Security Flashcards

Question

MAC Spoofing

Answer 1

MAC spoofing occurs when an attacking device spoofs the MAC address of a valid host currently in the MAC address table of the switch. The switch then forwards frames destined for that valid host to the attacking device. This can be used to bypass: • A wireless AP with MAC filtering on a wireless network • Router ACLs • 802.1x port-based security

Answer 2

``` ARP spoofing (also known as ARP poisoning) uses spoofed ARP messages to associate a different MAC address with an IP address. ARP spoofing can be used to perform a man-in-the-middle attack as follows: 1. When an ARP request is sent by a client for the MAC address of a device, such as the default gateway router, the attacker's system responds to the ARP request with its own MAC address. 2. The client receives the spoofed ARP response and uses that MAC address when communicating with the destination host. For example, packets sent to the default gateway are sent instead to the attacker. 3. The attacker receives all traffic sent to the destination host. The attacker can then forward these packets on to the correct destination using its own MAC address as the source address. ARP spoofing can also be used to perform Denial of Service (DoS) attacks by redirecting communications to fake or nonexistent MAC addresses. ```

Answer 3

* Firewall and router filters to prevent spoofed packets from crossing into or out of your private secured network. Filters will drop any packet suspected of being spoofed. * Certificates to prove identity * Reverse DNS lookup to verify the source email address * SecureDNS to identify emails with malicious domains. SecureDNS will redirect the user to a safe landing page or send the bad traffic to a sinkhole. * Encrypted communication protocols, such as IPsec * Ingress and egress filters to examine packets and identify spoofed packets. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. Any packet suspected of being spoofed on its way into or out of your network will be dropped.

Answer 4

A virtual private network (VPN) is a type of network that uses encryption to allow IP traffic to travel securely over the TCP/IP network. A VPN is used primarily to support secure communications over an untrusted network. • VPNs work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet. • Tunnel endpoints are devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two tunnel endpoints. The endpoints create a secure, virtual communication channel. Only the destination tunnel endpoint can unwrap packets and decrypt the packet contents. • Routers use the unencrypted packet headers to deliver the packet to the destination device. Intermediate routers along the path cannot read the encrypted packet contents. • A VPN can be used over a local area network, across a WAN connection, over the internet, and even over a dial-up connection. Ports must be open in firewalls to allow VPN protocols. For this reason, using SSL for the VPN often works through firewalls when other solutions do not. Additionally, some NAT solutions do not work well with VPN connections.

Answer 5

• VPNs can be implemented in the following ways: o With a host-to-host VPN, two hosts establish a secure channel and communicate directly. With this configuration, both devices must be capable of creating the VPN connection. o With a site-to-site VPN, routers on the edge of each site establish a VPN with the router at the other location. Data from hosts within the site are encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN. o With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts in a client-to-site configuration. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.

Answer 6

PPTP was developed by Microsoft as one of the first VPN protocols. PPTP: • Uses standard authentication protocols, such as CHAP and PAP • Supports TCP/IP only • Is supported by most operating systems and servers • Uses TCP port 1723

Answer 7

L2TP is an open standard for secure multiprotocol routing. L2TP: • Supports multiple protocols (not just IP) • Uses IPsec for encryption • Is not supported by older operating systems • Uses TCP port 1701 and UDP port 500

Answer 8

IPsec provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec includes the following three protocols for authentication, data encryption, and connection negotiation: • Authentication Header (AH) enables authentication with IPsec. • Encapsulating Security Payload (ESP) provides data encryption. • Internet Key Exchange (IKE) negotiates the connection. IPsec can be used to secure the following types of communications: • Host-to-host communications within a LAN • VPN communications through the internet, either by itself or in conjunction with the L2TP VPN protocol • Any traffic supported by the IP protocol, including web, email, Telnet, file transfer, SNMP traffic, as well as countless others IPsec uses either digital certificates or pre-shared keys

Answer 9

The SSL protocol has long been used to secure traffic generated by IP protocols such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote access scenario. SSL: • Authenticates the server to the client using public key cryptography and digital certificates • Encrypts the entire communication session • Uses port 443, which is already open on most firewalls Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's SSL VPN.

Answer 10

GRE is a tunneling protocol that was developed by Cisco. GRE can be used to route any Layer 3 protocol across an IP network. GRE: • Creates a tunnel between two routers. • Encapsulates packets by adding a GRE header and a new IP header to the original packet. • Does not offer any type of encryption. • Can be paired with other protocols, such as IPsec or PPTP, to create a secure VPN connection.

Answer 11

A proxy server is a device that stands as an intermediary between a host and the internet. A proxy server is a specific implementation of a firewall that uses filter rules to allow or deny internet traffic. With a proxy, every packet is stopped and inspected, which causes a break between the client and the server on the internet.

Answer 12

* Control internet access based on user account and time of day. * Prevent users from accessing certain websites. For example, proxy servers used in schools or at home protect children from viewing inappropriate sites. * Restrict users from using certain protocols. For example, a proxy server at work might prevent instant messaging, online games, or streaming media. * Cache heavily accessed web content to improve performance.

Answer 13

* Configure a proxy server as a firewall device between the private network and the internet to control internet access based on user account. * You can use a third-party service that uses proxy servers at your ISP or on the internet for content filtering. * When using a proxy server, all traffic must be sent to the proxy server first before being forwarded to the destination device. This redirection is typically done by configuring the client to use the proxy server. * Content filtering solutions reconfigure the client such that the redirection is done automatically and cannot be bypassed. * Internet Explorer automatically detects and uses a proxy server if one is on the network. If the proxy server is not detected, use Internet Options to identify the proxy server IP address and port number.

Answer 14

