Review Questions




1.

Matrix Systems wants to open a new office in St. Paul, Minnesota, to serve as the service center for all offices and resellers. There are two other sites, one in Los Angeles and another in Boston. The St. Paul site will be accessible to the other sites using a direct link; in addition, the resellers must be able to access the partner extranet to retrieve inventory data. What type of perimeter security configuration should you use to design the new site?

  1. Back-to-back configuration

  2. Three-pronged configuration

  3. Proxy server configuration

  4. Bastion host

2.

When an incident occurs, you must initiate a response procedure. The incident response procedure should include the following steps. Place the steps in the order that they will be carried out by the incident response team.

Resolve the problem

Preserve the evidence

Evaluate the incident response

Contain the incident

Analyze the incident

Document events

Declare the incident

Prevent reoccurrence

3.

In order to better prepare for a security incident, what actions should you take to predict the threats that your organization could face?

  1. Use a threat model to gauge the type of threats and their impact on your organization.

  2. Create a security response team.

  3. Create a risk and response diagram.

  4. Create a threat diagram.

4.

A web server has not properly been patched with a hotfix that alleviates a buffer overrun. In addition, when the server is unable to connect to its database, it displays an error message with the connection information (username and password) that it was using to connect to the database. What parts of the STRIDE threat model describe the threats a situation such as this presents? (Choose all that apply.)

  1. Spoofing identity

  2. Tampering of data

  3. Repudiation

  4. Information disclosure

  5. Denial of service

  6. Elevation of privilege

5.

Sojourn Incorporated has several traveling employees who use laptop computers to access the network. In the past, laptops have been infected with a virus while outside of the LAN and later infected the Sojourn corporate environment. What recommendations would you make to prevent this from occurring in the future? (Choose the best answer.)

  1. Require laptop computers to be scanned for viruses by the IT staff prior to accessing the LAN.

  2. Install antivirus software with Live Update enabled on all laptops before they are allowed to leave the premises.

  3. Don’t allow laptop computers to access the LAN.

  4. Install Internet Connection Firewall on all Windows XP laptops.

6.

Your company has workstations in the lobby that allow guests to access the Internet while awaiting meetings and other appointments. You are worried that someone may be able to access sensitive corporate information by installing a program to record the network packets traveling on the network. What can you do to alleviate this potential threat?

  1. Remove the computer from the lobby and place it in the conference room.

  2. Require users to log in on the workstation.

  3. Remove the floppy and CD/DVD drive from the workstations.

  4. Place this computer outside the corporate firewall so that it is on a different segment than that of the corporate workstations and servers.

7.

You are the administrator of a large retail chain with offices in more than 40 states. You need to make sure that all computers are kept up-to-date. Which of the following should you do to eliminate network vulnerabilities? (Choose all that apply.)

  1. Apply service packs.

  2. Apply feature packs.

  3. Apply hotfixes.

  4. Uninstall services that are not being used.

  5. All of the above.

8.

Your organization is concerned that users may be running Trojan horse applications that may be exposing your infrastructure to security exploits. You must develop a procedure that will be used to determine what services should be running on a computer. Which of the following steps should you complete? (Choose all that apply.)

  1. Create a list of the services that should be running on workstations.

  2. Use the Windows Service Challenge and Response (WSCR) utility to design a security authentication scheme that will validate services prior to accessing resources.

  3. Compare the services running on the machine with those on the list and remove the services that are not on the accepted list.

  4. Remove the user’s permissions to run services on the workstations.

9.

You are designing a new segment to your network that will include an extranet. The extranet will be accessible to partners and must be secured so that its resources cannot be consumed from the Internet. The corporate LAN’s resources should also be inaccessible from both the Internet and the extranet. You want to make sure that all precautions are taken to prevent a breach into your LAN, even if the extranet is breached. Which network segmentation technique should you use?

