deck_2250368 Flashcards
Q1: What kind of intellectual property components grant the right to exclude others from selling an invention in the United States?
A1: Patents. A patent for an invention is the granting of a property to the inventor, issued by the Patent and Trademark Office. The right conferred by the patent grant is in the language of the statute and of the grant itself, the right to exclude others from making, using, offering for sale, or selling the invention in the United States or importing the invention into the United States. Copyrights protect original works of expression, such as novels, fine and graphic arts, music, phone records, photography, software, video, cinema, and choreography by preventing people from copying or commercially exploiting them without the copyright owner’s permission. Trademarks protect brand names and distinctive words, phrases, logos, symbols, slogans, and any other devices used to identify and distinguish products or services in the marketplace. Trade secrets protect sensitive information required for your business.
Q2: Which of the following describes sensitive intellectual property critical for your business?
A2: Trade secrets. Trade secrets protect sensitive information required for your business.
Q3: When a competitor creates a similar-looking but not identical mark, what are they using to attack the trademark?
A3: Confusion. Beyond counterfeiting a mark, an attacker could create a similar-looking mark to achieve confusion. Confusion involves a similarity in the overall impression created by the two marks, including the marks’ looks, phonetics, and underlying meanings.
Q4: What type of intellectual property would be protected by a copyright?
A4: An original artistic or literary work. A trademark prevents someone from using a similar mark. A copyright protects an original artistic or literary work. A patent protects an invention.
Q5: What is fair use of copyrighted material?
A5: An exception to the rights of a copyright holder that permits limited, third-party use of the material. Fair use limits the right of a copyright owner for purposes such as criticism, news reporting, teaching, and research. In general, nonprofit educational use is more acceptable. The amount of material copied is an issue. The economic effects should also be considered.
Q6: Most incident handlers move between two steps in their daily activity. Preparation is one step. What is the other step?
A6: Identification. The steady-state, day-to-day practices of most incident handlers are the first two steps: preparation and identification. Much time is spent getting ready to fight the next battle and looking for events that could be signs of trouble.
Q7: Of the following choices, which is an example of an event?
A7: Packet flooding within a network. Packet flooding within a network (could be bursty legitimate traffic) is an example of an event. Events are observable, measurable occurrences in computer systems. An event is an occurrence that someone either directly experienced or that can be shown to have actually occurred. An event is something that is seen as a flash on the screen or is heard. It can also be something that is known to have occurred because it was collected in a log or audit file.
Q8: What are the steps of incident handling?
A8: Preparation, identification, containment, eradication, recovery, and lessons learned. The correct steps are preparation, identification, containment, eradication, recovery, and lessons learned.
Q9: In incident handling, what step must precede the containment phase?
A9: Identifying an incident’s existence. Once an incident has been defined, then you can move into the containment phase. Eradication, recovery, and lessons learned occur after containment.
Q10: What defines a security incident?
A10: Harm done or threatened to a system. An incident refers to harm or the significant threat of harm.
Q11: Why is an incident-handling plan important?
A11: It will help you be prepared when an incident occurs. All systems on the Internet will be subject to an incident at some point. It is important to have a plan in place for when this happens. Training your team on what to do is important, but it is not the reason for incident handling; instead, it is a form of preparation for incident handling.
Q12: Which of the following is the best choice for inclusion in a policy that governs the handler’s access to production systems during an incident?
A12: A process by which incident handlers can obtain necessary access during an incident. The incident-handling team must be able to access systems without the okay of system administrators. One idea is to keep passwords in a sealed envelope, although handlers should never use a privileged password unless they are qualified on that operating system. As encryption becomes ever more prevalent, an organization must set policy as to who owns secret keys and passphrases.
Q13: What should you consider before electing to use a video camera to record the incident-handling process?
A13: The tape may contain more information than you want to give away if the case goes to court. Some organizations prefer to use video cameras. However, keep in mind that if your case does go to court, during the discovery process, you may have to turn the tape over to the opposing side. A tape may contain far more information about your operation than you want to give away.
Q14: Which of the following can be used to limit the presumption of privacy?
A14: Warning banners. Warning banners limit the presumption of privacy.
Q15: Which of the following would be a reason to notify law enforcement of a security incident?
A15: Threat to public safety. When there is a threat to public safety, you must notify law enforcement.
Q16: When should you first contact local law enforcement regarding incident handling?
A16: Before an incident happens in order to develop contacts. It is important to develop a relationship with your local law enforcement representatives before an incident occurs. This will give you the right contacts so you do not waste time during an incident. Having the relationship in place can only help when dealing with legal issues.
Q17: What can be used to reduce stress and the resulting errors on an incident handler during an incident?
A17: A checklist. Contact lists and secure communications are important and useful, but they focus on communications, which may or may not help reduce stress and lead to mistakes. Practice is extremely important, assuming you are correctly practicing the right thing. A checklist, however, provides direction and avoids many anticipated mistakes, which can reduce stress on the handler. Having a checklist to refer to on how to bring down a system or back up a system can help prevent errors and reduce the stress on the handler.
Q18: What is the primary role of management regarding incident handling?
