About NetFlow, the false sentence is:
1. The only thing that is guaranteed with NetFlow is what data is gathered and how it is transmitted
2. Other developers that have not adopted NetFlow specifically may have developed something similar
3. Once you have devices generating NetFlow data, you need a system in place to handle the collection. This system is called a NetFlow Complier
4. Though Cisco developed this particular protocol, it has been adopted by other vendors as well
3. Once you have devices generating NetFlow data, you need a system in place to handle the collection. This is called a NetFlow Complier.
Why: The name is actually NetFlow Collector (pg. 160)
Which sentence is false about Syslog?
1. Syslog originally functioned as a de facto standard until it was eventually fully standardized by the Internet Engineering Task Force (IETF)
2. Syslog specifies different facilities, which indicate what type of event the log entry is. Using these facilities, the syslog server can determine how the log entry is disposed of
3. The original syslog is the only implementation existing and its functions remain the same even after updates
4. In addition to facilities, the syslog standard specifies levels of severity
3. The original syslog is the only implementation existing and its functions remain the same even after updates.
Why: There are other implementations like rsyslog and syslog-ng (pg. 166)
There are other ways to look at the Event Logs on Windows. One method is to use:
1. None of the above
2. NetFlow
3. PowerShell
4. TechNet
3. PowerShell (pg. 172)
Based on the Sample syslog configuration file below, which sentence is false?
1. A common syslog configuration file will include lines specifying what to do about log events based on facility and severity
2. If you don't care as much about whether a particular event makes it to the log file you can add a dash before the filename
3. You can't use one log setup for centralized logging
4. Each entry indicates what to do with the log events, typically by specifying a file to write the events out to
3. You can't use one log setup for centralized logging
Why: You can use one because a syslog server can be used as a centralized log server (pg. 169)
Convert the hexadecimal number 2C to decimal:
1. 34
2. 3A
3. 44
4. 42
3. 44
About Logging, which sentences are true?
I. From a networking perspective analyzing only the operating system and application log is more than enough to investigate network incidents
II. While logging systems often store the log data on the device where it is generated, larger enterprises may be more likely to store their logs on centralized logging systems
III. Any device that interacts with users in some way or is exposed to a larger network has the potential to be compromised
IV. An attacker couldn't manipulate the log files even if he gains the necessary access, which may include administrative privileges
1. III and IV
2. I and IV
3. II and III
4. I and II
3. II and III (pg. 165)
About Security Information and Event Management (SIEM):
1. All the above
2. Helps the operations team get access to all of the information they need as well as manage the event from start to finish
3. The idea of a SIEM is to put all of the intelligence and the workflow into a single system
4. help to minimize blind spots by not having data scattered across multiple repositories, viewed by multiple groups
3. The idea of a SIEM is to put all of the intelligence and the workflow into a single system (pg. 184)
_______ is a protocol that was developed by ______ as a way of providing data that could be used to troubleshoot a network
1. NetFlow, Cisco Systems
2. NetFlow, Siemens
3. Citrix ICA, Citrix
4. AGS, Cisco Systems
1. NetFlow, Cisco Systems (pg. 160)
______ is an old ______ logging system. It was initially developed as part of the mail server Sendmail.
1. Syslog, Unix-based
2. Syslog, Windows
3. NetFlow, Unix-based
4. NetFlow, Windows
1. Syslog, Unix-based (pg. 166)
Which sentence is false about Windows Event Logs?
1. Since the underlying storage of the events is not just plaintext lines as in syslog, but instead in an XML format, using the Event Viewer will help you extract all of the relevant information and present it in a meaningful way so it's easier to quickly parse the event
2. Most of the time, users and administrators will use the Event Viewer
3. The Windows Event Log has been around since Windows NT was released in 1991
4. One advantage of the Event Viewer is that it collects everything into one interface
3. The Windows Event Log has been around since Windows NT was released in 1991
Why: It was released in 1993 (pg. 171)
Firewall logs are another important tool when it comes to looking into network incidents. What is it possible to see in the log entries below?
1. The IN and OUT interfaces
2. All the above
3. statistics related to the packet such as the length (LEN) and the type of service (TOS)
4. MAC address, the SRC and DST (source and destination) IP addresses
2. All the above (pg. 174)
The logs from Antivirus programs
1. Will always be found in the same place on the server
2. should be able to indicate not only if and when a file has been isolated as potentially problematic
3. may be pushed back to an enterprise console, so they cannot be stored on a server
4. Can't be stored on the local systems in text files or they may be in the Windows Event system
2. should be able to indicate not only if and when a file has been isolated as potentially problematic (pg. 180)
Which sentences are true about Router and Switch Logs?
