Topic 14: Network Hardening

Match the network enumeration technique with its correspond description. Technique: a. Wardriving b. War dialing c. Banner grabbing d. Firewalking Description: 1. Identifying phone numbers w/ modems 2. Scanning for wireless access points 3. Identifying operating system type and version number 4. Identifying services that can pass thru a firewall

a -> 1 b -> 2 c -> 3 d -> 4

Match each penetration test characteristic to the appropriate test name Names: a. White box test b. Grey box test c. Black box test d. Single blind test e. Double blind test Characteristic: 1. The tester has no prior knowledge of the system 2. The tester has detailed info about the target system prior to starting the test 3. The tester has the same amount of info that would be available to a typical insider in the organization 4. Either the tester has prior knowledge of the target system, or the administrator knows that the test is being performed 5. The tester does not have prior info about the system and the administrator does not know the test is being performed

a -> 2 b -> 3 c -> 1 d -> 4 e -> 5

A security administrator is conducting a penetration test on a network. She connects a notebook system running Linux to the wireless network then uses NMAP to probe various network hosts to see which operating system they are running. Which process did the administrator use in the penetration test in this scenario? a. Active fingerprinting b. Passive fingerprinting c. Firewalking d. Network enumeration

a. Active fingerprinting

Which of the following actions should you take to reduce the attack surface of a server? a. Disable unused services b. Install the latest patches and hotfixes c. Install anti-malware software d. Install host based IDS

a. Disable unused services

You have decided to perform a double blind penetration test. Which of the following actions would you perform first? a. Inform senior management b. Run system fingerprinting software c. Perform operation reconnaissance d. Engage in social engineering

a. Inform senior management

You are concerned about protecting your network from network-based attacks through the Internet. Specifically, you are concerned about zero day attacks (attacks that have not yet been identified or that do not have prescribed protections). What type of device should you use? a. Anti-virus scanner b. Anomaly based IDS c. Host based firewall d. Signature based IDS e. Network based firewall

b. Anomaly based IDS

What does an IDS that uses signature recognition use for identifying attacks? a. Exceeding threshold values b. Comparison to a database of known attacks c. Statistical analysis to find unusual deviations d. Comparison of current statistics to past statistics

b. Comparison to a database of known attacks

If maintaing confidentiality is of the utmost importance to your organization, what is the best response when an intruder is detected on your network? a. Monitor the intruder's actions b. Disconnect the intruder c. Record audit trails about the intruder d. Delay the intruder

b. Disconnect the intruder

Which of the following intrusion detection and prevention systems use fake resources to entice attackers by displaying a vulnerability, a configuration flaw, or valuable data? a. Botnet b. Honeypot c. Zombie d. Trojan horse

b. Honeypot

Which of the following activities are considered passive in regards to the functioning of an intrusion detection system? (Select two) a. Disconnecting a port being used by a zombie b. Monitoring the audit trails on a server c. Listening to network traffic d. Transferring FIN or RES packets to an external host

b. Monitoring the audit trails on a server c. Listening to network traffic

A security administrator is conducting a penetration test on a network. She connects a notebook system to a mirror port on a network switch. She then uses a packet sniffer to monitor network traffic to try and determine which operating systems are running on network hosts. Which process did the administrator use in the penetration test in this scenario? a. Active fingerprinting b. Passive fingerprinting c. Firewalking d. Network enumeration

b. Passive fingerprinting

An active IDS system often performs which of the following actions? (Select two.) a. Request a second logon test for users performing abnormal activities b. Update filters to block suspect traffic c. Trap and delay the intruder until the authorities arrive d. Perform reverse lookups to identify an intruder

b. Update filters to block suspect traffic d. Perform reverse lookups to identify an intruder

Which of the following activities are typically associated w/ a penetration test? (Select two) a. Running a vulnerability scanner on network servers b. Interviewing employees to verify the security policy is being followed c. Attempting social engineering d. Running a port scanner e. Creating a performance baseline

c. Attempting social engineering d. Running a port scanner

What security mechanism can be used to detect attacks originating on the Internet or from within an internal trusted subnet? a. Security alarm b. Firewall c. IDS d. Biometric system

c. IDS

Which of the following are security devices that perform stateful inspection of packet data, looking for patterns that indicate malicious code? (Select two.) a. Firewall b. ACL c. IPS d. IDS e. VPN

c. IPS d. IDS

You have worked as the network administrator for a company for seven months. One day all the picture files on a server become corrupted. You discover that a user downloaded a virus from the Internet onto a workstation, and it propogated to the server. You successfully restore all the files from backup, but your boss is adamant that this situation does not re-occur. What should you do? a. Disconnect the user from the Internet b. Allow users to access the Internet only from terminals that are not attached to the main network c. Install a network virus detection software solution d. Install a firewall

c. Install a network virus detection software solution

What does a tarpit do to detect and prevent intrusion into your network? a. Passively monitors and logs suspicious activity until it detects a known attack pattern then shuns the intruder by dropping their connection b. Entices an intruder by displaying vulnerability, configuration flow, or valuable data c. Uses a packet sniffer to examine traffic and identify known attack patterns then locks the attacker's connection to prevent any further intrusion activities d. Answers connection requests in such a way that that attacking computer is stuck for a period of time

d. Answers connection requests in such a way that that attacking computer is stuck for a period of time

You are concerned about attacks directed at your network's firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action when possible to stop or prevent the attack. Which tool should you use? a. Packet sniffer b. IDS c. Port sniffer d. IPS

d. IPS

Properly configured passive IDS and system audit logs are an integral part of a comprehensive security plan. What step must be taken to ensure that the information is useful in maintaining a secure environment? a. The account department must compress the logs on a quarterly basis. b. All logs should be deleted and refreshed monthly. c. All files must be verified with the IDS checksum. d. Periodic reviews must be conducted to detect malicious activity or policy violations.

d. Periodic reviews must be conducted to detect malicious activity or policy violations.

Which of the following types of penetration test teams will provide you with information that is most revealing of a real-world hacker attack? a. Partial knowledge team b. Split knowledge team c. Full knowledge team d. Zero knowledge team

d. Zero knowledge team

As a security precaution, you have implemented IPSec that is used between any two devices in your network. IPSec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? a. VPN concentrator b. Port scanner c. Network based IDS d. Protocol analyzer e. Host based IDS

e. Host based IDS

You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers will not accept packets sent to those services. Which tool should you use? a. IDS b. IPS c. System logs d. Packet sniffer e. Port scanner

e. Port scanner