Which of the following is the best definition for war-driving?
Driving and seeking rival hackers
Driving while hacking and seeking a computer job
Driving looking for wireless networks to hack
Driving while using a wireless connection to hack
In addition to mandating federal agencies to establish security measures, the Computer Security Act of 1987 defined important terms such as:
security information
private information
unauthorized access
sensitive information
What are the three approaches to security?
High security, medium security, and low security
Perimeter, layered, and hybrid
Internal, external, and hybrid
Perimeter, complete, and none
An attack characterized by an explicit attempt by attackers to prevent legitimate users from accessing a system is called:
war-dialing
spoofing
denial of service
social engineering
The first computer incident response team is affiliated with what university?
Harvard University
Princeton
Carnegie-Mellon University
Yale
The process of reviewing logs, records, and procedures to determine whether they meet appropriate standards is called:
auditing
filtering
authenticating
sneaking
Which of the following best defines the primary difference between a sneaker and an auditor?
There is no difference
The sneaker tends to be less skilled
The sneaker tends to use more unconventional methods
The auditor tends to be less skilled
Which of the following types of privacy laws affect computer security?
Any privacy law applicable to your organization
Any privacy law
Any federal privacy law
Any state privacy law
An intrusion-detection system is an example of:
Proactive security
Perimeter security
Good security practices
Hybrid security
Which of the following is the best definition of “sensitive information”?
Any information that is worth more than $1,000
Any information that has monetary value and is protected by any privacy laws
Any information that, if accessed by unauthorized personnel, could damage your organization in any way
Military or defense related information
Which of the following maintains a repository for information on virus outbreaks and detailed information about specific viruses?
F-Secure Corporation
CERT
SANS Institute
Microsoft Security Advisor
Which is a technique used to provide false information about data packets?
Phreaking
Social engineering
Hacking
Spoofing
What is the term for hacking a phone system?
phreaking
Cracking
Telco-hacking
Which is NOT one of the three broad classes of security threats?
Preventing or blocking access to a system
Gaining unauthorized access into a system
Malicious software
Disclosing contents of private networks
Are there any reasons not to take an extreme view of security, if that view errs on the side of caution?
No, there is no reason not to take such an extreme view.
Yes, if you are going to err, assume there are few if any realistic threats.
Yes, that can lead to wasting resources on threats that are not likely.
Yes, that can require that you increase your security skills in order to implement more rigorous defenses.
A text file that is downloaded to a computer by a Web site to provide information about the Web site and online access is called a:
cookie
Trojan horse
script kiddy
key logger
Which of the following is the most basic security activity?
Installing a firewall
Controlling access to resources
Authenticating users
Using a virus scanner
Which of the following is NOT a connectivity device used to connect machines on a network?
Network interface card
Hub
Proxy server
Switch
The process of determining whether the credentials given by a user are authorized to access a particular network resource is called:
accessing
authorization
authentication
Which approach to security is proactive in addressing potential threats before they occur?
Layered security approach
Passive security approach
Dynamic security approach
Hybrid security approach
Those who exploit systems for harm such as to erase files, change data, or deface Web sites are typically called:
gray hat hackers
black hat hackers
white hat hackers
red hat hackers
Encryption and virtual private networks are techniques used to secure which of the following?
Connection points
Data
Firewalls
Proxy servers
Which of the following is the best definition for the term sneaker?
An amateur hacker
A person who hacks a system to test its vulnerabilities
A person who hacks a system by faking a legitimate password
An amateur who hacks a system without being caught
Which of the following is not one of the three major classes of threats?
Online auction fraud
Denial of Service attacks
A computer virus or worm
Actually intruding on a system
What is a computer virus?
Any program that can change your Windows registry.
Any program that self replicates
Any program that causes harm to your system
Any program that is downloaded to your system without your permission
When assessing threats to a system, what three factors should you consider?
How much traffic the system gets, the security budget, and the skill level of the security team
The system’s attractiveness, the information contained on the system, and how much traffic the system gets
The skill level of the security team, the system’s attractiveness, and how much traffic the system gets
The system’s attractiveness, the information contained on the system, and the security budget
Which of the following would most likely be classified as misuses of systems?
