Question 1 (5 pts)
(TCO A) During the ____ phase of the attack process, the attacker attempts to look for an easy way in.
reconnaissance
footprinting
scanning
enumeration
Question 2 (5 pts)
(TCO A) Which is the biggest cause of data loss for most organizations?
Hackers
Natural disasters
User error
Hardware failure
Question 3 (5 pts)
(TCO B) When and under what circumstances should you reveal your password to someone?
Under no circumstances
To IT when they are troubleshooting a problem
To anyone who asks for it, and then immediately change it
To your supervisor
Question 4 (5 pts)
(TCO B) An extranet provides access to ____.
resources for an organization’s suppliers
an e-commerce web site
personnel policies
travel requests
Question 5 (5 pts)
(TCO C) The 3DES algorithm uses ____ separate keys.
three
four
one
five
Question 6 (5 pts)
(TCO C) A message-digest algorithm such as MD5 is designed to ____.
accept a hash and produce variable output
accept data and generate fixed-length output
create AES keys
rehash a string
Question 7 (5 pts)
(TCO D) A DMZ is used to isolate ____.
an interior routing protocol
the inside from the outside
HIDS
a trusted from an untrusted network
Question 8 (5 pts)
(TCO E) With split tunneling, a VPN can connect ____ and ____ in order to not have to place the traffic in the tunnel first.
inside; sector
VPN; VPN
inner; outer
public network; private VPN
Question 9 (5 pts)
(TCO F) To achieve better security, WPA is an improvement on ____.
frequency stability
key management and authentication
64- or 128-bit static secret key
SSID beacon frame channelization
Question 10 (5 pts)
(TCO G) The three basic attack vectors are internal, external, and ____.
internal external
physical security
outside in
protected mode
(TCO A) Discuss the following.
(a) How does a man-in-the-middle attack objective differ from a distributed denial-of-service (DDoS) attack objective?
A man-in-the-middle (MitM) attack inserts the attacker into an existing connection so that all network traffic between two communicating devices passes through, and can be read and modified by, the attacker. For example, the attacker intercepts the victim's network connection and relays messages so that both parties believe they are talking to each other over a private channel, when in fact the attacker is manipulating the exchange to extract sensitive information. The objective is therefore confidentiality and integrity: to read or alter data without the victims noticing. A distributed denial-of-service (DDoS) attack, by contrast, floods the victim's network or servers with traffic from many sources at once; its objective is availability, making the service unusable for legitimate users rather than stealing anything. Because the traffic comes from so many points of origin, the attack cannot be stopped simply by blocking a single IP address, and it is very difficult to distinguish legitimate user traffic from attack traffic.
(b) What are the similarities?
Both attack the communication between systems rather than a single host, both are carried out from the network, and they can be combined: a MitM attack can itself be part of a denial-of-service attack, because the attacker who sits between the endpoints can capture the information, corrupt it, and then reinject it into the flow, or simply drop it. In other words, the MitM attacker breaks the trust between the two identities to modify traffic in a malicious way, and can also introduce new information into network sessions.
(c) How are each of the attacks mitigated?
MitM attacks are mitigated mainly by encrypting and authenticating traffic. At a minimum, every enterprise application, including web, email and voice traffic, should be encrypted, not just sensitive communications, because an active MitM attacker who can intercept unencrypted, "unimportant" communications can also insert data: changing DNS responses to send the user to an impersonating server, pushing malware down to a mobile device, or injecting JavaScript that steals cookies. Encryption alone is not enough, however; the client must also verify the other end. TLS/SSL certificate verification (checking that the server's certificate chains to a trusted authority and matches the expected hostname) and enterprise-wide certificate management are the tools that keep an interceptor from simply presenting its own certificate.
DDoS mitigation is a different problem, because the attack traffic is often indistinguishable from real requests and comes from many sources. One measure is to divert the attacked traffic to an isolated network so that the flood does not affect business productivity. Mitigation also depends on knowing normal network traffic patterns, which is necessary to detect an attack as a deviation, and on classifying incoming traffic to separate human users from human-like bots and hijacked web browsers. That classification compares signatures and examines attributes of the traffic, including IP addresses, cookie variations, HTTP headers and JavaScript footprints. Once attack traffic has been identified, anti-DDoS technology filters it out and the offending connections or sources are blacklisted or purged from the network.
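As an added illustration of the traffic-pattern analysis described above (example code written for this page, not from the course text), the Python below buckets web-server requests into fixed time windows and separates a single noisy source, which can simply be blacklisted, from a distributed flood in which no individual source exceeds the per-address limit and per-address blocking cannot work. The log format, the addresses (RFC 5737 documentation ranges), the thresholds and the traffic itself are all constructed for the example.

```python
from collections import Counter, defaultdict

# Simplified access-log format assumed for this example (constructed, not a
# real server format): "<epoch-second> <client-ip> <method> <path> <user-agent>".
# A User-Agent of "-" means the client sent none, a common trait of crude bots.


def build_sample_log():
    """Generate constructed sample traffic covering three 10-second windows."""
    lines = []
    # Window 0 (t=0..9): ordinary browsing from three clients.
    for i, ip in enumerate(["203.0.113.5", "203.0.113.9", "203.0.113.22"]):
        lines.append(f"{1 + i} {ip} GET /index.html Mozilla/5.0")
        lines.append(f"{4 + i} {ip} GET /style.css Mozilla/5.0")
    # Window 1 (t=10..19): one source hammers the login page with no User-Agent.
    for i in range(30):
        lines.append(f"{10 + i % 10} 198.51.100.7 POST /login -")
    lines.append("12 203.0.113.5 GET /about.html Mozilla/5.0")
    lines.append("17 203.0.113.9 GET /about.html Mozilla/5.0")
    # Window 2 (t=20..29): 25 sources, two requests each; none is noisy alone.
    for i in range(25):
        ip = f"192.0.2.{i + 1}"
        lines.append(f"{20 + i % 10} {ip} GET /search?q=x -")
        lines.append(f"{20 + (i + 3) % 10} {ip} GET /search?q=x -")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; the User-Agent field may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, ua = line.split(" ", 4)
        events.append({"ts": int(ts), "ip": ip, "method": method,
                       "path": path, "ua": ua})
    return events


def analyse(events, window, per_ip_limit, total_limit):
    """Classify each fixed-size time window.

    single-source flood: at least one IP exceeds per_ip_limit (block that IP)
    distributed flood:   no IP is individually noisy, but the window total
                         exceeds total_limit (per-IP blocking will not help)
    """
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"] // window].append(e)
    findings = {}
    for b in sorted(buckets):
        evs = buckets[b]
        per_ip = Counter(e["ip"] for e in evs)
        noisy = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
        no_ua = sorted({e["ip"] for e in evs if e["ua"] == "-"})
        if noisy:
            verdict = "single-source flood"
        elif len(evs) > total_limit:
            verdict = "distributed flood"
        else:
            verdict = "normal"
        findings[b] = {
            "total": len(evs),
            "sources": len(per_ip),
            "block": noisy,           # addresses worth blacklisting outright
            "no_user_agent": no_ua,   # bot-like clients for closer inspection
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    report = analyse(parse_log(build_sample_log()),
                     window=10, per_ip_limit=10, total_limit=40)
    for b, f in report.items():
        print(f"window {b}: {f['verdict']}, {f['total']} requests "
              f"from {f['sources']} sources, block={f['block']}")
```

Window 1 yields a single address to blacklist; window 2 is the case the answer above warns about: fifty requests from twenty-five addresses, each individually below the limit, so the defence has to move from blocking addresses to the header- and behaviour-based classification described in the text.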
(TCO A) What is the purpose of footprinting?
Footprinting is the reconnaissance technique of gathering information about a target's computer systems, network ranges, domain names and people before any active attack begins, typically from public sources such as DNS, WHOIS and the organization's own web presence. It lets attackers limit the scope of their activities to the systems that are the most promising targets for the vulnerabilities they plan to exploit. Scanning, which follows footprinting, then tells the attacker which ports are open and which services are running on those systems.
(TCO B) Explain how a TCP/SYN attack works and what can be done about it.
A TCP SYN flood is a denial-of-service attack (often launched in distributed form) that aims to make a server unavailable to legitimate traffic by consuming the resources it uses to track new connections. By repeatedly sending initial connection-request (SYN) packets and never completing the handshake, the attacker fills the server's table of half-open connections, so that the server responds to legitimate connection attempts sluggishly or not at all. The attack exploits the three-way "handshake" that opens every TCP connection:
• First, the client sends a SYN packet to the server to initiate the connection.
• The server responds with a SYN/ACK packet to acknowledge the request, and records the connection as half-open while it waits for the final ACK.
• Finally, the client returns an ACK packet to acknowledge the server's SYN/ACK. After this exchange the TCP connection is open and can carry data.
In a SYN flood the third step never happens: the attacker either ignores the SYN/ACK or sends the SYNs from spoofed source addresses, so the SYN/ACK goes nowhere and each half-open entry occupies a slot in the backlog until it times out.
The SYN flood vulnerability has been known for a long time and several mitigations exist. One is increasing the backlog queue: each operating system allows a certain number of half-open connections, and one response to high volumes of SYN packets is to raise that maximum. To do this the system must reserve additional memory for the extra entries; if it lacks that memory, performance will suffer, but that may still be better than a denial of service. Another is recycling the oldest half-open connection once the backlog is full. This only works if legitimate connections complete in less time than it takes the attacker to fill the backlog, so it fails when the attack volume rises or when the backlog is too small to be practical.
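The two mitigations above can be compared in a small model of the server's half-open connection table. The Python below is an added example written for this page, not from the course text. It assumes that attack SYNs are never acknowledged and never time out within the simulated period, so they hold backlog slots until evicted, while legitimate clients send their ACK a fixed number of ticks after their SYN; the backlog sizes and rates are constructed to make the behaviour visible.

```python
from collections import OrderedDict


def simulate(backlog_size, attack_rate, legit_rate, legit_ack_delay, ticks,
             policy="drop"):
    """Model a server's half-open (SYN_RECEIVED) table under a SYN flood.

    Each tick, attack_rate forged SYNs arrive (assumption: they are never
    acknowledged and do not time out during the run), followed by legit_rate
    real SYNs whose ACK arrives legit_ack_delay ticks later.
    policy="drop":    a SYN arriving at a full backlog is discarded.
    policy="recycle": a SYN arriving at a full backlog evicts the oldest entry.
    Returns (completed, failed) counts for legitimate connections.
    """
    half_open = OrderedDict()   # key -> True if legitimate; insertion order kept
    pending = []                # (tick the ACK arrives, key) for legit SYNs
    completed = failed = 0
    seq = 0
    for t in range(ticks):
        # Deliver ACKs due now. If the entry was evicted, the ACK matches
        # nothing and the client's connection attempt fails.
        still_pending = []
        for ack_tick, key in pending:
            if ack_tick != t:
                still_pending.append((ack_tick, key))
            elif key in half_open:
                del half_open[key]
                completed += 1
            else:
                failed += 1
        pending = still_pending
        # New SYNs for this tick: forged ones first, then the real client.
        for is_legit in [False] * attack_rate + [True] * legit_rate:
            seq += 1
            if len(half_open) >= backlog_size:
                if policy == "drop":
                    if is_legit:
                        failed += 1
                    continue
                half_open.popitem(last=False)   # recycle the oldest half-open
            half_open[seq] = is_legit
            if is_legit:
                pending.append((t + legit_ack_delay, seq))
    return completed, failed


if __name__ == "__main__":
    for label, args in [
        ("no attack, backlog 8, drop",       (8, 0, 1, 2, 10, "drop")),
        ("4 SYN/tick, backlog 8, drop",      (8, 4, 1, 2, 10, "drop")),
        ("4 SYN/tick, backlog 8, recycle",   (8, 4, 1, 2, 10, "recycle")),
        ("8 SYN/tick, backlog 8, recycle",   (8, 8, 1, 2, 10, "recycle")),
        ("8 SYN/tick, backlog 100, drop",    (100, 8, 1, 2, 10, "drop")),
    ]:
        done, lost = simulate(*args)
        print(f"{label}: {done} legitimate connections completed, {lost} failed")
```

With a backlog of 8 and four forged SYNs per tick, the drop policy lets one connection through before the table is full and every later client fails, while recycling the oldest entry keeps all legitimate clients working because their ACK (two ticks later) arrives before they are pushed out; raise the attack to eight SYNs per tick and recycling fails too, exactly the limit the answer describes. Raising the backlog to 100 restores service only because the run is shorter than the attackers' timeout. On Linux the backlog limit is the net.ipv4.tcp_max_syn_backlog sysctl; the standard countermeasure in practice, not covered in the answer above, is SYN cookies (net.ipv4.tcp_syncookies), which avoid storing state for half-open connections altogether.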
(TCO B) What are three things you should keep in mind when writing or reviewing a security policy?
Determine who gets access to each area of your network.
Determine what they can access and how.
Balance trust between people and resources.
Allow access based on the level of trust for users and resources.
Use resources to ensure that trust is not violated.
(TCO C) When a device performs a stateful packet inspection, what characteristics in a packet's header are inspected, and why are they important?
A stateful packet inspection device tracks the state of each connection and checks every packet against that state. From the IP and transport headers it records the source and destination addresses, the protocol, the source and destination ports, and for TCP the flags (SYN, ACK, FIN, RST) and sequence numbers; together these identify which session a packet belongs to and which stage of that session it claims to be. They matter because a static packet filter that looks only at individual headers can be fooled: an attacker can get packets through simply by setting the ACK bit so the packet looks like a "reply" to an existing conversation. A stateful filter instead records session information such as IP addresses and port numbers when an outgoing packet requests a connection, and then admits only those incoming packets that constitute a proper response to a tracked request; everything else is dropped. Because it monitors both incoming and outgoing packets over a period of time, a dynamic (stateful) packet filter can implement a much tighter security posture than a static packet filter can, and many stateful-inspection firewalls also analyse packets up to the application layer.
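As an added example, not from the course text, the Python below contrasts a stateless "allow inbound if ACK is set" rule with a minimal stateful filter that admits an inbound packet only when it matches a connection the inside host itself opened. The packet fields, state names and addresses (RFC 5737 documentation ranges) are constructed for the illustration; a real firewall also checks sequence numbers and ages out idle entries, which are omitted here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the header fields a filter keys on (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset          # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    inbound: bool             # True if it arrives from the untrusted side


def static_filter(pkt):
    """Stateless ACL: any inbound packet with the ACK bit set is treated as a
    reply to an existing conversation. Nothing checks that such a
    conversation exists, which is the weakness the text describes."""
    if not pkt.inbound:
        return "allow"
    return "allow" if "ACK" in pkt.flags else "deny"


class StatefulFilter:
    """Tracks TCP connections opened from the inside and only admits inbound
    packets that are a proper response to one of them."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    def process(self, pkt):
        if not pkt.inbound:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"       # inside host opens a connection
                return "allow"
            state = self.table.get(key)
            if state is None:
                return "deny"                      # outbound packet for no known flow
            if state == "SYN_RECEIVED" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"    # handshake completed
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]                # connection torn down
            return "allow"

        # Inbound: look the packet up by the flow the inside host created.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        state = self.table.get(key)
        if state is None:
            return "deny"                          # no outbound request matches
        if state == "SYN_SENT":
            if pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "SYN_RECEIVED"
                return "allow"
            return "deny"                          # wrong packet for this stage
        if "ACK" in pkt.flags:
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]
            return "allow"
        return "deny"


def run_scenario():
    """A legitimate HTTPS connection from inside, then a forged inbound packet
    that merely sets ACK. Returns {name: (static verdict, stateful verdict)}."""
    inside, server, rogue = "10.0.0.5", "203.0.113.80", "198.51.100.66"
    packets = [
        ("syn",    Packet(inside, 40001, server, 443, frozenset({"SYN"}), False)),
        ("synack", Packet(server, 443, inside, 40001, frozenset({"SYN", "ACK"}), True)),
        ("ack",    Packet(inside, 40001, server, 443, frozenset({"ACK"}), False)),
        ("data",   Packet(server, 443, inside, 40001, frozenset({"ACK", "PSH"}), True)),
        # The spoof: looks like a reply, but no inside host ever talked to rogue.
        ("spoof",  Packet(rogue, 443, inside, 40002, frozenset({"ACK", "PSH"}), True)),
    ]
    fw = StatefulFilter()
    return {name: (static_filter(p), fw.process(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (static, stateful) in run_scenario().items():
        print(f"{name:7} static={static:5} stateful={stateful}")
```

Both filters pass the genuine handshake and data packets; only the stateful one rejects the forged "reply", because its table holds no outbound request from 10.0.0.5:40002 to the rogue address.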
(TCO D) What is a DMZ? What is it used for?
A DMZ (demilitarized zone), also known as a perimeter network or screened subnet, is a physical or logical subnet that separates an organization's internal local area network (LAN) from untrusted networks, usually the Internet. External-facing servers, resources and services are placed in the DMZ, so they are reachable from the Internet while the rest of the internal LAN remains unreachable. This adds a layer of security for the LAN: a compromise of an Internet-accessible server does not give the attacker direct access to internal servers and data, because traffic from the DMZ into the LAN is still restricted by the firewall.
(TCO E) What are the three types of VPNs? Describe the characteristics of each one.
Remote access VPNs: Enable remote users to connect securely to a central site across the Internet. This type of VPN is a user-to-LAN connection for employees who need to reach the corporate LAN from the Internet. Their systems run VPN client software that establishes an encrypted link between themselves and the corporate LAN. Typically, a corporation that wants to set up a large remote access VPN provides its users with some form of Internet dial-up account through an ISP; the telecommuters connect to the Internet and then use the VPN client software to reach the corporate network. A good example of a company that needs a remote access VPN is a large firm with hundreds of salespeople in the field. Remote access VPNs are sometimes referred to as soft (software-based) VPNs, virtual private dialup networks (VPDN), or client-based VPNs. Some of the fastest-growing uses are:
▪ VPN-capable mobile devices such as smartphones or tablets.
▪ The Cisco IP Communicator (CIPC) VoIP softphone application, which also works well over a VPN, turning a PC into a secure telephone.
Site-to-site VPNs: Extend a company's private network to other buildings or sites using dedicated equipment, so that employees at those locations can use the same network services. These VPNs are always connected rather than established per user. Site-to-site VPNs are sometimes referred to as hard (hardware-based) VPNs, intranet VPNs, or LAN-to-LAN (L2L) VPNs.
Extranet VPNs: Enable secure connections with business partners, suppliers and customers, for example for e-commerce. An extranet VPN is a site-to-site VPN with the addition of firewall rules that limit the partner to the shared resources and protect the rest of the internal network. A good example is two companies in a supply-and-demand relationship: one company has a demand for supplies and the supplier fulfils it based on the company's needs. Working across an extranet, the two companies can share information more quickly, and the firewall rules ensure that access is granted only to the shared resource.
(TCO F) What is a rogue access point and what is it used for?
A rogue access point is a wireless access point attached to the network without authorization. It may be installed intentionally by an attacker or unintentionally by an employee who wants wireless convenience. Either way it creates a backdoor into the corporate network: an attacker who associates with it reaches the protected network while bypassing all the front-door security measures at the legitimate network edge. Rogue access points installed by employees are a significant threat because they typically have poor security settings (weak or no encryption, default credentials) and extend the corporate network's reach to attackers outside the building, again without passing through any security control.
(TCO G) Define firewalking.
Firewalking is a reconnaissance technique (and a tool of the same name) that sends specially crafted packets through a firewall to determine which ports and protocols it permits. The probes carry a TTL set to expire one hop beyond the firewall: a packet the firewall passes provokes an ICMP time-exceeded reply from the next hop, while one it blocks gets no reply, so the attacker learns the rule set without ever completing a connection to a host behind it. With this knowledge an attacker can craft port scans that slip through the firewall unnoticed and map the network behind it. The usual countermeasure is to block outbound ICMP time-exceeded messages at the firewall and to filter on connection state rather than on port numbers alone.
(TCO B) Discuss the security problems faced by TJX Companies.
According to the book, in 2007 TJX Companies (T.J. Maxx, Marshalls and Bob's Stores) revealed that some 45.6 million credit and debit card numbers had been stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. In addition, the personal data that an estimated 451,000 individuals had provided when returning merchandise without receipts in 2003 was also stolen. Poor wireless network security was one cause; poorly secured in-store computer kiosks were another. The kiosks let individuals apply electronically for jobs, but they were not isolated from the corporate network, so anyone walking in had a path to the company's network infrastructure. The intruders opened the backs of those terminals and used USB drives to load software onto them. TJX was aware of the security problems and failed either to disclose the risks or to remedy them; those inactions increased the company's liability under the law. Among the security issues:
▪ An improperly configured and secured wireless network
▪ Failure to isolate and secure cardholder-data devices from the rest of the network
▪ Failure to manage securely the systems used to store, process and transmit cardholder data
▪ Insecure storage of prohibited cardholder data
▪ Usernames and passwords that were easy to crack or guess
▪ Weak or nonexistent security software and systems