Software Designer - Information Security Knowledge

Security Attributes

  • Confidentiality: principle of least privilege (least authorization), preventing exposure, information encryption, physical secrecy
  • Integrity: security protocols, verification codes, password verification, digital signatures, notarization
  • Availability: comprehensive safeguards (IP filtering, service flow control, routing control, audit trail)
  • Non-repudiation: digital signatures


Encryption Technology

  Encryption technology is the most commonly used means of security and confidentiality. The key to data encryption lies in the encryption/decryption algorithms and in key management. The basic process is to process the original plaintext file or data with a chosen encryption algorithm, turning it into an unreadable sequence usually called "ciphertext". The ciphertext reveals the original content only after the corresponding key is supplied, so the data cannot be stolen.

  In security and confidentiality work, the communication security of network information can be guaranteed through appropriate key encryption technology and key management mechanisms. Cryptosystems based on key encryption are divided into two types, symmetric key systems and asymmetric key systems. Correspondingly, data encryption technology is divided into two categories: symmetric encryption (private key encryption) and asymmetric encryption (public key encryption).

Symmetric encryption

Symmetric encryption (also known as private key encryption or shared key encryption): encryption and decryption use the same key.
Features:
1. The encryption strength is not high, but the efficiency is high;
2. Key distribution is difficult.
(Large amounts of plaintext are generally encrypted with symmetric encryption to keep encryption efficient.)
Common symmetric key encryption algorithms: DES, 3DES (triple DES), RC-5, IDEA, AES.


  • DES: substitution and shifting, 56-bit key, 64-bit data block, fast, keys easy to generate
      DES encrypts mainly by substitution and shifting. It uses a 56-bit key to encrypt 64-bit binary data blocks; each 64-bit input block goes through 16 rounds. After a series of substitutions and shifts, the 64-bit input is transformed into a completely different 64-bit output. DES is fast and its keys are easy to produce, so it is suitable for software implementation on most current computers and for implementation on a dedicated chip.

  • 3DES (Triple DES): DES applied three times, using two 56-bit keys K1 and K2:
    encryption: K1 encrypt -> K2 decrypt -> K1 encrypt
    decryption: K1 decrypt -> K2 encrypt -> K1 decrypt

  • AES: Advanced Encryption Standard, the Rijndael cipher, a block encryption standard adopted by the US federal government to replace DES. Its requirement was to be "at least as secure as 3DES".
      AES is built on substitution and permutation operations: permutation rearranges the data, and substitution replaces one data unit with another. AES uses several different methods to perform these substitution and permutation operations.
      AES is an iterative, symmetric-key block cipher that can use 128-, 192- or 256-bit keys and encrypts and decrypts data in blocks of 128 bits (16 bytes).

  • RC-5: many products from RSA Data Security use RC-5.

  • IDEA: 128-bit key, 64-bit data block, stronger encryption than DES, relatively low demands on computing power, used in PGP.
      IDEA was developed on the basis of DES and is similar to triple DES. Its key is 128 bits, which should remain secure for years to come. Like DES, IDEA is a block cipher: it runs a series of encryption rounds, each using a subkey derived from the complete encryption key. The IDEA standard is used by the PGP (Pretty Good Privacy) system.


Asymmetric Encryption

Asymmetric encryption (also known as public key encryption): keys are used in pairs (the public key encrypts, the corresponding private key decrypts).
  Unlike symmetric algorithms, asymmetric encryption algorithms need two keys: a public key and a private key, which form a pair. Data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. Because encryption and decryption use two different keys, the algorithm is called asymmetric.

Features: asymmetric algorithms offer good confidentiality and remove the need for end users to exchange secret keys, but encryption and decryption are slow, so they are not suitable for encrypting whole files and are used only for small amounts of data.
Common asymmetric key encryption algorithms: RSA, ECC


Asymmetric encryption is used in two different modes (the original figure is not reproduced here):
  The basic process by which an asymmetric algorithm exchanges confidential information is: Party A generates a key pair and publishes one key as its public key; Party B, holding the public key, encrypts the confidential information with it and sends the ciphertext to Party A; Party A then decrypts it with the private key it has kept to itself. Only Party A's private key can decrypt information encrypted with Party A's public key.


  • RSA: 512-bit (or 1024-bit) key, heavy computation, hard to crack
      RSA is a public key encryption algorithm; it chooses the public and private keys as follows.
      (1) Choose two large primes p and q (greater than 10^100).
      (2) Let n = p × q and z = (p - 1) × (q - 1).
      (3) Choose d relatively prime to z.
      (4) Choose e such that e × d ≡ 1 (mod z).
      The plaintext P is divided into k-bit blocks, where k is the largest integer satisfying 2^k < n, so 0 ≤ P < n. Encryption computes C = P^e mod n, so the public key is (e, n). Decryption computes P = C^d mod n, so the private key is (d, n).
      For example, let p = 2, q = 11, n = 33, z = 20, d = 7, e = 3, so C = P^3 mod 33 and P = C^7 mod 33. For P = 2: C = 2^3 mod 33 = 8 mod 33 = 8, and P = 8^7 mod 33 = 2097152 mod 33 = 2.
      The security of RSA rests on the difficulty of factoring large integers. An attacker who could factor the known n into p and q would obtain z and then, using Euclid's algorithm, derive d from e and z. But factoring a 200-digit number is estimated to take 4 billion years, and a 500-digit number 10^25 years.

  • Elgamal : based on the Diffie-Hellman key exchange algorithm

  • ECC : Elliptic Curve Algorithm

  • Other asymmetric algorithms include: knapsack algorithm, Rabin, DH


Message Digest

One-way hash function: produces a fixed-length hash value.
  A hash function provides the following computation: given an input string of variable length, it returns a string of fixed length, called the hash value. A one-way hash function is used to generate message digests. The hash function solves two problems: within a given period of time it is infeasible to find the original message that produces a given hash value, and it is also infeasible to find two different messages that produce the same hash value. In this way, signature verification, user authentication and non-repudiation can be handled in digital signatures.
Message digest
  A message digest is a short description of a longer message or file; it can be viewed as a "digital fingerprint" of the file and is used to create digital signatures. For a given file, the message digest is unique. A message digest can be made public without revealing any content of the corresponding document.
  Commonly used message digest algorithms include MD5 and SHA. MD5 is widely used; MD5 and SHA produce hash values of 128 and 160 bits respectively. Because SHA uses a longer digest length, its security is higher than that of MD5.

The MD5 algorithm has the following characteristics:
(1) Compressibility : For any length of data, the length of the calculated MD5 value is fixed (128 bits).
(2) Easy calculation : It is easy to calculate the MD5 value from the original data.
(3) Anti-modification : Any modification to the original data, even if only one byte is modified, will result in a very different MD5 value.
(4) Strong anti-collision : Knowing the original data and its MD5 value, it is very difficult to find a data with the same MD5 value (ie forged data).


Digital Signature

A digital signature mainly goes through the following steps.
(1) The sender uses a one-way hash function to generate a message digest of the message.
(2) The sender signs the message digest with its own private key.
(3) The sender transmits the message itself together with the signed message digest.
(4) The receiver uses the same one-way hash function to generate a new digest of the received message, then verifies the signed digest with the sender's public key, confirming the sender's identity and whether the message has been modified.
[Figure: digital signature process]
Common digital signature algorithms: RSA, DSA, ECDSA (Elliptic Curve Digital Signature Algorithm).


Network Security Protocol

1. Layering of security protocols
[Figure: security protocol layering]

2. HTTPS is the combination of the HTTP protocol and the SSL protocol; its default port number is 443.
3. PGP is an e-mail security protocol.
4. SET is an e-commerce security protocol concerned with electronic transaction security.
5. SSH is a security protocol at the application layer, designed as a more reliable protocol for securing remote login sessions and other network services.


Network attacks

1. Five basic elements of information security
  • Confidentiality : Ensuring that information is not exposed to unauthorized entities or processes. (encryption)
  • Integrity : Only those who are allowed can modify the data, and can tell whether the data has been tampered with. (Summary)
  • Availability : Authorized entities can access data when needed, that is, attackers cannot occupy all resources and hinder the authorizer's work.
  • Controllability : It is possible to control the information flow and behavior within the scope of authorization. (User Rights Control)
  • Auditability : Provide the basis and means for investigating information security issues that arise. (audit)

2. Common attacks
  • Passive attack: mainly collects information and destroys confidentiality.
  • Active attack: the main categories are interruption (destroys availability), tampering (destroys integrity) and forgery (destroys authenticity).

Passive attacks:
  • Eavesdropping (network monitoring): using any available legal or illegal means to steal information resources and sensitive information in the system.
  • Traffic analysis: monitoring the system over a long period and using statistical methods to study parameters such as communication frequency, information flow and changes in total traffic, in order to discover valuable information and patterns.
  • Illegal login: some sources classify this as a passive attack.
Active attacks:
  • Impersonation: by deceiving the communication system (or its users), an illegal user pretends to be a legitimate user, or a low-privilege user pretends to be a high-privilege user. Most hacker attacks use impersonation.
  • Repudiation: an attack by a user, such as denying a message one has published or forging a letter from the other party.
  • Bypassing controls: the attacker exploits system security flaws or vulnerabilities to obtain unauthorized rights or privileges.
  • Replay attack: an intercepted copy of legitimate communication data is re-sent for illegal purposes.
  • Denial of Service (DoS): legitimate access to information or other resources is unconditionally blocked.


Common Defenses

(1) Firewall technology

[Figure: firewall technology]

(2) Vulnerability scanning

  Intruders can exploit system vulnerabilities to break into a system; system administrators can use vulnerability scanning to learn about the security problems in the system in time and take corresponding measures to improve its security.

(3) Intrusion detection (IDS)

  Classified by data source: the audit function, which records security logs. Classified by detection method: anomaly (abnormal behaviour) detection.


Computer Viruses and Trojan Horses

1. Naming of common viruses and Trojan horses
  • System virus (prefixes Win32, PE, W32; e.g. KCOM - Win32.KCOM)

  • Worm virus (e.g. Worm.BBeagle, Panda Burning Incense, Code Red, Love Bug)

  • Trojan and hacker viruses (e.g. QQ message-tail Trojan - Trojan.QQ3344)

  • Script virus (e.g. Code Red - Script.Redlof)

  • Macro virus (e.g. Melissa - Macro.Melissa)

  • Backdoor virus (e.g. Huigezi - Backdoor.Win32.Huigezi)

  • Dropper ("virus planter") virus (e.g. Ice Seeder - Dropper.BingHe2.2C)

  • Destructive program virus (e.g. Command Killer - Harm.Command.Killer)

  • Joke virus (e.g. Girl Ghost - Joke.Girlghost)

  • Binder virus (e.g. QQ binder - Binder.QQPass.QQBin)

2. Common virus classification

(1) File viruses infect executable files (including EXE and COM files).

(2) Boot-sector viruses infect the boot sector of a floppy disk or hard disk.

(3) Directory viruses modify the stored addresses of files on the hard disk.

(4) Macro viruses infect text documents, databases, spreadsheets and other files created by certain application programs.

3. The characteristics of the virus

The characteristics of computer viruses are concealment, infectivity, latency, triggerability and destructiveness.

  • Infectivity: a normal program does not forcibly attach its own code to other programs. Once a computer virus enters the computer and is executed, it searches for other programs or storage media that meet its infection conditions, and after choosing a target it inserts its own code into it, achieving self-reproduction.
  • Concealment: virus code is usually very short and is attached to a normal program, placed in a hidden location on the disk, or stored as a hidden file. Without code analysis the virus is hard to distinguish from a normal program, so its concealment is strong. Without protective measures, a virus that gains control of the system can infect a large number of programs in a short time, and the infected system usually still runs normally, so users notice nothing unusual.
  • Latency: most viruses do not act immediately after infecting a system but can hide in it for a long time; the payload (destruction) module is activated only when its specific conditions are met.
  • Destructiveness: any virus that enters a system affects the system and its applications to some degree: mild cases reduce efficiency and occupy resources, severe cases crash the system. When a virus breaks out, its continuous self-replication occupies most system resources, slowing the computer until users cannot work normally; in severe cases the whole system is paralysed beyond repair, causing losses.
  • Triggerability: after entering a system, a virus generally does not act immediately but hides in a program or on a disk until the triggering condition set by the virus author is met, for example a particular date or a particular operation. When the condition is satisfied, the virus executes automatically, replicating itself continuously and infecting other disks to damage the system.


Example Questions

AES is a () algorithm.

  • A. Public key encryption
  • B. Stream ciphers
  • C. Block encryption
  • D. Message Digest

[Examination question analysis]: AES is an iterative, symmetric key block cipher, which can use 128, 192 and 256-bit keys. And use 128-bit blocks to encrypt and decrypt data.


Among the following algorithms, the one that is not a public key encryption algorithm is ().

  • A. ECC
  • B. DSA
  • C. RSA
  • D. DES

[Examination question analysis]: Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms that require a pair of keys, one private and one public.
Common public key algorithms are RSA, ElGamal, the knapsack algorithm, Rabin (a special case of RSA), the public key algorithm in the Diffie-Hellman key exchange protocol, and elliptic curve cryptography (ECC). DSA digital signature (also called public key digital signature) encrypts the digest with the sender's private key, and the receiver can only decrypt it with the sender's public key; it also belongs to public key cryptography.
DES is a typical private key (symmetric) encryption system, not public key encryption, so the answer is option D.


DES is () algorithm.

  • A. Public key encryption
  • B. Shared Key Encryption
  • C. Digital signature
  • D. Certification

[Examination question analysis]: Asymmetric encryption is also called public key encryption, and shared key encryption refers to symmetric encryption. Common symmetric encryption algorithms are DES, triple DES, RC-5, IDEA and AES, so the answer is option B.


Algorithms that can be used for digital signatures are ( ).

  • A. RSA
  • B. IDEA
  • C. RC4
  • D. MD5

[Analysis of test questions]: IDEA algorithm and RC4 algorithm are both symmetric encryption algorithms, which can only be used for data encryption. The MD5 algorithm is a message digest algorithm, which can only be used to generate message digests and cannot be used for digital signatures.
The RSA algorithm is a typical asymmetric encryption algorithm, which mainly has the functions of digital signature and verification.


In the following statement about authentication and encryption, the error is ().

  • A. Encryption to ensure data confidentiality
  • B. Authentication is used to ensure the authenticity of the message sender and receiver
  • C. Both authentication and encryption can prevent passive attacks by adversaries
  • D. The purpose of identity authentication is to identify the legitimacy of users and prevent illegal users from accessing the system

[Examination question analysis]: Authentication generally includes account name/password authentication, authentication using digest algorithm, and authentication based on PKI.
Authentication can only prevent active attacks, not passive attacks. Statements A, B, and D are all correct, and option C is wrong. Therefore, the answer is option C.


In secure communication, S uses ( ) to digitally sign the sent information, and T can use ( ) to verify the authenticity of the message after receiving the message.

Question one
  • A. S's public key
  • B. S's private key
  • C. T's public key
  • D. T's private key
Question two
  • A. S's public key
  • B. S's private key
  • C. T's public key
  • D. T's private key

[Examination question analysis]: In digital signature technology the sender encrypts the digest with its private key and transmits it together with the original text. The receiver can only decrypt the encrypted digest with the sender's public key; it then hashes the received text to produce its own digest and compares the two. If they match, the received information is complete and was not modified in transit; otherwise it was modified. The digital signature therefore verifies the integrity of the information.
Signing is an encryption process and signature verification is a decryption process. This guarantees the integrity of the transmitted information, authenticates the sender's identity and prevents repudiation in transactions.


The purpose of using the message digest algorithm to generate a message digest is ().

  • A. Verify the identity of the communicating party to prevent counterfeiting
  • B. Encrypt the transmitted data to prevent data from being eavesdropped
  • C. Prevent sending statements denying that data has been sent
  • D. Prevent sent messages from being tampered with

[Examination question analysis]: The message digest is used to ensure data integrity. Once the transmitted data is modified, the digest is different. It is only necessary to compare the summaries twice to determine whether the data has been modified.


Users A and B need to communicate securely, and the communication process needs to confirm the identity of both parties and the non-repudiation of the message. When A and B communicate, () can be used to authenticate the user's identity; use () to ensure that the message is non-repudiable.

Question one
  • A. Digital certificates
  • B. Message encryption
  • C. User private key
  • D. Digital signature
Question two
  • A. Digital certificates
  • B. Message encryption
  • C. User private key
  • D. Digital signature

[Analysis of test questions]: The first blank concerns authenticating the user's identity, that is, verifying the digital signature, which requires the sender's public key. Of the four options, only option A, the digital certificate, can carry the sender's public key.
The second blank ensures the message is non-repudiable, that is, that the sender cannot deny its identity, so the sender's digital signature is used.


User B receives a message M with a digital signature from user A. In order to verify the authenticity of M, B first needs to obtain user A's digital certificate from the CA and use ( ) to verify the authenticity of the certificate, and then use ( ) to verify the authenticity of M.

Question one
  • A. The public key of the CA
  • B. B's private key
  • C. A's public key
  • D. B's public key
Question two
  • A. The public key of the CA
  • B. B's private key
  • C. A's public key
  • D. B's public key

[Explanation of test questions]: A digital certificate is a set of data that identifies the parties in Internet communication, much like a personal ID card in daily life. Digital certificates are issued by an authoritative certificate authority (CA). The simplest certificate contains a public key, a name and the digital signature of the certificate authority. The CA's signature is made with the CA's own private key, and the CA's public key is public, so anyone can use the CA's public key to verify that the certificate was issued by that CA, which verifies the certificate's authenticity.
Therefore, verifying the authenticity of user A's digital certificate requires the CA's public key. Because the message M was signed (encrypted) by A with A's private key, verifying it requires decrypting with A's public key; if that succeeds, M was signed by A with A's private key.


SQL is a database structured query language, and the primary target of SQL injection attacks is ().

  • A. Destroying Web Services
  • B. Stealing confidential information such as user passwords
  • C. Attack the user's browser to gain access
  • D. Obtain database permissions

[Examination question analysis]: SQL injection attack is to insert SQL commands into Web forms to submit or enter query strings for domain names or page requests, and finally trick the server into executing malicious SQL commands. Its primary purpose is to gain database access.


In the Kerberos system, replay attacks can be prevented by adding () to the message.

  • A. Session key
  • B. Timestamp
  • C. User ID
  • D. Private key

[Examination Analysis]: A replay attack (also called a playback attack or freshness attack) is one in which the attacker re-sends a packet that the destination host has already received, in order to deceive the system. It is used against the authentication process and destroys the correctness of authentication.
Kerberos uses a timestamp scheme to prevent replay attacks: each data packet sent carries a timestamp, and the server judges from the timestamp whether a packet is a replay, thereby preventing the attack.
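As an added example (not from the original notes), the Python below shows the server-side check that the timestamp scheme implies: a message is accepted only if its timestamp is close to the server clock and the same client/timestamp pair has not already been seen within that window. The five-minute skew tolerance, the client names and the timestamps are assumptions constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Assumed tolerance for clock skew between client and server; the notes give
# no value, so five minutes is taken here as a typical configuration.
MAX_SKEW = timedelta(minutes=5)


class ReplayDetector:
    """Freshness check for an authenticator that carries a timestamp.

    A message is accepted only if its timestamp lies within MAX_SKEW of the
    server clock AND the same (client, timestamp) pair has not been seen
    within that window. Entries older than the window are dropped, because a
    replay of them is already rejected by the skew check."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.seen = {}  # (client, timestamp) -> time when the entry expires

    def _purge(self, now):
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}

    def check(self, client, sent_at, now):
        """Return (accepted, reason) for a message from `client` stamped
        `sent_at`, evaluated at server time `now`."""
        self._purge(now)
        if abs(now - sent_at) > self.max_skew:
            return False, "timestamp outside acceptable skew"
        key = (client, sent_at)
        if key in self.seen:
            return False, "replay: same client and timestamp already seen"
        self.seen[key] = now + self.max_skew
        return True, "fresh"


def run_demo():
    """Constructed sequence: a fresh message, a replayed copy of it, an old
    captured message, and a later legitimate message from the same client.
    Returns the list of (accepted, reason) results in order."""
    det = ReplayDetector()
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    events = [  # (client, timestamp in message, server time on receipt)
        ("alice", t0, t0 + timedelta(seconds=1)),
        ("alice", t0, t0 + timedelta(seconds=30)),
        ("bob", t0 - timedelta(minutes=20), t0 + timedelta(seconds=31)),
        ("alice", t0 + timedelta(minutes=1), t0 + timedelta(minutes=1, seconds=2)),
    ]
    return [det.check(client, sent, now) for client, sent, now in events]


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print(accepted, reason)
```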


Among the following aggressive behaviors, which is a typical passive aggressive is ( ).

  • A. Denial of service attack
  • B. Session interception
  • C. System interference
  • D. Modify data command

[Examination Question Analysis]: Option A, denial of service (DoS): legitimate access to information or other resources is unconditionally blocked.
Option B, session interception: unauthorized use of an established session.
Option D, modifying data commands: intercepting and modifying data commands transmitted over the network.
A, B and D are active attacks.
Option C, system interference: the attacker gains access to the system and interferes with its normal operation; this is generally classified as a passive attack.


In order to attack the remote host, the () technology is usually used to detect the status of the remote host.

  • A. Virus killing
  • B. Port scanning
  • C. QQ chat
  • D. Authentication

[Explanation of test questions]: A port scanner probes the remote TCP/IP services on different ports and records the replies given by the target. In this way a lot of useful information about the target host can be collected.


The reason why the ARP attack makes the network unable to communicate across network segments is ().

  • A. Sending a large number of ARP packets causes network congestion
  • B. Fake gateway ARP packets so that data packets cannot be sent to the gateway
  • C. An ARP attack destroys the physical connectivity of the network
  • D. ARP attack destroys the gateway device

[Examination question analysis]: An ARP attack achieves ARP spoofing by forging IP and MAC address mappings. By forging gateway ARP packets, the attacker gets the victim to communicate with it instead of the real gateway, so the victim's data packets cannot reach the real gateway and the network cannot communicate across segments.


Among the following network attacks, which belongs to DoS attack is ().

  • A. Trojan horse attack
  • B. SYN flooding attack
  • C. Port spoofing attack
  • D. IP spoofing attack

[Examination question analysis]: DoS is the abbreviation of Denial of Service. Attack behaviour that causes DoS is called a DoS attack, and its purpose is to make a computer or network unable to provide normal service. The most common DoS attacks are attacks on network bandwidth and on connectivity.
A metaphor: a street restaurant serves the general public. If a gang of hooligans wants to "DoS" the restaurant, they can occupy the tables without paying, block the door, harass the waiters or cooks so they cannot work, or worse. A SYN flooding attack is the typical representative of DoS attacks. The attacker sends SYN packets with many random source host addresses to the destination router, but never responds to the SYN-ACK the router returns. The router therefore builds up a large queue of half-open connections for these source hosts and keeps maintaining them while waiting for ACKs that never arrive, consuming so many resources that it cannot serve normal requests and may even crash. The server must wait for a timeout before releasing the allocated resources.
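As an added defender-side example (not from the original notes), the Python below looks for the symptom the analysis describes, a large number of half-open (SYN-RECV) connections from many distinct source addresses on one listening socket, in a constructed socket-state listing. The listing format, the thresholds and the addresses (taken from documentation ranges) are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample in the style of a socket-state listing:
# <state> <local address:port> <peer address:port>
SAMPLE_SOCKETS = """\
SYN-RECV 10.0.0.5:80 203.0.113.7:40213
SYN-RECV 10.0.0.5:80 198.51.100.23:51122
SYN-RECV 10.0.0.5:80 192.0.2.88:33001
SYN-RECV 10.0.0.5:80 203.0.113.201:40990
SYN-RECV 10.0.0.5:80 198.51.100.9:52210
SYN-RECV 10.0.0.5:80 192.0.2.140:61004
SYN-RECV 10.0.0.5:443 203.0.113.50:41000
ESTAB 10.0.0.5:22 192.0.2.10:53321
ESTAB 10.0.0.5:80 198.51.100.77:44010
"""


def parse_sockets(text):
    """Parse the listing into (state, local_socket, peer_ip) tuples,
    skipping blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        state, local, peer = parts
        peer_ip = peer.rsplit(":", 1)[0]  # drop the ephemeral source port
        rows.append((state, local, peer_ip))
    return rows


def half_open_summary(rows):
    """Per local socket: (number of SYN-RECV entries, distinct peer IPs)."""
    counts = defaultdict(int)
    peers = defaultdict(set)
    for state, local, peer_ip in rows:
        if state == "SYN-RECV":
            counts[local] += 1
            peers[local].add(peer_ip)
    return {local: (counts[local], len(peers[local])) for local in counts}


def flag_syn_flood(rows, max_half_open=4, min_distinct_ratio=0.75):
    """Flag local sockets whose half-open backlog reaches max_half_open and
    whose peers are mostly distinct (the random source addresses the notes
    describe). Thresholds are assumed; tune them to the real listen backlog."""
    flagged = []
    for local, (n, distinct) in half_open_summary(rows).items():
        if n >= max_half_open and distinct / n >= min_distinct_ratio:
            flagged.append(local)
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse_sockets(SAMPLE_SOCKETS)
    print(half_open_summary(rows))   # {'10.0.0.5:80': (6, 6), '10.0.0.5:443': (1, 1)}
    print(flag_syn_flood(rows))      # ['10.0.0.5:80']
```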


In the following statement about denial of service attacks, the incorrect one is ().

  • A. The purpose of the denial of service attack is to make the computer or network unable to provide normal services
  • B. Denial of service attack is achieved by continuously sending requests to the computer
  • C. Denial of service attacks will cause leakage of user passwords
  • D. DDoS is a form of denial of service attack

[Explanation of test questions]: In a denial of service attack the attacker finds a way to make the target stop providing services or resource access; it is one of the attack methods commonly used by hackers. The resources include disk space, memory, processes and even network bandwidth, so that normal users are blocked. Consuming network bandwidth is only a small part of denial of service: anything that troubles the target, suspends some services or even crashes the host is a denial of service attack. The problem has not been satisfactorily solved because it stems from security defects in the network protocols themselves, which is why denial of service has become the attacker's last resort. A denial of service attack achieves two effects on the server: one is to force the server's buffer to be full and not receive new requests; connect. DDoS is the abbreviation of Distributed DoS and is also a form of denial of service attack. From the principle it can be seen that a DoS attack does not cause password disclosure.


The Stuxnet virus is malicious code that damages industrial infrastructure. It exploits system vulnerabilities to attack industrial control systems and is extremely harmful. Stuxnet is a ().

  • A. Boot sector virus
  • B. Macro virus
  • C. Trojan virus
  • D. Worms

[Analysis of test questions]: Stuxnet refers to a kind of worm virus. Its complexity is far beyond the ability of ordinary computer hackers. This Stuxnet virus was first detected in June 2010, and it is the first "worm" virus that specifically targets basic (energy) facilities in the real world, such as nuclear power plants, dams, and national power grids.
The A-option boot area virus damages the boot disk, file directory, etc. The B-option macro virus damages OFFICE files, and the C-option Trojan horse generally emphasizes control operations.


( ) is not a worm.

  • A. Panda Burning Incense
  • B. Code Red
  • C. Glacier
  • D. Lovebug virus

[Examination Question Analysis]: Panda Burning Incense is a worm that went through many variants. It was written on October 16, 2006 by Li Jun, a 25-year-old man from Xinzhou District, Wuhan, Hubei, China. It is a genuine virus with the ability to infect and propagate, and it ravaged the Internet in early January 2007. It spread mainly through downloaded files: infected files carried by users indirectly caused serious damage to programs and systems on other computers. In June 2013 the virus authors Zhang Shun and Li Jun were jailed again, this time for running an online casino with others.
Code Red was a new type of network virus in 2001. The techniques used in its propagation fully reflect the ingenious combination of network security and viruses in the Internet era: it integrates a network worm, a computer virus and a Trojan horse program into one and opened a new chapter in network virus transmission. It can be called an epoch-making virus.
Glacier is a Trojan horse.
On May 4, 2000 a computer virus named "I Love You" began to spread rapidly around the world. It was spread through the Microsoft Outlook email system as a message with the subject "ILOVEYOU" and an attachment. Once the attachment is opened in Microsoft Outlook, the system automatically copies the virus and sends it to every address in the address book. The "I Love You" virus, also known as the Love Bug, is a worm very similar to the 1999 Melissa virus. It is said that it can overwrite certain files on local and network hard drives. After a machine is infected, the mail system slows down and the entire network may crash.
Only Glacier is not a worm, so the answer is C.


In the following description about the Trojan horse program, the correct one is ().

  • A. Trojan horse programs are mainly spread through removable disks
  • B. The client of the Trojan horse program runs on the attacker's machine
  • C. The purpose of the Trojan horse program is to make the computer or network unable to provide normal services
  • D. Sniffer is a typical Trojan horse program

[Analysis of test questions]: Transmission methods of Trojan horses:
1. Through email attachments, program downloads and similar channels, so option A is wrong.
2. By disguising the login process of a web page, defrauding users of their information and spreading further.
3. By attacking system security holes; a large number of hackers use dedicated hacking tools to spread Trojan horses.
The danger of Trojan horse programs is that most of them have malicious intentions, such as occupying system resources, reducing computer performance, endangering the information security of the local machine (stealing QQ accounts, game accounts or even bank accounts) and using the local machine as a tool to attack other devices. Making a computer or network unable to provide normal services is the goal of a denial of service attack, not of a Trojan horse, so option C is wrong.
A sniffer is a tool for capturing TCP/IP, UDP, ICMP and other packets transmitted over the network. It can be used to analyze network application protocols, debug network programs, monitor data transmitted over the network and detect Trojan horse programs; it is not itself a Trojan horse, so option D is wrong.
Only option B is correct: the client of the Trojan horse runs on the attacker's machine and the server runs on the victim's machine.


In recent years various types of viruses have appeared in China; the () virus infects smartphones in the form of a Trojan horse.

  • A. happy hour
  • B. Panda Burning Incense
  • C. X Undercover
  • D. PLACE

[Explanation of test questions]: X Undercover is monitoring software installed on mobile phones; it infects smartphones as a Trojan horse. The answer is C.


Malicious code that establishes a connection from inside the network to an external host, is controlled by that external host and steals user information is ().

  • A. Trojan horse
  • B. Worms
  • C. Macro virus
  • D. CIH virus

[Explanation of test questions]: A Trojan horse is a malicious program that hides itself and can be controlled over a remote network. It allows the controller to command all resources and behaviour of the computer into which the Trojan has been secretly implanted; the connection initiated from the internal host to the external controller is characteristic of it, so the answer is A.
A worm is a common type of virus that uses the network to replicate and spread. Historically, when such a virus broke out, a worm-like figure appeared on the screen devouring the letters on it and reshaping them.
A macro virus is a virus that resides in the macros of a document or template. Once such a document is opened the macros in it execute, the macro virus is activated, copies itself onto the computer and takes up residence in the Normal template.
The CIH virus is a vicious virus that can damage computer hardware, sometimes corrupting the computer's BIOS.


Macro viruses generally infect files with () extensions.

  • A. EXE
  • B. COM
  • C. DOC
  • D. DLL

[Analysis of test questions]: A macro virus is a script virus. Its most important characteristic is that it is stored in the macros of a document or template. Macro viruses mainly infect Word and Excel documents and take up residence in the Normal template. Virus names of this type carry the prefix Macro, followed by a second prefix of Word or Excel, for example Macro.Word.WhiteScreen or Melissa (Macro.Melissa).
Among the four extensions offered, DOC generally denotes a Word document, so it is the one that is easily infected by macro viruses. The answer is C.


The anti-virus software reports that the virus Macro.Melissa has been found. From the virus name it can be inferred that the virus type is () and that the main infection target of this type of virus is ().

Question one
  • A. File type
  • B. Boot-sector type
  • C. Directory type
  • D. Macro virus
question two
  • A. EXE or COM executable file
  • B. Word or Excel file
  • C. DLL system file
  • D. Disk boot sector

[Explanation of test questions]: There are many ways to classify computer viruses. By the most common criterion, the way of infection and the technology used, computer viruses are divided into file viruses, boot-sector viruses, macro viruses and directory viruses.
File viruses infect executable files (including EXE and COM files).
Boot-sector viruses infect the boot sector of a floppy disk or hard disk.
Directory viruses modify the addresses of files stored on the hard disk.
Macro viruses infect text documents, databases, spreadsheets and other files created by particular applications. The name Macro.Melissa shows that it is a macro virus, so the answers to the two blanks are D and B.


A computer infected with the "Panda Burning Incense" virus will not show ().

  • A. The icon of the executable file changes to Panda Burning Incense
  • B. User information is leaked
  • C. The system runs slower
  • D. Damage to the computer motherboard

[Examination Question Analysis]: Panda Burning Incense is an infectious worm. It infects exe, pif, src, html and asp files in the system (among others), terminates a large number of anti-virus software processes and deletes files with the gho extension, which are backup files created by the system backup tool GHOST, so the user's system backups are lost.
Every .exe executable in an infected system has its icon changed to a panda holding three sticks of incense. The virus does not damage hardware, so the answer is D.


Polymorphic virus refers to ( ) computer virus.

  • A. Can hide itself from antivirus detection
  • B. Each infection changes itself
  • C. Can be disseminated through different channels
  • D. Can cause different damage according to different environments

【Explanation of test questions】: A polymorphic virus is a relatively advanced virus that changes its own code after each infection, so that a fixed byte signature cannot match all of its copies. The answer is B.
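To make "changes itself after each infection" concrete, here is an added model that is not part of the original exam material: a constructed text body (no real malware) is XOR-encoded with a different key on every copy and prefixed with a constant decryptor stub. The names PAYLOAD, STUB and KEYS are assumptions of this model; real polymorphic engines also mutate the stub, which is precisely what the demonstration shows a scanner would then lose.

```python
"""Why a fixed byte signature misses a polymorphic virus (added illustration)."""

# Constructed stand-in for a virus body: plain text, not executable code.
PAYLOAD = b"BODY:propagate();infect_next_host();"
# Decryptor stub that every copy carries unchanged (an assumption of this model;
# real polymorphic engines also mutate the stub).
STUB = b"STUB_DECODER"
KEYS = (0x21, 0x5A, 0x7E, 0x03, 0xC4)  # one key per simulated infection


def make_variant(payload: bytes, key: int) -> bytes:
    """One 'infection': constant stub, the key byte, then the XOR-encoded body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte, otherwise the body stays in clear")
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def decode_variant(variant: bytes) -> bytes:
    """What the stub does at run time: read the key and restore the body."""
    key = variant[len(STUB)]
    return bytes(b ^ key for b in variant[len(STUB) + 1:])


def signature_match(sample: bytes, signature: bytes) -> bool:
    """The naive scanner: a fixed byte string either occurs in the sample or not."""
    return signature in sample


def demo(keys=KEYS):
    """Return (body-signature hits, stub-signature hits, all copies decode correctly)."""
    variants = [make_variant(PAYLOAD, k) for k in keys]
    body_signature = PAYLOAD[:12]          # a signature taken from the plain body
    hits_body = sum(signature_match(v, body_signature) for v in variants)
    hits_stub = sum(signature_match(v, STUB) for v in variants)
    intact = all(decode_variant(v) == PAYLOAD for v in variants)
    return hits_body, hits_stub, intact


if __name__ == "__main__":
    print(demo())
```

Every copy decodes to the same body, yet the body signature matches none of them; only the unchanged stub is still detectable, which is why anti-virus engines resort to emulation or behaviour-based detection once the stub is mutated as well.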


A typical phenomenon after a computer is infected with a Trojan horse is ( ).

  • A. The program exits abnormally
  • B. An unknown program is trying to establish a network connection
  • C. Mailbox filled with spam
  • D. Windows system black screen

[Explanation of test questions]: A Trojan horse is malware delivered over the network. It consists of two parts, a client and a server: the server runs on the infected computer and the client on the attacker's machine. The typical sign of a Trojan horse is that an unknown program tries to establish a network connection. The answer is B.
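The symptom named in this answer, and the internal-to-external control connection of the earlier question, can both be checked with the same host-side logic. The following Python script is an added example, not part of the original material: it reads constructed netstat -ano style lines (with the owning process name appended), treats the listed private ranges as internal (an assumption), and flags connections to external hosts from processes that are not on an assumed allowlist.

```python
"""Flag outbound connections from unexpected processes (added example, constructed data)."""
import ipaddress

# Assumed baseline of processes expected to talk to the Internet on this host.
ALLOWED_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe"}
# Address ranges treated as internal (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the shape of `netstat -ano` output plus the owning process name.
SAMPLE = """\
TCP 10.0.0.12:51234 192.0.2.80:443 ESTABLISHED 4120 chrome.exe
TCP 10.0.0.12:51240 10.0.0.1:445 ESTABLISHED 4 System
TCP 10.0.0.12:51301 203.0.113.45:4444 ESTABLISHED 7788 svchost32.exe
TCP 10.0.0.12:51302 198.51.100.10:8080 SYN_SENT 7788 svchost32.exe
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 980 svchost.exe
"""


def parse_connections(text):
    """Return one dict per TCP line: local, remote_ip, remote_port, state, pid, process."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "TCP":
            continue
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        rows.append({"local": parts[1], "remote_ip": remote_ip,
                     "remote_port": int(remote_port), "state": parts[3],
                     "pid": int(parts[4]), "process": parts[5]})
    return rows


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_outbound(rows, allowed=ALLOWED_PROCESSES):
    """Connections (established or being opened) to external hosts by unlisted processes."""
    findings = []
    for r in rows:
        if r["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue          # listeners and closed sockets are not outbound traffic
        if is_internal(r["remote_ip"]):
            continue          # internal peers are out of scope for this check
        if r["process"].lower() in allowed:
            continue
        findings.append({"process": r["process"], "pid": r["pid"],
                         "remote": f'{r["remote_ip"]}:{r["remote_port"]}',
                         "state": r["state"]})
    return findings


if __name__ == "__main__":
    for f in suspicious_outbound(parse_connections(SAMPLE)):
        print(f)
```

The constructed svchost32.exe entry shows why a name-based allowlist is only a first pass: a Trojan that names itself after a system process slips through, so in practice the check is keyed on the executable's path and hash rather than its name.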


Which of the following cannot be used for remote login or control is ().

  • A. IGMP
  • B. SSH
  • C. Telnet
  • D. RFB

[Examination question analysis]: IGMP is the network-layer multicast group management protocol and cannot provide application-layer remote login, so the answer is A.
SSH is a security protocol built on the application layer, designed to provide security for remote login sessions and other network services; it is more reliable than Telnet.
Telnet is a member of the TCP/IP protocol family and the standard protocol and main method of the Internet remote login service. It lets a user work on a remote host from the local computer: the telnet program on the end user's computer connects to the server, with everything sent in plaintext.
RFB (Remote Frame Buffer) is a simple protocol for remote access to graphical user interfaces. Because it works at the frame buffer level, it applies to all window systems and applications.


Usually use () to encrypt IP data packets.

  • A. IPSec
  • B. PPTP
  • C. HTTPS
  • D. TLS

[Explanation of test questions]: Option A: IPSec works at the network layer and encrypts IP datagrams, so the answer is A.
Option B: PPTP works at the data link layer, tunnelling PPP frames for link-level encryption.
Option C: HTTPS is HTTP combined with SSL/TLS and encrypts data above the transport layer.
Option D: TLS, the Transport Layer Security protocol, provides confidentiality and data integrity between two communicating applications.


Among the following protocols, the one that belongs to the secure remote login protocol is ().

  • A. TLS
  • B. TCP
  • C. SSH
  • D. TFTP

[Explanation of test questions]: Option A: TLS provides confidentiality and data integrity between two communicating applications but is not itself a login protocol.
Option B: TCP is a reliable transport-layer protocol and provides no security by itself.
Option C: SSH is the abbreviation of Secure Shell, specified by the Network Working Group of the IETF. SSH is a security protocol built on the application and transport layers and is currently the most reliable protocol designed to provide security for remote login sessions and other network services; using SSH effectively prevents information leakage during remote management. Choose option C.
Option D: TFTP (Trivial File Transfer Protocol) is a protocol in the TCP/IP family used for simple file transfer between a client and a server, providing uncomplicated, low-cost file transfer.


Among the following protocols, the one that has nothing to do with e-mail security is ().

  • A. SSL
  • B. HTTPS
  • C. MIME
  • D. PGP

[Examination Question Analysis]: MIME (Multipurpose Internet Mail Extensions) extends the e-mail standard so that it can carry multimedia content and has nothing to do with security; its secure counterpart is S/MIME (Secure Multipurpose Internet Mail Extensions). The answer is C.
Option A, SSL, and option B, HTTPS, protect the mail transport path; option D, PGP (Pretty Good Privacy), is a set of applications for encrypting and authenticating information and can be used to encrypt email content.


The network administrator manages the router through the command line, and needs to ensure the confidentiality of the ID, password and session content. The access method should be ().

  • A. Console
  • B. AUX
  • C. TELNET
  • D. SSH

[Examination question analysis]: SSH is the abbreviation of Secure Shell, specified by the Network Working Group of the IETF. SSH is a security protocol built on the application layer and is currently the most reliable protocol designed to provide security for remote login sessions and other network services; using SSH effectively prevents information leakage during remote management. Console and AUX are local serial ports, and Telnet sends the ID, password and session in plaintext, so the answer is D.


Compared with HTTP, the HTTPS protocol encrypts the transmitted content, which is more secure. HTTPS is based on () security protocol, and its default port is ().

Question one
  • A. RSA
  • B. DES
  • C. SSL
  • D. SSH
question two
  • A. 1023
  • B. 443
  • C. 80
  • D. 8080

[Analysis of test questions]: 1. HTTPS is HTTP over SSL (Secure Sockets Layer), whose successor is TLS; the answer is C.
2. HTTP uses port 80 and the default port of HTTPS is 443, so the answer is B. Be careful to distinguish the two.


The ( ) protocol establishes a secure connection between an end device and a remote site.

  • A. ARP
  • B. Telnet
  • C. SSH
  • D. WEP

[Examination question analysis]: SSH is the abbreviation of Secure Shell, specified by the Network Working Group of the IETF. SSH is a security protocol built on the application and transport layers and is currently the most reliable protocol designed to provide security for remote login sessions and other network services; using SSH effectively prevents information leakage during remote management. ARP resolves addresses, Telnet is plaintext and WEP is a (broken) wireless link cipher, so the answer is C.


The security authentication protocol in PPP is (), which uses the session process of three-way handshake to transmit ciphertext.

  • A. MD5
  • B. PAP
  • C. CHAP
  • D. HASH

[Analysis of test questions]:
1. Background on PPP
(1) The NCP of PPP can carry layer 3 packets of various protocols.
(2) PPP uses LCP to negotiate and control link parameters (establishment, authentication, compression, callback).
2. PPP authentication types
(1) PAP authenticates with a two-way handshake; the user name and password are sent in plaintext.
(2) CHAP (Challenge Handshake Authentication Protocol) authenticates with a three-way handshake (challenge, response, success/failure); the peer returns an MD5 hash of the identifier, the shared secret and the challenge, so the secret itself never crosses the link. The answer is C.
(3) Bidirectional authentication in PPP mainly uses CHAP.
(4) Reinforced authentication in PPP uses both PAP and CHAP together.


Among the following security protocols, the one closest to TLS is ( ).

  • A. PGP
  • B. SSL
  • C. HTTPS
  • D. IPSec

[Examination Question Analysis]:
TLS is the abbreviation of Transport Layer Security, a protocol that provides confidentiality and data integrity between two communicating applications.
SSL is the abbreviation of Secure Sockets Layer. It is also a protocol that provides security and data integrity for network communication and is the direct predecessor of TLS; both encrypt the connection at the transport layer, so the answer is B.
PGP is email encryption software based on the RSA public key system; it keeps email confidential so that unauthorized persons cannot read it.
HTTPS is the secure version of HTTP (Hypertext Transfer Protocol): it inserts an SSL/TLS layer under HTTP, and the security of HTTPS rests on that layer.
IPSec is a security protocol at the network layer that provides confidential and secure communication through encrypted security services.


A firewall is usually divided into three areas: intranet, extranet, and DMZ. According to the degree of protection, the correct order from low to high is ().

  • A. Intranet, Extranet and DMZ
  • B. Extranet, DMZ and Intranet
  • C. DMZ, intranet and extranet
  • D. Intranet, DMZ and extranet

[Explanation of test questions]: In a LAN connected through a router, the network can be divided into three zones: the LAN zone (intranet), which has the highest security level; the DMZ, with a medium security level; and the Internet zone (extranet), with the lowest security level. Because of their different roles the three zones have different access policies; when a network with a DMZ is configured, access control policies are defined between the zones so that the DMZ acts as a barrier in front of the intranet. From low to high the order is extranet, DMZ, intranet, so the answer is B.


The packet filtering firewall checks the () data packets.

  • A. Application layer
  • B. Physical layer
  • C. Network layer
  • D. Link layer

[Explanation of test questions]: A packet filtering firewall makes its decision from the headers of each packet: the source and destination IP addresses in the network-layer (IP) header, together with the protocol and port numbers of the transport header. It does not look at application-layer content, so it inspects network-layer packets; the answer is C.


() The firewall is the isolation point between the internal network and the external network, and it can monitor and filter the communication data flow of the application layer.

  • A. Packet filtering
  • B. Application level gateway
  • C. Database
  • D. Web

[Examination question analysis]: Packet filtering firewall: a packet filtering firewall has a packet inspection module (usually called the packet filter). Based on the fields in the packet headers it can control access between site and site, site and network, and network and network, but it cannot control the content of the transmitted data, because that content is application-layer data while the packet filter sits between the network layer and the data link layer; it does not meet the requirement of this question.
Application-level gateway firewall: an application proxy gateway completely isolates direct communication between the internal and external networks. An internal user's access to the external network becomes the firewall's access to the external network, and the result is forwarded by the firewall to the internal user. All communication is relayed by the application-layer proxy software, which can therefore monitor and filter the application-layer data flow; the answer is B.
Database firewall: database firewall technology is an active database security defence that emerged to meet the protection needs of relational databases. It is deployed between the application server and the database and does not meet the requirement of this question.
Web firewall: a web application firewall is a kind of intrusion detection and intrusion prevention system. In the broad sense it is an application-level comprehensive solution for website security, somewhat different from the firewall concept discussed here, and does not meet the requirement of this question.


The firewall does not have the () function.

  • A. Documenting the access process
  • B. Virus checking
  • C. Packet filtering
  • D. Proxy

[Explanation of test questions]: A network firewall is software (or a device) positioned between a computer and the network it is connected to; all network traffic to and from the computer passes through it. The firewall inspects the traffic passing through it and can filter out some attacks before they reach the target computer. It can close unused ports, forbid outgoing communication on specific ports to block Trojan horses, and block access from particular sites, thereby stopping all communication from unknown intruders.
The functions of a firewall include access control; management and control of IP addresses, ports, users and time based on stateful inspection; bidirectional NAT, providing IP address translation and IP and TCP/UDP port mapping, which realizes IP multiplexing and hides the network structure; proxying; and logging of the access process. Virus checking is not a firewall function, so the answer is B.


In the network system, () is usually placed in the DMZ area.

  • A. Network management server
  • B. Web server
  • C. Intrusion Detection Server
  • D. Financial Management Server

[Analysis of test questions]: DMZ is the abbreviation of "demilitarized zone" in English, and the Chinese name is "isolation zone", also known as "demilitarized zone". It is to solve the problem that the external network cannot access the internal network server after the firewall is installed, and a buffer between the non-secure system and the secure system is set up. This buffer is located in the small network area between the internal network and the external network of the enterprise. In this small network area, some server facilities that must be disclosed can be placed, such as corporate Web servers, FTP servers, and forums. On the other hand, through such a DMZ area, the internal network is more effectively protected, because this kind of network deployment has one more checkpoint for attackers than the general firewall solution.


In the following description about packet filtering firewall and proxy service firewall, the correct one is ().

  • A. The implementation cost of packet filtering technology is high, so the security performance is high
  • B. Packet filtering technology is transparent to applications and users
  • C. Proxy service technology has high security and can improve the overall performance of the network
  • D. Proxy service technology can only be configured to establish a connection after user authentication

[Examination question analysis]: A packet filtering firewall works at the IP layer of the network protocol stack. It processes only the source address, destination address and corresponding ports of IP packets, so it is fast and can handle many concurrent connections, but it is powerless against attacks carried in higher-layer protocols. The cost of packet filtering has no causal relationship with its security, and applications and users do not need to be aware of the filtering process, so the technology is transparent to applications and users; the answer is B.
A proxy server firewall reassembles the received IP packets into high-level protocol data, such as HTTP connection information, so it can intercept attacks based on high-level protocols. Its disadvantage is that processing is relatively slow and it handles fewer concurrent connections, so it cannot improve the overall performance of the network; the proxy can be configured to require user authentication, but this is optional rather than the only possible configuration.


The working level of the firewall is the main factor that determines the efficiency and security of the firewall. In the following description, the correct one is ().

  • A. The lower the working level of the firewall, the higher the work efficiency and the higher the security
  • B. The lower the working level of the firewall, the lower the work efficiency and the lower the security
  • C. The higher the working level of the firewall, the higher the work efficiency and the lower the security
  • D. The higher the working level of the firewall, the lower the work efficiency and the higher the security

[Analysis of test questions]: The lower the layer at which a firewall works, the higher its efficiency and the lower its security; the higher the layer, the lower its efficiency and the higher its security. The answer is D.


The basis on which a packet filtering firewall filters packets does not include ().

  • A. Source IP address
  • B. Source port number
  • C. MAC address
  • D. Destination IP address

[Examination question analysis]: Packet filtering firewalls filter packets based on the source IP address, source port number, destination IP address, destination port number and protocol type. The MAC address is a data link layer field that the packet filter does not use, so the answer is C.
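The three-zone policy, the header fields a packet filter uses and the fact that it never sees application content, all from the firewall questions above, are brought together in the following Python example, which is added here and is not part of the original material. The address plan (10.0.0.0/8 as intranet, 192.168.100.0/24 as DMZ, everything else extranet) and the rule set are assumptions; the packets are constructed with documentation addresses.

```python
"""A first-match packet filter over the three firewall zones (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan: intranet, DMZ, and everything else is the extranet.
INTRANET = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.168.100.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset] = None   # None means any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""                 # never consulted by the filter


# Policy assumed for the example (first match wins, default deny):
RULES = [
    Rule("allow", "tcp", ANY, DMZ, frozenset({80, 443})),  # anyone may reach the DMZ web server
    Rule("allow", "any", INTRANET, ANY),                    # intranet may initiate to DMZ and extranet
    Rule("deny", "any", DMZ, INTRANET),                     # DMZ hosts may not reach into the intranet
]


def zone(ip_text):
    ip = ipaddress.ip_address(ip_text)
    if ip in INTRANET:
        return "intranet"
    if ip in DMZ:
        return "dmz"
    return "extranet"


def evaluate(rules, pkt):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dports is not None and pkt.dport not in r.dports:
            continue
        return r.action
    return "deny"


# Constructed test packets (documentation addresses, not real traffic).
PACKETS = [
    Packet("tcp", "203.0.113.9", "192.168.100.10", 443),      # extranet -> DMZ web
    Packet("tcp", "203.0.113.9", "10.1.1.5", 445),             # extranet -> intranet
    Packet("tcp", "10.1.1.5", "203.0.113.9", 80),              # intranet -> extranet
    Packet("tcp", "192.168.100.10", "10.1.1.5", 3306),         # DMZ -> intranet database
    Packet("tcp", "10.1.1.5", "192.168.100.10", 22),           # intranet -> DMZ admin
    Packet("tcp", "203.0.113.9", "192.168.100.10", 80,
           b"GET /item?id=1' OR '1'='1 HTTP/1.1"),             # attack inside an allowed flow
]


def run_demo(packets=PACKETS, rules=RULES):
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(PACKETS, run_demo()):
        print(zone(p.src), "->", zone(p.dst), p.dport, verdict)
```

The last packet is the point of the exercise: its SQL injection payload rides an allowed extranet-to-DMZ web flow and the filter passes it, because the decision is taken on addresses, protocol and ports alone. Stopping it is the job of the application-level gateway (or web application firewall) of the next questions.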


All resources can only be modified by authorized parties or in authorized ways, that is, the property that information cannot be changed without authorization refers to ( ).

  • A. Integrity
  • B. Availability
  • C. Confidentiality
  • D. Non-repudiation

[Analysis of test questions]: Confidentiality means that data cannot be read by unauthorized persons during transmission; integrity means that data cannot be illegally tampered with during transmission, and since this question concerns only modification it is about integrity; authenticity (non-repudiation) refers to confirming the identity of the sender of the information or of the relevant subject in the system, so that the information can be trusted; availability means that authorized users can reach the service and the data when they need them. The correct answer is option A.


In network security management, the strategies that can be adopted to strengthen internal defense and internal control are ().

① Control the number of terminal access

②Terminal access authorization to prevent unauthorized access by legitimate terminals

③Strengthen terminal security inspection and policy management

④Strengthen the management of employees' online behavior and the audit of violations

  • A. ②③
  • B. ②④
  • C. ①②③④
  • D. ②③④

[Analysis of test questions]: Strengthening internal defence and internal control is achieved mainly through the combined use of access authorization, security policy, security inspection and behaviour auditing. The number of terminal accesses affects the scale of the network and the performance of data exchange; it is not the focus of internal defence and control. The answer is D.


In the IE browser, the zone with the highest security level is ().

  • A. Internet
  • B. Local Intranet
  • C. Trusted sites
  • D. Restricted Sites

[Examination question analysis]: In the IE browser the zone setting with the highest security level is Restricted Sites; the answer is D.
The Internet zone applies to Internet websites that are not listed in the Trusted or Restricted zones; the Local Intranet zone applies to all websites found on the intranet; the Trusted Sites zone applies to websites you trust; the Restricted Sites zone is set to the highest security level, for websites that could damage your computer or files.


Network security system design can be carried out from the aspects of physical line security, network security, system security, and application security. Among them, database disaster recovery belongs to ().

  • A. Physical Line Security and Network Security
  • B. Physical Line Security and Application Security
  • C. System security and network security
  • D. System Security and Application Security

[Explanation of test questions]: Network security system design is an important part of the logical design work, and database disaster recovery belongs to the category of system security and application security, so the answer is D.


Security requirements can be divided into physical line security, network security, system security and application security. Among the following security requirements, those belonging to system security are (), and those belonging to application security are ().

Question one
  • A. Computer room security
  • B. Intrusion Detection
  • C. Vulnerability patch management
  • D. Database Security
question two
  • A. Computer room security
  • B. Intrusion Detection
  • C. Vulnerability patch management
  • D. Database Security

[Explanation of test questions]: Computer room security belongs to physical security, intrusion detection to network security, vulnerability patch management to system security and database security to application security, so the answers are C and D.
Hierarchical division of the security system:
(1) Physical environment security. This covers the security of communication lines, physical equipment and computer rooms. Security at the physical layer is mainly reflected in the reliability of communication lines (line backup, network management software and transmission media), the security of software and hardware equipment (replacing, dismantling and adding equipment), equipment backup, disaster prevention capability, anti-interference capability, the equipment operating environment (temperature, humidity, smoke) and uninterruptible power supply protection.
(2) Operating system security. This shows in three aspects: insecurity caused by defects of the operating system itself, mainly identity authentication, access control and system vulnerabilities; the security configuration of the operating system; and the threat that viruses pose to the operating system.
(3) Network security. Security issues at the network layer concern the security of the computer network itself, including network-layer identity authentication, access control for network resources, confidentiality and integrity of data transmission, security of remote access, domain name system security, routing system security, intrusion detection and anti-virus measures for network facilities.
(4) Application security. This arises from the security of the application software and data that provide services, including Web services, email systems and DNS; the threat that viruses pose to the system is included here too.
(5) Management security. This includes the management of security technology and equipment, the security management system, and the organizational rules for departments and personnel. The institutionalization of management greatly affects the security of the entire computer network: a strict security management system, a clear division of departmental security responsibilities and a reasonable allocation of personnel roles can greatly reduce security vulnerabilities at the other levels.


When users use online banking to pay on e-commerce websites, they must exchange data between the Internet and the bank's private network through ().

  • A. Payment gateway
  • B. Antivirus Gateway
  • C. Egress router
  • D. Bastion host

[Explanation of test questions]: When users pay on an e-commerce site with online banking, data between the Internet and the bank's private network must pass through the payment gateway, so the answer is A.
A. Payment gateway: the interface between the bank's financial network and the Internet. It is a set of servers operated by the bank (or by a designated third party) that converts data transmitted over the Internet into the financial institution's internal data and handles merchants' payment information and customers' payment instructions.
B. Anti-virus gateway: a network device that protects the security of data entering and leaving a network (usually a LAN). Its functions are mainly virus removal, keyword filtering (e.g. pornographic or politically sensitive content) and spam blocking; some devices also provide certain firewall functions such as VLAN division. Gateway-level anti-virus software is required where the network is connected to the Internet.
C. Egress router: generally the router from the LAN to the external network, or the router by which an enterprise, community, organization, metropolitan area network, provincial network or national network connects directly to the outside. Acting as a gateway between networks, it is a dedicated intelligent device that reads the address in each packet and decides how to forward it.
D. Bastion host: a hardened computer able to withstand attacks. It serves as the checkpoint for entering the internal network, so that the security of the whole network is concentrated on one host and the effort of securing every other host is saved.


Among the following strategies, the one that can effectively prevent and control computer viruses is ( ).

  • A. Deploy a firewall
  • B. Deploy an intrusion detection system
  • C. Install and update antivirus software in time
  • D. Back up data files regularly

[Examination Question Analysis]: Deploying a firewall: firewall technology combines software and hardware devices to build a relatively isolated protective barrier between the internal and external networks for security management and screening, protecting user data and information; it cannot effectively prevent viruses.
Deploying an intrusion detection system: an intrusion detection system (IDS) is a network security device that monitors network transmissions in real time and raises an alarm or takes active response measures when suspicious traffic is found. It is an advanced monitoring technology for network transmissions and cannot effectively prevent viruses.
Installing and updating anti-virus software in time: anti-virus software is aimed at viruses themselves and is the most effective and direct way to prevent them, so the answer is C.
Regularly backing up data files: data backup is the basis of disaster recovery. To prevent data loss caused by operator error or system failure, all or part of the data on the application host's disks or arrays is copied to other storage media; this guards against loss of system data but cannot effectively prevent viruses.


( ) is not an intrusion detection technology.

  • A. Expert system
  • B. Model checking
  • C. Simple matching
  • D. Vulnerability Scanning

[Explanation of test question]: Expert systems, model checking and simple (pattern) matching are all analysis techniques used inside intrusion detection systems to decide whether observed traffic or log data is an attack. Vulnerability scanning is a different security protection measure: it actively probes a target for known weaknesses before an attack happens rather than detecting attacks in progress, so D is the answer.
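To make the distinction concrete, here is an added example (it is not part of the original article) of two of the detection techniques named in the options, run over a few constructed log lines: simple matching with a small signature list, and a stateful threshold rule of the kind an expert-system IDS encodes (three failed logins from one source inside a 60-second window flag a brute-force attempt). Vulnerability scanning has no place in this loop, because it probes a target rather than watching traffic or logs. The log format, the signatures and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format "<date> <time> <source-ip> <message>" (assumed, not a real product's format).
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<msg>.*)$")

# Simple matching: a small signature list (constructed; not a real IDS ruleset).
SIGNATURES = {
    "web-sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+'1'\s*=\s*'1)"),
    "web-traversal": re.compile(r"\.\./\.\./"),
    "web-cmdinj": re.compile(r";\s*(cat|wget|curl)\s+"),
}


def parse(line):
    """Turn one log line into an event dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "msg": m["msg"]}


def match_signatures(event):
    """Simple match: one alert per signature whose pattern occurs in the message."""
    return [(name, event["src"]) for name, rx in SIGNATURES.items() if rx.search(event["msg"])]


class BruteForceRule:
    """Stateful rule of the kind an expert-system IDS encodes: N failed logins
    from one source inside a sliding window means a brute-force attempt."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.fired = set()                   # sources already reported once

    def feed(self, event):
        if "FAILED LOGIN" not in event["msg"]:
            return []
        recent = self.failures[event["src"]]
        recent.append(event["ts"])
        while recent and event["ts"] - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.threshold and event["src"] not in self.fired:
            self.fired.add(event["src"])
            return [("ssh-bruteforce", event["src"])]
        return []


def detect(lines):
    """Run both techniques over a log stream; return (alert name, source) pairs in order."""
    rule = BruteForceRule()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue                         # unparsable line: skip, do not crash the sensor
        alerts.extend(match_signatures(event))
        alerts.extend(rule.feed(event))
    return alerts


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    "2024-05-01 10:00:01 10.0.0.5 GET /index.php?id=1 200",
    "2024-05-01 10:00:02 10.0.0.5 GET /index.php?id=1' OR '1'='1 500",
    "2024-05-01 10:00:03 203.0.113.9 FAILED LOGIN user=root",
    "2024-05-01 10:00:10 203.0.113.9 FAILED LOGIN user=admin",
    "2024-05-01 10:00:20 203.0.113.9 FAILED LOGIN user=oracle",
    "2024-05-01 10:00:30 198.51.100.7 GET /download?file=../../../../etc/passwd 200",
    "2024-05-01 10:05:00 203.0.113.9 FAILED LOGIN user=test",
    "not a log line",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The last failed login from 203.0.113.9 falls outside the 60-second window and the source was already reported, so it produces no second alert; that pruning step is what keeps a threshold rule from firing on slow, legitimate typos over a whole day.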


Use () to obtain information about whether a writable directory exists in an FTP server.

  • A. Firewall system
  • B. Vulnerability scanning system
  • C. Intrusion Detection System
  • D. Virus defense system

[Explanation of test question]: A firewall is a set of components located between two (or more) networks that implements inter-network access control; it is a filtering and blocking mechanism established on the boundary between the internal and external networks. The main functions of a firewall are: filtering out unsafe services and illegal users; controlling access to special sites; and providing a convenient point for monitoring Internet security and giving early warning.
A vulnerability scanning system detects the security vulnerabilities of specified remote or local computer systems by scanning them against a vulnerability database and discovers exploitable weaknesses. With a vulnerability scanning system you can find out whether an FTP server has a writable directory, so B is the answer.
Intrusion detection is a reasonable supplement to the firewall: it helps the system deal with network attacks, extends the administrator's security management capabilities (security auditing, monitoring, attack identification and response) and improves the integrity of the information security infrastructure. It collects information from several key points in the computer network system and analyzes it for signs of security policy violations and attacks. Intrusion detection is regarded as the second security gate behind the firewall; it can monitor the network without affecting performance and provides real-time protection against internal attacks, external attacks and misoperation. A virus defense system is a defense system against hackers, viruses and Trojan horses.
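The FTP writable-directory check is a classic scanner plugin, so here is an added example (not code from the original article) of how such a check is actually implemented: log in (anonymously by default), change into each candidate directory and attempt a real zero-length upload followed by a delete, rather than trusting permission strings in a directory listing. The marker file name, the candidate directory list and the `FakeFTP` stand-in used to run the logic offline are assumptions made for the example.

```python
import ftplib
import io

# Name of the zero-length marker file the probe uploads (assumed name).
PROBE_NAME = ".writecheck_probe"


def check_writable_dirs(ftp, candidates):
    """Return [(directory, cleaned_up)] for every candidate the current
    FTP login can write to.

    The test is a real write, not a permission-string heuristic: STOR a
    zero-length marker into the directory, then DELE it. A directory is
    reported as writable only if the STOR succeeds; the DELE result is
    reported alongside so an operator knows if a marker was left behind.
    """
    findings = []
    for directory in candidates:
        try:
            ftp.cwd(directory)          # skips names that are not directories
        except ftplib.Error:
            continue
        try:
            ftp.storbinary(f"STOR {PROBE_NAME}", io.BytesIO(b""))
        except ftplib.Error:
            continue                    # not writable for this login
        cleaned = True
        try:
            ftp.delete(PROBE_NAME)
        except ftplib.Error:
            cleaned = False             # writable, but the marker could not be removed
        findings.append((directory, cleaned))
    return findings


def scan_ftp(host, user="anonymous", passwd="scanner@example.invalid", timeout=10):
    """Connect, log in (anonymous by default) and probe the root plus every
    top-level entry. Only run this against hosts you are authorised to test."""
    ftp = ftplib.FTP()
    ftp.connect(host, 21, timeout=timeout)
    ftp.login(user, passwd)
    try:
        candidates = ["/"] + ["/" + name.lstrip("/") for name in ftp.nlst("/")]
        return check_writable_dirs(ftp, candidates)
    finally:
        ftp.quit()


class FakeFTP:
    """In-memory stand-in for ftplib.FTP (constructed so the check runs offline)."""

    def __init__(self, existing, writable, undeletable=()):
        self.existing = set(existing)
        self.writable = set(writable)
        self.undeletable = set(undeletable)
        self.cwd_path = "/"
        self.uploaded = []              # (directory, filename) pairs still on the "server"

    def cwd(self, path):
        if path not in self.existing:
            raise ftplib.error_perm("550 No such directory")
        self.cwd_path = path

    def storbinary(self, cmd, fp):
        if self.cwd_path not in self.writable:
            raise ftplib.error_perm("553 Permission denied")
        self.uploaded.append((self.cwd_path, cmd.split(" ", 1)[1]))

    def delete(self, name):
        if self.cwd_path in self.undeletable:
            raise ftplib.error_perm("550 Permission denied")
        self.uploaded.remove((self.cwd_path, name))

    def nlst(self, path="/"):
        return sorted(p.lstrip("/") for p in self.existing if p != "/")


if __name__ == "__main__":
    fake = FakeFTP(existing={"/", "/pub", "/incoming", "/upload"},
                   writable={"/incoming", "/upload"}, undeletable={"/upload"})
    print(check_writable_dirs(fake, ["/"] + ["/" + n for n in fake.nlst("/")]))
    # [('/incoming', True), ('/upload', False)]
```

Reporting the clean-up result separately matters in practice: a directory that accepts uploads but refuses deletes is exactly the kind of drop zone an attacker abuses, and the scanner has just left its own marker there.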


Among the following options, the most effective way to prevent network monitoring is ( ).

  • A. Install a firewall
  • B. Using wireless network transmission
  • C. Data encryption
  • D. Vulnerability Scanning

[Explanation of test question]: Network monitoring (sniffing) is a management tool for observing the state of the network, its data flow and the information transmitted over it; the same capability lets an attacker intercept data passing on the network. The most effective defense is to encrypt the transmitted data, so that even if it is intercepted, an attacker without the key cannot recover useful information from it, so C is the answer. A firewall does not stop passive capture on a segment the attacker can already reach, wireless transmission makes interception easier rather than harder, and vulnerability scanning finds weaknesses but protects nothing by itself.
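The following added example (not code from the original article) shows why encryption, and not a boundary device, is what defeats a sniffer: the same captured bytes are searched for a sensitive field once in the clear and once after encryption, and a one-bit modification of the captured message is rejected by the receiver. To run on the standard library alone it builds a counter-mode stream cipher from HMAC-SHA256 with an encrypt-then-MAC tag; a real deployment would use TLS or AES-GCM, and the keys, message and layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key, nonce, length):
    """Counter-mode keystream with HMAC-SHA256 as the PRF.
    Stand-in for a real cipher such as AES-GCM so the example needs only the
    standard library; the structure (unique nonce, counter blocks) is the same
    one CTR mode uses."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext;
    raise ValueError on any modification."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: altered in transit or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def sniffer_sees(capture, pattern):
    """What a passive sniffer does: search the captured bytes for a pattern."""
    return pattern in capture


def tamper_detected(enc_key, mac_key, blob, position):
    """Flip one bit of a captured message and report whether the receiver rejects it."""
    altered = bytearray(blob)
    altered[position] ^= 0x01
    try:
        unseal(enc_key, mac_key, bytes(altered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    # Constructed sample: a login form submitted in the clear.
    message = b"user=alice&password=hunter2"
    wire = seal(enc_key, mac_key, message)
    print("plaintext leaks password:", sniffer_sees(message, b"password="))            # True
    print("ciphertext leaks password:", sniffer_sees(wire, b"password="))              # False
    print("receiver recovers:", unseal(enc_key, mac_key, wire) == message)            # True
    print("bit flip rejected:", tamper_detected(enc_key, mac_key, wire, NONCE_LEN + 3))  # True
```

The sniffer still sees that a message of a given length was sent and when, which is why traffic analysis remains possible under encryption; what it can no longer do is read or silently alter the content.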


Among the following statements about vulnerability scanning systems, the wrong one is ( ).

  • A. The vulnerability scanning system is a program that automatically detects the security weaknesses of the target host
  • B. Hackers use the vulnerability scanning system to find security holes in the target host
  • C. Vulnerability scanning system can be used to find network intruders
  • D. The realization of the vulnerability scanning system depends on the perfection of the system vulnerability database

[Explanation of test question]: A vulnerability scanning system is a program that automatically detects the security weaknesses of a target host. It works by checking the target against the entries of a system vulnerability database one by one, so its effectiveness depends on how complete that database is. Hackers can use a vulnerability scanning system to find the security holes of a target host and launch a targeted attack; a system administrator can use it to find and repair the vulnerabilities in the system and so improve its security. A vulnerability scanning system cannot be used to discover network intruders; the system that detects intruders is an intrusion detection system, so C is the wrong statement.

Origin blog.csdn.net/qq_43448856/article/details/126374447