Exam (worked answers)

SY0-401:3 TS Quiz Threats and Vulnerabilities with complete solutions

Pages: 69
Grade: A+
Uploaded on: 07-06-2022
Written in: 2020/2021

Bob manages the sales department. Most of his sales representatives travel among several client sites. He wants to enable these sales representatives to check the shipping status of their orders online. This information currently resides on the company intranet, but it is not accessible to anyone outside the company firewall. Bob has asked you to make the information available to traveling sales representatives. You decide to create an extranet to allow these employees to view their customers' order status and history.

Which technique could you use to secure communications between network segments sending order-status data via the Internet?
VPN
VLAN
Extranet
Certificate server

Answer:
VPN

Explanation:
A virtual private network (VPN) is not a physical network. In a VPN, a public network, such as the Internet, is used to allow secure communication between companies that are not located together or between private networks. A VPN transports encrypted data.

A Virtual LAN (VLAN) allows networks to be segmented logically without physically rewiring the network. A VLAN is an excellent way to provide an added layer of security by isolating resources into separate subnets. If a small company purchases an all-in-one wireless router/switch and has two Web servers, and it needs to protect them from access by BYOD, you could create a server VLAN and place an ACL on the Web servers.

An extranet enables two or more companies to share information and resources. While an extranet should be configured to provide the shared data, an extranet is only a Web page. It is not actually responsible for data transmission. An extranet has a wider boundary than an intranet.

A certificate server provides certificate services to users. Certificates are used to verify user identity and protect data communication.

VPNs use what is known as a tunneling protocol for the secure transfer of data using the Internet. A common tunneling protocol for this purpose is Point-to-Point Tunneling Protocol (PPTP). The term "tunnel" refers to how the information is privately sent. Data being sent is encapsulated into what are called network packets. Packets are encrypted from where they originate before they are sent via the Internet. The information travels in an encrypted, or non-readable, form. Once the information arrives at its destination, it is then decrypted.

By using a VPN, a company avoids the expense of leased lines for secure communication, and instead can use public networks to transfer data in a secure way. Client computers can connect to the VPN by dial-up, DSL, ISDN, or cable modems.

An intranet is a local area network (LAN) add-on that is restricted to certain users, usually a company's employees. The data contained on it is usually private in nature.

Match the descriptions on the left with the malware types on the right.

Explanation:
The malware types should be matched with the descriptions in the following manner:
Backdoor - a developer hook in a system or application that allows developers to circumvent normal authentication
Logic bomb - a program that executes when a certain predefined event occurs
Spyware - a program that monitors and tracks user activities
Trojan horse - a program that infects a system under the guise of another legitimate program

To which type of attack are password files stored on a server vulnerable?
a dictionary attack
a SYN flood attack
a side channel attack
a Denial of Service (DoS) attack

Explanation:
A dictionary attack is based on the attacker's efforts to determine the decryption key to defeat a cipher. This attack uses words from the dictionary and typically succeeds because many users choose passwords from a dictionary that are easy to remember. Therefore, the dictionary attack is a part of cryptanalysis. One-way encryption or one-way hashing protects against reading or modifying the password file, but an intruder can launch a dictionary attack after capturing the password file.

A SYN flood attack is a Denial of Service (DoS) technique. The attacker sends multiple SYN packets to a target machine from a spoofed source IP address. The victim machine responds to the service requests by replying with an acknowledgement (SYN-ACK) and allocating resources to the spoofed source IP address. The target machine runs out of resources, and the requests from legitimate users are denied.

In a side channel attack, the attacker gains information regarding the encryption algorithms running in the cryptosystem that is implemented in the network. The attacker can use information such as power consumption, electromagnetic radiation, and sound to break into a system. The side channel attack can also be based on the time taken to perform a computation.

A DoS attack exploits the limitations of the TCP/IP protocol by flooding the network with a large number of false resource requests or by consuming the complete bandwidth of the network. To fulfill the resource requests that are falsely created by the attacker, the network exhausts its resources. Therefore, legitimate and authorized users are denied services on the basis of a resource crunch in the network.

