QUESTION: 165

Exhibit:

The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack. You also notice "/bin/sh" in the ASCII part of the output. As an analyst what would you conclude about the attack?

The buffer overflow attack has been neutralized by the IDS
The attacker is creating a directory on the compromised machine
The attacker is attempting a buffer overflow attack and has succeeded
The attacker is attempting an exploit that launches a command-line shell

Answer(s): D

Explanation:

This log entry shows a hacker using a buffer overflow to fill the data buffer and trying to insert the execution of /bin/sh into the executable code part of the thread. It is probably an existing exploit that is used, or a directed attack with a custom built buffer overflow with the “payload” that launches the command shell.

Reveal Solution Next Question

QUESTION: 166

As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security?
Select the best answers.

Use the same machines for DNS and other applications
Harden DNS servers
Use split-horizon operation for DNS servers
Restrict Zone transfers
Have subnet diversity between DNS servers

Answer(s): B,C,D,E

Explanation:

A is not a correct answer as it is never recommended to use a DNS server for any other application. Hardening of the DNS servers makes them less vulnerable to attack. It is recommended to split internal and external DNS servers (called split-horizon operation). Zone transfers should only be accepted from authorized DNS servers.
By having DNS servers on different subnets, you may prevent both from going down, even if one of your networks goes down.

Reveal Solution Next Question