Network+ Domain 3: Network Security

question
Which of the following attacks is a form of software exploitation that transmits or submits a longer stream of data than the input variable is designed to handle?
answer
Buffer overflow A buffer overflow occurs when software code receives more input than it was designed to handle and the programmer of that code failed to include input validation checks. When a buffer overflow occurs, the extra data is pushed into the execution stack and processed with the security context of the system itself. In other words, a buffer overflow attack often allows the attacker to perform any operation on a system.
question
You have worked as the network administrator for a company for seven months. One day all picture files on the server become corrupted. You discover that a user downloaded a virus from the Internet onto his workstation, and it propagated to the server. You successfully restore all files from backup, but your boss is adamant that this situation does not reoccur. What should you do?
answer
Install a network virus detection software solution.
question
An attacker sets up 100 drone computers that flood a DNS server with invalid requests. This is an example of which kind of attack?
answer
DDoS A DDoS attack occurs when multiple PCs attack a victim simultaneously and generate excessive traffic, thereby overloading communication channels or exploiting software flaws.
question
Which is a form of attack that either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring?
answer
Denial of service attack
question
Which of the following is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network?
answer
Smurf Smurf is a form of denial of service attack which uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network.
question
A Smurf attack requires all but which of the following elements to be implemented?
answer
Padded cell A padded cell is a type of intrusion enticement mechanism similar to a honey pot. A padded cell is a simulated network environment that is created when an intruder is detected. The intruder is transferred into the padded cell where all of its activities are monitored and logged while isolating the intruder from all sensitive information or controls.
question
What is the common name for a program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found?
answer
Virus
question
Which of the following is not a primary characteristic of a worm?
answer
It infects the MBR of a hard drive A worm does not infect an MBR as a virus can; a worm does not require a host file or drive element. A worm is a self-contained, executable software package. It is able to self-replicate and actively seeks to spread itself to other networked systems.
question
Which of the following is the best countermeasure against man-in-the-middle attacks?
answer
IPsec Use IPsec to encrypt data in a VPN tunnel as it passes between two communication partners.
question
Which of the following describes a man-in-the-middle attack?
answer
A false server intercepts communications from a client by impersonating the intended server.
question
What is the main difference between a worm and a virus?
answer
A worm can replicate itself and does not need a host for distribution. Both viruses and worms can cause damage to data and systems, and both spread from system to system, although a worm can spread itself while a virus attaches itself to a host for distribution.
question
Your company security policy states that wireless networks are not to be used because of the potential security risk they present to your network. One day you find that an employee has connected a wireless access point to the network in his office. What type of security risk is this?
answer
Rogue access point
question
An attacker is trying to compromise a wireless network that has been secured using WPA2-PSK and AES. She first tried using AirSnort to capture packets, but found that she couldn't break the encryption. As an alternative, she used software to configure her laptop to function as an access point. She configured the fake access point with the same SSID as the wireless network she is trying to break into. When wireless clients connect to her access point, she presents them with a web page asking them to enter the WPA2 passphrase. When they do, she then uses it to connect a wireless client to the real access point. What attack techniques did the attacker use in this scenario? (Select two.)
answer
Pharming
Evil twin
• Evil twin: In this exploit, an attacker near a valid wireless access point installs an access point with the same (or similar) SSID.
• Pharming: In this exploit, the access point is configured to display a bogus web page that prompts for credentials, allowing the attacker to steal those credentials.
question
A senior executive reports that she received a suspicious email concerning a sensitive, internal project that is behind production. The email is sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on schedule. Which type of attack best describes the scenario?
answer
Whaling Whaling is a form of social engineering attack that is targeted at senior executives and high-profile victims. Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity.
question
Which of the following is a common form of social engineering attack?
answer
Hoax virus information e-mails.
question
A collection of zombie computers has been set up to collect personal information. What type of malware do the zombie computers represent?
answer
Botnet A botnet refers to a collection of zombie computers which are commanded from a central control infrastructure to propagate spam or to collect usernames and passwords to access secure information.
question
Which of the following is a characteristic of a virus?
answer
Requires an activation mechanism to run
question
You have heard about a new malware program that presents itself to users as a virus scanner. When users run the software, it installs itself as a hidden program that has administrator access to various operating system components. The program then tracks system activity and allows an attacker to remotely gain administrator access to the computer. Which of the following terms best describes this software?
answer
Rootkit A rootkit is a set of programs that allows attackers to maintain permanent, administrator-level, hidden access to a computer. Rootkits require administrator access to install, and typically gain this access using a Trojan horse approach: masquerading as a legitimate program to entice users to install the software.
question
Which of the following is undetectable software that allows administrator-level access?
answer
Rootkit
question
What is the greatest threat to the confidentiality of data in most secure organizations?
answer
USB devices
question
A relatively new employee in the data entry cubicle farm was assigned a user account similar to that of all of the other data entry employees. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred?
answer
Privilege escalation
question
Which of the following attacks tries to associate an incorrect MAC address with a known IP address?
