Ch12 - Ch14

Question 1

standards‐based mechanism for providing encryption for point‐to‐point TCP/IP traffic; operates at the Network layer (layer 3)

Answer 1

IPSec

Question 2

needed to allow an outside entity to initiate communications with an internal system behind a NAT proxy

Answer 2

static mode NAT

Question 3

the least important aspect of security systems for Internet‐delivered email.

Answer 3

Availability, but yet in general availability is important

Question 4

use of email as an attack mechanism by flooding a system with messages causing a denial of service

Answer 4

Mail-Bombing

Question 5

Why is it difficult to stop spam

Answer 5

because source of messages are usually spoofed

Question 6

encryption tool used to protect sessionless datagram protocols; was designed to integrate with IPSec. replaced by IKE

Answer 6

Simple Key Management for Intenet Protocol (SKIP)

Question 7

provides authentication, integrity, and confdentiality using an encapsulation protocol.

Answer 7

Software IP Encryption (SWIPE)

Question 8

authentication service and is simply a means to prevent unauthorized execution of code on remote systems.

Answer 8

Secure Remote Procedure Call (S-RPC)

Question 9

encryption protocol developed by Netscape to protect the communications between a web server and a web browser; used to secure web, email, FTP, or even Telnet traffc. deployed using a 40-bit key or a 128-bit key

Answer 9

Secure Sockets Layer (SSL)

Question 10

security protocol for the transmission of transactions over the Internet; based on RSA encryption and DES; not been widely accepted by the Internet in general; instead, SSL/TLS encrypted sessions are the preferred mechanism for secure e-commerce.

Answer 10

Secure Electronic Transaction (SET)

Question 11

What tool is used to crack LEAP protocol

Answer 11

asLEAP

Question 12

used to manipulate line voltages to steal long-distance services. They are often just custom-built circuit boards with a battery and wire clips

Answer 12

Black Boxes

Question 13

used to simulate tones of coins being deposited into a pay phone. They are usually just small tape recorders

Answer 13

Red Boxes

Question 14

used to simulate 2600 Hz tones to interact directly with telephone network trunk systems (that is, backbones). This could be a whistle, a tape recorder, or a digital tone generator

Answer 14

Blue Boxes

Question 15

used to control the phone system. can use a dual-tone multifrequency (DTMF) generator (that is, a keypad). It can be a custom-built device or one of
the pieces of equipment that most telephone repair personnel use.

Answer 15

White Boxes

Question 16

SMTP server that does not authenticate senders before accepting and relaying mail.

Answer 16

open relay agent

Question 17

what standard is used standard for email addressing and message handling.

Answer 17

X.400

Question 18

email security standard that offers authentication and confidentiality to email through public key encryption and digital signatures.

Answer 18

Secure Multipurpose Internet Mail Extensions (S/MIME)

Question 19

can provide authentication, confidentiality, integrity, and nonrepudiation for email messages; employs MD2, MD5 algorithms; RSA public key; and DES to provide authentication and encryption services.

Answer 19

MIME Object Security Services (MOSS)

Question 20

email encryption mechanism that provides authentication, integrity, confdentiality, and nonrepudiation. uses RSA, DES, and X.509.

Answer 20

Privacy Enhanced Mail (PEM)

Question 21

assert that valid mail is sent by an organization through verifcation of domain name identity

Answer 21

DomainKeys Identified Mail (DKIM)

Question 22

another name for dial-up connectivity

Answer 22

Remote Node Operation

Question 23

what security border devices support NAT

Answer 23

firewalls, routers, proxies & gateways

Question 24

Most WAN technologies require a “WAN switch”

Answer 24

channel service unit/data service unit CSU/DSU

Question 25

some WAN technologies require additional specialized protocols to support specialized systems or devices. what are they

Answer 25

SDLC, HDLC, HSSI

Question 26

offered no authentication, supported only half-duplex communications, had no error detection capabilities, and required manual link establishment and teardown

Answer 26

Serial Line Internet Protocol (SLIP)

Question 27

encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links.

