requests for resource access.
Kerberos
What does Windows Authentication support for authentication methods?
Kerberos and NTLM (New Technology LAN manager)
What is the difference between using Kerberos instead of PKI
Kerberos has a lower network overhead than PKI (which is especially useful in small networks)
A Kerberos component that holds secret keys for users, applications, services, or resources; it creates and distributes session keys by using symmetric cryptography.
Key Distribution Center (KDC)
What is the name of the Kerberos Authentication Server?
Key Distribution Center (KDC)
A tunneling protocol derived from two older protocols (Cisco's L2F and Microsoft PPTP L2TP) that encapsulates PPP packets and is usually combined with IPsec for improved security.
L2TP (Layer 2 tunneling protocol)
Which endpoint of an L2TP tunnel is the initiator of the tunnel?
L2TP Access Controller (LAC)
What are the two endpoints of an L2TP tunnel?
L2TP Access Controller (LAC), L2TP Network Server (LNS)
Which endpoint of an L2TP tunnel is the server waiting for the tunnel?
L2TP Network Server (LNS)
What is a more secure alternative to PPTP?
L2TP/IPSec
What is filtering IPv6 traffic much harder than IPv4?
Larger Address space, can be encapsulated into IPv4
Attackers can exploit routing information updates to do which of the following? (Choose all that apply.) a. Launch DoS attacks. b. Poison DNS caches. c. Use IP spoofing to intercept packets. d. Launch man-in-the-middle attacks.
Launch DoS attacks, Use IP spoofing to intercept packets, Launch man in the middle attacks
Software that prioritizes and schedules requests and then distributes them to servers in a server cluster based on each server's current load and processing power.
Load balancing software
What elements of filtering packets are especially important to configuring rules and implementing the organization's security policy?
Logging and auditing, Tracking, Filtering, NAT, Quality of Service (QoS), Desktop security policy
What technology does PPTP use to encrypt data passing between the remote computer and the remote access server?
MPPE (Microsoft point to point encryption)
What is a Web-based monitoring and log-analysis tool that collects logs from proxy servers, firewalls, IDPSs, and VPNs to monitor performance, audit traffic, and detect intrusions
ManageEngine Firewall Analyzer
What are the issues of an attacker being able to perform SQL injections?
May be able to shut down the server, could capture sensitive information (such as credit card information)
This commercial program combines the capabilities to cache Web pages and translate source and destination IP addresses with content filtering and traditional firewall functions, such as packet filtering and NAT. It also includes advanced features such as HTTPS inspection, which allows the proxy server to decrypt and inspect traffic that has been protected by asymmetric and symmetric encryption.
Microsoft Forefront Threat Management Gateway (TMG)
What are the advantages and disadvantages of a reverse firewall?
Monitors attacks from inside the network, enables orgs to monitor user activity, slows down user access to external and internal parts of the network
An analytical method that simulates a real-life system by randomly generating values for variables.
Monte Carlo Simulation
How do NSP backbones exchange routing and traffic data?
NAP, private peering relationships
The repackaging of packets so that internal IP addresses are stripped from requests to an untrusted network like the Internet.
NAT (Network address translation)
Which of the following can hide internal IP addresses from the Internet? (Choose all that apply.) a. packet filters b. NAT c. proxy servers d. state tables
NAT, proxy servers
Which free firewall program comes with the Linux 2.4 and 2.6 kernels and is a solution for stateless and stateful packet filtering, Network Address Translation (NAT), and packet processing. This program logs detailed information about traffic in a well-organized manner that is easy to review.
NetFilter
What are two popular free firewall programs?
Netfilter, ZoneAlarm
Highly secure public facilities where commercial Internet backbones and ISPs exchange routing and traffic data.
Network Access Point (NAP)
Yes or No, Can a firewall protect you against internal threats?
No
What are issues with DNS in terms of security?