answer
ARP poisoning ARP spoofing/poisoning associates the attacker's MAC address with the IP address of victim devices. When computers send an ARP request to get the MAC address of a known IP address, the attacker's system responds with its MAC address.
question
A router on the border of your network detects a packet with a source address that is from an internal client but the packet was received on the Internet-facing interface. This is an example of what form of attack?
answer
Spoofing Spoofing is the act of changing or falsifying information in order to mislead or redirect traffic. In this scenario, the Internet-facing interface cannot legitimately receive a packet whose stated source address belongs to the internal network.
question
What is modified in the most common form of spoofing on a typical IP packet?
answer
Source address
question
Which type of Denial of Service (DoS) attack occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses?
answer
DNS poisoning
question
Which of the following is an example of an internal threat?
answer
A user accidentally deletes the new product designs
question
An attacker sends an unwanted and unsolicited email message to multiple recipients with an attachment that contains malware. What kind of attack has occurred in this scenario?
answer
Spam
question
An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. What kind of exploit has been used in this scenario? (Choose two. Both responses are different names for the same exploit.)
answer
Pharming DNS poisoning
question
Match the social engineering description on the left with the appropriate attack type on the right.
answer
Phishing ==> An attacker sends an email pretending to be from a trusted organization, asking users to access a website to verify personal information.
Whaling ==> An attacker gathers personal information about the target individual, who is a CEO.
Spear phishing ==> An attacker gathers personal information about the target individual in an organization.
Dumpster diving ==> An attacker searches through an organization's trash for sensitive information.
Piggybacking ==> An attacker enters a secured building by following an authorized employee through a secure door without providing identification.
Vishing ==> An attacker uses a telephone to convince target individuals to reveal their credit card information.
question
While developing a network application, a programmer adds functionality that allows her to access the running program, without authentication, to capture debugging data. The programmer forgets to remove this functionality prior to finalizing the code and shipping the application. What type of security weakness does this represent?
answer
Backdoor
question
When you browse to a website, a pop-up window tells you that your computer has been infected with a virus. You click on the window to see what the problem is. Later, you find out that the window has installed spyware on your system. What type of attack has occurred?
answer
Drive-by download Drive-by downloads can occur in a few different ways:
• Through social engineering, the user is tricked into downloading the software.
• By exploiting a browser or operating system bug, a site is able to install software without the user's knowledge or consent.
question
While using a web-based order form, an attacker enters an unusually large value in the Quantity field. The value entered is large enough to exceed the maximum value supported by the variable type used to store the quantity in the web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the web application processes the order as a return instead of a purchase, and the attacker's account is refunded a large sum of money. What type of attack has occurred in this scenario?
answer
Integer overflow
question
Purchasing insurance is what type of response to risk?
answer
Transference An organization can transfer risk through the purchase of insurance. When calculating the cost of insurance and the deductible, balance the cost against the expected loss from the incident.
question
Over the last month you have noticed a significant increase in the occurrence of inappropriate activities performed by employees. What is the best first response step to take in order to improve or maintain the security level of the environment?
answer
Improve and hold new awareness sessions
question
Which of the following uses hacking techniques to proactively discover internal vulnerabilities?
answer
Penetration testing
question
Which of the following activities are typically associated with a penetration test? (Select two.)
answer
Attempting social engineering Running a port scanner
question
What is the main difference between vulnerability scanning and penetration testing?
answer
Vulnerability scanning is performed within the security perimeter; penetration testing is performed outside of the security perimeter.
question
Which of the following types of penetration test teams will provide you information that is most revealing of a real-world hacker attack?
answer
Zero knowledge team A zero knowledge team is a penetration testing team that most closely simulates a real-world hacker attack, because its members must perform all of the initial blind reconnaissance.
question
A security administrator is conducting a penetration test on a network. She connects a notebook system running Linux to the wireless network and then uses NMAP to probe various network hosts to see which operating system they are running. Which process did the administrator use in the penetration test in this scenario?
answer
Active fingerprinting Active fingerprinting is a form of system enumeration that is designed to gain as much information about a specific computer as possible. It identifies operating systems based upon ICMP message quoting characteristics. Portions of an original ICMP request are repeated (or quoted) within the response, and each operating system quotes this information back in a slightly different manner. Active fingerprinting can determine the operating system and even the patch level.
question
A security administrator is conducting a penetration test on a network. She connects a notebook system to a mirror port on a network switch. She then uses a packet sniffer to monitor network traffic to try and determine which operating systems are running on network hosts. Which process did the administrator use in the penetration test in this scenario?
answer
Passive fingerprinting Passive fingerprinting is a form of system enumeration that is designed to gain as much information about network computers as possible. It passively listens to network traffic generated by network hosts and attempts to identify which operating systems are in use based upon the ICMP message quoting characteristics they use. Portions of original ICMP requests are repeated (or quoted) within each response. Each operating system quotes this information back in a slightly different manner.
question
Drag each penetration test characteristic on the left to the appropriate penetration test name on the right.
answer
White box test ==> The tester has detailed information about the target system prior to starting the test.
