CTI 120 ch14

How can packet sniffing and port scanning software be used to improve the security of your network?

**Use a packet sniffer to examine network traffic. It can look for specific types of traffic that should not be on your network or for traffic types associated with known attacks. **Use a port scanner to check for open ports on a system or a firewall. Compare the list of opened ports with the list of ports allowed by your network design and security policy.

Which of the following activities are considered passive in regards to the function of an intrusion detection system? (Select two.) -Disconnecting a port being used by a zombie -Monitoring the audit trails on a server -Listening to network traffic -Transmitting FIN or RES packets to an external host

-Monitoring the audit trails on a server -Listening to network traffic

Creating fake resources such as honeypots, honeynets, and tarpits fulfills which of the following main intrusion detection and prevention goals? (Select two.) -Detect attacks that are unique to the services on valid system resources and monitor application activity. -Reveals information about an attacker's methods and gathers evidence for identification or prosecution purposes. -Entices attackers to reveal their IDS signatures, which can then be matched to known attack patterns. -Offers attackers a target that occupies their time and attention while distracting them from valid resources. -Lures attackers into a non-critical network segment where their actions are passively monitored and logged, then shuns the attacker by simply dropping their connection. -Detect anomalous behavior that varies from standard activity patterns, also referred to as heuristic recognition.

-Reveals information about an attacker's methods and gathers evidence for identification or prosecution purposes. -Offers attackers a target that occupies their time and attention while distracting them from valid resources.

What actions can a typical passive intrusion detection system (IDS) take when it detects an attack? (Select two.) -The IDS logs all pertinent data about the intrusion. -LAN-side clients are halted and removed from the domain. -An alert is generated and delivered via email, the console, or an SNMP trap. -The IDS configuration is changed dynamically, and the source IP address is banned.

-The IDS logs all pertinent data about the intrusion. -An alert is generated and delivered via email, the console, or an SNMP trap.

An active IDS system often performs which of the following actions? (Select two.) -Update filters to block suspect traffic. -Trap and delay the intruder until the authorities arrive. -Request a second logon test for users performing abnormal activities. -Perform reverse lookups to identify an intruder.

-Update filters to block suspect traffic. -Perform reverse lookups to identify an intruder.

What is the advantage of using a network based IDS instead of a host-based?

-cannot be detected by attacking systems =suited for detecting and blocking port scanning and DoS attacks.

Match the port security MAC address type with its description. -SecureConfigured -SecuredDynamic -SecureSticky ----------------------------- -A MAC address manually identified as an allowed address. -A MAC address that has been learned and allowed by the switch. -A MAC address that is manually configured or dynamically learned that is saved in the config file.

A MAC address manually identified as an allowed address. SecureConfigured A MAC address that has been learned and allowed by the switch. SecureDynamic A MAC address that is manually configured or dynamically learned that is saved in the config file. SecureSticky

Secure Dynamic Address

A MAC address that has been dynamically learned and allowed by the swich. SecureDynamic addresses are only saved in the MAC address table in RAM and are not added to the configuration file.

SecuredConfigured Address

A MAC address that has been manually identified as an allowed address.

SecureSticky address

A MAC address that is manually configured or dynamically learned and saved.

Black box test

A black box test(also called a zero knowledge test) is where the tester has no prior knowledge of the target system.

NAP client

A client that has NAP-aware software, either through the operating system or through other components. Clients software generates a Statement of Health(SoH) that reports the client configuration for health requirements.

Network Access Protection(NAP)

A collection of components that allow administrators to regulate network access and communication based on a computer's compliance with health requirement policies.

double-blind test

A double blind test is where the penetration tester does not have prior information about the system and the network administrator has no knowledge that the test is being performed.

Grey box test

A grey box test(also called a partial knowledge test) is where the tester has the same amount of information that would be available to a typical insider in the organization.

Honeynet

A honeynet is a network of honeypot. **set up with purposeful vulnerabilities; its purpose is to request attack, so that an attacker's actions and approaches can be studied and that information used to increase network safety.

Honeypot

A honeypot is a device or virtual machine that entices intruders by displaying a vulnerability, displaying a configuration flaw or appearing to contain valuable data.

Penetration testing

A penetration test (pen test) is an authorized simulated security attack on the network and is conducted from outside the organization's security perimeter.

Physical penetration

A physical penetration test is where the tester attempts to physically enter a building without authorization, access servers or workstations, access wiring closets, and shut down power or other services.