No authentication or integrity
A screening router would be an appropriate choice for meeting the security needs of a ____. a. a small office network b. home network c. DMZ d. None of the above
None of the above
Which program is designed for home users and includes a personal firewall with controls for both beginners and advanced users. The program includes identity protection along with antivirus, antiphishing, and antispyware features.
Norton Internet Security
What is the name of a Norton firewall that is a personal firewall
Norton Security Suite Firewall
A protocol that enables IPsec to use the Diffie-Hellman encryption algorithm to create keys.
Oakley
Using two firewalls helps in the following ways:
One firewall can control traffic between the DMZ and the Internet, and the other can control traffic between the protected network and the DMZ, the second can act as a failover firewall
Putting a VPN on the firewall has which of the following disadvantages? (Choose all that apply.) a. There are more computers to manage. b. Only one server controls security, so any configuration errors leave the network open to attack. c. Internet access and VPN traffic compete for resources on the server. d. VPN traffic is not encrypted.
Only one server controls security, so any configuration errors leave the network open to attack, Internet access and VPN traffic compete for resources on the server
What software application uses SSL/TLS to tunnel the entire network protocol stack?
OpenVPN
A policy that details additional access options and responsibilities of users with privileged access to resources.
Privileged access policy
The possibility that a threat will actually occur, as influenced by geographic, physical, habitual, or other factors that increase or decrease the likelihood of occurrence.
Probability
What are the advantages and disadvantages of a multiple DMZs/Firewalls?
Provides DiD for a business network, Expensive
What are the advantages and disadvantages of Branch offices/multiple firewalls?
Provides protection for all offices in a corporate network as well as central administration, Firewalls must be purchased, installed, and configured at each office location
What are the advantages and disadvantages of a screened host
Provides two layers of protection for home and small-business networks, Provides a single point of entry (and fault), firewall depends on the host computer and the router protecting it
What other SQL injection method invovles the query string used to send information to a database to probe web databases for vulnerabilites
Query Sting attacks
What is also a common authentication service in VPNs?
RADIUS
What does windows also provide support for other than RRAS?
RADIUS based logging
What is the preferred authentication method for VPN quarantine?
RADIUS server
What is the name of the server in a Microsoft network that can log local machine events and record them in the server's System, Security, and Application logs
RRAS (Routing and Remote Access Services)
What attack method records leaked radiation and radio waves coming from a machine and analyzes them to gain information about associated hardware, and sometimes bits of actual data can be captured.
Radiation monitoring (aka TEMPEST)
____ are made to permit smooth, rapid restoration of the LAN environment following interruption of LAN usage.
Recovery plans
A policy that defines necessary security measures before a remote desktop or wireless connection is added to an organization's network.
Remote access and wireless connection policy
The risk remaining after countermeasures and defenses are implemented.
Residual risk
Survivability of a network depends on what four key properties?
Resistance, Recognition, Recovery, Adaptation and evolution
The probability of incurring damage or loss
Risk
An attack method that exploits vulnerabilities of underlying hardware systems that leak data instead of exploiting vulnerabilities in a cryptographic algorithm.
Side channel attack
Which applets should only be allowed to run on Web browsers?
Signed applets
What are the advantages and disadvantages of software commercial personal firewalls?
Simple to install, economical, has auto configuration, not as full featured or robust has hardware or enterprise software firewalls, usually installed on single computer systems
What are the advantages and disadvantages of a Dual-homed host
Simple, economical; can provide effective protection if configured correctly, Provides a single point of entry, firewall depends entirely on the host computer
What feature for an access control list allows you to be very granular in choosing which TCP traffic to allow or deny, by default it drops or clears packets that are considered abnormal. You can use this feature to verify checksums, allow or drop packets that exceed the maximum TCP segment size, and allow or drop invalid ACK flags, among other things.
TCP normaliztion
For PPTP to be allowed through a firewall, what protocols must be allowed along with their protocol ID number?
TCP, 6, GRE, 47
Which of the following is a guideline for developing a firewall rule base? (Choose all that apply.) a. The rule base should restrict all Internet access. b. The rule base should restrict access to ports and subnets on the internal network from the Internet. c. The rule base should be as detailed as possible. d. The rule base should not interfere with application traffic.