Grey box test ==> The tester has the same amount of information that would be available to a typical insider in the organization.
Black box test ==> The tester has no prior knowledge of the target system.
Single blind test ==> Either the attacker has prior knowledge about the target system, or the administrator knows that the test is being performed.
Double blind test ==> The tester does not have prior information about the system and the administrator has no knowledge that the test is being performed.
question
When recovery is being performed due to a disaster, which services are to be stabilized first?
answer
Mission critical The services to be restored first are mission critical services. If mission critical services are not restored within their maximum tolerable downtime, the organization is no longer viable.
question
In business continuity planning, what is the primary focus of the scope?
answer
Business processes Company assets are the focus of risk assessment for security policy development, not BCP. Human life and safety are considerations for emergency response, but are not the focus of the BCP scope. Recovery time objective is a consideration in the development of emergency response, not an aspect of BCP scope.
question
What is the primary goal of business continuity planning?
answer
Maintaining business operations with reduced or restricted infrastructure capabilities or resources
question
Which of the following network strategies connects multiple servers together such that if one server fails, the others immediately take over its tasks, preventing a disruption in service?
answer
Clustering Clustering connects multiple servers together using special software.
question
What is the primary security feature that can be designed into a network's infrastructure to protect and support availability?
answer
Redundancy
question
You manage a website for your company. The website uses three servers configured in a cluster. Incoming requests are distributed automatically between the three servers. All servers use a shared storage device that holds the website contents. Each server has a single network connection and a single power supply. Considering the availability of your website, which component represents a single point of failure?
answer
Website storage A single point of failure means that failure in one component will cause the entire website to be unavailable. If the storage unit fails, then the website content will be unavailable.
question
Besides protecting a computer from under voltages, a typical UPS also performs which two actions:
answer
Conditions the power signal Protects from over voltages
question
You manage the website for your company. The website uses a cluster of two servers with a single shared storage device. The shared storage device uses a RAID 1 configuration. Each server has a single connection to the shared storage, and a single connection to your ISP. You want to provide redundancy such that a failure in a single component does not cause the website to be unavailable. What should you add to your configuration to accomplish this?
answer
Connect one server through a different ISP to the Internet. If the ISP connection goes down, then the website is unavailable. Connecting one server to a different ISP, or both servers to two ISPs, will provide redundancy for the connection.
question
Even if you perform regular backups, what must be done to ensure that you are protected against data loss?
answer
Regularly test restoration procedures
question
Which encryption method is used by WPA for wireless networks?
answer
TKIP WPA uses TKIP for encryption. TKIP uses rotating encryption keys for added security over WEP. AES encryption is used with WPA2. AES requires specialized hardware that might not be available on a device that only supports WPA. WEP is a security method for wireless networks that provides encryption through the use of a shared encryption key (the WEP key).
question
You want to implement 802.1x authentication on your wireless network. Which of the following will be required?
answer
RADIUS
question
You want to implement 802.1x authentication on your wireless network. Where would you configure passwords that are used for authentication?
answer
On a RADIUS server 802.1x authentication uses usernames and passwords, certificates, or devices such as smart cards to authenticate wireless clients. Authentication requests received by the wireless access point are passed to a RADIUS server which validates the logon credentials (such as the username and password).
question
Which of the following wireless security methods uses a common shared key configured on the wireless access point and all wireless clients?
answer
WEP, WPA Personal, and WPA2 Personal
question
You want to connect your client computer to a wireless access point connected to your wired network at work. The network administrator tells you that the access point is configured to use WPA2 Personal with the strongest encryption method possible. SSID broadcast is turned off. Which of the following must you configure manually on the client? (Select three.)
answer
Preshared key AES SSID WPA2 Personal uses a shared key for authentication. Once authenticated, dynamic keys are generated to be used for encryption. WPA2 supports AES and TKIP encryption, with AES being the stronger encryption method. With the SSID broadcast turned off, you will need to manually configure the SSID on the client.
question
Which of the following authentication protocols uses a three-way handshake to authenticate users to the network? (Choose two.)
answer
MS-CHAP CHAP
question
Which type of device is required to implement port authentication through a switch?
answer
RADIUS server Port authentication is provided by the 802.1x protocol, and allows only authenticated devices to connect to the LAN through the switch. 802.1x requires a RADIUS server (also called an AAA server) to validate the authentication credentials.
question
You want to increase the security of your network by allowing only authenticated users to be able to access network devices through a switch. Which of the following should you implement?
answer
802.1x 802.1x authentication is an authentication method used on a LAN to allow or deny access based on a port or connection to the network. 802.1x is used for port authentication on switches and authentication to wireless access points. 802.1x requires an authentication server for validating user credentials. This server is typically a RADIUS server. Authenticated users are allowed full access to the network; unauthenticated users only have access to the RADIUS server.
question
Which of the following applications typically use 802.1x authentication? (Select two.)