``` Network appliances are devices that are dedicated to providing certain network services. Common network appliances include: • Switches • Wireless access points • Routers • Firewalls • Security threat management devices ```

Answer 15

These devices are unlike common network hosts in that they don't typically provide monitor, keyboard, or mouse connections. Instead, they are designed to be plugged directly into the network and then managed using a web-based interface from the system administrator's workstation.

Answer 16

* An endpoint management server to keep track of various devices, while ensuring their software is secure * A network switch to provide internal network connectivity between hosts * A router to connect network segments together * An ISP interface for connecting the local network to the internet * A firewall to filter network traffic * A syslog server to store event messages * A spam filter to block unwanted emails * A web content filter to prevent employees from visiting inappropriate websites * A malware inspection engine to prevent malware from entering the network * An intrusion detection system (IDS) or intrusion prevention system (IPS) to detect hackers trying to break into systems on the network

Answer 17

* All-in-one appliances perform many tasks adequately. However, they usually can't perform any one task extremely well. If high-performance is a concern, then using dedicated appliances might be more appropriate. * All-in-one devices create a single point of failure. Because so many services are hosted by a single device, then all of the services are affected if that device goes down. * All-in-one devices create a single attack vector that can be exploited by an attacker. Compromising the single device could potentially expose many aspects of the network.

Answer 18

a network gateway defense solution for organizations. UTM is the evolution of the traditional firewall into an all-in-one device that can perform multiple security functions within one single system.

Answer 19

A firewall is a device or software running on a device that inspects network traffic and allows or blocks traffic based on a set of rules

Answer 20

• A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the internet to protect against attacks from internet hosts. A network firewall is created using two (or more) interfaces on a network device: one interface connects to the private network, and the other interface connects to the external network. • A host-based firewall inspects traffic received by a specific host. A best practice is to implement both types of firewalls.

Answer 21

* The interface the rule applies to * The direction of traffic (inbound or outbound) * Packet information such as the source or destination IP address or port number * The action to take when the traffic matches the filter criteria

Answer 22

* By default, the firewall allows all outgoing web traffic and responses but blocks all other traffic. * You can configure exceptions to allow specific types of traffic through the firewall. * When you turn on the firewall, you can block all incoming connections or allow exceptions. If all incoming connections are blocked, any defined exceptions are ignored.

Answer 23

Program: Configuring an exception for a program automatically opens the ports required by the application only while the application is running. Be aware of the following: o You can select from a list of known applications or browse to and select an unlisted application. o You do not need to know the port number used; the firewall automatically identifies the ports used by the application when it starts. o After the application is stopped, the required ports are closed. Port: Configuring an exception for a specific port and protocol (either TCP or UDP) keeps that port open all the time. Be aware of the following: o You must know both the port number and the protocol. o Some services require multiple open ports, so you must identify all necessary ports and open them. o Ports stay open until you remove the exception.

