46 terms

CIW Web Security 1.6 Review

STUDY
PLAY

Terms in this set (...)

Why is it so important to audit authentication databases, such as directory servers?
Because if authentication information is obtained, the hacker will have ready access to network resources.

Auditing is the primary means of protecting yourself against malicious code. Through regular system scanning, you can identify open ports and suspicious activity. Critical steps to perform include checking password databases regularly. Create a regular schedule to help you make sure that your authentication databases are current. Look for suspicious additions and even deletions.
Which of the following can specify the route by which a packet of information has traveled?
A packet trace

A packet trace allows you to trace the route by which a packet of information traveled. This information is important because any information sent across the Internet has probably passed through at least five or six computers before reaching its destination.
Which of the following could be mistaken for a malicious attack but is probably not?
An employee attempting to open an unauthorized file on a server

An employee attempting to open an unauthorized file does not necessarily have malicious intent, and such activity would not constitute a true security "attack." He or she could just be misinformed or careless. However, generating a SYN or ping flood always constitutes malicious activity. Whenever a login shell is generated due to a daemon or system crash, a buffer overflow has been exploited. If an end user uses this strategy to gain a login shell, he or she is acting maliciously.
Which of the following is true of dropping a connection between a hacker and your system?
Dropping the connection limits information you can gather.

As long as the hacker is not damaging your system, or destroying or obtaining sensitive information, keeping the connection open might allow you to learn information that could help you catch the perpetrator.
Which of the following can be considered a vulnerability of using a VPN?
Illicit use of VPN connections can be used to avoid compliance with the company's security policy.

VPNs of any type can present the following vulnerabilities: 1) man-in-the-middle attacks; 2) old access accounts and permissions; 3) access from unsecured systems; and 4) rogue VPN servers, in which illicit use of VPN connections can be used to avoid compliance with the company's security policy.
You want to allow end users to have access to a video server. They currently cannot access this server. Which of the following devices will you most likely need to configure to allow access?
Firewall

The more secure option is to configure the firewall deny all traffic by default. After you install the firewall, you will need to open the necessary ports so users inside the firewall can access the systems they are authorized to use. In other words, if you want your employees to be able to access a video server, then you will have to create rules that allow this.
When Tripwire discovers that a file or database has been altered, how will it alert you?
Via e-mail or a log file entry

When Tripwire discovers that a file or database has been altered, it will notify you via an e-mail message or a log file entry, depending on how you configure the application.
Considering physical security, which of the following should you look for when identifying a room that will act as a server room?
False ceilings

A common physical security problem faced by networks is false ceilings. Many buildings use removable tiles instead of solid ceilings. In many cases, the false ceilings can be removed, allowing access into locked rooms. If false ceilings are used, make sure that rooms are truly separated from the rest of the office.
Which security component helps to prove that a hacker has infiltrated the system, enables you to fix problems in your security system, and helps you retrace your own steps after a crisis?
System logs

System logs help to prove that a hacker has infiltrated the system, enable you to fix problems in your security system, and help you retrace your own steps after a crisis.
Why should you notify the hacker's ISP if you have successfully identified a hacker?
You can have the ISP terminate the connection so the attack can be stopped.

If you have determined the identity of a hacker, you can notify the hacker's ISP, which can terminate the connection so the attack can be stopped.
Which of the following best describes this ruleset?
It is allowing any e-mail server to send e-mail to the 192.168.10.0/24 network.

Packet filters use rules to determine what packets are allowed to traverse the firewall. A rule is composed of several fields. Specific implementation involves telling the router to filter the content of IP packets based on the fields. Packet filters work best for restricting certain IP addresses and TCP and UDP applications from entering or leaving your network. For example, to enable or disable the ability to send e-mail to or from a network, you could create a packet filter rule using Port 25.
Which of the following can be used to mislead or misinform hackers?
A dummy file

You can create intentionally misleading files, called dummy files, to misinform a potential hacker or simply distract a thrill seeker. After creating a dummy file, you should also create an alarm to inform you whenever the file has been accessed.
Which of the following allows a security administrator to be alerted to a change in system state?
A tripwire

Security tools can alert you that a hacker has broken in, or is trying to do so. An alerting tool is often known as a "tripwire." A tripwire can do a variety of things, such as page or send the security administrator an e-mail message, drop the hacker's network connection, or create a database of changes that have occurred.
Which of the following is a package commonly used to detect file tampering?
Tripwire

Tripwire, available at www.tripwire.com, is an application designed to inform you when a directory or file has been altered or removed. It performs this task by automatically creating checksums and storing these values in a database. When Tripwire is first run, it creates a database of system files. You can then configure Tripwire to conduct automatic checks of the file system. During a check, if Tripwire discovers that a file has been altered, it will alert you. Alerts can be made via e-mail or in log files.
When Tripwire is first run, it:
creates a database of system files.