A18: To approve procedures and policy before an incident occurs. The most important job that management has is to review the Incident Handling process during the Preparation phase and give their buy-in to the procedures. Management should also be given a status during the incident, but it is rare for a manager to be doing the hands-on work during an incident.
Q19: How would an incident handler define a war room?
A19: A secure room with copies of evidence from relevant incidents. A war room is a secured location where the incident handling team can display evidence for analysis.
Q20: Why might an organization decide against involving law enforcement after a computer security incident?
A20: Loss of control over how the incident is handled. Law enforcement may compel an organization to keep systems open and exposed to continued hacking. Law enforcement may have different goals in the case, and the organization could lose some control of how the incident is handled.
Q21: What part of an organization is an attacker most likely to target when attempting to socially engineer the organization?
A21: The help desk. If an attacker attempts to socially engineer an organization, one likely group is the help desk.
Q22: What must an incident handler do during the initial phases of an incident?
A22: Be calm and methodical about taking notes. It is extremely important to remain calm and not rush yourself when handling an incident. Taking notes is very important and should not be put off until you have time, as your memory may not be 100% after working on the incident.
Q23: Which of the following organizations support interaction between law enforcement and commercial companies?
A23: HTCIA and Infragard. Contact local law enforcement before there is an incident. Get to know them through a local chapter of the HTCIA, ECTF, or Infragard, if such chapters exist in your area. Do a joint exercise with them and ask them questions in advance to try to determine what they are and are not interested in.
Q24: At what levels can events be detected during the identification phase?
A24: The network perimeter, the host perimeter, and the system level. Identification can occur at any of the following three levels: (1) the network perimeter, (2) the host perimeter, and (3) the host (or system) level.
Q25: Your incident-handling team has determined your organization has been hit by a virus that takes advantage of a specific version of a PDF reader. Your team is gathering a list of potentially affected users based on your software inventory. What stage of the incident-handling process is occurring?
A25: Identification. There are many questions that need to be asked during the initial assessment of an incident in order to determine whether it is an actual incident or an event and to assess the severity of the incident. One way to determine the severity is to ask yourself how widely the affected application or system is deployed in your environment. Deciding if an application should be ported to another operating system is important in the recovery and lessons-learned phases. Jump bag contents should be decided upon early in the preparation phase and realizing what you have learned is the last step, the lessons-learned phase.
Q26: What can be monitored using personal firewalls and host-based intrusion prevention systems, local firewalls, and port sentry tools?
A26: Host perimeter. The host perimeter border can be monitored using personal firewalls and host-based intrusion prevention systems, local firewalls, and port sentry tools.
Q27: Which port does the Tini Trojan horse command shell tool listen on, by default?
A27: TCP/7777. Tini, a common Trojan horse backdoor remote command shell tool, listens on TCP port 7777 by default.
Q29: What would you use in conjunction with the tasklist command to determine which services have started?
A29: Net start. At the command line, to get a list of running services, you could execute the following command: C:\> net start.
Q30: In order to identify an incident, what devices on the network perimeter would you examine?
A30: Routers. The network perimeter is monitored by firewalls, routers that generate logs, external-facing intrusion detection systems, intrusion prevention systems, and other machines on the DMZ. These systems can provide earlier warnings about attacks as they monitor your borders with the Internet and other external networks.
Q31: In order to identify an incident, what devices at the host perimeter would you examine?
A31: Port sentry tools. The host perimeter is where you monitor activities across each host system’s interface, analyzing what the machine is sending out to, and receiving from, the network. This border can be monitored using personal firewalls and host-based intrusion prevention systems, local firewalls, and port sentry tools.
Q32: In order to control the flow of information during an incident and/or investigation, what process or policy must you follow?
A32: Need to know. Limiting knowledge of an incident to the minimum number of people with an absolute need to know stops the rumor mill and avoids legal ramifications and/or tipping off a potential insider perpetrator.
Q33: When dealing with an incident, which form of communication should be used to keep from tipping off the perpetrator?
A33: Out of band. Make sure to use out-of-band communications when dealing with an incident. If you use the same channels in which an incident occurred, you could tip off the perpetrator and/or continue the incident by using compromised channels.
Q34: What is the goal of the identification phase of incident handling?
A34: Gather events, analyze them, and determine whether an incident exists. The goal of the identification phase is to gather events, analyze them, and determine whether an incident exists.
Q35: How many individuals should be in charge of managing an incident?
A35: One. If one person is not in charge, no person is in charge. For an incident to be successfully managed, one person always needs to be in charge and accountable.
Q36: If an incident has two handlers, what is the preferred approach to note taking?
A36: Both people take notes, because two accounts of the incident are better than one. During an incident, you should always take notes. Having an assistant take notes as well is important, but it does not relieve you of the responsibility.
Q37: Which tool can be used to make a complete bit-by-bit backup of a system’s hard drive?
A37: dd. If possible, make a binary or bit-by-bit backup using dd.
Q38: To keep from losing valuable data, which of the following will a handler need to collect for incident handling or forensics?
