401_3 Flashcards
Internet Security Technologies (141 cards)
1
Q
What is Kevin Mitnick vs. Tsutomu Shimomura
A
Famous example of attack
Compromised 3 major tenant of security CIA (confidentiality, integrity and availability)
Accessing files that were not his (confidentiality)
penetrating network resources he was not granted access (confidentiality)
Executing a SYN flood as a DoS (availability)
3-6
2
Q
What is a trust relationship?
A
Means that a computer is familiar with another computer and trusts the information that is coming from it.
3-8
3
Q
How do complex attacks against specific target usually start?
A
With a reconnaissance phase in which the attacker maps out the lay of the LAN.
3-8
4
Q
What is the reconnaissance phase of an attack?
A
Phase in which attacker determines which hosts are present and gathering as much information about them as possible.
3-8
5
Q
What is finger?
A
A Unix service that can return information about users.
3-9
6
Q
What is the use of a .rhost file?
A
It directs one computer to accept incoming login connections from the other computer on trust and not prompt for a password.
3-9
7
Q
What is the use of a hosts.equiv file?
A
Directs one computer to accept logins for all users on a machine on trust and not prompt for a password.
3-9
8
Q
What is showmount?
A
Unix command to lists the file system exported by an NFS file server.
3-9
9
Q
What is rpcinfo?
A
Unix command to enumerate the various RPC-based services on a remote machine.
3-10
10
Q
What is Sun’s Network Information Service (NIS)?
A
Network user database included with most varieties of Unix.
3-10
11
Q
What is IP spoofing?
A
Sending packets to a remote computer but lie about your source IP address.
3-11
12
Q
What is SYN flooding?
A
Sending numerous SYN packets to the machine to be silenced but never completing the TCP handshake protocol.
3-12
13
Q
What is the role of the initial sequence number in negotiating a TCP connection?
A
To indicate the next byte the ACKer expects to receive.
3-13
14
Q
The information security cycle (also known as the risk management cycle) consists of what three parts?
A
- Prevention
- Detection
- Response
15
Q
In modern-day information security what is often considered to be one of the most important tasks for system administrators and security professional alike.
A
Patching of systems and applications.
16
Q
What two helpful functions does a firewall provide?
A
- Prevents outsiders from accessing internal network services
- Prevents outsiders from using spoofed IP addresses that should only appear inside your own network.
17
Q
What are three fairly common types of malicious code?
A
- Logic bombs
- Trojan horses
- Trap doors or back doors
18
Q
What are some of the more interesting DoS attacks?
A
- smurf
- SYN floods
- DDoS
19
Q
When does a DoS attack occur?
A
When a user is deprived of the use of some data, computing resource, or service due to malicious actions on the part of an attacker.
20
Q
What happens to the number of possible keys for every bit you add to the key length?
A
It doubles
21
Q
What is probably the least efficient attack?
A
Brute force
22
Q
What is the primary purpose of a browsing attack?
A
Reconnaissance
23
Q
What are race conditions also know as?
A
Time of Check/Time of Use or TOC/TOU attacks
24
Q
What is a firewall?
A
A means to control what is allowed across some point in a network as a mechanism to enforce policy.
25
Firewalls are utilized at a variety of network locations, name two of them.
1. Between the public internet and an organization's private internal network
2. Between a PC's network interface card (NIC) and the rest of the PC
26
Firewalls may be implemented as what?
Dedicated network appliances
Hardware or software inserted into a network device such as a router
Software running on a general purpose computer
27
Where is a firewall most commonly deployed?
At boundaries between you site and the internet
28
Which of the following is not a primary benefit of a firewall?
(Answers)
A. Protect internal/external systems from attack
B. Help detect problems with network operations
C. Perform NAT (Network Address Translation)
D. Encrypt communications for VPN (IPSec)
E. Logging to aid in intrusion detection and forensics
B. Help detect problems with network operations
29
Firewalls can have the following shortcomings.