You have just discovered that an application that your company purchased is intentionally embedded with software code that allows a developer to bypass the regular access and authentication mechanisms. Which software code is being described?
logic bomb
pseudo-flaw
multipart virus
debugging hooks

Answer:
debugging hooks

Explanation:
A debugging or maintenance hook is software code that is intentionally embedded in the software during its development process to allow the developer to bypass the regular access and authentication mechanisms. These hooks can pose a threat to the security of the software and can be exploited if any maintenance hook is not removed before the software goes into production and an intruder is able to find the maintenance hook.

A logic bomb implies a malicious program that remains dormant and is triggered following a specific action by the user or after a certain time interval. The primary difference between logic bombs, viruses, and worms is that a logic bomb is triggered when specific conditions are met.

A pseudo-flaw refers to vulnerability code embedded intentionally in the software to trap intruders.

A multipart virus can infect both executable files and boot sectors of hard disk drives. The virus first resides in the memory and then infects the boot sector and the executable files of the computer.

Which spyware technique inserts a dynamic link library into a running process's memory?
SMTP open relay
DLL injection
buffer overflow
cookies

Answer:
DLL injection

Explanation:
DLL injection is a spyware technique that inserts a dynamic link library (DLL) into a running process's memory. Windows was designed to use DLL injection to make programming easier for developers. Some of the standard defenses against DLL injection include application and operating system patches, firewalls, and intrusion detection systems.

SMTP open relay is an e-mail feature that allows any Internet user to send e-mail messages through the SMTP server. SMTP relay often results in an increased amount of spam. SMTP relay is designed into many e-mail servers to allow them to forward e-mail to other e-mail servers.

Buffer overflow occurs when the length of the input data is longer than the length processor buffers can handle. Buffer overflow is caused when input data is not verified for appropriate length at the time of the input. Buffer overflow and boundary condition errors are examples of input validation errors. Memory addressing is specific to a buffer overflow attack. If a programmer allocates 16 bytes for a string variable but does not adequately ensure that no more than 16 bytes can be copied into it, a buffer overflow can occur. If a security analysis discovers JavaScript being used to send random data to another service on the same computer, a buffer overflow attack is occurring. One of the oldest examples of a buffer overflow attack is a no operation performed (NOOP) attack. A NOOP attack is an attack in which an instruction is given in which no operation is executed.

Cookies store information on a Web client for future sessions with a Web server. They are used to provide a persistent, customized Web experience for each visit and to track a user's browsing habits. The information stored in a cookie is not typically encrypted and might be vulnerable to hacker attacks.

Which type of attack redirects you to a fake Web site?
land attack
hyperlink spoofing
ICMP packet spoofing
network address hijacking

Answer:
hyperlink spoofing

Explanation:
Hyperlink spoofing, which is also referred to as Web spoofing, is used by an attacker to persuade the Internet browser to connect to a fake server that appears as a valid session. The primary purpose of hyperlink spoofing is to gain access to confidential information, such as PIN numbers, credit card numbers, and bank details of users. This is also referred to as URL spoofing. Hyperlink spoofing takes advantage of people using hyperlinks instead of DNS addresses. In most scenarios, the DNS addresses are not visible, and the user is redirected to another fake Web site after clicking a hyperlink.

A land attack involves sending a spoofed TCP SYN packet with the target host's IP address and an open port acting both as a source and a destination to the target host on an open port. The land attack causes the system to either freeze or crash because the machine continuously replies to itself.

What is the best description of an evil twin?
an unauthorized access point
signals about the wireless network marked on the outside of a building
an access point with the same SSID as the legitimate access point
cracking the WEP secret key using the initialization vector (IV)

Answer:
an access point with the same SSID as the legitimate access point

Explanation:
An evil twin is an access point with the same SSID as the legitimate access point. It is a special type of unauthorized access point. A rogue access point is an unauthorized access point that allows access to a secure network. Performing a site survey is the best way to discover rogue access points. Discovering a large number of unauthorized wireless connections in a particular area is a sign of a rogue access point.

War chalking is leaving signals about the wireless network on the outside of a building.

An IV attack is cracking the WEP secret key using the initialization vector (IV). An IV attack involves interception of authentication traffic in an attempt to gain unauthorized access to a wireless network.