Port violation

A port violation occurs when the maximum number of MAX addresses has been seen on the port and an unknown MAC address is then seen.

How does a port violation occur? How can you resolve it?

A port violations occurs when the maximum number of MAC address has been seen on the port, and an unknown MAC address is then seen. Resolutions: -shutdown the port -drop all frames from the unauthorized MAC addresses -drop all frames and generate an SNMP trap.

single blind test

A single blind test is where one side has advanced knowledge, such as the attacker or defender.

Intrusion Detection System (IDS)

A special network device that can detect attacks and suspicious activity.

Tarpit (sticky honeypot)

A tarpit is a honeypot that answers connection requests in such a way that the attacking computer is stuck for a period of time.

White box test

A white box test(also called a full-knowledge test) is where the tester has detailed information prior to starting the test.

A security administrator is conducting a penetration test on a network. She connects a notebook system running Linux to the wireless network and then uses NMAP to probe various network hosts to see which operating system they are running. Which process did the administrator use in the penetration test in this scenario? Network enumeration Passive fingerprinting Firewalking Active fingerprinting

Active fingerprinting Active fingerprinting is a form of system enumeration that is designed to gain as much information about a specific computer as possible. It identifies operating systems based upon ICMP message quoting characteristics. Portions of an original ICMP request are repeated (or quoted) within the response, and each operating system quotes this information back in a slightly different manner. Active fingerprinting can determine the operating system and even the patch level.

Electronic penetration

An electronic penetration test is where the tester attempts to gain access and information about computer systems and the data on those systems using methods, such as system scanning, port scanning, network monitoring, sniffing and fingerprinting(or footprinting).

Intrusion Prevention System (IPS)

An intrusion prevention system (IPS) that can stop the malicious traffic before it makes it to the rest of your network.

Operations penetration

An operations penetration test is where the tester attempts to gain as much information as possible using methods, such as dumpster diving, over the shoulder reconaissance, and social engineering.

You are concerned about protecting your network from network-based attacks from the internet. Specifically, you are concerned about zero day attacks (attacks that have not yet been identified or that do not have prescribed protections). Which type of device should you use? Host-based firewall Anti-virus scanner Signature-based IDS Anomaly-based IDS Network-based firewall

Anomaly-based IDS

What does a tarpit specifically do to detect and prevent intrusion into your network? Answers connection requests in such a way that the attacking computer is stuck for a period of time. Passively monitors and logs suspicious activity until it detects a known attack pattern, then shuns the intruder by dropping their connection. Uses a packet sniffer to examine network traffic and identify known attack patterns, then locks the attacker's connection to prevent any further intrusion activities. Entices intruders by displaying a vulnerability, configuration flow, or data that appears to be of value.

Answers connection requests in such a way that the attacking computer is stuck for a period of time.

You are the network administrator for a city library. Throughout the library, there are several groups of computers that provide public access to the internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so only the library computers are permitted connectivity to the internet. What can you do to fix this problem? Configure port security on the switch. Remove the hub and place each library computer on its own access port. Create a VLAN for each group of four computers. Create static MAC addresses for each computer and associate them with a VLAN.

Configure port security on the switch.

control and reporting

Control and reporting is the process of documenting the following in as much detail as possible: -the level of access or control that was gained during the test. -Methods used during the penetration test. -Services and systems exploited.

A network switch detects a DHCP frame on the LAN that appears to have come from a DHCP server that is not located on the local network. In fact, it appears to have originated from outside the organization's firewall. As a result, the switch drops the DHCP message from that server. Which security feature was enabled on the switch to accomplish this? IGMP snooping Port security Dynamic ARP inspection DHCP snooping

DHCP snooping

What does DHCP snooping do on your network?

DHCP snooping filters out untrusted DHCP messages. An untrusted DHCP message is received from outside the network or firewall.

Which of the following actions should you take to reduce the attack surface of a server? Disable unused services. Install the latest patches and hotfixes. Install anti-malware software. Install a host-based IDS.

Disable unused services.

A network switch is configured to perform the following validation checks on its ports: *All ARP requests and responses are intercepted. *Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding. *If the packet has a valid binding, the switch forwards the packet to the appropriate destination. *If the packet has an invalid binding, the switch drops the ARP packet. Which security feature was enabled on the switch to accomplish this task? IGMP snooping DHCP snooping Port security Dynamic ARP Inspection

Dynamic ARP Inspection

Enforcement Server (ES)

ES( also called an enfortcement point) is the connection point for clients to the network. Clients connect to the ES, submitting the SoH for validation. The ES forwards the SoH to the NAP server for validation. When the response from the NAP server is received, the ES allows or denies network access.