When Tripwire is first run, it creates a database of system files. This database is checked at a later time to determine if improper access has occurred.
After conducting an audit, you have noticed that end users are placing their passwords under keyboards and other areas of their work environment. Which of the following steps can help you improve password security?
End user training and reasonable password expiration policies

The most important step in the response process is to learn from the incident. To best analyze your response, ask questions such as the following of everyone involved after the attack has occurred: What security policy changes are necessary? You may need to establish mandatory continual training sessions and set passwords to expire at specific intervals.
You are reasonably sure that you have identified a server that is involved in an attack against your database server. The offending server belongs to a large ISP. What should you provide when contacting this ISP?
Log files showing connections from the offending server

In this scenario, when contacting the ISP that owns a server involved in attacking your database server, you should provide log files that show the connection from the offending server.
Which of the following constitutes a problem when conducting a reverse scan?
IP address spoofing

Carefully consider the use of retaliatory measures such as reverse scans and contacting a person's ISP. Although they can help stop many hackers, such strategies could also lead to negative consequences for your company. Remember that hackers often spoof IP addresses, so you may end up retaliating against the wrong host.
Marja wants to drop a connection coming from a remote IP address on a specific interface. She wants to keep all other connections active on that interface. Which command can she use to close a specific connection on a Linux system?
iptables

The iptables and ipchains commands can be used to drop a specific connection to a Linux system. The route command can also be used. The netstat command reports current connections to the system, and does not block hosts. You can use the ifconfig command to close down an interface, but doing so would end all network connections on that interface, and not the one IP address mentioned. There is no netapp command.
What is the most important step in the security response process?
Learning from the incident

The most important step in the security response process is to learn from the incident. Questions to ask include how the hacker entered the system, what tools he or she used, what directories or files were affected, how well the security policy responded to the attack, what personnel and/or software or hardware could have helped prevent the attack, and what could be improved to guard against future attacks.
Which of the following can shut down a connection between a hacker and a Windows Server 2003 server?
A firewall

When an attack is discovered, the firewall can be directed to alter its configuration so that it shuts down the connection.
"On September 13, 2009, at 8:06 a.m. Pacific Standard Time, I noticed that certain administrative permissions on the Web server had been reset by account ty2, which was still active at the time. I called my supervisor, Bill Evans, who instructed me to conduct a trace route, which I did at 8:10 using the Winfingerprint program. Waiting for the program to finish, I began looking through the auditing logs." This statement is an example of which of the following?
A security breach report

The following is an example of a security breach report: "On September 13, 2009, at 8:06 a.m. Pacific Standard Time, I noticed that certain administrative permissions on the Web server had been reset by account ty2, which was still active at the time. I called my supervisor, Bill Evans, who instructed me to conduct a trace route, which I did at 8:10 using the Winfingerprint program. Waiting for the program to finish, I began looking through the auditing logs." A similar report should be made by the person or persons responsible for investigating a security breach.
Which of the following is a benefit to using a network analyzer?
Testing network connections devices and cables

Network or protocol analyzers allow network administrators to analyze data traversing their networks. The data is "captured" by the network analyzer as it is transmitted across the network. Once captured, the data can be closely studied. A network analyzer can help troubleshoot and manage a network by providing several services, including testing network connections, devices and cables. Network analyzers can send test packets over the network. The packets can be traced to discover faulty components or cables.
Which of the following is most often used by PCs and firewalls to tunnel and encrypt connections across multiple networks?
Point-to-Point Tunneling Protocol (PPTP)

The Point-to-Point Tunneling Protocol is used to create VPN connections, and is capable of tunneling and encrypting connections across multiple networks. Although SSL can also encrypt transmissions across multiple networks, it is not commonly used by firewalls to connect entire networks.
Which term describes an outer corporate network, created using VPN technologies, that extends the corporate network to include suppliers and customers?
Virtual network perimeter

An outer corporate network created using VPN technologies, which extends the corporate network to include suppliers and customers, is called a virtual network perimeter. One advantage of this kind of network is that it supports remote users with full security.
Which of the following security measures presents the most risk?
A jail

Jails are separate systems containing dummy files and tripwires. Jails are designed to alert systems administrators and delay or distract hackers. Jails can be a dangerous way to contain hacker activity, however, because of the potential for a hacker to "break out" of the jail and into your actual system.
Which of the following can help determine whether a file has been altered on a hard drive?
A hash value

A hash value taken from the file's original state is the best way to determine whether a file as been altered. The CRC applies to data sent across a network using a modem, and is not a way to determine whether a file has been altered on a hard drive. A file's place on the hard drive is not a direct indicator of whether the file has been altered or not. A text file can contain important information, but in and of itself, a text file cannot determine whether another file has been altered or not.
Which term describes a dedicated system meant only to house firewall software?
Firewall appliance

A dedicated system meant only to house firewall software is called a firewall appliance. Generally, a firewall appliance is not suitable for any other network application because the firewall software will prohibit installation and execution of all programs that it does not specifically recognize.
You have established a network between one workstation and a central VPN server. What term can be used to describe this type of VPN?
Host-to-host VPN

There are three types of VPNs: 1) workstation-to-server (also called host-to-host), whereby a network is established between one workstation and a central VPN server; 2) firewall-to-firewall (also called site-to-site), whereby a tunnel is created between two distinct networks and used to securely connect remote LANs over unsecured networks; and 3) workstation-to-workstation, whereby workstations encrypt communications between each other on the same LAN, or on a local enterprise network.
What is a Virtual Private Network (VPN)?
A tunnel encrypted with public keys that provides secure access between two hosts across an non-secure network