Another consideration in wireless networks is interference or jamming. If an organization implements multiple wireless access points, the organization must ensure that the access points do not interfere with each other. This can be accomplished in one of two ways: deploy the access points on different channels within the frequency or decrease the power level of the access point. Also, some electronic devices can cause interference with access points. Often, just moving the wireless access point can fix the issue. Attackers can deploy devices that cause interference for your wireless network. Performing a site survey can help you to locate the interfering devices.

You have been asked to reduce the surface area of a Windows Server 2008 computer that acts as a Web server. Which step is NOT included in reducing surface area attacks?
Disable unnecessary services.
Disable unnecessary protocols.
Use least privilege.
Disable auditing.

Answer:
Disable auditing.

Explanation:
You should not disable auditing. Auditing should be implemented to record events that could possibly compromise security. Without auditing, you have no way of tracking events that occur.

Reducing surface area attacks includes the following steps:
Disable unnecessary services.
Disable unnecessary protocols.
Disable unnecessary ports.
Use least privilege.
Apply defense in depth.
Do not trust user input.
Fail securely.
Secure the weakest link.
Create secure defaults.

Hardening involves the following steps:
Disable unnecessary accounts.
Protect management interfaces and applications.
Implement password protection.

Unneeded services and protocols can easily allow hackers to access your servers. A port scanner can identify which services and protocols are running so that you can disable the unnecessary services and protocols.

You have been tasked with designing the audit policy for your company based on your company's security policy. What is the first step you should take?
Plan the audit strategy.
Conduct the audit.
Evaluate the audit results.
Report the audit results to management.

Answer:
Plan the audit strategy.

Explanation:
When designing an audit policy for your company, the following steps need to be followed:
Develop the company's security policy.
Plan the audit strategy.
Conduct the audit.
Evaluate the audit results.
Report the audit results to management.
Conduct follow-up.

To configure the audit, you should enable auditing, configure auditing on the objects, and then review event logs.

You have been promoted to security administrator for your company. The former security administrator gives you access to all of his tools, which includes Tripwire. Which statement is true of this tool?
It increases the performance of systems.
It is typically used by hackers to perform intrusions.
It monitors the changes in the baseline configuration of a system.
It acts as a centralized access control system for managing user accounts.

Answer:
It monitors the changes in the baseline configuration of a system.

Explanation:
The primary purpose of Tripwire is to monitor the baseline configuration of a system and the changes made to it. Changes or modifications to the operating system and to the application programs are monitored by maintaining a checksum value of the programs and by periodically examining the values. Tripwire monitors unauthorized alterations to the infrastructure software suite and cannot be used to enhance the performance of the system.

Tripwire is a security enhancement tool and is not used by hackers to perform intrusions. Hackers can use tools such as L0phtCrack, John the Ripper, and Nessus to decipher passwords stored on Windows NT, crack the passwords for UNIX, and perform a reconnaissance attack.

Tripwire does not act as a centralized access control system to manage user accounts. To manage user accounts, the Authentication, Authorization, and Accounting (AAA) services are deployed.

An additional functionality of Tripwire is the antivirus functionality that ensures data integrity and generates alerts for administrators in the event of a change in the operating system and the applications.

Match the descriptions on the left with the malware type on the right that BEST matches the description.

Explanation:
The malware types should be matched with the descriptions in the following manner:
Adware - a software application that displays advertisements while the application is executing
Botnet - a group of computers that are hacked when a malicious program is installed on them and remotely triggered
Rootkit - a collection of programs that grants a hacker administrative access to a computer or network
Worm - a program that spreads itself through network connections

Which Microsoft application will create security reports?
Microsoft Baseline Security Analyzer
Windows Firewall
Task Manager
Performance Monitor

Answer:
Microsoft Baseline Security Analyzer

Explanation:
Microsoft Baseline Security Analyzer is a Microsoft application that creates security reports. Windows Firewall is a host-based firewall solution. Task Manager is the Windows application that shows all applications, processes, and services running on a Windows computer. Performance Monitor monitors all hardware components in a computer, including memory, processor, and hard drive.