answer
Controlling access through a switch Controlling access through a wireless access point
question
Which of the following attacks, if successful, causes a switch to function like a hub?
answer
MAC flooding MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. The attacker floods the switch with packets, each containing a different source MAC address. The flood of packets fills up the forwarding table and consumes so much of the memory in the switch that it causes the switch to enter a state called fail-open mode, in which all incoming packets are broadcast out all ports (as with a hub), instead of just to the correct ports as per normal operation.
question
You just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID card to gain access. You backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a username of admin and a password of admin. You used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? (Select two.)
answer
Use an SSH client to access the router configuration. Change the default administrative username and password.
question
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a cubicle near your office. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using an SSH client with a user name of admin01 and a password of P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device?
answer
Move the router to a secure server room.
question
You can use a variety of methods to manage the configuration of a network router. Match the management option on the right with its corresponding description on the left. (Each option can be used more than once.)
answer
SSL ==> Uses public-key cryptography
HTTP ==> Transfers data in clear text
SSH ==> Uses public-key cryptography
Telnet ==> Transfers data in clear text
Console port ==> Cannot be sniffed
question
You run a small network for your business that has a single router connected to the Internet and a single switch. You keep sensitive documents on a computer that you would like to keep isolated from other computers on the network. Other hosts on the network should not be able to communicate with this computer through the switch, but you still need to access the network through the computer. What should you use for this situation?
answer
VLAN Define virtual LANs (VLANs) on the switch. With a VLAN, a port on the switch is associated with a VLAN. Only devices connected to ports that are members of the same VLAN can communicate with each other. Routers are used to allow communication between VLANs if necessary.
question
When using Kerberos authentication, which of the following terms is used to describe the token that verifies the identity of the user to the target system?
answer
Ticket The tokens used in Kerberos authentication are known as tickets. These tickets perform a number of functions including notifying the network service of the user who has been granted access, and authenticating the identity of the person when they attempt to use that network service.
question
You have been contracted by a firm to implement a new remote access solution based on a Windows Server 2003 system. The customer wants to purchase and install a smartcard system to provide a high level of security to the implementation. Which of the following authentication protocols are you most likely to recommend to the client?
answer
EAP
question
Which of the following is a platform independent authentication system that maintains a database of user accounts and passwords that centralizes the maintenance of those accounts?
answer
RADIUS The Remote Authentication Dial-In User Service (RADIUS) is an authentication system that allows the centralization of remote user account management.
question
Which of the following is a mechanism for granting and validating certificates?
answer
PKI Certificates are obtained from a Public Key Infrastructure (PKI). A PKI is a system that provides for a trusted third party to vouch for user identities. A PKI is made up of Certification Authorities (CAs), also called certificate authorities. A CA is an entity trusted to issue, store, and revoke certificates.
question
Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.)
answer
RADIUS TACACS+
question
You want to implement an authentication method that uses public and private key pairs. Which authentication method should you use?
answer
EAP Public and private key pairs are used by certificates for authentication and encryption. Extensible Authentication Protocol (EAP) allows the client and server to negotiate the characteristics of authentication. EAP is used to allow authentication using smart cards, biometrics (user physical characteristics), and certificate-based authentication.
question
You have a web server that will be used for secure transactions for customers who access the website over the Internet. The web server requires a certificate to support SSL. Which method would you use to get a certificate for the server?
answer
Obtain a certificate from a public PKI.
question
Which of the following authentication methods uses tickets to provide single sign-on?
answer
Kerberos
question
Which of the following are used when implementing Kerberos for authentication and authorization? (Select two.)
answer
Ticket granting server Time server
question
You have decided to implement a remote access solution that uses multiple remote access servers. You want to implement RADIUS to centralize remote access authentication and authorization. Which of the following would be a required part of your configuration?
answer
Configure the remote access servers as RADIUS clients. When configuring a RADIUS solution, configure a single server as a RADIUS server. Then configure all remote access servers as RADIUS clients.
question
Which of the following are characteristics of TACACS+? (Select two.)
answer
Uses TCP Allows for the possibility of three different servers, one each for authentication, authorization, and accounting
question
Which of the following is a feature of MS-CHAP v2 that is not included in CHAP?
answer
Mutual authentication
question
Which of the following specifications identify security that can be added to wireless networks? (Select two.)
answer
802.11i 802.1x Standards described in 802.11i have been implemented in Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2). 802.1x is an authentication protocol that can be used on wireless networks.
question
As you are helping a user with a computer problem you notice that she has written her password on a note stuck to her computer monitor. You check the password policy of your company and find that the following settings are currently required:
• Minimum password length = 10
• Minimum password age = 4
• Maximum password age = 30
• Password history = 6
• Require complex passwords that include numbers and symbols
• Account lockout clipping level = 3
Which of the following is the best action to take to make remembering passwords easier so that she no longer has to write the password down?
answer
Implement end-user training. Instruct users on the importance of security and teach them how to create and remember complex passwords. Making any other changes would violate the security policy and reduce the overall security of the passwords.
