Chapter 11 - Network Security Flashcards

(57 cards)

1
Q

The number of security incidents is growing by about ________ per year.

A

30%

2
Q

What are the three main reasons why there has been an increase in computer security over the past few years?

A

1) Hacking into a computer used to be considered a hobby, whereas it is now a profession.

2) hacktivism has become more common

3) increase in mobile devices

3
Q

_____________ are hardware, rules, or procedures that reduce or eliminate the threats to network security. They prevent, detect, and/or correct whatever might happen to the organization because of threats facing its computer-based systems.

A

Controls

4
Q

_______________ mitigate or stop a person from acting or an event from occurring. Some examples are a password, a guard, or a security lock on a door.

A

Preventive controls

5
Q

_______________ reveal or discover unwanted events.

A

Detective controls

6
Q

___________________ remedy an unwanted event or intrusion.

A

Corrective controls

7
Q

What are the three risk assessment frameworks that are most commonly used?

A

1) Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team

2) Control Objectives for Information and Related Technology (COBIT) from the Information Systems Audit and Control Association

3) Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards and Technology

8
Q

What are the five common steps across the risk assessment frameworks?

A

1) Develop risk measurement criteria

2) Inventory IT assets

3) Identify threats

4) Document existing controls

5) Identify improvements

9
Q

What are the five most common impact areas in a risk assessment?

A

1) financial (revenues and expenses)

2) productivity (business operations)

3) reputation (customer perceptions)

4) safety (the health of customers and employees)

5) legal (potential for fines and litigation)

10
Q

A ____________________ is an information system that is critical to the survival of the organization. It is an application that cannot be permitted to fail, and if it does fail, the network staff drops everything else to fix it.

A

mission-critical application

11
Q

What question should be asked to rank the importance of assets?

A

What would happen if this information asset’s confidentiality, integrity, or accessibility were compromised?

12
Q

How does one calculate an impact score?

A

By multiplying the priority of each area by the impact the threat would have, using a 1 for a low value, a 2 for a medium value, and a 3 for a high value, and summing all the results.

13
Q

How does one calculate the relative risk score?

A

By multiplying the impact score by the likelihood (using 1 for low likelihood, 2 for medium likelihood, and 3 for high likelihood).

14
Q

A ________________ is the way an organization intends to address a risk.

A

risk control strategy

15
Q

__________________ involves implementation of some type of a control to counter the threat or to minimize the impact. An organization can implement several types of controls, such as using antivirus software, implementing state-of-the-art firewalls, or providing security training for employees.

A

Risk mitigation

16
Q

_________________ is configuring the main router that connects your network to the Internet (or firewall) to verify that the source address of all incoming messages is in a valid address range for that connection.

A

Traffic filtering

17
Q

_________________ is configuring the main router (or firewall) to limit the number of incoming packets that could be DoS/DDoS attack packets that it allows to enter the network, regardless of their source.

A

Traffic limiting

18
Q

A _____________________ is a device that monitors normal traffic patterns and learns what normal traffic looks like.

A

traffic anomaly detector

19
Q

The best way to prevent a failure from impacting business continuity is to build _____________ into the network.

A

redundancy

20
Q

Most organizations build redundancy into their ______________ and their _______________ but are very careful in choosing which distribution backbones (i.e., building backbones) and access layer LANs will have redundancy.

A

core backbone, Internet connections

21
Q

________________________ is a storage technology that, as the name suggests, is made of many separate disk drives. When a file is written to this device, it is written across several separate, redundant disks.

A

Redundant array of independent disks (RAID)

22
Q

A critical element in correcting problems from a disaster is the __________________, which should address various levels of response to a number of possible disasters and should provide for partial or complete recovery of all data, application software, network components, and physical facilities.

A

disaster recovery plan

23
Q

With __________, copies of all data and transactions on selected servers are written to servers as the transaction occurs. This is more flexible than traditional backups that take snapshots of data at specific times or than disk mirroring, which duplicates the contents of a disk from second to second. This enables data to be stored miles from the originating server and time-stamps all transactions to enable organizations to restore data to any specific point in time.

A

Continuous data protection (CDP)

24
Q

What are the four types of intruders?

A

1) Novice attackers who use hacking tools (script kiddies)

2) hackers/crackers: experts in security, but their motivation is the thrill of the hunt

3) professional hackers

4) organization employees who have legitimate access to the network but who gain access to information they are not authorized to use.

