CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [63]
4. Examine the list and look for anything out of the ordinary. After doing this a few times, you will become familiar with what is normally there and will be able to spot oddities quickly.
5. Notice the values in the CPU column. Those values will always total 100, with System Idle Process typically making up the bulk. A high number on another process can indicate that there is a problem with it. If the numbers do not add up to 100, it can be a sign that a rootkit is masking part of the display.
6. Close the Task Manager.
Lab 2.2: Identify Running Processes on a Linux-Based Machine
Most versions of Linux include a graphical utility to allow you to see the running processes. Those utilities differ based on the distribution of Linux you are using and the desktop that you have chosen.
All versions of Linux, however, do offer a command line and the ability to use the ps utility. Because of that, this method is employed in this lab. To access this information, follow these steps:
1. Open a shell window, or otherwise access a command prompt.
2. Type ps -ef | more.
3. The display shows the processes running for all users. The process names appear in the rightmost column, and the processor time is in the column immediately to its left. The names are cryptic, but definitions for most can be found by using the man command followed by the name of the process. Those that are application specific can usually be found through a web search.
4. Examine the list and look for anything out of the ordinary. After doing this a few times, you will become familiar with what is normally there and will be able to spot oddities quickly.
5. Pay particular attention to those processes associated with the root user (the user appears in the first column). Because the root user has the power to do anything, only necessary daemons and processes should be associated with that user.
6. Exit the shell.
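As an added example (not part of the study guide), the following POSIX shell script automates the examination in steps 4 and 5 of this lab, together with the high-CPU check from the preceding Windows lab: it reads ps -ef output and flags root-owned processes that are not in an expected baseline, and any process with high CPU. The BASELINE list, the CPU threshold and the sample process listing are assumptions constructed for illustration, not values from the book.

```shell
# Added example, not part of the study guide: a review pass over `ps -ef`
# output that flags what steps 4 and 5 of the lab ask you to look for.
# BASELINE and CPU_THRESHOLD are illustrative assumptions; derive real
# values from a known-clean host.

BASELINE="init systemd kthreadd sshd cron rsyslogd"
CPU_THRESHOLD=50   # C column of ps -ef: integer CPU utilization

# in_baseline NAME -> returns 0 when NAME is an expected root daemon
in_baseline() {
    for b in $BASELINE; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# flag_processes reads `ps -ef` lines (header included) on stdin and prints
# one "PID NAME reason" line per finding.
flag_processes() {
    while read -r uid pid ppid c stime tty cputime cmd; do
        [ "$uid" = "UID" ] && continue          # skip the header row
        name=${cmd%% *}                          # first word of CMD
        name=${name##*/}                         # /usr/sbin/sshd -> sshd
        name=${name#\[}; name=${name%\]}         # [kthreadd] -> kthreadd
        if [ "$uid" = "root" ] && ! in_baseline "$name"; then
            printf '%s %s root-owned, not in baseline\n' "$pid" "$name"
        elif [ "$c" -ge "$CPU_THRESHOLD" ]; then
            printf '%s %s high CPU (%s%%)\n' "$pid" "$name" "$c"
        fi
    done
    return 0
}

# Constructed sample in `ps -ef` layout (not captured from a real system).
SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:02 /sbin/init
root         2     0  0 09:00 ?        00:00:00 [kthreadd]
root       512     1  0 09:00 ?        00:00:00 /usr/sbin/sshd -D
alice     1200   512  0 09:05 pts/0    00:00:00 -bash
alice     1301  1200 72 09:12 pts/0    00:03:10 ./build.sh
root      1337     1  3 09:10 ?        00:00:09 /tmp/unknownproc'

printf '%s\n' "$SAMPLE" | flag_processes
# On a live host: ps -ef | flag_processes
```

Running it on the sample prints two findings: the high-CPU build job and the root-owned process that is not in the baseline, which are exactly the items a manual pass over ps -ef is meant to catch.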
Review Questions
1. Which type of attack denies authorized users access to network resources?
a. DoS
b. Worm
c. Logic bomb
d. Social engineering
2. As the security administrator for your organization, you must be aware of all types of attacks that can occur and plan for them. Which type of attack uses more than one computer to attack the victim?
a. DoS
b. DDoS
c. Worm
d. UDP attack
3. A server in your network has a program running on it that bypasses authorization. Which type of attack has occurred?
a. DoS
b. DDoS
c. Back door
d. Social engineering
4. An administrator at a sister company calls to report a new threat that is making the rounds. According to him, the latest danger is an attack that attempts to intervene in a communications session by inserting a computer between the two systems that are communicating. Which of the following types of attacks does this constitute?
a. Man-in-the-middle attack
b. Back door attack
c. Worm
d. TCP/IP hijacking
5. You’ve discovered that an expired certificate is being used repeatedly to gain logon privileges. Which type of attack is this most likely to be?
a. Man-in-the-middle attack
b. Back door attack
c. Replay attack
d. TCP/IP hijacking
6. A junior administrator comes to you in a panic. After looking at the log files, he has become convinced that an attacker is attempting to use an IP address to replace another system in the network to gain access. Which type of attack is this?
a. Man-in-the-middle attack
b. Back door attack
c. Worm
d. TCP/IP hijacking
7. A server on your network will no longer accept connections using the TCP protocol. The server indicates that it has exceeded its session limit. Which type of attack is probably occurring?
a. TCP ACK attack
b. Smurf attack
c. Virus attack
d. TCP/IP hijacking
8. A smurf attack attempts to use a broadcast ping on a network; the return address of the ping may be a valid system in your network. Which protocol does a smurf