QUESTIONS & ANSWERS 100%
CORRECT!!
Ack Piggybacking - ANSWERS The practice of sending an ACK inside another packet
going to the same destination
Address resolution protocol - ANSWERS Protocol for mapping an IP address to a
physical machine address that is recognized on the local network.
A table, usually called the ARP cache, is used to maintain a correlation between each
MAC and its corresponding IP address
What are the five threat vectors? - ANSWERS Outside attack from network
Outsider attack from telephone
Insider attack from local network
Insider attack from local system
Attack from malicious code
What are some external threat concerns? - ANSWERS - Malicious code might execute
destructive overwrite to hard disks
- Malicious mass-mailing code might expose sensitive information to the internet
- Web server compromise might expose organization to ridicule
- Web server compromise might expose customer private data
What are some ways to bypass firewall protections? - ANSWERS- Worms and Wireless
- modems
- tunnel anything through HTTP
- social engineering
What is social engineering? - ANSWERS- attempt to manipulate or trick a person into
providing information or access
- bypass network security by exploiting humans
- vector is often outside attack by telephone or visitor inside
What is Hping? - ANSWERS- a TCP version of ping
- sends custom TCP packets to a host and listens for replies
- enables port scanning and spoofing simultaneously
What is a group? - ANSWERS A group means multiple iterations won't matter. If you
encrypt with a key, then re-encrypt, it's the same as using one key.
What is a port scan? - ANSWERS- common backdoor to open a port
- port scan scans for open ports on remote host
- scans 0 - 65,535 twice. TCP and UDP
What is nmap? - ANSWERS Network scanner.
What are nmap scanning techniques? - ANSWERS- Full open
- half open (stealth scan)
- UDP
- Ping
What is network stumbler? - ANSWERS- free Windows-based wireless scanner for
802.11b
- detects access point settings
- supports GPS integration
- identifies networks as encrypted or unencrypted
What is Kismet? - ANSWERS- Free Linux WLAN analysis tool
- completely passive, cannot be detected
- supports advanced GPS integration and mapping features
- used for wardriving, WLAN vulnerability assessment
What is Wardriving? - ANSWERS Going around with equipment to detect wireless
networks
What is War Dialing? - ANSWERS- trying to ID modems in a telephone exchange that
may be susceptible to compromise
What are some Pen Test techniques? - ANSWERS- War dialing
- war driving
- Sniffing
- eavesdropping
- dumpster diving
- social engineering
What is IDS? - ANSWERS- intrusion detection system
- it reports attacks against monitored systems/networks
What is IDS not? - ANSWERS- not a replacement for firewalls, hardening, strong
policies, or other DiD methods
- low maintenance
- inexpensive
What are the four types of events reported by IDS? - ANSWERS- true positive
- false positive
- true negative
- false negative
How does IDS signature analysis work? - ANSWERS- rules indicate criteria in packets
that represent events of interest
- rules are applied to packets as they are received
- alerts are created when matches are found
How does anomaly analysis work? - ANSWERS- flags anomalous conditions in traffic
on the network
- requires understanding of what is normal
- uses good traffic as a baseline
What is deep packet inspection? - ANSWERS- slow, requires stateful data tracking
- inspects all fields, including variable-length fields
What is shallow packet inspection? - ANSWERS- fast, with little fidelity
- examines header information and limited payload data
What is Honeyd? - ANSWERS- low interaction production honeypot
- network daemon that can simulate other hosts
- each host can appear as a different OS
What is a netcat listener? - ANSWERS- simplest form of a research honeypot
- useful in identifying nature of TCP scans, allows attacker to complete 3-way
handshake
- listens on a defined port, logs incoming requests for analysis
What are some disadvantages of honeypots? - ANSWERS- improper deployment can
increase attack risk - if production systems aren't sufficiently protected, they can be
vulnerable from a honeypot
- legal liability
What are some honeypot advantages? - ANSWERS- provides insight into the tactics,
motives, and attacker tools
What is a honeypot? - ANSWERS- a system resource that has no legitimate purpose or
reason for someone to connect to it
- its purpose is to draw in attackers to understand how they break into a system
What is a proxy or application gateway? - ANSWERS- maintains complete TCP
connection state and sequencing through 2 connections
- address translation built-in by virtue of second connection above
What is a stateful firewall? - ANSWERS Stateful firewalls maintain state of traffic flows
What is No State Inspection ACK flag set? - ANSWERS Packet filter firewalls rely on
TCP flags to determine connection state. Attacker can send ACK packets only to
bypass firewall.
What is IDS data normalization? - ANSWERS- used by IDS for a baseline before
analysis
- attackers will try to de-normalize traffic to evade detection
- IDS will normalize data for understood protocols
What are NIDS advantages? - ANSWERS- provides insight into traffic on the network
- help detect problems with network operations
- provides auditing for other security measures
What are NIDS challenges? - ANSWERS- deployment challenges including topology
and access limitations
- analyzing encrypted traffic
- quantity vs. quality of signatures
- performance limitations with extensive analysis techniques
- very costly for proper management
What are some NIDS topology limitations? - ANSWERS- switched networks make it
difficult to monitor traffic in promiscuous mode
- topology must be able to support traffic aggregation for monitoring
What is Snort? - ANSWERS- open source tool for monitoring
- can be used as a NIDS
- has quick updates and flexibility for custom rules
What is a stateless packet filter? - ANSWERS A low-end firewall that can quickly be
deployed using existing hardware. They examine packets themselves with no content.
What are some firewall benefits? - ANSWERS- protects internal/external systems from
attack
- filters communications based on content
- performs NAT
- encrypts communications for VPN
- logging to aid in intrusion detection
What are some firewall challenges? - ANSWERS- application layer attacks may get
through
- dialup, VPN, extranet connections may bypass firewalls
What is a firewall? - ANSWERS An appliance that controls access between the public
internet and a company's private network, or between a PC NIC and the rest of the PC.