1. Attacks at the application layer may sneak through
2. Dial-up, VPN, extranet connections may bypass firewalls
3. Organizations may let down their guard in other security areas (passwords, patches, encryption)
4. Management sees firewall as a silver bullet
30
What are three methods to circumvent firewall policies?
1. Installing modems
2. Setting up wireless access
3. Implementing peer-to-peer file sharing
31
If a packet doesn't match a firewall rule how is it processed.
Using the default rule which could be either deny all, which is more restrictive, or allow all, which is more permissive.
32
Ingress and egress filtering applies to traffic headed in which directions?
Ingress - inbound traffic
| Egress - outbound traffic
33
What are low-end firewall are also know as?
Stateless Packet Filters
34
What are possible state values in a stateful firewall?
1. SYN_SENT
2. SYN_RECV
3. ESTABLISHED
4. FIN_WAIT1
5. LAST_ACK
6. FIN_WAIT2
7. CLOSED
35
At what network layer do stateless packet filters and stateful firewalls operate?
Stateless operates at Layer 3 (Network)
| Stateful operates at Layer 4 (Transport)
36
What protocol headers are examined by stateful firewalls
IP and TCP
37
Proxy firewall must maintain a complete TCP connection state and sequencing through which two connections?
1. The session user (the source) to the proxy
| 2. The proxy to the destination server
38
What is the difference between operating system control and application control approaches to personal firewalls?
Application control blocks specific applications from accessing system resources such as the internet whereas operating system control blocks programs from running altogether.
39
What are common Linux and Windows 7 personal firewall tools?
Linux - IP Tables
| Windows - Windows 7 Firewall
40
What is the most commonly overlooks feature of a firewall?
Using the logging functionality to generate a forensic trail of evidence.
41
Why is RFC 1918 a very import standard?
Because it sets aside specific networks as private address space.
42
What does Network Address Translation (NAT) enable?
Many more computers to participate in the public Internet than available addresses would otherwise allow and provides a degree of privacy regarding your internal network structure.
43
True of False, generally, NAT is use in the inbound direction, from the Internet to your network.
False - NAT is typically used in the outbound direction, from your network to the Internet.
44
The process of translating traffic from multiple internal hosts to a single external address is called?
Port Address Translation
45
What is a honeypot?
An information system resource whose value lies in unauthorized or illicit use of that resource.
46
What are some system resources that might be used as honeypots?
1. A dedicated server
2. A simulated system or stat machine
3. A service on a selected host
4. A virtual server
5. A single file with special attributes which is sometimes called a honeytoken
47
What are some of the advantages of honeypots?
1. Provides insight into the tactics, motives, and tools of attackers
2. Reduces challenges of false positives, false negatives, and data collection by determining true attack traffic
3. Provides additional Defense-in-Depth for orgainizations
48
What can be said about the use or access of a honeypot or honeytoken?
It could be accidental or hostile but always unauthorized.
49
Why can honeypots capture and identify hostile activity from exploits that are not currently known?
Because all access to this is unauthorized and therefore either hostile or accidental in nature.
50
What is the most significant reasons organizations should not deploy honeypots?
The risk of misconfigured honeypots
51
Why does honeypots become a resource burden for organizations?
Because they require:
1. constant monitoring
2. swift response
3. detailed analysis of attacks
52
What are the four general categories for classifying a honeypot
1. Purpose: Production or Research
2. Location: Internal or External
3. Scope: Honeynet (network), Honeypot (system), Honeytoken (file)
53
During which phase of an attack does the adversary find new systems, map out networks, and prob for specific, exploitable vulnerabilities?
Reconnaissance.
54
Evidence of reconnaissance activity be a clue to what?
A targeted attack may be on the horizon.
55
What are the 3 Rs?
1. Reconnaissance
2. Resource Protection
3. ROI
56
The best use of the security dollar would be to ensure that a scanning program also has what?
