Security Exam ch 7/8
Describe the three control strategies proposed for IDPS
1. Centralized: functions are managed in a central location 2. Fully distributed: Each monitoring site uses its own paired sensors and controls. 3. Partially Distributed: Combines the other two. Individual agents respond to threats still, but also report to a centralized facility. (More effective)
What is an open port?
A TCP or UDP service port that accepts traffic and responds with services at that port address
What are the components of PKI?
A certificate authority A registration authority Certificate directories Management Protocols Policies and Procedures
What does it mean to be "out of band"? Why is it important to exchange keys out of band in symmetric encryption?
A channel of communication that does not carry the ciphertext. Key exchange must either be done out of band or using a secured method so that the key is not intercepted and used to read the secret message.
18. What is Metasploit Framework? Why is it considered riskier to use than other vulnerability scanning tools?
A class of scanners that exploit a remote machine and allow a vulnerability analyst to create accounts, and modify information
What is a honeynet?
A collection of honeypot systems connected on a subnet
What is a monitoring (or SPAN) port? What is it used for?
A data port of a switched device that replicates all designated traffic from the device so that the traffic can be stored or analyzed by am IDPS
What is the difference between a digital signature and a digital certificate?
A digital certificate is a wrapper for a key value. A digital signature is a combination of a message digest and other information used to assure nonrepudiation.
What critical issue in symmetric and asymmetric encryption is resolved by using a hybrid method like Diffie-Hellman?
A hybrid system can be used without the need for out-of-band key exchange.
How does a padded cell system differ from a honeypot?
A protected honeypot. In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDPS. When the IDPS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm
What is a vulnerability scanner? How does it improve security?
A software program that scans a range of network addresses and port numbers for open services. When a port is found, it is scanned for security, when a weak port is found it can be repaired or removed.
What is the difference between active and passive vulnerability scanners?
Active scanner: initiates network traffic to find and evaluate service ports. Passive scanner: uses traffic from the target network segment to evaluate the service ports available from hosts on that segment
What is the fundamental difference between symmetric and asymmetric encryption?
Asymmetric encryption is also known as public-key encryption. It uses two different keys to encrypt messages: the public key and the private key. Symmetric encryption is different because it uses only one key to encrypt and decrypt messages. Symmetric encryption is much faster for the computer to process, but it raises the costs of key management.
What common security system is an IDPS most like? In what ways are these systems similar?
Burglar alarms; both monitor an area for actions that represent a threat, and sound an alarm
If you were setting up an encryption-based network, what key size would you choose and why?
Choose the largest key size consistent with the tools being used and the overhead performance burden it would impose on the environment. The current "gold standard" is to ensure that all computing devices are capable of AES 256-bit encryption.
What was the earliest reason for the use of cryptography?
Concealing military and political secrets while they were transported from place to place
What is a honeypot?
Decoy systems used to deceive potential hackers by luring them away from critical systems, and encouraging them to attack themselves. AKA: decoys, lures, flytraps
Which security protocols are used to protect e-mail?
E-mail security is most often provided using the S/MIME, PEM, and PGP protocols.
What are the three basic operations in cryptography?
Encrypting, decrypting, hashing
How does a false positive alarm differ from a false negative alarm? From a security perspective, which is less desirable?
False positive: alert that occurs as a false reaction to routine activity False negative: failure of a security device to detect an actual threat From a security viewpoint, false positives are just a nuisance, but false negatives are a failure of the system.
What kind of data and information can be found using a packet sniffer?
Find all visible traffic on the network connection where the sniffer is installed.
What is network footprinting?
Footprinting is organized research of the Internet addresses owned or controlled by a target organization. The attacker uses public Internet data sources to perform keyword searches that identify the network addresses of the organization
IPSec can be implemented using two modes of operation. What are they?
IPSec is provisioned using the transport and tunnel modes.
What is a more formal name for a cryptographic key?
In cryptosystems, a key, also known as a cryptovariable
Which security protocols are predominantly used in Web-based electronic commerce?
Many Web-based technologies make use of the S-HTTP, SET, SSL, SSH-2, and IPSec protocols.
What is a hash function and what can it be used for?
Mathematical algorithms that generate a message summary or digest to confirm the identity of a specific message and confirm that the content has not changed.
How does a network-based IDPS differ from a host-based IDPS?
Network-based: monitors traffic on a network segment Host-based: monitors a single host system for changes
How does Public-key Infrastructure add value to an organization seeking to use cryptography to protect information assets?
PKI makes the use of cryptographic systems more convenient and cost-effective.
Why would ISPs ban outbound port scanning by their customers?
Port scanning is most often used by attackers as a prelude to a concerted attack. ISPs do not want to be liable for the actions of attackers who may use their network resources.
Why is it important to limit the number of open ports to those that are absolutely essential?
Ports that are not required are often poorly configured and subject to misuse. Only essential services should be offered on secure networks.
How does a signature-based IDPS differ from a behavior-based IDPS?
Signature-based: looks for patterns of behavior that match a library of known behaviors behavior-based: watches for activities that suggest an alert-level activity occurring, based on sequences of actions or timing between events
What is steganography, and what can it be used for?
Steganography is a process used to hide messages within digital encoding of pictures and graphics. It is a concern for security professionals because hidden messages can contain sensitive information that needs to be protected.
What capabilities should a wireless security toolkit include?
The ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.
What is a system's attack surface?
The attack surface represents all functions and features that a system makes available to unauthenticated users.
What encryption standard is currently recommended by NIST?
The current recommendation is to use AES, the Advanced Encryption Standard.
What are the most popular encryption systems used over the Web?
The dominant Web encryption systems include SSL, 3DES, and PGP. Alternate answers could include RSA, AES, and RC6.
How are network footprinting and network fingerprinting related?
The fingerprinting phase uses the TCP/IP address ranges that were collected during the footprinting phase.
Which kind of attack on cryptosystems involves using a collection of pre-identified terms? Which kind of attack involves sequential guessing of all possible key combinations?
The form of attack that uses pre-identified terms is called a dictionary attack. A brute force attack tries all possible combinations.
Why do many organizations ban port scanning activities on their internal networks?
There are few legitimate business reasons for port scanning; also, it is a high-impact and highly intensive use of network resources.
What is network fingerprinting?
This is a systematic survey of all of the target organization's Internet addresses to ascertain the network services offered by the hosts in that range.
Why should a system's attack surface be minimized when possible?
To minimize the risk of loss from unintended use or unforeseen vulnerabilities, all functions and features that are not required for business purposes should be disabled and uninstalled.
What are cryptography and cryptanalysis?
Two topic areas within cryptology.
What is the typical key size of a strong encryption system used on the Web today?
Web-based SSL standardized on 128 bits in 2004. Newer versions (circa 2008) are 256 bit.
What is a cryptographic key, and what is it used for?
the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext.