Answer 24

• Most SOHO routers and access points include a firewall to protect your private network. • By default, most SOHO routers allow all traffic initiated on the private network to pass through the firewall. Responses to those outbound requests are typically also allowed. For example, a user browsing a website will receive the web pages back from the internet server. • All traffic initiating from the external network is blocked by default. • You can configure individual exceptions to allow or deny specific types of traffic. A best practice is to block all ports, then open only the necessary ports. • Some firewalls support port triggering, which allows the firewall to dynamically open incoming ports based on outgoing traffic from a specific private IP address and port. o On the firewall you identify a private IP address and port, then associate one or more public ports. o When the router sees traffic sent from the private network from that host and port number, the corresponding incoming ports are opened. o The incoming ports remain open as long as the outgoing ports show activity. When the outgoing traffic stops for a period of time, the incoming ports are automatically closed. o Use port triggering to open incoming ports required for specific applications (such as online games). • Some applications identify incoming ports dynamically once a session is established with the destination device. The ports that the application might use are typically within a certain range. o For some applications, you can configure the application to use a specific port instead of a dynamic port. You can then open only that port in the firewall. o If you are unable to configure the application, you will need to open the entire range of possible ports in the firewall. o Use port triggering to dynamically open the ports when the application runs instead of permanently opening all required ports. • Configure port forwarding to allow incoming traffic directed to a specific port to be allowed through the firewall and sent to a specific device on the private network. o Inbound requests are directed to the public IP address on the router to the port number used by the service (such as port 80 for a Web server). The port number is often called the public port. o Port forwarding associates the inbound port number with the IP address and port of a host on the private network. This port number is often called the private port. o Incoming traffic sent to the public port is redirected to the private port.

Answer 25

20 TCP | 21 TCP

Answer 26

22 TCP and UDP

Answer 27

137 TCP 138 TCP 139 TCP

Answer 28

143 TCP and UDP

Answer 29

443 TCP and UDP

Answer 30

427 TCP and UDP

Answer 31

BitLocker protects against unauthorized data access on lost or stolen laptops and on other compromised systems. • BitLocker encrypts the entire contents of the operating system partition, including operating system files, swap files, hibernation files, and all user files. A special BitLocker key is required to access the contents of the encrypted volume. • BitLocker uses integrity checking early in the boot process to ensure that the drive contents have not been altered and that the drive is in the original computer. If any problems are found, the system will not boot and the drive contents remain encrypted. The integrity check prevents hackers from moving the hard disk to another system in order to try to gain access to its contents. • BitLocker requires data to be decrypted before it can be used, which reduces disk I/O throughput. • BitLocker is available only on Ultimate and Enterprise editions of Windows. • In Windows 8 and later, you can choose to encrypt the entire volume or just the used space on the volume.

Answer 32

BitLocker partition; Trusted Platform Module (TPM); Non-TPM Security

Answer 33

Implementing BitLocker requires two NTFS partitions: • The system partition is a 100 MB volume that contains the boot files. This partition is set to active, and is not encrypted by the BitLocker process. • The operating system partition must be large enough for the operating system files. This partition is encrypted by BitLocker. Be aware of the following: • A new Windows installation creates both partitions prior to the installation of the operating system files. • For operating systems already installed on a single partition, you may need to resize the existing partition and create the system partition required by BitLocker.

Answer 34

A Trusted Platform Module (TPM) is a special hardware chip included on the computer motherboard that contains software in firmware that generates and stores cryptographic keys. The TPM chip must be enabled in the BIOS/UEFI. The TPM chip stores the BitLocker key that is used to unlock the disk partitions and stores information about the system to verify the integrity of the system hardware. The TPM ensures system integrity as follows: 1. The TPM examines the startup components present on the unencrypted partition. 2. Based on the hardware and system components, a system identifier is generated and saved in the TPM. 3. At startup, components are examined and a new system identifier is generated. 4. The new identifier is compared to the saved identifier. If the identifiers match, the system is allowed to boot.

Answer 35

You have the following options for implementing Bitlocker on systems without a TPM chip: • You can save the BitLocker key on a USB device. The USB device is inserted before starting the computer and provides authentication before the operating system drive is decrypted. The BIOS must support reading USB devices during startup. • Windows 8 and later allows you to configure an unlock password for the operating system drive. To use this feature, enable Configure Use Of Passwords For Operating System Drives policy in the Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives node of Computer Configuration. • Windows supports authentication using a smart card certificate. The smart card certificate is stored on a USB device and is used similarly to the BitLocker key on a USB device.

Answer 36

* BitLocker encrypts the entire volume. EFS encrypts individual files. * BitLocker encrypts the volume for use on the computer, regardless of the user. Any user who has the PIN or startup key and who can successfully log on can access a BitLocker volume. With EFS, only the user who encrypted the file can access the file unless access has been granted to other users. * BitLocker protects files against offline access only. If the computer boots successfully, any authorized user who can log on can access the volume and its data. EFS protects against offline access as well as online access for unauthorized users. EFS does not provide online protection if an authorized user's credentials are compromised.

