CEH Study Guide - 03 Security Foundations

Packet filters are used to make block/allow decisions based on header data like source and destination address and port.

Stateful firewalls add in the ability to factor in the state of the connection—new, related, established.

An Application layer gateway knows about Application layer protocols.

A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.

Confidentiality is about making sure secrets are kept secret.

Integrity makes sure that data isn’t altered accidentally or by an unauthorized agent.

Non-repudiation makes sure someone can’t say a message didn’t originate with them if it came from their identity.

Availability means making sure data is where it needs to be when it should be there. This includes services as well.

Risk is the probability of the occurrence of an event multiplied by the dollar value of loss.

There is no mitigation factor that is quantified, so it could be put into a risk calculation.

Switches and optical cable connections can certainly be part of a network design, but in and of themselves they don’t add any security features.

You may use Linux on the desktop, but without more of a strategy for patch and vulnerability management, Linux is no better than other operating systems.

Access control lists on routers can add an additional layer of security, especially when combined with other elements like firewalls and intrusion detection systems.

Confidentiality is keeping secret information secret, which means unauthorized users can’t access it.

Encryption is a good way to keep unauthorized users from data because in order to get to the data, they need to have the key.

Watchdog processes are used to ensure that programs remain running.

Cryptographic hashes are used to verify the integrity of data.

Web servers are used to serve up information.

Firewalls are used to block traffic into a network, though an intrusion prevention system will also block traffic.

A packet filtering firewall uses header information, such as source and destination address and port, to determine whether to allow traffic into the network.

Syslog and the Windows event subsystem can be used to log system messages.

Intrusion detection systems can be used to generate alerts on traffic.

If a user makes a change to a file and saves it, that’s an intentional act and the data is what the user expects and wants.

If the disk drive has flagged bad blocks on the disk, the drive won’t write any data out to those blocks, so there will be no loss of integrity.

Credit cards passed in cleartext would be a violation of confidentiality.

Memory failures, though, could cause a loss of data integrity, even in the case of writing data to the drive. The corrupted data in memory could be written to disk. Also, memory failures may cause issues with the disk driver, which may also cause data corruption.

Security information event managers are used to aggregate event data, such as log information.

Once the data has been aggregated, it can be searched and correlated. Even though it’s called an event manager, it isn’t used to manage security projects, nor is it used to escalate security events.

Other tools can be used to gather and store open-source intelligence.

Commonly, system logs are stored on the system that generated the log message.

Certainly local systems can handle the logs they have generated. Log messages don’t typically consume a lot of space at an individual message level, so bandwidth isn’t a problem.

Transmitting over a network is generally not faster than moving data within local disks.

System logs can be used in identifying attacks, but the logs won’t defend against attacks. However, if an attacker does compromise a system, the attacker may delete the local logs because they could get access to them.

In TCP, a three-way handshake is used to synchronize sequence numbers and establish a connection.

While the sequence numbers are shared, they wouldn’t be called aligned, which might suggest that each end was using the same sequence number.

A SYN message is part of the three-way handshake, but it is not sufficient to establish a connection.

Option A, “Final acknowledgment message,” is ambiguous. It could refer to the acknowledgment to a FIN message, closing the connection.