1. The logs will indicate who has accessed the administration interfaces for these devices
2. It is impossible to see who has been doing work on the device and when they were doing it
3. Unfortunately, you can't get accounting information associated with configuration changes
4. Routers and switches aren't capable of generating logs
1. The logs will indicate who has accessed the administration interfaces for these devices (pg. 177)
In the Syslog severity Levels, the _____ severities have _____ numbers. The most severe log entry will have a severity level of _____
1. Higher, higher, 10
2. Higher, lower, 0
3. Lower, higher, 0
4. Lower, lower, 0
2. Higher, lower, 0 (pg. 168)
Which option represents a correct correlation between Severity, Keyword and Description?
1. Notice- notice- Normal operational messages that require no action
2. Error- err- Should be corrected immediately
3. Alert- alert- Critical conditions
4. Warning- warning- May indicate that an error will occur if action is not taken
4. Warning- warning- May indicate that an error will occur if action is not taken (pg. 167)
About heuristic detection systems, it is wrong to say:
1. They can be challenging because it may require a lot of tuning to keep the baseline up to date
2. The problem with approaches like this is the potential for alerts that aren't really intrusions
3. From the standpoint of a forensic investigator, they can be useful because they may provide a lot of data about anything that occurs that isn't normal, which may be a lot of information
4. Unlike signature-based systems, there is total control over what gets detected
4. Unlike signature-based systems, there is total control over what gets detected
Why: There is not total control over what gets detected (pg. 190)
About NIDS, it is correct to say:
1. The only way for a NIDS to be able to detect encrypted traffic is for it to have the decryption key and it is very common for a NIDS to have encryption keys
2. Even if traffic is encrypted, the NIDS does detection on the payload normally
3. They are called network investigation and detection systems
4. The NIDS would be limited to looking at the headers through the transport layer, which cannot be encrypted
4. The NIDS would be limited to looking at the headers through the transport layer, which cannot be encrypted (pg. 190)
Tripwire is a _____ IDS and was long focused on identifying file changes
1. VM based
2. Host-based
3. Perimeter
4. Network-based
2. Host-based (pg. 205)
_____ intrusion detection systems rely on someone to identify a pattern in the malicious _____
1. Heuristic, events
2. Signature-based, network traffic
3. Signature-based, events
4. Heuristic, software
2. Signature-based, network traffic (pg. 188)
Using the approach of identifying bad events and determining what they look like is called _____.
1. Signature-based detection
2. Normal detection
3. Heuristic detection
4. Intrusion detection
1. Signature-based detection (pg. 188)
Snort _____
1. is highly configurable but can be run only in Linux and Windows operating systems and hardware platforms
2. Had its first version named Firepower offered by Cisco in 1989
3. is the first network IDS, so it has been around for a long time and exists only in commercial offerings
4. rules can be used across multiple packages, which makes learning how to read and create the rules useful, even if you aren't using Snort itself
4. rules can be used across multiple packages, which makes learning how to read and create the rules useful, even if you aren't using Snort itself (pg. 191)
Which one is not a problem of the Heuristic detection system?
1. It requires multiple rules which may increase over time, increasing the processing needs
2. There is no control over what gets detected
3. A lot of tuning is required
4. It requires a period of learning
1. It requires multiple rules which may increase over time, increasing the processing needs
Why: this describes signature-based IDS (pg. 190)
A Host-based IDS:
1. is looking at the events within the operating system after the network traffic has been received
2. detects events after the decryption process has already happened
3. is looking at the events within the operating system after action has been taken by the receiving application
4. All the above
4. All the above (pg. 190)
Which sentence is FALSE?
1. When it comes to monitoring IDS alerts, no additional infrastructure is necessary
2. Most switches have the ability to use something called a port span, span port, or port mirror
3. For an intrusion detection system to work, all network traffic needs to get to the IDS
4. You can specify a switch port to send some portion of traffic or all traffic to, so that traffic being sent to one system also gets sent to the switch port where the IDS is installed
1. When it comes to monitoring IDS alerts, no additional infrastructure is necessary
Why: additional infrastructure may be necessary (pg. 207)
Which statement is wrong about OSSEC?
