Misy 5320 Quizzes for the final
Which term describes a piece of code that is distributed to allow additional functionality to be added to an existing program?
Add-on
How does an IPS differ from an IDS?
An IPS is passive and an IDS is active.
Which component of an IDS examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database?
Analysis engine
What is one difference between the misuse and anomaly IDS models?
Anomaly models require knowledge of normal activity, whereas misuse models do not.
____________________ is a system that uses digital signatures and allows Windows users to determine who produced a specific piece of code and whether or not the code has been altered.
Authenticode
Which attack technique involves sending an unauthorized message to another Bluetooth device?
Bluejacking
An attacker who uses Bluetooth to copy e-mails, contact lists, or other files on a device is __________.
Bluesnarfing
An attacker purposely sends a program more data for input than it was designed to handle. What type of attack does this represent?
Buffer overflow
Microsoft produced a forensic tool for law enforcement called ____________________.
COFEE
Which term refers to a specific technique of using an HTTP client to handle authentication on a wireless network?
Captive portal
What is a method of establishing authenticity of specific objects, such as an individual's public key or downloaded software?
Certificates
What is one security issue associated with WTLS?
Clients with low memory or CPU capabilities cannot support encryption.
Which alternative site provides the basic environmental controls necessary to operate, but has few of the computing components necessary for processing?
Cold site
Which indicator of compromise (IOC) standard is a method of information sharing developed by MITRE?
Cyber Observable eXpression (CybOX)
A person registers a domain name, relinquishes it in less than five days, and then gets the same name again. She repeats this cycle over and over again. What term describes this practice?
DNS kiting
Which backup requires a small amount of space and is considered to have a complex restoration process?
Delta
What is an advantage of detecting indicators of compromise (IOCs)?
Detecting IOCs is a quick way to jumpstart a response element.
Oral testimony that proves a specific fact with no inferences or presumptions is which type of evidence?
Direct evidence
Which plan defines the data and resources necessary and the steps required to restore critical organizational processes?
Disaster recovery plan (DRP)
Which access control type would you use to allow a file or resource owner the ability to change the permissions on that file or resource?
Discretionary access control
In an "old school" attack, which step is a listing of the systems and vulnerabilities to build an attack game plan.
Enumeration
What application is associated with TCP Ports 20 and 21?
FTP
What application is associated with TCP Ports 989 and 990?
FTPS
Which plug-in helps a browser maintain an HTTPS connection and gives a warning when it is not present?
HTTPS Everywhere
Which of the following has the least volatile data?
Hard disk
Which term refers to a key measure used to prioritize actions throughout the incident response process?
Information criticality
____________________ is a form of denial of service, specifically against the radio spectrum aspect of wireless.
Jamming
Which term is a mechanism where traffic is directed to identical servers based on availability?
Load balancing
What term refers to a piece of code that sits dormant for a period of time until some event invokes its malicious payload?
Logic bomb
How do most advanced persistent threats (APTs) begin?
Most APTs begin through a phishing or spear phishing attack.
What DRP category would a business function fall under if an organization could last without that function for up to 30 days before the business was severely impacted?
Necessary for normal processing
What tool is the protocol/standard for the collection of network metadata on the flows of network traffic?
NetFlow
Which term refers to the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions?
Network security monitoring (NSM)
Which term refers to a hardware device that can be placed inline on a network connection and that will copy traffic passing through the tap to a second set of interfaces on the tap?
Network tap
Which browser plug-in allows the user to determine which domains have trusted scripts?
NoScript
Which protocol involves a two-way handshake in which the username and password are sent across the link in cleartext?
PAP
What name is given to a logical storage unit that is subsequently used by an operating system?
Partition
____________________ management is the process of restricting a user's ability to interact with the computer system.
Privilege
____________________ is a process of isolating an object from its surroundings, preventing normal access methods.
Quarantine
Which RAID configuration, known as striped disks, simply spreads the data that would be kept on the one disk across several disks?
