A typical operating system configuration baseline would include each of the following except _______.
A. changing any default settings that are insecure
B. eliminating any unnecessary software
C. enabling operating system security features
D. performing a security risk assessment
D. performing a security risk assessment
True or False- In the virus dictionary approach, the anti-virus monitors the behavior of all programs and flags suspicious behavior.
False
Which of the following is a list of approved e-mail senders?
A. Whitelist
All of the following are techniques and approaches used by anti-virus software, except:
C. code filtering
Which is the preferred means of trapping user input for errors?
C. Escaping
Which of the following is NOT an advantage to an automated patch update service?
A. Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs.
B. Downloading patches from a local server instead of using the vendor’s online update service can save bandwidth and time because each computer does not have to connect to an external server.
C. Users can disable or circumvent updates just as they can if their computer is configured to use the vendor’s online update service.
D. Specific types of updates that the organization does not test, such as hotfixes, can be automatically installed whenever they become available.
C. Users can disable or circumvent updates just as they can if their computer is configured to use the vendor’s online update service.
True or False- One of the problems with code emulation approach to anti-virus is that it requires periodic online downloads of updated virus signatures.
False
True or False- Training a Bayesian filter using spam and non-spam messages from your site can reduce the number of false positives.
True
True or False- A spamicity value less than 0.5 means that a message containing the word is likely to be spam.
False
A stateful firewall can use all of the following to monitor the state of communication session, except:
A. Port Pairing
True or False- Securing the host involves protecting the physical device itself, securing the operating system software on the system, using security-based software applications, and monitoring logs.
True
____ use multiple infrared beams that are aimed across a doorway and positioned so that as a person walks through the doorway some beams are activated.
B. Tailgate sensors
The signal from an ID badge is detected as the owner moves near a ____, which receives the signal.
A. proximity reader
In ____, a virtualized environment is created that simulates the central processing unit (CPU) and memory of the computer.
C. heuristic detection
A ____ is designed to separate a nonsecured area from a secured area.
C. mantrap
A ____ is software that is a cumulative package of all security updates plus additional features.
B. service pack
A(n) _____ can provide details regarding requests for specific files on a system.
D. access log
A(n) ____ is hardware or software that is designed to prevent malicious packets from entering or leaving computers.
D. firewall
________ allows for a single configuration to be set and then deployed to many or all users.
D. Group Policy
Which is the first step in securing an operating system?
B. Develop the security policy
What are the 3 important elements to secure?
-Host (network server or client)
-Applications
-Data
What does securing the host involve?
-Protecting the physical device
-Securing the OS software
-Using security-based software applications
-Monitoring logs
What are the recommended key management procedures?
-Change locks after key loss or theft
-Inspect locks regularly
-Issue keys only to authorized users
-Keep records of who uses and turns in keys
-Keep track of issued keys
-Master keys should not have identifying marks
-Secure unused keys in locked safe
-Setup key monitoring procedure
-Mark duplicate master keys with "Do not duplicate"
What is a Cipher Lock?
-More sophisticated alternative to key lock
-Combination sequence necessary to open door
-Can be programmed to allow individual's code to give access at only certain days or times
-Records when door is opened and by which code
-Can be vulnerable to shoulder surfing
-Often used in conjunction with tailgate sensor
What is a Hardware Lock?
Standard keyed entry lock, provides minimal security.
What is a Physical Token in terms of securing devices?
ID badge with bearer's photo.
ID badge emits a signal identifying the owner.
Proximity reader receives signal.
What is an Access List in terms of securing devices?
Record of individuals who have permission to enter secure area.
Records time they entered and left.
What is a Mantrap in terms of securing devices?
Separates a secured from an unsecured area.
Device monitors and controls two interlocking doors. (only one door may open at any time)
What is Video Surveillance in terms of securing devices?
Closed circuit television (CCTV).
Video cameras transmit signal to limited set of receivers.
Cameras may be fixed or able to move.
What is Fencing in terms of securing devices?
Barrier around secured area.
Modern perimeter fences are equipped with other deterrents.