question
Which of the following is the most common form of authentication?
answer
Password Most secure systems require only a username and password to provide users with access to the computing environment. Many forms of online intrusion attacks focus on stealing passwords. This makes using strong passwords very important. Without a strong password policy and properly trained users, the reliability of your security system is greatly diminished.
question
Which of the following is an example of two-factor authentication?
answer
A token device and a PIN Two-factor authentication uses two different types of authentication (i.e., a combination of Type I, Type II, and Type III authentication). Of the examples listed here, a token device (Type II) combined with a PIN (Type I) is the only example of two-factor authentication.
question
Which of the following is an example of three-factor authentication?
answer
Token device, keystroke analysis, cognitive question Three-factor authentication uses three items for authentication, one from each of the authentication types:
• Type I (something you know, such as a password, PIN, pass phrase, or cognitive question)
• Type II (something you have, such as a smart card, token device, or photo ID)
• Type III (something you are, such as fingerprints, retina scans, voice recognition, or keyboard dynamics)
question
Which of the following best describes one-factor authentication?
answer
Multiple authentication credentials may be required, but they are all of the same type One-factor authentication uses credentials of only one type, but may require multiple methods within the same type. For example, you might log on with just a password, or with a password along with answering a cognitive question (such as your mother's maiden name). One-factor authentication that uses multiple credentials of the same type is also sometimes called strong authentication.
question
Match the authentication factor types on the left with the appropriate authentication factor on the right. Each authentication factor type can be used more than once.
answer
PIN ==> Something you know
Smart card ==> Something you have
Password ==> Something you know
Retina scan ==> Something you are
Fingerprint scan ==> Something you are
Hardware token ==> Something you have
User name ==> Something you know
Voice recognition ==> Something you are
Wi-Fi triangulation ==> Somewhere you are
Typing behaviors ==> Something you do
question
You want to prevent your browser from running JavaScript commands that are potentially harmful. Which of the following would you restrict to accomplish this?
answer
Client-side scripts JavaScript is an example of client-side scripting, where the client system runs the scripts that are embedded in Web pages. When pages download, the scripts are executed. ActiveX runs executable code within a browser, but ActiveX controls are not written using the JavaScript language. Server-side scripts execute on the server, and modify the Web pages served to clients based on the results of the scripts. The Common Gateway Interface (CGI) is a scripting language that is often used to capture data from forms in a Web page and pass the data to an external program. CGI runs on the server to process Web form data.
question
Which of the following actions should you take to reduce the attack surface of a server?
answer
Disable unused services.
question
You are concerned that wireless access points may have been deployed within your organization without authorization. What should you do? (Select two. Each response is a complete solution.)
answer
Conduct a site survey. Check the MAC addresses of devices connected to your wired switch.
question
If your anti-virus software does not detect and remove a virus, what should you try first?
answer
Update your virus detection software.
question
Which remote access authentication protocol allows for the use of smart cards for authentication?
answer
EAP Extensible Authentication Protocol (EAP) is a set of interface standards that allows you to use various authentication methods including smartcards, biometrics, and digital certificates.
question
Which of the following do switches and wireless access points use to control access through the device?
answer
MAC filtering Both switches and wireless access points are layer 2 devices, meaning they use the MAC address for making forwarding decisions. Both devices typically include some form of security that restricts access based on the MAC address.
question
Telnet is inherently insecure because its communication is in plain text and is easily intercepted. Which of the following is an acceptable alternative to Telnet?
answer
SSH SSH (Secure Shell) allows for secure interactive control of remote systems. SSH uses RSA public key cryptography for both connection and authentication. SSH uses the IDEA algorithm for encryption by default, but is able to use Blowfish and DES.
question
Which security protocols use RSA encryption to secure communications over an untrusted network? (Select two.)
answer
Transport Layer Security
Secure Sockets Layer
question
Which of the following networking devices or services prevents the use of IPsec in most cases?
answer
NAT IPsec cannot typically be used when static IP addresses are not used by both communication partners. NAT proxy performs network address translation on all communications. For this reason, the IP address seen for a system outside of the proxied network is not the real IP address of that system. This prevents the use of IPsec.
question
Which of the following protocols are often added to other protocols to provide secure transmission of data? (Select two.)
answer
TLS
SSL
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that are used with other protocols to add security. In addition, Secure Shell (SSH) can be used to add security when using unsecure protocols.
question
A network switch detects a DHCP frame on the LAN that appears to have come from a DHCP server that is not located on the local network. In fact, it appears to have originated from outside the organization's firewall. As a result, the switch drops the DHCP message from that server. Which security feature was enabled on the switch to accomplish this?
answer
DHCP snooping DHCP snooping filters out untrusted DHCP messages. An untrusted DHCP message is received from outside the network or firewall. DHCP snooping acts like a firewall between DHCP clients and your DHCP servers.
question
A network switch is configured to perform the following validation checks on its ports:
• All ARP requests and responses are intercepted.
• Each intercepted request is verified to ensure that it has a valid IP-to-MAC address binding.
