Midterm Net & Web Security Analysis
The signature of a normal FTP connection includes a three-way handshake.
True
True or False A hybrid IDPS combines aspects of NIDPS and HIDPS configurations.
True
True or False A worm creates fi les that copy themselves repeatedly and consume diskspace.
True
True or False Physical security protects a system from theft, fi re, or environmental disaster.
True
______________ do not require user intervention to be launched; they are self-propagating.
Worms
What is a VPN typically used for? a. secure remote access b. detection of security threats c. block open ports d. filter harmful scripts
a. secure remote access
True or False A packet monkey is an unskilled programmer who spreads viruses and other malicious scripts to exploit computer weaknesses.
False
True or False All devices interpret attack signatures uniformly.
False
True or False An IDPS consists of a single device that you install between your firewall and the Internet.
False
True or False An NIDPS can tell you whether an attack attempt on the host was successful.
False
True or False An atomic attack is a barrage of hundreds of packets directed at a host.
False
______________________ is the capability to prevent a participant in an electronic transaction from denying that it performed an action.
Nonrepudiation
In the three-way handshake, the first packet in the sequence has the ________ flag set.
SYN
In a _______________ based detection system, the IDPS canbegin working immediately after installation.
Signature
__________________ are spread by several methods, including running executable code, sharing disks or memory sticks, opening e-mail attachments, and viewing infected or malicious Web pages.
Viruses
Which of the following is an element of the TCP header that can indicate that a connection has been established? a. Flags b. Stream index c. SEQ/ACK analysis d. Sequence number
a. Flags
Which type of attack causes the operating system to crash because it isunable to handle arbitrary data sent to a port? a. RPC attacks b. ICMP message abuse c. malicious port scanning d. SYN fl ood
a. RPC attacks
What tool do you use to secure remote access by users who utilize the Internet? a. VPN b. IDS c. DMZ d. DiD
a. VPN
Which type of scan has the FIN, PSH, and URG flags set? a. Xmas scan b. Null scan c. FIN scan d. SYN Scan
a. Xmas scan
Which of the following is NOT among the items of information that a CVE reference reports? a. attack signature b. name of the vulnerability c. description of vulnerability d. reference in other databases
a. attack signature
Which security layer verifi es the identity of a user, service, or computer? a. authentication b. repudiation c. physical security d. authorization
a. authentication
Which of the following is true about an HIDPS? a. monitors OS and application logs b. sniff s packets as they enter the network c. tracks misuse by external users d. centralized configurations affect host performance
a. monitors OS and application logs
Where is a host-based IDPS agent typically placed? a. on a workstation or server b. at Internet gateways c. between remote users and internal network d. between two subnets
a. on a workstation or server
What is the typical packet sequence for closing a TCP session? a. FIN, FIN ACK, RST b. FIN, ACK, FIN ACK, ACK c. FIN ACK, FIN, ACK, RST d. FIN, FIN ACK
b. FIN, ACK, FIN ACK, ACK
Defense in depth can best be described as which of the following? a. a firewall that protects the network and the servers b. a layered approach to security c.antivirus software and firewalls d. authentication and encryption
b. a layered approach to security
Which of the following is true about an NIDPS versus an HIDPS? a. an NIDPS can determine if a host attack was successful b. an HIDPS can detect attacks not caught by an NIDPS c. an HIDPS can detect intrusion attempts on the entire network d. an NIDPS can compare audit log records
b. an HIDPS can detect attacks not caught by an NIDPS
What type of attack does a remote-access Trojan attempt to perpetrate? a. worm b. back door c. remote denial of service d. composite attack
b. back door
Which of the following is a type of script that automates repetitive tasks inan application such as a word processor but can also be programmed tobe a virus? a. worm b. macro c. back door d. Trojan
b. macro
Which type of attack works by an attacker operating between two computers in a network and impersonating one computer to intercept communications? a. malicious port scanning b. man-in-the-middle c. denial of service d. remote procedure call
b. man-in-the-middle
Under which suspicious traffic signature category would a port scan fall? a. informational b. reconnaissance c. denial of service d. unauthorized access
b. reconnaissance
Which of the following is NOT one of the three primary goals of information security? a. confidentiality b. integrity c. impartiality d. availability
c. impartiality
