Cisco IINS 640-554 Part 2
Question | Answer |
---|---|
Which part of CIA is this definition: Information is accessible by authorized users when needed | Availability |
What is a security policy? | A document that describes the restrictions on member behavior and what information may be accessed by whom |
What is asset management? | Inventory and classification scheme for information assets |
What is access control? | Restriction of access rights to the organization's assets |
What does the compliance group do? | Ensuring conformance with information security policies, standards, and regulations |
Define Information Security Incident Mgmt | How to anticipate and respond to information security breaches |
Define the practice of risk assessment | Determine the quantitative and qualitative value of risk |
Define Business Continuity Mgmt (BC) or Disaster Recovery (DR) | Protection, maintenance and recovery of business-critical processes and systems |
What is the definition of a trojan? | An application written to look like something else. When it is opened it attacks the end-user computer from within |
What is the definition of a Worm? | Executes code which installs copies of itself in the memory of the infected computer, which in turn infects other hosts |
What is the definition of a payload as it applies to security? | Any malicious code that results in some action |
Define propagation mechanism. | The method by which the code replicates itself and locates new targets |
Define an enabling vulnerability: | A vulnerability on a system that the worm or virus exploits |
5 phases of attack in proper order (5 P's) | 1- Probe, 2- Penetrate, 3- Persist, 4- Propagate, 5- Paralyze |
Most attacks take advantage of what type of vulnerability? | Overflow of a fixed memory allocation size for a particular purpose (buffer overflow) |
True/False: Antivirus software will prevent viruses from entering the network. | False |
Define the theory of network containment: | Compartmentalization and segmentation of the network to slow down, stop, or prevent further infections. |
Define the practice of a quarantine: | Identifying and isolating infected machines within the contained areas. |
Define an Access attack: | Exploit known vulnerabilities to gain entry to web accounts, databases, etc. |
Define a Recon (Reconnaissance) attack: | Unauthorized mapping and discovery of systems, services, or vulnerabilities. |
Define a DoS (Denial of Service) attack: | Send extremely large numbers of requests, slowing or crashing a device or service. |
Define the methods of performing a Reconnaissance Attack: | Ping sweep, port scan, packet sniffer, Internet information queries |
Define the methods of performing an Access Attack / Active attack: | Password Attack, Man-in-the-Middle, TCP SYN flood, Smurf Attack, Poisonous Packet (ARP poisoning), Continuous Stream of Packets, Trust exploitation, Port Redirection, Buffer Overflow |
List a few ways to combat recon attacks: | Use Authentication, Use anti-sniffer tools |
List a few ways to combat access attacks: | Minimize trust relationships, use strong passwords |
List a few ways to prevent DoS attacks: | Implement QoS and traffic policing, anti-spoofing techniques |
Name the primary mitigation for recon and access attacks: | Encryption |
Define the concept of Defense-in-Depth | A router does a preliminary screening and passes external traffic to a firewall for verification before it reaches LAN |
Define what the concept of a DMZ is: | An org has an internal LAN, external connection, and a third zone where servers are housed that are to be accessed by external traffic |
What is Router hardening? | Eliminate abuse of unused services and connections |
How does one apply Physical Security in a networking environment? | Place device in secure location only accessible to authorized people |
Define the concept of Out of band management: | Devices are managed using a separate network from production traffic |
Which router access methods do not require a password by default (bare metal / new out of the box)? | Privileged mode, console, Telnet sessions |
What is the Local DB on a Cisco device? | List of valid usernames and passwords on a Cisco device |
List some facts about SSH: | Requires configuration of a domain name. Uses port 22. Version 2 requires a 1024-bit crypto key (easily generated by turning on HTTPS) |
True/False: A user having privilege level 10 can execute commands that are defined for level 8? | TRUE. Levels are downwardly inclusive (i.e., everything below the level a user is at is included) |
True/False: A CLI view contains only commands, while a Superview contains only other views? | TRUE. A superview is like an LDAP/X.500 OU, in a sense. |
True/False: A person must be in root view to create a view | True. AAA must also be enabled. |