Using your business computer to conduct your own (non-company) business
Getting an occasional personal email
Looking up information on a competitor using the Web
Shopping on the web during lunch
What is a technique used to determine if someone is trying to falsely deny that they performed a particular action?
Non-repudiation
Access Control Authorization
Auditing
Sneaking
Which approach to security addresses both the system perimeter and individual systems within the network?
Perimeter security approach
Hybrid security approach
Which of the following gives the best definition of spyware?
Any software that monitors which Web sites you visit
Any software or hardware that monitors your system
Any software that logs keystrokes
Any software used to gather intelligence
Which of the following is the best definition for non-repudiation?
It is another term for user authentication
Processes that verify which user performs what action
Security that does not allow the potential intruder to deny his attack
Access control
Blocking attacks seek to accomplish what?
Prevent legitimate users from accessing a system
Breaking into a target system
Shut down security measures
Install a virus on the target machine
Which term is generally used by hackers to refer to attempts at intrusion into a system without permission and usually for malevolent purposes?
Blocking
The most desirable approach to security is one which is:
Layered and dynamic
Perimeter and static
Layered and static
Perimeter and dynamic
Which of the following activities do security professionals recommend to limit the chances of becoming a target for a Trojan horse?
Prevent employees from downloading and installing any programs
Download and install Windows updates and patches monthly
Only open e-mail attachments from friends or co-workers
Only download jokes, animated Flash files, or utility programs from popular sites
Which method of defense against a SYN flood involves altering the response timeout?
Micro blocks
SYN cookies
RST cookies
Stack tweaking
Which created a buffer overflow attack against a Windows flaw called the DCOM RPC vulnerability?
Blaster
MyDoom
SoBig
Slammer
What do many analysts believe was the reason for the MyDoom virus/worm?
A DoS attack against Microsoft.com
A DoS attack targeting Microsoft Windows IIS servers
An e-mail attack targeting Bill Gates
A DDoS attack targeting Santa Cruz Operations
Which is NOT true about a buffer overflow attack?
Susceptibility to a buffer overflow is entirely contingent on software flaws.
A hacker does not need a good working knowledge of some programming language to create a buffer overflow.
A buffer overflow can load malicious data into memory and run it on a target machine.
A careful programmer will write applications so the buffer will truncate or reject data that exceeds the buffer length.
What is the name for a DoS defense that is dependent on sending back a hash code to the client?
Server reflection
RST cookie
SYN cookie
What is the best way to defend against a buffer overflow?
Stopping all ICMP traffic
Using a robust firewall
Keeping all software patched and updated
Blocking TCP packets at the router
The spread of viruses can be minimized by all of the following EXCEPT:
using a code word with friends to determine if attachments are legitimate
using a virus scanner
immediately following instructions in security alerts e-mailed to you from Microsoft
never opening attachments you are unsure of
Which of the following is NOT a denial of service attack?
Ping of Death
SYN flood
Smurf attack
Which of the following is the best definition for IP spoofing?
Sending packets that are misconfigured
Sending a packet that appears to come from a trusted IP
Setting up a fake Web site that appears to be a different site
Rerouting packets to a different IP
Which attack relies on broadcast packets to cause a network to actually flood itself with ICMP packets?
Tribal flood
ICMP flood
Which attack occurs by sending packets that are too large for the target machine to handle?
Ping of death
One of the most common types of attacks via the Internet is:
Buffer overflow
IP spoofing
Session hacking
Denial of service
Which of the following virus attacks initiated a DoS attack?
Walachi
Bagle
Faux
Which router configuration is potentially least vulnerable to an attack?
Routers that filter packets with source addresses in the local domain
Proxy firewalls where the proxy applications use the source IP address for authentication
Routers to external networks that support multiple internal interfaces
Routers with two interfaces that support subnetting on the internal network
What is a technical weakness of the Stack tweaking defense?
It only decreases time out but does not actually stop DoS attacks
It is complicated and requires very skilled technicians to implement
It is resource intensive and can degrade server performance.
It is ineffective against DoS attacks
Which created a domestic “cyber terrorism” attack against a Unix distributor?
W32.Storm.Worm
What is the name for a DoS attack that causes machines on a network to initiate a DoS against one of that network’s servers?