A solid prioritized remediation process
57
Scanning without remediating might actually be considered what?
Negligence
58
What is a simple ROI formula?
ROI = (gain - expenditure)/(expenditure) X 100%
59
Why is it important to define ROI when discussing it?
Because ROI can mean different things in different contexts.
60
What are some common uses of ROI?
1. Development of a business case
2. Evaluating whether to go ahead with the purchase of a product/service/line of business
3. Predicting revenue
61
What are the 5 vulnerability axioms?
1. Vulnerabilities are the gateway through whcih threats are manifested
2. Vulnerability scans without remediation have little value
3. A little scanning and remediation is better than a lot of scanning and less remediation
4. Prioritizing systems and vulnerabilities is critical
5. Stay on track
62
Prevention is another type of what?
Countermeasure
63
List 5 threat vectors?
1. Outsider attack from network
2. Outsider attack from telephone
3. Insider attack from local network
4. Insider attack from local system
5. Attack from malicious code
64
How can Firewalls protections be bypassed?
1. Worms and Wireless
2. Modems/Wireless Hot Spots - Restrictive Firewalls
3. Tunnel anything through HTTP
4. Social engineering
65
The more restrictive a site's firewall policy the more likely the employees will use what?
A modem
66
What is social engineering
An attempt to manipulate or trick a person into providing valuable information or access to that information.
The process of attacking a network or system by exploiting the people who interact with that system.
67
What type of social engineering involves one person trying to get valuable information from another person?
Human-based
68
What type of Exploiting human curiosity, gullibility, or greed, even automatically via the use of mass-mail worms, is pure what at work?
Social Engineering
69
What is the best defense against social engineering?
Establish clear security policies and enforce them.
70
What network analysis tool fits ping's ICMP concept to TCP and UDP?
Hping3
71
How does hping3 find silent hosts?
With a repeated TCP ping of a host, followed by examination of that host's returned TCP sequence and IP ID numbers, it is possible to tell if that host is engaged in communication with any other host.
72
What is a TCP version of Ping?
Hping3
73
What is a Port Scan?
The process of enumerating all hosts that respond on a given network and tells you which ports on each machine have listener processes bound to them.
74
What is a popular freeware network mapping tools that supports a large number of scanning techniques including port scanning (TCP and UDP), SYN, FIN, ACK, as well as ICMP ping sweeps?
Nmap
75
How do port scanners often report on the services running on each port?
Usually from a text file that amps ports numbers to their well-known service names.
76
What are the three possible states indicated for each port during an Nmap scan?
1. Open
2. Closed
3. Filtered
77
What are general scan techniques available from Nmap?
1. Full Open
2. Half Open (Stealth Scan)
3. UDP
4. Ping Scans
78
How do scanners identify operating systems?
By performing several different test and correlated the output to develop a fingerprint for each OS.
79
What is the cardinal rule of scanning or vulnerability assessment?
To be certain to only scan systems that you own or are authorized to scan.
80
What are 4 things to consider before you invest money in a vulnerability scanner?
1. How is the product licensed?
2. How interoperable is the product? Does is support the Common Vulnerabilities and Exposures (CVE) standard for cataloging vulnerabilities?
3. Can you easily compare the results of a scan today with the results of one four weeks ago?
4. Does your manager like the report output
81
What is the difference between a penetration tester and a hacker?
Permission
82
How do you do a vulnerability scan?
1. Get permission
2. Put out the word
3. click target selection
4. Heavy scan but do not allow DoS scan
5. Only scan when you are in the office by the phone
6. Fix te red "priority" problems first..
83
```
What is OpenVAS
(Answers)
A. Port scanner
B. Vulnerability scanner
C. Firewall
D. Network intrusion detection system
```
B. Vulnerability scanner
84
What is any point where an attacker can gain access to the network, including wireless called?
A network perimeter
85
What are the two favored tools for wireless network mapping?
