How do wireless IDSs get their data?

Answer: In a centralized wireless intrusion detection system, each access point (or a dedicated sensor) acts as a wireless IDS agent, sending relevant events to the central wireless IDS console. The console stores the data in an IDS database and sorts through it to find indications of problems, such as rogue or evil twin access points and deauthentication floods.

What is the purpose of a wireless IDS?

Answer: It is to collect data from wireless access points that can be used to detect attacks.

How long must passphrases be for adequate security?

Answer: Passphrases must be at least 20 characters long for adequate security, and preferably longer. The reason is that in PSK (personal) mode the key is derived from the passphrase, so an attacker who captures a client's initial handshake can test passphrase guesses offline; short or dictionary-based passphrases fall to such guessing.

How are PSK/personal keys generated?

Answer: The administrator types the same passphrase into every client and into the access point. Each device stretches that passphrase (with the network's SSID as salt) into the 256-bit pre-shared key, so the passphrase itself is never transmitted.
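The derivation described in the last two cards, as an added example (not part of the study guide). The algorithm is the one IEEE 802.11i specifies for WPA/WPA2-Personal (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32-byte output) and the "password"/"IEEE" vector is the standard's own test vector; the word list, the function names and the entropy helper are this example's own.

```python
"""WPA/WPA2-Personal key derivation and why passphrase length matters.

Added example, not from the study guide. PSK = PBKDF2-HMAC-SHA1(passphrase,
SSID, 4096 iterations, 32 bytes) as in IEEE 802.11i; the candidate word list
used for the offline guess is constructed here.
"""
import hashlib
import math


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK that every client and the AP compute from the passphrase."""
    # 802.11i restricts passphrases to 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def dictionary_attack(target_psk: bytes, ssid: str, candidates):
    """Offline guessing: an attacker holding a captured 4-way handshake can verify
    each guess the same way this function does. Returns the matching passphrase or None."""
    for guess in candidates:
        if derive_psk(guess, ssid) == target_psk:
            return guess
    return None


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase chosen uniformly at random from an alphabet (not a word list)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    psk = derive_psk("password", "IEEE")
    print(psk.hex())  # 802.11i test vector: f42c6fc5...a12e
    # constructed word list: an 8-character dictionary passphrase falls immediately
    print(dictionary_attack(psk, "IEEE", ["letmein1", "password", "Summer2024!"]))
    print(round(passphrase_entropy_bits(20, 95)), "bits for a random 20-character passphrase")
```

The 4096-iteration stretch slows each guess but does not change the arithmetic: a passphrase drawn from a word list is found after as many guesses as the list has entries, while a random 20-character passphrase over the printable ASCII alphabet carries about 131 bits of entropy and is out of reach.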

Why is using a shared initial key not dangerous?

Answer: This key is used only briefly, when a client first authenticates itself to the access point. The access point and client then agree on a session key that is used for the rest of the session. With only a handful of messages protected by the shared initial key, there is far too little material for a cryptanalyst to recover it from traffic alone. The practical caveat is that those handshake messages do let an attacker test passphrase guesses offline, which is why the passphrase must be long and not a dictionary word.

Compare WPA and 802.11i security.

Answer: WPA uses the relatively weak RC4 cipher for confidentiality and the only moderately strong Temporal Key Integrity Protocol (TKIP) for keying and rekeying. Although there had been no published crack of WPA as a whole at the time of this writing, TKIP has been partially cracked, and security professionals are uncomfortable with WPA's security methods. 802.11i (marketed as WPA2) replaces both with AES in CCMP mode, which provides confidentiality and message integrity with a strong cipher and fresh per-session keys.

What prompted the Wi-Fi Alliance to create WPA?

Answer: The inadequacy of WEP (which can be cracked in minutes) caused many companies to freeze WLAN deployment and in some cases turn off existing WLANs. This wide scale lack of trust in WLAN security prompted the Wi-Fi Alliance to create WPA.

Should corporations use WEP for security today?

Answer: No. Given how easily and quickly WEP can be cracked, it makes no sense for corporations to use WEP today. In fact, it only gives a false sense of security, which may be worse than no security at all.

How long may WEP take to crack today?

Answer: If a company encrypts a large enough volume of traffic with the same secret key, the attacker can often compute the entire secret key in two or three minutes.

Why are permanent shared keys undesirable?

Answer: Permanent shared keys are undesirable because in large firms that have many access points sharing the same WEP key, the practical difficulties in changing everyone's key means that shared keys are almost never changed. In addition, because "everybody knows" the key, people share the key freely even when they are told not to. Worst of all, if a company fires a disgruntled employee, it must change the key on every access point for which the employee may know the key. In many cases, changing the key will be prohibitively expensive and will inconvenience many workers.

Is 802.11i security strong? Explain.

Answer: 802.11i security is very strong. 802.11i not only provides authentication, but it supplies all of the protections expected in a strong cryptographic security system. For confidentiality it uses 128-bit AES in CCMP mode, a robust symmetric cipher that also gives message integrity. Session keys are derived afresh for each association through the 802.11i key handshakes rather than being reused, which removes the key-reuse weaknesses of WEP. This strength assumes a correct implementation and, in PSK mode, a strong passphrase.

Distinguish between EAP-TLS and PEAP in their options for inner authentication.

Answer: With EAP-TLS, the client authenticates with its own digital certificate inside the TLS handshake, so inner authentication also uses TLS. With PEAP, the client can use any method specified in the EAP standard inside the TLS tunnel, ranging from passwords (commonly MS-CHAP) through digital certificates.

For 802.11i, distinguish between outer and inner authentication.

Answer: Outer authentication in 802.11i consists of the wireless client establishing a TLS connection (through the access point) to the central authentication server; the server proves its identity with a digital certificate, which is what lets a client detect an evil twin. Inner authentication follows and occurs when the client authenticates itself to the central authentication server using EAP, within the protection of the TLS tunnel.

Why is it impossible to extend 802.1X operation using EAP directly to WLANs?

Answer: EAP assumes that the connection between the supplicant and the authenticator is secure, which is true of a wired link to a switch port but not of wireless transmission. Thus, 802.1X operation using EAP cannot be directly extended to WLANs; 802.11i instead carries EAP inside a TLS tunnel and derives the link encryption keys from the result of authentication.

What would happen if a wireless network were flooded with CTS frames?

Answer: A flood of CTS frames with long transmission durations keeps other clients waiting, because every station honors the duration value and defers. A flood of RTS frames produces a flood of CTS frames. Both produce an effective DoS attack on the wireless network. Again, these control frames are not authenticated, so any station can forge them.

What type of attack commands could be sent to cause a wireless DoS attack?

Answer: An attacker could use packet injection to send spoofed deauthenticate messages to the AP. The spoofed source addresses would correspond to each wireless client on the WLAN. The deauthenticate message says that the sender wants to terminate the authenticated connection. The victim must reauthenticate with the AP before it can communicate. The same works in the other direction, spoofing the AP's address toward the clients. Management frames of this kind are unauthenticated unless the network uses protected management frames (802.11w).

How would a wireless DoS attack be carried out?

Answer: Wireless DoS attacks can be carried out by (1) flooding the radio frequency being used (jamming), (2) flooding the AP with more frames than it can handle, and (3) continually sending spoofed "disassociate" or "deauthenticate" frames to all internal wireless clients.
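The CTS and deauthentication floods described in the preceding cards, as an added detection example (not part of the study guide). The frame layouts are those of IEEE 802.11 (frame control byte with type and subtype, duration/ID field, receiver and transmitter addresses, BSSID); the sample frames, the MAC addresses, the sliding-window thresholds and all function names are constructed for this example.

```python
"""Detecting deauthentication and CTS floods from raw 802.11 frame headers.

Added example, not from the study guide. Frame layout per IEEE 802.11:
frame control (2 bytes), duration/ID (2), addr1, then addr2/addr3 for
management frames. The captures and thresholds below are constructed.
"""
import struct
from collections import defaultdict, deque

# (type, subtype) from the frame-control field; type 0 = management, 1 = control
DEAUTH, DISASSOC, RTS, CTS = (0, 12), (0, 10), (1, 11), (1, 12)


def parse_frame(raw: bytes) -> dict:
    """Return type/subtype, duration (NAV in microseconds) and addresses of a frame."""
    fc0, _fc1, duration = struct.unpack_from("<BBH", raw, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {"type": ftype, "subtype": subtype, "duration": duration, "addr1": raw[4:10].hex(":")}
    if (ftype, subtype) == CTS:           # CTS carries only the receiver address
        return info
    info["addr2"] = raw[10:16].hex(":")   # transmitter address: spoofable, never authenticated
    if ftype == 0:                        # management frames also carry the BSSID
        info["addr3"] = raw[16:22].hex(":")
        if (ftype, subtype) in (DEAUTH, DISASSOC):
            info["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return info


def build_frame(kind, addr1, addr2=None, bssid=None, duration=0, reason=0) -> bytes:
    """Fabricate a minimal frame of the given kind (only used to build the sample capture)."""
    ftype, subtype = kind
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    head = struct.pack("<BBH", (subtype << 4) | (ftype << 2), 0, duration) + mac(addr1)
    if kind == CTS:
        return head
    head += mac(addr2)
    if ftype == 0:
        head += mac(bssid) + b"\x00\x00" + struct.pack("<H", reason)   # seq ctl + reason code
    return head


class FloodDetector:
    """Sliding-window counters: alert when one BSSID sees too many deauth/disassoc
    frames, or when CTS frames reserve the medium for most of the window."""

    def __init__(self, window_s=1.0, deauth_limit=10, nav_fraction=0.5):
        self.window_s, self.deauth_limit, self.nav_fraction = window_s, deauth_limit, nav_fraction
        self.seen = defaultdict(deque)   # (kind, address) -> deque of (timestamp, weight)

    def _window(self, key, ts, weight):
        dq = self.seen[key]
        dq.append((ts, weight))
        while dq and ts - dq[0][0] > self.window_s:
            dq.popleft()
        return dq

    def observe(self, ts: float, raw: bytes):
        """Feed one captured frame; return an alert string or None."""
        f = parse_frame(raw)
        kind = (f["type"], f["subtype"])
        if kind in (DEAUTH, DISASSOC):
            dq = self._window(("deauth", f["addr3"]), ts, 1)
            if len(dq) > self.deauth_limit:
                return f"deauth/disassoc flood on BSSID {f['addr3']}: {len(dq)} frames in {self.window_s}s"
        elif kind == CTS:
            dq = self._window(("cts", f["addr1"]), ts, f["duration"])
            reserved = sum(w for _, w in dq) / 1e6        # NAV microseconds -> seconds
            if reserved > self.nav_fraction * self.window_s:
                return f"CTS flood toward {f['addr1']}: NAV reserves {reserved:.2f}s of the last {self.window_s}s"
        return None


if __name__ == "__main__":
    ap = "00:11:22:33:44:55"                     # constructed BSSID
    det = FloodDetector()
    deauth = build_frame(DEAUTH, "ff:ff:ff:ff:ff:ff", ap, ap, reason=7)   # "sent from" the AP
    for i in range(12):
        alert = det.observe(i * 0.05, deauth)
    print(alert)
    cts = build_frame(CTS, ap, duration=32767)   # maximum NAV a CTS can reserve
    for i in range(30):
        alert = det.observe(5.0 + i * 0.02, cts)
    print(alert)
```

A wireless IDS sensor applies exactly this kind of per-BSSID rate logic; the thresholds have to be tuned per site, because a busy AP legitimately sends a few deauthentication frames when clients roam or idle out.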

How can the danger of evil twin attacks be addressed?

Answer: The danger of evil twin attacks can be greatly reduced by requiring remote clients to establish VPN connections with VPN gateways before they get access to network resources. Remote access VPN connection setup uses a pre-shared key held on the client and the VPN gateway, and this pre-shared key is never transmitted during authentication, so the evil twin cannot copy usable credentials or keying information, and the traffic it relays stays encrypted end to end. Validating the authentication server's certificate during 802.11i outer authentication likewise lets the client detect an impostor.

In what two types of attacks can the evil twin engage?

Answer: It can capture credentials transmissions and keys and it can also send packets of its own, impersonating the victim client.

Physically, what is an evil twin access point?

Answer: An evil twin access point is simply a PC that has software to allow it to masquerade as an access point.

What man-in-the-middle attack is a danger for 802.11 WLANs?

Answer: The most dangerous man-in-the-middle attack for 802.11 WLANs is the evil twin access point. An evil twin access point is simply a PC that has software that allows it to masquerade as a legitimate access point. The evil twin will pass traffic to legitimate access points transparently, retaining copies of important data sent from the host and a legitimate access point. Evil twin access points can intercept messages during and after security setup, allowing the evil twin to have the necessary keys to decrypt all traffic during a specific session.

Are you liable if someone else uses your wireless network to commit a crime? Why, or why not?

Answer: At the time of this writing, it appears that you are likely not liable for crimes committed by criminals using your wireless network if you attempted to secure it. However, it's unknown if you could be liable for criminal acts performed through an unprotected network. In either case, your ISP can immediately discontinue your service.

Give examples of both internal and external harm caused by unauthorized wireless access.

Answer: Internally, attackers have greater access to information, resources, and other network traffic. They can covertly steal confidential information, read and record network traffic, alter network devices, or plant malware on targeted clients or servers. They may also have access to network shares that were assumed to be protected behind the firewall.
Externally, an attacker could anonymously download, upload, and store illegal content via the wireless network. Even worse, the network could be used as a launching pad for an external attack.

Who would set up a rogue access point? Why?

Answer: Rogue access points are unauthorized access points set up by individuals or departments with little or no security. They are typically set up by internal employees for convenience, without knowing the ramifications of an unsecured wireless AP.

What is the typical range of a WLAN?

Answer: Wireless 802.11 networks typically have a range of 30 to 100 meters extending in all directions from the AP.

Why is there no need to change the operation of the authenticator when a new EAP authentication method is added or an old EAP authentication mode is dropped?

Answer: The software on the authenticator (workgroup switch) does not have to be changed. It merely passes request and response messages through. This is good because a network will have many workgroup switches.

Why is this freedom from the need to make changes in the switch beneficial?

Answer: The freedom to make changes in authentication protocols is beneficial because it reduces costs that would normally be associated with upgrading authenticators if they were tied to specific authentication methods.

In what sense is EAP extensible?

Answer: EAP is considered extensible because it is easy to add new authentication methods to EAP (such as smart cards, MS-CHAP, Diffie-Hellman, etc.) without modifying the general format of the underlying EAP messages. Only the contents are determined by the authentication method chosen.

How does an EAP session start?

Answer: When a switch senses a connection on a port, it begins the EAP session by asking the newly connected device for its identity (an EAP Request/Identity; the device may also trigger this itself with an EAPOL-Start). The identity response is then forwarded to the RADIUS server, which drives the rest of the exchange.

Which device is the verifier? Explain. (Tricky question.)

Answer: There is no single verifier in 802.1X. Instead, the verifier responsibilities are shared between the workgroup switch, known as the authenticator, and the central authentication server.

What are the three benefits of using a central authentication server?

Answer:
Reduced cost: Having a central authentication server reduces the work required to keep multiple authentication databases updated, as well as the authentication processing on individual switches.
Consistency: Credentials are checked against the same authentication database every time, versus relying on possibly outdated authentication databases residing on switches throughout the network.
Immediacy: Central authentication allows access controls to be changed rapidly, which is especially important when trying to restrict access for a recently fired employee or a rogue PC that may be negatively impacting the network.

Where is the heavy authentication work done?

Answer: The heavy authentication work is done on a central authentication server, rather than on the switch.

Why is 802.1X called Port-Based Access Control?

Answer: 802.1X is called Port-Based Access Control because security is implemented on specific ports of an Ethernet workgroup switch: a port passes only authentication (EAPOL) traffic until the device attached to it has been authenticated, and only then is it opened for ordinary traffic.
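The three 802.1X roles from the cards above (supplicant, authenticator, central authentication server), as an added model in Python that is not part of the study guide. The EAP code values (Request 1, Response 2, Success 3, Failure 4) and the Identity method type (1) are those of RFC 3748; method type 99, the user database, the port names and all class and function names are constructed for the example. It shows the two points the cards make: the switch port stays closed to data until the server says Success, and the switch relays EAP without looking at which method is in use.

```python
"""Port-based access control with a pass-through authenticator.

Added example, not from the study guide. Method type 99 is a hypothetical
challenge/response EAP method; credentials and port names are constructed.
"""
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # RFC 3748 codes
EAP_TYPE_IDENTITY = 1                                               # RFC 3748 method type
EAP_TYPE_DEMO = 99  # hypothetical method: server sends a challenge, supplicant answers


@dataclass
class EapPacket:
    code: int
    ident: int
    method: int = 0
    data: bytes = b""


class AuthServer:
    """Central authentication server: holds credentials and implements the EAP methods."""

    def __init__(self, users: dict):          # identity -> shared secret (constructed)
        self.users = users
        self.pending = {}                     # port name -> identity awaiting its challenge answer

    def handle(self, port: str, pkt: EapPacket) -> EapPacket:
        if pkt.code != EAP_RESPONSE:
            return EapPacket(EAP_FAILURE, pkt.ident)
        if pkt.method == EAP_TYPE_IDENTITY:
            self.pending[port] = pkt.data.decode()
            return EapPacket(EAP_REQUEST, pkt.ident + 1, EAP_TYPE_DEMO, b"challenge")
        if pkt.method == EAP_TYPE_DEMO and port in self.pending:
            secret = self.users.get(self.pending.pop(port))
            if secret is not None and pkt.data == secret + b"/challenge":
                return EapPacket(EAP_SUCCESS, pkt.ident + 1)
        return EapPacket(EAP_FAILURE, pkt.ident + 1)


class SwitchPort:
    """Authenticator: relays EAP between supplicant and server and gates the port."""

    def __init__(self, name: str, server: AuthServer):
        self.name, self.server, self.authorized = name, server, False

    def forward(self, frame: bytes) -> bool:
        """Ordinary data frames pass only once the port is authorized."""
        return self.authorized

    def relay(self, pkt: EapPacket) -> EapPacket:
        """EAP from the supplicant is handed to the server untouched: the switch never
        inspects pkt.method, so adding or dropping a method needs no switch change."""
        reply = self.server.handle(self.name, pkt)
        if reply.code == EAP_SUCCESS:
            self.authorized = True
        elif reply.code == EAP_FAILURE:
            self.authorized = False
        return reply


def supplicant_login(port: SwitchPort, identity: str, secret: bytes) -> bool:
    """Run the exchange from the client side; returns whether the port opened."""
    reply = port.relay(EapPacket(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity.encode()))
    if reply.code == EAP_REQUEST and reply.method == EAP_TYPE_DEMO:
        answer = secret + b"/" + reply.data
        reply = port.relay(EapPacket(EAP_RESPONSE, reply.ident, EAP_TYPE_DEMO, answer))
    return reply.code == EAP_SUCCESS


if __name__ == "__main__":
    server = AuthServer({"alice": b"s3cret"})          # constructed user database
    port = SwitchPort("Gi1/0/1", server)
    print("data before auth:", port.forward(b"data"))  # False: port is unauthorized
    print("login:", supplicant_login(port, "alice", b"s3cret"))
    print("data after auth:", port.forward(b"data"))   # True
```

Note that `SwitchPort` never references `EAP_TYPE_DEMO`: replacing the method on the server and the supplicant leaves the switch code unchanged, which is the benefit the cards describe.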

Why is the access threat to wireless LANs more severe?

Answer: The intruder does not even have to enter the building, as he or she needs to do in wired LANs. In WLANs, attackers can connect to unprotected (or poorly protected) wireless access points and bypass border router security from outside of the physical premises of the company.

What is the main access threat to Ethernet LANs?

Answer: Traditionally, Ethernet LANs offered no access security. Any intruder who entered a corporate building could walk up to any wall jack and plug in a notebook computer. The intruder would then have unfettered access to the LAN's computers, bypassing the site's border firewall. This was a complete breakdown in access control.

Could a rogue router direct internal traffic to an outside rogue DNS server? How?

Answer: Yes. The rogue router can assign a false DNS server to internal hosts as part of the SLAAC attack, because Router Advertisements can carry a recursive DNS server option that hosts will use. A false DNS server lets the attacker redirect internal traffic to any number of phishing or impostor sites. Filtering Router Advertisements on untrusted switch ports (RA Guard) is the usual countermeasure.

Would a SLAAC attack work on an existing IPv6 network? Why not?

Answer: The textbook's answer is no: the attack targets existing IPv4 networks, where nothing is watching IPv6. If it were tried on an existing IPv6 network, the network administrator would see conflicting router advertisements and address assignments, and could also assign a specific (legitimate) internal DHCPv6 server to each host. The caveat is that a rogue IPv6 router still does damage on a real IPv6 network; what changes is that the administrator has the monitoring and the switch controls (such as RA Guard) to notice and block it.

What has to be introduced to a network for a SLAAC attack to work?

Answer: A rogue IPv6 router has to be introduced to the network. Once it is present, internal traffic is rerouted through it (Step 1), because the rogue router advertises itself with Router Advertisement (RA) messages over ICMPv6 (Step 2). Hosts receive the RAs and automatically derive their own IPv6 addresses from the advertised prefix using Stateless Address Auto Configuration (SLAAC), then use the rogue router as their default gateway.

Why do hosts automatically prefer IPv6 addressing?

Answer: Traffic on the existing IPv4 network is rerouted through the rogue IPv6 router because newer operating systems are configured by default to prefer IPv6 over IPv4 when both are available. Microsoft Windows 7, Microsoft Windows Server 2008, and Apple OS X all ship with IPv6 fully enabled.

What is a SLAAC attack?

Answer: A Stateless Address Auto Configuration (SLAAC) attack is an attack on the functionality and confidentiality of a network. This attack occurs when a rogue IPv6 router is introduced to an IPv4 network. All traffic is automatically rerouted through the IPv6 router, creating the potential for a MITM attack.
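The Router Advertisement at the heart of the SLAAC attack cards above, parsed and checked the way a switch's RA Guard would do it, as an added example that is not part of the study guide. The RA header and option layouts follow RFC 4861 (Router Advertisement; Source Link-Layer Address and Prefix Information options) and RFC 8106 (the RDNSS option that carries the rogue DNS server); the sample RA bytes, the MAC addresses, the approved-router list and all function names are constructed here, and checksums are left as zero because no IPv6 pseudo-header is built.

```python
"""Parsing ICMPv6 Router Advertisements to spot a rogue router (an RA Guard in miniature).

Added example, not from the study guide. Layouts per RFC 4861 and RFC 8106;
the sample RA, MAC addresses and approved-router list are constructed.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25


def parse_ra(payload: bytes) -> dict:
    """Decode the fields of an RA that decide how hosts will address and route."""
    icmp_type, _code, _csum, _hop_limit, flags, router_lifetime = struct.unpack_from("!BBHBBH", payload, 0)
    if icmp_type != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "src_lladdr": None, "prefixes": [], "dns": []}
    offset = 16                                   # fixed RA header is 16 bytes
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")     # RFC 4861: discard the packet
        body = payload[offset + 2: offset + opt_len * 8]
        if opt_type == OPT_SRC_LLADDR:
            ra["src_lladdr"] = body[:6].hex(":")
        elif opt_type == OPT_PREFIX_INFO:
            plen, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append((f"{prefix}/{plen}", bool(pflags & 0x40)))   # A flag: hosts run SLAAC on it
        elif opt_type == OPT_RDNSS:
            for i in range(6, len(body) - 15, 16):   # skip 2 reserved + 4 lifetime bytes
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        offset += opt_len * 8
    return ra


def check_ra(src_mac: str, payload: bytes, approved_routers: set, ipv6_deployed: bool) -> list:
    """Return the reasons this RA should be dropped or alerted on (empty list = acceptable)."""
    ra = parse_ra(payload)
    reasons = []
    if not ipv6_deployed:
        reasons.append("RA seen on a segment where IPv6 is not deployed (SLAAC attack signature)")
    if src_mac not in approved_routers:
        reasons.append(f"RA from unapproved router {src_mac}")
    if ra["src_lladdr"] and ra["src_lladdr"] != src_mac:
        reasons.append("source link-layer option does not match the Ethernet source")
    if ra["dns"] and src_mac not in approved_routers:
        reasons.append(f"RA pushes DNS servers {ra['dns']} from an untrusted router")
    return reasons


def build_ra(src_mac: str, prefix: str, dns: list, lifetime: int = 1800) -> bytes:
    """Fabricate an RA with a prefix (A flag set) and optional RDNSS option (sample data only)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x00, lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    opt_ll = struct.pack("!BB", OPT_SRC_LLADDR, 1) + mac
    opt_pi = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                         2592000, 604800, 0) + net.network_address.packed
    opt_dns = b""
    if dns:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
        opt_dns = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, lifetime) + addrs
    return hdr + opt_ll + opt_pi + opt_dns


if __name__ == "__main__":
    approved = {"00:11:22:33:44:55"}                               # constructed legitimate router
    rogue_mac = "02:00:5e:00:ba:d1"
    rogue = build_ra(rogue_mac, "2001:db8:dead::/64", ["2001:db8:dead::53"])
    print(parse_ra(rogue))
    for reason in check_ra(rogue_mac, rogue, approved, ipv6_deployed=False):
        print("DROP:", reason)
```

On a real switch the Ethernet source comes from the frame, not from a parameter, and the decision is made per port: RA Guard simply refuses RAs on ports that are not configured as router-facing, which is the check `approved_routers` stands in for.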

Why would limiting local access prevent DoS attacks?

Answer: ARP frames are not routed, so an attacker can only poison ARP tables from a host on the same LAN segment. Limiting who can connect locally (802.1X on switch ports, physical access control) prevents ARP DoS attacks because foreign hosts never get the chance to send ARP replies to internal hosts.

How can static IP and ARP tables be used to prevent ARP poisoning?

Answer: ARP poisoning can be prevented by using static IP addresses and static ARP tables. Static ARP entries are set manually and cannot be updated by ARP replies, spoofed or otherwise. Each computer has a known static IP address that does not change, and every host on the LAN is told which MAC address belongs to each IP address. This is workable only on small, stable LANs; larger networks rely instead on the switch checking ARP replies against its DHCP-learned bindings (dynamic ARP inspection).

How can ARP poisoning be used as a DoS attack?

Answer: Spoofed ARP replies can be used to stop all traffic on the local network as part of an ARP DoS attack. The attacker sends all internal hosts a continuous stream of unsolicited spoofed ARP replies, saying the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5 (Step 1). Hosts record the gateway's IP address and nonexistent MAC address (Step 2).

Why does all network traffic go through the attacker after poisoning the network?

Answer: If the attacker has successfully used spoofed ARP replies to record false entries in the ARP tables of all internal hosts and the gateway, all traffic sent from internal hosts to the gateway will go to the attacker (Step 4). All traffic from the gateway will also go through the attacker's computer, which now relays it as part of a MITM attack (Step 5).

Does the attacker have to poison the gateway's ARP tables too? Why?

Answer: Yes. After the attacker has successfully rerouted the host traffic, it needs to reroute the traffic coming to, and from, the gateway. It uses a similarly spoofed ARP reply to poison the gateway. The attacker sends a continuous stream of spoofed ARP replies to the gateway, telling it that all other internal hosts are at C3-C3-C3-C3-C3-C3 (Step 3).

Do switches record IP addresses? Why not?

Answer: No. Switches forward frames by MAC address only; they do not look at the IP addresses inside the packets, so they cannot notice the incorrect IP-to-MAC resolutions being pushed out to the other hosts. They merely deliver each frame to the port that owns its destination MAC address.

Explain ARP poisoning.

Answer: ARP poisoning can be used to reroute traffic for a MITM attack by sending unsolicited false ARP replies to all other hosts. An attacker can force hosts to erroneously mismatch MAC addresses and IP addresses. Essentially, the attacker can reroute all internal traffic as desired.

How could an attacker use ARP spoofing to manipulate host ARP tables?

Answer: ARP requests and replies carry no authentication, and hosts accept a reply whether or not they asked for it. Because spoofed ARP replies can be sent to every host on the LAN, an attacker can rewrite the ARP tables on all of them.

What is ARP spoofing?

Answer: ARP spoofing uses false ARP replies to map any IP address to any MAC address. Spoofed ARP replies can be broadcast to other hosts on the LAN.

Why do hosts send ARP requests?

Answer: If a host (such as the gateway) receives a packet addressed to an internal host (10.0.0.1), it sends an ARP request to every host on the LAN, asking which of them has that IP address (Step 1). Only the host that has the requested IP address responds; all other hosts ignore the request (Step 2). Thus, hosts use ARP requests to resolve IP addresses into MAC addresses.

Can ARP poisoning be used outside the LAN? Why not?

Answer: Typically not. ARP requests and replies are link-layer frames that switches keep within the LAN; routers do not forward them. Packets for IP addresses outside the LAN are handed to the gateway router, so the attacker can only poison the mapping for that gateway, not the hosts beyond it.

Why do hosts use ARP?

Answer: Address Resolution Protocol (ARP) is used to resolve 32-bit IP addresses (e.g., 55.91.56.21) into 48-bit local MAC addresses (e.g., 01-1C-23-0E-1D-41). Hosts on the same network must know each other's MAC addresses before they can deliver IP packets to each other in frames. Hosts build their ARP tables by sending ARP requests and replies to each other.
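The ARP poisoning sequence described in the cards above (gateway 10.0.0.4, spoofed MAC addresses, unsolicited replies), replayed through a small monitor, as an added example that is not part of the study guide. The 28-byte Ethernet/IPv4 ARP packet layout is that of RFC 826; the addresses, the trusted binding table and the frame sequence are constructed here, and the checks are the ones a switch's dynamic ARP inspection automates: compare each reply against a trusted IP-to-MAC binding and against outstanding requests.

```python
"""An ARP-poisoning monitor run over constructed ARP frames.

Added example, not from the study guide. ARP packet layout per RFC 826; the
addresses and the binding table are constructed (they echo the guide's
scenario with gateway 10.0.0.4).
"""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode an Ethernet/IPv4 ARP packet (used to fabricate the sample capture)."""
    mac = lambda m: bytes.fromhex(m.replace("-", "").replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def parse_arp(pkt: bytes) -> dict:
    """Decode the operation and the four address fields of an ARP packet."""
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", pkt, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or len(pkt) < 28:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: "-".join(f"{x:02X}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"oper": oper, "sha": fmt_mac(pkt[8:14]), "spa": fmt_ip(pkt[14:18]),
            "tha": fmt_mac(pkt[18:24]), "tpa": fmt_ip(pkt[24:28])}


class ArpMonitor:
    """Flag replies that contradict the trusted binding table or answer no request."""

    def __init__(self, trusted_bindings: dict):
        self.bindings = dict(trusted_bindings)   # ip -> mac, as DHCP snooping or static config provides
        self.outstanding = set()                 # (requester_ip, target_ip) pairs awaiting a reply

    def observe(self, pkt: bytes):
        """Feed one ARP packet; return a list of alert strings, or None if it looks normal."""
        a = parse_arp(pkt)
        if a["oper"] == ARP_REQUEST:
            self.outstanding.add((a["spa"], a["tpa"]))
            return None
        if a["oper"] != ARP_REPLY:
            return None
        alerts = []
        known = self.bindings.get(a["spa"])
        if known is not None and known != a["sha"]:
            alerts.append(f"binding violation: {a['spa']} is {known}, reply claims {a['sha']}")
        if (a["tpa"], a["spa"]) in self.outstanding:
            self.outstanding.discard((a["tpa"], a["spa"]))   # a reply the target actually asked for
        else:
            alerts.append(f"unsolicited reply for {a['spa']} sent to {a['tpa']}")
        return alerts or None


if __name__ == "__main__":
    GW_MAC, HOST_MAC = "00-1A-2B-3C-4D-5E", "00-AA-BB-CC-DD-01"          # constructed
    mon = ArpMonitor({"10.0.0.4": GW_MAC, "10.0.0.1": HOST_MAC})
    capture = [
        build_arp(ARP_REQUEST, HOST_MAC, "10.0.0.1", "00-00-00-00-00-00", "10.0.0.4"),  # who has 10.0.0.4?
        build_arp(ARP_REPLY, GW_MAC, "10.0.0.4", HOST_MAC, "10.0.0.1"),                  # legitimate answer
        build_arp(ARP_REPLY, "C3-C3-C3-C3-C3-C3", "10.0.0.4", HOST_MAC, "10.0.0.1"),     # MITM poisoning
        build_arp(ARP_REPLY, "E5-E5-E5-E5-E5-E5", "10.0.0.4", HOST_MAC, "10.0.0.1"),     # DoS: bogus MAC
    ]
    for pkt in capture:
        print(mon.observe(pkt))
```

The second check (a reply nobody asked for) is noisy on real LANs because gratuitous ARP is legitimate, so production tools weight the binding-table check far more heavily; the monitor keeps both so the difference is visible.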

Why is DoS protection a community problem, not just a problem for individual victim firms to solve?

Answer: DoS attacks are community problems that can only be stopped with the help of ISPs and of the organizations whose computers are taken over as bots and used to attack other firms. DoS attacks may unintentionally originate from an unsuspecting firm. Working together, firms can stop attacks from leaving their organizations, before they even reach their target.

Why is rate limiting limited in effectiveness?

Answer: Rate limiting throttles both attackers and legitimate users, since it cannot tell them apart. It helps, but it does not solve the problem.

Why is rate limiting a good way to reduce the damage of some DoS attacks?

Answer: Rate limiting can be used to reduce a certain type of traffic to a reasonable amount. This is good if an attack is aimed at a single server because it keeps transmission lines at least partially open for other communication.

What is a false opening?

Answer: A false open occurs when a SYN segment arrives and the firewall itself sends back the SYN/ACK segment without passing the SYN on to the target server. Only if the client completes the handshake with its ACK does the firewall open the connection to the server; SYNs from spoofed addresses never get that far, so the flood never reaches the server.

How can the effects of SYN floods be mitigated?

Answer: The effects of SYN floods can be mitigated by validating the TCP handshake, rate limiting, or even black holing.

What is black holing?

Answer: Black holing is when a firm drops all IP packets from an attacker's source address. It is cheap, but it is of little use against attacks that spoof their source addresses or come from many bots, and it can be turned against legitimate users if their addresses are the ones spoofed.

How could a malformed packet cause a host to crash?

Answer: An attacker could send a malformed packet that will cause the victim to crash. For example, the ping of death is a well-known older attack that uses an illegally large IP packet to crash the victim's operating system.

What type of packet is sent in a Smurf flood? Why?

Answer: ICMP echo requests (pings), sent with the victim's spoofed source address to a network's broadcast address. The attacker benefits from a multiplier effect because a single echo request is answered by every host on that network, and all of the replies go to the victim (Step 4).

What is a Smurf flood?

Answer: A Smurf flood is a variation of a reflected attack that takes advantage of an incorrectly configured network device (router) to flood a victim. The attacker sends an ICMP echo request, with the victim's address as the spoofed source, to a router (Step 1) that has directed broadcasts enabled toward its internal hosts. The router forwards the echo request to all internal hosts (Step 2). All internal hosts reply to the spoofed source (Step 3), and the victim is flooded.

What is a DRDoS attack, and how does it work?

Answer: Using a botnet in a reflected attack on legitimate services is known as a distributed reflected denial-of-service (DRDoS) attack: each bot sends requests carrying the victim's spoofed source address to many legitimate servers, and the servers' replies all converge on the victim.

How does a reflected attack work?

Answer: A reflected attack uses responses from legitimate services to flood a victim. The attacker sends spoofed requests to existing legitimate servers (Step 1). The servers then send all of their responses to the victim (Step 2). There is no redirection of traffic.

How does a P2P attack work?

Answer: A peer-to-peer (P2P) redirect attack uses many hosts to overwhelm a victim using normal P2P traffic (Figure 4-7, Step 1). A P2P redirect attack differs from a traditional DDoS attack in several ways. The attacker does not have to control each of the hosts (i.e., make them bots) used to attack the victim. The attacker just needs to convince the hosts to redirect their legitimate P2P traffic (Step 2) from the P2P server to the victim (Step 3).

What does a handler do?

Answer: Handlers are an additional layer of compromised hosts that are used to manage large groups of bots. Handlers can direct bots to send a variety of different packets depending on the service being targeted.

How does a DDoS attack work?

Answer: DDoS attacks are the most common form of DoS attack that uses intermediaries to attack the victim. First, the attacker's identity can be hidden behind layers of bots that directly attack the victim. Second, the ability to control thousands of bots gives the attacker the resources needed to overwhelm the victim.

Describe a SYN flood.

Answer: A SYN flood, or half-open TCP attack, happens when the attacker sends a large number of TCP SYN segments to the victim server. Each SYN begins a TCP session opening process on the server. The server sets aside RAM and other resources for the connection. The server then sends back a SYN/ACK segment. The attacker never completes the connection opening by sending a final ACK. As the attacker sends more SYN segments, the victim host keeps setting aside resources until it crashes or refuses to provide any more connections, even to legitimate users.
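The SYN flood just described, together with the rate limiting discussed a few cards earlier, as an added simulation that is not part of the study guide. It replays a segment log constructed here (one legitimate client plus an attacker sending SYNs from spoofed sources that never acknowledge) through a model of the server's half-open connection table, then repeats the replay behind a token-bucket SYN limit. The thresholds, addresses and all class and function names are this example's own.

```python
"""Half-open connection tracking and SYN rate limiting over a constructed segment log.

Added example, not from the study guide. Segments are (timestamp, client,
server, flags) tuples constructed in sample_segments(); thresholds are arbitrary.
"""
from collections import defaultdict


class HalfOpenTracker:
    """Models the server's connection table: SYN opens an entry, the client's ACK
    completes it, RST removes it, and entries older than `timeout` seconds are reaped."""

    def __init__(self, timeout=30.0, alert_threshold=100):
        self.timeout, self.alert_threshold = timeout, alert_threshold
        self.half_open = {}        # (client, server) -> time the SYN arrived
        self.established = 0

    def observe(self, ts, client, server, flags) -> bool:
        """Record one segment; return True when the half-open count exceeds the threshold."""
        key = (client, server)
        if flags == "S":
            self.half_open[key] = ts
        elif flags == "A" and key in self.half_open:
            del self.half_open[key]
            self.established += 1
        elif flags == "R":
            self.half_open.pop(key, None)
        self.reap(ts)
        return len(self.half_open) > self.alert_threshold

    def reap(self, now):
        for key, since in list(self.half_open.items()):
            if now - since > self.timeout:
                del self.half_open[key]


class SynRateLimiter:
    """Token bucket: each admitted SYN costs one token; `rate` tokens/second refill up to `burst`.
    Keyed per protected server rather than per source, because spoofed sources defeat
    per-source limits; the price is that legitimate SYNs are throttled too."""

    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def admit(self, ts, key) -> bool:
        elapsed = ts - self.last.get(key, ts)
        self.tokens[key] = min(self.burst, self.tokens[key] + elapsed * self.rate)
        self.last[key] = ts
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return True
        return False


def replay(segments, limiter=None):
    """Run the log through the tracker, optionally behind the limiter.
    Returns (peak half-open count, established connections, first alert timestamp or None)."""
    tracker = HalfOpenTracker()
    peak, first_alert = 0, None
    for ts, client, server, flags in segments:
        if limiter is not None and flags == "S" and not limiter.admit(ts, server):
            continue                      # a dropped SYN never reaches the server's table
        if tracker.observe(ts, client, server, flags) and first_alert is None:
            first_alert = ts
        peak = max(peak, len(tracker.half_open))
    return peak, tracker.established, first_alert


def sample_segments():
    """Constructed capture: one legitimate client completing its handshake, plus 300
    SYNs from spoofed sources over three seconds that are never acknowledged."""
    segs = [(0.0, "10.1.1.5", "203.0.113.10", "S"), (0.1, "10.1.1.5", "203.0.113.10", "A")]
    segs += [(i * 0.01, f"198.51.{i // 256}.{i % 256}", "203.0.113.10", "S") for i in range(300)]
    return sorted(segs, key=lambda s: s[0])    # stable sort keeps the legitimate SYN first


if __name__ == "__main__":
    print("no defence:      ", replay(sample_segments()))
    print("SYN rate limited:", replay(sample_segments(), SynRateLimiter(rate=5.0, burst=10)))
```

Without a defence the table fills to 300 entries and the alert fires after the 101st unanswered SYN; with a limit of 10 burst plus 5 per second the table never gets past a couple of dozen entries, but that same limit would have refused a burst of genuine clients, which is the trade-off the "limited in effectiveness" card describes.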

What is backscatter?

Answer: Backscatter occurs when a victim sends responses to the spoofed IP address used by the attacker, and inadvertently floods an unintended victim.

What is the difference between a direct and indirect DoS attack?

Answer: A direct attack occurs when an attacker tries to flood a victim with a stream of packets sent directly from the attacker's computer. An indirect attack tries to flood the victim computer in the same way, but the attacker's IP address is spoofed (i.e., faked) and the attack appears to come from another computer.

Is a slow degradation of service worse than a total stoppage? Why?

Answer: An attack that slowly degrades services is more difficult to detect because there isn't an abrupt change in service quality. Network administrators cannot see a clear distinction between genuine growth in network traffic and a progressive DoS attack. They may be forced into unnecessary capital expenditures for additional bandwidth, hardware, and software.

What are the main goals of DoS attacks?

Answer: The ultimate goal of a DoS attack is to cause harm. For corporations, this can come in the form of losses related to online sales, industry reputation, employee productivity, or customer loyalty. DoS attacks can cause harm by (1) stopping a critical service or (2) slowly degrading services over time.

What is a denial-of-service attack?

Answer: A DoS attack attempts to make a server or network unavailable to legitimate users. In terms of the general goals discussed earlier, DoS attacks are ways of reducing availability.

How does the city model relate to secure networking?

Answer: The city model has no distinct perimeter, and there are multiple ways of entering the network. Like a real city, who you are will determine which buildings you will be able to access. In technical terms, this means more internal intrusion detection systems, virtual LANs, central authentication servers, and encrypted internal traffic.

What is meant by "death of the perimeter?"

Answer: The "death of the perimeter" is a phrase used by network administrators to convey the idea that creating a 100-percent secure network is impossible. They argue that it is impractical, if not impossible, to force all information in an organization through a single point in the network.

How does the castle model relate to secure networking?

Answer: The traditional castle model of network defense had the good guys on the inside, and the attackers on the outside. There was a well-guarded single point of entry. All network administrators had to do was secure this point of entry and attackers

Give an example of how new technology has made networks less secure.

Answer: For example, newer cell phones allow wireless laptops to tether themselves to the cell phone and share its Internet connectivity. Allowing such cell phones into the corporate network completely circumvents access control procedures, firewalls, antivirus protection, data loss prevention systems, and so on.

How can information be gathered from encrypted network traffic?

Answer: The contents of an SSL/TLS session cannot be read. However, the sender's IP address, the receiver's IP address, the DNS request that resolved the hostname (and the hostname itself in the TLS handshake's server name field), the port numbers used, and the quantity and timing of data sent are all visible. So even when the traffic is encrypted, an observer can still see which websites are visited, how much data is sent or received, and which port numbers are used.

Explain the four general goals for secure networking.

Answer: The four goals are availability, confidentiality, functionality, and access control.
Availability means that authorized users have access to information, services, and network resources.
Confidentiality means preventing unauthorized users from gaining information about the network's structure, data flowing across the network, network protocols used, or packet header values.
Functionality means preventing attackers from altering the capabilities or operation of the network.
Access control is the policy-driven control of access to systems, data, and dialogues.

Which of the following is not true about one-time passwords?

a. Users' pagers can receive them.
b. They can be used in conjunction with a token system.
c. The user must enter the one-time password to gain access or the connection is terminated.
d. This is a good security solution for users who travel frequently and who must have secure dial-in access.
e. They create a packet level firewall on the system.

Answer: e. They create a packet level firewall on the system.

IP Security Protocol:

a. is focused on Web applications
b. is primarily used to encrypt e-mail
c. is a policy which makes public key encryption work on the Internet
d. sits between IP at the network layer and TCP/UDP at the transport layer
e. operates in entrapment mode

Answer: d. sits between IP at the network layer and TCP/UDP at the transport layer

DES:

a. is maintained by ISO
b. refers to Date Electronic Security
c. is a commonly used symmetric encryption algorithm that was developed in the mid-1970s
d. was developed by a joint effort that included Microsoft
e. is an asymmetric algorithm

Answer: c. is a commonly used symmetric encryption algorithm that was developed in the mid-1970s

A brute force attack against an encryption system:

a. tries to gain access by trying every possible key
b. is called RC4
c. is also known as 3DES
d. always uses the Rijndael algorithm
e. is part of the Advanced Encryption Standard

Answer: a. tries to gain access by trying every possible key

Encryption is the process of:

a. transmission of information over secure lines in analog form to prevent illegal access
b. detecting errors in messages by means of mathematical rules
c. correcting errors in messages by means of mathematical rules
d. disguising information by the use of mathematical rules, known as algorithms
e. preventing errors in messages by means of logical rules

Answer: d. disguising information by the use of mathematical rules, known as algorithms

Spyware, adware and DDOS agents are three types of:

Spyware, adware and DDOS agents are three types of:



a. IP spoofing attacks
b. Denial-of-service attacks
c. Trojans
d. Physical security threats
e. Intrusion prevention detection approaches


Answer: c. Trojans

A security hole is a(n):

A security hole is a(n): 



a. malfunction or bug in an application program that allows data to be seen or accessed by unauthorized users
b. small peep-hole in a door or wall to allow a security guard to examine an individual before allowing that individual access to a secure area or location
c. packet-level firewall
d. missing or absent protected mode addressing restrictions on user programs during multitasking or multithreaded program execution
e. ANI system


Answer: a. malfunction or bug in an application program that allows data to be seen or accessed by unauthorized users

IP spoofing means to:

IP spoofing means to: 



a. fool the target computer and any intervening firewall into believing that messages from the intruder's computer are actually coming from an authorized user inside the organization's network
b. clad or cover the internal processing (IP) lines with insulating material to shield the IP lines from excess heat or radiation
c. illegally tape or listen in on telephone conversations
d. detect and prevent denial-of-service attacks
e. act as an intermediate host computer between the Internet and the rest of the organization's networks



Answer: a. fool the target computer and any intervening firewall into believing that messages from the intruder's computer are actually coming from an authorized user inside the organization's network

With ANI security control, the network manager:

With ANI security control, the network manager: 



a. uses the Authorization Notation Investigation protocol to trace only authorized user passwords
b. allows the Asynchronous NetWare Interface to act as a firewall
c. can define several remote telephone numbers authorized to access each account
d. assigns selected Access Network Invitations to users cleared for various levels of network access
e. can only define one remote telephone number authorized to access each account


Answer: c. can define several remote telephone numbers authorized to access each account

The use of a(n) _________ prevents unauthorized intruders from accessing a computer network because the host or server will only permit access via inbound calling from prespecified phone numbers.

The use of a(n) _________ prevents unauthorized intruders from accessing a computer network because the host or server will only permit access via inbound calling from prespecified phone numbers.



a. Automatic number identification
b. network cloaking device
c. call-back codec
d. Trojan horse
e. call-forward modem



Answer: a. Automatic number identification

A sniffer program is a:

A sniffer program is a: 



a. type of macro-virus
b. small peep-hole in a door or wall to allow a security guard to sniff the area with his or her nose before entering a secure area or location
c. used in a call-back modem
d. program that records all LAN messages received for later (unauthorized) analysis
e. secure hub program


Answer: d. program that records all LAN messages received for later (unauthorized) analysis

Which of the following is not a method for deterring outside intruders from gaining access to the organization's office or network equipment facilities?

Which of the following is not a method for deterring outside intruders from gaining access to the organization's office or network equipment facilities? 



a. locks on network circuits after working hours
b. passwords that disable the screen and keyboard of a computer
c. secured network cabling behind walls and above ceilings
d. use of armored cable
e. unlocked wiring closet for network devices


Answer: e. unlocked wiring closet for network devices

Which of the following is not a method for deterring intrusion?

Which of the following is not a method for deterring intrusion? 



a. training end users not to divulge passwords
b. using a smart card in conjunction with a password to gain access to a computer system
c. using biometric devices to gain access to a computer system
d. using a security software package that logs out users if that user is 'idle' for a certain amount of time
e. performing social engineering



Answer: e. performing social engineering

A ____________ is a situation in which a hacker attempts to disrupt the network by sending messages to the network that prevent normal users' messages from being processed.

A ____________ is a situation in which a hacker attempts to disrupt the network by sending messages to the network that prevent normal users' messages from being processed.



a. denial-of-service attack
b. service level agreement
c. virus
d. spamming
e. scamming



Answer: a. denial-of-service attack

Threat of intrusion comes from ____________.

Threat of intrusion comes from ____________.



a. the government
b. crackers
c. outside of the organization
d. both inside and outside of the organization
e. inside of the organization


Answer: d. both inside and outside of the organization

A ___________ assigns levels of risk to various threats to network security by comparing the nature of the threats to the controls designed to reduce them.

A ___________ assigns levels of risk to various threats to network security by comparing the nature of the threats to the controls designed to reduce them.



a. risk assessment
b. backplane
c. mitigating control factor analysis
d. control verification worksheet
e. control test plan


Answer: a. risk assessment

________ controls discover unwanted events.

________ controls discover unwanted events.



a. preventive
b. corrective
c. detective
d. mitigating
e. backup


Answer: a. preventive

Developing _______ helps develop a secure network.

Developing _______ helps develop a secure network.



a. rules
b. controls
c. network maps
d. vendor documentation
e. service level agreements



Answer: b. controls

In recent years, management's concern about the adequacy of current control and security mechanisms used in a data communications environment has:

In recent years, management's concern about the adequacy of current control and security mechanisms used in a data communications environment has: 



a. decreased because the new sophisticated technology is far more secure than the old manual methods
b. remained the same because management was always deeply interested in control and security
c. decreased because of the change in moral and ethical codes in the U.S. to a kinder and gentler society
d. increased because this commitment to data communications has changed the potential vulnerability of the organization's assets
e. remained the same because there are very few threats to data communications


Answer: d. increased because this commitment to data communications has changed the potential vulnerability of the organization's assets

The best solution for planning for disaster recovery is to have a fully redundant backup network placed in a different location that would not be threatened by the same natural or man-made disaster that would destroy the original network.

The best solution for planning for disaster recovery is to have a fully redundant backup network placed in a different location that would not be threatened by the same natural or man-made disaster that would destroy the original network.



Answer: True