1. OSSEC is host-based intrusion detection system
2. OSSEC is multiplatform, like the other tools we have been talking about. It is also open source and free to use
3. Besides the evidence that can be provided by the network traffic, OSSEC cannot provide any additional evidence of what is happening on the local system
4. In addition to file integrity monitoring, it also offers monitoring for rootkits, log monitoring, and process monitoring
3. Besides the evidence that can be provided by the network traffic, OSSEC cannot provide any additional evidence of what is happening on the local system
Why: OSSEC can provide additional evidence (pg. 206)
Which of the following is NOT a characteristic of an intrusion detection system?
1. Continually monitors
2. Identifies patterns
3. Generates alerts
4. Blocks attacks
4. Blocks attacks
Why: That is more of the firewall's job
About signature-based intrusion detection systems, which sentence is FALSE?
1. This signature-based identification is a common approach to intrusion detection, just as it's a common approach to antivirus programs
2. Signature is the pattern in the malicious network traffic
3. When it comes to intrusion detection at the network level, the signature may be any number of individual pieces of data or a number of them together
4. These systems enable identifying and preventing a crime before it happens for the first time
4. These systems enable identifying and preventing a crime before it happens for the first time
Why: A crime must be committed in order for the identifying marker to be captured (pg. 188)
By default, the Snort source doesn't come with rules. Because rules are regularly being contributed, these additional signatures need to be downloaded. This means that new rules need to be pulled, and Snort doesn't come with the ability to do that without help. Which program can you use to regularly download the new sets of rules that are available?
1. Oinkcode
2. Bro
3. Suricata
4. Pulledpork
4. Pulledpork (pg. 198)
Suricata _____
1. is an open source intrusion detection system that can't use Snort rules to operate
2. Had the advantage of being multithreaded where Snort was single-threaded, when it was developed
3. Wasn't designed to be more oriented toward application layer protocols
4. Can't output to the same unified2 output format as Snort
2. Has the advantage of being multithreaded where Snort was single-threaded, when it was developed (pg. 201)
About Bro, it is wrong to say:
1. Unlike Snort and other IDSs that we have looked at, where rules that are essentially pattern matching are written for detection of events, Bro has an entirely different way of looking at events
2. Bro doesn't provide a lot of flexibility, as compared to an IDS like Snort, that provides a large number of actions that can be triggered
3. Bro is event-driven, which means that when events happen, functions get called
4. It was first described as an intrusion detection system in 1999 by Vern Paxson at the Lawrence Berkeley National Library
2. Bro doesn't provide a lot of flexibility, as compared to an IDS like Snort, that provides a large number of actions that can be triggered
Why: Bro is flexible (pg. 191)
The _____ will leave behind an audit event indicating that the log has been cleared. The same is true of the _____. In fact, the _____ will also generate an event saying that the _____ has been cleared, if it was to be cleared.
1. System, Security, Security, Application
2. Security, System, System, Application
3. Security, Security, System, Application
4. Application, Security, Security, System
2. Security, System, System, Application (pg. 231)
About firewall logs, it is WRONG to say:
1. All firewalls will automatically log dropped messages, but they can often be directed to log drops
2. The logs will help to correlate what you have been seeing and can fill in missing pieces if there are messages that have been dropped
3. No matter what type of firewall, though, looking at firewall logs will be useful
4. Logging network traffic, even if you are just logging metadata, will increase processor overhead on the firewall and will consume disk space
1. All firewalls will automatically log dropped messages, but they can often be directed to log drops
Why: Not all firewalls automatically log, but they can be directed to log drops (pg. 234)
Which of the options below are primary categories of Windows logs? (Select all the correct alternatives)
1. Application
2. System
3. Setup
4. Security
1, 2 & 4: Application, System, and Security (pg. 224)
Syslog was configured with a level 1 trap. Which types of logs would be generated?
1. Critical
2. Errors
3. Alerts
4. Emergencies
3 & 4: Alerts and Emergencies (pg. 214)
Which technology allows syslog messages to be filtered to different devices based on event importance?