1. NetStumbler
| 2. Kismet
86
What tool is designed to be a passive wireless sniffer, a wardriving tool, a wireless vulnerability assesment tool and an intrusion detection tool?
Kismet
87
What is the difference in the way NetStumbler and Kismet discover wireless networks?
NetStumbler uses an active approach whereas Kismet is completely passive
88
In addition to identifying located wireless networks, what information about discovered wireless networks can Kismet provide?
1. Clients that are on the network
2. Cryptographically weak traffic
3. clear-text strings transmitted over the wireless network
4. factory-default access point configurations
89
Driving, or walking, or busing, or sitting still with equipment to detect wireless networks is called?
Wardriving
90
How can you reduce the range from where an attacker can map a wireless network?
1. By reducing the signal strength
2. Using careful placement techniques to limite RF leakage.
3. RF-barriers such as metal-screening inside exterior walls
91
What is the best defense for a wireless network?
Strong authentication and encryption system
92
What is a simple means of trying to identify modems that may be susceptible to compromise in an attempt to circumvent perimeter security called?
War Dialing
93
What is completed at the conclusion of a vulnerability scan and is used to determine the validity of any identified vulnerabilities?
Penetration Test
94
What is another work for penetration testing?
Ethical Hacking
95
List 6 Pen Test Techniques?
1. War dialing
2. War driving
3. Sniffing
4. Eavesdropping
5. Dumpster diving
6. Social engineering
96
What should organizations consider doing to maintain an audit trail of analysis how and when systems were assessed?
Logging all access to systems through scanning tools, even authorized scans,
97
What is the process of monitoring activity on your network or host and can also be thought of as an alarm system for identifying undesirable activity on your network or hosts?
Intrusion Detection or IDS
98
IDSs should be utilized in conjunction with firewalls, anti-virus software, vulnerability assessment and patch management tool to support a ___________ posture.
Defense-in-Depth
99
What is IDS Not?
1. A replacement for firewalls, strong policies, system hardening, timely patching and other defense-in-depth techniques
2. A low-maintenance tool
3. An inexpensive tool
4. A silver bullet
100
What is IDS in it's most basic form?
Log messages from any device.
101
What generates IDS alerts?
Events of Interest (EOI)
102
What 4 types of IDS events must analysts understand?
1. True Positive
2. False Positive
3. True Negative
4. False Negative
103
What are three different methods used by NIDS devices to identify events of interest on the network?
1. Signature Analysis
2. Anomaly Analysis
3. Application or Protocol Analysis
104
How does signature analysis work to identify of interest on the network?
1. Performs pattern matching
2. Rules indicate criteria in packets that represent EOI
3. Rules are applied to packets as they are received by the IDS
4. Alerts are created when matches are found
105
Most IDS tools will allow the analyst to examine and classify data on what packet characteristics?
1. Protocol, address and port information
2. Payload contents
3. String matching
4. Traffic flow analysis
5. Flags in protocol headers
6. Any fields in the packet
106
What must first be know In order for anomaly analysis to identify events of interest on the network?
A baseline of "normal" network activity/traffic
107
Why is the use of protocol analysis as an IDS technique very powerful?
Because it can detect both known and unknown attacks against a protocol.
108
From a network-based IDS perspective, vendor have implemented what two different mechanisms of inspecting traffic, typically with rule-based analysis measures?
1. Shallow Packet Inspection
| 2. Deep Packet Inspection
109
What are the characteristics of shallow and deep packet inspections?
Shallow Packet Inspection
- Fast, but provides little fidelity
- Examines header information, limited payload data
Deep Packet Inspection
- S l o w, requires stateful tracking of data
- Inspects all fields, including variable-length fields
110
Scalability, insight into traffic on the network, detecting problems with network operations, helping organizations react swiftly to incidents, auditing for other security measure, and providing additional flexibility in securing information asses are advantages to what kind of system tool(s)?
