312-38 : Certified Network Defender : Part 08

  1. Attacks are classified into which of the following? Each correct answer represents a complete solution. Choose all that apply.

    • Active attack
    • Session hijacking
    • Passive attack
    • Replay attack
    Explanation:
    An attack is an action against an information system or network that attempts to violate the system’s security policy. Attacks can be broadly classified as being either active or passive.
    1. Active attacks modify the target system or message, i.e. they violate the integrity of the system or message.
    2. Passive attacks violate confidentiality without affecting the state of the system. An example of such an attack is electronic eavesdropping on network transmissions to release message contents or to gather unprotected passwords.
    Answer options B and D are incorrect. Session hijacking and replay attacks come under the category of active attacks.
  2. Which of the following is a technique for gathering information about a remote network protected by a firewall?

    • Firewalking
    • Warchalking
    • Wardriving
    • Wardialing
    Explanation:
    Firewalking is a technique for gathering information about a remote network protected by a firewall. This technique can be used effectively to perform information gathering attacks. In this technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. If the firewall allows this crafted packet through, it forwards the packet to the next hop. On the next hop, the packet expires and elicits an ICMP “TTL expired in transit” message to the attacker. If the firewall does not allow the traffic, there should be no response, or an ICMP “administratively prohibited” message should be returned to the attacker. A malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. The main drawback of this technique is that if an administrator blocks ICMP packets from leaving the network, it is ineffective.
    Answer option B is incorrect. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving.
    Answer option C is incorrect. War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, one needs a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a wireless LAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources.
    Answer option D is incorrect. War dialing or wardialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems, and fax machines. Hackers use the resulting lists for various purposes, hobbyists for exploration, and crackers – hackers that specialize in computer security – for password guessing.
  3. Which of the following is an Internet application protocol used for transporting Usenet news articles between news servers and for reading and posting articles by end-user client applications?

    • NNTP
    • BOOTP
    • DCAP
    • NTP
    Explanation:
    The Network News Transfer Protocol (NNTP) is an Internet application protocol used for transporting Usenet news articles (netnews) between news servers and for reading and posting articles by end user client applications. NNTP is designed so that news articles are stored in a central database, allowing the subscriber to select only those items that he wants to read.
    Answer option D is incorrect. Network Time Protocol (NTP) is used to synchronize timekeeping among a number of distributed time servers and clients. It is used for time management in a large and diverse network that contains many interfaces. In this protocol, servers define the time, and clients have to be synchronized with the defined time. These clients can choose the most reliable source of time from the several NTP servers available for their information transmission.
    Answer option C is incorrect. The Data Link Switching Client Access Protocol (DCAP) is an application layer protocol that is used between workstations and routers for transporting SNA/NetBIOS traffic over TCP sessions. It was introduced in order to address a few deficiencies in the Data Link Switching Protocol (DLSw). DLSw raises the important issues of scalability and efficiency, and since DLSw is a switch-to-switch protocol, it is not efficient when implemented on workstations. DCAP was introduced in order to address these issues.
    Answer option B is incorrect. The BOOTP protocol is used by diskless workstations to collect configuration information from a network server. It is also used to acquire a boot image from the server.
  4. Which of the following attacks is a class of brute force attacks that depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations?

    • Phishing attack
    • Replay attack
    • Birthday attack
    • Dictionary attack
    Explanation:
    A birthday attack is a class of brute force attacks that exploits the mathematics behind the birthday problem in probability theory. It is a type of cryptography attack. The birthday attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations.
    Answer option D is incorrect. A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities. A dictionary attack uses a brute-force technique of successively trying all the words in an exhaustive list (from a pre-arranged list of values). In contrast with a normal brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words in a dictionary. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries, or simple, easily-predicted variations on words, such as appending a digit.
    Answer option A is incorrect. Phishing is a type of Internet fraud attempted by hackers. Hackers try to log into a system by masquerading as a trustworthy entity and acquire sensitive information, such as usernames, passwords, bank account details, credit card details, etc. After collecting this information, hackers try to use it for their own gain.
    Answer option B is incorrect. A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution.
  5. Which of the following is a digital telephone/telecommunication network that carries voice, data, and video over an existing telephone network infrastructure?