What happens when "no service password-recovery" is issued? | Access to ROMMON mode is disabled, removing the ability to reset the password. The only recovery is completely wiping the config (not recovering the password, but a true 100% write erase) |
List the types of syslog events in order of severity: | Emergencies, Alerts, Critical, Warnings, Notifications, Informational, Debugging |
What is the phrase to remember syslog severity ratings? | Every Alligator Consumes Wheaties Near Its Den |
Which SNMP command is the equivalent of having the enable secret password? | SET |
What is the best way to set multiple devices' time source? | NTP server and make network devices clients. |
What port and protocol does NTP use? | UDP port 123 |
What services are turned off as a best practice on a bare-metal Cisco device (usually new devices)? | SNMP, Finger, DNS, Gratuitous ARP (GARP), TCP and UDP minor services |
Which part of AAA answers the question "What did you do?" | Accounting |
Which part of AAA answers the question "Who are you?" | Authentication. |
Which part of AAA answers the question "What can you do?" | Authorization. |
What type of system stores usernames and passwords on a centralized server location and has access from multiple devices? | Server-Based AAA Authentication. |
What is a locally located username and password database called? | Local AAA |
What is the max number of auth methods permitted when using AAA? | 4 |
True/False: If a system has 2 AAA authorization methods configured and the user is denied access by the first method checked, it will see if the other one permits it? | False. AAA, and security in general, always chooses the least permissive role set. |
An admin issues aaa new-model but no other AAA commands. A local username has been set; which type of login will require a password? | All except the console. |
What is a primary difference between the "aaa local authentication attempts max-fail" and the "login delay" commands? | The aaa command locks the user out until the admin releases the account, whereas login delay does not require intervention. |
Which AAA method is this: Entire packet is encrypted. | TACACS+. The primary reason for using TACACS+ is encryption over TCP. |
Which AAA method is this: router command auth per-user or per-group. | TACACS+ |
Which AAA method is this: separates all components of AAA | TACACS+ |
Which AAA method is this: TCP port 49. | TACACS+. Remember that TACACS+ runs over TCP, so delivery is guaranteed and it is bidirectional by design. |
Which AAA method is this: Bidirectional challenge and response. | TACACS+. Remember that TACACS+ runs over TCP, so delivery is guaranteed and it is bidirectional by design. |
Which AAA method is this: Primarily Cisco supported. | TACACS+ |
Which AAA method is this: Limited accounting (historically). | TACACS+ |
Which AAA method is this: Unidirectional server challenge response. | RADIUS |
Which AAA method is this: Supports 802.1x and SIP. | RADIUS |
Which AAA method is this: Uses port 1645 or 1812 for authorization. | RADIUS |
Which AAA method is this: Combines authentication and authorization, separates accounting. | RADIUS |
Which AAA method is this: Only the password is encrypted. | RADIUS |
Which AAA method is this: UDP port 1646 or 1813 for accounting. | RADIUS |
Which AAA method is this: Extensive accounting. | RADIUS |
Cisco's AAA server is called... | Cisco Secure ACS. But everyone refers to it as simply 'ACS'. |
ACLs numbered 1 - 99 are what type, and what do they filter on? | Standard; makes decisions based on source IP address. |
ACLs numbered 100 - 199 are what type, and what do they filter on? | Extended; makes decisions based on source or destination IP address or port number. Much more flexible; almost all modern ACLs are of this type. |
ACLs numbered 700 - 799 are what type, and what do they filter on? | Makes decisions based on source MAC address |
Which ACLs do not affect packets whose source is the router itself? | Trick question. Neither standard nor extended ACLs affect packets sourced from the router's own IP address and/or ports. |
Which ACLs should be applied closest to the destination? | Standard ACLs. |
Which ACLs should be applied closest to the source? | Extended ACLs. |
A good use for Nmap is to... | Identify open ports on a device. |
What is a CLI command to view the number of packets matching a given ACL entry: | sh ip access-list |
It can be used only on extended access lists and is meant to block Internet traffic except replies to TCP traffic initiated inside. | The TCP keyword "established". |
This type of ACL adds temporary ACL entries (ACEs) into an extended ACL that has been applied to an external interface, based on a match of an ACE with a reflect parameter, for any type of IP traffic. | Reflexive ACL. |
The purpose of using an access list number on the debug ip packet command is to... | limit the packets displayed and reduce usage of system resources. |