Quiz:
1 A remote user tries logging into a remote network but fails after three additional tries and
is disconnected. What useful information should the network administrator gather?
(Select the best two answers.)
a. Username
b. Invalid password
c. Invalid username
d. Valid username
Network administrators need the invalid username (because it is not an allowable
username) and the invalid password used to see if the intruder is using a text-based
algorithm to generate passwords.
2 What is the first step that should be implemented in securing any network?
a. Create a database of secure passwords.
b. Create the IP address scheme.
c. Run NetRanger or NetSonar.
d. Define a security policy.
e. Configure access lists on all routers.
The first step in securing any network must be to define the security policy.
3 What primary security method can be designed and deployed to secure and protect any
IP network after an attack has been documented?
a. Security policy
b. IP policy
c. Countermeasures
d. Measurement
e. Logging passwords
Countermeasures should be in place in every IP network. For example, back up
sensitive data or application software and apply all the required patches.
4 A security administrator notices that a log file stored on a local router has increased in size
from 32 k to 64 k in a matter of seconds. What should the network administrator do?
a. Increase the buffer to 64 k.
b. Decrease the buffer to 16 k.
c. Log the event as suspicious and notify the incident response team.
d. Nothing, this is normal.
e. Both a and b are correct.
Any log file that increases (more data to view) or decreases (for example, cleared by
the intruder to hide his actions) should be regarded as suspicious activity.
5 What is the primary responsibility of CERT/CC?
a. Define access lists for use on routers
b. Set security standards
c. Coordinate attacks on secure networks
d. Maintain a security standard for networks
e. Nothing to do with security
CERT/CC’s primary responsibility is to aid in the security of any public network;
go to www.cert.org for more details.
6 Who can use network scanners and probes? (Select the best two answers.)
a. Intruders
b. Security managers
c. End users
d. Cable service providers
Network scanners are used by intruders just as network administrators use them.
7 What is a bastion host?
a. Firewall device supported by Cisco only
b. Network’s last line of defense
c. Network’s first line of defense
d. IP host device designed to route IP packets
Bastion hosts are typically the first line of defense. Sometimes, they are sacrificed
because they are typically public domain servers and can be quickly restored using
backup methods.
8 A TCP SYN attack is what type of attack?
a. ICMP
b. DoS
c. Telnet/Kerberos attack
d. Ping attack only
A TCP SYN attack is a form of denial-of-service attack.
9 When an intruder sends a large amount of ICMP echo (ping) traffic using IP broadcasts,
this type of DoS attack is known as what?
a. Bastion
b. Land.C
c. Man in the middle
d. Smurf
e. Ping of death
A Smurf attack sends large ICMP or ping requests via a broadcast address, ensuring
that all devices on the remote network respond and enabling the intruder to list the
IP addresses that are connected to the network for further DoS-based attacks.
10 What kind of attack sends a large ICMP echo request packet with the intent of overflowing
the input buffers of the destination machine and causing it to crash?
a. Ping of death
b. Smurf
c. Land.C
d. Man in the middle
e. Birthday attack
A ping of death sends a large number of ICMP echo request packets causing the end
device to overflow, and can cause a remote server to stop functioning for legitimate
requests.
11 In the context of intrusion detection, what is an exploit signature?
a. DoS attack
b. An attack that is recognized and detected on the network
c. The same as a Smurf attack
d. The same as a man in the middle attack
An exploit signature is an attack that is readily detected.
12 To stop spam e-mail from overwhelming an e-mail server, what step can you take?
a. Ask the ISP for help.
b. Nothing, because spam e-mail is too difficult to stop to be worth the effort.
c. Install an intrusion detection system that has a signature for spam e-mail.
d. Nothing, because the client software takes care of this.
e. Change the IOS code.
f. Configure the bastion host to stop spam e-mail.
Spam e-mail can be controlled with an IDS server.
Q & A
1 Define four reasons networks should be secured.
Answer: IP networks must provide a network security policy for the following
reasons:
Inherent technology weaknesses—All network devices and operating systems have
inherent vulnerabilities.
Configuration weaknesses—Common configuration mistakes can be exploited to
open weaknesses.
Security policy vulnerabilities—The lack of security policies can lead to
vulnerabilities, such as password security.
