872 Cards in this Set
Which access control mechanism provides the owner of an object the opportunity to determine the access control permissions for other subjects?
A. Mandatory
B. Role-based
C. Discretionary
D. Token-based
C. Discretionary access control provides the owner of an object the opportunity to determine the access control permissions for other subjects.
What is the most common form of authentication used?
A. Biometrics
B. Tokens
C. Access card
D. Username/password
D. Username/password is the single most common authentication mechanism in use today.
A retinal scan device is an example of what type of authentication mechanism?
A. Something you know
B. Something you have
C. Something about you/something you are
D. Multifactor authentication
C. A retinal scan is an example of a biometric device, which falls into the category of something about you/something you are.
Which of the following is true about the security principle of implicit deny?
A. In a given access control situation, if a rule does not specifically allow the access, it is by default denied.
B. It incorporates both access-control and authentication mechanisms into a single device.
C. It allows for only one user to an object at a time; all others are denied access.
D. It bases access decisions on the role of the user, as opposed to using the more common access control list mechanism.
A. The basic premise of implicit deny is that an action is allowed only if a specific rule states that it is acceptable, making A the most correct answer.
From a security standpoint, what are the benefits of job rotation?
A. It keeps employees from becoming bored with mundane tasks that might make it easier for them to make a mistake without noticing.
B. It provides everybody with a better perspective of the issues surrounding security and lessens the impact of losing any individual employee since others can assume their duties.
C. It keeps employees from learning too many details related to any one position thus making it more difficult for them to exploit that position.
D. It ensures that no employee has the opportunity to exploit a specific position for any length of time without risk of being discovered.
B. While both C and D may indeed bear a semblance of truth, they are not the primary reasons given as benefits of rotating employees through jobs in an organization. The reasons discussed included ensuring that no single individual alone can perform security operations, plus the benefit of having more employees understand the issues related to security.
What was described in the chapter as being essential in order to implement mandatory access controls?
A. Tokens
B. Certificates
C. Labels
D. Security classifications
C. Labels were discussed as being required for both objects and subjects in order to implement mandatory access controls. D is not the correct answer, because mandatory access controls are often used to implement various levels of security classification, but security classifications are not needed in order to implement MAC.
The CIA of security includes
A. Confidentiality, integrity, authentication
B. Certificates, integrity, availability
C. Confidentiality, inspection, authentication
D. Confidentiality, integrity, availability
D. Don’t forget that even though authentication was described at great length in this chapter, the A in the CIA of security represents availability, which refers to the hardware and data being accessible when the user wants it.
Security through obscurity is an approach to security that is sometimes used but that is dangerous to rely on. It attempts to do the following:
A. Protect systems and networks by using confusing URLs to make them difficult to remember or find.
B. Protect data by relying on attackers not being able to discover the hidden, confusing, or obscure mechanisms being used as opposed to employing any real security practices or devices.
C. Hide data in plain sight through the use of cryptography.
D. Make data hard to access by restricting its availability to a select group of users.
B. Answer B describes the more general definition of this flawed approach, which relies on attackers not being able to discover the mechanisms being used in the belief that if it is confusing or obscure enough, it will remain safe. The problem with this approach is that once the confusing or obscure technique is discovered, the security of the system and data can be compromised. Security must rely on more than just obscurity to be effective. Answer A does at some level describe activity that is similar to the concept of security through obscurity, but it is not the best answer.
The fundamental approach to security in which an object has only the necessary rights and privileges to perform its task with no additional permissions is a description of
A. Layered security
B. Least privilege
C. Role-based security
D. Kerberos
B. This describes least privilege. Layered security refers to using multiple layers of security (such as at the host and network layers) so that if an intruder penetrates one layer, they still have to face additional security mechanisms before gaining access to sensitive information.
Which access control technique discussed relies on a set of rules to determine whether access to an object will be granted or not?
A. Role-based access control
B. Object and rule instantiation access control
C. Rule-based access control
D. Discretionary access control
C. Rule-based access control relies on a set of rules to determine whether access to an object will be granted or not.
The security principle that ensures that no critical function can be executed by any single individual (by dividing the function into multiple tasks that can’t all be executed by the same individual) is known as
A. Discretionary access control
B. Security through obscurity
C. Separation of duties
D. Implicit deny
C. The separation of duties principle ensures that no critical function can be executed by any single individual.
The ability of a subject to interact with an object is described as
A. Authentication
B. Access
C. Confidentiality
D. Mutual authentication
B. Access is the ability of a subject to interact with an object.
Information security places the focus of security efforts on
A. The system hardware
B. The software
C. The user
D. The data
D. Information security places the focus of the security efforts on the data (information).
In role-based access control, which of the following is true?
A. The user is responsible for providing both a password and a digital certificate in order to access the system or network.
B. A set of roles that the user may perform will be assigned to each user, thus controlling what the user can do and what information he or she can access.
C. The focus is on the confidentiality of the data the system protects and not its integrity.
D. Authentication and nonrepudiation are the central focus.
B. In role-based access controls, roles are assigned to the user. Each role will describe what the user can do and the data or information that can be accessed to accomplish that role.
Using different types of firewalls to protect various internal subnets is an example of
A. Layered security
B. Security through obscurity
C. Diversity of defense
D. Implementing least privilege for access control
C. This is an example of diversity of defense. The idea is to provide different types of security and not rely too heavily on any one type of product.
Which type of social engineering attack utilizes voice messaging to conduct the attack?
A. Phishing
B. War dialing
C. Vishing
D. War driving
C. Vishing is basically a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking. Vishing takes advantage of the trust that most people place in the telephone network. The users are unaware that using Voice over IP (VoIP) technology, attackers can spoof calls from legitimate entities. Voice messaging can be compromised and used in these attempts.
Social engineering attacks work well because the individual who is the target of the attack/attempt
A. Is often not very intelligent and can’t recognize the fact that a social engineering attack is being attempted.
B. Often either genuinely wants to help or is trying to avoid a confrontation, depending on the attacker’s specific tack.
C. Is new to the organization and can’t tell that the story he is being fed is bogus.
D. Knows the attacker.
B. Social engineering works because people generally truly want to help an individual asking for assistance or because they are trying to avoid a confrontation. It also works because people generally want to believe that the individual really is who he claims to be, even if that’s not actually the case. The target’s intelligence isn’t an important factor; anybody can fall prey to an adept social engineer. If an employee is new to an organization it can certainly be easier for an attacker to convince a target that he is entitled to the information requested, but it is not a requirement. Long-time employees can just as easily provide sensitive information to a talented social engineer. The target and attacker generally do not know each other in a social engineering attack, so D is not a good answer.
From a security standpoint, why should an organization consider a policy of mandatory vacations?
A. To ensure that employees are not involved in illicit activity that they are attempting to hide.
B. Because employees who are tired are more prone to making errors.
C. To provide an opportunity for security personnel to go through their desks and computer systems.
D. To keep from having lawsuits filed against the organization for adverse working conditions.
A. A common characteristic of employees who are involved in illicit activities is their reluctance to take a vacation. A prime security reason to require mandatory vacations is to discourage illicit activities in which employees are engaged.
Select all of the following that are examples of personally identifiable information:
A. An individual’s name
B. A national identification number
C. A license plate number
D. A telephone number
E. A street address
A, B, C, D, E. All of these are examples of personally identifiable information. Any information that can be used to uniquely identify an individual falls into this category.
A hoax can still be a security concern because
A. It may identify a vulnerability that others can then decide to use in an attack.
B. It shows that an attacker has the contact information for an individual who might be used in a later attack.
C. It can result in a user performing some action that could lead to a compromise or that might adversely affect the system or network.
D. A hoax is never a security concern—that is why it is called a hoax.
C. A hoax can cause a user to perform some action, such as deleting a file that the operating system needs. Because of this, hoaxes can be considered legitimate security concerns.
How should CDs and DVDs be disposed of?
A. By shredding using a paper shredder designed also to shred CDs and DVDs.
B. By using a commercial grade degausser.
C. By overwriting the disk with 0s, then 1s, and then a random character.
D. There is no approved way of disposing of this type of media, so they must be archived in a secure facility.
A. Shredders that are designed to destroy CDs and DVDs are common and inexpensive. A degausser is designed for magnetic media, not optical. Writing over with 0s, 1s, and a random character is a method that can be used for other magnetic media but not CDs or DVDs.
What type of attack consists of looking through an individual’s or organization’s trash for sensitive information?
A. Phishing
B. Vishing
C. Shoulder surfing
D. Dumpster diving
D. This is a description of dumpster diving. From a security standpoint, you should be concerned with an attacker being able to locate information that can help in an attack on the organization. From an individual perspective, you should be concerned about the attacker obtaining information such as bank account or credit card numbers.
What type of attack can involve an attacker setting up a camera to record the entries individuals make on keypads used for access control?
A. Phishing
B. Shoulder surfing
C. Dumpster diving
D. Vishing
B. This is a description of a shoulder surfing method. Other methods include simply looking over a person’s shoulder as she enters code or using binoculars to watch from a distance.
Which of the following should be included in a password policy?
A. An explanation of how complex the password should be (i.e., what types of characters a password should be made up of)
B. The length of time the password will be valid before it expires
C. A description of how passwords should be distributed and protected
D. All of the above
D. All three of these were mentioned as part of what a password policy should include.
What is the best method of preventing successful phishing attacks?
A. Firewalls that can spot and eliminate the phishing e-mails
B. Blocking sites where phishing originates
C. A viable user training and awareness program
D. There is no way to prevent successful phishing attacks.
C. While research is being conducted to support spotting and eliminating phishing e-mails, no effective method is currently available to do this. It may be possible to block some sites that are known to be hostile, but again this is not effective at this time since an e-mail could come from anywhere and its address can be spoofed anyway. There might be some truth to the statement (D) that there is no way to prevent successful phishing attacks, because users continue to fall for them. The best way to prevent this is an active and viable user training and awareness program.
What type of attack uses e-mails with a convincing story to encourage users to provide account or other sensitive information?
A. Vishing
B. Shoulder surfing
C. Dumpster diving
D. Phishing
D. This is a description of phishing, which is a type of social engineering attack as are the other options. Vishing employs the use of the telephone network. Shoulder surfing involves the attacker attempting to observe a user entering sensitive information on a form, keypad, or keyboard. Dumpster diving involves the attacker searching through the trash of an organization or individual to find useful and sensitive information.
The reason for providing a group access control policy is
A. It provides a mechanism for individual users to police the other members of the group.
B. It provides an easy mechanism to identify common user restrictions for members of the group. This means that individual profiles for each user don’t have to be created but instead each is identified as a member of the group with its associated group profile/policies.
C. It is the only way to identify individual user access restrictions.
D. It makes it easier for abnormal behaviors to be identified, as a group norm can be established.
B. Groups and domains provide a mechanism to organize users in a logical way. Individuals with similar access restrictions can be placed within the same group or domain. This greatly eases the process of account creation for new employees.
Which of the following is a high-level, broad statement of what the organization wants to accomplish?
A. Policy
B. Procedure
C. Guideline
D. Standard
A. This is the definition of a policy. Procedures are the step-by-step instructions on how to implement policies in an organization.
The VP of IS wants to monitor user actions on the company’s intranet. What is the best method of obtaining the proper permissions?
A. A consent banner displayed upon login
B. Written permission from a company officer
C. Nothing, because the system belongs to the company
D. Written permission from the user
A. A consent banner consenting to monitoring resolves issues of monitoring with respect to the Electronic Communications Privacy Act (ECPA) of 1986.
Your Social Security number and other associated facts kept by your bank are protected by what law against disclosure?
A. The Social Security Act of 1934
B. The Patriot Act of 2001
C. The Gramm-Leach-Bliley Act
D. HIPAA
C. The Gramm-Leach-Bliley Act governs the sharing of privacy information with respect to financial institutions.
Breaking into another computer system in the United States, even if you do not cause any damage, is regulated by what laws?
A. State law, as the damage is minimal
B. Federal law under the Identity Theft and Assumption Deterrence Act
C. Federal law under Electronic Communications Privacy Act (ECPA) of 1986
D. Federal law under the Patriot Act of 2001
D. The Patriot Act of 2001 made computer trespass a felony.
Export of encryption programs is regulated by the
A. U.S. State Department
B. U.S. Commerce Department
C. U.S. Department of Defense
D. National Security Agency
B. Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce.
For the FBI to install and operate Carnivore on an ISP’s network, what is required?
A. A court order specifying items being searched for
B. An official request from the FBI
C. An impact statement to assess recoverable costs to the ISP
D. A written request from an ISP to investigate a computer trespass incident
B. The Patriot Act of 2001 mandated ISP compliance with the FBI Carnivore program.
True or false: Digital signatures are equivalent to notarized signatures for all transactions in the United States.
A. True for all transactions in which both parties agree to use digital signatures
B. True only for non-real property transactions
C. True only where governed by specific state statute
D. False, as the necessary laws have not yet passed
A. Electronic digital signatures are considered valid for transactions in the United States since the passing of the Electronic Signatures in Global and National Commerce Act (E-Sign) in 2001.
The primary factor(s) behind data sharing compliance between U.S. and European companies is/are
A. Safe Harbor Provision
B. European Data Privacy Laws
C. U.S. FTC enforcement actions
D. All of the above
D. All of the above. The primary driver is European data protection laws as enforced on U.S. firms by the FTC through the Safe Harbor provision mechanism.
True or false: Writing viruses and releasing them across the Internet is a violation of law.
A. Always true. All countries have reciprocal agreements under international law.
B. Partially true. Depends on laws in country of origin.
C. False. Computer security laws do not cross international boundaries.
D. Partially true. Depends on the specific countries involved, the author of the virus, and the recipient.
D. This is partially true, for not all countries share reciprocal laws. Some common laws and reciprocity issues exist in certain international communities—for example, the European Union—so some cross-border legal issues have been resolved.
Publication of flaws in encryption used for copy protection is a potential violation of
A. HIPAA
B. U.S. Commerce Department regulations
C. DMCA
D. National Security Agency regulations
C. This is a potential violation of the Digital Millennium Copyright Act of 1998 unless an exemption provision is met.
Violation of DMCA can result in
A. Civil fine
B. Jail time
C. Activity subject to legal injunctions
D. All of the above
D. All of the above have been attributed to DMCA, including the jailing of a Russian programmer who came to the United States to speak at a security conference.
What is the biggest drawback to symmetric encryption?
A. It is too easily broken.
B. It is too slow to be easily used on mobile devices.
C. It requires a key to be securely shared.
D. It is available only on UNIX.
C. In symmetric encryption, the key must be securely shared. This can be complicated because long keys are required for good security.
What is Diffie-Hellman most commonly used for?
A. Symmetric encryption key exchange
B. Signing digital contracts
C. Secure e-mail
D. Storing encrypted passwords
A. Diffie-Hellman is most commonly used to protect the exchange of keys used to create a connection using symmetric encryption. It is often used in Transport Layer Security (TLS) implementations for protecting secure web pages.
What is AES meant to replace?
A. IDEA
B. DES
C. Diffie-Hellman
D. MD5
B. AES, or Advanced Encryption Standard, is designed to replace the old U.S. government standard DES.
What kind of encryption cannot be reversed?
A. Asymmetric
B. Hash
C. Linear cryptanalysis
D. Authentication
B. Hash functions are one-way and cannot be reversed to provide the original plaintext.
What is public key cryptography a more common name for?
A. Asymmetric encryption
B. SHA
C. An algorithm that is no longer secure against cryptanalysis
D. Authentication
A. Asymmetric encryption is another name for public key cryptography.
How many bits are in a block of the SHA algorithm?
A. 128
B. 64
C. 512
D. 1024
C. 512 bits make up a block in SHA.
How does elliptic curve cryptography work?
A. It multiplies two large primes.
B. It uses the geometry of a curve to calculate three points.
C. It shifts the letters of the message in an increasing curve.
D. It uses graphs instead of keys.
B. Elliptic curve cryptography uses two points to calculate a third point on the curve.
A good hash function is resistant to what?
A. Brute-forcing
B. Rainbow tables
C. Interception
D. Collisions
D. A good hash algorithm is resistant to collisions, or two different inputs hashing to the same value.
How is 3DES an improvement over normal DES?
A. It uses public and private keys.
B. It hashes the message before encryption.
C. It uses three keys and multiple encryption and/or decryption sets.
D. It is faster than DES.
C. 3DES uses multiple keys and multiple encryption or decryption rounds to improve security over regular DES.
What is the best kind of key to have?
A. Easy to remember
B. Long and random
C. Long and predictable
D. Short
B. The best encryption key is one that is long and random, to reduce the predictability of the key.
What makes asymmetric encryption better than symmetric encryption?
A. It is more secure.
B. Key management is part of the algorithm.
C. Anyone with a public key could decrypt the data.
D. It uses a hash.
B. In public key cryptography, only the private keys are secret, so key management is built into the algorithm.
What kinds of encryption does a digital signature use?
A. Hashing and asymmetric
B. Asymmetric and symmetric
C. Hashing and symmetric
D. All of the above
A. Digital signatures use hashing and asymmetric encryption.
What does differential cryptanalysis require?
A. The key
B. Large amounts of plaintext and ciphertext
C. Just large amounts of ciphertext
D. Computers able to guess at key values faster than a billion times per second
B. Differential cryptanalysis requires large amounts of plaintext and ciphertext.
What is a brute-force attack?
A. Feeding certain plaintext into the algorithm to deduce the key
B. Capturing ciphertext with known plaintext values to deduce the key
C. Sending every key value at the algorithm to find the key
D. Sending two large men to the key owner’s house to retrieve the key
C. Brute-forcing is the attempt to use every possible key to find the correct one.
What is key escrow?
A. Printing out your private key
B. How Diffie-Hellman exchanges keys
C. When the government keeps a copy of your key
D. Rijndael
C. When the government keeps a copy of your private key, this is typically referred to as key escrow.
When a user wants to participate in a PKI, what component does he or she need to obtain, and how does that happen?
A. The user submits a certification request to the CA.
B. The user submits a key pair request to the CRL.
C. The user submits a certification request to the RA.
D. The user submits proof of identification to the CA.
C. The user must submit identification data and a certification request to the registration authority (RA). The RA validates this information and sends the certification request to the certificate authority (CA).
How does a user validate a digital certificate that is received from another user?
A. The user will first see whether her system has been configured to trust the CA that digitally signed the other user’s certificate and will then validate that CA’s digital signature.
B. The user will calculate a message digest and compare it to the one attached to the message.
C. The user will first see whether her system has been configured to trust the CA that digitally signed the certificate and then will validate the public key that is embedded within the certificate.
D. The user will validate the sender’s digital signature on the message.
A. A digital certificate is validated by the receiver by first determining whether her system has been configured to trust the CA that digitally signed the certificate. If this has been configured, the user’s software uses the CA’s public key and validates the CA’s digital signature that is embedded within the certificate.
What is the purpose of a digital certificate?
A. It binds a CA to a user’s identity.
B. It binds a CA’s identity to the correct RA.
C. It binds an individual to an RA.
D. It binds an individual to a public key.
D. A digital certificate vouches for an individual’s identity and binds that identity to the public key that is embedded within the certificate.
What steps does a user take to validate a CA’s digital signature on a digital certificate?
A. The user’s software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated.
B. The user’s software creates a message digest for the digital signature and encrypts the message digest included within the digital certificate. If the encryption performs properly and the message digest values are the same, the certificate is validated.
C. The user’s software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the user can encrypt the message digest properly with the CA’s private key and the message digest values are the same, the certificate is validated.
D. The user’s software creates a message digest for the digital signature and encrypts the message digest with its private key. If the decryption performs properly and the message digest values are the same, the certificate is validated.
A. The user’s software calculates a message digest for the digital certificate and decrypts the encrypted message digest value included with the certificate, which is the digital signature. The message digest is decrypted using the CA’s public key. If the two message digest values match, the user knows that the certificate has not been modified in an unauthorized manner, and since the encrypted message digest can be decrypted properly with the CA’s public key, the user is assured that this CA created the certificate.
What is a bridge CA, and what is its function?
A. It is a hierarchical trust model that establishes a root CA, which is the trust anchor for all other CAs.
B. It is an entity that creates and maintains the CRL for several CAs at one time.
C. It is a CA that handles the cross-certification certificates for two or more CAs in a peer-to-peer relationship.
D. It is an entity that validates the user’s identity information for the RA before the request goes to the CA.
C. A bridge CA is set up to handle all of the cross-certification certificates and traffic between different CAs and trust domains. A bridge CA is used instead of requiring all of the CAs to authenticate to each other and create certificates with one another, which would end up in a full mesh configuration.
Why would a company implement a key archiving and recovery system within the organization?
A. To make sure all data encryption keys are available for the company if and when it needs them
B. To make sure all digital signature keys are available for the company if and when it needs them
C. To create session keys for users to be able to access when they need to encrypt bulk data
D. To back up the RA’s private key for retrieval purposes
A. To protect itself, the company will make backups of the data encryption keys its employees use for encrypting company information. If an employee is no longer available, the company must make sure that it still has access to its own business data. Companies should not need to back up digital signature keys, since they are not used to encrypt data.
Within a PKI environment, where does the majority of the trust actually lie?
A. All users and devices within an environment trust the RA, which allows them to indirectly trust each other.
B. All users and devices within an environment trust the CA, which allows them to indirectly trust each other.
C. All users and devices within an environment trust the CRL, which allows them to indirectly trust each other.
D. All users and devices within an environment trust the CPS, which allows them to indirectly trust each other.
B. The trust anchor for a PKI environment is the CA. All users and devices trust the CA, which allows them to indirectly trust each other. The CA verifies and vouches for each user’s and device’s identity, so these different entities can have confidence that they are communicating with specific individuals.
Which of the following properly explains the m of n authentication?
A. This is the process a user must go through to properly register for a certificate through the RA.
B. This ensures that a certificate has to be fully validated by a user before he can extract the public key and use it.
C. This is a control in key recovery to enforce separation of duties.
D. This is a control in key recovery to ensure that the company cannot recover a user’s key without the user’s consent.
C. The m of n authentication is the part of the key recovery software that allows a certain number of people to be involved with recovering and reconstructing a lost or corrupted key. A certain number of people (n) are allowed to authenticate to the software, which will allow them to participate in the key recovery process. Not all of those people may be available at one time, however, so a larger number of people (m) need to be involved with the process. The system should not allow only one person to carry out key recovery, because that person could then use the keys for fraudulent purposes.
Which of the following is not a valid field that could be present in an X.509 version 3 digital certificate?
A. Validity dates
B. Serial number
C. Extensions
D. Symmetric key
D. The first three values are valid fields that are used in digital certificates. Validity dates indicate how long the certificate is good for, the serial number is a unique value used to identify individual certificates, and extensions allow companies to expand the use of their certificates. A public key is included in the certificate, which is an asymmetric key, not a symmetric key.
To what does a certificate path pertain?
A. All of the digital certificates that need to be validated before a received certificate can be fully validated and trusted
B. All of the digital certificates that need to be validated before a sent certificate can be properly encrypted
C. All of the digital certificates that need to be validated before a user trusts her own trust anchor
D. All of the digital certificates that need to be validated before a received certificate can be destroyed
A. The certificate path is all of the certificates that must be validated before the receiver of a certificate can validate and trust the newly received certificate. When a user receives a certificate, she must obtain the certificate and public key of all of the CAs until she comes to a self-signed certificate, which is the trusted anchor. So the user must validate each of these certificates until the trusted anchor is reached. The path between the receiver and a trusted anchor is referred to as the certificate path. This is a hierarchical model of trust, and each rung of the trust model must be verified before the end user’s certificate can be validated and trusted.
Which of the following certificate characteristics was expanded upon with version 3 of the X.509 standard?
A. Subject
B. Extensions
C. Digital signature
D. Serial number
B. The X.509 standard is currently at version 3, which added more extension capabilities to digital certificates and which added more flexibility for companies using PKIs. Companies can define many of these extensions to mean specific things that are necessary for their proprietary or customized environment and software.
What is a certification practices statement (CPS), and what is its purpose?
A. A CPS outlines the steps a CA goes through to validate identities and generate certificates. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.
B. A CPS outlines the steps a CA goes through to communicate with other CAs in other states. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.
C. A CPS outlines the steps a CA goes through to set up an RA at a company’s site. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.
D. A CPS outlines the steps a CA goes through to become a business within a vertical market. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.
A. The CPS outlines the certificate classes the CA uses and the CA’s procedures for verifying end-entity identities, generating certificates, and maintaining the certificates throughout their lifetimes. Any company that will be using a specific CA needs to make sure it is going through these procedures with the level of protection the company would require of itself. The company will be putting a lot of trust in the CA, so the company should do some homework and investigate how the CA actually accomplishes its tasks.
Which of the following properly describes what a public key infrastructure (PKI) actually is?
A. A protocol written to work with a large subset of algorithms, applications, and protocols
B. An algorithm that creates public/private key pairs
C. A framework that outlines specific technologies and algorithms that must be used
D. A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services
D. A PKI is a framework that allows several different types of technologies, applications, algorithms, and protocols to be plugged into it. The goal is to provide a foundation that can provide a hierarchical trust model, which will allow end-entities to indirectly trust each other and allow for secure and trusted communications.
Once an individual validates another individual’s certificate, what is the use of the public key that is extracted from this digital certificate?
A. The public key is now available to use to create digital signatures.
B. The user can now encrypt session keys and messages with this public key and can validate the sender’s digital signatures.
C. The public key is now available to encrypt future digital certificates that need to be validated.
D. The user can now encrypt private keys that need to be transmitted securely.
B. Once a receiver validates a digital certificate, the embedded public key can be extracted and used to encrypt symmetric session keys, encrypt messages, and validate the sender’s digital signatures.
Why would a digital certificate be added to a certificate revocation list (CRL)?
A. If the public key had become compromised in a public repository
B. If the private key had become compromised
C. If a new employee joined the company and received a new certificate
D. If the certificate expired
B. When certificates are added to a CRL, the public/private key pair should no longer be bound to a specific person’s identity. This can happen if a private key is compromised, meaning that it was stolen or captured—this would mean someone else could be using the private key instead of the original user, so the CRL is a protection mechanism that will alert others in the PKI of this incident. Certificates can be added to the CRL if an employee leaves the company or is no longer affiliated with the company for one reason or another. Expired certificates are not added to CRLs.
What is an online CRL service?
A. End-entities can send a request containing a serial number of a specific certificate to an online CRL service. The online service will query several CRL distribution points and respond with information about whether the certificate is still valid or not.
B. CAs can send a request containing the expiration date of a specific certificate to an online CRL service. The online service will query several other RAs and respond with information about whether the certificate is still valid or not.
C. End-entities can send a request containing a public key of a specific certificate to an online CRL service. The online service will query several end-entities and respond with information about whether the certificate is still valid or not.
D. End-entities can send a request containing a public key of a specific CA to an online CRL service. The online service will query several RA distribution points and respond with information about whether the CA is still trustworthy or not.
A. Actually getting the data on the CRLs to end-entities is a huge barrier for many PKI implementations. The environment can have distribution points set up, which provide centralized places that allow the users’ systems to query to see whether a certificate has been revoked or not. Another approach is to push down the CRLs to each end-entity or to use an online service. The online service will do the busy work for the end-entity by querying all the available CRLs and returning a response to the end-entity indicating whether the certificate has been revoked or not.
If an extension is marked as critical, what does this indicate?
A. If the CA is not programmed to understand and process this extension, the certificate and corresponding keys can be used for their intended purpose.
B. If the end-entity is programmed to understand and process this extension, the certificate and corresponding keys cannot be used.
C. If the RA is not programmed to understand and process this extension, communication with the CA is not allowed.
D. If the end-entity is not programmed to understand and process this extension, the certificate and corresponding keys cannot be used.
D. Digital certificates have extensions that allow companies to expand the use of certificates within their environments. When a CA creates a certificate, it is certifying the key pair to be used for a specific purpose (for digital signatures, data encryption, validating a CA’s digital signature, and so on). If a CA adds a critical flag to an extension, it is stating that the key pair can be used only for the reason stated in the extension. If an end-entity receives a certificate with this critical flag set and cannot understand and process the marked extension, the key pair cannot be used at all. The CA is stating, “I will allow the key pair to be used only for this purpose and under these circumstances.” If an extension is marked noncritical, the end-entity does not have to be able to understand and process that extension.
How can users have faith that the CRL was not modified to present incorrect information?
A. The CRL is digitally signed by the CA.
B. The CRL is encrypted by the CA.
C. The CRL is open for anyone to post certificate information to.
D. The CRL is accessible only to the CA.
A. The CRL contains all of the certificates that have been revoked. Only the CA can post information to this list. The CA then digitally signs the list to ensure that any modifications will be detected. When an end-entity receives a CRL, it verifies the CA’s digital signature, which tells the end-entity whether the list has been modified in an unauthorized manner and guarantees that the correct CA signed the list.
When would a certificate be suspended, and where is that information posted?
A. It would be suspended when an employee leaves the company. It is posted on the CRL.
B. It would be suspended when an employee changes his or her last name. It is posted on the CA.
C. It would be suspended when an employee goes on vacation. It is posted on the CRL.
D. It would be suspended when a private key is compromised. It is posted on the CRL.
C. A certificate can be suspended if it needs to be temporarily taken out of production for a period of time. If an employee goes on vacation and wants to make sure no one can use his certificate, he can make a suspension request to the CA, which will post the information to the CRL. The other answers in this question would require the certificate to be revoked, not suspended, and a new certificate would need to be created for the user.
What does cross certification pertain to in a PKI environment?
A. When a company uses an outsourced service provider, it needs to modify its CPS to allow for cross certification to take place between the RA and CA.
B. When two end-entities need to communicate in a PKI, they need to exchange certificates.
C. When two or more CAs need to trust each other so that their end-entities can communicate, they will create certificates for each other.
D. An RA needs to perform a cross certification with a user before the certificate registration is terminated.
C. Cross certification means that two or more CAs create certificates for each other. This takes place when two trust domains, each with their own CA, need to be able to communicate—a trusted path needs to be established between these domains. Once the first CA validates the other CA’s identity and creates a certificate, it then trusts this other CA, which creates a trusted path between the different PKI environments. The trust can be bidirectional or unidirectional.
Which organization created PKCS?
A. RSA
B. IEEE
C. OSI
D. ISO
A. RSA Laboratories created Public Key Cryptography Standards (PKCS).
Which of the following is not part of a public key infrastructure?
A. Certificates
B. Certificate revocation list (CRL)
C. Substitution cipher
D. Certificate authority (CA)
C. The substitution cipher is not a component of PKI. The substitution cipher is an elementary alphabet-based cipher.
Which of the following is used to grant permissions using rule-based, role-based, and rank-based access controls?
A. Attribute Certificate
B. Qualified Certificate
C. Control Certificate
D. Operational Certificate
A. An Attribute Certificate (AC) is used to grant permissions using rule-based, role-based, and rank-based access controls.
Transport Layer Security consists of which two protocols?
A. TLS Record Protocol and TLS Certificate Protocol
B. TLS Certificate Protocol and TLS Handshake Protocol
C. TLS Key Protocol and TLS Handshake Protocol
D. TLS Record Protocol and TLS Handshake Protocol
D. Transport Layer Security consists of the TLS Record Protocol, which provides security, and the TLS Handshake Protocol, which allows the server and client to authenticate each other.
Which of the following provides connection security by using common encryption methods?
A. TLS Certificate Protocol
B. TLS Record Protocol
C. TLS Layered Protocol
D. TLS Key Protocol
B. The TLS Record Protocol provides connection security by using common encryption methods, such as DES.
Which of the following provides a method for implementing a key exchange protocol?
A. EISA
B. ISA
C. ISAKMP
D. ISAKEY
C. The Internet Security Association and Key Management Protocol (ISAKMP) provides a method for implementing a key exchange protocol and for negotiating a security policy.
A relationship in which two or more entities define how they will communicate securely is known as what?
A. Security association
B. Security agreement
C. Three-way agreement
D. Three-way handshake
A. During a security association, the client and the server will list the types of encryption of which they are capable and will choose the most secure encryption standard that they have in common.
The entity requesting an SA sets what?
A. Initiator cookie
B. Process ID
C. Session number
D. Session ID
A. The entity requesting a security association will request an initiator cookie.
What protocol is used to establish a CA?
A. Certificate Management Protocol
B. Internet Key Exchange Protocol
C. Secure Sockets Layer
D. Public Key Infrastructure
A. The Certificate Management Protocol is used to establish a CA.
What is the purpose of XKMS?
A. Encapsulates session associations over TCP/IP
B. Extends session associations over many transport protocols
C. Designed to replace SSL
D. Defines services to manage heterogeneous PKI operations via XML
D. XML Key Management Specification (XKMS) allows services to manage PKI via XML, which is interoperable across different vendor platforms.
Which of the following is a secure e-mail standard?
A. POP3
B. IMAP
C. S/MIME
D. SMTP
C. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a secure e-mail standard. Other popular standards include Pretty Good Privacy (PGP) and OpenPGP.
Secure Sockets Layer uses what port to communicate?
A. 143
B. 80
C. 443
D. 53
C. SSL’s well-known port is 443. SSL was developed by Netscape.
The feature that could allow a CD to load malicious code is called what?
A. A false negative
B. A CD-Key
C. An MBR, or Master Boot Record
D. Autorun
D. Autorun allows CDs to execute code automatically.
Why is water not used for fire suppression in data centers?
A. It would cause a flood.
B. Water cannot put out an electrical fire.
C. Water would ruin all the electronic equipment.
D. Building code prevents it.
C. Electronic components would be ruined by a water-based fire-suppression system.
Which one is not a unique biometric?
A. Fingerprint
B. Eye retina
C. Hand geometry
D. Shoulder-to-waist geometry
D. Shoulder-to-waist geometry is not unique. All the other examples are biometrics that are unique.
Why is physical security so important to good network security?
A. Because encryption is not involved
B. Because physical access defeats nearly all network security measures
C. Because an attacker can steal biometric identities
D. Authentication
B. Physical access to a computer system will almost always defeat any security measures put in place on the system.
How does multiple-factor authentication improve security?
A. By using biometrics, no other person can authenticate.
B. It restricts users to smaller spaces.
C. By using a combination of authentications, it is more difficult for someone to gain illegitimate access.
D. It denies access to an intruder multiple times.
C. Multiple-factor authentication gives an attacker several systems to overcome, making the unauthorized access of systems much more difficult.
Why is access to an Ethernet jack a risk?
A. A special plug can be used to short out the entire network.
B. An attacker can use it to make a door entry card for himself.
C. Wireless traffic can find its way onto the local area network.
D. It allows access to the internal network.
D. An exposed Ethernet jack available in a public place can allow access to the internal network, typically bypassing most of the network’s security systems.
When a biometric device has a false positive, it has done what?
A. Generated a positive charge to the system for which compensation is required
B. Allowed access to a person who is not authorized
C. Denied access to a person who is authorized
D. Failed, forcing the door it controls to be propped open
B. A false positive means the system granted access to an unauthorized person based on a biometric being close to an authorized person’s biometric.
Why does an IP-based CCTV system need to be implemented carefully?
A. Camera resolutions are lower.
B. They don’t record images; they just send them to web pages.
C. The network cables are more easily cut.
D. They could be remotely attacked via the network.
D. Any device attached to the IP network can be attacked using a traditional IP-based attack.
Which of the following is a very simple physical attack?
A. Using a custom RFID transmitter to open a door
B. Accessing an Ethernet jack to attack the network
C. Outright theft of the computers
D. Installing a virus on the CCTV system
C. The theft of a computer is a very simple attack that can be carried out surprisingly effectively. This allows an attacker to compromise the stolen machine and its data at his leisure.
A perfect bit-by-bit copy of a drive is called what?
A. Drive picture
B. Drive image
C. Drive copy
D. Drive partition
B. A drive image is a perfect copy of a drive that can then be analyzed on another computer.
What about physical security makes it more acceptable to other employees?
A. It is more secure.
B. Computers are not important.
C. It protects the employees themselves.
D. It uses encryption.
C. Physical security protects the people, giving them a vested interest in its support.
On whom should a company perform background checks?
A. System administrators only
B. Contract personnel only
C. Background checks are not needed outside of the military
D. All individuals who have unescorted physical access to the facility
D. All unescorted people entering the facility should be background checked.
What is a common threat to token-based access controls?
A. The key
B. Demagnetization of the strip
C. A system crash
D. Loss or theft of the token
D. The loss or theft of the token is the most common and most serious threat to the system; anyone with a token can access the system.
Why should security guards get cross-training in network security?
A. They are the eyes and ears of the corporation when it comes to security.
B. They are the only people in the building at night.
C. They are more qualified to know what a security threat is.
D. They have the authority to detain violators.
A. Security guards are the corporation’s eyes and ears and have a direct responsibility for security information.
Why can a USB flash drive be a threat?
A. They use too much power.
B. They can bring malicious code past other security mechanisms.
C. They can be stolen.
D. They can be encrypted.
B. USB drives have large storage capacities and can carry some types of malicious code past traditional virus filters.
Switches operate at which layer of the OSI model?
A. Physical layer
B. Network layer
C. Data link layer
D. Application layer
C. Switches operate at layer 2, the data link layer of the OSI model.
UTP cables are terminated for Ethernet using what type of connector?
A. A BNC plug
B. An Ethernet connector
C. A standard phone jack connector
D. An RJ-45 connector
D. The standard connector for UTP in an Ethernet network is the RJ-45 connector. An RJ-45 is larger than a standard phone connector.
Coaxial cable carries how many physical channels?
A. Two
B. Four
C. One
D. None of the above
C. A coaxial connector carries one wire, one physical circuit.
The purpose of a DMZ in a network is to
A. Provide easy connections to the Internet without an interfering firewall
B. Allow server farms to be divided into similar functioning entities
C. Provide a place to lure and capture hackers
D. Act as a buffer between untrusted and trusted networks
D. A DMZ-based topology is designed to manage the different levels of trust between the Internet (untrusted) and the internal network (trusted).
Network access control is associated with which of the following?
A. NAP
B. IPsec
C. IPv6
D. NAT
A. NAP (Network Access Protection) is one form of network access control.
The purpose of twisting the wires in twisted-pair circuits is to
A. Increase speed
B. Increase bandwidth
C. Reduce crosstalk
D. Allow easier tracing
C. The twist in twisted-pair wires reduces crosstalk between wires.
The shielding in STP acts as
A. A physical barrier strengthening the cable
B. A way to reduce interference
C. An amplifier allowing longer connections
D. None of the above
B. The shielding on STP is for grounding and reducing interference.
What is the common standard for data link layer loop protection?
A. Virtual hosts
B. TTL (Time to Live counter)
C. NAT
D. 802.1D (Spanning Tree)
D. Spanning tree protocol is the method of maintaining loop-free layer 2 networks.
One of the greatest concerns addressed by physical security is preventing unauthorized connections having what intent?
A. Sniffing
B. Spoofing
C. Data diddling
D. Free network access
A. Sniffing is the greatest threat, for passwords and accounts can be captured and used later.
SNMP is a protocol used for which of the following functions?
A. Secure e-mail
B. Secure encryption of network packets
C. Remote access to user workstations
D. Remote access to network infrastructure
D. The Simple Network Management Protocol is used to control network devices from a central control location.
Firewalls can use which of the following in their operation?
A. Stateful packet inspection
B. Port blocking to deny specific services
C. NAT to hide internal IP addresses
D. All of the above
D. Firewalls can do all of these things.
SMTP is a protocol used for which of the following functions?
A. E-mail
B. Secure encryption of network packets
C. Remote access to user workstations
D. None of the above
A. SMTP, the Simple Mail Transfer Protocol, is used to move e-mail across a network.
Microwave communications are limited by
A. Speed—the maximum for microwave circuits is 1 Gbps
B. Cost—microwaves take a lot of energy to generate
C. Line of sight—microwaves don’t propagate over the horizon
D. Lack of standard operation protocols for widespread use
C. Microwave energy is a line-of-sight transmission medium; hence, towers must not be spaced too far apart or the horizon will block transmissions.
USB-based flash memory is characterized by
A. Expensive
B. Low capacity
C. Slow access
D. None of the above
D. USB-based flash memory is low cost, fast, and high capacity—currently 32GB.
Mobile devices connected to networks include what?
A. Smart phones
B. Laptops
C. MP3 music devices
D. All of the above
D. Almost any digital memory–containing device can find its way onto a network.
PPP provides for
A. Network control of printers over a parallel port
B. Encapsulation of datagrams across serial point-to-point connections
C. An obsolete layer protocol from before the Internet
D. A service to establish VPNs across the Internet
B. PPP supports three functions: encapsulate datagrams across serial links; establish, configure, and test links using LCP; and establish and configure different network protocols using NCP.
Authentication is typically based upon what? (Select all that apply.)
A. Something a user possesses
B. Something a user knows
C. Something measured on a user, such as a fingerprint
D. None of the above
A, B, and C. Authentication is commonly performed with passwords, something you know; tokens, something you have; and biometrics, such as fingerprints.
Passwords are an example of
A. Something you have
B. Something you know
C. A shared secret
D. None of the above
B. Passwords are defined as something you know, and are not to be shared.
Which of these protocols is used for carrying authentication, authorization, and configuration (accounting) information between a network access server and a shared authentication server?
A. IPsec
B. VPN
C. SSH
D. RADIUS
D. RADIUS is a protocol for performing authentication, authorization, and accounting. It involves an information exchange between a network access server, which desires authentication of specific connections, and a shared authentication server.
On a VPN, traffic is encrypted and decrypted at
A. Endpoints of the tunnel only
B. Users’ machines
C. Each device at each hop
D. The data link layer of access devices
A. A virtual private network (VPN) is a secure communications protocol that encrypts traffic between two endpoints of a tunnel. At each endpoint of the secure VPN tunnel, the traffic is either encrypted or decrypted, depending on whether the traffic is going into or out of the tunnel.
What protocol is used for TACACS+?
A. UDP
B. NetBIOS
C. TCP
D. Proprietary
C. TACACS+ is TCP-based and uses port 49.
What protocol is used for RADIUS?
A. UDP
B. NetBIOS
C. TCP
D. Proprietary
A. RADIUS has been officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting by the Internet Assigned Number Authority (IANA). However, previously, ports 1645–Authentication and 1646–Accounting were used unofficially and became the default ports assigned by many RADIUS client/server implementations of the time. The tradition of using 1645 and 1646 for backward compatibility continues to this day. For this reason, many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests. Microsoft RADIUS servers default to 1812 and 1813, but Cisco devices default to the traditional 1645 and 1646 ports.
Which protocols are natively supported by Microsoft Windows XP and Vista for use in securing remote connections?
A. SSH
B. PPTP
C. IPsec
D. RADIUS
B and C. Both PPTP and IPsec are supported by Microsoft Windows operating systems. IPsec is more resource intensive, but also more versatile, and it allows greater flexibility in connections.
What are the foundational elements of an access control system?
A. Passwords, permissions, cryptography
B. Shared secrets, authorization, authenticators
C. Authentication, permissions, user IDs
D. Identification, authorization, authentication
D. Access control systems need three main components: identification, authorization, and authentication.
IPsec provides which options as security services?
A. ESP and AH
B. ESP and AP
C. EA and AP
D. EA and AH
A. IPsec utilizes Encapsulating Security Payload (ESP) and Authentication Headers (AH).
Secure Shell uses which port to communicate?
A. TCP port 80
B. UDP port 22
C. TCP port 22
D. TCP port 110
C. SSH initiates conversations over TCP port 22.
Elements of Kerberos include which of the following:
A. Tickets, ticket granting server, ticket authorizing agent
B. Ticket granting ticket, authentication server, ticket
C. Services server, Kerberos realm, ticket authenticators
D. Client to server ticket, authentication server ticket, ticket
B. Kerberos works using tickets. A ticket granting ticket is one type of ticket obtained from the authentication server.
To establish a PPTP connection across a firewall, you must do which of the following?
A. Do nothing; PPTP does not need to cross firewalls by design.
B. Do nothing; PPTP traffic is invisible and tunnels past firewalls.
C. Open a UDP port of choice and assign to PPTP.
D. Open TCP port 1723.
D. PPTP uses TCP port 1723 to establish communications, so this port must be open across a firewall for PPTP to function correctly.
To establish an L2TP connection across a firewall, you must do which of the following?
A. Do nothing; L2TP does not cross firewalls by design.
B. Do nothing; L2TP tunnels past firewalls.
C. Open a UDP port of choice and assign to L2TP.
D. Open UDP port 1701.
D. L2TP uses UDP port 1701 to establish communications, so this port must be open across a firewall for L2TP to function correctly.
IPsec can provide which of the following types of protection?
A. Context protection
B. Content protection
C. Both context and content protection
D. Neither context nor content protection
C. IPsec can provide both context and content protection by using both ESP and AH.
What encryption method does WEP use to try to ensure confidentiality of 802.11 networks?
A. MD5
B. AES
C. RC4
D. Diffie-Hellman
C. WEP uses the RC4 stream cipher.
How does WTLS ensure integrity?
A. Sender’s address
B. Message authentication codes
C. Sequence number
D. Public key encryption
B. WTLS uses a message authentication code generated with a one-way hash algorithm.
What two key lengths does WEP support?
A. 1024 and 2048
B. 104 and 40
C. 512 and 256
D. 24 and 32
B. WEP currently supports 104 and 40, though it is sometimes packaged as 64-bit and 128-bit encryption. The initialization vector takes up 24 bits, leaving the 40- and 104-bit key strings.
Why does the SSID provide no real means of authentication?
A. It cannot be changed.
B. It is only 24 bits.
C. It is broadcast in every beacon frame.
D. SSID is not an authentication function.
C. The SSID, or service set identifier, attempts to provide an authentication function, but because it is broadcast in every frame, it is trivial for an attacker to break.
The 802.1X protocol is a new protocol for Ethernet
A. Authentication
B. Speed
C. Wireless
D. Cabling
A. Authentication; 802.1X is the new EAP framework for strong authentication over Ethernet networks.
Why does WTLS have to support shorter key lengths?
A. WAP doesn’t need high security.
B. The algorithm cannot handle longer key lengths.
C. Key lengths are not important to security.
D. WTLS has to support devices with low processor power and limited RAM.
D. WAP is designed to be used with small mobile devices, usually with low processor power and limited RAM, so it must support lower grade encryption.
Why is 802.11 wireless such a security problem?
A. It has too powerful a signal.
B. It provides access to the physical layer of Ethernet without a person needing physical access to the building.
C. All the programs on wireless are full of bugs that allow buffer overflows.
D. It draws too much power and the other servers reboot.
B. The 802.11 protocol provides physical layer access without a person needing to have physical access to the building, thus promoting drive-by and parking lot attacks.
What protocol is WTLS trying to secure?
A. WAP
B. WEP
C. GSM
D. SSL
A. WTLS is an attempt to secure the Wireless Application Protocol, or WAP.
Why should wireless have strong two-way authentication?
A. Because you want to know when an attacker connects to the network.
B. Because wireless is especially susceptible to a man-in-the-middle attack.
C. Wireless needs authentication to prevent users from adding their home computers.
D. Two-way authentication is needed so an administrator can ask the wireless user a set of questions.
B. Wireless is not connected to any physical medium, making it especially vulnerable to a man-in-the-middle attack.
Why is attacking wireless networks so popular?
A. There are more wireless networks than wired.
B. They all run Windows.
C. It’s easy.
D. It’s more difficult and more prestigious than other network attacks.
C. Attacking wireless networks is extremely popular because it’s easy—the majority of wireless networks have no security installed on them. This allows anyone to connect and have practically full access to the network.
How are the security parameters of WTLS chosen between two endpoints?
A. Only one option exists for every parameter.
B. The client dictates all parameters to the server.
C. The user codes the parameters through DTMF tones.
D. The WTLS handshake determines what parameters to use.
D. The WTLS handshake lets both endpoints exchange capabilities, and then the parameters are agreed upon.
What is bluejacking?
A. Stealing a person’s mobile phone
B. Sending an unsolicited message via Bluetooth
C. Breaking a WEP key
D. Leaving your Bluetooth in discoverable mode
B. Bluejacking is a term used for the sending of unauthorized messages to another Bluetooth device.
How does 802.11n improve network speed?
A. Wider bandwidth
B. Higher frequency
C. Multiple-input multiple-output
D. Both A and C
D. The “n” protocol uses both wider bandwidth and multiple-input and multiple-output techniques to increase speed several times over the “g” protocol.
Bluebugging can give an attacker what?
A. All of your contacts
B. The ability to send “shock” photos
C. Total control over a mobile phone
D. A virus
C. Bluebugging gives an attacker total control over a mobile phone.
Why is it important to scan your own organization for wireless?
A. It can detect rogue access points.
B. It checks the installed encryption.
C. It finds vulnerable mobile phones.
D. It checks for wireless coverage.
A. Scanning detects rogue access points.
What are the three types of event logs generated by Windows NT and 2000 systems?
A. Event, Process, and Security
B. Application, User, and Security
C. User, Event, and Security
D. Application, System, and Security
D. The three main types of event logs generated by Windows NT and 2000 systems are Application, System, and Security.
What are the two main types of intrusion detection systems?
A. Network-based and host-based
B. Signature-based and event-based
C. Active and reactive
D. Intelligent and passive
A. The two main types of intrusion detection systems are network-based and host-based. Network-based systems monitor network connections for suspicious traffic. Host-based systems reside on an individual system and monitor that system for suspicious or malicious activity.
The first commercial, network-based IDS product was
A. Stalker
B. NetRanger
C. IDES
D. RealSecure
B. The first commercial network-based IDS product was NetRanger, released by Wheelgroup in 1995.
What are the two main types of IDS signatures?
A. Network-based and file-based
B. Context-based and content-based
C. Active and reactive
D. None of the above
B. The two main types of IDS signatures are context-based and content-based. Context-based signatures examine traffic and how that traffic fits into the other traffic around it. A port scan is a good example of a context-based signature. A content-based signature looks at what is inside the traffic, such as the contents of a specific packet.
A passive, host-based IDS
A. Runs on the local system
B. Does not interact with the traffic around it
C. Can look at system event and error logs
D. All of the above
D. A passive, host-based IDS runs on the local system, cannot interfere with traffic or activity on that system, and would have access to local system logs.
Which of the following is not a capability of network-based IDS?
A. Can detect denial-of-service attacks
B. Can decrypt and read encrypted traffic
C. Can decode UDP and TCP packets
D. Can be tuned to a particular network environment
B. A network-based IDS typically cannot decrypt and read encrypted traffic. This is one of the principal weaknesses of network-based intrusion detection systems.
An active IDS can
A. Respond to attacks with TCP resets
B. Monitor for malicious activity
C. A and B
D. None of the above
C. An active IDS can perform all the functions of a passive IDS (monitoring, alerting, reporting, and so on) with the added ability of responding to suspected attacks with capabilities such as sending TCP reset messages to the source and destination IP addresses.
Honeypots are used to
A. Attract attackers by simulating systems with open network services
B. Monitor network usage by employees
C. Process alarms from other IDSs
D. Attract customers to e-commerce sites
A. Honeypots are designed to attract attackers by providing what appear to be easy, inviting targets. The honeypot collects and records the activity of attackers and their tools.
Egress filtering is used to detect SPAM that is
A. Coming into an organization
B. Sent from known spammers outside your organization
C. Leaving an organization
D. Sent to mailing lists in your organization
C. Egress filtering is performed to detect and stop SPAM from leaving your organization. Mail is checked as it leaves your organization.
Preventative intrusion detection systems
A. Are cheaper
B. Are designed to stop malicious activity from occurring
C. Can only monitor activity
D. Were the first types of IDS
B. Preventative intrusion detection systems are designed to “prevent” malicious actions from having any impact on the targeted system or network. For example, a host-based preventative IDS may intercept an attacker’s buffer overflow attempt and prevent it from executing. By stopping the attack, the IDS prevents the attacker from affecting the system.
Which of the following is not a type of proxy?
A. Reverse
B. Web
C. Open
D. Simultaneous
D. Reverse, Web, and Open are all types of proxies discussed in the chapter. Simultaneous is not a type of known proxy.
IPS stands for
A. Intrusion processing system
B. Intrusion prevention sensor
C. Intrusion prevention system
D. Interactive protection system
C. IPS stands for intrusion prevention system.
A protocol analyzer can be used to
A. Troubleshoot network problems
B. Collect network traffic statistics
C. Monitor for suspicious traffic
D. All of the above
D. A protocol analyzer is a very flexible tool and can be used for network traffic analysis, statistics collection, and monitoring and identification of suspicious or malicious traffic.
True or False: Windows Defender is available with every version of the Windows operating system.
A. True
B. False
B. False. Windows Defender is available for Windows XP, Vista, Windows Server 2003, and Windows Server 2008.
Heuristic scanning looks for
A. Normal network traffic patterns
B. Viruses and spam only
C. Firewall policy violations
D. Commands or instructions that are not normally found in application programs
D. Heuristic scanning typically looks for commands or instructions that are not normally found in application programs.
Implicit deny in a firewall rule set means:
A. All traffic is rejected
B. All incoming traffic is rejected
C. Any traffic not expressly permitted is denied
D. Any traffic not denied by a prior rule is permitted
D. Implicit deny means that any traffic not expressly permitted by a rule in the firewall’s rule set or ACL is denied and rejected by the firewall.
An “all-in-one security appliance” typically performs which of the following functions?
A. Intrusion detection/prevention
B. Antivirus
C. Network firewall
D. All of the above
D. All of the above. All-in-one security appliances perform multiple security roles including firewall, IDS/IPS, VPN capabilities, anti-spam, malicious web traffic filtering, antispyware, content filtering, and traffic shaping.
Which of the following security devices might have the ability to scan all outgoing and incoming web traffic to detect and block undesirable traffic such as malware, spyware, adware, malicious scripts, and file-based attacks?
A. Spam filter
B. Web security gateway
C. Honeypot
D. Packet-filtering firewall
B. A web security gateway has the ability to scan all outgoing and incoming web traffic to detect and block undesirable traffic such as malware, spyware, adware, malicious scripts, and file-based attacks.
A web application firewall is designed to detect and stop which of the following?
A. SQL injection attacks
B. Port scans
C. Infected e-mail traffic
D. Worms
A. Web application firewalls are intended to address the security threats and pitfalls unique to web-based traffic such as SQL injection attacks.
What IDS model requires the system to learn what “normal” network activity looks like before it can effectively detect malicious activity?
A. Signature-based
B. Malware-based
C. Behavior-based
D. Activity-based
C. A behavior-based IDS model relies on a collected set of “normal behavior”—what should happen on the network and is considered “normal” or “acceptable” traffic. Behavior that does not fit into the “normal” activity categories or patterns is considered suspicious or malicious.
Which IDS model uses artificial intelligence and algorithms to detect malicious activity?
A. Signature-based model
B. Web-based model
C. Heuristic model
D. Denning model
C. The heuristic model uses artificial intelligence to detect intrusions and malicious traffic. This is typically implemented through algorithms that help an IDS decide if a traffic pattern is malicious or not.
Which of the following is a tool designed to identify what devices are connected to a given network and, where possible, the operating system in use on that device?
A. Firewall
B. Web security gateway
C. All-in-one security appliance
D. Network mapper
D. A network mapper is a tool designed to identify what devices are connected to a given network and, where possible, the operating system in use on that device.
Egress filtering is:
A. Filtering e-mail traffic leaving your organization for spam
B. Filtering e-mail traffic entering your organization for spam
C. Filtering e-mail traffic from known spam senders
D. Filtering e-mail traffic between employees in your organization
A. Egress filtering is filtering e-mail traffic leaving your organization.
A web security gateway performs all of the following functions except:
A. Content monitoring
B. Port mirroring
C. Data protection and compliance monitoring
D. Malware protection
B. Port mirroring is used on switches to copy packets seen on one or more ports to a different port, typically for monitoring purposes.
When discussing Intrusion Prevention systems, HIPS refers to:
A. Host-based Intrusion Prevention Systems
B. Heuristic-based Intrusion Prevention Systems
C. Hardware-based Intrusion Prevention Systems
D. Holistic-based Intrusion Prevention Systems
A. HIPS refers to Host-based Intrusion Prevention Systems.
Which of the following steps is part of the hardening process for operating systems?
A. Removing unnecessary applications and utilities
B. Disabling unneeded services
C. Setting appropriate permissions on files
D. All of the above
D. All of the steps mentioned (removing unnecessary applications, disabling unnecessary services, and setting appropriate permissions on files) are part of the hardening process. Leaving out any of these steps could result in an insecure system.
Group policies can be applied to
A. Users and systems
B. Only to the local system
C. Only to users
D. Only to systems
A. Group policies can be applied to both users and systems.
Buffer overflow attacks are best defeated by
A. Removing sample files
B. Selecting strong passwords
C. Setting appropriate permissions on files
D. Installing the latest patches
D. The best defense against buffer overflows is to apply the appropriate patches or fixes that eliminate the buffer overflow condition.
Which of the following is a disciplined approach to the acquisition, testing, and implementation of operating system and application updates?
A. Security templates
B. Patch management
C. System hardening
D. System baselining
B. Patch management is a disciplined approach to the acquisition, testing, and implementation of operating system and application updates.
Traffic filtering is used to
A. Scan incoming web requests for malformed code
B. Restrict access to ports and services
C. Prevent buffer overflows
D. Optimize the flow of time-sensitive traffic
B. Traffic filtering is used to restrict access to ports and services. This helps control who has access to network services and which services they may access.
File permissions under UNIX consist of what three types?
A. Modify, read, and execute
B. Full control, read-only, and run
C. Write, read, and open
D. Read, write, and execute
D. File permissions under UNIX consist of read, write, and execute.
The netstat command
A. Lists active network connections
B. Provides the status of all hardware interfaces
C. Shows open files and directories
D. All of the above
A. The netstat (network statistics) command lists information about active network connections.
Security templates can be used to configure settings in the following areas:
A. Restricted Groups, User Rights, and Memory Usage
B. User Rights, System Services, and Disk Usage
C. System Services, Registry Permissions, and Restricted Groups
D. Disk Usage, File Permissions, and Bandwidth Usage
C. Security templates can be used to configure settings in all of the following areas: Account Policies, Event Log settings, File Permissions, Registry Permissions, Restricted Groups, System Services, and User Rights.
The inetd daemon
A. Listens for incoming connections
B. Starts the appropriate service when required
C. Runs at system startup
D. All of the above
D. The Internet superserver daemon, inetd, performs all of the functions listed. This helps prevent other services from using system resources until they need to do so.
To provide an immediate solution addressing a specific vulnerability, a vendor may release
A. A hotfix
B. A service pack
C. A patch
D. None of the above
A. Immediate solutions designed to address a specific vulnerability are usually called hotfixes. Patches and service packs tend to be larger, they are released on a slower timetable, and they often contain fixes for many different problems.
Network Access Quarantine Control allows administrators to
A. Block malicious or suspicious traffic on wireless connections
B. Prevent computers from connecting to the network until their configuration has been reviewed and deemed “safe”
C. Filter out viruses, malware, and Trojans
D. Restrict traffic from systems using non-Microsoft operating systems
B. Network Access Quarantine Control enables administrators to prevent computers from connecting to the network until their configuration has been reviewed and deemed “safe.” This capability can help prevent the spread of viruses and malware.
Password security consists of
A. Selecting a password with at least eight characters, at least one change in case, and at least one number or nonalphanumeric character
B. Storing the password in your wallet or purse
C. Using the same password on every system
D. Changing passwords at least once a year
A. Password security consists of selecting a password with at least eight characters, at least one change in case, and at least one number or nonalphanumeric character.
TCP wrappers
A. Verify checksums on every packet entering or leaving the system
B. Help prioritize network traffic for optimal throughput
C. Help restrict access to the local system
D. None of the above
C. TCP wrappers help restrict access to the local system by controlling what systems are allowed to connect to what services. This functionality is typically implemented in the hosts.allow and hosts.deny files on a specific system.
Ensuring software is patched and up to date is important for
A. Operating systems
B. Network devices
C. Applications
D. All of the above
D. Ensuring software is patched and up to date is important for every piece of software and network equipment.
Security templates are
A. A collection of security settings
B. A method of managing patches
C. Application-specific security features
D. Available only on domain controllers
A. Security templates are a collection of security settings that can be applied to systems to increase their security posture.
Firewall rules are not used for which of the following tasks?
A. To control traffic leaving an organization
B. To control traffic entering an organization
C. To control traffic reaching the firewall itself
D. To control traffic from the loopback network interface
D. Firewall rules are not used to control traffic from the loopback network interface. This interface, sometimes referred to as localhost, is a virtual adapter within the local computer.
Rules used to control network traffic flow on routers are called
A. Access Centric Lists
B. Access Control Lists
C. Allowed Traffic Lists
D. Group Policies
B. Rules used to control network traffic flow on routers are called Access Control Lists.
To help secure DNS servers, zone transfers should
A. Always be disabled
B. Be restricted to hosts on the local network only
C. Be limited to DNS servers that need access to the entire zone information for update and replication purposes
D. Be permitted as long as another DNS server is making the zone transfer request
C. DNS zone transfers should be limited to DNS servers that need access to the entire zone information for update and replication purposes.
On mail servers, the expn command
A. Is used to verify e-mail accounts on the remote mail server
B. Validates incoming mail as not spam
C. Is used to provide a list of all e-mail accounts belonging to a mailing list or alias
D. Should never be disabled
C. On mail servers, the expn command is used to provide a list of all e-mail accounts belonging to a mailing list or alias.
To help secure web servers, sample files
A. Should be set to read-only but left in place
B. Should be removed from production servers
C. Should be set to read-write and left in place
D. Should be moved to a folder called /samples
B. To help secure web servers, sample files should be removed from all production web servers.
On recent versions of Microsoft Windows, Bitlocker can be used to
A. Encrypt data and files on the system
B. Filter incoming traffic
C. Enforce group policies and login time restrictions
D. Prevent web-based malware from infecting your system
A. On recent versions of Microsoft Windows, Bitlocker can be used to encrypt files and data on the local system.
On mail servers, relaying occurs when
A. A message is forwarded between local users
B. The server handles a message and neither the sender nor the recipient is a local user
C. The server handles a message and the sender is not a local user
D. The server handles a message and the recipient is not a local user
B. On mail servers, relaying occurs when the server handles a message and neither the sender nor the recipient is a local user.
Which of the following hosts.allow entries would allow FTP traffic from the 10.10.10.0 network to reach the localhost?
A. FTP: 10.10.10.0
B. HTTP: 10.10.10.0
C. 10.10.10.0: SOME
D. PERMIT: FTP
A. The hosts.allow entry that would allow FTP traffic from the 10.10.10.0 network to reach the local host is “FTP: 10.10.10.0”.
LDAP is used to both update and query Active Directory. LDAP is
A. Lightweight Domain Access Protocol
B. Lightweight Directory Access Protocol
C. Lightweight Domain Access Permission
D. Local Domain Access Protocol
B. LDAP is Lightweight Directory Access Protocol.
Within the Windows environment, group policies are stored in GPOs, also known as
A. Group Permission Objects
B. Group Package Objects
C. Group Policy Objects
D. Global Policy Objects
C. Within the Windows environment, group policies are stored in GPOs, also known as Group Policy Objects.
A SYN flood is an example of what type of attack?
A. Malicious code
B. Denial-of-service
C. Man-in-the-middle
D. Spoofing
B. A SYN flood attack involves launching a large number of SYN packets at a system. In TCP, the response to this is a SYN/ACK, and the system then waits for an ACK to complete the three-way handshake. If no ACK is received, the system will wait until a time-out occurs, and then it will release the connection. If enough SYN packets are received (requesting that communication be set up), the system can fill up and not process any more requests. This is a type of DoS attack.
An attack in which the attacker simply listens for all traffic being transmitted across a network, in the hope of viewing something such as a user ID and password combination, is known as
A. A man-in-the-middle attack
B. A denial-of service-attack
C. A sniffing attack
D. A backdoor attack
C. Sniffing consists of a person simply listening to all traffic on a network. It takes advantage of the friendly nature of the network, in which systems are only supposed to grab and examine packets that are destined for them. Sniffing looks at all packets traveling across the network.
Which attack takes advantage of a trusted relationship that exists between two systems?
A. Spoofing
B. Password guessing
C. Sniffing
D. Brute-force
A. One form of spoofing attack attempts to take advantage of the trusted relationship that may exist between two systems. This trusted relationship could mean that users on one system will not be required to authenticate themselves when accessing the other system; the second system trusts the first to have performed any necessary authentication. If packets are formed that claim to have come from one of the trusted systems, the target can be fooled into performing actions as if an authorized user had sent them.
In what type of attack does an attacker resend the series of commands and codes used in a financial transaction to cause the transaction to be conducted multiple times?
A. Spoofing
B. Man-in-the-middle
C. Replay
D. Backdoor
C. This is the description of a replay attack.
The trick in both spoofing and TCP/IP hijacking is in trying to
A. Provide the correct authentication token.
B. Find two systems between which a trusted relationship exists.
C. Guess a password or brute-force a password to gain initial access to the system or network.
D. Maintain the correct sequence numbers for the response packets.
D. Getting the correct sequence number is the tricky part of any attempt to spoof or take over a session. This is made easy if the attacker can observe (sniff) the network traffic. If, however, the attacker is external to the network, the task is much more complicated.
Rootkits are challenging security problems because
A. They can be invisible to the operating system and end user.
B. Their true functionality can be cloaked, preventing analysis.
C. They can do virtually anything an operating system can do.
D. All of the above.
D. Rootkits have almost unlimited power over an infected system. They can cloak themselves from detection and hide their true nature.
The ability of an attacker to crack passwords is directly related to the method the user employed to create the password in the first place, as well as
A. The length of the password
B. The size of the character set used in generating the password
C. The speed of the machine cracking the password
D. The dictionary and rules used by the cracking program
D. This is a tricky question. All of the answers have a bearing on the ability of the attacker to crack the password, but, as discussed in the text, the dictionary and rule set used will make or break the attempt (unless an attacker wants to try a brute-force attack, which is generally his last option). The size of the password will certainly have a bearing, but the difference between brute-forcing a 13-character password and a 14-character password is not important—neither will be accomplished in the lifetime of the attacker. The same can be said of the size of the character set used to generate the password. The more characters that are available, the larger the number of passwords that must be tried in order to brute-force it—but attackers try to stay away from using brute-force attacks. The speed of the machine will have some bearing, but speed will make little difference if the attacker uses a brute-force attack, since he still won’t crack it in time to take advantage of it. If the attacker can pick a good dictionary and rule set, he can probably crack the password (remember that users have a tendency to select poor passwords).
A piece of malicious code that must attach itself to another file to replicate itself is known as
A. A worm
B. A virus
C. A logic bomb
D. A Trojan
B. This answer defines a virus. This is the distinguishing aspect of a virus that separates it from other forms of malicious code, especially worms.
A piece of malicious code that appears to be designed to do one thing (and may in fact do that thing) but that hides some other payload (often malicious) is known as
A. A worm
B. A virus
C. A logic bomb
D. A Trojan
D. This describes a Trojan (or Trojan horse). A virus that is attached to another file and that appears to be that file may also hide a malicious payload, but the description provided is traditionally used to describe a Trojan.
An attack in which an attacker attempts to lie and misrepresent himself in order to gain access to information that can be useful in an attack is known as
A. Social science
B. White-hat hacking
C. Social engineering
D. Social manipulation
C. This is a description of social engineering. The term white-hat hacking is often used to refer to authorized penetration tests on a network.
The first step in an attack on a computer system consists of
A. Gathering as much information about the target system as possible
B. Obtaining as much information about the organization in which the target lies as possible
C. Searching for possible exploits that can be used against known vulnerabilities
D. Searching for specific vulnerabilities that may exist in the target’s operating system or software applications
B. The first step is generally acknowledged to be to gather as much information about the organization as possible. This information can then be used in social engineering attacks that can result in the revelation of even more information, or even access to the system. If access can be obtained without having to run any exploits, the attacker’s chance of discovery is minimized. The second step is to gather information about the specific systems and networks—details on the actual hardware and software that is being used. It is not until both of these steps have been accomplished that possible vulnerabilities and tools to exploit them can be determined. This sequence may differ if the attacker is not targeting a specific system, but is instead looking for systems that are vulnerable to a specific exploit. In this case, the attacker would probably be searching for a vulnerability first, and then for a tool that exploits it, and he may never even consider the organization that is being targeted.
The best way to minimize possible avenues of attack for your system is to
A. Install a firewall and check the logs daily.
B. Monitor your intrusion detection system for possible attacks.
C. Limit the information that can be obtained on your organization and the services that are run by your Internet-visible systems.
D. Ensure that all patches have been applied for the services that are offered by your system.
C. To minimize the avenues of attack, you need to limit the information that can be obtained and the number of services you offer. The more services that are available, the greater the number of possible avenues that can be exploited. It is important to install patches, but this doesn’t minimize the avenues; it protects specific avenues from attack. The use of firewalls and intrusion detection systems is important, but monitoring them doesn’t aid in minimizing the avenues of attack (though a properly administered firewall can help to limit the exposure of your network).
A war-driving attack is an attempt to exploit what technology?
A. Fiber-optic networks whose cables often run along roads and bridges
B. Cellular telephones
C. The public switched telephone network (PSTN)
D. Wireless networks
D. War-driving is an attempt to locate wireless networks whose access area extends into publicly accessible space.
How can you protect against worms of the type that Robert Morris unleashed on the Internet?
A. Follow the same procedures you’d use to secure your system from a human attacker.
B. Install antivirus software.
C. Ensure that no executable attachments to e-mails are executed unless their integrity has been verified.
D. Monitor for changes to utilities and other system software.
A. The Morris worm used the same type of techniques to penetrate the systems that human attackers use. Therefore, if you protect the system against one, you are protecting it against the other. Installing an antivirus package and not allowing executable attachments to e-mail to be executed are good ideas, but they address the other type of worm, not the Morris type of Internet worm. Monitoring the system for changes to utilities and other system software is also a good idea, but it is reactive in nature and discovering these changes means the individual or worm has already penetrated your system. Your goal should be to try to prevent this in the first place.
Malicious code that is set to execute its payload on a specific date or at a specific time is known as
A. A logic bomb
B. A Trojan horse
C. A virus
D. A time bomb
D. This defines a time bomb. The more general term logic bomb is sometimes used, but this term generally refers to a piece of software that is set to execute when some specified event occurs. When that event is a date or time, we often refer to the malicious code as a time bomb.
What is spam?
A. Unsolicited commercial e-mail
B. A Usenet archive
C. A computer virus
D. An encryption algorithm
A. Spam is unsolicited commercial e-mail.
How does the Realtime Blackhole List help fight spam?
A. It is a universal Internet receptacle for spam.
B. It maintains current signatures of all available spam for download.
C. It takes all spam and returns it to the sender.
D. It maintains a list of spam sources against which e-mail servers can check messages.
D. The Realtime Blackhole List is a list of sources known to send spam, and e-mail servers can use it to perform checks against the source of e-mail. If the source matches, often the e-mail is simply dropped from the server.
How many bits are needed in a symmetric encryption algorithm to give decent protection from brute-force attacks?
A. 24 bits
B. 40 bits
C. 56 bits
D. 128 bits
D. 128 bits is the current requirement to provide decent security from brute-force attacks against the key.
How do some instant messaging programs cause problems for intrusion detection systems?
A. They can scan for open ports trying to find a server.
B. They force the IDS to decode your conversations.
C. They force the IDS to shut down.
D. They run on Windows PCs.
A. Some instant messaging programs can look like an internal port scan when trying to find a server, causing the IDS to alert you even when an actual attack is not occurring.
What makes e-mail hoaxes popular enough to keep the same story floating around for years?
A. They are written by award-winning authors.
B. The story prompts action on the reader’s part.
C. The story will grant the user good luck only if he or she forwards it on.
D. The hoax e-mail forwards itself.
B. Hoax e-mails work by prompting action on the user’s part. Typically the action is to forward the e-mail to everyone the reader knows, sometimes to right some moral injustice.
What is greylisting?
A. E-mail messages are temporarily rejected so that the sender is forced to resend.
B. E-mail messages are run through a strong set of filters before delivery.
C. E-mail messages are sent through special secure servers.
D. E-mail is sent directly from the local host to the remote host, bypassing servers entirely.
A. Greylisting is a temporary rejection of e-mail to force the remote server to resend the message. Since spammers will not follow the RFC specifications, they will not perform resending.
Why do PGP and S/MIME need public key cryptography?
A. Public keys are necessary to determine whether the e-mail is encrypted.
B. The public key is necessary to encrypt the symmetric key.
C. The public key unlocks the password to the e-mail.
D. The public key is useless and gives a false sense of privacy.
B. The public key is used to encrypt the symmetric key, which is then used to encrypt the message contents, because encrypting the entire message would take too much processing power.
What symmetric encryption protocols does S/MIME support?
A. AES and RC4
B. IDEA and 3DES
C. 3DES and RC2
D. RC4 and IDEA
C. S/MIME supports 3DES and RC2.
Why is HTML e-mail dangerous?
A. It can’t be read by some e-mail clients.
B. It sends the content of your e-mails to web pages.
C. It can allow launching of malicious code from the preview pane.
D. It is the only way spam can be sent.
C. HTML e-mail can carry embedded instructions to download or run scripts that can be launched from the preview pane in some e-mail programs, without requiring that the user actively launch the attached program.
What is a Trojan horse program?
A. A program that encrypts e-mail for security
B. A program that appears legitimate but is actually malicious code
C. A program that runs only on a single computer
D. A program that self-compiles before it runs
B. A Trojan horse program looks like a legitimate game or video but actually carries malicious code.
Why is S/MIME sometimes considered unsecured?
A. It doesn’t actually encrypt the e-mail.
B. It can send unsigned e-mails.
C. It uses inferior Triple DES encryption.
D. It can be used with only 40-bit ciphers.
D. S/MIME currently supports a 40-bit cipher to perform the symmetric encryption, and this is considered unsecured by some, as 128 bits should be the minimum on symmetric keys.
If they are both text protocols, why is instant messaging traffic riskier than e-mail?
A. More viruses are coded for IM.
B. IM has no business purpose.
C. IM traffic has to travel outside of the organization to a server.
D. Emoticons.
C. IM protocols require that the traffic travel to the hosting server, so two users in an organization are sending the traffic to an outside server and back when communicating via IM.
What makes spam so popular as an advertising medium?
A. Its low cost per impression
B. Its high rate of return
C. Its ability to canvass multiple countries
D. Its quality of workmanship
A. Spam is popular simply because of its low cost. Spam can be sent to thousands of people for less than a cent per reader.
What is one of the popular Trojan horse payloads?
A. Word processor
B. Web server
C. Remote control programs
C. Remote control programs, such as SubSeven and Back Orifice, are popular Trojan horse programs because they give the attacker access to all the resources of the machine.
What is a potential security problem with key escrow?
A. The key gets lost.
B. Someone could add a key to your encryption and then distribute the key.
C. The key could contain a Trojan horse.
D. Key escrow requires 40-bit keys.
B. Because key escrow involves adding an additional private key to your original private key in the encryption routine, if an attacker is able to add a key without your knowledge, he can secretly decode all your messages.
A cookie is
A. A piece of data in a database that enhances web browser capability
B. A small text file used in some HTTP exchanges
C. A segment of script to enhance a web page
D. A favorite snack of web developers, so they named a program after it
B. Cookies are small pieces of ASCII text used in HTTP transfers to exchange data between client and server.
The use of certificates in SSL is similar to
A. A receipt proving purchase
B. Having a notary notarize a signature
C. A historical record of a program’s lineage
D. None of the above
B. A certificate acts as an electronic notary, providing a method of determining authenticity through a third party.
SSL can be used to secure
A. POP3 traffic
B. HTTP traffic
C. SMTP traffic
D. All of the above
D. SSL can be used to secure all of the above—SPOP3 is POP3 secured, HTTPS is secure HTTP, and SSMTP is secure SMTP.
SFTP uses which method to secure its transmissions?
A. IPsec
B. VPN
C. SSH
D. SSL
C. SFTP uses SSH to enable secure file transfers.
Security for JavaScript is established by whom?
A. The developer at the time of code development.
B. The user at the time of code usage.
C. The user through browser preferences.
D. Security for JavaScript is not necessary—the Java language is secure by design.
C. JavaScript security is ultimately the responsibility of the end user, and the options exist in browsers to select various security levels or even disable it altogether.
ActiveX can be used for which of the following purposes?
A. Add functionality to a browser
B. Update the operating system
C. Both A and B
D. Neither A nor B
C. ActiveX can be used to create all kinds of software and modifications to existing software. ActiveX is technology that can be used to create complex application logic that is then embedded into other container objects such as a web browser.
CGI has a weakness in its implementation because
A. It offers almost unlimited operating system access and functionality on a UNIX box.
B. It is limited to Windows operating systems only.
C. It is difficult to program in.
D. It has a proprietary interface.
A. Unlimited access to operating system functionality makes many CGI scripts security hazards to the system, and special care is required in their design and implementation.
The keyword [secure] in a cookie
A. Causes the system to encrypt its contents
B. Prevents it from passing over HTTP connections
C. Tells the browser that the cookie is a security upgrade
D. None of the above
B. Cookies with the [secure] tag are only passed by browsers over HTTPS connections.
Code signing is used to
A. Allow authors to take artistic credit for their hard work
B. Provide a method to demonstrate code integrity
C. Guarantee code functionality
D. Prevent copyright infringement by code copying
B. Code signing includes data integrity checking through a hash value.
SSL provides which of the following functionality?
A. Data integrity services
B. Authentication services
C. Data confidentiality services
D. All of the above
D. SSL provides all of the above.
SSL uses which port to carry HTTPS traffic?
A. TCP port 80
B. UDP port 443
C. TCP port 443
D. TCP port 8080
C. HTTPS traffic is connection oriented (TCP) and carried over port 443 by default.
High security browsers can use what to validate SSL credentials for a user?
A. AES encrypted links to a root server
B. An extended validation SSL certificate
C. MD-5 hashing to ensure integrity
D. SSL v. 3.0
B. An extended validation SSL certificate is signed by the CA to prove authenticity.
To establish an SSL connection for e-mail and HTTP across a firewall, you must
A. Open TCP ports 80, 25, 443, and 223
B. Open TCP ports 443, 465, and 995
C. Open a TCP port of choice and assign it to all SSL traffic
D. Do nothing; SSL tunnels past firewalls
B. HTTPS uses TCP port 443, SSMTP uses 465, and SPOP3 uses 995.
Directories are characterized by
A. Being optimized for read-only data
B. Being optimized for attribute type data
C. More functionality than a simple database
D. Better security model than a database
B. Directories are used primarily for reading attribute type data to support fast lookups and searches.
To prevent the use of cookies in a browser, a user must
A. Tell the browser to disable cookies via a setup option.
B. Delete all existing cookies.
C. All of the above.
D. The user need do nothing—by design, cookies are necessary and cannot be totally disabled.
C. The user must do both A and B. A will prevent future cookies from interacting, but B is necessary to stop cookies already downloaded from being passed back to the server on subsequent visits.
A business impact assessment is designed to do which of the following?
A. Determine the impact your business has on other organizations.
B. Determine the impact your business has on local, regional, and national economies.
C. Determine the effect your corporate security strategy has on the way you conduct your operations.
D. Determine which processes, systems, and people are critical to the operation of your organization.
D. This is the description of what a business impact assessment is supposed to accomplish. It is important to emphasize that the BIA not only includes the systems (hardware and software) needed by the organization, but any supplies or specific individuals that are critical for the operation of the organization.
A good backup plan will include which of the following?
A. The critical data needed for the organization to operate
B. Any software that is required to process the organization’s data
C. Specific hardware to run the software or to process the data
D. All of the above
D. All of these are important. Having copies of your data will not be useful if specialized software is required to process it and if specialized hardware is needed to run the special software. You must consider all of these in your backup plan.
Which backup strategy backs up only the files and software that have changed since the last full backup?
A. Full
B. Differential
C. Incremental
D. Delta
B. This is the definition of a differential backup. In an incremental backup, the data and software that has changed since the last full or incremental backup is saved. A delta backup saves only those portions of the files that have changed, instead of the entire file.
Which of the following is not a consideration in calculating the cost of a backup strategy?
A. The cost of the backup media
B. The storage costs for the backup media
C. The probability that the backup will be needed
D. The frequency with which backups are created
C. This was a tricky question. The probability that the backup will be needed is a factor in determining the optimal backup frequency, but it was not discussed as part of the cost of the backup strategy. It is also a figure that can be used in a risk analysis to determine the optimum strategy.
Which of the following is the name for a fully configured environment similar to the normal operating environment that can be operational immediately to within a few hours?
A. Hot site
B. Warm site
C. Online storage system
D. Backup storage facility
A. This is the definition of a hot site.
Which of the following is considered an issue with long-term storage of magnetic media, as discussed in the chapter?
A. Tape media can be used a limited number of times before it degrades.
B. Software and hardware evolve, and the media stored may no longer be compatible with current technology.
C. Both of the above.
D. None of the above.
C. Both A and B were identified as issues that must be considered when planning your long-term storage strategy.
Which of the following is the best approach to take for potential short-term loss of electrical power?
A. Don’t worry about it. If it is short term, the systems will be back up in at most a few minutes, and processing can resume.
B. Install an uninterruptible power supply (UPS) to allow processing to continue while you wait for power to be restored. If it will take longer than a few minutes, the supply will allow you to gracefully bring the system down so no loss of information is suffered.
C. Install a backup power generator and maintain a supply of fuel for it.
D. Have the power company install a backup power line into your facility.
B. Purchasing and using a UPS is the best strategy to address short-term power loss. It allows for continued operation if the loss is brief or lets you bring the system down without loss of data. Generators are expensive to purchase and maintain and are not appropriate for short-term power loss. They may be essential for long-term loss of power in installations where this is likely and processing is critical. Ignoring the issue (answer A) is not a good approach as even a brief loss in power can disrupt processing and cause loss of data. Installing a second power line is also not a reasonable answer.
What other common utility is it important to consider when developing your recovery plans?
A. Water
B. Gas
C. Communications
D. Television/cable
C. Communications (whether telephone or wireless) is critical for organizations today. Water and gas may be important, especially for long-term utility interruption, but they are generally not considered as important as communications, where even a short-term loss can be disastrous. While loss of television or cable may result in you missing your favorite show, it generally is not considered as crucial to business (unless the cable also supplies your Internet connectivity and is relied on for business operations).
RAID stands for
A. Replacement Array of Identical Disks
B. Replacement Array of Inexpensive Disks
C. Redundant Array of Identical Devices
D. Redundant Array of Inexpensive Disks
D. This is the original definition for this acronym, but Redundant Array of Independent Disks is also now used.
Which RAID technique uses an array of identical disks with all data copied to each of the disks?
A. RAID 0
B. RAID 1
C. RAID 4
D. RAID 5
B. This is the description for RAID 1. This technique is more expensive than other techniques as the total capacity for the entire RAID implementation is the capacity of a single disk.
Which of the following is a reason to maintain a supply of spare parts (hardware and software)?
A. Products fail but newer versions may not be compatible with older versions.
B. Buying multiple copies of products will reduce the overall cost.
C. Insurance companies that provide insurance against data loss require it.
D. In the case of a security incident, law enforcement agencies can seize your original equipment so you’ll need to have extra copies to maintain business continuity.
A. Older equipment and software may not be compatible with newer versions, which could mean that business continuity is lost if a product fails. Having spare parts enables you to bring systems back up more quickly without problems associated with compatibility issues.
Developing a DRP, BCP, and backup policy is just one step in preparing for a disaster. What other step needs to be taken?
A. Once developed, the plans should be exercised to make sure that they are complete and that all individuals know their responsibilities.
B. The plans need to be provided to the organization’s insurance provider to ensure that they are sufficient to cover the needs of the organization.
C. The plans should be published on the Internet to share with others who can learn from the organization’s experience.
D. An independent contractor should be consulted to ensure that the plans are complete and adequate.
A. This is the best answer. Every plan should be tested to ensure that it is complete and so that key individuals in the plan know their parts and can accomplish assigned tasks. Exercising a plan can also identify items that are required in the event of a disaster but that are not required during normal business operations. The other answers may all have elements that could be partially correct but are not the best answer. Insurance companies may indeed want to know that the organization has a BCP, DRP, and backup plan, but this is not the best answer. Sharing information between organizations certainly is a practice that can help raise the level of preparedness across an industry, but sharing specifics about your plan is not advisable and could lead to a security breach. Contractors might be able to help develop a plan and can provide valuable assistance, but they are not required in the process if your organization has sufficient expertise.
Which of the following refers to the time within which an organization wants to have a critical service restored after a disruption in service occurs?
A. Mean time to restore
B. Mean time between failures
C. Recovery point objective
D. Recovery time objective
D. This is the definition of recovery time objective. Closely related to this is recovery point objective, but it is based on a determination of how much data loss an organization can withstand.
Which of the following is a technique designed to distribute processing over two or more systems? It is used to help improve resource utilization and throughput but also has the added advantage of increasing the fault tolerance of the overall system since a critical process may be split across several systems.
A. Clustering
B. High Reliability
C. Load Balancing
D. Distributed networking
C. This is the definition of load balancing. A cluster is similar, but a cluster links a group of systems to have them work together. A cluster of computers working together in many respects can be considered a single larger computer.
Which of the following correctly defines qualitative risk management?
A. The loss resulting when a vulnerability is exploited by a threat
B. To reduce the likelihood of a threat occurring
C. The process of subjectively determining the impact of an event that affects a project, program, or business
D. The process of objectively determining the impact of an event that affects a project, program, or business
C. Qualitative risk management is the process of subjectively determining the impact of an event that affects a project, program, or business. A defines impact, B defines mitigation, and D defines quantitative risk assessment.
Which of the following correctly defines risk?
A. The risks still remaining after an iteration of risk management
B. The possibility of suffering harm or loss
C. The loss resulting when a vulnerability is exploited by a threat
D. Any circumstance or event with the potential to cause harm to an asset
B. Risk is the possibility of suffering harm or loss. A defines residual risk, C defines impact, and D defines threat.
Single loss expectancy (SLE) can best be defined by which of the following equations?
A. SLE = asset value * exposure factor
B. SLE = annualized loss expectancy * annualized rate of occurrence
C. SLE = asset value * annualized rate of occurrence
D. SLE = annualized loss expectancy * exposure factor
A. SLE is the value of the asset multiplied by the exposure factor.
Which of the following correctly defines annualized rate of occurrence?
A. On an annualized basis, the frequency with which an event is expected to occur
B. How much an event is expected to cost per year
C. A measure of the magnitude of loss of an asset
D. Resources or information an organization needs to conduct its business
A. Annualized rate of occurrence is defined as the frequency with which an event is expected to occur on an annual basis. Answer B defines annualized loss expectancy. Answer C defines exposure factor. Answer D defines asset.
Which of the following are business risks?
A. Business continuity management
B. Fraud
C. Contract management
D. Treasury management
E. All of the above
F. None of the above
E. All listed items are business risks.
The Basel Committee defines operational risk as which of the following?
A. Risk of default of outstanding loans
B. Risk of losses due to fluctuations of market prices
C. The possibility of suffering harm or loss
D. Risk from disruption by people, systems, processes, or disasters
D. The Basel Committee defines operational risk as risk from disruption by people, systems, processes, or disasters. Answer A defines credit risk. Answer B defines market risk. Answer C defines risk.
Which of the following are not assets?
A. Hardware
B. Inventory
C. Equipment or software failure
D. Cash
E. All of the above
F. None of the above
C. Equipment or software failure is a threat. All other answers are examples of assets.
For questions 8 and 9, assume the following: The asset value of a small distribution warehouse is $5 million, and this warehouse serves as a backup facility. Its complete destruction by a disaster would take away about 1/5 of the capability of the business. Also assume that this sort of disaster is expected to occur about once every 50 years.
Which of the following is the calculated single loss expectancy (SLE)?
A. SLE = $25 million
B. SLE = $1 million
C. SLE = $2.5 million
D. SLE = $5 million
B. SLE = asset value ($5 million) * exposure factor (1/5) = $1 million.
Which of the following is the calculated annualized loss expectancy (ALE)?
A. ALE = $50,000
B. ALE = $20,000
C. ALE = $1 million
D. ALE = $50 million
B. ALE = SLE ($1 million) * annualized rate of occurrence (1/50) = $20,000.
When discussing qualitative risk assessment versus quantitative risk assessment, which of the following is true?
A. It is impossible to conduct a purely quantitative risk assessment, and it is impossible to conduct a purely qualitative risk assessment.
B. It is possible to conduct a purely quantitative risk assessment, but it is impossible to conduct a purely qualitative risk assessment.
C. It is possible to conduct a purely quantitative risk assessment, and it is possible to conduct a purely qualitative risk assessment.
D. It is impossible to conduct a purely quantitative risk assessment, but it is possible to conduct a purely qualitative risk assessment.
D. A purely quantitative risk assessment is not achievable because it is impossible to define and quantitatively measure all factors. On the other hand, a risk assessment that qualitatively evaluates risk is possible.
An upgrade to a software package resulted in errors that had been corrected in the previously released upgrade. This type of problem could have been prevented by
A. The system administrator making the changes instead of the developer
B. Proper change management procedures being used when changing the object code
C. The use of an object-oriented design approach rather than a rapid prototyping design approach
D. Proper change management procedures when changing the source code
D. Reappearing errors are likely caused by a developer not using the most recent version of the source code. Answer A is wrong because proper segregation of duties states that the developer is responsible for changing software programs, not the system administrator. Answer B is wrong because the source code will be recompiled, not the object code. Answer C is wrong because the design approach would not have caused this problem.
Change management procedures are established to
A. Ensure continuity of business operations in the event of a major disruption
B. Ensure that changes in business operations caused by a major disruption are properly controlled
C. Add structure and control to the development of software systems
D. Identify threats, vulnerabilities, and mitigating actions that could impact an organization
C. The fundamental purpose of software change management is to add structure and control to the software development process. Answers A and B are incorrect because software change management does not apply directly to ensuring business continuity. Answer D is incorrect; this is the definition of risk management.
Which of the following is not a principle of separation of duties?
A. Software development, testing, quality assurance, and production should be assigned to different individuals.
B. Software developers should have access to production data and source code files.
C. Software developers and testers should be restricted from accessing “live” production data.
D. The functions of creating, installing, and administrating software programs should be assigned to different individuals.
B. Programmers should not be given direct access to production data or files. All the other answers are principles of segregation of duties, as outlined in the chapter.
Why should end users not be given access to program source code?
A. It could allow an end user to implement the principle of least privilege.
B. It helps lessen the opportunity of exploiting software weaknesses.
C. It assists in ensuring an independent and objective testing environment.
D. It ensures testing and quality assurance perform their proper functions.
B. If end users have access to source code, they could possibly view, identify, and abuse errors or weaknesses in the source code. Answer A is incorrect because the principle of least privilege does not directly apply here. Answer C is incorrect because end user access to program source code is not directly related to the testing environment. Answer D is incorrect because end user access to program source code is not directly related to the testing and quality assurance functions.
Configuration status accounting consists of
A. The process of controlling changes to items that have been baselined
B. The process of identifying which assets need to be managed and controlled
C. The process of verifying that the configuration items are built and maintained properly
D. The procedures for tracking and maintaining data relative to each configuration item in the baseline
D. Configuration status accounting consists of the procedures for tracking and maintaining data relative to each configuration item in the baseline. Answers A, B, and C are the definitions of configuration control, configuration identification, and configuration auditing, respectively.
Configuration identification consists of
A. The process of controlling changes to items that have been baselined
B. The process of identifying which assets need to be managed and controlled
C. The process of verifying that the configuration items are built and maintained properly
D. The procedures for tracking and maintaining data relative to each configuration item in the baseline
B. Configuration identification consists of the process of identifying which assets need to be managed and controlled. Answers A, C, and D are the definitions of configuration control, configuration auditing, and configuration status accounting, respectively.
Which position is responsible for moving executable code to the test/QA or production systems?
A. System administrator
B. Developer
C. Manager
D. Quality assurance
A. The system administrator should be the only person allowed to move executables. The developer modifies the source code, the manager approves moving the executable to the production system, and quality assurance tests the executables.
Which computer security technology is used to ensure the integrity of executable code?
A. Host-based intrusion detection systems
B. Firewalls
C. Gateways
D. Network-based intrusion detection systems
A. Host-based intrusion detection systems create and maintain a database of the size and content of executable modules. Firewalls filter IP traffic; gateways also filter traffic, and network-based intrusion detection systems monitor IP traffic.
In the Software Engineering Institute’s Capability Maturity Model Integration for Development (CMMI-DEV), which of the following correctly defines Level 3, Defined?
A. Statistical evaluation and quantitative objectives are used to control and manage processes.
B. Processes are ad hoc and are not institutionalized.
C. Processes are well characterized and understood and are described in standards, procedures, tools, and methods.
D. Processes are planned and executed according to policy and are monitored, controlled, reviewed, and evaluated.
C. Level 3, Defined means that processes are well characterized and understood and are described in standards, procedures, tools, and methods. Answers A, B, and D are the definitions of Level 4, Quantitatively Managed; Level 1, Initial; and Level 2, Managed, respectively.
In the Software Engineering Institute’s Capability Maturity Model Integration for Development (CMMI-DEV), which of the following correctly defines Level 2, Managed?
A. Statistical evaluation and quantitative objectives are used to control and manage processes.
B. Processes are improved based on quantitative understanding of business objectives and performance needs.
C. Processes are well characterized and understood and are described in standards, procedures, tools, and methods.
D. Processes are planned and executed according to policy and are monitored, controlled, reviewed, and evaluated.
D. Level 2, Managed means that processes are planned and executed according to policy and are monitored, controlled, reviewed, and evaluated. Answers A, B, and C are the definitions of Level 4, Quantitatively Managed; Level 5, Optimizing; and Level 3, Defined, respectively.
Privilege management applies to
A. Files, resources, and users
B. Users, physical locations, and resources
C. Users, physical locations, and processes
D. Applications, systems, and security
A. Privilege management is the process of restricting a user’s ability to interact with the computer system, including files and resources.
A user ID is
A. A unique identifier assigned to each user
B. A form of privilege management
C. A unique identifier given to each process
D. A type of system command
A. A user ID is a unique identifier assigned to each user of a computer system. It allows the system to distinguish one user from another as well as determine what information, applications, and resources a particular user can access.
Role management is based on
A. The user ID
B. The group to which a user is assigned
C. A job or function
D. The rights associated with the root user
C. Role management is based on jobs and functions, not specific groups or users.
Single sign-on
A. Works for only one user
B. Requires only one user ID and password
C. Groups like users together
D. Requires the user to log in to each resource one time
B. Single sign-on requires only one user ID and password. The user logs on to the SSO server once, and the SSO server then performs any additional authentication tasks for the user.
Compared to decentralized management, centralized management
A. Typically requires less training and fewer resources
B. Brings control to a central location
C. Is easier to audit and manage
D. All of the above
D. When compared to decentralized management, centralized management typically requires less training and fewer resources, brings control to a central location, and is easier to audit and manage.
Records showing which users accessed a computer system and what actions they performed are called
A. User rights
B. System and event logs
C. Audit trails
D. Permissions
C. Records showing which users accessed a computer system and what actions they performed are called audit trails.
Minimum password age is
A. The number of days a password must be used before it can be changed
B. The number of days a password can be used
C. The number of days before the password becomes inactive
D. The number of days before a password must be changed
A. Minimum password age is the number of days that must pass before a password can be changed.
The three types of auditing are
A. Privilege, usage, and escalation
B. User, system, and application
C. File, process, and media
D. None of the above
A. The three main types of auditing discussed were privilege, usage, and escalation.
In the context of privilege management, MAC stands for
A. Media access control
B. Monetary audit control
C. Mandatory access control
D. None of the above
C. MAC stands for mandatory access control, which is the process of controlling access to information based on the sensitivity of that information and whether or not the user is operating at the appropriate sensitivity level and has the authority to access that information.
Under discretionary access control,
A. File access is controlled by permissions.
B. Owners can change permissions of their own files.
C. File permissions may consist of owner, group, and world.
D. All of the above.
D. Under discretionary access control, file access is controlled by permissions, owners can change their files’ permissions when they want to, and file permissions in UNIX operating systems consist of different privileges for owner, group, and world.
In role-based access control
A. Resources are assigned to individual user IDs
B. Access is granted based on job function
C. Files are labeled with sensitivity levels
D. Users are divided into groups
B. In role-based access control, access to files and resources is usually assigned by job function. For example, a person with a “backup operator” role would be assigned the rights and privileges needed to perform that function.
A domain password policy
A. Tells users how to safeguard their passwords
B. Specifies the minimum length of a password
C. Determines when passwords should be used
D. Controls access to resources based on time of day
B. A domain password policy specifies the minimum length of a password. Answers A and C should be part of the organizational password policy.
In the context of privilege management, RBAC can stand for
A. Right-based Access Control
B. Role-based Access Control
C. Remote-based Access Control
D. Risk-based Access Control
B. In the context of privilege management, RBAC can stand for Role-based Access Control.
Which of the following is not an area where logging can be effective?
A. DNS
B. Performance
C. Access
D. Password policies
D. In this chapter we talked about DNS, Performance, and Access all being areas where logging can be effective.
Which of the following is not a security label used to classify information and information resources for MAC systems?
A. Important
B. Top Secret
C. Unclassified
D. Secret
A. Important is not a security label used to classify information and information resources for MAC systems. Top Secret, Secret, Confidential, and Unclassified are all security labels used to classify information and information resources.
Which of the following correctly defines evidence as being sufficient?
A. The evidence is material to the case or has a bearing to the matter at hand.
B. The evidence is presented in the form of business records, printouts, and so on.
C. The evidence is convincing or measures up without question.
D. The evidence is legally qualified and reliable.
C. is the correct definition. Answer A defines relevant evidence. Answer B defines documentary evidence. Answer D defines competent evidence.
Which of the following correctly defines direct evidence?
A. The knowledge of the facts is obtained through the five senses of the witness.
B. The evidence consists of tangible objects that prove or disprove a fact.
C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.
D. It is physical evidence that links the suspect to the scene of a crime.
A. is the correct definition. Answer B defines real evidence. Answer C defines demonstrative evidence. Answer D defines real evidence.
Which of the following correctly defines demonstrative evidence?
A. The evidence is legally qualified and reliable.
B. The evidence consists of tangible objects that prove or disprove a fact.
C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.
D. The evidence is in the form of business records, printouts, manuals, and so on.
C. is the correct definition. Answer A defines competent evidence. Answer B defines real evidence. Answer D defines documentary evidence.
Which of the following correctly defines the best evidence rule?
A. The evidence is legally qualified and reliable.
B. Courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (intentional or unintentional) has occurred.
C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.
D. Physical evidence that links the suspect to the scene of a crime.
B. is the correct definition. Answer A defines competent evidence. Answer C defines demonstrative evidence. Answer D defines real evidence.
Which of the following correctly defines the exclusionary rule?
A. The knowledge of the facts is obtained through the five senses of the witness.
B. The evidence consists of tangible objects that prove or disprove a fact.
C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.
D. Any evidence collected in violation of the Fourth Amendment is not admissible as evidence.
D. is the correct definition. Answer A defines direct evidence. Answer B defines real evidence. Answer C defines demonstrative evidence.
Which of the following is the most rigorous investigative method?
A. Build a new system that completely images the suspect system.
B. Verify software on the suspect system and use that software for investigation.
C. Examine the suspect system using its software without verification.
D. Use a dedicated forensic workstation.
D. Answers A and B are other methods on the rigor spectrum. Answer C is the least rigorous method.
Which of the following correctly defines slack space?
A. The space on a disk drive that is occupied by the boot sector
B. The space located at the beginning of a partition
C. The remaining clusters of a previously allocated file that are available for the operating system to use
D. The unused space on a disk drive when a file is smaller than the allocated unit of storage (such as a cluster)
D. Answers A and B are contrived definitions. Answer C defines free space.
Which of the following correctly defines the process of acquiring evidence?
A. Dump the memory, power down the system, create an image of the system, and analyze the image.
B. Power down the system, dump the memory, create an image of the system, and analyze the image.
C. Create an image of the system, analyze the image, dump the memory, and power down the system.
D. Dump the memory, analyze the image, power down the system, and create an image of the system.
A. The other answers are not in the correct order.
If you are investigating a computer incident, and you need to remove the disk drive from a computer and replace it with a copy so the user doesn’t know it has been exchanged, how many copies of the disk should you make, and how should they be used?
A. Three copies: One to replace the drive removed, one to be used for file authentication, and one for analysis.
B. Four copies: One to replace the drive removed; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; and one is for analysis.
C. Five copies: One to replace the drive removed; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; one is for analysis; and one is for holding message digests.
D. Four copies: One to replace the drive removed; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; and one is for holding message digests.
B. The other answers are contrived responses.
Which of the following correctly describes the hashing concept?
A. A method of verifying that data has been completely deleted from a disk
B. A method of overwriting data with a specified pattern of 1s and 0s on a disk
C. An algorithm that applies mathematical operations to a data stream to calculate a unique number based on the information contained in the data stream
D. A method used to keep an index of all files on a disk
C. is the correct definition. The other answers are contrived responses.
In information security, what are the three main goals? (Select the three best answers.)
A. Auditing
B. Integrity
C. Nonrepudiation
D. Confidentiality
E. Risk Assessment
F. Availability
B, D, and F. Confidentiality, integrity, and availability (known as CIA or the CIA triad) are the three main goals when it comes to information security. Another goal within information security is accountability.
To protect against malicious attacks, what should you think like?
A. Hacker
B. Network admin
C. Spoofer
D. Auditor
A. To protect against malicious attacks, think like a hacker. Then, protect and secure like a network security administrator.
Tom sends out many e-mails containing secure information to other companies. What concept should be implemented to prove that Tom did indeed send the e-mails?
A. Authenticity
B. Nonrepudiation
C. Confidentiality
D. Integrity
B. You should use nonrepudiation to prevent Tom from denying that he sent the e-mails.
Which of the following does the A in CIA stand for when it comes to IT security? Select the best answer.
A. Accountability
B. Assessment
C. Availability
D. Auditing
C. Availability is what the “A” in “CIA” stands for, as in “the availability of data.” Together the acronym stands for confidentiality, integrity, and availability. Although accountability is important and is often included as a fourth component of the CIA triad, it is not the best answer. Assessment and auditing are both important concepts when checking for vulnerabilities and reviewing and logging, but they are not considered to be part of the CIA triad.
Which of the following is the greatest risk when it comes to removable storage?
A. Integrity of data
B. Availability of data
C. Confidentiality of data
D. Accountability of data
C. For removable storage, the confidentiality of data is the greatest risk because removable storage can easily be removed from the building and shared with others. Although the other factors of the CIA triad are important, any theft of removable storage can destroy the confidentiality of data, and that makes it the greatest risk.
When it comes to information security, what is the I in CIA?
A. Insurrection
B. Information
C. Indigestion
D. Integrity
D. The I in CIA stands for integrity. Together CIA stands for confidentiality, integrity, and availability. Accountability is also a core principle of information security.
You are developing a security plan for your organization. Which of the following is an example of a physical control?
A. Password
B. DRP
C. ID card
D. Encryption
C. An ID card is an example of a physical security control. Passwords and encryption are examples of technical controls. A disaster recovery plan (DRP) is an example of an administrative control.
When is a system completely secure?
A. When it is updated
B. When it is assessed for vulnerabilities
C. When all anomalies have been removed
D. Never
D. A system can never truly be completely secure. The scales are always tipping back and forth; a hacker develops a way to break into a system, then an administrator finds a way to block that attack, and then the hacker looks for an alternative method. It goes on and on; be ready to wage the eternal battle!
A group of compromised computers that have software installed by a worm is known as which of the following?
A. Botnet
B. Virus
C. Honeypot
D. Zombie
A. A botnet is a group of compromised computers, usually working together, with malware that was installed by a worm or a Trojan horse.
What are some of the drawbacks to using HIDS instead of NIDS on a server? (Select the two best answers.)
A. A HIDS may use a lot of resources that can slow server performance.
B. A HIDS cannot detect operating system attacks.
C. A HIDS has a low level of detection of operating system attacks.
D. A HIDS cannot detect network attacks.
A and D. Host-based intrusion detection systems (HIDS) run within the operating system of a computer. Because of this, they can slow a computer’s performance. Most HIDS do not detect network attacks well (if at all). However, a HIDS can detect operating system attacks and will usually have a high level of detection for those attacks.
Which of the following computer security threats can be updated automatically and remotely? (Select the best answer.)
A. Virus
B. Worm
C. Zombie
D. Malware
C. Zombies (also known as zombie computers) are systems that have been compromised without the knowledge of the owner. A prerequisite is the computer must be connected to the Internet so that the hacker or malicious attack can make its way to the computer and be controlled remotely. Multiple zombies working in concert often form a botnet. See the section “Computer Systems Security Threats” earlier in this chapter for more information.
Which of the following is the best mode to use when scanning for viruses?
A. Safe Mode
B. Last Known Good Configuration
C. Command Prompt only
D. Boot into Windows normally
A. Safe Mode should be used (if your AV software supports it) when scanning for viruses.
Which of the following is a common symptom of spyware?
A. Infected files
B. Computer shuts down
C. Applications freeze
D. Pop-up windows
D. Pop-up windows are common to spyware. The rest of the answers are more common symptoms of viruses.
What are two ways to secure the computer within the BIOS? (Select the two best answers.)
A. Configure a supervisor password.
B. Turn on BIOS shadowing.
C. Flash the BIOS.
D. Set the hard drive first in the boot order.
A and D. Configuring a supervisor password in the BIOS disallows any other user to enter the BIOS and make changes. Setting the hard drive first in the BIOS boot order disables any other devices from being booted off, including floppy drives, optical drives, and USB flash drives. BIOS shadowing doesn’t have anything to do with computer security, and although flashing the BIOS may include some security updates, it’s not the best answer.
Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason?
A. Virus
B. Worm
C. Zombie
D. PHP script
B. A worm is most likely the reason that the server is being bombarded with information by the clients; perhaps it is perpetuated by a botnet. Because worms self-replicate, the damage can quickly become critical.
Which of the following is not an example of malicious software?
A. Rootkits
B. Spyware
C. Viruses
D. Browser
D. A web browser (for example, Internet Explorer) is the only one listed that is not an example of malicious software. Although a browser can be compromised in a variety of ways by malicious software, the application itself is not the malware.
Which type of attack uses more than one computer?
A. Virus
B. DoS
C. Worm
D. DDoS
D. A DDoS, or distributed denial of service, attack uses multiple computers to make its attack, usually perpetuated on a server. None of the other answers use multiple computers.
What are the two ways that you can stop employees from using USB flash drives? (Select the two best answers.)
A. Utilize RBAC.
B. Disable USB devices in the BIOS.
C. Disable the USB root hub.
D. Enable MAC filtering.
B and C. By disabling all USB devices in the BIOS, a user cannot use his flash drive. Also, the user cannot use the device if you disable the USB root hub within the operating system.
Which of the following does not need updating?
A. HIDS
B. Antivirus software
C. Pop-up blockers
D. Antispyware
C. Pop-up blockers do not require updating to be accurate. However, host-based intrusion detection systems, antivirus software, and antispyware all need to be updated to be accurate.
Which of the following are Bluetooth threats? (Select the two best answers.)
A. Bluesnarfing
B. Blue bearding
C. Bluejacking
D. Distributed denial of service
A and C. Bluesnarfing and bluejacking are the names of a couple of Bluetooth threats. Another attack could be aimed at a Bluetooth device’s discovery mode. To date there is no such thing as blue bearding, and a distributed denial of service attack uses multiple computers attacking one host.
What is a malicious attack that executes at the same time every week?
A. Virus
B. Worm
C. Bluejacking
D. Logic bomb
D. A logic bomb is a malicious attack that executes at a specific time. Viruses normally execute when a user inadvertently runs them. Worms can self-replicate at will. And bluejacking deals with Bluetooth devices.
Which of these is true for active inception?
A. When a computer is put between a sender and receiver
B. When a person overhears a conversation
C. When a person looks through files
D. When a person hardens an operating system
A. Active inception (aka active interception) normally includes a computer placed between the sender and the receiver to capture information.
Tim believes that his computer has a worm. What is the best tool to use to remove that worm?
A. Antivirus software
B. Antispyware software
C. HIDS
D. NIDS
A. Antivirus software is the best option when removing a worm. It may be necessary to boot into Safe Mode to remove this worm when using antivirus software.
Which of the following types of scanners can locate a rootkit on a computer?
A. Image scanner
B. Barcode scanner
C. Malware scanner
D. Adware scanner
C. Malware scanners can locate rootkits and other types of malware. These types of scanners are often found in antimalware software from manufacturers such as McAfee, Norton, Vipre, and so on. Adware scanners (often free) can scan for only adware. Always have some kind of antimalware software running on live client computers!
Which type of malware does not require a user to execute a program to distribute the software?
A. Worm
B. Virus
C. Trojan horse
D. Stealth
A. Worms self-replicate and do not require a user to execute a program to distribute the software across networks. All the other answers do require user intervention. Stealth refers to a type of virus.
Which of these is not considered to be an inline device?
A. Firewall
B. Router
C. CSU/DSU
D. HIDS
D. HIDS, or host-based intrusion detection systems, are not considered to be inline devices. This is because they run on an individual computer. Firewalls, routers, and CSU/DSUs are inline devices.
Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat?
A. Spyware
B. Spam
C. Viruses
D. Botnets
B. Closing open relays, whitelisting, and blacklisting are all mitigation techniques that address spam. Spam e-mail is a serious problem for all companies and must be filtered as much as possible.
How do most network-based viruses spread?
A. By CD and DVD
B. Through e-mail
C. By USB flash drive
D. By floppy disk
B. E-mail is the number one reason why network-based viruses spread. All a person needs to do is double-click the attachment within the e-mail, and the virus will do its thing, which is most likely to spread through the user’s address book. Removable media such as CDs, DVDs, USB flash drives, and floppy disks can spread viruses but are not nearly as common as e-mail.
Which of the following defines the difference between a Trojan horse and a worm? (Select the best answer.)
A. Worms self-replicate but Trojan horses do not.
B. The two are the same.
C. Worms are sent via e-mail; Trojan horses are not.
D. Trojan horses are malicious attacks; worms are not.
A. The primary difference between a Trojan horse and a worm is that worms will self-replicate without any user intervention; Trojan horses do not self-replicate.
Which of the following types of viruses hides its code to mask itself?
A. Stealth virus
B. Polymorphic virus
C. Worm
D. Armored virus
D. An armored virus attempts to make disassembly difficult for an antivirus software program. It thwarts attempts at code examination. Stealth viruses attempt to avoid detection by antivirus software altogether. Polymorphic viruses change every time they run. Worms are not viruses.
Which of the following types of malware appears to the user as legitimate but actually enables unauthorized access to the user’s computer?
A. Worm
B. Virus
C. Trojan
D. Spam
C. A Trojan, or a Trojan horse, appears to be legitimate and looks like it’ll perform desirable functions, but in reality it is designed to enable unauthorized access to the user’s computer.
Which of the following would be considered detrimental effects of a virus hoax? (Select the two best answers.)
A. Technical support resources are consumed by increased user calls.
B. Users are at risk for identity theft.
C. Users are tricked into changing the system configuration.
D. The e-mail server capacity is consumed by message traffic.
A and C. Because a virus can affect many users, technical support resources can be consumed by an increase in user phone calls and e-mails. This can be detrimental to the company because all companies have a limited amount of technical support personnel. Another detrimental effect is that unwitting users may be tricked into changing some of their computer system configurations. The key term in the question is “virus hoax.” If the e-mail server is consumed by message traffic, that would be a detrimental effect caused by the person who sent the virus and by the virus itself but not necessarily by the hoax. Although users may be at risk for identity theft, it is not one of the most detrimental effects of the virus hoax.
To mitigate risks when users access company e-mail with their cell phone, what security policy should be implemented on the cell phone?
A. Data connection capabilities should be disabled.
B. A password should be set on the phone.
C. Cell phone data should be encrypted.
D. Cell phone should be only for company use.
B. A password should be set on the phone, and the phone should lock after a set period of time. When the user wants to use the phone again, the user should be prompted for a password. Disabling the data connection altogether would make access to e-mail impossible on the cell phone. Cell phone encryption of data is possible, but it could use a lot of processing power that may make it unfeasible. Whether the cell phone is used only for company use is up to the policies of the company.
Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this?
A. Anomaly-based IDS
B. Signature-based IDS
C. Behavior-based IDS
D. Heuristic-based IDS
B. When using an IDS, particular types of traffic patterns refer to signature-based IDS.
You are the security administrator for your organization. You want to ensure the confidentiality of data on mobile devices. What is the best solution?
A. Device encryption
B. Remote wipe
C. Screen locks
D. AV software
A. Device encryption is the best solution listed to protect the confidentiality of data. By encrypting the data, it makes it much more difficult for a malicious person to make use of the data. Screen locks are a good idea but are much easier to get past than encryption. Antivirus software will not stop an attacker from getting to the data once the mobile device has been stolen. Remote sanitization doesn’t keep the data confidential; it removes it altogether! While this could be considered a type of confidentiality, it would only be so if a good backup plan was instituted. Regardless, the best answer with confidentiality in mind is encryption. For example, if the device was simply lost, and was later found, it could be reused (as long as it wasn’t tampered with). But if the device was sanitized, it would have to be reloaded and reconfigured before being used again.
You are tasked with implementing a solution that encrypts the CEO’s laptop. However, you are not allowed to purchase additional hardware or software. Which of the following solutions should you implement?
A. HSM
B. TPM
C. HIDS
D. USB encryption
B. A TPM or trusted platform module is a chip that resides on the motherboard of the laptop. It generates cryptographic keys that allow the entire disk to be encrypted, as in full disk encryption (FDE). Hardware security modules (HSMs) and USB encryption require additional hardware. A host-based intrusion detection system requires either additional software or hardware.
One of your co-workers complains of very slow system performance and says that a lot of antivirus messages are being displayed. The user admits to recently installing pirated software and downloading and installing an illegal keygen to activate the software. What type of malware has affected the user’s computer?
A. Worm
B. Logic bomb
C. Spyware
D. Trojan
D. A Trojan was probably installed (unknown to the user) as part of the keygen package. Illegal downloads often contain malware of this nature. At this point, the computer is compromised. Not only is it infected, but malicious individuals might be able to remotely access it.
A smartphone has been lost. You need to ensure 100% that no data can be retrieved from it. What should you do?
A. Remote wipe
B. GPS tracking
C. Implement encryption
D. Turn on screen locks
A. If the device has been lost and you need to be 100% sure that data cannot be retrieved from it, then you should remotely sanitize (or remotely “wipe”) the device. This removes all data to the point where it cannot be reconstructed by normal means. GPS tracking might find the device, but as time is spent tracking and acquiring the device, the data could be stolen. Encryption is a good idea, but over time encryption can be deciphered. Screen locks can be easily circumvented.
A user complains that they were browsing the Internet when the computer started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened?
A. The computer is infected with spyware.
B. The computer is infected with a virus.
C. The computer is now part of a botnet.
D. The computer is now infected with a rootkit.
C. The computer is probably now part of a botnet. The reason the system is running slowly is probably due to the fact that there are hundreds of outbound connections to various websites. This is a solid sign of a computer that has become part of a botnet. Spyware, viruses, and rootkits might make the computer run slowly, but they will not create hundreds of outbound connections.
Virtualization technology is often implemented as operating systems and applications that run in software. Often, it is implemented as a virtual machine. Of the following, which can be a security benefit when using virtualization?
A. Patching a computer will patch all virtual machines running on the computer.
B. If one virtual machine is compromised, none of the other virtual machines can be compromised.
C. If a virtual machine is compromised, the adverse effects can be compartmentalized.
D. Virtual machines cannot be affected by hacking techniques.
C. By using a virtual machine (which is one example of a virtual instance) any ill effects can be compartmentalized to that particular virtual machine, usually without any ill effects to the main operating system on the computer. Patching a computer does not automatically patch virtual machines existing on the computer. Other virtual machines can be compromised, especially if nothing is done about the problem. Finally, virtual machines can definitely be affected by hacking techniques. Be sure to secure them!
Eric wants to install an isolated operating system. What is the best tool to use?
A. Virtualization
B. UAC
C. HIDS
D. NIDS
A. Virtualization enables a person to install operating systems (or applications) in an isolated area of the computer’s hard drive, separate from the computer’s main operating system.
Where would you turn off file sharing in Windows Vista?
A. Control Panel
B. Local Area Connection
C. Network and Sharing Center
D. Firewall properties
C. The Network and Sharing Center is where you can disable file sharing in Windows Vista.
Which option enables you to hide ntldr?
A. Enable Hide Protected Operating System Files
B. Disable Show Hidden Files and Folders
C. Disable Hide Protected Operating System Files
D. Remove the -R Attribute
A. To hide ntldr you need to enable the Hide Protected Operating System Files checkbox. Keep in mind that you should have already enabled the Show Hidden Files and Folders radio button.
Which of the following should be implemented to harden an operating system? (Select the two best answers.)
A. Install the latest service pack.
B. Install Windows Defender.
C. Install a virtual operating system.
D. Execute PHP scripts.
A and B. Two ways to harden an operating system include installing the latest service pack and installing Windows Defender. However, virtualization is a separate concept altogether, and PHP scripts will generally not be used to harden an operating system.
In Windows 7, Vista, and XP, what is the best file system to use?
A. FAT
B. NTFS
C. DFS
D. FAT32
B. NTFS is the most secure file system for use with Windows 7, Vista, and XP. FAT and FAT32 are older file systems, and DFS is the distributed file system used in more advanced networking.
A customer’s computer uses FAT16 as its file system. What file system can you upgrade it to when using the convert command?
A. NTFS
B. HPFS
C. FAT32
D. NFS
A. The convert command is used to upgrade FAT and FAT32 volumes to the more secure NTFS without loss of data. HPFS is the High Performance File System developed by IBM and not used by Windows. NFS is the Network File System, something you would see in a storage area network.
Which of the following is not an advantage of NTFS over FAT32?
A. NTFS supports file encryption.
B. NTFS supports larger file sizes.
C. NTFS supports larger volumes.
D. NTFS supports more file formats.
D. NTFS and FAT32 support the same number of file formats.
What is the deadliest risk of a virtual computer?
A. If a virtual computer fails, all other virtual computers immediately go offline.
B. If a virtual computer fails, the physical server goes offline.
C. If the physical server fails, all other physical servers immediately go offline.
D. If the physical server fails, all the virtual computers immediately go offline.
D. The biggest risk of running a virtual computer is that it will go offline immediately if the server that it is housed on fails. All other virtual computers on that particular server will also go offline immediately.
Virtualized browsers can protect the OS that they are installed within from which of the following?
A. DDoS attacks against the underlying OS
B. Phishing and spam attacks
C. Man-in-the-middle attacks
D. Malware installation from Internet websites
D. The beauty of a virtualized browser is that regardless of whether a virus or other malware damages it, the underlying operating system will remain unharmed. The virtual browser can be deleted and a new one can be created; or if the old virtual browser was backed up previous to the malware attack, it can be restored.
Which of the following needs to be backed up on a domain controller to recover Active Directory?
A. User data
B. System files
C. Operating system
D. System state
D. The system state needs to be backed up on a domain controller to recover the active directory database in the future. The system state includes user data and system files but does not include the entire operating system. If a server fails, the operating system would have to be reinstalled, and then the system state would need to be restored.
Which of the following should you implement to fix a single security issue on the computer?
A. Service pack
B. Support website
C. Patch
D. Baseline
C. A patch can fix a single security issue on a computer. A service pack addresses many issues and rewrites many files on a computer; it may be overkill to use a service pack when only a patch is necessary. You might obtain the patch from a support website. A baseline can measure a server or a network to obtain averages of usage.
An administrator wants to reduce the size of the attack surface of Windows Server 2008. Which of the following is the best answer to accomplish this?
A. Update antivirus software.
B. Install service packs.
C. Disable unnecessary services.
D. Install network intrusion detection systems.
C. Often, operating system manufacturers such as Microsoft refer to the attack surface as all the services that run on the operating system. By conducting an analysis of which services are necessary and which are unnecessary, an administrator can find out which ones need to be disabled, thereby reducing the attack surface. Service packs, antivirus software, and network intrusion detection systems (NIDS) are good tools to use to secure an individual computer and the network but do not help to reduce the size of the attack surface of the operating system.
You finished installing the operating system for a home user. What are three good methods to implement to secure that operating system? (Select the three best answers.)
A. Install the latest service pack.
B. Install a hardware- or software-based firewall.
C. Install the latest patches.
D. Install pcAnywhere.
A, B, and C. After installing an operating system, it’s important to install the latest service pack, patches, and a firewall. These three methods can help to secure the operating system. However, pcAnywhere can actually make a computer less secure and should be installed only if the user requests it. pcAnywhere is just one of many examples of remote control software.
Which of the following is a security reason to implement virtualization in your network?
A. To isolate network services and roles
B. To analyze network traffic
C. To add network services at lower costs
D. To centralize patch management
A. Virtualization of computer servers enables a network administrator to isolate the various network services and roles that a server may play. Analyzing network traffic would have to do more with assessing risk and vulnerability and monitoring and auditing. Adding network services at lower costs deals more with budgeting than with virtualization, although, virtualization can be less expensive. Centralizing patch management has to do with hardening the operating systems on the network scale.
Which of the following is one example of verifying new software changes on a test system?
A. Application hardening
B. Virtualization
C. Patch management
D. HIDS
C. Patch management is an example of verifying any new changes in software on a test system (or live systems, for that matter). Verifying the changes (testing) is the second step of the standard patch management strategy. Application hardening might include updating systems, patching them, and so on, but to be accurate, this question is looking for that particular second step of patch management. Virtualization is the creation of logical OS images within a working operating system. HIDS stands for host-based intrusion detection system, which attempts to detect malicious activity on a computer.
You have been tasked with protecting an operating system from malicious software. What should you do? (Select the two best answers.)
A. Disable the DLP.
B. Update the HIPS signatures.
C. Install a perimeter firewall.
D. Disable unused services.
E. Update the NIDS signatures.
B and D. Updating the host-based intrusion prevention system is important. Without the latest signatures, the HIPS will not be at its best when it comes to protecting against malware. Also, disabling unused services will reduce the attack surface of the OS, which in turn makes it more difficult for attacks to access the system and run malicious code. Disabling the data leakage prevention device would not aid the situation, and it would probably cause data leakage from the computer. Installing a perimeter firewall won’t block malicious software from entering the individual computer. A personal firewall would better reduce the attack surface of the computer, but it is still not meant as an antimalware tool. Updating the NIDS signatures will help the entire network, but might not help the individual computer. In this question we want to focus in on the individual computer, not the network. In fact, given the scenario of the question, you do not even know if a network exists.
Which of the following is one way of preventing spyware from being downloaded?
A. Use firewall exceptions.
B. Adjust Internet Explorer security settings.
C. Adjust the Internet Explorer home page.
D. Remove the spyware from Add/Remove Programs.
B. Adjust the Internet Explorer security settings so that security is at a higher level, and add trusted and restricted websites.
What key combination should be used to close a pop-up window?
A. Windows+R
B. Ctrl+Shift+Esc
C. Ctrl+Alt+Del
D. Alt+F4
D. Alt+F4 is the key combination that is used to close an active window. Sometimes it is okay to click the X, but malware creators are getting smarter all the time; the X could be a ruse.
Which protocol can be used to secure the e-mail login from an Outlook client using POP3 and SMTP?
A. SMTP
B. SPA
C. SAP
D. Exchange
B. SPA (Secure Password Authentication) is a Microsoft protocol used to authenticate e-mail clients. S/MIME and PGP can be used to secure the actual e-mail transmissions.
What are two ways to secure Internet Explorer? (Select the two best answers.)
A. Set the Internet zone’s security level to High.
B. Disable the pop-up blocker.
C. Disable ActiveX controls.
D. Add malicious sites to the Trusted Sites zone.
A and C. By increasing the Internet zone security level to high, you employ the maximum safeguards for that zone. ActiveX controls can be used for malicious purposes; disabling them makes it so that they do not show up in the browser. Disabling a pop-up blocker and adding malicious sites to the Trusted Sites zone would make Internet Explorer less secure.
Heaps and stacks can be affected by which of the following attacks?
A. Buffer overflows
B. Rootkits
C. SQL injection
D. Cross-site scripting
A. Stacks and heaps are data structures that can be affected by buffer overflows. Value types are stored in a stack, whereas reference types are stored in a heap. An ethical coder will try to keep these running efficiently. An unethical coder will attempt to use a buffer overflow to affect heaps and stacks that in turn could affect the application in question or the operating system. The buffer overflow might be initiated by certain inputs and can be prevented by bounds checking.
As part of your user awareness training, you recommend that users remove which of the following when they finish accessing the Internet?
A. Instant messaging
B. Cookies
C. Group policies
D. Temporary files
B. The best answer is cookies, which can be used for authentication and session tracking and can be read as plain text. They can be used by spyware and can track people without their permission. It is also wise to delete temporary Internet files as opposed to temporary files.
Which statement best applies to the term Java applet?
A. It decreases the usability of web-enabled systems.
B. It is a programming language.
C. A web browser must have the capability to run Java applets.
D. It uses digital signatures for authentication.
C. To run Java applets, a web browser must have that option enabled. Java increases the usability of web-enabled systems, and Java is a programming language. It does not use digital signatures for authentication.
Which of the following concepts can ease administration but can be the victim of malicious attack?
A. Zombies
B. Backdoors
C. Buffer overflow
D. Group policy
B. Backdoors were originally created to ease administration. However, hackers quickly found that they could use these backdoors for a malicious attack.
In an attempt to collect information about a user’s activities, which of the following will be used by spyware?
A. Tracking cookie
B. Session cookie
C. Shopping cart
D. Persistent cookie
A. A tracking cookie will be used, or misused, by spyware in an attempt to access a user’s activities. Tracking cookies are also known as browser cookies or HTTP cookies, or simply cookies. Shopping carts take advantage of cookies to keep the shopping cart reliable.
What is it known as when a web script runs in its own environment and does not interfere with other processes?
A. Quarantine
B. Honeynet
C. Sandbox
D. VPN
C. When a web script runs in its own environment for the express purpose of not interfering with other processes, it is known as running in a sandbox. Often, the sandbox will be used to create sample scripts before they are actually implemented. Quarantining is a method used to isolate viruses. A honeynet is a collection of servers used to attract hackers and isolate them in an area where they can do no damage. VPN is short for virtual private network, which enables the connection of two hosts from remote networks.
How can you train a user to easily determine whether a web page has a valid security certificate? (Select the best answer.)
A. Have the user contact the webmaster.
B. Have the user check for HTTPS://.
C. Have the user click the padlock in the browser and verify the certificate.
D. Have the user call the ISP.
C. In Internet Explorer, the user should click the padlock in the browser; this will show the certificate information. Often, the address bar will have different colors as the background; for example, blue or green means that the certificate is valid, whereas red or pink indicates a problem. In Firefox, click the name of the website listed in the address bar just before where it says HTTPS to find out the validity of the certificate. Contacting the webmaster and calling the ISP are time-consuming, not easily done, and not something that an end user should do. Although HTTPS:// can tell a person that the browser is now using the hypertext transfer protocol secure, it does not necessarily determine whether the certificate is valid.
To code applications in a secure manner, what is the best practice to use?
A. Cross-site scripting
B. Flash version 3
C. Input validation
D. HTML version 5
C. Input validation is the best practice to use when coding applications. This is important when creating web applications or web pages that require information to be inputted by the user.
An organization hires you to test an application that you have limited knowledge of. You are given a login to the application, but do not have access to source code. What type of test are you running?
A. White box
B. Gray box
C. Black box
D. SDLC
B. A gray box test is when you are given limited information about the system you are testing. Black box testers are not given logins, source code, or anything else, though they may know the functionality of the system. White box testers are given logins, source code, documentation, and more. SDLC stands for Systems Development Life Cycle, of which these types of tests are just a part.
You check the application log of your web server and see that someone attempted unsuccessfully to enter the text “test; etc/passwd” into an HTML form field. Which attack was attempted?
A. SQL injection
B. Code injection
C. Command injection
D. Buffer overflow
C. In this case a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. If the attacker tried to inject code, he would not use commands, but rather PHP, ASP, or another language. SQL injections are usually run on databases, not web servers’ HTML forms. Buffer overflows have to do with memory and how applications utilize it.
An attacker takes advantage of a vulnerability in programming, which allows the attacker to copy more than 16 bytes to a standard 16-byte variable. Which attack is being initiated?
A. Directory traversal
B. Command injection
C. XSS
D. Buffer overflow
D. A buffer overflow can be initiated when a string variable is not programmed correctly—for example, if the variable allows for more than the standard amount of bytes. Directory traversal is when an attacker uses commands and code to access unauthorized parent directories. Command injection is when commands and command syntax are entered into an application or OS. XSS or cross-site scripting is when code is injected into a website form to obtain information and unauthorized access.
What’s the best way to prevent SQL injection attacks on web applications?
A. Input validation
B. Host-based firewall
C. Add HTTPS pages
D. Update the web server
A. Input validation is the best way to prevent SQL injection attacks on web servers and database servers (or combinations of the two). Host-based firewalls aid in preventing network attacks but not necessarily coded attacks of this type. HTTPS pages initiate a secure transfer of data, but they don’t necessarily lock out attackers that plan on using SQL injection. Updating the web server is a good idea, but will have little if any effect on the forms that are written by the web programmer.
Which of the following attacks uses a JavaScript image tag in an e-mail?
A. SQL injection
B. Cross-site scripting
C. Cross-site request forgery
D. Directory traversal
B. Cross-site scripting (XSS) can be initiated on web forms or through e-mail. It often uses JavaScript to accomplish its ends. SQL injection is when code (SQL-based) is inserted into forms or databases. Cross-site request forgery (XSRF) is when a user’s browser sends unauthorized commands to a website, without the user’s consent. Directory traversal is when an attacker attempts to gain access to higher directories in an OS.
Which of the following should occur first when developing software?
A. Fuzzing
B. Penetration testing
C. Secure code review
D. Patch management
C. Of the listed answers, secure code review should happen first in the SDLC. It should be followed by fuzzing and penetration testing in that order. Patch management is a recurring theme until the software meets the end of its life cycle.
You are the security administrator for a multimedia development company. Users are constantly searching the Internet for media, information, graphics, and so on. You receive complaints from several users about unwanted windows appearing on their displays. What should you do?
A. Install antivirus software
B. Install pop-up blockers
C. Install screensavers
D. Install a host-based firewall
B. The windows that are being displayed are most likely pop-ups. Standard pop-up blockers will prevent most of these. Antivirus software of itself does not have pop-up blocking technology but might be combined in a suite of antimalware software that does have pop-up blocking capability. Screensavers won’t affect the users’ web sessions. Host-based firewalls are a good idea and will prevent attacks, but since a firewall will allow the connections that users make to websites, it cannot stop pop-ups.
You have analyzed what you expect to be malicious code. The results show that JavaScript is being utilized to send random data to a separate service on the same computer. What attack has occurred?
A. DoS
B. SQL injection
C. LDAP injection
D. Buffer overflow
D. Buffer overflows can be initiated by sending random data to other services on a computer. While JavaScript is commonly used in XSS attacks, it can also be used to create a buffer overflow. DoS stands for denial of service, which is when a computer sends many packets to a server or other important system in the hope of making that system fail. SQL and LDAP injection will not use JavaScript.
Which of the following would you set up in a router?
A. DMZ
B. DOS
C. OSI
D. ARP
A. A DMZ, or demilitarized zone, can be set up on a router to create a sort of safe haven for servers. It is neither the LAN nor the Internet, but instead, a location in between the two.
Which of the following is an example of a nonessential protocol?
A. DNS
B. ARP
C. DMZ
D. TFTP
D. The Trivial File Transfer Protocol (TFTP) is a simpler version of FTP that uses a small amount of memory. It is generally considered to be a nonessential protocol. The Domain Name System service (or DNS service) is required for Internet access and on Microsoft domains. The Address Resolution Protocol (ARP) is necessary in Ethernets that use TCP/IP. And a demilitarized zone (DMZ) is not a protocol but more of a network design element.
A person attempts to access a server during a zone transfer to get access to a zone file. What type of server are they trying to manipulate?
A. Proxy server
B. DNS server
C. File server
D. Web server
B. DNS servers are the only types of servers listed that do zone transfers. The purpose of accessing the zone file is to find out what hosts are on the network.
Which of the following is a private IP address?
A. 11.16.0.1
B. 127.0.0.1
C. 172.16.0.1
D. 208.0.0.1
C. 172.16.0.1 is the only address listed that is private. The private assigned ranges can be seen in Table 5-1 earlier in the chapter. 11.16.0.1 is a public IP address, as is 208.0.0.1. 127.0.0.1 is the loopback address.
Which of these hides an entire network of IP addresses?
A. SPI
B. NAT
C. SSH
D. FTP
B. Network Address Translation hides an entire network of IP addresses. SPI, or Stateful Packet Inspection, is the other type of firewall that today’s SOHO routers incorporate.
Which one of the following can monitor and protect a DNS server?
A. Ping the DNS server.
B. Block port 53 on the firewall.
C. Purge PTR records daily.
D. Check DNS records regularly.
D. By checking a DNS server’s records regularly, a security admin can monitor and protect it. Blocking port 53 on a firewall might protect it (it also might make it inaccessible depending on the network configuration) but won’t enable you to monitor it. Pinging the server can simply tell you whether the server is alive. Purging pointer records (PTR) cannot help to secure or monitor the server.
Which TCP port does LDAP use?
A. 389
B. 80
C. 443
D. 143
A. The Lightweight Directory Access Protocol (LDAP) uses TCP port 389. Port 80 is used by HTTP. Port 443 is used by HTTPS. Port 143 is used by IMAP.
From the list of ports select two that are used for e-mail. (Select the two best answers.)
A. 110
B. 3389
C. 143
D. 389
A and C. POP3 uses port 110; IMAP uses port 143; 3389 is used by the Remote Desktop Protocol; and 389 is used by LDAP.
Which port number does the domain name system use?
A. 53
B. 80
C. 110
D. 88
A. The domain name system or DNS uses port 53. Port 80 is used by HTTP; port 110 is used by POP3; and port 88 is used by Kerberos.
Which of the following statements best describes a static NAT?
A. Static NAT uses a one-to-one mapping.
B. Static NAT uses a many-to-many mapping.
C. Static NAT uses a one-to-many mapping.
D. Static NAT uses a many-to-one mapping.
A. Static network address translation normally uses a one-to-one mapping when dealing with IP addresses.
John needs to install a web server that can offer SSL-based encryption. Which of the following ports is required for SSL transactions?
A. Port 80 inbound
B. Port 80 outbound
C. Port 443 inbound
D. Port 443 outbound
C. For clients to connect to the server via SSL, the server must have inbound port 443 open. The outbound ports on the server are of little consequence for this concept, and inbound port 80 is used by HTTP.
If a person takes control of a session between a server and a client, it is known as what type of attack?
A. DDoS
B. Smurf
C. Session hijacking
D. Malicious software
C. Session hijacking (or TCP/IP hijacking) is when an unwanted mediator takes control of the session between a client and a server (for example, an FTP or HTTP session).
Making data appear as if it is coming from somewhere other than its original source is known as what?
A. Hacking
B. Phishing
C. Cracking
D. Spoofing
D. Spoofing is when a malicious user makes data or e-mail appear to be coming from somewhere else.
Which of the following enables a hacker to float a domain registration for a maximum of five days?
A. Kiting
B. DNS poisoning
C. Domain hijacking
D. Spoofing
A. Kiting is the practice of monopolizing domain names without paying for them. Newly registered domain names can be canceled with a full refund during an initial five-day window known as an AGP, or Add Grace Period.
What is the best definition for ARP?
A. Resolves IP addresses to DNS names
B. Resolves IP addresses to host names
C. Resolves IP addresses to MAC addresses
D. Resolves IP addresses to DNS addresses
C. The Address Resolution Protocol, or ARP, resolves IP addresses to MAC addresses. DNS resolves IP addresses to host names or domain names, and vice versa. RARP resolves MAC addresses to IP addresses.
Which of the following should be placed between the LAN and the Internet?
A. DMZ
B. HIDS
C. Domain controller
D. Extranet
A. A demilitarized zone, or DMZ, can be placed between the LAN and the Internet; this is known as a back-to-back perimeter configuration. This allows external users on the Internet to access services but segments access to the internal network. In some cases, it will be part of a 3-leg firewall scheme. Host-based intrusion detection systems are placed on an individual computer, usually within the LAN. Domain controllers should be protected and are normally on the LAN as well. An extranet can include parts of the Internet and parts of one or more LANs; normally it connects two companies utilizing the power of the Internet.
You have three e-mail servers. What is it called when one server forwards e-mail to another?
A. SMTP relay
B. Buffer overflows
C. POP3
D. Cookies
A. An SMTP relay is when one server forwards e-mail to other e-mail servers. Buffer overflows are attacks that can be perpetrated on web pages. POP3 is another type of e-mail protocol, and cookies are small text files stored on the client computer that remember information about that computer’s session with a website.
You want to reduce network traffic on a particular network segment to limit the amount of user visibility. Which of the following is the best device to use in this scenario?
A. Switch
B. Hub
C. Router
D. Firewall
A. A switch can reduce network traffic on a particular network segment. It does this by keeping a table of information about computers on that segment. Instead of broadcasting information to all ports of the switch, the switch selectively chooses where the information goes.
A coworker goes to a website but notices that the browser brings her to a different website and that the URL has changed. What type of attack is this?
A. DNS poisoning
B. Denial of service
C. Buffer overflow
D. ARP poisoning
A. DNS poisoning can occur at a DNS server and can affect all clients on the network. It can also occur at an individual computer. Another possibility is that spyware has compromised the browser. A denial of service is a single attack that attempts to stop a server from functioning. A buffer overflow is an attack that, for example, could be perpetrated on a web page. ARP poisoning is the poisoning of an ARP table, creating confusion when it comes to IP address-to-MAC address resolutions.
Which of the following misuses the transmission control protocol handshake process?
A. Man-in-the-middle attack
B. SYN attack
C. WPA attack
D. Replay attack
B. A synchronize (SYN) attack misuses the TCP three-way handshake process. The idea behind this is to overload servers and deny access to users.
For a remote tech to log in to a user’s computer in another state, what inbound port must be open on the user’s computer?
A. 21
B. 389
C. 3389
D. 8080
C. Port 3389 must be open on the inbound side of the user’s computer to enable a remote tech to log in remotely and take control of that computer. Port 21 is the port used by FTP, and 389 is used by LDAP. 8080 is another port used by web browsers that takes the place of port 80.
A DDoS attack can be best defined as what?
A. Privilege escalation
B. Multiple computers attacking a single server
C. A computer placed between a sender and receiver to capture data
D. Overhearing parts of a conversation
B. When multiple computers attack a single server, it is known as a Distributed Denial of Service attack, or DDoS. Privilege escalation is when a person who is not normally authorized to access a server manages to get administrative permissions to resources. If a computer is placed between a sender and receiver, it is known as a man-in-the-middle attack. Overhearing parts of a conversation is known as eavesdropping.
When users in your company attempt to access a particular website, the attempts are redirected to a spoofed website. What are two possible reasons for this?
A. DoS
B. DNS poisoning
C. Modified hosts file
D. Domain name kiting
B and C. DNS poisoning and a DNS server’s modified hosts files are possible causes for why a person would be redirected to a spoofed website. DoS, or a Denial of Service, is when a computer attempts to attack a server to stop it from functioning. Domain name kiting is when a person renews and cancels domains within five-day periods.
What kind of attack is it when the packets sent do not require a synchronization process and are not connection-oriented?
A. Man-in-the-middle
B. TCP/IP hijacking
C. UDP attack
D. ICMP flood
C. User Datagram Protocol (UDP) attacks, or UDP flood attacks, are DoS attacks that use a computer to send a large number of UDP packets to a remote host. The remote host will reply to each of these with an ICMP Destination Unreachable packet, which ultimately makes it inaccessible to clients.
How many of the TCP/IP ports can be attacked?
A. 1,024 ports
B. 65,535
C. 256
D. 16,777,216
B. The best answer to this question is 65,535. The Internet Assigned Numbers Authority (IANA) list of ports starts at 0 and ends at 65,535. Although this equals 65,536 ports, it should be known that normally port 0 (zero) will forward packets to another port number that is dynamically assigned. So port 0 should not be affected by attacks, because it actually doesn’t act as a normal port.
Which of the following attacks is a type of DoS attack that sends large amounts of UDP echoes to ports 7 and 19?
A. Teardrop
B. IP spoofing
C. Fraggle
D. Replay
C. A Fraggle attack is a type of DoS attack that sends large amounts of UDP echoes to ports 7 and 19. This is similar to the Smurf attack. Teardrop DoS attacks send many IP fragments with oversized payloads to a target.
Don must configure his firewall to support TACACS. Which port(s) should he open on the firewall?
A. Port 53
B. Port 49
C. Port 161
D. Port 22
B. Port 49 is used by TACACS. Port 53 is used by DNS, Port 161 is used by SNMP, and Port 22 is used by SSH.
Which of the following ports is used by Kerberos by default?
A. 21
B. 80
C. 88
D. 443
C. Port 88 is used by Kerberos by default. Port 21 is used by FTP. Port 80 is used by HTTP. Port 443 is used by HTTPS (TLS/SSL).
Which of the following is the best option if you are trying to monitor network devices?
A. SNMP
B. TELNET
C. FTPS
D. IPsec
A. SNMP (Simple Network Management Protocol) is the best protocol to use to monitor network devices. TELNET is a deprecated protocol that is used to remotely administer network devices. FTPS provides for the secure transmission of files from one computer to another. IPsec is used to secure VPN connections and other IP connections.
What is a secure way to remotely administer Linux systems?
A. SCP
B. SSH
C. SNMP
D. SFTP
B. SSH (Secure SHell) is used to remotely administer Unix/Linux systems and network devices. SCP (Secure copy) is a way of transferring files securely between two hosts—it utilizes SSH. SNMP is used to remotely monitor network equipment. SFTP is used to securely transfer files from host to host—it also uses SSH.
You receive complaints about network connectivity being disrupted. You suspect that a user connected both ends of a network cable to two different ports on a switch. What can be done to prevent this?
A. Loop protection
B. DMZ
C. VLAN segregation
D. Port forwarding
A. Loop protection should be enabled on the switch to prevent the looping that can occur when a person connects both ends of a network cable to the same switch. A DMZ is a demilitarized zone that is used to keep servers in a midway zone between the Internet and the LAN. VLAN segregation (or VLAN separation) is a way of preventing ARP poisoning. Port forwarding refers to logical ports associated with protocols.
You see a network address at the command line that is composed of a long string of letters and numbers. What protocol is being used?
A. IPv4
B. ICMP
C. IPv3
D. IPv6
D. IPv6 uses a long string of numbers and letters in the IP address. These addresses are 128 bits in length. IPv4 addresses are shorter (32 bits) and are numeric only. ICMP is the Internet Control Message Protocol, which is used by the ping command and others. IPv3 was a test version prior to IPv4 and was similar in IP addressing structure.
Which of the following cloud computing services offers easy to configure operating systems?
A. SaaS
B. IaaS
C. PaaS
D. VM
C. Platform as a Service (PaaS) is a cloud computing service that offers many software solutions including easy-to-configure operating systems and on-demand computing. SaaS is Software as a Service, used to offer solutions such as webmail. IaaS is Infrastructure as a Service, used for networking and storage. VM stands for virtual machine, which is something that PaaS also offers.
Your web server that conducts online transactions crashed, so you examine the HTTP logs and see that a search string was executed by a single user masquerading as a customer. The crash happened immediately afterward. What type of network attack occurred?
A. DDoS
B. DoS
C. MAC spoofing
D. MITM
B. A denial of service (DoS) attack probably occurred. The attacker most likely used code to cause an infinite loop or repeating search, which caused the server to crash. It couldn’t have been a DDoS (distributed denial of service) since there was only one attacker involved. MAC spoofing is when an attacker disguises the MAC address of their network adapter with another number. MITM stands for the man-in-the-middle attack, which wasn’t necessary since the attacker had direct access to the search fields on the web server.
Which port number is used by SCP?
A. 22
B. 23
C. 25
D. 443
A. SCP (Secure Copy) uses SSH, which runs on port 22 by default. Port 23 is TELNET. Port 25 is SMTP. Port 443 is HTTPS (SSL/TLS).
A malicious insider is accused of stealing confidential data from your organization. What is the best way to identify the insider’s computer?
A. IP address
B. MAC address
C. Computer name
D. NetBIOS name
B. The MAC address is the best way because it is unique and is the hardest to modify or spoof. IP addresses are often dynamically assigned on networks and are easily modified. Computer names (which are effectively NetBIOS names) can easily be changed as well.
What is the best way to utilize FTP sessions securely?
A. FTPS
B. FTP passive
C. FTP active
D. TFTP
A. FTPS (FTP Secure) uses encryption in the form of SSL or TLS to secure file transfers. The other three options do not use encryption, making them less secure.
Which tool would you use if you want to view the contents of a packet?
A. TDR
B. Port scanner
C. Protocol analyzer
D. Loopback adapter
C. A protocol analyzer has the capability to “drill” down through a packet and show the contents of that packet as they correspond to the OSI model.
The honeypot concept is enticing to administrators because
A. It enables them to observe attacks.
B. It traps an attacker in a network.
C. It bounces attacks back at the attacker.
D. It traps a person physically between two locked doors.
A. By creating a honeypot, the administrator can monitor attacks without sustaining damage to a server or other computer. Don’t confuse this with a honeynet (answer B), which is meant to attract and trap malicious attackers in an entire false network. Answer C is not something that an administrator would normally do, and answer D is defining a man trap.
James has detected an intrusion in his company. What should he check first?
A. DNS Logs
B. Firewall logs
C. The Event Viewer
D. Performance logs
B. If there were an intrusion, the first thing you should check is the firewall logs. DNS logs, the Event Viewer, and the performance logs will most likely not show intrusions to the company. The best place to look first is the firewall logs.
Which of the following devices should you employ to protect your network? (Select the best answer.)
A. Protocol analyzer
B. Firewall
C. DMZ
D. Proxy server
B. Install a firewall to protect the network. Protocol analyzers do not help to protect a network but are valuable as vulnerability assessment and monitoring tools. Although a DMZ and a proxy server could possibly help to protect a portion of the network to a certain extent, the best answer is firewall.
Which device’s log file will show access control lists and who was allowed access and who wasn’t?
A. Firewall
B. PDA
C. Performance monitor
D. IP proxy
A. A firewall contains one or more access control lists (ACLs) defining who is allowed to access the network. The firewall can also show attempts at access and whether they succeeded or failed. A personal digital assistant (PDA) might list who called or e-mailed, but as of the writing of this book does not use ACLs. Performance Monitor analyzes the performance of a computer, and an IP proxy deals with network address translation, hiding many private IP addresses behind one public address. Although the function of an IP proxy is often built into a firewall, the best answer would be firewall.
Where are software firewalls usually located?
A. On routers
B. On servers
C. On clients
D. On every computer
C. Software-based firewalls, such as the Windows Firewall, are normally running on the client computers. Although a software-based firewall could also be run on a server, it is not as common. Also, a SOHO router might have a built-in firewall, but not all routers have firewalls.
Where is the optimal place to have a proxy server?
A. In between two private networks
B. In between a private and a public network
C. In between two public networks
D. On all of the servers
B. Proxy servers should normally be between the private and the public network. This way they can act as a go-between for all the computers located on the private network. This applies especially to IP proxy servers but might also include HTTP proxy servers.
A coworker has installed an SMTP server on the company firewall. What security principle does this violate?
A. Chain of custody
B. Use of a device as it was intended
C. Man trap
D. Use of multifunction network devices
B. SMTP servers should not be installed on a company firewall. This is not the intention of a firewall device. The SMTP server should most likely be installed within a DMZ.
You are working on a server and are busy implementing a network intrusion detection system on the network. You need to monitor the network traffic from the server. What mode should you configure the network adapter to work in?
A. Half-duplex mode
B. Full-duplex mode
C. Auto configuration mode
D. Promiscuous mode
D. To monitor the implementation of NIDS on the network, you should configure the network adapter to work in promiscuous mode; this forces the network adapter to pass all the traffic it receives to the processor, not just the frames that were addressed to that particular network adapter. The other three answers have to do with duplexing—whether the network adapter can send and receive simultaneously.
Which of the following displays a single public IP address to the Internet while hiding a group of internal private IP addresses?
A. HTTP proxy
B. Protocol analyzer
C. IP proxy
D. SMTP proxy
C. An IP proxy displays a single public IP address to the Internet while hiding a group of internal private IP addresses. It sends data back and forth between the IP addresses by using Network Address Translation (NAT). This functionality is usually built into SOHO routers and is one of the main functions of those routers. HTTP proxies store commonly accessed Internet information. Protocol analyzers enable the capture and viewing of network data. SMTP proxies act as a go-between for e-mail.
If your ISP blocks objectionable material, what device would you guess has been implemented?
A. Proxy server
B. Firewall
C. Internet content filter
D. NIDS
C. An Internet content filter, usually implemented as content-control software, can block objectionable material before it ever gets to the user. This is common in schools, government, and many companies.
Of the following, which is a collection of servers that was set up to attract hackers?
A. DMZ
B. Honeypot
C. Honeynet
D. VLAN
C. A honeynet is a collection of servers set up to attract hackers. A honeypot is usually one computer or one server that has the same purpose. A DMZ is the demilitarized zone that is in between the LAN and the Internet. A VLAN is a virtual LAN.
Which of the following will detect malicious packets and discard them?
A. Proxy server
B. NIDS
C. NIPS
D. PAT
C. NIPS, or a network intrusion prevention system, detects and discards malicious packets. A NIDS only detects them and alerts the administrator. A proxy server acts as a go-between for clients sending data to systems on the Internet. PAT is port-based address translation.
Which of the following will an Internet filtering appliance analyze? (Select the three best answers.)
A. Content
B. Certificates
C. Certificate revocation lists
D. URLs
A, B, and D. An Internet filtering appliance analyzes content, certificates, and URLs. However, certificate revocation lists will most likely not be analyzed. Remember that CRLs are published only periodically.
Which of the following devices would detect but not react to suspicious behavior on the network?
A. NIPS
B. Firewall
C. NIDS
D. HIDS
C. A NIDS will detect suspicious behavior but most likely not react to it. To prevent it and react to it you would want a NIPS. Firewalls block certain types of traffic but by default do not check for suspicious behavior. HIDS is the host-based version of an IDS; it checks only the local computer, not the network.
One of the programmers in your organization complains that he can no longer transfer files to the FTP server. You check the network firewall and see that the proper FTP ports are open. What should you check next?
A. ACLs
B. NIDS
C. AV definitions
D. FTP permissions
A. Access control lists can stop particular network traffic (such as FTP transfers) even if the appropriate ports are open. A NIDS will detect traffic and report on it but not prevent it. Antivirus definitions have no bearing on this scenario. If the programmer was able to connect to the FTP server, the password should not be an issue. FTP permissions might be an issue, but since you are working in the firewall, you should check the ACL first; then later you can check on the FTP permissions, passwords, and so on.
Which of the following is likely to be the last rule contained within the ACLs of a firewall?
A. Time of day restrictions
B. Explicit allow
C. IP allow any
D. Implicit deny
D. Implicit deny (block all) is often the last rule in a firewall; it is added automatically by the firewall, not by the user. Any rules that allow traffic will be before the implicit deny/block all on the list. Time of day restrictions will probably be stored elsewhere but otherwise would be before the implicit deny as well.
Which of the following best describes an IPS?
A. A system that identifies attacks
B. A system that stops attacks in progress
C. A system that is designed to attract and trap attackers
D. A system that logs attacks for later analysis
B. An IPS (intrusion prevention system) is a system that prevents or stops attacks in progress. A system that only identifies attacks would be an IDS. A system designed to attract and trap attackers would be a honeypot. A system that logs attacks would also be an IDS or several other devices or servers.
What is a device doing when it actively monitors data streams for malicious code?
A. Content inspection
B. URL filtering
C. Load balancing
D. NAT
A. A device that is actively monitoring data streams for malicious code is inspecting the content. URL filtering is the inspection of the URL only (for example, www.comptia.org). Load balancing is the act of dividing up workload between multiple computers. NAT is network address translation, which is often accomplished by a firewall or IP proxy.
Allowing or denying traffic based on ports, protocols, addresses, or direction of data is an example of what?
A. Port security
B. Content inspection
C. Firewall rules
D. Honeynet
C. Firewall rules (ACLs) are generated to allow or deny traffic. They can be based on ports, protocols, IP addresses, or which way the data is headed. Port security deals more with switches and the restriction of MAC addresses that are allowed to access particular physical ports. Content inspection is the filtering of web content, checking for inappropriate or malicious material. A honeynet is a group of computers or other systems designed to attract and trap an attacker.
Which of the following is the most secure protocol to use when accessing a wireless network?
A. WEP
B. WPA
C. WPA2
D. WEP2
C. Wi-Fi Protected Access 2 (WPA2) is the most secure protocol listed for connecting to wireless networks. It is more secure than WPA and WEP. Wired Equivalent Privacy (WEP) is actually a deprecated protocol that should be avoided, as is WEP2. The WEP and WEP2 algorithms are considered deficient for encrypted wireless networks.
What type of cabling is the most secure for networks?
A. STP
B. UTP
C. Fiber-optic
D. Coaxial
C. Fiber-optic is the most secure because it cannot be tapped like the other three copper-based cables; it does not emit EMI. Although shielded twisted pair (STP) offers a level of security due to its shielding, it does not offer a level of security comparable to that of fiber-optic and is not the best answer.
What should you configure to improve wireless security?
A. Enable the SSID
B. IP spoofing
C. Remove repeaters
D. MAC filtering
D. MAC filtering disallows connections from any wireless clients unless the wireless client’s MAC address is on the MAC filtering list.
In a wireless network, why is an SSID used?
A. To secure the wireless access point
B. To identify the network
C. To encrypt data
D. To enforce MAC filtering
B. The SSID is used to identify the wireless network. It does not secure the wireless access point; one of the ways to secure a wireless access point is by masking or disabling the SSID. The SSID does not encrypt data or enforce MAC filtering.
What is the most commonly seen security risk of using coaxial cable?
A. Data that emanates from the core of the cable
B. Crosstalk between the different wires
C. Chromatic dispersion
D. Time domain reflection
A. Some types of coaxial cables suffer from the emanation of data from the core of the cable, which can be accessed. Crosstalk occurs on twisted-pair cable. Chromatic dispersion occurs on fiber-optic cable. Time domain reflection is a concept that is used by a TDR.
Of the following, what is the most common problem associated with UTP cable?
A. Crosstalk
B. Data emanation
C. Chromatic dispersion
D. Vampire tapping
A. Of the listed answers, crosstalk is the most common problem associated with UTP cable. Older versions of UTP cable (for example, Category 3 or 5) are more susceptible to crosstalk than newer versions such as Cat 5e or Cat6. Although data emanation can be a problem with UTP cable, it is more common with coaxial cable, as is vampire tapping. Chromatic dispersion is a problem with fiber-optic cable.
What two security precautions can best help to protect against wireless network attacks?
A. Authentication and the WEP
B. Access control lists and WEP
C. Identification and WPA2
D. Authentication and WPA
D. The best two security precautions are authentication and WPA. Although WPA2 is more secure than WPA, the term identification is not correct. WEP is a deprecated wireless encryption protocol and should be avoided.
Which of the following cables suffers from chromatic dispersion if the cable is too long?
A. Twisted-pair cable
B. Fiber-optic cable
C. Coaxial cable
D. USB cables
B. Fiber-optic cable is the only one listed that might suffer from chromatic dispersion, because it is the only cable based on light. All the other answers are based on electricity.
Which of the following cable media is the least susceptible to a tap?
A. Coaxial cable
B. Twisted-pair cable
C. Fiber-optic cable
D. CATV cable
C. Fiber-optic cable is the least susceptible to a tap because it operates on the principle of light as opposed to electricity. All the other answers suffer from data emanation because they are all copper-based.
Which of the following, when removed, can increase the security of a wireless access point?
A. MAC filtering
B. SSID
C. WPA
D. Firewall
B. By removing the service set identifier or SSID, the wireless access point will be more secure, and it will be tougher for wardrivers to access that network. Of course, no new clients can connect to the wireless access point (unless they do so manually). MAC filtering, WPA, and firewalls are all components that increase the security of a wireless access point.
A wireless network switch has connectivity issues but only when the air-conditioning system is running. What can be added to fix the problem?
A. Shielding
B. A wireless network
C. A key deflector
D. Redundant air-conditioning systems
A. By shielding the network switch, we hope to deflect any interference from the air conditioning system. Another option would be to move the network switch to another location.
Which of the following is the most secure type of cabling?
A. Unshielded twisted pair
B. Shielded twisted pair
C. Coaxial
D. Category five
B. Shielded twisted pair is the most secure type of cabling listed. It adds an aluminum sheath around the wires that can help mitigate data emanation. By far, fiber-optic would be the most secure type of cabling, because it does not suffer from data emanation since the medium is glass instead of copper.
Which of the following is the least secure type of wireless encryption?
A. WEP 64-bit
B. WEP 128-bit
C. WPA with TKIP
D. WPA2 with AES
A. WEP 64-bit is the least secure type of wireless encryption listed in the possible answers. The answers are listed in order from least secure to most secure.
Which of the following is the unauthorized access of information from a Bluetooth device?
A. Bluejacking
B. Bluesnarfing
C. Blue privileges
D. The Blues Brothers
B. Bluesnarfing is the unauthorized access of information from a Bluetooth device, for example, calendar information, phonebook contacts, and so on. Bluejacking is the sending of unsolicited messages to Bluetooth-enabled devices. Blue privileges is not a valid answer, and if you answered the Blues Brothers, you should reread this entire chapter.
Which of the following can be described as the act of exploiting a bug or flaw in software to gain access to resources that normally would be protected?
A. Privilege escalation
B. Chain of custody
C. Default account
D. Backdoor
A. Privilege escalation is the act of exploiting a bug or flaw in software to gain access to resources that normally would be protected. Chain of custody is the chronological paper trail used as evidence. A default account is an account such as admin set up by the manufacturer on a device; it usually has a blank or simple password. A backdoor is used in computer programs to bypass normal authentication and other security mechanisms that might be in place.
What does isolation mode on an AP provide?
A. Hides the SSID
B. Segments each wireless user from every other wireless user
C. Stops users from communicating with the AP
D. Stops users from connecting to the Internet
B. AP isolation mode segments every wireless user so they can’t communicate with each other. They can still communicate with the AP and access the Internet (or other network that the AP connects to). It does not hide the SSID.
You scan your network and find a rogue access point with the same SSID used by your network. What type of attack is occurring?
A. Wardriving
B. Bluesnarfing
C. Evil twin
D. IV attack
C. An evil twin is a rogue access point that has the same SSID as another access point on the network. Wardriving is when a person attempts to access a wireless network, usually while driving in a vehicle. Bluesnarfing is the unauthorized access of information through a Bluetooth connection. An IV attack is one that attempts to break the encryption of wireless protocols.
Which of the following is an unauthorized wireless router that allows access to a secure network?
A. Rogue access point
B. Evil twin
C. Wardriving
D. AP isolation
A. A rogue access point is an unauthorized wireless router (or WAP) that allows access to a secure network. An evil twin is a type of rogue AP, but it also uses the same SSID as the legitimate network. Wardriving is the act of trying to access a wireless network. AP isolation blocks each wireless user from communicating with each other.
Your boss asks you to limit the wireless signal of a WAP from going outside the building. What should you do?
A. Put the antenna on the exterior of the building
B. Disable the SSID
C. Enable MAC filtering
D. Decrease the power levels of the WAP
D. To limit the wireless signal, decrease the power levels! This can easily be done in most WAP control panels. Putting the antenna on the exterior of the building would make it easier for wardrivers to access the network, and more difficult for actual users. Disabling the SSID has no effect on the signal level. Nor does MAC filtering, though both of those methods can increase the security of your wireless network.
Which of the following is the verification of a person’s identity?
A. Authorization
B. Accountability
C. Authentication
D. Password
C. Authentication is the verification of a person’s identity. Authorization to specific resources cannot be accomplished without previous authentication of the user.
Which of the following would fall into the category of “something a person is”?
A. Passwords
B. Passphrases
C. Fingerprints
D. Smart cards
C. Fingerprints are an example of something a person is. The process of measuring that characteristic is known as biometrics.
Which of the following are good practices for tracking user identities? (Select the two best answers.)
A. Video cameras
B. Key card door access systems
C. Sign-in sheets
D. Security guards
A and B. Video cameras enable a person to view and visually identify users as they enter and traverse through a building. Key card access systems can be configured to identify a person as well, as long as the right person is carrying the key card!
What are two examples of common single sign-on authentication configurations? (Select the two best answers.)
A. Biometrics-based
B. Multifactor authentication
C. Kerberos-based
D. Smart card-based
C and D. Kerberos and smart card setups are common single sign-on configurations.
Which of the following is an example of two factor authentication?
A. L2TP and IPSec
B. Username and password
C. Thumb print and key card
D. Client and server
C. Two-factor authentication (or dual-factor) means that two pieces of identity are needed prior to authentication. A thumbprint and key card would fall into this category. L2TP and IPSec are protocols used to connect through a VPN, which by default require only a username and password. Username and password is considered one-factor authentication. There is no client and server authentication model.
What is the main purpose of a physical access log?
A. To enable authorized employee access
B. To show who exited the facility
C. To show who entered the facility
D. To prevent unauthorized employee access
C. A physical access log’s main purpose is to show who entered the facility and when. Different access control and authentication models will be used to permit or prevent employee access.
Which of the following is not a common criteria when authenticating users?
A. Something you do
B. Something you are
C. Something you know
D. Something you like
D. Common criteria when authenticating users include something you do, something you are, something you know, and something you have. A person’s likes and dislikes are not common criteria, although they may be asked as secondary questions when logging in to a system.
Of the following, what two authentication mechanisms require something you physically possess? (Select the two best answers.)
A. Smart card
B. Certificate
C. USB flash drive
D. Username and password
A and C. Two of the authentication mechanisms that require something you physically possess include smart cards and USB flash drives. Key fobs and cardkeys would also be part of this category. Certificates are granted from a server and are stored on a computer as software. The username/password mechanism is a common authentication scheme, but the credentials are something that you type and not something that you physically possess.
Which of the following is the final step a user needs to take before that user can access domain resources?
A. Verification
B. Validation
C. Authorization
D. Authentication
C. Before a user can gain access to domain resources, the final step is to be authorized to those resources. Previously the user should have provided identification to be authenticated.
To gain access to your network, users must provide a thumbprint and a username and password. What type of authentication model is this?
A. Biometrics
B. Domain logon
C. Multifactor
D. Single sign-on
C. Multifactor authentication means that the user must provide two different types of identification. The thumbprint is an example of biometrics. Username and password are examples of a domain logon. Single sign-on would only be one type of authentication that enables the user access to multiple resources.
The IT director has asked you to set up an authentication model in which users can enter their credentials one time, yet still access multiple server resources. What type of authentication model should you implement?
A. Smart card and biometrics
B. Three factor authentication
C. SSO
D. VPN
C. Single sign-on or SSO enables users to access multiple servers and multiple resources while entering their credentials only once. The type of authentication can vary but will generally be a username and password. Smart cards and biometrics are an example of two-factor authentication. VPN is short for virtual private network.
Which of the following about authentication is false?
A. RADIUS is a client/server system that provides authentication, authorization, and accounting services.
B. PAP is insecure because usernames and passwords are sent as clear text.
C. MS-CHAPv1 is capable of mutual authentication of the client and server.
D. CHAP is more secure than PAP because it encrypts usernames and passwords.
C. MS-CHAPv1 is not capable of mutual authentication of the client and server. Mutual authentication is accomplished with Kerberos. All the other statements are true.
What types of technologies are used by external motion detectors? (Select the two best answers.)
A. Infrared
B. RFID
C. Gamma rays
D. Ultrasonic
A and D. Motion detectors often use infrared technology; heat would set them off. They also use ultrasonic technology; sounds in higher spectrums that humans cannot hear would set these detectors off.
In a secure environment, which authentication mechanism performs better?
A. RADIUS because it is a remote access authentication service.
B. RADIUS because it encrypts client/server passwords.
C. TACACS because it is a remote access authentication service.
D. TACACS because it encrypts client/server negotiation dialogues.
D. Unlike RADIUS, TACACS (Terminal Access Controller Access-Control System) encrypts client/server negotiation dialogues. Both protocols are remote authentication protocols.
Which port number does the protocol LDAP use when it is secured?
A. 389
B. 443
C. 636
D. 3389
C. Port 636 is the port used to secure LDAP. Port 389 is the standard LDAP port number. Port 443 is used by HTTPS (SSL/TLS), and Port 3389 is used by RDP.
Which of the following results occurs when a biometric system identifies a legitimate user as unauthorized?
A. False rejection
B. False positive
C. False acceptance
D. False exception
A. If a biometric system identifies a legitimate user as unauthorized, it is known as a false rejection or a false negative. A false positive is when a system authenticates a user who should not be allowed access. False acceptance is similar to a false positive in biometric systems. False exceptions have to do with software that has failed and needs to be debugged.
Of the following, which is not a logical method of access control?
A. Username/password
B. Access control lists
C. Biometrics
D. Software-based policy
C. The only answer that is not a logical method of access control is biometrics. Biometrics deals with the physical attributes of a person and is the most tangible of the answers. All the rest deal with software, so they are logical methods.
Which of the following permits or denies access to resources through the use of ports?
A. Hub
B. 802.11n
C. 802.11x
D. 802.1X
D. 802.1X permits or denies access to resources through the use of ports. It implements port-based Network Access Control or PNAC. This is part of the 802.1 group of IEEE protocols. 802.1X should not be confused with 802.11x, which is an informal term used to denote any of the 802.11 standards including 802.11b, 802.11g, and 802.11n. A hub connects computers by way of physical ports but does not permit or deny access to any particular resources; it is a simple physical connector of computers.
Your data center has highly critical information. Because of this you want to improve upon physical security. The data center already has a video surveillance system. What else can you add to increase physical security? (Select the two best answers.)
A. A software-based token system
B. Access control lists
C. A mantrap
D. Biometrics
C and D. A mantrap is a device made to capture a person. It is usually an area with two doorways, the first of which leads to the outside and locks when the person enters, the second of which leads to the secure area and is locked until the person is granted access. Biometrics can help in the granting of this access by authenticating the user in a secure way, such as thumbprint, retina scan, and so on. Software-based token systems and access control lists are both logical and do not play into physical security.
Which authentication method is being referred to by the following steps, in order: logon request, encrypted value response, server challenge, compare encrypted results, and authorize or fail?
A. Security tokens
B. Certificates
C. Kerberos
D. CHAP
D. CHAP, the Challenge Handshake Authentication Protocol, authenticates a user or a network host to entities like Internet access providers. CHAP periodically verifies the identity of the client by using a three-way handshake; the verification is based on a shared secret. After a link has been established, the authenticator sends a challenge message to the peer; this does not happen in the other three authentication methods listed.
What does a virtual private network use to connect one remote host to another? (Select the best answer.)
A. Modem
B. Network adapter
C. Internet
D. Cell phone
C. The Internet is used to connect hosts to each other in virtual private networks. A particular computer will probably also use a VPN adapter and/or a network adapter. Modems are generally used in dial-up connections and not used in VPNs.
Two items are needed before a user can be given access to the network. What are these two items? (Select the two best answers.)
A. Authentication and authorization
B. Authorization and identification
C. Identification and authentication
D. Password and authentication
C. Before users can be given access to the network, the network needs to identify them and authenticate them. Later users may be authorized to use particular resources on the network. Part of the authentication scheme may include a username and password. This would be known as an access control method.
Kerberos uses which of the following? (Select the two best answers.)
A. Ticket distribution service
B. The Faraday cage
C. Port 389
D. Authentication service
A and D. Kerberos uses a ticket distribution service and an authentication service. This is provided by the Key Distribution Center. A Faraday cage is used to block data emanations. Port 389 is used by LDAP. One of the more common ports that Kerberos uses is port 88.
Which of the following authentication systems make use of a Key Distribution Center?
A. Security tokens
B. CHAP
C. Kerberos
D. Certificates
C. Kerberos uses a KDC or Key Distribution Center to centralize the distribution of certificate keys and keep a list of revoked keys.
Of the following, which best describes the difference between RADIUS and TACACS?
A. RADIUS is a remote access authentication service.
B. RADIUS separates authentication, authorization, and auditing capabilities.
C. TACACS is a remote access authentication service.
D. TACACS separates authentication, authorization, and auditing capabilities.
D. Unlike RADIUS, TACACS separates authentication, authorization, and auditing capabilities. The other three answers are incorrect and are not differences between RADIUS and TACACS.
Which of the following best describes the proper method and reason to implement port security?
A. Apply a security control that ties specific ports to end-device MAC addresses, and prevents additional devices from being connected to the network.
B. Apply a security control that ties specific ports to end-device IP addresses, and prevents additional devices from being connected to the network.
C. Apply a security control that ties specific ports to end-device MAC addresses, and prevents all devices from being connected to the network.
D. Apply a security control that ties specific ports to end-device IP addresses, and prevents all devices from being connected to the network.
A. You can achieve port security by applying a security control (such as 802.1X), which ties specific physical ports to end-device MAC addresses and prevents additional devices from being connected to the network. Note that port security solutions such as 802.1X are Data Link Layer technologies (layer 2) so they deal with MAC addresses, not IP addresses. You wouldn’t want to exclude all devices from being connected to the network as this would cause a severe problem with connectivity.
You are tasked with setting up a wireless network that uses 802.1X for authentication. You set up the wireless network using WPA2 and CCMP; however, you don’t want to use a PSK for authentication. Which of the following options would support 802.1X authentication?
A. Kerberos
B. CAC card
C. Preshared key
D. RADIUS
D. RADIUS is a common back-end authenticator for 802.1X. When setting up a wireless access point, the two security mode options are usually PSK (preshared key), which is stored on the WAP, and Enterprise, which usually refers authentication to an external RADIUS server. Kerberos deals with authentication to Microsoft domains. CAC cards are smart cards that are used for ID and authentication to systems.
Which two options can prevent unauthorized employees from entering a server room? (Select the two best answers.)
A. Bollards
B. CCTV
C. Security guard
D. 802.1X
E. Proximity reader
C and E. If a person doesn’t have the proper proximity card, that person will be prevented from entering a server room or other protected room. Security guards can also prevent people from accessing unauthorized areas. However, bollards (short vertical posts) probably wouldn’t stop a person; besides, they aren’t normally installed in front of a server room entrance. CCTV video surveillance is a detective control, but not a preventive control. 802.1X deals with authentication, not with physical security.
What is the most secure method of authentication and authorization in its default form?
A. TACACS
B. Kerberos
C. RADIUS
D. LDAP
B. Kerberos is the most secure method of authentication listed. It has a more complicated system of authentication than TACACS (which is outdated) and RADIUS (which is used in different scenarios than Kerberos). LDAP deals with directories, for example, the ones on a Microsoft domain controller, which Kerberos first needs to give access to.
When attempting to grant access to remote users, which protocol uses separate, multiple-challenge responses for each of the authentication, authorization, and audit processes?
A. RADIUS
B. TACACS
C. TACACS+
D. LDAP
C. TACACS+ is the only answer listed that uses separate processes for authentication, authorization, and auditing. That is one of the main differences between it and RADIUS. TACACS is deprecated and is not often seen in the field. LDAP deals with managing directories of information.
Before gaining access to the datacenter, you must swipe your finger on a device. What type of authentication is this?
A. Biometrics
B. Single sign-on
C. Multifactor
D. Tokens
A. Fingerprint technology is part of the realm of biometrics. Single sign-on means that you can use one type of authentication to get access to more than one system. While that could be going on in this scenario, it is not explicit, so biometrics is the more accurate answer. Multifactor means that more than one type of authentication is needed, for example, a fingerprint and a PIN. Let’s say that users were expected to type a PIN into a keypad to gain access to the datacenter. You might find over time that some persons who enter don’t match the owner of the PIN. That uncertainty can be avoided by incorporating biometrics. Tokens are used to gain access to systems and networks, and might include rolling one-time passwords, but do not incorporate a person’s physical characteristics such as a fingerprint.
Which of the following is the strongest password?
A. |ocrian#
B. Marqu1sD3S0d
C. This1sV#ryS3cure
D. Thisisverysecure
C. Answer C incorporates uppercase and lowercase letters, numbers, and special characters and is 16 characters long. Answer D is also 16 characters but uses only lowercase letters, and answers A and B are shorter and draw on fewer character classes, so none of them has the complexity of answer C.
Which of these is a security component of Windows 7?
A. UAC
B. UPS
C. Gadgets
D. Control Panel
A. User Account Control (UAC) adds a layer of security to Windows Vista, Windows 7, and Windows Server 2008: even an administrator's programs run with standard-user rights until the user explicitly approves an elevation prompt, which protects against malware and user error. It enforces a form of least privilege. A UPS is an uninterruptible power supply, Gadgets are desktop applets, and the Control Panel is a configuration tool, none of which is a security component.
What key combination helps to secure the logon process?
A. Windows+R
B. Ctrl+Shift+Esc
C. Ctrl+Alt+Del
D. Alt+F4
C. Ctrl+Alt+Del is the secure attention sequence: it is intercepted by the operating system and cannot be captured by an ordinary program, so a fake logon window cannot harvest a user's credentials. Requiring it before logon is configured through the Local Security Policy (the setting Interactive logon: Do not require CTRL+ALT+DEL, set to Disabled).
Which of the following is the most common authentication model?
A. Username and password
B. Biometrics
C. Key cards
D. Tokens
A. By far the username and password combination is the most common authentication model. Although biometrics, key cards, and tokens are also used, the password is still the most common.
Which of the following access control methods uses rules to govern whether object access will be allowed? (Select the best answer.)
A. Rule-based access control
B. Role-based access control
C. Discretionary access control
D. Mandatory access control
A. Rule-based access control uses rules to govern whether an object can be accessed. It is a type of mandatory access control.
When using the mandatory access control model, what component is needed?
A. Labels
B. Certificates
C. Tokens
D. RBAC
A. Labels are required in the mandatory access control model (MAC).
Which of the following statements regarding the MAC access control model is true?
A. Mandatory access control is a dynamic model.
B. Mandatory access control enables an owner to establish access privileges to a resource.
C. Mandatory access control is not restrictive.
D. Mandatory access control users cannot share resources dynamically.
D. In MAC (mandatory access control) users cannot share resources dynamically. MAC is not a dynamic model; it is a static model. Owners cannot establish access privileges to a resource; this would be done by the administrator. MAC is indeed very restrictive, as restrictive as the administrator wants it to be.
In the DAC model, how are permissions identified?
A. Role membership.
B. Access control lists.
C. They are predefined.
D. It is automatic.
B. In the discretionary access control model, permissions to files are identified by access control lists (ACLs). Role membership is used in RBAC. The mandatory access control model predefines permissions. In none of these models are permissions identified automatically.
Robert needs to access a resource. In the DAC model, what is used to identify him or other users?
A. Roles
B. ACLs
C. MAC
D. Rules
B. Access control lists (ACLs) are used in the Discretionary Access Control model. This is different from role-based, rule-based, and MAC (Mandatory Access Control) models.
A company has a high attrition rate. What should you ask the network administrator to do first? (Select the best answer.)
A. Review user permissions and access control lists.
B. Review group policies.
C. Review Performance logs.
D. Review the Application log.
A. The first thing administrators should do when they notice that the company has a high attrition rate (high turnover of employees) is to conduct a thorough review of user permissions, rights, and access control lists. A review of group policies might also be necessary but is not as imperative. Performance logs and the Application log will probably not pertain to the fact that the company has a lot of employees being hired and leaving the company.
Your company has 1,000 users. Which of the following password management systems will work best for your company?
A. Multiple access methods
B. Synchronize passwords
C. Historical passwords
D. Self-service password resetting
D. With 1,000 users, having administrators handle every password reset does not scale; the best management system for a company of this size is self-service password resetting, with the reset itself protected by some other form of verification so that the reset process does not become the weakest link.
In a discretionary access control model, who is in charge of setting permissions to a resource?
A. The owner of the resource
B. The administrator
C. Any user of the computer
D. The administrator and the owner
A. In the discretionary access control model (DAC), the owner of the resource is in charge of setting permissions. In a mandatory access control model, the administrator is in charge.
Jason needs to add several users to a group. Which of the following will help him to get the job done faster?
A. Propagation
B. Inheritance
C. Template
D. Access control lists
C. By using a template, you can add many users to a group at once simply by applying the template to the users. Propagation and inheritance deal with how permissions are exchanged between parent folders and subfolders. Access control lists show who was allowed access to a particular resource.
How are permissions defined in the mandatory access control model?
A. Access control lists
B. User roles
C. Defined by the user
D. Predefined access privileges
D. The mandatory access control model uses predefined access privileges to define which users have permission to resources.
Which of the following would lower the level of password security?
A. After a set number of failed attempts, the server will lock the user out, forcing her to call the administrator to reenable her account.
B. Passwords must be greater than eight characters and contain at least one special character.
C. All passwords are set to expire after 30 days.
D. Complex passwords that users cannot change are randomly generated by the administrator.
D. To have a secure password scheme, passwords should be changed by the user. They should not be generated by the administrator. If an administrator were to generate the password for the user, it would have to be submitted in written (and unencrypted) form in some way to the user. This creates a security issue, especially if the user does not memorize the password and leaves a written version of it lying around. All the other answers would increase the level of password security.
Of the following access control models, which use object labels? (Select the best answer.)
A. Discretionary access control
B. Role-based access control
C. Rule-based access control
D. Mandatory access control
D. The mandatory access control (MAC) model uses object and subject labels. DAC and RBAC (role-based access control) do not. Rule-based access control is a portion of MAC, and although it might use labels, MAC is the best answer.
Which of the following methods could identify when an unauthorized access has occurred?
A. Two-factor authentication
B. Session termination
C. Previous logon notification
D. Session lock
C. Previous logon notification (showing the user the date, time, and source of the last logon) can reveal that unauthorized access has occurred. Two-factor authentication means that a person supplies two forms of identification before being authenticated to a network or system. Session termination is a mechanism that can be implemented to end an unauthorized session. A session lock suspends an idle or suspect session until the user reauthenticates. None of those three identify that unauthorized access has already taken place.
What would you use to control the traffic that is allowed in or out of a network? (Select the best answer.)
A. Access control lists
B. Firewall
C. Address resolution protocol
D. Discretionary access control
A. Access control lists can be used to control the traffic that is allowed in or out of a network. They are usually included as part of a firewall, and they are the better answer because they specifically will control the traffic. Address resolution protocol or ARP resolves IP addresses to MAC addresses. In the discretionary access control model, the owner controls permissions of resources.
In an attempt to detect fraud and defend against it, your company cross-trains people in each department. What is this an example of?
A. Separation of duties
B. Chain of custody
C. Job rotation
D. Least privilege
C. When a company cross-trains people, it is known as job rotation. Separation of duties is in a way the opposite; this is when multiple people are needed to complete a single task. Chain of custody has to do with the legal paper trail of a particular occurrence. Least privilege is a mitigation technique to defend against privilege escalation attacks.
What is a definition of implicit deny?
A. Everything is denied by default.
B. All traffic from one network to another is denied.
C. ACLs are used to secure the firewall.
D. Resources that are not given access are denied by default.
D. If access to a resource is not specifically granted, it is denied by default; the deny rule does not have to be written because it is implied. Access control lists are used to permit or deny access from one network to another and are often implemented on a firewall.
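The evaluation logic behind implicit deny, as an added example that is not part of the original card set: a first-match ACL evaluator in which any packet that no rule explicitly permits falls through to the implied deny. The rules and addresses are constructed for the example; the third rule shows the caveat that rule order matters, because a deny placed after a broader permit is partly shadowed by it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port

def parse_rule(text: str) -> Rule:
    """Parse a one-line rule such as 'permit tcp 10.0.0.0/8 192.168.1.10/32 443'."""
    action, proto, src, dst, port = text.split()
    to_net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return Rule(action, proto, to_net(src), to_net(dst), None if port == "any" else int(port))

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation. Returns (action, index of the matching rule).
    If no rule matches, the result is ("deny", None): the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(acl):
        if rule.proto not in ("any", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, i
    return "deny", None          # nothing explicitly permitted it

# Constructed ACL for the example (hypothetical addresses). Rule order matters:
# the deny for 10.0.5.0/24 comes after the permit to the web server, so hosts in
# that subnet can still reach 192.168.1.10:443 (the deny is partly shadowed).
ACL = [parse_rule(r) for r in (
    "permit tcp 10.0.0.0/8 192.168.1.10/32 443",
    "permit udp 10.0.0.0/8 192.168.1.53/32 53",
    "deny   tcp 10.0.5.0/24 any any",
)]
```

The `("deny", None)` result is the useful one in practice: when a connection is blocked and no rule index is reported, the cause is the implicit deny, which means a permit rule is missing rather than a deny rule being wrong.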
In an environment where administrators, the accounting department, and the marketing department all have different levels of access, which of the following access control models is being used?
A. Role-based access control (RBAC)
B. Mandatory access control (MAC)
C. Discretionary access control (DAC)
D. Rule-based access control (RBAC)
A. Role-based access control is when different groups or roles are assigned different levels of permissions; rights and permissions are based on job function. In the mandatory access control model, an administrator centrally controls permissions. In the discretionary access control model, the owner of the resource sets permissions. In the rule-based access control model, rules are defined by the administrator and are stored in an ACL.
Which security measure should be included when implementing access control?
A. Disabling SSID broadcast
B. Time-of-day restrictions
C. Changing default passwords
D. Password complexity requirements
D. By implementing password complexity requirements, users are forced to select and enter complex passwords, for example, eight characters or more with uppercase characters, numbers, and special characters. Disabling SSID broadcast applies to wireless networks, time-of-day restrictions are applied only after a person has logged in with a username and password, and changing default passwords should be part of a password policy rather than a measure added to access control.
Which password management system best provides for a system with a large number of users?
A. Locally saved passwords management systems
B. Synchronized passwords management systems
C. Multiple access methods management systems
D. Self-service password reset management systems
D. If a network has a large number of users, the administrator should set up a system and policies to enforce the system that will allow for users to reset their own passwords. The passwords should be stored centrally, not locally. Also, it would be best if single sign-on were implemented and not a multiple access method.
You administer a bulletin board system for a rock and roll band. While reviewing logs for the board, you see one particular IP address posting spam multiple times per day. What is the best way to prevent this type of problem?
A. Block the IP address of the user.
B. Ban the user.
C. Disable ActiveX.
D. Implement CAPTCHA.
D. By implementing CAPTCHA, another level of security is added that users have to complete before they can register to and/or post to a bulletin board. Although banning a user or the user’s IP address can help to eliminate that particular person from spamming the site, the best way is to add another level of security, such as CAPTCHA. This applies to all persons who attempt to attack the bulletin board.
Your organization has enacted a policy where employees are required to create passwords with at least 15 characters. What type of policy does this define?
A. Password length
B. Password expiration
C. Minimum password age
D. Password complexity
A. Password length is the policy that deals with how many characters are in a password. Password expiration and minimum (and maximum) password age define how long a password will be valid. Password complexity defines whether the password should have uppercase letters, numbers, and special characters.
Users are required to change their passwords every 30 days. Which policy should be configured?
A. Password length
B. Password recovery
C. Password expiration
D. Account lockout
C. The password expiration policy should be configured. For example, in Windows, the maximum password age policy should be set to 30 days. Password length deals with how many characters are in the password. Password recovery defines how (and if) a user can get back his password or create a new one. Account lockout policies dictate how many times the user can type a password incorrectly before being locked out of the system, and for how long the user will remain locked out.
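The password policy settings from the last several cards (length, complexity, history, minimum age, and expiration) as one enforcement routine, added here as an example and not taken from the original card set. The policy values are assumptions chosen for the example, and the stored history uses plain SHA-256 only to keep the code short; a real system would compare against salted, slow hashes.

```python
import hashlib
import re
from datetime import date, timedelta

# Policy values chosen for this example (assumptions, not taken from the cards).
POLICY = {
    "min_length": 15,          # password length
    "complexity_classes": 3,   # of upper / lower / digit / special
    "history": 5,              # previous passwords that may not be reused
    "min_age_days": 1,         # minimum password age
    "max_age_days": 30,        # password expiration (maximum password age)
}

CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
TODAY = date(2024, 1, 31)      # fixed "today" so the example is reproducible

def days_ago(today, n):
    return today - timedelta(days=n)

def remember(password):
    """Stored form of a previous password. Plain SHA-256 is used here only to keep the
    example short; a real system stores a salted, slow hash (bcrypt, scrypt, PBKDF2)."""
    return hashlib.sha256(password.encode()).hexdigest()

def complexity_classes(password):
    return sum(1 for pattern in CLASSES if re.search(pattern, password))

def check_new_password(password, history, last_changed, today, policy=POLICY):
    """Return the list of policy violations for a proposed password change.
    history: hashes of previous passwords (oldest first); last_changed: date or None."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    if complexity_classes(password) < policy["complexity_classes"]:
        problems.append("insufficient complexity")
    if remember(password) in history[-policy["history"]:]:
        problems.append("reused recent password")
    if last_changed is not None and (today - last_changed).days < policy["min_age_days"]:
        problems.append("changed too recently (minimum age)")
    return problems

def password_expired(last_changed, today, policy=POLICY):
    """True when the password is older than the maximum age and must be changed."""
    return (today - last_changed).days > policy["max_age_days"]
```

Minimum age is the setting most often left out: without it a user can cycle through five throwaway passwords in a minute and return to the original one, which makes the history setting pointless.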
Which type of vulnerability assessments software can check for weak passwords on the network?
A. Wireshark
B. Antivirus software
C. Performance Monitor
D. A password cracker
D. A password cracker can check for weak passwords on the network. Antivirus software can scan for viruses on a computer. Performance Monitor enables you to create baselines to check the performance of a computer. Wireshark is a protocol analyzer.
You are contracted to conduct a forensics analysis of the computer. What should you do first?
A. Back up the system.
B. Analyze the files.
C. Scan for viruses.
D. Make changes to the operating system.
A. Make a forensic copy of the system before you do anything else: a bit-for-bit image of the storage, hashed at acquisition so that you can later prove it is unchanged, with the original preserved and all analysis performed on the copy. Analyzing files, scanning for viruses, or changing the operating system first would alter the evidence and undermine the chain of custody.
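Acquiring and verifying a forensic image, as an added example that is not part of the original card set: the source is copied byte for byte, hashed as it is read, and the hash is later recomputed over the image to show it has not changed. A temporary file constructed with random bytes stands in for the disk or partition.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024

def sha256_of(path):
    """Hash a file in chunks so that multi-gigabyte images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image_path):
    """Copy `source` byte for byte to `image_path`, hashing the data as it is read.
    Returns the hash of what was read, to be recorded with the chain-of-custody notes."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()

def verify_image(image_path, recorded_hash):
    """True if the image still hashes to the value recorded at acquisition time."""
    return sha256_of(image_path) == recorded_hash

def demo():
    """Constructed evidence: a temporary file stands in for the disk or partition.
    Returns (image verifies after acquisition, image verifies after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "evidence.bin")
        image = os.path.join(d, "evidence.dd")
        with open(evidence, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))     # odd size: the last chunk is partial
        recorded = acquire_image(evidence, image)
        intact = verify_image(image, recorded)
        with open(image, "r+b") as f:               # simulate an analyst writing to the image
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))    # flip bits so the content is certain to change
        after_tamper = verify_image(image, recorded)
        return intact, after_tamper
```

In practice the image would then be set read-only and a second copy made for analysis; the hash recorded at acquisition, not a hash taken later, is what the chain-of-custody record should hold.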
Which of the following has schemas written in XML?
A. OVAL
B. 3DES
C. WPA
D. PAP
A. OVAL (Open Vulnerability and Assessment Language) uses XML as a framework for the language. It is a community standard dealing with the standardization of information transfer. 3DES is an encryption algorithm. WPA is a wireless encryption standard, and the deprecated PAP is the Password Authentication Protocol, used for identifying users to a server.
Russ is using only documentation to test the security of a system. What type of testing methodology is this known as?
A. Active security analysis
B. Passive security analysis
C. Hybrid security analysis
D. Hands-on security analysis
B. Passive security analysis or passive security testing would be one that possibly does not include a hands-on test. It is less tangible and often includes the use of documentation only. To better protect a system or network, a person should also use active security analysis.
Of the following which is the best way for a person to find out what security holes exist on the network?
A. Run a port scan.
B. Use a network sniffer.
C. Perform a vulnerability assessment.
D. Use an IDS solution.
C. The best way to find all the security holes that exist on a network is to perform a vulnerability assessment. This may include utilizing a port scanner and using a network sniffer and perhaps using some sort of IDS.
After using NMAP to do a port scan of your server, you find that several ports are open. Which of the following should you do next?
A. Leave the ports open and monitor them for malicious attacks.
B. Run the port scan again.
C. Close all ports.
D. Examine the services and/or processes that use those ports.
D. If you find ports open that you don’t expect, be sure to examine the services and or processes that use those ports. You may have to close some or all those ports. When you finish with your examination, and after you have taken action, run the port scan again to verify that those ports are closed.
Which of the following is a vulnerability assessment tool?
A. John the Ripper
B. AirSnort
C. Nessus
D. Cain & Abel
C. Nessus is a vulnerability assessment tool. AirSnort is used to recover WEP keys from captured wireless traffic. John the Ripper and Cain & Abel are password cracking programs.
You are a consultant for an IT company. Your boss asks you to determine the topology of the network. What is the best device to use in this circumstance?
A. Network mapper
B. Protocol analyzer
C. Port scanner
D. A vulnerability scanner
A. A network mapper is the best tool to use to determine the topology of the network and to find out what devices and computers reside on that network. An example of this would be LAN Surveyor.
Which of the following can enable you to find all the open ports on an entire network?
A. Protocol analyzer
B. Network scanner
C. Firewall
D. Performance monitor
B. A network scanner is a port scanner used to find open ports on multiple computers on the network. A protocol analyzer is used to delve into packets. A firewall protects a network, and a performance monitor is used to create baselines for and monitor a computer.
What can hackers accomplish using malicious port scanning?
A. “Fingerprint” of the operating system
B. Topology of the network
C. All the computer names on the network
D. All the usernames and passwords
A. Port scanning is used maliciously to enumerate the services listening on a computer, and the way the system responds to the probes can identify its operating system; this is known as the "fingerprint" of the operating system. Port scanning by itself does not reveal the topology of the network, computer names, usernames, or passwords.
Many companies send passwords via clear text. Which of the following can view these passwords?
A. Rainbow Table
B. Port scanner
C. John the Ripper
D. Protocol analyzer
D. A protocol analyzer can delve into the packets sent across the network and determine whether those packets contain clear-text passwords. Rainbow tables and John the Ripper deal with cracking passwords that were stored or transmitted as hashes; they aren't necessary if the password was sent in clear text. Port scanners scan computers for open ports.
Which of the following persons is ultimately in charge of deciding how much residual risk there will be?
A. Chief security officer
B. Security administrator
C. Senior management
D. Disaster Recovery Plan coordinator
C. Residual risk is the risk left over after a security and disaster recovery plan have been implemented. There is always risk, because a company cannot possibly foresee every future event, nor can it secure against every single threat. Senior management as a collective whole is ultimately responsible for deciding how much residual risk there will be in a company’s network. No one person should be in charge of this, but it should be decided on as a group. If the group decides that residual risk is too high, the group might decide to get insurance in addition to its security plan. The security administrator is in charge of finding and removing risks to the network and systems and should mitigate risks if possible. The disaster recovery plan (DRP) coordinator usually assesses risks and documents them, along with creating strategies to defend against any disastrous problems that might occur from that risk, but that person does not decide on the amount of acceptable residual risk to a company.
To show risk from a monetary standpoint, which of the following should risk assessments be based upon?
A. Survey of loss, potential threats, and asset value
B. Quantitative measurement of risk, impact, and asset value
C. Complete measurement of all threats
D. Qualitative measurement of risk and impact
B. When dealing with dollars, risk assessments should be based upon a quantitative measurement of risk, impact, and asset value.
The main objective of risk management in an organization is to reduce risk to a level _____________. (Fill in the blank.)
A. The organization will mitigate
B. Where the ARO equals the SLE
C. The organization will accept
D. Where the ALE is lower than the SLE
C. The main objective of risk management is to reduce risk to a level that the organization or company will accept. Mitigation is the act of reducing threats in general.
Why would a security administrator use a vulnerability scanner? (Select the best answer.)
A. To identify remote access policies
B. To analyze protocols
C. To map the network
D. To find open ports on a server
D. The best answer for why a security administrator would use a vulnerability scanner is to find open ports on a particular computer. Although a vulnerability scanner can do more than scan for open ports, it is the best answer listed.
An example of a program that does comparative analysis is what?
A. Protocol analyzer
B. Password cracker
C. Port scanner
D. Event Viewer
B. A password cracker is a program that does comparative analysis. It does not reverse the stored hash; it hashes each candidate password, taken from a dictionary or generated by brute force, and compares the result with the stored hash until it finds a match.
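The comparative analysis just described, and the weak-password check from the earlier card on password crackers, as an added example that is not part of the original card set. The account store, salts, and wordlist are constructed for the example; the hash is PBKDF2 with a deliberately low iteration count so the audit runs quickly. The `mangle` rules are a small imitation of the word-mangling rules crackers such as John the Ripper apply, not that tool's own rule set.

```python
import hashlib

ITERATIONS = 10_000   # deliberately low so the example runs quickly; real stores use far more

def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, the kind of hash an account store holds instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

# Constructed account store (hypothetical users, not real data): user -> (salt, stored hash).
# Each user has a different salt, so every candidate must be rehashed per account;
# that per-account salt is also what defeats precomputed rainbow tables.
ACCOUNTS = {
    "alice": (b"salt-alice", hash_password("password1", b"salt-alice")),
    "bob":   (b"salt-bob",   hash_password("Summer2023!", b"salt-bob")),
    "carol": (b"salt-carol", hash_password("This1sV#ryS3cure", b"salt-carol")),
}

WORDLIST = ["123456", "password", "summer", "qwerty"]

def mangle(word):
    """A tiny rule set in the spirit of cracker mangling rules: the base word, a digit
    appended, capitalised, and capitalised with a year and '!' appended."""
    yield word
    yield word + "1"
    yield word.capitalize()
    for year in ("2022", "2023", "2024"):
        yield word.capitalize() + year
        yield word.capitalize() + year + "!"

def audit(accounts, wordlist):
    """Comparative analysis: hash each candidate with the account's salt and compare the
    result with the stored hash. Returns {user: recovered password} for the weak ones."""
    found = {}
    for user, (salt, stored) in accounts.items():
        for base in wordlist:
            hit = next((c for c in mangle(base) if hash_password(c, salt) == stored), None)
            if hit is not None:
                found[user] = hit
                break
    return found
```

Run against the constructed store, the audit recovers alice's and bob's passwords and fails on carol's, which is the result a weak-password check is after: the accounts that fall to a short wordlist with simple rules are the ones to force a change on.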
Why do hackers often target nonessential services? (Select the two best answers.)
A. Often they are not configured correctly.
B. They are not monitored as often.
C. They are not used.
D. They are not monitored by an IDS.
A and B. Nonessential services are often not configured and secured by the network administrator; this goes hand-in-hand with the fact that they are not monitored as often as essential services. It is imperative that network administrators scan for nonessential services and close any corresponding ports. Even though services may be nonessential, that doesn’t necessarily mean that they are not used. An IDS, if installed properly, should monitor everything on a given system.
Which of the following tools uses ICMP as its main underlying protocol?
A. Ping scanner
B. Port scanner
C. Image scanner
D. Barcode scanner
A. A ping scanner uses the Internet Control Message Protocol (ICMP) to conduct its scans. Ping's echo request and reply are ICMP messages, which are carried in IP; on the local segment ARP is used to find the MAC address of the next hop. Image scanners are found in printers and as standalone devices that scan images, photos, and text into a computer. Barcode scanners are used to scan barcodes, for example, at the supermarket.
Which command would display the following output?
Active Connections
Proto Local Address Foreign Address State
TCP laptop-musicxpc:1395 8.15.228.165:http ESTABLISHED
A. Ping
B. Ipconfig
C. Nbtstat
D. Netstat
D. Netstat shows active sessions between the local computer and remote computers, listing each by computer name (or IP address) and port name (or number). Use netstat -n to show numeric addresses and ports instead of resolved names, and add -o (Windows) or -p (Linux) to see which process owns each connection.
Which of the following is used when performing a quantitative risk analysis?
A. Asset value
B. Surveys
C. Focus groups
D. Best practices
A. Asset value is assigned when performing quantitative risk analysis. Surveys, focus groups, and best practices might help with qualitative risk analysis but do not offer concrete data that a quantitative risk analysis requires. Money is the key ingredient here when it comes to quantitative risk analysis.
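The quantitative formulas behind the last several risk cards (SLE = AV x EF, ALE = SLE x ARO, and the cost/benefit and residual-risk decisions built on them), carried through in code as an added example that is not part of the original card set. The asset value, exposure factor, occurrence rate, and control cost are constructed figures.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float            # AV: asset value in dollars
    exposure_factor: float  # EF: fraction of the asset's value lost in one incident (0.0 to 1.0)
    aro: float              # ARO: annualized rate of occurrence (incidents per year)

    @property
    def sle(self):
        """Single loss expectancy: SLE = AV x EF."""
        return self.value * self.exposure_factor

    @property
    def ale(self):
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro

def net_benefit(asset, control_cost, new_exposure_factor=None, new_aro=None):
    """Cost/benefit of a control: (ALE before - ALE after) - annual cost of the control.
    Returns (net benefit, residual ALE). A positive net benefit means the control is worth
    buying; the residual ALE is the risk in dollars that management must decide to accept."""
    after = Asset(asset.name, asset.value,
                  asset.exposure_factor if new_exposure_factor is None else new_exposure_factor,
                  asset.aro if new_aro is None else new_aro)
    return asset.ale - after.ale - control_cost, after.ale

# Constructed figures (assumptions, not from the cards): a file server worth $200,000 that
# loses 25% of its value in a ransomware incident expected once every two years.
FILE_SERVER = Asset("file server", 200_000, 0.25, 0.5)

# Candidate controls: nightly backups cut the exposure factor; an expensive appliance cuts
# the occurrence rate but costs more per year than it saves.
BACKUPS = net_benefit(FILE_SERVER, 8_000, new_exposure_factor=0.05)
APPLIANCE = net_benefit(FILE_SERVER, 30_000, new_aro=0.1)
```

With the constructed figures the server's SLE is $50,000 and its ALE $25,000 per year; backups costing $8,000 per year bring the ALE down to $5,000, a net benefit of $12,000 with $5,000 of residual risk, while the $30,000 appliance has a negative net benefit even though it reduces the ALE by the same amount.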
You have been tasked with running a penetration test on a server. You have been given limited knowledge about the inner workings of the server. What kind of test will you be performing?
A. White box
B. Gray box
C. Black box
D. Passive vulnerability scan
B. When you are given limited information of a system or network, it is known as gray box testing. White box testing is when you are given in-depth or complete information about the system. Black box testing is when you know very little (or nothing) about the system to be tested. Penetration tests are active and are meant to test for a single threat and exploit it. Passive vulnerability scans are different tests altogether and test for as many threats as they can find, without exploiting one of them.
Which of the following is a technical control?
A. Disaster recovery plan
B. Baseline configuration development
C. Least privilege implementation
D. Categorization of system security
C. The least privilege concept is executed as a technical control. A process that is severely limited in its functionality and a user who has very limited rights are some of the things that must be initiated technically. A disaster recovery plan and baseline configuration development would be operational controls. The categorization of system security would be a management control.
Which of the following is a detective security control?
A. Bollards
B. Firewall
C. Tape backup
D. CCTV
D. Closed-circuit television is an example of a detective security control: it records who entered a building and when. Bollards (vertical posts) and firewalls are preventive controls, and tape backup is a corrective control.
Which of the following is a management control?
A. Least privilege implementation
B. Baseline configuration development
C. Vulnerability scanning
D. Session locks
C. Vulnerability scanning, as part of vulnerability management, is a management control. Least privilege implementation and session locks are examples of technical controls. Baseline configuration development is an example of an operational control.
Which of the following would you make use of when performing a qualitative risk analysis?
A. Judgment
B. Asset value
C. Threat frequency
D. SLE
A. When performing a qualitative risk analysis a person often uses his own judgment. Asset value, threat frequency, and SLE (single loss expectancy) are all components of a quantitative risk analysis.
What is the best action to take when you conduct a corporate vulnerability assessment?
A. Document your scan results for the change control board
B. Examine vulnerability data with a network sniffer
C. Update systems
D. Organize data based on severity and asset value
D. When conducting vulnerability assessments you should organize the collected data by vulnerability and exploit severity as well as the asset value of the possibly affected equipment/systems. Documenting your scan results for a change control board may come later depending on some decision making by the corporation. You should have already used a network sniffer to find vulnerabilities and possible exploits. Updating the systems will most likely happen at some point, but for the time being, it should be a recommendation within your vulnerability assessment. Management will decide how and if that will occur.
You are implementing a new enterprise database server. After you evaluate the product with various vulnerability scans you determine that the product is not a threat in of itself but it has the potential to introduce new vulnerabilities to your network. Which assessment should you now take into consideration while you continue to evaluate the database server?
A. Risk assessment
B. Code assessment
C. Vulnerability assessment
D. Threat assessment
A. If a new solution poses the potential for new vulnerabilities to your network, you should run an in-depth risk assessment of the new product. In this case, we are not yet doing any coding, so a code assessment is not necessary, but should be implemented as part of a secure code review in the case that we make any programming changes to the database server. You have already run a vulnerability assessment when you did the vulnerability scans. You found that the solution is not a threat but could pose other threats. The risk assessment defines what kind of issues your organization could face due to the threats and vulnerabilities.
Why should penetration testing only be done during controlled conditions?
A. Because vulnerability scanners can cause network flooding
B. Because penetration testing actively tests security controls and can cause system instability
C. Because white box penetration testing cannot find zero-day attacks
D. Because penetration testing passively tests security controls and can cause system instability
B. Penetration testing is an active test that seeks to exploit one vulnerability. It can indeed cause system instability, so it should be run only during controlled conditions and with express consent of the system owner. Vulnerability scanners are usually passive and should not cause network flooding. Zero-day attacks are based on vulnerabilities that are unknown to the system designer. In a white box testing environment, zero-day vulnerabilities may become uncovered (at which point they are not quite zero-day anymore), but the fact remains that penetration testing can cause system instability.
Which of the following is a record of the tracked actions of users?
A. Performance Monitor
B. Audit trails
C. Permissions
D. System and event logs
B. Audit trails are records showing the tracked actions of users. The Performance Monitor is a tool in Windows that enables you to track the performance of objects such as CPU, RAM, network adapter, physical disk, and so on. Permissions grant or deny access to resources. To see whether permissions were granted, auditing must be enabled. The system and other logs record events that happened in other areas of the system, for example, events concerning the operating system, drivers, applications, and so on.
What tool enables you to be alerted if a server’s processor trips a certain threshold?
A. TDR
B. Password cracker
C. Event Viewer
D. Performance Monitor
D. The Performance Monitor can be configured in such a way where alerts can be set for any of the objects (processor, RAM, paging file) in a computer. For example, if the processor were to go beyond 90% usage for more than 1 minute, an alert would be created and could be sent automatically to an administrator. A TDR is a time-domain reflectometer, an electronic instrument used to test cables for faults. A password cracker is a software program used to recover or crack passwords; an example would be Cain & Abel. The Event Viewer is a built-in application in Windows that enables a user to view events on the computer such as warnings, errors, and other information events. It does not measure the objects in a server in the way that Performance Monitor does.
The IT director has asked you to install agents on several client computers and monitor them from a program at a server. What is this known as?
A. SNMP
B. SMTP
C. SMP
D. Performance Monitor
A. The Simple Network Management Protocol (SNMP) is used when a person installs agents on client computers to monitor those systems from a single remote location. SMTP is used by e-mail clients and servers. SMP is Symmetric Multi-Processing, which is not covered in the Security+ exam objectives. Performance Monitor enables a person to monitor a computer and create performance baselines.
One of your coworkers complains to you that he cannot see any security events in the Event Viewer. What are three possible reasons for this? (Select the three best answers.)
A. Auditing has not been turned on.
B. The log file is only 512 KB.
C. The coworker is not an administrator.
D. Auditing for an individual object has not been turned on.
A, C, and D. To audit events on a computer, an administrator would need to enable auditing within the computer’s policy, then turn on auditing for an individual object (folder, file, and so on), and then view the events within the Security log of the Event Viewer. 512 KB is big enough for many events to be written to it.
Which tool can be instrumental in capturing FTP GET requests?
A. Vulnerability scanner
B. Port scanner
C. Performance Monitor
D. Protocol analyzer
D. A protocol analyzer captures data including things such as GET requests that were initiated from an FTP client. Vulnerability scanners and port scanners look for open ports and other vulnerabilities of a host. Performance Monitor is a Windows program that reports on the performance of the computer system and any of its parts.
Your manager wants you to implement a type of intrusion detection system (IDS) that can be matched to certain types of traffic patterns. What kind of IDS is this?
A. Anomaly-based IDS
B. Signature-based IDS
C. Behavior-based IDS
D. Heuristic-based IDS
B. When using an IDS, particular types of traffic patterns refer to signature-based IDS. Heuristic signatures are a subset of signature-based monitoring systems, so signature-based IDS is the best answer. Anomaly-based and behavior-based systems use different methodologies.
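Signature-based matching over traffic records, as an added example that is not part of the original card set: a handful of fixed patterns for known attack traffic are run over constructed web server log lines (hypothetical hosts, not real traffic). The example also shows the caveat that matters most with this kind of IDS: the request must be normalized (here, URL-decoded) before matching, or a percent-encoded variant of the same attack slips past the signature.

```python
import re
from urllib.parse import unquote

# Constructed web server log lines (hypothetical hosts; not real traffic).
LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200
10.0.0.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1" 200
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /../../etc/passwd HTTP/1.1" 404
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /about.html HTTP/1.1" 200
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "POST /upload HTTP/1.1" 200
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signatures: fixed patterns describing known attack traffic (the "traffic patterns" of the card).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
    "cgi-probe":      re.compile(r"^/cgi-bin/"),
}

def parse(line):
    """Split one log line into (source address, method, request path, status)."""
    m = LINE.match(line)
    if not m:
        return None
    src, method, path, status = m.groups()
    return src, method, path, int(status)

def detect(log, decode=True):
    """Run every signature over every request path. Returns [(source, signature name)].
    With decode=True the path is URL-decoded first; matching the raw bytes instead is
    trivially evaded by percent-encoding, which the decode=False result demonstrates."""
    alerts = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, _method, path, _status = rec
        target = unquote(path) if decode else path
        for name, pattern in SIGNATURES.items():
            if pattern.search(target):
                alerts.append((src, name))
    return alerts
```

An anomaly-based or behavior-based system would not carry these patterns at all; it would learn the normal request mix per source and flag 10.0.0.9 because its requests deviate from that baseline, which is why it can catch attacks no signature yet describes and why it also produces more false positives.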
You are setting up auditing on a Windows XP Professional computer. If set up properly, which log should have entries?
A. Application log
B. System log
C. Security log
D. Maintenance log
C. After Auditing is turned on and specific resources are configured for auditing, you need to check the Event Viewer’s Security log for the entries. These could be successful logons or misfired attempts at deleting files; there are literally hundreds of options. The Application log contains errors, warnings, and informational entries about applications. The System log deals with drivers and system files and so on. A System Maintenance log can be used to record routine maintenance procedures.
You have established a baseline for your server. Which of the following is the best tool to use to monitor any changes to that baseline?
A. Performance Monitor
B. Antispyware
C. Antivirus software
D. Vulnerability assessments software
A. Performance monitoring software can be used to create a baseline and then monitor for any deviation from that baseline. An example is the Performance console within Windows Server 2003 (commonly referred to as Performance Monitor). Antivirus and antispyware applications usually go hand in hand and are not used to monitor server baselines. Vulnerability-assessment software such as Nessus (and port scanners such as Nmap) is used to find open ports and other vulnerabilities on a server, not to track a performance baseline.
In what way can you gather information from a remote printer?
A. HTTP
B. SNMP
C. CA
D. SMTP
B. SNMP (Simple Network Management Protocol) enables you to gather information from a remote printer. HTTP is the hypertext transfer protocol that deals with the transfer of web pages. A CA is a certificate authority, and SMTP is the Simple Mail Transfer Protocol.
Which of the following can determine which flags are set in a TCP/IP handshake?
A. Protocol analyzer
B. Port scanner
C. SYN/ACK
D. Performance Monitor
A. A protocol analyzer can look inside the packets that make up a TCP three-way handshake and show which flags are set: SYN (synchronize sequence numbers), ACK (the acknowledgment number field is significant), and so on. Port scanners and Performance Monitor do not display the flags set in a handshake, nor do they decode packet contents in general.
Which of following is the most basic form of IDS?
A. Anomaly based
B. Behavioral-based
C. Signature-based
D. Statistical-based
C. Signature-based IDS is the most basic form of intrusion detection systems, or IDS. This monitors packets on the network and compares them against a database of signatures. Anomaly-based, behavioral-based, and statistical-based are all more complex forms of IDS. Anomaly and statistical are often considered to be the same type of monitoring methodology.
Which of the following deals with the standard load for a server?
A. Patch management
B. Group policy
C. Port scanning
D. Configuration baseline
D. A configuration baseline deals with the standard load of a server. By measuring the traffic that passes through the server’s network adapter, you can create a configuration baseline over time.
Your boss wants you to properly log what happens on a database server. What are the most important concepts to think about while you do so? (Select the two best answers.)
A. The amount of virtual memory that you will allocate for this task
B. The amount of disk space you will require
C. The information that will be needed to reconstruct events later
D. Group policy information
B and C. It is important to calculate how much disk space you will require for the logs of your database server and verify that you have that much disk space available on the hard drive. It is also important to plan what information will be needed in the case that you need to reconstruct events later. Group policy information and virtual memory are not important for this particular task.
Which of the following is the best practice to implement when securing logs files?
A. Log all failed and successful login attempts.
B. Deny administrators access to log files.
C. Copy the logs to a remote log server.
D. Increase security settings for administrators.
C. It is important to copy the logs to a secondary server in case something happens to the primary log server; this way you have another copy of any possible security breaches. Logging all failed and successful login attempts might not be wise, because it will create many entries. The rest of the answers are not necessarily good ideas when working with log files.
What is the main reason to frequently view the logs of a DNS server?
A. To create aliases
B. To watch for unauthorized zone transfers
C. To defend against denial of service attacks
D. To prevent domain name kiting
B. Security administrators should frequently review the logs of a DNS server to catch unauthorized zone transfers, which hand an attacker a complete map of the zone's hosts. Aliases (CNAME records) are DNS names that point to another hostname or FQDN. Simply viewing the logs of a DNS server will not defend against denial-of-service attacks. Domain name kiting is the practice of repeatedly registering and cancelling a domain within the five-day grace period so that it is never paid for.
As you review your firewall log, you see the following information. What type of attack is this?
S=207.50.135.54:53 - D=10.1.1.80:0
S=207.50.135.54:53 - D=10.1.1.80:1
S=207.50.135.54:53 - D=10.1.1.80:2
S=207.50.135.54:53 - D=10.1.1.80:3
S=207.50.135.54:53 - D=10.1.1.80:4
S=207.50.135.54:53 - D=10.1.1.80:5
A. Denial of service
B. Port scanning
C. Ping scanning
D. DNS spoofing
B. Information listed is an example of a port scan. The source IP address perpetuating the port scan should be banned or blocked on the firewall. The fact that the source computer is using port 53 is of no consequence during the port scan and does not imply DNS spoofing. It is not a denial-of-service attack; note that the destination IP address ends in 80, but the number 80 is part of the IP and is not the port.
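The pattern in the log above (one source, one destination, a run of distinct destination ports) is what a detection rule keys on. The following is an added example, not part of the original question set: it parses firewall lines in the `S=src:sport - D=dst:dport` format shown above and flags source/destination pairs that touched many distinct ports. The sample log is constructed and extends the question's six lines with ordinary web traffic that must not be flagged; the threshold of five distinct ports is an assumption.

```python
"""Added example: flag port scans in firewall log lines of the form
S=<src>:<sport> - D=<dst>:<dport>. The sample lines are constructed to
match the format shown in the question; they are not from a real device.
"""
import re
from collections import defaultdict

# Constructed sample: one source sweeping low ports on 10.1.1.80, plus
# ordinary web traffic that must not be flagged.
SAMPLE_LOG = """\
S=207.50.135.54:53 - D=10.1.1.80:0
S=207.50.135.54:53 - D=10.1.1.80:1
S=207.50.135.54:53 - D=10.1.1.80:2
S=207.50.135.54:53 - D=10.1.1.80:3
S=207.50.135.54:53 - D=10.1.1.80:4
S=207.50.135.54:53 - D=10.1.1.80:5
S=198.51.100.7:51522 - D=10.1.1.80:80
S=198.51.100.7:51523 - D=10.1.1.80:80
S=198.51.100.7:51524 - D=10.1.1.80:443
"""

LINE_RE = re.compile(
    r"S=(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*-\s*"
    r"D=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse(log_text):
    """Yield (src, sport, dst, dport) tuples; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_port_scans(log_text, threshold=5):
    """Return {(src, dst): sorted distinct dports} for pairs where one source
    touched at least `threshold` distinct destination ports. Legitimate
    clients hit one or two service ports, so a wide spread is the signal;
    the source port (53 here) is irrelevant, though a fixed one is itself odd."""
    ports = defaultdict(set)
    for src, _sport, dst, dport in parse(log_text):
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for (src, dst), dports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {dports}")
```

Counting distinct destination ports per source/destination pair is what separates a sweep from a busy but legitimate client; the web client above opens several connections but only ever to ports 80 and 443.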
Of the following, which two security measures should be implemented when logging a server? (Select the two best answers.)
A. Cyclic redundancy checks
B. The application of retention policies on log files
C. Hashing of log files
D. Storing of temporary files
B and C. The log files should be retained according to a defined policy, either on this computer or on another computer. By hashing the log files, their integrity can be checked even after they are moved. Cyclic redundancy checks (CRCs) detect accidental errors in transmitted Ethernet frames; they are not designed to resist deliberate tampering and are no substitute for a cryptographic hash. Temporary files are normally not a consideration when dealing with log files.
You suspect a broadcast storm on the LAN. Which tool should you use to diagnose which network adapter is causing the storm?
A. Protocol analyzer
B. Firewall
C. Port scanner
D. Network intrusion detection system
A. A protocol analyzer should be used to diagnose which network adapter on the LAN is causing the broadcast storm. A firewall cannot diagnose attacks perpetuated on a network. Port scanner is used to find open ports on one or more computers. A network intrusion detection system is implemented to locate and possibly quarantine some types of attacks but will not be effective when it comes to broadcast storms.
Which of the following should be done if an audit recording fails?
A. Stop generating audit records.
B. Overwrite the oldest audit records.
C. Send an alert to the administrator.
D. Shut down the server.
C. If an audit recording fails, there should be sufficient safeguards employed that can automatically send an alert to the administrator, among other things. Audit records should not be overwritten and in general should not be stopped.
Which of the following log files should show attempts at unauthorized access?
A. DNS
B. System
C. Application
D. Security
D. The security log file should show attempts at unauthorized access to a Windows computer. The application log file must deal with events concerning applications within the operating system and some third-party applications. The system log file deals with drivers, system files, and so on. A DNS log will log information concerning the domain name system.
To find out when a computer was shutdown, which log file would an administrator use?
A. Security log
B. System log
C. Application log
D. DNS log
B. The system log will show when a computer was shut down (and turned on for that matter or restarted). The security log shows any audited information on a computer system. The application log deals with OS apps and third-party apps. The DNS log shows events that have transpired on a DNS server.
Which of the following requires a baseline? (Select the two best answers.)
A. Behavior-based monitoring
B. Performance Monitor
C. Anomaly based monitoring
D. Signature-based monitoring
A and C. Behavior-based monitoring and anomaly-based monitoring require creating a baseline. Many host-based IDS systems will monitor parts of the dynamic behavior and the state of the computer system. An anomaly-based IDS will classify activities as either normal or anomalous; this will be based on rules instead of signatures. Both behavior-based and anomaly-based monitoring require a baseline to make a comparative analysis. Signature-based monitoring systems do not require this baseline because they are looking for specific patterns or signatures and are comparing them to a database of signatures. The performance monitor program can be used to create a baseline on Windows computers, but it does not necessarily require a baseline.
Jason is a security administrator for a company of 4,000 users. He wants to store 6 months of logs to a logging server for analysis. The reports are required by upper management due to legal obligations but are not time-critical. When planning for the requirements of the logging server, which of the following should not be implemented?
A. Performance baseline and audit trails
B. Time stamping and integrity of the logs
C. Log details and level of verbose logging
D. Log storage and backup requirements
A. A performance baseline and audit trails are not necessarily needed. Because the reports are not time-critical, a performance baseline should not be a priority, and auditing this much information could be infeasible for one person. However, it is important to implement time stamping and integrity protection of the logs and to decide which details to store. Before implementing the logging server, Jason should check whether he has enough storage and backup space to meet his requirements.
Michael has just completed monitoring and analyzing a web server. Which of the following indicates that the server might have been compromised?
A. The web server is sending hundreds of UDP packets.
B. The web server has a dozen connections to inbound port 80.
C. The web server has a dozen connections to inbound port 443.
D. The web server is showing a drop in CPU speed and hard disk speed.
D. If the Web server is showing a drop in processor and hard disk speed, it might have been compromised. Further analysis and comparison to a pre-existing baseline would be necessary. All the other answers are common for a web server.
What kind of security control do computer security audits fall under?
A. Detective
B. Preventive
C. Corrective
D. Protective
A. A computer security audit is an example of a detective security control. If a security administrator found that a firewall was letting unauthorized ICMP echoes into the network the administrator might close the port on the firewall—a corrective control, and for the future, a preventive control. The term protective control is not generally used in security circles as it is a somewhat ambiguous term.
Which of the following is the proper order of functions for asymmetric keys?
A. Decrypt, validate, and code and verify
B. Sign, encrypt, decrypt, and verify
C. Encrypt, sign, decrypt, and verify
D. Decrypt, decipher, and code and encrypt
C. The proper order of functions for asymmetric keys is as follows: encrypt, sign, decrypt, and verify. This is the case when a digital signature is used to authenticate an asymmetrically encrypted document.
Which type of encryption technology is used with the BitLocker application?
A. Symmetric
B. Asymmetric
C. Hashing
D. WPA2
A. BitLocker uses symmetric encryption technology based on AES. Hashing is the process of summarizing a file for integrity purposes. WPA2 is a wireless encryption protocol.
Which of the following will provide an integrity check?
A. Public key
B. Private key
C. WEP
D. Hash
D. A hash provides an integrity check; MD5 and the SHA family are examples, although MD5 is no longer collision-resistant and should not be relied on for security. Public and private keys are the components of an asymmetric cipher that produce and reverse encrypted output; they do not by themselves check integrity. WEP (Wired Equivalent Privacy) is a deprecated wireless encryption protocol.
Why would a hacker use steganography?
A. To hide information
B. For data integrity
C. To encrypt information
D. For wireless access
A. Steganography is the act of writing hidden messages so that only the intended recipients know of the existence of the message. This is a form of security through obscurity. Steganographers are not as concerned with data integrity or encryption because the average person shouldn’t even know that a message exists. Although steganography can be accomplished by using compromised wireless networks, it is not used to gain wireless access.
You need to encrypt and send a large amount of data, which of the following would be the best option?
A. Symmetric encryption
B. Hashing algorithm
C. Asymmetric encryption
D. PKI
A. Symmetric encryption is the best option for sending large amounts of data because it is far faster than asymmetric encryption for bulk data. PKI is built on asymmetric encryption, and hashing algorithms provide integrity, not confidentiality, so they do not help with encrypting large amounts of data.
Imagine that you are a hacker. Which would be most desirable when attempting to compromise encrypted data?
A. A weak key
B. The algorithm used by the encryption protocol
C. Captured traffic
D. A block cipher
A. The easiest way for a hacker to get at encrypted data is if that encrypted data has a weak encryption key. The algorithm isn’t of much use to a hacker unless it has been broken, which is a far more difficult process than trying to crack an individual key. Captured traffic, if encrypted, still needs to be decrypted, and a weak key will aid in this process. The block cipher is a type of algorithm.
An SHA algorithm will have how many bits?
A. 64
B. 128
C. 512
D. 1,024
C. SHA-512, a member of the SHA-2 family, produces a 512-bit digest (and SHA-256 processes its input in 512-bit blocks). SHA-1 produces a 160-bit digest, MD5 a 128-bit digest; 1,024-bit keys are associated with asymmetric encryption, where 2,048 bits is now the recommended minimum.
What is another term for secret key encryption?
A. PKI
B. Asymmetrical
C. Symmetrical
D. Public key
C. Symmetric key encryption uses a secret key. The term symmetric key is also referred to as the following: private key, single key, and shared key (and sometimes as session key). PKI and public keys at their core are asymmetrical.
Your boss wants you to set up an authentication scheme in which employees will use smart cards to log in to the company network. What kind of key should be used to accomplish this?
A. Private key
B. Public key
C. Cipher key
D. Shared key
A. A private key should be used by users when logging in to the network with their smart card. The key should certainly not be public. A key actually determines the function of a cipher. Shared key is another term for symmetric-key encryption but does not imply privacy.
The IT director wants you to use a cryptographic algorithm that cannot be decoded by being reversed. Which of the following would be the best option?
A. Asymmetric
B. Symmetric
C. PKI
D. One way function
D. In cryptography, a one-way function is easy to compute but infeasible to reverse, so it cannot be decoded. A hash such as SHA-2 is an example: it produces a fixed-size digest from the entire file or message, and the original cannot be recovered from that digest. Asymmetric and symmetric ciphers are designed to be reversed (decrypted) by whoever holds the right key, so they do not fit the requirement.
Which of the following concepts does the Diffie-Hellman algorithm rely on?
A. Usernames and passwords
B. VPN tunneling
C. Biometrics
D. Key exchange
D. The Diffie-Hellman algorithm relies on key exchange before data can be sent. Usernames and passwords are considered a type of authentication. VPN tunneling is done to connect a remote client to a network. Biometrics is the science of identifying people by one of their physical attributes.
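To make the key exchange concrete, here is an added example, not part of the original question set, of textbook Diffie-Hellman with both parties' steps shown. The modulus and base are assumed toy values chosen so the arithmetic is visible; real deployments use standardized 2048-bit or larger groups (or elliptic curves) and authenticate the exchange, because unauthenticated Diffie-Hellman is open to a man-in-the-middle.

```python
"""Added example: textbook Diffie-Hellman with toy parameters. Only the
public values g^a mod p and g^b mod p cross the wire; both sides then
arrive at the same g^(ab) mod p without ever transmitting it."""
import secrets

# Public parameters (assumed toy values): a prime modulus and a base.
P = 2**127 - 1   # a Mersenne prime, fine for illustration only
G = 5


def keypair(p=P, g=G):
    """Pick a random private exponent and derive the public value g^a mod p."""
    private = secrets.randbelow(p - 2) + 2
    public = pow(g, private, p)
    return private, public


def shared_secret(peer_public, private, p=P):
    """Combine the peer's public value with our own private exponent."""
    return pow(peer_public, private, p)


def dh_exchange(p=P, g=G):
    """Run both sides of the exchange. Returns (alice_secret, bob_secret,
    observed), where `observed` is everything an eavesdropper sees."""
    a_priv, a_pub = keypair(p, g)          # Alice
    b_priv, b_pub = keypair(p, g)          # Bob
    observed = {"p": p, "g": g, "A": a_pub, "B": b_pub}
    k_alice = shared_secret(b_pub, a_priv, p)   # Alice uses Bob's public value
    k_bob = shared_secret(a_pub, b_priv, p)     # Bob uses Alice's public value
    return k_alice, k_bob, observed


if __name__ == "__main__":
    k_alice, k_bob, seen = dh_exchange()
    assert k_alice == k_bob
    print("shared secret established; eavesdropper saw only", sorted(seen))
```

The eavesdropper holds p, g, A and B but recovering the private exponents from them is the discrete logarithm problem, which is what the security of the exchange rests on. The shared secret would normally be fed through a key derivation function before use as a symmetric key.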
What does steganography replace in graphic files?
A. The least significant bit of each byte
B. The most significant bit of each byte
C. The least significant byte of each bit
D. The most significant byte of each bit
A. Steganography replaces the least significant bit of each byte. It would be impossible to replace a byte of each bit, because a byte is larger than a bit; a byte is eight bits.
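The following added example (not from the original question set) implements exactly that technique over a constructed buffer of 8-bit grey pixel values: it writes a message into bit 0 of each byte and reads it back, and also measures how little the cover changed. The 32-bit length header is an assumed framing convention so the extractor knows where the message ends.

```python
"""Added example: least-significant-bit steganography over a constructed
'image' of raw 8-bit pixel values. Only bit 0 of each byte is replaced, so
a value of 200 becomes 200 or 201 (a change the eye cannot see)."""


def embed(pixels, message):
    """Return a copy of `pixels` whose LSBs carry a 32-bit length header
    followed by the message bits, MSB first within each byte."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear bit 0, then set it
    return bytes(out)


def extract(pixels):
    """Reverse embed(): read the length header, then that many bytes."""
    def read_bytes(start, count):
        value = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_change(cover, stego):
    """Largest per-byte difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 512 grey pixels forming a gentle gradient.
COVER = bytes((i * 7) % 256 for i in range(512))

if __name__ == "__main__":
    stego = embed(COVER, b"meet at 9")
    print(extract(stego), "max pixel change:", max_change(COVER, stego))
```

Because every pixel moves by at most one intensity level, the altered image is visually indistinguishable from the cover; detection relies on statistical analysis of the LSB plane rather than on looking at the picture.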
What does it mean if a hashing algorithm creates the same hash for two different downloads?
A. A hash is not encrypted.
B. A hashing chain has occurred.
C. A one-way hash has occurred.
D. A collision has occurred.
D. If a hashing algorithm generates the same hash for two different messages within two different downloads, a collision has occurred and the implementation of the hashing algorithm should be investigated.
Which of the following methods will best verify that a download from the Internet has not been modified since the manufacturer released it?
A. Compare the final LANMAN hash with the original.
B. Download the patch file over an AES encrypted VPN connection.
C. Download the patch file through an SSL connection.
D. Compare the final MD5 hash with the original.
D. Comparing the downloaded file's MD5 hash with the one the manufacturer published verifies the integrity of the download; SHA is another family of hashes used for the same purpose, and because MD5 is no longer collision-resistant, vendors now publish SHA-256 digests instead. LANMAN hashes are older, deprecated password hashes used by Microsoft LAN Manager. AES-encrypted VPN and SSL connections protect the data in transit but do not verify that the file matches what the manufacturer released.
Which of the following encryption methods deals with two distinct, large prime numbers and the inability to factor those prime numbers?
A. SHA-1
B. RSA
C. WPA
D. Symmetric
B. The RSA algorithm is built from two distinct large prime numbers; their product forms the public modulus, and RSA's security rests on the infeasibility of factoring that modulus back into the two primes. SHA-1 is an example of a Secure Hash Algorithm, WPA is the Wi-Fi Protected Access protocol, and RSA is an asymmetric (public key) method of encryption rather than a symmetric one.
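The following added example, not part of the original question set, builds textbook RSA from two primes and then walks the encrypt, sign, decrypt, verify sequence asked about earlier in this set. The primes are assumed toy values (seven digits each) so the numbers stay readable; real RSA uses 2048-bit or larger moduli and padding schemes (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures), and unpadded RSA as shown here is insecure outside a classroom.

```python
"""Added example: textbook RSA with deliberately tiny primes to show key
generation from two primes and the encrypt, sign, decrypt, verify order.
Unpadded RSA like this is for illustration only."""
import hashlib
from math import gcd


def keygen(p, q, e=65537):
    """Build an RSA key pair from two distinct primes. The public key is
    (n, e); the private exponent d is the inverse of e modulo phi(n)."""
    assert p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, public):       # c = m^e mod n with the recipient's public key
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(c, private):      # m = c^d mod n with the recipient's private key
    n, d = private
    return pow(c, d, n)


def digest(data, n):
    """Hash the data and reduce it below n so it fits in one RSA block."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private):      # signature = hash(data)^d mod n, signer's private key
    n, d = private
    return pow(digest(data, n), d, n)


def verify(data, signature, public):  # recover the hash with the signer's public key
    n, e = public
    return pow(signature, e, n) == digest(data, n)


def exchange(plaintext, sender_keys, recipient_keys):
    """Sender encrypts for the recipient and signs the ciphertext; the
    recipient decrypts and verifies. Returns (recovered_int, signature_ok)."""
    sender_pub, sender_priv = sender_keys
    recipient_pub, recipient_priv = recipient_keys
    c = encrypt(plaintext, recipient_pub)                  # 1. encrypt
    sig = sign(c.to_bytes(8, "big"), sender_priv)          # 2. sign
    m = decrypt(c, recipient_priv)                         # 3. decrypt
    ok = verify(c.to_bytes(8, "big"), sig, sender_pub)     # 4. verify
    return m, ok


# Assumed toy primes (far too small for real use).
ALICE = keygen(1000003, 1000033)
BOB = keygen(999983, 1000037)

if __name__ == "__main__":
    print(exchange(42, ALICE, BOB))   # (42, True)
```

Note which key is used at each step: the recipient's public key encrypts and the recipient's private key decrypts, while the sender's private key signs and the sender's public key verifies. Changing one byte of the signed data, or verifying with the wrong public key, makes `verify` return False.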
Which of the following is not a symmetric key algorithm?
A. RC4
B. ECC
C. 3DES
D. Rijndael
B. ECC or elliptic curve cryptography is an example of public key cryptography that uses an asymmetric key algorithm. All the other answers are symmetric key algorithms.
You are attempting to move data to a USB flash drive. Which of the following enables a rapid and secure connection?
A. SHA-1
B. 3DES
C. AES256
D. MD5
C. AES-256 provides fast, strong encryption for data copied to a USB flash drive, and it is the cipher behind whole-disk encryption products such as BitLocker. SHA-1 and MD5 are hashes, so they cannot encrypt anything. 3DES is also a symmetric cipher, but it is considerably slower than AES and is now deprecated, so it is not the best choice here.
Which of the following is used by PGP to encrypt data.
A. Asymmetric key distribution system
B. Asymmetric scheme
C. Symmetric key distribution system
D. Symmetric scheme
D. Pretty Good Privacy (PGP) encrypts the message data itself with a one-time symmetric session key, after compressing and hashing it; that session key is then encrypted with the recipient's public key, making PGP a hybrid scheme, but the data encryption is symmetric. Key distribution systems are a separate part of an overall design, as in Kerberos (a key distribution center) or quantum key distribution.
Which of the following encryption algorithms is used to encrypt and decrypt data?
A. SHA-1
B. RC5
C. MD5
D. NTLM
B. RC5 (Rivest Cipher version 5) can encrypt and decrypt data. SHA-1 and MD5 are used as hashing algorithms, and NTLM (NT LAN Manager) is used by Microsoft as an authentication protocol and a password hash.
Of the following, which statement correctly describes the difference between a secure cipher and a secure hash?
A. A hash produces a variable output for any input size; a cipher does not.
B. A cipher produces the same size output for any input size; a hash does not.
C. A hash can be reversed; a cipher cannot.
D. A cipher can be reversed; a hash cannot.
D. A cipher's output can be reversed (decrypted) by anyone holding the right key; a hash cannot be inverted to recover the original data. Hashing is not the same as encryption: a hash is a fixed-size digital fingerprint of a group of data, and both ciphers and hashes can produce fixed-size output, so the size statements do not distinguish them.
When encrypting credit card data, which would be the most secure algorithm with the least CPU utilization?
A. AES
B. 3DES
C. SHA-1
D. MD5
A. AES (the Advanced Encryption Standard) is fast and secure, more so than 3DES. SHA-1 and MD5 are hashing algorithms. Not listed is RSA, which is commonly implemented to secure credit card transactions.
A hash algorithm has the capability to avoid the same output from two guessed inputs. What is this known as?
A. Collision resistance
B. Collision strength
C. Collision cipher
D. Collision metric
A. A hash is collision-resistant if it is difficult to guess two inputs that hash to the same output.
Which of the following is the weakest encryption type?
A. DES
B. RSA
C. AES
D. SHA
A. DES, the Data Encryption Standard, was developed in the 1970s; its 56-bit key has been superseded by 3DES (up to a 168-bit key) and AES (up to a 256-bit key), and DES is now considered insecure for most applications. RSA is far stronger than DES even when its asymmetric key length is translated into an equivalent symmetric strength. SHA is a hashing algorithm, not an encryption type.
Give two examples of hardware devices that can store keys. (Select the two best answers.)
A. Smart card
B. Network adapter
C. PCI Express card
D. PCMCIA card
A and D. Smart cards and PCMCIA cards can be used as devices that carry a token and store keys; this means that they can be used for authentication to systems, often in a multifactor authentication scenario. Network adapters and PCI Express cards are internal to a PC and would not make for good key storage devices.
What type of attack sends two different messages using the same hash function, which end up causing a collision?
A. Birthday attack
B. Bluesnarfing
C. Man-in-the-middle attack
D. Logic bomb
A. A birthday attack exploits the mathematics behind the birthday problem in probability theory: finding any two messages that hash to the same digest takes roughly the square root of the effort needed to match one specific digest. Bluesnarfing deals with Bluetooth devices. A man-in-the-middle attack is when a person or computer intercepts traffic between a sender and receiver. A logic bomb is malicious code that triggers when a specified condition, often a date or time, is met.
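The following added example (not from the original question set) makes the birthday bound, the meaning of a collision, and the notion of collision resistance observable. It truncates SHA-256 to 24 bits, an assumption made only so the search finishes instantly; with the full 256-bit digest the same loop would never terminate, which is what collision resistance means in practice.

```python
"""Added example: a birthday attack against a deliberately truncated hash.
With an n-bit digest a collision costs about 2^(n/2) tries, while a
preimage costs about 2^n. Truncating SHA-256 to 24 bits (an assumption to
keep the run fast) makes both numbers small enough to observe."""
import hashlib


def short_hash(data, bits=24):
    """SHA-256 truncated to its top `bits` bits; only the truncation is toy."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def birthday_collision(bits=24, max_tries=2**20):
    """Hash distinct messages until two share a digest. Returns
    (msg1, msg2, tries). Expected tries ~ 1.25 * 2^(bits/2)."""
    seen = {}
    for i in range(max_tries):
        msg = b"msg-%d" % i
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("no collision within budget")


def preimage_tries_needed(target, bits=24, max_tries=2**26):
    """Brute-force a preimage of `target`. Expected tries ~ 2^bits, the
    square of the collision cost, which is why collisions come first."""
    for i in range(max_tries):
        msg = b"pre-%d" % i
        if short_hash(msg, bits) == target:
            return i + 1
    raise RuntimeError("no preimage within budget")


if __name__ == "__main__":
    m1, m2, tries = birthday_collision()
    print(f"collision after {tries} tries: {m1!r} and {m2!r}")
    print("preimage tries at 12 bits:", preimage_tries_needed(short_hash(b"t", 12), 12))
```

For a 24-bit digest the collision typically appears after a few thousand attempts, whereas a preimage of a fixed 24-bit target needs millions. A real hash whose collisions can be found noticeably faster than 2^(n/2), as happened to MD5, is considered broken for signatures even if preimages remain hard.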
Why would a hacker use steganography?
A. To hide information
B. For data integrity
C. To encrypt information
D. For wireless access
A. Steganography is the act of writing hidden messages so that only the intended recipients know the message exists at all. This is a form of security through obscurity. Data integrity is accomplished through hashing, not steganography. Steganography differs from cryptography in that cryptography protects a message whose existence is visible, whereas steganography conceals that a message exists.
Which of the following might a public key be used to accomplish?
A. To decrypt the hash of a digital signature
B. To encrypt web browser traffic
C. To digitally sign a message
D. To decrypt wireless messages
A. The signer's public key is used to decrypt (recover) the hash carried in a digital signature so it can be compared with a freshly computed hash. Web browser traffic is encrypted with symmetric session keys. A private key is what digitally signs a message, and wireless traffic is protected with symmetric keys rather than a public key.
You scan a computer for weak passwords and discover that you can figure out the password by cracking the first seven characters and then cracking the second part of the password separately. What type of hash is being used on the computer?
A. MD5
B. SHA-1
C. LANMAN
D. NTLMv2
C. The LANMAN (LM) hash is a deprecated function that uppercases the password, pads it to 14 characters, and splits it into two 7-character halves that are hashed independently, so each half can be cracked on its own and the effective keyspace is tiny. Because of this weakness, NTLMv2 is recommended in its place. MD5 and SHA-1 are general-purpose cryptographic hash functions that process the whole input and do not have this problem.
WEP improperly uses an encryption protocol and because of this is considered to be insecure. What encryption protocol does it use?
A. AES
B. RSA
C. RC6
D. RC4
D. WEP uses the RC4 stream cipher, prepending a 24-bit initialization vector to a static shared key to form each per-packet key. The IV space is so small that IVs repeat, which reuses keystream, and related-key weaknesses in RC4 allow recovery of the shared key from captured traffic. RC4 itself is now deprecated. WEP does not use AES, RSA, or RC6, all of which are algorithms rather than protocols and remain sound when used correctly.
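The following added example (not from the original question set) implements RC4 in a few lines and then reproduces the WEP construction to show the keystream-reuse problem: when the 24-bit IV repeats, XORing two ciphertexts cancels the keystream, and knowing one plaintext reveals the other with no knowledge of the key. The 40-bit key, IV and frame contents are constructed values.

```python
"""Added example: a compact RC4 plus a demonstration of the WEP flaw the
answer refers to. WEP builds each per-packet key as IV || shared key with
a 24-bit IV, so IVs repeat and two packets end up under the same
keystream. RC4 itself is deprecated; this is for illustration only."""


def rc4_keystream(key, length):
    """Key-scheduling algorithm followed by the pseudo-random generation
    algorithm; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4(key, data):
    """RC4 is a stream cipher: encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP-style per-packet key: 3-byte IV prepended to the static key,
    with the IV sent in the clear alongside the ciphertext."""
    assert len(iv) == 3
    return iv, rc4(iv + shared_key, plaintext)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(shared_key, iv, p1, p2):
    """With a repeated IV, c1 XOR c2 == p1 XOR p2, so an attacker who knows
    or guesses p1 recovers p2 without the key. Returns (leak_holds, p2)."""
    _, c1 = wep_encrypt(shared_key, iv, p1)
    _, c2 = wep_encrypt(shared_key, iv, p2)
    return xor(c1, c2) == xor(p1, p2), xor(xor(c1, c2), p1)


# Constructed values: a 40-bit WEP key and two same-length frames.
KEY = bytes.fromhex("0123456789")
IV = bytes.fromhex("a1b2c3")

if __name__ == "__main__":
    leaked, recovered = keystream_reuse_leak(KEY, IV, b"GET /index.html", b"secret payload!")
    print(leaked, recovered)   # True b'secret payload!'
```

Predictable plaintext is plentiful on a wireless LAN (ARP and DHCP headers, HTTP request lines), so the "known plaintext" assumption is realistic; with 2^24 IVs a busy access point cycles through them in hours.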
The fundamental difference between symmetric key systems and asymmetric key systems is that the symmetric key system will:
A. Use the same key on each end
B. Use different keys on each end
C. Use multiple keys for nonrepudiation purposes
D. Use public key cryptography
A. Symmetric key systems use the same key on each end during transport of data. Asymmetric key systems (such as public key cryptography systems) use different keys.
Last week, one of the users in your organization encrypted a file with a private key. This week the user left the organization, and unfortunately the systems administrator deleted the user’s account. What are the most probable outcomes of this situation? (Select the two best answers.)
A. The data is not recoverable.
B. The former user’s account can be re-created to access the file.
C. The file can be decrypted with a PKI.
D. The data can be decrypted using the recovery agent.
E. The data can be decrypted using the root user account.
A and D. Many systems have a recovery agent that is designed just for this purpose. If the account that encrypted the file is deleted, it cannot be re-created (without different IDs and therefore no access to the file), and the recovery agent will have to be used. If there is no recovery agent (which in some cases needs to be configured manually), then the file will be unrecoverable. This file was encrypted with a private key and needs to be decrypted with a private key—PKI is a system that uses asymmetric key pairs (private and public). The root user account does not have the ability to recover files that were encrypted by other users.
You are tasked with ensuring that messages being sent and received between two systems are both encrypted and authenticated. Which of the following protocols accomplishes this?
A. Diffie-Hellman
B. WDE
C. RSA
D. SHA-1
C. RSA can both encrypt messages and authenticate them through digital signatures. Diffie-Hellman only establishes a shared secret; by itself it neither encrypts messages nor authenticates the parties. WDE is whole disk encryption, which protects entire drives but is not used to send and receive messages. SHA-1 is a cryptographic hash function used to check the integrity of files.
Which of the following does not apply to an X.509 certificate?
A. Certificate version
B. The Issuer of the certificate
C. Public key information
D. Owner’s symmetric key
D. An X.509 certificate binds a public key to an identity; it never contains a symmetric key belonging to the owner. The certificate version, the issuer, and the subject's public key information are all standard X.509 fields.
What two items are included in a digital certificate? (Select the two best answers.)
A. User’s private key
B. Certificate Authority’s digital signature
C. The user’s public key
D. Certificate Authority’s IP address
B and C. A digital certificate includes the Certificate Authority’s (CA) digital signature and the user’s public key. A user’s private key should be kept private and should not be within the digital certificate. The IP address of the CA should have been known to the user’s computer before obtaining the certificate.
Rick has a local computer that uses software to generate and store key pairs. What type of PKI implementation is this?
A. Distributed key
B. Centralized
C. Hub and spoke
D. Decentralized
D. When creating key pairs, PKI has two methods: centralized and decentralized. Centralized is when keys are generated at a central server and are transmitted to hosts. Decentralized is when keys are generated and stored on a local computer system for use by that system.
Which of the following is usually used with L2TP?
A. IPsec
B. SSH
C. PHP
D. SHA
A. IPsec is usually used with L2TP. SSH is a more secure way of connecting to remote computers. PHP is a type of language commonly used on the web. SHA is a type of hashing algorithm.
What ensures that a CRL is authentic and has not been modified?
A. The CRL can be accessed by anyone.
B. The CRL is digitally signed by the CA.
C. The CRL is always authentic.
D. The CRL is encrypted by the CA.
B. Certificate revocation lists (CRLs) are digitally signed by the certificate authority, so a relying party can verify that the list is authentic and unmodified. If a certificate is compromised, it is revoked and added to the CRL, and the CA generates and publishes an updated CRL periodically. Making the CRL publicly accessible says nothing about its integrity, and encrypting it would defeat its purpose.
Which of the following encryption concepts is PKI based on?
A. Asymmetric
B. Symmetric
C. Elliptical curve
D. Quantum
A. The public key infrastructure (PKI) is based on asymmetric encryption: every certificate binds a public key whose private counterpart is held by the subject. Symmetric encryption and quantum cryptography are separate schemes that PKI is not built on. Elliptic curve cryptography is itself an asymmetric technique and appears in PKI certificates (for example, ECDSA keys), but the underlying concept the question asks about is asymmetric encryption.
You are in charge of PKI certificates. What should you implement so that stolen certificates cannot be used?
A. CRL
B. CAD
C. CA
D. CRT
A. You should implement a certificate revocation list or CRL so that stolen certificates, or otherwise revoked or held certificates, cannot be used.
Which of the following are certificate-based authentication mapping schemes? (Select the two best answers.)
A. One to-many mapping
B. One-to-one mapping
C. Many-to-many mapping
D. Many-to-one mapping
B and D. When dealing with certificate authentication, asymmetric systems use one-to-one mappings and many-to-one mappings.
Which of the following network protocols sends data between two computers while using a secure channel?
A. SSH
B. SMTP
C. SNMP
D. P2P
A. SSH, or the secure Shell, enables two computers to send data via a secure channel. SMTP is the Simple Mail Transfer Protocol that deals with e-mail. SNMP is the Simple Network Management Protocol that enables the monitoring of remote systems. P2P is the abbreviated version of peer-to-peer network.
Which of the following protocols uses port 443?
A. SFTP
B. HTTPS
C. SSHTP
D. SSLP
B. Port 443 is used by HTTPS, which wraps HTTP in TLS (formerly SSL). SFTP is the SSH File Transfer Protocol, which runs over SSH on port 22. There are no protocols named SSHTP or SSLP.
Which of the following protocols creates an unencrypted tunnel?
A. L2TP
B. PPTP
C. IPsec
D. VPN
A. In Virtual Private Networks (VPN), Layer Two Tunneling Protocol (L2TP) creates an unencrypted tunnel between two IP addresses. It is usually used with IPsec to encrypt the data transfer. PPTP is the Point-to-Point Tunneling Protocol that includes encryption.
In a public key infrastructure setup, which of the following should be used to encrypt the signature of an e-mail?
A. Private key
B. Public key
C. Shared key
D. Hash
A. A private key should be used to encrypt the signature of an e-mail in an asymmetric system such as PKI. Public keys and shared keys should never be used to encrypt this type of information. A hash is not used to encrypt in this fashion; it is used to verify the integrity of the message.
Two computers are attempting to communicate with the SSL protocol. Which two types of keys will be used? (Select the two best answers.)
A. Recovery key
B. Session key
C. Public key
D. Key card
B and C. In an SSL session, a session key and a public key are used. A recovery key is not necessary unless data has been lost. A key card would be used as a physical device to gain access to a building or server room.
Which layer of the OSI model does IPsec operate at?
A. Data Link
B. Network
C. Transport
D. Application
B. IPsec is a dual mode, end-to-end security scheme that operates at Layer 3, the Network Layer of the OSI model, also known as the Internet Layer within the Internet Protocol Suite. It is often used with L2TP for VPN tunneling among other protocols.
Which layer of the OSI model is where SSL provides encryption?
A. Network
B. Transport
C. Session
D. Application
C. SSL, or the Secure Sockets Layer, and its successor Transport Layer Security (TLS) encrypt segments of network connections that start at the Transport Layer. The actual encryption is done at the Session Layer, and the protocol is known as an Application Layer protocol.
Which of the following details one of the primary benefits of using S/MIME?
A. S/MIME expedites the delivery of e-mail messages.
B. S/MIME enables users to send e-mail messages with a return receipt.
C. S/MIME enables users to send both encrypted and digitally signed e-mail messages.
D. S/MIME enables users to send anonymous e-mail messages.
C. S/MIME enables users to send both encrypted and digitally signed e-mail messages, enabling a higher level of e-mail security. It does not make the delivery of e-mail any faster, nor does it have anything to do with return receipts. Return receipts are usually controlled by the SMTP server. Anonymous e-mail messages would be considered spam, completely insecure, and something that a security administrator wants to reduce, and certainly does not want users to implement.
What should you do to make sure that a compromised PKI key cannot be used again?
A. Renew the key.
B. Reconfigure the key.
C. Revoke the key.
D. Create a new key.
C. Key revocation is the proper way to approach the problem of a compromised PKI key. The revoked key will then be listed in the CRL (Certificate Revocation List).
Which of the following statements is correct about IPsec authentication headers?
A. The authentication information is a keyed hash based on half of the bytes in the packet.
B. The authentication information is a keyed hash based on all the bytes in the packet.
C. The authentication information hash will remain the same even if the bytes change on transfer.
D. The authentication header cannot be used in combination with the IP Encapsulating Security Payload.
B. The only statement that is true is that the authentication information is a keyed hash that is based on all the bytes in the packet. A hash will not remain the same if the bytes change on transfer; a new hash will be created for the authentication header (AH). The authentication header can be used in combination with the Encapsulating Security Payload (ESP).
Which of the following protocols is not used to create a VPN tunnel and not used to encrypt VPN tunnels?
A. PPTP
B. L2TP
C. PPP
D. IPsec
C. PPP, or Point-to-Point Protocol, does not provide security and is not used to create VPN connections. You will see PPP used in dial-up connections, and it is an underlying protocol used by L2TP, PPTP, and IPsec, which are all used in VPN connections.
Which of the following answers are not part of IPsec? (Select the two best answers.)
A. TKIP
B. Key exchange
C. AES
D. Authentication header
A and C. IPsec contains (or uses) a key exchange (either Internet Key Exchange or Kerberized Internet Negotiation of Keys) and an authentication header (in addition to many other components). TKIP and AES are other encryption protocols.
What should you publish a compromised certificate to?
A. CRL
B. CA
C. PKI
D. AES
A. A compromised certificate should be published to the certificate revocation list (CRL). The CA is the certificate authority that houses the CRL. PKI stands for public key infrastructure—the entire system that CRLs and CAs are just components of. AES is an encryption protocol.
You have been asked to set up authentication through PKI, and encryption of a database using a different cryptographic process to decrease latency. What encryption types should you use?
A. Public key encryption to authenticate users and public keys to encrypt the database
B. Public key encryption to authenticate users and private keys to encrypt the database
C. Private key encryption to authenticate users and private keys to encrypt the database
D. Private key encryption to authenticate users and public keys to encrypt the database
B. PKI uses public keys to authenticate users. If you are looking for a cryptographic process that allows for decreased latency, then symmetrical keys (private) would be the way to go. So the PKI system uses public keys to authenticate the users, and the database uses private keys to encrypt the data.
Which of the following statements are true about PKI? (Select the two best answers.)
A. When encrypting a message with the public key, only the private key can decrypt it.
B. When encrypting a message with the public key, only the public key can decrypt it.
C. When encrypting a message with the public key, only the CA can decrypt it.
D. When encrypting a message with the private key, only the public key can decrypt it.
E. When encrypting a message with the private key, only the private key can decrypt it.
A and D. Messages encrypted with a public key can only be decrypted with a private key, and vice versa: messages encrypted with a private key can only be decrypted with a public key. The same key will not be used on both ends, as PKI is an asymmetric system. The CA itself does not encrypt or decrypt keys; it manages the certificates.
Which of the following describes key escrow?
A. Maintains a secured copy of the user’s private key for the purpose of recovering the CRL
B. Maintains a secured copy of the user’s private key for the purpose of recovering the key if it is lost
C. Maintains a secured copy of the user’s public key for the purpose of recovering messages if the key is lost
D. Maintains a secured copy of the user’s public key for the purpose of increasing network performance
B. Key escrow is implemented to secure a copy of the user’s private key in the case that it is lost, not the public key. It has nothing to do with the CRL.
When a user’s web browser communicates with a CA, what PKI element does the CA require from the browser?
A. Public key
B. Private key
C. Symmetric key
D. Secret key
A. The browser must present the public key, which is matched against the CA’s private key. Symmetric and secret keys are other names for private keys.
Which of the following RAID versions offers the least amount of performance degradation when a disk in the array fails?
A. RAID 0
B. RAID 1
C. RAID 4
D. RAID 5
B. RAID 1 is known as mirroring. If one drive fails, the other will still function and there will be no downtime and no degraded performance. All the rest of the answers are striping-based and therefore have either downtime or degraded performance associated with them. RAID 5 is the second best option because in many scenarios it will have zero downtime and little degraded performance. RAID 0 will not recover from a failure; it is not fault tolerant.
Which of the following can facilitate a full recovery within minutes?
A. Warm site
B. Cold site
C. Reestablishing a mirror
D. Hot site
D. A hot site can facilitate a full recovery of communications software and equipment within minutes. Warm and cold sites cannot facilitate a full recovery but may have some of the options necessary to continue business. Reestablishing a mirror will not necessarily implement a full recovery of data communications or equipment.
What device should be used to ensure that a server does not shut down when there is a power outage?
A. RAID 1 box
B. UPS
C. Redundant NIC
D. Hot site
B. An Uninterruptible Power Supply (UPS) ensures that a computer will keep running even if a power outage occurs. The amount of minutes the computer can continue in this fashion depends on the type of UPS and battery it contains. A backup generator can also be used, but it does not guarantee 100% uptime, because there might be a delay between when the power outage occurs and when the generator comes online. RAID 1 has to do with the fault tolerance of data. Redundant NICs (network adapters) are used on servers in the case that one of them fails. Hot sites are completely different places that a company can inhabit. Although the hot site can be ready in minutes, and although it may have a mirror of the server in question, they do not ensure that the original server will not shut down during a power outage.
Which of the following tape backup methods enables daily backups, weekly full backups, and monthly full backups?
A. Towers of Hanoi
B. Incremental
C. Grandfather-father-son
D. Differential
C. The grandfather-father-son (GFS) backup scheme generally uses daily backups (the son), weekly backups (the father), and monthly backups (the grandfather). The Towers of Hanoi is a more complex strategy based on a puzzle. Incremental backups are simply one-time backups that back up all data that has changed since the last incremental backup. These might be used as the son in a GFS scheme. Differential backups back up everything since the last full backup.
To prevent electrical damage to a computer and its peripherals, the computer should be connected to what?
A. Power strip
B. Power inverter
C. AC to DC converter
D. UPS
D. A UPS (uninterruptible power supply) protects computer equipment against surges, spikes, sags, brownouts, and blackouts. Power strips, unlike surge protectors, do not protect against surges.
Which of the following would not be considered part of a disaster recovery plan?
A. Hot site
B. Patch management software
C. Backing up computers
D. Tape backup
B. Patching a system is part of the normal maintenance of a computer. In the case of a disaster to a particular computer, the computer’s OS and latest service pack would have to be reinstalled. The same would be true in the case of a disaster to a larger area, like the building. Hot sites, backing up computers, and tape backup are all components of a disaster recovery plan.
Which of the following factors should you consider when evaluating a company’s assets? (Select the two best answers.)
A. Its value to the company
B. Its replacement cost
C. Where they were purchased from
D. Their salvage value
A and B. When evaluating a company’s assets, it is important to know the replacement cost of those assets and their value to the company. If the assets were lost or stolen, the salvage value is not important, and although you may want to know where the assets were purchased from, it is not one of the best answers.
You are using the following backup scheme. A full backup is made every Friday night at 6 p.m. Differential backups are made every other night at 6 p.m. Your database server fails on Thursday afternoon at 4 p.m. How many tapes will you need to restore the database server?
A. One
B. Two
C. Three
D. Four
B. You need two tapes to restore the database server—the full backup tape made on Friday and the differential backup tape made on the following Wednesday. Only the last differential tape is needed. When restoring the database server, the technician must remember to start with the full backup tape.
Of the following, what is the worst place to store a backup tape?
A. Near a bundle of fiber-optic cables
B. Near a power line
C. Near a server
D. Near an LCD screen
B. Backup tapes should be kept away from power sources including power lines, CRT monitors, speakers, and so on. And the admin should keep backup tapes away from sources that might emit EMI. LCD screens, servers, and fiber-optic cables have low EMI emissions.
Critical equipment should always be able to get power. What is the correct order of devices that your critical equipment should draw power from?
A. Generator, line conditioner, UPS battery
B. Line conditioner, UPS battery, generator
C. Generator, UPS battery, line conditioner
D. Line conditioner, generator, UPS battery
B. The line conditioner is constantly serving critical equipment with clean power. It should be first and should always be on. The UPS battery should kick in only if there is a power outage. Finally, the generator should kick in only when the UPS battery is about to run out of power. Often, the line conditioner and UPS battery will be the same device. However, the line conditioner function will always be used, but the battery comes into play only when there is a power outage, or brownout.
What is the best way to test the integrity of a company’s backed up data?
A. Conduct another backup
B. Use software to recover deleted files
C. Review written procedures
D. Restore part of the backup
D. The best way to test the integrity of backed up data is to restore part of that backup. Conducting another backup will only tell you whether the backup procedure is working properly. If necessary, after testing the integrity of the backup and after the restore, a person might need to use software to recover deleted files. It’s always important to review written procedures and amend them if need be.
Your company has six web servers. You are implementing load balancing. What is this an example of?
A. UPS
B. Redundant servers
C. RAID
D. Warm site
B. Load balancing is a method used when you have redundant servers. In this case, the six web servers will serve data equally to users. The UPS is an uninterruptible power supply, and RAID is the redundant array of inexpensive disks. A warm site is a secondary site, which can be up and running within a few hours or a day, that a company can use if a disaster occurs.
Your company has a T-1 connection to the Internet. Which of the following can enable your network to remain operational even if the T-1 fails?
A. Redundant network adapters
B. RAID 5
C. Redundant ISP
D. UPS
C. A secondary ISP enables the network to remain operational and still gain Internet access even if the T-1 connection fails. This generally means that there will be a second ISP and a secondary physical connection to the Internet. Redundant network adapters are used on servers so that the server can have a higher percentage of uptime. RAID 5 is used for redundancy of data and spreads the data over three or more disks. A UPS is used in the case of a power outage.
Which action should be taken to protect against a complete disaster in the case that a primary company’s site is permanently lost?
A. Back up all data to tape, and store those tapes at a sister site in another city.
B. Back up all data to tape, and store those tapes at a sister site across the street.
C. Back up all data to disk, and store the disk in a safe deposit box at the administrator’s home.
D. Back up all data to disk, and store the disk in a safe in the building’s basement.
A. In the case that a building’s primary site is lost, data should be backed up to tape stored at a sister site in another city. Storing information across the street might not be good enough, especially if the area has to be evacuated. Company information should never be stored at an employee’s home. And of course, if the data were stored in the primary building’s basement and there were a complete disaster at the primary site, that data would also be lost.
Of the following backup types, which describes the backup of files that have changed since the last full or incremental backup?
A. Incremental
B. Differential
C. Full
D. Copy
A. An incremental backup backs up only the files that have changed since the last incremental or full backup. Generally it is used as a daily backup. Differential backups back up files that have changed since the last full backup. A full backup backs up all files in a particular folder or drive, depending on what has been selected; this is regardless of any previous differential or incremental backups. Copies of data can be made, but they will not affect backup rotations that include incremental, differential, and full backups.
Michael’s company has a single web server that is connected to three other distribution servers. What is the greatest risk involved in this scenario?
A. Fraggle attack
B. Single point of failure
C. Denial of service
D. Man-in-the-middle attack
B. The greatest risk involved in this scenario is that the single web server is a single point of failure, even though it is connected to three other distribution servers. If the web server goes down or is compromised, no one can access the company’s website. A Fraggle is a type of denial-of-service attack. Although denial-of-service attacks are a risk to web servers, they are not the greatest risk in this particular scenario. A company should implement as much redundancy as possible.
Which method would you use if you were disposing of hard drives as part of a company computer sale?
A. Destruction
B. Purging
C. Clearing
D. Formatting
B. Purging (or sanitizing) removes all the data from a hard drive so that it cannot be reconstructed by any known technique. If a hard drive were destroyed, it wouldn’t be of much value at a company computer sale. Clearing is the removal of data with a certain amount of assurance that it cannot be reconstructed; this method is usually used when recycling the drive within the organization. Formatting is not nearly enough to actually remove data because it leaves data residue, which can be used to reconstruct data.
Which of these governs the disclosure of financial data?
A. SOX
B. HIPAA
C. GLB
D. Top secret
A. SOX, or Sarbanes-Oxley, governs the disclosure of financial and accounting data. HIPAA governs the disclosure and protection of health information. GLB, or the Gramm-Leach-Bliley Act of 1999, enables commercial banks, investment banks, securities firms, and insurance companies to consolidate. Top secret is a classification given to confidential data.
Jeff wants to employ a Faraday cage. What will this accomplish?
A. It will increase the level of wireless encryption.
B. It will reduce data emanations.
C. It will increase EMI.
D. It will decrease the level of wireless emanations.
B. The Faraday cage will reduce data emanations. The cage is essentially an enclosure (of which there are various types) of conducting material that can block external electric fields and stop internal electric fields from leaving the cage, thus reducing or eliminating data emanations from such devices as cell phones.
If a fire occurs in the server room, which device is the best method to put it out?
A. Class A extinguisher
B. Class B extinguisher
C. Class C extinguisher
D. Class D extinguisher
C. When you think Class C, think Copper. Extinguishers rated as Class C can suppress electrical fires, which are the most likely kind in a server room.
Which devices will not work in a Faraday cage? (Select the two best answers.)
A. Cell phones
B. Computers
C. Pagers
D. TDR
A and C. Signals cannot emanate outside a Faraday cage. Therefore, cell phones and pagers will not work inside the Faraday cage.
You go out the back door of your building and notice someone looking through your company’s trash. If this person were trying to acquire sensitive information, what would this attack be known as?
A. Browsing
B. Dumpster diving
C. Phishing
D. Hacking
B. Dumpster diving is when a person goes through a company’s trash to find sensitive information about an individual or a company. Browsing is not an attack but something you do when connected to the Internet. Phishing is known as acquiring sensitive information through the use of electronic communication. Nowadays, hacking is a general term used with many different types of attacks.
You are told by your manager to keep evidence for later use at a court proceeding. Which of the following should you document?
A. Disaster recovery plan
B. Chain of custody
C. Key distribution center
D. Auditing
B. A chain of custody is the chronological documentation or paper trail of evidence. A disaster recovery plan details how a company will recover from a disaster with such methods as backup data and sites. A key distribution center is used with the Kerberos protocol. Auditing is the verification of logs and other information to find out who did what action and when and where.
Which law protects your Social Security number and other pertinent information?
A. HIPAA
B. SOX
C. The National Security Agency
D. The Gramm-Leach-Bliley Act
D. The Gramm-Leach-Bliley Act protects private information such as Social Security numbers. HIPAA deals with health information privacy. SOX, or the Sarbanes Oxley Act of 2002, applies to publicly held companies and accounting firms and protects shareholders in the case of fraudulent practices.
User education can help to defend against which of the following? (Select the three best answers.)
A. Social engineering
B. Phishing
C. Rainbow Tables
D. Dumpster diving
A, B, and D. Rainbow Tables are lookup tables used when recovering passwords. User education and awareness can help defend against social engineering attacks, phishing, and dumpster diving.
Which of these is an example of social engineering?
A. Asking for a username and password over the phone
B. Using someone else’s unsecured wireless network
C. Hacking into a router
D. Virus
A. Social engineering is the practice of obtaining confidential information by manipulating people. Using someone else’s network is just theft. Hacking into a router is just that, hacking. And a virus is a self-spreading program that may or may not cause damage to files and applications.
What is the most common reason that social engineering succeeds?
A. Lack of vulnerability testing
B. People share passwords
C. Lack of auditing
D. Lack of user awareness
D. User awareness is extremely important when attempting to defend against social engineering attacks. Vulnerability testing and auditing are definitely important as part of a complete security plan but will not necessarily help defend against social engineering and definitely not as much as user awareness training. People should not share passwords.
Which of the following is not one of the steps of the incident response process?
A. Eradication
B. Recovery
C. Containment
D. Nonrepudiation
D. Nonrepudiation, although an important part of security, is not part of the incident response process. Eradication, containment, and recovery are all parts of the incident response process.
In which two environments would social engineering attacks be most effective? (Select the two best answers.)
A. Public building with shared office space
B. Company with a dedicated IT staff
C. Locked building
D. Military facility
E. An organization whose IT personnel have little training
A and E. Public buildings, shared office space, and companies with employees that have little training are all environments in which social engineering attacks are common and would be most successful. Social engineering will be less successful in locked buildings, buildings with a decent level of security such as military facilities, and organizations with dedicated and well-trained IT staff.
Of the following definitions, which would be an example of eavesdropping?
A. Overhearing parts of a conversation
B. Monitoring network traffic
C. Another person looking through your files
D. A computer capturing information from a sender
A. Eavesdropping is when people listen to a conversation that they are not part of. A security administrator should keep in mind that someone could always be listening and to try to protect against this.
Your company expects its employees to behave in a certain way. How could a description of this behavior be documented?
A. Chain of custody
B. Separation of duties
C. Code of ethics
D. Acceptable use policy
C. The code of ethics describes how a company wants its employees to behave. A chain of custody is a legal and chronological paper trail. Separation of duties means that more than one person is required to complete a job. Acceptable use policy is a set of rules that restrict how a network or a computer system may be used.
You are a forensics investigator. What is the most important reason for you to verify the integrity of acquired data?
A. To ensure that the data has not been tampered with
B. To ensure that a virus cannot be copied to the target media
C. To ensure that the acquired data is up-to-date
D. To ensure that the source data will fit on the target media
A. Before analyzing any acquired data, you need to make sure that the data has not been tampered with, so you should verify the integrity of the acquired data before analysis.
Of the following, which type of fire suppression can prevent damage to computers and servers?
A. Class A
B. Water
C. CO2
D. ABC extinguishers
C. CO2 is the best answer that will prevent damage to computers because it is air-based, not water-based. CO2 displaces oxygen. Fire needs oxygen; without it the fire will go out. All the others have substances that can damage computers. However, because CO2 can possibly cause ESD damage, the best solution in a server room would be Halotron or FE-36.
You are the security administrator for your organization. You have just identified a malware incident. Of the following, what should be your first response?
A. Containment
B. Removal
C. Recovery
D. Monitoring
A. Most organizations’ incident response procedures will specify that containment of the malware incident should be first. Next would be the removal, then recovery of any damaged systems, and finally monitoring, which should actually be going on at all times.
A man pretending to be a data communications repair technician enters your building and states that there is networking trouble and he needs access to the server room. What is this an example of?
A. Man-in-the-middle attack
B. Virus
C. Social engineering
D. Chain of custody
C. Any person pretending to be a data communications repair person would be attempting a social engineering attack.
Employees are asked to sign a document that describes the methods of accessing a company’s servers. Which of the following best describes this document?
A. Acceptable use policy
B. Chain of custody
C. Incident response
D. Privacy Act of 1974
A. Acceptable use (or usage) policies set forth the principles for using IT equipment such as computers, servers, and network devices. Employees are commonly asked to sign such a document, which is a binding agreement that they will try their best to adhere to the policy.
One of the developers for your company asks you what he should do before making a change to the code of a program’s authentication. Which of the following processes should you instruct him to follow?
A. Chain of custody
B. Incident response
C. Disclosure reporting
D. Change management
D. He should follow the change management process as dictated by your company’s policies and procedures. This might include filing forms in paper format and electronically, and notifying certain departments of the proposed changes before they are made.
As a network administrator, one of your jobs is to deal with Internet service providers. You want to ensure that the provider guarantees end-to-end traffic performance. What is this known as?
A. SLA
B. VPN
C. DRP
D. WPA
A. An SLA, or service-level agreement, is the agreement between the Internet service provider and you, defining how much traffic you are allowed and what type of performance you can expect. A VPN is a virtual private network. A DRP is a disaster recovery plan. And WPA is Wi-Fi Protected Access.
Turnstiles, double entry doors, and security guards are all preventative measures for what kind of social engineering?
A. Dumpster diving
B. Impersonation
C. Piggybacking
D. Eavesdropping
C. Turnstiles, double entry doors, and security guards are all examples of preventative measures that attempt to defeat piggybacking. Dumpster diving is when a person looks through a coworker’s trash or a building’s trash to retrieve information. Impersonation is when a person attempts to represent another person possibly with the other person’s identification. Eavesdropping is when a person overhears another person’s conversation.
When it comes to security policies, what should HR personnel be trained in?
A. Maintenance
B. Monitoring
C. Guidelines and enforcement
D. Vulnerability assessment
C. Human resource personnel should be trained in guidelines and enforcement. A company’s standard operating procedures will usually have more information about this. However, a security administrator might need to train these employees in some areas of guidelines and enforcement.
In a classified environment, clearance to top secret information that enables access to only certain pieces of information is known as what?
A. Separation of duties
B. Chain of custody
C. Nonrepudiation
D. Need to know
D. In classified environments, especially when accessing top secret information, a person can get access to only what they need to know.
In addition to bribery and forgery, which of the following are the most common techniques that attackers use to socially engineer people? (Select the two best answers.)
A. Flattery
B. Assuming a position of authority
C. Dumpster diving
D. Whois search
A and C. The most common techniques that attackers use to socially engineer people include flattery, dumpster diving, bribery, and forgery. Although assuming a position of authority is an example of social engineering, it is not one of the most common. A WHOIS search is not necessarily malicious; it can be accomplished by anyone and can be done for legitimate reasons. This type of search can tell a person who runs a particular website or who owns a domain name.
What is documentation that describes minimum expected behavior known as?
A. Need to know
B. Acceptable usage
C. Separation of duties
D. Code of ethics
D. A code of ethics is documentation that describes the minimum expected behavior of employees of a company or organization. Need to know deals with the categorizing of data and how much an individual can access. Acceptable usage defines how a user or group of users may use a server or other IT equipment. Separation of duties refers to a task that requires multiple people to complete.
You are the security administrator for your company. You have been informed by human resources that one of the employees in accounting has been terminated. What should you do?
A. Delete the user account.
B. Speak to the employee’s supervisor about the person’s data.
C. Disable the user account.
D. Change the user’s password.
C. When an employee has been terminated, the employee’s account should be disabled, and the employee’s data should be stored for a certain amount of time, which should be dictated by the company’s policies and procedures. There is no need to speak to the employee’s supervisor. It is important not to delete the user account because the company may need information relating to that account later on. Changing the user’s password is not enough; the account should be disabled.
You need to protect your datacenter from unauthorized entry at all times. Which is the best type of physical security to implement?
A. Mantrap
B. Video surveillance
C. Nightly security guards
D. 802.1X
A. Mantraps are the best solution listed—they are the closest to foolproof of the listed answers. Mantraps (if installed properly) are strong enough to keep a human inside until he completes the authentication process or is escorted off the premises. This is a type of preventive security control meant to stop tailgating and piggybacking. Video surveillance will not prevent an unauthorized person from entering your datacenter; it is a detective security control. Security guards are a good idea, but if they only work at night, then they can’t prevent unauthorized access at all times. 802.1X is an excellent authentication method, but it is logically implemented as software and devices; it is not a physical security control.
Which of the following targets specific people?
A. Pharming
B. Phishing
C. Vishing
D. Spear phishing
D. Spear phishing is a targeted attack unlike regular phishing, which usually works by contacting large groups of people. Pharming is when a website’s traffic is redirected to another, illegitimate, website. Vishing is the phone/VoIP version of phishing.
Why would you implement password masking?
A. To deter tailgating
B. To deter shoulder surfing
C. To deter impersonation
D. To deter hoaxes
B. Password masking is when the characters a user types into a password field are replaced, usually by asterisks. This is done to prevent shoulder surfing. Tailgating is when an unauthorized person follows an authorized person into a secure area, without the second person’s consent. Impersonation is when a person masquerades as another authorized user. A hoax is an attempt at deceiving people into believing something that is false.
Your organization already has a policy in place that bans flash drives. What other policy could you enact to reduce the possibility of data leakage?
A. Disallow the saving of data to a network share
B. Enforce that all work files have to be password protected
C. Disallow personal music devices
D. Allow unencrypted HSMs
C. By creating a policy that disallows personal music devices, you reduce the possibility of data leakage. This is because many personal music devices can store data files, not just music files. This could be a difficult policy to enforce since smartphones can play music and store data. That’s when you need to configure your systems so that those devices cannot connect to the organization’s network. DLP devices would also help to prevent data leakage. Network shares are a core part of a network; without them, stored data would be chaotic. If network shares are configured properly, there shouldn’t be much of a risk of data leakage. Password protecting files is something that would be hard to enforce, and the encryption used could very easily be subpar and easily cracked. HSMs are inherently encrypted; that is their purpose. To allow an HSM would be a good thing, but there are no unencrypted HSMs.
Which of the following requires special handling and policies for data retention and distribution?
A. Phishing
B. Personal electronic devices
C. SOX
D. PII
D. PII (personally identifiable information) must be handled and distributed carefully to prevent ID theft and fraud. Phishing is the attempt at obtaining information fraudulently. Personal electronic devices should be protected and secured but do not require special policies. SOX (Sarbanes Oxley) is an act that details the disclosure of banking information.
A targeted e-mail attack is received by your organization’s CFO. What is this an example of?
A. Vishing
B. Phishing
C. Whaling
D. Spear phishing
C. Whaling is a type of spear phishing that targets senior executives such as CFOs. Regular old phishing does not target anyone, but instead tries to contact as many people as possible until an unsuspecting victim can be found. Vishing is the telephone-based version of phishing. Spear phishing does target individuals but not senior executives.
One of the accounting people is forced to change roles with another accounting person every three months. What is this an example of?
A. Least privilege
B. Job rotation
C. Mandatory vacation
D. Separation of duties
B. Job rotation is when people switch jobs, usually within the same department. This is done to decrease the risk of fraud. It is closely linked with separation of duties, which is when multiple people work together to complete a task; each person is given only a piece of the task to accomplish. Least privilege is when a process (or a person) is given only the bare minimum needed to complete its function. Mandatory vacations are when an employee is forced to take X amount of consecutive days vacation away from the office.
Which of the following environmental variables reduces the possibility of static discharges (ESD)?
A. Humidity
B. Temperature
C. EMI
D. RFI
A. Humidity (if increased) can reduce the chance of static discharges. Temperature does not have an effect on computer systems (within reason). EMI and RFI are types of interference that in some cases could possibly increase the chance of static discharge.
You have been ordered to implement a secure shredding system as well as privacy screens. What two attacks is your organization attempting to mitigate?
A. Shoulder surfing
B. Impersonation
C. Phishing
D. Dumpster diving
E. Tailgating
A. and D. The privacy screens are being implemented to prevent shoulder surfing. The secure shredding system is being implemented to mitigate dumpster diving. Impersonation is when an unauthorized person masquerades as a legitimate, authorized person. Phishing is when an attacker attempts to fraudulently obtain information through e-mail scams. Tailgating is when a person (without proper credentials) attempts to gain access to an unauthorized area by following someone else in.
What are the three main goals of information security? (Select the three best answers.)
A. Auditing
B. Integrity
C. Nonrepudiation
D. Confidentiality
E. Risk assessment
F. Availability
Answers: B, D, and F. Confidentiality, Integrity, and Availability
Explanation: Confidentiality, Integrity, and Availability (known as CIA or the CIA triad) are the three main goals of information security. Another goal within information security is Accountability.
Which of the following describes an application that accepts more input than it was originally expecting?
A. Buffer overflow
B. Denial of service (DoS)
C. Sandbox
D. Brute force
Answer: A. Buffer overflow
Explanation: Buffer overflows occur when an application or an operating system accepts more input than it expects. This can cause erratic behavior in applications, especially if the affected memory already holds other data. A denial of service is a network attack perpetrated on servers to stop them from performing their proper functions for users. A sandbox is when a web script runs in its own environment so that it won’t interfere with other processes; this is often used in testing environments. Brute force is a type of password cracking attack.
A security assessment of an existing application has never been made. Which of the following is the best assessment technique to use to identify an application’s security posture?
A. Functional testing
B. Threat modeling
C. Baseline reporting
D. Protocol analysis
Answer: C. Baseline reporting
Explanation: Baseline reporting is the best answer for identifying the application’s security posture. A Security Posture Assessment (SPA) is used to find out the baseline security of an application, a system, or a network, as long as the application (or system or network) already exists. By checking past results and comparing them with current (and future) results, a security professional can see whether an application is secure, or has a “secure posture.” Some applications come with built-in baseline reporting tools, which allow you to tell whether a system is compliant and secure. The other three answers don’t (by definition) associate with the “security posture” of an application. Functional testing is a method of verifying a program by inputting information to the program and analyzing the output. Threat modeling defines a set of possible attacks that could exploit a vulnerability. Protocol analysis deals with examining packet streams with a sniffer or protocol analyzer.
Why would a system administrator have both a user-level account and an administrator-level account?
A. To prevent privilege escalation
B. To prevent admin account lockout
C. To prevent password sharing
D. To prevent loss of access through implicit deny
Answer: A. To prevent privilege escalation
Explanation: Some organizations that use UAC might employ a policy where all administrators are expected to log on as their standard user account. With UAC enabled, the “administrator” will not be able to accomplish administrative tasks unless he types in his administrator-level account username and password at the UAC prompt. It’s really UAC that is used to prevent privilege escalation for all users.
What is the best reason why security researchers use virtual machines?
A. To offer a secure virtual environment where they can conduct online deployments
B. To offer an environment where they can discuss security research
C. To offer an environment where network applications can be tested
D. To offer an environment where malware might be executed but with minimal risk to equipment
Answer: D. To offer an environment where malware might be executed but with minimal risk to equipment.
Explanation: The best reason why security researchers use virtual machines is to offer an environment where malware might be executed but with minimal risk to the equipment. This is because the virtual machine is isolated from the actual operating system, and the virtual machine can simply be deleted if it is affected by viruses or other types of malware. Although the other answers are possible reasons why a security researcher would use a virtual machine, the best answer is that it offers an isolated environment where malicious activity can occur but be easily controlled and monitored.
You need to monitor network devices on your network. Which of the following protocols will best help you complete this task?
A. ICMP
B. SNMP
C. SMTP
D. NetBIOS
Answer: B. SNMP
Explanation: The Simple Network Management Protocol (SNMP) is meant to be used within network monitoring programs, which are used to monitor the parameters of devices on your network. ICMP stands for Internet Control Message Protocol, which among other things is an integral part of the ping command. SMTP stands for Simple Mail Transfer Protocol, which is used to send mail. NetBIOS stands for Network Basic Input/Output System and provides name services.
You are configuring an 802.11n wireless network. You need to have the best combination of encryption and authorization. Which of the following options should you select?
A. WPA2-PSK
B. WEP and 802.1x
C. WPA-Enterprise
D. WPA and TKIP
Answer: C. WPA-Enterprise
Explanation: WPA-Enterprise offers a decent level of encryption (WPA) as well as a powerful means of authorization (Enterprise). Enterprise usually means you are using a separate RADIUS server or something similar to handle the authorization side of things and are not relying on the wireless device itself. While WPA2-PSK offers a better level of encryption, it does not offer authorization the way an enterprise configuration does. WEP and 802.1x does offer a form of authorization, but WEP is deprecated and is not recommended in any scenario. WPA and TKIP offers the same level of encryption as WPA-Enterprise but does not offer authorization.
Tim needs to collect data from users that utilize an Internet-based application. Which of the following should he reference before doing so?
A. Secure code review
B. SOX
C. Acceptable use policy
D. Privacy policy
Answer: D. Privacy policy
Explanation: Tim should refer to his organization’s privacy policy before collecting any data from users of the Internet-based application. This policy will dictate whether he is allowed to collect the information he requires. Secure code reviews check for incorrect and possibly risky coding techniques in applications. SOX stands for Sarbanes-Oxley Act, which sets standards for management and public accounting organizations. Acceptable use policies (AUP) state how a network or system may be used.
You have been asked to set up a web server that will service regular HTTP requests as well as HTTP secure requests. Which of the following ports would you use by default? (Select the two best answers.)
A. 21
B. 25
C. 80
D. 135
E. 443
F. 445
Answers: C. 80 and E. 443
Explanation: The default port for HTTP requests is port 80. The default port for HTTP Secure (HTTPS) requests is port 443. Port 21 is FTP. Port 25 is SMTP. Port 135 is known as the DCE endpoint manager port or RPC (Remote Procedure Call); it is a DCOM related port that is used to remotely manage services and is generally considered insecure. Port 445 is the Server Message Block (SMB) port that deals with Microsoft directory services.
Sandy is comparing six different computers on a network. She wants to know which of the systems is more susceptible to attack. Which is the best tool for her to use?
A. Vulnerability scanner
B. Port scanner
C. Ping scanner
D. Baseline reporting
Answer: A. Vulnerability scanner
Explanation: The vulnerability scanner will be able to scan for various vulnerabilities on multiple computers. A port scanner would be the next choice but will only tell Sandy which ports are open, not what vulnerabilities the computers have, and by default it will only work with one computer at a time (although this is configurable). Ping scanners can find out what computers exist on the network but won’t display any vulnerabilities. Baseline reporting is used to compare a system’s current configuration to an older configuration to find out its security posture.
Which of the following reduces the chances of a single point of failure on a server when it fails?
A. Virtualization
B. Clustering
C. RAID
D. Cold site
Answer: B. Clustering
Explanation: Clustering enables a technician to use two or more servers together. In a failover cluster, a failure on the working server will cause that server to be disabled, but the next server in the cluster will then become active; so most single points of failure can be overcome. Virtualization of a server creates an entirely new server in a virtual machine, but it will have the same possibility of a single point of failure as a physical server. RAID (Redundant Array of Inexpensive Disks) reduces the chances of a server’s single point of failure by allowing for fault tolerant disks—but only for disks, and only certain kinds of RAID. If any other points on the server fail, RAID will not be able to recover. A cold site does not have servers ready to go in the case there is a single point of failure on a particular server. However, hot sites could usually recover from these types of issues, though the users might have to physically go to the building depending on the configuration.
Which of the following statements is true about a certificate revocation list (CRL)?
A. It should be kept secret.
B. It must be encrypted.
C. It should be kept public.
D. It should be used to sign other keys.
Answer: C. It should be kept public.
Explanation: Certificate revocation lists (CRLs) should be published regularly so that users know whether an issuer’s certificate is valid. If the CRL was secret, it would defy its purpose. The CRL is not usually encrypted but will be digitally signed by the certificate authority (CA). The CRL does not sign any keys; instead the CA takes care of this.
HIDS and NIDS are similar intrusion detection systems. However, one is for individual computers, and the other is for networks. Which of the following would a HIDS be installed to monitor?
A. System files
B. CPU performance
C. Network adapter performance
D. Temporary Internet files
Answer: A. System files
Explanation: HIDS, or host-based intrusion detection system, is software installed on an individual computer to monitor important files and watch for intrusions. System files are some of the most important files that will be monitored by a HIDS. Temporary Internet files are not nearly as important and are usually removed automatically by way of a policy in many organizations. CPU and network adapter performance is usually monitored by some type of performance monitoring program; these are often built into the operating system.
Thumb drives can be used to compromise systems and enable unauthorized access. What kind of malware was most likely installed to the thumb drive?
A. Bot
B. Logic bomb
C. Virus
D. Trojan
Answer: D. Trojan
Explanation: Trojans are used to access a system without authorization. They can be installed to USB flash drives, can be remote access programs, or could be unwittingly stumbled upon when accessing disreputable websites. The key phrase here is “unauthorized access”; that is what the Trojan is trying to do. A bot is a computer that performs actions without the user’s consent and is often controlled by a remote master computer. Though the bot doesn’t enable unauthorized access, a Trojan might carry a bot program as part of its payload. Logic bombs are generally a method of transferring malware and are meant to initiate a malicious function at a specific time. Viruses infect a computer but are not used for unauthorized access.
You are the systems administrator for your organization. You have been tasked to block database ports at the firewall. Which port should you block?
A. 3389
B. 1433
C. 443
D. 53
Answer: B. 1433
Explanation: Port 1433 is used by Microsoft SQL Server databases and should be blocked at the firewall if you want to block SQL Server activity. Port 3389 is used by the Remote Desktop Protocol. Port 443 is used by HTTPS. Port 53 is used by DNS.
Your boss speculates that an employee in a sensitive position is committing fraud. What is the best way to identify if this is true?
A. Mandatory vacations
B. Separation of duties
C. Due diligence
D. Acceptable usage policy
Answer: A. Mandatory vacations
Explanation: Mandatory vacations should be implemented to help detect (and possibly stop) fraud, sabotage, or other malicious activity on the part of a person working in a sensitive position in an organization. Separation of duties (and job rotation) are employed when more than one person is utilized to complete a task. While this might be a way to identify fraud, it does not take into account the possibility that one user is still committing fraud without the other user(s) noticing. It also doesn’t take into account the chance that all users involved in the job rotation system could be committing fraud together. Mandatory vacations are a better method of detecting ongoing fraud. Due diligence ensures that IT risks are known and managed. Acceptable usage policies define the rules that restrict how a system may be used.
Your organization’s network has a main office and two remote sites that connect back to the main office solely. You have been tasked with blocking TELNET access into the entire network. Which would be the best way to go about this?
A. Block port 25 on the main office’s firewall
B. Block port 25 on each of the L2 switches at the remote sites
C. Block port 23 on each of the L2 switches at the remote sites
D. Block port 23 on the main office’s firewall
Answer: D. Block port 23 on the main office’s firewall
Explanation: You should block port 23 on the main office’s firewall because by default TELNET uses port 23. Port 25 is used by SMTP. By blocking port 23 on the main office’s firewall you will by default be blocking it for the entire network in the scenario. L2 (layer 2) switches deal with MAC addresses and other principles of the Data Link Layer of the OSI Model. They do not usually have the option to block particular TCP/IP ports.
Tom is getting reports from several users that they are unable to download specific items from particular websites although they can access other pages of those websites. Also, they can download information from other websites just fine. Tom’s IDS is also sending him alarms about possible malicious traffic on the network. What is the most likely cause why the users cannot download the information they want?
A. The firewall is blocking web activity.
B. The NIDS is blocking web activity from those specific websites.
C. The NIPS is blocking web activity from those specific websites.
D. The router is blocking web activity.
Answer: C. The NIPS is blocking web activity from those specific websites.
Explanation: The most likely answer is that the network intrusion prevention system (NIPS) is blocking the specific traffic because it has detected that particular downloads could be malicious. A NIDS would only detect this and send alarms to Tom; it would not prevent the traffic. The firewall will usually block entire websites from being accessed, not just prevent specific downloads. The router will not block web activity, although it could block access to particular IP addresses. However, if this was the case, the users would not be able to access the website in question at all.
Users on your network are identified with tickets. Which of the following systems is being used?
A. Kerberos
B. RADIUS
C. TACACS+
D. LDAP
Answer: A. Kerberos
Explanation: Kerberos is the only authentication system listed that uses tickets to identify users—the ticketing system proves the identity of users. RADIUS uses authentication schemes such as CHAP and EAP. RADIUS and TACACS+ are normally used for remote authentication of users, whereas Kerberos is used in Domains. TACACS+ uses TCP, and RADIUS uses UDP for connections. LDAP is used for accessing and modifying directory services data.
Which of the following invalidates SQL injection attacks that were launched from a lookup field of a web server?
A. Input validation
B. Security template
C. NIDS
D. Buffer overflow protection
Answer: A. Input validation.
Explanation: Input validation is a process that ensures the correct usage of data. It is important when dealing with any types of forms on a web server. Because these forms can be compromised by various attacks, forms should be coded in such a way where any input from the user will be validated by the web page before it is accepted. For example, if you were to type in six digits in a ZIP code field when it expects only a maximum of five digits, input validation should deny that entry, and if coded properly will ask the user to re-enter the information. Security templates import many secure policies at one time. A NIDS protects an entire network from intrusion. Buffer overflow protection ensures that memory is storing data the way that the developer intended. Input validation also prevents buffer overflow attacks in addition to other types of attacks such as SQL injection attacks.
You want to curtail users from e-mailing confidential data outside your organization. Which of the following would be the best method?
A. Block port 110 on the firewall.
B. Prevent the usage of USB flash drives.
C. Install a network-based DLP device.
D. Implement PGP.
Answer: C. Install a network-based DLP device.
Explanation: A network-based data loss prevention (DLP) device is the best solution listed. This device normally sits on the perimeter of the network and can be configured to analyze traffic for confidential information and prevent it from going outside the network. DLP devices can also be storage-based and endpoint-based, but in this case the network-based DLP would be best. Blocking port 110 on the firewall might stop all outbound POP3 e-mails from leaving the network, and while that would probably stop confidential e-mails from going out, it would cause a whole slew of other problems—as you might imagine! Preventing the usage of flash drives probably wouldn’t affect the scenario either way. PGP is used to encrypt and digitally sign e-mails, which is a decent option when attempting to keep data confidential but won’t help when you want to keep that confidential data from leaving the network.
What should be incorporated with annual awareness security training?
A. Signing of a user agreement
B. Implementation of security controls
C. User rights and permissions review
D. Succession planning
Answer: A. Signing of a user agreement
Explanation: Security awareness training should be coupled with the signing of a user agreement. This agreement states that the user acknowledges and accepts specific rules of behavior, conduct, and nondisclosure of the training. Some organizations might add other policies that the user must agree to as well. Security controls deal with the proper implementation of a security plan. User rights and permissions reviews are part of security audits. Succession planning is the process of developing and readying new servers and other equipment in the case that the current equipment fails, is compromised, or becomes outdated.
A critical system in the server room was never connected to a UPS. The security administrator for your organization has initiated an authorized service interruption of the server to fix the problem. Which of the following best describes this scenario?
A. Succession planning
B. Fault tolerance
C. Continuity of operations
D. Disaster recovery
Answer: B. Fault tolerance
Explanation: Because the security administrator is deliberately interrupting service in a proactive effort to fix the problem, this scenario would be best described as fault tolerance. Also, the fact that a UPS is being installed to make the system tolerant of power loss lends to the fault tolerance answer. If the administrator was planning how a new server was to be implemented, then it would be succession planning. Continuity of operations and disaster recovery deal with the scenario of an actual disaster and the planning for recovery from that disaster.
Which of the following devices is used to optimize and distribute data workloads across multiple computers or networks?
A. VPN concentrator
B. Protocol analyzer
C. Proxy server
D. Load balancer
Answer: D. Load balancer
Explanation: A load balancer is used to distribute workload across multiple computers or a computer cluster. It can be implemented with dedicated hardware or with software. VPN concentrators are devices used for remote access. Protocol analyzers are used to examine packets of information that are captured from a computer. Proxy servers act as go-betweens for client computers and the Internet and often cache information that comes from websites.
Which of the following is used to cache content?
A. Firewall
B. Load balancer
C. Proxies
D. VPN concentrator
Answer: C. Proxies
Explanation: A proxy is used to cache or store content for later use. An example of this would be an HTTP proxy that remembers the content of a web page that a client computer accessed. This information can then be accessed by other client computers without the computer having to access the Internet. Firewalls are used to protect a network and secure ports. Load balancers are used to distribute workload across two or more computers or networks. VPN concentrators allow for secure encrypted remote access.
Which of the following enables a person to view the IP headers on a data packet?
A. Protocol analyzer
B. NIDS
C. Firewall
D. L2 switch
Answer: A. Protocol analyzer
Explanation: A protocol analyzer (or packet sniffer) allows a person to break down a packet and view its contents including IP headers. Network intrusion detection systems (NIDS) detect malicious activity on a network. Firewalls are used to protect the entire network from malicious activity by closing and securing ports. L2 switches are used as central connecting devices for computers on a LAN—they identify each computer by its MAC address.
A programmer wants to prevent cross-site scripting. Which of the following should the programmer implement?
A. Validation of input to remove bit code
B. Validation of input to remove shell scripts
C. Validation of input to remove batch files
D. Validation of input to remove hypertext
Answer: D. Validation of input to remove hypertext
Explanation: Cross-site scripting (XSS) is a vulnerability to web applications. For example, a malicious attacker might attempt to inject hypertext into a standard text-based web form. Shell scripts, batch files, and Java bit code are not associated with XSS attacks.
You have been asked by your boss to protect the confidentiality of sensitive data entered into a database table. What is the best method to use?
A. Encryption
B. Hashing
C. Secure Copy
D. Biometrics
Answer: B. Hashing
Explanation: Hashing is used in databases for indexing and file retrieval and is used to protect the confidentiality of data in database tables. It is faster and easier to use than encryption methods. Secure Copy (SCP) is used to securely transfer files between two computers. Biometrics is the science of identifying humans from their physical characteristics.
Jane is a systems administrator and must revoke the access of a user who has been terminated. Which policy must she implement?
A. Password recovery
B. Password expiration
C. Account disablement
D. Account lockout
Answer: C. Account disablement
Explanation: If an employee is terminated, the employee’s account should be disabled. This way, the employee will not be able to log in to the system, but the history of the user account is still intact and can be viewed by administrators if necessary. There is no need to modify the password recovery or expiration settings. The password will no longer do the user any good, and the administrator should be able to access anything the employee did. Even if the user password is required, it can be reset by the administrator. It would be unwise to lock out the user, because many policies have a timeout on the lockout, thus allowing the user to log back in later on.
What is one reason to implement security logging on a DNS server?
A. To perform penetration testing on the server
B. To prevent DNS DoS
C. To watch for unauthorized zone transfers
D. To measure server performance
Answer: C. To watch for unauthorized zone transfers.
Explanation: It is important to log your DNS server to monitor for unauthorized zone transfers. This type of logging can only let you know if an unauthorized zone transfer has occurred; it will not prevent it, nor will it prevent any types of denial of service (DoS) attacks. Penetration testing is usually done with some type of vulnerability scanning software, and performance measuring is usually done with some type of performance monitoring software.
What is the best way to prevent ARP poisoning across a network?
A. MAC flooding
B. Log analysis
C. Loop protection
D. VLAN segregation
Answer: D. VLAN segregation
Explanation: By segregating a network into multiple virtual LANs, ARP poisoning attacks will hopefully falter when trying to cross from one VLAN to the next. This isn’t always successful, but it is one smart way to try to avoid ARP poisoning attacks. A MAC flood is an attack where numerous packets are sent to a switch, each with a different MAC address. Log analysis is used to determine what happened at a specific time on a particular system. Loop protection can be enabled on some switches, which protects from a person connecting both ends of a patch cable to two different switch ports on a switch.
Stephen has been instructed to update all three routers’ firmware for his organization. Where should he document his work?
A. Change management system
B. Router system log
C. Event Viewer
D. Chain of custody
Answer: A. Change management system
Explanation: Change management is the structured way of making changes to systems and devices. It includes implementation, testing, monitoring, and documentation. Routers will have logs, not necessarily called a system log, which can be used to identify what has happened on the router in the past, but these aren’t used to document work done to the router. The Event Viewer contains the log files in Microsoft operating systems. A chain of custody is the chronological documentation of evidence but does not include work done on a regular basis to routers or other equipment.
Which of the following would be installed on a single computer to prevent intrusion?
A. Network firewall
B. Host-based firewall
C. Host intrusion detection system
D. VPN concentrator
Answer: B. Host-based firewall
Explanation: Firewalls are designed to prevent intrusion. To prevent intrusion on a single computer, install a host-based firewall. Another viable option would be to install a host-based intrusion prevention system (HIPS) but not a host-based intrusion detection system (HIDS) since the HIDS will only detect the intrusion, not prevent it. A VPN concentrator is used to enable secure remote connections between hosts and networks.
One of the users in your organization informs you that her 802.11n network adapter is connecting and disconnecting to and from an access point that was recently installed. The user has Bluetooth enabled on the laptop. A neighboring company had its wireless network compromised last week. Which of the following is the most likely cause of the disconnections?
A. The attacker that compromised the neighboring company is running a wardriving attack.
B. A Bluetooth device is interfering with the user’s laptop.
C. An attacker in your organization is attempting a bluejacking attack.
D. The new access point was not properly configured and is interfering with another access point.
Answer: D. The new access point was not properly configured and is interfering with another access point.
Explanation: The most likely cause is that the new access point that the laptop is connecting to was not configured properly. Perhaps the antennae were not set to a high enough power level, or the placement of the AP is not close enough to the laptop. Less likely is the possibility that an attacker is running a wardriving attack against your network. It is possible that a Bluetooth device is causing interference (since both share the 2.4 GHz spectrum), but it is also less likely. A bluejacking attack (if successful) would probably not affect the ability for an 802.11n network adapter to connect with an access point.
You have critical backups that are made at night and taken to an offsite location. Which of the following would allow for a minimal amount of downtime in the case of a disaster?
A. Have a backup server at the offsite location
B. Make the offsite location into a hot site
C. Make the offsite location into a warm site
D. Make the offsite location into a cold site
Answer: B. Make the offsite location into a hot site
Explanation: A hot site would be the best option in the case of a disaster because it can be up and running faster than any of the other answers listed. A backup server is only a single facet of many organizations’ disaster recovery plans. Warm sites and cold sites cannot be brought online as quickly as a hot site, so they involve more downtime.
What is the purpose of LDAP authentication services?
A. To prevent multifactor authentication
B. To act as a single point of management
C. To implement MAC
D. To issue one-time passwords
Answer: B. To act as a single point of management
Explanation: LDAP (Lightweight Directory Access Protocol) contains the directory for a network and allows for a single point of user management of that directory. Multifactor authentication is when more than one type of identification is required to gain access to a system, network or building. MAC (Mandatory Access Control) is a type of access control system not usually associated with LDAP. One-time passwords can be issued by several technologies including RSA tokens.
Where would you store a revoked certificate?
A. Key escrow
B. Recovery agent
C. CRL
D. PKI
Answer: C. CRL
Explanation: The CRL (certificate revocation list) is where revoked certificates should be stored. Key escrow is when certificate keys are held in the case that third parties need to access information. The recovery agent is used to recover lost keys. PKI stands for Public Key Infrastructure, which is the entire system of parts that allows for certificates, certificate authorities, and so on.
An attacker uses a method that is meant to obtain information from a specific person. What type of attack is this?
A. Spear phishing
B. DNS poisoning
C. Pharming
D. Fraggle
Answer: A. Spear phishing
Explanation: Spear phishing is the attempt at fraudulently obtaining information from specific individuals—usually done through e-mail. DNS poisoning is a compromise of a DNS server’s name cache database. Pharming is an attack that redirects a website’s traffic to another illegitimate website. A Fraggle attack contains UDP traffic sent to port 7 and 19—it is a type of DoS attack.
Which of the following is a type of photo ID that is used by government officials to gain access to secure locations?
A. Biometrics
B. DAC
C. RSA tokens
D. CAC
Answer: D. CAC
Explanation: CAC (Common Access Card) is a smart card used by the DoD to identify military personnel, government employees, and so on. Biometrics is the science of using a human’s physical characteristics for identification. DAC is the Discretionary Access Control method. RSA tokens allow for rolling one-time passwords.
Which of the following best describes a NIDS?
A. Used to attract and trap potential attackers
B. Filters out various types of Internet activities such as websites accessed
C. Detects malicious network activities such as port scans and DoS attacks
D. Redirects malicious traffic
Answer: C. Detects malicious network activities such as port scans and DoS attacks
Explanation: NIDS, or network intrusion detection system, detects malicious network activities such as port scans and DoS attacks. A honeypot or honeynet is used to attract and trap potential attackers. An Internet filter filters out various types of Internet activities such as websites accessed. A NIPS, or network intrusion prevention system, removes, detains, or redirects malicious traffic.
A co-worker’s laptop has been compromised. What is the best way to mitigate data loss?
A. Common Access Card
B. Strong password
C. Biometric authentication
D. Full disk encryption
Answer: D. Full disk encryption
Explanation: Full disk encryption is the best way (listed) to mitigate data loss in the case of a stolen or otherwise compromised laptop because it will be difficult to decrypt the data on the laptop. A Common Access Card is a smart card/photo ID used by the DoD. Strong passwords are a good idea on portable devices but can be cracked or circumvented more easily than decrypting a full disk encryption solution. Biometric authentication can also be cracked given enough time.
Your organization wants you to set up a wireless router so that only certain wireless clients can access the wireless network. Which of the following is the best solution?
A. Disable the SSID broadcast
B. Enable 802.11n only
C. Configure AP isolation
D. Implement MAC filtering
Answer: D. Implement MAC filtering
Explanation: MAC filtering enables you to specify which MAC addresses will be allowed to access the wireless AP—and by extension the rest of the wireless network. Disabling the SSID broadcast will stop all new wireless clients from connecting (unless they know the SSID and enter it manually). 802.11n will allow connections by 802.11n clients only, but won’t allow you to pick and choose particular wireless clients that you want to connect. AP isolation separates and isolates each wireless client connected to it.
A user is required to have a password that is 14 characters or more. What is this an example of?
A. Password length
B. Password recovery
C. Password complexity
D. Password expiration
Answer: A. Password length
Explanation: If a user is required to have a password that is longer than a set amount of characters, this is known as password length requirements. Password recovery deals with self-service resets and password recovery programs. Password complexity refers to passwords that require capital letters, numbers, and special characters. Password expiration is associated with a policy that a system administrator sets that defines how long a password is valid before it needs to be changed.
Which of the following only encrypts the password portion of a packet between the client and server?
A. TACACS
B. RADIUS
C. TACACS+
D. XTACACS
Answer: B. RADIUS
Explanation: RADIUS only encrypts the password portion of an access-request packet that is transmitted between the client and the server. TACACS, XTACACS, and TACACS+ encrypt the entire body of the packet.
Which is the most secure option when transferring files from one host to another?
A. FTP
B. TFTP
C. SFTP
D. TELNET
Answer: C. SFTP
Explanation: SFTP (Secure File Transfer Program) is a secure version of regular FTP that is based on SSH, which enables it to run over a secure channel. TFTP (Trivial FTP) is a simplistic, insecure, and somewhat deprecated protocol. TELNET is also insecure and deprecated.
Your boss has instructed you to shred some confidential documents. Which threat does this mitigate?
A. Dumpster diving
B. Tailgating
C. Shoulder surfing
D. Baiting
Answer: A. Dumpster diving
Explanation: Dumpster diving is a type of social engineering where a person sifts through an organization’s paper recycling and garbage in the hopes of finding sensitive or confidential information. Shredding documents makes it nearly impossible for a dumpster diver to recreate the confidential information. Tailgating is when an unauthorized person follows an authorized person into a secured area.
To be proactive, you use your vehicle to take several wardriving routes each month through your company’s campus. Recently you have found a large number of unauthorized devices. Which of the following security breaches have you most likely encountered?
A. Bluejacking
B. Interference
C. IV attack
D. Rogue access points
Answer: D. Rogue access points
Explanation: Chances are that there are rogue APs that need to be named properly and added to a network, or disabled altogether. Bluejacking is the sending of unsolicited messages to Bluetooth devices. Interference happens when devices share channels, are too close to each other, or multiple technologies share the same frequency spectrum. Interference could be happening in the above scenario, but it is difficult to say exactly without more information. In addition, interference isn’t necessarily an attack. IV attacks are attacks on wireless stream ciphers.
Which of the following methods will identify which services are running on a computer?
A. Calculate risk
B. Determine open ports
C. Review baseline reporting
D. Review firewall logs
Answer: B. Determine open ports
Explanation: By using a port scanner (and some vulnerability scanners) you can identify which ports are open on a computer (or other device), which in turn will tell you the corresponding services that are running on that computer. For example, if you see that port 80 is open, then you know that the HTTP service is running, and most likely the computer is also acting as a web server. All other answers are incorrect as they do not have to do with identifying services running on a computer.
A user can enter improper input into a new computer program and is able to crash the program. What has your organization’s programmer most likely failed to implement?
A. Error handling
B. CRC
C. SDLC
D. Data formatting
Answer: A. Error handling
Explanation: Error handling is the practice of anticipating, detecting, and resolving programming errors. Programs should be thoroughly tested with various user input before being implemented in a real environment. A CRC (cyclic redundancy check) is a hash function that produces a checksum that can detect errors in data to be sent across a network. SDLC is the Systems Development Life Cycle, a process for creating computing systems. Data formatting deals with the type of data in question and the organization of that data.
What would be an example of a device used to shield a server room from data emanation?
A. Faraday cage
B. TEMPEST
C. EMI
D. Crosstalk
Answer: A. Faraday cage
Explanation: A Faraday cage is used to shield a server room from data emanation or signal emanation. Data emanation is the electromagnetic (EM) field generated by a network cable or network device. These cables and devices can be affected by external EMI (electromagnetic interference), and cables can be affected by crosstalk. TEMPEST refers to a group of standards that investigate emissions conducted from electrical and mechanical devices.
The security company you work for has been contracted to discern the security level of a software application. The company building the application has given you the login details, production documentation, a test environment, and the source code. Which of the following testing types has been offered to you?
A. Black box
B. Red teaming
C. Gray box
D. White box
Answer: D. White box
Explanation: White box testing is when you are given as many details as possible about the application you are about to test. White box testing tests the internal workings of an application. Black box testing tests the functionality of an application without any real specific knowledge of the application. Gray box testing is when the owners of the application give you the internal knowledge of white box testing, but you still test the functionality of the application as in black box testing. A red team is a group of penetration testers that assess the security of an organization as opposed to an individual application.
Which of the following gives the user a one-time password?
A. PIV
B. Tokens
C. Single sign-on
D. Biometrics
Answer: B. Tokens
Explanation: Tokens can incorporate a one-time password (OTP), which is a password that is only valid for one session. For example, RSA SecurID time synchronization tokens will utilize an OTP. PIV stands for Personal Identity Verification. Single sign-on means that a user can use a single username/password to access multiple systems. Biometrics is the science of authenticating humans by way of their physical characteristics.
Kate is allowed to perform a self-service password reset. What is this an example of?
A. Password expiration
B. Password length
C. Password recovery
D. Password complexity
Answer: C. Password recovery
Explanation: If a user performs a self-service password reset, this would fall into the category of password recovery. For example, if Kate couldn’t log in to a shopping portal website, she could ask the website to reset her password and e-mail the new one to her. Password expiration entails a minimum and maximum expiration date and specifies how long a user can make use of a password before the user is required to change it. Password length is a policy that requires a user to type a password at least x characters long. Anything shorter than the policy dictates and the computer will request a new password from the user. Password complexity deals with capital letters, numerical characters, and special characters.
Which of the following are PII that are used in conjunction with each other? (Select the two best answers.)
A. Birthday
B. Full name
C. Favorite food
D. Marital status
E. Pet’s name
Answers: A and B.
Explanation: PII stands for personally identifiable information. Out of the answers listed, the two used in conjunction the most often to identify a person are the person’s full name and the person’s birthday. The other answers are secondary information that won’t identify the person nearly as well.
Your organization has a PKI. Data loss is unacceptable. What method should you implement?
A. CRL
B. Web of trust
C. CA
D. Key escrow
Answer: D. Key escrow
Explanation: Key escrow should be implemented if data loss is unacceptable. This is when keys are held in case another party needs access to secured communications. The CRL is the certificate revocation list. A web of trust is a decentralized model used for the management of keys. A CA (certificate authority) is a centralized model used for the management of keys.
Jake is in the process of running a bulk data update. However, the process writes incorrect data throughout the database. What has been compromised?
A. Integrity
B. Confidentiality
C. Availability
D. Accountability
Answer: A. Integrity
Explanation: If incorrect data has been written throughout the database, then the integrity of the data has been compromised. It is still secret or as confidential as it is supposed to be. It is still available, though the data will now have errors. Someone (or something) needs to be held accountable for this problem, but accountability isn’t necessarily something that can be compromised in the way that the other three concepts of the CIA triad can be.
Which of the following should you install to stop unwanted and unsolicited e-mails?
A. Spyware definitions
B. Pop-up blockers
C. Spam filters
D. Virus definitions
Answer: C. Spam filters
Explanation: Spam filters will help to filter out spam (unwanted e-mail). They can be configured in most e-mail programs or can be implemented as part of an antimalware package. Spyware definitions are used to update an antispyware application, making web browsing sessions safer. Pop-up blockers remove a percentage of the pop-up windows common with many websites. Virus definitions should be updated often to prevent a virus from executing on a computer.
Your organization has implemented cloud computing. Which of the following security controls do you no longer possess?
A. Logical control of data
B. Physical control of data
C. Administrative control of data
D. Executive control of data
Answer: B. Physical control of data
Explanation: Cloud computing relies on an external service provider. Your organization would still be able to logically manipulate data services and have administrative control over them similar to if the data and services were administered locally. But physical control would be lost and the organization would rely solely on the cloud computing service for hardware, servers, network devices, and so on. In security there is no “executive control” per se as part of a standard security plan, and even if there was, your organization, by definition, would still maintain that control.
One of the users in your organization is attempting to access a secure website. However, the certificate is not recognized by his web browser. Which of the following is the most likely reason?
A. Weak certificate cipher
B. No key escrow was implemented
C. Intermittent Internet connection
D. Self-signed certificate
Answer: D. Self-signed certificate
Explanation: A self-signed certificate is one that the website creator has created and signed. Since the certificate did not come from a known third-party security company, the web browser does not recognize it in this scenario. A weak certificate cipher is usually recognized, but the web browser will display a warning of some sort or perhaps block initial attempts to access the web page. Key escrow is when keys are held for third-party organizations in case they need access to data. Intermittent Internet connections would either allow access to the web page or not, and are otherwise not associated with certificates. Although a secure page with a certificate might take longer to access in a web browser than a standard page, this has nothing to do with the Internet connection—rather it has to do with the speed of the secure connection to the website.
Which of the following might be used to start a DDoS attack?
A. Spyware
B. Worm
C. Botnet
D. Rootkit
Answer: C. Botnet
Explanation: A botnet is often used to start a coordinated DDoS (distributed denial-of-service) attack. One master computer synchronizes many compromised zombie computers, which form the botnet, launching an all-out attack at the same time. Spyware is software that tracks a user’s actions on the Internet. A worm is malicious code that can self-replicate. A rootkit is software that subverts the operating system so that a person can gain access at the level of an administrator.
Jennifer has been tasked with configuring multiple computers on the WLAN to use RDP on the same wireless router. Which of the following might be necessary to implement?
A. Enable a DMZ for each wireless computer
B. Forward each computer to a different RDP port
C. Turn off port forwarding for each computer
D. Turn on AP isolation on the wireless router
Answer: B. Forward each computer to a different RDP port
Explanation: If there are multiple computers allowing incoming Remote Desktop Protocol (RDP) sessions on the WLAN, you might have to configure the wireless router to forward each computer to a different RDP port. For example, the standard RDP port is 3389 (also known as the Terminal Services port). If that is open on the router, then clients on the Internet will be able to initiate RDP sessions to your network. But usually, the port on the router can only be forwarded to one computer. It might be necessary to set up additional port numbers and have each one map to a separate computer on the WLAN. Of course, the users on the Internet would need to know the special port number that corresponds to the computer they want to connect to. Often this will be used for remote access by the employee who would otherwise be working at the computer in the office. You would not normally create a DMZ for each computer, and this would make it difficult to configure so that the computers could communicate with each other. Turning off port forwarding would make the situation worse and would stop any remote connections from flowing through the router. AP isolation would also separate the wireless clients and would not have any effect on the goal at hand.
You scan the network and find a counterfeit access point that is using the same SSID as an already existing access point. What is this an example of?
A. Evil twin
B. Wardriving
C. AP isolation
D. Rogue access point
Answer: A. Evil twin
Explanation: The evil twin is another access point or base station that uses the same SSID as an existing access point. It attempts to fool users into connecting to the wrong AP, compromising their wireless session. Wardriving is the act of using a vehicle and laptop to find open unsecured wireless networks. AP isolation compartmentalizes the wireless network and separates each client. Rogue access points are ones that are not part of your wireless network infrastructure.
Which of the following provides a user with a rolling password for one-time use?
A. PIV card
B. CAC card
C. Multifactor authentication
D. RSA tokens
Answer: D. RSA tokens
Explanation: RSA tokens (and other tokens for that matter) can provide a user with an OTP (one-time password). PIV cards are Personal Identity Verification cards, which are special ID cards used by the NIST. CAC cards are Common Access Cards used by the DoD. Neither of these cards uses OTPs. Multifactor authentication is when a user must provide two types of identification before they are authenticated to a building, computer, or network—for example, a username/password and a smart card used in conjunction.
What is the purpose of a chain of custody as it is applied to forensic image retention?
A. To provide documentation as to who handled the evidence
B. To provide a baseline reference
C. To provide proof the evidence hasn’t been tampered with
D. To provide data integrity
Answer: A. To provide documentation as to who handled the evidence
Explanation: A chain of custody is the chronological documentation of evidence. A procedure is involved when creating the chain of custody that logically defines how the documentation will be entered. Baseline references and baseline reporting deal with checking the security posture of a system, as in a security posture assessment. To prove that the image hasn’t been tampered with (to prove its integrity), a security professional will hash the image.
Robert has been asked to make sure that a server is highly available. He must ensure that hard drive failure will not affect the server. Which of the following methods allows for this? (Select the two best answers.)
A. True clustering
B. Software RAID 1
C. Load balancing
D. Hardware RAID 5
E. Software RAID 0
Answers: B. Software RAID 1 and D. Hardware RAID 5
Explanation: RAID 1 (mirroring) and RAID 5 (striping with parity) are both fault-tolerant methods that will allow for high availability, ensuring that hard drive failure will not affect the server. True clustering is when multiple computers’ resources are used together to create a faster, more efficient system—it often uses load balancing to accomplish this. However, it does not necessarily allow for fault tolerance of data. RAID 0 (striping) is not fault tolerant because there is no parity information.
Sherry must prevent users from accessing the network after 6PM. She must also prevent them from accessing the accounting department’s shares at all times. Which of the following should Sherry implement? (Select the two best answers.)
A. Single sign-on
B. Access control lists
C. MAC
D. Job rotation
E. Time of day restrictions
Answers: B. Access control lists and E. Time of day restrictions
Explanation: To prevent users from accessing the network after 6PM, Sherry should implement time of day restrictions. If configured properly, the users will not be able to log in except during the times she allows. To prevent the users from accessing the accounting department shares, she should set up access control lists. In most operating systems this is known as rights or permissions. Single sign-on is when a user can supply one set of credentials but be able to access multiple systems or networks. MAC is mandatory access control, in which the system defines the rights and permissions, not a user or administrator. Job rotation is when multiple users work together to complete a task.
You analyze the network and see that a lot of data is being transferred on port 22. Which of the following protocols are most likely being used?
A. SSL and SFTP
B. SCP and TELNET
C. FTP and TFTP
D. SCP and SFTP
Answer: D. SCP and SFTP
Explanation: SCP (Secure Copy) and SFTP (Secure FTP) both rely on SSH, which uses port 22. SSL uses port 443. Telnet uses port 23. FTP uses port 21, and TFTP uses port 69.
You want to stop malicious eavesdroppers from capturing network traffic. What should you implement?
A. Hot and cold aisles
B. Video surveillance
C. EMI shielding
D. HVAC shielding
Answer: C. EMI shielding
Explanation: EMI shielding can be implemented as shielded network cable or as something that protects network devices or even entire server rooms. If a malicious user cannot access the data emanation from EMI then they cannot capture network traffic. Hot and cold aisles are used for heating and cooling in data centers and server rooms. Video surveillance is used to find out when a person entered or left a building or secure area. HVAC shielding is used to prevent interference with network cables and network devices.
What are the best reasons to use an HSM? (Select the two best answers.)
A. To recover keys
B. To store keys
C. For a CRL
D. To generate keys
E. To transfer keys to the hard drive
Answers: B. To store keys and D. To generate keys
Explanation: An HSM (hardware security module) is a device that manages digital keys for cryptography. It allows for onboard secure storage of data. It is used to generate and store keys. Key recovery and the transferring of keys is done by other methods. Although an HSM can be used in conjunction with PKI, it does not have the option of storing a CRL.
If you were to deploy your wireless devices inside a TEMPEST-certified building, what could you prevent?
A. Bluesnarfing
B. Weak encryption
C. Bluejacking
D. Wardriving
Answer: D. Wardriving
Explanation: If a building is TEMPEST-certified, it can prevent wardriving, the act of accessing organizations’ wireless networks in a malicious manner. This would require various shielding, Faraday cages, shielded cabling, and so on. Bluesnarfing and bluejacking are attacks on devices equipped with Bluetooth. Weak encryption invites wardriving; for example, if an organization used WEP, the wireless access point would be much easier to hack.
Why is fiber-optic cable considered to be more secure than category 5 twisted-pair cable? (Select the two best answers.)
A. It is made of glass instead of copper.
B. It is hard to tap.
C. It is not susceptible to interference.
D. It is more difficult to install.
Answers: B and C. It is hard to tap, and it is not susceptible to interference.
Explanation: Fiber-optic cable is difficult to tap into because it does not emanate signal the way a twisted-pair cable would. More advanced tools are necessary to tap a fiber-optic cable as compared to a twisted-pair cable. Fiber-optic cable is not susceptible to interference because it does not run on electricity and is not copper-based. Fiber-optic cable does indeed have a glass core, but because it does not use electricity and is not susceptible to interference, it is safer than twisted-pair cable. Fiber-optic cable generally is more difficult to install than twisted-pair cable, but that does not make it more secure.
What would a password be characterized as?
A. Something a user has
B. Something a user is
C. Something a user does
D. Something a user knows
Answer: D. Something a user knows
Explanation: Passwords, pin numbers, and other types of passphrases and codes are characterized as something a user knows. Examples of something a user has include smart cards or other ID cards. Examples of something a user is include thumbprints, retina scans, and other biometric information. An example of something a user does could be a signature or voice-recognition.
James wants to set up a VPN connection between his main office and a satellite office. Which protocol should he use?
A. 802.1X
B. IPSec
C. RDP
D. TELNET
Answer: B. IPSec
Explanation: IPSec is used to secure VPN connections (such as L2TP tunnels). 802.1X specifies port-based network access control (NAC). RDP is the remote desktop protocol. TELNET is used to remotely connect to other computers and routers, but it is insecure and deprecated, and is not used in VPNs.
Your boss asks you to purchase additional insurance in an effort to reduce risk. What is this an example of?
A. Risk transference
B. Risk elimination
C. Risk acceptance
D. Risk avoidance
Answer: A. Risk transference
Explanation: Risk transference is when risk is passed on to an external agency, for example, an insurance company. While in reality some insurance companies will have a clause that states the risk is still the responsibility of the organization in question, the definition is still the best one listed. There is no such thing as risk elimination; it is impossible to remove all risk. Risk acceptance is when a company is okay with a certain amount of risk and considers it the cost of doing business if a risk does manifest itself. An example of risk avoidance would be if a company decided to shut down a server that was being attacked by botnets sending DDoS attacks every day.
What type of cloud service is webmail known as?
A. Software as a Service
B. Remote Desktop
C. Platform as a Service
D. Infrastructure as a Service
Answer: A. Software as a Service
Explanation: Webmail can be classified as Software as a Service (SaaS). This is when an external provider (in the cloud) offers e-mail services that a user can access with a web browser. Examples include Gmail and Hotmail. Remote desktop or RDP allows a person to remotely control another computer. Platform as a Service (PaaS) is when a cloud-based service provider offers an entire application development platform that can be accessed via a web browser or other third-party application. Infrastructure as a Service (IaaS) is when a cloud-based service provider offers an entire network located on the Internet.
Your boss asks you to implement multifactor authentication. Which of the following should you use?
A. Username and password
B. Common Access Card
C. Pin number and smart card
D. ACL entry and password
Answer: C. Pin number and smart card
Explanation: The only answer listed that has two factors of authentication is pin number and smart card. Username and password is a single type of authentication. Common Access Card (CAC) is a type of photo ID/authentication card used by the DoD. An ACL entry is not a type of authentication but is a way of defining whether a person can be authorized to network resources.
Ann has been asked by her boss to periodically ensure that a domain controller/DNS server maintains the proper security configuration. Which of the following should she review?
A. Firewall logs
B. NIPS logs
C. WINS configuration
D. User rights
Answer: D. User rights
Explanation: The best answer is user rights. A domain controller is in charge of user accounts and the permissions (rights) associated with those users. The domain controller might have a host-based firewall, but it is doubtful. Chances are that the firewall is network-based, or less commonly, is running on a separate server. The NIPS is the network intrusion prevention system, which is external from the server and usually resides on the perimeter of the network. The WINS configuration can be reviewed to verify the security of the WINS database and service but does not allow for review of the security configuration of the server as described, which is a domain controller/DNS server. Also, if the server is running the DNS server, it is doubtful that it is also running the WINS service.
Which of the following asymmetric keys is used to encrypt data to be decrypted by an intended recipient only?
A. Secret key
B. Public key
C. Private key
D. Session key
Answer: B. Public key
Explanation: In an asymmetric key system the public key is used to encrypt data while the intended recipient utilizes a private key to decrypt the data. Secret keys are another name for private keys. Session keys are also sometimes used synonymously with private keys and are used to encrypt all messages in a particular communications session.
Your organization uses a type of cryptography that provides good security but uses smaller key sizes and utilizes logarithms that are calculated against a finite field. Which type of cryptography does your organization use?
A. Quantum cryptography
B. Diffie-Hellman
C. RSA
D. Elliptic curve
Answer: D. Elliptic curve
Explanation: Elliptic curve cryptography (ECC) is based on the difficulty of solving certain math problems and is calculated against a finite field. It uses smaller key sizes than most other encryption methods. Quantum cryptography (as of 2011) is a newer type of encryption method based on quantum mechanics. The Diffie-Hellman method of key exchange relies on a secure key exchange based on each computer’s equation; however, it can be adapted for use with ECC. RSA is an asymmetric algorithm that uses much larger key sizes.
You and several others in the IT team are deciding on an access control model. The IT director wants to implement the strictest access control model available, ensuring that data is kept as secure as possible. Which of the following access control models should you and your IT team implement?
A. Discretionary access control
B. Mandatory access control
C. Role-based access control
D. Rule-based access control
Answer: B. Mandatory access control
Explanation: Mandatory access control (MAC) is the strictest access control model listed in the answers. It is a well-defined model used primarily by the government. It uses security labels to define resources. In the discretionary access control (DAC) model, the owner decides what users are allowed to have access to objects; it is not as strict as MAC. Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system but differs from MAC in how permissions are configured; it is not as strict as MAC.
You have been hired by an organization to design the security for its banking software. You need to implement a system where tasks regarding the transfer of money require action by more than one user. Activities should be logged and audited often. What access control methods should you implement?
A. Job rotation
B. Separation of duties
C. Implicit deny
D. Least privilege
Answer: B. Separation of duties
Explanation: Separation of duties is when more than one person is required to complete a task. If one person has too much control and completes too many portions of a task, it can become a security risk. Checks and balances are employed to make sure that the proper equilibrium of users is maintained. Job rotation is one of the checks and balances that might be employed to enforce the proper separation of duties. Job rotation might be incorporated to increase user insight as to overall operations or increase operation security in general. Implicit deny denies access to resources by default unless the user is specifically granted access to that resource. Least privilege is when a user or a program is given only the amount of privileges needed to do the job and not one bit more.
Which of the following security actions should be completed before a user is given access to the network?
A. Identification and authentication
B. Authentication and authorization
C. Identification and authorization
D. Authentication and biometrics
Answer: A. Identification and authentication.
Explanation: Before users are given access to a network, they need to identify themselves in one or more ways and be authenticated via whatever system is in place. After they are given access to the network, they can later be authorized to individual resources. The authentication step cannot be skipped.
Which of the following is the best reason to perform a penetration test?
A. To identify all vulnerabilities and weaknesses within your network
B. To passively test security controls
C. To determine the impact of a threat against your network
D. To find the security posture of the network
Answer: C. To determine the impact of a threat against your network
Explanation: Penetration tests are usually designed to simulate a particular attack, allowing the administrator to determine the impact of that threat to the network. They are not designed to identify all vulnerabilities and weaknesses—to do that we would use a vulnerability scanner among other things. Penetration tests are not passive; they are active tests that should be done off hours and with much preparation beforehand. The security posture of the network is usually discerned by security assessments and baseline reporting.
You are tasked with implementing an access point to gain more wireless coverage area. What should you look at first?
A. SSID
B. Radio frequency
C. Encryption type
D. Power levels
Answer: D. Power levels
Explanation: The power levels will dictate how far an access point can transmit its signal. For more coverage, increase the power levels, but be careful not to go beyond your organization’s work area, or other neighboring entities might try to compromise your network. The SSID is the name of the wireless network. The radio frequency used could possibly increase coverage (for example, if you change from 802.11b to 802.11n) but is not the first thing you should look at. The encryption type will not have an effect on the coverage area.
What are two reasons to use a digital signature? (Select the two best answers.)
A. Nonrepudiation
B. Availability
C. Confidentiality
D. Integrity
E. Encryption
Answers: A. Nonrepudiation and D. Integrity
Explanation: A valid digital signature assures the recipient that the message was created by the sender, thereby validating the integrity of the message. Also, a sender cannot claim that they didn’t send the message; this is an example of nonrepudiation. Digital signatures do not affect the confidentiality or availability of a message. However, encryption will increase the confidentiality of a message.
Your web server’s private key has been compromised by a malicious intruder. What, as the security administrator, should you do?
A. Issue a new CA
B. Submit the public key to the CRL
C. Submit the private key to the CRL
D. Use key escrow
Answer: B. Submit the public key to the CRL
Explanation: In a PKI, an asymmetric key pair is created. The private key is kept secret, but the public key is distributed as needed. It is this public key that should be submitted to the CRL so that no other entities utilize it. A new key pair will then be created at the CA, but a new CA is not necessary. That would only be necessary if the entire CA was compromised, which was not part of the scenario. The private key is not seen by other entities, so only the public key should be submitted to the CRL. Key escrow is when copies of keys are kept in case a third party needs access to data.
You need to access a network router. Which of the following authentication services should you use?
A. TACACS+
B. SSH
C. TELNET
D. SNMP
Answer: A. TACACS+
Explanation: Network devices (specifically Cisco devices) can be administered by a person with TACACS+ authentication. SSH is used primarily to remotely configure Linux/Unix hosts. TELNET was used to administer network devices, but it is not the best answer because it is insecure and outdated. SNMP is used to monitor network devices and hosts.
You have identified a security threat on a server, but you have decided not to exploit it. What method have you implemented?
A. Penetration test
B. Risk mitigation
C. NIDS
D. Vulnerability scan
Answer: D. Vulnerability scan
Explanation: Vulnerability scans will identify threats but not exploit them the way a penetration test might. Nothing has been mitigated in this scenario, only identified. NIDS (network intrusion detection system) will detect malicious traffic on the network, but will not find security threats on a server.
RAID is most concerned with what?
A. Availability
B. Baselining
C. Confidentiality
D. Integrity
Answer: A. Availability
Explanation: RAID is most concerned with availability—the uptime of hard drives and the accessibility of data regardless of faults. Baselining can be accomplished with various tools such as Performance Monitor. Confidentiality can be achieved with encryption. Integrity can be brought about by way of hashing.
Which of the following makes use of three components: a managed device, an agent, and a network management system?
A. SNMP
B. Wireshark
C. Performance Monitor
D. Security log file
Answer: A. SNMP
Explanation: SNMP, which is the Simple Network Management Protocol, aids in monitoring network-attached devices and computers. It can be broken down into three components: managed devices, agents, and a network management system (NMS). Wireshark is a protocol analyzer; Performance Monitor is a Windows program that analyzes the performance of the resources on a computer; and a Security log file is a log file within the Event Viewer used to audit systems.
Which of the following is not a record of the tracked actions of users?
A. Previous logon notification
B. Audit trails
C. Application log
D. Security log
Answer: C. Application log
Explanation: The application log is not a record of the tracked actions of users. The application log does show events that have occurred concerning built-in Windows applications or third-party applications. Previous logon notification, audit trails, and security logs are all records of the tracked actions of users.
NOP sleds are an indication of what kind of attack?
A. Buffer overflow
B. SQL injection
C. XSS
D. Smurf attack
Answer: A. Buffer overflow
Explanation: A NOP sled (also called a NOP slide) is a technique used to exploit a buffer overflow. This is done by corrupting the stack with no-op machine instructions. Because of this, NOP sleds are sometimes referred to as NOOP sleds. SQL injections exploit databases. XSS (cross-site scripting) attacks exploit web servers and web pages. Smurf attacks are DoS attacks.
Eliot just finished taking a forensic image of a server’s memory. What should he employ to ensure image integrity?
A. Compress the image
B. Run the image through SHA256
C. Run the image through AES128
D. Make a duplicate of the image
Answer: B. Run the image through SHA256
Explanation: SHA256 is one of four algorithms in the SHA-2 hash function family. Hashes are used to prove integrity of data and images. Compressing the image would only decrease the storage space needed for the image; it would not ensure integrity. Running the image through AES128 would encrypt it, ensuring confidentiality but not integrity. Making a duplicate would allow for availability but not integrity; in fact, integrity might be compromised if this is done, but that will depend on several factors.
Which of the following describes hiding data within other files?
A. Steganography
B. PKI
C. Encryption
D. Digital signatures
Answer: A. Steganography
Explanation: Steganography is the art and science of hiding messages within other messages or elsewhere. It is a form of security through obscurity. PKI is the public key infrastructure that deals with encryption—the modification of data so that it cannot be read. Digital signatures are used for integrity and nonrepudiation.
You surmise that a user’s session was interrupted by an attacker who inserted malicious code into the network traffic. What attack has occurred?
A. DoS
B. Spoofing
C. Phishing
D. Man-in-the-middle
Answer: D. Man-in-the-middle
Explanation: Man-in-the-middle attacks (MITM) are when an attacker intercepts data between a client and a server and modifies the data in transit. DoS attacks are Denial of Service attacks meant to disrupt a server. Spoofing is when an attacker masquerades as another person. Phishing is when a person attempts to obtain information from a person via e-mail.
Which of the following can prevent tailgating?
A. Video cameras
B. Biometrics
C. Mantraps
D. Proximity cards
Answer: C. Mantraps
Explanation: Tailgating is when an unauthorized user follows an authorized user into a secured area (usually without the person’s consent). The mantrap is meant to allow only one person to pass through a secure area at a time. Locking doors surround the area so that a tailgater cannot exit. Video cameras and video surveillance are used to report when a person entered or exited a building or other area. Biometrics are used to authenticate people according to their physical attributes. Proximity cards are used in electronic door systems.
A proximity card is an example of what?
A. Something a user has
B. Something a user is
C. Something a user knows
D. Something a user does
Answer: A. Something a user has
Explanation: Proximity cards are something that a person has; a proximity card is a tangible item that a person carries with them. In the world of authentication, an example of something the user is would be a thumbprint. An example of something a user knows is a password. An example of something a user does would be a written signature.
What are recovery point objectives and recovery time objectives related to?
A. Risk management
B. Succession planning
C. Business impact analysis
D. Single points of failure
Answer: C. Business impact analysis
Explanation: Business impact analysis is the examination of critical versus noncritical functions. These functions are assigned two different values: recovery point objectives (RPO), which is the acceptable latency of data, and recovery time objectives (RTO), which is the acceptable amount of time to restore a function. Risk management is identification, assessment, and prioritization of risks. Succession planning is a method for replacing servers and other equipment when they become outdated or if they fail permanently. A single point of failure is any hardware on a server or other device that will cause the device to shut down or otherwise stop serving users.
Which of the following descriptions is true concerning external security testing?
A. External security testing is conducted from outside the building where an organization’s servers are hosted.
B. External security testing is conducted from outside the perimeter switch but inside the border router.
C. External security testing is conducted from outside the organization’s security perimeter.
D. External security testing is conducted from outside the perimeter switch but inside the organization’s firewall.
Answer: C. External security testing is conducted from outside the organization’s security perimeter.
Explanation: Proper external security testing should be conducted from outside the organization’s security perimeter, wherever that might be. It is generally outside devices such as switches, routers, firewalls, and so on. This may incorporate more than one building; a proper external security test in this case can test an entire campus area network.
Which of the following is the most complicated centralized key management scheme?
A. Asymmetric
B. Symmetric
C. Whole disk encryption
D. Steganography
Answer: A. Asymmetric
Explanation: Asymmetric systems such as PKI (public key infrastructure) have a complicated centralized key management scheme. A system such as PKI creates asymmetric key pairs including a public key and a private key. The private key is kept secret, whereas the public key can be distributed. Symmetric systems use two keys, but they are the same type of key, usually identical, thus the name symmetric. Whole disk encryption schemes such as BitLocker use trusted platform modules (TPMs) that store the symmetric encrypted keys; these keys are often based on the Advanced Encryption Standard (AES). Steganography is the science of hiding messages within files and doesn’t use keys.
Why would you use a vulnerability scanner? Select the best answer.
A. To identify open ports on a computer
B. To identify remote access policies
C. To crack passwords
D. To see whether passwords are sent as clear text
Answer: A. To identify open ports on a computer
Explanation: Vulnerability scanners are primarily used to find open ports on a computer and define what threats are associated with those ports. Remote access policies should be identified within the server where the policy was created, for example, in Windows Server. Password recovery programs such as John the Ripper should be used to crack passwords. To see whether passwords are being sent as clear text, you should use a protocol analyzer.
What is another name for a malicious attacker?
A. White hat
B. Penetration tester
C. Fuzzer
D. Black hat
Answer: D. Black hat
Explanation: A black hat is someone who attempts to break into computers and networks without authorization. They are considered to be malicious attackers. A white hat is a nonmalicious hacker, often employed by an organization to test the security of a system before it goes online. An example of a white hat would be a penetration tester, who administers active tests against systems to determine whether specific threats can be exploited. A fuzzer is a colloquial name for a software tester.
Your organization is designing two new systems. They require emphasis on the following: System A requires high availability. System B requires high security. Which configuration should you select?
A. System A and System B both fail open.
B. System A fails closed. System B fails open.
C. System A fails open. System B fails closed.
D. System A and System B both fail closed.
Answer: C. System A fails open. System B fails closed.
Explanation: System A requires high availability so it should fail open. For example, if the system were a monitoring system, and a portion of it failed, the organization might want it to fail open so that other portions of the monitoring system will still be accessible. However, System B requires security, so it should fail closed. Let’s say that System B was a firewall. If it crashed, would we still want network connectivity to pass through it? Probably not; because there would be little or no protection to the network. In general, if you need high availability the system should fail open. If you need high security, it should fail closed.
What would you use a TPM for?
A. Input validation
B. System hardening
C. Cloud computing
D. Full disk encryption
Answer: D. Full disk encryption
Explanation: A TPM (Trusted Platform Module) is a chip that resides on a motherboard (or similar location) that stores encrypted keys used to encrypt the entire hard disk on the system. Input validation is a technique used by programmers to secure their forms. System hardening is the process of securing a computer system through updates, closing ports, and so on. Cloud computing is the use of web-based applications (and other software, platforms, and infrastructures) that are provided by an external source on the Internet.
What kind of attack would a flood guard protect from?
A. SYN attack
B. Xmas attack
C. MITM attack
D. Botnet
Answer: A. SYN attack
Explanation: A SYN attack is when a large amount of synchronization request packets are sent from a client to a server—it is also known as a SYN flood. To protect against this, SYN flood guards can be implemented within some firewalls or as separate devices altogether. If on a firewall, some configuration is usually necessary. An Xmas attack (Christmas tree packet attack) uses packets with every option set; these packets are used to analyze TCP/IP responses but do not have the SYN flag set. MITM stands for man-in-the-middle, an attack that intercepts and modifies data traversing between a client and a server. A botnet is a group of compromised computers that jointly (and unknowingly) attack single points of interest such as web servers.
Your CFO’s smartphone holding classified data has been stolen. What is the best way to reduce data leakage?
A. Inform law enforcement
B. Track the device with GPS
C. Remotely sanitize the device
D. Use strong encryption
Answer: C. Remotely sanitize the device
Explanation: If a device holding classified data is stolen, the best thing to do is to remotely sanitize the device (known as a remote wipe). It is too late to use strong encryption, but that should always be implemented on mobile devices (or any devices for that matter) with classified information. After remotely sanitizing the device, you might opt to inform law enforcement (or your organization’s security company or internal security investigators) and possibly track the device via GPS.
Which of the following would you most likely find in a buffer overflow attack?
A. NOOP instructions
B. Sequence numbers
C. IV length
D. Set flags
Answer: A. NOOP instructions
Explanation: A large number of NOOP (or no-op) instructions can be used to overflow a buffer, which could allow unwanted code to be executed or result in a DoS. Large numbers of NOOP instructions can be used to perform a NOP sled (or NOOP sled, also called a NOP slide). Sequence numbers refer to how TCP packets are numbered. IV length has to do with the length of a string in a cipher. Flags are one or more bits that are set to a binary number to indicate whether something is on or off.
You have been tasked to access an older network device. Your only option is to use TELNET. Which port would need to be open on the network device by default?
A. 3389
B. 161
C. 135
D. 23
Answer: D. 23
Explanation: TELNET uses port 23 by default. Some older devices may not be accessible remotely without using the deprecated TELNET protocol. The best thing to do in this situation would be to update the network device if possible or replace it. Port 135 is known as the DCE endpoint manager port or dcom-scm. Port 161 is the default port for SNMP. Port 3389 is the default port for the Remote Desktop Protocol.
Some of the employees in your organization complain about how they are receiving e-mail loaded with advertisements. What should you do?
A. Install antispyware.
B. Install antispam.
C. Install antivirus.
D. Install HIDS.
Answer: B. Install antispam.
Explanation: Antispam software might be a standalone solution or part of an antimalware suite of programs. This is the best option when attempting to lessen the amount of spam e-mails that contain advertisements. Antimalware suites usually also include antispyware tools and antivirus tools. A HIDS is a host-based intrusion detection system. This is used to detect whether malicious activity is occurring on an individual computer.
Which of the following encryption protocols is the strongest and can encrypt data with the least amount of CPU usage?
A. DES
B. AES
C. 3DES
D. RC4
Answer: B. AES
Explanation: AES, the Advanced Encryption Standard, is currently considered to be the strongest symmetric encryption protocol. It can also encrypt data with the least amount of CPU usage compared to the rest of the listed answers. This makes it a great choice for wireless networks, whole disk encryption, and so on. DES and its successor 3DES were the predecessors to AES. Both of them are considered deprecated, weaker encryption protocols and require more CPU usage than AES. RC4 is a symmetric stream cipher used with SSL and WEP. It is known for its speed but when used with WEP can be cracked easily.
Which of the following encryption algorithms are supported by the IEEE 802.11i standard? (Select the two best answers.)
A. TKIP
B. RSA
C. ECC
D. AES
Answers: A and D. TKIP and AES
Explanation: The IEEE 802.11i standard amends the original 802.11 standard and was later incorporated into the IEEE 802.11-2007 standard. It specifies security mechanisms for wireless networks including TKIP and AES. It also deprecates WEP. TKIP is the Temporal Key Integrity Protocol used as a solution to replace WEP without requiring any replacement of older hardware. Although it is a better solution than WEP, TKIP was deprecated in 2009 by the IEEE—CCMP is recommended in its place. AES, the Advanced Encryption Standard, is the superior type of encryption to use in wireless networks. It works with WPA and WPA2 but might require hardware upgrades. RSA (Rivest, Shamir, Adleman) is a public key cryptography algorithm commonly used on the Internet and considered to be unbreakable if used properly. ECC, which stands for elliptic curve cryptography, is another type of public key cryptography, but this is based on the structure of an elliptic curve and mathematical problems.
Which of the following web application security weaknesses can be mitigated by preventing the usage of HTML tags?
A. SQL injection
B. Cross-site scripting
C. LDAP injection
D. Rootkits
Answer: B. Cross-site scripting
Explanation: Cross-site scripting (XSS) is an attack on website applications that injects client-side script into web pages. SQL injection is a type of code injection that exploits vulnerabilities in databases. LDAP injection can be used to modify LDAP statements and modify the LDAP tree. Rootkits are software designed to gain administrator-level access over a computer system.
You want to secure your data to retain it over the long term. What is the best way to do this?
A. Onsite clustering
B. Virtualization
C. Offsite backup
D. RAID 5 onsite backup
Answer: C. Offsite backup
Explanation: For purposes of retention, offsite backup is the best option. By keeping your backups offsite, you mitigate the risk of losing data during a disaster to your main office. All of the other options imply onsite backup or virtualization onsite; all of which are at risk if a disaster occurs at the main office.
Your boss’s smartphone is encrypted and has screen lock protection, yet data was still stolen from it. How is this possible?
A. Botnet
B. Bluesnarfing
C. SIM cloning
D. GPS tracking
Answer: B. Bluesnarfing
Explanation: Bluesnarfing is an attack that can steal data such as phonebook contacts, calendar information, and so on, regardless of the phone’s encryption and screen lock. To protect against this, set the smartphone to undiscoverable and use a hard-to-guess Bluetooth pairing key. A botnet might try to target a smartphone, but more often they will go for other targets; regardless, the phone might be rendered useless after a botnet attack, but the data would probably not be compromised. SIM cloning involves duplicating the SIM card on a GSM-enabled phone, which allows two phones to share an account. GPS tracking allows a smartphone to be located physically, but if the phone is still encrypted, GPS tracking will not help with the stealing of data.
A malicious computer is sending data frames with false hardware addresses to a switch. What is happening?
A. DNS poisoning
B. pWWN spoofing
C. MAC spoofing
D. ARP poisoning
Answer: D. ARP poisoning
Explanation: ARP poisoning is an attack that exploits Ethernet networks—spoofed frames of data will contain false MAC addresses, ultimately sending false hardware address updates to a switch. DNS poisoning is the unauthorized modification of name resolution information. pWWN spoofing is a type of spoof attack carried out on SANs. MAC spoofing is a technique for changing the MAC address of a network adapter.
You are surprised to notice that a co-worker’s computer is communicating with an unknown IRC server and is scanning other systems on the network. None of this was scheduled by anyone in your organization, and the user appears to be unknowing of what is transpiring. What is the most likely cause?
A. The computer is part of a botnet.
B. The computer is infected with a worm.
C. The computer is infected with spyware.
D. The computer is infected with a rootkit.
Answer: A. The computer is part of a botnet.
Explanation: If the computer in question is scanning the network and accessing an unknown IRC server without the user’s knowledge, then the computer has probably been compromised as a zombie and is now part of a botnet. The IRC server probably acts as a central communication point for all zombies in the botnet. Though the computer had to be infected with some kind of payload originally, that malware is not responsible for the events that are transpiring currently.
In a PKI, what is responsible for verifying certificate contents?
A. Key escrow
B. CA
C. CRL
D. Recovery agent
Answer: B. CA
Explanation: The CA (certificate authority) is responsible for verifying the authenticity of certificate contents. Key escrow is when a copy of the key is held, usually by third parties. The CRL is the certificate revocation list, where certificates are listed when their corresponding public key has been compromised. The recovery agent is used to recover keys, key components, and plaintext messages.
The university science lab is normally locked when no one is using it. The professor of the science department has a key to unlock the door. Other faculty members are given keys to lock the door only. What type of key structure is this?
A. Symmetric
B. Key escrow
C. Asymmetric
D. Secret keys
Answer: C. Asymmetric
Explanation: In an asymmetric key scenario, a pair of different keys is used to encrypt and decrypt data. The keys can be related, but they are not identical as in symmetric (or secret key) algorithms. The analogy here is that the professor and the other faculty have varying physical keys: one for unlocking, the others for locking. Key escrow is when keys are stored for third parties in the case of data loss.
Mark works for a financial company. He has been tasked to protect customer data. He decides to install a mantrap and an HVAC system in the data center. Which of the following concepts has he addressed?
A. Availability
B. Integrity
C. Confidentiality
D. Recovery
E. Accountability
Answers: A. Availability and C. Confidentiality
Explanation: The HVAC system addresses the need for availability of data. Without a proper HVAC system, a data center’s servers (and other equipment) would probably overheat resulting in a loss of service. The mantrap addresses the need for confidentiality. Customer data in financial organizations, health insurance companies, and many other organizations requires privacy and confidentiality. By installing a mantrap, unauthorized persons will be detained and won’t be able to access customer data.
Several users complain they are encountering intermittent loss of network connectivity. The computers are wired to the LAN, and no wireless devices are being used. What should you implement?
A. Data emanation
B. Shielding
C. HVAC
D. Faraday cage
Answer: B. Shielding
Explanation: From the answers listed, shielding should be implemented. When multiple wired network connections are intermittently cutting out, chances are that EMI or some other type of interference is occurring and that something needs to be shielded better. One possibility is to replace standard UTP network cable with shielded twisted pair (STP). Another possibility is to check network devices and make sure they are not near a power source or other device that radiates EMI. HVAC equipment (if near network cabling or devices) can be shielded as well. Data emanation is when there is data leakage from network cables, wireless network devices, and other network equipment. A Faraday cage is used to block wireless data emanation, especially in server rooms and data centers.
Which protocol is based on SSH?
A. SFTP
B. TFTP
C. FTP
D. FTPS
Answer: A. SFTP
Explanation: SFTP is the SSH File Transfer Protocol (also called Secure FTP). It is an extension of the SSH protocol, which uses port 22. Contrast this with FTPS, which is FTP Secure or FTP-SSL, which uses port 443. Plain FTP has no built-in security and is not based on SSH. TFTP is a simple version of FTP.
The server room is on fire. What should the HVAC system do?
A. Increase the humidity
B. Increase the heat
C. Turn off
D. Turn on the AC
Answer: C. Turn off
Explanation: In the case of a fire, the HVAC system should be programmed to automatically shut off. The key here is that it is automated; that’s why the question is asking what the HVAC system would do, not what you would do. In fact, any other associated electrical units in the server room should shut off in the case of a fire as well. If an HVAC unit is turned on in any way, shape, or form (AC, heat, or whatever), it would effectively be blowing more air (oxygen) on the fire. Since oxygen feeds the fire, we don’t want to do this. To turn up the humidity you would have to move more humid air, once again adding oxygen to the fire, so again this is not recommended. The HVAC system will not help in the case of a fire. That is what your specialized gaseous fire suppression system (and wet pipe system) is for.
Which of the following is a removable device that can be used to encrypt in a high availability clustered environment?
A. Biometrics
B. Cloud computer
C. TPM
D. HSM
Answer: D. HSM
Explanation: An HSM (hardware security module) is a device used to manage digital keys and provide authentication. It can be connected to a computer, a server, or a particular server in a clustered environment. Biometrics is the science of authenticating individuals by their physical traits. A cloud computer is a computer that resides on the Internet and is run by a third-party service provider that offers various computing services to individual users and small to midsized companies. A TPM is a trusted platform module, which is similar to an HSM but is internal to the computer, perhaps as a chip on the motherboard.
Of the following, what is the best option to implement if you wanted to recover a lost laptop?
A. Remote wipe
B. HIDS
C. GPS
D. WDE
Answer: C. GPS
Explanation: GPS tracking is the best answer listed if you want to recover a lost laptop. If installed properly (and if in GPS range) the GPS chip will enable the laptop to be tracked. Remote wipe (or remote sanitization) will wipe out all the data on the laptop (if it is accessible) but will, of itself, not inform you as to the location of the laptop. HIDS (host-based intrusion detection system) is software that can be loaded on the laptop that will detect malicious activity. WDE is whole disk encryption, which will make the data hard to decrypt and read but won’t aid in the tracking of the laptop.
Which of the following is the best description of a security advantage when using a standardized server image?
A. All antivirus software will be current.
B. All current updates for the OS will already have been applied.
C. All mandated security configurations will already have been applied to the OS.
D. OS licensing will be easier to track.
Answer: C. All mandated security configurations will already have been applied to the OS.
Explanation: Organizations develop standardized images for their server operating systems. They are standardized according to organizational policy. So, any mandated security configurations should be applied to the OS before it is made into an image to be used on the network. Unfortunately, that only gets the OS image to a certain point in time. Any new AV definitions, security updates to the OS, and so on, will need to be applied afterward according to organizational policy. OS licensing trackability should not change. Whether you track your OS licenses on paper or with a scanning program, they should be tracked in the same manner as with physical operating systems.
You are the security administrator for the company ABC Accounting Inc. The IT director has given rights to you allowing you to review logs and update network devices only. Other rights are given out to network administrators for the areas that fall within their job description. What kind of access control is this?
A. Job rotation
B. Discretionary
C. Mandatory vacation
D. Least privilege
Answer: D. Least privilege
Explanation: Least privilege is when users are given only the amount of rights necessary to do their job. Since the IT director only gave you specific rights and no more, and because other very specific rights are given to other network administrators, the least privilege rule applies here. Job rotation is when multiple users are cycled through different related tasks. Discretionary access control (DAC) is an access control model that has rules set by the user. Because the IT director has already set rights and permissions, this scenario does not involve DAC. Mandatory vacation is when a user is forced to take consecutive days vacation away from the office.
Which wireless configurations can be easily circumvented using a network sniffer?
A. Disabled SSID
B. EAP-TLS
C. WPA2
D. MAC filtering
E. WEP with 802.1X
Answers: A. Disabled SSID and D. MAC filtering
Explanation: Utilizing a network sniffer (or packet analyzer) can aid an attacker in discerning the SSID of an AP as well as which MAC addresses are being allowed in. By drilling down through the frames of information that are captured, the attacker can easily find the SSID name, and with a little work can deduce the MAC addresses that have access to the network. Then, the person need only spoof the MAC address and connect to the AP’s SSID manually and have access to the wireless network. The other answers concern authentication and encryption methods, which will be much more difficult to circumvent. 802.1X is network access control that uses various types of authentication methods including EAP-TLS. WEP and WPA2 are encryption methods, and while WEP is deprecated, it is difficult to get past when used in conjunction with 802.1X.
You have been tasked with providing a staff of 250 employees secure remote access to your corporate network. Which of the following is the best solution?
A. VPN concentrator
B. Web security gateway
C. Web proxy
D. Software-based firewall
Answer: A. VPN concentrator
Explanation: The VPN concentrator is the best solution listed. A hardware device such as this can handle 250 concurrent, secure, remote connections to the network. Web security gateways are used to block access to specific websites. Web proxies cache website content for later use. Software-based firewalls can allow for remote secure access but not for the amount of concurrent connections needed. A hardware-based firewall or VPN concentrator is the best solution.
Susan is in charge of installing a business-critical application on an Internet-facing server. She is going to update the application to the most current version. What other security control should she perform in conjunction with the update? Select the best answer.
A. Run a port scan of the application server.
B. Review and apply vendor-provided hardening documentation.
C. Configure the firewall to prevent the application from auto-updating.
D. Configure the firewall to allow the application to auto-update.
Answer: B. Review and apply vendor-provided hardening documentation
Explanation: Third-party applications will usually come with a slew of documentation, including a list of hardening methods. This vendor documentation should be applied while updating the application as part of the entire application security process. It is the best answer as far as what to do in conjunction with the update. Running a port scan is a good idea at some point, but it has less to do with the application, and more to do with finding unnecessary ports and services. If the application is installed on an Internet-facing server, there probably won’t be a firewall involved. If the application server is in a DMZ, it will probably be behind a firewall, but by definition, even if the DMZ-based application serves users on the Internet, this isn’t considered to be directly Internet-facing. Otherwise, the firewall should usually be set up to allow an application to auto-update, but you never know; some applications might need to be updated manually, depending on the security level of the application and organizational policy.
You have received several reports from users of corrupted data. You patched the affected systems but are still getting reports of corrupted data. Which of the following methods should you perform to help identify the problem?
A. Data integrity check
B. Penetration testing
C. Hardware baseline review
D. Vulnerability scan
Answer: D. Vulnerability scan
Explanation: If the data is becoming corrupted more than once even after an update to the affected systems, you should perform a vulnerability scan to find out what the possible threats and vulnerabilities are to those systems. A data integrity check would simply tell you that the data has been corrupted and therefore integrity is not intact. Penetration testing determines whether a system can be compromised by exploiting a particular threat. A hardware baseline review will tell you how your hardware is performing and how secure it is compared to the last baseline. Baselines are examples of vulnerability assessments, but in this case we need a software-based vulnerability assessment.
Which of the following will stop network traffic when the traffic is not identified in the firewall ruleset?
A. Explicit allow
B. Explicit deny
C. Implicit deny
D. Access control lists
Answer: C. Implicit deny
Explanation: The principle of implicit deny is used to deny all traffic that isn’t explicitly (or specifically) allowed or denied. In other words, if the type of traffic hasn’t been associated with a rule, the implicit deny rule will kick in, thus protecting the device. Access control lists are used to filter packets and will include rules such as permit any, or explicit denies to particular IP addresses.
Which of the following equations represents the complexity of a password policy that enforces a lowercase password using the letters “a” through “z” where “n” is the password length?
A. n^2 * 26
B. 26^n
C. n^26
D. 2^n * 26
Answer: B. 26^n
Explanation: The 26 refers to “a” through “z” (lowercase), which comes to 26 characters in total. The n is a variable that refers to the length of the password. When calculating a password, the amount of characters should be raised to a particular power that will be equal to the length of the password. So, if our policy in the above example dictated a password that was 8 characters long, then it would be 26 to the power of 8, or 26^8. In this case n = 8, but it doesn’t have to—it could be 10, 14, or whatever the security administrator sets the password length to in the password policy.
Improper use of P2P and social networking software may result in which of the following?
A. Data loss prevention
B. Denial of service
C. Shoulder surfing
D. Information disclosure
Answer: D. Information disclosure
Explanation: Using P2P software and social networking software (and websites) can lead to information disclosure. This could be due to user error, not following guidelines, using a weak password, and so on. One direct reason for this is when users place personal information where it can be easily found. Data loss prevention is a technique used to stop data leakage—it often entails the use of a hardware-based device. A denial of service is when a server is attacked with a flood of packets and there is a stoppage of service. Shoulder surfing is when someone attempts to gain personal information about another person by looking about the person’s desk or watching him while he is working on his computer.
Greg needs to centralize the authentication of multiple networking systems against a single user database. What is he trying to implement?
A. Access control list
B. Single sign-on
C. Multifactor authentication
D. Common Access Card
Answer: B. Single sign-on
Explanation: Single sign-on means the ability to log in to multiple systems using a single username/password combination (or other type of authentication method). This is what Greg needs in this scenario. Access control lists contain rules determining which IP addresses and users are allowed access to networks and data. Multifactor authentication is when two or more types of information (or physical security devices) are necessary to gain access to a system—for example, the combination of a username/password and a smart card. The Common Access Card is an authenticating smart card used by the DoD for personnel.
Your organization has a policy that states that user passwords must be at least 16 characters. Your computers use NTLM2 authentication for clients. Which of the following hash algorithms will be used for password authentication?
A. MD5
B. AES
C. LM hash
D. SHA
Answer: A. MD5
Explanation: The MD5 hashing algorithm is used by NTLM2 authentication. MD5 stands for Message-Digest algorithm 5. It uses a 128-bit key and is a widely used hashing algorithm. LM hash is used with passwords of 14 or fewer characters. If you use a password of 15 characters or more on newer versions of Windows, the OS will store a constant string as the LM hash, which is effectively a null password, and thereby uncrackable. The real password will be stored as an NTLM2 hash and (in this case calculated with MD5) will be used solely. AES is the Advanced Encryption Standard used widely in wireless networks. SHA is the Secure Hash Algorithm, which employs a 160-bit hash. Newer versions of SHA are more secure than MD5.
Tara has written an application and is ready to go through the hardening process. Which of the following could be considered a hardening process of the SDLC?
A. Disabling unnecessary services
B. Application patching management schedule
C. Disabling unnecessary accounts
D. Secure coding concepts
Answer: D. Secure coding concepts
Explanation: Secure coding concepts such as input validation will help to harden an application within the systems development life cycle (SDLC). While disabling unnecessary services and accounts, and patching the application are all important, these could all be considered application or server hardening, not hardening within the SDLC.
Hardware-based encryption devices such as hardware security modules (HSM) can sometimes see slower deployment in some organizations. What is the best reason for this?
A. RBAC
B. USB removable encryption
C. Lack of management software
D. Multifactor authentication
Answer: C. Lack of management software
Explanation: A lack of management software can cause slower deployment of HSMs. Because the HSM is an external device, it requires software to manage it, allowing the HSM to communicate with the computer it is connected to. The lack of decent management software could cause some decision makers at organizations to be slow to adopt the solution. RBAC stands for role-based access control, which assigns roles to users based on sets of permissions. USB removable encryption is a decent solution for encrypting data, but an HSM can house extremely secure keys in comparison and have tamper protection as well—so USB removable encryption isn’t really a substitute for an HSM. Multifactor authentication means that a user needs to have two forms of ID, or needs to be authenticated in two or more ways to a system.
What is the main difference between a worm and a virus?
A. A virus is easily removed.
B. A worm is undetectable.
C. A worm is self-replicating.
D. A virus is larger.
Answer: C. A worm is self-replicating.
Explanation: Worms are self-replicating once they are executed, whereas viruses are not. Viruses may spread out and infect one or more files, but the actual virus cannot replicate itself. Viruses and worms can both be difficult to remove—it depends on their severity and age. Worms and viruses can both be detected with antivirus software. Viruses can be larger or smaller than worms. The two are similar in general aside from self-replication.
Which of the following will identify a Smurf attack?
A. NIDS
B. Firewall
C. Content filter
D. Load balancer
Answer: A. NIDS
Explanation: A NIDS (network intrusion detection system) is designed to identify network attacks such as a Smurf attack (a type of DoS). Firewalls can block particular packets or IP addresses but don’t identify actual attacks. Content filters are used to secure users’ web browsing sessions, filtering out unwanted websites. Load balancers are used to distribute workload among multiple servers.
Which of the following ports is required by an e-commerce web server running SSL?
A. Port 443 inbound
B. Port 80 inbound
C. Port 80 outbound
D. Port 443 outbound
Answer: A. Port 443 inbound
Explanation: The web server needs to have inbound port 443 open to accept secure requests for SSL sessions from clients. The outbound port doesn’t actually matter; it’s the inbound port that is important for the server. Inbound port 80 is used by default for regular HTTP connections.
In biometrics, what aspect of human authentication does a thumbprint scanner test for?
A. Something a user knows
B. Something a user is
C. Something a user has
D. Something a user does
Answer: B. Something a user is
Explanation: Biometrics is the science of authenticating individuals according to their physical characteristics, or something the person is. A thumbprint is an example of something a user is; other examples include retina scans and even brain scans. An example of something a user knows would be a password or PIN. An example of something a user has would be a smart card or other ID card. An example of something a user does would be a signature or voice recognition.
What is MAC filtering a form of?
A. VPN
B. NAT
C. NAC
D. DMZ
Answer: C. NAC
Explanation: MAC filtering is when only a select list of MAC addresses is allowed to communicate with an AP or router. This is an example of network access control (NAC), a way of controlling how computers connect to the network in a secure fashion. VPN stands for virtual private network, which allows for the secure remote connection of computers to a network. NAT stands for network address translation, which takes care of the connection from LAN clients through a router and out to the Internet. A DMZ is a demilitarized zone—a place separate from the LAN where servers reside that can be reached by users on the Internet.
A visitor plugs her laptop into the network in the conference room attempting to start a presentation that requires Internet access. The user gets a warning on the screen saying that her antivirus software is not up to date. As a result, the visitor is unable to access the Internet. What is the most likely cause of this?
A. The security posture on the network is disabled, and remediation must take place before the user can access the Internet.
B. The IDS blocked access to the network.
C. The IPS prevented access to the network.
D. The security posture on the network is enabled, and remediation must take place before the user can access the Internet.
Answer: D. The security posture on the network is enabled, and remediation must take place before the user can access the Internet.
Explanation: The security posture can be defined as the risk level to which a system is exposed. If enabled, a system will need to meet particular security requirements. In this case, the user cannot access the Internet with her laptop until the antivirus software is updated (the remediation). If disabled, the user would not need to update her system. An IDS will not block access to the network. Instead, an IDS will detect malicious activity on the network. An IPS is not designed to prevent internal users from accessing the network—it is designed to prevent malicious activity on the network.
Your boss needs you to implement a password policy that prevents a user from reusing the same password. To be effective, it must be implemented in conjunction with the password history policy. Which of the following is the best method?
A. Minimum age
B. Expiration time
C. Password length
D. Lockout time
Answer: A. Minimum age
Explanation: This question refers to Windows Server products. The minimum age password policy must be set to enforce an effective password history policy. If this is not done (in conjunction with the password history policy) then the user will be able to reuse old passwords. For example, if the minimum age was set to the default of zero, then the user could simply change his password as many times as needed, without waiting, to get past the password history policy, and ultimately reuse an old password. The minimum age must always be less than the maximum age setting and must be more than zero to enforce a password history policy properly.
Note: If you configure the maximum age in Windows Server 2008 or Server 2003, the minimum age will automatically be configured to a day less than the maximum age. While maximum age might be another good possible answer to this question, the best and most direct answer would be minimum age.

Expiration of passwords, password length, and lockout time for accounts won’t affect this scenario.
You are in charge of installing patches to servers. Which of the following processes should you follow before installing a patch?
A. Due process
B. Separation of duties
C. Fault tolerance
D. Change management
Answer: D. Change management
Explanation: Change management is a structured way of changing the state of a computer system or IT procedure. The idea behind this is that change is going to happen, but the organization should adapt with change and be knowledgeable of any proposed changes before they occur. Other people in your organization might require that patches not be installed to a particular server; you should get their permission first as part of the change management process before installing the patch. Due process is the principle that an organization must respect and safeguard a person’s rights. Separation of duties is when more than one person is required to complete a particular task. Fault tolerance is the capability of your network to continue functioning after an error or attack occurs.
Rick is reviewing the logs of a host-based IDS. They show that the computer has been compromised by a botnet and is communicating with a master server. If Rick needs to power the computer off, which of the following types of data will be unavailable?
A. Memory, system processes, and network processes
B. Memory, archival storage, and temporary files
C. Swap files, system processes, and the master boot record
D. The system disk, e-mail, and log files
Answer: A. Memory, system processes, and network processes
Explanation: Memory is cleared when the computer is shut down (unless hibernation mode has been implemented). This removes system and network processes from memory. Archival storage, the master boot record, system disk, e-mail, and log files will all still be available. Although two other answers had possibilities within them, they weren’t altogether correct.
You have been tasked to implement an encryption algorithm that has a key length of 128 bits. Which of the following is the only solution?
A. SHA
B. AES
C. 3DES
D. DES
Answer: B. AES
Explanation: AES128 is a 128-bit cipher, meaning it has a key length of 128 bits. However, a more secure solution would be to use AES256 (256-bit key length). SHA-1 is 160-bit, and SHA-2 is 256- or 512-bit in key length. DES is 56-bit, and its successor 3DES is 168-bit.
You have been tasked with securing a switch from physical access. Which of the following should you implement first?
A. Set up access control lists.
B. Check the baseline configuration.
C. Disable unused ports.
D. Disable unnecessary accounts.
Answer: C. Disable unused ports
Explanation: If you need to physically secure a switch, you should first disable unused ports so that a person who has gained unauthorized access to your server room or data center cannot plug a laptop into one of those ports and access the network. It would also be wise to check (or create) a security baseline at some point after this. Access control lists are generally set up on routers, not on switches. Regardless, they deal with the logical, not the physical. The same holds true for accounts: they are of a logical nature and are usually set up on servers and routers.
Which of the following requires a CA during the authentication process?
A. PEAP-TLS
B. FTPS explicit
C. FTPS implicit
D. MD5
Answer: A. PEAP-TLS
Explanation: PEAP (Protected Extensible Authentication Protocol) creates a TLS tunnel by acquiring a PKI certificate from a CA. It is known simply as PEAP or as PEAP-TLS. It is similar to EAP-TTLS. FTPS is FTP over SSL. Explicit mode means that the FTPS client must explicitly request security from the FTPS server. Implicit FTPS connections do not allow negotiation—there is no request for security; it is expected from the server. MD5 is a cryptographic hash function.
You have been instructed to install an intrusion detection system that can protect a database server and the rest of the network. You cannot afford to use any more resources on the database server. You decide to implement a network intrusion detection system. Why is this superior to a host-based intrusion detection system? (Select the two best answers.)
A. A HIDS is not reliable when it comes to detecting attacks.
B. Usually, HIDS cannot detect network attacks.
C. A HIDS cannot be updated.
D. A HIDS can negatively impact system performance.
Answers: B. Usually, HIDS cannot detect network attacks, and D. A HIDS can negatively impact system performance.
Explanation: A HIDS usually cannot detect network attacks, whereas a NIDS can. A HIDS will definitely have a negative impact on system performance because it uses resources in the form of CPU and RAM; however, a HIDS is reliable when it comes to detecting attacks on an individual computer. Also, a HIDS can be updated.
What should a disaster recovery plan (DRP) contain?
A. Hierarchical access control lists
B. Single points of failure
C. Hierarchical list of hot sites
D. Hierarchical list of critical systems
Answer: D. Hierarchical list of critical systems
Explanation: A disaster recovery plan should contain (among other things) a list of critical systems in order from the most critical to the least critical. Access control lists don’t fail, but the router that they are contained within may fail and therefore the routers should be listed as critical systems. Anything could be a single point of failure. If a single point of failure cannot be tolerated, it needs to be mitigated in the form of fault tolerance (UPS, RAID, clustering, and so on). Generally, an organization will only have one hot site due to the fact that they are very expensive to maintain.
NTLM is for the most part backward compatible and is an improved version of which of the following?
A. LANMAN
B. AES
C. MD5
D. passwd
Answer: A. LANMAN
Explanation: LANMAN is an outdated hash used in Windows—it is the original hash used to store passwords. NTLM (and the newer NTLMv2) hash are used in newer versions of Windows to replace LANMAN. AES is the Advanced Encryption Standard, a popular encryption method. MD5 is a different hash function used in the downloading of files among other things. Passwd is a text-based file used in Linux that stores user information and permissions.
A computer that is connected to a NAC-enabled network is not asked for the proper NAC credentials. What is a possible reason for this?
A. The computer is not patched.
B. The computer doesn’t have the latest antivirus definitions.
C. The computer is missing the authentication agent.
D. The computer does not have the latest SP.
Answer: C. The computer is missing the authentication agent.
Explanation: In a network access control (NAC) enabled network, computers must have the authentication agent installed; otherwise, the NAC system will not ask for the credentials (and the computer will not get access to the network). The authentication agent is also known as a supplicant (for example in 802.1X systems). The patch level, antivirus definitions, and service packs (SPs) are separate from the NAC system.
Which of the following security technologies should you provide to allow users remote access to your network? (Select the two best answers.)
A. Firewall
B. Subnetting
C. NAT
D. VPN
E. NAC
Answers: A. Firewall and D. VPN
Explanation: A firewall can be used in conjunction with a virtual private network (VPN) service to allow users remote access to your network. The firewall might incorporate the VPN, or the VPN might be controlled by a separate server or concentrator. Subnetting is not necessary for remote access, but it is a security method used to compartmentalize networks. Network address translation (NAT) is used to translate LAN addresses through to the Internet. Network access control (NAC) is used to authenticate computers and users in a secure fashion on the LAN.
What kind of threat is a virus designed to format a computer’s hard drive on a specific calendar day?
A. Bot
B. Spyware
C. Logic bomb
D. Adware
Answer: C. Logic bomb
Explanation: A logic bomb is code designed to be set off on a specific day. This may cause a virus to execute or other malicious activity to occur at that specific time. A bot, short for robot, is also known as a zombie, which is a compromised computer controlled by a central source. Spyware is unwanted software that tracks Internet access. Adware is the pop-up ads you see when you go to various websites. It is also software similar to spyware that will track your Internet access to expose you to specific ads.
When authenticating with PEAP, what is used to provide mutual authentication between peer computers?
A. MSCHAPv1
B. MD5
C. MSCHAPv2
D. EAP
Answer: C. MSCHAPv2
Explanation: PEAP uses MSCHAPv2 most commonly. This supports authentication via Microsoft Active Directory databases. MSCHAPv1 does not allow this and is not used in PEAP. MD5 is not an authentication method, and is not used by PEAP, but it is used in EAP-MD5 (as a hashing algorithm), which is also challenge-based. PEAP is a derivative of EAP (Extensible Authentication Protocol).
What needs to be configured to offer remote access to a network?
A. Tokens
B. Biometrics
C. Supplicants
D. ACLs
Answer: D. ACLs
Explanation: Access control lists (ACLs) need to be configured properly for users to gain remote access through a firewall/router and on to the main network. Tokens are used in authentication schemes (often local) but are usually generated with little configuration. Biometrics is the authentication of individuals through physical characteristics. Supplicants (authentication agents) are usually loaded on computers in an 802.1X NAC network, which is usually local and usually done with little configuration.
To determine network access requirements, a person working in HR has been tasked with assigning users in Accounting the same job function. What is this an example of?
A. MAC
B. DAC
C. RBAC
D. ACL
Answer: C. RBAC
Explanation: Role-based access control (RBAC) is when individuals are assigned groups of permissions that constitute a role. While a person in HR might not assign job functions within the operating system directly, the person will commonly assign the job functions for each user in some type of paper or electronic document, and deliver that document to a security administrator who then implements those job functions within the operating system. Mandatory access control (MAC) is a model that determines permissions by a computer system. Discretionary access control (DAC) is when permissions are determined by the owner. An ACL is an access control list, which defines what IP addresses (or users) can access particular networks or resources.
You have been given 10 hard drives that need to be decommissioned. What is the first thing you should do?
A. Format the hard drive.
B. Perform a bit level erasure or overwrite the drive.
C. Contact a waste disposal facility.
D. Burn the hard drives in an incinerator.
Answer: B. Perform a bit level erasure or overwrite the drive.
Explanation: Hard drives should be sanitized. This can be done with bit-level erasure software that completely obliterates any data that was previously on the drive. Formatting the drive is not enough as data can still be recovered from a formatted drive. Even if you plan on disposing of the drives with a third-party facility, the drive should still be sanitized beforehand. Most organizations will not burn hard drives. It might even be illegal in your municipality. Instead, after sanitization, hard drives are often pulverized.
Which of the following protocols or services uses port 19?
A. CHARGEN
B. Echo
C. Telnet
D. SMTP
Answer: A. CHARGEN
Explanation: CHARGEN, the character generator, uses port 19. It is commonly used by a Fraggle attack. Echo uses port 7. Telnet uses port 23. SMTP uses port 25.
You have several unused USB flash drives, three laptops, and two HSMs that contain sensitive data. What is the best way to prevent the theft of these devices?
A. GPS tracking
B. Encryption
C. Locking cabinet
D. Hashing
Answer: C. Locking cabinet
Explanation: A locking cabinet is the best way listed to prevent the theft of physical devices such as USB flash drives and laptops, provided it is actually kept locked. GPS tracking can aid in finding devices after they have been stolen. Encryption helps keep data secure even if the device is stolen (although it isn't a perfect solution). Hashing provides integrity of data. GPS tracking, encryption, and hashing won't stop the physical devices from being stolen. It's important to keep physical devices locked up when not in use and monitored by video surveillance or other means.
You suspect that an unauthorized person has accessed your server room. Which of the following would be the best proof of this?
A. Card key log
B. Video surveillance
C. Security log
D. Security guard testimony
Answer: B. Video surveillance
Explanation: Video surveillance (for example, a CCTV system) is the best form of proof listed because it is the hardest to tamper with or spoof. A card key log from a proximity reader could have been tampered with, or the unauthorized person might have used a legitimate card key. Security logs alone are weak proof, and although a security guard's testimony can be compelling, it can still be disputed.
Your boss has asked you to reduce an AP’s power setting, and place the AP in the center of your building. What reconnaissance method is your boss trying to prevent?
A. Wardriving
B. Evil twin
C. Rogue AP
D. RF interference
Answer: A. Wardriving
Explanation: Your boss is trying to prevent wardriving. Lowering the AP's transmit power and placing it in the center of the building keeps the signal inside the walls as much as possible, so a wardriver outside is less likely to see (let alone connect to) your wireless network. An evil twin is an AP put in place maliciously with the same SSID as an existing AP on your network. Rogue APs are access points that are not authorized to be part of your wireless network. The steps in the scenario might also reduce RF interference, but RF interference is not a reconnaissance method.
Mitigating risk based on cost could be described as which of the following?
A. Business impact analysis
B. Quantitative risk assessment
C. Vulnerability assessment
D. Qualitative risk assessment
Answer: B. Quantitative risk assessment
Explanation: Quantitative risk assessment measures risk in monetary terms (asset value, single loss expectancy, annualized loss expectancy), which is what lets you weigh a risk against the cost of mitigating it. Qualitative risk assessment instead rates likelihood and impact on relative scales such as low, medium, and high. Business impact analysis distinguishes critical from nonurgent functions and is part of a DRP or BCP. A vulnerability assessment is an analysis of security weaknesses in an organization.
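The cost-based decision the card refers to is easier to see worked through. The following is an added example, not part of the original card deck: it computes SLE and ALE from constructed figures for a hypothetical file server and two hypothetical countermeasures, then picks the control whose annual benefit exceeds its annual cost. All dollar values, exposure factors and rates are assumptions made up for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One quantified risk: AV is the asset's value in dollars, EF the fraction
    of that value lost in a single incident, ARO the expected incidents per year."""
    asset_value: float
    exposure_factor: float
    annual_rate: float

    def sle(self) -> float:
        # Single loss expectancy: what one incident costs.
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized loss expectancy: expected cost per year.
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A countermeasure: what it costs per year and the residual risk it leaves."""
    name: str
    annual_cost: float
    residual: Risk


def control_value(before: Risk, control: Control) -> float:
    """Annual benefit of the control minus its annual cost.
    Positive means the control pays for itself."""
    return (before.ale() - control.residual.ale()) - control.annual_cost


def choose_control(before: Risk, controls: list[Control]) -> Optional[Control]:
    """Pick the control with the highest net value, or None if none is worth it
    (in which case accepting or transferring the risk is the rational choice)."""
    best = max(controls, key=lambda c: control_value(before, c), default=None)
    if best is None or control_value(before, best) <= 0:
        return None
    return best


# Constructed sample: a file server worth $200,000; a ransomware incident is
# assumed to destroy 25% of its value about once every two years.
FILE_SERVER = Risk(asset_value=200_000, exposure_factor=0.25, annual_rate=0.5)

CONTROLS = [
    # Offsite backups shrink the loss per incident but not its frequency.
    Control("nightly offsite backups", annual_cost=6_000,
            residual=Risk(200_000, 0.05, 0.5)),
    # A hot standby cluster shrinks the loss further but costs more than it saves.
    Control("hot standby cluster", annual_cost=30_000,
            residual=Risk(200_000, 0.01, 0.5)),
]

if __name__ == "__main__":
    print(f"ALE before controls: ${FILE_SERVER.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: net value ${control_value(FILE_SERVER, c):,.0f}/year")
    chosen = choose_control(FILE_SERVER, CONTROLS)
    print("recommendation:", chosen.name if chosen else "accept or transfer the risk")
```

With these numbers the ALE is $25,000 a year; the backups return $14,000 a year net, while the cluster loses $6,000 a year, so the backups are the defensible spend even though the cluster leaves less residual risk.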
A customer has asked you to implement a solution to hide as much information about the internal structure of the network as possible. The customer also wants to minimize traffic with the Internet and does not want to increase security risks to the internal network. Which of the following solutions should you implement?
A. NIDS
B. Firewall
C. Protocol analyzer
D. Proxy server
Answer: D. Proxy server
Explanation: A proxy server, specifically a caching proxy, will minimize traffic with the Internet. Users that access the same websites will get their information from the proxy server instead of from the Internet. An IP proxy server will hide information about the internal structure of the network. Proxy servers are available that can handle both of these functions. A NIDS, network intrusion detection system, detects attacks on the network. A firewall closes off ports on the network; and although some firewalls also come with proxy functionality, it is not the best answer for this scenario. Protocol analyzers, also known as network sniffers, can analyze packets of information that have been captured.
Specific secure data is only supposed to be viewed by certain authorized users. What concept ensures this?
A. Confidentiality
B. Integrity
C. Availability
D. Authenticity
Answer: A. Confidentiality
Explanation: The concept of confidentiality ensures that only authorized users can view secure data. Integrity ensures that data has not been tampered with. Availability ensures that data is accessible and ready. Authenticity ensures that data comes from who the data is supposed to come from and that it is a reputable source.
To prevent ad hoc configuration issues on your wireless network, what method should you implement?
A. Incident management strategy
B. Auditing strategy
C. Change management strategy
D. Patch management strategy
Answer: C. Change management strategy
Explanation: Change management is a structured way of making changes to networking equipment and other systems, so that everyone involved is notified of a change and can review it before it is made. If a person were to add devices to an ad hoc wireless network without consulting anyone else, it could cause many issues, including loss of access to the network. Incident management (and incident response) is the set of procedures a person follows when examining a computer or network-related security incident. Patch management is the planning, testing, implementing, and auditing of patches that are installed on systems; the auditing step checks that a patch holds properly over time. In general, auditing strategies are implemented to properly record and review what happens to data on the various servers and other computers on the network.
You have disabled all unnecessary services on a domain controller. What is this an example of?
A. Secure code review
B. Baselining
C. Patch management strategy
D. Application hardening
Answer: D. Application hardening
Explanation: Application hardening is the securing of an application: disabling unnecessary services, disabling unused accounts, removing unnecessary applications, and so on. (Strictly speaking, disabling services on a domain controller is OS hardening, but that is not among the options, and the exam groups both under hardening.) Secure code review is the analysis of code to make sure it cannot be subverted; it covers input validation, unmanaged code, handling of sensitive data, and so on. Baselining is the process of measuring a system's normal state so that changes can be detected. Patch management strategy is the entire four-step process involved in adding patches to a system.
Which of the following would an antivirus program most likely not detect? (Select the two best answers.)
A. Logic bomb
B. Worm
C. Virus
D. Trojan
E. Pharming
Answers: A. Logic bomb and E. Pharming
Explanation: Antivirus programs are meant to scan for viruses, worms, and Trojans. They are least likely to detect logic bombs, because the malicious code stays dormant and looks like ordinary program logic until its trigger condition is met. Pharming redirects a website's traffic to a fraudulent site, and antivirus programs are not designed to detect it.
Users are required to log in to the network. They use a smart card to do so. Which type of key does the smart card use to log in to the network?
A. Cipher key
B. Shared key
C. Private key
D. Public key
Answer: C. Private key
Explanation: The smart card holds the user's private key, and that key is what is used during login: the system sends a challenge, the card signs it with the private key (after the user enters a PIN), and the system verifies the signature with the public key in the user's certificate. The private key never leaves the card. Because it combines something you have (the card) with something you know (the PIN), smart card login is a form of multifactor authentication. Public keys are the other half of an asymmetric key pair and are distributed openly, so they cannot prove identity on their own. A cipher key is simply one component of a cipher or algorithm. A shared key is a symmetric key: both parties use the same secret, which is how symmetric encryption works, not public key cryptography.
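To make the challenge-response concrete, here is an added example that is not from the card deck: a toy model of the exchange in which the "card" signs a server nonce with its private key and the "server" verifies with the public key. It uses textbook RSA with two small fixed primes (two known Mersenne primes) so it runs with the standard library alone, requires Python 3.8 or newer for the modular-inverse form of pow(), and is an illustration of the protocol only, not usable cryptography: a real card uses a 2048-bit or larger key generated on the card with proper signature padding. The class and function names are this example's own.

```python
from __future__ import annotations

import hashlib
import secrets

# Constructed toy RSA key. Real cards use 2048-bit+ RSA or ECC keys generated
# on the card, and the private key never leaves the card.
TOY_P = 2**31 - 1
TOY_Q = 2**61 - 1
TOY_N = TOY_P * TOY_Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))   # modular inverse, Python 3.8+


def challenge_digest(nonce: bytes, n: int) -> int:
    """Hash the nonce and reduce it into the RSA group (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


class SmartCard:
    """Holds the private key and exposes only a sign operation."""

    def __init__(self, d: int, n: int) -> None:
        self._d, self._n = d, n

    def sign(self, challenge: bytes) -> int:
        # On a real card, PIN entry gates this call: something you know
        # unlocks something you have.
        return pow(challenge_digest(challenge, self._n), self._d, self._n)


class Server:
    """Knows only the public key (e, n) taken from the user's certificate."""

    def __init__(self, e: int, n: int) -> None:
        self.e, self.n = e, n
        self._pending: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)        # fresh per login attempt
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, signature: int) -> bool:
        nonce = self._pending.pop(user, None)  # each nonce is usable once
        if nonce is None:
            return False                       # replay or stray response
        return pow(signature, self.e, self.n) == challenge_digest(nonce, self.n)


def login(server: Server, card: SmartCard, user: str) -> bool:
    """Full exchange: server issues a nonce, card signs it, server verifies."""
    nonce = server.challenge(user)
    return server.verify(user, card.sign(nonce))


def replay_is_rejected(server: Server, card: SmartCard, user: str) -> bool:
    """A captured signature must not log an attacker in a second time."""
    nonce = server.challenge(user)
    sig = card.sign(nonce)
    first = server.verify(user, sig)
    second = server.verify(user, sig)
    return first and not second
```

The point to take from the exchange is the asymmetry: the server never holds anything that could impersonate the user, and because every nonce is fresh and single-use, a sniffed signature is worthless afterwards.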
The IT director is worried about OS vulnerabilities. What suggestion should you give as the best way to mitigate this threat?
A. Locking cabinet
B. Patch management
C. Antispam software
D. Encryption
Answer: B. Patch management
Explanation: If the IT director is worried about operating system vulnerabilities, then a solid patch management strategy should be implemented. By keeping the OS up to date, there should be fewer OS vulnerabilities and therefore fewer threats to the OS. Locking cabinets should be used to store devices and data when not in use. Antispam software is used to prevent unwanted e-mails from reaching users. Encryption is used to keep data confidential.
What would you implement to separate two departments?
A. MAC filtering
B. Cloud computing
C. VLAN
D. SaaS
Answer: C. VLAN
Explanation: A virtual LAN (VLAN) is used to logically separate groups of computers. It is often done to separate departments in a virtual manner without having to change the physical cabling design. MAC filtering is a method implemented on access points to allow only specific systems onto the wireless network. Cloud computing is a group of various services offered by third-party organizations—the services are hosted on the Internet. SaaS (Software as a Service) is an example of cloud computing.
Which of the following best describes a TPM?
A. Hardware chip that stores keys
B. High-speed secure removable storage device
C. Third-party certificate authority
D. USB encryption
Answer: A. Hardware chip that stores keys
Explanation: A TPM (Trusted Platform Module) is a chip on the motherboard that generates and stores cryptographic keys and can seal them to the platform's measured boot state; full disk encryption such as BitLocker uses it to protect the key that encrypts the entire hard drive. A hardware security module (HSM) is a dedicated cryptographic device (a PCIe card, USB token, or network appliance) that stores keys and performs cryptographic operations at high speed, which is the closest match to option B. An example of a third-party certificate authority (CA) is a company such as VeriSign that issues and distributes trusted certificates. USB encryption refers to encrypting removable media; for example, a USB flash drive might be encrypted with AES-256 to keep data secure.
Which of the following is a passive attempt at identifying weaknesses?
A. Port scanning
B. Penetration testing
C. DoS attack
D. Vulnerability scanning
Answer: D. Vulnerability scanning
Explanation: Vulnerability scanning is considered to be an example of passive security testing. The acts of port scanning, penetration testing, and testing by way of attack (such as a DoS) are all considered to be active security testing.
Your organization currently uses two-factor authentication but wants to install a third factor of authentication. The existing system uses passwords and software-based PKI tokens. Which of the following would provide a third factor of authentication?
A. Elliptic curve
B. Fingerprint scanner
C. Passphrases
D. Four digit pin codes
Answer: B. Fingerprint scanner
Explanation: A fingerprint scanner is the only option that can offer a third factor of authentication. Elliptic curve is a type of asymmetric encryption, not a type of authentication. Passphrases and PINs fall into the same category as passwords, so they are not considered a separate type of authentication.
An attacker has identified and exploited several vulnerabilities in a closed-source application that your organization has developed. What did the attacker implement?
A. Secure code review
B. Vulnerability testing
C. Fuzzing
D. Compiling
Answer: C. Fuzzing
Explanation: Fuzzing (fuzz testing) is the automated feeding of random or malformed data into a program to find inputs that make it crash or misbehave. It is used both by the people who developed the program and by attackers, who need no source code for it; that is what makes it effective against closed-source applications. Secure code review is the analysis of source code by authorized individuals to find problems and security issues. Vulnerability testing is a scan done on computers and networks to find their vulnerability level. Compiling is the transformation of source code into executable programs.
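The following is an added example, not from the card deck, of what a minimal mutation fuzzer does: it takes a valid seed input, applies random byte-level mutations, and records every input that makes the target fail with anything other than its documented rejection error. The target parser, its record format, and the bug in it are all constructed for this illustration (a hypothetical "count:field,field" format whose parser trusts the declared count). Note that no source code of the target is consulted; the fuzzer only observes crashes, which is why the technique works against closed-source software.

```python
import random
from typing import List


def parse_record(data: bytes) -> List[bytes]:
    """Constructed target. Format: b'<count>:<field>,<field>,...'.
    A non-numeric count is rejected with ValueError (the documented error).
    BUG: the declared count is trusted instead of the number of fields that
    actually arrived, so a short body raises IndexError."""
    head, _, body = data.partition(b":")
    count = int(head)
    fields = body.split(b",")
    return [fields[i] for i in range(count)]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: overwrite, delete, insert or duplicate."""
    if not data:
        return bytes([rng.randrange(256)])
    op, i = rng.randrange(4), rng.randrange(len(data))
    if op == 0:                                   # overwrite one byte
        return data[:i] + bytes([rng.randrange(256)]) + data[i + 1:]
    if op == 1:                                   # delete one byte
        return data[:i] + data[i + 1:]
    if op == 2:                                   # insert one byte
        return data[:i] + bytes([rng.randrange(256)]) + data[i:]
    j = rng.randrange(i, len(data) + 1)           # duplicate the slice data[i:j]
    return data[:j] + data[i:j] + data[j:]


def fuzz(seed_input: bytes, iterations: int, seed: int = 0,
         max_len: int = 256) -> List[bytes]:
    """Mutate inputs drawn from a growing corpus; return the ones that crashed.
    The RNG is seeded so a run is reproducible."""
    rng = random.Random(seed)
    corpus = [seed_input]
    crashes: List[bytes] = []
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        if len(candidate) > max_len:
            continue                        # keep test cases small
        try:
            parse_record(candidate)
        except ValueError:
            continue                        # documented rejection, not a bug
        except Exception:
            crashes.append(candidate)       # anything else is a finding
            continue
        corpus.append(candidate)            # accepted input: a new seed to mutate
    return crashes


def reproduce(data: bytes) -> str:
    """Re-run one input and report the exception class, for triage."""
    try:
        parse_record(data)
        return "no crash"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    found = fuzz(b"3:a,b,c", iterations=2000, seed=1)
    print(f"{len(found)} crashing inputs; first: {found[0]!r} -> {reproduce(found[0])}")
```

Real fuzzers (AFL, libFuzzer) add coverage feedback so mutations that reach new code are kept preferentially, but the loop above is the same shape: mutate, run, classify, keep.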
Which of the following are requirements for a cold site?
A. Power and connectivity
B. Redundant servers and networking devices
C. Close proximity to the datacenter
D. Patched and updated client computers
Answer: A. Power and connectivity
Explanation: A cold site need only have power and data/telco connectivity ready to go in the case of an emergency. The organization is expected to provide servers and other computers, phones, as well as configure them all. Warm sites might have computers and servers available but not configured. Hot sites will have redundant servers and networking devices, and patched client computers. Plus everything will be configured and ready to go at short notice.
User awareness and training can help with which of the following?
A. Compliance with legislative and vendor software best practices
B. Enforcement of physical security requirements
C. Minimizing organizational risk caused by users
D. Identifying DoS attacks
Answer: C. Minimizing organizational risk caused by users
Explanation: Users are an aspect of risk to an organization (whether they mean to be or not!). By committing to a training schedule and other user awareness policies, an organization can reduce that risk.
After auditing an FTP server you note that the server has an average of 100 concurrent connections. Where should you look to determine whether this is normal or whether your FTP server is being attacked?
A. Secure code review
B. Baseline reporting
C. Security policy
D. DRP
Answer: B. Baseline reporting
Explanation: Baseline reporting will tell you what has happened in the past on your FTP server. By creating a baseline, you can compare current results with past results, helping you to determine whether the activity is normal. Secure code review is done to analyze whether the source code of a program has vulnerabilities. A security policy will dictate how an organization will approach risk and how it will deal with vulnerabilities. A DRP is a disaster recovery plan.
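To show what "compare current results with past results" looks like in practice, here is an added example that is not part of the card deck. It builds a baseline (mean plus three standard deviations) from constructed past audit readings and flags a current reading that exceeds it. Because server load is diurnal, it baselines each hour of the day separately, so the same count can be normal at 10:00 and suspicious at 02:00; an hour with no history is flagged rather than assumed normal. The history values are made up for the illustration.

```python
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Baseline = Tuple[float, float, float]   # (mean, stdev, upper_bound)


def build_baseline(samples: Iterable[int], k: float = 3.0) -> Baseline:
    """Mean, population stdev and the 'still normal' ceiling mean + k*stdev."""
    values = list(samples)
    mean = statistics.fmean(values)
    stdev = statistics.pstdev(values)
    return mean, stdev, mean + k * stdev


def baselines_by_hour(history: Iterable[Tuple[int, int]]) -> Dict[int, Baseline]:
    """history: (hour_of_day, concurrent_connections) pairs from past audits.
    One threshold for the whole day would flag every busy afternoon or miss a
    quiet-hour spike, so each hour gets its own baseline."""
    buckets: Dict[int, List[int]] = defaultdict(list)
    for hour, count in history:
        buckets[hour].append(count)
    return {hour: build_baseline(counts) for hour, counts in buckets.items()}


def is_anomalous(value: int, baseline: Optional[Baseline]) -> bool:
    """No baseline for this hour means it cannot be called normal: flag it."""
    if baseline is None:
        return True
    return value > baseline[2]


def check(history: Iterable[Tuple[int, int]], hour: int, current: int) -> bool:
    return is_anomalous(current, baselines_by_hour(history).get(hour))


# Constructed audit history: 16 readings taken at 10:00 and 8 taken at 02:00.
HISTORY = (
    [(10, c) for c in (14, 18, 22, 19, 16, 21, 24, 17, 15, 20, 23, 18, 19, 16, 22, 20)]
    + [(2, c) for c in (2, 3, 1, 4, 2, 3, 2, 3)]
)

if __name__ == "__main__":
    for hour, current in ((10, 20), (2, 20), (10, 100), (15, 100)):
        verdict = "INVESTIGATE" if check(HISTORY, hour, current) else "normal"
        print(f"{hour:02d}:00 with {current} connections -> {verdict}")
```

A baseline only answers "is this unusual"; whether 100 connections is an attack, a new batch job, or a misconfigured client still needs the connection log and source addresses.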
A user attempts to log on to the network three times and fails each time. After the third time, the user is not allowed to attempt to log in for 30 minutes. What setting is this known as?
A. Account lockout duration
B. Account lockout threshold
C. Password complexity requirements
D. Minimum password age
Answer: A. Account lockout duration
Explanation: The account lockout duration is the amount of time that users are not allowed to attempt to log in after they have reached the account lockout threshold. Many security policies default this setting to 30 minutes. The account lockout threshold is the number of failed attempts allowed before the lockout takes effect; a common default is five, but organizations often lower it to three (the three-strikes-and-you're-out rule). Password complexity requirements can be enabled within a policy; if so, passwords must include three of the four character classes: uppercase letters, lowercase letters, numeric characters, and special characters. Minimum password age is the number of days that a password must exist before a user is allowed to change it.
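The interaction between threshold, duration, and the counter-reset window is where lockout implementations usually go wrong, so here is an added example (not from the card deck) that models the three settings as a small state machine. The credential store is a constructed toy dictionary; a real system compares salted password hashes, but the lockout logic around that comparison is the same. Time is passed in as a number of seconds so the behaviour can be exercised without waiting.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 3             # account lockout threshold: failures before locking
    duration: float = 30 * 60      # account lockout duration, in seconds
    reset_after: float = 30 * 60   # reset the failure counter after this quiet period


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


class Authenticator:
    """Constructed toy: credentials are a plain {user: password} dict."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]) -> None:
        self.policy = policy
        self._creds = credentials
        self._state: Dict[str, AccountState] = {}

    def _password_ok(self, user: str, password: str) -> bool:
        # Unknown users take the same path as wrong passwords so the response
        # does not reveal which usernames exist.
        expected = self._creds.get(user, "")
        return user in self._creds and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8"))

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'failed' or 'locked'."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"            # a correct password is refused while locked
        if st.failures and now - st.last_failure >= self.policy.reset_after:
            st.failures = 0            # counter reset window elapsed
        if self._password_ok(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
            st.failures = 0
            return "locked"
        return "failed"


if __name__ == "__main__":
    auth = Authenticator(LockoutPolicy(), {"alice": "s3cret"})
    for t, pw in ((0, "wrong"), (1, "wrong"), (2, "wrong"), (3, "s3cret"), (1802, "s3cret")):
        print(f"t={t:5d} password={pw!r:9} -> {auth.attempt('alice', pw, t)}")
```

Two practitioner notes: a lockout policy is also a denial-of-service lever (anyone who knows a username can lock it), which is why the duration is finite rather than "until an administrator unlocks it"; and the response while locked must not differ for a correct password, or the lockout becomes a password oracle.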
Which of the following is a trusted OS implementation used to prevent malicious code from executing on Linux platforms?
A. System File Checker (SFC)
B. SELinux
C. Tripwire
D. vmlinuz
Answer: B. SELinux
Explanation: Security-Enhanced Linux (SELinux) is a feature that supports mandatory access control and includes modifications that add security to Linux distributions, helping to prevent malicious and suspicious code from executing. System File Checker (SFC) is a utility in Windows that checks the integrity of system files and replaces them if necessary. Tripwire is Linux-based open source software designed to check data integrity and alert users to changes. vmlinuz is the compressed bootable image of the Linux kernel.
Your boss asks you to install a wireless access point and set up a new wireless network. Which protocol offers the best wireless security?
A. WPA
B. SSH
C. WEP
D. WPA2
Answer: D. WPA2
Explanation: WPA2 (Wi-Fi Protected Access version 2) is the most secure of the protocols listed when it comes to wireless networking security. WPA (or WPA version 1) is still widely used, but if possible wireless networks should be upgraded to WPA2. Where the hardware supports it, WPA3 supersedes WPA2 and should be preferred on new deployments. SSH is Secure Shell, which allows data to be sent and received securely between two networked systems; it is not a wireless security protocol. WEP (Wired Equivalent Privacy) is deprecated and not recommended for use.
Which of the following would a routine system audit most likely include?
A. Penetration testing
B. User rights and permissions reviews
C. Security policy development
D. Port scanning
Answer: B. User rights and permissions reviews
Explanation: Routine system audits will check for user rights and permissions as well as analyze log files, for example, the Security log in Windows. The development and implementation of the security policy that enabled the security log should have been done long before actual auditing takes place. Penetration testing and port scanning are not included in routine system audits but might be part of more elaborate security audits. Routine system audits are noninvasive (passive) allowing the systems to be audited to continue functioning as normal.
What is a default rule found in a firewall’s ACL?
A. Deny all
B. Permit all
C. netsh advfirewall firewall
D. add address=192.168.0.0/16
Answer: A. Deny all
Explanation: The deny all rule is the default rule at the end of a corporate firewall's access control lists (ACLs): traffic that matches no explicit permit rule is dropped. It is the implicit deny concept applied to firewalls. Permit all is not a default rule; it would be quite dangerous. netsh advfirewall firewall is the Windows command context for viewing and managing Windows Firewall rules, not a rule itself. add address=192.168.0.0/16 is a fragment of a command that adds an address or address range, not a default rule. Because rules are evaluated in order, a broad permit placed above the deny can shadow everything below it, so ACLs should be reviewed for rule order as well as content.
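As an added example that is not part of the card deck, the following models first-match ACL evaluation with an implicit deny, plus the audit check a reviewer would run for shadowed rules. The rule list, addresses and ports are constructed for the illustration (a hypothetical public web server and an internal SSH allowance); the evaluator handles IPv4 CIDR prefixes and "any" and is not a model of any particular vendor's syntax.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR such as "10.0.0.0/8", or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # destination port; None matches any port


def _matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    for want, have in ((rule.src, src), (rule.dst, dst)):
        if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
            return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the rule that fired);
    a packet that matches nothing returns ("deny", None): the implicit deny."""
    for i, rule in enumerate(rules):
        if _matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", None


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    matches everything they would match (a common ACL audit finding)."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("any", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                dead.append(j)
                break
    return dead


# Constructed perimeter policy: a public web server, SSH from the internal LAN only,
# and an explicit catch-all deny so dropped traffic can be logged.
RULES = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    Rule("permit", "tcp", "10.0.0.0/8", "10.0.5.0/24", 22),
    Rule("deny", "any", "any", "any"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 443))
    print(evaluate(RULES[:2], "udp", "198.51.100.7", "203.0.113.10", 53))
    print("shadowed:", shadowed([Rule("permit", "any", "any", "any")] + RULES))
```

The explicit deny at the end of RULES changes nothing about what gets dropped; it exists so the drop hits a rule that can be logged and counted. The shadowed() check is what catches the "permit any any" that someone added at the top during an outage and never removed.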
Your Windows domain has additional servers configured as member servers. Your job is to minimize the risk of unauthorized persons logging on locally to the member servers. Your solution should have a minimal impact on local management and administration and should not limit administrator access. Which of following are the best solutions? (Select the two best answers.)
A. Disable account lockout policies.
B. Require strong passwords.
C. Rename the local default accounts.
D. Configure all services to run under the context of the Local System account.
E. Disable the local default accounts.
F. Provide backdoors into the member servers.
Answers: B and C. Require strong passwords, and rename the local default accounts.
Explanation: By renaming the local default accounts (which includes the administrator account), unauthorized users can no longer assume which username has administrative access; most people know that the default administrative account in Windows is named Administrator, so renaming it adds a layer of security. Strong passwords are always a good idea and help prevent an unauthorized user from logging on to the member server. On some Windows systems the administrator account has a blank password by default, so standard procedure is to rename the account and configure a complex password. Disabling account lockout policies makes the server less secure. Many services run under the Local System account by default, but configuring all of them to do so gives every service the highest level of privilege and does nothing to stop unauthorized logons. Disabling the local default accounts would also disable the administrator account, and the question specifies that administrator access should not be limited. It is never a good idea to provide backdoors into servers or devices; if backdoors are found, they should be eliminated or reported to the vendor of the software.
In which of the following ways can risk not be managed?
A. Risk transfer
B. Risk mitigation
C. Risk acceptance
D. Risk elimination
Answer: D. Risk elimination
Explanation: Risk cannot simply be eliminated. It can be mitigated by way of securing systems and implementing security policies; it can be transferred by way of insurance policies; it can be accepted to a certain extent, but it cannot be eliminated.
You get an automated call from what appears to be your bank. The recording asks you to state your name, birthday, and enter your bank account number to validate your identity. What type of attack has been perpetuated against you?
A. Pharming
B. Phishing
C. Vishing
D. Spoofing
Answer: C. Vishing
Explanation: Vishing is a type of phishing social engineering attack, but it is done over the phone, whereas regular phishing is usually done by e-mail. Pharming is an attack designed to redirect a website’s traffic to another website. Spoofing is an attack where a person or a program masquerades as another one.
You need to regulate cooling in your data center. What is the best environmental control to use?
A. EMI shielding
B. Hot and cold aisles
C. Fire suppression
D. Video surveillance
Answer: B. Hot and cold aisles
Explanation: To regulate cooling in a datacenter or server room, hot and cold aisles should be used. The cold aisle is on one side of the server racks. Air is drawn into the servers and exhausted into the hot aisle and ventilated out of the server room.
Which of the following will help to prevent data theft? Select the best answer.
A. Password history
B. GPS tracking
C. Video surveillance
D. Clean desk policy
Answer: D. Clean desk policy
Explanation: An organization might institute a clean desk policy in the hopes that USB flash drives, discs, and other items are not left lying around. Password history is a policy that can be implemented that disallows users from configuring a same password they had used previously. GPS tracking can be used to find portable devices but will usually be too late to prevent data theft. Video surveillance is great as a record of who entered a building but is not a proactive way to prevent data theft.
The IT director asks you to configure security for your network. The network is isolated from the Internet by a perimeter network. The perimeter network contains three web servers and a network intrusion detection system. You need to test the network’s capability to detect and respond to a denial-of-service attack against the applications running on the web servers. What method should you use?
A. Port scanning
B. Vulnerability scanning
C. Penetration testing
D. Network analysis
Answer: C. Penetration testing
Explanation: Penetration testing is the only option that actually exercises the detection and response path: it is active testing that launches the attack (here, a DoS against the web applications) and observes whether the NIDS raises an alert and whether anyone or anything responds. Because it consumes resources on the network and on the system running the test, it should be scheduled during off hours and performed with written authorization. Port scanning, vulnerability scanning, and network analysis are reconnaissance and analysis techniques; they might reveal whether the network could detect an attack but cannot show whether it can respond to one. Note that a NIDS only detects attacks and warns an administrator; it does not block them, so unless a NIPS or other control is in place, the test is likely to show that the network cannot respond on its own.
Which of the following is the best practice to secure log files?
A. Copy the log files to a server in a remote location.
B. Log all failed and successful login attempts.
C. Increase the size of the log files.
D. Perform hashing of the log files.
Answer: A. Copy the log files to a server in a remote location.
Explanation: The best practice listed is to copy the log files to a server in a remote location, so that an attacker who compromises the original host cannot silently edit or delete the only copy, and so the logs remain accessible if that host fails. Ideally the remote location is geographically separate, not just another building across the street. Logging all failed and successful login attempts is good audit hygiene, but it generates a lot of data and does nothing by itself to protect the log files. Increasing the size of the log files helps with retention (the defaults in most operating systems are too small for a large organization) but does not secure them. Hashing the log files helps maintain their integrity and is a good complement to remote copying, but on its own it is not the best answer.
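Hashing and remote copying work best together, and the following added example (not from the card deck) shows why: each log entry carries the hash of the previous entry, so editing or deleting an earlier record breaks every later link, and the latest hash is anchored on the remote log server so that truncating the tail of the local file is detected as well. The login events and field names are constructed for the illustration; the chain format is this example's own, not a standard.

```python
from __future__ import annotations

import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # the "hash before the first entry"


def _link_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log: List[dict], record: dict) -> dict:
    """Append a record, linking it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev_hash, "record": record, "hash": _link_hash(prev_hash, record)}
    log.append(entry)
    return entry


def verify(log: List[dict], anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain and recompute every link.
    Returns (True, None) if intact, else (False, index of the first bad entry).
    `anchor` is the latest hash as recorded on the remote log server; supplying
    it also detects truncation of the tail, which the chain alone cannot see."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _link_hash(prev_hash, entry["record"]):
            return False, i
        prev_hash = entry["hash"]
    if anchor is not None and prev_hash != anchor:
        return False, len(log)
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed login events, the kind of thing a security log holds."""
    log: List[dict] = []
    for rec in (
        {"ts": "2024-05-01T08:00:01Z", "event": "logon", "user": "alice", "result": "success"},
        {"ts": "2024-05-01T08:00:07Z", "event": "logon", "user": "bob", "result": "failure"},
        {"ts": "2024-05-01T08:00:09Z", "event": "logon", "user": "bob", "result": "failure"},
        {"ts": "2024-05-01T08:00:12Z", "event": "logon", "user": "bob", "result": "success"},
    ):
        append(log, rec)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1]["hash"]           # what the remote log server would hold
    log[1]["record"]["result"] = "success"   # attacker hides a failed logon
    print("after edit:", verify(log))
    log = build_sample_log()
    log.pop()                                # attacker truncates the tail
    print("after truncation, chain only:", verify(log))
    print("after truncation, with anchor:", verify(log, anchor))
```

An attacker who controls the host can of course recompute the whole chain; the protection comes from the anchor (or an HMAC key) living somewhere the host cannot write to, which is exactly the remote log server the card recommends.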
You are the network security administrator. One of the system administrators reports to you that an unauthorized user has accessed the network. What should you do first?
A. Contact the police.
B. Contain the problem.
C. Determine the monetary impact.
D. Notify management.
Answer: B. Contain the problem.
Explanation: The first thing you should do is contain the problem. That can mean attracting the unauthorized user to a honeypot or honeynet or shutting down the affected systems. Afterward, depending on policy, you might notify management and possibly contact the police. Finally, you would determine the monetary impact after assessing the damage to the affected systems, if there were any.
Randy needs an external add-on solution that can provide encryption and integrate with his existing database server. Which of the following would meet his needs?
A. TPM
B. FDE
C. CAC
D. HSM
Answer: D. HSM
Explanation: A hardware security module (HSM) provides encryption and can be an external device that can integrate with an existing server. A trusted platform module (TPM) is an encrypting chip that resides on a motherboard. FDE stands for full disk encryption, which can be implemented with a TPM. CAC stands for Common Access Card, a smart ID card used by the DoD.
You investigate an executive’s laptop and find a system-level kernel module that is modifying the operating system’s functions. What is this an example of?
A. Logic bomb
B. Virus
C. Rootkit
D. Worm
Answer: C. Rootkit
Explanation: Rootkits are designed to gain administrative (root) control over an OS without being detected and to hide their presence, often by loading a kernel module or driver that hooks the operating system's own functions. Worms and viruses typically infect files and programs rather than the kernel itself. A logic bomb is malicious code that lies dormant until a trigger condition, such as a specific date, is met.
You are the systems administrator for your organization. Human resources notifies you that a particular user has been terminated. What should you do? (Select the two best answers.)
A. Retain the user’s data for a specific amount of time.
B. Delete the user’s account.
C. Delete the user’s data.
D. Disable the user’s account.
Answers: A and D. Retain the user’s data for a specific amount of time, and disable the user’s account.
Explanation: If a user is terminated, standard policy is to disable that user’s account and to retain the user’s data for a specific amount of time, which should be stated within the policy. It is not wise to delete a user’s account, because all audited information and encryption keys associated with the user account will be lost.
Which of the following is most likely to result in data loss?
A. Accounting personnel transferring confidential staff information with SFTP
B. Developers copying data from production to test environments with USB sticks
C. Encrypted backup tapes left unattended at reception for offsite storage
D. Back office staff updating details on a mainframe with SSH
Answer: B. Developers copying data from production to test environments with USB sticks
Explanation: By default, if data is copied to a USB stick, it is not encrypted. There is virtually no security in this scenario, and the worst part is that the USB sticks are physically travelling from one department to another. To rectify the situation, the developers could consider using AES256 to encrypt the data on the USB flash drives. The accounting personnel are using SFTP, the backup tapes are encrypted, and the back office staff is using SSH. All these other scenarios at least have some kind of security in mind.
Which of the following solutions should be used by heavily utilized networks?
A. VPN concentrator
B. Remote access
C. Provider cloud
D. Telephony
Answer: C. Provider cloud
Explanation: Provider clouds can offer Infrastructure as a Service (IaaS), which can alleviate some of the stress an organization’s network might suffer from. In addition provider clouds can offer software (SaaS) and platforms (PaaS). VPN concentrators and remote access are not good choices for heavily utilized networks. They are meant for smaller groups of remote users. Telephony is not a solution for heavily utilized networks—quite the opposite; often networks are the solution for telephony usage.
You ran a penetration test against your two database servers and found out that each of them could be compromised with the default database user account and password. Which of the following did you forget to do to your database servers?
A. OS hardening
B. Patch management
C. Virtualization
D. Application hardening
Answer: D. Application hardening
Explanation: Part of application hardening is renaming (or disabling) default accounts and setting complex passwords. If this is not done, it becomes very easy for attackers to compromise the application. OS hardening is not correct in this instance because it is the database that can be compromised using the default database username/password. Databases are considered to be applications, not operating systems. Patch management won’t affect the default user account. The account has to be secured manually. Virtualization of operating systems doesn’t come into play here, although it could help to have backup virtual images made in the case that the database server is compromised.
Which of the following is the best fire suppression system to use if you do not want any equipment to be damaged?
A. Wet pipe sprinkler
B. Deluge sprinkler
C. Carbon dioxide
D. Wet chemical fire extinguisher
Answer: C. Carbon dioxide
Explanation: Carbon dioxide fire extinguishers are the best fire suppression system to use if you don’t want your equipment to be damaged. All the other answers can seriously damage equipment such as networking devices and servers. A carbon dioxide fire extinguisher is gaseous. There is only a slight chance of ESD damage, but that is rare.
You have implemented an X.509 PKI. One of the private keys has been compromised before the certificate’s regular expiration date. What should you do?
A. Validate the certificate.
B. Revoke the certificate.
C. Register the certificate.
D. Put the certificate in escrow.
Answer: B. Revoke the certificate.
Explanation: If a private key is compromised before the certificate's regular expiration date, you should revoke the certificate. The CA adds its serial number to the certificate revocation list (CRL) and publishes the updated CRL (and, where OCSP is in use, the responder reports the new status). The certificate should never be used again. It should not be validated or registered. It should not be put in escrow unless a third party specifically requests it; key escrow exists for recovering encrypted data, not for handling compromised keys. Relying parties only benefit from revocation if they actually check it and treat an unavailable or stale CRL as a failure rather than a pass.
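The following added example, not from the card deck, shows the relying-party side of revocation: a certificate is accepted only if a CRL from the right issuer is current (now lies between thisUpdate and nextUpdate) and the serial is absent from it; a missing, stale, or wrong-issuer CRL returns "unknown", which a strict validator must treat as failure. The issuer name, serial numbers and dates are constructed for the illustration, and the CRL structure keeps only the fields the check needs rather than modelling the full X.509 encoding.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: str


@dataclass
class CRL:
    """The fields a relying party actually needs from an X.509 CRL."""
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: Dict[int, RevokedEntry] = field(default_factory=dict)

    def revoke(self, serial: int, when: datetime, reason: str = "keyCompromise") -> None:
        self.entries[serial] = RevokedEntry(serial, when, reason)


def check_status(serial: int, issuer: str, crl: Optional[CRL], now: datetime) -> str:
    """'good', 'revoked:<reason>' or 'unknown'. Anything but 'good' must be treated
    as a failed validation by a strict relying party: a missing or stale CRL is
    exactly what an attacker holding a compromised key would hope for."""
    if crl is None or crl.issuer != issuer:
        return "unknown"                         # no usable CRL for this issuer
    if not (crl.this_update <= now <= crl.next_update):
        return "unknown"                         # stale (or not yet valid) CRL
    entry = crl.entries.get(serial)
    if entry is None:
        return "good"
    return f"revoked:{entry.reason}"


def signed_before_revocation(serial: int, crl: CRL, signing_time: datetime) -> bool:
    """Signatures made before the revocation date may still be accepted for
    documents that carry a trusted timestamp; later ones must not."""
    entry = crl.entries.get(serial)
    return entry is None or signing_time < entry.revocation_date


# Constructed CRL from a hypothetical issuer; the serial numbers are arbitrary.
ISSUED = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_CRL = CRL("CN=Example Corp Issuing CA", ISSUED, ISSUED + timedelta(days=7))
SAMPLE_CRL.revoke(0x1A2B, ISSUED - timedelta(hours=3))

if __name__ == "__main__":
    now = ISSUED + timedelta(days=1)
    for serial in (0x1A2B, 0x9999):
        print(hex(serial), check_status(serial, SAMPLE_CRL.issuer, SAMPLE_CRL, now))
    print("stale CRL:", check_status(0x9999, SAMPLE_CRL.issuer, SAMPLE_CRL, ISSUED + timedelta(days=8)))
```

The nextUpdate check is the part most home-grown validators skip; without it, an attacker who can block the CRL download (or serve an old copy) keeps a revoked certificate alive indefinitely.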