CIS 473 Final Question Set 3

Question 1

What does Pretty Good Privacy (PGP) do ?

Answer 1

-Provides a confidentiality and authentication service that can be used for electronic mail and file storage applications

Selected the best available cryptographic algorithms as building blocks

• Integrated these algorithms into a general-purpose application that is independent of operating system and processor and that is based on a small set of easy-to-use commands
• Made the package and its documentation, including the source code, freely available via the Internet, bulletin boards, and commercial networks
• Entered into an agreement with a company to provide a fully compatible, low-cost commercial version of PGP

Question 2

What is Secure/Multipurpose Internet Mail Extension (S/MIME) ?

Answer 2

Secure/Multipurpose Internet Mail Extension (S/MIME) is a security enhancement to the MIME Internet e-mail format standard based on technology from RSA Data Security

Question 3

What is the traditional e-mail format standard ?

Answer 3

RFC 822

Note: To understand S/MIME, we need first to have a general understanding of the underlying e-mail format that it uses, namely MIME. But to understand the significance of MIME, we need to go back to the traditional e-mail format standard, RFC 822, which is still in common use

Question 4

What is RFC 5322 ?

Answer 4

• Defines a format for text messages that are sent using electronic mail
• Messages are viewed as having an envelope and contents
• The envelope contains whatever information is needed to accomplish transmission and delivery
• The contents compose the object to be delivered to the recipient
• RFC 5322 standard applies only to the contents
• The content standard includes a set of header fields that may be used by the mail system to create the envelope

Question 5

What is Multipurpose Internet Mail Extensions (MIME) ?

Answer 5

• An extension to the RFC 5322 framework that is intended to address some of the problems and limitations of the use of Simple Mail Transfer Protocol (SMTP)
• Is intended to resolve these problems in a manner that is compatible with existing RFC 5322 implementations

Question 6

How can an MIME be secured ?

Answer 6

S/MIME secures a MIME entity with a signature, encryption or both.

• The MIME entity is prepared according to the normal rules for MIME message preparation
• The MIME entity plus some security-related data, such as algorithm identifiers and certificates, are processed by S/MIME to produce what is known as a PKCS object
• A PKCS object is then treated as message content and wrapped in MIME

Question 7

What do IPsec provide ?

Answer 7

provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet

Question 8

What are the exmaples in make use of IPsec ?

Answer 8

• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security

Question 9

In IP security chapter, what are the fucntions of Transport Modes?

Answer 9

• Provides protection primarily for upper-layer protocols•Examples include a TCP or UDP segment or an ICMP packet
• Typically used for end-to-end communication between two hosts
• ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
• AH in transport mode authenticates the IP payload and selected portions of the IP header

Question 10

In IP Security chapter, What are the fuctions of Tunnel Mode ?

Answer 10

• Provides protection to the entire IP packet
• Used when one or both ends of a security association (SA) are a security gateway
• A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec
• ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header
• AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header

Question 11

What are three classes of Intruders ?

Answer 11

1. Masquerader
2. Misfeasor
3. Clandestine user

Question 12

What is Masquerader ?

Answer 12

•An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account

Question 13

What is Misfeasor ?

Answer 13

•A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges

Question 14

What is Clandestine user ?

Answer 14

•An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

Question 15

What are Intrusion Detection Systems (IDSs) and Intrusion prevention Systems (IPSs) ?

Answer 15

• are designed to counter hacker threats
• In addition to using such systems, organizations can consider restricting remote logons to specific IP addresses and/or use virtual private network technology

Question 16

What does CERTs stand for ?

Answer 16

• Computer emergency response teams
• These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers
• Hackers also routinely read CERT reports
• It is important for system administrators to quickly insert all software patches to discovered vulnerabilities

Question 17

What are Intrusion Techniques ?

Answer 17

• Objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system
• Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a backdoor into the system

Question 18

What are the Honeypots ?

What is it designed for?

Answer 18

•Decoy systems that are designed to lure a potential attacker away from critical systems

Designed for:

1. divert an attacker from accessing critical systems
2. collect information about the attacker’s activity
3. encourage the attacker to stay on the system long enough for administrators to respond

Question 19

What is Base-Rate Fallacy ?

Answer 19

•To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level

Question 20

What happen if Honeypot deploy outside the firewall ?

