1. Which of the following is NOT one of the recognized virus or malware phases?
a) Triggering
b) Execution
c) Dormant
d) Stealth
2. Briefly describe what "blended attack" means with regard to malware.
3. Match the following with the words that best describe them.
Rootkit; Social engineering; Spyware; Worm; Malicious mobile code;
Backdoor; Bot/Zombie; Cross-site scripting; Zero-day exploits
a) An injection of malicious code/script into a vulnerable website so that a visitor's browser will execute it ____________________
b) Replicating program that propagates over a network ____________________
c) Lightweight program that is downloaded from a remote system and executed locally with minimal or no user intervention ____________________
d) An attack/activity that takes advantage of a previously unknown vulnerability ____________________
e) Mechanism that bypasses normal security to allow unauthorized access ____________________
f) Program taking over network attached computers to launch hard to trace attacks ____________________
4. Identify and briefly describe the key characteristic of any one of the primary anti-virus software approaches/generations/forms.
5. Which of the following is the advanced characteristic of malware which indicates it uses multiple infection vectors?
a) Polymorphic
b) Multipartite
c) Stealth
d) Metamorphic
6. TRUE / FALSE The graph that a typical worm propagation model creates is a straight, nearly 45o diagonal line similar to this:
7. What are two categories of "resources" that could be attacked/exhausted as the result of a denial of service attack?
8. What type of packets could be used for flooding DoS attacks?
a) ICMP
b) TCP SYN
c) UDP
d) All of the above
9. Identify and briefly describe an important architectural element/feature that is typically used to make a denial of service attack "Distributed."
10. Which of the following most correctly explains the difference between a reflection attack and an amplification attack?
a) A reflection attack is a sub-category of amplification attacks that differs in that it sends packets to hosts instead of servers.
b) Amplification attacks are distributed, and reflection attacks are not.
c) An amplification attack is a variation of a reflection attack that differs in that it generates multiple response packets for each original packet sent.
d) They are essentially the same thing.
11. Identify and briefly describe two important defensive steps or mechanisms that can be used against DDoS attacks.
12. Which of the following is most important in the success of DoS attacks?
a) Stealth
b) Control
c) Message content
d) Volume
13. Briefly define what is meant by an "insider" or "inside threat" AND identify two things an insider might do on your network or system.
14. Which of the following is the best definition of the scanning phase of an attack?
a) Detecting vulnerabilities
b) Finding systems
c) Maintaining access
d) Exploiting vulnerabilities
15. Briefly describe the difference between a "white hat hacker" and a "black hat hacker" in today's environment.
16. Which of the following is NOT a typical IDS component?
a) Analyzers
b) Logger
c) User interface
d) Sensors
17. Match the following terms with the words that best describe them Anomaly Detection; Network based IDS; Host based IDS; Signature Detection
a) Monitors characteristics and events on a single host for suspicious activity ____________________
b) Observation of events on a system and applying a set of rules to decide if intruder activity is involved ____________________
c) Monitors network traffic for suspicious activity ____________________
d) Collection and analysis of data relating to the behavior of legitimate users over a period of time ____________________
18. Identify any of the "measures that may be used for intrusion detection" (things/events that IDS look for) AND discuss how monitoring this measure might lead to a "false alarm" by your IDS. (2 parts)
19. TRUE / FALSE A honeypot or honeynet is a defensive "sticky" area of your network meant to slow the attacker down by filtering their traffic.
20. List three design goals (desired characteristics) for a firewall.
21. Which of the following is NOT true with regard to Packet Filtering firewalls?
a) Monitors the status of TCP connections
b) Examines information in packet headers
c) Can discard or forward inspected packets
d) Examines source and destination addresses
22. Which of the following is TRUE with regard to Stateful Inspection firewalls?
a) Only reviews header information
b) Evaluates the data/content of a packet for legality
c) Does not consider port numbers
d) Tracks TCP sequence numbers in decision making
23. How does Unified Threat Management (UTM) differ from a firewall? (3 pts)
24. Match the following with the words that best describe them.
Bastion Host; Application gateway; Circuit-level gateway;
Personal firewall; UTM; DMZ; SNORT; Sandbox;
a) Network area which provides a protective barrier between external/untrusted sources of traffic and an internal network ____________________
b) An isolated system area used to quarantine code ____________________
c) Middle man for TCP connections between an inside user and an outside host
____________________
d) Controls traffic flow to/from a PC/workstation ____________________
e) Critical strongpoint in network ____________________
f) Acts as a relay of application-level traffic ____________________
25. TRUE / FALSE The ordering of firewall rules does not impact the proper operation of a firewall.
26. In your own layman's words, explain what a buffer overflow is AND identify one (1) possible immediate impact a buffer overflow can result in (in other words, identify something bad that could happen next).
27. Which of the following best describes a key thing that must be identified to successfully implement a buffer overflow attack?
a) Must understand how a program has been fuzzed
b) Must identify exactly how many characters of input are expected
c) Must understand how/where the buffer is stored
d) Must identify the exact sequence of calls to libraries in a program
28. Name three (3) areas of computer memory that overflow attacks can typically target.
29. Which of the following best describes why some high-level programming languages are less vulnerable to buffer overflows?
a) Mandatory use of guard bands in memory
b) Strong notion of type for variables and valid operations
c) The mixing of assembly language and graphical interfaces
d) No buffers are used
30. Which of the following is NOT true with regard to the use of Shellcode in overflow attacks?
a) Can be saved in buffer being overflowed
b) Requires only rudimentary knowledge of scripting
c) Specific to processor and operating system
d) Used to transfer control to a command line/shell
31. Name and very briefly describe two approaches or mechanisms used to defend against buffer overflow attacks.