25
In the late 1990s, the DoD noticed a small but growing set of intentional attacks that they classified as exercises, exploratory attacks designed to test the effectiveness of certain software attack weapons. Therefore, they established an ___________________ and a new organization responsible for coordinating the defense of military networks under the U.S. Space Command.
information warfare program
26
What are the most common access points for intrusion into networks?
1) Internet connection (70%)
2) LANs and WLANs (30%)
27
_______________ are more likely to intrude via the Internet connection, whereas _________________ are most likely to use the LAN or WLAN.
External intruders, internal intruders
28
A _____________________ examines the source and destination address of every network packet that passes through it. It only allows packets into or out of the organization’s networks that have acceptable source and destination addresses.
packet-level firewall
29
The set of rules for the packet-level firewall so it knows what packets to permit into the network and what packets to deny entry is called a(n):
access control list (ACL)
30
A(n) _______________ is more expensive and more complicated to install and manage because it examines the contents of the application-level packet and searches for known attacks.
application-layer firewall
31
____________________ is the process of converting between one set of public IP addresses that are viewable from the Internet and a second set of private IP addresses that are hidden from people outside of the organization.
Network address translation (NAT)
32
The ___________________ uses an address table to translate the private IP addresses used inside the organization into proxy IP addresses used on the Internet. When a computer inside the organization accesses a computer on the Internet, the firewall changes the source IP address in the outgoing IP packet to its own address.
NAT firewall
33
The _____________________ is a physical or logical subnetwork that exposes an organization’s external-facing servers (such as Web Server, DNS Server, Mail Server) to the Internet.
DMZ (demilitarized zone)
34
Wireless LANs are the easiest target for _________________ because they often reach beyond the physical walls of the organization.
eavesdropping
35
Attacks that take advantage of a newly discovered security hole before a patch is developed are called __________________.
zero-day attacks
36
The American government requires certain levels of security in the operating systems and network operating systems it uses for certain applications. The minimum level of security is:
C2
37
Spyware, adware, and DDoS agents are three types of ______________.
Trojans
38
One of the best ways to prevent intrusion is ____________, which is a means of disguising information by the use of mathematical rules known as cryptography.
encryption
39
_______________ is the process of disguising information, whereas _____________ is the process of restoring it to readable form.
Encryption, decryption
40
When information is in readable form, it is called _____________; when in encrypted form, it is called ______________.
plaintext, ciphertext
41
With ____________________, the key used to encrypt a message is the same as the one used to decrypt it. With ___________________, the key used to decrypt a message is different from the key used to encrypt it.
symmetric encryption, asymmetric encryption
42
Symmetric encryption (also called single-key encryption) has two parts:
the algorithm and the key
43
One commonly used symmetric encryption technique is the _____________________, which was developed in the mid-1970s by the U.S. government in conjunction with IBM.
Data Encryption Standard (DES)
44
The NIST’s new standard, called _______________________, has replaced DES. It has key sizes of 128, 192, and 256 bits. NIST estimates that using the most advanced computers and techniques available today, it will require about 150 trillion years to crack AES by brute force.
Advanced Encryption Standard (AES)
45
_____________ can use a key up to 256 bits long but most commonly uses a 40-bit key. It is faster to use than DES but suffers from the same problems from brute-force attacks: Its 40-bit key can be broken by a determined attacker in a day or two.
RC4
46
Because public key encryption is asymmetric, there are two keys. One key (called the _____________) is used to encrypt the message and a second, very different _______________ is used to decrypt the message.
public key, private key
47
Explain asymmetric encryption or public key encryption:
Each user has its public key that is used to encrypt messages sent to it. These public keys are widely publicized (e.g., listed in a telephone-book-style directory)—that’s why they’re called “public” keys. In addition, each user has a private key that decrypts only the messages that were encrypted by its public key. This private key is kept secret (that’s why it’s called the “private” key). The net result is that if two parties wish to communicate with each other, there is no need to exchange keys beforehand. Each knows the other’s public key from the listing in a public directory and can communicate encrypted information immediately. The key management problem is reduced to the on-site protection of the private key.
48
The ________________ is a set of hardware, software, organizations, and policies designed to make public key encryption work on the Internet.
PKI
49
A ___________________ is a trusted organization that can vouch for the authenticity of the person or organization using authentication (e.g., VeriSign).
certificate authority (CA)
50
_______________________ is a freeware public key encryption package developed by Philip Zimmermann that is often used to encrypt email.
Pretty Good Privacy (PGP)
51
______________________ is an encryption protocol widely used on the Web. It operates between the application-layer software and the transport layer (in what the OSI model calls the presentation layer).
Secure Sockets Layer (SSL)
52
_________________ sits between IP at the network layer and TCP/UDP at the transport layer.
Internet Security Protocol (IPSec)
53
More and more organizations are adopting _________________ (also called network authentication, single sign-on, or directory services), in which a log-in server is used to authenticate the user. Instead of logging into a file server or application server, the user logs into the authentication server.
central authentication
54
The most commonly used authentication protocol is ____________________.
Kerberos
55
_________________________ are designed to detect an intrusion and take action to stop it.
Intrusion prevention systems (IPSs).
56
What are the two types of IPSs?
1) Network-based IPS: An IPS sensor is placed on key network circuits. An IPS sensor is simply a device running a special operating system that monitors all network packets on that circuit and reports intrusions to an IPS management console.
2) Host-based IPS: A software package installed on a host or server. The host-based IPS monitors activity on the server and reports intrusions to the IPS management console.
57
What are the two fundamental techniques that IPSs use to detect an intrusion?
1) misuse detection, which compares monitored activities with signatures of known attacks. Whenever an attack signature is recognized, the IPS issues an alert and discards the suspicious packets.
2) anomaly detection, which works well in stable networks by comparing monitored activities with the “normal” set of activities. When a major deviation is detected (e.g., a sudden flood of ICMP ping packets, an unusual number of failed log-ins to the network manager’s account), the IPS issues an alert and discards the suspicious packets.