A38: Both memory and file-system images. Grab an image of memory as well as the file system. The ideal image is the binary, bit-by-bit image; this gets everything on the disk, including deleted and fragmentary files.
Q39: When extended downtime is acceptable, what phase can you move into from containment?
A39: Eradication. After creating forensic images, you move on to the eradication phase when extended downtime is acceptable.
Q40: Who is the most appropriate sponsor for an incident-handling team?
A40: Senior legal counsel. Your incident-handling team should have a senior member of management as its sponsor. This manager can help to clear out obstacles when you are under fire. To do that, you should strive to find a sympathetic senior manager, such as a chief information security officer (CISO), chief information officer (CIO), senior legal counsel, or another related position that makes the most sense in your organizational structure.
Q41: Before dropping or pulling a system from the network, who do you need to inform and obtain approval from?
A41: Business unit. Containment (both short- and long-term) might stop the system from performing various business actions. Therefore, make sure you get approval before taking action that will impact business. Call the business unit teams before dropping a system.
Q42: What three areas does FIRST recommend using to characterize incidents?
A42: General category, criticality, and sensitivity. The FIRST organization distributes an incident case classification document that recommends characterizing incidents based on three areas: (1) the general category, (2) the criticality of impacted systems and data, and (3) the sensitivity with which information about the case itself should be treated.
Q43: What is the goal of the containment phase of incident handling?
A43: Minimize the damage. The goal for containment is to stop the bleeding.
Q44: During the containment phase, why should an incident handler carefully avoid blaming any individual for an incident?
A44: Initial assumptions are often wrong and a handler needs cooperation at this phase of an investigation. Often the facts change as more information becomes available during an incident. Early assumptions are often proved wrong. If you were to blame an individual and the facts later showed that the person was not at fault, your credibility would be lost, at least in that part of the organization.
Q45: What are the three subphases of containment?
A45: Short-term, system backup, and long-term. Containment includes three subphases: (1) short-term containment just to stop the damage, (2) system backup, and (3) long-term containment to make sure the bad guy is denied access.
Q46: In what type of incident can coordination with an ISP be especially helpful for containment?
A46: Denial-of-service packet floods. ISPs are the only ones who can reliably stop a DoS attack before it hits your network, since they are upstream.
Q47: Which activity is a sure sign of an inexperienced incident handler and should be avoided during the initial analysis portion of the containment phase?
A47: Sending an ICMP echo request to the source machine. Rookie incident handlers can be spotted a mile away with a network-logging system. They find an attack apparently coming from some IP address. So they ping the address, then they do an nslookup. Sometimes, they even Telnet to it.
Q48: Who on the incident handling team will actually write the incident report?
A48: On-site handler. The only one that can or will write the report is the on-site handler. The handler submits the draft to the head of the incident handling team.
Q49: How soon after resuming production should a lessons-learned meeting be conducted?
A49: Two weeks. The lessons-learned meeting should occur within two weeks of resuming production, while the events and report are still fresh in people’s minds.
Q50: What does an incident response team do during the lessons-learned phase?
A50: Develop a report based on the incident. The lessons-learned phase requires the person handling the incident to document the findings and issue a report. Everyone involved in handling the incident should sign off on the report, agreeing to its contents.
Q51: What is the purpose of lessons learned?
A51: To learn from our mistakes and provide continuous process improvement. The main purpose of lessons learned is to learn from our mistakes and to improve the process of incident handling and report creation.
Q52: What will you find when you examine the trust relationships of an affected system during an incident?
A52: Which additional systems may be affected by the incident. Trust model is a term used to refer to the set of permissions or trusts between systems. Which systems can the affected system access? Which systems can be used to access the affected system? Determining the trust model gives you an idea of the possible scope of the problem, as well as an idea of possible attack vectors.
Q53: You discover that some of your users have received an e-mail claiming to be from Microsoft telling them to install the Windows OS patch attached. How should you react?
A53: Find out how many users received the e-mail and spread the word that it is not to be installed. It is important to not spread rumors or unnecessary information during an incident. If your users are all receiving e-mail such as this, they are all possible victims and they should all be warned. This is an example of when it is important to spread the word to avoid possible exploitation of users’ workstations. For the record, Microsoft does not send out patches via e-mail. You should also educate your users to never install software or patches they receive in e-mails, no matter who the sources claim to be.
Q54: For any business, which of the following is the most likely target of an espionage attack?
A54: Intellectual property. The physical differences between your organization and your competition are probably minimal. The trade secrets, marketing contacts, business plans and other intellectual property make all the difference. The odds are fairly high that these crown jewels are the target.
Q55: What threat can an active security awareness program address most effectively?
A55: Casual, nondestructive insider. Many casual threats come down to a lack of awareness on the employee’s part. You must make sure your awareness activities deal with each of these aspects of security.
Q56: What kind of threat is posed by an insider who sells company secrets to the competition?
A56: Intentional, nondestructive. A casual threat usually stems from the employee’s lack of understanding. The employee does not mean to cause any harm and if the employee realized his or her actions were causing harm, he or she would stop. Acts with a nondestructive intent are usually perpetrated by those that do not want to draw attention to the intrusion. They plan to gather data for a long period of time, may plant a backdoor for later use, and are careful to cover their tracks.