• If the packet has a valid binding, the switch forwards the packet to the appropriate destination.
• If the packet has an invalid binding, the switch drops the ARP packet.
What security feature was enabled on the switch to accomplish this?
answer
Dynamic ARP Inspection
question
You have just downloaded a file. You create a hash of the file and compare it to the hash posted on the website. The two hashes match. What do you know about the file?
answer
Your copy is the same as the copy posted on the website. A hash is a function that takes a variable-length string (message) and compresses and transforms it into a fixed-length value. Hashes ensure the data integrity of files and messages in transit. The sender and the receiver use the same hashing algorithm on the original data. If the hashes match, then the data can be assumed to be unmodified. Hashes do not ensure confidentiality (in other words, hashes are not used to encrypt data).
question
You are an IT consultant and are visiting a new client's site to become familiar with their network. As you walk around their facility, you note the following:
• When you enter the facility, a receptionist greets you and directs you down the hallway to the office manager's cubicle. The receptionist uses a notebook system that is secured to her desk with a cable lock.
• The office manager informs you that the organization's servers are kept in a locked closet. Only she has the key to the closet. When you arrive on site, you will be required to get the key from her to access the closet.
• She informs you that server backups are configured to run each night. A rotation of external USB hard disks are used as the backup media.
• You notice the organization's network switch is kept in an empty cubicle adjacent to the office manager's workspace.
• You notice that a router/firewall/content filter all-in-one device has been implemented in the server closet to protect the internal network from external attacks.
Which security-related recommendations should you make to this client? (Select two.)
answer
Relocate the switch to the locked server closet. Control access to the work area with locking doors and card readers.
question
What is a secure doorway that can be used in coordination with a mantrap to allow easy egress from a secured environment but which actively prevents re-entrance through the exit portal?
answer
Turnstiles Turnstiles allow easy egress from a secured environment but actively prevent re-entrance through the exit portal. Turnstiles are a common exit portal used in conjunction with entrance portal mantraps. A turnstile cannot be used to enter into a secured facility as it only functions in one direction.
question
You want to use CCTV to increase your physical security. You want to be able to remotely control the camera position. Which camera type should you choose?
answer
PTZ A Pan Tilt Zoom (PTZ) camera lets you dynamically move the camera and zoom in on specific areas to monitor (cameras without PTZ capabilities are manually set to look in a specific direction). Automatic PTZ mode automatically moves the camera between several preset locations; manual PTZ lets an operator remotely control the position of the camera.
question
Which of the following allows for easy exit of an area in the event of an emergency, but prevents entry? (Select two.)
answer
Turnstile
Double-entry door
A double-entry door has two doors that are locked from the outside but with crash bars on the inside that allow easy exit. Double-entry doors are typically used only for emergency exits, and alarms sound when the doors are opened. A turnstile is a barrier that permits entry in only one direction. Turnstiles are often used to permit easy exit from a secure area.
question
Match each physical security control on the left with an appropriate example of that control on the right. Each security control may be used once, more than once, or not at all.
answer
Hardened carrier >> Protected cable distribution
Biometric authentication >> Door locks
Barricades >> Perimeter barrier
Emergency escape plans >> Safety
Alarmed carrier >> Protected cable distribution
Anti-passback system >> Physical access control
Emergency lighting >> Safety
Exterior floodlights >> Perimeter barrier
question
You are an IT consultant and are visiting a new client's site to become familiar with their network. As you walk around their facility, you note the following:
• When you enter the facility, a receptionist greets you and directs you down the hallway to the office manager's cubicle. The receptionist uses a notebook system that is secured to her desk with a cable lock.
• The office manager informs you that the organization's servers are kept in a locked closet. Only she has the key to the closet. When you arrive on site, you will be required to get the key from her to access the closet.
• She informs you that server backups are configured to run each night. A rotation of external USB hard disks are used as the backup media.
• You notice the organization's network switch is kept in an empty cubicle adjacent to the office manager's workspace.
• You notice that a router/firewall/content filter UTM device has been implemented in the server closet to protect the internal network from external attacks.
Which security-related recommendations should you make to this client? (Select two.)
answer
Relocate the switch to the locked server closet. Control access to the work area with locking doors and proximity readers.
question
Which of the following is the most important thing to do to prevent console access to a network switch?
answer
Keep the switch in a room that uses a cipher lock.
question
Which of the following does a router acting as a firewall use to control which packets are forwarded or dropped?
answer
ACL When you configure a router as a firewall, you configure the access control list (ACL) with statements that identify traffic characteristics, such as the direction of traffic (inbound or outbound), the source or destination IP address, and the port number. ACL statements include an action to either allow or deny the traffic specified by the ACL statement.
question
You have a router that is configured as a firewall. The router is a layer 3 device only. Which of the following does the router use for identifying allowed or denied packets?
answer
IP address A router acting as a firewall at layer 3 is capable of making forwarding decisions based on the IP address.