Answer 37

Encryption is the process of scrambling data to make it unreadable except to those who have the required key to unlock the obscured data.

Answer 38

File encryption encrypts individual files so that only the user who created the file can open it. • The Encrypting File Service (EFS) on Windows systems encrypts individual files. Windows automatically decrypts a file when the file owner accesses it. • With EFS, you can add other users who are also allowed to access the encrypted file. • EFS is available only on NTFS partitions. Moving an encrypted file to a non-NTFS partition removes the encryption. • Files remain encrypted and inaccessible even when the drive is moved to another computer or if another operating system is used. This is because the encryption keys needed to decrypt the file do not exist on these other systems. • Encryption cannot be used together with compression (you can use either, but not both).

Answer 39

Whole disk encryption encrypts the entire contents of a hard drive, protecting all files on the disk. • During system startup, a special key is required to unlock the hard disk. Without the key, data on the drive is inaccessible. Providing the key allows the system to decrypt files on the hard drive. • You cannot access the contents of an encrypted drive by moving it to another computer because the encryption keys needed to decrypt the data do not exist on the other computer system. • Most solutions provide for a backup recovery key that can be used to unlock the drive if the original key is lost. If both the encryption key and the recovery key are lost, data cannot be retrieved. • BitLocker is a Microsoft solution that provides whole disk encryption. BitLocker is supported on Ultimate or Enterprise editions of Windows. • You can implement BitLocker with or without a Trusted Platform Module (TPM). o When using BitLocker with a TPM, the key required to use the disk can be stored in the TPM. This means that the computer can boot without a prompt as long as the hard drive is in the original computer. o Without a TPM, the startup key must be stored on a USB drive. On Windows 10, you can also supply a password at system boot to unlock a BitLocker-encrypted drive. o When the startup key is saved in the TPM, you can require an additional PIN or startup key that must be used to start the system. • You can use BitLocker to encrypt removable storage devices (such as USB flash drives).

Answer 40

Data that is sent through a network can potentially be intercepted and read by an attacker. Use some form of encryption to protect data sent through a network. You should be aware of the following solutions to protect data communications. • A virtual private network (VPN) uses an encryption protocol to establish a secure communication channel between two hosts, or between one site and another site. Data that passes through the unsecured network is encrypted and protected. • IPsec, PPTP, and L2TP are common protocols used for establishing a VPN. • Secure Sockets Layer ((SSL) is a protocol that can be added to other protocols to provide security and encryption. For example, HTTPS uses SSL to secure Web transactions. • Use WPA, WPA2, or WEP to secure wireless communications, which are highly susceptible to eavesdropping (data interception). WEP, WPA Personal, and WPA2 Personal use a common shared key configured on the wireless access point and on all wireless clients. • When implementing network services, do not use protocols such as FTP or Telnet that pass logon credentials and data in clear text. Instead, use a secure alternative such as FTP-S or SSH.

Answer 41

Authentication is the process of submitting and checking credentials to validate or prove user identity. On a computer system, authentication typically occurs during logon where the user provides a username and password or some other form of credential (such as a smart card or a biometric scan). The system verifies the credentials, allowing access if the credentials are valid.

Answer 42

Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of something you know include: • Passwords, codes, or IDs • PINs • Passphrases (long, sentence-length passwords) • Cognitive information such as questions that only the user can answer, including: o Your mother's maiden name o The model or color of your first car o The city where you were born Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.

Answer 43

Something you have (also called token-based authentication) is authentication based on something a user has in their possession. Examples of something you have authentication controls are: • Swipe cards (similar to credit cards) with authentication information stored on the magnetic strip. • Smart cards with a memory chip containing encrypted authentication information. Smart cards can: o Require contact such as swiping, or they can be contactless. o Contain microprocessor chips with the ability to add, delete, and manipulate data on it. o Can store digital signatures, cryptography keys, and identification codes. o Use a private key for authentication to log a user into a network. The private key will be used to digitally sign messages. o Be based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.

Answer 44

Something you are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is generally considered to be the most secure form of authentication. Common attributes used for biometric systems are: • Fingerprints (end point and bifurcation pattern) • Hand topology (side view) or geometry (top down view) • Palm scans (pattern, including fingerprints) • Retina scans (blood vein pattern) • Iris scans (color) • Facial scans (pattern) • Voice recognition • Handwriting dynamics • Keyboard or keystroke dynamics (behavioral biometric systems) o Dwell time (key press time) o Flight time (how fingers move from key to key)

Answer 45

* Universality means that all individuals possess the attribute. * Uniqueness means that the attribute is different for each individual. * Permanence means that the attribute always exists and will not change over time. * Collectability ensures that the attribute can be measured easily. * Performance means that the attribute can be accurately and quickly collected. * Circumvention allows for acceptable substitutes for the attribute in case the original attribute is missing or can't be read. * Acceptability identifies the degree to which the technology is accepted by users and management.