    • PPP
    • Frame relay
    • ISDN
    • X.25
    Explanation:
    Integrated Services Digital Network (ISDN) is a digital telephone/telecommunication network that carries voice, data, and video over an existing telephone network infrastructure. It requires an ISDN modem at both ends of a transmission. ISDN is designed to provide a single interface for hooking up a telephone, fax machine, computer, etc.
    ISDN has two levels of service, i.e., Basic Rate Interface (BRI) and Primary Rate Interface (PRI).
    Answer option A is incorrect. The Point-to-Point Protocol, or PPP, is a data link protocol commonly used to establish a direct connection between two networking nodes. It can provide connection authentication, transmission encryption privacy, and compression. PPP is commonly used as a data link layer protocol for connection over synchronous and asynchronous circuits, where it has largely superseded the older, non-standard Serial Line Internet Protocol (SLIP) and telephone company mandated standards (such as Link Access Protocol, Balanced (LAPB) in the X.25 protocol suite). PPP was designed to work with numerous network layer protocols, including Internet Protocol (IP), Novell’s Internetwork Packet Exchange (IPX), NBF, and AppleTalk.
    Answer option D is incorrect. The X.25 protocol, adopted as a standard by the Consultative Committee for International Telegraph and Telephone (CCITT), is a commonly-used network protocol. The X.25 protocol allows computers on different public networks (such as CompuServe, Tymnet, or a TCP/IP network) to communicate through an intermediary computer at the network layer level. X.25’s protocols correspond closely to the data-link and physical-layer protocols defined in the Open Systems Interconnection (OSI) communication model.
    Answer option B is incorrect. Frame relay is a telecommunication service designed for cost-efficient data transmission for intermittent traffic between local area networks (LANs) and between end-points in a wide area network (WAN). Frame relay puts data in a variable-size unit called a frame. It performs less error checking than other traditional forms of packet switching and hence speeds up data transmission.
    When an error is detected in a frame, the frame is simply dropped. The end points are responsible for detecting and retransmitting dropped frames.
  6. FILL BLANK

    Fill in the blank with the appropriate term.
    ______________ is a prime example of a high-interaction honeypot.

    • Honeynet
    Explanation:
    Honeynet is a prime example of a high-interaction honeypot. Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.
  7. FILL BLANK

    Fill in the blank with the appropriate term.
    ______________ is an enumeration technique used to glean information about computer systems on a network and the services running on its open ports.

    • Banner grabbing
    Explanation:
    Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. An intruder, however, can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits.
    Some examples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 respectively. Tools commonly used to perform banner grabbing are Telnet, which is included with most operating systems, and Netcat.
    For example, one could establish a connection to a target host running a Web service with netcat, then send a bad HTTP request in order to get information about the service on the host:
    [root@prober] nc www.targethost.com 80
    HEAD / HTTP/1.1
    HTTP/1.1 200 OK
    Date: Mon, 11 May 2009 22:10:40 EST
    Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
    Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
    ETag: "1986-69b-123a4bc6"
    Accept-Ranges: bytes
    Content-Length: 1110
    Connection: close
    Content-Type: text/html
    The administrator can now catalog this system, or an intruder now knows which version of Apache to look up exploits for.
  8. Which of the following steps are required in an idle scan of a closed port?

    Each correct answer represents a part of the solution. Choose all that apply.

    • The attacker sends a SYN/ACK to the zombie.
    • The zombie’s IP ID increases by only 1.
    • In response to the SYN, the target sends a RST.
    • The zombie ignores the unsolicited RST, and the IP ID remains unchanged.
    • The zombie’s IP ID increases by 2.
    Explanation:
    Following are the steps required in an idle scan of a closed port:
    1. Probe the zombie’s IP ID: The attacker sends a SYN/ACK to the zombie. The zombie, unaware of the SYN/ACK, sends back a RST, thus disclosing its IP ID.
    [Figure: 312-38 Part 08 Q08 021]
    2. Forge a SYN packet from the zombie: In response to the SYN, the target sends a RST. The zombie ignores the unsolicited RST, and the IP ID remains unchanged.
    [Figure: 312-38 Part 08 Q08 022]
    3. Probe the zombie’s IP ID again: The zombie’s IP ID has increased by only 1 since step 1. So the port is closed.
    [Figure: 312-38 Part 08 Q08 023]
  9. Which of the following is a mechanism that helps in ensuring that only the intended and authorized recipients are able to read data?