Which of the following is the description of a land attack? a. the local host source address occurs in the packet b. source and destination IP address/port are the same c. an illegal TCP flag is found in the segment header d. the attacker uses an undefined protocol number
b. source and destination IP address/port are the same
What is an advantage of the anomaly detection method? a. makes use of signatures of well-known attacks b. system can detect attacks from inside the network by people with stolen accounts c. easy to understand and less difficult to configure than a signature-based system d. after installation, the IDPS is trained for several days or weeks
b. system can detect attacks from inside the network by people with stolen accounts
How does the CVE standard make network security devices and tools more effective? a. the layered approach makes attacks nearly impossible b. they can share information about attack signatures c. it requires you to use compatible devices from one vendor d. it warns an attacker that your site is being monitored
b. they can share information about attack signatures
Which IDPS customization option is a list of entities known to be harmless? a. thresholds b. whitelists c. blacklists d. alert settings
b. whitelists
What is the packet called where a Web browser sends a request to theWeb server for Web page data? a. HTML SEND b. HTTP XFER c. HTTP GET d. HTML RELAY
c. HTTP GET
Which of the following is an accurate set of characteristics you would find in an attack signature? a. IP address, attacker's alias, UDP options b. protocol options, TCP ports, region of origin c. IP address, TCP flags, port numbers d. IP number, MAC address, TCP options
c. IP address, TCP flags, port numbers
What is the sequence of packets for a successful three-way handshake? a. SYN, ACK, ACK b. SYN, SYN ACK, RST c. SYN, SYN ACK, ACK d. SYN, ACK, FIN
c. SYN, SYN ACK, ACK
What is a program that appears to do something useful but is actually malware? a. virus b. logic bomb c. Trojan d. back door
c. Trojan
What can an IDPS check to try to determine whether a packet has beentampered with or damaged in transit? a. parity bit b. CRC value c. checksum d. fragment off set
c. checksum
Which of the following is an advantage of a signature-based detection system? a. the definition of what constitutes normal traffic changes b. it is based on profiles the administrator creates c. each signature is assigned a number and name d. the IDPS must be trained for weeks
c. each signature is assigned a number and name
Which type of IDPS can have the problem of getting disparate systems to work in a coordinated fashion? a. inline b. host-based c. hybrid d. network-based
c. hybrid
Which of the following is NOT a network defense function found in intrusion detection and prevention systems? a. prevention b. response c. identification d. detection
c. identification
Of what category of attack is a DoS attack an example? a. bad header information b. single-packet attack c. multiple-packet attack d. suspicious data payload
c. multiple-packet attack
Which type of firewall policy calls for a firewall to deny all traffic by default? a. permissive policy b. perimeter policy c. restrictive policy d. demilitarized policy
c. restrictive policy
A hactivist can best be described as which of the following? a. An unskilled programmer that spreads malicious scripts b. consider themselves seekers of knowledge c. use DoS attacks on Web sites with which they disagree d. deface Web sites by leaving messages for their friends to read
c. use DoS attacks on Web sites with which they disagree
Which security tool works by recognizing signs of a possible attack andsending notifi cation to an administrator? a. DiD b. DMZ c. VPN d. IDPS
d. IDPS
Which of the following is true about the steps in setting up and using an IDPS? a. anomaly-based systems come with a database of attack signatures b. sensors placed on network segments will always capture every packet c. alerts are sent when a packet doesn't match a stored signature d. false positives do not compromise network security
d. false positives do not compromise network security
Why might you want your security system to provide nonrepudiation? a. to prevent a user from capturing packets and viewing sensitive information b. to prevent an unauthorized user from logging into the system c. to trace the origin of a worm spread through email d. so a user can't deny sending or receiving a communication
d. so a user can't deny sending or receiving a communication
In which type of scan does an attacker scan only ports that are commonly used by specific programs? a. random scan b. vanilla scan c. ping sweep d. strobe scan
d. strobe scan
Why might you want to allow extra time for setting up the database in ananomaly-based system? a. the installation procedure is usually complex and time consuming b. to add your own custom rule base c. it requires special hardware that must be custom built d. to allow a baseline of data to be compiled
d. to allow a baseline of data to be compiled