Zero Day Attacks

teancum144 · June 2012

Below are similar questions from two different test banks. However the answers are different. If I encounter a similar question on the N10-004 test tomorrow, what should I answer?

The boss has just read an article about zero-day attacks and rushes into your office in a panic, demanding to know what you'll do to save the company network. What security technique would best protect against such attacks?
A. keep antivirus definitions updated.
B. Use aggressive patch management.
C. Implement user awareness training.
D. Implement effective security policies.

Test bank answer: D

Which of the following security mitigation techniques is the MOST effective against zero-day attacks?
A. Update antivirus definitions
B. MAC filtering
C. Effective security policies
D. User awareness training

Test bank answer: D

sratakhin · June 2012

I think both answers are good.

ChooseLife · June 2012

sratakhin wrote: »

I think both answers are good.

+1, though I am slightly inclined towards the security policy answer, assuming that implies proper security design and defense in depth.

JDMurray · June 2012

Both exam items are basically asking the same question, they both have the same two answers, yet the correct answer choice is different for each item?

Give the two choices of "effective security policies" and "user awareness training," which one is the best defense against zero-day attacks?

From the two exam items given, the correct choices would be either C & D or D & C. They both can't be D.

Zectel · June 2012

If both of these questions are correct, the only logical explanation of this is the way the questions are worded so you have to dissect the semantics. One puts it vaguely at "security techniques" and the other gets a little more specific by adding "security migration techniques."

The best overall security technique, I would think, would definitely be effective security policies on the network, but if you want the best security "mitigation" technique, you might see how "user awareness training" can be the best answer since you can be migrating information from one person to the other in order to protect your network. An even simpler way to look at it is people migrate and security policies in this situation wouldn't be.

JDMurray · July 2012

I think you are too thinly slicing the semantics of what is a basic security exam item. Policies are useless without the user awareness training that forces the users to read and agree to the "what" of the polices. That's true whether including the term mitigation or not. The answer to the first item is incorrect.

teancum144 · July 2012

JDMurray wrote: »

From the two exam items given, the correct choices would be either C & D or D & C. They both can't be D.

Each question is from a different practice test bank - so two different sources with similar questions - but different answers.

the_hutch · July 2012

I kinda think both of those questions are kinda bullshit... You don't implement good security policy or awareness training to protect your organization from zero-day attacks. Zero day attacks by definition have no effective countermeasure. By definition, the only risk management option in this case is risk acceptance. There is no way to effectivley mitigate them, and you would never tell your boss that you protect against zero days because "you have good security policy and/or awareness training." That's how you get fired when somebody exploits a zero-day vulnerability and you had mislead the boss to believe it was taken care of because of security policy. You would tell your boss that its a risk that he must accept...and explain to him why. That being said...try not to think too much when taking a comptia exam. It will get you into trouble.

JDMurray · July 2012

Well, that's a whole 'nother ballgame.

The best possible answer is, "Unplug your network from the Internet and don't let anyone touch your systems--including the users." However, this isn't practical. The best practical answer is, "Reduce your attack surface by uninstalling unnecessary applications." The fewer the entry points the less chance of a zero-day being discovered or exploited. Not a quick solution, but it's typically the most effective.

However, in the universe of cert exam questions, you can only work with the answers given.

ptilsen · July 2012

the_hutch wrote: »

You don't implement good security policy or awareness training to protect your organization from zero-day attacks. Zero day attacks by definition have no effective countermeasure. By definition, the only risk management option in this case is risk acceptance. There is no way to effectivley mitigate them

I disagree. A zero-day attack is exploitation of a specific vulnerability. It does not mean that the vulnerability in question can be exploited in all instances nor does it mean that it cannot be mitigated against. For example, an RPC vulnerability may have a zero-day expoit, but good policies on separating systems and networks can still prevent the vulnerability from being exploited and/or limit the scope of the exploit to certain systems. This is mitigation, rather than elimination of the vulnerability.

The second question is better-phrased in this regard because it focuses on mitigation against the attack, rather than "defense". It's an important distinction, because as you said, a zero-day exploit it cannot be defended against or prevented, but as I am saying its effects can still be mitigated.

the_hutch · July 2012

You're right. My point was there, but I mispoke when using the term mitigation. I will concede to your distinction between prevention and mitigation.

the_hutch · July 2012

My reply was mostly in response to the idea of a panicked boss running into your office asking what you are going to do about Zero Days. And you responding with..."all is as it should be sir...our security policy is sound"

ptilsen · July 2012

Gotcha, and that's fair. With anything of that nature, I think the idea is managing expectations. I would tell the boss that by definition, we cannot patch vulnerabilities before they are exploited in the case of zero-day exploits, but that we can help prevent the chances and limit the effects of exploitation through good security policies. I would also indicate that we have effective policies in place to respond to such attacks in a timely and effective manner.

All of this is of course assuming we actually have good policies and posture in place.

If not, I would use it as an opportunity to get the business on board with making the changes and getting the resources necessary to effect good security policies.

JDMurray · July 2012

ptilsen wrote: »

The second question is better-phrased in this regard because it focuses on mitigation against the attack, rather than "defense". It's an important distinction, because as you said, a zero-day exploit it cannot be defended against or prevented, but as I am saying its effects can still be mitigated.

I'm not sure I see your difference between "mitigation against the attack" and "defense." Mitigating an attack is using (applying) defense, whether it be proactively lessening the chance of the attack occurring or reactively reducing the harmful after-effects of an attack. I interpret both questions are referring to proactive defense to keep a zero-day attack from occurring.

ptilsen · July 2012

Perhaps I'm interpreting defense as "definitively preventing", which in hindsight is probably not a good interpretation. I do prefer the word "mitigate" to "defense" in this context, but I would interpret the question the same either way.

Jasiono · July 2012

the_hutch wrote: »

I kinda think both of those questions are kinda bullshit... You don't implement good security policy or awareness training to protect your organization from zero-day attacks.

Exactly what I was thinking when I read those questions. Glad I'm not the only one

Zero Day Attacks

Comments