312-38 : Certified Network Defender : Part 04
-
Which of the following can be performed with software or hardware devices in order to record everything a person types using his or her keyboard?
- Warchalking
- Keystroke logging
- War dialing
- IRC bot
Explanation:
Keystroke logging is a method of logging and recording user keystrokes. It can be performed with software or hardware devices. Keystroke logging devices can record everything a person types using his or her keyboard, such as to measure employee’s productivity on certain clerical tasks. These types of devices can also be used to get usernames, passwords, etc.
Answer option C is incorrect. War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, BBS systems, and fax machines. Hackers use the resulting lists for various purposes, hobbyists for exploration, and crackers (hackers that specialize in computer security) for password guessing.
Answer option A is incorrect. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving.
Answer option D is incorrect. An Internet Relay Chat (IRC) bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, and so appears to other IRC users as another user. An IRC bot differs from a regular client in that instead of providing interactive access to IRC for a human user, it performs automated functions. -
FILL BLANK
Fill in the blank with the appropriate term.
A ______________ is a translation device or service that is often controlled by a separate Media Gateway Controller, which provides the call control and signaling functionality.- Media gateway
Explanation: A Media gateway is a translation device or service that converts digital media streams between disparate telecommunications networks such as PSTN, SS7, Next Generation Networks (2G, 2.5G and 3G radio access networks) or PBX. Media gateways enable multimedia communications across Next Generation Networks over multiple transport protocols such as Asynchronous Transfer Mode (ATM) and Internet Protocol (IP). Because the media gateway connects different types of networks, one of its main functions is to convert between different transmission and coding techniques. Media streaming functions such as echo cancellation, DTMF, and tone sender are also located in the media gateway. Media gateways are often controlled by a separate Media Gateway Controller, which provides the call control and signaling functionality. -
Which of the following tools is a free laptop tracker that helps in tracking a user’s laptop in case it gets stolen?
- SAINT
- Adeona
- Snort
- Nessus
Explanation:
Adeona is a free laptop tracker that helps in tracking a user’s laptop in case it gets stolen. All it takes is to install the Adeona software client on the user’s laptop, pick a password, and make it run in the background. If at one point, the user’s laptop gets stolen and is connected to the Internet, the Adeona software sends the criminal’s IP address. Using the Adeona Recovery, the IP address can then be retrieved. Knowing the IP address helps in tracking the geographical location of the stolen device.
Answer option D is incorrect. Nessus is proprietary comprehensive vulnerability scanning software. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on tested systems. It is capable of checking various types of vulnerabilities, some of which are as follows: Vulnerabilities that allow a remote cracker to control or access sensitive data on a system Misconfiguration (e.g. open mail relay, missing patches, etc), Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack. Denials of service against the TCP/IP stack by using mangled packets
Answer option A is incorrect. SAINT stands for System Administrator’s Integrated Network Tool. It is computer software used for scanning computer networks for security vulnerabilities, and exploiting found vulnerabilities. The SAINT scanner screens every live system on a network for TCP and UDP services. For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial-of-service, or gain sensitive information about the network.
Answer option C is incorrect. Snort is an open source network intrusion detection system. The Snort application analyzes network traffic in realtime mode. It performs packet sniffing, packet logging, protocol analysis, and a content search to detect a variety of potential attacks. -
DRAG DROP
Drag and drop the Response management plans to match up with their respective purposes.
-
FILL BLANK
Fill in the blank with the appropriate term. ______________is a free open-source utility for network exploration and security auditing that is used to discover computers and services on a computer network, thus creating a “map” of the network.
- Nmap
Explanation:
Nmap is a free open-source utility for network exploration and security auditing. It is used to discover computers and services on a computer network, thus creating a “map” of the network. Just like many simple port scanners, Nmap is capable of discovering passive services. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even vendor of the remote network card. Nmap runs on Linux, Microsoft Windows, etc. -
FILL BLANK
Fill in the blank with the appropriate term. ______________is a powerful and low-interaction open source honeypot.
- Honeyd
Explanation:
Honeyd is a powerful and low-interaction open source honeypot. It was released by Niels Provos in 2002. It was written in C and designed for Unix platforms. It introduced a variety of new concepts, including the ability to monitor millions of unused IPs, IP stack spoofing, etc. It can also simulate hundreds of operating systems and monitor all UDP and TCP-based ports. -
Which of the following statements are true about volatile memory? Each correct answer represents a complete solution. Choose all that apply.
- Read-Only Memory (ROM) is an example of volatile memory.
- The content is stored permanently, and even the power supply is switched off.
- The volatile storage device is faster in reading and writing data.
- It is computer memory that requires power to maintain the stored information.