1. syslog severity levels
2. syslog facilities
3. syslog service identifiers
4. syslog service timestamps
1. syslog severity levels
A _____ adds another layer of complexity. In addition to the simple port, protocol, and address rules, you can also determine whether to allow traffic based on its state
1. Any type of firewall
2. Stateful firewall
3. Host-based firewall
4. Network-based
2. Stateful firewall (pg. 233)
In the Common Log format, all the options are present except:
1. MAC address
2. Authenticated user
3. Date
4. Request
1. MAC address (pg. 241)
Select the correct sentence about proxies and their logs
1. The proxy is not capable of determining whether web traffic should be allowed through
2. A proxy is different from a firewall, since it can make determinations as to whether traffic should be allowed to pass through
3. The web proxy takes in requests from the user, then re-originates those requests as though it were doing the request for itself
4. Proxy servers aren't used as a way of conserving bandwidth, because the proxy server doesn't cache copies of web documents locally
3. The web proxy takes in requests from the user, then re-originates those requests as though it were doing the request for itself (pg. 236)
When you clear event logs, it is correct to say:
1. After you have cleared the Application log, there is nothing at all left but an entry indicating that the log file has been cleared is generated
2. The security log will leave behind an audit event indicating that the log had been cleared
3. This would wipe all entries from the log file, and you wouldn't get the option to save the log entries before clearing them
4. Event logs cannot easily be deleted using the Event Viewer
2. The Security log will leave behind an audit event indicating that the log had been cleared (pg. 231)
Syslog defines a priority as being the facility code multiplied by 8 then adding the severity code. In that case, which Severity would automatically give you a priority of 0?
1. Error
2. Emergency
3. Critical
4. Kernel
2. Emergency
Why: Because Kernel is a facility code, not a severity code (pg. 214)
Syslog defines a priority as being the facility code multiplied by 8 then adding the severity code. In that case, which Facility would automatically give you a priority of 0?
1. Kernel
2. Mail
3. Clock
4. User
1. Kernel (pg. 214)
About Windows logs, it is WRONG to say:
1. Four subtypes of logs are stored within the Applications and Services logs. These are Admin, Operational, Analytic, and Debug
2. The five categories of Windows logs are events that have system-wide impact
3. Windows doesn't enable other applications to generate log data even if that data doesn't have any impact on the operating system
4. Different categories of information can be stored in Applications and Services Logs
3. Windows doesn't enable other applications to generate log data even if that data doesn't have any impact on the operating system
Why: Windows does enable other applications to generate log data (pg. 225)
As syslog defines a priority as being the facility code multiplied by 8 then adding the severity code, what is the priority of a local7 debug message?
1. 128
2. 191
3. 144
4. 182
2. 191
Why: 23 x 8 = 184; 184 + 7 = 191 (pg. 167)
Wireshark is a tool that can be used for the following purposes, EXCEPT:
1. Perform log aggregation and management
2. Decode messages
3. Generate time-based data that can help you present information within a timeline
4. Provide warnings of packets that were potentially problematic on the network
1. Perform log aggregation and management (pg. 261-262)
When using Wireshark, which file format is used to store timestamps for all frames in Epoch time?
1. tms
2. wir
3. ino
4. pcap
4. pcap (pg. 250)
Which option presents the correct relationship in NTP's hierarchy to determine the reliability of time?
1. Stratum 1- atomic clock or a global positioning system (GPS)- accurate to milliseconds
2. Stratum 1- reference clock- accurate to microseconds
3. Stratum 0- atomic clock or a global positioning system (GPS)- accurate to milliseconds
4. Stratum 2- reference clock- accurate to milliseconds
3. Stratum 0- atomic clock or a global positioning system (GPS)- accurate to milliseconds (pg. 248)
Which program would know exactly what time the frame arrived while performing a packet capture?
1. Wireshark
2. Event viewer
3. Tcpdump
4. Syslog
3. Tcpdump (pg. 249)
About time synchronization, select the correct statements:
1. Desktops and servers are the only systems that need to have their times synchronized. Besides, the network devices and other appliances don't need to have their times synchronized
2. Each system within a network should be configured to synchronize with a local time source
3. Operating systems like Windows and Mac OS X are configured by default to synchronize with a time server maintained by Microsoft and Apple, respectively
4. Linux systems would commonly use one of the pool servers maintained by ntp.org to synchronize
2, 3 & 4: Each system within a network should be configured to synchronize with a local time source; Operating systems like Windows and Mac OS X are configured by default to synchronize with a time server maintained by Microsoft and Apple, respectively; Linux systems would commonly use one of the pool servers maintained by ntp.org to synchronize (pg. 248)
Which tool is capable of doing analysis on potential malware samples?