Answer 46

A dictionary attack tries to guess a user's password using a list of words from a dictionary. Often symbols and upper and lower case characters are substituted inside the dictionary word. The dictionary attack frequently works because users tend to choose easy-to-guess passwords. A strong password policy is the best defense against dictionary attacks.

Answer 47

A hybrid attack adds appendages to known dictionary words. For example, 1password, password07, p@ssword1.

Answer 48

A brute force attack tries to identify a user's password by exhaustively working through all possibilities of all letter, number, and symbol combinations until the correct password is identified. Brute force attacks will always be successful if given enough time, yet they are frequently the most time consuming method of attack.

Answer 49

• Require that user passwords: o Contain multiple character types, including uppercase, lowercase, numbers, and symbols. o Are a minimum length of eight characters (longer is even better). o Do not contain any part of a username or email address. o Do not contain words found in the dictionary. • Require that user passwords be changed frequently (such as every 30 days). This is called password aging. Be aware that requiring overly complex passwords or changing them too frequently can cause users to circumvent security policies by writing down their passwords. • Retain password history to prevent re-use. • Implement multifactor authentication. • Audit computer systems for excessive failed logon attempts. • Implement account lockout to lock accounts when multiple incorrect passwords are used.

Answer 50

a type of software designed to take over or damage a computer, without the user's knowledge or approval

Answer 51

o The browser home page or default search page has changed. o Excessive pop-ups or strange messages are displayed. o Firewall alerts about programs trying to access the internet. o System errors about corrupt or missing files are displayed. o File extension associations have changed to open files with a different program. o There are files that disappear, are renamed, or are corrupt. o New icons appear on the desktop or taskbar, or new toolbars are displayed in the browser. o The firewall or antivirus software is turned off, or you can't run antivirus scans. o The system won't boot. o The system runs very slowly. o Unusual applications or services are running.

Answer 52

Remediation is the process of correcting any problems that are found. Most antivirus software remediates problems automatically or semi-automatically (i.e. you are prompted to identify the action to take)

Answer 53

Scheduled scanning checks computer files for malware. Windows Defender can run three different types of scans: • A Quick scan checks file system locations that are most likely to be infected by spyware. • A Full scan checks all files in the file system, the registry, all currently running applications, and other critical areas of the operating system. • A Custom scan checks only the locations you specify. Windows Defender performs a quick scan at 2 a.m. each day. You can also manually initiate a scan, if necessary. The results of the scan are shown in the Home tab in Windows Defender.

Answer 54

Windows Defender helps protect against slow performance and malware-caused security threats. Like most other anti-malware engines, Windows Defender uses definition files to identify harmful software.

Answer 55

Offline scanning causes the system to reboot and Windows Defender to run a scan in an offline state before returning to Windows. This allows some types of malware to be removed that normally can't be removed from a running system.

Answer 56

Real-time protection alerts you when spyware or potentially unwanted software attempts to install itself or run on your computer. It also alerts you when programs attempt to change important Windows settings. Real-time protection uses security agents to monitor specific system components and software.

Answer 57

Cloud-based protection provides real-time protection by sending Microsoft information about potential security threats discovered by Windows Defender. This feature requires automatic sample submission to be enabled.

Answer 58

Automatic sample submission allows Windows Defender to send information to Microsoft for use in analyzing and identifying new malware.

Answer 59

Malware (sometimes called malicious code) is a type of software designed to take over or damage a computer user's operating system, without the user's knowledge or approval. It can be very difficult to remove and it can cause considerable damage.

Answer 60

A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus has the following characteristics: • A virus requires a replication mechanism which is a file that it uses as a host. When the host file is distributed, the virus is also distributed. Viruses typically attach to files with execution capabilities such as .doc, .exe, and .bat extensions. Many viruses are distributed through email and are distributed to everyone in your address book. They can also be inadvertently downloaded from a malicious or compromised website. • The virus replicates only when an activation mechanism is triggered. For example, each time the infected file or program is executed, the virus is activated. • The virus is programmed with an objective, which is usually to destroy, compromise, or corrupt data.