Distributed Denial of Service
Which of the following would be the best defense if your Web server had limited resources but you needed a strong defense against DoS?
A firewall
What was the greatest damage from the Bagle virus?
It deleted system files
It corrupted the Windows registry
It was difficult to detect
It shut down antivirus software
How does the SYN cookie work?
Replaces cookies left by virus/worm programs.
Causes server to send wrong SYNACK to the client.
Prevents memory allocation until third part of SYN ACK handshaking.
Enables encryption of outbound packets.
From the attacker’s point of view, what is the primary weakness in a DoS attack?
The attack does not cause actual damage
The attack must be sustained.
The attack is difficult to execute
The attack is easily thwarted
Shutting down router and firewall ports 5554 and 9996 will block most damage from which of these?
Sobig
Trojan horses
Sasser
Which attack causes Internet routers to attack the target systems without actually compromising the routers themselves?
Tribal Flood Network
Distributed Reflection Denial of Service
What DoS attack is based on leaving connections half open?
Smurf Attack
What is the best method of defending against IP spoofing?
Installing a router/firewall that blocks packets that appear to be originating within the network
Blocking all incoming TCP traffic
Blocking all incoming ICMP traffic
Installing a router/firewall that blocks packets that appear to be originating from outside the network
Which of the following best describes session hacking?
Taking over a target machine via a Trojan horse
Taking control of the login session
Taking control of a target machine remotely
Taking control of the communication link between two machines
Which of the following is a recommended configuration of your firewall to defend against DoS attacks?
Block TCP packets that originate outside your network
Block all incoming packets
Block ICMP packets that originate outside your network
Block all ICMP packets
Which copies itself into the Windows directory and creates a registry key to load itself at startup?
Which presented itself as an e-mail from the system administrator informing the user of a virus infection and gave directions to open an e-mail attachment which would then scan for e-mail addresses and shared folders?
Minmail
Which of the following best describes a buffer overflow attack?
An attack that attempts to put misconfigured data into a memory buffer
An attack that attempts to send oversized TCP packets
An attack that attempts to put too much data in a memory buffer
An attack that overflows the target with too many TCP packets
What is a Trojan horse?
Software that deletes system files then infects other machines
Software that self replicates
Software that causes harm to your system
Software that appears to be benign but really has some malicious purpose
Which of the following denial of service attacks results from a client’s failure to respond to the server’s reply to a request for connection?
UDP flood
What is the danger inherent in IP spoofing attacks?
Many of these attacks open the door for other attacks
Many firewalls don’t examine packets that seem to come from within the network.
They can be difficult to stop
They are very damaging to target systems
Which is NOT a typical adverse result of a virus?
Increased network traffic
Changing system settings
Increased network functionality and responsiveness
Deletion of files
What type of firewall is Check Point Firewall-1?
Packet filtering/application gateway hybrid
SPI/application gateway hybrid
Circuit level gateway
Application gateway
What implementation is Check Point Firewall-1?
Switch based
Host based
Network based
Router based
Which is a hardware firewall vendor manufacturing Stateful Packet Inspection units with NAT and DES especially for small offices?
Cisco
Wolverine
D-Link
Check Point
Should a home user with ICF block port 80, and why or why not?
She should not because it would prevent her from using Web Pages
She should not because that will prevent her from getting updates and patches
She should unless she is running a Web server on her machine.
She should because port 80 is a common attack point for hackers
Why is an SPI firewall more resistant to flooding attacks?
It requires user authentication
It examines each packet in the context of previous packets
It automatically blocks large traffic from a single IP
It examines the destination IP of all packets
Snort is which type of IDS?
Client-based
Router-based
OS-based
Host-based
What is one complexity found in enterprise environments that is unlikely in small networks or SOHO environments?
Diverse user groups
Web vulnerabilities
Multiple operating systems
Users running different applications
Which type of IDS is the Cisco Sensor?
Anomaly detection
Intrusion deterrence
Intrusion deflection
Anomaly deterrence
It should be routine for someone in the IT security staff to
Physically inspect the firewall
Review firewall logs
Reboot the firewall
Test the firewall by attempting a ping flood
Using a server running the Linux operating system with its built-in firewall as the network firewall is one example of which firewall configuration?
router-based
dual-homed host
network host-based
screened host
What is an advantage of an enterprise environment?