The rule base should restrict access to ports and subnets on the internal network from the internet, the rule base should not interfere with application traffic
What are the drawbacks of Free Firewall Programs compared to commercial?
Their logging capabilities aren't as good, configuration can be difficult, no real time monitoring of traffic, no central management, no technical support
What is a main disadvantage of mesh VPNs? a. They are not reliable. b. There is a lack of confidentiality among peers. c. They are difficult to enlarge or change. d. The equipment must be the same at all sites.
They are difficult to enlarge or change
What is an issue with routing protocols?
They are not authenticated, therefore allowing attackers to modify them at will
An approach to risk analysis from the standpoint of threats and risks to an organization's assets and the consequences if those threats and risks occur.
Threat and Risk Assessment (TRA)
How can the VPN endpoints receive the encryption key?
Through a CA or IKE
The part of the KDC that creates and distributes session keys used by clients to access resources.
Ticket Granting Server (TGS)
A digital token sent from the Authentication Server to the client. The client presents this to the TGS to obtain a session key to access the resource.
Ticket granting ticket (TGT)
What method of attack is based on measuring how much time computations take to perform. Monitoring how long it takes to transfer key information can yield clues about key length or eliminate certain key lengths.
Timing attacks
For which of the following reasons would you consider creating a protected subnet within an already protected internal network? (Choose all that apply.) a. to protect customer information b. to protect management servers c. to protect the company's reputation d. to protect Web servers
To protect customer information, to protect management servers, to protect web servers
What term is a graphic that represents the volume of traffic between all possible pairs of sources and destinations in a given IP domain
Traffic matrix
The connection between two endpoints in a VPN
Tunnel
A method of key exchange that encrypts both the header and data components of a packet and encapsulates it within a new packet that has a different header.
Tunnel method encryption
Which protocols and ports must be allowed to pass when you are using L2TP and IPsec? (Choose all that apply.) a. protocol ID 50 b. UDP 500 c. TCP 50 d. protocol ID 1701
UDP 500, protocol ID 1701
What machines is Apache mainly installed on?
UNIX, Linux
A corporation with several branch offices has decided to maintain multiple firewalls, one to protect each branch office's network. What is the most efficient way to maintain these firewalls? a. Use a centralized security workstation. b. Send information about the security policy to each network administrator. c. Set up remote desktop management software. d. Broadcast configuration instructions periodically by e-mail.
Use a centralized security workstation
A cost-effective way for networks to create a secure private connection using public lines (usually the Internet). ____ endpoints establish connections (tunnels) to transmit and receive data, and then tear down the connections when they are no longer needed. Combinations of encryption, authentication, and encapsulation help ensure the confidentiality, privacy, and integrity of information.
VPN (Virtual Private Networks)
A hardware device designed to terminate VPNs and join networks
VPN appliance
A router or OS that initiates a connection to a VPN server
VPN client
A group of one or more computers that the VPN hardware and software handle as a single entity. This group uses the VPN to communicate with another domain.
VPN domain
What makes a VPN a cost-effective option? a. Computers can use the same hardware and software. b. It requires no administrative configuration to set up or maintain. c. Many VPN applications are available as shareware or freeware. d. VPNs use public Internet and ISP connections
VPNs use public Internet and ISP connections
Situations or conditions that increase threats, which in turn increase risk.
Vulnerability
Internet Information Services (IIS) is the Web server used in what systems?
Windows 2000, Windows XP Professional, Windows Server 2003, 2008, Windows Vista, and Windows 7.
What systems support VPN quarantine scripts?
Windows server 2008 R2, Threat Management Gateway 2010
How do you configure a dual homed host to act as a firewall for your network?
You disable the ability to forward packets on the computer, and how firewall software dictate what packets to forward to the rest of the network
Which free firewall program is so effective that before configuration is completed, you might lose your Internet connectivity when you first set it up. A correct configuration that allows only the software and IP addresses you want is critical to maintaining Internet connectivity.