Q57: What type of insider threat disables antivirus and downloads untrusted programs?
A57: Casual, destructive. Casual, destructive insider threats include disabling antivirus programs and downloading untrusted programs.
Q58: Which of the following is a great way to thumbprint critical files?
A58: Invent an acronym that does not actually exist and plant it into the document. A great way to thumbprint critical files is to invent an acronym that does not actually exist and plant it into the document.
Q59: Which of the following insider threats is potentially the least harmful to the organization?
A59: Casual, nondestructive. Casual, nondestructive insider threats are the least harmful to an organization and generally include forwarding emails and/or leaving doors open.
Q60: What type of insider threat includes deleting data and website defacement?
A60: Intentional, destructive. Examples of intentional, destructive insider threats include logic bombs, website defacement, and deleting data.
Q61: Who is most likely to be prosecuted for espionage?
A61: Trusted insider. Almost every case of espionage prosecuted by the U.S. government involved a trusted insider.
Q62: Why is it important to hash your log files?
A62: To preserve their integrity. By hashing (file integrity) your log files, you are preserving their integrity to ensure that they have not been altered.
Q63: When handling an incident involving e-mail, which of the following is most important to determine?
A63: Whether the message came from inside or outside of the organization. In order to track down the sender of a message, and to determine the message’s route into an organization, it is important to determine if it was generated internally or externally.
Q64: Unknown to you, a new employee was actually hired by a competitor to obtain your proprietary information. Which type of threat is this?
A64: Intentional threat. The intentional, nondestructive insider threat is the hardest to detect. The goal of this type of threat is usually theft of trade secrets/proprietary information. The intentional, destructive threat is performed by a disgruntled employee and is considered purposeful sabotage. The casual threat usually stems from an employee’s lack of understanding. The casual, nondestructive threat includes the “forgot to or did not realize I could not do that” threat. The casual, destructive threat includes not utilizing the latest virus detection file.
Q65: What action allows an attacker to grab all records associated with a DNS domain?
A65: Zone transfer. A zone transfer allows an attacker to connect with your DNS server and grab all records associated with a particular domain.
Q66: For what purpose is the following Google search designed? wireless site:somecompany.net
A66: The purpose is to search for all instances of the term wireless on the somecompany.net website. The search wireless site:somecompany.net will produce a search result for the term wireless limited to the site somecompany.net.
Q67: What should you do when downloading software from a mirrored site?
A67: Hash and compare signatures. Make sure you check the PGP signature as well as the MD5 and SHA-1 hashes from multiple mirrors when you download new or existing versions.
Q68: Which of the following sites can provide domain name registration lookup for over 200 countries?
A68: www.uwhois.com. ARIN is the American Registry for Internet Numbers. RIPE NCC is the Réseaux IP Européens Network Coordination Centre. APNIC is the Asia Pacific Network Information Centre. www.uwhois.com provides information for over 200 different countries.
Q69: What file would an organization need to alter in order to keep a page on their site from being searched by Google?
A69: robots.txt. To get Google to remove you, you not only have to request page removal using their form, you also have to alter the website’s robots.txt file or alter the page’s meta tag to indicate that you really want it removed.
Q70: What tool would you use to find the IP address of www.something.com, natively, on a Windows machine?
A70: nslookup. The nslookup command will reveal the IP address associated with a designated domain name.
Q71: What tool can be used to interrogate DNS servers?
A71: nslookup. nslookup is a program that can be used to interrogate DNS servers.
Q72: What tool can no longer perform zone transfers?
A72: Linux nslookup. In the latest versions of Linux nslookup, the command has been stripped so that it cannot perform zone transfers, a useful technique for getting a lot of information about a target domain.
Q73: Which of the following choices is used for reconnaissance?
A73: Whois database. One of the best tools to use for reconnaissance is a whois database, many of which exist on the Internet.
Q74: How can you identify if someone has performed a whois reconnaissance on your organization?
A74: You cannot really tell whether someone has looked you up. The problem with identification is that you cannot really tell whether someone has looked you up.
Q75: What taxonomy was established by MITRE to help standardize the descriptions of attacks?
A75: Common Vulnerabilities and Exposures. CVE is the Common Vulnerabilities and Exposures taxonomy established and maintained by MITRE. It is used to help identify particular attacks so we are using the same vernacular.
Q76: Which of the following Google directives allows you to search only within a given domain?
A76: site. The site directive allows an attacker to search for pages on a single site or domain, narrowing down and focusing the search.
Q77: Which of the following Google directives provides the same information already provided by the link or related directives?
A77: info. The info directive is not very useful. It returns a bunch of data, including results from link and related searches, as well as cached pages.
Q78: When reviewing your Web logs, you notice that someone has accessed all your Web pages in a short time period. Which of the following did the perpetrator use?
A78: Web spider. When a Web admin reviews Web logs, an indication that someone has used a Web spider (also known as a Web crawler) to access every page on your site in a short period of time (say within 5 minutes) would show up easily.
Q79: After a perpetrator has completed reconnaissance on a site, what is likely to be the next step in their attack?