1. Splunk
2. Wireshark
3. PacketTotal
4. Nxlog
3. PacketTotal (pg. 259)
When synchronizing time across systems regardless of the time zone they are located in, it is correct to say:
1. All the above
2. Every system in the network, or at least every system you care about, must be using the same source for its timing information
3. If the system clock is set to UTC, every system, no matter where it is, has the same time and no resolution needs to happen to ensure every event captured has the same base time
4. When systems need to all be on a particular time standard in order to make sure that what happens can be resolved easily later on, as in a timeline, they may simply set their local clocks to UTC
1. All the above (pg. 247)
What does SIEM stand for?
1. Security Inspection and Event Management
2. Security Information and Enterprise Management
3. System Information and Event Management
4. Security Information and Event Management
4. Security Information and Event Management (pg. 183)
About packet timing and capture, all the options are correct, EXCEPT:
1. Packet captures can also be used as a source of timeline information, and this is important because of the value of using packet captures in a network investigation
2. The packet capture ordering is based on offsets from the beginning of the packet capture
3. Packet captures always include their own per-frame times
4. Packet captures often need to be correlated with logs, and logs can come from many systems
3. Packet captures always include their own per-frame times
Why: They don't because everything is based on offsets from the beginning of a packet capture (pg. 246)
All the sentences present correct information about SIEM, EXCEPT:
1. The SIEM will do a lot of correlation for you so you don't have to pull a lot of data together yourself
2. The object of a SIEM is to focus specifically on security-related information
3. A SIEM can also serve as a central log storage system and provide capabilities to query the information that it stores
4. Each SIEM will generate rules in different ways, but always with the same complexity levels
4. Each SIEM will generate rules in different ways, but always with the same complexity levels
Why: The complexity levels can differ (pg. 263)
Nxlog is a tool owned by:
1. Siemens
2. Cisco
3. Microsoft
4. IBM
4. IBM (pg. 218)
Windows uses the _____ to store log information
1. Log Viewer
2. Event Viewer
3. System Log
4. Event Log
4. Event Log (pg. 251)
Which of these tools are commonly used to perform Log Management? (Select all the correct options)
1. Windows Event Viewer
2. Nxlog
3. Splunk
4. Syslog
1, 2, 3 & 4: Windows Event Viewer; Nxlog; Splunk; Syslog (pg. 254-256)
Select the correct sentences about the tool known as Plaso
1. log2timeline is a Plaso component, which does the work of taking the input, performing any parsing, and filtering, then outputting a storage file useful to other tools
2. Plaso is a collection of Java scripts and all of them are run from the command line
3. Plaso is a collection of software that provides the ability to ingest several data types
4. Plaso relies on a number of libraries and other software packages to handle some of the work, so even if those libraries are not installed all the functions will work
1 & 3: log2timeline is a Plaso component, which does the work of taking the input, performing any parsing, and filtering, then outputting a storage file useful to other tools; Plaso is a collection of software that provides the ability to ingest several data types (pg. 258)
Why does NTP transmit and receive over UDP? (Select all the correct options)
1. Because you need to verify that you are talking to the correct server
2. Because in that case you want to receive the messages from the NTP server with the shortest delay absolutely possible
3. Because in the case of a time synchronization message, it is less important that it get there guaranteed
4. Because speed is the most important factor
2, 3 & 4: Because in that case you want to receive the messages from the NTP server with the shortest delay absolutely possible; Because in the case of a time synchronization message, it is less important that it get there guaranteed; Because speed is the most important factor (pg. 248)
When conducting port scanning, what is the main objective?
1. Scan for communication items
2. Test for firewalls
3. Find open ports
4. Determine vulnerabilities
3. Find open ports (pg. 266)
Nmap can determine the operating system of its target. Which option performs this action?
1. -OS
2. -A
3. -O
4. -sO
3. -O
What information is obtained by using fping -g 192.168.86.0/24?
1. Pings one system at IP 192.168.86.0
2. Which systems are alive
3. Runs a test of all system banners
4. Which systems are running a -g scan
2. Which systems are alive (pg. 279)
In nmap, what type of scan does the -sT command perform?
1. a half-scan
2. Not a valid command
3. A full scan
4. A connect scan
4. A connect scan (pg. 269)
Why does nmap -sS require sudo before the command?
1. To avoid having to keep entering the command
2. So it can use raw sockets
3. To enable the admin extra time
4. To test the network stack
2. So it can use raw sockets (pg. 268)
The tool Nessus is used to?