Outside/inside intruders—There are always internal and external people wanting to
exploit network resources and retrieve sensitive data.
2 What is the function of the CERT/CC organization, and what are its primary objectives?
Answer: The CERT Coordination Center (CERT/CC) is a center of Internet security
expertise, located at the Software Engineering Institute, a U.S. federally funded
research and development center operated by Carnegie Mellon University. CERT/CC
provides information ranging from protecting your networks from potential problems,
to reacting to current problems, to predicting and preparing for future problems.
Work involves handling computer security incidents and vulnerabilities, publishing
security alerts, researching long-term changes in networked systems, developing
information, and even providing training to help you improve security. CERT/CC
does not concern itself with the individual or where the intruder is physically located,
but ideally tries to restore and prevent similar attacks in the future. CERT/CC is
regarded as the industry leader in security concerns.
3 What are the primary steps completed by incident response teams?
Answer: Incident response teams do the following:
Verify the incident.
Determine the magnitude of the incident (hosts affected and how many).
Assess the damage (for example, if public servers have been modified).
Gather and protect the evidence.
4 Name common methods used by intruders to disrupt a secure network.
Answer: Intruders can use the following methods (and many more):
Session hijacking—The intruder defines himself with a valid IP address after a
session has been established to the real IP address by spoofing IP packets and
manipulating the sequence number in an IP packet.
Rerouting—Packets from one source are routed to an intruder source. Routing
updates are altered to send IP packets to an incorrect destination, allowing the
intruder to read and use the IP data inappropriately.
Denial-of-service (DoS) attacks—A service attack that is used in an attempt to deny
legitimate users access to a network they have full rights to.
Probes and scans.
Malicious code.
5 In security, what is session hijacking?
Answer: Session hijacking is where the intruder defines himself with a valid IP
address after a session has been established to the real IP address by spoofing IP
packets and manipulating the sequence number in an IP packet.
6 In security terms, what is a man in the middle attack?
Answer: Just as with packet sniffers and IP spoofing attacks, a brute-force password
attack can provide access to accounts that can be used to modify critical network files
and services. An example that compromises your network’s integrity is an attacker
modifying your network’s routing tables. By doing so, the attacker ensures that all
network packets are routed to him before they are transmitted to their final
destination. In such a case, an attacker can monitor all network traffic, effectively
becoming a man in the middle.
7 What is a Signature Engine?
Answer: A Signature Engine is a component designed to support many signatures in
a certain category. An engine is composed of a parser and an inspector. Each engine
has a set of legal parameters that have allowable ranges or sets of values. Exploit
signatures are an identifiable pattern of attack.
8 What is social engineering?
Answer: Social engineering is the act of tricking or coercing employees into
providing information, such as usernames or mail user identifications and even
passwords. First-level phone support personnel are typically called by intruders
pretending to work for the company to gain valuable information.
9 Describe a ping of death attack.
Answer: A ping of death occurs when a large number of ICMP echo request packets
cause the end device to overflow. For example, a ping of death can cause a remote
server to stop functioning for legitimate requests.
10 What is a Land.C attack?
Answer: A Land.C attack is a program designed to send TCP SYN packets (TCP
SYN is used in the TCP connection phase) that specify the target’s host address as
both source and destination. This program can use TCP port 113 or 139 (source/
destination), which can also cause a system to stop functioning.
11 What does the following IOS code accomplish on a Cisco IOS router?
no service udp-small-servers
no service tcp-small-servers
Answer: These commands disable the minor TCP/UDP servers. When the minor
TCP/IP servers are disabled, access to the Echo, Discard, Chargen, and Daytime
ports causes the Cisco IOS Software to send a TCP Reset packet to the sender and
discard the original incoming packet. When these commands are entered in global
configuration, they do not display when you view the configuration (show running-config
or write terminal) because the default is to disable TCP/UDP small servers.
Unlike Cisco switches, Cisco IOS Software does not display default configuration.
12 What is the secret password for the following IOS configuration?
enable secret %$@$%&^$@*$^*@$^*
enable pass cisco
Answer: Secret passwords are encrypted using the MD5 hashing algorithm, so you
cannot decipher the secret password, which overrides the enable password.
13 What is the purpose of the command service sequence-numbers?
Answer: Essentially, this command enables your syslog entries to be numbered and
ensures that they are not tampered with by external sources.