Answer 61

A worm is a self-replicating program. A worm: • Does not require a host file to propagate. • Automatically replicates itself without an activation mechanism. A worm can travel across computer networks without requiring any user assistance. • Infects one system and spreads to other systems on the network.

Answer 62

A Trojan horse is a malicious program that is disguised as legitimate or desirable software. A Trojan horse: • Is usually hidden within useful software such as games. A wrapper is a program that is used legitimately, but has a Trojan attached to it that will infiltrate whichever computer runs the wrapper software. • Cannot replicate itself • Relies on user decisions and actions to spread • Often contains spy or backdoor functions that allow a computer to be remotely controlled from the network

Answer 63

A zombie is a computer that has been infected with a Trojan and is remote controlled by a zombie master. A botnet is a network of computers infected with the same Trojan. To find out if your computer has been turned into a zombie, examine the computer's firewall log files. The log will show the outbound traffic from the zombie going through the firewall to the zombie master. A botnet: • Uses IRC channels to communicate with the zombie master. • Is controlled by an infrastructure created by a zombie master (also known as the bot herder). • May be used for spamming, committing click fraud, and performing distributed denial-of-service attacks

Answer 64

A denial-of-service attack, also known as DoS or DDos (distributed denial-of-service) is when a service or an application is overwhelmed with remote connections from botnets, and it crashes because it cannot process all of them

Answer 65

A rootkit is a stealthy type of malware. After infection, a rootkit can be very difficult to detect and remove from a system. A rootkit is installed in the boot sector of the hard disk drive. On systems that do not include the secure boot function, this causes the rootkit to be loaded before the operating system. As a result, a rootkit can hide itself from detection methods used by typical anti-malware software. If a rootkit is detected, it usually can't be removed from the system without completely re-installing the operating system from scratch

Answer 66

Spyware is software that is installed without the user's consent or knowledge, designed to intercept or take partial control over the user's interaction with the computer. Spyware: • Is usually installed on your machine by visiting a malicious website or installing an infected application. • Collects various types of personal information, such as your internet surfing habits and passwords, and then sends the information back to its originating source. • Uses tracking cookies to collect and report a user's activities. • Can interfere with user control of the computer such as installing additional software, changing computer settings, and redirecting web browser activity

Answer 67

Adware monitors actions that denote personal preferences, then sends pop-ups and ads that match those preferences. Adware: • Is usually passive • Invades the user's privacy • Is installed by visiting a malicious website or installing an infected application • Is usually more annoying than harmful

Answer 68

Grayware is software that might offer a legitimate service, but which also includes features that you aren't aware of or features that could be used for malicious purposes. • Grayware is often installed with the user's permission, but without the user fully understanding what is being adding. • Some grayware installs automatically when another program is installed, or in some cases it can be installed automatically. • Features included with grayware might be identified in the end user license agreement (EULA), or the features could be hidden or undocumented. The main objection to grayware is that the user cannot easily tell what the application does or what was added with the application

Answer 69

Ransomware is a form of malware that denies access to an infected computer system until the user pays a ransom

Answer 70

Scareware is a scam that fools users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don't have

Answer 71

Crimeware is designed to facilitate identity theft by gaining access to a user's online financial accounts, such as banks and online retailers. Crimeware can: • Use keystroke loggers, which capture keystrokes, mouse operations, or screenshots and transmits those actions back to the attacker to obtain passwords. • Redirect users to fake sites. • Steal cached passwords. • Conduct transactions in the background after logon

Answer 72

Rainbow table is a reference table for hashed passwords. When a password is hashed, a reference key is added to a database. The rainbow table can be used for reversing the hashed cryptography into the original password

Answer 73

Spam is unwanted and unsolicited email sent to many recipients. Spam: • Can be benign as emails trying to sell products. • Can be malicious containing phishing scams or malware as attachments. • Wastes bandwidth and could fill the inbox, resulting in a denial of service condition where users can no longer receive emails

Answer 74

Some motherboards allow you to set a password on the system hard disk. This practice is sometimes referred to as drive locking. • When set, the password must be given at system startup or the disk cannot be used. • There are two different passwords: user and master. • Set the password(s) by using the motherboard's BIOS/UEFI configuration program. • Passwords are saved on the hard disk itself. o You cannot read the passwords from the disk. o You cannot move the drive to another system to access the disk without the password (the password moves with the disk). o You cannot format the disk to remove the passwords. • If you forget the user password, use the master password to access the drive. If you do not know either password, you cannot access any data on the drive. • Most drive locking systems allow a limited number of incorrect password attempts. After that time, you must restart the system to try entering additional passwords • Some systems ship with a default master password already set. However, these passwords (if they exist) are not publicly available and cannot be obtained from disk manufacturers