question
You want to allow traveling users to connect to your private network through the Internet. Users will connect from various locations including airports, hotels, and public access points such as coffee shops and libraries. As such, you won't be able to configure the firewalls that might be controlling access to the Internet in these locations. Which of the following protocols would be most likely to be allowed through the widest number of firewalls?
answer
SSL Ports must be opened in firewalls to allow VPN protocols. For this reason, using SSL for the VPN often works through firewalls when other solutions do not because SSL uses port 443--a port that is often already open to allow HTTPS traffic. In addition, some NAT solutions do not work well with VPN connections.
question
Which protocol does HTTPS use to offer greater security in Web transactions?
answer
SSL HTTPS uses Secure Sockets Layer (SSL) to offer greater security in Web transactions.
question
You are the administrator of your company's network. You want to prevent unauthorized access to your intranet from the Internet. Which of the following should you implement?
answer
Firewall
question
You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling. You want to protect the laptop from Internet-based attacks. Which solution should you use?
answer
Host-based firewall
question
You manage a small network at work. Users use workstations connected to your network. No portable computers are allowed. As part of your security plan, you would like to implement scanning of e-mails for all users. You want to scan the e-mails and prevent any e-mails with malicious attachments from being received by users. Your solution should minimize administration, allowing you to centrally manage the scan settings. Which solution should you use?
answer
Network based firewall A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the Internet and scans all incoming e-mail. Scanning e-mail as it arrives at your e-mail server allows you to centralize management and stop malicious e-mails before they arrive at client computers.
question
Your company has a connection to the Internet that allows users to access the Internet. You also have a Web server and an e-mail server that you want to make available to Internet users. You want to create a DMZ for these two servers. Which type of device should you use to create the DMZ?
answer
Network based firewall
question
You have just installed a packet-filtering firewall on your network. Which options will you be able to set on your firewall? (Select all that apply.)
answer
Source address of a packet
Port number
Destination address of a packet
question
You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use?
answer
Circuit-level
question
Which of the following are characteristics of a circuit-level gateway? (Select two.)
answer
Filters based on sessions
Stateful
question
Which of the following are characteristics of a packet filtering firewall? (Select two.)
answer
Filters IP address and port
Stateless
question
You provide Internet access for a local school. You want to control Internet access based on user, and prevent access to specific URLs. Which type of firewall should you install?
answer
Application-level
question
You have a company network that is connected to the Internet. You want all users to have Internet access, but need to protect your private network and users. You also need to make a Web server publicly available to Internet users. Which solution should you use?
answer
Use firewalls to create a DMZ. Place the Web server inside the DMZ, and the private network behind the DMZ.
question
You have used firewalls to create a demilitarized zone. You have a Web server that needs to be accessible to Internet users. The Web server must communicate with a database server for retrieving product, customer, and order information. How should you place devices on the network to best protect the servers? (Select two.)
answer
Put the database server on the private network. Put the Web server inside the DMZ.
question
Which of the following describes how access lists can be used to improve network security?
answer
An access list filters traffic based on the IP header information such as source or destination IP address, protocol, or socket numbers.
question
Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted Internet?
answer
DMZ A DMZ or demilitarized zone is a network placed between a private secured network and the untrusted Internet to grant external users access to internally controlled services. The DMZ serves as a buffer network.
question
Which of the following is likely to be located in a DMZ?
answer
FTP server
question
When designing a firewall, what is the recommended approach for opening and closing ports?
answer
Close all ports; open only ports required by applications inside the DMZ.
question
In which of the following situations would you most likely implement a demilitarized zone (DMZ)?
answer
You want to protect a public Web server from attack.
question
A small startup company has hired you to harden their new network. Because funds are limited, you have decided to implement a unified threat management (UTM) device that provides multiple security features in a single network appliance:
• Firewall
• VPN
• Anti-spam
• Antivirus
You join the UTM device to the company's Active Directory domain. The company's traveling sales force will use the VPN functionality provided by the UTM device to connect to the internal company network from hotel and airport public WiFi networks. What weaknesses exist in this implementation?
answer
The UTM represents a single point of failure.
question
Match the firewall type on the left with its associated characteristics on the right. Each firewall type may be used once, more than once, or not at all.
answer
Operates at Layer 2 >> Virtual firewall
Operates at Layer 3 >> Routed firewall
Counts as a hop in the path between hosts >> Routed firewall
Does not count as a hop in the path between hosts >> Virtual firewall
Each interface connects to a different network >> Routed firewall
Each interface connects to the same network segment >> Virtual firewall
question
An all-in-one security appliance is best suited for which type of implementation?
answer
A remote office with no on-site technician.
question
Which of the following features are common functions of an all-in-one security appliance? (Select two.)
answer
Spam filtering
Bandwidth shaping
question
You recently installed a new all-in-one security appliance in a remote office. You are in the process of configuring the device. You need to:
• Increase the security of the device.
• Enable remote management from the main office.
• Allow users to be managed through Active Directory.