ZoneAlarm
Describe the tiered system of the internet
a backbone network connected via network access points (NAPs) to reigional Internet service providers (ISPs), regional ISPs service Point of Presence ISPs that connect to business, education, or home entworks
A DMZ is . a. a trusted network b. a semitrusted network c. an untrusted network d. not actually a network
a semitrusted network
What is considered the simplest firewall setup?
a single router on the network perimeter configured to filter packets
When should you only use the PPTP for securing a VPN?
a small scale VPN that needs to support mobile users
At a minimum, the server security policy should encompass the following areas:
● Names and positions of IT staff who are responsible for operating and maintaining servers ●Specific identification for all servers, including serial numbers and part numbers ●Username and password security requirements ●Configuration details, including hardware and software versions ● Monitoring requirements and schedules as well as logging requirements ●Data and system backup requirements, storage, schedules, and responsibilities ●System audit requirements and schedules ●Policy compliance and enforcement
To minimize risks, you could specify the following measures in a security policy:
● Never leave company-owned laptops or handheld devices unattended. ●Always protect information on corporate devices with passwords. ●Encrypt any confidential information. ●Use passwords to protect all job records and customer information. ●Restrict access to personnel information to human resources staff and upper management.
What are the general rules a rule base should practice?
●A firewall or packet filter that follows a"deny all"security policy should begin by allowing services selectively as needed and end by blocking all other traffic. ●The rule base should keep everyone except network administrators from connecting to the firewall. Anyone who accesses the firewall could discover internal IP addresses and gain access to the internal network. ●The rule base should block direct access from the Internet to any computers behind the firewall or packet filter. All inbound traffic, in other words, should be filtered first. ●The rule base should permit access to public servers in the DMZ and enable users to access the Internet.
what are general rules that should be put in a sound physical security policy:
●A separate enclosed space should be set aside to house servers and other essential computer network components. ●The computer facility should be located on the building's ground floor. If the building is in an area prone to flooding or other forms of environmental hazards, the facility should be on a higher floor. ●The facility should have no windows and a limited number of doors—preferably one door, if the fire code permits. If possible, the facility should be located away from exterior building walls. ●All access points, including ventilation shafts, should have unbreakable coverings and be double locked. Access codes should be held by as few people as possible. Not everyone who works in the facility requires access codes. ●Access should be limited to people who work in the enclosed facility. If cleaning or maintenance workers have access to the facility, they should be supervised at all times by a facility staff member. ●Fire suppression and intrusion alarm systems should be in place. ●A 24-hour video surveillance system should be maintained and viewed regularly. ●Secure off-site storage should be arranged for backup data.
This third-party access policy should include the following points at a minimum:
●Access should be permitted only for company business. ●Third parties should be subject to a security screening process. ●Precise methods for allowing and denying connectivity should be defined. ●The duration of permitted access and the details of terminating access should be defined. ●Penalties and consequences for violating access terms should be defined because they are different from those for employees.
What parts does a incident response section cover?
●Alarms sent by intrusion detection and prevention systems ●Repeated unsuccessful logon attempts ● New user accounts that suddenly appear without explanation ● New files with unfamiliar filenames that appear on system servers ●Unexplained changes to data or deletion of records ●System crashes ●Poor system performance
On the other hand, putting the VPN server behind the firewall has the following disadvantages:
●All VPN traffic must travel through the firewall, which increases congestion and latency. ●The firewall must handle VPN traffic from the Internet to the VPN server. Getting the firewall to pass encrypted VPN traffic to the VPN server could require advanced configuration. ●The firewall might not know what to do with IP protocols other than ICMP, TCP, and UDP. Supporting VPNs that use IP protocols, such as ESP packets for IPsec or GRE packets for PPTP, could be challenging.
