Question 1

David is concerned about the security of his organization's web server. He wants to find and block all open, vulnerable ports on his web server. Which of the following tools should he use to find all open ports on the network?

Accepted Answer

Network scanner finds all the open ports on the web server. Protocol analyzer is a software and hardware troubleshooting tool that is used to decode protocol information to try to determine the source of a network problem and to establish baselines.
Key Takeaway: Network Scanners are often used by administrators to verify security policies of their network. A port scan is done when a host scans for listening ports on a single target host. A portsweep is done when multiple hosts are scanned for a specific listening port. The result of a scan on a port is usually categorized as open, closed, or filtered.

Question 2

Which of the following transmission media is least susceptible to a vampire tap placed on the line?

Accepted Answer

Fiber optic media is least susceptible to stealing information using wire taps. Vampire taps are only for 10BASE5, or Thicknet coaxial cables.
Key Takeaway: A vampire tap is a connection to a coaxial cable in which a hole is drilled through the outer shield of the cable so that a clamp can be connected to the inner conductor of the cable. A vampire tap is used to connect each device to Thicknet coaxial cable in the bus topology of an Ethernet 10BASE5 local area network.

Question 3

John has detected a breach in security. A hacker is trying to access confidential data from the company's server. What should be done first?

Accepted Answer

John should disconnect the network cable to prevent the hacker from gaining further data from the server.
Key Takeaway: It is very important to disconnect the path the hacker is using to steal information. If this is not done instantly, it may lead to a situation where the hacker may steal all data before any action is taken, in spite of the fact that the data theft was discovered.

Question 4

Which of the following logs should you look for if you want to find out when the workstation was last shutdown?

Accepted Answer

You would need to check the system logs to see when the workstation was last shutdown. Security logs provide information related to access.
Key Takeaway: The system log contains events logged by Windows operating system components. For example, if a driver fails to load during startup, an event is recorded in the system log. The OS predetermines the events that are logged by system components.

Question 5

Which of the following is a server placed in a corporate network for the purpose of attracting a potential intruder's attention?

Accepted Answer

A honey pot is a system that uses a fake server and sends alarms when an intruder tries to attack the network.
Key Takeaway: A honey pot is a trap set consisting of an monitored and isolated computer, network site, or data, designed to appear to be a part of the network and containing information of value to attackers. Honey pots serve as a valuable surveillance and early-warning tool by being able to detect, deflect, or counteract attempts at unauthorized use of information systems.

Question 6

Which of the following terms describes the process of improving security?

Accepted Answer

Hardening is the process of improving the security of an operating system, application, or network.
Key Takeaway: Hardening is the process of improving security and reducing the susceptibility to attack. Reducing known routes of attack typically includes the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services. Eliminating the use of unneeded protocols is also a good method of hardening a system or network.

Question 7

John is a security advisor at his organization. A number of anonymous users are complaining about data being stolen from their computers. Which of the following should he enforce to avoid data theft?

Accepted Answer

To avoid data theft, John should enforce a policy that states that no removable media be used on the office computers.
Key Takeaway: Use of removable media is the easiest and most common method of stealing data. Organizations should block or remove all removable drive media, slots, and ports. Biometric, smart card, and tokens should be used to authenticate employees. However, these cannot be used as the only means of protection from data theft in the organization.

Question 8

David has just switched on his system and opened a word document. Surprisingly, the dialer started dialing the internet. What kind of an attack has probably occurred?

Accepted Answer

A logic bomb notifies an attacker when a certain set of circumstances has occurred. This triggers an attack on the system.
Key Takeaway: A logic bomb is a piece of code intentionally inserted into software that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files, should they ever be terminated from the company. Software that is inherently malicious, such as viruses and worms, often contain logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software.

Question 9

John is investigating a situation where an internal user's PC has been hacked by another internal user in the organization. Which of the following locations should he check to determine the source of the attack?

Accepted Answer

To find out the source of the attack, go through the audit logs on the computer which has been attacked.
Key Takeaway: Audit logging events can help you monitor your computer or network and prevent a successful attack. It can also prove very useful in determining how and when an attack occurred if you use the logs as forensic evidence. To enable audit logging in Windows, click Start, click All Programs, click Administrative Tools, select Local Security Policy, and click on the + next to Local Policies and select Audit Policy.

Question 10

Which of the following password-guessing attacks continue attacking until a successful guess occurs?

Accepted Answer

A brute force attack is an attempt to guess passwords until a successful guess occurs.
Key Takeaway: A brute force attack consists of trying every possible code, combination, or password until you find the right one. This type of attack usually occurs over a long period. Some of the steps that can be taken to avert brute force attacks include increasing the length of the PIN or password, allowing the PIN or password to contain characters other than alphanumeric ones, imposing a 30-second delay between failed authentication attempts, and locking the account after 5 failed authentication attempts.

Question 11

Which of the following is a Bluetooth-based attack that relates to gaining unauthorized access through a Bluetooth connection?

Accepted Answer

The attack that relates to gaining unauthorized access through a Bluetooth connection is a Bluesnarfing attack.
Key Takeaway: Bluesnarfing is the gaining of unauthorized access through a Bluetooth connection. This access can be gained through a phone, PDA, or any device using Bluetooth. Once access has been gained, the attacker can copy any data in the same way they would with any other unauthorized access. Blue jacking is the sending of unsolicited messages or spam over the Bluetooth connection.

Question 12

Which of the following best describes domain name kiting?