Answer 20

A honeypot outside the external firewall (location 1 ) is useful for tracking attempts to connect to unused IP addresses within the scope of the network. A honeypot at this location does not increase the risk for the internal network. The danger of having a compromised system behind the firewall is avoided. Further, because the honeypot attracts many potential attacks, it reduces the alerts issued by the firewall and by internal IDS sensors, easing the management burden. The disadvantage of an external honeypot is that it has little or no ability to trap internal attackers, especially if the external firewall filters traffic in both directions

Question 21

What happen if Honeypot deploy near Servic Network ?

Answer 21

The network of externally available services, such as Web and mail, often called the DMZ (demilitarized zone), is another candidate for locating a honeypot (location 2 ). The security administrator must assure that the other systems in the DMZ are secure against any activity generated by the honeypot. A disadvantage of this location is that a typical DMZ is not fully accessible, and the firewall typically blocks traffic to the DMZ that attempts to access unneeded services. Thus, the firewall either has to open up the traffic beyond what is permissible, which is risky, or limit the effectiveness of the honeypot

Question 22

What happen if Honey is deployed ar Internal Network ?

Answer 22

A fully internal honeypot (location 3 ) has several advantages. Its most important advantage is that it can catch internal attacks. A honeypot at this location canalso detect a misconfigured firewall that forwards impermissible traffic from the Internet to the internal network. There are several disadvantages. The most serious of these is if the honeypot is compromised so that it can attack other internal systems. Any further traffic from the Internet to the attacker is not blocked by the firewall because it is regarded as traffic to the honeypot only. Another difficulty for this honeypot location is that, as with location 2, the firewall must adjust its filtering to allow traffic to the honeypot, thus complicating firewall configuration and potentially compromising the internal network.

Question 23

What are Firewall Characteristics ?

Answer 23

•Design goals for a firewall:

• All traffic from inside to outside, and vice versa, must pass through the firewall
• Only authorized traffic, as defined by the local security policy, will be allowed to pass
• The firewall itself is immune to penetration

Question 24

What are the techniques that Firewall use ?

Answer 24

• Service Control: Determine the types of Internet services that can be accessed, inbound or outbound
• Direction control: Determine the direction in which particular service requests may ne intiated and allowed to flow through the firewall
• User Control: Controls access to a service according to which user is attempting to access it
• Behavior control: Controls how particular sevices are used

Question 25

What is a packet filtering ?

Answer 25

A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. The firewall is typically configured to filter packets going in both directions (from and to the internal network)

Question 26

What is the **strengths** of Packet Filering Firewalls ?

Answer 26

* Its simplicity * Transparent to users and are very fast

Question 27

What is the weakness of Packet Filtering Firewalls ?

Answer 27

* Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions * Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited * Most packet filter firewalls do not support advanced user authentication schemes * Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack * Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations

Question 28

What is Bastion Host ?

Answer 28

is a system identified by the firewall administrator as a critical strong point in the network’s security. Typically, the bastion host serves as a platform for an application-level or circuit-level gateway

Question 29

What is Host-Based Firewall ?

Answer 29

firewall is a software module used to secure an individual host. Suchmodules are available in many operating systems or can be provided as an add-on package. Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets. A common location for such firewalls is a server.

Question 30

How many Firewall is need for a proper protection?

Answer 30

2

Question 31

What is Virus ?

Answer 31

Malware that, when executed, tries to replicate itself into other executable code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.

Question 32

What is Worm ?

Answer 32

A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.

Question 33

What is Trojan Horse ?

Answer 33

A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanism, somtimes by exploiting legitimate authorizations of system entity that invokes the Trojan horse program,

Question 34

What is Mobile Code ?

Answer 34

Software (e.g script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.

Question 35

What is Rootkit ?

Answer 35

Set of hacker tools used after attacker has broken into the computer system and gained root-level access.

Question 36

What is Zombie, bot ?

Answer 36

Program activated on an infected machine that is activated to launch attacks on other machines.

Question 37

Keylogger

Answer 37

Captures keystrokes on a compromised systems

Question 38

What are the four Virus phrases ?

Answer 38

**Dormant Phase** * This virus is idle * Will eventually be activated by some event * Not all viruses have this stage **Propagation Phase** * This virus places a copy of itself onto other programs or into certain system area on the disk **Triggering Phase** * **The virus is activated to perform the function for which it was intended.** **Execution Phase** * **The function is** **performed**