Answer 75

Chassis intrusion detection helps you identify when a system case has been opened. With chassis intrusion detection a sensor switch is located inside the system case. When the case cover is removed, the switch sends a signal to the BIOS/UEFI. Depending on the system configuration, a message might be displayed on the screen at startup, or the message might be visible only from within the BIOS/UEFI configuration program

Answer 76

A TPM is a special chip on the motherboard that generates and stores cryptographic keys. • You can use the BIOS/UEFI configuration program to initialize the TPM. • During initialization, you can set a TPM owner password. The TPM password is required to manage TPM settings. • The TPM includes a unique key on the chip that can be used for hardware system identification. • The TPM can generate a cryptographic key or hash based on the hardware in the system. It then uses this key value to verify that the hardware has not changed. This value can be used to prevent the system from booting if the hardware has changed. • The TPM can be used by applications to generate and save keys that are used with encryption.

Answer 77

LoJack is a mechanism that is used to secure systems that are prone to being stolen, such as notebooks systems. The LoJack software is implemented within a chip on the motherboard itself and you can use it to recover a stolen system. The LoJack service running on the computer periodically contacts a LoJack server at the vendor's site to: • Report its current location using GPS coordinates. • Query LoJack headquarters to see if that system's been reported as stolen. If the system has been reported as stolen, then LoJack will continuously update the server with its current location, making it easier for law enforcement to figure out where it is. The software that performs these two tasks is not actually contained in the motherboard chip. The software contained in the motherboard chip is just a downloader that downloads and installs the LoJack software as a Windows service

Answer 78

UEFI systems include several security features that are not available on BIOS-based systems: • UEFI requires firmware updates to be digitally signed by the hardware vendor. Using digital signatures, unauthorized changes to firmware updates (such as the insertion of malware) can be detected. • UEFI provides a security feature called SecureBoot, which requires the operating system installed on the system hard drive to be digitally signed. If it isn't digitally signed, then the UEFI firmware will not boot it by default. This is designed to block a special type of malware called a rootkit. A rootkit inserts itself into the boot sector of a storage device, causing it to be loaded first. Then the rootkit loads the actual operating system. By doing this, the rootkit gets loaded before any anti-malware software, making it more difficult to detect. SecureBoot also prevents the booting of unauthorized operating systems. For example, it prevents the system from booting an operating system installed on a removable USB drive that could be used to access data on the system hard drive.

Answer 79

Social engineering exploits human nature by convincing someone to reveal information or perform an activity. Examples of social engineering include: • Impersonating support staff or management, either in person or over the phone. • Asking for someone to hold open a door rather than using a key for entrance. • Spoofed emails that ask for information or tasks to be performed (such as delete a file or go to a website and enter sensitive information). • Looking on desks for usernames and passwords

Answer 80

Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.

Answer 81

Shoulder surfing is looking over the shoulder of someone working on a computer.

Answer 82

Piggybacking refers to an attacker entering a secured building by following an authorized employee. This is also called tailgating.

Answer 83

Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. • The attacker usually poses as a member of senior management. • A scenario of distress is fabricated to the user to convince them that the actions are necessary

Answer 84

Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics

Answer 85

Phishing uses an email and a spoofed website to gain sensitive information. In a phishing attack: • A fraudulent message that appears to be legitimate is sent to a target • The message requests the target to visit a website which also appears to be legitimate. • The fraudulent website requests the victim to provide sensitive information such as the account number and password. Hoax virus information email are a form of a phishing attack. This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. All too often, the victims of these attacks fail to double check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually these hoax messages instruct the reader to delete key system files or download Trojan horses

Answer 86

A security incident is an event or series of events that result from a security policy violation that has adverse effects on a company's ability to proceed with normal business. Security incidents include employee errors, unauthorized acts by employees, insider attacks, hacker attacks, malware attacks, and unethical gathering of competitive information

Answer 87

Incident response is the actions taken to deal with an incident during and after the incident. Prior planning helps people know what to do when a security incident occurs, especially the first responder

Answer 88

The first responder: • Is the first person on the scene after a security incident has occurred • May be a dedicated member of the security response team • Has the following goals: o Contain the damage (or incident) as much as possible. o Do not damage any evidence. • Initiates an escalation procedure to ensure that the right people are informed and that the right people are brought on the incident site • Initiates the documentation of the incident

