Appendix A: Questions and Answers

Chapter 1: General Networking and Security Concepts

Lesson 1: The Big Picture

Lesson Review

  1. Although there is a need for information security, and there is a small chance of getting hacked, there is not normally any damage done and the cost to the company that is hacked is relatively minor. (True or False?)

    False. Most computers that are connected to the Internet have been scanned, and many have been attacked. Recent studies show that computer hackers cost U.S. businesses almost 6 cents of every dollar of revenue.

  2. You work for a company that sells tea and tea supplies. The total annual sales for the company are $5 million. The sales of tea total $2 million and the sales of tea supplies total $3 million. The tea has a very interesting taste that cannot be duplicated. Which of the following should be considered when placing a value on the tea formula, and why?

    a. How the tea is produced

    b. What the total annual sales of the tea are

    c. Where the tea formula is stored

    d. How many people in the company have access to the tea formula

    b. In this case, the value of the asset can be based on the total sales of the tea. The sales of tea supplies would not be included in the worth of the tea formula.

  3. You work for a company that sells tea and tea supplies. The total annual sales for the company are $5 million. The sales of tea total $2 million and the sales of tea supplies total $3 million. The tea has a very interesting taste that cannot be duplicated. The marketing group for your company has a marketing plan that is expected to double the sales of the tea from $2 million to $4 million. What is the real value of the tea formula? What is the perceived value of the marketing plan?

    The real value of the tea formula is $2 million because that is the current sales of the tea. The perceived value of the marketing plan is $2 million because that is the projected increase the marketing plan is expected to provide.

  4. When talking about information security, what are the three cornerstones of the C-I-A triad?

    The three cornerstones of the C-I-A triad are confidentiality, integrity, and availability.

  5. List the sequence in which you perform the following steps when creating a risk management plan.

    a. Identify the vulnerabilities to your C-I-A triad

    b. Identify the value of your C-I-A triad

    c. Identify the threats to your C-I-A triad

    d. Identify how you can mitigate the risks

    b, c, a, d

Lesson 2: Identifying Threats

Lesson Review

  1. You are responsible for creating a mitigation plan for threats to your company's information security. Which of the following should your mitigation plan identify as threats from fabricated and natural disasters? (Select all that apply.)

    a. Incomplete backups

    b. Power outages

    c. Your building flooding

    d. A virus infecting the servers at your company

    e. A fire in your building

    b, c, e. Although all of these are threats that should be considered in your mitigation plan, the ones that can be identified as fabricated or natural are power outages, flooding, and fire. Each of these could be man-made or could occur naturally.

  2. When determining the risk posed by a threat, external threats are more dangerous than internal threats. (True or False?)

    False. Threats from internal sources can be just as damaging to your C-I-A triad as threats from external sources, so the risk is the same.

  3. Select all the attacks that are based on using malicious code:

    a. Trojan horse

    b. Social engineering

    c. Virus

    d. Novice

    e. Worm

    a, c, e. A Trojan horse, virus, and worm are all examples of malicious code. Social engineering is an attack type, but it is based on a person gaining access to your information using trickery of some sort. A novice is a hacker wannabe who does not have the talent of a hacker.

Lesson 3: Intrusion Points

Lesson Review

  1. Your company has a high-speed Internet connection that can be used to access the Internet and allows people on the Internet to access your company's Web site. Each user also has a modem that he or she can use for Internet access in case the high-speed connection fails. Users can select the Web browser they want to use and are allowed to manage their own computers. Which of the following are intrusion points for the hacker?

    a. The high-speed connection

    b. The Web browser on each of the client's computers

    c. The modem that each user has

    d. The Web server for your company's Web site

    a, b, c, d. All of these are intrusion points that can be used to gain access to your company's information.

  2. When accessing Web sites, an intruder might exploit a Web server using the HTTP protocol. (True or False?)

    True. HTTP is a protocol used to access a Web server. An intruder might be able to exploit the Web server using the HTTP protocol.

  3. It is always better to have several access points to the Internet so that if a hacker takes one down your company still has access. (True or False?)

    False. The fewer the connections to the Internet, the fewer intrusion points a hacker can use to gain access to your company's information.

Lesson 4: Defending Against Threats

Lesson Review

  1. Your company has a high-speed Internet connection that can be used to access the Internet and allows people on the Internet to access your company's Web site. Each user also has a modem that he or she can use for Internet access in case the high-speed connection fails. Users can select the Web browser they want to use and are allowed to manage their own computers. Which of the following are things you could do to defend against intrusion?

    a. Increase the number of Web browsers that can be used to make it more difficult for a hacker to identify and exploit the Web browser application.

    b. Limit the number of Web browsers that can be used to one or two so that you can better manage application updates.

    c. Have each user access the Internet using his or her modem so that hackers will be confused by the number of physical connections your company has to the Internet.

    d. Minimize the number of physical connection points to the Internet by removing the modem connections.

    b, d. One way is to limit the types of applications that are used. This makes keeping up with current security patches and service packs easier. Another way to defend against intrusion is to minimize the number of intrusion points available to a hacker.

  2. Your company wants to make sure that anyone with an administrator account for the network requires a more stringent form of user authentication than regular users. Name three methods that can be used.

    Biometric authentication, smart card authentication, or certificate-based authentication.

  3. Auditing is used to secure the network and systems on your network. (True or False?)

    False. Auditing does not secure the network and systems, but does record information that can be used to secure a network or system. By auditing, you record certain activity. This record can then be used to identify attack types and secure against them.

Lesson 5: Organizational and Operational Security

Lesson Review

  1. You discover that an intruder has compromised your company's C-I-A triad. Of the choices listed below, which is the most appropriate action you should take in response to this threat, and why?

    a. Attempt to identify the person that compromised the system.

    b. Preserve the log files for a forensics expert.

    c. Empty the log files so that you can try to capture specific data if another attack occurs.

    d. Leave any log files with the company's receptionist so that the forensics expert can find them.

    b. If your C-I-A triad is compromised, then your job is to secure potential evidence and not destroy any of the evidence. A forensics expert should be called in to attempt to identify the person who breached security and ensure that the chain of custody for the evidence is not broken.

  2. If an employee is fired, what should you do as an information security specialist?

    You should ensure that the user cannot access the network and systems. You can do this by disabling the user's account or by changing the password on the account.

Chapter 2: TCP/IP Basics

Lesson 1: Basic TCP/IP Principles

Exercise 2: Identifying Information Captured Using Network Monitor

  1. In this exercise, you will view and identify information captured using Microsoft Network Monitor on a system running the Microsoft Windows XP operating system. Figure 2-11 shows the results of a network capture when viewing the home page at http://www.ietf.org.

    Refer to Figure 2-11 and provide the missing information in the list below.

    • Ethernet frame length: 365 (0x016D)

    • IP version: 4 (0x4)

    • Application-level protocol in use: HTTP

    • First octet of the source IP address: 12

    • First octet of the destination IP address: 132

    [Figure 2-11: Network Monitor capture of the http://www.ietf.org home page]

Lesson Review

  1. After each layer of the DARPA communications model shown below, list the TCP/IP protocols that that particular layer uses.

    Application Layer

    Telnet, FTP, SMTP, NetBIOS

    Transport Layer

    TCP, UDP

    Internet Layer

    IP, ICMP, IGMP, ARP, RARP

    Network Interface Layer

    Ethernet, Token Ring, FDDI

  2. Place the following TCP/IP communications steps in the correct order:

    a. The IP protocol adds a header to the packet and passes the packet to the next lower layer.

    b. The Transport layer protocol adds a header to the Application layer request and passes the packet to the next lower layer.

    c. The network interface adds header and trailer information to the packet and places it on the network.

    d. An application is started that requests communications with a computer on the network. The application forms a packet and passes the request to the next lower layer.

    e. The Transport layer strips the header and passes the packet to the next higher layer.

    f. The Network Interface layer receives the packet from the network, strips the header and trailer information, and passes the packet to the next higher layer.

    g. The Internet layer strips the header and passes the packet to the next higher layer.

    h. The Application layer strips the header and passes the information to the application.

    The correct order is d, b, a, c, f, g, e, h.

  3. What protocol and field store the address of the destination computer?

    a. The source address of the Ethernet II frame

    b. The destination address of the Ethernet II frame

    c. The source address of the IP datagram

    d. The destination address of the IP datagram

    d

  4. Which header contains a field that specifies the total size of a frame?

    a. Transport layer header

    b. Internet layer header

    c. Network Interface layer header

    d. All of the above

    c
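As an added example (not from the book), the following Python models the send and receive steps of question 2 on a constructed Ethernet II / IPv4 / TCP frame and pulls out the fields the Network Monitor exercise asks for: frame length, IP version, application protocol, and the first octet of each address. The MAC addresses, RFC 5737 documentation IP addresses, ports, and HTTP request are constructed sample values, and the Ethernet trailer is a CRC-32 frame check sequence computed with `zlib.crc32`.

```python
"""Encapsulation (send) and decapsulation (receive) through the DARPA layers.

Added example, not from the book.  Every address, port and payload below is
a constructed sample value.
"""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Constructed sample values: locally administered MACs, RFC 5737 addresses.
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"
SRC_PORT, DST_PORT = 49152, 80
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: www.ietf.org\r\n\r\n"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ipv4_bytes(addr: str) -> bytes:
    return bytes(int(part) for part in addr.split("."))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Step b: the Transport layer prepends a 20-byte TCP header (no options)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4,   # data offset = 5 words
                      0x18,     # PSH + ACK
                      65535, 0, 0)
    return tcp + payload


def internet_encapsulate(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Step a: the Internet layer prepends a 20-byte IPv4 header."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,        # version 4, IHL 5 words
                      0, 20 + len(segment),
                      0x1234, 0x4000,      # identification, don't-fragment
                      64, IPPROTO_TCP, 0,  # TTL, protocol, checksum placeholder
                      ipv4_bytes(src_ip), ipv4_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + segment


def network_interface_encapsulate(datagram: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Step c: Ethernet II header in front, CRC-32 frame check sequence behind."""
    hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + datagram + struct.pack("!I", zlib.crc32(hdr + datagram))


def build_frame(payload: bytes) -> bytes:
    """Steps d, b, a, c: application data travels down the stack."""
    segment = transport_encapsulate(payload, SRC_PORT, DST_PORT)
    datagram = internet_encapsulate(segment, SRC_IP, DST_IP)
    return network_interface_encapsulate(datagram, SRC_MAC, DST_MAC)


def parse_frame(frame: bytes) -> dict:
    """Steps f, g, e, h: each layer checks and strips its own header."""
    body, fcs = frame[:-4], frame[-4:]                           # Network Interface
    if struct.pack("!I", zlib.crc32(body)) != fcs:
        raise ValueError("bad frame check sequence")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    datagram = body[14:]

    version, ihl = datagram[0] >> 4, (datagram[0] & 0x0F) * 4  # Internet
    if version != 4 or ipv4_checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_length = struct.unpack("!H", datagram[2:4])[0]
    segment = datagram[ihl:total_length]

    dst_port = struct.unpack("!HH", segment[:4])[1]             # Transport
    payload = segment[(segment[12] >> 4) * 4:]

    return {
        "frame_length": len(frame),
        "ip_version": version,
        "protocol": "TCP" if datagram[9] == IPPROTO_TCP else str(datagram[9]),
        "src_first_octet": datagram[12],
        "dst_first_octet": datagram[16],
        "dst_port": dst_port,
        "payload": payload,
    }


def frame_is_intact(frame: bytes) -> bool:
    """True when the frame check sequence and IP header checksum still match."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, value in parse_frame(build_frame(SAMPLE_PAYLOAD)).items():
        print(f"{key}: {value!r}")
```

The Network Interface layer header carries the frame type and the trailer carries the frame check, which is why a flipped payload byte is caught there before the Internet layer ever sees the datagram; the IPv4 total-length field, in turn, tells the receiver where the segment ends.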

Lesson 2: TCP/IP Layers and Vulnerabilities

Lesson Review

  1. At what layer of the DARPA communication model can a DoS attack occur?

    a. Network Interface layer

    b. Internet layer

    c. Transport layer

    d. Application layer

    e. All of the above

    f. None of the above

    e. DoS attacks can occur at any layer. The DoS attack overloads the system that is being attacked.

  2. An attack occurs that attempts to disrupt a computer by sending TCP handshake packets in the wrong order. At what communications layer would this attack occur?

    a. Network Interface layer

    b. Internet layer

    c. Transport layer

    d. Application layer

    c

Chapter 3: Certificate Basics

Lesson 1: Understanding Cryptography

Lesson Review

  1. Select the answer that best describes cryptography.

    a. Cryptography is encrypting messages with a secure hash function to provide information security.

    b. Cryptography is decrypting messages with a secure hash function to provide information security.

    c. Cryptography is encrypting and decrypting data to provide information security.

    d. Cryptography is providing information confidentiality using a shared secret, also known as an asymmetric key pair.

    c

  2. Which of the following best describes a key?

    a. A procedure for solving a mathematical problem in a fixed number of steps

    b. A set of instructions that govern ciphering or deciphering messages

    c. A one-way mathematical function that creates a fixed-sized representation of data

    d. An algebraic equation for solving a mathematical problem in a fixed number of steps

    b

  3. What is a procedure for solving a mathematical problem in a fixed number of steps?

    a. A secure hash function

    b. A symmetric key

    c. An asymmetric key

    d. An algorithm

    d

  4. Match the term to the definition:

    1. Symmetric key

    2. Asymmetric key pair

    3. Secure hash function

    4. Algorithm

    a. A procedure for solving a mathematical problem in a fixed number of steps

    b. A one-way mathematical function that creates a fixed-sized representation of data

    c. Two keys that form a key pair; one key is used to encrypt data, and the other key is used to decrypt data

    d. A single key is used for encrypting and decrypting data, and everyone that is allowed to encrypt and decrypt the data has a copy of the key

    1-d; 2-c; 3-b; 4-a

Lesson 2: Using Cryptography

Lesson Review

  1. Which is the best mechanism for providing confidentiality?

    a. Secure hash function

    b. Symmetric key

    c. Asymmetric key

    d. Algorithm

    b

  2. You need to send an e-mail message to someone and ensure that the integrity is verifiable when it arrives. Which would best provide that capability?

    a. Using a secure hash function to create a message digest

    b. Using an asymmetric public key to create a digital signature

    c. Using a symmetric key to create a digital signature

    d. Using an algorithm to create a message digest

    a

  3. You need to provide a method to allow the receiver of an e-mail to be able to authenticate that a message came from a specific person. Which would best provide that capability?

    a. Using a secure hash function to create a message digest

    b. Using an asymmetric key pair to create and validate a message digest

    c. Using a symmetric key to create and validate a message digest

    d. Using an algorithm to create a message digest

    b

  4. You need to provide a mechanism that can establish nonrepudiation when sending e-mail to a business partner. Which would best provide that capability?

    a. Using a secure hash function to create and validate a digital signature

    b. Using an asymmetric key pair to create and validate a digital signature

    c. Using a symmetric key to create and validate a digital signature

    d. Using an algorithm to create and validate a digital signature

    b
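The distinction the four questions above draw (digest for integrity, asymmetric key pair for authentication and nonrepudiation, symmetric key for confidentiality between key holders) can be seen in working code. The following is an added example, not from the book: it uses `hashlib` for the digest, `hmac` for a symmetric-key tag, and a deliberately tiny textbook RSA key pair built from two Mersenne primes with no padding and a truncated digest so that it runs with the standard library alone. That key pair illustrates the concept only and is not a usable key.

```python
"""Message digest vs. digital signature vs. symmetric MAC.

Added example, not from the book.  The RSA key pair below is a toy:
small Mersenne primes, no padding, digest truncated to fit the modulus.
"""
import hashlib
import hmac

# Constructed toy RSA key pair: p = 2^61 - 1 and q = 2^89 - 1 are prime.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_digest(message: bytes) -> bytes:
    """Integrity only: anyone can recompute this, so it proves the message
    was not altered but says nothing about who produced it."""
    return hashlib.sha256(message).digest()


def verify_digest(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(message_digest(message), digest)


def _digest_as_int(message: bytes) -> int:
    # Truncate to 128 bits so the value is below the toy modulus N (~2^150).
    return int.from_bytes(message_digest(message)[:16], "big")


def sign(message: bytes, private_key) -> int:
    """Authentication and nonrepudiation: only the holder of the private key
    can produce this value, and anyone holding the public key can check it."""
    n, d = private_key
    return pow(_digest_as_int(message), d, n)


def verify_signature(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message)


def symmetric_mac(message: bytes, shared_key: bytes) -> bytes:
    """Symmetric-key tag: integrity plus 'one of the key holders sent this'.
    Because the receiver holds the same key, it could have produced the tag
    itself, so it cannot prove to a third party who sent the message."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify_mac(message: bytes, tag: bytes, shared_key: bytes) -> bool:
    return hmac.compare_digest(symmetric_mac(message, shared_key), tag)


if __name__ == "__main__":
    msg = b"Ship 500 units on Monday."          # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    print("digest ok:", verify_digest(msg, message_digest(msg)))
    print("signature ok:", verify_signature(msg, sig, PUBLIC_KEY))
    print("tampered signature ok:", verify_signature(msg + b"!", sig, PUBLIC_KEY))
    key = b"constructed-shared-secret"
    print("receiver can forge tag:", symmetric_mac(msg, key) == symmetric_mac(msg, key))
```

Note how the signature ties the digest to the private key: the receiver verifies with the public key but cannot produce a valid value for a changed message, which is exactly the property that makes nonrepudiation possible and that the digest and the symmetric tag both lack.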

Lesson 3: Identifying the Components of a Public Key Infrastructure

Lesson Review

  1. Which best describes a PKI?

    a. A digital representation of information that identifies you as a relevant entity by a TTP

    b. An entity that is recognized as an authority trusted by one or more users or processes to issue and manage a certificate

    c. Uses asymmetric key pairs and combines software, encryption technologies, and services to provide a means of protecting the security of communications and business transactions

    d. A list of certificates issued by a CA that are no longer valid

    c

  2. Which best describes a certificate?

    a. A digital representation of information that identifies you as a relevant entity by a TTP

    b. An entity that is recognized as an authority trusted by one or more users or processes to issue and manage a certificate

    c. Uses asymmetric key pairs and combines software, encryption technologies, and services to provide a means of protecting the security of communications and business transactions

    d. A list of certificates issued by a CA that are no longer valid

    a

  3. Which best describes a CA?

    a. A digital representation of information that identifies you as a relevant entity by a TTP

    b. An entity that is recognized as an authority trusted by one or more users or processes to issue and manage a certificate

    c. Uses asymmetric key pairs and combines software, encryption technologies, and services to provide a means of protecting the security of communications and business transactions

    d. A list of certificates issued by a CA that are no longer valid

    b

  4. What are some reasons a certificate might be placed on a CRL? Select all correct answers.

    a. The certificate owner lost the private key.

    b. The certificate owner is going on a business trip and wants the certificate expiration refreshed so it does not expire.

    c. The certificate owner left the company.

    d. The certificate owner changed names.

    e. The certificate owner lost the public key.

    a, c, d

Lesson 4: Understanding CA Trust Models

Lesson Review

  1. You are the security specialist for your company and you have just installed a third CA. Each CA supports three different geographical locations. You are attempting to access a server that was issued a certificate by the new CA, but your certificate is not being accepted. Which is the best way to solve the problem?

    a. Have the new CA issue you a certificate

    b. Have the new CA and each of the old CAs issue a certificate to each other

    c. Reinstall the software on the new CA

    d. Make the new CA a bridge CA

    b

  2. Which statements are true of a mesh architecture? Select all that apply.

    a. Connects mesh and hierarchical architectures together.

    b. There is a top-level CA known as a root CA.

    c. Multiple peer CAs issue certificates to each other.

    d. Does not issue certificates to end users.

    c

  3. Which statements are true of a hierarchical architecture? Select all that apply.

    a. Connects mesh and hierarchical architectures together.

    b. There is a top-level CA known as a root CA.

    c. Multiple peer CAs issue certificates to each other.

    d. Does not issue certificates to end users.

    b

  4. Which statements are true of a bridge CA? Select all that apply.

    a. Connects mesh and hierarchical architectures together.

    b. There is a top-level CA known as a root CA.

    c. Multiple peer CAs issue certificates to each other.

    d. Does not issue certificates to end users.

    a, d

Lesson 5: Understanding Certificate Life Cycle and Key Management

Lesson Review

  1. Match each portion of the certificate life cycle with the answer that best describes it.

    1. Enrollment

    2. Distribution

    3. Validation

    4. Revocation

    5. Renewal

    6. Destruction

    7. Auditing

    a. The CA distributes the certificate to the user

    b. Involves tracking the creation, expiration, and revocation of certificates

    c. A request is initiated by users requesting certificates from a CA

    d. Occurs when a certificate reaches the expiration date

    e. The CA adds the certificate to its certificate revocation list

    f. Verifying that the signature is valid, that a trusted CA has issued the certificate, that the certificate can be used for its intended purpose, and determining whether the certificate has been revoked

    g. The process of deleting the certificate after it has been published on the CRL

    1-c; 2-a; 3-f; 4-e; 5-d; 6-g; 7-b

Chapter 4: Network Infrastructure Security

Lesson 1: Understanding Network Infrastructure Security

Review Questions

  1. List three or more items that are considered part of a network infrastructure.

    Cables; connectivity devices such as hubs, routers, switches, and firewalls; and the hosts and servers on the network.

  2. What are some of the actions you might take to secure your physical network infrastructure?

    You could hire security guards; install sensors, alarms, and closed-circuit TV cameras and monitors; use physical access badges and security cards; install backup electrical power; protect network cables; lock wiring closets and server rooms; encase equipment in protective housings; use tamper-proof seals on equipment casing; install fences and parking lot gates; maintain fire-extinguishing and detection systems appropriate for your equipment and facility; and ensure that buildings meet appropriate construction standards.

  3. In addition to physical attacks, what other types of attacks might be directed against your network infrastructure?

    Attacks against the electronic configuration of equipment are also possible. For example, an attack against a router might involve rewriting the routing table.

  4. Name other security threats that are not related to people attacking your network.

    Other security threats not related to people attacking your network are fires, floods, tornadoes, earthquakes, mudslides, volcanic eruptions, and other natural disasters.

Lesson 2: Securing Network Cabling

Exercise: Identifying Cable Vulnerabilities

  1. Match the cable type in the left column with the compromise it's susceptible to in the right column. More than one compromise might apply to any given cable type.

    1. Fiber optic

    2. Twisted-pair

    3. Coaxial

    a. EMI and RFI

    b. Breaking or cutting

    c. Eavesdropping

    1-b

    2-a, b, c

    3-a, b, c

Lesson Review

  1. What techniques can be used to sabotage coaxial and twisted-pair networks?

    Removing terminators, cutting the cable, or using heat or an energy-generating motor or device to disrupt communications with EMI and RFI.

  2. Which coaxial and twisted-pair sabotage methods do not work on fiber optic cable?

    EMI and RFI don't affect fiber optic cable. Fiber optic cable doesn't use terminators either, so you cannot simply remove a terminator to disrupt communications (as you could on a coaxial network cable).

  3. List eavesdropping methods for each type of cable: twisted-pair, coaxial, and fiber optic.

    Twisted-pair cable can be eavesdropped on by adding a hub (or adding a cable to an existing hub). Coaxial cable can be eavesdropped on by adding a station to the bus. Also, more sophisticated technology would allow you to collect data transmissions by tapping into either the twisted-pair cable or coaxial cable. Fiber optic cable cannot be easily eavesdropped on. Someone would have to insert a station or signal-repeating device (repeater) to compromise a fiber optic connection between two points. This would result in some type of outage, making it easily detectable.

  4. What methods can you use to help protect your network from eavesdropping?

    Documentation and routine checks are the best method for protecting your network from eavesdropping. In addition, network-monitoring equipment can alert you to the presence of rogue connections. Be sure to investigate all outages because an outage might be used to insert a rogue device on the network.

Lesson 3: Securing Connectivity Devices

Exercise: Identifying Network Infrastructure Exploits

  1. Match the equipment exploits in the left column with the appropriate devices in the right column. Some exploits can be used on multiple device types.

    1. Physical sabotage

    2. Overwriting MAC-to-IP address mappings

    3. Rerouting cables

    4. Packet sniffing

    5. EMI and RFI

    a. Routers

    b. Switches and bridges

    c. Hubs

    d. Hosts on the network

    e. Wireless AP

    f. ARP cache

    1-a, b, c, d, e

    2-a, d, e

    Overwriting MAC-to-IP address mappings applies to the ARP cache. Routers, wireless APs, and hosts on the network maintain ARP caches, so they are also vulnerable to ARP cache poisoning.

    3-a, b, c, d, e

    4-a, b, c, d, e

    5-a, b, c, d, e
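The exercise's point that routers, wireless APs, and hosts all keep ARP caches that can be overwritten is the basis of the defensive check below. This is an added example, not from the book: a small monitor that starts from the IP-to-MAC bindings already learned for a segment and raises an alert when an ARP reply tries to rebind one of those IPs to a different MAC, or answers for an IP the monitor has never learned. The log format, addresses, and bindings are constructed sample data, not the output of any real tool.

```python
"""ARP cache poisoning detection over constructed ARP reply records.

Added example, not from the book.  Log lines and addresses are constructed
sample data in a simple "<time> <operation> <sender IP> <sender MAC>" form.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_ARP_LOG = """\
10:00:01 reply 192.0.2.1 00:11:22:33:44:01
10:00:02 reply 192.0.2.20 00:11:22:33:44:20
10:00:05 request 192.0.2.20 00:11:22:33:44:20
10:00:05 reply 192.0.2.1 00:11:22:33:44:01
10:00:09 reply 192.0.2.1 AA:BB:CC:DD:EE:FF
10:00:10 reply 192.0.2.99 aa:bb:cc:dd:ee:ff
10:00:12 reply 192.0.2.20 00:11:22:33:44:20
"""

# Bindings learned earlier (constructed): the gateway and one workstation.
KNOWN_BINDINGS = {
    "192.0.2.1": "00:11:22:33:44:01",
    "192.0.2.20": "00:11:22:33:44:20",
}

Record = Tuple[str, str, str, str]   # (time, operation, ip, mac)


@dataclass
class Alert:
    time: str
    ip: str
    seen_mac: str
    expected_mac: Optional[str]
    reason: str


def parse_arp_log(text: str) -> List[Record]:
    """Parse the constructed log; MAC case is normalised so comparisons hold."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, op, ip, mac = line.split()
        records.append((time, op, ip, mac.lower()))
    return records


def detect_arp_poisoning(records: List[Record], known_bindings: Dict[str, str]) -> List[Alert]:
    """Flag replies that contradict or extend the known bindings.

    The known table is deliberately not updated from traffic: a reply that
    changes a binding is the suspect event, not new ground truth."""
    alerts = []
    for time, op, ip, mac in records:
        if op != "reply":
            continue
        expected = known_bindings.get(ip)
        if expected is None:
            alerts.append(Alert(time, ip, mac, None, "reply for unknown host"))
        elif expected != mac:
            alerts.append(Alert(time, ip, mac, expected, "binding changed"))
    return alerts


def macs_claiming_multiple_ips(records: List[Record]) -> Dict[str, Set[str]]:
    """A second indicator: one MAC answering ARP for several IP addresses."""
    claims: Dict[str, Set[str]] = {}
    for _, op, ip, mac in records:
        if op == "reply":
            claims.setdefault(mac, set()).add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    recs = parse_arp_log(SAMPLE_ARP_LOG)
    for alert in detect_arp_poisoning(recs, KNOWN_BINDINGS):
        print(alert)
    print(macs_claiming_multiple_ips(recs))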

Lesson Review

  1. List security issues that are common to managed hubs, switches, and routers.

    Hubs, switches, and routers are all physical devices. They can be disrupted by power outages and physical sabotage. This includes damaging the devices and rerouting cables to the devices.

  2. Describe security issues that are common to switches and routers.

    Switches and routers maintain tables, which could be exploited or incorrectly configured. Also, switches and routers are physical devices (as previously mentioned), so they are vulnerable to all of the issues stated in the answer to question 1.

  3. How might an attacker compromise a firewall implementation?

    Attackers could find an exploit in the firewall software, determine a way to circumvent the firewall, or discover an incorrectly configured firewall.

  4. List ways in which a PBX can be compromised.

    PBXs are often compromised because they are left with default passwords. Other vulnerabilities might include problems with PBX software that has not been updated, maintenance or remote administration back doors that have not been plugged, and passwords that are easy to guess.

  5. What are the security implementations available for wireless networks?

    802.11b authentication, Extensible Authentication Protocol over LANs (EAPOL), and Wired Equivalent Privacy (WEP) encryption.

Lesson 4: Exploring Secure Topologies

Exercise: Selecting Infrastructure Security Measures

  1. Each of the statements in the left column describes a technology discussed in this chapter. Match the terms in the right column with the descriptions in the left column.

    1. Used to secure and encrypt network data transmitted between partner networks

    2. The area between the internal and external network typically used to provide semisecure services to the external network

    3. A device that can be used to create screened subnets and separate the internal network from the external network

    4. Can mask your internal IP address range and allow multiple hosts to share a single IP address

    a. Perimeter

    b. NAT

    c. VPN

    d. Firewall

    1-c; 2-a; 3-d; 4-b

Lesson Review

  1. What is the purpose of dividing a network into security zones?

    Security zones enable administrators to better protect internal resources from external attacks. Different security measures can be used to protect resources based on the function they are expected to provide.

  2. What are the major benefits of a perimeter network?

    The main benefit of a perimeter network is that it separates the services that your organization provides to external customers from those provided to internal customers and employees. By making this separation, you can use tighter security controls to secure the internal network and place appropriate focus on securing and monitoring resources in the perimeter network.

  3. How can NAT be used to protect your network?

    NAT can protect your internal addressing scheme (and even individual hosts) from attackers on the external network. This doesn't mean that NAT protects individual hosts from attack, but it can make the job of mapping your internal network more difficult for attackers.

  4. How are VPNs used?

    VPNs are used to encrypt communication (data) over networks. They are typically used between partner networks or for secure remote connections.

  5. What are the benefits of VLANs?

    VLANs reduce broadcast traffic and make it easier for you to reconfigure your network. From a security standpoint, VLANs can make it more difficult for an attacker to map your network.

Lesson 5: Securing and Monitoring Network Resources

Exercise: Identifying Security Devices

  1. Match the term in the right column with the most appropriate statement in the left column:

    1. Can help to secure your data if your laptop is stolen

    2. Helps you to learn attacker techniques and potential future exploits

    3. Alerts you when a recognized attack is underway

    4. Helps you to keep your laptop from being stolen

    a. Honeypot

    b. IDS

    c. Motion-sensing alarm

    d. Data encryption

    1-d; 2-a; 3-b; 4-c

Lesson Review

  1. What security methods are common to workstations and servers?

    Install virus-scanning software and keep virus definition files up to date, monitor system logs for errors, configure logging or auditing for critical system resources and data, limit access to workstations to a specific user or set of users, control access to local and shared resources, remove unnecessary applications and services, configure automated or centralized backup systems, and ensure the latest operating system and application security fixes are applied and kept current.

  2. What security steps are typically implemented on mobile devices that aren't usually necessary on workstations and servers?

    Antitheft devices, additional identifying marks or colors, and data encryption.

  3. What tools can you use to monitor your network infrastructure devices?

    SNMP management devices, intrusion detection systems, and honeypots.

  4. What security benefits does an intrusion detection system provide?

    Warnings about possible attacks, protection from known or recognized attacks, protection of critical system files, and logging of attack information.

  5. How can you use a honeypot to help protect your network?

    You can use a honeypot to learn about new exploits that an attacker might soon attempt. You can also prove that attackers are after your network, which might motivate you and those who control your budget to implement tighter (and possibly more expensive) security measures.

Chapter 5: Communications Security

Lesson 1: Understanding Remote Access Connectivity

Lesson Review

  1. What are two types of remote access connectivity solutions?

    Remote access connectivity can be provided through telephone lines and the Internet.

  2. What security concerns must you consider when providing remote access connectivity solutions?

    The security concerns you must consider are how to manage devices not physically connected to your network, and how to secure the communications link between the remote computer and your network.

  3. A technique used to identify modems connected to telephone lines is known as

    a. Callback Control Protocol

    b. War dialing

    c. War driving

    d. War walking

    b

Lesson 2: Providing Secure Remote Access

Lesson Review

  1. During port-based access control interaction, an authenticator

    a. Enforces authentication before it allows user access to the services

    b. Requests access to the services

    c. Checks the supplicant's credentials

    d. Allows data exchange between two ports

    a

  2. Which protocols support VPN tunneling?

    a. PPP

    b. PPTP

    c. TCP

    d. SLIP

    b

  3. A RADIUS server can only provide authentication for one remote access server. (True or False?)

    False. A RADIUS server provides centralized authentication for any number of remote access servers.

  4. Select all of the following that are advantages of TACACS+:

    a. Provides a standard method for managing dissimilar networks

    b. Provides distributed user validation for users attempting to gain access to a router or access server

    c. Provides centralized validation for users attempting to gain access to a router or access server

    d. Runs over UDP for more efficient communications

    a, c

  5. The L2TP protocol uses which port?

    a. 443

    b. 80

    c. 1701

    d. 29

    c

  6. Which of the following does SSH protect against?

    a. NFS mounting

    b. Packet spoofing

    c. Password sniffing

    d. Internet attacks

    b, c

Lesson 3: Understanding Wireless Standards and Protocols

Exercise 1: Identifying Maximum Wireless Speeds

  1. In this exercise, you match the wireless standard with the maximum speed it supports.

    1. 802.11a

    2. 802.11b

    3. 802.11c

    a. 22 Mbps transmitting at 2.4 GHz

    b. 22 GHz transmitting at 2.4 GHz

    c. 54 Mbps transmitting at 2.4 GHz

    d. 54 GHz transmitting at 2.4 Mbps

    e. 11 Mbps transmitting at 2.4 GHz

    f. 11 GHz transmitting at 2.4 Mbps

    1-c; 2-e; 3-a

Exercise 2: Identifying Key Wireless Access Terms

  1. Match the term in the left column with the most appropriate statement in the right column.

    1. ESS

    2. WTLS

    3. 802.1x

    4. BSS

    5. WEP

    6. WAP

    1. The mechanism created in the 802.11 standard that utilizes a cryptographic security countermeasure to provide confidentiality, and has the added benefit of becoming an authentication mechanism.

    2. Security layer is based on standard Transport Layer Security (TLS).

    3. A suite of protocols used for securing communications in layers 3 through 7. The communications model can be compared to the seven-layer OSI model.

    4. The APs talk amongst themselves forwarding traffic from one BSS to another, as well as switch the roaming devices from one BSS to another.

    5. Wireless devices (notebooks and handhelds) no longer communicate in ad hoc mode. Instead, all traffic from one device destined for another device is relayed through the AP.

    6. A standard for port-based network access control that provides authenticated network access to 802.11 wireless networks and wired Ethernet networks.

    1-d; 2-b; 3-f; 4-e; 5-a; 6-c

Lesson Review

  1. What is the maximum transport speed supported by the 802.11b standard?

    1. 2.4 GHz

    2. 2 Mbps

    3. 11 Mbps

    4. 10 Mbps

    c

  2. What is the encryption method employed by WEP? What is the maximum bit encryption supported?

    1. RC4

    2. RC5

    3. 64-bit encryption

    4. 128-bit encryption

    a, d

Chapter 6: Application Security

Lesson 1: E-Mail Security

Lesson Review

  1. Name two ways in which you can increase the privacy of e-mail.

    Implement encryption and digital signatures. This can be done using PGP or S/MIME-enabled software.

  2. What are some steps you should take to protect your organization from the exploitation of e-mail vulnerabilities?

    Review security alerts and bulletins for information on new exploits and software patches. Install and test new e-mail software security patches as they are made available.

  3. What can you do to help your organization combat spam?

    Configure spam filters on mail gateways and clients. Participate in programs to collect and reduce spam (such as those sponsored by the FTC or antispam organizations like spam.org and junkbusters.org). You might also follow the advice of spam.org: Never respond to spam. Don't post your address on a Web site. Use a second e-mail address in newsgroups. Don't provide your e-mail address without knowing how it will be used. Use a spam filter. Don't buy anything solicited through spam.

  4. What steps can you take to reduce your organization's exposure to e-mail scams?

    Review common scam postings on Web sites like scambusters.org, ccmostwanted.com, and ftc.gov. Educate your organization's users on ways to identify scams, such as showing them the FTC article titled "FTC Names Its Dirty Dozen: 12 Scams Most Likely to Arrive Via Bulk Email." Create policies that prohibit users from following instructions in common scams, such as giving out account numbers.

  5. How can you reduce the propagation of e-mail hoaxes?

    Don't forward any unconfirmed information, especially if it was forwarded to you. Use Web sites like hoaxbusters.org to determine whether such e-mail is a known hoax. Learn to recognize and teach others the five tell-tale signs of an e-mail hoax: an indication of urgent information or request, a request to tell all your friends, some form of bogus corroboration to imply that the hoax isn't a hoax, prognostication of dire consequences if the e-mail is not forwarded or the steps are not followed, and the e-mail has been forwarded to others and has a history or several angle brackets (>>>>) in the message body.

Lesson 2: Web Security

Exercise: Application Security Solutions

Match the security issues in the left column with the products or specifications that address those issues in the right column:

  1. E-mail forgery

  2. Clear text e-mail

  3. Sniffing Web connection packets

  4. Clear text IM

  5. Buffer overflows

  6. Cleartext cookie transmission

  1. PKI-enabled IM applications

  2. Secure coding practices

  3. PGP

  4. SSL/TLS

  5. S/MIME

  6. Security patches

E-mail forgery is addressed by PGP and S/MIME, both of which can be used to create digital signatures. Cleartext e-mail is also addressed by PGP and S/MIME, both of which can be used to encrypt e-mail. Sniffing Web connection packets is addressed by SSL/TLS, which can be used to encrypt those communications. Clear text IM is addressed by PKI IM applications. Buffer overflows are rectified by secure coding practices and security patches. Cleartext cookie transmission can be encrypted by SSL/TLS.

Lesson Review

  1. How might you secure communications between a Web browser and client?

    Web communications are typically secured with SSL/TLS encryption. Another standard (not as popular as SSL/TLS) to secure Web communications is S-HTTP.

  2. What is a software developer's defense against buffer overflows? How should a security administrator handle buffer overflows?

    Applying secure coding practices is the software developer's best defense against buffer overflows. Security administrators should test and apply security patches that correct buffer overflows as soon as they are available. If a security administrator knows of a buffer overflow issue that has not been corrected, he or she should consider disabling that application until a security patch is available.

  3. What type of CGI exploits do attackers look for?

    Well-known or sample scripts on Web servers; finding CGI scripts that are in directories to which the attacker can gain access and run; using SSI to compromise CGI scripts; working around a client-side preprocessor (such as a Java applet) and sending data directly to CGI applications in hopes of exploiting them.

  4. What types of security issues can arise from cookies?

    Cookies can provide an attacker with a look at how your Web server processes and tracks data. Cookies that are used for authentication, storing private data, or feeding information into other programs might be compromised or stolen.

  5. What problems does signing active content seek to solve? What security issues might still exist in signed content?

    Signing active content allows the user to verify the entity that created it. However, simply being able to verify who developed the application is not a guarantee that the creator is honest and used secure coding practices. The security of the application is not guaranteed, just the identity of its creator. Signed content could still be a malicious program or a legitimate program with a security hole.

Lesson 3: File Transfer

Lesson Review

  1. What are the main security concerns of client/server FTP communications?

    Standard FTP communications use unencrypted authentication and data transfer that can be easily packet sniffed. This could result in a compromise of user names, passwords, and possibly private programs and data.

  2. How can you mitigate the security concerns regarding FTP?

    Secure FTP and Kerberized FTP can be used to encrypt FTP authentication and communication.

  3. What are some of the dangers of using file-trading utilities?

    File-trading utilities are often used to transfer copyrighted material. Further, they could be used to transfer Trojan horse software.

Chapter 7: User Security

Lesson 1: Understanding Authentication

Exercise 1: Following a Cross-Realm Authentication

In this exercise, place the steps in order as they would occur in the following scenario.

Scenario: You are a user who has authenticated in one realm and you wish to access a service registered in another realm.

  1. The client contacts the RTGS and requests a session ticket to access the remote service.

  2. The client contacts a TGS and requests a TGT for the remote realm.

  3. The client accesses the service.

  4. The AS authenticates the client and provides the client with a TGT.

  5. The client (user) sends a registration request to an AS.

5, 4, 2, 1, 3
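The ordering above is easier to see when each exchange is written out. The Python below is an added illustration and not code from the training kit: it models the AS, the home TGS, the remote TGS (RTGS) and the service as functions, with tickets sealed by an HMAC under the key of the party that must accept them. Real Kerberos encrypts tickets and carries session keys, which this sketch leaves out; every key, principal name and password is constructed for the example.

```python
"""Cross-realm Kerberos flow in miniature (added illustration, not book code).

Tickets are sealed with an HMAC under the key of the party that must accept
them. Real Kerberos encrypts tickets and distributes session keys; those
parts are omitted here. All keys, names and passwords are constructed.
"""
import hashlib
import hmac
import json
import os

# Long-term keys. K_TGS is shared by the AS and TGS of the home realm,
# K_XREALM by the home TGS and the remote TGS (the cross-realm key),
# K_SVC by the remote TGS and the service it protects.
K_TGS = os.urandom(32)
K_XREALM = os.urandom(32)
K_SVC = os.urandom(32)
USERS = {"alice@HOME.EXAMPLE": "correct horse battery staple"}  # constructed


def seal(key, payload):
    """Serialise a ticket body and attach an HMAC tag computed under `key`."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_ticket(key, ticket, kind):
    """Return the payload if the tag verifies under `key` and the ticket is of `kind`."""
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        return None
    payload = json.loads(ticket["body"])
    return payload if payload.get("kind") == kind else None


# Exercise items 5 and 4: the client registers with the AS, which authenticates
# it and returns a TGT sealed for the home TGS.
def authentication_server(principal, password):
    if USERS.get(principal) != password:
        return None
    return seal(K_TGS, {"kind": "tgt", "realm": "HOME.EXAMPLE", "client": principal})


# Exercise item 2: the home TGS accepts the TGT and issues a TGT for the remote
# realm, sealed under the cross-realm key.
def home_tgs(tgt, remote_realm):
    p = open_ticket(K_TGS, tgt, "tgt")
    if p is None:
        return None
    return seal(K_XREALM, {"kind": "tgt", "realm": remote_realm, "client": p["client"]})


# Exercise item 1: the remote TGS (RTGS) accepts the cross-realm TGT and issues
# a session ticket sealed for the service.
def remote_tgs(xrealm_tgt, service_name):
    p = open_ticket(K_XREALM, xrealm_tgt, "tgt")
    if p is None:
        return None
    return seal(K_SVC, {"kind": "service", "service": service_name, "client": p["client"]})


# Exercise item 3: the service accepts the session ticket and learns who the client is.
def service(session_ticket):
    p = open_ticket(K_SVC, session_ticket, "service")
    return None if p is None else p["client"]


def cross_realm_login(principal, password, service_name="files@REMOTE.EXAMPLE"):
    """Run the exchanges in exercise order (5, 4, 2, 1, 3); return (trace, client seen by service)."""
    trace = []
    tgt = authentication_server(principal, password)
    trace.append("AS: register, receive TGT")
    if tgt is None:
        return trace, None
    xtgt = home_tgs(tgt, "REMOTE.EXAMPLE")
    trace.append("TGS: request TGT for remote realm")
    st = remote_tgs(xtgt, service_name) if xtgt else None
    trace.append("RTGS: request session ticket")
    who = service(st) if st else None
    trace.append("Service: access")
    return trace, who


if __name__ == "__main__":
    steps, client = cross_realm_login("alice@HOME.EXAMPLE", "correct horse battery staple")
    print("\n".join(steps), "->", client)
```

Because each ticket is sealed for exactly one recipient, presenting the home-realm TGT straight to the RTGS fails: the step through the home TGS is what produces a ticket the remote realm can verify.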

Exercise 2: Reviewing Kerberos Terminology

In this exercise, match the terms in the left column with the correct definitions in the right column.

  1. Realm

  2. Authentication server (AS)

  3. Ticket-granting ticket (TGT)

  4. Ticket-granting service (TGS)

  5. Kerberos Distribution Center (KDC)

  1. What an AS and TGS form together

  2. The ticket a client receives that allows them to request session tickets

  3. The service that a client requests a session ticket from

  4. The service that registers a client and provides them with a TGT

  5. The logical boundary that is formed by an AS and TGS

a-5; b-4; c-2; d-3; e-1

Lesson Review

  1. What type of authentication does Kerberos provide?

    1. One-way authentication

    2. Mutual authentication

    3. Direct authentication

    4. Indirect authentication

    b

  2. With CHAP authentication, what information does a client return in response to a challenge? (Select all that apply)

    1. Session ID

    2. Random string of data

    3. User name

    4. Encrypted challenge

    5. Password

    a, c, d, e

  3. Select the answer that best describes token authentication:

    1. Something you have

    2. Something you know

    3. Something you are

    a

  4. Select the answer that best describes user name and password authentication:

    1. Something you have

    2. Something you know

    3. Something you are

    b

  5. Select the answer that best describes biometric authentication:

    1. Something you have

    2. Something you know

    3. Something you are

    c

Lesson 2: Understanding Access Control Models

Exercise: Identifying Authentication Methods

In this exercise, match the authentication methods in the left column with the correct definitions in the right column.

  1. RBAC

  2. DAC

  3. MAC

  1. Permits the owner of an object (such as a process, file, or folder) to manage access control at his or her own discretion.

  2. Access to an object is restricted based on the sensitivity of the object (defined by the label that is assigned), and granted through authorization (clearance) to access that level of data.

  3. Access is based on the role a user plays in the organization.

a-3; b-1; c-2
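The three definitions above differ in who decides an access request. The Python below is an added example, not code from the training kit: it implements a minimal decision function for each model so the difference is visible in code. The object names, users, roles, sensitivity levels and permissions are constructed for the example; the MAC read rule ("no read up") and write rule ("no write down") follow the Bell-LaPadula model.

```python
"""DAC, MAC and RBAC decision functions side by side (added illustration).

DAC:  the object's owner edits an ACL at their own discretion.
MAC:  a label on the object and a clearance on the subject decide; neither
      the owner nor the subject can change them.
RBAC: permissions attach to roles and users are assigned roles.
All policy data below is constructed for the example.
"""
from dataclasses import dataclass, field

# Sensitivity levels used by the MAC check, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class DacObject:
    """A DAC-protected object: the owner manages who else may do what."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor, user, perm):
        """Only the owner may change the ACL; that is the discretionary part."""
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allows(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())


def mac_allows(clearance, label, perm):
    """MAC decision: read requires clearance >= label (no read up);
    write requires clearance <= label (no write down)."""
    c, l = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return c >= l
    if perm == "write":
        return c <= l
    return False


# RBAC policy: role -> set of (object, permission); user -> set of roles.
ROLE_PERMS = {
    "auditor": {("logs", "read")},
    "admin": {("logs", "read"), ("logs", "write"), ("users", "write")},
}
USER_ROLES = {"alice": {"auditor"}, "bob": {"admin"}, "carol": set()}


def rbac_allows(user, obj, perm):
    """RBAC decision: allowed if any of the user's roles carries the permission."""
    return any((obj, perm) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read:", doc.allows("bob", "read"))
    print("MAC  secret clearance reads confidential:", mac_allows("secret", "confidential", "read"))
    print("RBAC alice writes logs:", rbac_allows("alice", "logs", "write"))
```

Note that in the DAC case a non-owner's attempt to grant rights is simply refused, in the MAC case nobody in the code path can alter a label or clearance, and in the RBAC case changing what a user may do means changing role membership rather than touching the object.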

Lesson Review

  1. With discretionary access control (DAC), there is no mechanism for creating and enforcing rules regarding access control. Access is configured at the discretion of the owner of the object. (True or False?)

    True

  2. Which description best fits role-based access control (RBAC)?

    1. Access control is configured at the discretion of the object's owner.

    2. Access to an object is restricted based on the sensitivity of the object and is granted through authorization.

    3. Access is granted based on the user's role.

    c

  3. Which description best fits discretionary access control (DAC)?

    1. Access control is configured at the discretion of the object's owner.

    2. Access to an object is restricted based on the sensitivity of the object and is granted through authorization.

    3. Access is granted based on the user's role.

    a

  4. Which description best fits mandatory access control (MAC)?

    1. Access control is configured at the discretion of the object's owner.

    2. Access to an object is restricted based on the sensitivity of the object and is granted through authorization.

    3. Access is granted based on the user's role.

    b

Chapter 8: Security Baselines

Lesson 1: Network Device and Operating System Hardening

Lesson Review

  1. How can you stop certain protocols from traversing your routers?

    Access control lists (ACLs) can be used to prevent specific protocols from traversing your routers.

  2. What can you do to make it more difficult for an attacker to sniff your network?

    Permanently disabling the promiscuous mode of the network card makes a network scanner useless on the compromised system. If you cannot permanently disable promiscuous mode, you might be able to disable it temporarily. The attacker would have to be sophisticated enough (and obtain the required access) to re-enable promiscuous mode. Other things that you can do include enabling encryption between connections, using network switching, and physically securing connection points to your network.

  3. What can you do to secure your computer's file system?

    Be sure to use a file system that supports file and folder permissions. Configure the permissions according to the rule of least privilege.

  4. What is the purpose of disabling unnecessary systems, programs, processes, protocols, and services?

    You should disable all unnecessary systems, programs, processes, protocols, and services to reduce the avenues by which an attacker could potentially exploit your network.

  5. Why is it imperative that you monitor security alerts?

    New vulnerabilities are discovered frequently and vendor patches are released to correct them. If you do not monitor vulnerability alerts, you might miss an update and allow your organization to fall vulnerable to an attack that could have been prevented.

Lesson 2: Server Application Hardening

Exercise: Port Matching

Match the services in the left column with the correct TCP/UDP ports on which the service is provided in the right column:

  1. DNS

  2. DHCP

  3. SMTP

  4. POP3

  5. IMAP

  1. 143

  2. 53

  3. 110

  4. 25

  5. 67/68

1-b; 2-e; 3-d; 4-c; 5-a

Lesson Review

  1. What are some ways to secure your network from exploits targeted at servers capable of dynamic DNS (DDNS)?

    There are essentially two methods for protecting your network from DDNS exploits: disabling DDNS, and implementing DNS security so that client identities can be verified before they can update the DNS server.

  2. What steps can you take to secure DHCP servers and clients on your network?

    Configure reservations for DHCP clients on the DHCP server. Configure client options on the client, instead of relying on the DHCP server, which could potentially be replaced by a rogue DHCP server. You should block DHCP requests from traversing the firewall by blocking UDP/TCP ports 67 and 68.

  3. How might an attacker use your FTP server to compromise another computer?

    Some FTP servers are susceptible to port bouncing, which allows an attacker to bounce a scan off of your FTP server and direct it to another computer. This enables the attacker to scan another computer without giving away his or her source IP address to that client.

  4. What are the differences in authentication support between LDAP v2 and LDAP v3?

    LDAP v2 supports simple, anonymous, and Kerberos version 4 authentication. LDAP v3 supports simple, anonymous, and SASL authentication.

  5. What are the components in an LDAP hierarchy?

    LDAP root, organizational units, and objects.

Chapter 9: Operational Security

Lesson 1: Physical Security

Lesson Review

  1. Why is a biometric device based on hand geometry suitable only for verifying users and not identifying them?

    Hand geometry can only be used to verify users because the characteristics of the hand that are measured by the device are not unique to each individual.

  2. Which of the following attributes of cellular networking products make them a greater security risk than IEEE 802.11b wireless products?

    1. Lower cost

    2. Greater transmission range

    3. Less susceptibility to interference from walls and barriers

    4. Use of higher frequencies

    b

  3. What is the difference between a mirrored server stored at a hot site and one stored at a cold site?

    The server at the hot site is running continuously, whereas the server at the cold site is only stored there, and is not running.

Lesson 2: Privilege Management

Lesson Review

  1. Which of the following statements about users and groups is true?

    1. A user can only be a member of one group.

    2. A user's effective permissions can be inherited from multiple groups.

    3. Creating groups enables the network administrator to create fewer user accounts.

    4. Groups cannot have conflicting privileges.

    b

  2. How does centralized administration reduce the workload of the network administrator?

    1. By reducing the number of resources to which users have to be granted privileges.

    2. By reducing the number of groups that need to be created.

    3. By reducing the number of users accounts that need to be created.

    4. By reducing the number of privileges that have to be granted to each user.

    c

  3. When you grant a user account the minimal required permission, what rule are you applying?

    Rule of least privilege.

Lesson 3: Removable Media

Exercise: Identifying Removable Storage Media Types

Match the removable storage media in the left column with the appropriate description in the right column.

  1. Flashcards

  2. Magnetic tape

  3. Smart cards

  4. CD-R

  5. Floppy disks

  1. Typically contains encrypted data used to authenticate a user's identity

  2. Can only be erased by physical destruction

  3. No longer used for backups and data archiving, due to low capacity

  4. New storage technologies using very small form factors

  5. Traditional medium used for backups

1-d; 2-e; 3-a; 4-b; 5-c

Lesson Review

  1. Which of the following magnetic tape formats has the greatest storage capacity?

    1. DAT

    2. LTO

    3. DLT

    4. QIC

    b

  2. What is the term used to describe a hard disk that you can remove from the computer without shutting the system down?

    Hot pluggable.

  3. Which of the following removable media is typically used to carry users' digital certificates?

    1. Flashcards

    2. Smart cards

    3. CD-Rs

    4. Floppy disks

    b

Lesson 4: Protecting Business Continuity

Lesson Review

  1. Name a hardware technology that enables a computer to continue operating despite the failure of a hard disk.

    Redundant array of independent disks (RAID).

  2. Utilities such as electric power are typically not included as part of a business continuity plan because their reliability rate is so high. (True or False?)

    False. Utilities should be included in a business continuity plan if a business absolutely requires them to operate.

  3. Which of the following statements is true about a business continuity management (BCM) effort?

    1. BCM is a company process that must involve all departments and all levels.

    2. BCM is an IT consideration that is devoted to keeping the company's computer network operational in the event of a disaster.

    3. Each department manager in a company should create an individual business continuity plan for that department.

    4. BCM is a government project that dictates preparatory requirements to individual businesses.

    a

Chapter 10: Organizational Security

Lesson 1: Documentation

Exercise: Policy Purposes

Match the policy descriptions in the left column with the appropriate policy in the right column.

  1. More people involved in a process reduce the likelihood that one of them will do something inappropriate.

  2. International security standard.

  3. Guidelines regarding organization's member privileges to information assets.

  4. Defines responsibilities and capabilities of information auditors.

  5. Describes hours of operation.

  6. Describes the type of network traffic that is allowed into or out of the organization.

  7. Policy explaining that employees can be held accountable for negligent actions such as transmitting patient medical records in cleartext instead of an encrypted format.

  1. Firewall policy

  2. Accountability policy

  3. Common Criteria

  4. Separation of duties

  5. Access policy

  6. Availability statement

  7. Due care

1-d; 2-c; 3-e; 4-b; 5-f; 6-a; 7-e

Lesson Review

  1. List requirements you might find in a password policy.

    Requirements for password length, complexity, expiration, uniqueness, lockout threshold, and lockout duration.

  2. What items might be included in a privacy policy?

    The policy might include information concerning protections for customer, client, and employee data. Descriptions concerning the type of information that can be audited and monitored, such as e-mail and visited Web sites, can also be part of this policy. The policy can be used to inform employees that they are being watched, so that they do not expect complete privacy at work.

  3. What type of policy would typically prohibit playing of computer games on organizational computers?

    Acceptable use policy.

  4. What is a computer security incident?

    An actual, suspected, or attempted compromise of any IT system.

  5. If you sign an agreement with another company to host an e-commerce solution for your organization, the company you signed with is a what?

    Application service provider.

Lesson 2: Risk Assessment

Lesson Review

  1. What is the formula for calculating risk?

    Threat × Vulnerability × Impact = Risk

  2. Who is normally responsible for assigning value to assets?

    Accountants.

  3. List some resources for collecting technology threat statistics.

    CERT (http://www.cert.org), ICAT (http://icat.nist.gov), Security Statistics (http://www.securitystats.com).

  4. What is the purpose of an impact assessment?

    Establish how costly an exploited vulnerability might be for the organization.

  5. What is a vulnerability assessment?

    A determination of how susceptible the organization or asset is to a threat.

Lesson 3: Security Education

Exercise: Stages and Delivery Types

Match the numbered security education program stages in the left column to the appropriate lettered delivery types in the right column.

  1. Awareness

  2. Training

  3. Education

  1. Research projects

  2. Demonstrations

  3. Logon banners

  4. Discussions

  5. Hands-on activities

1-c; 2-b, e; 3-a, d

Lesson Review

  1. Which stage of the security education program is mostly marketing?

    Awareness.

  2. At which stage of the security education program are individuals most likely to be self-motivated?

    Education.

  3. Security training is most effective when it is __________________?

    Hands-on and related to the person's job.

Chapter 11: Incident Detection and Response

Lesson 1: Attacks and Malicious Code

Exercise: Attacks and Scans

Match the types of attacks or scans in the left column with the appropriate descriptions in the right column.

  1. Ping sweep

  2. SYN flood

  3. Fraggle

  4. POD

  5. XMAS

  6. Smurf

  7. Teardrop

  8. Connect

  9. Half-open

  1. ICMP attack that involves spoofing and flooding

  2. UDP attack that involves spoofing and flooding

  3. ICMP echo reply scan

  4. Scan that completes the TCP handshake

  5. Scan that leaves off the final ACK

  6. DoS or DDoS attack that leaves open TCP ports

  7. Scan that passes multiple TCP flags

  8. Attack with oversized ICMP echo reply packets

  9. Attack with IP fragments that cannot be reassembled

1-c; 2-f; 3-b; 4-h; 5-g; 6-a; 7-i; 8-d; 9-e
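Each pattern in this exercise leaves a recognisable trace on the wire, which is what an IDS or a firewall log review keys on. The Python below is an added example, not material from the training kit: it runs a small classifier over constructed packet summaries (invented records, not captures) and reports which pattern each source matches. The thresholds (three probed hosts or ports), the broadcast heuristic (an address ending in .255) and all addresses are assumptions made for the example.

```python
"""Classify constructed packet summaries into the scan and attack types named
in the exercise. Added illustration: the records are invented, not captures,
and the heuristics (broadcast = address ending in .255, three probed ports or
hosts = a scan) are simplifications chosen for the example."""
from collections import defaultdict

# Record layout: (proto, src, dst, sport, dport, tcp_flags, ip_length).
# "icmp" records stand for ICMP echo requests; ports are None for ICMP.


def handshake(client, server, port, final):
    """Three constructed packets: SYN, SYN/ACK back, then the client's final flag."""
    cport = 40000 + port
    return [
        ("tcp", client, server, cport, port, {"SYN"}, 60),
        ("tcp", server, client, port, cport, {"SYN", "ACK"}, 60),
        ("tcp", client, server, cport, port, {final}, 60),
    ]


SAMPLE = (
    # Ping sweep: one host sends echo requests to three neighbours.
    [("icmp", "10.0.0.9", f"10.0.0.{i}", None, None, set(), 84) for i in (1, 2, 3)]
    # XMAS: FIN, PSH and URG set at once, a combination no normal stack sends.
    + [("tcp", "10.0.0.7", "10.0.0.5", 40022, 22, {"FIN", "PSH", "URG"}, 60)]
    # Half-open scan: SYN, SYN/ACK, then RST instead of the final ACK, on three ports.
    + handshake("10.0.0.8", "10.0.0.5", 22, "RST")
    + handshake("10.0.0.8", "10.0.0.5", 80, "RST")
    + handshake("10.0.0.8", "10.0.0.5", 443, "RST")
    # Connect scan: the handshake is completed on three ports.
    + handshake("10.0.0.6", "10.0.0.5", 21, "ACK")
    + handshake("10.0.0.6", "10.0.0.5", 25, "ACK")
    + handshake("10.0.0.6", "10.0.0.5", 110, "ACK")
    # Ping of death: an echo request whose reassembled length exceeds 65535 bytes.
    + [("icmp", "10.0.0.4", "10.0.0.5", None, None, set(), 65600)]
    # Smurf and Fraggle: echo traffic to a directed broadcast, source spoofed to the victim.
    + [("icmp", "10.0.0.5", "10.0.1.255", None, None, set(), 84),
       ("udp", "10.0.0.5", "10.0.1.255", 4000, 7, set(), 60)]
)


def classify(records, threshold=3):
    """Return a set of (label, source) findings. For Smurf and Fraggle the
    'source' is the spoofed address, i.e. the intended victim, not the sender."""
    findings = set()
    echo_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    flows = defaultdict(list)         # (client, server, port) -> flag sequence
    for proto, src, dst, sport, dport, flags, length in records:
        if proto == "icmp":
            if length > 65535:
                findings.add(("POD", src))
            elif dst.endswith(".255"):
                findings.add(("Smurf", src))
            else:
                echo_targets[src].add(dst)
        elif proto == "udp" and dport == 7 and dst.endswith(".255"):
            findings.add(("Fraggle", src))
        elif proto == "tcp":
            if {"FIN", "PSH", "URG"} <= flags:
                findings.add(("XMAS", src))
            elif flags == {"SYN"}:
                flows[(src, dst, dport)].append("SYN")
            elif flags == {"SYN", "ACK"}:
                flows[(dst, src, sport)].append("SYN/ACK")  # reply: key on the client side
            elif flags == {"ACK"}:
                flows[(src, dst, dport)].append("ACK")
            elif "RST" in flags:
                flows[(src, dst, dport)].append("RST")
    for src, hosts in echo_targets.items():
        if len(hosts) >= threshold:
            findings.add(("Ping sweep", src))
    completed, half_open = defaultdict(set), defaultdict(set)
    for (client, server, port), seq in flows.items():
        if seq[:3] == ["SYN", "SYN/ACK", "ACK"]:
            completed[(client, server)].add(port)
        elif seq[:3] == ["SYN", "SYN/ACK", "RST"]:
            half_open[(client, server)].add(port)
    for (client, _), ports in completed.items():
        if len(ports) >= threshold:
            findings.add(("Connect scan", client))
    for (client, _), ports in half_open.items():
        if len(ports) >= threshold:
            findings.add(("Half-open scan", client))
    return findings


if __name__ == "__main__":
    for label, source in sorted(classify(SAMPLE)):
        print(f"{label:15} {source}")
```

A single completed handshake is ordinary traffic, so the connect and half-open labels only fire once several ports on one server have been probed from the same client; the XMAS flag combination, by contrast, is flagged on sight because no legitimate stack emits it.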

Lesson Review

  1. What are some ways you can combat DoS attacks?

    Configure routers for appropriate ingress and egress filtering and to deny IP-directed broadcasts. Apply all software patches to hosts to protect your IP stack. Coordinate with your ISP to stop or reduce DoS attacks that involve systems outside your organization.

  2. How can LSRR be used to avoid security devices?

    Attackers can configure LSRR on client packets to route packets around security devices. To protect your systems from this, configure routers to discard packets that specify LSRRs, if possible.

  3. What can attackers use replay attacks to compromise?

    Attackers can use replay attacks to compromise passwords, encryption keys, authentication, VPNs, and sessions.

  4. What type of attacks can be waged against encryption keys and secure hashes?

    Replay attacks and mathematical or brute force attacks (birthday attacks).

  5. What type of sessions can be hijacked?

    Potentially any session, but the ones discussed in this lesson are TCP, terminal connections, and wireless connections.

Lesson 2: Intrusion Detection Systems

Exercise: IDS Staged Deployment Steps

Place the following staged IDS deployment steps in the appropriate order:

  1. Deploy a HIDS to critical hosts

  2. Fully deploy a HIDS

  3. Fully deploy a NIDS

  4. Partially deploy a NIDS

d, c, a, b

Lesson Review

  1. What are the main differences between NIDS's, SIVs, and LFMs?

    Network intrusion detection systems (NIDS's) monitor and analyze network traffic for intrusions. System integrity verifiers (SIVs) monitor single systems for changes to files and file structures. Log file monitors (LFMs) monitor log files for intrusions.

  2. What are the benefits of NIDS's?

    NIDS's increase overall security. They can protect multiple systems, allow monitoring inside the firewall, and alert you to incoming attacks. These systems also detect slow attacks. NIDS's can take corrective action and they have a low impact on network traffic.

  3. What are some problems with NIDS's?

    They have system limitations that might prevent them from collecting and analyzing every event. They only collect the traffic that passes by, so you need to consider how switches and VLANs affect their ability to perform. NIDS's cannot usually decrypt packets for analysis and they cannot typically determine attack success. In addition, they can generate false positives.

  4. What are some ways that attackers try to avoid detection?

    There are specific attacks used against IDS systems, such as sending an overabundance of attack signatures. Setting off multiple IDS alarms might give an attacker enough time to bypass the IDS with an undetected attack. Some attackers use fragmentation to disguise the true intention of their packets traversing the network. Others use encryption to obfuscate communications. Further, some attackers might attempt to route packets around the NIDS with LSRR (as described in the previous lesson).

  5. What benefits do HIDS's and application-based IDS's have over NIDS's?

    They are not limited by encryption, so they see packets or information before encryption and after decryption. They are closer to the target, which means they can collect more accurate information. They help to detect software integrity breaches, file modifications, Trojan horse software, and other effects of attacks. VPNs don't affect the function of HIDS's either.

Lesson 3: Incident Response

Exercise: Incident Response Priority

Organize the following incident response actions into an appropriate priority:

  1. Minimize the effect of the attack on the organization's business activities

  2. Protect all other data

  3. Protect classified and sensitive data

  4. Protect hardware and software

  5. Protect human life and prevent people from being injured

e, c, b, d, a

Lesson Review

  1. What should you do when organizing a CSIRT?

    Decide whether you should formalize a team or create an ad hoc team as necessary. If you establish a formal team, contact FIRST to identify your team and establish a reporting chain. Ensure your team reviews RFC 2350, CERT's CSIRT FAQ, NIST's SP 800-3, and "Electronic Crime Scene Investigation: A Guide for First Responders."

  2. What are the main points you should keep in mind when performing computer forensics?

    Change as little as possible, examine the system from a backup or image if possible instead of using the actual system, document and preserve all evidence, and maintain documented chain of custody.

  3. Why is unplugging a compromised system from the network usually a prudent action?

    An attacker or malicious code could cause more damage if a compromised system is left plugged into the network. This could leave the organization and responsible people liable for damages.


Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002
Pages: 55