A79: Scanning. Once a perpetrator has performed the appropriate level of reconnaissance on a site, his or her next steps are to scan, exploit the system by gaining access, and cover his or her tracks.
Q80: What protocol and port are used by a normal DNS query when resolving the name for a website?
A80: UDP port 53. Normal DNS queries and responses use UDP port 53.
Q81: Which protocol and port are typically used for zone transfers?
A81: TCP port 53. Zone transfers use TCP port 53.
Q82: What is war driving?
A82: Driving around looking for wireless network access points with a laptop and suitable software. War driving is driving around with a computer and a wireless receiver while scanning for available wireless networking carriers. You can also scan while walking (war walking), biking (war biking), etc.
Q83: Which of the following tools can be used to perform highly distributed war-dialing attacks?
A83: THC-Scan Next Generation. THC-Scan Next Generation was written to allow for highly distributed war dialing attacks. An attacker can use a bot-net with 10, 100, 10,000 or more modems on victim machines to do the dialing now.
Q84: When conducting evening desk-to-desk checks for unauthorized modems, the security team should always follow which rule?
A84: Use the buddy system, where two or more people go into each office or cubicle. When you do desk-to-desk checks, you should always employ the two-person rule (a.k.a. the buddy system). With an explicit two-person team checking for unwanted/unregistered modems, you will not be subject to claims of unfairness or, worse yet, theft from people’s desks. If a single person checks for modems late at night and something turns up missing from someone’s desk, you may have significant problems.
Q85: What does a war dialer attempt to identify when it dials a phone number?
A85: Modems. War dialers are looking for modem carriers or a secondary dial tone. Once the modem is located, further steps are required in order to exploit.
Q86: Which of the following is an effective way of detecting entry points created by modems connected to computers within the corporate network?
A86: Perform periodic war-dialing scans against the company’s phone numbers. An effective, nondisruptive way of protecting a network against entry points created by modems connected to computers within the corporate network is to perform periodic war-dialing scans against the company’s phone numbers. In this way, an administrator will see the network from the perspective of someone attempting to compromise the network and be able to detect any rogue modems that exist on the network.
Q87: Which tool can be used to crack WEP keys after the attacker sniffs about 50 to 100 megabytes of data?
A87: Aircrack-ng. With tools like Aircrack-ng, the attacker needs to sniff about 50 to 100 megabytes of data, which can often be done in 10 to 30 minutes. After grabbing this data, the tool cracks the WEP key, and the attacker can view all data on the LAN recorded earlier and sent later, as long as the WEP key remains constant.
Q88: Which WarVOX setting, when defined as the caller ID, can be used in order to bypass PIN authentication settings for some voice mail systems?
A88: SELF. WarVOX can be configured with SELF as the caller ID value, which will make it set the Caller ID value to the same number that it is dialing. This option can be used to bypass PIN authentication in some voice mail systems.
Q89: Which of the following THC-Scan features consists of sending a predefined string of characters to a discovered modem?
A89: Nudging. Nudging sends a predefined string of characters to a discovered modem.
Q90: Which of the following tools will record an MP3 file associated with each number dialed and answered?
A90: WarVOX. WarVOX will record an MP3 file associated with each number dialed and answered..
Q91: Which of the following choices is an effective method of obtaining valid phone numbers for war dialing?
A91: Social engineering. War dialers dial a sequence of telephone numbers in an attempt to locate modem carriers or a secondary dial tone. Social engineering is one of the methods for obtaining phone numbers for war dialing..
Q92: Which of the following dials a single number to conduct a brute-force attack against passwords?
A92: Demon dialers. Demon dialers dial a single number to conduct a brute-force attack against passwords..
Q93: What feature of an access point can be used to omit the SSID from its beacon?
A93: SSID cloaking. You can configure most access points to omit their SSIDs from their beacons, a feature known as SSID cloaking..
Q94: Why is MAC address filtering considered a flawed measure to ensure wireless security?
A94: Addresses can be spoofed.. While you could allow only traffic from registered MAC addresses, such security is deeply flawed. A MAC address can be easily spoofed (either by using the ifconfig command in Linux\/Unix or a free tool called Macshift.exe for Windows)..
Q95: What is the service set identifier (SSID) on a wireless LAN?
A95: The name of a wireless LAN. The SSID is merely the access point(s) identifier. It is not a password, encryption key, or log-in. It helps avoid giving it away to unauthorized users, but it can be discovered easily in any case..
Q96: What tool would you use to find unauthorized wireless access points on the network without alerting the owners?
A96: Kismet. Of the tools listed here, Kismet is the best for the job because it runs in passive mode. This means it does not stimulate the network to get a response. Instead, it patiently waits for messages sent across the network and can detect the presence of an access point, as long as traffic is being sent over the wireless LAN. Netstumbler can also be used to find access points, but it is not passive. ASLEAP does not look for access points; it is used to exploit the Lightweight Extensible Authentication Protocol (LEAP).
Q97: Which of the following choices is a commonality between TCP and UDP headers?