A Network Intrusion Detection System (NIDS)
111
When cryptography is used heavily on the network, where is the only useful place to put a sensor?
A host at either end of the encrypted channel, capturing the traffic before it is encrypted or after it is decrypted.
112
A common mistake made in evaluating IDS tools is using the ______________ as a guide for selecting a vendor's product.
number of rules or signatures
113
Additional processing burdens on the IDS include what?
1. Decryption of traffic
2. Packet and Stream reassembly
3. Data normalization
114
What happens when you IDS is overloaded with more throughput than it can handle?
Performance tends to degrade rapidly, not just discarding excess packets, but thrashing from resource exhaustion.
115
What can be done to lessen the aggregate bandwidth a NIDS device needs to process?
Move it downstream
116
What is the financial reality behind deploying an IDS?
The capital cost is a small fraction of the overall cost.
117
To get the most benefit from an ______ system, organizations must have analysts that are well-trained in te necessary skill of intrusion analysis and incident handling.
IDS
118
What kind of tool is Snort?
Lightweight NIDS
119
What are some recent advance in NIDS technology?
1. Reduction of false-positive reporting through target OS identification
2. Integrated vulnerability assessment for threat profiling/alert prioritization
3. Integration in networking devices
4. IDS for wireless networks
120
How do HIDS tools identify events of interest?
1. File integrity checks
2. Log file monitoring
3. Individual network monitoring
121
Where do host-based intrusion detection work?
On a single host
122
How does a HIDS provide File Integrity Checking?
By regularly checking the hashes of monitored files against an index of known hashes.
123
What mechanism does log monitoring use to define events of interest from log files?
Inclusive or exclusive analysis
124
What do vendors make use of to identify host operating systems, network architecture and what vulnerabilities are present on the network?
Passive analysis techniques
125
What is easily the most widespread tool in information security?
Anti-virus software
126
What is the art of analyzing threats and vulnerabilities, and determining the impact these risks have on your enterprise?
Risk management
127
What is risk management's main focus?
1. To reduce the risk until its at an acceptable level
| 2. To identify, control, and minimize the loss associated with each risk.
128
What are the steps for an effective risk management process
1. Identify threats, vulnerabilities and analyze risks
| 2. Validate due care by using industry best practices.
129
What is the classic definition of risk?
Risk = Threat X Vulnerability
130
What is a threat?
Any event that can cause an undesirable outcome
131
What is a vulnerability?
A weakness in a system that could be exploited
132
When evaluating risk, it is helpful to ask yourself what key questions?
1. What could happen?
2. If it happened, how bad could it be?
3. How often could it happen?
4. How reliable are the answers to the previous questions?
133
What is the formula for SLE?
Single Loss Expectancy = Asset Value ($) X Exposure Factor (EF)
134
When computing single loss expectancy what is the percentage of loss a threat event would have on the asset called?
Exposure Factor (EF)
135
What is the formula for ALE?
Annualized Loss Expectancy = SLE X Annualized Rate of Occurrence (ARO)
136
When computing annualized loss expectancy what is the estimated frequency at which a threat is expect to occur called?
Annualized Rate of Occurrence (ARO)
137
What are the two risk assessment approaches?
Qualitative and Quantitative
138
Which risk assessment approach is more valuable as a business decision tool?
Quantitative since it works in metrics, usually dollars.
139
The process of determining what is at risk and what is the impact if the identified threats materialize is known as?
Risk Analysis
140
```
What types of scans are often referred to as stealth scans?
(Answers)
A. UDP scan
B. TCP scan
C. FIN scan
D. SYN scan
```
D. SYN scan
140
What is the purpose of risk analysis?
1. Identify existing countermeasures, threats, and vulnerabilities
2. Support the expenditure of resources and to determine the most cost-effective safeguards to offset the risks
3. Aid in the selection of cost-effective countermeasures that will reduce existing risks to an acceptable level