TRA has four steps:
●Asset definition—You identify the software, hardware, and information you need to defend. ●Threat assessment—You identify the kinds of threats that place the asset at risk, including vandalism, fire, natural disasters, and attacks from the Internet. Threat assessment also includes an evaluation of the probability and consequences of each threat. ●Risk assessment—You evaluate each asset for any existing safeguards, the severity of threats and risks to each asset, and the consequences of the threat or risk taking place. The combination of these factors creates an assessment of the actual risk to each asset. ●Recommendations—Based on the risks and current safeguards, you make recommendations to reduce the risks. These recommendations should then become part of a security policy.
Train employees to follow these simple guidelines for preventing phishing attacks:
●Check the browser address bar and footer. If a Web site does not have an HTTPS address or a lock icon, it is not a secure site, and no personal information should be entered. Also, the lock icon can be faked, so users should not believe that its presence indicates a secure site. ●If you get an e-mail from a company you are familiar with, call the company to confirm that the request is legitimate. Companies usually have an 800 number for this purpose. ●Forward any obvious phishing e-mails to the company being portrayed in the phishing attempt. PayPal and eBay, for example, have forwarding addresses set up for this purpose. ●Delete any unsolicited e-mails about foreign banking.
When should you have a security policy in a company?
●Employees work with confidential or proprietary information. ●Damage, theft, or corruption of systems or data could result in severe financial losses that endanger business continuity. ●The organization has trade secrets that are important to its goods or services. ●Employees regularly access the Internet and use e-mail or other means of electronic communication that could be attacked or infected. ●The company is part of an industry that is subject to state and federal regulations for information security and privacy. ●The company uses Internet connections with partner businesses or application service providers (ASPs)—companies that provide Web-based services for a fee.
Why has IPsec become the standard set of protocols for VPN security?
●IPsec works at Layer 3 and provides a type of security that is not available with protocols that work at Layer 2. ●IPsec can encrypt an entire TCP/IP packet instead of just the data portion, as with other protocols. ●IPsec was originally developed for use with IPv6, although it can also work with IPv4. ●IPsec provides authentication of source and destination computers before data is encrypted or transmitted.
What are a few basic concepts about building an effective security policy:
●If it is too complex, no one will follow it. In fact, users might circumvent it. ●If it hurts productivity, it will fail. ●It should state clearly what employees can and cannot do on company property and with company equipment. Avoid jargon or complex descriptions, but be as thorough as possible. ●Include general clauses to summarize statements. The corporate attorney might need to finetune the wording, but the italicized clause covers anything not specifically mentioned. ●People need to know why a policy is important. They are more likely to accept it as necessary if they understand it. ● When developing the policy, involve representatives of all departments, including rank-and-file employees. The benefits are twofold: First, you will design a more accurate and appropriate policy if you tailor it to fit the needs of people who actually use the systems. Second, by involving every level of the company, you give employees a personal stake in the process. This sense of ownership leads to a more involved attitude and better morale, which equates to a more effective and enforceable security policy. ●The policy should contain a clause that describes the consequences an employee could face for violating the policy. ●The policy must have support from the highest level of the company, and that support must flow down through the ranks. If management does not endorse or obey the policy, why should employees? ● Have all employees sign a document acknowledging their understanding of the policy and agreement to abide by it. ●Keep your security policy updated with current technologies. Remove outdated material that no longer applies or that has been integrated into another area. ● Make certain that your policy directives are consistent with applicable laws. Retaining legal counsel to review your policy draft might be prudent to make sure that all bases are covered and that the policy does not violate civil rights or other laws.