Skilled technical personnel available
Multiple operating systems to deal with
IDS systems not needed
Lower security needs
Which is true about SonicWALL firewall solutions?
They work on Linux, Unix, Solaris, and Windows platforms.
They are relatively inexpensive.
All models contain built-in encryption.
They include built-in proxy server capabilities.
In which mode of operation does Snort display a continuous stream of packet contents to the console?
Heuristic mode
Network intrusion-detection mode
Packet logger mode
Packet sniffer mode
In comparing a packet filter firewall with a stateful packet inspection firewall (SPI), the SPI firewall is:
LESS susceptible to ping and SYN floods but MORE susceptible to IP spoofing
LESS susceptible to ping and SYN floods and LESS susceptible to IP spoofing.
MORE susceptible to ping and SYN floods and MORE susceptible to IP spoofing
MORE susceptible to ping and SYN floods and LESS susceptible to IP spoofing
Which of the following are four basic types of firewalls?
Screening, bastion, dual-homed, circuit level
Packet filtering, application gateway, circuit level, stateful packet inspection
Stateful packet inspection, gateway, bastion, screening
Application gateway, bastion, dual-homed, screening
In many typical configurations with multiple firewalls, e-mail servers and FTP servers are located in the:
internal corporate network
demilitarized zone
corporate intranet
external network
Which of the following is not an advantage of the Fortigate firewall?
Built-in encryption
Built-in virus scanning
Content filtering
Low cost
Should a home user block ICMP traffic, and why or why not?
It should be blocked because such traffic is often used to transmit a virus
It should be blocked because such traffic is often used to do port scans and flood attacks
It should not be blocked because it is necessary for network operations
It should not be blocked because it is necessary for using the Web
Why might a proxy gateway be susceptible to a flood attack?
It does not require user authentication
It allows multiple simultaneous connections
It does not properly filter packets
Its authentication method takes more time and resources
A standalone technology that hides internal addresses from the outside and only allows connections that originate from inside the network is called:
TFTP
HTTP
DMZ
NAT
What is another term for preemptive blocking?
Banishment vigilance
Intruder blocking
User deflection
Which serves as a single contact point between the Internet and the private network?
Bastion host
Screened host
Dual-homed host
One type of intrusion-detection and avoidance which involves identifying suspect IP addresses and preventing intrusions is called:
anomaly detection
intrusion deterrence
preemptive blocking
intrusion deflection
NAT is a replacement for what technology?
Firewall
IDS
Antivirus software
Which is a robust commercial software firewall solution for Linux operating systems?
SonicWALL
McAfee Personal Firewall
Symantec Norton Firewall
Which is true about Windows XP Internet Connection Firewall (ICF)?
It has a logging feature enabled by default.
It works best in conjunction with a perimeter firewall.
It blocks incoming and outgoing packets.
It is a screened host firewall.
Which of the following is not a profiling strategy used in anomaly detection?
Executable profiling
Threshold monitoring
Resource profiling
System monitoring
Which type of intrusion-detection relies on people rather than software or hardware?
Infiltration
Which type of firewall is included in Windows XP and many distributions of Linux operating systems?
Stateful packet inspection
User authentication
Packet filter
Application proxy
What type of firewall requires individual client applications to be authorized to connect?
Dual-homed
Screened gateway
Which of the following is not one of Snort’s modes?
Network intrusion-detection
Sniffer
Packet logger
Packet filtering
What tool does McAfee Personal Firewall offer?
A visual tool to trace attacks
Strong encryption
Vulnerability scanning
An open source software circuit level gateway is available from which of the following?
Watchguard Technologies
Teros
Amrita Labs
Which type of firewall creates a private virtual connection with the client?
Bastion
Which type of firewall negotiates between the server and client to permit or deny connection based on the type of software and connection requested?
Which firewall configuration would be appropriate within a network to separate and protect various subnets of a network to provide greater security?
bastion host
Which of the following is not a common feature of most single PC firewalls?
Software-based
Ease of use
Built-in NAT
A firewall designed to secure an individual personal computer is a:
screened host firewall
single machine firewall
simple hardware firewall
combination hardware/software firewall
What type of firewall is SonicWALL TI70?