Accepted Answer

Domain name kiting is the practice of repeatedly registering and deleting a domain name so that in effect, the registrant can own the domain name without paying for it.
Key Takeaway: Domain kiting refers to the method of exploiting loopholes in ICANN's or other domain name registrars' registration procedures. This is often done in order to earn money from temporary domain registration or in order to test salability or marketability of domain names.

Question 13

Jack is investigating the cause of his company's failure in winning the bid for a project. He suspects that a hacker could have intervened in the communication session between his company's employees. Which of the following attack types is he investigating on?

Accepted Answer

A man-in-the-middle attack is a form of active eavesdropping attack that attempts to fool both ends of a communications session into believing the system in the middle is the other end.
Key Takeaway: A man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them. Both parties involved in communication are made to believe that they are communicating with each other. In reality the entire conversation is controlled by the attacker. These attacks are successful only when the attacker can impersonate each endpoint to the satisfaction of the other.

Question 14

John is a Security Administrator at his organization. He is observing repeated unsuccessful attempts from a hacker to submit a Kerberos certificate and have it be validated by the authentication system. What is this attack called?

Accepted Answer

A replay attack attempts to replay the results of a previously successful session to gain access.
Key Takeaway: Replay attacks involve intercepting data packets and replaying them or resending them to the receiving server. Depending on the context, the hacker could benefit from the actual user's rights. In this case, the hacker is trying to re-use or replay the logon credentials of an authorized session.

Question 15

David is the Security Administrator at his organization. He is investigating an issue where the corporate server will not accept any connections using the TCP protocol. On close inspection he sees that the server indicates that it has exceeded its session limit. Which type of attack is this?

Accepted Answer

A TCP ACK attack creates multiple incomplete sessions, as in this case.
Key Takeaway: When an attack creates multiple incomplete sessions, it exhausts the capacity of the server to service valid requests. Eventually the TCP protocol hits a maximum limit and refuses additional connections. This is the basis for a TCP ACK DoS attack. TCP/IP hijacking is an attempt to steal a valid IP address and use it to gain authorization or information from a network. A smurf attack uses IP spoofing and broadcasting to send a ping to a group of hosts in a network. Both smurf and ACK attacks are generally ineffective in modern networking.

Question 16

Which protocol does the smurf attack use to attack a network or system?

Accepted Answer

A smurf attack attempts to use a broadcast ping (ICMP) on a network.
Key Takeaway: In a smurf attack, the attacker sends a broadcast message with a legal IP address. In this case, the attacking system sends a ping request to the broadcast address of the network. The request is sent to all the machines in a large network. The reply is then sent to the machine identified with the ICMP request. The result is a DoS attack that consumes the network bandwidth of the replying system while the victim system deals with the flood of ICMP traffic it receives. This attack is almost completely ineffective today as routers by default do not allow forwarding of packets directed to broadcast addresses. Individual systems can also be configured to not respond to ICMP requests.

Question 17

You are working as a Security Advisor at your organization. On observing an employee's system log files report, you notice unsuccessful ongoing attempts to gain access to a single user account on the computer. What is this attack called?

Accepted Answer

A password guessing attack occurs when a user account is repeatedly attacked using a variety of different passwords to gain access to a system.
Key Takeaway: Although this type of attack could have been any form of password guessing, brute force, or dictionary attacks, this case is a password guessing attack. A brute force attack is the last resort in trying to hack a password. This would work only if there is no limit to the number of password attempts and the password is of manageable length. A dictionary attack makes use of cracking programs that accept personal information about the user being attacked and generate common variations for passwords suggested by that information. A password guessing attack is a bit of both where the user manually guesses the different password combinations possible, based upon a bit of knowledge about the user.

Question 18

Which of the following attacks involves the attacker gaining access to a host on the network and logically disconnecting it?

Accepted Answer

TCP/IP hijacking involves an attack where the attacker gains access to a host in the network by logically disconnecting his connection and using it.
Key Takeaway: TCP session hijacking is a technique that involves intercepting a TCP session initiated between two machines in order to hijack it. The initial authentication is performed by the legitimate machine. Later, the hacker who wishes to launch this attack takes control of the connection for the duration of the session.

Question 19

Which of the following TCP attacks tweaks the TCP three-way handshake process in an attempt to overload network servers, resulting in authorized users being denied access to network resources?

Accepted Answer

The SYN attack tweaks the TCP three-way handshake process, thus overloading servers and leading to DoS attacks.
Key Takeaway: SYN attacks exploit the TCP three-way handshake and overload the servers, resulting in authorized users being denied access to network resources. The attacker uses a spoofed IP address not in use on the Internet and sends multiple SYN packets to the target machine, or has his client never send the ACK. The target machine allocates resources and sends an acknowledgement SYN-ACK to the source IP address. Since the target machine doesn't receive a response from the attacking machine, it attempts to resend the SYN-ACK five times. Effectively, the target machine allocates resources for more than 3 minutes to respond to just one SYN attack. When the attacker uses this technique repeatedly, the target machine eventually runs out of resources and is unable to handle any more connections, thereby denying service to legitimate users. This attack is generally not very effective in modern networking and only works if the server allocates the resources before receiving the ACK.

Question 20

Which of the following defines a condition that can occur when an application receives more data than it is programmed to accept?

Accepted Answer

When a program receives more data than the amount it is designed to receive, a buffer overflow results.
Key Takeaway: Buffer overflows occur when an application receives more data than it is programmed to accept. Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. A buffer overflow occurs when data written to a buffer corrupt data values in memory addresses adjacent to the allocated buffer due to insufficient bounds checking. This commonly occurs in languages such as C or C++ that does not include automated bounds checking when copying data from one buffer to another.

Quiz 28: Threats