140. b. The timeout determination policy is a part of the transport layer security policies but not a part of the data link layer security policies. The other three choices are the same between these two layers’ policies.

141. Which of the following protects the confidentiality of data in transit in a file-sharing environment?

a. Network file sharing (NFS)

b. Apple filing protocol (AFP)

c. Server message block (SMB)

d. Secure file transfer protocol (SFTP)

141. d. Secure FTP (SFTP) and Secure Copy (SCP) encrypt their network communications to protect the confidentiality of data in transit. Examples of commonly used client/server file sharing services are file transfer protocol (FTP), network file sharing, Apple filing protocol, and server message block. These are standardized protocols without encryption that do not protect the confidentiality of the data in transit, including any supplied authentication credentials such as passwords.

142. Countermeasures against time-of-check to time-of-use (TOC-TOU) attacks include which of the following?

1. Use traffic padding techniques.

2. Apply task sequence rules.

3. Apply encryption tools.

4. Implement strong access controls.

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1 and 3

142. b. A time-of-check to time-of-use (TOC-TOU) attack is an example of an asynchronous attack, one that takes advantage of timing differences between two events. Applying task sequence rules combined with encryption tools is effective against such attacks. The traffic padding technique is effective against traffic analysis attacks, and access controls are good against data inference attacks.

143. In a legacy wireless local-area network (WLAN) environment using wired equivalent privacy (WEP) protocol (IEEE 802.11), a bit-flipping attack results in which of the following?

a. Loss of confidentiality

b. Loss of integrity

c. Loss of availability

d. Loss of accountability

143. b. A bit-flipping attack occurs when an attacker knows which cyclic redundancy check 32-bit (CRC-32) bits change when message bits are altered, resulting in loss of integrity. A proposed countermeasure was encrypting the CRC-32 to produce an integrity check value (ICV), but it did not work because of the use of a stream cipher (WEP’s RC4), meaning that the same bits flip whether or not encryption is used. Therefore, the WEP ICV offers no additional protection against bit flipping. Eavesdropping attacks using sniffers result in loss of confidentiality. Packet flooding attacks and radio frequency signal jams result in loss of availability. Loss of accountability is not applicable here because it deals with an individual’s actions.
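The reason the encrypted CRC-32 fails as an integrity check can be shown in a few lines. The following is an added example, not part of the original text: it models a WEP-style frame (data plus CRC-32 ICV, XORed with an RC4 keystream) and shows that a frame altered in transit still passes the ICV check, while a keyed MAC over the same frame does not. The key, IV, payload, and the HMAC-SHA-256 tag used for contrast are all constructed for the illustration.

```python
import hashlib, hmac, struct, zlib

def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream of n bytes (the stream cipher WEP uses)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_seal(key, iv, data):
    """Append ICV = CRC-32(data), then XOR everything with RC4(IV || key)."""
    body = data + struct.pack("<I", zlib.crc32(data))
    return xor(body, rc4(iv + key, len(body)))

def wep_open(key, iv, frame):
    """Decrypt and return (data, icv_ok)."""
    body = xor(frame, rc4(iv + key, len(frame)))
    data, icv = body[:-4], body[-4:]
    return data, icv == struct.pack("<I", zlib.crc32(data))

def flip_in_transit(frame, delta):
    """Keyless change: CRC-32 is affine over XOR, so the ICV difference for a
    chosen data difference `delta` is crc(delta) ^ crc(zeros), key-independent."""
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(frame, delta + struct.pack("<I", fix))

def demo():
    key, iv, mac_key = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc", b"constructed-mac-key"
    msg = b"PAY 0100 TO ALICE"                      # constructed sample payload
    frame = wep_seal(key, iv, msg)
    tag = hmac.new(mac_key, frame, hashlib.sha256).digest()   # keyed MAC for contrast
    delta = bytearray(len(msg)); delta[4] = ord("0") ^ ord("9")
    altered = flip_in_transit(frame, bytes(delta))
    data, icv_ok = wep_open(key, iv, altered)
    mac_ok = hmac.compare_digest(tag, hmac.new(mac_key, altered, hashlib.sha256).digest())
    return data, icv_ok, mac_ok

if __name__ == "__main__":
    print(demo())
```

The receiver accepts the altered payload because the ICV is a linear checksum under a linear (XOR) cipher; only an integrity value that depends on a secret key rejects it.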

144. Which of the following factors contribute to network congestion problems?

1. Low-speed CPU and low memory for computers

2. Low-bandwidth lines for communications

3. More memory for routers

4. Long queues of packets

a. 1 only

b. 2 only

c. 4 only

d. 1, 2, 3, and 4

144. d. Network congestion problems occur when too many packets are present in the subnet (i.e., too much traffic), thus degrading network performance, with some packets lost or all packets undelivered. When a queue is built up for packets and the CPU memory for computers is insufficient to hold all of them, some packets will be lost. When there is an imbalance between the routers with more memory and computers with less memory, duplicate packets are sent due to the timeout feature. Also, routers with slow CPUs and low-bandwidth lines can cause congestion problems.

145. Which of the following techniques to improve network quality-of-service (QoS) provides an easy and expensive solution?

a. Buffering

b. Over-provisioning

c. Traffic shaping

d. Packet scheduling

145. b. Over-provisioning is providing higher levels of router capacity, buffer space, and bandwidth for the network packets to flow from source to destination. Because of this, the over-provisioning technique is an easy but expensive solution.

The other three choices do not incur costs the way over-provisioning does. Network flows can be buffered on the receiving side before being delivered. Buffering the flow does not affect the reliability, delay, or bandwidth, but it does smooth out the jitter often found in audio and video on demand applications. Traffic shaping, also called traffic policing, is achieved through the use of a leaky bucket algorithm or token bucket algorithm to smooth traffic between routers and to regulate the host output. Packet scheduling algorithms such as fair queuing and weighted fair queuing are available to schedule the flow of packets through the router so that one flow does not dominate the other.

146. Which of the following might be unsuccessful at identifying infected hosts running personal firewalls?

a. Network login scripts

b. Packet sniffers

c. Host scans

d. File scans

146. c. Personal firewalls can block host scans, making the scans unsuccessful at identifying the infected hosts. The other three choices are incorrect because they all can help to identify the possible infection on those hosts.

147. Which of the following is a mitigation technique to handle Internet relay chat (IRC) vulnerability for lack of confidentiality due to messages sent in plaintext throughout the IRC network?

a. Install operating system-level VPNs or application-level SSL/TLS.

b. Implement timers.

c. Put the system in a lockdown mode.

d. Block filtering requests based on filename extensions.

147. a. The Internet relay chat (IRC) communication is inherently insecure because it is a plaintext open protocol that uses transmission control protocol (TCP) that is susceptible to sniffing and interception. The original IRC protocol does not provide for any confidentiality, meaning that standard chat, nickname passwords, channel passwords, and private messaging are sent in plaintext throughout the IRC network. Confidentiality may be achieved by applying operating system level VPNs or SSL/TLS within the IRC network. The IRC clients and servers use encryption to protect information from unauthorized users. Furthermore, IPsec VPNs with PKI certificates or tunneled through Secure Shell should be used to provide further security for identification and authentication.

Timers are implemented to mitigate the IRC vulnerability of netsplits. A system lockdown mode is implemented to combat denial-of-service (DoS) attacks on the IRC network. The security administrator should block outright filtering requests based on filename extensions to prevent direct client connection (DCC) vulnerability within IRC networks. DCCs are performed directly from one client application to another, thus bypassing the IRC servers to form a client-to-client connection. DCC vulnerabilities, if not controlled properly, lead to unauthorized file transfers between IRC clients, allow users to bypass server-based security, shorten the communication path, allow social engineering attacks, and compromise the user’s application system.