    • Integrity
    • Data availability
    • Confidentiality
    • Authentication
    Explanation:
    Confidentiality is a mechanism that ensures that only the intended and authorized recipients are able to read data. The data is encrypted so that even if an unauthorized user gets access to it, he will not be able to make any sense of it.
    Answer option A is incorrect. In information security, integrity means that data cannot be modified without authorization. This is not the same thing as referential integrity in databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on. There are many ways in which integrity could be violated without malicious intent. In the simplest case, a user on a system could mistype someone’s address. On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised. Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity.
    Answer option B is incorrect. Data availability is one of the security principles that ensures that data and communication services will be available for use when needed (expected). It describes the availability of products and services, ensuring that data continues to be available at a required level of performance in situations ranging from normal to disastrous. Data availability is achieved through redundancy, which depends upon where the data is stored and how it can be reached.
    Answer option D is incorrect. Authentication is the act of establishing or confirming something (or someone) as authentic, i.e., the claims made by or about the subject are true (“authentification” is a variant of this word).
  10. Which of the following help in estimating and totaling up the equivalent money value of the benefits and costs to the community of projects for establishing whether they are worthwhile?

    Each correct answer represents a complete solution. Choose all that apply.

    • Business Continuity Planning
    • Benefit-Cost Analysis
    • Disaster recovery
    • Cost-benefit analysis
    Explanation:
    Cost-benefit analysis is a process by which business decisions are analyzed. It is used to estimate and total up the equivalent money value of the benefits and costs to the community of projects for establishing whether they are worthwhile. It is a term that refers both to:
    helping to appraise, or assess, the case for a project, program, or policy proposal;
    an approach to making economic decisions of any kind.
    Under both definitions, the process involves, whether explicitly or implicitly, weighing the total expected costs against the total expected benefits of one or more actions in order to choose the best or most profitable option. The formal process is often referred to as either CBA (Cost-Benefit Analysis) or BCA (Benefit-Cost Analysis).
    Answer option A is incorrect. Business Continuity Planning (BCP) is the creation and validation of a practiced logistical plan that defines how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a Business Continuity Plan.
    Answer option C is incorrect. Disaster recovery is the process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.
  11. Which of the following steps will NOT make a server fault tolerant? Each correct answer represents a complete solution. (Choose two.)

    • Adding a second power supply unit
    • Performing regular backup of the server
    • Adding one more same sized disk as mirror on the server
    • Implementing cluster servers’ facility
    • Encrypting confidential data stored on the server
    Explanation:
    Encrypting confidential data stored on the server and performing regular backup will not make the server fault tolerant.
    Fault tolerance is the ability to continue work when a hardware failure occurs on a system. A fault-tolerant system is designed from the ground up for reliability by building multiples of all critical components, such as CPUs, memories, disks and power supplies into the same computer. In the event one component fails, another takes over without skipping a beat.
    Answer options A, C, and D are incorrect. The following steps will make the server fault tolerant:
    Adding a second power supply unit
    Adding one more same sized disk as a mirror on the server
    Implementing cluster servers’ facility
  12. This is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. The main features of these tools are as follows:
    It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.
    It is commonly used for the following purposes:

    a. War driving
    b. Detecting unauthorized access points
    c. Detecting causes of interference on a WLAN
    d. WEP ICV error tracking
    e. Making graphs and alarms on 802.11 data, including signal strength
    This tool is known as __________.

