Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. 

Systems are having problems where unexplainable events are happening. A system has been reported to have mysterious problems, and worse yet, there are more instances of this throughout the organization. You are concerned because you sense that these are symptoms of an infected system. From the answers below, which three are symptoms of an infected system?

  A. System will not boot any longer to a prompt

  B. There is an entry in the audit log of the system about a driver problem

  C. System boots up, but is non-responsive and/or will not load any applications

  D. Windows icons change color and position after you open an e-mail

2. 

What kind of program is usually installed without the user's awareness and performs undesired actions that are often harmful, although sometimes merely annoying?

  A. Viruses

  B. Firmware

  C. Software

  D. Drivers

3. 

What kind of virus will infect executable files or programs in the computer typically leaving the contents of the host file unchanged but appended to the host in such a way that the virus code is executed first?

  A. Parasitic viruses

  B. Bootstrap sector viruses

  C. Multi-partite viruses

  D. Companion viruses

4. 

When dealing with protocols, you know that many of the protocols in the TCP/IP suite have weaknesses, such as sending credentials in cleartext. From the list below, which protocol is exposed in exactly this way because its community strings are sent in cleartext?

  A. SNMP

  B. RIP

  C. OSPF

  D. ICMP

5. 

If an address cache has been altered in any way so that it reflects the wrong addressing, you have an example of what kind of attack?

  A. ARP spoofing

  B. UDP bomb

  C. Rootkits

  D. Virus

6. 

Wardialing is an attack that will allow you to exploit systems by using the PSTN. Wardialing requires which of the following?

  A. An active TCP connection

  B. A modem and a phone line

  C. A connection to the Internet

  D. Knowledge of UNIX systems

7. 

Man-in-the-Middle (MITM) attacks are commonly performed when an attacker wants to establish a way to eavesdrop on communications. Which of the following is most likely to make systems vulnerable to MITM attacks?

  A. Weak passwords

  B. Weak TCP sequence number generation

  C. Authentication misconfiguration on routers

  D. Use of the wrong OSs

8. 

A SYN flood attack sends TCP connection requests faster than a machine can process them. Which of the following attacks involves a SYN flood?

  A. DoS

  B. TCP hijacking

  C. Replay

  D. MITM

9. 

As a security analyst, you will often find yourself working with programmers as well as with the network. Programmers who lack proper skill, resources, or QA (or who act maliciously) could do what to create an exploitable condition?

  A. Write a driver

  B. Write a virus

  C. Write poor code

  D. Write a worm

10. 

Back doors are commonly found in software packages, applications, and OSs. Which of the following is the most common reason that an attacker would place a back door in a system?

  A. To spread viruses

  B. To provide an interactive login without authentication or logging

  C. To remove critical system files

  D. To run a peer-to-peer file-sharing server

11. 

Buffer overflow attacks are very common and highly malicious. Buffer overflows can allow attackers to do which of the following?

  A. Speak with employees to get sensitive information

  B. Run code on a remote host as a privileged user

  C. Write viruses that cause damage to systems

  D. Crash a hard disk

12. 

Which two protocols use port numbers to provide separate methods to identify what service or application incoming information is destined for, or from which outgoing information it originates?

  A. UDP

  B. IP

  C. ARP

  D. TCP

13. 

While working with a newly implemented router, you are asked by senior management to improve security by disabling the HTTP service on the router and by blocking HTTP through the router with an Access Control List (ACL). From the list below, which port correctly maps to HTTP?

  A. TCP/UDP port 80

  B. TCP/UDP port 88

  C. TCP/UDP port 110

  D. TCP/UDP port 119

14. 

While configuring a new Web server, you are asked to set up a network news feed. You know that you have to open a port on the firewall to allow the NNTP protocol through for the service to work. From the list below, which port will you have to open on the firewall to allow NNTP to work?

  A. TCP/UDP port 119

  B. TCP/UDP port 138

  C. TCP/UDP port 220

  D. TCP/UDP port 389

15. 

Sending multiple packets with which of the following TCP flags set can launch a common DoS attack?

  A. ACK

  B. URG

  C. PSH

  D. SYN

Answers

1. 

✓ Answers A, C, and D are correct. Each is a classic symptom of an infected system: failure to boot to a prompt, a system that boots but hangs or cannot load applications, and icons that change color and position after an e-mail is opened. Any one of them can also have a legitimate cause, but seen together across many systems they point to malware.

✗ Answer B is incorrect. A single audit log entry about a driver problem is not, by itself, a symptom of malware.

2. 

✓ Answer A is correct. Viruses are programs that are usually installed without the user's awareness and perform undesired actions that are often harmful and sometimes merely annoying.

✗ Answer B is incorrect. Firmware is software stored in a chip on a device, such as the system BIOS. Answer C is incorrect. A virus is technically software, but "software" is far too broad to match the definition. Answer D is incorrect. A driver is software that lets the operating system control a piece of hardware; it is not a term for malware.

3. 

✓ Answer A is correct. Parasitic (file-infecting) viruses infect executable files or programs on the computer. This type of virus typically leaves the contents of the host file unchanged but attaches itself to the host in such a way that the virus code is executed first.

✗ Answer B is incorrect. Bootstrap sector viruses live in the first portion of a hard disk or floppy disk, known as the boot sector. The virus replaces either the code that stores information about the disk's contents or the code that starts the computer, and it was most commonly spread by the physical exchange of floppy disks. Answer C is incorrect. Multi-partite viruses combine the behavior of parasitic and bootstrap sector viruses and can infect either files or boot sectors. Answer D is incorrect. Companion viruses do not modify an existing program; they create a new program with the same name as a legitimate one and rely on the OS running the companion in its place.

4. 

✓ Answer A is correct. SNMP is used to monitor and manage network devices. It exchanges messages called PDUs with devices running SNMP agent software; each agent maintains a MIB containing information about the device and answers PDUs with data from that MIB. In SNMPv1 and SNMPv2c the only credential is the community string, and it travels over the network in cleartext, so anyone able to sniff the traffic can read it and then query the device (or, with the read-write string, reconfigure it). SNMPv3 adds authentication and encryption; where it cannot be used, change the default community strings and restrict SNMP to management networks.

✗ Answer B is incorrect. RIP is a distance vector routing protocol that routers (and some servers) use to build routing tables dynamically so they know where to forward packets. Answer C is incorrect. OSPF is also a routing protocol, but it is link state based, which lets it make better routing decisions and use far less bandwidth because it does not have to send full table updates as often. Answer D is incorrect. ICMP is an error reporting protocol used to find problems or paths on a network; ping and traceroute both rely on it.

5. 

✓ Answer A is correct. ARP maintains the ARP cache, a table that maps IP addresses to the MAC (physical) addresses of computers on the local network. In ARP spoofing (also called ARP cache poisoning) an attacker sends forged ARP replies so that a victim's cache maps an IP address, typically the default gateway's, to the attacker's MAC address, and traffic for that address is delivered to the attacker instead.

✗ Answer B is incorrect. A UDP bomb is a UDP packet constructed with illegal values in certain fields; sending it can crash a vulnerable system, which makes it a form of DoS. Answer C is incorrect. A rootkit is a collection of malicious utilities that lets an attacker install Trojan horse versions of system programs which hide the attacker's files, processes, and connections from the legitimate user. Answer D is incorrect. A virus is a program that performs malicious actions once executed; it does not specifically alter address caches.
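One way to catch the cache change the question describes is to watch ARP replies on the segment and compare them with what the cache already holds, as tools in the arpwatch family do. The code below is an added example and is not from the study guide; the frames are constructed with `struct` so it runs offline, and the addresses (192.168.1.1 as the gateway with MAC aa:bb:cc:dd:ee:01, 192.168.1.10 as the victim, de:ad:be:ef:00:01 as the attacker) are made up for illustration.

```python
"""Detect ARP cache poisoning from captured ARP replies.

Added example (not from the study guide). Ethernet/ARP frames are built here
so the example runs offline; all addresses are invented for illustration.
"""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying the ARP reply 'sender_ip is-at sender_mac'."""
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip), or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    return oper, sha.hex(":"), ".".join(str(b) for b in spa)


class ArpWatch:
    """Mirror of what a host's ARP cache would learn, with alerts on changes."""

    def __init__(self):
        self.cache: dict[str, str] = {}   # ip -> mac, exactly as a victim would store it

    def observe(self, frame: bytes) -> list[str]:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, sender_mac, sender_ip = parsed
        alerts = []
        known = self.cache.get(sender_ip)
        if known is not None and known != sender_mac:
            # The mapping the cache already held is being overwritten: the
            # "cache changed to reflect the wrong addressing" of the question.
            alerts.append(f"ARP cache change: {sender_ip} moved from {known} to {sender_mac}")
        # One MAC claiming several IPs is the signature of an attacker poisoning
        # both ends (gateway and victim) so that it sits in the middle.
        others = [i for i, m in self.cache.items() if m == sender_mac and i != sender_ip]
        if others:
            alerts.append(f"{sender_mac} now claims {sender_ip} and {', '.join(others)}")
        self.cache[sender_ip] = sender_mac
        return alerts


if __name__ == "__main__":
    watch = ArpWatch()
    frames = [
        build_arp_reply("aa:bb:cc:dd:ee:01", "192.168.1.1", "aa:bb:cc:dd:ee:10", "192.168.1.10"),  # real gateway
        build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:10", "192.168.1.10"),  # attacker as gateway
        build_arp_reply("de:ad:be:ef:00:01", "192.168.1.10", "aa:bb:cc:dd:ee:01", "192.168.1.1"),  # attacker as victim
    ]
    for frame in frames:
        for alert in watch.observe(frame):
            print("ALERT:", alert)
```

A real deployment would feed `observe` from a promiscuous capture and seed the cache from a known-good inventory (or static ARP entries for the gateway) so that the first forged reply, not only the second, can be recognized.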

6. 

✓ Answer B is correct. Wardialing uses a modem and a phone line to dial banks of phone numbers looking for modems that answer and accept connections.

✗ Answers A and C are incorrect. Wardialing is simply the act of dialing thousands of phone numbers, so neither a TCP connection nor an Internet connection is required. Answer D is also incorrect. Wardialing programs exist for almost every platform, so specific knowledge of UNIX is not necessary.

7. 

✓ Answer B is correct. TCP sequence number prediction is the basis for many TCP/IP-based attacks, including MITM attacks: if an attacker can guess the initial sequence number a host will use, the attacker can spoof or inject segments that the host accepts as part of a legitimate session.

✗ Answer A is incorrect. Weak passwords increase exposure to many kinds of attack, but the MITM attack described here exploits TCP sequence numbers, not credentials. Answer C is incorrect. Misconfigured authentication on routers opens the network to a variety of attacks but is not directly connected to MITM attacks. Answer D is incorrect. MITM attacks can be launched against any OS that uses the TCP/IP protocol stack; it is a protocol vulnerability rather than an OS vulnerability.

8. 

✓ Answer A is correct. A SYN flood is a DoS attack. The attacker sends thousands of SYN packets to a victim, which replies to each with a SYN/ACK and then waits for the final ACK that never comes. Every half-open connection holds an entry in the victim's connection table, and while the server waits on thousands of them its resources are consumed to the point that legitimate clients cannot connect.

✗ Answer B is incorrect. TCP hijacking takes over an existing user's session rather than flooding the target. Answer C is incorrect. Replay attacks do just what the name implies: they replay previously captured data in an attempt to trick the victim into accepting it. Answer D is incorrect. MITM attacks are based on interposing and eavesdropping and do not involve flooding a machine with packets.

9. 

✓ Answer C is correct. Poor code is production code that does not work as advertised or, worse, opens a hole in your systems that can be exploited. Writing poor or unchecked code (code that skipped or failed the QA process) is a leading reason so many bugs exist in software, whether the cause is lack of skill, lack of resources, lack of a QA process, or malice.

✗ Answers A, B, and D are incorrect. Writing a driver is a normal development task and is not a problem in itself, and writing a virus or a worm is deliberate malware authoring rather than an exploitable mistake. In every case it is the poorly written code, not the kind of program being written, that creates the possibility of an exploit.

10. 

✓ Answer B is correct. Although a back door may serve many purposes, providing an interactive login to the system without authentication or logging is one of the most common, because it gives the attacker a way back in that no longer depends on the original vulnerability and leaves no trace in the normal logs.

✗ Answer A is incorrect. Viruses are not spread through back doors directly, although an attacker could use a back door to gain access and then upload them. Answer C is incorrect. Back doors do not remove files by themselves, although an attacker could remove files after gaining access. Answer D is incorrect. A back door is not a file-sharing mechanism, and running a peer-to-peer file-sharing server is not what an attacker installs one for.

11. 

✓ Answer B is correct. A buffer overflow is a software flaw that attackers exploit to run code of their choosing on the victim machine, usually with the privileges of the vulnerable program; typical payloads spawn an xterm or a root shell.

✗ Answer A is incorrect. That describes social engineering. Answer C is incorrect. A buffer overflow is a conduit for delivering an attacker's code; it has nothing to do with writing a virus. Answer D is incorrect. Disk damage could be a consequence of what an attacker does after exploiting an overflow, but it is not a direct result of the overflow itself.

12. 

✓ Answers A and D are correct. A port is, in its simplest meaning, a point where information enters or leaves a computer. TCP and UDP use port numbers to identify which service or application incoming information is destined for, or from which outgoing information originates. In network security, a port scanner is a program that remotely determines which TCP/UDP ports are open on a system and therefore which services are exposed to attack. Administrators use the same scanners to find exposures in their own systems and correct them before an intruder does. Network diagnostic tools such as the Security Administrator Tool for Analyzing Networks (SATAN), a UNIX utility, include sophisticated port-scanning capabilities.

✗ Answer B is incorrect. IP is a connectionless protocol that functions at Layer 3 (the Network layer) of the OSI model and is responsible for logical addressing and fragmentation; it has no concept of ports. Answer C is incorrect. ARP functions at Layer 2 (the Data Link layer) of the OSI model and resolves IP addresses into MAC addresses (the reverse mapping, MAC to IP, is RARP).

13. 

✓ Answer A is correct. HTTP is a very common protocol and uses TCP port 80.

✗ Answer B is incorrect. Port 88 is used by Kerberos. Answer C is incorrect. Port 110 is used by the Post Office Protocol version 3 (POP3). Answer D is incorrect. Port 119 is used by the Network News Transfer Protocol (NNTP).

14. 

✓ Answer A is correct. NNTP is a very common protocol and uses port 119.

✗ Answer B is incorrect. Port 138 is used by the NetBIOS datagram service. Answer C is incorrect. Port 220 is used by the Internet Message Access Protocol version 3 (IMAPv3). Answer D is incorrect. Port 389 is used by the Lightweight Directory Access Protocol (LDAP).

15. 

✓ Answer D is correct. The SYN flag marks a synchronization (connection request) segment. Sending these in overwhelming numbers consumes the server's connection resources, because it must hold state for every half-open connection while it waits for an ACK, and renders it useless to legitimate clients. This attack is known as a SYN flood.

✗ Answers A, B, and C are incorrect because segments carrying only these flags do not cause the victim to allocate a connection and wait for a reply. For reference, the control bits in the TCP header and their meanings are: U (URG) urgent pointer field significant, A (ACK) acknowledgment field significant, P (PSH) push function, R (RST) reset the connection, S (SYN) synchronize sequence numbers, and F (FIN) no more data from sender.
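Questions 8 and 15 both turn on the same mechanism: a SYN that is never followed by the handshake-completing ACK leaves a half-open connection behind, and a flood of them exhausts the connection table. The following is an added example, not code from the study guide, showing how a monitor would decode the TCP flags byte and count half-open connections per service. The TCP headers and the traffic (200 SYNs from spoofed 203.0.113.x sources plus one legitimate handshake from 192.0.2.9, all aimed at port 80 of 10.0.0.5) are constructed here so it runs offline; the threshold of 100 is an arbitrary illustration value.

```python
"""Count half-open TCP connections to spot a SYN flood.

Added example (not from the study guide). Headers are built with struct and
the traffic is constructed here, so the example runs offline.
"""
import random
import struct

# TCP control bits as laid out in byte 13 of the header (low bit first).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, offset, flags, window, checksum, urgent


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (checksum left zero; only the flags matter here)."""
    data_offset = 5 << 4   # five 32-bit words, no options
    return struct.pack(TCP_FMT, sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> set[str]:
    """Decode the names of the flags set in a TCP header."""
    bits = header[13]
    return {name for name, bit in FLAGS.items() if bits & bit}


class HalfOpenTracker:
    """Track connections that received a SYN but never the completing ACK."""

    def __init__(self, threshold: int = 100):
        self.threshold = threshold
        self.pending: set[tuple] = set()   # (src_ip, sport, dst_ip, dport)

    def feed(self, src_ip: str, dst_ip: str, header: bytes) -> None:
        sport, dport = struct.unpack("!HH", header[:4])
        flags = tcp_flags(header)
        key = (src_ip, sport, dst_ip, dport)
        if flags == {"SYN"}:
            self.pending.add(key)                      # client's connection request
        elif "RST" in flags or ("ACK" in flags and "SYN" not in flags):
            self.pending.discard(key)                  # handshake completed or aborted

    def half_open_by_service(self) -> dict[tuple, int]:
        counts: dict[tuple, int] = {}
        for _, _, dst_ip, dport in self.pending:
            counts[(dst_ip, dport)] = counts.get((dst_ip, dport), 0) + 1
        return counts

    def flooded_services(self) -> list[tuple]:
        """(dst_ip, dport) pairs whose half-open count reached the threshold."""
        return sorted(svc for svc, n in self.half_open_by_service().items() if n >= self.threshold)


def simulate(seed: int = 1) -> HalfOpenTracker:
    """Constructed traffic: 200 spoofed SYNs plus one real client on 10.0.0.5:80."""
    rng = random.Random(seed)
    tracker = HalfOpenTracker(threshold=100)
    victim = "10.0.0.5"
    for i in range(200):
        # Spoofed sources never see the SYN/ACK, so they never send the ACK.
        src = f"203.0.113.{i % 254 + 1}"
        tracker.feed(src, victim, build_tcp(1024 + i, 80, rng.getrandbits(32), 0, FLAGS["SYN"]))
    # A legitimate client completes the handshake: SYN, then ACK of the SYN/ACK.
    tracker.feed("192.0.2.9", victim, build_tcp(40000, 80, 1000, 0, FLAGS["SYN"]))
    tracker.feed("192.0.2.9", victim, build_tcp(40000, 80, 1001, 5001, FLAGS["ACK"]))
    return tracker


if __name__ == "__main__":
    t = simulate()
    print("half-open per service:", t.half_open_by_service())
    print("flooded:", t.flooded_services())
```

Segments with ACK, URG or PSH alone never enter `pending`, which is the point of question 15: they create no state the server has to wait on. In production the tracker would also expire entries after the server's SYN timeout, so a legitimate burst of slow clients does not accumulate forever.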



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