Incorporate the following best practices into your remote access and VPN policy:
●Plan the most secure deployment possible, and keep careful records of all changes. ●Use strong authentication methods. ●Require adequate password strength, length, and complexity, and require passwords to be changed frequently. Make sure that the password history setting is long enough to prevent the reuse of passwords. ● Have the remote access server use DHCP to assign addresses to remote clients or configure a static range of IP addresses on the VPN server so that it can assign addresses dynamically to remote clients. ●Log remote connections and use a centralized database or server for storing log files, if possible. ●Use VPN quarantine procedures, if available, to ensure policy compliance. ●Disable public peer-to-peer (P2P) file-sharing programs. If these programs are necessary for productivity, provide approved programs and ban all others. ●Preventing users from downloading and installing software is usually the safest route. ● Make sure that user accounts do not have full administrative access to their systems. ●Ensure strong encryption for data, especially passwords. ●Disable split tunneling. ●Require remote clients to be configured automatically to limit or eliminate user intervention. In general, you should prevent users from making security decisions. ●Disable or remove vulnerable protocols, such as Telnet, FTP, and rlogin. ●Use extra caution when configuring connectivity methods, especially wireless. Configure automatic disabling of wireless connectivity when users are connected directly or using another method of access. ●Prevent the use of removable storage devices, such as thumb drives or external hard drives, anywhere on the network. ●Install personal firewall and antivirus programs on remote devices and configure them for automatic updates. ● Make sure that remote clients are self-defending, which means remote users cannot disable or bypass security measures. Whenever possible, measures should take place automatically without user intervention. ● Manage user audit information so that remote users receive policy updates and transmit their audit data before connecting. ●Conduct regular user training on security topics.
A SIRT responds to security-related breaches and usually includes functions such as the following in its mission statement:
●Reacting to security breaches that originate outside or inside the organization ●Isolating, reviewing, and interpreting information about security incidents ●Assessing the extent of damage caused by a security incident ●Determining the causes of intrusions and other incidents and recommending countermeasures to prevent them from recurring ● Monitoring the integrity of the organization's network on an ongoing basis
The steps in SNA are as follows:
●System definition—First, you create an overview of the system's organizational requirements. You analyze system architecture while accounting for its hardware components, software installations, databases, servers, and other computers that store information. ●Essential capability definition—You identify a system's essential services and assets that are critical to fulfilling your organization's missions and goals. ●Compromisable capability definition—You design situations in which system intrusions occur and then trace the intrusion through your system architecture to identify what can be accessed and what sorts of damage can occur. ●Survivability analysis—You identify potential points of fault in the system—integral components that can be compromised. You then make recommendations for correcting the points of fault and for improving the system's resistance to intrusions and ability to recover from attacks, accidents, and other disasters.
Putting the VPN server behind the firewall has some advantages:
●The VPN server is completely protected from the Internet by the firewall. ●The firewall is the only device controlling access to and from the Internet. ● Network restrictions for VPN traffic are configured only on the VPN server, making it easier to create rule sets.
Placing a VPN server parallel to a firewall also includes the following disadvantages:
●The VPN server is connected directly to the Internet, making it an ideal target for attackers. ●If the VPN server becomes compromised, the attacker will have direct access to your internal network. ●The cost of supporting a VPN increases with the addition of new servers and extra support staff.
With inputting a quotation mark and having the SQL server respond with an error message, the attacker might be able to learn the following:
●The Web page is not well protected from intrusion. ●The database uses SQL Server and the Web server uses Internet Information Services. ●A careless administrator has not changed the default database username (sa). ●Pages are constructed with Active Server Pages (ASP), which could be a clue about the coding languages used on this Web site.
A phishing email has what characteristics?
●The e-mail is unsolicited and unexpected. ●The logo and other graphics are copies of corporate images and seem to be legitimate. ●The message uses a generic greeting instead of the recipient's real name. ●The message conveys a sense of urgency. The intent is to make readers hurry and perhaps overlook illegitimate aspects of the e-mail. ●Personal account information is requested, usually by asking that the information be confirmed. ●The e-mail contains a link that seems to be a secure HTTPS link. If you hover the mouse pointer over the link, however, the real Web page address appears at the lower left. Other links in the e-mail point to the same illegitimate link. ●Usually the link to which you are redirected is no longer active after several hours. Phishing attackers play a game of hit-and-run to elude authorities, so they do not remain stationary for long.
