Chapter 2
Understanding Security Threats

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • 1.2 Common security threats
    • Identify common network attacks
    • Describe social engineering
    • Identify malware
    • Classify the vectors of data loss/exfiltration

To secure a network, you must have a clear understanding of the threats that the network faces. These threats come from all sorts of sources and have a variety of goals. In this chapter, you will continue your investigation of common security threats and their associated threat vectors.

In this chapter, you will learn the following:

  • Common security threats

Common Network Attacks

While new attacks and new motivations for those attacks seem to be arriving almost daily, there are some common attacks and common motivations for those attacks. In this chapter, you’ll first learn about common motivations for attacks and common attack vectors that are simply various ways in which the attacks are implemented. Following that, you’ll learn about some specific attacks that are quite common.

Motivations

Hackers hack for many different reasons. When you really get down to it, they want one of four things:

  • Financial gain
  • Disruption
  • Geopolitical change
  • Notoriety

The Federal Bureau of Investigation (FBI) has identified three categories of threat actors.

  • Organized crime groups primarily threatening the financial services sector and expanding the scope of their attacks
  • State sponsors, usually foreign governments, interested in pilfering data, including intellectual property and research and development data from major manufacturers, government agencies, and defense contractors
  • Terrorist groups that want to impact countries by using the Internet and other networks to disrupt or harm the viability of our way of life by damaging our critical infrastructure

While there are other less organized groups out there, these three groups are considered to be the primary threat actors by law enforcement. However, organizations should not totally disregard the threat of any threat actors that fall outside these three categories. Lone actors or smaller groups that use hacking as a means to discover and exploit any discovered vulnerability can cause damage just like the larger, more organized groups.

Hacktivists This includes those who hack not for personal gain but to further a cause. An example is the Anonymous group that hacks from time to time for various political reasons.

Thrill hackers These guys do it for the notoriety. They deface websites and brag about their conquests to their fellow thrill hackers on websites where they share tools and methods.

Hacker and cracker are two terms that are often used interchangeably in media but do not actually have the same meaning. Hackers are individuals who attempt to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or commit crimes. Crackers, on the other hand, are individuals who attempt to break into secure systems without using the knowledge gained for any nefarious purposes.

In the security world, the terms white hat, gray hat, and black hat are more easily understood and less often confused than the terms hackers and crackers. A white hat does not have any malicious intent. A black hat has malicious intent. A gray hat is considered somewhere in the middle of the two. A gray hat will break into a system, notify the administrator of the security hole, and offer to fix the security issues for a fee.

Classifying Attack Vectors

After assets have been classified with regard to sensitivity and criticality (see Chapter 1), the next step is to identify threats. When determining vulnerabilities and threats to an asset, considering the threat agents first is often easiest. Threat agents can be grouped into the following six categories:

  • Human includes both malicious and nonmalicious insiders and outsiders, terrorists, spies, and terminated personnel.
  • Natural includes floods, fires, tornadoes, hurricanes, earthquakes, or other natural disaster or weather event.
  • Technical includes hardware and software failure, malicious code, and new technologies.
  • Physical includes CCTV issues, perimeter measures failure, and biometric failure.
  • Operational includes any process or procedure that can affect CIA.

Examples of the threat actors include both internal and external actors and include the following:

  • Internal actors
    • Reckless employee
    • Untrained employee
    • Partner
    • Disgruntled employee
    • Internal spy
    • Government spy
    • Vendor
    • Thief
  • External actors
    • Anarchist
    • Competitor
    • Corrupt government official
    • Data miner
    • Government cyber warrior
    • Irrational individual
    • Legal adversary
    • Mobster
    • Activist
    • Terrorist
    • Vandal

Spoofing

Spoofing, also referred to as masquerading, occurs when communication from an attacker appears to come from trusted sources. The goal of this type of attack is to obtain access by pretending to be that trusted source. Spoofing can be attempted based on the following:

  • IP addresses
  • MAC addresses
  • Email addresses

Let’s look at each one of these types of spoofing.

IP Address Spoofing

IP address spoofing is one of the techniques used by hackers to hide their trail or to masquerade as another computer. The hacker alters the IP address as it appears in the packet. This can sometimes allow the packet to get through an ACL that is based on IP addresses. It also can be used to make a connection to a system that trusts only certain IP addresses or ranges of IP addresses.

MAC Address Spoofing

MAC addresses can also be spoofed and used to get through MAC address filters. These filters are typically applied to control access to wireless access points at layer 2. They can also be used to impersonate another device connected to the same switch. In that scenario, it enables the impersonating device to receive traffic intended for the legitimate device. In Chapters 4 and 5 you will learn about methods to prevent these switch-based attacks.

Email Spoofing

Email spoofing is the process of sending an email that appears to come from one source when it really comes from another. It is made possible by altering the fields of email headers such as From, Return Path, and Reply-to. Its purpose is to convince the receiver to trust the message and reply to it with some sensitive information that the receiver would not have shared unless it was a trusted message.

Often this is one step in an attack designed to harvest usernames and passwords for banking or financial sites. This attack can be mitigated in several ways. One is SMTP authentication, which, when enabled, disallows the sending of an email by a user who cannot authenticate with the sending server.

Another possible mitigation technique is to implement the Sender Policy Framework (SPF). SPF is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If it can’t be validated, it is not delivered to the recipient’s box.
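The SPF check described above, as an added example that is not from the book: a receiving mail server looks up the sending domain's SPF record and tests the connecting IP against the published mechanisms. The DNS lookup is replaced here by a constructed in-memory table so the code runs offline; the domains, addresses, and record contents are made up for illustration, and only the ip4, ip6, and all mechanisms are handled.

```python
"""Minimal SPF (Sender Policy Framework) evaluation.

Added example, not code from the book. DNS is replaced by a constructed
dictionary so this runs offline; a real receiver queries the sending
domain's TXT record instead.
"""
import ipaddress

# Constructed stand-in for DNS TXT records: domain -> published SPF record.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.25 ~all",
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_ip: str, domain: str, txt=FAKE_DNS_TXT) -> str:
    """Return pass/fail/softfail/neutral/none for a sender IP and claimed domain.

    Only the ip4:, ip6: and all mechanisms are implemented (no include:, a:, mx:).
    """
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # domain publishes no policy; nothing to validate against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # malformed term; skip rather than fail open
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a matching mechanism


def should_deliver(sender_ip: str, domain: str) -> bool:
    """Policy from the text: a message that fails SPF validation is not delivered."""
    return evaluate_spf(sender_ip, domain) != "fail"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("203.0.113.5", "example.com"),
                    ("203.0.113.5", "example.org"), ("203.0.113.5", "unknown.test")]:
        verdict = "deliver" if should_deliver(ip, dom) else "reject"
        print(f"{ip:>14} claiming {dom:<13} -> {evaluate_spf(ip, dom):<8} {verdict}")
```

Note the difference between a hard fail (-all) and a soft fail (~all): only the former causes rejection in this model, while a domain with no record at all cannot be validated and is delivered, which is why publishing a record matters as much as checking one.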

Password Attacks

A password attack is one that attempts to discover user passwords. The two most popular password threats are dictionary attacks and brute-force attacks.

The best countermeasures against password threats are to implement complex password policies, require users to change passwords on a regular basis, employ account lockout policies, encrypt password files, and use password-cracking tools to discover weak passwords.

Dictionary Attack

A dictionary attack occurs when attackers use a dictionary of common words to discover passwords. An automated program uses the hash of the dictionary word and compares this hash value to entries in the system password file. Although the program comes with a dictionary, attackers also use extra dictionaries that are found on the Internet.

You should implement a security rule that says that a password must not be a word found in the dictionary to protect against these attacks.

Brute-Force Attack

Brute-force attacks are more difficult to carry out because they work through all possible combinations of numbers and characters. A brute-force attack is also referred to as an exhaustive attack. It carries out password searches until a correct password is found. These attacks are also very time-consuming.

Reconnaissance Attacks

Reconnaissance attacks are carried out to gather information about the organizational network as a prelude to a larger attack. It is also sometimes called fingerprinting the network. It is the first step that a penetration tester will take because it mimics the first step of a real attacker. There are several ways in which information can be gathered about the network topology. Let’s take a look at the three most common.

Ping Scans

Ping scans involve identifying the live hosts on a network or in a domain namespace. Nmap and other scanning tools (ScanLine, SuperScan) can be used for this. The scan records responses to pings sent to every address in the range. It can also be combined with a port scan by using the proper arguments to the command.

To execute this scan from nmap, the command is nmap -sP 192.168.0.0-100 (0-100 is the range of IP addresses to be scanned in the 192.168.0.0 network). Figure 2.1 shows an example of the output. All devices that are on will be listed. For each the MAC address will also be listed.


FIGURE 2.1 Ping scan with nmap

Port Scans

As operating systems have well-known vulnerabilities, so do common services. By determining the services that are running on a system, the attacker also discovers potential vulnerabilities of the service of which he may attempt to take advantage. This is typically done with port scans in which all “open” or “listening” ports are identified. Once again, the lion’s share of these issues will have been mitigated with the proper security patches, but that is not always the case, and it is not uncommon for security analysts to find that systems that are running vulnerable services are missing the relevant security patches. Consequently, when performing service discovery, patches should be checked on systems found to have open ports. It is also advisable to close any ports not required for the system to do its job.

Nmap is one of the most popular port scanning tools used today. By performing scans with certain flags set in the scan packets, security analysts (and hackers) can make certain assumptions based on the responses received. These flags are used to control the TCP connection process, so they are present only in those packets. Figure 2.2 shows a TCP header. The flags of which I speak are circled. Normally the flags that are “turned on” will be done as a result of the normal TCP process, but a hacker can craft packets with the flags checked that the hacker desires.

Table shows labels for source port, destination port, sequence number, acknowledgement number, data offset, reserved, window size, checksum, urgent pointer, options, and padding.

FIGURE 2.2 TCP header

These are the flags shown:

  • URG: Urgent pointer field significant
  • ACK: Acknowledgment field significant
  • PSH: Push function
  • RST: Reset the connection
  • SYN: Synchronize sequence numbers
  • FIN: No more data from sender


Nmap exploits weaknesses with three scan types.

  • A NULL scan is a series of TCP packets that contain a sequence number of 0 and no set flags. Because the NULL scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags. When this packet is sent, these responses are possible:
    • No response: The port is open on the target.
    • RST: The port is closed on the target.

  • Figure 2.3 shows the result of this scan using the command nmap -sN. Because there was no response, nmap cannot tell whether the port is actually open or whether a firewall is silently dropping the probes. That’s why the ports are listed as open/filtered.

FIGURE 2.3 NULL scan

  • A FIN scan sends packets with only the FIN bit set. When this packet is sent, these responses are possible.
    • No response: The port is open on the target.
    • RST/ACK: The port is closed on the target.

  • The following is sample output of this scan using the command nmap -sF. I added -v for verbose output. Again, because there was no response, nmap cannot tell whether the port is actually open or whether a firewall is silently dropping the probes. That’s why the ports are listed as open/filtered.

# nmap -sF -v 192.168.0.7
 
Starting nmap 3.81 at 2016-01-23 21:17 EDT
Initiating FIN Scan against 192.168.0.7 [1663 ports] at 21:17
The FIN Scan took 1.51s to scan 1663 total ports.
Host 192.168.0.7 appears to be up ... good.
Interesting ports on 192.168.0.7:
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
79/tcp   open|filtered finger
110/tcp  open|filtered pop3
111/tcp  open|filtered rpcbind
514/tcp  open|filtered shell
886/tcp  open|filtered unknown
2049/tcp open|filtered nfs
MAC Address: 00:03:47:6D:28:D7 (Intel)

Nmap finished: 1 IP address (1 host up) scanned in 2.276 seconds
               Raw packets sent: 1674 (66.9KB) | Rcvd: 1655 (76.1KB)

  • An XMAS scan sets the FIN, PSH, and URG flags. When this packet is sent, these responses are possible:
    • No response: The port is open on the target.
    • RST: The port is closed on the target.

  • Figure 2.4 shows the result of this scan using the command nmap -sX. Because there was no response, nmap cannot tell whether the port is actually open or whether a firewall is silently dropping the probes. That’s why the ports are listed as open/filtered.

FIGURE 2.4 XMAS scan

These three scans (NULL, FIN, and XMAS) all serve the same purpose (to discover open ports and ports blocked by a firewall) and differ only in the switch used. While there are many more scan types and attacks that can be launched with this tool, these scan types are commonly used during environmental reconnaissance testing to discover what the hacker might discover before the hacker does and take steps to close any gaps in security.
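The flag-based probes described above are just as visible to the defender as they are useful to the scanner, because a packet with no flags set, with FIN alone, or with FIN, PSH, and URG together never occurs in a normal TCP exchange. The following is an added example, not code from the book or from the Nmap project: it decodes the six flag bits from the TCP header shown in Figure 2.2 and classifies each header as a NULL, FIN, or XMAS probe, the way an intrusion detection rule or a capture-analysis script would. The sample headers are constructed in the block itself.

```python
"""Decode TCP header flags and classify NULL/FIN/XMAS scan probes.

Added example, not from the book. The 16-bit word at byte offset 12 of the
TCP header holds the data offset in its high nibble and the flag bits in its
low bits; the six flags listed in the text occupy bits 0-5.
Sample headers are constructed with build_header() for illustration only.
"""
import struct

# Bit positions of the six flags listed in the text.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_tcp_flags(header: bytes) -> set:
    """Return the set of flag names set in a TCP header of at least 20 bytes."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    # Source port, destination port, sequence, acknowledgment, offset/flags word.
    _src, _dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    flag_bits = off_flags & 0x003F  # keep only URG/ACK/PSH/RST/SYN/FIN
    return {name for name, bit in FLAGS.items() if flag_bits & bit}


def classify_probe(flags: set) -> str:
    """Name the scan type a flag combination corresponds to, or 'normal'."""
    if not flags:
        return "NULL scan"          # no flags at all: never legitimate
    if flags == {"FIN"}:
        return "FIN scan"           # FIN without ACK outside an open connection
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS scan"          # the three flags named in the text
    return "normal"


def build_header(src_port: int, dst_port: int, flags: set, seq: int = 0) -> bytes:
    """Constructed 20-byte TCP header used only to produce sample input."""
    flag_bits = sum(FLAGS[f] for f in flags)
    off_flags = (5 << 12) | flag_bits      # data offset 5 words = 20 bytes, no options
    window, checksum, urg_ptr = 65535, 0, 0
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, off_flags,
                       window, checksum, urg_ptr)


def scan_probes_in(headers) -> dict:
    """Count probe types over a batch of headers, e.g. pulled from a packet capture."""
    counts = {}
    for h in headers:
        kind = classify_probe(parse_tcp_flags(h))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: three scan probes and one ordinary connection request.
    sample = [
        build_header(40000, 22, set()),                   # NULL probe
        build_header(40001, 23, {"FIN"}),                 # FIN probe
        build_header(40002, 21, {"FIN", "PSH", "URG"}),   # XMAS probe
        build_header(40003, 80, {"SYN"}),                 # normal handshake start
    ]
    for h in sample:
        print(sorted(parse_tcp_flags(h)), "->", classify_probe(parse_tcp_flags(h)))
    print(scan_probes_in(sample))
```

A firewall that drops these probes rather than answering them is what produces the open|filtered verdict in the sample output above; logging the drops turns the same rule into a detection.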

OS Fingerprinting

Operating system fingerprinting is simply the process of using some method to determine the operating system running on a host or a server. Its value to the hacker is that by identifying the OS version and build number, common vulnerabilities of that operating system can be identified using readily available documentation from the Internet. While many of the issues will have been addressed in subsequent service packs and hotfixes, there might be zero-day weaknesses (those that have not been widely publicized or addressed by the vendor) the hacker may be able to leverage in the attack. Moreover, if any of the relevant security patches have not been applied, the weaknesses the patch was intended to address will exist on the machine. Therefore, the purpose of attempting OS fingerprinting during an assessment is to gauge the relative ease with which it can be done and to identify methods to make it more difficult.

Buffer Overflow

Buffers are portions of system memory that are used to store information. A buffer overflow is an attack that occurs when the amount of data that is submitted to a buffer is larger than the buffer can handle. Typically, this type of attack is possible because of poorly written application or operating system code. This can result in an injection of malicious code, primarily either a denial-of-service attack or a SQL injection.

To protect against this issue, organizations should ensure that all operating systems and applications are updated with the latest service packs and patches. In addition, programmers should properly test all applications to check for overflow conditions. Hackers can take advantage of this phenomenon by submitting too much data, which can cause an error or in some cases execute commands on the machine if the hacker can locate an area where commands can be executed. Not all attacks are designed to execute commands. An attack may just lock the computer as in a DoS attack.

With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten. The key to preventing many buffer overflow attacks is input validation, in which any input is checked for format and length before it is used. Buffer overflows and boundary errors (when input exceeds the boundaries allotted for the input) are a family of error conditions called input validation errors.

DoS

A denial-of-service (DoS) attack occurs when attackers flood a device with enough requests to degrade the performance of the targeted device. Some popular DoS attacks include SYN floods, pings of death, and smurf attacks. Let’s explore how these attacks work.

TCP SYN Flood

To understand a TCP SYN flood attack, you must understand the three-way TCP handshake, which occurs whenever a TCP connection is made. Figure 2.5 displays the process.

Diagram shows host on left and server on right with arrows between them labeled SYN, SYN/ACK, ACK, and established.

FIGURE 2.5 TCP handshake

One important fact not evident in the figure is that when the recipient of the initial SYN packet receives that packet and responds by sending a SYN/ACK packet, it will reserve a small piece of memory for the expected response (ACK). In the attack the attacker sends thousands of these SYN packets and never answers the SYN/ACK packets with an ACK packet. At some point, the recipient will fill up its memory, reserving space for the responses that never come. The target can then no longer accept new connections, which is the denial of service. Figure 2.6 shows the attack. At the point in the diagram where it says TCP Queue Full, the target memory is full.


FIGURE 2.6 SYN flood

Ping of Death

A ping of death is when an oversized ICMP packet is sent to the target. The maximum allowable IP packet size is 65,535 bytes, including the packet header, which is typically 20 bytes. An ICMP echo request is an IP packet with a pseudoheader, which is 8 bytes. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 – 20 – 8 = 65,507).

A grossly oversized ICMP packet can trigger a range of adverse system reactions such as DoS, crashing, freezing, and rebooting. Figure 2.7 shows such a packet. The packet will be fragmented en route, and when the target attempts to reassemble the packet, it will crash some systems.

Diagram shows three boxes for original unfragmented packet with labels for IP header (20 bytes), ICMP header (8 bytes), and ICMP data (65,510 bytes).

FIGURE 2.7 Ping-of-death packet
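The size arithmetic above (65,535 – 20 – 8 = 65,507) is also the check a receiving IP stack must apply during reassembly: the individual fragments of a ping-of-death packet are each a legal size, and only their reassembled total exceeds the 65,535-byte limit. The following is an added example, not from the book, that carries the calculation through and shows the bounds check in code. The fragmentation helper models a 1,500-byte MTU link and is constructed for illustration; a real receiver would read the offset and length from each fragment's IP header.

```python
"""Ping-of-death arithmetic and a reassembly bounds check.

Added example, not from the book. Fragments are modelled as
(offset_in_8_byte_units, payload_length) pairs, matching the units of the
IP header's fragment offset field. The MTU and payload sizes are constructed.
"""
MAX_IP_PACKET = 65535   # largest IPv4 total length (16-bit field)
IP_HEADER = 20          # typical IPv4 header without options
ICMP_HEADER = 8         # ICMP echo request header


def max_icmp_data() -> int:
    """Largest legal ICMP echo data area: 65,535 - 20 - 8 = 65,507 bytes."""
    return MAX_IP_PACKET - IP_HEADER - ICMP_HEADER


def fragment(payload_len: int, mtu: int = 1500):
    """Split an IP payload into (offset, length) fragments as a router would
    for the given MTU. Every fragment but the last is a multiple of 8 bytes."""
    per_frag = (mtu - IP_HEADER) // 8 * 8      # 1480 bytes for a 1500-byte MTU
    frags, sent = [], 0
    while sent < payload_len:
        length = min(per_frag, payload_len - sent)
        frags.append((sent // 8, length))
        sent += length
    return frags


def reassembled_length(fragments) -> int:
    """Payload length the fragments imply once reassembled (end of the last one)."""
    return max(off * 8 + length for off, length in fragments)


def accept_for_reassembly(fragments) -> bool:
    """Reject a fragment set whose reassembled datagram would exceed 65,535
    bytes. A stack that skipped this check is what the text describes crashing."""
    return IP_HEADER + reassembled_length(fragments) <= MAX_IP_PACKET


if __name__ == "__main__":
    legal = fragment(ICMP_HEADER + max_icmp_data())    # biggest legitimate ping
    oversized = fragment(ICMP_HEADER + 65510)           # the data size in Figure 2.7
    print("max ICMP data:", max_icmp_data())
    print("legal ping:", len(legal), "fragments, total",
          IP_HEADER + reassembled_length(legal), "->", accept_for_reassembly(legal))
    print("oversized ping:", len(oversized), "fragments, total",
          IP_HEADER + reassembled_length(oversized), "->", accept_for_reassembly(oversized))
```

The oversized packet in Figure 2.7 carries only three more data bytes than the maximum, which is enough: its reassembled total comes to 65,538 bytes, and a receiver that allocates a fixed 65,535-byte reassembly buffer without this check overruns it.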

DDoS

A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies. This turns the vulnerable devices into botnets, which then carry out the attack.

Because of the distributed nature of the attack, identifying all the attacking botnets is virtually impossible. The botnets also help to hide the original source of the attack. These attacks can be direct, reflected, and amplified. Let’s look at examples of each.

Direct DDoS

In a direct DDoS attack, the attacker launches the attack by sending the attack signal to the handlers, which in turn signal the zombies to attack, as shown in Figure 2.8. The attack is greatly amplified by the use of the zombies. So, a direct attack is also an amplified attack.

Flow diagram shows attacker divides into two handlers, which in turn leads to two sets of four zombies, and together finally lead to victim.

FIGURE 2.8 Direct DDoS

Reflection

In a reflected DDoS attack, the attack is bounced off a large number of devices without actually recruiting the devices as zombies. A good example of the reflection type of DDoS is the smurf attack. In the smurf attack, the attacker sends an ICMP packet to the broadcast address of the network in which the target resides. However, the hacker creates this ICMP packet with a spoofed source address and that spoofed address is that of the target. When every device in the network answers the ping requests, the answers will go to the target. Typically, the hacker will set the number of pings to a very high number so that this continues for some time and uses all the resources of the web server, as shown in Figure 2.9.

Diagram shows attacker uses spoofed packets (Internet) and ICMP echo requests, and ICMP echo replies to victim together leads to web server (172.18.173.109).

FIGURE 2.9 Smurf attack

Man-in-the-Middle Attack

A man-in-the-middle (MITM) attack is when an active attacker listens to the communication between two communicators and changes the contents of this communication. While performing this attack, the attacker pretends to be one of the parties to the other party. The most common type of MITM attack is done at layer 2 and uses the technique described in the next attack to pollute the ARP cache of the targets.

ARP Poisoning

One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this ARP poisoning by answering ARP requests for another computer’s IP address with their own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker’s MAC address listed as the MAC address that maps to the other computer’s IP address. As a result, both are sending to the attacker, placing the attacker “in the middle.”

Two mitigation techniques are available for preventing ARP poisoning on a Cisco switch.

Dynamic ARP Inspection (DAI) This security feature intercepts all ARP requests and responses and compares each response’s MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table. This table is built by also monitoring all DHCP requests for IP addresses and maintaining the mapping of each resulting IP address to a MAC address (which is part of DHCP snooping). If an incorrect mapping is attempted, the switch rejects the packet.

DHCP Snooping The main purpose of DHCP snooping is to prevent a poisoning attack on the DHCP database. This is not a switch attack per se, but one of its features can support DAI. It creates a mapping of IP addresses to MAC addresses from a trusted DHCP server that can be used in the validation process of DAI.

You must implement both DAI and DHCP snooping because DAI depends on DHCP snooping. Both configurations will be covered in Chapter 6.
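To make the dependency between the two features concrete, the following is an added example, not from the book and not Cisco’s implementation: a small model of a switch that learns IP-to-MAC bindings from DHCP acknowledgments (the snooping step) and then uses that table to accept or drop ARP replies arriving on untrusted ports (the inspection step). The port names, addresses, and ARP replies are constructed for illustration.

```python
"""Model of Dynamic ARP Inspection backed by a DHCP snooping binding table.

Added example, not from the book and not Cisco IOS behaviour in detail.
Shows why DAI cannot work without the bindings DHCP snooping provides:
an ARP reply is judged against the IP-to-MAC pair learned from DHCP, and
replies that do not match (or have no binding at all) are dropped.
All ports, addresses and replies below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str      # IP the reply claims to speak for
    sender_mac: str     # MAC the reply asks hosts to associate with that IP
    ingress_port: str   # switch port the reply arrived on


class DaiSwitch:
    def __init__(self, trusted_ports=()):
        self.bindings = {}                  # IP -> MAC, built by DHCP snooping
        self.trusted = set(trusted_ports)   # e.g. uplink toward the DHCP server
        self.dropped = []                   # rejected replies, for logging/alerting

    def snoop_dhcp_ack(self, ip: str, mac: str) -> None:
        """DHCP snooping: record the lease a trusted DHCP server handed out."""
        self.bindings[ip] = mac.lower()

    def inspect(self, reply: ArpReply) -> bool:
        """DAI: return True to forward the ARP reply, False to drop it."""
        if reply.ingress_port in self.trusted:
            return True  # trusted ports are not inspected
        expected = self.bindings.get(reply.sender_ip)
        if expected is None or expected != reply.sender_mac.lower():
            self.dropped.append(reply)  # no binding, or MAC does not match the lease
            return False
        return True


def demo() -> dict:
    """Run the constructed scenario and return the forward/drop decisions."""
    sw = DaiSwitch(trusted_ports={"Gi0/24"})
    sw.snoop_dhcp_ack("10.0.0.5", "AA:BB:CC:00:00:05")        # lease seen via snooping
    results = {
        "legitimate": sw.inspect(ArpReply("10.0.0.5", "aa:bb:cc:00:00:05", "Gi0/1")),
        "poison_attempt": sw.inspect(ArpReply("10.0.0.5", "de:ad:be:ef:00:01", "Gi0/7")),
        "unknown_ip": sw.inspect(ArpReply("10.0.0.9", "de:ad:be:ef:00:01", "Gi0/7")),
        "trusted_port": sw.inspect(ArpReply("10.0.0.9", "de:ad:be:ef:00:01", "Gi0/24")),
    }
    results["dropped_count"] = len(sw.dropped)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:<15} {outcome}")
```

The empty binding table is the point of the dependency the text describes: with DHCP snooping disabled, `inspect()` has nothing to compare against and would drop every ARP reply on an untrusted port, including legitimate ones, which is why Cisco requires both features to be configured together (statically addressed hosts are handled with ARP access lists, covered with the configuration in Chapter 6).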

Social Engineering

Social engineering attacks occur when attackers use believable language and user gullibility to obtain user credentials or some other confidential information. In this section we are going to focus our attention on a social engineering attack that has been in the news quite a bit lately: phishing.

Phishing/Pharming

Phishing is a social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that very closely resembles a legitimate website. Users enter data, including credentials on the fake website, allowing the attackers to capture any information entered. Spear phishing is a phishing attack carried out against a specific target by learning about the target’s habits and likes. Spear phishing attacks take longer to carry out than phishing attacks because of the information that must be gathered.

Pharming is similar to phishing, but pharming actually pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site.

Prevention

The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.

Caution users against using any links embedded in email messages, even if the message appears to have come from a legitimate entity. Users should also review the address bar any time they access a site where their personal information is required to ensure that the site is correct and that SSL is being used, which is indicated by an HTTPS designation at the beginning of the URL address.

Malware

Malicious software, also called malware, is any software that is designed to perform malicious acts. The following are the four classes of malware you should understand:

Virus Any malware that attaches itself to another application to replicate or distribute itself

Worm Any malware that replicates itself, meaning that it does not need another application or human interaction to propagate

Trojan Horse Any malware that disguises itself as a needed application while carrying out malicious actions

Spyware Any malware that collects private user data, including browsing history or keyboard input

The best defense against malicious software is to implement antivirus and anti-malware software. Today most vendors package these two types of software in the same package. Keeping antivirus and anti-malware software up-to-date is vital. This includes ensuring that the latest virus and malware definitions are installed.

Data Loss and Exfiltration

Data exfiltration is the unauthorized transfer of data from a computer or from a storage device. At its most serious level, it is the ultimate goal of advanced persistent threats (APTs), which are those that continue on a long-term basis and are carried out by highly skilled cybercriminals. These groups are not interested in the vacation photos of the receptionist. They are interested in three types of data that they can monetize. Let’s look at these data types.

IP

Intellectual property is property that is considered to be a unique creation of the mind and includes books, music, logos, inventions, and slogans. These items can be protected by copyrights, patents, trademarks, and registrations. However, it also includes things that cannot be protected with these mechanisms such as organizational plans, formulas, recipes, customer lists, and other types of data that cannot be disclosed because it might eliminate or reduce the effectiveness of a business advantage. Attack vectors for IP include disgruntled employees, competitors performing corporate espionage, and inadvertent releases through social media.

PII

Personally identifiable information (PII) is any piece of data that can be used alone or with other information to identify a single person. Any PII that an organization collects must be protected in the strongest manner possible. PII includes full name, identification numbers (including driver’s license number and Social Security number), date of birth, place of birth, biometric data, financial account numbers (both bank account and credit card numbers), and digital identities (including social media names and tags).

Keep in mind that different countries and levels of government can have different qualifiers for identifying PII. Security professionals must ensure that they understand international, national, state, and local regulations and laws regarding PII. As the theft of this data becomes even more prevalent, you can expect more laws to be enacted that will affect your job.

Credit Card

While PII can be used to perform identity theft, stealing credit card information provides a much quicker path to monetizing malicious activities. Many of the most high-profile data breaches have involved the harvesting of thousands of credit card numbers and the related information that makes them usable. When an organization suffers this type of disclosure, it hurts their reputation because they must inform every user whose data was disclosed. They will also be responsible for any harm suffered by the disclosure, so this is a real nightmare when it occurs. The best mitigation for this is to adopt all recommendations of the Payment Card Industry Data Security Standard (PCI-DSS).

Summary

This chapter covered common network attacks and their motivations. It also discussed various attack vectors, such as malicious and nonmalicious insiders and outsiders, terrorists, spies, and terminated personnel. The chapter also looked at various methods used to perform network reconnaissance, such as ping scans and port scans. Finally, the chapter covered types of malware and the exfiltration of sensitive data such as IP, PII, and credit card data.

Exam Essentials

Describe attack motivations. These include financial gain, disruption, geopolitical change, and notoriety. They may be attempted by organized crime groups, state sponsors, terrorist groups, hacktivists, and thrill hackers.

Identify common network attacks. These include but are not limited to IP address spoofing, MAC address spoofing, and email spoofing. They also include password attacks such as dictionary and brute-force attacks. Finally, explain reconnaissance attacks such as ping scans, port scans, and SYN scans.

Explain social engineering attacks. Describe phishing and pharming attacks and how these attacks can lead to malware such as viruses, worms, and Trojan horses.

Define the types of information most susceptible to data exfiltration. These include personally identifiable information (PII), intellectual property, and credit card information. Provide examples for each type of data.

Review Questions

  1. What is the typical motivation of a hacktivist?

    1. Financial gain
    2. Disruption
    3. Geopolitical change
    4. Notoriety
  2. Which of the following attacks has as its goal to get through an ACL on a router?

    1. IP address spoofing
    2. MAC address spoofing
    3. Email spoofing
    4. Buffer overflow
  3. Which of the following is not a form of password attack?

    1. Brute force
    2. Dictionary
    3. Port scan
    4. Social engineering
  4. When executing a NULL scan, which response indicates the port is closed on the target?

    1. No response
    2. Destination unreachable
    3. RST
    4. ACK
  5. Which of the following is a measure used to prevent buffer overflows?

    1. Input validation
    2. Multifactor authentication
    3. Complex passwords
    4. Sensitivity labels
  6. Which of the following is not a DDoS attack?

    1. SYN flood
    2. Ping of death
    3. Smurf attack
    4. Man-in-the-middle
  7. Which of the following is typically used to set up a man-in-the-middle attack?

    1. ARP poisoning
    2. Dynamic ARP inspection
    3. Rogue switches
    4. MAC overflow
  8. Which of the following is mitigation for ARP poisoning?

    1. Input validation
    2. DAI
    3. Multifactor authentication
    4. Rootguard
  9. Which of the following must be implemented to use DAI?

    1. DTP
    2. Authenticated ARP
    3. DHCP snooping
    4. NAT
  10. Which of the following attaches itself to another application to replicate or distribute itself?

    1. Worm
    2. Rootkit
    3. Spyware
    4. Virus
  11. Which of the following is considered to be a unique creation of the mind?

    1. PII
    2. IP
    3. PHI
    4. IPS
  12. Which of the following provides recommendations for securely handling credit card data?

    1. HIPAA
    2. SOX
    3. PCI-DSS
    4. GLBA
  13. At what OSI layer does MAC address spoofing occur?

    1. 1
    2. 2
    3. 3
    4. 4
  14. Which of the following is mitigation for email spoofing?

    1. SPF
    2. DAI
    3. DNSSec
    4. DHCP snooping
  15. Which of the following is a common tool used for ping and port scans?

    1. Metasploit
    2. Nmap
    3. Netstat
    4. Snort
  16. Which of the following is not a flag set in an XMAS scan?

    1. FIN
    2. PSH
    3. SYN
    4. URG
  17. Which of the following attacks uses an oversized ICMP packet?

    1. Ping of death
    2. Smurf
    3. Fraggle
    4. SYN flood
  18. Which of the following is a reflected DDoS attack?

    1. Ping of death
    2. Smurf
    3. Buffer overflow
    4. XXS
  19. Which attack type does DAI address?

    1. IP spoofing
    2. MAC overflow
    3. ARP poisoning
    4. Ping of death
  20. Which of the following pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site?

    1. Phishing
    2. Pharming
    3. Vishing
    4. Whaling