A97: Both contain source and destination ports. The TCP header includes the source and destination ports, as well as other elements that a port scanner will manipulate as it generates packets, such as the TCP control bits. The UDP packet header is simple. It includes the source port and destination port. No sequence numbers are included.
Q98: Which of the following Transmission Control Protocol (TCP) flags is used to indicate that data has been received?
A98: ACK. Transmission Control Protocol (TCP) has multiple flags that specify how data is handled. The SYN flag is used for synchronization. The ACK flag is used for acknowledgement. The FIN flag is used to end a connection gracefully. The RESET flag is used to tear down a connection. The URG flag is used to send urgent data, and finally, the PUSH flag is used to push data through the TCP stack.
Q99: You are analyzing the behavior of a backdoor Netcat listener you started on your local machine using the command: C:\> nc.exe -l -p 34567 -e cmd.exe. You have not yet connected to the listener. You next run the command C:\> netstat -na | find "34567". What output should you expect to see as a result?
A99: TCP 0.0.0.0:34567 0.0.0.0:0 LISTENING. You will be able to observe the listening port using the netstat command: C:\> netstat -na. More specifically, look for port 2222 using the netstat command: C:\> netstat -na | find "34567". Since it is simply in a listening state, the addresses will be shown as 0.0.0.0. The lines with nc.exe are generated with the -nab netstat option that additionally shows the process ID and the executable to which it belongs.
Q100: Which of the following fields do the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) headers have in common?
A100: Source port. The User Datagram Protocol (UDP) has no three-way handshake, sequence numbers, acknowledgment numbers, or control bits; therefore it is a stateless protocol. The UDP packet header is simple. It includes the source port and destination port. No sequence numbers are included.
Q101: Which of the following is a characteristic of the User Datagram Protocol (UDP)?
A101: It is sessionless. Transmission Control Protocol (TCP) is session-oriented, in that it applies sequence numbers to messages and tries to deliver them in an appropriate order and resends dropped messages. UDP (User Datagram Protocol) makes best-effort delivery, but messages may be dropped or delivered out of order. This makes UDP sessionless.
Q102: A legitimate TCP connection is established once the server receives a packet with which of the following?
A102: The ACK bit set. All legitimate Transmission Control Protocol (TCP) connections (e.g. Telnet and FTP) are established through this three-way handshake. For the TCP three-way handshake, the client first sends a SYN flag. If the client receives the server’s SYN and ACK, it sends a final, lone ACK. Once the server receives and accepts the ACK, the connection has been established.
Q103: What feature of FTP is utilized in an Nmap FTP bounce scan?
A103: The ability to forward a file to another system. FTP proxy bounce attacks utilize an ancient feature of FTP servers. These servers allow a user to tell the server to send the file to another system. Using this capability, an attacker can bounce an Nmap port scan off of someone’s FTP server, to help obscure the source of the attack. Make sure that you disable the FTP bounce capability from your public FTP servers.
Q104: Which of the following is correct for UDP?
A104: It is a stateless protocol. The User Datagram Protocol (UDP) does not have a three-way handshake or sequence numbers; therefore, it is a stateless protocol.
Q105: Which tool produced the following output? "(tcp) 10.0.0.17:7855 -> 10.0.0.1:22 Observed for: 584B, 9 packets, spans 5 seconds Matches: SSH1 - client manually accepted key (hit: 1)"
A105: Fl0p. Fl0p focuses on passive layer 7 fingerprinting of attack patterns. It helps to identify manual interactions vs. automated attacks.
Q106: Which of the following commands may be used to disable the ‘Bonjour Service’ service on a Windows machine?
A106: sc config "Bonjour Service" start= disabled. The following command may be used to disable the ‘Bonjour Service’ on a Windows machine: sc config "Bonjour Service" start= disabled.
Q107: Which TCP control bit is used to cleanly end a TCP connection?
A107: FIN. The TCP FIN bit is used to cleanly end a TCP connection.
Q108: Which type of Nmap scan will not work through a properly configured stateful packet-filtering device?
A108: ACK. A stateful packet filter remembers the outgoing SYNs, so it will only allow the incoming packet if it is tied to an earlier outgoing packet. Therefore, an ACK scan will not work through a properly configured stateful packet-filtering device.
Q109: Nmap sweeps through each target address before it launches a port scan. When running without root privileges on a Linux machine, what type of TCP packet will it send to port 80?
A109: SYN. When Nmap is running without root privileges (UID 0), Nmap sends a SYN to port 80 instead of an ACK.
Q110: What four packets does Nmap send by default to identify which addresses are in use?
A110: ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request. By default, to identify which addresses are in use, Nmap sends the following four packets to each address in the target range: (1) ICMP echo request, (2) TCP SYN to port 443, (3) TCP ACK to port 80, and (4) an ICMP timestamp request.
Q111: What is the identification field in the IP header used for?
A111: Packet fragmentation. The IP identification field in the IP header is used for packet fragmentation.
Q112: What type of connection does FTP use to send commands?
A112: Control connection. The FTP control connection, from client to server, is used to send commands.
Q113: Which of the following is an ideal use for UDP?
