ITN 266 - Test Your Understanding
In directory access commands and URLs, what does ".." represent?
the parent directory
In PKE, what combined message does the supplicant send?
the plaintext plus the digital signature
What are the odds of correctly identifying a person based on their ZIP code, date of birth, and gender? Why?
87%. Given enough linking attributes you will form a statistically unique profile. It doesn't take many, as was demonstrated by just these 3 elements.
What is a DMZ?
A subnet that contains all of the servers and proxy firewalls that must be accessible to the outside world.
Who is likely to engage in espionage against a firm?
Competitors and advanced persistent threats from outside nations.
Distinguish between Trojan Horses and Rootkits
A Trojan is malware that pretends to be another program to sneak onto a device. A rootkit is a program that takes over root access privileges and hides its own presence. A rootkit may or may not start out as a Trojan.
What is shadowing?
A backup copy of every file being worked on is written every few minutes to a storage location.
What is incremental backup (be precise)?
A backup of only the data that has changed since the most recent backup of any kind, whether that was the last incremental backup or a full backup.
Where is the heavy authentication work done in 802.1X?
A central authentication server.
In codes, what do code symbols represent?
A code symbol will represent complete words or phrases.
What are the two advantages of quantum key distribution?
A key as long as the message itself, used only once, is a one-time pad that cannot be broken by cryptanalysis; and any attempt to eavesdrop on the key as it is distributed disturbs the quantum states, so the communicating parties can detect the interception.
What is quantum key distribution?
A method that creates a one-time key that is as long as the entire message
How long may WEP take to crack today?
A minute or two
What is parity?
A parity drive stores the result of XORing the bits on all of the other drives.
What is multilevel security?
A system that rates documents by sensitivity (confidential, secret, top secret, etc.)
What is spyware?
A term that refers to a broad spectrum of Trojan horse programs that gather information on the user and make it available to an attacker.
In the world of firewalls, what is a state?
A time period or phase of a connection.
Name three terms that successful attacks are commonly called
Security incidents, breaches, compromises
Which strong symmetric key encryption cipher can be used with small mobile telephones?
AES is efficient enough to be used on cellphones.
Can ARP poisoning be used outside the LAN? Why or Why not?
No. ARP is not routed; it operates only within a single LAN (one broadcast domain), so ARP poisoning can only be carried out from a host on that LAN.
Could a honeypot attract unwanted attention from attackers?
Absolutely, by all appearances it is a vulnerable server, so it is ripe for attack as far as the outside world is concerned.
What is Microsoft's directory server product?
Active Directory
What are some of the advantages of using virtual machines?
It lets system administrators create a single security baseline image for every host in the organization. Additional machines can be cloned in minutes instead of hours or days, and cloning reduces the risk of misconfiguration during setup. It removes the need to install applications, patches or service packs on many machines separately, reduces the labor cost of server administration, development, testing and training, increases fault tolerance and availability, and can reduce energy costs.
How can terrorists use IT?
IT lets terrorists damage a nation's financial, communication and utility infrastructure. More commonly, they use the Internet for recruitment and to coordinate activities. IT attacks can also reinforce physical attacks by disrupting communications, making the response more difficult.
Which security concerns are specific to cloud computing? Why?
Almost all cloud deployments rely upon a third-party service provider, and this often gives them access and control over critical systems and data. It can be difficult to verify a service provider's compliance with industry standards.
What can users do to enhance browser security?
Always apply patches and upgrades.
Why is limiting the size of log files necessary but unfortunate?
An event that spans log files is much more difficult to detect and analyze
Give two reasons why assigning security measures to groups is better than assigning security measures to individuals within groups
Applying security changes to groups requires less labor than redoing accounts individually, and applying security measures to groups tends to produce fewer errors.
What are jurisdictions?
Areas of responsibility within which different government bodies can make and enforce laws, but beyond which they cannot.
When is the best time to create a technical security architecture?
As early as possible
Where is an application proxy firewall placed relative to the webserver?
It sits between the webserver and the outside network (the clients), relaying and inspecting application-layer messages in both directions.
Compare the focus of COSO with that of CobiT
COSO focuses broadly on corporate internal and financial controls whereas CobiT specifically focuses more on controlling the entire IT function
What are the main goals of DoS attacks?
Cause harm in the form of lost sales, productivity, industry reputation or customer loyalty.
Name the three common security goals.
Confidentiality, Integrity, Availability
Briefly explain each security goal.
Confidentiality- Preventing unauthorized parties from reading information either at rest or in transit. Integrity- Preventing unauthorized parties from altering or destroying information. Availability- Ensuring those that are authorized to access information will be able to do so.
How can disk arrays ensure data reliability and availability?
Configure multiple hard drives as an array within a single system. (RAID).
What is DRM? Give an example of how DRM works
Digital Rights Management. It restricts what people can do with data; for example, a document can be marked so that it may be viewed but not printed, copied or forwarded.
Is encryption widely used in e-mail?
End-to-end email encryption is not often employed by corporations.
How can information be gathered from encrypted network traffic?
Even encrypted traffic can reveal the sender's IP and target IP as well as the DNS used to resolve the host name.
What is the Danvers Doctrine?
It is a long-term program of the IETF with the goal of adding strong security to all of its supervisory and application protocols.
Are most packets part of the connection-opening state or the ongoing communication state?
Most packets are part of the communication state.
Give some examples of use restrictions that a company may wish to impose on a document
Prevent music files from being copied to another storage medium
Why are MSSPs likely to do a better job than IT security department employees?
Given the idle time of an in-house security team, they are less likely to be well practiced and execute a proper response to an incident. An MSSP, on the other hand, will have a full team of well experienced individuals who deal with real-world incident response every day.
List the four steps in business process analysis
Identify a firm's major processes and rate the importance of each, Prioritize business processes, Specify which resources each process needs, Specify actions and sequences.
Why is it usually not a problem that HMACs fail to provide non-repudiation?
HMACs are usually used in exchanges that both parties enter into willingly, so neither has a reason to deny sending. For matters like contracts, where non-repudiation matters, digital signatures (public key authentication) can be used instead.
What should you tell employees before you begin electronic monitoring?
Inform them ahead of time and explain why it is being done.
Why can a firewall keep up with traffic in general but fail to do so in a major attack?
Firewalls have a limited capacity. Some major attacks can exceed this capacity
What is piggybacking?
Following someone through a secure door without your own access code. Often called tailgating as well.
Distinguish between ingress and egress filtering
Ingress filtering examines packets coming in from outside the network, egress filtering examines packets exiting the internal corporate network
What two protections should be applied to spreadsheets?
Extensive testing for both errors and fraud indicators. Also, the use of spreadsheet vault servers.
How can SQL injection be prevented?
Input validation/ sanitizing input
At what layer does IPSec operate?
Internet layer
Are antivirus servers limited to looking for viruses? Explain
No. Antivirus servers also scan for other malware such as worms, Trojan horses and spyware, and many also filter spam and other unwanted content.
In a stack overflow, what is overwritten by the overflow?
It overwrites the return address.
What two types of communication does the media gateway translate between the VoIP network and the PSTN?
Transport (the voice stream) and signaling. For transport it translates between the two networks' codecs and transport technologies; for signaling it translates between their signaling systems.
Why is it called mobile code?
It travels from the webserver to the user's PC.
What is blind SQL injection?
It uses a series of SQL statements that produce different responses based on true/false questions, or timed responses.
How does a reflected attack work?
It uses responses from legitimate services to overwhelm a victim. The attacker sends spoofed requests to legitimate servers, and they all send responses to the victim device.
What does degaussing do?
It utilizes a very strong magnetic field to destroy the data stored on hard drive platters
How do companies address the risk of losing encryption keys?
Key escrow
What two cryptographic protections does an HMAC provide?
Message integrity, and authentication
What are the two most critical fields in a digital certificate?
Name of the true party, True party's public key.
Is JavaScript a scripted form of Java?
No, it's a different language
Why is it less error prone?
Once you have a working set of permissions for a role the permissions will not need to be tampered with.
What standard do most central authentication servers follow?
RADIUS
What are the four ways of responding to risk?
Reduce, Accept, Transfer, Avoid
What are the advantages of cloud computing?
Reduced costs, reliability, disaster recovery, lower chance of data loss, scalability, agility, and accessibility.
What authentication mechanisms are common on IP telephones?
Requiring a username/password or PIN.
What authentication method or methods does outer authentication use?
SSL/TLS
How can many DRM protections against unauthorized printing be circumvented?
Take a screenshot of the document
What does a system administrator manage?
They manage hosts or individual groups of hosts.
What is VoIP?
Voice over IP
What was the first core wireless security standard?
WEP
List the four types of fixes for vulnerabilities
Workarounds, Patches, Service Packs, Upgrading to a new version of the program.
Which device acts as a relay between wired and wireless networks?
an access point
Why is it important to get approval in writing before conducting a vulnerability test?
You are intentionally running attacks against your systems. This may be against company policy or even illegal if done without permission. It may also damage systems.
Why are interorganizational systems dangerous?
You are linking some of your assets to a company over which you have no control or oversight. This is often done in a way such that you cannot even learn the details of the other company's security, nor they yours.
How can inheritance be modified?
You must check the "Include inheritable permissions from this object's parent" box in the folder's properties.
How can a Trojan defeat 2FA's promise?
a Trojan can send transactions once a user has already authenticated themselves.
How much data can be stored on a dual-layer DVD?
about 8.5 GB
What is another name for authorizations?
permissions
Why is hard-headed thinking about security ROI dangerous?
"numbers drive out thinking". In other words, focusing too hard on firm numbers allows the realities of security threats that can't be quantified to go ignored.
If a key is 40 bits long, how many keys must be tried, on average, to crack it?
(2^40)/2
Despite its security weaknesses, why do many companies continue to use WPA instead of 802.11i?
(Largely historical today, but the textbook's answer:) To avoid the cost of replacing older access points and wireless NICs that cannot support 802.11i (WPA2), which requires AES-capable hardware.
What institutions are subject to the Gramm-Leach-Bliley Act?
Financial Institutions
Why do firewalls have problems with typical VoIP traffic?
Firewall filtering must be able to prioritize VoIP and filter it without adding appreciable latency. Some firms approach this by focusing on filtering only signaling messages and applying no filtering to transport messages.
Distinguish between firewalls and IDSs
Firewalls stop provable attack packets and pass the rest. IDSs identify suspicious packets and raise alarms based on that inspection, but do not stop the packets.
In SSL/TLS remote access VPNs, to what device does the client authenticate itself?
First the gateway authenticates itself to the client. Then the user authenticates to the gateway.
Why is NAT traversal problematic?
First, it takes time and so adds latency. The bigger problem is that if NAT changes the Layer 3 IP address but the protocol also carries IP addresses inside its messages (as VoIP signaling does), the protocol no longer works properly.
Why are central security management consoles dangerous?
For all their benefits, they represent a single point of failure. If a central security management console is breached, then the attacker has gained access to (likely) the entire security plan for the network.
Give the simple stateful packet inspection firewall rule for packets that do not attempt to open connections
For a packet that does not attempt to open a connection, the firewall checks whether it belongs to an existing connection in the connection table. If so, it is passed; otherwise it is dropped and logged.
What is the purpose of data extrusion management?
It attempts to prevent restricted data files from leaving the firm without permission. DRM builds restrictions into document files, whereas extrusion prevention applies filtering whenever an attempt is made to send a file outside a firm.
How can inheritance reduce labor costs in assigning permissions?
It automatically applies permissions to the numerous sub-folders of a directory, thus saving time. Any sub-folders that differ from their parents can be altered manually, but this number will be far smaller than the total number of directories that would need manual configuration otherwise
Why should policies not specify implementation in detail?
It avoids errantly constraining your team, and allows future implementation of policies without changes, even as technology evolves.
For what type of VPN was SSL/TLS developed?
It began as a host-to-host standard
Describe vault server auditing
It begins with check-out/check-in, and it continues down to the level of individual cell changes.
In Windows Server 2003 and 2008, how automatic can patching be?
It can be fully automatic
Why is DRM desirable?
It can be used to protect intellectual property and trade secrets
What impacts can buffer overflows have?
It can do anything from crashing the server to allowing the attacker to execute any command on the server
What financial burdens can the FTC place on companies that fail to take reasonable precautions to protect private information?
It can impose fines and can require the firm to be audited annually by a third party and to respond to those audits.
What does SIP Identity ensure?
It can ensure that SIP messages are coming from the second-level domain they claim to be from by checking the digital signature with the second-level domain's public key found in its digital certificate.
How could SQL triggers be used to secure a database?
It can help form a log that will reveal noncompliance with security policies.
What are some negative consequences of IT security?
It can impede functionality. Also, it is never free, and seldom cheap.
Comment on vault server authorizations
It can not only limit what a user can do with a file, it can even limit what a user can see on the spreadsheet itself.
When can the Federal Trade Commission act against companies?
It can prosecute any firm that fails to take reasonable precautions to protect PII.
How can countries use cyberwar attacks?
It can reveal an adversary's secrets before they ever begin a physical battle. Alternatively, it can do tremendous damage without ever going into physical battle.
What are the technical challenges of mesh backup?
It can slow down the computer to which backup parcels are being written or from which they are being retrieved. Second, specific client PCs are not always available for retrieval, so it requires redundancy. It also raises security issues: when a PC receives a backup parcel, its user must not be able to read, modify or delete it.
What is the promise of anomaly detection?
It can stop new attacks that have no well-defined signatures
Why is magnetic tape desirable as a backup medium?
It can store vast amounts of data at the lowest cost per bit stored.
How does IPsec set and enforce policies?
It can use and reference an IPsec policy server
What three problems does spam create?
It clogs mailboxes, slows user computers, annoys users, and wastes the time users spend deleting the unwanted messages.
List what centralized firewall management systems do
It consolidates the management of multiple firewalls to a single point
Why would a database administrator want to restrict access to certain tables?
Some tables contain data and calculations well outside the scope of a person's duties, such as a medical doctor being restricted from a table designed for the accounting team.
Why is 802.1X called Port-based access control?
It controls the access for each individual port of a switch, disabling every port by default until the user is authenticated.
What may happen on a compromised computer if a user mistypes the host name in a URL?
It could redirect them to a site of the attacker's choosing because they compromised the browser's DNS error handling
What standard did the 802.11 working group create to extend 802.1X operation to WLANs with security for EAP?
It created 802.11i. The first step is outer authentication: an SSL/TLS tunnel is established between the wireless supplicant and the central authentication server (the access point, as authenticator, only relays the messages). EAP's inner authentication then runs inside the protected tunnel.
Why is website defacement damaging?
It damages a company's reputation or may communicate false information that damages a company such as improper business hours.
In MMC, what does selecting 'Action' do?
It displays the sub-objects for a selected tool (shows you what the snap-in can do)
Comment on the cost of Linux
It is technically free, but some versions require service fees, and the overall cost of administration may be high due to inconsistencies across the multiple distros.
Why is reading firewall logs important?
It is the best way to develop an understanding of the changing threat environment
Would it be possible to create rainbow tables for all possible passwords with 1-20 characters? Would it be practical?
Theoretically possible, but not practical: the number of possible passwords, and so the table's size and generation time, grows exponentially with length, far beyond any available time and storage.
Why may black-holing only be a temporary containment solution?
It is typically easy for attackers to utilize an alternate IP address. Additionally, after the initial black-holing, they are now aware that they have been detected and their next breach may be more careful/stealthy.
What is LDAPs purpose?
It is used to retrieve data from the directory server. It can also be used to update the directory server.
For watch lists of criminals, what is a false acceptance?
It is when a non-suspect is placed on the list by the scan
What is a SLAAC attack?
A rogue IPv6 router is introduced into a network that runs IPv4. Windows and Apple hosts prefer IPv6 by default, so they automatically configure IPv6 addresses (via SLAAC) and route their traffic through the rogue router, which can then intercept it.
In incident response, for what two reasons is repair during continuing operation good?
It keeps the server available to users. It also means that no data is lost because there is no need to resort to backup tapes.
What information does the service ticket give the verifier?
It lets the verifier know that the supplicant was authorized by the central authentication server.
What are the two limitations of static packet filtering? Explain why each is bad
It looks at packets one at a time, in isolation. This means it is not getting the full picture of the behavior of the packet. Additionally, it only looks at the internet and transport layer headers, which does not give this method a view of the contents of the packet.
What is IT disaster recovery?
It looks specifically at the technical aspects of how a company can get IT back into operation.
What is error-based inference?
It makes assumptions about the underlying database based on the error messages received from a query.
How can sanitation protect against an SQL Injection attack?
It makes sure that incoming entries do not contain any control strings or unacceptable characters
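Added example (not from the textbook or the course) covering the three SQL injection cards above: the string-built login query that can be bypassed, the parameterized query that cannot, the allow-list validation the "sanitation" answer describes, and a boolean-based blind injection that recovers a password one character at a time through the vulnerable login. The user table and its rows are constructed for the example and live in an in-memory SQLite database.

```python
import re
import sqlite3
import string
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed user table for the example; not a real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """String-built query: whatever the user types becomes part of the SQL text."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Bound parameters: the driver passes input as data, never as SQL syntax."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_safe_username(username: str) -> bool:
    """Allow-list validation as a second layer: only a plain lower-case
    identifier passes, so quotes and comment markers never reach the query."""
    return USERNAME_RE.fullmatch(username) is not None


def blind_extract_password(conn: sqlite3.Connection, target_user: str, max_len: int = 32) -> str:
    """Boolean-based blind injection against login_vulnerable. Each probe asks a
    yes/no question (is character N of the password equal to X?) and the only
    feedback is whether the login succeeded; the '--' comments out the rest."""
    alphabet = string.ascii_lowercase + string.digits + " "
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"{target_user}' AND substr(password,{pos},1)='{ch}' --"
            if login_vulnerable(conn, probe, "irrelevant") is not None:
                recovered += ch
                break
        else:
            break  # no candidate matched: end of the password reached
    return recovered
```

Parameterized queries are the primary defense; validation is a second layer that also blocks probes like the one above before they reach the database. Escaping quotes by hand is error-prone and is not a substitute for either.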
Comment on a corporate policy of deleting all e-mail after 30 days
It may be illegal, and even if it is deleted much of it may still remain in different locations within the network.
If a PC fails its initial health assessment, what are a NAC system's two options?
It may forbid access until the problems are fixed, or it may refer the PC to a remediation server where it can download and apply the updates necessary to pass the NAC check.
Why is rate limiting a good way to reduce the damage of some DoS attacks?
It may reduce a certain type of traffic to a manageable amount, such as in response to a smurf attack (limit ICMP traffic on the network). ICMP could still be used, but it will be limited and slower.
Why is spam filtering dangerous?
It may remove legitimate email
Can antivirus software detect keystroke capture software?
It may, but this should not be considered a guarantee, especially if a rootkit is present.
Why is defense in depth important?
It means an attacker must break through multiple countermeasures to succeed.
For computer access, why is a false rejection bad?
It means an authorized user can't access resources they are allowed to use
For computer access, why is a false acceptance bad?
It means an unauthorized person has gained access to the computer system
What is due diligence when it comes to working with business partners?
It means investigating the IT security implications of any business partner relationships extensively before beginning them.
Why would limiting local access prevent DoS attacks?
It means the only people capable of launching an ARP poisoning (DoS) attack would be insiders on the LAN.
Why is application proxy firewall operation processing-intensive?
It must fully decapsulate every packet, inspect the application message, and then re-encapsulate it. The inspection itself is processor-intensive as well.
What is backscatter?
It occurs when a victim sends responses to the spoofed source IP address used by an attacker and so inadvertently floods an unintended second victim.
Why are business partners dangerous?
It often means poking holes in your firewall and granting access to outsiders.
What does it mean that a firewall should operate at wire speed?
It operates at the maximum speed of the lines connected to it.
Why can it be good that a firewall fails closed when overwhelmed with traffic?
It prevents exposure of the internal network in the event that a firewall is overwhelmed. From a security standpoint, this is safer than allowing admittance when overwhelmed.
What types of acts does 18 USC sec 2511 prohibit?
It prohibits the interception of electronic messages while they are en route. Unauthorized access to messages after they have been received and stored is covered by the companion section 18 USC sec 2701.
Compare the amount of cryptographic security in IPsec with that of SSL/TLS
IPsec protects the entire data field of the IP packet (everything above the internet layer) and does so transparently, so every application is protected. SSL/TLS protects only the application messages of programs written to use it, so IPsec provides broader cryptographic protection.
What is an electronic signature?
It proves the message received is the same as the message that was sent as well as that it came from the intended party
How could a multi-tiered architecture stop or mitigate the effects of an attack?
It provides a greater level of protection to the database because vulnerabilities or attacks on one layer won't necessarily affect other layers. It also allows you to configure portions of your database to refuse outside connections, such as the database server and middleware server.
What are the advantages of RAID 5 over RAID 1?
It provides increased performance by striping data across multiple disks and provides reliability by utilizing parity.
What are the purposes of requiring users to sign the AUP?
It provides legal protection for the company, as well as making the ceremony of it memorable to the user.
Briefly list the functions of a vault server
It provides strong access control, including authentication of suitable strength, authorizations and auditing.
How does the supplicant create the response message for MS-CHAP?
It receives the challenge message from the verifier (a random string of bits), appends its password to that string, hashes the result, and returns that hash as the response message. (This is the textbook's simplified description; the actual MS-CHAPv2 response is derived with DES from the NT hash of the password.)
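Added example (not from the textbook or the course) for the HMAC and challenge-response cards: an HMAC detects tampering and proves the sender knew the shared key, but because the receiver holds the same key it could have produced the tag itself, which is why there is no non-repudiation. The second half implements the simplified challenge-response the flashcard describes (hash of challenge plus password); the fixed challenge bytes are constructed for the example, and a real verifier would draw them at random.

```python
import hashlib
import hmac


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message with the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def tamper_is_detected(key: bytes, original: bytes, altered: bytes) -> bool:
    """Integrity: a tag computed over the original does not verify on altered text."""
    tag = make_tag(key, original)
    return verify_tag(key, original, tag) and not verify_tag(key, altered, tag)


def receiver_can_forge(key: bytes, message: bytes) -> bool:
    """No non-repudiation: the receiver holds the same key, so a tag it fabricates
    is indistinguishable from one the sender produced. A third party cannot tell
    which side created it; a digital signature made with a private key could."""
    forged_by_receiver = make_tag(key, message)
    return verify_tag(key, message, forged_by_receiver)


def supplicant_response(challenge: bytes, password: str) -> bytes:
    """Textbook-style response: hash(challenge || password). Assumption for the
    example only; real MS-CHAPv2 derives its response with DES from the NT hash."""
    return hashlib.sha256(challenge + password.encode("utf-8")).digest()


def verifier_accepts(challenge: bytes, stored_password: str, response: bytes) -> bool:
    """The verifier recomputes the expected response from the password it stores;
    the password itself never crosses the wire."""
    expected = supplicant_response(challenge, stored_password)
    return hmac.compare_digest(expected, response)


def replay_is_rejected(password: str) -> bool:
    """A response captured for one challenge is useless against a fresh challenge."""
    first_challenge = bytes(range(16))        # constructed; use random bytes in practice
    second_challenge = bytes(range(16, 32))
    captured = supplicant_response(first_challenge, password)
    return (verifier_accepts(first_challenge, password, captured)
            and not verifier_accepts(second_challenge, password, captured))
```

Note the remaining weakness of plain challenge-response: an eavesdropper who captures both the challenge and the response can try candidate passwords offline until one reproduces the response. That is why EAP methods run the exchange inside a TLS tunnel.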
Why is 802.1X unsuitable for homes and small offices?
It requires a central authentication server, and this would be excessive for homes and small offices.
Why is ISO/IEC 27000 certification more attractive to firms than COSO or CobiT certification?
It requires a third-party certification process, whereas the other two are self-implemented and internally audited.
Explain RAID 5
Block striping with distributed parity: data blocks are striped across all drives, and the parity block for each stripe is stored on a different drive in rotation, so no single drive becomes a parity bottleneck. The array can survive the loss of any one drive, rebuilding its contents from the remaining data and parity blocks.
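Added example (not from the textbook or the course) for the parity and RAID 5 cards above: parity is the XOR of the stripe's data blocks, XOR of all surviving blocks recovers whichever one is missing, and in RAID 5 the parity position rotates from stripe to stripe. The block sizes, drive count and stripe contents are constructed for the example; a real array works on much larger blocks but the arithmetic is the same.

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together. Over a stripe's data blocks this yields
    the parity block; over all surviving blocks it yields the missing one."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        assert len(blk) == len(out), "all blocks in a stripe must be the same size"
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid5_write(stripes: List[List[bytes]], n_drives: int) -> List[List[bytes]]:
    """Lay out stripes across n_drives. Each stripe holds n_drives-1 data blocks plus
    one parity block; the parity position rotates (stripe s -> drive n-1-(s mod n))
    so parity traffic is spread over every drive."""
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s, data in enumerate(stripes):
        assert len(data) == n_drives - 1
        parity_drive = (n_drives - 1) - (s % n_drives)
        parity = xor_blocks(data)
        remaining = iter(data)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(remaining))
    return drives


def raid5_read(drives: List[Optional[List[bytes]]], stripe_no: int) -> List[bytes]:
    """Return the data blocks of one stripe. A failed drive is represented by None;
    its block is rebuilt on the fly from the other drives (degraded mode)."""
    n = len(drives)
    parity_drive = (n - 1) - (stripe_no % n)
    blocks = [None if d is None else d[stripe_no] for d in drives]
    failed = [i for i, b in enumerate(blocks) if b is None]
    assert len(failed) <= 1, "RAID 5 tolerates only a single drive failure"
    if failed:
        blocks[failed[0]] = xor_blocks([b for b in blocks if b is not None])
    return [b for d, b in enumerate(blocks) if d != parity_drive]


def raid5_rebuild(drives: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every block of the failed drive onto a replacement drive."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    n_stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]
```

Compared with RAID 1, which keeps a full mirror, RAID 5 spends only one drive's worth of capacity on parity; the price is that every write must update the parity block as well, and a second failure before the rebuild finishes loses the array.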
Why is it important never to diverge from the test plan when running vulnerability tests?
Diverging from the plan removes the protection of the pre-signed agreement.
Do SPI firewalls automatically do application content filtering? Explain
Most now include it. SPI firewalls do not need to implement the relay operation that application proxy firewalls do, so they can filter more economically; however, they lack some of the protections that application proxy firewalls offer.
Why is extrusion prevention needed for intellectual property?
Most leaks of intellectual property come from within a corporation, executed by internal threats.
Why is mesh backup desirable?
Most organizations have little success getting users to backup data, but mesh backup could make PC backups automatic and eliminate user failures
Describe a SYN flood
The attacker sends many SYN segments (often with spoofed source addresses) and never completes the handshake with the final ACK, so the victim holds many half-open connections that will never be completed and exhausts its connection resources.
List some things at which host operating system monitors look.
Multiple failed logins, creating new accounts, adding new executable, modifying executables, adding registry keys, changing or deleting system logs and audit files, changing audit policies, accessing critical system files
What is the dominant type of attacker today?
The career criminal.
When a new authentication method is added, what device software must be changed to use the new method?
The central authentication server's software must be updated to understand the new method. The authenticator (the access point or switch) simply relays EAP messages and does not need to change.
What is the main drawback to public key encryption?
The ciphers are computationally expensive, so public key encryption is slow and costly to use; it is therefore used mainly for small messages such as keys and digital signatures rather than for bulk data.
What are the disadvantages of codes?
The codebook must be distributed ahead of time, and if one code book is intercepted the entire code becomes useless, even retroactively.
Why is DoS protection a community problem, not just a problem for individual victim firms to solve?
Often the only way to stop a DoS is with the help of an ISP, as well as other firms whose devices may have been controlled to launch the attack.
Why is it important to destroy data on backup media and PCs before discarding them or transferring them to someone else?
The company gives up all control of where the data goes, and how it will be utilized once this occurs
Why do companies want to create policies that define security methods and options for a application that is used between corporate partners?
There is wide variation in the strengths of SSL/TLS security suites, thus companies must establish their own policies on which ones they will accept.
What things can Windows GPOs restrict?
They can prevent the alteration of a desktop, restrict connected USB devices, prevent the attachment of removable media, and can enforce standard configurations
What are the strengths of NIDSs?
They can see all packets passing through some locations of the network.
How does having a disk image reduce the problems of total software re-installation?
They can simply restore the image instead of restoring individual files and applications.
Why do attackers want to get domain names such as Micosoft.com?
They can take advantage of the similarity to a real website and trick people into visiting their malicious website.
How do criminals engage in online extortion?
They can threaten an online attack unless protection money is paid. Alternatively, they can steal information and threaten its release unless they are paid.
Why is malware that allows an attacker to execute a single command on a user's computer not really limited to executing a single command?
The attacker can use that one command to open a command shell, which then lets them run any command they wish.
Distinguish between UNIX and Linux
Linux is often described as a version of UNIX for PCs, but that is inaccurate: strictly, Linux is only a kernel, which is packaged with other software into distributions. UNIX is a family of operating systems descended from the original AT&T UNIX.
On what servers does a program tester have access permissions?
They should have access to the testing server, and at most read-only access on the production server.
What permissions does the developer have on the production server?
They should not have any permissions on the production server. Only system administrators who run the production server should have permissions beyond read and execute.
Why don't most companies do a full back up every night?
They take a very long time, and overnight may not be enough. Also, they will usually do daily incremental backups which helps cover any changes.
Describe how directly propagating worms move between computers.
They take advantage of security weaknesses within software to allow it to jump to another computer.
How do international gangs use money mules?
They transfer the money to the foreign criminal gang in exchange for a percentage of that money.
Give four reasons employees are especially dangerous
They usually have extensive knowledge of systems, they often have the credentials needed to access sensitive parts of systems, they know corporate control mechanisms and so often know how to avoid them, companies trust their employees.
Why are screening routers used in a firewall architecture?
They utilize static packet filtering and help handle simple, high-volume attacks and lower the load on the border firewall.
What were the motivations of traditional hackers?
They were motivated primarily for the thrill of break-ins, by the validation of their skills and by a sense of power.
How can static IP and ARP tables be used to prevent ARP poisoning?
They do not change in response to ARP replies, so a spoofed ARP reply cannot rewrite the mapping between an IP address and a MAC address.
Why are custom programs especially vulnerable?
Two things combine to create issues. Firstly, companies rarely oversee the development of these programs to ensure that proper security measures are taken within the program. Secondly, even though these programs may not have much visibility to attackers, programming languages in general tend to produce common security failure modes that are well known to hackers.
When two parties want to communicate in both directions with security, how many IPsec SAs are necessary?
Two, one in each direction.
What are directory traversal attacks?
Requesting a URL that includes ".." path components in an attempt to move up to a parent directory and reach files outside the webserver's document root.
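Added example (not from the textbook or the course) for the two directory traversal cards: a path resolver that URL-decodes the request, normalizes it, and refuses anything that would climb above the document root, plus a small detector that runs the same check over web-server log lines. The document root and the log lines are constructed for the example.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed document root for the example; a real server would use its own.
WEB_ROOT = "/var/www/html"


def resolve_request_path(url_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path onto the filesystem, refusing anything that would climb
    above web_root. Returns the absolute path, or None for a traversal attempt."""
    # Decode once, so an encoded "%2e%2e/" is seen as "../" just as the filesystem would.
    decoded = unquote(url_path)
    relative = decoded.lstrip("/") or "index.html"
    # normpath collapses "a/../b" to "b" but keeps any ".." that would go above
    # the starting point, which is exactly the case that must be refused.
    normalized = posixpath.normpath(relative)
    if normalized == ".." or normalized.startswith("../"):
        return None
    candidate = posixpath.join(web_root, normalized)
    # Defense in depth: confirm the final path still sits inside the document root.
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None
    return candidate


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Detection side: return the request lines whose path would escape the root."""
    flagged = []
    for line in log_lines:
        # Common log format: client - - [time] "METHOD /path HTTP/1.x" status size
        try:
            request = line.split('"')[1]
            path = request.split()[1]
        except IndexError:
            continue
        if resolve_request_path(path) is None:
            flagged.append(line)
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /docs/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /docs/../index.html HTTP/1.1" 200 1024',
]
```

A double-encoded "%252e%252e" decodes to the literal text "%2e%2e", which is not a traversal and is left alone; decoding only once is deliberate, because decoding again would reintroduce exactly the ambiguity attackers exploit. Backslash separators on Windows servers and symbolic links inside the root are outside what this check covers.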
Distinguish between transport and signaling
Transport is the carriage of voice between the two parties. Signaling is communication to manage the network. For example, when you dial another number on an ordinary telephone, it initiates a signaling process to let the other party's phone know to ring. Signaling handles call setup, billing information, terminates the call cleanly, and does several other things
At what layer does SSL/TLS operate?
Transport layer
Distinguish between transport and tunnel modes in IPsec in terms of packet protection
Transport mode is designed for host-to-host connections, and both hosts must be configured with IPsec and digital certificates. It protects the packet's payload all the way from one host to the other. Tunnel mode is used for site-to-site connections: the IPsec tunnel runs between two IPsec gateways, one at each site, and each original packet is encapsulated in a new packet between the gateways. Tunnel mode is easier to manage and less costly, but traffic inside each site travels unprotected, so it does not provide true end-to-end protection.
What are the advantages of transport mode compared with tunnel mode in IPsec? Advantages of tunnel mode?
Transport mode gives full end-to-end protection; tunnel mode is easier to deploy and manage because only the two gateways need to be configured.
What are the problems with transport mode compared with tunnel mode in IPsec? Problems with tunnel mode?
Transport mode is more costly to roll out and manage because every host needs IPsec and a certificate; tunnel mode does not provide end-to-end protection.
How can tuning reduce the number of false positives in an IDS?
Turning off unnecessary rules and reducing the severity level in the alarms generated by other rules
UDP is connectionless. How is it possible for an SPI firewall to handle UDP connections?
The firewall treats each UDP exchange as a pseudo-connection. When it passes the first outgoing UDP packet, it records the source and destination IP addresses and ports in its state table, and then allows reply packets that match that entry until a timeout expires. Unsolicited UDP packets that match no entry are dropped.
Compare the number of UNIX directory and file permissions with that of Windows
UNIX has three (read, write, execute), applied separately to the owner, the group, and everyone else. Windows has 13 (the NTFS advanced permissions, such as Read Attributes, Change Permissions, and Take Ownership).
How does the administrator get to the super user account in Windows? In UNIX?
UNIX uses the 'su' command in terminal, with Windows you right-click and select 'Run As...'
Which levels of US federal courts can create precedents?
US Circuit Courts of Appeals and the US Supreme Court. District courts are trial courts and do not create precedents.
What section of which title of the US code prohibits hacking?
US Code Title 18, Part 1 Section 1030 ( 18 U.S.C. sec 1030)
What are the three levels of US federal courts?
US District Courts, US Circuit Courts of Appeal, US Supreme Court
What is the advantage of USB tokens compared to cards?
USB tokens give many of the advantages of smart cards without the need to install a card reader for each PC
What type of firewall does both traditional firewall filtering and antivirus filtering?
UTM (unified threat management) firewalls.
What is the most common attack against wireless networks? Why?
Unauthorized network access, because people fail to properly configure their access points with secure passwords.
Why is it necessary not to make plans and processes for crisis recovery too rigid?
Unexpected situations will arise, requiring flexibility to respond to.
What is the prime authentication problem?
Unless individuals are carefully vetted before being allowed into the system, impostors can simply enroll through social engineering
Why is log reading important?
Unless logs are studied, they become useless. The more you study logs, the more you will understand what is normal, and what is unusual.
Why is host hardening necessary?
Unnecessary applications and services, as well as default passwords, increase the attack surface of our hosts.
What is spam?
Unsolicited commercial e-mail.
What is phishing?
When a victim receives messages that appear to come from a legitimate bank or other firm with which a victim does business, but the email is not legitimate.
What is pretexting?
When an attacker calls claiming to be a certain customer in order to get certain information about that customer.
What is fraud? Be specific
When an attacker deceives a victim into doing something against the victim's financial self-interest.
What does "owning" a computer mean?
When an attacker gains access to an account on a computer and may operate with all the privileges of that account. "Owning" an entire computer usually means the hacker has accessed an account with root privileges.
What is corporate identity theft?
When an attacker obtains a corporate credit card, or even files documents to change the legal address of a victim company to one of their choosing and takes over control of the company.
What is a buffer overflow attack?
When an attacker sends more bytes than the receiving buffer can hold. The excess overwrites adjacent memory, which can corrupt other variables or, in a classic stack overflow, the function's return address, letting the attacker redirect execution.
What is IP address spoofing?
When attackers place a different IP in the source IP field than their actual IP address.
What is mutual authentication?
When both parties authenticate themselves
What is virtualization?
When multiple operating systems and their associated applications run independently on a single physical machine.
What is shoulder surfing?
When someone watches as you enter a password
What are weakest-link failures?
When the failure of a single element will ruin the system entirely.
What does computer recovery software do?
When the lost notebook/mobile device connects to the internet the computer recovery software reports its IP address to a recovery company. The recovery company then works with local police to recover the device.
What is a login screen bypass attack?
When the user enters a URL that should be reachable only after passing through a login screen, but the application does not check for an authenticated session, so the page loads anyway.
When can an attacker not use IP address spoofing?
When they must receive a reply from the packets they send.
Can a DBMS manage multiple databases? Why?
Yes. A DBMS can host many databases and uses access control, often integrated with Active Directory or Kerberos, to authenticate users and authorize each of them only for the databases they are permitted to use.
Do most message-by-message authentication methods provide message integrity as a byproduct?
Yes.
In PKE for authentication, does the verifier decrypt the ciphertext with the supplicant's public key?
Yes.
In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that attempts to open a connection?
Yes.
What security risk does backing up over the internet create?
You are handing a copy of your data to a third party and losing direct control over it, which could be disastrous if the provider is breached or careless.
Why is caller impersonation especially dangerous in VoIP?
You can configure a VoIP system to output false information such as a fake name, or organizational position.
Why must you know a server's role to know how to protect it?
You can tailor the running applications to minimize the attack surface. But if you remove a necessary application or prevent a required service from starting the server will encounter issues.
Why is RBAC less expensive than access control based on individual accounts?
You do not need to micromanage every account. You properly tailor the roles, then simply add and drop users from the roles as needed.
What is the strongest form of authentication?
cryptographic authentication
Distinguish between error rates and deception in biometrics
deception is when an attacker deliberately tries to fool a system. an error rate is an innate shortcoming of the system
What is two-factor authentication's promise?
defense in depth.
Distinguish between magnetic stripe cards and smart cards
magnetic stripe cards have a strip of magnetically encoded data running down one side. Smart cards look like magnetic stripe cards, and may even have a magnetic stripe, but they also have a built-in microprocessor. This allows them to do processing for more sophisticated authentication.
What is the best way to thwart exhaustive searches by cryptanalysis?
make the key so long that the time needed for attackers to crack the key is too long to be practical.
Why are password reset questions difficult to create?
many of them can be guessed or researched through things like social media
Why is it important to not simply use all lower-case letters in passwords?
Mixing character types (upper case, lower case, digits, symbols) enlarges the alphabet available in each position, so the number of possible passwords, and therefore the time for an exhaustive search, grows sharply with each added character.
What is the advantage of having different SAs in the two directions of IPsec communication?
Each direction can be negotiated with different security methods and options, for example stronger protection for traffic flowing one way than the other.
What are the disadvantages of voice print recognition?
it can easily be faked
In what two types of attacks can the evil twin engage?
It can either record all traffic for later decryption, or mount a man-in-the-middle attack, impersonating the access point to the client and the client to the legitimate access point so that it can read or alter traffic in transit.
What types of applications can SSL/TLS protect?
it can only protect applications that are SSL/TLS aware, meaning those applications specifically have been written to work with SSL/TLS.
Why is SSL/TLS attractive as a remote access VPN technology?
it can provide secure remote access to almost any PC without modification or configuration
What is the role of the central authentication server in a RADIUS system?
it checks the credentials and sends a message to the authenticator
Besides authentication, what security benefit does a digital signature provide?
message integrity and non-repudiation.
For what type of authentication is a digital signature used-- initial authentication or message-by-message authentication?
message-by-message authentication
How long are strong ECC keys?
The textbook's figure is a minimum of 512 bits. Note that ECC keys are much shorter than RSA keys of the same strength: under NIST SP 800-57, a 256-bit ECC key is comparable to a 3072-bit RSA key.
How long are strong RSA keys?
The textbook's figure is a minimum of 1024 bits. Current guidance (NIST SP 800-57) no longer accepts 1024-bit RSA; 2048 bits is the present minimum.
Why are stateful packet inspection firewalls inexpensive?
Most packets belong to an established connection and need only a fast lookup in the state table. The ACL is consulted only for the few packets that try to open a connection, so little processing power is required.
Distinguish between mutual and one-way trust among AD domains
Mutual trust is bidirectional: each domain trusts the other. One-way trust is when one domain trusts another but the trust is not reciprocated.
Is the verifier notified explicitly that the supplicant has been authenticated? Explain
No. It receives a service ticket from the Kerberos server, which the supplicant could only have obtained by authenticating; the authentication is implied, not stated explicitly.
Do directory servers only hold information about people?
no, they can hold information about all kinds of objects
Does iris scanning shoot light into your eye?
no, you look directly into an ordinary camera
Distinguish between normal phishing and spearfishing
normal phishing canvases as many targets as possible, spear phishing is tailored to a specific individual or small group of individuals.
Why are authorizations needed after a person is authenticated?
not everyone who is authenticated will have permission to do everything within a system. Authorizations check the permissions of authenticated individuals.
What does failing safely mean in a security system?
Designing the system so that if an error occurs, the default is to deny access rather than grant it, so a mistake never leaves a user with more permissions than intended.
Before you run a password-cracking program on your company's computer to check for weak passwords, what should you do?
obtain explicit permission to do so
Which of the two methods of password cracking programs is safer for the cracker? Why?
Copying the password file and cracking it later on the attacker's own machine, because offline guessing produces no failed-login entries, lockouts, or alerts on the target system.
Does section 1030 of the US code protect all computers?
it covers "Protected Computers" which include government computers, financial institution computers, and any computer which is used in interstate or foreign commerce or communications. Therefore, it does not technically cover all US computers
What does a firewall do if it cannot keep up with traffic volume?
it drops all packets it cannot handle
In AD, what is the advantage of having multiple domain controllers?
it gives reliability in the event that one domain controller crashes or is attacked.
How does a SQL injection attack work?
The attacker supplies input containing SQL syntax that the web application concatenates into its own SQL statement. The statement's meaning changes, so the attacker can read data they should not see or modify the database.
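The attack described above, as an added example that is not part of the original study set: an in-memory SQLite database with a constructed users table, a login query built by string formatting (vulnerable) beside the same query with bound parameters (safe), and an e-mail update that lets an injected string modify a column the attacker was never supposed to touch. The table layout and user records are assumed for the demonstration.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not from the course)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email, role) VALUES (?, ?, ?, ?)",
        [
            ("alice", "correct horse battery", "alice@example.com", "admin"),
            ("bob", "hunter2", "bob@example.com", "user"),
        ],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Builds the statement by string formatting, so attacker text becomes SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Bound parameters are sent separately from the statement and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def set_email_vulnerable(conn: sqlite3.Connection, user_id: int, email: str) -> None:
    """Vulnerable update: an injected "', role = 'admin" rewrites another column."""
    conn.execute(f"UPDATE users SET email = '{email}' WHERE id = {user_id}")
    conn.commit()


def set_email_safe(conn: sqlite3.Connection, user_id: int, email: str) -> None:
    """Safe update: the same attacker string is stored literally as the e-mail."""
    conn.execute("UPDATE users SET email = ? WHERE id = ?", (email, user_id))
    conn.commit()


def role_of(conn: sqlite3.Connection, username: str) -> str:
    return conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()[0]


def email_of(conn: sqlite3.Connection, username: str) -> str:
    return conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    # "--" starts an SQL comment, so the password check disappears.
    print(login_vulnerable(db, "alice' --", "wrong"))        # [('alice', 'admin')]
    print(login_safe(db, "alice' --", "wrong"))              # []
    # An always-true clause returns every row.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))     # both users
    # Injection through an update modifies a column the form never exposed.
    set_email_vulnerable(db, 2, "x', role = 'admin")
    print(role_of(db, "bob"))                                # admin
```

The safe versions need no escaping logic of their own: the database driver keeps the statement text and the data separate, which is the only reliable defense. Input validation and least-privilege database accounts are additional layers, not substitutes.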
Compare identification with watch list matching
Identification compares the supplicant's scan against every template in the system. Watch list matching compares it only against the templates of a small group of people of interest (the watch list), so it makes fewer comparisons than full identification but more than the single comparison of verification.
What are the disadvantages of fingerprint recognition?
it is easy to deceive
What is the biggest benefit of using XML for security assertions?
it is platform-independent
What are the disadvantages of iris recognition?
it is quite expensive
Who creates a computer's private key-public key pair?
Usually the client (or a non-PKI server) generates its own key pair, keeps the private key, and sends only the public key to the PKI server for inclusion in its certificate.
What is the advantage of fingerprint recognition?
it is well developed and inexpensive.
What does the firewall do about packets that it suspects (but cannot prove) are attack packets?
it passes them
In incident response, why is disconnection undesirable?
it prevents the server from serving its legitimate users and disrupts business.
Why are password resets dangerous?
it represents an opportunity for social engineering to breach the system
In EAP, describe how the central authentication server tells the authenticator that the supplicant is acceptable
it sends an EAP success message back to the authenticator.
What does the server do with key features created by the enrollment scan?
it uses them to generate the template
In EAP, how does the authenticator pass information to the supplicant?
it works on a pass-through operation. All messages between the supplicant and central authentication server flow straight through the authenticator (switch).
Why is retaining email for a long period of time dangerous?
lawyers can use the legal discovery process in lawsuits to find messages in which an employee has said something embarrassing or even obviously illegal. Additionally, if archived messages exist, they must be searched at the company's own expense.
why are directly propagating worms especially dangerous?
the propagation can be extremely rapid and uncontrolled allowing it to do tremendous damage before it is detected and stopped.
Why is the word symmetric used in symmetric key encryption?
the same key is used to encrypt and decrypt the message.
What can be done to reduce the dangers of desktop PC theft and unauthorized use?
lock computers to the desks. every PC should have a login screen and be logged out when not actively in use.
How does the supplicant get the symmetric session key?
the service ticket had the session key in it, but it was encrypted by a symmetric key that only the Kerberos server and the verifier share
What per-frame key does a WEP computer or access point use to encrypt when it transmits?
The shared RC4 key prefixed with a 24-bit initialization vector (IV). The IV changes from frame to frame and is sent in the clear, so for a given shared key there are only 2^24 (about 16.7 million) per-frame keys, and IVs soon repeat.
In biometrics, what are match indices, and how are they related to decision criteria?
the difference between the access scan's key features and the template. If the difference between the scan's key features and the template is smaller than a value called the decision criteria the user will be granted access.
In hashing, what is the hash?
the digest that results from a hash algorithm
What are key features?
the few selected features from the entirety of the scanned data that are deemed identifiable and will be used to verify the user in the future
Why are key features necessary to biometrics?
the full amount of data from the enrollment scan is too much data to be usable.
What must be kept secret in encryption for confidentiality?
The key must remain secret. By Kerckhoffs's principle, the cipher itself should be assumed to be known to the attacker.
What is the advantage of iris recognition?
the most precise form of biometric authentication, with very low FARs
How many supplicants and verifiers are there in mutual authentication between two parties? Explain
two of each, as each party takes a turn in each role.
How do scripting languages compare to full programming languages?
Languages considered easier to learn than full programming languages. VBScript and JavaScript are popular examples.
Does NAC control usually stop after access is granted?
Most NAC software will continue to monitor connected PCs. If a connected device sends suspect traffic it will be switched to the remediation server
Distinguish between policies and implementation
Policies are what should be achieved, with no direction on how it should be done. Implementation is the practical 'how' of how a policy will be followed.
What four policies are necessary to protect sensitive information?
Policies should strongly limit what sensitive data can be stored on mobile PCs. Encryption must be required on all mobile computers. Notebook computers must be protected by strong passwords or biometrics. Require the use of auditing for the previous three policies.
What security functions are not usually outsourced?
Policy and planning are not usually outsourced.
What columns does the firewall policy database described in the text contain? Describe each and what options it offers
Policy number, Source, Destination, Service, Action, Track, Firewalls
For SIP signaling, what port has to be opened on firewalls?
Port 5060 (SIP uses it over both UDP and TCP).
Could web scraping be a threat to a corporation? Why?
Potentially, it is pulling data from a site to be represented on another page at the discretion of the person creating that page. The opportunity for misrepresentation or fraudulent presentation of that information is very real.
What mode was created for homes or very small businesses with a single access point?
Pre-shared Key Mode (PSK) aka personal mode.
What do most IT security analysts recommend about placing or not placing IT security within IT?
Most analysts recommend placing Security outside of the IT department, despite the difficulties it introduces. Independence from the IT department ensures oversight to an extent that justifies the difficulties.
Why is packet stream analysis important?
Most attacks are not apparent from an individual packet. Packet stream analysis gives context across multiple packets to identify an attack. This often requires an IDS to reassemble multiple packets.
Why do employees have to be trained about data security?
Most employees are not intentionally sources of data loss. Training them in how to avoid it and best practices will reduce the overall occurrences.
Distinguish between security in SNMP v1 and SNMP v2
SNMP v1 had no security at all; SNMP v2 introduced the community string, a "secret" shared by the manager and all managed devices. However, the community string travels in the clear in every message, so anyone who captures it can use it. (Strictly, v1 also carried community strings; neither version protects them.)
Distinguish between security in SNMP v2 and SNMP v3
SNMP v2 had minimal security, all of which was very flawed. SNMP v3 finally added individual secrets shared between the manager and each individual device. It also offered confidentiality (optionally), message integrity, and time stamps to guard against replay attacks.
What is SPIT?
SPAM over IP Telephony.
Why are multiple types of protection necessary?
Same explanation as defense-in-depth
List the three stages of the plan-protect-respond cycle
Planning, Protection and Response
Is electronic monitoring of employees widely done?
Yes, in 2007 66% of companies monitored internet activity.
Do senior officers often get an additional code of ethics?
Yes, there are often additional codes for senior employees.
Which leaves letters unchanged- transposition or substitution ciphers?
transposition ciphers
In AD, into what larger structures are domains organized?
trees
Why is CDP attractive?
If one site fails, the second site can take over the processing load immediately with little or no loss of data.
Why would a database administrator want to restrict access to certain rows?
An example would be an org chart where employees can only see the employees within their department.
What type of witness is allowed to interpret facts for juries?
An expert witness
Is hashing reversible?
No
Is there only one firewall filtering mechanism?
No
Why is entrusting users to do key escrow risky?
An individual user is unlikely to follow escrow policies. Additionally, an individual user could potentially blackmail the company for the key
For what legal reason should companies filter sexually or racially harassing message content?
If the company does not at least attempt to filter these things they may be liable.
What is the attraction of proximity tokens?
There is no need to make physical contact with the reader, increasing their convenience.
In what sense is encryption usually transparent to the user?
As long as you know the password you can work with the encrypted directories and files exactly as you do on an unencrypted drive.
Why should cryptographic protections be used?
They protect sensitive data as it travels between the user and the application.
Why is it impossible to extend 802.1X operation using EAP directly to WLANs?
802.1X assumes the link between the supplicant and the authenticator is physically secure, so EAP messages travel unprotected. A wireless link can be eavesdropped on and spoofed, so on a WLAN the EAP exchange must be wrapped in an outer protected tunnel (as EAP-TLS, PEAP and similar methods do).
What is confidentiality?
It is an assurance that if a message is intercepted it will still be unreadable
Why do companies often not prosecute attackers?
It is complex and costly. It not guaranteed to succeed. Prosecution is public and may cost the company its reputation.
Why is SPIT more disruptive than e-mail SPAM?
It is considered more disruptive than email spam because a ringing telephone is difficult to ignore
What host names does the external DNS server know?
It is created to be accessed by the outside world, so it only knows the host names and IP addresses of items in the DMZ.
Why is IT disaster recovery a business concern?
It is critical to rapid and successful business continuity recovery
How does the XOR operator work?
XOR outputs 1 when exactly one input is 1: 1 XOR 0 = 1, 0 XOR 1 = 1, 1 XOR 1 = 0, 0 XOR 0 = 0. XORing with the same value twice restores the original (a XOR k XOR k = a), which is why stream ciphers and RAID parity both rely on it.
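The XOR property just described, applied to the WEP per-frame key construction from the earlier card (shared RC4 key prefixed with a 24-bit IV), as an added example that is not part of the original study set. The block implements RC4, builds WEP-style frames as IV || RC4(IV || key) XOR plaintext, and shows the consequence of an IV repeat: because XOR cancels, two frames encrypted with the same keystream leak the XOR of their plaintexts, so one known plaintext recovers the other without the key. The WEP key, IV and frame contents are constructed for the demonstration, and WEP's CRC-32 integrity check value is omitted.

```python
import math


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key`."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP's construction: per-frame RC4 key = 3-byte IV || shared key.

    Returns the frame as IV (in the clear) || ciphertext. The ICV is omitted.
    """
    assert len(iv) == 3, "WEP IVs are 24 bits"
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: read the IV from the frame, rebuild the keystream, XOR again."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + shared_key, len(ciphertext))
    return xor_bytes(ciphertext, keystream)


def recover_with_known_plaintext(frame_a: bytes, known_plaintext_a: bytes, frame_b: bytes) -> bytes:
    """Attack on IV reuse, needing no key.

    Same IV means same keystream ks, so c_a XOR c_b = p_a XOR p_b.
    Knowing p_a gives ks = c_a XOR p_a, and then p_b = c_b XOR ks.
    """
    assert frame_a[:3] == frame_b[:3], "attack applies only when the IV repeats"
    n = min(len(frame_a), len(frame_b)) - 3
    keystream = xor_bytes(frame_a[3:3 + n], known_plaintext_a[:n])
    return xor_bytes(frame_b[3:3 + n], keystream)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday-bound estimate of frames sent before some IV repeats: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    # Constructed 40-bit WEP key and a single reused IV.
    key = b"\x0a\x0b\x0c\x0d\x0e"
    iv = b"\x00\x00\x01"
    p1 = b"ARP who-has 10.0.0.1?"     # attacker guesses this from protocol structure
    p2 = b"GET /login HTTP/1.0\r\n"   # the secret frame
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(wep_decrypt(key, f1) == p1)
    print(recover_with_known_plaintext(f1, p1, f2))
    print(f"expected frames before an IV repeat: {expected_frames_until_iv_repeat():.0f}")
```

The birthday estimate shows why the 24-bit IV was fatal: on a busy network a repeat is expected after only about five thousand frames, which takes seconds, and every repeat hands the attacker a keystream for that IV. The key-recovery attacks that crack WEP in a minute or two build on this and on related weaknesses in how the IV is prepended to the key.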
What is the hash size of MD5?
128 bits
What are the three key lengths offered by AES?
128-bit, 192-bit and 256-bit.
What is the hash size of SHA-1?
160 bits
What are the two common effective key lengths in 3DES?
168-bit 3DES applies DES three times with three different 56-bit keys. This is quite strong. 112-bit 3DES also applies DES three times but uses only two different 56-bit keys (the first key is reused for the third pass).
What is the hash size of SHA-256?
256 bits
What is the typical range of a WLAN?
30 to 100 meters
How many high-level control objectives does CobiT have?
34 high-level control objectives. Below that are more than 300 detailed control objectives.
If a key is 43 bits long, how much longer will it take to crack it by exhaustive search if it is extended to 45 bits?
4 times longer
How long is a DES key?
56 bits.
Which IEEE standard governs WLAN transmission?
802.11
Why can it be bad that a firewall fails closed when overwhelmed with traffic?
It is cutting off legitimate users and partners.
What is the major attraction of a HIDS?
A HIDS is a Host IDS. The major attraction is that they provide highly specific information about what happened on a particular host.
What are the advantages of centralized backup compared with local backup?
A centralized backup allows a corporation to control backup policies and ensure that they are being followed. It also tends to bring the benefits of a single, well-organized, and well-maintained repository for backup media
What is a service pack in MS Windows?
A collection of patches and updates (improvements to the system)
How are linking attributes used to connect disparate databases?
A common field across two databases can be used to combine those databases. This common field would be a linking attribute.
What is a Trojan Horse?
A common type of non-mobile malware, it is a program that pretends to be one thing but is malware.
Physically, what is an evil twin access point?
A computer configured to allow it to masquerade as an access point
What is the definition of a VPN?
A connection that is created by using a cryptographic system to secure communication over an untrusted network.
Why is the standardized layout of MMC beneficial?
A consistent user interface makes it easier to learn how to use new MMCs and snap-ins.
Distinguish between the corporate security policy and major security policies
A corporate security policy is the top-level policy that emphasizes a corporation's commitment to strong security. It is brief and to the point. Major security policies are specific policies about major concerns. These may include Email policies, hiring and termination policies, and a policy on PII.
What is a multi-tiered architecture? Why is it important?
An architecture that splits an application into tiers with separate functions on separate servers: presentation (web server), application processing (middleware server) and database management (database server). It matters for security because clients never talk to the database server directly, and each tier can be hardened and firewalled separately.
What is a DBMS?
A database management system. It is a program designed to manage database structures, as well as provide access control to databases. Microsoft SQL server is one example.
What is a relational database? Explain.
A database that stores its data in relations, usually called tables. Each table is made up of records (rows, also called tuples), and each record is made up of fields (columns, also called attributes).
What two requirements in the US Rules of Civil Procedure are likely to cause problems for firms that do not have a good archiving process?
A defendant must specify what information is available for the legal discovery process. Another rule requires companies to take a number of actions in the event of a lawsuit, including placing a hold on the destruction of potentially relevant information.
Explain ARP poisoning
A device continuously sends false ARP replies to computers on the LAN even though they never sent a request. Because ARP has no authentication, the hosts accept the spoofed IP-to-MAC mapping into their ARP tables, and traffic for that IP address is then delivered to the attacker.
What are hybrid dictionary attacks?
A dictionary attack that tries simple modifications to the list of dictionary words. The pre-defined modifications utilized are called 'mangling rules'.
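The hybrid attack described above, as an added example that is not part of the original study set: a small constructed wordlist, a set of mangling rules modeled on those that cracking tools apply (case changes, leetspeak substitutions, common suffixes), and a cracker that runs against a salted SHA-256 hash, comparing the plain dictionary attack with the hybrid one. The wordlist, the rule set and the salted-SHA-256 storage format are assumptions for the demonstration; real password stores should use a slow hash such as bcrypt or Argon2.

```python
import hashlib
from typing import Iterator, List, Optional, Tuple

# Constructed wordlist; a real attack uses a file of many millions of words.
WORDLIST: List[str] = ["password", "welcome", "dragon", "letmein", "sunshine"]

# Mangling rules assumed for this example (the "" suffix keeps the base word itself).
SUFFIXES: List[str] = ["", "1", "12", "123", "!", "1!", "2024"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word: str) -> Iterator[str]:
    """Yield candidate passwords derived from one dictionary word, without duplicates.

    Bases: as-is, Capitalized, UPPER, each also in leetspeak; then every suffix.
    """
    bases: List[str] = []
    for w in (word, word.capitalize(), word.upper()):
        bases.append(w)
        bases.append(w.translate(LEET))
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def hash_password(password: str, salt: str) -> str:
    """Illustrative salted SHA-256, stored as 'salt$hexdigest'."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def crack(stored: str, hybrid: bool) -> Tuple[Optional[str], int]:
    """Try each wordlist entry (plain) or each mangled variant (hybrid).

    Returns (recovered password or None, number of hashes computed).
    """
    salt, _ = stored.split("$", 1)
    attempts = 0
    for word in WORDLIST:
        candidates = mangle(word) if hybrid else [word]
        for candidate in candidates:
            attempts += 1
            if hash_password(candidate, salt) == stored:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed victim password: a dictionary word with typical "complexity" decorations.
    stored = hash_password("Password1!", "s4lt")
    print("plain dictionary:", crack(stored, hybrid=False))   # (None, 5)
    print("hybrid dictionary:", crack(stored, hybrid=True))   # ('Password1!', 20)
```

The point the numbers make: a password that passes a "mixed case plus digit plus symbol" policy falls in twenty guesses, because the policy-driven decorations are exactly what the mangling rules enumerate. Length from several unrelated words defeats these rules far better than decorating one word does.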
How are digital signatures and digital certificates used together in authentication?
The supplicant signs a message with its private key, producing the digital signature; the digital certificate supplies the supplicant's public key, which the verifier uses to check that signature.
What is a DRDoS attack, and how does it work?
A distributed reflected DoS attack. The attacker sends requests to many third-party servers (reflectors) with the source IP address spoofed to the victim's address, so the reflectors' legitimate-looking replies flood the victim. A further harm is that the victim, seeing the flood arrive from real services such as its DNS provider, e-mail provider or a corporate partner, may block those services in response.
What is a governance framework?
A document that specifies how to do security planning and implementation.
What is the main access control threat to wireless LANs?
A drive-by hacker.
What is a honeypot?
A fake server or entire network segment with multiple clients and servers. It is designed to be vulnerable and gives researchers an opportunity to study attacker behavior. Since it houses no actual company resources, no legitimate employee has a reason to reach it, so any traffic sent to it is likely an attack.
How should the IT security staff view its list of possible remediation plans as a portfolio?
A list of priorities, with the focus on those that will bring the greatest gains.
What two things should this written approval specifically mention?
A list of what will be done, an acknowledgment that system crashes or damage may result from the testing
What are security metrics?
A few well-chosen measurable indicators of security success or failure that are measured periodically.
What are keystroke loggers
A form of spyware that records all of your keystrokes and sends them to an attacker. It can also record the websites you visit and the programs you run, and even take screenshots.
what is data mining spyware?
A form of spyware that searches through your disk drives for the same types of information that would have been sought by keystroke loggers.
What is password-stealing spyware
A form of spyware that tells you that you have been logged out of a server and asks for your password. It then transmits your username and password to the attacker
What is malware?
A generic term for "evil software".
What is driving firms to use formal governance frameworks to guide their security processes?
A growing number of compliance laws and regulations.
How can non-mobile malware be delivered to computers?
A hacker can place it on a computer, it can be the payload of a worm or virus, a victim can be tricked into downloading it, the hostile code can be attached to a web page (cross site scripting).
In incident response, why is accuracy of response important?
A hasty response may blind people to the real root of the problem, allowing the threat to continue doing damage while those that try and solve the problem work on a different task
What is the chain of evidence, and why is documenting it important?
A history of all transfers of the evidence between people and all actions taken to protect the evidence within each individual's possession. Documenting it is the only way to ensure that evidence was not altered and is still admissible in court.
What are the two weaknesses of HIDS?
A host IDS has a limited view of what is happening on the network. Host IDSs are subject to attack and can be compromised in the event of a breach.
What are reusable passwords?
A password you know and keep secret because you reuse it until you change it
what is a virus or worm payload?
A piece of code that does damage and is injected by a virus or worm after it propagates. Remember, the core function of a virus or worm is propagation, the payload is its secondary function.
What is a firm's technical security architecture?
A plan for all a company's technical countermeasures- including firewalls, hardened hosts, IDS's, and other tools- as well as how these countermeasures are organized into a complete system of protection.
What are rainbow tables?
A precomputed table that maps hash values back to the passwords that produce them, so an unsalted password hash can be reversed by lookup instead of by hashing each guess. (Strictly, rainbow tables store compressed hash chains rather than every hash, which is what keeps them small enough to be practical.)
What is oversight?
A process, function, or group of tools that are used to improve policy implementation and enforcement.
What is a computer forensics expert?
A professional who is trained to collect and evaluate computer evidence in ways that are likely admissible in court.
What type of packet does a firewall drop and log?
A provable attack packet
What is a key (in cryptography)?
A random string of 40 to 4,000 bits that, together with the cipher, determines the ciphertext produced.
How does the textbook define response?
A recovery according to plan.
In what sense is EAP extensible?
It is easy to add new authentication methods to EAP. EAP specifies the process, not the protocols used for each step.
What is a multihomed router?
A router that connects to multiple subnets.
What is a client-side script?
A script downloaded from a web page then executed on the client PC
What does an SA specify?
A security association (SA) is an agreement about what IPsec security methods and options the two hosts or two IPsec gateways will use.
Who should make decisions about letting an attack continue or disconnecting an important system?
A senior business executive who has been well informed and is knowledgeable of the possible scenarios.
Who should head the business continuity team?
A senior manager
What is data loss prevention (DLP)?
A set of policies, procedures, and systems designed to prevent sensitive data from being released to unauthorized persons.
What is a security baseline, and why is it important?
A set of specific actions to be taken to harden all hosts of a particular type and of particular versions within each type.
How do users in this mode authenticate themselves to an access point?
A shared passphrase that acts as the key
What are mashups? Give an example
A site that allows you to bring together data from multiple web pages, CSV files, RSS feeds, and other data sources. Yahoo Pipes is mentioned.
What is a cipher?
A specific mathematical process used in encryption and decryption.
What is a RAT?
A remote access Trojan: a specific type of Trojan that gives an attacker remote control over your computer.
What device could be used to identify a DoS flood if the entire frequency is being flooded by EMI?
A spectrum analyzer
What is the difference between a spider and a webscraper?
A spider follows links with the intention of gathering as much information as possible and discovering multiple sites. A web scraper focuses on extracting specific pieces of information rather than on quantity.
Describe bank account theft and online stock account theft
A thief steals the authentication information required to engage in online banking transactions in the victim's name.
In MMC, what is in the tree pane?
A tree of administrative applications.
What is a downloader?
A type of small Trojan that downloads a much larger Trojan after it infects your system. Also called a dropper.
Why is it easier to create appropriate ACL rules for server host firewalls than it is for border firewalls?
A typical server only has one (or a handful) of applications you need to tailor the ACL to handle, whereas the border firewall must handle every possible kind of traffic
Which method of responding to risk involves doing nothing?
Accepting a risk
Why should a senior manager head the CSIRT?
All security decisions made during an incident are, in fact, business decisions.
In incident response and recovery, what are the three rules for apologies?
Acknowledge responsibility and harm, explain what happened, explain what action will be taken to compensate the impacted parties (if any)
What three things must top management do to demonstrate support?
Provide an adequate budget, support security when there are conflicts with other departments, and, as top-level managers, follow security procedures themselves.
Why should companies work with forensics professionals before they have a need for them?
Admissibility of evidence is critical, and the timeline to obtain it will be short. Working with a forensics expert ahead of time will ensure both of these factors if the need arises.
Name the elements in a distributed IDS
Agents, and the manager with its integrated log file.
In incident response and recovery, why is the restoration of data files from backup tapes undesirable?
All data collected since the last backup will be lost. Also, if the attack began earlier than believed, the backup may restore the attacker's Trojans and other artifacts.
Why is it important to replace default passwords during configuration?
All default passwords are public knowledge and present an easy attack vector to threat actors.
How do firewalls and antivirus servers work together?
All major firewall vendors have protocols for working with antivirus software.
To what should security policies for protecting sensitive information be applied?
All mobile data on notebook disk drives, USB RAM drives, MP3 players, and mobile phones that can store data.
Why do hosts automatically prefer IPv6 addressing?
All newer (and non-Linux) OS programs ship auto-configured to prefer IPv6 networks by default. You can change this setting, but that is the default.
For what should a company develop remediation plans?
All resources unless they are already well protected.
Distinguish between IDSs and IPSs
An IDS will sound an alarm when it suspects an attack. An IPS will drop packets if it thinks an attack is severe enough
Distinguish between IP telephones and soft phones
An IP telephone is a dedicated piece of hardware that uses VoIP instead of traditional telecom phone lines. Soft phones are computers with VoIP software installed.
Distinguish between major security policies and acceptable use policies
An acceptable use policy (AUP) is a specific policy regarding the key points of special interest to users. It notes the resources are company property and not for personal use. It should also note there is not an assumed right to privacy, and that specific types of behavior will not be tolerated.
What is a rogue access point?
An access point that was not supposed to be on the network.
What is a buffer?
An area of RAM that temporarily holds information for a program.
What is a cross-site scripting (XSS) attack?
An attack in which one user's input can appear on the screen of another user.
Why is it bad to go to a malicious website?
An attack script on the malicious website may download and execute on the client PC. This may occur without user interaction once they navigate to the malicious URL.
What is a denial-of-service attack?
An attack that attempts to make a resource unavailable to legitimate users.
What is a DoS attack?
An attack that attempts to make a server or network unavailable to legitimate users.
What is a dictionary attack?
An attack that compares passwords to lists of common words.
What is a zero-day attack?
An attack that occurs with no notice that a vulnerability exists
What is SQL injection?
An attack that sends modified SQL statements to a web application that will modify or access a database that lacks the proper countermeasures.
What is social engineering?
An attack that takes advantage of flawed human judgment.
How does a DDoS attack work?
An attacker assumes control of multiple computers known as zombies/bots and uses a command and control computer to launch simultaneous DoS attacks from all the bots in its control.
How are mangling rules applied to a list of dictionary words?
An attacker defines a list of modifications that the cracking program will try, such as 1337-speak character swaps or even simple capitalization rules.
Describe a DDoS attack
An attacker places a special program called a bot on numerous Internet hosts. Later, the bot-master/bot-herder sends a message to all the bots to launch an attack. The bots then begin to flood the target with attack packets.
What man-in-the-middle attack is a danger for 802.11 WLANs?
An evil twin attack
Why is image backup attractive as compared to file/directory data backup?
An exact replica including all data and settings can be restored to the same or a different machine (as long as the machine hardware is close enough to the original machine)
How is a connection between two programs on different computers represented?
An internal socket and an external socket.
Distinguish between resource owners and trustees in terms of accountability
An owner is ultimately responsible for a job, but they may delegate that job to a trustee. They are still responsible for its execution, even though someone else is executing it.
How do you compute the ALE?
Annualized probability of occurrence times the single loss expectancy gives Annualized Loss Expectancy
What is carding?
Another name for credit card number theft. Ideally 'carders' target the card number, card owner's name, and 3-digit card verification number.
In an IDS, what are false positives, and why are they bad?
Another word for a false alarm. Excessive false positives train employees to ignore alarms
What are false positives?
Another word for false alarms.
What are the two advantages of RC4?
It is extremely fast and uses little RAM. It can use a broad range of key lengths, from 40 bits and up.
Why should general employee misbehavior be a concern?
Any abusive employee behavior should be taken as a red flag, because in many cases of serious security violations the perpetrator has a history of unacceptable behavior.
What are business partners?
Any buyer organization, customer organization, service organization or competitor that may have a close integration or interaction with your company.
What companies does PCI-DSS affect?
Any company that accepts digital payments.
Why should members of affected line departments be on the CSIRT?
Any decisions that impact a line department during an incident should include a representative of that department.
What is our definition of a host?
Any device with an IP address
What is the main access control threat to Ethernet LANs?
Any intruder who walks in and plugs into an Ethernet port.
What is cyberlaw?
Any law dealing with information technology
In public key encryption, what is "signing"?
Appending the digital signature (message digest encrypted with the sender's private key) to the plaintext message
Distinguish between proxy programs and application proxy firewalls
Application proxies use application-specific relaying in which they act as both a client and a host when packets arrive. Thus the firewall needs a separate application proxy program for each application protocol.
How long would it take to recalculate the data on a lost disk?
As long as it takes to retrieve all data from the remaining disks, XOR each bit, then write that result to the replacement drive.
What is stinging employees?
Asking an employee to do something against a policy to test if they will break policy or not.
In developing an IT security plan, what should a company do first?
Assess the company's current security.
What is data masking?
Assign private information an alternative ID, like using a customer ID instead of a name or SSN.
How long must passphrases be for adequate security?
At least 20 characters long
Where should backup media be stored for the long term?
At the very least, the backup media should be stored at a separate site.
Why is password cracking over a network difficult to do?
Attackers are usually logged out after a few failed attempts
In incident response, why is speed of response important?
Attackers continue to do damage until stopped. They will also take steps to make sure their actions will be more difficult to detect and analyze. Beyond that, critical systems may have failed as a result of the incident, and this can cost the company money.
Why should companies that do business only within a country be concerned about international cyberlaw?
Attackers often live in a different country than the victim.
Why is changing the default database listening port important?
Attackers typically use automated port scanners. If they detect the default port as open, they will immediately be able to identify it as a SQL server.
What is a vulnerability test?
Attacking a system yourself to see if you can find vulnerabilities before attackers do.
What is a zero-day attack?
Attacks that come before fixes are released to the public.
What risks do web service and e-commerce services create for corporations?
Attacks to these services can disrupt service, harm a company's reputation, and expose PII. It can also enable customer fraud against the firm to succeed more effectively.
List the AAA access controls
Authentication, Authorization and Auditing
Explain each AAA access controls in a sentence
Authentication- The process of assessing the identity of each individual claiming to have permission to access a resource. Authorization- The specific permissions that an authenticated user should have. Auditing- Collecting information about an individual's activities in log files.
Explain the four general goals for secure networking
Availability- Authorized users have access to desired resources. Confidentiality- Preventing unauthorized users from gaining information about the network. Functionality- Preventing attackers from altering the capabilities or operation of the network. Access Control- The policy-driven control of access to systems, data and dialogues.
List the elements of host hardening
Back up hosts regularly, restrict physical access to hosts, install the OS with secure configuration options (especially replacing all default passwords), minimize the number of applications and OS services that run on the host (minimize the attack surface), harden the remaining applications, download and install patches for known vulnerabilities, manage users and groups, encrypt data when appropriate, add a host firewall, read OS logs regularly, and run vulnerability tests against the system regularly.
Why is the encryption of backup media critical?
Backup media should be moved to a storage location. This presents an opportunity where the backups may be lost or released through other means. Encrypting the data will protect it if this happens.
How do baselines differ from procedures and processes?
Baselines describe the details of what is to be achieved without specifically describing how to do it.
What is the difference between basic file deletion and wiping?
Basic file deletion just marks the cluster as available for use without removing any of the data. Wiping overwrites the data in a manner that makes it almost completely unrecoverable.
Distinguish between batch and real-time transfers for IDS event data
Batch transfers occur at a set frequency, real-time constantly transmits every log entry from agents.
What is the advantage of a batch transfer for IDS event data? For real-time transfers?
Batch-transfers are less burdensome on the agents, and less disruptive to the users, as they allow the agent to wait for an opportune moment of low activity to transmit. It is also less expensive. Real-time transfers go to the manager immediately. One of the first things a hacker will try and do upon taking control is delete log entries, thus they may never make it to the manager in a batch-transfer system.
Why should updating be done completely automatically on client PCs?
Because of the short time between the release of patches and the widespread use of exploits.
Why shouldn't exceptions from policies be absolutely forbidden?
Because situations can be unpredictable, and policies and procedures can't possibly cover all circumstances.
In MMC, why are snap-ins called snap-ins?
Because they can be added or dropped from the tree list easily
When should backup be done for mobile computers?
Before being taken off-site. If it is off-site for more than a few hours, it should be backed up frequently while off-site as well.
How can attackers avoid the border firewall?
Being an internal attacker, compromising internal hosts, wireless LAN hacking, external devices brought into the site
Distinguish between best practices and recommended practices
Best practices are descriptions of what the best firms in the industry are doing about security. Recommended practices are prescriptive statements about what all companies should be doing.
What part of the e-mail process does SSL/TLS usually secure?
Between the email client and the mail server
In PKE, Bob has received an encrypted message from Alice, what key will Bob use to decrypt the message?
Bob's private key
In PKE, when Alice sends a message to Bob, what key will she use to encrypt the message?
Bob's public key
Is eavesdropping usually a concern for wired LANs, wireless LANs or both?
Both.
Why is encryption usually attractive for sensitive data from a legal standpoint?
Breaches are inevitable. If sensitive data is lost through a breach, having it encrypted in place will minimize the damage, both in terms of PR as well as lost proprietary information. Additionally, if the information is encrypted when stolen you may not be required to give notice, as the data presumably cannot be read.
What is the most popular way for hackers to take over hosts?
Breaking in by taking over applications.
What is toll fraud?
Breaking into a corporate VoIP system in order to place free long-distance and international phone calls.
Why is frequent plan updating important?
Business conditions change constantly because businesses reorganize constantly.
What do data breach notification laws require?
Companies must notify those affected if a breach of their PII occurs.
Why is ethics unpredictable?
Complex situations present positions where hard and fast guidance would be impossible to come up with beforehand.
Distinguish between cyberwar and cyberterrorism
Computer-based attacks made by national governments vs. computer-based attacks made by a terrorist or a group of terrorists.
Distinguish between the focuses of COSO and CobiT
COSO is more of a general control planning and assessment tool. CobiT is a more specific framework focusing on IT controls.
What do Trojan Horse password capture programs do?
They capture passwords as the user types them and send them to an attacker. Alternatively, they may present a fake login screen to record the username and password, then send it to the attacker.
A company does a full back up one night. Call this backup Cardiff. On three successive nights it does incremental backups, which it labels Greenwich, Dublin and Paris. In restoration, what backups must be restored first and second?
Cardiff, then Greenwich, then Dublin, then Paris.
What is the normal standard for deciding a case in civil and criminal trials?
Criminal cases require guilt to be proven beyond a reasonable doubt. Civil cases only must prove a preponderance of the evidence (more than 50 percent) that the defendant is liable for damages.
Why should companies install anonymous protected hotlines?
Often it is a coworker who first discovers a violation. Giving them a way of reporting that is critical.
What different actions do criminals and civil law deal with?
Criminal law deals with criminal statutes, which are laws that specify proscribed behavior. Civil law deals with interpretations of rights and duties that companies or individuals have relative to each other.
What three things should a firm do about disaster recovery planning for office PCs?
Centralized data backup with up-to-date synchronization, prior arrangements with equipment vendors to replace lost equipment, and an alternative work environment ready to go.
What is another common title for the CSO?
Chief Information Security Officer (CISO)
What is the manager of the security department usually called?
Chief Security Officer (CSO)
Under what conditions will you need to hire a forensics expert?
Civil lawsuits (torts) require the company to use a certified forensics expert to collect data and interpret it in court.
Why is it not possible to use classic risk analysis calculations for firewalls?
Classic risk analysis assumes a one-to-one ratio between the countermeasure and the resources it protects. A border firewall, however, protects all the resources behind it, often an entire network. In other words, a single countermeasure can protect many assets, and a single asset can be protected by numerous countermeasures (defense in depth).
Why do we annualize costs and benefits in risk analysis computations?
Classic risk analysis calculations
What is mesh backup?
Client PCs within an organization back up each other.
What is comprehensive security, and why is it needed?
Closing all routes of attack to a system to attackers. Attackers only need one way in to cause damage.
Compare the focus of CobiT with that of the ISO/IEC 27000 family of standards
CobiT specifically focuses on controlling the entire IT function whereas ISO/IEC 27000 specifically addresses IT security.
What are the main alternatives for backup sites?
Cold site, hot site
What is mobile code?
Commands written into a web page
What types of packets can be sent as part of a DoS attack?
Common packets include SYN flood packets, Ping flood ICMP packets or HTTP flood packets
Why is central PC security management desirable?
Companies must be able to centrally manage host PCs to ensure compliance with good practice and corporate policies. Additionally, it automates much of the labor, lowering the cost of enforcing security.
How do punishments differ in civil and criminal law?
Criminal cases may involve jail time and fines, whereas civil cases involve compensation or orders to avoid taking certain actions.
Distinguish between business continuity plans and IT disaster recovery plans
Continuity plans cover what business actions will be taken, not limited to the IT department. IT disaster recovery plans focus on restoring IT operations after a disaster.
Define CDP
Continuous Data Protection. It is a system in which each site backs up another site of the company. Furthermore, it backs up in real time.
Why is CDP necessary?
Continuous Data protection allows for near instantaneous recovery, with no lost information.
Who besides employees constitute potential "internal" threats?
Contract workers and workers with temporary credentials.
Why can cookies be dangerous?
Cookies make information about you available to others. If they record excessive amounts of information, they basically become spyware.
What dangers do cookies create?
Cookies store private information that you will not want an attacker to learn if they compromise your system. Once compromised, it can be a treasure trove of data.
Why is good incident analysis important for the later stages of handling an attack?
Correctly understanding the situation is critical to determining what actions will be effective in addressing the incident.
What are the three benefits of using a central authentication server?
Cost savings, consistency, immediate changes and updates.
Distinguish between credit card theft and identity theft
Credit card theft just steals a card number and the information required to use that card. Identity theft steals extensive PII from a victim and opens multiple accounts in their name such as credit cards, or even a mortgage.
In what type of trial is mens rea important?
Criminal cases
Who brings lawsuits in civil and criminal cases?
Criminal cases are brought by a prosecutor against a defendant. Civil cases are brought by a plaintiff against a defendant
Distinguish between cryptography and cryptographic systems
Cryptography is an entire field of study; a cryptographic system is a packaged set of cryptographic countermeasures for protecting communication.
What is a DDL trigger?
Data Definition Language trigger. A trigger used to produce an automatic response if the STRUCTURE of the database has been altered. These changes can be legitimate or illicit
What is a DML trigger?
Data Manipulation Language trigger. A trigger used to produce an automatic response if the DATA of the database has been altered. These changes can be legitimate or illicit.
What is the difference between data and information?
Data is referred to in the text as "raw facts," but it is the actual bits themselves, the 1s and 0s. Information is the meaning that is extracted from the data.
Why are business continuity plans more difficult to test than incident response plans?
Disasters have a much broader impact and involve many more people.
What is case law?
Decisions made by federal courts in which judicial decisions in individual cases set precedents for how laws will be interpreted in subsequent trials
What two types of filtering do IDSs use?
Deep packet inspection and packet stream analysis
Why is deep packet inspection important?
Deep packet inspection looks at all fields in a packet from IP all the way to the application message. This gives a complete picture of what the packet is doing
Which domain of CobiT has the most control objectives?
Deliver and Support, with 13 control objectives
Distinguish between incident detection and analysis
Detection is uncovering the fact that an incident occurred. Analysis is understanding the incident to be sure that it was real, determine its damage potential, and to gather the information needed to begin planning for containment and recovery.
What is the purpose of auditing?
Develop opinions on the health of controls, not to find punishable instances of noncompliance.
What is the purpose of Diffie-Hellman key agreement?
Diffie-Hellman allows for the secure exchange of symmetric keys without a PKE system in place.
How does encryption make file sharing more difficult?
Files usually must be decrypted to be moved to another computer. Overall, it takes more time and effort to move encrypted files.
What is black holing?
Drop all packets from an attacking IP address.
What two actions can IPSs take when they identify an attack?
Drop traffic or limit traffic
Which can do the most damage?
Dropping traffic can do the most damage.
Which can be the most effective?
Dropping traffic is the most effective.
What software must be patched on an e-commerce server?
E-commerce software is complex and has many subsystems. Much of this software runs as root and all of it needs to be patched.
What two extended EAP protocols are popular today?
EAP-TLS and PEAP (protected EAP)
How do wireless IDSs get their data?
Each access point becomes a wireless IDS agent, sending relevant info to the central wireless IDS console.
Why are anonymity and protection against reprisals important when hotlines are used?
Employees may otherwise be reluctant to speak for fear of reprisals.
How can eavesdropping be thwarted?
Encrypt both transport traffic and signaling messages. Alternatively, a company may only encrypt traffic passing over nonsecure links such as the internet. This can be done with a VPN
What sound quality problem may encryption create?
Encryption always adds a small delay with a latency of 5ms to 15ms for software encryption. This can harm voice quality, so hardware encryption is preferable.
What is a data model?
Entity names, attributes, and the structure of relationships between entities.
List the four elements of entry authorization in CobiT
Entry must be justified, authorized, logged and monitored.
What should the company do for each resource?
Enumerate them and classify them by sensitivity to threats and change factors.
What four protections can firms provide for people during an emergency?
Evacuation plans and evacuation drills, never allowing staff members into an unsafe environment, a systematic way to account for all staff immediately, and provisions for counseling in the event of an incident.
What is extrusion prevention?
Filtering that prevents employees from sending intellectual property out of the corporation
What is accidental retention (of email)?
Even if mail is deleted from the main server it may still exist on a backup of that server, or in a form such as a local copy on an employee's workstation.
In terms of a VoIP system, why can DoS attacks be successful even if they only increase latency slightly?
Even slight increases in latency, jitter or reduced bandwidth can make a call unintelligible. VoIP is especially sensitive to latency
Why is vulnerability testing desirable?
Even the most diligent companies make mistakes due to the complexities of the many protections they need to implement.
What is forensic evidence? Contrast what cybercrimes the FBI and local police investigate
Evidence that is acceptable for court proceedings. The FBI will investigate matters of interstate commerce and some other attacks. Police investigate violations of local and state law.
Why is implementation guidance for policy exception handling necessary?
Exceptions are dangerous so they must be tightly controlled and documented.
Why would documentation and periodic auditing of policy exceptions be important?
Exceptions are dangerous, so all occurrences and their justifications should be documented as well as the parties involved.
Why are false positives problems for IDSs?
Excessive alarms, especially since most will be false alarms, from an IDS train users to ignore the alarms. Thus, when a real alarm is generated it is less likely to be noticed
What is mobile code?
Executable code found within a webpage.
How can social engineering be used to trick a victim into going to a malicious website?
Fake emails with fraudulent links, Website popups saying you have a virus and need to follow a link to clean it, etc.
For computer access, which is worse, high FAR or FRR?
False acceptance is worse, as it exposes secure resources
What are the FARs and FRRs?
False acceptance rate and false rejection rate
What are the four levels of incidents?
False alarms, Minor incidents, Major Incidents, Disasters
In an IDS, what are false negatives, and why are they bad?
False negatives are when an attack event is accepted as normal behavior. This means the IDS failed to catch the attack
For computer access, is FRR or FAR worse from a user acceptance viewpoint?
False rejection is worse, as it makes the authorized users dislike the technology
For watch lists of criminals, which is worse from a security standpoint? False acceptance or false rejection? Explain
False rejection is worse, as it means a real suspect is being overlooked
Distinguish between file/directory backup and image backup
File/directory backup protects data on the computer, but not programs, registry settings, and other customization information. Image backups save the entire contents of the hard drive including programs, data, personalization settings, and everything else on the drive.
Which versions of IP can use IPsec?
IPv4 and IPv6
What is promulgation?
Formally announcing, publishing or making users aware of a new policy.
If you will proxy four different applications, how many proxy programs will you need?
Four
How are permissions applied to a directory in Windows? List each standard Windows privilege and explain briefly
Full Control- Can see everything and make any changes. Modify- Can delete, move, and rename files. Read & Execute- Can view file contents and run any programs. List folder contents- Can view all the contents of the directory but not necessarily open or modify them. Read- Can view contents of all files within the directory. Write- Can view and modify contents of a directory.
What is the key to being an enabler?
Get security involved early, in all projects.
Why is vulnerability testing necessary?
Given the complexity of firewalls and ACLs, errors are inevitable. Detecting them for yourself before attackers do is the ideal solution.
How would you set up a top-level directory for a firm's public policy documents which should be readable by all logged-in users?
Grant permissions to the 'all logged in users' group for read permissions
Why is HR important to IT security?
HR is responsible for training, security hiring, as well as discipline in the event of a security breach or misuse of resources.
How do criminals usually get the information they need for credit card theft and identity theft?
Hackers break into poorly protected corporate computers and steal the required information. Alternatively, they may get it from a lost or stolen computer or from a dishonest insider.
What institutions are subject to HIPAA?
Health care organizations.
What three advantages do application proxy firewalls have in protection that SPI firewalls with content inspection do not have
Hiding of internal IP addresses, header destruction, protocol fidelity
Why are hoaxes bad?
Hoaxes aren't all harmless. Some try to persuade the victim to do something that would be legitimately damaging to their system.
Distinguish between the three types of VPNs
Host-to-host connects a single client to a single server. Remote access connects a single remote PC to a site network. Site-to-site connects a pair of sites over an untrusted network.
Why do hosts use ARP?
Hosts on a network must know each other's MAC address before they can send and receive packets using IP addresses. They use ARP to build their host tables.
What problems does each type of alternative backup site raise?
Hot sites are extremely expensive and ensuring that the software at the backup site is configured in the same way as the main site is difficult. Cold sites have the most downtime, and a full recovery of data may not be possible.
What is the strength of each type of alternative backup site?
Hot sites have full systems and current backup data ready to go requiring little downtime with little productivity losses. Cold sites are the least expensive to maintain but have the most downtime and will not recover as much data.
What do business continuity plans specify?
How a company will maintain or restore core business operations after disasters.
Why does human cognition in crises call for extensive pre-planning and rehearsal?
Human cognition is not at its best during a crisis
How can social engineering be used to get access to a sensitive file?
Human gullibility is easier to exploit than IT security.
Why do technologically strong access controls not provide strong access control in real organizations?
Human interaction always provides an opportunity to bypass controls or grant excessive control to an unauthorized party (a manager logs in for an employee who forgot their own password for example)
How long must an encryption key be to be considered strong today?
I believe the book says 8 or 12 characters, but real modern standards hold 20 characters as a minimum secure passphrase
What type of packet is sent in a Smurf flood? Why?
ICMP. This allows the reflection to be amplified by all the hosts on the internal network, which receive the ICMP message and attempt to reply to the victim computer.
What is the purpose of an IDS log summary report?
IDSs only send alarms for high-risk threats. However, they detect many other threats, and these are placed in the log file. This log also indicates threat priority by type or by statistical analysis indicating the frequency of the attack type. This gives the admin a way to drill down manually.
In what two ways have attackers circumvented filtering designed to stop directory traversal attacks?
IIS allows hexadecimal input, so they were able to utilize the hex equivalent of ".." to get their request to process. This has since been patched as well. There was an alternate UNICODE representation of ".." as well, which was processed by the webserver until this alternate version was patched.
In the IIS IPP buffer overflow attack, what buffer is overflowed?
IIS = Internet Information Server; IPP = Internet Printing Protocol. IPP is a service of Microsoft's IIS webserver software. It is a print buffer associated with the IPP service.
List, in order of appearance at the receiver, the headers and message of a packet carrying voice between phones
IP header, UDP header, RTP header, and then a group of voice octets.
Distinguish between IP address scanning and port scanning
IP scanning scans a range of IPs to determine what hosts exist. Port scanning targets an individual host and scans a range of ports to determine what services may be operating on that host
Compare centralized management in IPsec to that of SSL/TLS
IPsec is more complex and costly to install.
What are the advantages of placing security within IT?
IT and Security share many of the same technical skills. Also, this means that IT reports to the firm's Chief Information Officer (CIO) and the CIO would be accountable for breaches. This means the CIO is likely to back security efforts.
What type of employee is the most dangerous?
IT employees (especially IT Security Staff)
Why is an integrated log file difficult to create?
If a company has NIDSs and HIDSs from different vendors, each is likely to have a different log format. This can be difficult or even impossible to integrate.
How can a man-in-the-middle attack defeat 2FA's promise?
If a user logs into a fake site, then while the user authenticates, the fake site can also get itself authenticated and execute transactions of its own.
How can honeypots help companies detect attackers?
If an alarm is sent with every non-transient access attempt, the security administrator has a good chance of catching attackers.
Why are permanent shared keys undesirable?
If an attacker learns the key, all security is lost.
How does the use of border, internal, and host firewalls provide defense in depth?
If any of the firewalls has an error or misconfiguration, ideally the other firewalls will continue to protect the hosts.
Why is it important to minimize permissions for application programs?
If attackers can take over a program, they can execute commands with that program. Requiring a password to access the program is another way of stopping an attacker. This way they need both an exploit and a compromised account, increasing the difficulty of their attack.
How can parity be used to restore lost data?
If one drive fails, the remaining drives can be XORed with the parity drive to return the bit that was on the lost drive
Give the two simple default SPI firewall rules for packets that attempt to open connections
If the packet is an egress packet attempting to open a connection, it is passed. If the packet is an ingress packet attempting to open a connection it is dropped.
What is the advantage of burning backup data onto optical disks?
It is convenient as most PCs have DVD burners (or at least they did back when this book was written). Also, DVDs can be located off-site, protecting data in the event of a disaster.
Why is a negative view of users bad?
It is corrosive and exclusive. View them as resources and promote inclusion so that they are eager to participate and seek to give early warnings to issues they notice.
How could a malformed packet cause a host to crash?
If the packet is formed in a way that the application or host operating system was never designed to process, it may cause the application or OS to crash. Examples have been ping packets that are larger than the OS ever expected (ping of death) or a TCP packet that has both SYN and RST switched on.
Explain the time synchronization issue for integrated log files
If the times on the various devices are off by even a few milliseconds it will be much more difficult to correlate the logs, especially if an attack is automated.
What can hackers gain by taking over application programs?
If they can control the application, they can usually execute commands with whatever permissions that application has within the system. Often, programs run with root access, thus taking over the program effectively gives the attacker root access as well.
In the Local Users and Groups snap-in, if the administrator clicks on an account, what may they do?
If they select 'Action' or right-click the account they can rename the account, delete it, modify its security properties, or take other actions
Why is it important to sanction violators of security protocols?
If this does not happen, the firm's lack of intention to follow up on security quickly becomes well known.
Why is it important to understand the threat environment?
If you do not know how you may be attacked, you cannot plan to defend yourself.
How can you quickly assess the security posture of your Windows PCs?
In Windows XP and Vista: Windows Security Center; since Windows 7: Windows Action Center.
What is employee computer and Internet abuse?
In a corporate setting, abuse is any activity that violates the company's IT use policies or ethics policies. Thus, it encompasses any use of the corporate Internet outside the company's Internet usage policies or that violates its ethics policies, or any use of a computer outside of the employee's authorization, such as accessing files the employee is not authorized to view.
What is the advantage of a distributed IDS?
In a simple IDS all 4 elements are on one device (a stand-alone IDS). However, you generally need a broad picture of network activity to understand an attack. For example, a single host rebooting is normal; 25% of your hosts rebooting at once is a sign of a problem.
How do cloud computing and client-server architectures differ?
In client-server the host and a single server both need applications installed, and they can share processing and data storage. In cloud computing the host does not need additional applications installed, just a web browser. Additionally, almost all processing and storage may be executed by the server. Beyond that the host may be connecting to a network of multiple servers as opposed to a single client-server connection.
When are guidelines appropriate?
In complex and uncertain situations for which rigid standards cannot be specified.
How do cloud computing and mainframe architectures differ?
In mainframe computing the thin clients were essentially a screen, keyboard and monitor that all had a connection to the single, central mainframe. With cloud computing the thin client still has a CPU and storage, and it is not limited to a single location; it can access the cloud servers from anywhere with an Internet connection.
Distinguish between mandatory access control and discretionary access control
In mandatory access control departments have no ability to alter rules set by higher authorities. In discretionary access control the department has discretion over giving access to individuals, within the policy standards set by higher authorities.
What are the two main benefits of using an MSSP?
Internal security is often idle; outsourcing it is a more cost-effective approach. It also grants full independence, allowing the MSSP to blow the whistle on anyone in the company, including the CISO or CIO.
How can ARP poisoning be used as a DoS attack?
In the same way that an attacker can direct all network traffic to themselves by using their MAC address, they could direct all network traffic to a nonexistent MAC address. Since the switch will not be able to resolve this MAC, it will simply drop all packets, causing a DoS.
Distinguish between verification and identification
In verification, a supplicant claims to be a particular person and the challenge is to measure their data against the template of who the person claims to be. In identification the supplicant does not claim to be a particular person, but they must be compared against all templates to find a match.
What is the difference between in-band and out-of-band SQL injection?
In-band extracts data directly from the database and displays it in a web browser. Out-of-band SQL injection uses malformed statements to extract data through a different application such as email.
What two risks does patching raise?
Increased security usually means reduced functionality. Some patches may freeze or damage machines.
How long can third-party email providers keep your email?
Indefinitely
In MMC, what is a snap-in?
Individual applications on the tree pane.
Who would set up a rogue access point? Why?
Individuals or departments with little or no security. They think it may make their access easier; even if there is no malicious intent, it is still a problem.
What is intellectual property?
Information owned by the company and protected by law. Includes formally protected information such as copyrights, patents, trade names and trademarks. Also includes trade secrets.
Is MS-CHAP used for initial authentication or message-by-message authentication?
Initial authentication
How would you detect a physical key-logger?
Inspect the USB ports or PS/2 ports (on older computers).
In what two ways can password-cracking programs be used?
Install a password-cracking program directly onto a server, or copy the password file and crack it later on another machine.
In IM, what does a relay server do?
Instead of establishing peer-to-peer IM communication, all messages pass through the relay server allowing corporations to filter IM for inappropriate content.
Give the textbook's definition of hacking
Intentionally accessing a computer resource without authorization or in excess of authorization.
What is webification?
Intercepting and converting replies from a server to a format that can be processed by a web browser.
List COSO's eight components
Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
What three automatic protections do application proxy firewalls provide simply because of the way in which they operate?
Internal IP address hiding, header destruction, protocol fidelity.
Distinguish between the three main types of corporate auditing units
Internal auditing: examines organizational units for efficiency, effectiveness, and adequate controls. Financial auditing: does the same for the financial processes. IT auditing: examines the efficiency, effectiveness and controls of processes involving information technology. Often security auditing is under one of these departments to bring more independence to security auditing.
Distinguish between internal and external monitoring
Internal audits are done by the company itself; external audits are done by a third party.
Give examples of both internal and external harm caused by unauthorized wireless access
Internal harm can come from the fact that whoever accesses your network has full access to any resources available and may bypass any additional security. External harm comes from the fact that they may launch attacks from your network, using your WLAN to mask their identity
Why is central security management attractive?
It allows you to enforce policies directly on a firm's devices, bringing consistency to security. It also reduces travel for your security team.
How are VLANs useful in VoIP?
It allows you to place voice and data on separate VLANs, which makes it difficult for attackers coming through the data side to attack VLAN services.
To whom do codes of ethics apply?
They apply to every individual working for the company.
What are your computer's settings for the four zones?
Internet, intranet, trusted websites, restricted websites
What is watermarking?
Invisible information stored in files.
What might the antivirus server do after it performs filtering?
It will either return it to the firewall or pass it directly to the client.
What is the purpose of a wireless IDS?
It allows central management of many wireless access points.
Why is a technical security architecture needed?
It allows the company to know that technical security protections are well matched to corporate asset protection needs and external threats.
Why might a company allow an attacker to continue working in the system for a brief period of time?
It allows the company to observe what the attacker does. This information may aid in analysis and may be needed to collect evidence for prosecution.
How can good security be an enabler?
It allows the company to use tools and communication techniques freely, with the expectation that the security in place will keep everyone safe, as opposed to shutting those systems down and avoiding their use for fear that weak security would allow an attack through those systems and techniques.
What is the advantage of placing IT security auditing under either the IT auditing, Financial Auditing or Internal Auditing departments?
It allows the security auditing to blow the whistle on the security department or even the CSO if necessary.
Why is transparent encryption attractive?
It allows the user to access encrypted files and directories just as they normally would on an unencrypted drive. They may not even realize the drive is encrypted
For corporate IM, what are the advantages of using a relay server instead of only a presence server?
It allows them to filter inappropriate content
Why is it necessary to prevent piggybacking?
It allows unauthorized personnel to bypass physical access controls at entry points
What is an IDS?
It is an intrusion detection system. This encompasses software and hardware that captures suspicious network activity and host activity data in event logs. It can also send automated alarms and provide administrators with reporting tools that help analyze data interactively during and after incidents.
In incident response and recovery, what are the potential problems with total software re-installation?
It is an involved process and does not address data loss. Additionally, the company must retain and have ready its original installation media and product keys.
Is 802.11i security strong? Explain.
It is as strong as EAP, as it uses TLS (which is quite trustworthy) to provide a secure connection to the Authenticator, similar to a wired LAN in traditional EAP.
What are the disadvantages of placing security within IT?
It does not give security any independence from IT. A large fraction of attacks come from within the IT department, and lumping security in with IT lowers the protection against an insider attack. It also lowers the Security department's ability to oversee the actions of the CIO. Also, Security is much broader than IT.
Can companies create policies in SSL/TLS?
It does not have a way to enforce policies centrally
Why is it a problem if benefits and costs both occur over several years?
It doesn't allow traditional risk assessment to apply. The costs of most IT security start high, then drop. However, over time, the costs go up as antiquated tech is more expensive to maintain. Additionally, antiquated equipment is less effective, thus its effectiveness varies over time as well, further discrediting traditional risk assessment calculations
What type of encryption does MS-CHAP use?
It doesn't encrypt anything; it relies upon hash algorithm digests to authenticate.
How does backup ensure availability?
It ensures that data will still be available in the event of catastrophic failure of a host.
How does 3DES work?
It extends the DES key length by applying DES three times in a row.
In the 27000 standards family, what is the function of ISO/IEC 27002?
It focuses in detail on IT security, with 11 broad security areas that are then subdivided into more specific elements.
Why has FISMA been criticized?
It focuses on documentation instead of protection.
What does NAC do when a computer attempts to connect to the network?
It focuses primarily on controlling initial access to the network. It inspects the security health of a client PC before giving it access to a network. If the client does not meet the standards required, it is referred to a remediation server which provides the updates required to bring the client up to the standards required. Once updated it goes through NAC again.
Why is creating firewall policies desirable compared to just creating a list of ACL rules?
It frees the implementer to choose the best approach to reach the underlying goal of the policy
Why is rate limiting limited in effectiveness against DoS attacks?
It frustrates both attackers and legitimate users. Also, if the DoS traffic fully clogs access to the Internet, even rate limiting won't alleviate the issue.
Why are integrated log files good?
It gives a more accurate picture of network activity overall, and is often a better way of revealing an attack
Why does the firewall log information about dropped packets?
It gives the admin a chance to review the dropped packets and try to spot any trends or issues
Why should companies undertake a postmortem evaluation after an attack?
It gives you the opportunity to refine and improve your response.
Why is Microsoft Windows Server easy to learn?
It has an interface that is very similar to Windows client.
How does the city model relate to secure networking?
It has no distinct perimeter, and there are multiple ways in, but each resource requires authentication like every building in a city requires a key
How does the castle model relate to secure networking?
It has the good guys on the inside and the attackers on the outside with a single well-guarded point of entry.
Why does packet stream analysis place a heavy load on IDSs?
It has to reassemble multiple packets.
What privileges does the super user account have?
It has total control over the computer
What are the advantages of implementing audit policies?
It helps administrators track and enforce other policies as well as determine the effectiveness of each policy. Additionally, it gives them information in the event of an attack which can help them harden their systems or be used as evidence. Letting users know auditing logs exist may act as a deterrent against misbehavior as well.
Why are internal firewalls desirable?
It helps control the flow within the department. This can be useful for access control, or damage mitigation in the event of a successful attack in one department.
Why is IP address spoofing done?
It helps mask the source of the attack, thus hiding the hacker.
How can companies be harmed if they allow personal information in their control to be stolen?
It hurts their reputation, and there are numerous government actions that may hold them responsible for the losses.
In SSL/TLS what is a cipher suite?
It includes standards for key negotiation, digital signature method, key encryption method, and hashing method
Why is the avoidance of compliance a serious red flag?
It indicates a deliberate circumvention of security, and always calls for a follow-up investigation.
Why is periodic measurement of security measurements beneficial?
It indicates whether a company is doing better or worse in implementing policies.
Is an IDS a preventative, detective, or restorative control?
It is a detective control.
Why is ActiveX dangerous?
It is a powerful technology that can do almost anything on the client machine. This power, combined with the fact that ActiveX offers almost no protection from misuse, makes it dangerous.
What is Skype?
It is a public VoIP service that offers free calling among Skype customers over the internet and reduced cost calling to and from PSTN customers.
Why is backing up over the internet to a backup storage provider attractive for client PC users?
It is a relatively convenient option for PC users, but not fast enough for corporations.
What is a security assertion?
It is an assertion from Firm A that Firm B should believe the assertion if Firm B trusts Firm A
How would rainbow tables reduce the time needed to crack a password?
It is faster to compare a list of hash values to your precomputed hash values than it is to generate hash values on the fly with a brute-force or dictionary attack. It takes more time to prepare, but once generated it is quick to find a match (if one exists in the table). The book refers to this as a time-memory trade-off.
Why is insurance not a way to avoid dealing with security?
It is good for attacks that are rare but extremely damaging. However, you often need quality countermeasures to even qualify for insurance, thus even in an extreme case you can't avoid security entirely.
What can a resource owner delegate to a trustee?
It is ideal to delegate a job to someone with greater technical skill or a better understanding of the details of the situation than the owner.
On which MMC is the Windows Snap-in used to manage users and groups available?
It is in the Computer Management MMC
For guidelines, what is mandatory?
It is mandatory to consider guidelines, but not to follow them.
Why is identity theft more serious than credit card theft?
It is more difficult to resolve, is not fully insured, may result in criminal charges against the victim, and can take years to resolve.
Is it easier to punish employees (who commit insider attacks) or prosecute outside attackers?
It is much easier to punish employees. Legal prosecution of an attacker is complex and costly; punishing employees usually requires a much lower standard of evidence.
Why is backup onto another hard drive attractive?
It is much faster than reading/writing to magnetic tape
What is the big advantage of AES over 3DES?
It is much more efficient than DES in terms of processing power.
Why should both local police and the FBI be called when a cybercrime incident is detected?
It is not always certain which agency will have jurisdiction over a particular crime.
Why is viewing the security function as a police force or military organization a bad idea?
It is not an effective way to establish a relationship with the users of the company or make them feel included in the process.
Why is analyzing log file data difficult?
It is often difficult to distinguish between human error and an attack. Additionally, the sheer number of entries can be overwhelming
Why does risk avoidance not endear IT security to the rest of the firm?
It is often the view of the rest of the company that they lost an opportunity because the security team "killed" it.
In what two secondary ways do corporations sometimes use static packet filtering?
It is often used to stop ICMP messages from entering or leaving a network and is used to stop spoofed internal IPs from entering the network. Thus, border firewalls employ static filtering as a secondary method to stop some specific attacks, and sometimes border routers will be configured to do static filtering and lighten the load on the main border firewall.
In incident response, why may repair during continuing operations not work?
It is often very difficult to discover all trojans and backdoors, registry entries, rootkits and other problems introduced from the attack
Can you create a truly random password? Will it be used?
It is possible, but it is nearly impossible for the typical user to remember it
Are the key lengths commonly used in 3DES strong enough for communications in corporations?
It is probably strong enough, but it is slow and therefore expensive.
Why is message authentication important in an archiving system?
It is quite easy to fabricate a message so that it appears to come from someone else.
What is the worst problem with the classic approach to risk analysis and ROI?
It is rarely possible to estimate the annualized rate of occurrence for IT security threats. There is simply no good source for this information, and the threat landscape changes too quickly to evaluate it properly.
What principle should companies follow in making trust assignments?
It is safer to give too little trust than too much
What is an MSSP?
It is short for Managed Security Service Provider. It is a way of outsourcing some or all IT security. It places a central logging server on your network and the server uploads all events to the MSSP site.
What is the disadvantage of 3DES?
It is slow and therefore expensive.
Why is information assurance a poor name for IT security?
It is somewhat deceptive in that it implies that a company can fully guarantee C.I.A.
What is a control activity, and why is it important?
Policies and procedures are established and implemented to help ensure risk responses are effectively carried out.
Describe the firewall port openings for VoIP transport
It requires opening separate ports for each transport connection between users. Firewalls must be able to read the SIP and H.323 protocols to learn what port the signaling protocol assigns to each transport connection. It must then open that port for a very short time, closing that port as soon as the call terminates.
Why is CDP expensive?
It requires very high speed, and therefore very expensive, data transmission links between the two sites.
What two things does vulnerability testing software do?
It runs a battery of attacks against the servers, then generates reports detailing the security vulnerabilities it found.
Why is the downloading of disk images of the operating system desirable compared to configuring each host individually?
It saves money on every installation and ensures the host is properly configured according to the firm's security baselines and general security policies.
What type of SIP message does a VoIP phone use when it wants to connect to another VoIP phone?
It sends a SIP INVITE message to the PC soft phone
Why is border management important?
It separates internal, trusted networks from external, untrusted networks.
What does a handler do? (in a DDoS attack)
It serves as an additional layer of compromised hosts and is used to manage large numbers of bots.
What should be done about backup media until they are moved?
They should be stored in fireproof and waterproof containers.
When should a Windows systems administrator use the Administrator account?
It should be used as little as possible and only accessed when they must utilize super user permissions
What different baselines does a company need for its client PCs?
It should have a baseline for every version of an Operating System in use. In other words, a baseline for Win 8, a baseline for Win 10, a baseline for Ubuntu, etc. It may want to have baselines depending on the type of PC and what it is deployed for (laptop vs desktop, in-site vs off-site)
What controls should be placed over employees taking equipment off-site?
It should only be done with proper authorization, and only by select personnel. This should be logged.
What should be in the contract for a vulnerability test?
It should specify what will be done in detail and when it will be done.
In the 27000 standards family, what is the function of ISO/IEC 27001?
It specifies how to certify organizations as being compliant with ISO/IEC 27002
What does an IDS do if it cannot process all of the packets it receives?
It starts to skip packets
What does the registrar server do in VoIP?
It stores the user's credentials like a password or a PIN, which is utilized to route calls later.
Why is file/directory backup attractive compared to image backup?
It takes up less space, it is easy to set up, it takes less time to execute, the data can be restored to any machine.
What does RTP add to compensate for the limitations of UDP?
RTP (Real-time Transport Protocol) contains a sequence number so that the voice octets will be played in order even if the packets arrive out of order. Additionally, the RTP header contains a timestamp so that the receiver will play the sound at the right time relative to the previous packet's sounds.
Why is CobiT strongly preferred by US IT auditors?
It was created by the Information Systems Audit and Control Association; thus it was made with auditing in mind.
In a stack overflow, to where does the overwritten return address point?
It will point back to "data" in the buffer. If the attacker is skillful enough, this data could be program code written by the attacker. Thus, instead of executing a legitimate program, control is transferred to the attacker's code.
What problem is there with Skype's encryption for confidentiality?
Its encryption method is unknown. Even worse, Skype controls all of the encryption keys so that it can read all of the traffic it wants.
How is oversight related to policy?
Just as a policy drives implementation, the same policy drives oversight.
How could attackers use cloud computing?
Just as cloud services offer benefits to large corporations, they can benefit attackers too. Attackers can access large amounts of storage to trade stolen goods, or purchase access to additional computing cycles to crack passwords.
How should trash bins be protected?
Keep them on company premises because once they are moved off premises the contents are considered abandoned and have no legal protection
What can the security staff do to get along better with other departments in the firm?
Learn to speak the languages of the other departments and understand their situations. Security should always accompany policies with financial benefit analysis and realistic business impact statements.
What is eavesdropping?
Listening to a voice call without permission
What Windows snap-in is used to manage users and groups?
Local Users and Groups
Distinguish between log files and documentation
Log files are generated by the computer; documentation is generated by the employees.
What are the four functions of IDSs?
Logging (data collection), automated analysis, administrator actions, management.
What types of database events should be audited?
Logins, changes, warnings, exceptions, special access. These are examples of items that are commonly audited; what should be audited will vary from company to company.
What is shoulder surfing?
Looking over someone's shoulder to see their password as they enter it, or other sensitive data.
What filtering action was mentioned to prevent internal client misbehavior in HTTP?
Looks for HTTP POST methods that can send files out of the firm
What are the three dangers created by notebook computer loss or theft?
Loss of a significant capital investment in terms of the notebook itself and the software on it. All data that was not backed up on the laptop will be lost. The computer may contain sensitive data which may be obtained by whoever steals/finds the laptop.
Which hashing algorithms should not be used because they have been found to be vulnerable?
MD5 and SHA-1
Why is magnetic tape not desirable as a backup medium?
Magnetic tape recording and read back is excruciatingly slow.
For what reasons is security management hard?
Management is an abstract concept. There are fewer general principles to discuss, and they cannot be put into practice without well-defined and complex processes. Also, there is a need for comprehensive security: you must avoid weakest-link failures, and companies must protect many resources. All of this is a daunting task.
What is a walkthrough or table-top exercise?
Managers and other key players get together and discuss, step by step, what each will do during an incident.
Distinguish between the IDS manager and IDS agents
The manager gathers all log data from the agents, assembles and organizes that data, and analyzes it.
Why are the two alternatives to using centralized wireless IDS not attractive?
Manual sweeps can easily miss problems and doing nothing is unacceptable.
What are the two alternatives to using centralized wireless IDS?
Manual sweeps or doing nothing at all.
Why is the quick application of critical fixes important?
Many exploits are actually developed by reverse engineering a patch. Therefore, the most dangerous time is often right after a patch is released.
Why do international gangs use transshippers?
Many online retailers will not ship outside of the US, so they use transshippers.
Why are dictionary attacks faster than brute-force guessing?
Many users choose common-word passwords. A dictionary attack identifies these quickly.
Why is UNIX systems security difficult to describe generally?
Many versions of UNIX exist; unlike Windows, it is not a single OS.
What two types of communication must be secure?
Master-agent communications. Vendor-manager updates.
List the ways in which data can be lost, adding some of your own
Mechanical drive failures, fires and floods, malware may delete or alter data, mobile devices can be stolen or lost.
What are damage thresholds?
Minimum amounts of damage that must occur before attackers are in violation of the law.
Explain RAID 1
Mirrored
What two types of things are employees likely to steal?
Money and intellectual property
As processing power increases, what will this mean for firewall filtering?
More sophisticated filtering methods will become possible.
How many detailed control objectives does CobiT have?
More than 300
Is there a specific law that specifies what information must be retained for legal purposes?
Numerous laws include requirements for retention and archiving communication, including email. These laws span all corporations, with some specifically written for government and financial institutions.
Why is it important to minimize both main applications and subsidiary applications?
Obscure applications often present unexpected attack vectors; primary applications are usually popular and thus present a more likely attack vector.
Why is an RC4 key length of 40 bits commonly used?
National export restrictions in many countries once limited commercial products to 40-bit encryption.
Could a rogue router direct internal traffic to an outside rogue DNS server? How?
Networks are often configured to allow the router to set the DNS server.
Should corporations today use WEP for security?
Never
What should employees be trained not to put in e-mail messages?
Never put anything in a message they would not want to see in court, printed in newspapers, or read by their boss
What attitude should programmers have about input?
Never trust user input
What special controls are required by terrorism threats?
New buildings should be set back from streets and have rolling hill landscaping. When appropriate, armed guards should be in place.
Are most CAs regulated?
No
Do SPI firewalls have the slow speed of relay operation?
No
Does the use of spread spectrum transmission in 802.11 create security?
No
In MS-CHAP, does the server authenticate itself to the client?
No
Why do firms not simply replace their legacy security technologies immediately?
No company can afford to replace its legacy security tech all at once. Thus, only critically outdated tech must be replaced at once, and the rest of the security architecture needs to be designed so that new additions compensate for the weaknesses of existing security tech.
What are the two weaknesses of NIDSs?
No firm can afford to operate agents on all internal switches and routers, so all firms have some blind spots. Secondly, NIDs can't scan encrypted data.
Does the shoulder surfer have to read the entire password to be successful? Explain.
No, any characters they catch could be beneficial in a brute-force attack or hybrid-dictionary attack.
Is storing backups on optical disks for several years likely to be safe?
No, disks degrade over time, likely starting to degrade within 2 years.
Is cybercrime negligible today compared to noncomputer crime?
No, in fact the profits of cybercrime surpassed the profits of illegal drugs in 2005.
Does Skype control who can register a particular person's name?
No, it does not provide adequate authentication. Initial registration is open and uncontrolled.
Is there a sequential flow between the three stages of the plan-protect-respond cycle?
No, it is cyclical
Does a digital certificate indicate that the person or firm named in the certificate is trustworthy? Explain
No, it just indicates the person is who they say they are, not that they are trustworthy.
Can good planning and protection eliminate security incidents?
No, it just serves to reduce them. The FBI estimates that about 1 percent of concentrated attacks will be successful
Is RAID 5 appropriate for home users? Why or Why not?
No, it requires a fair amount of maintenance and quick reaction in the event of a drive failure.
Can static ARP tables be effectively used in large networks? Why not?
No, networks change too frequently and manually updating these changes would be too time intensive.
Are SIP proxy servers involved during transport transmissions? Explain.
No, once the connection is established the two phones communicate directly in transport mode with RTP packets.
Can nearly all applications be proxied?
No, only a few such as HTTP, or SMTP can be proxied.
Are SPI firewalls limited to SPI filtering?
No, some SPI firewalls can do other types of filtering as well.
Do switches record IP addresses? Why or Why not?
No, switches only look at the MAC address of every packet they process.
Is black holing an effective defense against DoS attacks? Why?
No, the attacker can easily change source IP addresses, and black holing may have detrimental effects if it is done automatically, such as black holing a corporate partner.
In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that does not attempt to open a connection?
No, the default behavior is to check the connection table for an existing connection.
Is a NAT traversal method easy to select?
No, there are several methods, and all have drawbacks.
Are international laws regarding cybercrime fairly uniform?
No, there is great variability and it changes rapidly
In federated identity management, do firms query one another's identity management databases? What do they do instead?
No, they provide assertions, which are statements that Firm B should accept as true if Firm B trusts Firm A.
Do SPI firewalls only do stateful packet inspection?
No, they use other methods as well.
Would a SLAAC attack work on an existing IPv6 network? Why or Why not?
No, hosts already on an IPv6 network would not respond to the rogue router's Router Advertisement (RA) messages.
Does federal jurisdiction typically extend to computer crimes that are committed entirely within a state and that do not have a bearing on interstate commerce?
No, this will be handled by a state or local court
Is SSL/TLS end-to-end security? Explain.
No, unless the SMTP server also uses transmission encryption and the recipient communicates securely, the e-mail will not have end-to-end encryption.
Does a particular version of UNIX have a single user interface?
No, you can download multiple different interfaces. The two most popular are GNOME and KDE.
Can an attacker who captures the exchanged keying information from a Diffie-Hellman key exchange compute the symmetric encryption key?
No.
Does a digital certificate by itself provide authentication? Explain why or why not?
No. The verifier can't confirm that the digital certificate is actually coming from the party in question.
Does a digital signature by itself provide authentication? Explain why or why not?
No. The verifier can't confirm the public key being used is the true party's public key just from a certificate.
Does a systems administrator generally manage the network?
Not generally.
Does Skype's file transfer generally work with antivirus programs?
Not necessarily.
Did traditional hackers engage in theft?
Not normally.
Why is providing minimum identity data an important principle?
Not revealing more information about a person or resource than is necessary for a particular purpose
What is risk avoidance?
Not taking any action that is deemed excessively risky. Mitigate the risk completely by not getting involved with it.
At what information do NIDs look?
They read and analyze all network frames that pass by them. They are basically corporate-owned and corporate-operated sniffers.
How many application proxy firewalls will you need at a minimum if you plan to proxy four applications?
One
What is a cryptanalyst?
One who cracks encryption.
Why would a database administrator want to restrict access to certain columns?
Only a few employees may be privy to the information stored in that column, such as salary data. The rest of the fields would be relevant, but that one column would be restricted for most employees.
What are the steps in firewall change management?
Only certain people should be allowed to request changes; the firewall administrator should implement the change in the most restrictive way possible; the firewall administrator should document the change carefully; the firewall should be vulnerability tested after every change; and the company should audit the entire process frequently.
What are the first three rules for exceptions?
Only some people should be able to request exceptions; even fewer people should be allowed to authorize exceptions; and the person who requests an exception must never be the same person who authorizes it.
Should passwords be tested by systems administrators? Why?
Only with written permission from the sys admin's superior. But, broadly speaking, it is a good practice in order to enforce a password policy and check for violations.
Distinguish between plaintext and ciphertext
Plaintext is the original message. Ciphertext is the message after it has been turned into a seemingly random stream of bits by an encryption algorithm.
What is the difference between an open network and a private network?
Open networks can legally be accessed by anyone and are frequently posted as such. Private networks do not allow access unless specifically authorized. To be clear, a WLAN does not require a password to be private; it revolves around permission.
What are the three elements in the fraud and abuse triangle?
Opportunity, Pressure and Rationalization
Distinguish between SSL and TLS
Originally called SSL when Netscape developed it, then renamed TLS when the IETF standardized it.
For 802.11i, distinguish between outer and inner authentication
Outer authentication is the establishment of a TLS tunnel between the authenticator and the supplicant. Inner authentication is when the wireless client authenticates itself to the central authentication server using EAP
Compare PGP and S/MIME in terms of how applicants learn the true party's public key
PGP uses 'circles of trust'. If you trust User A and they trust User B, you will trust User B. S/MIME requires a traditional PKI with a central certificate authority and digital certificates.
Are there some types of data that are too risky to collect?
PII is the main example.
Why can PINs be short (only four to six digits) while passwords must be much longer?
PINs require manual entry, thus the time required to try every combination would be impractical in a real breach attempt
Explain how public key encryption can facilitate symmetric session key exchange
PKE allows for the secure exchange of symmetric keys over public connections like the internet.
List the four CobiT domains
Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
How are a user's effective permissions calculated for a directory?
Parent permissions + additional explicitly allowed permissions - additional explicit deny permissions
What is escalation?
Passing an incident to the CSIRT if current on-duty staff will not be adequate for addressing the situation.
What are complex passwords?
Passwords that use several types of keyboard characters
Why do many firms prioritize patches?
Patches tend to cover critical vulnerabilities
What should backup audits include?
Periodic audits for compliance, including tracing what happened to samples of data that should have been backed up.
What is PII, and why must it be prevented from leaving the firm?
Personally Identifiable Information. A number of laws protect PII and regulate its loss.
What is PII? Give a couple of examples.
Personally Identifiable Information. Examples: personal identification numbers (such as a Social Security number), names, address information (street or e-mail), personal characteristics, and linking information such as date of birth, place of birth, race, or religion.
Why must companies update contact information even more frequently?
Phone numbers and other contact specifics change even more frequently than business structures change.
What access control rules should be applied to loading docks?
Physical entry controls.
Distinguish between intellectual property in general and trade secrets
Trade secrets are pieces of sensitive information the firm acts to keep secret; intellectual property in general covers the company's ideas and their representations.
How are security roles allocated in the hybrid solution to placing IT security inside or outside of the IT department?
Place operational aspects of IT security within the IT department, while placing planning, policy-making and auditing functions outside of IT.
How would limiting data granularity protect the underlying database?
Privacy concerns may restrict how detailed the displayed information could be. For example, it may be acceptable for employees to see the average salary, along with the highest and lowest in the company, but not to see specific salaries for individual employees.
When would procedures be used? When would processes be used?
Procedures should be used when specific actions must be controlled. Processes should be in place for managerial and professional work, where guidance needs to be looser and situations are not as cut-and-dried.
Distinguish between procedures and processes
Procedures specify the detailed actions that must be taken by specific employees. Processes are broad descriptions of what should be done.
What is an exploit?
Programs that take advantage of a vulnerability
In authentication, what are credentials?
Proof of identity
What is mens rea?
Proof that the defendant was in a certain mental state, such as having the intention to commit an act. It is relevant to criminal cases.
What must be done to restore data at a backup site via tapes?
Proper equipment to read the tapes must be in place, there must be a way to deliver the tapes to the backup site quickly and securely.
How can data be protected while it is being processed?
Properly hardening hosts and securely coded applications
What are the two main roles of application proxy server firewalls today?
Protecting internal clients from malicious external servers, and sitting between an internal server and external clients.
Distinguish between public intelligence gathering and trade secret espionage
Public intelligence gathering is when a competitor company is scouted for all publicly available information that the victim company itself and its employees divulge. Trade secret espionage is when a competitor intercepts, hacks, or bribes someone in order to obtain information about the victim company.
What still needs to be done for SNMP security?
Public key authentication.
What three types of hosts are placed in the DMZ?
Public web servers, application proxy firewalls, and the external DNS server.
Why is quantum key cracking a major threat to many traditional cryptographic methods?
Quantum computers have the potential to try perhaps thousands of keys at once
How are EAP and RADIUS related in terms of functionality?
RADIUS handles authentication; EAP is a method of passing the authentication methods to a new supplicant connecting to an access point.
Which RAID level discussed in this textbook has the fastest read-write speeds?
RAID 0
What encryption algorithms does WEP use?
RC4 symmetric encryption
What patch downloading method is commonly used in Linux?
RPM (Red Hat Package Manager) method.
Why are rationalizations of fraud and abuse important?
Rationalization allows a person to do the wrong thing but still think of themselves as good people.
Define incident response in terms of planning
Reacting to incidents according to a preestablished plan. A rapid and correct response is typically dependent upon a well-conceived and established plan.
Why are automatic alerts desirable?
Reading logs only tells you about the past. Automatic alerts can make you aware of a problem as it happens.
What is black-holing?
Refusing traffic from a specific IP address.
Why are unscheduled audits done?
Regularly scheduled audits can work to the advantage of people who are avoiding security.
Why are incident response rehearsals important?
Rehearsal improves the speed and accuracy of the response.
Why should restrictions on removable media be enforced technologically?
Relying on user behavior is unlikely to be successful. Enforcing it through technological restrictions will have a much lower failure rate
Why is it desirable to prevent a computer from working with removable media?
Removable media serves as both a method of egress for sensitive data, and ingress for malware.
In incident response, what are the three major recovery options?
Repair during continuing server operation; restore from backup tapes; total software reinstallation.
What is precision in an IDS?
Reporting all attacks, and generating as few false positives as possible
When someone requests to take an action that is potentially dangerous, what protections should be put in place?
Request/authorization control.
Why is retaining email for a long period of time useful?
Retention allows users to go through their old mail to look for information.
Why are checkouts of backup media suspicious?
Retrieval is rare, and backups are rarely needed. Therefore, checking out backup media should be a rare occurrence, and viewed with suspicion when it occurs.
Why is reasonable risk the goal of IT security?
Risk can never be fully eliminated, thus managing risk down to a reasonable level is a realistic goal
What is RBAC? Explain it
Role-based access control. Permissions are assigned to roles within the company; users are then assigned roles to gain those permissions.
What is the super user account in UNIX?
Root
Why are rootkits especially dangerous?
Rootkits are seldom caught by normal antivirus software and can assume complete control of an OS.
What standards provide end-to-end security?
S/MIME and PGP
Describe the advantages and disadvantages of PGP vs S/MIME
S/MIME is a bit more secure but requires a PKI. PGP can be used without a PKI, but it may be compromised because of its 'circles of trust' trust model. PGP has the most success in person-to-person communication outside of a corporate environment.
What is the main standard for one firm to send a security assertion to another firm?
Security Assertion Markup Language (SAML)
Why are processes necessary in security management?
Security is far too complex to be managed informally.
Why is top management support important?
Security is pervasive and impacts multiple departments and aspects of a corporation. Few security efforts will succeed without the support of top-level management.
List the 11 broad areas in ISO/IEC 27002
Security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity; compliance.
What is security through obscurity, and why is it bad?
Security that relies on secrecy of the method being used, as opposed to the quality of the method. If any details of the method become known, then the method is compromised.
What is a vulnerability?
Security weaknesses that open a program to attack
How is a SIP message routed to the called VoIP phone?
Sender's phone > sender's SIP proxy server > SIP proxy checks the IP phone's registration information > SIP proxy contacts a proxy in the called party's network > recipient's proxy passes the SIP INVITE to the recipient's softphone > recipient's phone passes back an OK message. The connection is now established.
What are SBU documents?
Sensitive but unclassified
In what two ways can watermarking be used in data extrusion management?
Sensitive data can be watermarked for internal use only, and this facilitates DLP filtering. Additionally, every copy of a file can be given a unique watermark, helping to identify the source of the leak
What controls should be applied to equipment disposal or reuse?
Sensitive data should be removed before disposal.
What major categories of hosts were mentioned?
Servers, clients, routers, firewalls, mobile phones
What does a VPN gateway do for a site-to-site VPN?
Serves as a connection point for each site, and each site must have a gateway
What does a VPN gateway do for a remote access VPN?
Serves as a connection point for the remote host
Why are zero-day attacks impossible to stop with attack signatures?
Signatures must be predefined, zero-day attacks do not allow for this
Why is SSL/TLS popular?
Since virtually every web browser and server is already equipped to handle it, it is nearly free, apart from the minimal processing power needed to implement it.
What is SSO?
Single sign on
Overall, what is the big problem with Skype?
Skype can't be controlled by corporate security policies, which makes it unacceptable for use at most firms.
Why do firewalls have a difficult time controlling Skype?
Skype is a peer-to-peer service that uses unknown protocols. These protocols change frequently to avoid analysis.
Who is likely to investigate a cybercrime that takes place within a city?
So long as the crime does not involve interstate commerce, then local law enforcement will investigate
Why is NAT traversal necessary?
Some protocols such as VoIP and IPsec have issues with NAT.
Why do companies wish to create policies for SAs?
Some security methods may be inadequate for a company's needs. Allowing the company to define what is acceptable increases its security.
What are the four bases for authentication credentials?
Something you know, something you are, something you have, something you do
What is a false positive for an IDS?
Sounding an alarm when no actual (or no serious) attack is occurring
Why is spreadsheet security an IT security concern?
Spreadsheets are the focus of many compliance laws, like Sarbox and 21 CFR Part 11 rules for pharmaceutical companies doing product testing
Distinguish between stand-alone NIDs and switch-based or router-based NIDs
Stand-alone NIDs are basically sniffers that analyze every frame that comes by. Switch/router-based NIDs have IDS software built into them and can read the information on every port
Distinguish between standards and guidelines
Standards are mandatory, guidelines are suggestions.
What firewall inspection mechanism do nearly all main border firewalls today use?
Stateful Packet Filtering
What filtering mechanisms do almost all border firewalls use?
Stateful Packet Inspection (SPI)
What improvements come with Windows Firewall with Advanced Security?
Stateful Packet Inspection (SPI), ingress/egress rules, separate network profiles, more detailed rules, ability to be managed with Group Policy
What are policies?
Statements of what should be done under specific circumstances.
In incident response, what is containment?
Stopping the damage.
What are the four objectives of COSO?
Strategic, Operations, Reporting, Compliance
Explain RAID 0
Striped
What can be done to reduce the risk of the prime authentication problem?
Strong procedures for who may submit someone for inclusion, who may approve it, what identification is required and how to handle exceptions
What is SQL?
Structured Query Language. It is a language used to access, query and manage databases. It can even execute commands on the server
What is brute-force password guessing?
Systematically trying every possibility within the keyspace
How can data be protected while it is being stored?
TBD
What are some ways that data can be attacked when it is stored?
TBD
What is website defacement?
Taking over a website and putting up a hacker-produced page instead of the original page.
Regarding mobile device and notebook security, what training should be provided to protect sensitive information?
Teach people with portable devices the dangers they create and how to avoid theft and loss
Why is it important to have corporate teams write policies?
Team written policies carry more weight with employees than those written exclusively by IT security. They are also more likely to be effective as they are not limited to IT security's point of view.
Why do communication systems tend to break down during crises?
Technology cannot survive building damage or prolonged periods without power.
What three things must the receiver of a digital certificate check to ensure that a digital certificate is valid?
Test the certificate's digital signature, check the valid period, check for revocation.
What is an authentication?
Testing the identity of a communication partner
In which tab are cookies controlled?
The 'Privacy' Tab
Which symmetric key encryption cipher probably will dominate in the near future?
The AES ciphers will likely dominate
What is the purpose of a CSIRT?
The Computer Security Incident Response Team will respond to major incidents and disasters.
Describe a SYN flooding attack in detail
The DDoS bots send TCP SYN packets, receive the SYN/ACK from the server, but never reply with their own ACK. Thus, each connection slot is held open until the server reaches its maximum capacity for connections.
Describe block encryption with DES
The DES key is a 64-bit block, of which 56 bits represent the key. The other 8 bits are calculated from the 56-bit key. DES then encrypts plaintext 64 bits at a time.
To how many accounts and groups can different permissions be applied in Windows?
There is no limit to how many users and groups can be assigned permissions within a directory
What are the two main signaling standards in VoIP?
The H.323 OSI protocol and the Session Initiation Protocol (SIP) from the IETF.
What may happen if a system runs out of storage space?
The IDS transfers the log file to a backup and starts a new log file. This limits the time spanned by each log file.
Why is the attack identification confidence spectrum important in deciding whether to allow IPSs to stop specific attacks?
Unlike a firewall, which responds only to packets that are provably prohibited, an IPS acts on packets that may not be provable attacks. Requiring high confidence before dropping a suspect packet minimizes the damage of dropping what is actually legitimate traffic.
What is a Linux distribution?
The Linux kernel packaged with other software
How do companies achieve time synchronization?
The Network Time Protocol (NTP) allows for synchronization by directing all devices to a single internal NTP server
How does this change if a firm uses continuous data protection?
There is no need for these plans as the backup site will have the full data in place at the site already.
What is event correlation?
The analysis of multievent patterns
Why is application-level authentication superior to operating system authentication?
The application password protection can be specific to the application program's needs, preventing widespread access.
How does the sys admin get to most administrative tools of MMC?
The applications on the tree pane, called snap-ins
How does an EAP session start?
The authenticator detects a connection and sends an EAP start message to the central authentication server.
What is the role of the authenticator in a RADIUS system?
The authenticator passes the credentials to the central authentication server, and all messages from the central authentication server to the supplicant.
What is the Linux kernel?
The core operating system that is then combined with other software by Linux vendors to make a distro
What do compliance laws do?
They create requirements for corporate security.
What happens if the encryption key is lost?
The data is lost
What three dangers require control over access to backup material?
The data on backups is typically sensitive. Additionally, if the backup media are stolen the company will have no protection over data loss. Lastly, there have been cases of sys admins stealing the backup data, erasing them, and then deleting the data on the original hard drive, making restoration impossible.
Why does NAT stop scanning probes?
The destination IP and port will not be in the translation table.
What is sabotage?
The destruction of hardware, software or data
What permissions does the developer have on the development server?
The developer will have extensive permissions on the development server
What permissions does the developer have on the testing server?
The developer will have no access permissions on the testing server. Only testers should have access permissions to make changes so that developers do not slip in a backdoor at the last minute
Why do companies use DMZs?
The devices in the DMZ are at the most risk of attack and putting them in the DMZ helps minimize the impact of an incident on the internal network.
What is the advantage of codes?
The encoding can be done manually.
Why should you hire a forensics expert rather than doing your own investigation?
The evidence a company finds will probably not be admissible unless a certified expert collects it.
Who is subject to FISMA?
The federal government and affiliated parties such as government contractors.
Why was Sarbanes-Oxley important for IT security?
The financial reporting process is usually computerized. Anything that jeopardized these computers jeopardized the reporting process, thus violating the law.
During an incident, who is the only person who should speak on behalf of the firm?
The firm's PR team.
Distinguish between certification and accreditation in FISMA
The first step is certification wherein the system is assessed by an outside party. Once the system is certified the documentation is reviewed by an accrediting official. If this official is satisfied, then the system is accredited by issuing an Authorization to Operate (ATO).
For what two reasons is a business continuity staff necessary?
The fluid nature of contact information and business organization requires a small staff to ensure that it is all updated.
What prompted the Wi-Fi alliance to create WPA?
The glaring security flaws of WEP.
Why will courts not admit unreliable evidence?
The goal is to protect the jurors. They are not expected to evaluate the reliability of evidence and must consider all evidence that is admitted.
In an ARP poisoning attack, why does the attacker have to send a continuous stream of unrequested ARP replies?
The hosts will correct their host tables over time if they stop receiving the spoofed information
In MMC, on what objects does an icon or bar icon operate?
The icons specify actions that the administrator can take on a selected object. One of the most important choices is 'Action' which is specific to the selected object.
What are the major categories of driving forces that a company must consider for the future?
The increasingly complex and virulent threat environment, the growth of compliance laws and regulations, changes in the corporate structure, mergers, and anything that will change conditions in the future
When NAT is used, why can't sniffers learn anything about the internal IP addresses of internal hosts?
The internal socket (IP address + port number = socket) is replaced with a stand-in socket that reveals nothing about the internal architecture of the network.
Are e-mail messages sent by employees private?
The law does not view corporate emails as private
What is legal discovery?
The legal process and requirement for a company to provide information during a lawsuit
Why is intentionally allowing an attacker to continue working in your system dangerous?
The longer attackers are in a system, the more invisible they become through the deletion of logs, and they may add backdoors or do other damage
Why do firms have a difficult time applying patches?
The main issue is the sheer number of patches that are generated by vendors across all the different software that corporations utilize. This is compounded by the year-over-year increase in the number of vulnerabilities discovered. Additionally, there is a labor cost associated with installing patches, and this cost can be enormous.
Why does the textbook focus on defense instead of offense?
The main job of IT professionals is defense. Focusing on attacks pushes out the focus of the job at hand.
What is business continuity?
The maintenance of the day-to-day revenue generating operations of the firm
If Person A wishes to check out backup media, who should approve this?
The manager of the person wishing to access the backup tapes.
From what parts of the firm do CSIRT team members come?
The members come from IT, the legal department, public relations, and senior management
How do sequence numbers thwart replay attacks?
The message being replayed would have a previously used sequence identifier, be identified as fraudulent, and dropped
How do timestamps thwart replay attacks?
The message being replayed would have an old time stamp, outside the time limit, and be dropped
Why do many botnets have multiple owners over time?
The original exploit a botnet was designed for is often patched over time. Thus, they become useless to the original botherder, who then sells the botnet to someone else who may be able to utilize it for their own purposes.
In PKE for authentication, who is the true party?
The person the supplicant claims to be
How does the textbook define protection?
The plan-based creation and operation of countermeasures.
What is identity management?
The policy-based management of all information required for access to corporate systems by people, machines, programs or other resources.
Why is password length important?
The number of possible passwords equals possibleCharacters^passwordLength, so every extra character multiplies the search space; increasing length strengthens a password exponentially, not linearly.
Why is transparent encryption dangerous?
The protection is only as strong as the user's login password: anyone who learns that password gets the same access to the encrypted data as the user, and users struggle to choose quality passwords.
What stage of the plan-protect-respond cycle consumes the most time?
The protection stage.
Do the protections of WPA and 802.11i stop evil twin attacks?
No. The protections of WPA and 802.11i are not effective against a well-executed evil twin (man-in-the-middle) attack.
What filtering actions were listed to protect clients from malicious webservers?
The proxy can inspect the URL and compare it to a blacklist, it inspects scripts in web pages and drops the page if the script appears malicious, it can inspect the MIME type in a HTTP response message and filter it based on its policy
What two filtering actions were mentioned for protecting webservers from malicious clients?
The proxy can inspect the method in the HTTP request line (specifically looking for POST requests), and it might also filter out HTTP request messages that appear to contain SQL injection attacks.
Why can't HMACs provide non-repudiation?
The sender and receiver share the same secret key, so either party could have produced the HMAC; the receiver therefore cannot prove to a third party that the sender, rather than the receiver, created the message.
What is an identity?
The set of attributes about a person or nonhuman resource that must be revealed in a particular context.
What is an exploit?
The specific attack method a hacker uses to break into a computer
How is shadowing limited?
The storage space is limited, therefore as it fills up the oldest files are removed and replaced with the newest file backups.
In authentication, distinguish between the supplicant and the verifier?
The supplicant is the party trying to prove its identity. The verifier is the other party.
Which device is called the authenticator in 802.1x?
The switch.
Distinguish between cryptographic systems and cryptographic system standards
The system standard specifies both the protections to be applied and the mathematical processes that will be used to provide protections.
Why is a live test better than a walkthrough/table-top exercise?
The team actually takes the actions they would take in a real incident instead of just describing what they would do. They are superior for actually training individuals.
What should you look for in an external vulnerability testing company?
The testing company should not employ current or former hackers.
What are driving forces?
The things that require a firm to change its security planning, protections and response.
Define the term threat environment.
The threat environment consists of the types of attackers and attacks that the company faces.
In PKE for authentication, what does the sender attempt to prove it knows that only the true party should know?
The true party's private key
Define cryptography
The use of mathematical operations to protect messages traveling between parties or stored on a computer.
Under Internet Options in IE, what can the user do on the Security tab?
The user can select security settings for general Internet websites, intranet websites, trusted websites, and restricted websites.
How does the verifier check the response message for MS-CHAP?
The verifier appends the supplicant's stored password to the challenge message it sent, hashes the result itself, and compares that hash to the supplicant's response. If they match, the supplicant is authenticated.
Why is the access control threat to wireless LANs more severe?
The wireless boundary often extends well outside the building and requires no physical infiltration.
Why are restoration tests needed?
The worst-case scenario is to have a failure, then find out restoration will not work for some reason.
In public key encryption for authentication, which key does the supplicant use to encrypt?
Their private key
How does the number of accounts or groups to which permissions can be assigned in UNIX compare with that of Windows?
There are just three in UNIX (owner, group, others), versus an unlimited number of individual users and groups in Windows.
Why should business units and the legal department be involved in creating retention policies?
There are many business and legal requirements that determine how long certain data must be kept. Therefore, the involvement of these departments in such decisions is required.
Why can compliance laws and regulations be expensive for IT security?
There are many of them coming into effect, and compliance is mandatory.
Why is the first handshaking stage the negotiation of security methods and options?
There are multiple cryptographic methods in the world, and each method has multiple options of its own, so agreeing on which ones will be implemented must be the first step
In EAP, why is the freedom from needing to make changes in the switch beneficial, as in no need to make changes when a new authentication method is made available?
There are numerous workgroup switches on a typical corporate network, so changing them all out would be costly.
Why has the requirements of data breach notification laws caused companies to think more about security?
There are significant repercussions associated with publicizing data breaches, beyond even the government mandated legal ramifications.
In Sarbanes-Oxley, what is a material control deficiency?
There is a deficiency that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.
Why is patching applications more time-consuming than patching operating systems?
There is a lot of diversity in the way patches are distributed, applied, announced and documented across all the different software vendors. OS patches, on the other hand, are uniformly and centrally documented and distributed.
Why are policies for individual countermeasures and resources needed?
These are the most detailed policies and give guidance on how specific countermeasures such as a firewall or database will be deployed and protected. It clearly outlines the acceptable level of security, and the expected performance of each item without specifying how these standards will be achieved.
Why is Skype's use of proprietary software problematic?
The software and protocols have not been fully studied by security professionals, which leaves open the concern that there are security threats such as vulnerabilities and back doors in the system.
Why are Windows GPOs powerful tools for managing security on individual Windows PCs?
They allow for consistency, reduced administrative costs, compliance with policies and regulations, easier auditing, and a granular level of control over users, computers, applications and tasks.
What are the advantages of implementing password policies?
They allow sys admins to enforce complexity requirements, minimum password length, maximum password age and password history. Overall, it increases the effectiveness of passwords as an access control mechanism
Why are central security management consoles desirable?
They allow the deployment of consistent security policies, plus central management and coordination of the response to a threat.
In IM, what does a presence server do?
They allow two parties to locate each other for an IM conversation.
What are MMCs? Describe them.
They are Microsoft management consoles, which are the main management/administrative tools for windows server. They have an icon bar, a tree of administrative applications, individual applications which are called snap-ins, and sub objects for each selected tool (service).
Why is loading dock security important?
They are a sensitive zone within a building where physical access must be controlled for both employees and outsiders.
What is the problem with live incident response tests?
They are more costly and time intensive than tabletop exercises.
What relationships can the IT security have to the corporation's uniformed security staff?
They are needed to execute policies regarding building access, as well as to seize computers that IT security believes were involved in abuse.
What are the two primary characteristics of skilled hackers?
They are persistent, and capable of writing advanced scripts of their own.
Why are emergency exits important and what should be done about them?
They are required for safety but need to be monitored and alarmed.
Why do firms not use application proxy firewalls as main border firewalls?
They are slow, and can only filter certain types of traffic
What is a Java applet?
They are small Java programs and are a form of mobile code/client-side scripting
Why do all hosts in the DMZ have to be hardened stringently?
They are the most exposed to the public, and therefore to attacks.
Why is backup onto another hard drive not a complete backup solution?
They are too expensive for long-term storage
What mistake did the 802.11 working group make in selecting the length of the IV for WEP?
The 24-bit IV is too short: IVs repeat quickly on a busy network, and frames encrypted with certain IVs leak a few bits of the secret key.
Describe interactive log file analysis
They are tools that help the administrator to look through log files. This gives the admin a way to drill down manually into log files to better understand what is happening in their system.
Why are IDS alarms often a problem?
They can be too frequent, which will desensitize the administrator to the point of ignoring them
Why are replay attacks attempted?
They can bypass authentication by resending existing credentials.
What is hacking root, and why is it desirable to hackers?
Hacking root means taking over the root (superuser/administrator) account; with it the attacker can see and change everything on the computer.
Why are international gangs difficult to prosecute?
They can cross borders easily through the internet to commit their crimes, whereas prosecuting across borders is extremely difficult, costly, and occasionally against the laws of their native land.
What are the costs and benefits of 'stinging' employees?
They can generate resentment if not handled properly.
Why should a firm's HR department be on the CSIRT?
They can offer guidance on labor issues. Additionally, if the perpetrator is an employee, the HR department will implement actions on that employee.
Why are remote connections from home especially dangerous?
They often use their own computers to access the internal network, which means a device with no oversight from your security department is accessing your internal network.
In what types of applications can nonces be used?
They only work well in applications that rely entirely on request-response client/server interactions
When attackers must use valid IP source addresses in probe or exploit packets, how do they conceal their identities?
They pass their attacks through a chain of computers.
Why should the firm's legal counsel be on the CSIRT?
They place everything in the proper legal framework. They may be needed to advise on the legal implications of various actions, including the wisdom of attempting to prosecute.
Why is it important to implement security policy?
They protect computing resources from harm. Some may even be required by law for certain corporations.
How can DLP systems be effective when placed at the gateway, on clients, and on a database server?
They combine data extrusion protections, extrusion-prevention filtering and DLP policies, and are typically hardware appliances. At the gateway they filter ingress and egress data streams for unauthorized content. On the client they prevent content from being copied locally or passed on the local network. On the database server they scan for unauthorized content, tag sensitive content and monitor access to that data.
In PKE, how does the verifier check the digital signature?
They decrypt the digital signature with the sender's public key to recover the message digest, hash the received plaintext themselves, and compare the two digests; a match proves integrity and authenticates the sender.
What did companies discover when they started to examine how they protect PII as a result of recent privacy protection laws?
They discovered their existing access controls and other protections were largely weak or nonexistent.
Why are SPI content filtering firewalls faster than application proxy firewalls?
They do not need to create a relay
Why are script kiddies dangerous? (two reasons)
They don't understand how their tools may impact the target, so they don't understand the damage they may cause. They are numerous, so while one script kiddie is relatively harmless, the sheer volume of them means one may launch a successful attack. Lastly, the volume of script kiddie attacks masks the small number of highly dangerous attacks from skilled hackers.
What do egress ACLs disallow in general in SPI firewalls?
In general they permit internally initiated connection-opening attempts, blocking only specific outbound connections that policy forbids (for example, to known malicious hosts or on prohibited ports). Dropping externally initiated connection-opening attempts is the job of the ingress ACL, not the egress ACL.
In public key authentication, how does the supplicant create a digital signature?
They encrypt the message digest with their private key, then append this signature to the plaintext message
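The signing and verification steps in the two PKE questions above, and the HMAC non-repudiation point, as an added worked example (not from the textbook). It uses textbook RSA with small freshly generated primes and no padding, which is educational only and never acceptable for real data; the message, key sizes and the shared HMAC key are all constructed for the demo.

```python
"""Toy digital signature (textbook RSA) versus HMAC, added example.

Signing: the message digest is 'encrypted' with the signer's private key and
appended to the plaintext. Verification: the receiver decrypts the signature
with the signer's public key and compares the result with a fresh digest of
the received plaintext. The HMAC functions show why a MAC cannot give
non-repudiation: the verifier holds the very key needed to mint a valid tag.
Educational only: small keys, no padding. Do not use for real data.
"""
import hashlib
import hmac
import random

_rng = random.Random(2024)  # seeded so the demo is reproducible


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 160):
    """Return ((e, n), (d, n)). n has about 2*bits bits, so a 256-bit SHA-256
    digest is always smaller than the modulus and survives the round trip."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # private exponent
    return (e, n), (d, n)


def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Digital signature: the message digest encrypted with the private key."""
    d, n = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key; compare with a fresh digest."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message)


def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"Transfer 100 to account 42"   # constructed message
    sig = sign(msg, priv)
    print("signature valid:", verify(msg, sig, pub))
    print("tampered message valid:", verify(b"Transfer 900 to account 42", sig, pub))
    # With HMAC the receiver can produce a valid tag for any message it likes,
    # so a valid tag never proves the sender, rather than the receiver, made it.
    shared = b"shared-secret-key"   # constructed shared key
    forged = hmac_tag(shared, b"forged by the receiver")
    print("receiver-forged HMAC verifies:", hmac_verify(shared, b"forged by the receiver", forged))
```

Only the holder of the private key can produce a value that decrypts to the digest under the public key, which is what gives the signature non-repudiation; the HMAC check passes for anyone who holds the shared key.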
Why are standard configurations attractive?
They enforce corporate security policies, reducing opportunities for user errors and violations. Additionally, they greatly simplify PC troubleshooting and general maintenance.
What distinguishes an application proxy firewall from static packet filtering firewalls and SPI firewalls?
They examine the actual application layer messages within the packets.
What do metadirectory servers do?
They get the multiple different directory servers to share as much information as they can
Why does all network traffic go through the attacker after poisoning the network?
The attacker's spoofed replies have mapped every host's IP address to the attacker's MAC address in the victims' ARP caches, so frames that the hosts address to each other are delivered by the switch to the attacker, who then forwards them on.
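An added detection example for the two ARP-poisoning questions above (not from the textbook). It scans a constructed log of ARP replies for the three symptoms the answers describe: an IP whose MAC mapping changes from what was first learned, one MAC claiming several IPs, and the same spoofed reply repeated continuously to keep caches poisoned. The line format and all addresses are invented for the example; adapt the parser to your own sniffer output.

```python
"""ARP-poisoning indicators from a log of ARP replies (added example).

Constructed sample: one legitimate reply per host, then a device with MAC
aa:aa:aa:aa:aa:aa repeatedly claiming both the gateway (10.0.0.1) and a server
(10.0.0.5) so the victims' caches never age the poisoned entries out.
"""
from collections import Counter, defaultdict

SAMPLE_ARP_LOG = """\
1.0 reply 10.0.0.1 is-at 00:11:22:33:44:01
1.1 reply 10.0.0.5 is-at 00:11:22:33:44:05
1.2 reply 10.0.0.9 is-at 00:11:22:33:44:09
5.0 reply 10.0.0.1 is-at AA:AA:AA:AA:AA:AA
5.0 reply 10.0.0.5 is-at AA:AA:AA:AA:AA:AA
7.0 reply 10.0.0.1 is-at AA:AA:AA:AA:AA:AA
7.0 reply 10.0.0.5 is-at AA:AA:AA:AA:AA:AA
9.0 reply 10.0.0.1 is-at AA:AA:AA:AA:AA:AA
9.0 reply 10.0.0.5 is-at AA:AA:AA:AA:AA:AA
"""


def parse_replies(log: str):
    """Yield (timestamp, ip, mac) for each 'reply' line; MACs are normalised."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[1] == "reply" and fields[3] == "is-at":
            yield float(fields[0]), fields[2], fields[4].lower()


def analyze(log: str, repeat_threshold: int = 3) -> dict:
    first_mac = {}                  # ip -> MAC first learned for it
    mac_changes = set()             # (ip, original MAC, new MAC)
    ips_per_mac = defaultdict(set)  # MAC -> IPs it has claimed
    reply_counts = Counter()        # (ip, MAC) -> number of replies seen
    for _ts, ip, mac in parse_replies(log):
        ips_per_mac[mac].add(ip)
        reply_counts[(ip, mac)] += 1
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac:
            mac_changes.add((ip, first_mac[ip], mac))
    return {
        # Symptom 1: a host's MAC mapping silently changed.
        "mac_changes": sorted(mac_changes),
        # Symptom 2: one MAC advertising more than one IP address.
        "multi_ip_macs": {m: sorted(ips) for m, ips in ips_per_mac.items() if len(ips) > 1},
        # Symptom 3: the same mapping re-announced again and again (the
        # continuous stream needed to keep the poisoned entries alive).
        "repeated": {k: c for k, c in reply_counts.items() if c >= repeat_threshold},
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_ARP_LOG).items():
        print(name, finding)
```

A static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on the switch, addresses the root cause; the log check above only tells you that poisoning is under way.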
What have privacy protection laws forced companies to do?
They have forced companies to look at how they protect personal information, including where this information is stored and how they control access to it.
Why have document protections not been used heavily in organizations?
They have proven difficult to enforce, and often prove restrictive in ways that hamper productivity
What are the advantages of implementing account policies?
They help harden each account against external attacks. For example, a maximum login attempt count would defend against brute force attacks and password guessing
Why are bribes and kickbacks bad?
They induce employees to favor one party over another for reasons other than merit or the company's benefit.
What security protection do recent versions of Microsoft's server OS offer?
They intelligently minimize the number of running applications and utilities by asking the installer questions about how the server will be used. Also, they simplify the installation of patches and usually make it automatic. They include server software firewalls, the ability to encrypt data, and other enhancements.
How do patch management servers help?
They learn what software a company is using then actively assess what programs on each host need to be patched. The server then pushes that patch to the host. This can greatly reduce the costs associated with patching.
Why are malware and exploit tool kits expanding the danger of script kiddies?
They make advanced attacks and exploits available to script kiddies.
How can validation protect against an SQL injection attack?
Validation makes sure that incoming entries are of the expected type, length and character set before they reach the database, so that input containing SQL syntax is rejected rather than executed.
Why are hacking and malware dangerous in VoIP?
They may allow an attacker to "own" the VoIP device and phone number. From there additional attacks become trivial.
Why are HTML bodies in e-mail messages dangerous?
They may contain scripts that may execute malicious code.
Why do companies put public servers in the DMZ?
They must be accessible to clients on the internet; thus they are at greater risk.
Why do companies put application proxy firewalls in the DMZ?
They must communicate with the outside world, so the DMZ makes sense for them
Besides HIPPAA, what external compliance rules must hospitals consider when planning their security?
They must have their security standards accredited by a governing body.
What must users do to address the danger of transparent encryption?
They must use strong passwords
What are courts likely to do if it would be very expensive for a firm to discover all of its e-mail pertinent to a case?
Courts are unlikely to excuse the firm from producing the e-mail; the firm must bear the cost, including writing its own programs to sort through its archives.
How strong do a company's protections of trade secrets need to be if they hope to prosecute the theft of those secrets?
They need to be reasonable, and in proportion to the value and sensitivity of the secret being protected.
What training should programmers who do custom programming have?
They need to be trained in secure programming in general and for their particular programming language and application
Does a webmaster or e-commerce administrator have control over the security of other servers?
They often do not have any control over these external servers
Why are security baselines needed for installing applications?
This allows the installer to know what helper programs to install and which are installed automatically that should be deleted.
Why is it important to disable lost or stolen access devices?
This ensures an unauthorized party does not use the device to gain access.
Why is it important to enforce mandatory vacations or job rotations?
This helps detect improper practices that may be taking place, because someone running such a scheme usually has to be present continuously to keep it concealed.
Why do companies create codes of ethics?
This helps make ethical decision making more predictable.
It is claimed that new and proprietary encryption ciphers are good because cryptanalysts will not know them. Comment on this.
This is security through obscurity, with little peer review of the actual quality of the cipher. If the details of the cipher ever become known, then the encryption will likely be fully compromised.
How are the risks to firm B reduced?
This method is much less risky than traditional methods that existed before computers.
Why is having a single point of building entry important?
This minimizes the effort necessary to control physical access.
What risk does this method avoid for the firm sending the security assertion?
This prevents the sending firm from giving access to its systems to an outside company.
Why is regularly scheduled auditing good?
This will give enough notice of growing dangers. It allows a company to compare results over time
What are three ways to thwart replay attacks?
Timestamps, sequence numbers, nonces
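The MS-CHAP-style challenge-response check described earlier and the three replay defenses listed above, in one added working example (not from the textbook). The hash construction is simplified to SHA-256 over challenge plus password; real MS-CHAP uses NT password hashes and DES. The account name, password and the 30-second window are constructed for the demo.

```python
"""Challenge-response authentication plus replay defenses (added example).

Verifier side of an MS-CHAP-style exchange: it appends the supplicant's
stored password to the challenge it issued, hashes, and compares with the
response. Each challenge is single-use, so a captured response cannot be
replayed. The three application-message defenses from the text follow:
one-time nonces, a timestamp window, and strictly increasing sequence numbers.
"""
import hashlib
import hmac
import os
import time


def response_for(challenge: bytes, password: str) -> bytes:
    """What the supplicant sends: hash(challenge || password)."""
    return hashlib.sha256(challenge + password.encode()).digest()


class Verifier:
    def __init__(self, accounts: dict, window_seconds: float = 30.0, clock=time.time):
        self.accounts = accounts          # username -> password known to the verifier
        self.window = window_seconds
        self.clock = clock                # injectable for deterministic tests
        self.outstanding = set()          # challenges issued but not yet consumed
        self.used_nonces = set()
        self.last_seq = {}                # username -> last accepted sequence number

    def challenge(self) -> bytes:
        c = os.urandom(16)
        self.outstanding.add(c)
        return c

    def check_response(self, user: str, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:   # unknown or already consumed: replay
            return False
        self.outstanding.discard(challenge)     # every challenge is single-use
        password = self.accounts.get(user)
        if password is None:
            return False
        expected = response_for(challenge, password)
        return hmac.compare_digest(expected, response)

    # --- replay defenses for ordinary messages -------------------------------
    def accept_nonce(self, nonce: bytes) -> bool:
        """A nonce is accepted once; a repeat means the message is a replay."""
        if nonce in self.used_nonces:
            return False
        self.used_nonces.add(nonce)
        return True

    def accept_timestamp(self, ts: float) -> bool:
        """Messages outside the freshness window are dropped."""
        return abs(self.clock() - ts) <= self.window

    def accept_sequence(self, user: str, seq: int) -> bool:
        """A message must carry a sequence number higher than the last accepted."""
        if seq <= self.last_seq.get(user, 0):
            return False
        self.last_seq[user] = seq
        return True


if __name__ == "__main__":
    v = Verifier({"alice": "s3cret-pw"})          # constructed account
    c = v.challenge()
    r = response_for(c, "s3cret-pw")
    print("first response accepted:", v.check_response("alice", c, r))
    print("replayed response accepted:", v.check_response("alice", c, r))
```

Nonces need the verifier to remember what it has seen, timestamps need loosely synchronized clocks, and sequence numbers need per-peer state; which one fits depends on the protocol, which is why the text lists all three.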
For what purposes may the client need additional downloaded software?
To allow a client to get transparent access to a subnet and to provide some other services.
Why is it important to minimize the burdens that security places on functional units in the firm?
To some extent, security inherently reduces productivity and may slow down the pace of innovation.
What must a company do to its trade secrets if it wishes to be able to prosecute people or companies who steal it?
Trade secrets are protected by law so long as the owner makes reasonable efforts to protect the trade secrets.
Which method of responding to risk involves insurance?
Transferring a risk
How do international gangs use transhippers?
Transhippers are people who receive the goods from the online retailers then forward them to the international location. They receive a fee for each package they ship.
How can the danger of evil twin attacks be addressed?
Use a VPN
How can data be protected while it is being transmitted?
Use a secure cryptographic system
How does the administrator create a new group?
Use the 'Action' menu in the Local Users and Groups snap-in with the Group folder selected, then select add group.
How does the administrator create a new account?
Use the 'Action' menu in the Local Users and Groups snap-in with the User folder selected, then select add user.
To which three individual accounts or groups can permissions be assigned for a particular directory in UNIX?
User: the account that owns the file or directory. Group: members of the single group associated with the directory. Others: anyone not in the other two categories.
What can go wrong with antivirus protection?
Users may turn off the program; users may disable automatic downloads of new virus signatures; updates may be scheduled for the middle of the night when the computer is off; a user may not pay the annual fee, so the program looks like it is working but is no longer updating.
What is profiling?
Using statistical methods, algorithms and mathematics to find patterns in a data set which uniquely identify an individual.
How can the limitations of backing up to another hard drive be addressed?
Utilize archiving. You write most backups to hard drives, then do periodic tape backups of those hard drives for long-term storage.
What is cloud computing?
Utilizing processing power, applications, data storage, and other services over the internet.
Why should you never engage in a vulnerability test without a signed contract?
Vulnerability tests look exactly like real attacks and may cause damage. To avoid prosecution for either part of this issue, a clear contract should be in place.
Compare WPA and 802.11i security
WPA is based on an early draft of 802.11i.
What does the Wi-Fi alliance call 802.11i?
WPA2
Distinguish between WWW service and e-commerce service
WWW service refers to the basic functionality of HTTP webserver, including the retrieval of static files and the creation of dynamic webpages. E-Commerce service refers to the additional software needed for buying and selling, including online catalogs, shopping carts, checkout functions, connections to back-end databases within the firm, and links to outside organizations such as banks.
What is unified threat management (UTM)?
When a single firewall handles many types of filtering such as antivirus filtering and spam filtering in addition to its normal filtering methods.
What is an incident?
When a threat succeeds in causing harm to a business.
What is meant by "death of the perimeter"?
We are now accepting that a 100% secure network is impossible, and that a single point of entry is impractical
What are the two commonly used SSL/TLS-aware applications?
Web browsers and web servers
What three other webserver protections are mentioned in the text?
Website vulnerability assessment tools, website error logs, webserver-specific application proxy firewalls.
What should backup creation policies specify?
What data should be backed up, how frequently it should be backed up, how frequently restorations should be tested, and so forth
What is a SQL injection attack?
When user-supplied input that is placed into a SQL statement contains not just the expected value (such as a search term) but additional SQL that the database server then executes.
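An added example for this definition and for the earlier validation question (not from the textbook): a login query built by string concatenation beside the same query written with bound parameters, plus the input check that rejects SQL syntax before it reaches the database. It runs against an in-memory SQLite database; the table, users and passwords are constructed, and passwords are stored in plaintext only to keep the demo short (real systems store salted hashes).

```python
"""SQL injection: vulnerable concatenation vs. parameterization (added example)."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users(name, password) VALUES ('alice', 'correct horse');
        INSERT INTO users(name, password) VALUES ('bob', 'hunter2');
    """)
    return con


def login_vulnerable(con, name: str, password: str) -> list:
    """Input is spliced straight into the SQL text, so quotes in the input
    change the statement itself. Kept deliberately vulnerable."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}' ORDER BY name")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, name: str, password: str) -> list:
    """Bound parameters: the driver sends values separately from the SQL
    text, so input can only ever be data, never syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (name, password))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name: str) -> bool:
    """Whitelist validation: usernames are of the expected type and charset."""
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    con = make_db()
    # The quote closes the string and '--' comments out the password check.
    print("vulnerable:", login_vulnerable(con, "alice' --", "wrong"))
    # A tautology in the password field matches every row.
    print("vulnerable:", login_vulnerable(con, "nobody", "' OR '1'='1"))
    print("safe:      ", login_safe(con, "alice' --", "wrong"))
    print("validates: ", validate_username("alice"), validate_username("alice' --"))
```

Parameterization is the actual fix; validation is defense in depth that also catches garbage before it consumes database resources.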
What is segregation of duties, and what is its purpose?
When a complete act should require two or more people to complete. It prevents one person from acting alone to do harm.
What is click fraud?
When a criminal website owner creates a program to click on a link repeatedly and receives financial gain from the traffic generated.
What is a pass/deny decision?
When a firewall decides to drop a packet or allow it to pass
What is a false opening?
When a firewall replies to a SYN request with a SYN/ACK without passing the initial SYN to the server
What is a replay attack?
When a message is captured by an eavesdropper (often a man in the middle) and retransmitted later in the hope that it will be accepted again.
What is extortion?
When a perpetrator attempts to obtain money or other goods by threatening to take actions that would be against the victim's interest.
In biometrics, what is user access data?
When a user is scanned in an access attempt, the key features that are compared against the template.
How are PSK/personal keys generated?
Whoever sets up the router establishes the key.
What provides a quick summary of security components needed to harden a client PC?
Windows Action Center
What SPI firewall has come with the client version of Windows since Windows XP SP2?
Windows Firewall
What is the name of Microsoft's server operating system?
Windows Server
Distinguish between EAP-TLS and PEAP in their options for inner authentication
With EAP-TLS, the inner authentication also uses TLS, which requires the supplicant to have a digital certificate. With PEAP, the inner authentication can use any method specified in the EAP standard.
Why should the total cost of an incident (TCI) be used in place of exposure factors and asset values?
With IT security breaches the loss of something such as customer PII does not reduce the value of that information to the company in any way, but it still carries a tremendous cost.
Distinguish between defense in depth and weakest link problems
With defense in depth, multiple countermeasures are in place that must be broken in series. Breaking the first countermeasure only means the attacker will then face the next countermeasure in the series. In a weakest-link failure compromising a single countermeasure composed of multiple interdependent components allows the countermeasure to be bypassed.
What is the advantage of shadowing over file/directory data backup?
With shadowing the time window of data lost in the event of an incident is very brief.
In PKE, how is the combined message encrypted for confidentiality?
With the receiver's public key
Distinguish between workarounds and patches
Workarounds are actions you can take to prevent the issue, but no new software or revisions to software are issued. A patch is a small program that actually fixes the vulnerability
Is encryption reversible?
Yes
Is hashing repeatable?
Yes
Is SPI filtering for packets that are part of ongoing communications usually simple and inexpensive? Explain
Yes, SPI can identify that they are part of an existing connection, so it passes them along quickly.
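An added example (not from the textbook) of the SPI decision logic described in the egress-ACL, pass/deny and connection questions: connection-opening attempts go through the ingress or egress ACL, and every later packet of an approved connection is passed from the connection table without any ACL work. The addresses and both ACLs are constructed: the ingress ACL admits only opens to the public web server on TCP/80, and the egress ACL allows all internal opens except SMTP from anything but the mail relay.

```python
"""Stateful packet inspection in miniature (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = from the Internet, "out" = from the internal network
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


class SpiFirewall:
    def __init__(self, ingress_acl, egress_acl):
        self.ingress_acl = ingress_acl
        self.egress_acl = egress_acl
        self.connections = set()   # approved connections, keyed by both endpoints
        self.decisions = []        # (pass/drop, how the decision was reached)

    @staticmethod
    def _conn_key(pkt: Packet):
        # A connection is a link between two programs; the key is direction-agnostic
        # so the server's reply packets match the entry created by the client's SYN.
        return frozenset([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])

    def process(self, pkt: Packet) -> str:
        key = self._conn_key(pkt)
        if pkt.syn and not pkt.ack:
            # Connection-opening attempt: the only packets that consult an ACL.
            acl = self.ingress_acl if pkt.direction == "in" else self.egress_acl
            decision = acl(pkt)
            if decision == "pass":
                self.connections.add(key)
            how = "acl"
        elif key in self.connections:
            # Part of an approved connection: cheap table lookup, no ACL.
            decision, how = "pass", "table"
        else:
            # Not an opening attempt and not in the table: drop.
            decision, how = "drop", "no-connection"
        self.decisions.append((decision, how))
        return decision


def ingress_acl(pkt: Packet) -> str:
    """Externally initiated opens are dropped unless bound for the web server."""
    return "pass" if (pkt.dst_ip == "203.0.113.10" and pkt.dst_port == 80) else "drop"


def egress_acl(pkt: Packet) -> str:
    """Internally initiated opens are allowed, except SMTP from non-relay hosts."""
    if pkt.dst_port == 25 and pkt.src_ip != "10.0.0.25":
        return "drop"
    return "pass"


if __name__ == "__main__":
    fw = SpiFirewall(ingress_acl, egress_acl)
    print(fw.process(Packet("in", "198.51.100.7", 40000, "203.0.113.10", 80, syn=True)))
    print(fw.process(Packet("out", "203.0.113.10", 80, "198.51.100.7", 40000, syn=True, ack=True)))
    print(fw.process(Packet("in", "198.51.100.7", 40001, "203.0.113.10", 22, syn=True)))
    print(fw.decisions)
```

Everything after the SYN, including the server's SYN/ACK and data, is decided by the table lookup, which is why SPI is fast and why application-layer content inside those packets is never examined.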
In practice, are SPI firewalls fairly safe?
Yes, attacks other than application layer attacks rarely get through an SPI firewall.
Are evil twin attacks frequent?
Yes, especially in hot spots.
Can IT security be too secure? How?
Yes, if it is applied too rigorously it may get in the way of a corporation's main task, generating profit.
Why isn't border management a complete security solution?
You must maintain oversight of the internal network, as threats can arise there too. Additionally, most businesses must allow remote connections and access to the internal network, blurring the actual "border". Finally, inter-organizational systems often require companies over which your security has no oversight to gain some level of access to your systems.
Explain information triangulation
You take two compliant "anonymous" data sets and combine them in a manner that creates a third data set. This data set may be non-compliant and possibly illegal.
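An added example (not from the textbook) of the triangulation described above and of the profiling idea from the earlier question: two "anonymous" data sets, each compliant on its own, are joined on the quasi-identifiers ZIP code, date of birth and sex, and any medical record whose combination is unique in the second set is re-identified. Every record is constructed; the k-anonymity check and the generalization step show how coarsening the identifiers removes the unique matches.

```python
"""Information triangulation and re-identification (added example)."""
from collections import defaultdict

# Data set A: discharge records with names removed (constructed).
MEDICAL = [
    {"zip": "02138", "dob": "1964-07-31", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1964-07-31", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1980-01-15", "sex": "F", "diagnosis": "fracture"},
    {"zip": "02139", "dob": "1980-01-15", "sex": "F", "diagnosis": "migraine"},
]
# Data set B: a public voter roll with names (constructed).
VOTERS = [
    {"name": "A. Example", "zip": "02138", "dob": "1964-07-31", "sex": "F"},
    {"name": "B. Example", "zip": "02138", "dob": "1964-07-31", "sex": "M"},
    {"name": "C. Example", "zip": "02139", "dob": "1980-01-15", "sex": "F"},
    {"name": "D. Example", "zip": "02139", "dob": "1980-01-15", "sex": "F"},
]
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def _key(rec: dict, fields) -> tuple:
    return tuple(rec[f] for f in fields)


def triangulate(anonymous: list, named: list, fields=QUASI_IDENTIFIERS) -> list:
    """Join the two sets on the quasi-identifiers; a single candidate name
    means the 'anonymous' record is re-identified."""
    index = defaultdict(list)
    for rec in named:
        index[_key(rec, fields)].append(rec["name"])
    results = []
    for rec in anonymous:
        names = index.get(_key(rec, fields), [])
        results.append({**rec, "candidates": names, "reidentified": len(names) == 1})
    return results


def k_anonymity(records: list, fields=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one record is unique and therefore linkable."""
    counts = defaultdict(int)
    for rec in records:
        counts[_key(rec, fields)] += 1
    return min(counts.values())


def generalize(records: list) -> list:
    """Coarsen the quasi-identifiers: ZIP to its first three digits, DOB to year."""
    return [{**r, "zip": r["zip"][:3], "dob": r["dob"][:4]} for r in records]


if __name__ == "__main__":
    for row in triangulate(MEDICAL, VOTERS):
        print(row["diagnosis"], "->", row["candidates"], "unique" if row["reidentified"] else "ambiguous")
    print("k before:", k_anonymity(MEDICAL))
    print("k after generalizing (zip3, year):", k_anonymity(generalize(MEDICAL), ("zip", "dob")))
```

Whether a data set is "anonymous" depends on what other data sets exist to join against, which is why removing names alone does not make a release compliant.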
Why is cryptography not an automatic protection?
A sender or receiver could fail to keep the key secret. Poor communications discipline can compromise encryption as well.
Distinguish between bribes and kickbacks
A bribe is compensation paid to persuade an action to occur; a kickback is compensation paid after an action has occurred to encourage it to happen again in the future.
From what kind of organization can a verifier receive digital certificates?
A certificate authority (CA).
What is the difference between a direct and indirect DoS attack?
A direct attack occurs when an attacker tries to flood a victim with a stream of packets sent directly from the attacker's computer. An indirect attack also tries to flood the victim, but the attacker's source IP address is spoofed, so the attack appears to come from another computer.
In the world of firewalls, what is a connection?
A link between programs on different machines.
What must be introduced to a network for a SLAAC attack to work?
A rogue IPv6 router.
What is a PIN?
A short number that only the authorized user should know.
Distinguish between signature detection and anomaly detection?
A signature is a predefined pattern of traffic data; an anomaly is behavior that falls outside an established baseline.
When two parties communicate with each other using symmetric key encryption, how many keys are used in total?
A single key is used; both parties share it.
What is reduced sign on?
A single sign-on grants access to the majority of services, so the few instances where the user must log in to another server separately are not too burdensome.
What are USB tokens?
A small device that plugs into a computer's USB port to identify the owner.
What are one-time-password tokens?
A small device with a display showing a number that changes frequently.
In biometrics, what is a template?
A template is the baseline recorded at enrollment against which all future scans will be compared.
What is a Smurf Flood?
A variation of a reflected attack: spoofed ICMP echo requests carrying the victim's address as the source are sent to a network device that has directed broadcasting enabled; the request is forwarded to all hosts on that network, and all of them reply to the victim, flooding it.
What software does the client need for basic SSL/TLS VPN operation?
A web browser.
What layers does IPSec protect?
All higher-layer traffic (transport and application layers) carried inside the protected IP packets.
What three services do SSL/TLS gateways commonly provide?
It allows the client to connect to multiple internal webservers; it connects the client PC to a database or other server that does not know how to work with browsers as clients; it connects the client PC to an entire subnet of the network.
What types of devices could be used to flood the transmission frequency for a WLAN?
Altered wireless devices that flood the spectrum with EMI, RFI or noise.
SSL/TLS was created for host-to-host (browser-webserver) communication. What device can turn SSL/TLS into a remote access VPN?
An SSL/TLS gateway at the border of the corporate network.
What two things does an AD domain controller contain?
An Active Directory database and a Kerberos authentication server program.
What three protections do cryptographic systems provide on a message-by-message basis?
An electronic signature for each message, allowing the receiver to authenticate the message; message integrity; and encryption for confidentiality.
In identity management, what changes should be made through self-service functions?
Only changes that have no security implications, for example a change of marital status or mailing address.
Why do hackers attack browsers?
As firms tighten down on servers, browser attacks have become more popular. A client compromised through its browser may give access to other systems for which the client has credentials.
How long must a symmetric encryption key be to be considered strong today?
At least 100 bits long.
What is the book's recommended password policy for length and complexity?
At least 8 characters; at least one change of case not at the start of the word; at least one numeral not at the end of the word; at least one non-alphanumeric character not at the end of the word.
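An added checker (not from the textbook) for the four rules of the recommended policy above, together with the keyspace computation from the earlier password-length question. The positional rules are interpreted as follows and are an assumption of this example: a case change counts only if it happens after the second character, and a numeral or symbol counts only if it is not the final character. The alphabet sizes used for the keyspace estimate are the ASCII letter, digit and punctuation classes.

```python
"""Password policy checker and keyspace estimate (added example)."""
import math
import string

MIN_LENGTH = 8


def _interior_case_change(pw: str) -> bool:
    """A change of case between adjacent letters, not counting a change between
    the first and second character (that is 'at the start of the word')."""
    for i in range(2, len(pw)):
        a, b = pw[i - 1], pw[i]
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper():
            return True
    return False


def check_password(pw: str) -> list:
    """Return the names of the policy rules the password fails (empty = OK)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    if not _interior_case_change(pw):
        failures.append("case_change")
    if not any(c.isdigit() for c in pw[:-1]):        # numeral not at the end
        failures.append("digit_position")
    if not any(not c.isalnum() for c in pw[:-1]):    # symbol not at the end
        failures.append("symbol_position")
    return failures


def keyspace_bits(pw: str) -> float:
    """log2(possibleCharacters ** passwordLength), taking the alphabet to be the
    union of the character classes the password actually uses."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)   # 32 ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("Password1!", "paSs4wo#rd", "correcthorsebatterystaple"):
        print(candidate, check_password(candidate), round(keyspace_bits(candidate), 1), "bits")
```

"Password1!" fails because its only case change is at the start and its only symbol is at the end, exactly the patterns guessing tools try first; length raises the bit count faster than any single extra character class.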
What are the two types of analysis that IDSs usually do?
attack signatures and anomaly detection.
What two protections do electronic signatures usually provide?
authentication and integrity
What is biometric authentication?
authentication based on something you are, like your fingerprint, iris pattern, face or hand geometry. It can also be based on something you do, like your voice pattern, the gait of your walk, or typing patterns
What three things may a security assertion contain?
authenticity information, an authorization, attributes that describe the party in question (such as purchase limits)
Why is it difficult to enforce a policy of using a different password at each site?
because the human memory is limited, and multiple passwords are tough to remember.
Distinguish between border firewalls and internal firewalls
border firewalls sit at the boundary between the corporation's internal network and the internet. Internal firewalls filter traffic passing between different parts of the corporation's internal network.
How can password resets be automated?
challenge questions to authenticate a user before allowing them to choose a new password
Which is transmitted across the network, plaintext or ciphertext?
ciphertext.
What authentication method does RADIUS use?
client/server authentication
Where is hand geometry recognition used?
commonly used in door access
What types of information should an employee not reveal?
confidential information, private information or trade secrets.
Why is a secure keying phase necessary?
confidentiality ciphers require keys, and those must be kept secret for encryption to work.
What advice would you give a company about CCTV?
consider image resolution as well as storage capacity, and motion detection
Name some effective methods of data destruction
degaussing, melting, shredding
In staged development, what three servers do companies use?
deployment servers, testing servers, production servers
Describe replication between a domain controller in one domain and the domain controller in the parent domain
domain controllers replicate some but not all data to higher level controllers, but even less among same level controllers
What are the two ways to check a certificate's revocation status?
download the server's CRL (certificate revocation list) or use OCSP (online certificate status protocol) to contact the CA and verify the certificate.
What packets are usually logged in log files?
dropped packets.
What is the principle of least permissions?
each person should only get the permissions they absolutely must have to do their job
How do nonces thwart replay attacks?
each request and response will have the same randomly generated nonce. If that same nonce is seen again, it is identified as fraudulent, and dropped
Distinguish between UPS and Electrical generators
easy
What is dumpster diving?
easy
How may password resets be handled in high-risk environments?
eliminate self-service password resets for high security accounts.
How do most viruses spread between computers today?
email with infected attachments, instant messaging, file sharing programs, and infected programs from malicious websites.
How much should companies spend on identity management?
enough that they balance the risk reductions with the amount of money that identity management will cost to implement over their entire life cycle
Describe the three scanner actions in the enrollment process
enrollment scan, identify key features, generate a template
What controls should be applied to off-site equipment maintenance?
equipment should be maintained according to the supplier's recommendations.
What would happen if a wireless network were flooded with CTS frames?
every device thinks it is OK to transmit so they flood the access point
What field in a digital certificate allows the receiver of a certificate to determine if the certificate has been altered?
every digital certificate contains a digital signature. This can be tested to determine the integrity of the certificate.
For watch lists of people who should be allowed to enter a room, which is worse from a security viewpoint? A false acceptance or false rejection? Explain
false acceptance would be worse, as it means an unauthorized individual has gained access to a secure resource.
Distinguish between false acceptances and false rejections
false acceptances are when an unauthorized person is admitted by a scan, a false rejection is when an authorized person is rejected by a scan
Other than a DoS attack, what could cause a company's webserver to crash?
faulty coding.
What is the most widely used form of biometrics?
fingerprint recognition
What are the most widely used forms of biometric authentication?
fingerprint, iris, face and hand geometry
For what type of VPN is SSL/TLS increasingly being used?
remote access VPNs
Compare firewall hardening needs for firewall appliances, vendor-provided systems and firewalls built on general-purpose computers
firewall appliances are prepackaged, so no real hardening is necessary. Vendor-provided systems are prehardened and configured, so little additional configuration or hardening is necessary. Firewalls on general-purpose computers require strong actions to properly harden the system.
When a hashing algorithm is applied, does the hash have a fixed length or a variable length?
fixed length
When would fingerprint scanning be insufficient?
for highly secure areas
In identity management, why are self-service functions desirable?
for nonsensitive information, people can do their own updating.
In AD, into what larger structures can trees be organized?
forests
What are password resets?
forgetting a password and having IT assist you in setting a new one
How can the effects of SYN floods be mitigated?
get a firewall that prevalidates the handshake before forwarding it to the server.
Why is anomaly detection becoming critical for firewalls?
given the speed at which new attacks are developed and deployed, anomaly detection is a critical line of defense.
Aside from hacking, what other attacks does section 1030 of the US code prohibit?
hacking, malware and DOS attacks
Distinguish between the handshaking stages and ongoing communication
handshaking authenticates at least one party, establishes the protocols to be used and trades keys. Once this is established, all messages during ongoing communication are encrypted with the protocols and keys that were established during handshaking
Do HMACs use symmetric key encryption, public key encryption, or hashing?
hashed message authentication code (HMAC) uses all three.
What steps should be taken to reduce the danger of environmental damage?
hazardous and combustible material should be located away from sensitive areas. There should be adequate equipment for firefighting. Disaster response facilities and backup media should be located safely away from the main building.
Which of the three types of VPNs can SSL/TLS support?
host to host and remote access
What should be done to protect laptops taken off-premises?
ideally the equipment should never be left unattended and should be locked up at home when not in use.
Which is more likely to generate a false acceptance, verification or identification? Why?
identification is more likely to generate false acceptance as the supplicant is being compared against many templates
Which requires more matches against templates, verification or identification?
identification requires more matches
In identity management, why is decentralized management desirable?
identities should be managed by those closest to the situation
Why are password duration policies important?
if an attacker learns a password, they will only be able to use it for a limited time
Why is it a problem to use the same password at multiple sites?
if one site is breached then the other sites could be compromised quickly as well.
How can firms react to this decline in the effectiveness of border firewall filtering?
implement internal firewalls, and harden hosts against attacks
How is information in directory servers organized?
in a hierarchical database
Why is using a shared initial key not dangerous?
in homes and small firms, the key can be kept secret among a small group of users, and can easily be changed if necessary.
Is a slow degradation of service worse than a total stoppage? Why?
in many ways it is worse as it may remain undetected while forcing the company to increase spending for additional bandwidth, hardware and/or software.
For what type of use is fingerprint recognition sufficient?
only in applications where there is little danger of serious deception.
List rules for working in secure areas
photographic equipment, data recording equipment and unauthorized devices should be banned. There should be inspections of all individuals entering and leaving the area.
What is siting?
placing sensitive equipment in secure areas to minimize access.
Distinguish between firewall policies and ACL rules
policies are high level statements to guide firewall implementers. ACL rules are specific items that a firewall can understand.
In PKE, does the verifier use the sender's public key or the true party's public key to test the digital signature?
public key
Which need to be longer, symmetric keys or public keys? Justify your answer.
public keys must be longer as they are rarely changed, whereas symmetric encryption keys change every session
How would a wireless DoS attack be carried out?
radio jammers, flooding the access point or using packet injection to send spoofed messages
What are the three types of actions that should be taken on log files?
read them regularly, periodic external audits of log file entries, automatic alerts.
What are the three UNIX permissions?
read, write, execute
Briefly characterize each of the three UNIX permissions
read: view contents of a file; write: add or modify contents of a file; execute: run a program or script
What is the most time-consuming part of firewall management?
reading logs.
What is auditing?
recording and analyzing what a person or program actually did.
What must an employee do if he or she observes unethical behavior?
report it to the corporate ethics officer.
What kinds of external access are needed for e-commerce?
servers within firms for actions like order entry, accounting, shipping, etc. Also, servers outside the firm like banks and companies that check credit card numbers.
In MMC, to what things do items in the sub object pane refer?
services for the currently selected tool
What are UNIX CLIs called?
shells.
How can optical disks be destroyed?
shredding or melting
Which types of VPNs use VPN gateways?
site to site and remote access
What does surreptitious mean?
something done without the subject's knowledge
On what two things about you is biometric authentication based?
something you are or something you do
What type of attack commands could be sent to cause a wireless DoS attack?
spoofed deauthenticate messages
Which leaves letters in their original positions, transposition or substitution ciphers?
substitution ciphers
What are the three devices in central authentication using RADIUS servers?
supplicant, authenticator, central authentication server
What type of encryption cipher is almost always used in encryption for confidentiality?
symmetric encryption.
What is the smallest organizational unit in active directory?
the AD domain
What is the other commonly used public key encryption cipher?
the ECC public key cipher.
What are the top two levels of the organization of a directory server?
the Organization is the top level. The next level down is the organizational unit (OU)
What is the most popular public key encryption cipher?
the RSA cipher.
What is provisioning?
the accepting of public keys and the providing of new digital certificates to users
Why is there no need to change the operation of the authenticator when a new EAP authentication method is added or an old EAP authentication mode is dropped?
the authenticator is just designed to pass through EAP messages during authentication; it does not actually deal with the authentication mode or technique. Thus, EAP can work with any authentication protocol the EAP central authentication server can handle.
Why can fingerprint scanning, which is often deceived, be acceptable for entry into a supplies cabinet?
the contents of the supply cabinet are not valuable enough to justify the effort it would take to deceive the system
Distinguish between transitive and intransitive trust
transitive trust is if A trusts B and B trusts C then A trusts C. Intransitive means that A would not trust C.
In Kerberos, distinguish between the ticket granting ticket and the service ticket
the ticket granting ticket (TGT) is granted when a device succeeds in logging in. It is like a wrist bracelet at a concert. A service ticket is sent to an authenticated supplicant (a supplicant with a TGT) which then sends that service ticket to the verifier to show that it has proper credentials.
In public key authentication, what must the sender know that an impostor should not be able to learn?
their private key
Describe replication among domain controllers within a single AD domain
there is total replication between domain controllers within a single AD domain.
What is the advantage of face recognition?
they can be read from several meters away
What can happen if a firm fails to retain required e-mail?
they can face severe fines and be forced to pay out-of-pocket for mandatory auditing from third party companies
List the functions of a PKI
they create and manage public key-private key pairs and digital certificates.
In public key authentication, how does the supplicant create a message digest?
they hash the plaintext message. This is the message digest.
What is the advantage of a firm being its own CA?
they have control of trust in their entire public key infrastructure
Why are CLIs difficult to use?
they have picky syntax and require memorizing a large number of commands.
Why is upgrading to a new version of an operating system usually good for security?
they often fix security vulnerabilities, and older versions of a program may stop receiving updates and patches.
How do central authentication servers often get their authentication information?
they often retrieve it from a directory server
For stateful packet inspection firewalls, what do ingress ACLs permit in general?
they permit internally initiated connection opening attempts.
What information should IDS alarms contain?
they should be as specific as possible, there should be a way to test the alarm for accuracy, the alarm should give advice about what the security administrator should do.
If wiring cannot be run through walls, what should be done to protect the wiring?
they should be run in (preferably armored) conduits
How are CLIs beneficial?
they use fewer system resources than a GUI, and any process that requires a sequence of commands can be combined into a script. Also, many security tools only work in the Command Line Interface (CLI).
What is the benefit of HMACs over digital signatures?
they use much less processing power and do not require the infrastructure of a full digital certificate
What is the likely future of passwords?
they will likely be phased out.
Why are metadirectory servers needed?
this allows directory servers using different software (AD, Novell, Sun, Solaris, etc.) all to exchange information and synchronize in a variety of ways.
Is a 56-bit key, like in DES, a strong length?
this is no longer considered a strong key length.
What is the advantage of the way central authentication servers get their information?
this provides a higher level of centralization and simpler management of the system
What is the major promise of biometrics?
to make reusable passwords obsolete.
When a remote client transmits in an SSL/TLS VPN, how far does confidential transmission definitely extend?
to the gateway. Beyond that, how traffic is handled is up to the network they are connecting to
How does a P2P attack work?
uses many hosts to overwhelm a victim with normal P2P traffic. The attacker spoofs the victim's IP address to redirect legitimate P2P traffic to the victim computer.
Which device is the verifier in an 802.1X situation? Explain.
verification is spread across the switch and the central authentication server. As such the switch is called the Authenticator, and the server is called the central authentication server.
How do CAs distribute public keys?
via digital certificates
Distinguish between viruses and worms
viruses rely upon another program for transmission whereas worms are stand-alone programs that do not (necessarily) attach to other programs.
Which is more likely to generate a false match, identification or watch list matching? Why?
watch list matching, the cost of false rejection is greater than with normal identification
What is ARP spoofing?
when a device uses false ARP replies to map any IP address to any MAC address
In biometrics, what is failure to enroll?
when a person can't meet the criteria to form a template, such as a person missing a hand being unable to do a fingerprint scan.
In biometrics, what is a match?
when an access scan's key features are close enough to the template that the difference is within the decision criteria value.
How has the perimeter extended outside the site?
wireless LANs, remote access, partners and customers
Why is the fact that most packets occur in the ongoing communication state important to stateful packet filtering? How does it impact its efficiency?
with SPI the most work is done when establishing a connection. Once the connection is established the packets are quickly passed. Since most packets exist in the ongoing communication state, the load on the firewall from examining the connection state packets is not excessive
Why is auditing necessary?
without auditing improper behavior can continue for far too long
Can a firm be its own CA?
yes
In AD, can a domain have multiple domain controllers?
yes
May there be different SAs in the two directions of IPsec communication?
yes, each direction can have its own level of security, if desired
In an ARP poisoning attack, does the attacker have to poison the gateway's ARP table too? Why or why not?
yes, this ensures that the network traffic is redirected to the switch the attacker is on, and then to their sniffer.
Can a person be tried separately in a criminal trial and later in a civil trial?
yes.
How can password-cracking programs be used to enforce password strength policy?
you can audit your own corporation's password file by trying to crack it yourself
What is bad about assigning all permissions then taking away the permissions a user does not need?
you may overlook something and leave the user with access to a resource they were not authorized to access