Explanation:
Volatile memory, also known as volatile storage, is computer memory that requires power to maintain the stored information, unlike non-volatile memory which does not require a maintained power supply. It has been less popularly known as temporary memory. Most forms of modern random access memory (RAM) are volatile storage, including dynamic random access memory (DRAM) and static random access memory (SRAM). A volatile storage device is faster in reading and writing data. Answer options B and A are incorrect. Non-volatile memory, nonvolatile memory, NVM, or non-volatile storage, in the most basic sense, is computer memory that can retain the stored information even when not powered. Examples of non-volatile memory include read-only memory, flash memory, most types of magnetic computer storage devices (e.g. hard disks, floppy disks, and magnetic tape), optical discs, and early computer storage methods such as paper tape and punched cards. -
Which of the following firewalls are used to track the state of active connections and determine the network packets allowed to enter through the firewall? Each correct answer represents a complete solution. Choose all that apply.
- Circuit-level gateway
- Stateful
- Proxy server
- Dynamic packet-filtering
Explanation:
A dynamic packet-filtering firewall is a fourth generation firewall technology. It is also known as a stateful firewall. It tracks the state of active connections and determines which network packets are allowed to enter through the firewall. It records session information, such as IP addresses and port numbers to implement a more secure network. The dynamic packet-filtering firewall operates at Layer3, Layer4, and Layer5.
Answer option A is incorrect. A circuit-level gateway is a type of firewall that works at the session layer of the OSI model between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit-level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect.
Answer option C is incorrect. A proxy server firewall intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses. -
Which of the following statements are NOT true about the FAT16 file system? Each correct answer represents a complete solution. Choose all that apply.
- It does not support file-level security.
- It works well with large disks because the cluster size increases as the disk partition size increases.
- It supports the Linux operating system.
- It supports file-level compression.
Explanation:
The FAT16 file system was developed for disks larger than 16MB. It uses 16-bit allocation table entries. The FAT16 file system supports all Microsoft operating systems. It also supports OS/2 and Linux.
Answer options C and A are incorrect. All these statements are true about the FAT16 file system. -
FILL BLANK
Fill in the blank with the appropriate term. The ____________ is used for routing voice conversations over the Internet. It is also known by other names such as IP Telephony, Broadband Telephony, etc.
- VoIP
Explanation: The Voice over Internet Protocol (VoIP) is used for routing of voice conversation over the Internet. The VoIP is also known by other names such as IP Telephony, Broadband Telephony, etc. Analog signals are used in telephones in which the sound is received as electrical pulsation, which is amplified and then carried to a small loudspeaker attached to the other phone, and the call receiver can hear the sound. In VoIP, analog signals are changed into digital signals, which are transmitted on the Internet. VoIP is used to make free phone calls using an Internet connection, and this can be done by using any VoIP software available in the market. There are various modes for making phone calls through the Internet. Some of the important modes are as follows:
Through Analog Telephone Adapter (ATA)
In this mode, the traditional phone is attached to the computer through AT
A. ATA receives analog signals from the phone and then converts these signals to digital signals. The digital signals are then received by the Internet Service Providers (ISP), and the system is ready to make calls over VoIP.
Through IP Phone
IP Phones look exactly like the traditional phones, but they differ in that they have RJ-45 Ethernet connectors, instead of RJ-11 phone connectors, for connecting to the computers.
Computer To Computer
This is the easiest way to use VoIP. For this, we need software, microphone, speakers, sound card and an Internet connection through a cable or a DSL modem.
Soft Phones
Soft phone is a software application that can be loaded onto a computer and used anywhere in the broadband connectivity area. -
FILL BLANK
Fill in the blank with the appropriate term. The ___________ protocol is a feature of packet-based data transmission protocols. It is used to keep a record of the frame sequences sent and their respective acknowledgements received by both the users.
- Sliding Window
Explanation:
The Sliding Window protocol is a feature of packet-based data transmission protocols. It is used in the data link layer (OSI model) as well as in TCP (transport layer of the OSI model). It is used to keep a record of the frame sequences sent, and their respective acknowledgements received, by both the users. Its additional feature over a simpler protocol is that can allow multiple packets to be “in transmission” simultaneously, rather than waiting for each packet to be acknowledged before sending the next.In transmit flow control, sliding window is a variable-duration window that allows a sender to transmit a specified number of data units before an acknowledgment is received or before a specified event occurs.An example of a sliding window is one in which, after the sender fails to receive an acknowledgment for the first transmitted frame, the sender “slides” the window, i.e., resets the window, and sends a second frame. This process is repeated for the specified number of times before the sender interrupts transmission. Sliding window is sometimes called acknowledgment delay period. -
FILL BLANK
Fill in the blank with the appropriate term. A ______________ is a set of tools that take Administrative control of a computer system without authorization by the computer owners and/or legitimate managers.