A Virtual Private Network (VPN) is a tunnel encrypted with public keys that provides secure access between two hosts across a non-secure network. For the encryption to occur, the firewalls of the hosts must first exchange public keys.
Which of the following actions ensures that evidence left behind by hackers is not eliminated?
Stopping all server activities

When determining the scope of a security breach, system administrators should immediately stop all server activities because routine activities could destroy evidence of hacker activity.
Why should you use read-only drives and media to store the Tripwire database?
Because if you do not, and if a database or file is altered, subsequent scans will not detect a problem

It is recommended that you use read-only drives and media to store sensitive databases and files when using Tripwire because if you do not, and if the databases or files are altered, subsequent scans will not detect a problem.
Which of the following will best enhance the security of a proxy-oriented firewall device?
Remove IP routing from the device.

An important configuration of proxy-oriented firewall devices is to remove IP routing. If IP routing is enabled in these servers, the bastion host may automatically route packets without first checking to see if they adhere to the security definitions. If you remove IP routing, the bastion host must use the firewall component to route or proxy the incoming and outgoing traffic.
Which of the following is a federally funded organization in the United States that investigates and reports on computer security concerns?
CERT

The Computer Emergency Response Team (CERT) is a U.S. federally funded group that investigates and reports on computer security concerns. It also keeps an extensive database of information about attacks. Whenever you experience a security breach and cannot find information about it on the CERT Web site (www.cert.org), you should consider informing CERT about the incident.
Which of the following best describes the above communication pattern?
The three-way TCP handshake

For the TCP connection to be established, a three-way handshake must be completed. The three-way handshake consists of the following steps: (1) The client (or requesting end) performs an active open by activating the SYN flag in the TCP header. (2) The server performs a passive open by sending its own SYN to the client. (3) The client returns an ACK to the server. The client and server can now transfer data using the bytestream, and the connection is established.
After you have determined that a hacker has entered your system, what is the first step you should take?
Review the pre-written security response policy.

After you have determined that a hacker has entered your system, the first step you should take is to review the pre-written security response policy.
The main reason to distract hackers is to:
keep them on the network long enough for you to find and trace them.

There are many ways to distract hackers. One reason to do this is to keep them on the network long enough for you to find and trace them.
Which term describes the process of removing services, daemons and other applications from the firewall's operating system?
Operating system hardening

Operating system hardening is the process of removing services, daemons and other applications from the firewall's operating system. The most common way for a hacker to penetrate a system is to take advantage of overlooked components installed on the host. Your bastion host should be created with the fewest possible hardware and software components.
Which of the following is a primary weakness of symmetric-key encryption?
It is difficult to transmit the key securely.

The main weakness of a symmetric key is key distribution. That is, all recipients and viewers must have the same key. Therefore, all users must have a secure way to send and retrieve the key. However, if users are going to pass information in a public medium such as the Internet, they need a way to transfer this key among themselves.
What is the main purpose of reviewing a security incident after it has been resolved?
To learn what can be changed or improved in your security policy

The main purpose of reviewing a security incident after it has been resolved is to learn from the incident what can be changed or improved in your company's security policy, hardware and/or software to help prevent another attack in the future.
You have determined that a user account from your own network is responsible for attacking a remote system. What should you do first?
Determine whether the account has been compromised.

If you have determined that a user account from your own network is responsible for attacking a remote system, you should first determine if the account has been compromised.
What type of attack is being shown in the image displayed?
SYN flood

A SYN flood takes advantage of the otherwise normal activity of establishing a TCP handshake. Instead of establishing a complete handshake, the hacker drops the connection after the initial SYN bit is sent. While the target is engaged in creating a port to respond to the active open, the hacker then makes another connection and leaves it, only to make another and another, until the target server has opened thousands of half-open connections. This can cause a system to become sluggish, or even crash.
Which Linux utility could you use to create a packet-filter rule?
iptables

Packet filtering can be administered on a Linux system using various tools, including ipfwadm, ipchains and iptables. Ipchains and iptables are the most common, with iptables becoming the preferred method as of Kernel 2.4.
Which type of encryption poses challenges to key transport?
Symmetric-key encryption

The main weakness of a symmetric key is key distribution. That is, all recipients and viewers must have the same key. Therefore, all users must have a secure way to send and retrieve the key. However, if users are going to pass information in a public medium such as the Internet, they need a way to transfer this key among themselves.
Which of the following provides a reliable method to force a hacker to leave behind evidence of tampering?
A tripwire

Security tools can alert you that a hacker has broken in, or is trying to do so. An alerting tool is often known as a "tripwire." The idea behind a tripwire is that when a potential hacker attacks a system, he or she will either fall into a trap that you have placed, or leave behind unequivocal evidence of tampering.
Which choice lists the designated stages of a hacker attack in the correct order?
Discovery, penetration, control

The three stages of a hacker attack in the order that they occur are: discovery, penetration and control.