Answer 27

Point to Point protocol (PPP)

Question 28

PPP was originally designed to support CHAP and PAP for authentication. However, recent versions of PPP also support 3 newer protocols...

Answer 28

MS-CHAP, EAP & SPAP

Question 29

What security issues are related to VoIP

Answer 29

caller ID spoofing, vishing, SPIT, call manager software/firmware attacks, phone hardware attacks, DoS, MitM,

Question 30

Are plain old telephone service (POTS) and public switched telephone network (PSTN) the same

Answer 30

yes

Question 31

is NAT directly compatible with IPSec

Answer 31

No because it modifies packet headers

Question 32

What version of NAT proxies are designed to support IPSec over NAT.

Answer 32

NAT-Traversal (RFC 3947) was designed to support IPSec VPNs through the use of UDP encapsulation of IKE

Question 33

``` active entities (such as users) that access passive objects (such as files) ```

Answer 33

subjects

Question 34

Does accountability include authorization

Answer 34

No

Question 35

Does accountability require proper identification and authentication

Answer 35

Yes

Question 36

to stop unwanted or unauthorized activity from occurring

Answer 36

Preventative

Question 37

to discover unwanted or unauthorized activity

Answer 37

Detective

Question 38

restore systems to normal after an unwanted or unauthorized activity has occurred

Answer 38

Corrective

Question 39

attempt to discourage violation of security policies, by encouraging people to decide not to take an unwanted action

Answer 39

Deterent

Question 40

attempt to repair or restore resources, functions, and capabilities after a security policy violation

Answer 40

Recovery

Question 41

attempt to direct, confine, or control the action of | subjects to force or encourage compliance with security policy

Answer 41

Directive

Question 42

provide options or alternatives to existing controls to aid in enforcement and support of a security policy

Answer 42

Compensation

Question 43

generates and displays one‐time passwords, which work with an authentication server

Answer 43

synchronous token

Question 44

uses a challenge‐response process to generate the one‐time password

Answer 44

asynchronous token

Question 45

XML‐based framework used to exchange user information for single sign‐on (SSO) between organizations within a federated identity management system

Answer 45

Security Assertion Markup Language (SAML)

Question 46

supports SSO in a single organization, not a federation.

Answer 46

Kerberos

Question 47

combination of effective identification, authentication, and auditing provides for

Answer 47

accountability

Question 48

most common SSO method used within organizations, and it uses symmetric cryptography and tickets to prove identification and provide authentication.

Answer 48

Kerberos

Question 49

Other SSO methods include

Answer 49

scripted access, SESAME and KryptoKnight. OAuth and OpenID are two newer SSO technologies

Question 50

uses UDP and encrypts passwords only to provide AAA services

Answer 50

RADIUS

Question 51

uses TCP and encrypts entire session to provide AAA services

Answer 51

TACACS+

Question 52

becoming more popular with smart phones, but is not compatible with RADIUS

Answer 52

Diameter

Question 53

principle ensures that access to an object is denied unless access has been explicitly granted to a subjec

Answer 53

Implicit Deny not explicit

Question 54

table that includes subjects, objects, and assigned privileges

Answer 54

Access Control Matrix

Question 55

another way to identify privileges assigned to subjects. focused on subjects (such as users, groups, or roles)

Answer 55

Capability Table

Question 56

list all the users and/or groups that are authorized | access to the file and the specific access granted to each; focused on objects

Answer 56

Access Control List

Question 57

restricted interfaces to restrict what users can do or see based on their privileges

Answer 57

Constrained Interface

Question 58

restrict access to data based on the content within an object

Answer 58

Content-Dependent Control

Question 59

require specific activity before granting users access such as going thru the purchasing process on a website

Answer 59

Context-Dependent Control

Question 60

access control model is prohibitive and it uses an implicit‐deny philosophy (not an explicit‐deny philosophy). It is not permissive and it uses labels rather than rules.

Answer 60

Mandatory Access control model

Question 61

should threat modeling or asset value be done first?

Answer 61

Asset value, so that the focus on threats are set to high value items

Question 62

what is an effective tool to prevent the success of social-engineering

Answer 62

user education