Computer security



Computer security is a branch of computer technology, known as information security, as applied to computers and networks. Its objective includes protecting information and property from theft and corruption. This guide of computer security interview questions and answers covers computing security, information security, NT security, Web security and network security.



89 Computer Security Questions And Answers

41⟩ Are some operating systems more secure to use as platforms for Web servers than others?

The answer is yes, although the Unix and NT communities may not like to hear it. In general, the more powerful and flexible the operating system, the more open it is for attack through its Web (and other) servers.

Unix systems, with their large number of built-in servers, services, scripting languages, and interpreters, are particularly vulnerable to attack because there are simply so many portals of entry for hackers to exploit. Less capable systems, such as Macintoshes and special-purpose Web server boxes, are less easy to exploit. The safest Web site is a bare-bones Macintosh running a bare-bones Web server.

In the real world, of course, many sites will want to run a Windows NT or Unix server in order to gain the performance advantage of a multitasking operating system and the benefits of database and middleware connectivity. Security holes have been found in both Unix and Windows NT server systems, and new security holes are being found on a regular basis. On the whole, Windows NT systems seem to be more vulnerable at the current time, partly because the OS is relatively new and the big bugs haven't been shaken out, and partly because the NT file system and user account system are highly complex and difficult to configure correctly.

If you have configured your system correctly and are compulsive about applying your vendor's security patches promptly, a typical Unix system will be more secure than a typical NT system. However, you also have to factor in the experience of the people running the server host and software. A Unix system administered by a novice system administrator will be far less secure than an NT system set up by a seasoned Windows NT system administrator.


42⟩ Are CGI scripts insecure?

CGI scripts are a major source of security holes. Although the CGI (Common Gateway Interface) protocol is not inherently insecure, CGI scripts must be written with just as much care as the server itself. Unfortunately some scripts fall short of this standard and trusting Web administrators install them at their sites without realizing the problems.


43⟩ What general security precautions should I take?

If you are a Webmaster, system administrator, or are otherwise involved with the administration of a network, the single most important step you can take to increase your site's security is to create a written security policy. This security policy should succinctly lay out your organization's policies with regard to:

* who is allowed to use the system

* when they are allowed to use it

* what they are allowed to do (different groups may be granted different levels of access)

* procedures for granting access to the system

* procedures for revoking access (e.g. when an employee leaves)

* what constitutes acceptable use of the system

* remote and local login methods

* system monitoring procedures

* protocols for responding to suspected security breaches

This policy need not be anything fancy. It need only be a succinct summary of how the information system works, reflecting your organization's technological and political realities. There are several benefits to having a written security policy:

1. You yourself will understand what is and is not permitted on the system. If you don't have a clear picture of what is permitted, you can never be sure when a violation has occurred.

2. Others in your organization will understand what the security policy is. The written policy raises the level of security consciousness, and provides a focal point for discussion.

3. The security policy serves as a requirements document against which technical solutions can be judged. This helps guard against the "buy first, ask questions later" syndrome.

4. The policy may help bolster your legal case should you ever need to prosecute for a security violation.

More suggestions for formulating a security policy can be found in the general Internet security reference works listed at the end of this document.

For Web servers running on Unix and NT systems, here are some general security precautions to take:

1. Limit the number of login accounts available on the machine. Delete inactive users.

2. Make sure that people with login privileges choose good passwords. The Crack program will help you detect poorly-chosen passwords.

3. Turn off unused services. For example, if you don't need to run FTP on the Web server host, get rid of the ftp software. Likewise for tftp, sendmail, gopher, NIS (network information services) clients, NFS (networked file system), finger, systat, and anything else that might be hanging around. Check the file /etc/inetd.conf (Unix) or Service Manager for a list of servers that may be lurking. Deactivate any that you don't use.

4. Remove shells and interpreters that you don't absolutely need. For example, if you don't run any Perl-based CGI scripts, remove the Perl interpreter.

5. Check both the system and Web logs regularly for suspicious activity.

6. Make sure that permissions are set correctly on system files, to discourage tampering.

Be alert to the possibility that a _local_ user can accidentally make a change to the Web server configuration file or the document tree that opens up a security hole. You should set file permissions in the document and server root directories such that only trusted local users can make changes. Many sites create a "www" group to which trusted Web authors are added. The document root is made writable only by members of this group. To increase security further, the server root, where vital configuration files are kept, is made writable only by the official Web administrator. Many sites create a "www" user for this purpose.
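As an added example (not from the original guide), here is a small audit of step 3 above: it parses a Unix /etc/inetd.conf, treats commented-out lines as disabled, and reports which of the services the answer names are still active. The inetd.conf text and the risky-service list are constructed for this example.

```python
# Added example (not from the original page): audit a Unix inetd.conf for
# services the answer above says to deactivate. The config text is a
# constructed sample; the risky-service list mirrors the answer's examples.
from __future__ import annotations

# Services the answer singles out as candidates for removal on a Web host.
RISKY_SERVICES = {"ftp", "tftp", "gopher", "finger", "systat", "netstat",
                  "shell", "login", "exec"}

# Constructed inetd.conf sample: some services active, some commented out.
SAMPLE_INETD_CONF = """\
# inetd.conf - constructed sample for the example
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root   /usr/sbin/tcpd  in.tftpd /tftpboot
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
#systat stream  tcp  nowait  nobody /usr/sbin/tcpd  /bin/ps -auwwx
http    stream  tcp  nowait  www    /usr/sbin/httpd httpd
"""


def enabled_services(conf_text: str) -> dict[str, tuple[str, str]]:
    """Return {service: (socket_type, protocol)} for every active inetd line.

    Lines beginning with '#' are comments or disabled entries and are skipped,
    as are blank or malformed lines (fewer than the six mandatory fields).
    """
    active: dict[str, tuple[str, str]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        service, socket_type, protocol = fields[0], fields[1], fields[2]
        active[service] = (socket_type, protocol)
    return active


def risky_enabled(conf_text: str, allow: frozenset[str] = frozenset()) -> list[str]:
    """Active services on the risky list that are not explicitly allowed."""
    return sorted(s for s in enabled_services(conf_text)
                  if s in RISKY_SERVICES and s not in allow)


if __name__ == "__main__":
    for svc in risky_enabled(SAMPLE_INETD_CONF):
        print(f"deactivate: {svc}")
```

Pass an `allow` set for services the host genuinely needs, so the report only lists what should be turned off.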


44⟩ What is the URLScan Security Tool?

Urlscan is a powerful IIS security tool that works in conjunction with the IIS Lockdown Tool to give IIS Web site administrators the ability to restrict certain HTTP requests that the server will process, and thus prevents potentially harmful requests from reaching the server and causing damage. The URLScan Security Tool page on Microsoft TechNet describes its features and usage, provides answers to common questions, and details steps for download and installation.


45⟩ What is the HFNetChk Security Tool?

The HFNetChk Security Tool is a tool released by Microsoft that aids system administrators in the task of maintaining security across Windows-based servers; it is a command-line tool that enables the administrator to check the patch status of all the machines in a network from a central location. The HFNetChk Security Tool page on TechNet provides more information and instructions for download.


46⟩ What do you see as the most critical and current threats affecting Internet-accessible websites?

Note: Goal of question – To gauge the applicant's knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP).


47⟩ What do you see as challenges to successfully deploying/monitoring web intrusion detection?

Note: Goal of question – We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as:

· Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)

· Proper logging – increasing the verboseness of logging (Mod_Security audit_log)

· Remote Centralized Logging

· Alerting Mechanisms

· Updating Signatures/Policies


48⟩ What are the most important steps you would recommend for securing a new web server? Web application?

Note: Goal of question – Once again, there is no right or wrong answer, however we are interested in what the applicant views as important.

Web Server Security:

· Update/Patch the web server software

· Minimize the server functionality – disable extra modules

· Delete default data/scripts

· Increase logging verboseness

· Update Permissions/Ownership of files

Web Application Security:

· Make sure Input Validation is enforced within the code - Security QA testing

· Configured to display generic error messages

· Implement a software security policy

· Remove or protect hidden files and directories


49⟩ What are some examples of how you would attempt to gain access?

Note: Goal of question – Determine if the applicant has a wide knowledge of different authentication vulnerabilities. They may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as – ‘ OR 1=1#). If they provide SQL examples, then offer them the following Error document information and ask them what this indicates.

ODBC Error Code = 37000 (Syntax error or access violation)

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near '='.

Data Source = "ECommerceTheArchSupport2"

SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="

The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file K:InetPubclientsloginhttpailment.cfm

The specific sequence of files included or processed is: K:INETPUBCLIENTSLOGINHTTPAILMENT.CFM

This error message indicates that the target web application is running Microsoft SQL Server, and it discloses the server's directory structure.
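As an added example (not from the original guide), the two defects behind the error dump above, SQL built by string concatenation and a verbose error page, are shown beside their fixes. It uses an in-memory SQLite table modelled on the page's QuickJump_Items query; the table contents and the handler functions are constructed for this example.

```python
# Added example (not from the original page): string-built SQL and verbose
# error output beside the parameterized, generic-error version.
from __future__ import annotations
import sqlite3

# Constructed table with the column names from the page's query.
TABLE_SQL = """
CREATE TABLE QuickJump_Items (ItemId INTEGER, QuickJumpId INTEGER);
INSERT INTO QuickJump_Items VALUES (10, 1), (11, 1), (12, 2), (0, 3);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(TABLE_SQL)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, quickjump_id: str) -> list[int]:
    """The pattern behind the page's error: the request parameter is pasted
    into the WHERE clause, so non-numeric input changes the statement's
    meaning or (as with the empty value in the page's dump) breaks its syntax."""
    sql = ("SELECT QuickJump_Items.ItemId FROM QuickJump_Items "
           "WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId = " + quickjump_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, quickjump_id: str) -> list[int]:
    """Validate the parameter's type, then bind it so it is always data."""
    try:
        value = int(quickjump_id)
    except ValueError:
        return []  # reject rather than interpret; the input never reaches SQL text
    sql = ("SELECT QuickJump_Items.ItemId FROM QuickJump_Items "
           "WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId = ?")
    return [row[0] for row in conn.execute(sql, (value,))]


def handle_request(conn: sqlite3.Connection, quickjump_id: str, safe: bool) -> str:
    """Simulated page handler. The unsafe path echoes the driver error to the
    client, as the ODBC/ColdFusion dump above does; the safe path would log
    the exception server-side and return only a generic message."""
    try:
        rows = lookup_safe(conn, quickjump_id) if safe else lookup_unsafe(conn, quickjump_id)
        return "items=" + ",".join(map(str, rows))
    except sqlite3.Error as exc:
        if safe:
            return "An error occurred. Please try again later."
        return f"SQL error: {exc}"  # leaks engine and statement details
```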


50⟩ What does this log entry indicate? How could you identify what the contents are of the hacked.htm file that the attacker is trying to upload?

One of your web servers is logging multiple requests similar to the following:

201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"

What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?

Note: Goal of question – Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT method) and the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL request line. In order to identify this data, a network sniffing application would need to be used. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule –

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)
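As an added example (not from the original guide), the log-side half of the answer above: a parser for Common Log Format lines that groups write-method requests (PUT and the other WebDAV methods) by client and notes whether any succeeded. The first sample line is the page's own entry; the remaining lines are constructed.

```python
# Added example (not from the original page): flag HTTP PUT attempts in CLF.
from __future__ import annotations
import re
from collections import defaultdict

# Methods that write to the document tree; a 2xx reply means it worked.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

# The trailing quoted fields vary by server LogFormat; the page's entry has
# the user agent first, so they are kept as an opaque tail here.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?P<tail>.*)$'
)

# First line is from the page; the others are constructed for the example.
SAMPLE_LOG = """\
201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
201.1.199.155 - - [26/Dec/2004:01:55:52 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
10.0.0.7 - - [26/Dec/2004:01:56:03 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
201.1.199.155 - - [26/Dec/2004:01:57:10 -0500] "PUT /hacked.htm HTTP/1.0" 201 0 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
"""


def parse_clf(line: str) -> dict | None:
    """Split one CLF line into its fields, or return None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_write_attempts(log_text: str) -> dict[str, dict]:
    """Group write-method requests by client and record whether any succeeded.

    CLF holds only the request line and status: the uploaded body (the
    contents of hacked.htm) is never in the log, which is why the answer
    turns to a packet capture to recover it.
    """
    findings: dict[str, dict] = defaultdict(
        lambda: {"count": 0, "paths": set(), "succeeded": False})
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        f = findings[rec["host"]]
        f["count"] += 1
        f["paths"].add(rec["path"])
        if 200 <= rec["status"] < 300:
            f["succeeded"] = True  # the server accepted the write
    return dict(findings)


if __name__ == "__main__":
    for host, f in find_write_attempts(SAMPLE_LOG).items():
        print(host, f["count"], sorted(f["paths"]), "succeeded" if f["succeeded"] else "blocked")
```

A client whose entry shows `succeeded` warrants checking the document tree immediately, since a 403 only means the server refused that particular write.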


51⟩ I am new to the Internet and have been hearing a lot about viruses. I am not exactly sure what they are. Can you help?

A virus is a small piece of software that attaches itself to 'real' software programs (executable code). Each time you launch the real program, the virus is also launched. The virus may then spread and attach itself to other programs and wreak havoc on your system.

The most widespread virus is an email virus. An email virus spreads through email attachments. It usually spreads by mailing itself to everyone within the email program's address book. It tricks the email recipient into believing the message was sent from someone they know.

Although this type of virus rapidly spreads, you can't get it simply by reading a plain text email. However, you can execute the virus by clicking on an encoded message that contains embedded executable code such as JavaScript within an HTML email message, or an executable file attachment.

Another type of program that is often thought of as a virus is a 'Trojan horse' program. However, it is not a virus. It is simply a computer program that acts like it's something it's not. For example, you may download a program that you think is a computer game. However, when you run the program, it may delete files on your hard drive. Trojan horses cannot automatically replicate themselves.

Another widespread program is known as a worm. A worm is actually a small piece of software that travels through vulnerable computer networks with security holes. The worm scans the network in search of other computers with security holes. It copies itself to each system it finds.

Although viruses can infect any type of executable code such as EXE files or DOC files, most media files such as GIF, JPG, BMP, MP3, WAV, AVI, MOV and TXT files are generally safe.

Although viruses can wreak havoc, computer virus hoaxes can also be damaging. Virus hoaxes may cause Internet users to begin to ignore all virus warnings. This can be harmful, as they are then left vulnerable to 'real' virus warnings.

In addition, many virus hoaxes also include a 'fix' that instructs the user to delete a certain file from their system. However, the file the hoax says is a virus is actually an important file needed by your computer.

Never follow the advice within an email 'virus alert' instructing you to remove a virus from your system without first verifying its validity.

You can protect your computer by taking a few precautionary steps:

1) Purchase a quality virus protection software and keep it updated.

2) If you're using Microsoft programs, make sure that the "Macro Virus Protection" is enabled. Never run a macro within a document unless you know exactly what it does.

3) Never open an email attachment unless you're absolutely sure where it came from and what it is.

4) Avoid downloading software programs from sources you're not familiar with. If you do download a program, make sure you scan the file with your anti-virus software prior to installing.


52⟩ Checking on the interviewee's knowledge of legal issues and information security

Checking on the interviewee's knowledge of legal issues and information security. Ask them to explain COPPA, SOX, HIPAA (if applicable) and GLB (if applicable). This will give the interviewer a good idea of how knowledgeable the interviewee is about legal issues surrounding the implementation of information security and information security policy. The interviewee should know this material cold so that they can have a really good discussion about these issues.


53⟩ What is the security threat level today at the Internet Storm Center (ISC)?

For the interviewer, the URL is http://isc.sans.org and the level is usually green. The reason for asking the question is to find out whether the candidate is on top of what the Internet looks like today. You can substitute the ISS rating of one through five at http://www.iss.net, which is usually one, but most security folks know about the ISC and will spend time there.


54⟩ How well can the person do architecture from scratch?

The question is "here, design a secure network" on the whiteboard. This is an open-ended question, and it tests how well the person can do architecture from scratch. My favorite variation on this is that, given a web server, an e-mail system, switch, router, firewall, SIM or central data repository (aka kiwi syslog daemon) and IPS system, tie them all together into a Security Information Management system, showing information paths, ports used, and protocols used. Usually the original question does not go into ports and protocols and remains at the logical hierarchy, assuming that all the systems work and can talk back to a central repository. This really opens up the questioning to how well they understand not only architecture, but dependencies, interdependencies, protocol use, and the security arrangements around protocol use. It is the same question, just more in-depth, to determine how well they understand the risks, limitations, and support for the various systems in the path.

All the above questions, depending on which ones are used, can give a really good indication of what the person knows how to do, and how well they think about large and small issues. None of these questions triggers any HR issues, and as long as they pertain to the job, they should not get the interviewer into any trouble. The key thing about these questions is that the interviewer has to be knowledgeable about them, or if it is team interviewing, the team should be knowledgeable about the answers. Many of these are leading and can provide some really interesting responses from the interviewees. These are really just solid technical interview questions that many information security people should be able to answer, given how many years they have been in the field, how much exposure they have had to various technologies, or what they like to do.


55⟩ What is LSA (Local Security Authority)?

LSA stands for Local Security Authority. This is an internal subsystem (as opposed to an environmental ditto, such as Win32) within Windows NT that "generates access tokens [...], manages the local security policy, and provides interactive user authentication services" (from "Windows NT resource guide", ISBN 1-55615-653-7).


56⟩ What is a secure channel?

There is some confusion on this point when you consult the Microsoft sources on the subject. Ever since MS discovered the Internet, a secure channel is any point-to-point network connection established between a client and a server that "provides privacy, integrity, and authentication" (see Microsoft Internet Security Framework: Answers to Frequently Asked Questions).

"Before Internet", a secure channel was (and still is) the magic connection between WNT computers in a domain. This kind of channel is used for transportation of sensitive data, such as user credentials during a domain logon and replication of the account database between DCs.

The secure channel is established as soon as the domain member machine is booted and is based on a shared secret that is used as the key for encrypting the data that travels through the channel. Each domain member has a machine account defined in the domain SAM database that is created when the machine joins the domain. The password of this account is used as the shared secret for encryption of the channel. The member machine stores it in the registry, where it can be retrieved using the lsadump program by Paul Ashton.

A problem with this is that the initial password (on a WS account) is poorly chosen (unicode(machine-name)). This means that anybody who can listen in on the network at the time of a domain join will be able to calculate the session key used to encrypt the channel, and by this can get hold of the user credentials of anybody doing a network logon from that particular machine. The password is changed as soon as the machine is rebooted after joining the domain and is then changed periodically every seventh day, but the new password is communicated through -- guess what -- the now not so secure channel, so as long as the listener keeps his ear on the wire, he will have the session key. No known solution, but the algorithm for encrypting the new password is not published (yet).


57⟩ How do I get my computer C2-level secure, or, what is c2config?

On the CD-ROM that is included in the NT Resource Kit, there is a program called c2config that can be used to tighten the security of an NT-based computer.

Be aware that c2config will not work well on systems with a localized environment, e.g. a German NT that uses ACLs in German, not in English.


58⟩ Host security

In general, any computer that is not physically secured is not fully secured. If anyone is able to get physical access to the machine, it is possible to boot it from a diskette or CD-ROM, or simply to steal the hard disk and use it in another computer.


59⟩ User security?

Users are susceptible to a number of attacks, such as dictionary password guessing. In Windows NT, one way to protect against those types of attacks is to set the number of failed logins allowed before the account is disabled, either temporarily or until the system manager manually enables it again.


60⟩ What are giant packets? Or, is Windows NT susceptible to the PING attack?

There are mixed reports on whether or not NT is vulnerable to this attack. Using ping to send an oversized packet to certain systems can make them hang or crash.

Windows NT 3.51 seems to be vulnerable to this attack. A Knowledge Base article, Q132470, describes the symptoms in Windows NT 3.51 and also includes a pointer to a patch for this problem.
