CIA Triad/SNORT/Defensive Measures Flashcards Preview

P2B2 > CIA Triad/SNORT/Defensive Measures > Flashcards

Flashcards in CIA Triad/SNORT/Defensive Measures Deck (54)
Loading flashcards...
1
Q

assurance that sensitive information can only be read/interpreted by people/processes that are authorized to

A

Confidentiality

2
Q

assurance that authorized users can access/work with information assets, resources when needed with sufficient response and performance.

A

Availability

3
Q

assurance that information remains correct and authentic, protected by means of preventing/detecting unauthorized creation, modification and destruction of information.

A

Integrity

4
Q

What are some examples of a threat-source?

A

Natural (Hurricane), human (internal/external).

5
Q

flaw that can present a security breach

A

vulnerability

6
Q

safeguards/countermeasures to reduce risk

A

management controls

7
Q

What is the goal of risk management? How can it be accomplished?

A

to reach zero risk and it can be accomplished by eliminating the threat or the vulnerability.

8
Q

What are the four approaches when planning additional defensive measures?

A

Uniform Protection, Protected Enclaves, Information Centric, Vector-Oriented

9
Q

Information Centric and Vector are typically used when creating new networks. True or False?

A

False

10
Q

Uniform Protection and Protected Enclaves are typically used when creating new enterprise networks.

A

True

11
Q

defensive approach when all internal hosts receive same level of protection

A

Uniform Protection

12
Q

defensive approach when you subdivide the internal network (subdivide and separate networks) so it isn’t one large zone with no internal protections

A

Protected Enclaves

13
Q

where the client (supplicant) must pass muster with the networks policy server before getting to the resources on the network

A

Network Admissions Control

14
Q

Why do we use firewalls?

A

to isolate or split up groups and sensitive data from everyone else

15
Q

In order to travel from one VLAN to another, what do you have to pass through?

A

Access Control List (ACL)

16
Q

VPNs can give you two things. What are they?

A

confidentiality and ability that only hosts that are authorized to connect to other hosts to do so

17
Q

defensive measure that prioritizes protection of information over systems

A

Information Centric

18
Q

The goal of information centric is to protect the information regardless of where the information is. True or False?

A

True

19
Q

fast, flexible, open-source Network Intrusion Detection System developed in 1998,

A

SNORT

20
Q

Snort is not rule-based. (T or F)

A

F

21
Q

Snort looks at all traffic over IP and sniffs both traffic in both directions. (T or F)

A

T

22
Q

What are the three main operational modes when using Snort? How are they configured?

A

Sniffer, Packet Logger, Network Intrusion Detection System (NIDS).

They are configured via command line switches.

23
Q

Snort operational mode that logs all data and post-process to look for anomalous activity

A

Packet Logger

24
Q

Snort operational mode that can perform portscan detection, ip defrag, app layer analysis

A

NIDS mode

25
Q

This is used to set the operational configuration of Snort (what to log, what to alert on, what rules to include/location, setting substitution variables?)

A

snort.conf file

26
Q

Default path of snort.conf

A

/etc/snort/snort/snort.conf

27
Q

The three types of variables in snort.conf

A

var, portvar, ipvar

28
Q

Why is setting correct values in variables important?

A

reduce “false-positive” alerts

29
Q

plug-in tools that allow Snort to look for certain criteria in a packet after it has been decoded but before it is put through the detection engine

A

Snort Preprocessors

30
Q

set of instructions designed to pick out network traffic that matches a specified pattern, then takes chosen action when traffic matches (Snort)

A

Rule

31
Q

Most Snort rules are written in a single line. (T or F)

A

T

32
Q

the two sections of Rules

A

rule header and rule options

33
Q

alert messages and parts of packet inspected to determine further rule action or not (A Snort Rules Section)

A

Rule Options

34
Q

action, protocol, source and destination ports and IP addresses (a Snort Rules section)

A

Rule Header

35
Q

alert tcp any any -> 192.168.1.0/24 80 . Would this be the rule options or rule header?

A

Rule Header because it contains ip address and destination

36
Q

alert, log, pass, activate and dynamic. which mode is this? (snort rule actions)

A

detection mode

37
Q

ignore the packet (detection mode)

A

pass

38
Q

alert and then turn on another dynamic rule (detection mode)

A

activate

39
Q

drop, reject and sdrop. which mode is this? (snort rule actions)

A

inline mode

40
Q

make iptables drop packet but do not log (inline mode)

A

sdrop

41
Q

make iptables drop packet, log and send tcp reset if protocol is tcp (icmp port msg if protocol is UDP) - inline mode.

A

reject

42
Q

four major categories of rule options

A

general, payload, non-payload, post-detection

43
Q

provides information about the rule but do not have any effect during detection (Snort rule options)

A

general options

44
Q

looks for data inside packet payload, can be inter-related (Snort rule options)

A

payload

45
Q

rule specific triggers that happen after a rule has “fired” (Snort rule options)

A

post-detection

46
Q

tells logging and alerting engine that the message to print with packet dump or to an alert (Snort rule options)

A

msg rule option

47
Q

allows rules to include references to external identification systems (could reference bugtraq, cve, or URLs) . (Snort rule options)

A

reference keyword

48
Q

external attack ID systems

A

BID and CVE

49
Q

<100 means what? (Snort Rule Options Keywords)

A

reserved for future use

50
Q

100-1,000,000 means what? (Snort Rule Options Keywords)

A

rules included with the Snort distribution

51
Q

> 1,000,000 means what? (Snort Rule Options Keywords)

A

used for local rules

52
Q

what keyword would you use to uniquely identify Snort rules? (hint: three letter word)

A

sid

53
Q

PHP-based analysis engine to search and process database of security events (various IDSs, firewalls, and network monitoring tools)

A

Basic Analysis and Security Engine (BASE)

54
Q

In order for BASE to work, you must periodically do what?

A

refresh the screen