Answer 89

An Organizational Security Policy is a high-level overview of the organization's security program. The Organizational Security Policy is usually written by security professionals, but must be supported and endorsed by senior management. This policy usually identifies: • Roles and responsibilities to support and maintain the elements of the security program • What is acceptable and unacceptable regarding security management • The rules and responsibilities for enforcement of the policy

Answer 90

An Acceptable Use Policy (AUP) defines an employee's rights to use company property, such as: • Using computer equipment • Accessing data stored on company computers • Using the company's network • Accessing the internet through the organization's network For example, the AUP may identify whether users are allowed to: • Connect their personally-owned mobile devices to the organization's wireless network. If they are, it may also specify rules for what internet resources they are allowed to access using those devices. • Use company-owned computers for personal uses, such as shopping for personal items on ecommerce websites. The AUP should also set expectations for user privacy when using company resources. Privacy is the right of individuals to keep personal information from unauthorized exposure or disclosure. However, when using company-owned resources, organizations may need to monitor and record employee actions. To protect against potential legal issues, the AUP should disclose when employees may expect such monitoring to occur. For example, the AUP should: • Clearly communicate that monitoring may occur. • Define the types of activities that will be monitored. It is common for a business to reserve the right to monitor all activities performed on company computers, even if those activities might be of a personal nature. • Comply with all legal requirements for privacy. For example, personal medical information is protected and cannot be shared without prior authorization.

Answer 91

An organization's Password Policy identifies the requirements for passwords used to authenticate to company-owned systems. For example, this policy may specify: • Accounts should be disabled or locked out after a certain number of failed login attempts. • Users should be required to change their passwords within a certain time frame. • Users may not reuse old passwords. • Users must use strong passwords. Strong passwords should contain: o Multiple character types, including uppercase letters, lowercase letters, numbers, and symbols. o A minimum of eight characters. (More is better.) • User passwords should never contain: o Words found in the dictionary. o Personally-identifiable information, such as an employee's spouse's name, child's name, birth date, favorite sports teams, etc. o Part of a username or email address

Answer 92

The strongest technological security measures can be quickly defeated if employees engage in unsafe behaviors, such as: • Clicking links in a phishing email. • Visiting malicious websites. • Responding to social engineering attempts. • Downloading and installing unauthorized software. Employee awareness is the key to prevent these behaviors. The User Education and Awareness Policy is designed to: • Familiarize employees with the organization's security policy. • Communicate standards, procedures, and baselines that apply to the employee's job. • Facilitate employee ownership and recognition of security responsibilities. • Explain how to respond to security events. • Establish reporting procedures for suspected security violations

Answer 93

Many organization's implement a code of ethics to prevent user-facilitated security issues. A code of ethics is a set of rules or standards that define ethical behavior. Because the issues involved in different situations may vary and can be quite complex, the code of ethics does not prescribe actions for every situation. Instead, it identifies general principles of ethical behavior that can be applied to various situations. For example, a company's code of ethics may require that everyone: • Conduct themselves in accordance with the highest standards of moral, ethical, and legal behavior. • Not commit or be a party to any unlawful or unethical act that may negatively affect their professional reputation or the reputation of the organization. • Appropriately report activity related to the profession that they believe to be unlawful. • Openly cooperate with ongoing investigations

Answer 94

Users should have only the degree of access to the workstation necessary for them to complete their work and no more. Observe the following: • Only those users who need administrative access should have it. You should use limited user accounts for everyone else. Don't make a user a member of the Administrators group unless the user needs administrative access to the system. • The workstation should have the software required for it to fulfill its function on the network and no more. • Use delegated administration. Don't make all admin users members of the Administrators group. Make admins members of the Windows group that most closely matches the level of access they need: o Backup operators: members of this group can backup or restore files, regardless of permissions assigned to those files. o Cryptographic operators: members of this group can perform cryptographic operations. o Network Configuration Operators: members of this group can manage the IP configuration on the system. o Performance Log Users: members of this group can manage performance logs and alerts. o Performance Monitor Users: members of this group can manage performance counters. o Remote Desktop Users: members of this group can remotely access a workstation's desktop

Answer 95

A strong password is one that: • Is at least 8 characters long (longer is better) • Is not based on a word found in a dictionary • Contains both upper-case and lower-case characters • Contains numbers • Does not contain words that can be associated with you personally • Is changed frequently

Answer 96

A privacy filter is a polarized sheet of plastic that is placed over a computer screen to restrict screen visibility from any angle other than straight on. This prevents office guests and passers-by from being able to read information from the user's computer monitor

Security Flashcards

(128 cards)