  1. Bastion host

  2. Three-pronged configuration

  3. Back-to-back configuration

  4. DMZ-Aware Tunnel

10.

After an incident occurs and is resolved, which of the following steps should your security response team complete?

  1. Evidence preservation

  2. Incident declaration

  3. Communication channel exploration

  4. Evaluation

Answers

1.

B. As a result of having three separate segments that need to be accessed by a variety of different parties, you should use the three-pronged configuration model because it will allow for each network to be protected centrally while still allowing the appropriate level of access to each of the networks.

2.

  1. Declare the incident

  2. Analyze the incident

  3. Contain the incident

  4. Resolve the problem

  5. Prevent reoccurrence

  6. Document events

  7. Preserve the evidence

  8. Evaluate the incident response

The first step is to declare the incident. Next, analyze the incident so that you can make well-thought-out decisions before moving to the next step. Once it has been analyzed, contain the incident to prevent other computers from being compromised, and then resolve the problem. Once the problem has been resolved, take the appropriate steps to prevent it from recurring. Finally, document the events that took place, make the necessary arrangements to preserve any evidence that was collected, and, lastly, review the overall incident response so that any problems detected can be avoided in the future.

3.

A. A threat model, such as the STRIDE model, can be used to gain insight into the types of attacks that you are susceptible to and what their impact on your organization would be. A security response team is useful when responding to an attack but is not necessary when predicting the threats that could be carried out against your organization. Risk and response diagrams and threat diagrams don’t exist in this context.

4.

A, B, D, F. In a system such as the one described in the question, an attacker would be able to tamper with the data on the web server and, potentially, the database as well. When errors occur on the server, too much information is displayed, including the username and password used to connect to the database; this constitutes information disclosure. The user may be able to gain access to the account used by the web application to access the database, which constitutes an elevation of privilege. Finally, an attacker who accessed the account the web application uses to access the database can authenticate with those credentials, which constitutes spoofing the identity of the service account.

5.

B. You should install antivirus software on the laptop computers and train the users on how to keep the virus software updated. If you were to require laptops to be scanned by the IT staff, it could interfere with the IT department’s efficiency as well as the efficiency of the user who cannot use their computer while it is being scanned. It is simply unrealistic to forbid the corporate laptops from accessing the network. ICF, or Internet Connection Firewall, doesn’t prevent viruses from infecting a computer.

6.

D. Physically relocating the computer from the lobby would not alleviate the threat unless it is moved to a separate network segment, and this is not specified in answer A, so it is therefore incorrect. Requiring users to log in to the workstation doesn’t prevent them from installing software, nor does it provide guests with the ability to access the Internet while waiting for an appointment. Removing the floppy or CD drive will not prevent a user from installing software, which can be downloaded from the Internet and installed. The computer must be moved to a segment other than the one that corporate workstations are on. Putting it on the opposite side of a firewall further protects your network from attacks originating from this workstation, and therefore answer D is correct.

7.

A, C, D. Feature packs introduce new functionality, which could also introduce new bugs; feature packs should be properly tested and installed only if the feature is a service that is required by the server. Applying service packs and hotfixes will patch or fix a bug in an application or service that would otherwise be exploitable. Uninstalling services that aren’t necessary makes the attack surface of the network much smaller by only needing to track and protect a smaller number of services.

8.

A, C. Creating a list of the services that should be running on workstations, and then comparing the services running on each machine against that list, lets you identify and remove the services that are not on the accepted list.

9.

C. Both a bastion host and a three-pronged configuration would permit a breach of the corporate LAN if the firewall is compromised. The back-to-back configuration adds another firewall between the extranet and the LAN and is therefore the best choice. There is no such product or configuration as a DMZ-Aware Tunnel.

10.

D. Once the incident has been resolved, a meeting should take place so the security response team can review and evaluate the steps and methods that were used to resolve the problem. It is this stage of incident response that provides the highest degree of learning. There is no step for the security response team that explores the communication channels.






MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168