1. Determine system vulnerabilities
2. Valid system timeline
3. Test for open ports
4. Enumerate all systems
1. Determine system vulnerabilities (pg. 281)
The term port knocking refers to?
1. Test for stealth ports
2. Externally opening ports
3. Probe open ports
4. Run scripts on ports
2. Externally opening ports (pg. 285)
In nmap, what type of scan does the command -sS perform?
1. A Xmas scan
2. A half-scan
3. A connect scan
4. A null scan
2. A half-scan (pg. 268)
The scanner OpenVAS is more closely related to which other scanner?
1. Ripe
2. Nmap
3. NextPose
4. Nessus
4. Nessus (pg. 281)
In nmap, the -sU command conducts what type of scan?
1. UXC
2. UCC
3. UUU
4. UDP
4. UDP (pg. 270-271)
What does this command accomplish: sudo nmap --script=ssh-hostkey.nse 192.168.86.111?
1. Runs scripts against target
2. Conducts a test of the nse system
3. Performs a scan of closed ports
4. Is an invalid command
1. Runs scripts against target (pg. 274)
To perform banner grabbing, which tools would you use?
1. nmap
2. telnet
3. gbanner
4. zenmap
2. telnet (pg. 277-278)
A tool very similar to Nessus is?
1. Nexpose
2. Nmap
3. ScanMap
4. Ripe
1. Nexpose (pg. 283)
Certificates are normally used in which type of encryption?
1. Strong bonds link
2. None of these
3. Asymmetric
4. Symmetric
3. Asymmetric (pg. 300-302)
What are hypervisors?
1. Power system that allows for system virtualization
2. A manner of enhancing the speed and performance of hardware
3. An accelerator for graphic intensive applications
4. Special hardware that enhances the transfer of data
1. Power system that allows for system virtualization (pg. 307)
When conducting normal frequency distribution of letters, which letter is more often encountered?
1. O
2. A
3. E
4. Z
3. E (pg. 293)
Restoring encrypted information to the original message, commonly called plaintext, is?
1. Encoding
2. Decoding
3. Encryption
4. Decryption
4. Decryption (pg. 292)
The search engine Ahmia searches for?
1. Services available on the Internet
2. A cumulative search of web sites
3. Samples of IoT devices found in the hidden web
4. Hidden services on the Tor Network
4. Hidden services on the Tor Network (pg. 316)
What is the Caesar cipher?
1. A letter substitution process
2. A simple calculator
3. A symmetrical cipher
4. A special key
1. A letter substitution process (pg. 292)
What does cloud computing mean?
1. A computing service is being provided somewhere in a network
2. A type of computing model that reduces information in the Internet
3. A computing resource available only to desktop systems
4. The same as the fog
1. A computing service is being provided somewhere in a network (pg. 306)
The Onion Router (TOR) provides access to what system?
1. The visible web
2. The hidden web
3. The secret web
4. The dark web
4. The dark web (pg. 314)
The term Diffie-Hellman refers to?
1. A type of encoding
2. A type of encryption
3. A type of scan
4. A key exchange protocol
4. A key exchange protocol (pg. 294)
Which of the following is a type of symmetric encryption algorithm?
1. AES
2. MD5
3. SYM
4. SSL
1. AES (pg. 294)
Storage as a Service is typically used to?
1. Move data and program to a secure location
2. A repository of metadata
3. Store data in the cloud
4. An external hard drive on your system
3. Store data in the cloud (pg. 309)
How many keys are required for symmetric encryption?
1. A public and private combination
2. Does not require a key
3. Two
4. One
4. One (pg. 294)
What is the objective of using SSLScan?
1. Determines the decoding/encoding pairs
2. Determines cipher suites supported in SSL or TLS
3. Test the system for encryption compatibility
4. Conduct a scan of the ports that use encoding
2. Determines cipher suites supported in SSL or TLS (pg. 297)
What is the Heartbleed bug?
1. A test of vulnerabilities encountered on Windows system only
2. None of the above
3. The potential to take an encrypted communication stream and offer a way to decrypt it
4. The space between SSL and certificates
3. The potential to take an encrypted communication stream and offer a way to decrypt it (pg. 304)
A type of Infrastructure as a Service is?
1. All of the above
2. Google Docs
3. Microsoft Azure
4. Amazon EC2
1. All of the above (pg. 307)