A113: Voice or video transmissions. UDP is useful for applications that value speed over reliable delivery, such as voice or video transmissions.
Q114: When using Nmap, what is the purpose of running an ARP scan?
A114: Identify which hosts are on the same LAN. ARP scans identify which hosts are on the same LAN as the machine running Nmap.
Q115: Which Snort preprocessor uses multiple virtual defragmentation buffers for reassembling packets?
A115: Frag3. Different operating systems reassemble packets differently. The IDS does not necessarily know which method the end system will use, so it could get confused. For example, Snort reassembles packets in the same way as Linux, using the earlier Frag2 fragmentation preprocessor. In November 2004, the Frag3 preprocessor was released, which included multiple virtual defragmentation buffers, making Snort better at handling fragmentation attacks.
Q116: Which of the following attacks creates fragments so small that no one fragment contains enough information to match an IDS signature?
A116: Tiny fragment attack. Tiny fragment attacks attempt to bypass an IDS sensor by breaking up the packet into multiple fragments, the first being so tiny that it will not match any signatures on the IDS. This attack is detected by most IDS sensors today. The fragment overlap attack is another common fragmentation attack, which is not caught as often.
Q117: What type of firewall replaces the headers in packets from the client and then makes a separate connection to the receiver?
A117: Proxy. Proxy firewalls make a separate connection to the receiver and the packet header information is annihilated.
Q118: What should an intrusion detection system look at from a fragmented packet?
A118: All of the fragments. An intrusion detection system should reassemble the packet to determine if an attack is underway. To do this, they must have adequate resources to maintain the state of all sessions that may be fragmented.
Q119: When packets are fragmented on a network, where are they normally reassembled?
A119: At the destination host. When IP packets are fragmented on a network, they are typically reassembled when they reach the destination host. The other devices listed typically allow the data to pass through fragmented.
Q120: What tool is used to determine which ports are open on a packet-filtering device like a firewall or router?
A120: Firewalk. Firewalk is used to send packets through a packet filter device to determine which ports are open.
Q121: What does the IP use in order to know how to reassemble packet fragments?
A121: Fragmentation offset. The fragmentation offset tells the IP where in the packet the fragment belongs. The offset indicates how far into the packet the fragment should be placed.
Q122: When using Fragrouter, which of the following switches sends data in ordered, 8-byte IP fragments, with one fragment sent out of order?
A122: -F3. Fragrouter uses the -F3 switch to send data in ordered, 8-byte IP fragments, with one fragment sent out of order. The other switches are actual switches used by Fragrouter, but they utilize different techniques for fragmenting IP packets.
Q123: What does Firewalk do in its network discovery phase?
A123: It determines the number of hops between the attacker and the filtering device. During the network discovery phase, Firewalk sends packets with incrementing TTLs to determine how many network hops exist between the tool and the firewall. When a packet reaches its maximum TTL (which is decremented by each hop), the final gateway sends back a time-to-live exceeded message. This is essentially the same function as traceroute, which is used to determine the hop count.
Q124: Which of the following choices should you use to edit /etc/inetd.conf or /etc/xinetd.d to stop or delete services?
A124: Chkconfig. Red Hat-based versions of Linux leverage chkconfig to edit /etc/inetd.conf or /etc/xinetd.d, as well as your rc.d files.
Q125: What Whisker/Nikto Intrusion Detection System evasion technique is shown below? "GET /%63%67%69%2d%62%69%6e/broken.cgi HTTP/1.0"
A125: URL encoding. URL encoding converts the HTTP request into a different representation by changing ASCII characters into their hexadecimal or other values and prepending them with a % character.
Q126: What kind of password attack does the Enum tool perform?
A126: Dictionary. Enum performs rudimentary dictionary password attacks using a supplied password list.
Q127: CGI programs usually run with which privileges?
A127: The privileges of the Web server that initiated the program. CGI/ASP/JSP programs usually have the privileges of the Web server that called them.
Q128: What tool can an attacker use to guess user IDs and passwords in a Web application that supports basic authentication?
A128: Nikto. For websites that require basic authentication, Nikto offers guessing from a standard list of users and passwords as well as complete brute-force password guessing.
Q129: What is the main drawback of a vulnerability scanner?
A129: It only detects vulnerabilities it knows about. A vulnerability scanner, like antivirus software, can only detect those vulnerabilities that it knows about. This can sometimes give a false sense of security, due to the misconception that the scanner will provide 100% protection.
Q130: Which type of password attack does Nikto use against websites?
A130: Dictionary. An attacker can use Nikto to launch a password-guessing attack. Password guesses are based on a dictionary/wordlist file. A hybrid attack is a mixture of a dictionary and brute-force attack. A brute-force attack tries to guess your password by trying every single combination of characters until your password is found.
Q131: Which of the following tools can you use to apply a source route to data and send it across the network?
A131: Netcat. Netcat can be used to set the route a packet will take at the source, and store that information along with the packet.
Q132: In order to spoof a UDP packet, which of the following steps is required?