RAID 0
Which RAID configuration, known as mirrored disks, copies the data from one disk onto two or more disks?
RAID 1
Which RAID configuration is known as bit-level error-correcting code and not typically used, as it stripes data across the drives at the bit level as opposed to the block level?
RAID 2
Tangible objects that prove or disprove fact are what type of evidence?
Real evidence
Which strategy is focused on backup frequency?
Recovery point objective (RPO)
Which type of attack occurs when the attacker captures a portion of a communication between two parties and retransmits it at a later time?
Replay
Which access control type would be used to grant permissions based on the specific duties that must be performed?
Role-based access control
Which access control type allows a company to restrict employee logon hours?
Rule-based access control
A(n) ____________________ has the ability to copy network traffic passing through one or more ports on a switch or one or more VLANs on a switch and forward that copied traffic to a port designated for traffic capture and analysis.
SPAN
What protocol has its origins as a replacement for the insecure Telnet application from the UNIX operating system?
SSH
When using Secure FTP (SFTP) for confidential transfer, what protocol is combined with FTP to accomplish this task?
Secure Shell (SSH)
What is a software bomb?
Software that can destroy or modify files when commands are executed on the computer
What type of software records and reports activities of the user (typically without their knowledge)?
Spyware
The process of taking control of an already existing session between a client and a server is known as __________.
TCP/IP hijacking
Which statement describes the primary purpose of JavaScript?
The primary purpose of JavaScript is to enable features such as validation of forms before they are submitted to the server.
What should an incident response team do when they are notified of a potential incident?
The team should confirm the existence, scope, and magnitude of the event and then respond accordingly.
Which term refers to a unique alphanumeric identifier for a user of a computer system?
Username
What term refers to an attacker's attempt to discover unprotected modem connections to computer systems and networks?
War-dialing
An 802.11 device marked as Wi-Fi Certified adheres to the standards of the __________.
Wi-Fi Alliance
Which advanced malware tool assists security engineers in hunting down malware infections based on artifacts that the malware leaves behind in memory?
Yara
A(n) ____________________ is an 802.11 management frame for the network and contains several different fields, such as the time stamp and beacon interval, but most importantly the SSID.
beacon frame
The so-called WAP gap involves the __________ of information where the two different networks meet, the WAP gateways.
confidentiality
A honeypot is sometimes called a(n) __________.
digital sandbox
The hashing algorithm applies mathematical operations to a data stream (or file) to calculate some number, the ____________________, that is unique based on the information contained in the data stream (or file).
hash
A(n) ____________________ is an artificial environment where attackers can be contained and observed, without putting real systems at risk.
honeypot
The ____________________is used in wireless systems as the randomization element at the beginning of a connection.
initialization vector
A(n) ____________________ is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it.
integer overflow
Once you realize you need to preserve evidence, you must use a(n) ____________________, or litigation hold, process by which you properly preserve any and all digital evidence related to a potential case.
legal hold
The term __________ refers to software that has been designed for some nefarious purpose.
malware
A __________ is a software or hardware device that is used to observe traffic as it passes through a network on shared broadcast media.
network sniffer
A(n) ____________________ is a connection to a Windows interprocess communications share (IPC$).
null session
If the characteristics of an incident include a large number of packets destined for different services on a machine, a(n) ____________________ is occurring.
port scan
Evidence that is material to the case or has bearing on the matter at hand is known as __________.
relevant evidence
Remote authentication usually takes the common form of an end user submitting his credentials via an established protocol to a(n) ____________________, which acts upon those credentials, either granting or denying access.
remote access server
A(n) ____________________ relationship means that the trust relationship extended to one domain will be extended to any other domain trusted by that domain.
transitive trust
When analyzing computer storage components, a system specially designed for forensic examination, known as a forensic____________________, can be used.
workstation
____________________ is a standardized schema for the communication of observed data from the operational domain.
Cyber Observable eXpression
Which term defines a collection of predefined activity patterns that have already been identified and categorized—patterns that typically indicate suspicious or malicious activity?
Signature database