Circuit-level gateway
Packet screening
Stateful Packet Inspection
Which of the following is an advantage of the network host-based configuration?
It is resistant to IP spoofing
It has user authentication
It is inexpensive or free
It is more secure
Which of the following is a benefit of Cisco firewalls?
Very low cost
Built-in virus scanning on all products
Built-in IDS on all products
Extensive training available on the product
Once a circuit level gateway verifies the user’s logon, it creates a virtual circuit between:
the internal client and the external server
the external server and the proxy server
the external server and the firewall
the internal client and the proxy server
At what OSI layer do packet filters function?
Physical layer
Transport layer
Network layer
Data link layer
Which is NOT a function of an intrusion-detection system?
Inspect all inbound and outbound port activity
Notify the system administrator of suspicious activity
Infiltrate the illicit system to acquire information
Look for patterns in port activity
What might one see in an implementation of intrusion deterrence?
Real resources with fake names
Fake resources with legitimate-sounding names
Blocking of legitimate users by mistake
Profiling of users, resources, groups, or applications
A system that is set up for attracting and monitoring intruders is called what?
Fly paper
Honey pot
Hacker cage
Trap door
A device that hides internal IP addresses is called
Bastion firewall
A screened host
Medium-sized networks have what problem?
Low budgets
Diverse user group
Need to connect multiple LANs into a single WAN
Lack of skilled technical personnel
A firewall that uses a combination of approaches rather than a single approach to protect the network is called:
multi-homed
dual-homed
open source
hybrid
How can vulnerability to flooding attacks be reduced with an application gateway?
Packets are continually checked during the connection
Vulnerability to flooding attacks with an application gateway cannot be mitigated
External systems never see the gateway
Identifying abnormal activity on a firewall requires that one establish a:
baseline
proxy server
An intrusion-detection system detecting a series of ICMP packets sent to each port from the same IP address might indicate:
scanning of the system for vulnerabilities prior to an attack
Trojan horse/virus infection sending information back home
a Distributed Denial of Service attack in progress
the system has been infiltrated by an outsider
Why is an SPI firewall less susceptible to spoofing attacks?
It requires client application authentication
It automatically blocks spoofed packets
It examines the source IP of all packets
What is ICF?
Windows XP Internet Connection Firewall
Windows 2000 Internet Connection Firewall
Windows 2000 Internet Control Firewall
Windows XP Internet Control Firewall
Which is a firewall vendor manufacturing a host-based firewall for Windows 2000 Server, Sun Solaris, and Red Hat Linux environments?
Which of the following is not a reason to avoid choosing infiltration as part of an IDS strategy?
It can be time consuming
It requires knowledge of the target group
It can be expensive
The group may retaliate
A series of ICMP packets sent to your ports in sequence might indicate what?
A packet sniffer
A port scan
A DoS attack
A ping flood
An intrusion-detection method that measures and monitors how programs use system resources is called:
user/group profiling.
resource profiling.
executable profiling.
threshold monitoring.
Which strategy is used in the implementation of intrusion deterrence?
Installing honey pots to pose as important system
Monitoring connection attempts to identify IP addresses of attackers
Using fake names to camouflage important systems
Infiltrating online hacker groups
Which method of intrusion-detection develops historic usage levels to measure activity against?
Application profiling
Infiltration profiling
What is the greatest danger in a network host-based configuration?
SYN flood attacks
Operating System Security flaws
Ping flood attacks
Which type of firewall is generally the simplest and least expensive?
Implementation of intrusion deflection as a strategy requires the use of:
fake targets
blocking software
warnings to intruders to leave
innocuous names for sensitive targets
Which of the following is found in Norton’s personal firewall but not in ICF?
Which of the following is a common problem when seeking information on firewalls?
Unbiased information may be hard to find.
It is difficult to find information on the Web.
Information often emphasizes price rather than features.
Documentation is often incomplete
Which of the following can be shipped preconfigured?
Router-based firewalls
Stateful packet inspection firewalls
Dual-homed firewalls
Network host-based firewalls
Which is a term used to refer to the process of authentication and verification?
Filtering
Negotiation
Connecting
Screening
Which intrusion detection strategy monitors and compares activity against preset acceptable levels?