    • Kismet
    • Absinthe
    • THC-Scan
    • NetStumbler
    Explanation:
    NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. The main features of NetStumbler are as follows:
    It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.
    It is commonly used for the following purposes:
    a. War driving
    b. Detecting unauthorized access points
    c. Detecting causes of interference on a WLAN
    d. WEP ICV error tracking
    e. Making graphs and alarms on 802.11 data, including signal strength
    Answer option A is incorrect. Kismet is an IEEE 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
    Answer option C is incorrect. THC-Scan is a war-dialing tool.
    Answer option B is incorrect. Absinthe is an automated SQL injection tool.
  13. Which of the following are the common security problems involved in communications and email? Each correct answer represents a complete solution. Choose all that apply.

    • False message
    • Message digest
    • Message replay
    • Message repudiation
    • Message modification
    • Eavesdropping
    • Identity theft
    Explanation:
    Following are the common security problems involved in communications and email:
    Eavesdropping: It is the act of secretly listening to private information through telephone lines, e-mail, instant messaging, and any other method of communication considered private.
    Identity theft: It is the act of obtaining someone’s username and password to access his/her email servers for reading email and sending false email messages. These credentials can be obtained by eavesdropping on SMTP, POP, IMAP, or Webmail connections.
    Message modification: The person who has system administrator permission on any of the SMTP servers can visit anyone’s message and can delete or change the message before it continues on to its destination. The recipient has no way of telling that the email message has been altered.
    False message: It is the act of constructing messages that appear to be sent by someone else.
    Message replay: In a message replay, messages are modified, saved, and re-sent later.
    Message repudiation: In message repudiation, normal email messages can be forged. There is no way for the receiver to prove that someone had sent him/her a particular message. This means that even if someone has sent a message, he/she can successfully deny it.
    Answer option B is incorrect. A message digest is a number that is created algorithmically from a file and represents that file uniquely.
  14. Which of the following are the six different phases of the Incident handling process? Each correct answer represents a complete solution. Choose all that apply.

    • Containment
    • Identification
    • Post mortem review
    • Preparation
    • Lessons learned
    • Recovery
    • Eradication
    Explanation:
    Following are the six different phases of the Incident handling process:
    1. Preparation: Preparation is the first step in the incident handling process. It includes processes like backing up copies of all key data on a regular basis, monitoring and updating software on a regular basis, and creating and implementing a documented security policy. To apply this step a documented security policy is formulated that outlines the responses to various incidents, as a reliable set of instructions during the time of an incident. The following list contains items that the incident handler should maintain in the preparation phase, i.e. before an incident occurs:
    Establish applicable policies
    Build relationships with key players
    Build response kit
    Create incident checklists
    Establish communication plan
    Perform threat modeling
    Build an incident response team
    Practice the demo incidents
    2. Identification: The Identification phase of the Incident handling process is the stage at which the Incident handler evaluates the critical level of an incident for an enterprise or system. It is an important stage where the distinction between an event and an incident is determined, measured and tested.
    3. Containment: The Containment phase of the Incident handling process supports and builds up the incident combating process. It helps in ensuring the stability of the system and also confirms that the incident does not get any worse.
    4. Eradication: The Eradication phase of the Incident handling process involves the cleaning-up of the identified harmful incidents from the system. It includes analyzing the information that has been gathered to determine how the attack was committed. To prevent the incident from happening again, it is vital to recognize how it was carried out so that a prevention technique can be applied.
    5. Recovery: Recovery is the fifth step of the incident handling process. In this phase, the Incident Handler places the system back into the working environment. In the recovery phase the Incident Handler also works through a set of validation questions to confirm that the system recovery is successful. This involves testing the system to make sure that all the processes and functions are working normally. The Incident Handler also monitors the system to make sure that the systems are not compromised again, looking for additional signs of attack.
    6. Lessons learned: Lessons learned is the sixth and final step of the incident handling process. The Incident Handler utilizes the knowledge and experience gained during the handling of the incident to enhance and improve the incident-handling process. This is the most neglected step of all incident handling processes. Many times the Incident Handlers are relieved to have systems back to normal and get busy trying to catch up on other unfinished work. The Incident Handler should document the incident and look for ways to improve the process.
    Answer option C is incorrect. The post mortem review is one of the phases of the Incident response process.
  15. Which of the following steps of the OPSEC process examines each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then compare those indicators with the adversary’s intelligence collection capabilities identified in the previous action?