What are some Mobile Device unique security features?
-Remote Wipe, Sanitation
-GPS tracking
-Voice encryption
What is the 5 step process for protecting the OS?
-Develop the security policy
-Perform host software baselining
-Configure OS security and settings
-Deploy the settings
-Implement patch management
What is baselining? (#2 in 5 step secure OS)
Perform host software baselining.
Baseline: standard or checklist against which systems can be evaluated.
Describe a typical configuration baseline. (step 3 in 5 steps secure OS)
-Help identify operational trends and long-term problems
-Provide documentation of regulatory compliance
What are Errors (exceptions) in terms of application development security?
Faults that occur while application is running.
Response should be based on the error.
Improper handling can lead to application failure or insecurity.
What are some Error handling practices to avoid?
Failing to check return codes or handle exceptions, or checking them improperly.
Handling all return codes or exceptions in the same manner.
Divulging potentially sensitive data in error information.
What is Input Validation?
Performed after data is entered but before the destination is known, so it is not possible to know which characters are potentially harmful.
What is Escaping (output encoding)?
Preferred method for trapping user responses. Ensures characters are treated as data, not relevant to the application.
What is Fuzz testing (fuzzing)?
Software technique that deliberately provides invalid, unexpected, or random data inputs. Monitor to ensure all errors are trapped.
What is Application Hardening?
It intends to prevent exploiting vulnerabilities
Data loss prevention typically examines what?
Data in use (ex: being printed)
Data in motion (being transmitted)
Data at rest (stored)
What is a Firewall?
An integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
Packets flowing through a firewall can have one of three outcomes. Name them.
Accepted: permitted through the firewall
Dropped: not allowed through with no indication of failure
Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected
Policies used by the firewall to handle packets are based on several properties of the packets, such as:
TCP or UDP
the source and destination IP addresses
the source and destination ports
the application-level payload of the packet
Name and describe the 2 fundamental approaches to creating firewall policies (or rulesets).
Blacklist Approach: all packets are allowed through except those that fit the rules defined specifically in a blacklist. This configuration is more flexible in ensuring that service to internal network is not disrupted.
Whitelist Approach: a safer approach to defining a firewall ruleset is the default-deny policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall.
Name the 3 types of firewalls.
Packet filters; stateless
Stateful filters
Application layer
Describe Stateless firewalls.
A Stateless firewall doesn't maintain any remembered context (or "state") with respect to the packets it is processing.
It treats each packet attempting to travel through it in isolation without considering packets that it has processed previously.
Describe Stateful firewalls.
Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network.
They maintain tables containing information on each active connection, including the IP addresses, ports, and sequence number of packets.
Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network.
Describe some components of the Application Layer firewall.
Deep packet inspection.
Looks for telltale signatures inside packets.
Analyzes whether the behavior of the session is typical of appropriate use of the application.
What are the aspects of securing applications?
Application development security
Application hardening
Patch management
Coding standards increase applications' ___, ____, and ____.
Consistency
Reliability
Security
True/False - Not all applications are designed, written with security in mind. Network must provide protection.
True
What are the aspects of building a secure network?
Network devices
Network technologies
Design of the network itself
True/False- Security features found in network hardware provide basic level of security.
True
The Open Systems Interconnection (OSI) model illustrates what?
How network device prepares data for delivery.
How data is handled once received.
What are Hubs and what level do they work at?
Devices used to connect multiple Ethernet devices together so that they function as a single network segment.
Work at Level 1, physical layer.
What are Switches and what level do they work at?
They determine which device is connected to each port; can forward frames sent to that specific device.
Work at Level 2, data link layer.
What are 2 Traffic Monitoring methods?
Port mirroring
Network tap (test access point)
What are Routers and what level do they work at?
Routers forward packets across computer networks; they can be set to filter out specific types of network traffic.
Work at Level 3, network layer.
What are the advantages of load-balancing technology?
Reduces probability of overloading a single server.
Optimizes bandwidth of network computers.
Reduces network downtime.
What do Load Balancers do and how is it achieved?