- rootkit
Explanation:
A rootkit is a set of tools that take Administrative control of a computer system without authorization by the computer owners and/or legitimate managers. A rootkit requires root access to be installed in the Linux operating system, but once installed, the attacker can get root access at any time. Rootkits have the following features:
They allow an attacker to run packet sniffers secretly to capture passwords.
They allow an attacker to set a Trojan into the operating system and thus open a backdoor for anytime access.
They allow an attacker to replace utility programs that can be used to detect the attacker’s activity.
They provide utilities for installing Trojans with the same attributes as legitimate programs. -
Which of the following standards is an amendment to the original IEEE 802.11 and specifies security mechanisms for wireless networks?
- 802.11b
- 802.11e
- 802.11i
- 802.11a
Explanation:
802.11i is an amendment to the original IEEE 802.11. This standard specifies security mechanisms for wireless networks. It replaced the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, it deprecated the broken WEP. 802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher.
Answer option D is incorrect. 802.11a is an amendment to the IEEE 802.11 specification that added a higher data rate of up to 54 Mbit/s using the 5 GHz band. It has seen widespread worldwide implementation, particularly within the corporate workspace. Using the 5 GHz band gives 802.11a a significant advantage, since the 2.4 GHz band is heavily used to the point of being crowded. Degradation caused by such conflicts can cause frequent dropped connections and degradation of service.
Answer option A is incorrect. 802.11b is an amendment to the IEEE 802.11 specification that extended throughput up to 11 Mbit/s using the same 2.4 GHz band. This specification under the marketing name of Wi-Fi has been implemented all over the world. 802.11b is used in a point-to-multipoint configuration, wherein an access point communicates via an omni-directional antenna with one or more nomadic or mobile clients that are located in a coverage area around the access point.
Answer option B is incorrect. The 802.11e standard is a proposed enhancement to the 802.11a and 802.11b wireless LAN (WLAN) specifications. It offers quality of service (QoS) features, including the prioritization of data, voice, and video transmissions. 802.11e enhances the 802.11 Media Access Control layer (MAC layer) with a coordinated time division multiple access (TDMA) construct, and adds error-correcting mechanisms for delay-sensitive applications such as voice and video. -
Which of the following tools is an open source network intrusion prevention and detection system that operates as a network sniffer and logs activities of the network that is matched with the predefined signatures?
- Dsniff
- KisMAC
- Snort
- Kismet
Explanation:
Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs activities of the network that is matched with the predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). The three main modes in which Snort can be configured are as follows:
Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console.
Packet logger mode: It logs the packets to the disk.
Network intrusion detection mode: It is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set.
Answer option A is incorrect. Dsniff is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic. Some of the tools of Dsniff include dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, and mailsnarf. Dsniff is highly effective for sniffing both switched and shared networks. It uses the arpredirect and macof tools for switching across switched networks. It can also be used to capture authentication information for FTP, telnet, SMTP, HTTP, POP, NNTP, IMAP, etc.
Answer option D is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks:
To identify networks by passively collecting packets
To detect standard named networks
To detect masked networks
To collect the presence of non-beaconing networks via data traffic
Answer option B is incorrect. KisMAC is a wireless network discovery tool for Mac OS X. It has a wide range of features, similar to those of Kismet, its Linux/BSD namesake and far exceeding those of NetStumbler, its closest equivalent on Windows. The program is geared towards the network security professionals, and is not as novice-friendly as the similar applications. KisMAC will scan for networks passively on supported cards, including Apple’s AirPort, AirPort Extreme, and many third-party cards. It will scan for networks actively on any card supported by Mac OS X itself.
Cracking of WEP and WPA keys, both by brute force, and exploiting flaws, such as weak scheduling and badly generated keys is supported when a card capable of monitor mode is used, and when packet reinsertion can be done with a supported card. The GPS mapping can be performed when an NMEA compatible GPS receiver is attached. Data can also be saved in pcap format and loaded into programs, such as Wireshark. -
Which of the following is a non-profit organization that oversees the allocation of IP addresses, management of the DNS infrastructure, protocol parameter assignment, and root server system management?
- ANSI
- IEEE
- ITU
- ICANN
Explanation:
ICANN stands for Internet Corporation for Assigned Names and Numbers. ICANN is responsible for managing the assignment of domain names and IP addresses. ICANN’s tasks include responsibility for IP address space allocation, protocol identifier assignment, top-level domain name system management, and root server system management functions. Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organization that oversees the allocation of IP addresses, management of the DNS infrastructure, protocol parameter assignment, and root server system management.
