SANS GISCP and GIAC Security 401
Ack Piggybacking - CORRECT ANSWER-The Practice of sending an ACK inside
another packet going to the same destination
Address resolution protocol - CORRECT ANSWER-Protocol for mapping an IP
address to a physical machine address that is recognized on the local network.
A table, usually called the ARP cache, is used to maintain a correlation between
each MAC and its corresponding IP address
What are the five threat vectors? - CORRECT ANSWER-Outside attack from
network
Outsider attack from telephone
Insider attack from local network
insider attack from local system
attack from malicious code
What are some external threat concerns? - CORRECT ANSWER--Malicious
code might execute destructive overwrite to hard disks
-Malicious mas mailing code might expose sensitive information to the internet
- web server compromise might expose organization to ridicule
- Web server compromise might expose customer private data
What are some ways to bypass firewall protections? - CORRECT ANSWER--
Worms and Wireless
- modems
- tunnel anything through HTTP
- social engineering
What is social engineering? - CORRECT ANSWER-- attempt to manipulate or
trick a person into providing information or access
- bypass network security by exploiting humans
- vector is often outside attack by telephone or visitor inside
What is Hping? - CORRECT ANSWER-- a TCP version of ping
- sends custom TCP packets to a host and listens for replies
,- enables port scanning and spoofing simultaneously
What is a group? - CORRECT ANSWER-A group means multiple iterations won't
matter. If you encrypt with a key, then re-encrypt, it's the same as using one key.
What is a port scan? - CORRECT ANSWER-- common backdoor to open a port
- port scan scans for open ports on remote host
- scans 0 - 65,535 twice. TCP and UDP
What is nmap? - CORRECT ANSWER-Network scanner.
What are nmap scanning techniques? - CORRECT ANSWER-- Full open
- half open (stealth scan)
- UDP
- Ping
What is network stumbler? - CORRECT ANSWER-- free windows based wireless
scanner for 802.1b
- detects access point settings
- supports GSP integration
- identifies networks as encrypted or unencrypted
What is Kismet? - CORRECT ANSWER-- Free linux WLAN analysis tool
- completely passive, cannot be detected
- supports advanced GPS integration and mapping features
- used for wardriving, WLAN vulerability assessment
What is Wardriving? - CORRECT ANSWER-Going around with equipment to
detect wireless networks
What is War Dialing? - CORRECT ANSWER-- trying to ID modems in a
telephone exchange that may be susceptible to compromise
What are some Pen Test techniques? - CORRECT ANSWER-- War dialing
- war driving
- Sniffing
- eavesdropping
,- dumpster diving
- social engineering
What is IDS? - CORRECT ANSWER-- intrusion detection system
- it reports attacks against monitored systems/networks
What is IDS not? - CORRECT ANSWER-- not a replacement for firewalls,
hardening, strong policies, or other DiD methods
- low maintenance
- inexpensive
What are the four types of events reported by IDS? - CORRECT ANSWER-- true
positive
- false positive
- true negative
- false negative
How does IDS signature analysis work? - CORRECT ANSWER-- rules indicate
criteria in packets that represent events of interest
- rules are applied to packets as they are received
- alerts are created when matches are found
How does anomaly analysis work? - CORRECT ANSWER-- flags anomalous
conditions in traffic on the network
- requires understanding on what is normal
- bases good traffic as a baseline
What is deep packet inspection? - CORRECT ANSWER-- slow, requires stateful
data tracking
- inspects all fields, including variable-length fields
What is shallow packet inspection? - CORRECT ANSWER-- fast, with little
fidelity
- examines header information and limited payload data
What is Honeyd? - CORRECT ANSWER-- low interaction production honeypot
- network daemon that can simulate other hosts
, - each host can appear as a different OS
What is a netcat listener? - CORRECT ANSWER-- simplest form of a research
honeypot
- useful in identifying nature of TCP scans, allows attacker to complete 3-way
handshake
- listens on a defined port, logs incoming requests for analysis
What are some disadvantages of honeypots? - CORRECT ANSWER-- improper
deployment can increase attack risk - if production systems aren't sufficiently
protected, they can be vulnerable from a honeypot
- legal liability
What are some honeypot advantages? - CORRECT ANSWER-- provides insight
into the tactics, motives, and attacker tools
What is a honeypot? - CORRECT ANSWER-- a system resource that has no
legitimate purpose or reason for someone to connect to it
- its purpose is to draw in attackers to understand how they break into a system
What is a proxy or application gateway? - CORRECT ANSWER-- maintains
complete TCP connection state and sequencing through 2 connections
- address translation built-in by virtue of second connection above
What is a stateful firewall? - CORRECT ANSWER-Stateful firewalls maintain
state of traffic flows
What is No State Inspection ACK flag set? - CORRECT ANSWER-packet filter
firewalls rely on TCP flags to determine connection state. Attacker can send ACK
packets only to bypass firewall.
What is IDS data normalization? - CORRECT ANSWER-- used by IDS for a
baseline before analysis
- attackers will try to de-normalize traffic to evade detection
- IDS will normalize data for understood protocols
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through EFT, credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying this summary from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller EXAMQA. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy this summary for R196,39. You're not tied to anything after your purchase.