A132: Generate traffic with spoofed source IP address. Spoofing datagram protocols is trivial because there is no concept of a session. An attacker can simply generate spoofed UDP or ICMP packets and send them into most networks, where they will be accepted by destination hosts that are waiting for the given UDP or ICMP packets. Of course, the attacker likely will not see the response to those packets, which will be routed to the address that the attacker spoofed.
Q133: To attack a Unix machine through its configured trust relationships, it will be necessary to predict future TCP sequence numbers. How can the sequence numbers be calculated?
A133: Have normal interactions with the victim while keeping a close record of how sequence numbers change with time. Record the sequence numbers of same-sized packets from previous connections: TCP sequence numbers can be predicted by maintaining normal communications with the targeted host and watching how the sequence numbers are generated. That will make it easier to predict the upcoming sequence number.
Q134: What can be used to drop packets that come in on one interface but have the source address of a network connected to a different interface?
A134: Router/Firewall anti-spoof filter. An anti-spoof filter drops (and should log) all packets coming on one interface with source IP addresses found on the other interface. For containment on incoming spoofed packets, you can apply temporary filters explicitly blocking the incoming packets, if someone is spoofing your addresses on the Internet, or you can rely on your anti-spoof filters to catch the data.
Q135: What is the third stage of the TCP three-way handshake?
A135: ACK. The TCP three-way handshake consists of three steps: 1) SYN, 2) ACK-SYN, and 3) ACK.
Q136: If a new entry is found in the Unix /etc/hosts.equiv file, what does this mean?
A136: Another remote host is considered trusted. A new entry in the Unix /etc/hosts.equiv file means that another remote host is considered trusted. The hosts.equiv file will list the hosts that are trusted by the local machine.
Q137: Which of the following defines a monkey-in-the-middle attack?
A137: The attacker is inserted between the source and destination of a connection. Monkey-in-the-middle, according to the dsniff README, refers to an attacker inserting himself between the source and destination of the packets to gather information.
Q138: Which of the following is a valid MAC address?
A138: 00.80.AD.45.CD.47. A MAC address is a 48-bit globally unique address that is hard coded into the network card. A MAC address looks something like 00.80.AD.45.CD.47 and is used to tell one network card from another.
Q139: How long is a MAC address?
A139: 48 bits. A MAC address is 48 bits long and identifies each network card on the Internet.
Q140: A sniffer requires an Ethernet interface to be in what mode in order to collect all packets off the network?
A140: Promiscuous. When an Ethernet interface is gathering all traffic, it is said to be in promiscuous mode.
Q141: Which of the following is an active sniffer that sends packets out on the network in order to redirect traffic to itself?
A141: Dsniff. “Dsniff” is an active network sniffer and will inject packets onto the network to redirect traffic back to the sniffer. An active sniffer, such as Dsniff, injects packets into the network to redirect traffic to it. Dsniff offers a variety of techniques for redirecting traffic.
Q142: What is the purpose of activating IP forwarding when conducting an ARP cache-poisoning attack?
A142: IP forwarding routes the packets intercepted by the attacker’s machine to the desired destination. An attacker can use dsniff’s arpspoof component to inject spurious ARP responses into a LAN. This will redirect all traffic from its intended destination and forward it to the attacker running a sniffer. Then, if IP forwarding is activated, the packet will route through the attacker’s machine and get forwarded to the true destination.
Q143: Which Dsniff tool can an attacker use to drop live connections forcing the victim to setup a new connection, whereby authentication credentials can be obtained by the attacker?
A143: Tcpkill. Tcpkill just injects resets into the conversation. It is not elegant, but it is highly useful. Using this tool, an attacker can drop live connections in a denial-of-service attack. More interestingly, an attacker can drop a connection, forcing the victims into setting up a connection again. When they set up a new connection, they will likely reauthenticate, giving the attacker a chance to grab authentication information.
Q144: Which of the following tools can you use to monitor HTTP looking for JPEG images?
A144: Driftnet. Driftnet monitors HTTP looking for JPEG images, which it sniffs and reconstitutes on the screen. A commercial tool, Niksun, can reconstitute an entire browsing session (as well as numerous other application-layer interactions) from captured traffic.
Q145: What can allow you to redirect information to a different system on the LAN?
A145: ARP cache poisoning. ARP cache poisoning or spoofing is a technique where an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
Q146: Which Dsniff component manipulates the MAC to physical plug mapping?
A146: Macof. Macof manipulates the MAC to physical plug mapping. It floods the switch with traffic containing many bogus MAC addresses.
Q147: What is one disadvantage of using a sniffer on a switched LAN?
A147: You can only capture traffic from the system in which you are sniffing. One advantage to a non-switched network from a sniffing perspective is that all traffic is forwarded to all ports making all traffic visible to the sniffer. In a switched LAN, you can only capture traffic from the system in which the sniffer is running.
Q148: What layer of the OSI model do the MAC addresses belong to?
A148: Data link. The MAC address maps to the data link layer (layer 2) in the OSI Model.
Q149: What defensive measure would protect a network from an Address Resolution Protocol (ARP) spoofing attack?
A149: Activating port-level security on the switch. Activating port-level security on a network’s switch will help protect it against an ARP-spoofing attack generated by Dsniff.