Answer option B is incorrect. Institute of Electrical and Electronics Engineers (IEEE) is an organization of engineers and electronics professionals who develop standards for hardware and software.
Answer option C is incorrect. The International Telecommunication Union is an agency of the United Nations which regulates information and communication technology issues. ITU coordinates the shared global use of the radio spectrum, promotes international cooperation in assigning satellite orbits, works to improve telecommunication infrastructure in the developing world and establishes worldwide standards. ITU is active in areas including broadband Internet, latest-generation wireless technologies, aeronautical and maritime navigation, radio astronomy, satellite-based meteorology, convergence in fixed-mobile phone, Internet access, data, voice, TV broadcasting, and next-generation networks.
Answer option A is incorrect. ANSI (American National Standards Institute) is the primary organization for fostering the development of technology standards in the United States. ANSI works with industry groups and is the U.S. member of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Long-established computer standards from ANSI include the American Standard Code for Information Interchange (ASCII) and the Small Computer System Interface (SCSI). -
With which of the following flag sets does the Xmas tree scan send a TCP frame to a remote device? Each correct answer represents a part of the solution. Choose all that apply.
- PUSH
- RST
- FIN
- URG
Explanation:
With the URG, PUSH, and FIN flag sets, the Xmas tree scan sends a TCP frame to a remote device. The Xmas tree scan is called an Xmas tree scan because the alternating bits are turned on and off in the flags byte (00101001), much like the lights of a Christmas tree. Answer option B is incorrect. The RST flag is not set when the Xmas tree scan sends a TCP frame to a remote device. -
Network security is the specialist area, which consists of the provisions and policies adopted by the Network Administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources. For which of the following reasons is network security needed? Each correct answer represents a complete solution. Choose all that apply.
- To protect information from loss and deliver it to its destination properly
- To protect information from unwanted editing, accidentally or intentionally by unauthorized users
- To protect private information on the Internet
- To prevent a user from sending a message to another user with the name of a third person
Explanation:
Network security is needed for the following reasons:
To protect private information on the Internet
To protect information from unwanted editing, accidentally or intentionally by unauthorized users
To protect information from loss and deliver it to its destination properly
To prevent a user from sending a message to another user with the name of a third person -
Which of the following policies helps in defining what users can and should do to use network and organization’s computer equipment?
- General policy
- Remote access policy
- IT policy
- IT policyUser policy
Explanation:
A user policy helps in defining what users can and should do to use network and organization’s computer equipment. It also defines what limitations are put on users for maintaining the network secure such as whether users can install programs on their workstations, types of programs users are using, and how users can access data.
Answer option C is incorrect. IT policy includes general policies for the IT department. These policies are intended to keep the network secure and stable. It includes the following:
Virus incident and security incident
Backup policy
Client update policies
Server configuration, patch update, and modification policies (security)
Firewall policies Dmz policy, email retention, and auto forwarded email policy
Answer option A is incorrect. It defines the high level program policy and business continuity plan.
Answer option B is incorrect. Remote access policy is a document that outlines and defines acceptable methods of remotely connecting to the internal network. -
FILL BLANK
Fill in the blank with the appropriate term. In computing, ______________ is a class of data storage devices that read their data in sequence.
- SAM
Explanation:
In computing, sequential access memory (SAM) is a class of data storage devices that read their data in sequence. This is in contrast to random access memory (RAM) where data can be accessed in any order. Sequential access devices are usually a form of magnetic memory. While sequential access memory is read in sequence, access can still be made to arbitrary locations by “seeking” to the requested location. Magnetic sequential access memory is typically used for secondary storage in general-purpose computers due to their higher density at lower cost compared to RAM, as well as resistance to wear and non-volatility. Examples of SAM devices include hard disks, CD-ROMs, and magnetic tapes. -
Which of the following are the responsibilities of the disaster recovery team? Each correct answer represents a complete solution. Choose all that apply.
- To monitor the execution of the disaster recovery plan and assess the results
- To modify and update the disaster recovery plan according to the lessons learned from previous disaster recovery efforts
- To notify management, affected personnel, and third parties about the disaster
- To initiate the execution of the disaster recovery procedures
Explanation:
The responsibilities of the disaster recovery team are as follows: To develop, deploy, and monitor the implementation of appropriate disaster recovery plans after analysis of business objectives and threats to organizations
To notify management, affected personnel, and third parties about the disaster
To initiate the execution of the disaster recovery procedures
To monitor the execution of the disaster recovery plan and assess the results
To return operations to normal conditions
To modify and update the disaster recovery plan according to the lessons learned from previous disaster recovery efforts
To increase the level of the organization’s disaster recovery preparedness by conducting mock drills, regular DR systems testing, and threat analysis to create awareness among various stakeholders of the organization by conducting training and awareness sessions