Fingerprinting

Fingerprinting(also called footprinting) scans a target system to identify the operating system, the patch level, and the applications and services available on it.

gaining access

Gaining acces is the act of performing the exploit. A successful exploit on a service or application typically leads to an attempt to elevate privilege to local administrator or domain administrator and grant more privileges to the system or the entire network.

Match the network access protection (NAP) component with its description: -NAP Client -NAP server -Enforcement Server(ES) -Remediation server =================================== -Generates a statement of health (SoH) that reports the client configuration for health requirements. -Runs the System Health Validator (SHV) program. -Is clients' connection point to the network -Contain resources accessible to non-compliant computers on the limited-access network.

Generates a statement of health (SoH) that reports the client configuration for health requirements.---NAP client Runs the System Health Validator (SHV) program.---NAP server Is clients' connection point to the network.---Enforcement server (ES) Contain resources accessible to non-compliant computers on the limited-access network.--- Remediation server

As a security precaution, you have implemented IPsec between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? VPN concentrator Port scanner Host-based IDS Network-based IDS Protocol analyzer

Host-based IDS

What security mechanism can be used to detect attacks originating on the internet or from within an internal trusted subnet? Biometric system IDS Security alarm Firewall

IDS

Which of the following are security devices that perform stateful inspection of packet data, looking for patterns that indicate malicious code? (Select two.) IPS Firewall VPN IDS ACL

IDS IPS

You are concerned about attacks directed at your network firewall. You want to be able to identify attacks and be notified of attacks. In addition, you want the system to take immediate action when possible to stop or prevent the attack. Which tool should you use? Packet sniffer Port scanner IDS IPS

IPS

What is the difference between operations penetration testing and electronic penetration testing?

In operations- the attacker physically goes to places to find out

You have decided to perform a double-blind penetration test. Which of the following actions should you perform first? Engage in social engineering. Run system fingerprinting software. Inform senior management. Perform operational reconnaissance.

Inform senior management.

What should you do regularly when using a signature-based IDS?

Keep it updated

Members of the sales team use laptops to connect to the company network. While traveling, they connect their laptops to the internet through airport and hotel networks. You are concerned that these computers will pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless anti-virus software and the latest operating system patches have been installed. Which solution should you use? NAC DMZ NAT NIDS VLAN

NAC

network enumeration

Network enumeration(also called network mapping) involves a thorough and systematic discovery of as much of the corporate network as possible. Vulnerability scanners are an important part of network enumeration.

A security administrator is conducting a penetration test on a network. She connects a notebook system to a mirror port on a network switch. She then uses a packet sniffer to monitor network traffic to try and determine which operating systems are running on network hosts. Which process did the administrator use in the penetration test in this scenario? Network enumeration Firewalking Passive fingerprinting Active fingerprinting

Passive fingerprinting

passive reconnaissance

Passive reconnaissance is an attempt to gain data about targeted network and computers without directly affecting the target.

Which of the following uses hacking techniques to proactively discover internal vulnerabilities? Inbound scanning Passive reconnaissance Reverse engineering Penetration testing

Penetration testing

Properly configured passive IDS and system audit logs are an integral part of a comprehensive security plan. What step must be taken to ensure that the information is useful for maintaining a secure environment? -Periodic reviews must be conducted to detect malicious activity or policy violations. -All logs should be deleted and refreshed monthly. -The accounting department must compress the logs on a quarterly basis. -All files must be verified with the IDS checksum.

Periodic reviews must be conducted to detect malicious activity or policy violations.

You manage a network that uses switches. In the lobby of your building are three RJ45 ports connected to a switch. You want to make sure that visitors cannot plug in their computers into the free network jacks and connect to the network, but you want employees who plug into those same jacks should be able to connect to the network. What feature should you configure? Bonding Mirroring Spanning tree Port authentication VLANs

Port authentication

You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use? Packet sniffer Port scanner IPS System logs IDS

Port scanner

Which type of security uses MAC addresses to identity devices that are allowed or denied a connection to a switch? Traffic shaping Port security Secure Sockets Layer MAC spoofing

Port security

A network utilizes a network access control (NAC) solution to protect against malware. When a wired or wireless host tries to connect to the network, a NAC agent on the host checks it to make sure it has all of the latest operating system updates installed and that the latest antivirus definitions have been applied. What is this process called? Remediation Quarantine Port security Posture assessment

Posture assessment

You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access to all network devices except for a special server that holds the patches that the computers need to download. Which of the following components will be part of your solution? (Select two.) Remediation servers DMZ 802.1x authentication Honeypot Extranet

Remediation servers 802.1x authentication

Remediation Server

Remediation servers are a set of resources that a non-compliant computer can access on the limited access network. The purpose of a remediation server is to provide the resources necessary for non compliant clients to become compliant. For example, remediation servers might hold operating system patches or antivirus definition files.