    • Analysis of Threats
    • Application of Appropriate OPSEC Measures
    • Identification of Critical Information
    • Analysis of Vulnerabilities
    • Assessment of Risk
    Explanation:
    OPSEC is a 5-step process that helps in developing protection mechanisms in order to safeguard sensitive information and preserve essential secrecy.
    The OPSEC process has five steps, which are as follows:
    1. Identification of Critical Information: This step includes identifying information vitally needed by an adversary, which focuses the remainder of the OPSEC process on protecting vital information, rather than attempting to protect all classified or sensitive unclassified information.
    2. Analysis of Threats: This step includes the research and analysis of intelligence, counter-intelligence, and open source information to identify likely adversaries to a planned operation.
    3. Analysis of Vulnerabilities: It includes examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action.
    4. Assessment of Risk: Firstly, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Secondly, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff.
    5. Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans.
  16. Which of the following statements are true about an IPv6 network? Each correct answer represents a complete solution. Choose all that apply.

    • For interoperability, IPv4 addresses use the last 32 bits of IPv6 addresses.
    • It increases the number of available IP addresses.
    • It uses longer subnet masks than those used in IPv4.
    • It provides improved authentication and security.
    • It uses 128-bit addresses.
    Explanation:
    IP addressing version 6 (IPv6) is the latest version of IP addressing. IPv6 is designed to solve many of the problems that were faced by IPv4, such as address depletion, security, auto-configuration, and extensibility. With the fast increasing number of networks and the expansion of the World Wide Web, the allotted IP addresses are depleting rapidly, and the need for more network addresses is arising. IPv6 solves this problem, as it uses a 128-bit address that can produce a lot more IP addresses. These addresses are written as hexadecimal numbers, made up of eight groups of two octets (16 bits) each. An example of an IPv6 address is 45CF:6D53:12CD:AFC7:E654:BB32:543C:FACE.
    Answer option C is incorrect. The subnet masks used in IPv6 addresses are of the same length as those used in IPv4 addresses.
  17. Which of the following transmission modes of communication is one-way?

    • Half duplex
    • full-duplex mode
    • #NAME?
    • root mode
    • None
  18. Which of the following is designed to detect unwanted changes by observing the flame of the environment associated with combustion?

    • Fire extinguishing system
    • None
    • Gaseous fire-extinguishing systems
    • sprinkler
    • Smoke alarm system
  19. Which of the following features is used to generate spam on the Internet by spammers and worms?

    • AutoComplete
    • SMTP relay
    • Server Message Block (SMB) signing
    • AutoFill
    Explanation:
    The SMTP relay feature of e-mail servers allows them to forward e-mail to other e-mail servers. Unfortunately, this feature is exploited by spammers and worms to generate spam on the Internet.
  20. Which of the following tools is described below? It is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic. Some of its tools include arpredirect, macof, tcpkill, tcpnice, filesnarf, and mailsnarf. It is highly effective for sniffing both switched and shared networks. It uses the arpredirect and macof tools for switching across switched networks. It can also be used to capture authentication information for FTP, telnet, SMTP, HTTP, POP, NNTP, IMAP, etc.

    • Dsniff
    • Cain
    • Libnids
    • LIDS
    Explanation:
    Dsniff is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic. Some of the tools of Dsniff include dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, and mailsnarf. Dsniff is highly effective for sniffing both switched and shared networks. It uses the arpredirect and macof tools for switching across switched networks. It can also be used to capture authentication information for FTP, telnet, SMTP, HTTP, POP, NNTP, IMAP, etc.
    Answer option B is incorrect. Cain is a multipurpose tool that can be used to perform many tasks such as Windows password cracking, Windows enumeration, and VoIP session sniffing. This password cracking program can perform the following types of password cracking attacks:
    Dictionary attack
    Brute force attack
    Rainbow attack
    Hybrid attack
    Answer options D and C are incorrect. These tools are port scan detection tools that are used in the Linux operating system.