Last Updated on September 20, 2021 by Admin 2
312-38 : Certified Network Defender : Part 03
Which of the following refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system?
- Session hijacking
Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to Web developers, as the HTTP cookies used to maintain a session on many Web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s computer (see HTTP cookie theft). TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.
Answer option A is incorrect. Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, etc. In IP spoofing, a hacker modifies packet headers to carry someone else's IP address and so hides his identity. IP spoofing is of little use for interactive activity such as surfing the Internet or chatting online, because replies to the forged packets are sent to the spoofed address rather than to the attacker.
Answer option B is incorrect. Smurf is an attack that generates significant computer network traffic on a victim network. This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages. In such attacks, a perpetrator sends a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, which multiplies the traffic by the number of hosts responding.
Answer option D is incorrect. Phishing is a type of scam that entices a user to disclose personal information such as a social security number, bank account details, or credit card number. An example of a phishing attack is a fraudulent e-mail that appears to come from the user's bank asking him to change his online banking password. When the user clicks the link in the e-mail, it directs him to a phishing site that replicates the original bank site. The phishing site lures the user into providing his personal information.
George works as a Network Administrator for Blue Soft Inc. The company uses Windows Vista operating system. The network of the company is continuously connected to the Internet. What will George use to protect the network of the company from intrusion?
Explanation: A firewall is a set of related programs configured to protect private networks connected to the Internet from intrusion. It is used to regulate the network traffic between different computer networks. It permits or denies the transmission of a network packet to its destination based on a set of rules. A firewall is often installed on a separate computer so that an incoming packet does not get into the network directly.
- Firewall
Which of the following are the common security problems involved in communications and email? Each correct answer represents a complete solution. Choose all that apply.
- Message replay
- Identity theft
- Message modification
- Message digest
- Message repudiation
- False message
Following are the common security problems involved in communications and email:
Eavesdropping: It is the act of secretly listening to private information through telephone lines, e-mail, instant messaging, and any other method of communication considered private.
Identity theft: It is the act of obtaining someone’s username and password to access his/her email servers for reading email and sending false email messages. These credentials can be obtained by eavesdropping on SMTP, POP, IMAP, or Webmail connections.
Message modification: The person who has system administrator permission on any of the SMTP servers can visit anyone’s message and can delete or change the message before it continues on to its destination. The recipient has no way of telling that the email message has been altered.
False message: It is the act of constructing messages that appear to have been sent by someone else.
Message replay: In a message replay, a legitimate message is captured, saved, and re-sent later (unchanged or modified) so that the recipient acts on it again.
Message repudiation: In message repudiation, normal email messages can be forged. There is no way for the receiver to prove that someone had sent him/her a particular message. This means that even if someone has sent a message, he/she can successfully deny it.
Answer option D is incorrect. A message digest is a number that is created algorithmically from a file and represents that file uniquely.
Which of the following layers of TCP/IP model is used to move packets between the Internet Layer interfaces of two different hosts on the same link?
- Application layer
- Internet layer
- Link layer
- Transport Layer
The Link Layer of TCP/IP model is the networking scope of the local network connection to which a host is attached. This is the lowest component layer of the Internet protocols, as TCP/IP is designed to be hardware independent. As a result, TCP/IP has been implemented on top of virtually any hardware networking technology in existence. The Link Layer is used to move packets between the Internet Layer interfaces of two different hosts on the same link. The processes of transmitting and receiving packets on a given link can be controlled both in the software device driver for the network card, as well as on firmware or specialized chipsets.
Answer option B is incorrect. The Internet Layer of the TCP/IP model solves the problem of sending packets across one or more networks. Internetworking requires sending data from the source network to the destination network. This process is called routing. IP can carry data for a number of different upper layer protocols.
Answer option D is incorrect. The Transport Layer of TCP/IP model is responsible for end-to-end message transfer capabilities independent of the underlying network, along with error control, segmentation, flow control, congestion control, and application addressing (port numbers). End to end message transmission or connecting applications at the transport layer can be categorized as either connection-oriented, implemented in Transmission Control Protocol (TCP), or connectionless, implemented in User Datagram Protocol (UDP).
Answer option A is incorrect. The Application Layer of TCP/IP model refers to the higher-level protocols used by most applications for network communication. Examples of application layer protocols include the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP). Data coded according to application layer protocols are then encapsulated into one or more transport layer protocols, which in turn use lower layer protocols to effect actual data transfer.
Fill in the blank with the appropriate term. ________________ is the process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.
Explanation: Disaster recovery is the process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.
- Disaster recovery
You are advising a school district on disaster recovery plans. In case a disaster affects the main IT centers for the district they will need to be able to work from an alternate location. However, budget is an issue. Which of the following is most appropriate for this client?
- Warm site
- Cold site
- Hot site
- Off site
A cold site provides an office space, and in some cases basic equipment. However, you will need to restore your data to that equipment in order to use it. This is a much less expensive solution than the hot site.
Answer option C is incorrect. A hot site has equipment installed, configured and ready to use. This makes disaster recovery much faster, but it is also far more expensive. A school district can typically afford to be down for several hours, or even days, before resuming IT operations, so the less expensive option is more appropriate.
Answer option A is incorrect. A warm site is between a hot and cold site. It has some equipment ready and connectivity ready. However, it is still significantly more expensive than a cold site, and not necessary for this scenario.
Answer option D is incorrect. Off site is not any type of backup site terminology.
Which of the following techniques uses a modem in order to automatically scan a list of telephone numbers?
- War driving
- War dialing
War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, BBS systems, and fax machines. Hackers use the resulting lists for various purposes, hobbyists for exploration, and crackers (hackers that specialize in computer security) for password guessing.
Answer option C is incorrect. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving.
Answer option A is incorrect. War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, one needs a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a wireless LAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources.
Answer option D is incorrect. Warkitting is a combination of wardriving and rootkitting. In a warkitting attack, a hacker replaces the firmware of an attacked router. This allows them to control all traffic for the victim, and could even permit them to disable SSL by replacing HTML content as it is being downloaded. Warkitting was identified by Tsow, Jakobsson, Yang, and Wetzel in 2006. Their discovery indicated that 10% of the wireless routers were susceptible to WAPjacking (malicious configuring of the firmware settings, but making no modification on the firmware itself) and 4.4% of wireless routers were vulnerable to WAPkitting (subverting the router firmware). Their analysis showed that the volume of credential theft possible through Warkitting exceeded the estimates of credential theft due to phishing.
Fill in the blank with the appropriate file system. Alternate Data Streams (ADS) is a feature of the______________ file system, allowing more than one data stream to be associated with a filename.
Alternate Data Streams (ADS) is a feature of the NTFS file system that allows more than one data stream to be associated with a filename, using the filename format "filename:streamname". Alternate streams are not listed in Windows Explorer, and their size is not included in the file size shown there; they can be listed from the command line with dir /r (Windows Vista and later). ADS gives the hacker a place to hide rootkits or hacker tools, which can be executed without being noticed by the system administrator. Alternate Data Streams are strictly a feature of NTFS: copying a file to a FAT volume or sending it over most network protocols drops the extra streams. They may be used as a method of hiding executables or proprietary content.
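As an added example (not part of the exam page), the block below shows both sides of the technique: writing and reading a named stream through the "filename:streamname" syntax, which only works on NTFS under Windows, and spotting named streams in the text output of dir /r, which runs anywhere. The dir /r listing, the file names and the stream name svchost.exe are constructed sample data.

```python
import re
import sys
from typing import List, Tuple

# One line of `dir /r` output per named stream, e.g.
# "                                    26 report.pdf:Zone.Identifier:$DATA"
STREAM_LINE = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")

def find_named_streams(dir_r_output: str) -> List[Tuple[str, str, int]]:
    """Parse `dir /r` text and return (file, stream, size) for every named
    stream. The unnamed default stream is never listed as file::$DATA, so
    each match is an alternate stream."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group("size").replace(",", ""))
            found.append((m.group("file"), m.group("stream"), size))
    return found

def suspicious(streams, benign=("Zone.Identifier",), min_size=4096):
    """Keep streams that are not the browser's mark-of-the-web stream, or that
    are large enough to hold a payload even under a benign-looking name."""
    return [s for s in streams if s[1] not in benign or s[2] >= min_size]

def write_and_read_stream(path: str, stream: str, data: bytes) -> bytes:
    """NTFS on Windows only: 'path:stream' passed to open() addresses the
    named stream; on other platforms the colon is just a character."""
    if sys.platform != "win32":
        raise OSError("alternate data streams need NTFS on Windows")
    with open(f"{path}:{stream}", "wb") as fh:
        fh.write(data)
    with open(f"{path}:{stream}", "rb") as fh:
        return fh.read()

# Constructed sample: what `dir /r` prints for a folder holding a benign
# mark-of-the-web stream and a 73 KB executable hidden behind notes.txt.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Directory of C:\Users\alice\Downloads

09/20/2021  10:15 AM    <DIR>          .
09/20/2021  10:15 AM             1,024 report.pdf
                                    26 report.pdf:Zone.Identifier:$DATA
09/20/2021  10:16 AM                12 notes.txt
                                73,802 notes.txt:svchost.exe:$DATA
               2 File(s)          1,036 bytes
"""

if __name__ == "__main__":
    for entry in suspicious(find_named_streams(SAMPLE_DIR_R)):
        print("named stream worth inspecting:", entry)
```

On a live Windows host, feed the parser the output of dir /r, or use PowerShell's Get-Item -Stream * to enumerate streams directly; the Zone.Identifier filter keeps the noise from every downloaded file out of the report.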
Which of the following policies is used to add additional information about the overall security posture and serves to protect employees and organizations from inefficiency or ambiguity?
- User policy
- IT policy
- Issue-Specific Security Policy
- Group policy
The Issue-Specific Security Policy (ISSP) is used to add additional information about the overall security posture. It provides detailed, targeted guidance that instructs the organization in the secure use of specific technology systems. This policy serves to protect employees and organizations from inefficiency or ambiguity.
Answer option A is incorrect. A user policy helps in defining what users can and should do to use network and organization’s computer equipment. It also defines what limitations are put on users for maintaining the network secure such as whether users can install programs on their workstations, types of programs users are using, and how users can access data.
Answer option B is incorrect. IT policy includes general policies for the IT department. These policies are intended to keep the network secure and stable. It includes the following:
Virus incident and security incident
Client update policies
Server configuration, patch update, and modification policies (security)
DMZ policy, email retention, and auto-forwarded email policy
Answer option D is incorrect. A group policy specifies how programs, network resources, and the operating system work for users and computers in an organization.
Which of the following statements best describes the consequences of the disaster recovery plan test?
- The plan should not be changed no matter what the results of the test would be.
- The results of the test should be kept secret.
- If no deficiencies were found during the test, then the test was probably flawed.
- If no deficiencies were found during the test, then the plan is probably perfect.
The chief objective of a disaster recovery plan is to provide a planned way to make decisions if a disruptive event occurs. The reason behind the disaster recovery plan test is to find flaws in the plan. Every plan has some weak points. After the test has been conducted, all parties are informed of the results and the plan is updated to reflect the new information.
Fill in the blank with the appropriate word. The primary goal of _________________ risk analysis is to determine the proportion of effect and theoretical response.
Qualitative risk analysis ranks the identified risks by their likelihood and impact in a fast and cost-effective manner. It establishes a basis for a focused quantitative analysis or risk response plan by prioritizing risks according to their impact on the project's scope, cost, schedule, and quality objectives. Qualitative risk analysis can be conducted at any point in a project life cycle. The primary goal of qualitative risk analysis is to determine the proportion of effect and theoretical response. The inputs to the qualitative risk analysis process are as follows:
Organizational process assets
Project scope statement
Risk management plan
Which of the following topologies is a type of physical network design where each computer in the network is connected to a central device through an unshielded twisted-pair (UTP) wire?
- Mesh topology
- Star topology
- Ring topology
- Bus topology
Star topology is a type of physical network design where each computer in the network is connected to a central device, called a hub, through an unshielded twisted-pair (UTP) wire. Signals from the sending computer go to the hub and are then repeated to all the computers in the network (a switch in the same position forwards a frame only to the port of its destination). Since each workstation has a separate connection to the central device, it is easy to troubleshoot. Currently, it is the most popular topology used for networks.
Answer option A is incorrect. Mesh network topology is a type of physical network design where all devices in a network are connected to each other with many redundant connections. It provides multiple paths for the data traveling on the network to reach its destination. Mesh topology also provides redundancy in the network. It employs the full mesh and partial mesh methods to connect devices. In a full mesh topology network, each computer is connected to all the other computers. In a partial mesh topology network, some of the computers are connected to all the computers, whereas some are connected to only those computers with which they frequently exchange data.
Answer option D is incorrect. Bus topology is a type of physical network design where all computers in the network are connected through a single coaxial cable known as bus. This topology uses minimum cabling and is therefore, the simplest and least expensive topology for small networks. In this topology, 50 ohm terminators terminate both ends of the network. A Bus topology network is difficult to troubleshoot, as a break or problem at any point along the cable can cause the entire network to go down.
Answer option C is incorrect. Ring topology is a type of physical network design where all computers in the network are connected in a closed loop. Each computer or device in a Ring topology network acts as a repeater. It transmits data by passing a token around the network in order to prevent the collision of data between two computers that want to send messages at the same time. If a token is free, the computer waiting to send data takes it, attaches the data and destination address to the token, and sends it. When the token reaches its destination computer, the data is copied. Then, the token gets back to the originator. The originator finds that the message has been copied and received and removes the message from the token. Now, the token is free and can be used by the other computers in the network to send data. In this topology, if one computer fails, the entire network goes down.
Fill in the blank with the appropriate term. A _____________ is a technique to authenticate digital documents by using computer cryptography.
A digital signature is a technique to authenticate digital documents by using computer cryptography. A digital signature not only validates the sender's identity, but also ensures that the document's contents have not been altered. It verifies that neither the source nor the integrity of the document has been compromised since the document was signed. A digital signature provides the following assurances: Authenticity, Integrity, and Non-repudiation. Microsoft Office 2007 Excel and Word provide a feature known as Signature line to insert a user's digital signature on a document.
Which of the following is an intrusion detection system that reads all incoming packets and tries to find suspicious patterns known as signatures or rules?
A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic. A NIDS reads all the incoming packets and tries to find suspicious patterns known as signatures or rules. It also tries to detect incoming shell codes in the same manner that an ordinary intrusion detection system does.
Answer option A is incorrect. A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyses the internals of a computing system rather than the network packets on its external interfaces. A HIDS monitors all or parts of the dynamic behavior and the state of a computer system. It looks at the state of the system and its stored information, whether in RAM, in the file system, log files or elsewhere, and checks that the contents of these appear as expected; legitimate but unusual user or system behavior that departs from that baseline is a common source of HIDS false alarms.
Answer option B is incorrect. An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.
Answer option C is incorrect. A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes external services of an organization to a larger network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than the whole of the network. Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and to the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and external networks, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients. In a DMZ configuration, most computers on the LAN run behind a firewall connected to a public network such as the Internet.
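The signature matching that the NIDS answer describes, as an added example that is not part of the exam page: three hand-written rules (a NOP sled, a path-traversal request, and an SQL-injection tautology) applied to decoded packets. The packets, addresses and rule names are constructed for the example; payloads are percent-decoded before matching so that a URL-encoded request cannot slip past a rule written against plain text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_to_bytes

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    name: str
    dport: Optional[int]   # None means the rule applies on any port
    pattern: bytes         # regular expression matched against the payload

RULES = [
    # 16 or more consecutive 0x90 bytes: classic x86 NOP sled ahead of shellcode
    Rule("nop-sled", None, rb"\x90{16,}"),
    # "../" anywhere in an HTTP request line
    Rule("http-traversal", 80, rb"(?i)^(GET|POST) [^\r\n]*\.\./"),
    # ' or '1'='1 style tautology after percent-decoding
    Rule("sqli-tautology", 80, rb"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
]
_COMPILED = [(rule, re.compile(rule.pattern, re.DOTALL)) for rule in RULES]

def normalise(payload: bytes) -> bytes:
    """Undo %XX encoding so rules see what the web server will see."""
    return unquote_to_bytes(payload)

def inspect(packet: Packet) -> List[str]:
    """Return the names of every rule the packet matches (empty = clean)."""
    data = normalise(packet.payload)
    hits = []
    for rule, rx in _COMPILED:
        if rule.dport is not None and rule.dport != packet.dport:
            continue
        if rx.search(data):
            hits.append(rule.name)
    return hits

def run(packets: List[Packet]) -> List[List[str]]:
    return [inspect(p) for p in packets]

# Constructed sample traffic: one clean request, two web attacks, one binary blob.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /login?user=admin'%20or%20'1'='1 HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.22", 445, b"\x00" * 8 + b"\x90" * 32 + b"\xcc\xcc"),
]

if __name__ == "__main__":
    for pkt, hits in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {hits or 'clean'}")
```

The third packet is the reason a real sensor normalises before matching: without the percent-decoding step the tautology rule never fires on it.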
Fill in the blank with the appropriate term. The_______________ is typically considered as the top InfoSec officer in the organization and helps in maintaining current and appropriate body of knowledge required to perform InfoSec management functions.
The Chief InfoSec Officer (CISO) is typically considered as the top InfoSec officer in the organization, though the CISO is usually not an executive-level position and commonly reports to the CIO. Following are the job competencies for the Chief InfoSec Officer (CISO):
Maintaining current and appropriate body of knowledge required to perform InfoSec management functions
Effectively applying InfoSec management knowledge for improving security of open networks and associated systems and services
Maintaining working knowledge of external legislative and regulatory initiatives
Interpreting and translating requirements for implementation
Developing appropriate InfoSec policies, standards, guidelines, and procedures
Providing meaningful input, preparing effective presentations, and communicating InfoSec objectives
Participating in short and long term planning
In which of the following types of port scans does the scanner attempt to connect to all 65535 ports?
- FTP bounce
In a vanilla port scan, the scanner attempts to connect to all 65,535 ports.
Answer option B is incorrect. The scanner attempts to connect to only selected ports.
Answer option A is incorrect. The scanner scans for open User Datagram Protocol ports.
Answer option C is incorrect. The scanner goes through a File Transfer Protocol server to disguise the cracker’s location.
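A TCP connect() scanner, added here as an example that is not part of the exam page. scan_ports() becomes the "vanilla" scan of the question when handed range(1, 65536) and the selected-ports variant when handed a short list. Because the example has to run offline, demo_against_local_listener() binds a throwaway listener on the loopback address and scans a window of ports around it; the host, port window and timeout values are assumptions for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True when a full TCP handshake completes, i.e. the port is open.
    Refused, timed out or otherwise failed connects count as not open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:      # ConnectionRefusedError and socket.timeout are OSErrors
            return False

def scan_ports(host: str, ports: Iterable[int], workers: int = 64) -> List[int]:
    """Probe each port in `ports` concurrently; return the open ones, sorted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return sorted(p for p, is_open in zip(ports, results) if is_open)

def vanilla_scan(host: str) -> List[int]:
    """The vanilla scan of the question: every port from 1 to 65535."""
    return scan_ports(host, range(1, 65536))

def demo_against_local_listener() -> Tuple[int, List[int]]:
    """Bind a throwaway listener on loopback, then scan a small window of
    ports around it. Returns (listener_port, open_ports_found)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    srv.settimeout(0.2)
    stop = threading.Event()

    def accept_loop() -> None:
        # Drain the backlog so the scanner's handshakes complete cleanly.
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()
    try:
        window = range(max(1, port - 5), min(65535, port + 5) + 1)
        found = scan_ports("127.0.0.1", window)
    finally:
        stop.set()
        worker.join()
        srv.close()
    return port, found

if __name__ == "__main__":
    listener, open_ports = demo_against_local_listener()
    print(f"listener on {listener}; scan found open ports: {open_ports}")
```

A connect() scan completes the three-way handshake, so every probe lands in the target's connection logs; that is what makes it easy for a NIDS to flag a full 65,535-port sweep from one source, and why attackers reach for half-open or bounce techniques instead.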
Which of the following is a firewall that keeps track of the state of network connections traveling across it?
- Stateful firewall
- Stateless packet filter firewall
- Circuit-level proxy firewall
- Application gateway firewall
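Why a stateful firewall is the answer, shown as an added example that is not from the exam page: a stateless packet filter can only approximate "established" traffic by looking at TCP flags on each packet in isolation, whereas a stateful firewall remembers the sessions opened from inside and admits only inbound packets that belong to one. The addresses, the 10.0.0.0/24 inside network and the four-packet scenario are constructed for the example; session teardown is simplified to RST handling.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}

INSIDE_PREFIX = "10.0.0."   # assumption: the protected LAN is 10.0.0.0/24

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def stateless_allow(pkt: Pkt) -> bool:
    """Classic ACL approximating 'established': inbound TCP passes only when
    the ACK bit is set. It remembers nothing, so a forged ACK also passes,
    which is exactly what an ACK scan relies on."""
    if is_inside(pkt.src):
        return True
    return "ACK" in pkt.flags

class StatefulFilter:
    """Tracks sessions opened from inside; an inbound packet passes only if
    it matches a tracked session."""
    def __init__(self) -> None:
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Pkt) -> bool:
        if is_inside(pkt.src):
            if pkt.flags == frozenset({"SYN"}):          # new outbound connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound tuple
        if key not in self.sessions:
            return False                                  # unsolicited inbound: drop
        if "RST" in pkt.flags:
            self.sessions.discard(key)                    # session torn down
        return True

def evaluate(packets: List[Pkt]) -> List[Tuple[bool, bool]]:
    """For each packet, (stateless verdict, stateful verdict); True = allowed."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

# Constructed scenario: one legitimate HTTPS session, then an outside host
# probing port 22 on the same client with a bare ACK and with a SYN.
SCENARIO = [
    Pkt("10.0.0.5", 40000, "93.184.216.34", 443, frozenset({"SYN"})),
    Pkt("93.184.216.34", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Pkt("203.0.113.9", 6000, "10.0.0.5", 22, frozenset({"ACK"})),
    Pkt("203.0.113.9", 6000, "10.0.0.5", 22, frozenset({"SYN"})),
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SCENARIO, evaluate(SCENARIO)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}"
              f"  stateless={stateless} stateful={stateful}")
```

The third packet is the one that separates the two designs: the stateless rule waves the bare ACK through to port 22, the stateful table drops it because no inside host ever opened that connection.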
Fill in the blank with the appropriate term. ______________ encryption is a type of encryption that uses two keys, i.e., a public key and a private key pair for data encryption. It is also known as public key encryption.
Asymmetric encryption is a type of encryption that uses two keys, i.e., a public key and a private key pair for data encryption. The public key is available to everyone, while the private or secret key is available only to the recipient of the message. For example, when a user sends a message or data to another user, the sender uses the public key to encrypt the data. The receiver uses his private key to decrypt the data.
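One block serves both the digital-signature question above and this one, as an added example that is not part of the exam page: textbook RSA, where the public key encrypts and the private key decrypts, while the private key signs a hash of the document and the public key verifies it. The key is built from two published Mersenne primes and uses no padding, so it is a toy for seeing the mechanics, not something to deploy; a real key uses secret random primes of 1024 bits or more and OAEP/PSS padding. The document text and the choice of SHA-256 are assumptions for the demonstration.

```python
import hashlib
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)

def keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public, private). p and q must be distinct primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent: modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(pub: Key, msg: bytes) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this modulus (toy has no padding)")
    return pow(m, e, n)

def decrypt(priv: Key, c: int) -> bytes:
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(msg: bytes, n: int) -> int:
    # Hash the document first so the signature covers its whole contents.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv: Key, msg: bytes) -> int:
    """Only the private key produces this value: authenticity and non-repudiation."""
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub: Key, msg: bytes, sig: int) -> bool:
    """Anyone can check it; any change to msg breaks the match: integrity."""
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

# Toy key from the Mersenne primes 2^61-1 and 2^31-1 (about a 92-bit modulus).
PUB, PRIV = keygen(2**61 - 1, 2**31 - 1)

def demo() -> Tuple[bool, bool, bool]:
    """(ciphertext decrypts back, signature verifies, edited document fails)"""
    doc = b"CND part 03"                      # 11 bytes, well below the modulus
    ciphertext = encrypt(PUB, doc)
    signature = sign(PRIV, doc)
    return (decrypt(PRIV, ciphertext) == doc,
            verify(PUB, doc, signature),
            verify(PUB, doc + b" (edited)", signature))

if __name__ == "__main__":
    print("decrypts, verifies, tamper detected:", demo())
```

Note the symmetry the two questions turn on: the same key pair is used in opposite directions for the two services, public-then-private for confidentiality and private-then-public for authenticity, which is why the private key must never leave its owner.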
Fill in the blank with the appropriate term. ______________ is a protocol used to synchronize the timekeeping among a number of distributed time servers and clients.
Network Time Protocol (NTP) is used to synchronize the timekeeping among a number of distributed time servers and clients. It is used for time management in a large and diverse network that contains many interfaces. In this protocol, servers define the time and clients synchronize to it. A client configured with several NTP servers selects the most reliable of them as its time source. Consistent time across hosts is also what makes log correlation during incident response possible.
Fill in the blank with the appropriate term. The ______________is a communication protocol that communicates information between the network routers and the multicast end stations.
The Internet Group Management Protocol (IGMP) is a communication protocol that communicates information between the network routers and the multicast end stations. It allows receivers to request a multicast data stream from a specific group address. Multicast traffic is sent to a single destination MAC address but is processed by multiple hosts. IGMP allows an end station to join a multicast group and to leave it again. It is commonly used for gaming and streaming online video. Like ICMP, IGMP is not a transport protocol: it is carried directly inside IP datagrams (IP protocol number 2) and operates just above the network layer. It is analogous to ICMP for unicast connections. It is susceptible to some attacks, so firewalls commonly allow the user to disable it if it is not needed.