Host-Based Intrusion Detection Systems (HIDS), Exams of Computer Science

Host-based intrusion detection systems (HIDS) are software products deployed directly on a computer that analyze system event logs and use signature matching to flag suspicious activity. Unlike a network-based IDS, a HIDS monitors the internal activity of a specific host rather than network traffic, so it can detect intrusion attempts a network-based IDS may miss, such as unauthorized access to local files or processes. It adds a layer of security by watching the host itself for signs of compromise, and it complements other controls such as firewalls, antivirus software, and file integrity monitoring. By analyzing system logs and events, a HIDS helps security teams identify and respond to potential threats in a timely manner, reducing the risk of successful attacks and data breaches.

Typology: Exams

2024/2025

Available from 09/28/2024

exam-hut
SANS 401 Practice Exam
Certified for High Academic Standards. Designed for Achievement in Every Exam. Customized for Top Academic Performance. Curated by Global Experts.
A file is classified as "Secret" and can only be accessed by a user that has "Clearance Level B". Which type of access control is this?
Role-based Access Control - Mandatory Access Control - Ruleset-based Access Control - Discretionary Access Control
INCORRECT ON PT - - correct ans- - Mandatory Access Control
( Explanation ) Mandatory access controls (MAC) are set by the system and cannot be overwritten by the administrator. MAC requires a lot of work to maintain because all data has a classification and all users have a clearance. Users must have the appropriate clearance to access data classified a certain way. Users cannot give their clearance to another person. In this case the data's classification is "Secret" and the user's clearance must be "Level B" to access the file.

What term describes software products deployed directly on a computer that analyze system event logs and use signature matching to flag suspicious activity?
Network based IDS - Antivirus scanner - Host based IDS - File integrity monitors - - correct ans- - Host based IDS
( Explanation )

Instead of analyzing network traffic, host-based sensors (or host IDS) analyze the event logs from one or several hosts. By watching event logs, host-based sensors are able to catch some intrusion attempts that network-based intrusion detection would miss. Network-based sensors, antivirus software, and file integrity monitors do not check system event logs by definition.

Why is the job of analyzing Network Intrusion Detection System (NIDS) logs more difficult than analyzing firewall logs?
NIDS logs do not use standard syslog format - NIDS only creates Out-of-Baseline events - NIDS produces false positives - NIDS time signatures do not correlate with other device signatures - - correct ans- - NIDS produces false positives
( Explanation ) Reviewing Network IDS logs is extremely useful but is often a frustrating task because NIDSs sometimes produce false positives. Still, NIDS log analysis often comes second only to firewall log analysis; the value of such information for security is undeniable, and the logs can in most cases be easily centralized for analysis. A NIDS may or may not use syslog format, but collectors (or their pre-processors) normalize the logging differences of the logs they aggregate. In situations where correlation is important, the time difference between a NIDS and another system is trivial in nearly all circumstances. Once properly tuned, a NIDS produces routine, known bad, and out-of-baseline events.

Which class of Windows Operating Systems are commonly referred to as "Windows IOT"?
Windows Embedded - Windows Ultimate - Windows Client - Windows Server - - correct ans- - Windows Embedded
( Explanation ) The Windows Embedded class is commonly referred to as Windows IOT.

Which description below is an example of an external threat to Acme Corporation?
An Acme employee contracted to another company logging into Acme from a PC at the other company - A visitor to Acme who attempts to connect to Acme's enterprise network - A buggy software update that an Acme sys admin applied to an Acme server - An Acme employee returning from lunch and plugging in a USB drive she found
INCORRECT ON PT - - correct ans- - A visitor to Acme who attempts to connect to Acme's enterprise network
( Explanation ) The visitor attempting to access enterprise WiFi is the external threat. The other examples are insiders taking an action that poses a threat to Acme's information.

Creating a file that has no legitimate purpose with a specific string embedded, along with a corresponding IDS rule to detect this string, is an example of what type of mechanism?
Building malicious payloads to be used for 'hack back' campaigns - Establishing a baseline for which to compare future attacks - Creating canaries to slow down an adversary - Utilizing a honeytoken for detection of data exfiltration - - correct ans- - Utilizing a honeytoken for detection of data exfiltration
( Explanation ) A honeytoken is a file placed on the production system that is designed to look legitimate but does not have any true value. Embedding a specific string inside a honeytoken that can be detected by an intrusion detection system is a great way to detect attempted data exfiltration. With the rule in place, when the file attempts to traverse the IDS, it would immediately be detected. If this is implemented in an IPS, the connection could be closed automatically and the IP blocked.

Which of the following statements best describes where a border router is normally placed?
Between your ISP and your external firewall - Between your firewall and your internal network - Between your ISP and DNS server - Between your firewall and DNS server - - correct ans- - Between your ISP and your external firewall
( Explanation ) A border router is normally placed between our Internet Service Provider (ISP) and our firewall.

Which of the following Linux commands can change both the username and groupname a file belongs to?
chown - chgrp - newgrp - chmod - - correct ans- - chown
( Explanation ) The chown command can also be run to change both the user ownership and group ownership at the same time. For example, to change the owner of the document 'file.txt' to the user 'jdoe' and the group to 'marketing', you can issue this command: chown jdoe:marketing file.txt

You are asked by your manager to run a vulnerability scan against the engineering department's network. What should you ensure you have before performing any scanning activity?
Previous Scan Results - Commercial Vulnerability Scanner - Written Permission - Wireless Internet Scans - Root Access to Systems - - correct ans- - Written Permission

The ls command in Linux lists files and directory contents. The file command is used to describe what type of data is in a file. The cd command is used to change directories. The du command is used to describe how much space a file or directory takes. The ln command is used to create a shortcut.

An organization is worried about malicious or unauthorized software being run on their network. What solution should they implement for the best security?
VLANs - Blacklisting - Firewalls - Whitelisting - - correct ans- - Whitelisting
( Explanation ) Whitelisting would be the best solution because it would ensure that only acceptable and authorized applications are being run. While blacklisting would accomplish this, it would only disallow specific applications; programs or code not known to the blacklisting software would not be blocked. Firewalls can prevent unauthorized traffic from entering and leaving the network, but cannot prevent software from running on endpoints. VLANs don't stop software from being run.

Which of the following would be a valid reason to use a Windows workgroup?
Consistent permissions and rights - Simplicity of single sign-on - Lower initial cost - Centralized control
INCORRECT ON PT - - correct ans- - Lower initial cost
( Explanation ) Workgroups do have lower initial costs. Disadvantages include no centralized control, difficulties with implementing single sign-on, and no consistent permissions and rights.

When the last command is run without any arguments, as shown in the image, what log file is it displaying?
utmp - wtmp - btmp - syslog - - correct ans- - wtmp
( Explanation ) When you run last with no arguments, you will see the output of the wtmp log file. The last command, however, can read from utmp, wtmp, and btmp. Running the command last by itself will give you who logged in, when they logged in, and when they logged out, among other useful info, and it is historical data. If you pass the last command the -f switch, you can also tell last to read from the utmp or the btmp file.

What is hashed to compute the IPSec Authentication Header's Integrity Check Value?
Sender's public key - Source and destination addresses - Every field in the packet - Every field in the packet that will not change during transit - - correct ans- - Every field in the packet that will not change during transit
( Explanation ) The IPSec Authentication Header adds a keyed hash of the message to the packet. This hash is referred to as the Integrity Check Value (ICV). In the ICV computation, AH includes every field that does not change during its trip from source to destination. This includes the source address, destination address, length, and the data. This information is inserted into the packet after the regular IP header, but before the data.

Which of the following is supported for multi-factor authentication on Microsoft Azure AD?
RSA Token - Smart Card - Retinal Scan - SMS PIN

Twofish - 3DES - RC6 - Rijndael - - correct ans- - Rijndael
( Explanation ) NIST selected the five AES finalists on August 9, 1999. In October 2000, Rijndael was announced as the winner and was approved as the official AES cipher.

Which of the following event classification types occurs when an activity is malicious but an alert is not generated by the Intrusion Detection System?
False negative - False positive - True positive - True negative - - correct ans- - False negative
( Explanation ) A true positive is when the Intrusion Detection System (IDS) worked as intended and correctly flagged malicious activity as anomalous. A false positive is where the IDS generates an alert flagging benign activity as hostile. A true negative event is where activity is known to be benign and no alert is generated. A false negative event is when the IDS identifies data as benign when in fact it was malicious.

Which of the following is a characteristic of a Windows NT File System (NTFS)?
Permissions on a file or folder are not enforced when that object is accessed using FTP - The CHKDSK.EXE program is run automatically after a power failure or Blue Screen of Death - The driver does not provide compression on the file system, a separate application is required - Allow permissions take precedence over Deny permissions on a file or folder
INCORRECT ON PT - - correct ans- - The CHKDSK.EXE program is run automatically after a power failure or Blue Screen of Death

( Explanation ) NTFS uses transaction-oriented processing on write operations to keep the file system in a consistent state, even after a power failure or Blue Screen of Death. In these cases, the system runs chkdsk.exe when the machine reboots. If a user is a member of two groups with conflicting permissions on a file or folder, DENY always takes precedence over ALLOW. On NTFS, file and folder permissions are always enforced by the operating system regardless of how the file is accessed. Compression is provided by the NTFS driver; no third-party application is required.

In PKI, when someone wants to verify that the certificate is valid, what do they use to decrypt the signature?
Secret passphrase - CA's public key - CA's private key - X.509 certificate - Receiver's digital signature - - correct ans- - CA's public key
( Explanation ) When using PKI, an individual's digital certificate is signed by the Certificate Authority's (CA) private key. When someone wants to verify that the certificate is valid, they use the CA's public key to decrypt the signature. If it decrypts successfully, they know that the CA issued the certificate.

What would an Active Directory administrator use to create large, corporate e-mail lists?
Distribution group - DNS zone file - Security group - DNS record - - correct ans- - Distribution group
( Explanation ) To create a Global or Universal group in Active Directory, open the Active Directory Users and Computers tool > right-click any Organizational Unit > New > Group. You can create a Domain Local, Global or Universal group this way. Each group can be marked as either a distribution or security group; for example, a Global distribution group is not the same thing

Decloak - Beartrap - Tarpits - Artillery - Honey Badger - - correct ans- - Tarpits
( Explanation ) Tarpits is the process of reducing the TCP window size to a small value so that very little data can be passed between the hosts. Under certain conditions, this could cause an attacker's machine to have to keep ports open and thereby use up resources maintaining the connection(s). Beartrap opens up false ports on a system, and can block hosts that try to access those ports. Artillery can monitor systems and give early warning of attack attempts. Honey Badger attempts to determine the physical location of an attacker by running a Java applet on his machine. Decloak attempts to find an attacker's real IP address.

Terminal Services and Remote Desktop BOTH rely on which protocol?
Terminal Desktop Protocol (TDP) - Remote Desktop Protocol (RDP) - Terminal Services Protocol (TSP) - Remote Services Protocol (RSP) - - correct ans- - Remote Desktop Protocol (RDP)
( Explanation ) Terminal Services and Remote Desktop both use the Remote Desktop Protocol (RDP) on Transmission Control Protocol (TCP) port 3389.

Which of the following is a characteristic of a cookie?
Can keep track of user authentication data and application session state - Set when the browser adds the set-cookie header to one of its requests - Can contain data which the web server searched for and found on the user's hard drive - Editable by users when stored on the hard drive, but not when residing in memory - Sent using SSL when the browser initially sets the optional secure flag - - correct ans- - Can keep track of user authentication data and application session state
( Explanation ) Cookies normally keep track of user authentication data and the session state of the application. They are set when the server adds the set-cookie header to one of its responses. The web server does not search a client's hard drive to find information to put into cookies; the user provides the web server with that type of information. The server can set an optional secure flag on a cookie to notify the browser to send it only over SSL. Cookies can be edited when they are on the hard drive, or in memory using a proxy like Paros or ZAP.

Which of the following is BEST known for its encryption capabilities, but can also be used for static packet filtering?
Secure Socket Layer (SSL) - Transport Layer Security (TLS) - Point-to-Point Tunneling Protocol (PPTP) - Internet Protocol Security (IPSec) - - correct ans- - Internet Protocol Security (IPSec)
( Explanation ) IPSec is best known for its encryption capabilities, but it can also be used for static packet filtering.

A security analyst is preparing a vulnerability assessment against her organization's network. Which is the appropriate first step?
Configure the scanning tool for passive activity - Get a network diagram from the administrator - Get signed permission from the data owner - Determine which hosts are in-scope for the scan - - correct ans- - Get signed permission from the data owner
( Explanation )

An encryption method's strength is determined mathematically, not by sampling data. A session ID simply tracks a user's web session, providing "state" to the stateless HTTP protocol; no personal information is associated with a session ID. If two users happened to share the same session ID, the website would treat both sessions as the same session. Websites protect against this mistake by verifying that a session ID value is not currently in use before issuing it for a new session.

What information would an attacker need to carry out a TCP RST attack?
Routing table for the router - Source and target port numbers - Router admin account and password - Target host MAC address - - correct ans- - Source and target port numbers
( Explanation ) To carry out a TCP RST attack, an attacker would need to sniff packets exchanged between two hosts and determine the source and destination IP addresses, source and destination ports, and the changing sequence number. Then he could craft a packet with the Reset flag set by spoofing the original source port, IP address, and sequence number to make the target system think the original source wanted to end the conversation. An attacker with administrative access to a router would not be able to craft and inject packets into an ongoing TCP conversation. The TCP protocol does not include the MAC address. A routing table is used by a router to determine where to send packets based on IP addresses.

Which of the following is necessary to detect unusual events through log correlation for the devices in an organization?
Understanding the normal network traffic and host activity for the organization - Triggering for incident response team activation when anomalies are detected - Visualization software for the combined system log files for the organization - Methodology for rotating and hashing central log files to prevent tampering - - correct ans- - Understanding the normal network traffic and host activity for the organization
( Explanation )

You first want to establish a baseline (what does the system look like under normal load?). This gives you something to compare to as utilization grows or when problems or incidents occur.

Which of the following is one of the steps a HIDS performs when using FIC to assure file integrity?
Scan the network for recently backed up files - Alert on any files where the hashes no longer match - Confirm cryptographic hashes can be modified - Perform backups of specified files at set intervals - - correct ans- - Alert on any files where the hashes no longer match
( Explanation ) Steps performed by file integrity checking:

  1. Define a list of files to check
  2. Perform a cryptographic hash of those files
  3. Store those files in a secure location
  4. Confirm cryptographic hashes CANNOT be modified
  5. At SET intervals, rerun cryptographic hashes on the specified files
  6. Compare the new hashes against the original
  7. Alert on any files where the hashes no longer match
  8. Optional: Alert on new files within a certain directory

One of the steps a HIDS using file integrity checking performs is alerting on any files where the hashes no longer match. A certain directory may be scanned for new files; however, the network is not scanned for recently backed up files. File integrity checking confirms the cryptographic hashes cannot be modified and reruns cryptographic hashes of specified files at set intervals; it does not perform backups of specified files.
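The file integrity checking steps above, carried out in code as an added example (not part of the practice exam): it baselines a constructed set of files, guards the stored hashes with a digest so a modified store is refused, rehashes, and alerts on modified, missing and new files. All paths and file contents are constructed for the demo.

```python
"""File integrity checking as a HIDS performs it: hash a defined list of files,
keep the hashes somewhere the checker trusts, rehash on a schedule and alert on
mismatches (optionally also on new files in a watched directory).
Added example, not from the practice exam; all file names are constructed."""
import hashlib
import json
import os
import tempfile

def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(files) -> dict:
    """Steps 1-2: define the file list and record a cryptographic hash of each."""
    return {p: hash_file(p) for p in files}

def store_baseline(baseline: dict, store_path: str) -> str:
    """Steps 3-4: persist the baseline and return a digest of the stored bytes.
    The digest lets the checker notice a modified store; keeping the store
    off-host or on read-only media is what actually prevents modification."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    with open(store_path, "wb") as f:
        f.write(blob)
    return hashlib.sha256(blob).hexdigest()

def load_baseline(store_path: str, expected_digest: str) -> dict:
    """Refuse to use a baseline whose stored bytes no longer match the digest."""
    with open(store_path, "rb") as f:
        blob = f.read()
    if hashlib.sha256(blob).hexdigest() != expected_digest:
        raise RuntimeError("baseline store was modified; refusing to trust it")
    return json.loads(blob)

def check_integrity(baseline: dict, watch_dir: str = "") -> list:
    """Steps 5-8: rehash, compare and return (alert_type, path) pairs."""
    alerts = []
    for path, old in baseline.items():
        if not os.path.exists(path):
            alerts.append(("missing", path))
        elif hash_file(path) != old:
            alerts.append(("modified", path))
    if watch_dir:  # optional step 8: anything in the directory not in the baseline
        for name in sorted(os.listdir(watch_dir)):
            p = os.path.join(watch_dir, name)
            if os.path.isfile(p) and p not in baseline:
                alerts.append(("new", p))
    return alerts

def demo() -> list:
    """Constructed scenario: baseline two config files, then tamper with one
    and drop an unexpected file into the watched directory."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    passwd, sshd = os.path.join(etc, "passwd"), os.path.join(etc, "sshd_config")
    for p, text in ((passwd, "root:x:0:0\n"), (sshd, "PermitRootLogin no\n")):
        with open(p, "w") as f:
            f.write(text)
    store = os.path.join(root, "baseline.json")  # outside the watched directory
    digest = store_baseline(build_baseline([passwd, sshd]), store)
    with open(sshd, "a") as f:  # simulated tampering with a watched file
        f.write("PermitRootLogin yes\n")
    with open(os.path.join(etc, "implant.so"), "wb") as f:  # simulated new file
        f.write(b"\x7fELF")
    return check_integrity(load_baseline(store, digest), watch_dir=etc)

if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind}: {path}")
```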

( Explanation ) To disable a service such as telnet on a Linux system running the xinetd daemon, the administrator would set the disable parameter to "no" in the /etc/xinetd.d/telnet file, then restart the xinetd daemon. The netstat utility is a command-line tool for displaying network connections. The lsof program lists open files and the processes that opened those files. The /etc/inittab file defines what services are started at a specific run level; it is not used to manage specific services. Stopping the init daemon would crash the system.

A user of a corporate network is accessing the Internet to check her email on her corporate notebook from an open wireless access point in a library. Against which attack will SSL provide protection?
A PDF is attached to an email message and executes malicious code - An attacker captures network traffic and reads the email messages - An attacker connects a USB to the notebook which copies files from the disk - A packet sniffing program on her notebook is recording network traffic - - correct ans- - An attacker captures network traffic and reads the email messages
( Explanation ) Although SSL encryption can help keep a third party from snooping on a session, it does nothing to prevent an attacker from playing around with a session she has already established. SSL also does nothing to prevent manipulating user input, which includes cross-site scripting and SQL injection, since the HTML is still clear text on the client end and therefore can be modified.

Which of the following is characteristic of a procedure?
Addresses the what to do - Sets a starting point - Presents a recommendation - Addresses the how to do it - - correct ans- - Addresses the how to do it
( Explanation )

Procedures address the HOW to do it; are referenced when having trouble following the policy; are detailed and step by step; and are tactical. Policies address the WHAT to do; are read cover to cover; are concise and focused; and are strategic (high level). Guidelines present a recommendation, as they are neither binding nor enforceable. Baselines set a starting point for comparison. Procedures are derived from policies; if you can characterize the procedures you follow (and you should be able to do that easily), then you can derive the parent policy. This is true even if it has not yet been written and signed. By walking through the who, what, when, where, and why, the parent policy is derived from an understanding of the procedure.

An attacker gets a SYN/ACK from all ports. What could be the cause of this?
- - correct ans- - A network device with decoy ports
( Explanation ) An implementation of active defense would be to set up decoy ports on network devices that, instead of responding with a RST packet for ports that are not open, respond with a SYN/ACK to any requests aimed at them. This can significantly slow down an attacker, as not only will their scan take longer to complete, but they will also have to vet each individual port to see if it actually is open.

Ralph, the network administrator, notices that there is a high volume of network traffic coming from a network printer. How does Ralph know there is a high volume of network traffic?
By looking at POP (Port 110) traffic that is coming from the network printer - By comparing current network traffic with normal network traffic - By understanding the configuration of the network printer devices - By running Netstat on the network printer to see what ports are open - - correct ans- - By comparing current network traffic with normal network traffic
( Explanation )