
Common Technical Interview Questions and Answers Update on February 23, 2020

Question 41: What provides for both authentication and confidentiality in IPSec?
A. AH
B. IKE
C. OAKLEY
D. ESP
Correct Answer: D. ESP
Explanation: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. It provides confidentiality (by encrypting the payload) and, optionally, data-origin authentication and integrity (proving the data came from the peer holding the key and was not altered in transit). ESP's integrity check covers the ESP header, the payload and the ESP trailer, but never the IP header in front of it: in Transport mode that is the original IP header, and in Tunnel mode it is the outer IP header, while the whole encapsulated inner packet (inner IP header included) is protected.

AH is incorrect because Authentication Header (AH) provides authentication and integrity (including over the IP header itself) but no encryption.

IKE is incorrect because Internet Key Exchange (IKE) is the protocol that negotiates the security associations and derives the keys that AH and ESP use; it does not itself carry the protected data.

OAKLEY is incorrect because Oakley is a key-agreement protocol (incorporated into IKE) used to establish a master key as well as a key specific to each session in the data transfer. It relies on the Diffie-Hellman algorithm for this process.
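The difference between ESP and AH coverage described above, as an added example that is not part of the original page: ESP is built with NULL encryption (RFC 2410) so its framing stays readable, and both protocols use HMAC-SHA-256-128 (RFC 4868) as the integrity check value. The key, addresses and payload are constructed for the demonstration; the header layouts follow RFC 4303 (ESP) and RFC 4302 (AH).

```python
"""Added example (not from the page): what the integrity check of ESP and AH
actually covers. ESP uses NULL encryption here so the framing is visible;
HMAC-SHA-256-128 is the ICV for both. Key, addresses and payload are constructed."""
import hashlib
import hmac
import struct

KEY = b"constructed-integrity-key-not-for-real-use"  # constructed, demo only
ESP_PROTO, AH_PROTO, TCP_PROTO = 50, 51, 6
ICV_LEN = 16


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (header checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)


def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(payload, next_header, spi, seq):
    """ESP: SPI | seq | payload | padding | pad_len | next_header | ICV.
    The ICV covers everything from the SPI through next_header; the IP header
    placed in front of ESP (the outer header in tunnel mode) is never an input."""
    pad_len = (-(len(payload) + 2)) % 4           # align the trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default padding 1,2,3...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    return body + icv(body)


def esp_verify(esp):
    """Returns (next_header, payload), or None if the ICV does not match.
    Note that no IP header is passed in: ESP cannot notice a rewritten one."""
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv(body), tag):
        return None
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def ah_immutable_view(ip_hdr):
    """AH authenticates the IP header with its mutable fields zeroed
    (RFC 4302 Appendix A): TOS, flags/fragment offset, TTL, header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def ah_build(ip_hdr, payload, next_header, spi, seq):
    """AH: next_header | payload_len | reserved | SPI | seq | ICV.
    payload_len is the AH length in 32-bit words minus 2: (12 + 16) / 4 - 2 = 5."""
    fixed = struct.pack("!BBHII", next_header, 5, 0, spi, seq)
    return fixed + icv(ah_immutable_view(ip_hdr) + fixed + bytes(ICV_LEN) + payload)


def ah_verify(ip_hdr, ah, payload):
    fixed, tag = ah[:12], ah[12:12 + ICV_LEN]
    expected = icv(ah_immutable_view(ip_hdr) + fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(expected, tag)


def tamper_demo():
    """Rewrite the destination address (and, separately, the TTL) of packets
    protected by ESP and by AH; report which integrity checks still pass."""
    src, dst, other = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 99])
    payload = b"constructed TCP segment"

    esp = esp_encapsulate(payload, TCP_PROTO, 0x1000, 1)
    # The on-the-wire IP header is not part of ESP's ICV, so rewriting it to
    # `other` changes nothing the receiver checks.
    esp_dst_rewrite = esp_verify(esp) == (TCP_PROTO, payload)

    ah_total = 20 + 12 + ICV_LEN + len(payload)
    ah = ah_build(ipv4_header(src, dst, AH_PROTO, ah_total), payload, TCP_PROTO, 0x1001, 1)
    ah_dst_rewrite = ah_verify(ipv4_header(src, other, AH_PROTO, ah_total), ah, payload)
    ah_ttl_change = ah_verify(ipv4_header(src, dst, AH_PROTO, ah_total, ttl=7), ah, payload)
    return {"esp_dst_rewrite": esp_dst_rewrite,
            "ah_dst_rewrite": ah_dst_rewrite,
            "ah_ttl_change": ah_ttl_change}


if __name__ == "__main__":
    print(tamper_demo())
```

Running it shows ESP still verifying after the destination address is rewritten, AH failing for the same change, and AH tolerating a TTL change because TTL is one of the mutable fields it deliberately excludes. A real deployment would replace the NULL cipher with an AEAD such as AES-GCM, which supplies both the encryption and the ICV in one pass.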

Question 42: Which of the following statements best describes the comparison between spoofing and session hijacking?
A. Spoofing and session hijacking are the same thing.
B. Spoofing interrupts a client’s communication, whereas hijacking does not.
C. Hijacking interrupts a client’s communication, whereas spoofing does not.
D. Hijacking emulates a foreign IP address, whereas spoofing refers to MAC addresses.
Correct Answer: C. Hijacking interrupts a client’s communication, whereas spoofing does not.
Explanation: Hijacking and spoofing can sometimes be confused with each other, although they really shouldn’t be. Spoofing refers to a process where the attacking machine pretends to be something it is not. Whether by faking a MAC address or an IP address, the idea is that other systems on the network will communicate with your machine (that is, set up and tear down sessions) as if it’s the target system. Generally this is used to benefit sniffing efforts. Hijacking is a totally different animal. In hijacking, the attacker jumps into an already existing session, knocking the client out of it and fooling the server into continuing the exchange. In many cases the client simply reconnects to the server in a new session with no one the wiser: the server isn’t aware anything happened, and the client treats the drop as a glitch. As an aside, EC-Council describes the session hijack in these steps:

  1. Sniff the traffic between the client and the server.
  2. Monitor the traffic and predict the sequence numbering.
  3. Desynchronize the session with the client.
  4. Predict the session token and take over the session.
  5. Inject packets to the target server.

“Spoofing and session hijacking are the same thing” is incorrect because spoofing and hijacking are different. An argument can be made that hijacking makes use of some spoofing, but the two attacks are separate entities: spoofing pretends to be another machine, eliciting (or setting up) sessions for sniffing purposes, whereas hijacking takes advantage of existing communications sessions.

“Spoofing interrupts a client’s communication, whereas hijacking does not” is incorrect because spoofing doesn’t interrupt a client’s existing session at all; it’s designed to sniff traffic and/or set up its own sessions.

“Hijacking emulates a foreign IP address, whereas spoofing refers to MAC addresses” is incorrect because spoofing isn’t relegated to MAC addresses only. You can spoof almost anything, from MAC and IP addresses to system names and services.

Question 43: Which of the following is an effective deterrent against TCP session hijacking?
A. Install and use an HIDS on the system.
B. Install and use Tripwire on the system.
C. Enforce good password policy.
D. Use unpredictable sequence numbers.
Correct Answer: D. Use unpredictable sequence numbers.
Explanation: As noted already, session hijacking requires the attacker to guess the proper upcoming sequence number(s) to pull off the attack, pushing the original client out of the session. Using unpredictable sequence numbers in the first place (in the real world, a modern operating system whose TCP stack randomizes the initial sequence number per connection, as RFC 6528 describes) protects against this, because an attacker who cannot see the session can no longer guess where it is. Other countermeasures for session hijacking are fairly common sense: use encryption to protect the channel, limit incoming connections, minimize remote access, and regenerate the session key after authentication is complete. And, lastly, don’t forget user education: if the users don’t know any better, they might not think twice about clicking past the security certificate warning or reconnecting after being suddenly shut down.

“Install and use an HIDS on the system” is incorrect because a host-based intrusion detection system might at best notice a hijack after the fact; it does nothing to prevent one.

“Install and use Tripwire on the system” is incorrect because Tripwire is a file integrity application and won’t do a thing for session hijacking prevention.

“Enforce good password policy” is incorrect because system passwords have nothing to do with session hijacking.

Question 44: When is session hijacking performed?
A. Before the three-step handshake
B. During the three-step handshake
C. After the three-step handshake
D. After a FIN packet
Correct Answer: C. After the three-step handshake
Explanation: This question should be an easy one for you, but it’s included here to reinforce the point that you need to understand session hijacking steps well for the exam. Of course, session hijacking should occur after the three-step handshake. As a matter of fact, you’ll probably need to wait quite a bit after the three-step handshake so that everything on the session can be set up — authentication and all that nonsense should be taken care of before you jump in and take over.

“Before the three-step handshake” and “During the three-step handshake” are incorrect because session hijacking occurs after a session is already established, and the three-step handshake must obviously occur first for this to be true.

“After a FIN packet” is incorrect because the FIN packet brings an orderly close to the TCP session. Why on Earth would you wait until the session is over to start trying to hijack it?
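The mechanics behind Questions 42 to 44, as an added example that is not part of the original page: a deliberately tiny model of a TCP receiver that accepts a segment only when its sequence and acknowledgement numbers are exactly what it expects. `on_path_hijack` shows an attacker who has sniffed those numbers injecting a segment after the handshake and login, and the real client's next segment being rejected (the client is the one "knocked out"). `blind_spoof` shows why the predictability of the initial sequence number matters: the attacker learns the server's current ISN from its own connection, spoofs a trusted host, and must guess the ISN in a SYN/ACK it never sees. `LegacyISN` (fixed increment per connection, the old BSD behaviour) and `Rfc6528ISN` (clock plus keyed hash of the 4-tuple) are this example's generators; the one-second-per-connection clock step, addresses, ports and payloads are constructed assumptions.

```python
"""Added example (not from the page): toy TCP receiver demonstrating on-path
session hijacking and blind ISN prediction. All endpoints, ISNs and payloads
are constructed; the RFC 6528 clock step is an assumption made for determinism."""
import hashlib
import hmac
import secrets
import struct

MASK = 0xFFFFFFFF


class LegacyISN:
    """Predictable generator: a fixed 64000 is added per new connection (the
    classic 4.4BSD behaviour). Observe one ISN and you know the next."""
    def __init__(self, start=0):
        self.last = start

    def next(self, four_tuple):
        self.last = (self.last + 64000) & MASK
        return self.last


class Rfc6528ISN:
    """RFC 6528: ISN = M + F(localip, localport, remoteip, remoteport, secret).
    M is a 4-microsecond clock and F a keyed hash, so ISNs on one 4-tuple advance
    steadily while those on other 4-tuples look unrelated to an observer.
    Assumption: the clock advances one second (250000 ticks) per connection."""
    def __init__(self):
        self.secret = secrets.token_bytes(16)
        self.clock = 0

    def next(self, four_tuple):
        self.clock = (self.clock + 250_000) & MASK
        f = hmac.new(self.secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (self.clock + struct.unpack("!I", f[:4])[0]) & MASK


class Server:
    """Simplified receiver: a segment is accepted only if seq == rcv_nxt and
    ack == snd_nxt (window of one segment, no retransmission, no server data)."""
    def __init__(self, isn_gen):
        self.isn_gen = isn_gen
        self.half_open = {}
        self.sessions = {}

    def syn(self, tup, client_isn):
        """Handshake steps 1-2. Returns the ISN carried in the SYN/ACK, which is
        sent to the address in `tup`; an off-path attacker spoofing it never sees it."""
        server_isn = self.isn_gen.next(tup)
        self.half_open[tup] = (client_isn, server_isn)
        return server_isn

    def ack(self, tup, seq, ack):
        """Handshake step 3: the ACK must carry server_isn + 1 to complete."""
        client_isn, server_isn = self.half_open.pop(tup)
        if seq != (client_isn + 1) & MASK or ack != (server_isn + 1) & MASK:
            return False
        self.sessions[tup] = {"rcv_nxt": seq, "snd_nxt": ack, "received": []}
        return True

    def data(self, tup, seq, ack, payload):
        s = self.sessions.get(tup)
        if s is None or seq != s["rcv_nxt"] or ack != s["snd_nxt"]:
            return False          # out of sync: dropped (a real stack would re-ACK, causing an ACK storm)
        s["rcv_nxt"] = (seq + len(payload)) & MASK
        s["received"].append(payload)
        return True


def on_path_hijack():
    """Questions 42 and 44: after the handshake and login, an attacker who has
    sniffed seq/ack injects one segment; the client's next segment is rejected."""
    srv = Server(Rfc6528ISN())                   # ISN randomness does not help against a sniffer
    tup = ("10.0.0.5", 40000, "10.0.0.1", 23)
    c_isn = 1000
    s_isn = srv.syn(tup, c_isn)
    srv.ack(tup, c_isn + 1, s_isn + 1)
    seq, ack = c_isn + 1, s_isn + 1
    login = b"USER alice\r\n"
    srv.data(tup, seq, ack, login)
    seq += len(login)
    injected = srv.data(tup, seq, ack, b"id\r\n")      # attacker's segment with the sniffed numbers
    client_next = srv.data(tup, seq, ack, b"ls\r\n")   # real client still uses the pre-injection seq
    return injected, client_next


def blind_spoof(isn_gen_cls):
    """Question 43: an off-path attacker (10.0.0.66) learns the server's current
    ISN from its own connection, then spoofs a trusted host and guesses the ISN
    it cannot see, assuming the legacy fixed step."""
    srv = Server(isn_gen_cls())
    probe = ("10.0.0.66", 55555, "10.0.0.1", 513)
    observed = srv.syn(probe, 1)
    srv.ack(probe, 2, (observed + 1) & MASK)
    victim = ("10.0.0.5", 1023, "10.0.0.1", 513)      # spoofed trusted host
    srv.syn(victim, 5000)                              # SYN/ACK goes to 10.0.0.5, not to the attacker
    guess = (observed + 64000) & MASK
    return srv.ack(victim, 5001, (guess + 1) & MASK)


if __name__ == "__main__":
    print("on-path: (injected accepted, client accepted) ->", on_path_hijack())
    print("blind spoof vs legacy ISN ->", blind_spoof(LegacyISN))
    print("blind spoof vs RFC 6528 ISN ->", blind_spoof(Rfc6528ISN))
```

The on-path case succeeds regardless of how the ISN was chosen, which is why the real defence there is an encrypted, authenticated channel rather than sequence-number hygiene; the blind case succeeds against the legacy generator and fails against the RFC 6528 one, because the attacker's guess is now off by an unknown hash difference.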

Question 45: Which technologies are increasingly used today instead of IDS?
A. IPS
B. SIEM
C. Data loss prevention
D. All of the above
Correct Answer: D. All of the above
Explanation: A standalone IDS only alerts. IPSes provide high levels of security if designed, implemented and managed properly, and other technologies, such as endpoint detection and response (EDR), data loss prevention and SIEM, are increasingly deployed instead of a plain IDS or as a complement to it in an enterprise security strategy.

Question 46: When discussing IDS/IPS, what is a signature?
A. An electronic signature used to authenticate the identity of a user on the network
B. Patterns of activity or code corresponding to attacks
C. “Normal,” baseline network behavior
D. None of the above
Correct Answer: B. Patterns of activity or code corresponding to attacks
Explanation: A signature in an IDS or IPS is a pattern of activity or malicious code that is known to be associated with specific attacks. A signature-based IDS/IPS scans incoming network packets for certain content, such as header or payload data, to determine if it is harmful.

Question 47: Which is true of a signature-based IDS?
A. It cannot work with an IPS.
B. It only identifies on known signatures.
C. It detects never-before-seen anomalies.
D. It works best in large enterprises.
Correct Answer: B. It only identifies on known signatures.
Explanation: Signature-based IDSes are only able to detect known attacks. While effective at monitoring inbound traffic at high volumes, signature-based IDSes seek out traffic sequences or patterns that match known attack signatures — not novel or previously undetected attacks.

Question 48: Which of the following provides a baseline measurement for comparison of IDSes?
A. Crossover error rate
B. False negative rate
C. False positive rate
D. Bit error rate
Correct Answer: A. Crossover error rate
Explanation: The crossover error rate, or CER, provides a baseline measure for comparing IDSes. A system’s CER is found by adjusting its sensitivity (alert threshold) until the false positive rate and the false negative rate are equal; the lower that common value, the better the system separates malicious activity from benign.
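The threshold sweep described above, as an added example that is not part of the original page: two constructed detectors each assign an anomaly score in 0..1 to ten benign and ten malicious events; the code sweeps every distinct score as a candidate alert threshold, finds the point where false positive and false negative rates are closest, and reports the CER there. The scores are invented for the demonstration.

```python
"""Added example (not from the page): locating the crossover error rate of a
scoring detector by sweeping its alert threshold. Scores are constructed."""

DETECTORS = {
    # detector A: well-separated scores
    "A": {"benign": [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.55],
          "malicious": [0.35, 0.50, 0.60, 0.65, 0.70, 0.75, 0.80, 0.85, 0.90, 0.95]},
    # detector B: heavily overlapping scores
    "B": {"benign": [0.10, 0.20, 0.30, 0.35, 0.40, 0.45, 0.50, 0.50, 0.60, 0.70],
          "malicious": [0.30, 0.40, 0.45, 0.50, 0.55, 0.60, 0.65, 0.70, 0.80, 0.90]},
}


def error_rates(benign, malicious, threshold):
    """An event alerts when score >= threshold.
    FPR = fraction of benign events that alert; FNR = fraction of malicious that do not."""
    fpr = sum(s >= threshold for s in benign) / len(benign)
    fnr = sum(s < threshold for s in malicious) / len(malicious)
    return round(fpr, 3), round(fnr, 3)


def crossover(benign, malicious):
    """Sweep each distinct score as a threshold and keep the one where FPR and
    FNR are closest (on a finite sample they rarely coincide exactly). The CER
    is their common value; with a small gap we report the mean of the two."""
    best = None
    for t in sorted(set(benign) | set(malicious)):
        fpr, fnr = error_rates(benign, malicious, t)
        if best is None or abs(fpr - fnr) < best[0]:
            best = (abs(fpr - fnr), t, fpr, fnr)
    _, t, fpr, fnr = best
    return {"threshold": t, "fpr": fpr, "fnr": fnr, "cer": round((fpr + fnr) / 2, 3)}


def compare():
    """Lower CER means the detector's score separates the two classes better."""
    return {name: crossover(d["benign"], d["malicious"]) for name, d in DETECTORS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Detector A crosses over at a threshold of 0.5 with both rates at 0.1; detector B also lands at 0.5 but with rates of 0.4 and 0.3, so its CER is roughly 0.35 and it is the weaker system however its threshold is tuned.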

Question 49: A false positive can be defined as:
A. An alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior
B. An alert that indicates nefarious activity on a system that, upon further inspection, turns out to truly be nefarious activity
C. The lack of an alert for nefarious activity
D. All of the above
Correct Answer: A. An alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior
Explanation: A false positive is any alert that indicated malicious activity but, on investigation, turns out to be legitimate network traffic or behavior. The opposite miss, no alert for activity that really is malicious, is a false negative.
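The signature matching discussed in Questions 46, 47 and 49, as an added example that is not part of the original page: a minimal signature-based detector run over six constructed HTTP request lines. Run raw, the tight signatures catch only the literal pattern and miss the URL-encoded variants; decoding the request first recovers those but still misses a comment-obfuscated variant the signatures do not know (Question 47); broadening the SQL injection signature to any `select` then catches that variant but fires on a legitimate search for "select your seat" (Question 49). The request lines and signatures are constructed for the demonstration.

```python
"""Added example (not from the page): a tiny signature-based detector over
constructed HTTP request lines, showing known-pattern hits, evasion by
encoding and obfuscation, and the false positive an over-broad signature causes."""
import re
from urllib.parse import unquote

# (request line, is_malicious): constructed samples, labelled by hand.
SAMPLES = [
    ("GET /images/../../etc/passwd HTTP/1.1", True),
    ("GET /item?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1", True),
    ("GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1", True),
    ("GET /item?id=1%20UNION/**/SELECT%20password%20FROM%20users HTTP/1.1", True),
    ("GET /search?q=select+your+seat HTTP/1.1", False),
    ("GET /docs/index.html HTTP/1.1", False),
]

# Signatures: patterns of content known to correspond to specific attacks.
TIGHT = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union-select": re.compile(r"union\s+select", re.I),
    "xss-script-tag": re.compile(r"<script", re.I),
}
# Same set with the SQLi signature broadened to any "select": it catches more
# variants, but also legitimate requests that merely contain the word.
LOOSE = {**TIGHT, "sqli-union-select": re.compile(r"select", re.I)}


def alerts(signatures, line, normalize):
    """Names of the signatures that fire on one request line. With normalize=True
    the line is percent-decoded first, as a real IDS would do before matching."""
    text = unquote(line) if normalize else line
    return sorted(name for name, rx in signatures.items() if rx.search(text))


def evaluate(signatures, normalize):
    """Count true/false positives and negatives over SAMPLES: an alert on a
    benign request is a false positive, silence on a malicious one a false negative."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for line, malicious in SAMPLES:
        fired = bool(alerts(signatures, line, normalize))
        key = ("tp" if malicious else "fp") if fired else ("fn" if malicious else "tn")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    print("tight, raw       ->", evaluate(TIGHT, normalize=False))
    print("tight, decoded   ->", evaluate(TIGHT, normalize=True))
    print("loose, decoded   ->", evaluate(LOOSE, normalize=True))
    print("false positive on:", [l for l, m in SAMPLES if not m and alerts(LOOSE, l, True)])
```

The three runs make the trade-off in Question 48 concrete: tightening signatures lowers false positives at the cost of false negatives on variants the signatures have never seen, and loosening them does the reverse.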

Question 50: Where is an IPS commonly placed in a network?
A. In front of the firewall
B. In line with the firewall
C. Behind the firewall
D. On the end users’ device
Correct Answer: B. In line with the firewall
Explanation: An IPS is deployed in line (all traffic passes through it) alongside the firewall at the network edge, usually between the internal corporate network and the internet, so that it can drop malicious packets rather than only alert on them as a passive IDS would.