21. A company's security policy outlines the security measures to be taken. Implementing the security policy is the first thing that needs to be done.
22. DMZ is short for Demilitarized Zone. If a company intends to host its own servers to be accessed from the public Internet, a DMZ is the most preferred solution. The network segment within the DMZ is secured by two firewalls, one interfacing with the public Internet and the other interfacing with the internal corporate network. Thus, a DMZ provides an additional layer of security to the internal corporate network. The types of servers hosted in a DMZ may include web servers, email servers, file servers, DNS servers, etc.
23. According to the principle of least privilege, a user should be given only the minimum privileges that are required to do his or her work accurately and completely. The other choices are not appropriate.
24. Message Authentication Codes (MACs), also called "keyed hashes", are used to verify the authenticity of a message. Let us say, Jane (the sender of a message) and Mike (the recipient) share a secret key. Jane uses the message and the key to compute the MAC, and sends the MAC along with the message. When Mike receives the message, he computes the MAC, and then checks to see if his MAC matches Jane's. If it does, then he knows the message is from Jane and that nobody has changed it since she sent it.
25. A digital signature ensures that the sender cannot repudiate having sent the message at a future date. Encryption ensures that the message cannot be read by any person who does not have the matching key to decode it. Hashing ensures that the message is not tampered with during transit or storage. Note that hashing does not necessarily encode or encrypt a message.
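The difference between a plain hash (item 25) and a keyed hash or MAC (item 24) is easiest to see side by side. The following is an added example, not part of the original answer key: the shared key and the messages are constructed values, and HMAC-SHA256 from the Python standard library stands in for whatever MAC Jane and Mike would agree on.

```python
import hashlib
import hmac

# Constructed shared secret for the example; in practice it is agreed out of band
SHARED_KEY = b"jane-and-mike-shared-secret"


def digest(message: bytes) -> str:
    """Plain SHA-256 hash: proves integrity only. Anyone can recompute it, so a
    forger who alters the message can simply attach a fresh, matching hash."""
    return hashlib.sha256(message).hexdigest()


def compute_mac(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Recipient side: recompute the MAC and compare in constant time, so timing
    does not leak how many leading characters of the tag were correct."""
    return hmac.compare_digest(compute_mac(key, message), tag)


def demo() -> dict:
    """Walk through Jane -> Mike with an untouched, a tampered and a forged message."""
    message = b"Pay 100 to account 42"
    tampered = b"Pay 900 to account 42"
    tag = compute_mac(SHARED_KEY, message)

    # A forger without the key can attach a plain hash that 'matches' the altered text...
    forged_hash_matches = digest(tampered) == digest(tampered)
    # ...but cannot produce a tag that verifies under Jane and Mike's key.
    forged_tag = compute_mac(b"attacker-guess", tampered)

    return {
        "hash_unchanged": digest(message) == digest(message),
        "hash_detects_change": digest(message) != digest(tampered),
        "forged_hash_matches": forged_hash_matches,
        "mac_valid": verify_mac(SHARED_KEY, message, tag),
        "mac_rejects_tampering": not verify_mac(SHARED_KEY, tampered, tag),
        "mac_rejects_forgery": not verify_mac(SHARED_KEY, tampered, forged_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry in the result is True: the hash catches accidental change but says nothing about origin, while the MAC ties the message to the key holders, which is why item 25 notes that hashing alone is not authentication.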
26. Secret-key encryption is also known as single-key or symmetric encryption. It involves the use of a single key that is shared by both the sender and the receiver of the message. Typically, the sender encrypts the message with a key and transmits the message to the recipient. The recipient then decrypts it by using a copy of the same key used to encrypt it.
27. Confidentiality ensures that a message is not disclosed to any unintended parties. Note that integrity has to do with the correctness of information, and authorization refers to the privileges to access a given resource. Authentication validates the identity of a user or a process at login.
28. Given below are some of the widely known password guessing methods:
1. Dictionary: dictionary terms are used for guessing a password.
2. Birthday: it takes advantage of probabilities, much like the chance that two people in a 50-person room share the same birthday. With every additional person, the chance that two people have the same birth date increases. In the same way, as you keep guessing passwords, the chance of a hit keeps increasing.
3. Brute force: in a brute-force attack, muscle (in this case, CPU and/or network muscle) is applied to break through a particular security mechanism, rather than particular intelligence or logic. "Brute force" is most commonly applied to password guessing, taking advantage of the computing power available to an attacker to try every possible password value until the right one is found. In cryptography, a brute-force attack is an attempt to recover a cryptographic key or password by trying every possible combination until the correct one is found. How quickly this can be done depends on the size of the key and the computing resources applied.
4. Rainbow tables: rainbow tables are huge lists of keys or passwords. A password-guessing program uses these lists rather than generating each key or password itself.
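The standard defence against precomputed tables is to hash each password with a unique random salt and a slow key-derivation function, so the same password never produces the same stored value twice. The block below is an added example, not from the original text: it models a small precomputed table over unsalted SHA-256 with three constructed sample passwords, then shows that salted PBKDF2 output never appears in such a table. The iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor; tune to the hardware you verify on


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Store 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt per password means identical passwords get different
    hashes, so a table precomputed once cannot be reused across accounts."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def precomputed_table(candidates: list) -> dict:
    """Model of a precomputed lookup table over unsalted SHA-256: digest -> password."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def table_lookup(table: dict, stored_digest: str) -> Optional[str]:
    """Reversing an unsalted hash is a dictionary lookup; salted output is never in the table."""
    return table.get(stored_digest)


def demo(iterations: int = ITERATIONS) -> dict:
    # Constructed sample passwords for the example, not taken from any real data set
    common = ["password", "123456", "letmein"]
    table = precomputed_table(common)
    unsalted = hashlib.sha256(b"letmein").hexdigest()
    salted = hash_password("letmein", iterations=iterations)
    return {
        "unsalted_reversed": table_lookup(table, unsalted),
        "salted_reversed": table_lookup(table, salted.split("$")[3]),
        "salts_differ": hash_password("letmein", iterations=iterations) != salted,
        "verify_ok": verify_password("letmein", salted),
        "verify_wrong": verify_password("letmeout", salted),
    }


if __name__ == "__main__":
    print(demo())
```

The unsalted digest is reversed instantly, the salted one is not, and two hashes of the same password differ; the iteration count is what makes the brute-force method of item 28 expensive per guess.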
29. Computer-based access controls prescribe not only who or what process may have access to a given resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices. The different types of access control are:
1. Mandatory access control
2. Discretionary access control
3. Rule based access control
4. Role based access control
Mandatory Access Control (MAC) secures information by assigning sensitivity labels to objects (resources) and comparing them to the level of sensitivity a subject (user) is operating at. MAC ensures that all users have access only to data for which they have a matching or greater security label (or security clearance). In general, MAC mechanisms are more secure than DAC. MAC is usually appropriate for extremely secure systems, including multilevel secure military applications or mission-critical data applications.
Discretionary Access Control (DAC) is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials he presented at the time of authentication (user name, password, hardware/software token, etc.). In most typical DAC models, the owner of information or any resource is able to change its permissions at his discretion. DAC has the drawback that administrators are not able to centrally manage these permissions on files/information stored on the web server.
Role Based Access Control (RBAC): In Role-Based Access Control, access decisions are based on an individual's roles and responsibilities within the organization. For instance, in a corporation, the different roles of users may include chief executive, manager, executive, and clerk. Obviously, these members require different levels of access in order to perform their functions, but the types of web transactions and their allowed context also vary greatly depending on the security policy. In Role Based Access Control, the administrator sets the roles. Therefore, this type of access control is sometimes considered a subset of MAC.
Rule Based Access Control (RBAC): Access to a resource in Rule Based Access Control is based on a set of rules. ACLs (Access Control Lists) are used for this type of access control. In Rule Based Access Control, the administrator sets the rules. Therefore, this type of access control is sometimes considered a subset of MAC.
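The four models read similarly in prose but make their decisions on different inputs: a label comparison, an owner-managed permission set, a role-to-permission mapping, and an ordered rule list. The following is an added example, not part of the original answer key, that implements a minimal decision function for each; the labels, roles, the example addresses and the "first matching rule wins" ACL semantics are all constructed for illustration.

```python
from dataclasses import dataclass, field

# --- Mandatory Access Control: ordered sensitivity labels set by policy, not by users
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def mac_read_allowed(subject_clearance: str, object_label: str) -> bool:
    """Subject may read an object only if its clearance matches or exceeds the label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- Discretionary Access Control: the owner grants permissions at his discretion
@dataclass
class DacResource:
    owner: str
    permissions: dict = field(default_factory=dict)  # user -> set of actions

    def grant(self, actor: str, user: str, action: str) -> None:
        if actor != self.owner:
            raise PermissionError("only the owner may change permissions")
        self.permissions.setdefault(user, set()).add(action)

    def allowed(self, user: str, action: str) -> bool:
        return user == self.owner or action in self.permissions.get(user, set())


# --- Role-Based Access Control: the administrator assigns roles; roles carry permissions
ROLE_PERMISSIONS = {
    "chief_executive": {"read_report", "approve_budget", "sign_contract"},
    "manager": {"read_report", "approve_budget"},
    "clerk": {"read_report"},
}


def rbac_allowed(user_roles: set, action: str) -> bool:
    """Decision depends only on the roles held, never on the individual's identity."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in user_roles)


# --- Rule-Based Access Control: administrator-set ACL, evaluated top to bottom, first match wins
ACL_RULES = [
    ("deny", "*", "delete"),        # nobody deletes, whatever their source
    ("allow", "10.0.0.", "read"),   # constructed internal prefix may read
    ("deny", "*", "*"),             # implicit default deny made explicit
]


def rule_allowed(source_ip: str, action: str) -> bool:
    for verdict, src, act in ACL_RULES:
        if (src == "*" or source_ip.startswith(src)) and (act == "*" or act == action):
            return verdict == "allow"
    return False  # unreachable with the trailing catch-all, kept as a safe default


if __name__ == "__main__":
    print(mac_read_allowed("SECRET", "CONFIDENTIAL"), mac_read_allowed("CONFIDENTIAL", "SECRET"))
    doc = DacResource(owner="alice")
    doc.grant("alice", "bob", "read")
    print(doc.allowed("bob", "read"), doc.allowed("bob", "write"))
    print(rbac_allowed({"clerk"}, "approve_budget"), rbac_allowed({"manager"}, "approve_budget"))
    print(rule_allowed("10.0.0.5", "read"), rule_allowed("10.0.0.5", "delete"))
```

Note where the drawback mentioned for DAC shows up: `grant` is callable by each owner independently, so there is no single place an administrator can audit or revoke permissions, whereas `LEVELS`, `ROLE_PERMISSIONS` and `ACL_RULES` are centrally managed tables.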
30. 1. When a user first authenticates to Kerberos, he talks to the Authentication Service on the KDC to get a Ticket Granting Ticket (TGT). This ticket is encrypted with the user's password.
2. When the user wants to talk to a Kerberized service, he uses the TGT to talk to the Ticket Granting Service (TGS, which also runs on the KDC). The TGS verifies the user's identity using the TGT and issues a ticket for the desired service.
The TGT ensures that a user doesn't have to enter their password every time they wish to connect to a Kerberized service. The TGT usually expires after eight hours. If the Ticket Granting Ticket is compromised, an attacker can only masquerade as the user until the ticket expires.
The following are the important properties of Kerberos:
1. It uses symmetric encryption
2. Tickets are time stamped
3. Passwords are not sent over the network
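The two-step flow and the three properties above can be modelled in a few lines. The block below is an added example, not from the original text and not the Kerberos wire protocol: the KDC's key is a constructed value, tickets are sealed with HMAC under that key as a stand-in for the symmetric encryption real Kerberos uses, and times are plain integers so the eight-hour expiry can be checked without a clock. The service-ticket lifetime of one hour is an assumption.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed KDC long-term key; stands in for the symmetric key protecting real tickets
KDC_KEY = b"kdc-long-term-key-example"
TGT_LIFETIME = 8 * 3600  # eight hours, as stated in the text


def _seal(body: dict) -> str:
    """Keyed integrity tag over the ticket fields; only the KDC can produce or check it."""
    return hmac.new(KDC_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue_tgt(principal: str, now: int, lifetime: int = TGT_LIFETIME) -> dict:
    """Authentication Service step: bind a principal to an issue time and an expiry (property 2)."""
    body = {"principal": principal, "issued": now, "expires": now + lifetime}
    return {"body": body, "tag": _seal(body)}


def validate_tgt(ticket: dict, now: int) -> str:
    """Ticket Granting Service check. Returns 'ok', 'forged' or 'expired'."""
    body = ticket["body"]
    if not hmac.compare_digest(_seal(body), ticket["tag"]):
        return "forged"   # any edited field, such as a stretched expiry, fails here
    if not body["issued"] <= now < body["expires"]:
        return "expired"  # a stolen ticket stops being useful at this point
    return "ok"


def issue_service_ticket(tgt: dict, service: str, now: int, lifetime: int = 3600) -> Optional[dict]:
    """Only a valid TGT yields a service ticket; the password is never presented again (property 3)."""
    if validate_tgt(tgt, now) != "ok":
        return None
    body = {
        "principal": tgt["body"]["principal"],
        "service": service,
        "issued": now,
        "expires": now + lifetime,
    }
    return {"body": body, "tag": _seal(body)}


if __name__ == "__main__":
    t0 = 1_000_000
    tgt = issue_tgt("alice", t0)
    print(validate_tgt(tgt, t0 + 60))                 # ok
    print(validate_tgt(tgt, t0 + TGT_LIFETIME))       # expired
    print(issue_service_ticket(tgt, "fileserver", t0 + 10) is not None)
```

The `expired` branch is the whole point of the eight-hour limit mentioned above: the window in which a leaked TGT can be replayed is bounded, and the `forged` branch is why simply editing the expiry field does not extend that window.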
31. The term "social engineering" refers to tricking someone into revealing useful information, such as a password. Social engineering can be used to collect any information an attacker might be interested in, such as the layout of your network, names and/or IP addresses of important servers, and installed operating systems and software. The information is usually collected through phone calls, or by posing as a new recruit or as a guest of your boss.
Phishing is the act of sending an e-mail to a user while claiming to be a reputed organization (such as a bank) in an attempt to scam the user into providing information over the Internet. The e-mail directs the user to a Web site where they are prompted to provide private information, such as credit card and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.
Vulnerability refers to the extent to which a system is prone to attack from a hacker.
Soft intrusion is a fictitious answer.
32. Viruses, worms, and Trojan horses are all harmful pieces of software. The way they differ is in how they infect computers and spread.
Virus: A computer virus attaches itself to a program or file so it can spread from one computer to another. Almost all viruses are attached to an executable file, and a virus cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going.
Worm: Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. The danger with a worm is its capability to replicate itself. Unlike a virus, which sends out a single infection at a time, a worm could send out hundreds or thousands of copies of itself, creating a hugely devastating effect.
Trojan Horse: The Trojan Horse at first glance appears to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because it appears to be legitimate software or a file from a legitimate source.
33. Phishing is the practice of enticing unsuspecting Internet users to a fake Web site by using authentic-looking email with the legitimate organization's name, in an attempt to steal passwords, financial or personal information, or introduce a virus attack.
34. Simple Mail Transfer Protocol (SMTP), the main protocol used when sending email, does not include a way to authenticate where the email message originated. However, each mail server inserts a Received: header at the top of every email message it handles. This gives us a message's route, making it possible to determine the origin of the message. Email attachments from spammers usually contain malware, and one should never open such attachments.
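Reading the route out of the Received: headers is a short parsing job: each relay prepends its own line, so the bottom-most header is the first hop and the top-most is the last. The following is an added example, not part of the original text; the message, host names and addresses are constructed (documentation ranges) and the regular expression only extracts the "from ... by ..." pair that the text describes.

```python
import email
import re

# Constructed sample message; hosts and addresses are from documentation ranges
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.com with ESMTP id abc123; Tue, 01 Jan 2030 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id def456; Tue, 01 Jan 2030 10:00:02 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby relay.example.net with SMTP id ghi789; Tue, 01 Jan 2030 10:00:01 +0000
From: someone@example.net
To: user@example.com
Subject: test

body
"""

# "from <host> ... by <host>"; DOTALL because the header is folded over two lines
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?by\s+(?P<by>\S+)", re.DOTALL)


def trace_route(raw: str) -> list:
    """Return (from, by) hops in transmission order, origin first.
    Servers prepend their Received: line, so the header list is reversed."""
    msg = email.message_from_string(raw)
    headers = msg.get_all("Received") or []
    hops = []
    for header in reversed(headers):
        match = HOP_RE.search(header)
        if match:
            hops.append((match.group("from"), match.group("by")))
    return hops


def origin(raw: str) -> str:
    """The 'from' of the earliest hop; empty string if there are no Received: headers."""
    hops = trace_route(raw)
    return hops[0][0] if hops else ""


if __name__ == "__main__":
    for sender, receiver in trace_route(SAMPLE):
        print(f"{sender} -> {receiver}")
    print("origin:", origin(SAMPLE))
```

The caveat that follows from the text's first sentence: because SMTP does not authenticate origin, only the Received: lines added by servers you control can be trusted; lines below them were supplied by the sending side and may have been written by the spammer.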
35. A client authenticating itself to a server and that server authenticating itself to the client in such a way that both parties are assured of the others' identity is known as mutual or two-way authentication.
36. Zombies are malware that put a computer under the control of a hacker. Hackers use zombies to launch DoS or DDoS attacks. The hacker infects several other computers through the zombie computer. Then the hacker sends commands to the zombie, which in turn sends the commands to the slave computers. The zombie, along with the slave computers, starts pushing an enormous amount of useless data to the target computer, making it unable to serve its legitimate purpose. This type of attack is known as a DDoS attack.
37. Kerberos uses port 88 by default. FTP uses port 21, https uses port 443, and SNMP uses port 161.
38. Any business continuity planning should preferably include the following:
a. Redundant network connectivity
b. Clustering
c. Fault tolerance using RAID or a similar technique
d. Facilities management
39. Security policy planning should include the following:
a. Due care: acting responsibly and doing the right thing.
b. Privacy: letting the employees and administrators know of the privacy issues.
c. Separation of duties.
d. Need to know: providing employees only the information required to perform their role or duties.
e. Password management: auditing the passwords.
f. Disposal and destruction.
g. Human rights policies, and
h. Incident response: should take care of the response to an act.
40. There are five types of extinguishers:
a. Water
b. Dry chemical
c. Halon
d. Carbon dioxide
e. Foam
Water is used with Class A fires. Regular dry chemical extinguishers have a sodium bicarbonate base and are effective on Class B and C fires. Carbon dioxide extinguishers are used primarily on Class C fires and are also effective on Class B fires. Halon extinguishers are best used on Class B or C fires. Foam extinguishers are less commonly used.
Oxygen and Nitro acid are fictitious answers.