Which of the following activities are typically associated with a penetration test? (Select two.) -Interviewing employees to verify the security policy is being followed -Running a port scanner -Running a vulnerability scanner on network servers -Attempting social engineering -Creating a performance baseline

Running a port scanner Attempting social engineering

Which of the following is the most common detection method used by an IDS? Anomaly Heuristic Behavior Signature

Signature

What type of recognition method is used by most virus scanning software?

Signature recognition

system enumeration

System enumeration is the process of gaining as much information about a specific computer as possible. System enumeration initiates fingerprinting.

target selection

Target selection is the process of identifying servers that appear available. An attack typically involves targeted servers that present the path of least resistance and are the easiest to exploit.

If maintaining confidentiality is of the utmost importance to your organization, what is the best response when an intruder is detected on your network? Delay the intruder. Monitor the intruder's actions. Terminate the intruder's session. Record audit trails about the intruder.

Terminate the intruder's session.

What is the primary purpose of penetration testing? Test the effectiveness of your security perimeter. Assess the skill level of new IT security staff. Evaluate newly deployed firewalls. Infiltrate a competitor's network

Test the effectiveness of your security perimeter.

NAP Server

The NAP server is responsible for keeping track of health requirements and verifying that clients meet those requirements before gaining access. A Windows server running the Network Protection Service role is a NAP server.

How does an IPS differ from an IDS?

The main difference between them is that IDS is a monitoring system, while IPS is a control system. IDS doesn't alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP addres

Why should you perform a penetration test on your network?

To identify and address vulnerabilities in your network.

ou have just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis? Update the signature files. Check for backdoors. Modify clipping levels. Generate a new baseline.

Update the signature files.

Your company is a small start-up that has leased office space in a building shared by other businesses. All businesses share a common network infrastructure. A single switch connects all devices in the building to the router that provides internet access. You would like to make sure that your computers are isolated from computers used by other companies. Which feature should you request to have implemented? Port security VPN Spanning tree VLAN

VLAN

What is the main difference between vulnerability scanning and penetration testing? -Vulnerability scanning uses approved methods and tools; penetration testing uses hacking tools. -Vulnerability scanning is performed with a detailed knowledge of the system; penetration testing starts with no knowledge of the system. -Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter. -The goal of vulnerability scanning is to identify potential weaknesses; the goal of penetration testing is to attack a system.

Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter.

In which of the following situations would you use port security? -You want to control the packets sent and received by a router. -You want to restrict the devices that could connect through a switch port. -You want to prevent sniffing attacks on the network. -You want to prevent MAC address spoofing.

You want to restrict the devices that could connect through a switch port.

Which of the following types of penetration test teams will provide you information that is most revealing of a real-world hacker attack? Partial knowledge team Full knowledge team Split knowledge team Zero knowledge team

Zero knowledge team

How does black box testing differ from grey box testing?

black box is zero knowledge on the side of the tester while grey box tester has knowledge similar to a typical insider.

Which type of penetration testing provides you with the most accurate results regarding your network's vulnerabilities?

electronic penetration

What is the difference between enforcement and remediation servers?

enforcement- upholds the rules of the system. Either denies or allows passage into the network. remediation-helps uncompliant systems get fixed up before they can access the network. "set of resources"

Which devices can you use to discover open ports?

port scanner

How does SecureDynamic differ from SecureSticky?

securedynamic- MAC address that has been learned and allowed by the switch. securesticky- MAC address that is manually configured or dynamically learned and saved.

How does DAI validate ARP packets on the network?

switch ports that are connected to other switches are configured as trusted. Switchports connected to network hosts are configured to be untrusted. -When DAI is enabled, the switch performs several validation checks on an untrusted port: *all ARP requests and responses are intercepted. *Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding. Valid IP-to-MAC address bindings are stored in the DHCP snooping binding database. *If the packet has a valid binding, the switch forwards the packet to the appropriate destination. *If the packet has an invalid binding, the switch drops the ARP packet.

In which stage of penetration testing do you create a fingerprint of your system?

system enumeration