Infiltration monitoring
Application monitoring
Which of the following is a problem with the approach of a profiling strategy that is used in anomaly detection?
It misses many attacks
It is resource intensive
It yields many false positives
It is difficult to configure
What is the purpose of the warning configuration for Specter’s email file?
To scare off at least novice hackers
To keep your normal users honest
To deter highly skilled hackers
To track hackers back to their source IPs
Regarding the Firewall-1 firewall, which of the following is NOT true?
It is particularly vulnerable to SYN floods.
It is a packet filtering, application gateway hybrid.
It uses Stateful Packet Inspection.
It automatically blocks and logs oversized packets.
IDS is an acronym for:
Intrusion deterrence service
Intrusion-detection service
Intrusion deterrence system
Intrusion-detection system
What is the most important security advantage to NAT?
It hides internal network addresses
By default it blocks all ICMP packets
It blocks incoming ICMP packets
By default it only allows outbound connections
Which is true about the Wolverine firewall solution?
It includes built-in VPN capabilities.
It works on Linux, Unix, Solaris, and Windows platforms.
Encryption can be added with a free Web download.
It is expensive.
What four rules must be set for packet filtering firewalls?
Username, password, protocol type, destination IP
Source IP, destination IP, username, password
Protocol type, source port, destination port, source IP
Protocol version, destination IP, source port, username
Setting up parameters for acceptable use, such as the number of login attempts, and watching to see if those levels are exceeded is referred to as what?
Attempts by an intruder to determine information about a system prior to the start of an intrusion attack is called:
foot printing
infiltration
deflecting
detecting
Which is NOT a service included in the Norton single machine firewall?
Data recovery
Popup ad blocking
Blocking of outgoing traffic
Privacy protection
Banishment vigilance is another name for:
Which type of encryption is included with the T170?
PGP and AES
WEP and DES
WEP and PGP
AES and DES
Which is a unique feature of the McAfee Personal Firewall that is not found on most personal firewalls?
Blocking incoming traffic on selected ports
Online scanning of system for vulnerabilities
Performing traceroute to show the source of incoming packets
Recording a log of all attempts at incoming packets
Why might you run Specter in strange mode?
It will be difficult to determine the system is a honey pot
It will deter novice hackers
It may fascinate hackers and keep them online long enough to catch them
It may confuse hackers and deter them from your systems
A firewall configuration using a server as a router and running multiple network interfaces with automatic routing disabled is an example of a:
Which intrusion-detection method measures activity levels against known short-term and/or long-term work profiles?
User/group work profiling
Why might a circuit level gateway be inappropriate for some situations?
It blocks web traffic
It is simply too expensive
It has no user authentication
It requires client side configuration
Which is NOT true about enterprise networks and firewall solutions?
They are likely to be supported by multiple network administrators.
They are usually made up of several interconnected networks.
They are usually easier to manage and secure.
They are likely to contain several different operating systems.
Attempting to make your system appear less appealing is referred to as what?
System deterrence
System camouflage
Which of the following is an important feature of D-Link DFL 300?
Liberal licensing policy
WEP encryption
Built-in IDS
Which firewall solution would be best for a large enterprise running Windows XP Professional and Linux operating systems, using the Internet, and requiring remote access to their Intranet server for field sales people?
Check Point Firewall-1
Cisco PIX 515E
Fortigate 3600
A profiling technique that monitors how applications use resources is called what?
Symantec Decoy Server does all of the following EXCEPT:
simulate incoming mail server functions
record all traffic related to an intrusion attack
simulate outgoing mail server functions
track attacking packets to their source
Attempting to attract intruders to a system set up to monitor them is called what?
Intrusion routing
Intrusion banishment
Which type of firewall is considered the most secure?
Following rules and learning from experience as part of the process to identify and notify an administrator about an intrusion are typical when Snort is operating in which mode?
Sniffer mode
Command mode
Which of the following solutions is actually a combination of firewalls?
Screened firewalls
Bastion host firewalls
Which is NOT one of the basic premises under which a honey pot functions?
Intruders will tend to go for easy targets with valuable data
Any traffic to the honey pot is suspicious
Security must allow attackers inside
Only legitimate users have a reason to connect to it
corporate Intranet