When reevaluating the organization's security policy, keep the following requirements in mind:
●The reviews need to be routine. ●Upper management must authorize the reassessment schedule. ●The organization needs to respond to security incidents as they occur. ●The organization needs to revise the security policy because of incidents and other identified risks.
What other security considerations should you take when performing web server security?
●The underlying Windows OS must be hardened and maintained ●A domain controller should not also function as an IIS Web server. Domain controllers should be kept in the protected internal network and separated from the Internet with firewalls. ●Place the Web server in a secure room. Restrict access to Web servers by using physical security measures ●Do not connect the IIS Web server to the Internet before it is fully hardened. ●Remove NTFS write and execute permissions when possible to minimize the risk of unauthorized users changing files or running programs. ●Grant permissions for modifying and viewing IIS logs to system and local administrators only. As an added precaution, store logs on another server, not the IIS Web server. ●Allow only the administrator to log on locally to the Web server. Secure services outside the OS, such as SQL Server, to prevent them from being exploited as user accounts. ●If you are serving Web pages to the Internet, place the Web server in a firewall protected DMZ.
What steps should you take to close all potential holes:
●Tighten database authentication and limit table access. Always require password access to the database, and never leave default usernames set up during installation. ●Use stored procedures to eliminate passing any SQL commands to the database. ●Validate all user entries to make sure they are formed properly. Perform this validation in several places if necessary. There should be two layers of validation: form-level validation at the browser before the Web page is submitted and server-level validation when the information reaches the server for processing. ●Place the Web server and database server in a network DMZ. ●Use nonstandard naming conventions in database construction. To thwart attackers, you should make database names, table names, and field names difficult to guess. ●Inevitably, database errors do occur, so configure a custom error message that does not reveal information for attackers to exploit. The standard 404 error message often reveals server information that attackers can use.
For example, the policy might contain the following rules:
●Users are not allowed to share accounts with other employees, visitors, or family members. ●Software may not be downloaded without prior approval. ●Users are not allowed to make copies of company-owned software. ●Users are required to use password-protected screen savers during the day and shut down their computers each night. ● Only IT staff members are allowed to add hard drives or install networking devices on office computers. ●The network administrator needs to assign a username and password to anyone who connects to the office network from a remote location. In addition, any remote PCs used to connect to the network must be protected with firewall and antivirus software.
Your security policy might include the following specifications for user account policies:
●Users are not permitted to gain access to an unauthorized resource. ●Users cannot block an authorized user from gaining access to an authorized resource. ●Users cannot give their account usernames and passwords to other people for any reason. If a password is lost or a user account is disabled, contact the administrator or help desk for assistance. ●Users must protect their usernames and passwords in a secure location that is not visible on their desktops. ●Users must abide by the password policy of the company, specifically: Passwords must meet complexity requirements. Strong passwords use a random combination of letters, numbers, and symbols, and use both uppercase and lowercase characters. Passwords must be at least eight characters. Passwords must not be words from the dictionary, names, dates, or other information that can be associated with the user or company. Passwords must be changed every 90 days. ●Users may not reuse old passwords for a period of one year.
Placing the VPN server parallel to the firewall has the following advantages:
●VPN traffic is not going through the firewall, so there is no need to modify firewall settings to support VPN traffic. ●This configuration can be scaled more easily. New VPN servers can be added without having to reconfigure the firewall. ●If the VPN server becomes too congested, you can add another server and distribute the load.
Putting the VPN on a firewall has the following advantages:
●You can control all network access security from one server. ●You have fewer computers to manage, meaning less chance of configuration mistakes. ●You can create and manage rules that apply to your VPN traffic with the same tools you already use to manage your firewall.
Installing the VPN on a firewall carries disadvantages as well:
●You have one server controlling all network access security. Any errors in configuring the VPN or firewall could leave your network open to attack. ●You must make sure to configure routes carefully so that traffic goes through the correct interfaces. ●Incorrect configuration of the firewall or VPN rules could allow traffic from the Internet to get past your security. ●Internet access and VPN traffic compete for resources on the server, so a more powerful computer might be necessary.