You want to configure the device so you can access it from the main office. You also want to make sure the device is as secure as possible. Which of the following tasks should you carry out? (Select two.)
answer
Change the default username and password. Configure the device's authentication type to use Active Directory.
question
Members of the Sales team use laptops to connect to the company network. While traveling, they connect their laptops to the Internet through airport and hotel networks. You are concerned that these computers will pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless anti-virus software and the latest operating system patches have been installed. Which solution should you use?
answer
NAC Network Access Control (NAC) controls access to the network by not allowing computers to access network resources unless they meet certain predefined security requirements.
question
You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access to all network devices except for a special server that holds the patches that the computers need to download. Which of the following components will be part of your solution? (Select two.)
answer
802.1x authentication
Remediation servers
question
A network utilizes a Network Access Control (NAC) solution to protect against malware. When a wired or wireless host tries to connect to the network, a NAC agent on the host checks it to make sure it has all of the latest operating system updates installed and that the latest antivirus definitions have been applied. What is this process called?
answer
Posture assessment When a wired or wireless host tries to connect to the network, a NAC agent on the host checks it to make sure it has all of the latest operating system updates installed and that the latest antivirus definitions have been applied. This is called a posture assessment. The agent then submits the results of the assessment as a Statement of Health (SoH) to the System Health Validator (SHV).
question
The outside sales reps from your company use notebook computers, tablets, and phones to connect to the internal company network. While traveling, they connect their devices to the Internet using airport and hotel networks. You are concerned that these devices will pick up viruses that could spread to your private network. You would like to implement a solution that prevents devices from connecting to your network unless antivirus software and the latest operating system patches have been installed. When a host tries to connect to the network, the host should be scanned to verify its health. If the host is not healthy, then it should be placed on a quarantine network where it can be remediated. Once healthy, the host can then connect to the production network. Which solution should you use?
answer
NAC Network Access Control (NAC) prevents devices from accessing network resources unless they meet certain predefined security requirements.
question
The owner of a hotel has contracted with you to implement a wireless network to provide Internet access for patrons. The owner has asked that you implement security controls such that only paying patrons are allowed to use the wireless network. She wants them to be presented with a login page when they initially connect to the wireless network. After entering a code provided by the concierge at check-in, they should then be allowed full access to the Internet. If a patron does not provide the correct code, they should not be allowed to access the Internet. Under no circumstances should patrons be able to access the internal hotel network where sensitive data is stored. What should you do?
answer
Implement a guest network
question
What is the most important element related to evidence in addition to the evidence itself?
answer
Chain of custody document
question
The chain of custody is used for what purposes?
answer
Listing people coming into contact with evidence
question
You have been asked to draft a document related to evidence gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. What type of document is this?
answer
Chain of custody
question
What does hashing of log files provide?
answer
Proof that the files have not been altered
question
You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you go to use them in the future?
answer
Create a hash of each log.
question
Which method can be used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence?
answer
Hashing Hashing is the method used to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence.
question
The immediate preservation of evidence is paramount when conducting a forensic analysis. Which of the following actions is most likely to destroy critical evidence?
answer
Rebooting the system
question
When duplicating a drive for forensic investigative purposes, which of the following copying methods is most appropriate?
answer
Bit-level cloning
question
How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?
answer
Create a checksum using a hashing algorithm
question
You manage the network for your company. You have recently discovered information on a computer hard drive that might indicate evidence of illegal activity. You want to perform forensic activities on the disk to see what kind of information it contains. What should you do first?
answer
Make a bit-level copy of the disk Before conducting an investigation of data on a disk, you should create a hash of the disk, create a bit-level copy of the disk, then create a hash of your copy of the disk. Perform any investigative activities on your copy of the disk, not on the original disk.
question
Arrange the computer components listed on the left in order of decreasing volatility on the right.
answer
CPU registers and caches
System RAM
Paging file
Hard disk
File system backup on an external USB drive
question
After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best next step or action to take?
answer
Back up all logs and audits regarding the incident
question
If maintaining confidentiality is of the utmost importance to your organization, what is the best response when an intruder is detected on your network?
answer
Disconnect the intruder.
question
Which of the following is an important aspect of evidence gathering?
answer
Backing up all log files and audit trails
question
When conducting a forensic investigation, and assuming that the attack has been stopped, which of the following actions should you perform first?
answer
Document what's on the screen
question
During a recent site survey, you find a rogue wireless access point on your network. Which of the following actions should you take first to protect your network, while still preserving evidence?
answer
Disconnect the access point from the network
question
You have discovered a computer that is connected to your network that was used for an attack. You have disconnected the computer from the network to isolate it from the network and stop the attack. Which should you do next?
answer
Perform a memory dump
question
You have recently discovered that a network attack has compromised your database server. In the process, customer credit card numbers might have been taken by an attacker. You have stopped the attack and put measures in place to prevent the same incident from occurring in the future. What else might you be legally required to do?
answer
Contact your customers to let them know of the security breach
question
In which stage of the evidence lifecycle is the forensic report created?
answer
Preservation and analysis