They evenly distribute work across a network.
Achieved through software or hardware device.
What are the security advantages of Load Balancing?
Can stop attacks directed at a server or application.
Can detect and prevent DoS attacks.
Some can deny attackers information about the network- hide HTTP error pages; remove server ID headers from HTTP responses.
What are Proxies?
Devices that substitute for primary devices.
What is a Proxy Server?
Computer or application that intercepts and processes user requests.
What are some Proxy Server advantages?
Increased speed (requests served from the cache).
Reduced costs (cache reduces bandwidth required).
Improved management (block specific web pages).
Stronger security (hide the client's IP address).
What is a Reverse Proxy?
It does not serve clients.
Routes incoming requests to correct server.
Reverse proxy's IP address is visible to outside users and internal server's IP address is hidden.
What 2 protocols do email systems use and what kind of mail do they handle?
Simple Mail Transfer Protocol (SMTP) handles outgoing mail.
Post Office Protocol (POP) handles incoming mail.
Describe Spam filters installed with the SMTP server.
Filter configured to listen on port 25.
Pass non-spam email to SMTP server listening on another port.
Method prevents SMTP server from notifying spammer of failed message delivery.
Describe Spam filters installed on the POP3 server.
All spam must first pass through SMTP server and be delivered to user's mailbox.
Can result in increased costs (storage, transmission, backup, deletion).
What is a Virtual Private Network (VPN)?
Uses unsecured network as if it were secure.
All data transmitted between remote device and network is encrypted.
What are the types of VPNs?
Remote-Access -user to LAN connection.
Site-to-Site -multiple sites can connect to other sites over the internet.
True/False -VPNs can be software based or hardware based.
True
Hardware based generally have better security.
Software based have more flexibility in managing network traffic.
What do Internet Content filters do?
Monitor Internet traffic.
Block access to preselected Web sites and files.
Unapproved sites identified by URL or matching keywords.
What are examples of blocked Web traffic?
ActiveX objects
Adware, spyware
Peer to peer file sharing
Script exploits
Passive and active security can be used in a network. Which provides higher level of security?
Active measures
What are 2 Passive measures of security?
Firewall
Internet content filter
What is an Intrusion Detection System (IDS)?
Active security measure.
Can detect attack as it occurs.
Describe the 4 Monitoring methodologies.
Anomaly-based monitoring- compares current detected behavior with baseline.
Signature-based monitoring- looks for well known attack signature patterns.
Behavior-based monitoring- detects abnormal actions by processes or programs. Alerts user who decides whether to allow or block activity.
Heuristic monitoring- uses experience based techniques.
Describe a Host Intrusion Detection System (HIDS).
Software based application that can detect attack as it occurs.
Installed on each system needing protection.
Monitors system calls and file system access.
Can recognize unauthorized Registry modification.
Monitors all input and output communications (detects anomalous activity).
What are the disadvantages of HIDS?
Cannot monitor network traffic that does not reach local system.
All log data is stored locally.
Resource-intensive and can slow system.
Describe a Network Intrusion Detection System (NIDS).
Watches for attacks on the network.
NIDS sensors installed on firewalls and routers (gather information and report back to central devices).
Passive NIDS will sound alarm.
Active NIDS will sound alarm and take action (actions may include filtering out intruder's IP address or terminating TCP session).
Describe a Network Intrusion Prevention System (NIPS).
Similar to active NIDS.
Monitors network traffic to immediately block a malicious attack.
NIPS sensors located in line on firewall itself.
What is the recent trend in network security hardware and its advantage?
Combining multipurpose security appliances with traditional devices such as a router.
Advantage:
-network devices already process all packets.
-switch that contains anti-malware software can inspect all packets.
What is a Network Address Translation (NAT)?
Allows private IP addresses to be used on the public internet.
Replaces private IP address with public address.
What is a Port Address Translation (PAT)?
Variation of NAT.
Outgoing packets given same IP address but different TCP port number.
What are the advantages of NAT?
Masks IP addresses of internal devices.
Allows multiple devices to share smaller number of public IP addresses.